Initial implementation of module chaining
Oook, this commit is basically just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitely have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has its own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results
byt3bl33d3r
committed
Sep 12, 2016
1 parent
e67fc4c
commit db056d1
Showing
32 changed files
with
1,080 additions
and
395 deletions.
@@ -0,0 +1,109 @@ | ||
import BaseHTTPServer | ||
import threading | ||
import ssl | ||
import os | ||
import sys | ||
from BaseHTTPServer import BaseHTTPRequestHandler | ||
from logging import getLogger | ||
from gevent import sleep | ||
from cme.helpers import highlight | ||
from cme.logger import CMEAdapter | ||
from cme.cmeserver import CMEServer | ||
|
||
class RequestHandler(BaseHTTPRequestHandler): | ||
|
||
def log_message(self, format, *args): | ||
module = self.server.host_chain[self.client_address[0]][0] | ||
server_logger = CMEAdapter(getLogger('CME'), {'module': module.name.upper(), 'host': self.client_address[0]}) | ||
server_logger.info("- - %s" % (format%args)) | ||
|
||
def do_GET(self): | ||
current_module = self.server.host_chain[self.client_address[0]][0] | ||
|
||
if hasattr(current_module, 'on_request'): | ||
|
||
module_list = self.server.host_chain[self.client_address[0]][:] | ||
module_list.reverse() | ||
|
||
final_launcher = module_list[0].launcher(self.server.context, None if not hasattr(module_list[0], 'command') else module_list[0].command) | ||
if len(module_list) > 2: | ||
for module in module_list: | ||
if module == current_module or module == module_list[0]: | ||
continue | ||
|
||
server_logger = CMEAdapter(getLogger('CME'), {'module': module.name.upper(), 'host': self.client_address[0]}) | ||
self.server.context.log = server_logger | ||
|
||
final_launcher = module.launcher(self.server.context, final_launcher) | ||
|
||
server_logger = CMEAdapter(getLogger('CME'), {'module': current_module.name.upper(), 'host': self.client_address[0]}) | ||
self.server.context.log = server_logger | ||
|
||
if current_module == module_list[0]: final_launcher = None if not hasattr(module_list[0], 'command') else module_list[0].command | ||
|
||
launcher = current_module.launcher(self.server.context, final_launcher) | ||
payload = current_module.payload(self.server.context, final_launcher) | ||
|
||
current_module.on_request(self.server.context, self, launcher, payload) | ||
|
||
if not hasattr(current_module, 'on_response'): | ||
try: | ||
del self.server.host_chain[self.client_address[0]][0] | ||
except KeyError or IndexError: | ||
pass | ||
|
||
def do_POST(self): | ||
self.server.log.debug(self.server.host_chain) | ||
module = self.server.host_chain[self.client_address[0]][0] | ||
|
||
if hasattr(module, 'on_response'): | ||
server_logger = CMEAdapter(getLogger('CME'), {'module': module.name.upper(), 'host': self.client_address[0]}) | ||
self.server.context.log = server_logger | ||
module.on_response(self.server.context, self) | ||
|
||
try: | ||
del self.server.host_chain[self.client_address[0]][0] | ||
except KeyError or IndexError: | ||
pass | ||
|
||
def stop_tracking_host(self): | ||
''' | ||
This gets called when a module has finshed executing, removes the host from the connection tracker list | ||
''' | ||
if len(self.server.host_chain[self.client_address[0]]) == 1: | ||
try: | ||
self.server.hosts.remove(self.client_address[0]) | ||
del self.server.host_chain[self.client_address[0]] | ||
except ValueError: | ||
pass | ||
|
||
class CMEChainServer(CMEServer): | ||
|
||
def __init__(self, chain_list, context, logger, srv_host, port, server_type='https'): | ||
|
||
try: | ||
threading.Thread.__init__(self) | ||
|
||
self.server = BaseHTTPServer.HTTPServer((srv_host, int(port)), RequestHandler) | ||
self.server.hosts = [] | ||
self.server.host_chain = {} | ||
self.server.chain_list = chain_list | ||
self.server.context = context | ||
self.server.log = context.log | ||
self.cert_path = os.path.join(os.path.expanduser('~/.cme'), 'cme.pem') | ||
|
||
if server_type == 'https': | ||
self.server.socket = ssl.wrap_socket(self.server.socket, certfile=self.cert_path, server_side=True) | ||
|
||
except Exception as e: | ||
errno, message = e.args | ||
if errno == 98 and message == 'Address already in use': | ||
logger.error('Error starting HTTP(S) server: the port is already in use, try specifying a diffrent port using --server-port') | ||
else: | ||
logger.error('Error starting HTTP(S) server: {}'.format(message)) | ||
|
||
sys.exit(1) | ||
|
||
def track_host(self, host_ip): | ||
self.server.hosts.append(host_ip) | ||
self.server.host_chain[host_ip] = [module['object'] for module in self.server.chain_list] |
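Review bot: `except KeyError or IndexError:` in do_GET and do_POST evaluates `KeyError or IndexError` to plain `KeyError`, so an IndexError from `del self.server.host_chain[...][0]` on an already-empty chain is never caught; both sites should read `except (KeyError, IndexError):`. In stop_tracking_host the `except ValueError` only covers `hosts.remove`, while the following `del self.server.host_chain[self.client_address[0]]` can still raise KeyError and escape the handler. In CMEChainServer.__init__ the line `errno, message = e.args` itself raises ValueError for any exception whose args is not exactly a pair (an ssl error or OSError carrying a single message, for instance), replacing the original startup error with an unpacking traceback before the logger is reached; something like `errno = getattr(e, 'errno', None); message = str(e)` keeps the intended "port in use" branch without that failure mode, and the same pattern is repeated in the second file's CMESMBServer.__init__. Every handler also indexes `host_chain[self.client_address[0]]` before any guard (log_message, do_GET, do_POST), so a connection from an address never registered through track_host will, as far as the visible lookups show, raise KeyError inside the request handler instead of being rejected with an error response.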
@@ -0,0 +1,50 @@ | ||
import threading | ||
import logging | ||
import sys | ||
import os | ||
from impacket import smbserver | ||
|
||
class CMESMBServer(threading.Thread): | ||
|
||
def __init__(self, logger, share_name, verbose=False): | ||
|
||
try: | ||
threading.Thread.__init__(self) | ||
|
||
self.server = smbserver.SimpleSMBServer() | ||
self.server.addShare(share_name.upper(), os.path.join('/tmp', 'cme_hosted')) | ||
if verbose: self.server.setLogFile('') | ||
self.server.setSMB2Support(False) | ||
self.server.setSMBChallenge('') | ||
|
||
except Exception as e: | ||
errno, message = e.args | ||
if errno == 98 and message == 'Address already in use': | ||
logger.error('Error starting SMB server: the port is already in use') | ||
else: | ||
logger.error('Error starting SMB server: {}'.format(message)) | ||
|
||
sys.exit(1) | ||
|
||
def run(self): | ||
try: | ||
self.server.start() | ||
except: | ||
pass | ||
|
||
def shutdown(self): | ||
#try: | ||
# while len(self.server.hosts) > 0: | ||
# self.server.log.info('Waiting on {} host(s)'.format(highlight(len(self.server.hosts)))) | ||
# sleep(15) | ||
#except KeyboardInterrupt: | ||
# pass | ||
|
||
self._Thread__stop() | ||
# make sure all the threads are killed | ||
for thread in threading.enumerate(): | ||
if thread.isAlive(): | ||
try: | ||
thread._Thread__stop() | ||
except: | ||
pass |
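Review bot: The share is served from the fixed path `os.path.join('/tmp', 'cme_hosted')` in CMESMBServer.__init__, a predictable location inside a world-writable directory, so another local user can pre-create or populate that directory before the server starts and have their files offered to every host this share is presented to; the first file in this commit already keeps its certificate under `os.path.expanduser('~/.cme')`, and the hosted directory belongs in that same per-user location (or a `tempfile.mkdtemp()` directory) rather than `/tmp`. `run` wraps `self.server.start()` in a bare `except: pass`, so any failure once serving begins is silent; at minimum `except Exception: logger.exception('SMB server error')`, which requires keeping `self.logger = logger` in __init__ since the logger is currently only a constructor local. `shutdown` calls the CPython-private attribute `_Thread__stop` on itself and on every thread from `threading.enumerate()`, which presumably includes the main thread; as far as I recall this only flips the thread's stopped flag rather than ending the serve loop, so a stop method exposed by the impacket server (not visible from this hunk) would be the better shutdown path, with the thread sweep documented as a last resort if it has to stay.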