Ejemplo n.º 1
0
 def __replace_tag_localip(self):
     """
     Replace tag [LOCALIP] by the local IP address in self.formatted_cmdline.
     """
     pattern = re.compile('\[LOCALIP\]', re.IGNORECASE)
     self.formatted_cmdline = pattern.sub(NetUtils.get_local_ip_address(), 
                                          self.formatted_cmdline)
Ejemplo n.º 2
0
    def run(self, target):
        try:
            self.command = Command(self.rawcmd, self.type)
        except CommandException as e:
            logger.error(e)
            return None

        # Build script to run
        if self.type == 'rce-blind':
            logger.warning('WARNING: This attack box must be reachable from the target !')
            logger.info('If target is vulnerable, exploit will try to ping local ' \
                'IP = {localip} from target'.format(
                    localip=NetUtils.get_local_ip_address()))

            print(self.command.get_cmdline(target))

            script = SCRIPT_RCE_BLIND.format(
                exploit_dir=self.directory,
                command=self.command.get_cmdline(target))

        elif self.type == 'rce-standard':
            script = self.command.get_cmdline(target)

        else:
            logger.error('Unsupported exploit type')
            return None

        # Run subprocess
        try:
            logger.info('Exploit will be run from directory: {directory}'.format(
                directory=self.directory))

            proc = subprocess.Popen(script, 
                                    shell=True, 
                                    stdout=subprocess.PIPE, 
                                    stderr=subprocess.STDOUT)

            # Agressivelly get the output
            while True:
                out = proc.stdout.read(1)
                # We put that inside try block to avoid utf8 decoding error
                try:
                    out = out.decode(sys.stdout.encoding)
                    sys.stdout.write(out)
                    self.output += out
                except:
                    pass

                # Break if process has finished
                if out == ''  and proc.poll() != None:
                    break

        except Exception as e:
            logger.error('Error when trying to run command: {exception}'.format(
                exception=e))
            return None

        return self.output
Ejemplo n.º 3
0
    def get_cmdline(self, target):
        cmdline = self.rawcmd

        # Replace tag [IP]
        pattern = re.compile('\[IP\]', re.IGNORECASE)
        cmdline = pattern.sub(target.ip, cmdline)

        # Replace tag [PORT]
        pattern = re.compile('\[PORT\]', re.IGNORECASE)
        cmdline = pattern.sub(target.port, cmdline)

        # Replace tag [URL]
        pattern = re.compile('\[URL\]', re.IGNORECASE)
        cmdline = pattern.sub(target.url, cmdline)

        # Replace tag [URIPATH]
        pattern = re.compile('\[URIPATH\]', re.IGNORECASE)
        try:
            o = urllib.parse.urlparse(url)
            uripath = o.path or '/'
        except:
            uripath = '/'
        cmdline = pattern.sub(uripath, cmdline)

        # Replace tag [SSL true="..."]
        pattern = re.compile(
            r'\[SSL\s+true\s*=\s*[\'"](?P<option>.*?)[\'"]\s*\]',
            re.IGNORECASE)

        m = pattern.search(cmdline)
        if target.ssl == True:
            cmdline = pattern.sub(m.group('option'), cmdline)
        else:
            cmdline = pattern.sub('', cmdline)

        # Replace tag [CMD]
        if '[cmd]' in cmdline.lower():
            try:
                pattern = re.compile('\[CMD\]', re.IGNORECASE)
                if CMD[self.type]['linux'] != CMD[self.type]['windows']:
                    cmdline_lin = pattern.sub(CMD[self.type]['linux'], cmdline)
                    cmdline_win = pattern.sub(CMD[self.type]['windows'],
                                              cmdline)
                    cmdline = '{0}; {1}'.format(cmdline_lin, cmdline_win)
                else:
                    cmdline = pattern.sub(CMD[self.type]['linux'], cmdline)

            except Exception as e:
                raise CommandException(e)
        elif '[cmdlinux]' in cmdline.lower(
        ) or '[cmdwindows]' in cmdline.lower():
            pattern = re.compile('\[CMDLINUX\]', re.IGNORECASE)
            cmdline = pattern.sub(CMD[self.type]['linux'], cmdline)

            pattern = re.compile('\[CMDWINDOWS\]', re.IGNORECASE)
            cmdline = pattern.sub(CMD[self.type]['windows'], cmdline)

        # Replace tag [LOCALIP]
        localip = NetUtils.get_local_ip_address()
        if localip == '127.0.0.1':
            raise CommandException('Unable to get local IP address')
        pattern = re.compile('\[LOCALIP\]', re.IGNORECASE)
        cmdline = pattern.sub(localip, cmdline)

        return cmdline
Ejemplo n.º 4
0
    def run(self, target, mode, rce_command=''):
        """
        :param Target targer: Target instance
        :param str mode: mode can be either "detect" or "exploit"
        :param str rce_command: RCE command to run when running exploit (requires mode=exploit)
        """
        try:
            if mode == 'detect':
                self.command = Command(self.detection_rawcmd, self.type)
            elif mode == 'exploit':
                self.command = Command(self.exploit_rawcmd, self.type, self.exploit_rce_output)
        except CommandException as e:
            logger.error(e)
            return None

        # Build script to run
        if mode == 'exploit':
            if self.type == 'rce':
                if not self.exploit_rce_output:
                    logger.warning('The exploit will attempt to execute command on remote system but no '
                        'output will be available !')
                    # For RCE exploit without command output in test mode (no rce_command provided):
                    # Use script template that check for reverse connection with ICMP ping and HTTP requests
                    if len(rce_command) == 0:
                        logger.warning('WARNING: This attack box must be reachable from the target !')
                        logger.info('No command supplied to run through RCE, automatic exploit test will be started...')
                        logger.info('If target is vulnerable, exploit will try to ping (ICMP Echo request) and '
                            'to send HTTP request to local IP = {localip} from target'.format(
                                localip=NetUtils.get_local_ip_address()))

                        cmdline = self.command.get_cmdline(target)
                        print(cmdline)

                        script = SCRIPT_RCE_BLIND.format(
                            exploit_dir=self.directory,
                            command=cmdline)
                    else:
                        cmdline = self.command.get_cmdline(target, rce_command)
                        print(cmdline)
                        script  = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
                        script += cmdline
                else:
                    if len(rce_command) == 0:
                        logger.info('No command supplied to run through RCE, automatic exploit test will be started...')
                        logger.info('If target is vulnerable, exploit will try to run an echo command on target')
                        cmdline = self.command.get_cmdline(target)
                        print(cmdline)
                        script  = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
                        script += cmdline
                    else:
                        cmdline = self.command.get_cmdline(target, rce_command)
                        print(cmdline)
                        script  = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
                        script += cmdline                        

            else:
                cmdline = self.command.get_cmdline(target)
                print(cmdline)
                script  = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
                script += cmdline
        else:
            logger.warning('The script will attempt to detect if remote system is vulnerable without '
                'actually exploiting the vulnerability.')
            logger.warning('WARNING: False Positive is possible !')
            cmdline = self.command.get_cmdline(target)
            script  = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
            script += cmdline            

        # Run subprocess
        try:
            logger.info('{script} will be run from directory: {directory}'.format(
                script='Exploit' if mode == 'exploit' else 'Detection script',
                directory=self.directory))

            proc = subprocess.Popen(script, 
                                    shell=True, 
                                    executable='/bin/bash',
                                    stdout=subprocess.PIPE, 
                                    stderr=subprocess.STDOUT)

            # Agressivelly get the output
            while True:
                out = proc.stdout.read(1)
                # We put that inside try block to avoid utf8 decoding error
                try:
                    out = out.decode(sys.stdout.encoding)
                    sys.stdout.write(out)
                    self.output += out
                except:
                    pass

                # Break if process has finished
                if out == ''  and proc.poll() != None:
                    break

        except Exception as e:
            logger.error('Error when trying to run command: {exception}'.format(
                exception=e))
            return None

        return self.output
Ejemplo n.º 5
0
 def __replace_tag_localip(self):
     pattern = re.compile('\[LOCALIP\]', re.IGNORECASE)
     self.parsed_cmdline = pattern.sub(NetUtils.get_local_ip_address(),
                                       self.parsed_cmdline)
Ejemplo n.º 6
0
    def get_cmdline(self, target, rce_command=''):
        """
        :param Target target: Target instance
        :param str rce_command: Command to execute on vulnerable system through RCE vuln
        """
        cmdline = self.rawcmd

        # Replace tag [IP]
        pattern = re.compile('\[IP\]', re.IGNORECASE)
        cmdline = pattern.sub(target.ip, cmdline)

        # Replace tag [PORT]
        pattern = re.compile('\[PORT\]', re.IGNORECASE)
        cmdline = pattern.sub(str(target.port), cmdline)

        # Replace tag [URL]
        pattern = re.compile('\[URL\]', re.IGNORECASE)
        cmdline = pattern.sub(str(target.url), cmdline)

        # Replace tag [BASEURL]
        pattern = re.compile('\[BASEURL\]', re.IGNORECASE)
        baseurl = target.url.split('//')[0] + '//' + target.url.split(
            '//')[1].split('/')[0]
        cmdline = pattern.sub(str(baseurl), cmdline)

        # Replace tag [URIPATH]
        pattern = re.compile('\[URIPATH\]', re.IGNORECASE)
        try:
            o = urllib.parse.urlparse(url)
            uripath = o.path or '/'
        except:
            uripath = '/'
        cmdline = pattern.sub(uripath, cmdline)

        # Replace tag [SSL true="..."]
        pattern = re.compile(
            r'\[SSL\s+true\s*=\s*[\'"](?P<option>.*?)[\'"]\s*\]',
            re.IGNORECASE)

        m = pattern.search(cmdline)
        if m:
            if target.ssl == True:
                cmdline = pattern.sub(m.group('option'), cmdline)
            else:
                cmdline = pattern.sub('', cmdline)

        # Replace tag [CMD]
        if '[cmd]' in cmdline.lower():
            try:
                pattern = re.compile('\[CMD\]', re.IGNORECASE)

                # If command provided by user, replace tag by this command, otherwise
                # use the predefined commands for automatic test
                if len(rce_command) > 0:
                    cmdline = pattern.sub(rce_command, cmdline)
                else:
                    if self.type == 'rce' and not self.exploit_rce_output:
                        cmdline_lin = pattern.sub(CMD['rce-blind']['linux'],
                                                  cmdline)
                        cmdline_lin2 = pattern.sub(CMD['rce-blind']['linux2'],
                                                   cmdline)
                        cmdline_lin3 = pattern.sub(CMD['rce-blind']['linux3'],
                                                   cmdline)
                        cmdline_win = pattern.sub(CMD['rce-blind']['windows'],
                                                  cmdline)
                        cmdline = '{0}; {1}; {2}; {3}'.format(
                            cmdline_lin, cmdline_lin2, cmdline_lin3,
                            cmdline_win)
                    else:
                        cmdline = pattern.sub(CMD['rce-standard']['linux'],
                                              cmdline)

            except Exception as e:
                raise CommandException(e)

        # Special case where Linux/Windows command line differ
        elif '[cmdlinux]' in cmdline.lower(
        ) or '[cmdwindows]' in cmdline.lower():
            try:
                pattern_linux = re.compile('\[CMDLINUX\]', re.IGNORECASE)
                pattern_windows = re.compile('\[CMDWINDOWS\]', re.IGNORECASE)

                # If command provided by user, replace both tag by this command, otherwise
                # use the predefined commands for automatic test
                if len(rce_command) > 0:
                    cmdline = pattern_linux.sub(rce_command, cmdline)
                    cmdline = pattern_windows.sub(rce_command, cmdline)
                else:
                    if self.type == 'rce' and not self.exploit_rce_output:
                        # Replace [CMDLINUX]
                        cmdline_lin = pattern_linux.sub(
                            CMD['rce-blind']['linux'], cmdline)
                        cmdline_lin2 = pattern_linux.sub(
                            CMD['rce-blind']['linux2'], cmdline)
                        cmdline_lin3 = pattern_linux.sub(
                            CMD['rce-blind']['linux3'], cmdline)
                        cmdline = '{0}; {1}; {2}'.format(
                            cmdline_lin, cmdline_lin2, cmdline_lin3)

                        # Replace [CMDWINDOWS]
                        cmdline = pattern_windows.sub(
                            CMD['rce-blind']['windows'], cmdline)
                    else:
                        # Replace [CMDLINUX]
                        cmdline = pattern_linux.sub(
                            CMD['rce-standard']['linux'], cmdline)

                        # Replace [CMDWINDOWS]
                        cmdline = pattern_windows.sub(
                            CMD['rce-standard']['windows'], cmdline)
            except Exception as e:
                raise CommandException(e)

        # Replace tag [LOCALIP]
        localip = NetUtils.get_local_ip_address()
        if localip == '127.0.0.1':
            raise CommandException('Unable to get local IP address')
        pattern = re.compile('\[LOCALIP\]', re.IGNORECASE)
        cmdline = pattern.sub(localip, cmdline)

        return cmdline