def task_run():
while not kb.task_queue.empty() and kb.thread_continue:
target, poc_module = kb.task_queue.get()
if not conf.console_mode:
poc_module = copy.deepcopy(kb.registered_pocs[poc_module])
poc_name = poc_module.name
info_msg = "running poc:'{0}' target '{1}'".format(poc_name, target)
logger.info(info_msg)
# hand user define parameters
if hasattr(poc_module, "_options"):
for item in kb.cmd_line:
value = cmd_line_options.get(item, "")
if item in poc_module.options:
poc_module.set_option(item, value)
info_msg = "Parameter {0} => {1}".format(item, value)
logger.info(info_msg)
# check must be option
for opt, v in poc_module.options.items():
# check conflict in whitelist
if opt in CMD_PARSE_WHITELIST:
info_msg = "Poc:'{0}' You can't customize this variable '{1}' because it is already taken up by the pocsuite.".format(
poc_name, opt)
logger.error(info_msg)
raise SystemExit
if v.require and v.value == "":
info_msg = "Poc:'{poc}' Option '{key}' must be set,please add parameters '--{key}'".format(
poc=poc_name, key=opt)
logger.error(info_msg)
raise SystemExit
result = poc_module.execute(target,
headers=conf.http_headers,
mode=conf.mode,
verbose=False)
if not result:
continue
if not conf.quiet:
result.show_result()
result_status = "success" if result.is_success() else "failed"
output = AttribDict(result.to_dict())
output.update({
'target': target,
'poc_name': poc_name,
'created': time.strftime("%Y-%m-%d %X", time.localtime()),
'status': result_status
})
kb.results.append(output)
def listener_worker():
s = get_tcp_listener(ipv6=conf.ipv6, listen_port=int(conf.connect_back_port))
while True:
try:
conn, address = s.accept()
conn.setblocking(1)
client = AttribDict()
client.conn = conn
client.address = address
kb.data.clients.append(client)
info_msg = "new connection established from {0}".format(address[0])
logger.log(CUSTOM_LOGGING.SUCCESS, info_msg)
except Exception:
pass
class POC_CATEGORY:
EXPLOITS = AttribDict()
EXPLOITS.WEBAPP = 'WebApp'
EXPLOITS.DOS = 'DoS'
EXPLOITS.REMOTE = 'Remote'
EXPLOITS.LOCAL = 'Local'
TOOLS = AttribDict()
TOOLS.CRACK = 'Crack'
PROTOCOL = AttribDict()
PROTOCOL.HTTP = "Http"
PROTOCOL.FTP = "Ftp"
PROTOCOL.SSH = "Ssh"
PROTOCOL.TELENT = "Telent"
PROTOCOL.REDIS = "Redis"
def init_options(input_options=AttribDict(), override_options=False):
cmd_line_options.update(input_options)
_set_conf_attributes()
_set_poc_options(input_options)
_set_kb_attributes()
_merge_options(input_options, override_options)
# export rules, dont run the poc in the default status
if conf.rule or conf.rule_req:
logger.info(
"The rule export function is in use. The POC is not executed at this point"
)
if conf.pocs_path:
if check_path(conf.pocs_path):
paths.USER_POCS_PATH = conf.pocs_path
for root, dirs, files in os.walk(paths.USER_POCS_PATH):
files = list(
filter(
lambda x: not x.startswith("__") and x.endswith(
".py"), files))
regex_rule(list(paths.USER_POCS_PATH + i for i in files))
if conf.poc:
regex_rule(conf.poc)
exit()
# if check version
if conf.show_version:
exit()
def init_options(input_options=AttribDict(), override_options=False):
cmd_line_options.update(input_options)
_set_conf_attributes()
_set_poc_options(input_options)
_set_kb_attributes()
_merge_options(input_options, override_options)
# if check version
if conf.show_version:
exit()
def _set_kb_attributes(flush_all=True):
"""
This function set some needed attributes into the knowledge base
singleton.
"""
debug_msg = "initializing the knowledge base"
logger.debug(debug_msg)
kb.abs_file_paths = set()
kb.os = None
kb.os_version = None
kb.arch = None
kb.dbms = None
kb.auth_header = None
kb.counters = {}
kb.multi_thread_mode = False
kb.thread_continue = True
kb.thread_exception = False
kb.word_lists = None
kb.single_log_flags = set()
kb.cache = AttribDict()
kb.cache.addrinfo = {}
kb.cache.content = {}
kb.cache.regex = {}
kb.data = AttribDict()
kb.data.local_ips = []
kb.data.connect_back_ip = None
kb.data.connect_back_port = DEFAULT_LISTENER_PORT
kb.data.clients = []
kb.targets = OrderedSet()
kb.plugins = AttribDict()
kb.plugins.targets = AttribDict()
kb.plugins.pocs = AttribDict()
kb.plugins.results = AttribDict()
kb.results = []
kb.current_poc = None
kb.registered_pocs = AttribDict()
kb.task_queue = Queue()
kb.cmd_line = DIY_OPTIONS or []
kb.comparison = None
def task_run():
while not kb.task_queue.empty() and kb.thread_continue:
target, poc_module = kb.task_queue.get()
if not conf.console_mode:
poc_module = copy.deepcopy(kb.registered_pocs[poc_module])
poc_name = poc_module.name
# for hide some infomations
if conf.ppt:
length = len(target)
_target = target
if length > 15:
_target = "*" + _target[length - 9:]
else:
_target = "*" + _target[length - 3:]
info_msg = "running poc:'{0}' target '{1}'".format(poc_name, _target)
else:
info_msg = "running poc:'{0}' target '{1}'".format(poc_name, target)
logger.info(info_msg)
# hand user define parameters
if hasattr(poc_module, "_options"):
for item in kb.cmd_line:
value = cmd_line_options.get(item, "")
if item in poc_module.options:
poc_module.set_option(item, value)
info_msg = "Parameter {0} => {1}".format(item, value)
logger.info(info_msg)
# check must be option
for opt, v in poc_module.options.items():
# check conflict in whitelist
if opt in CMD_PARSE_WHITELIST:
info_msg = "Poc:'{0}' You can't customize this variable '{1}' because it is already taken up by the pocsuite.".format(
poc_name, opt)
logger.error(info_msg)
raise SystemExit
if v.require and v.value == "":
info_msg = "Poc:'{poc}' Option '{key}' must be set,please add parameters '--{key}'".format(
poc = poc_name, key = opt)
logger.error(info_msg)
raise SystemExit
try:
result = poc_module.execute(target, headers = conf.http_headers, mode = conf.mode, verbose = False)
except PocsuiteValidationException as ex:
info_msg = "Poc:'{}' PocsuiteValidationException:{}".format(poc_name, ex)
logger.error(info_msg)
result = None
if not isinstance(result, Output) and not None:
_result = Output(poc_module)
if result:
if isinstance(result, bool):
_result.success({})
elif isinstance(result, str):
_result.success({"Info": result})
elif isinstance(result, dict):
_result.success(result)
else:
_result.success({"Info": repr(result)})
else:
_result.fail('target is not vulnerable')
result = _result
if not result:
continue
if not conf.quiet:
result.show_result()
result_status = "success" if result.is_success() else "failed"
if result_status == "success" and kb.comparison:
kb.comparison.change_success(target, True)
output = AttribDict(result.to_dict())
if conf.ppt:
# hide some information
length = len(target)
if length > 15:
target = "*" + target[length - 9:]
elif length > 8:
target = "*" + target[4:]
else:
target = "*" + target[1:]
output.update({
'target': target,
'poc_name': poc_name,
'created': time.strftime("%Y-%m-%d %X", time.localtime()),
'status': result_status
})
result_plugins_handle(output)
kb.results.append(output)
def init_options(input_options=AttribDict(), override_options=False):
cmd_line_options.update(input_options)
_set_conf_attributes()
_set_poc_options(input_options)
_set_kb_attributes()
_merge_options(input_options, override_options)
from pocsuite3.lib.core.datatype import AttribDict from pocsuite3.lib.core.log import LOGGER # logger logger = LOGGER # object to share within function and classes command # line options and settings conf = AttribDict() # Dictionary storing # (1)targets, (2)registeredPocs, (3) bruteMode # (4)results, (5)pocFiles # (6)multiThreadMode \ threadContinue \ threadException kb = AttribDict() # object to store original command line options cmd_line_options = AttribDict() # object to store merged options (command line, configuration file and default options) merged_options = AttribDict() # pocsuite paths paths = AttribDict()
def task_run():
while not kb.task_queue.empty() and kb.thread_continue:
target, poc_module = kb.task_queue.get()
if not conf.console_mode:
poc_module = copy.deepcopy(kb.registered_pocs[poc_module])
poc_name = poc_module.name
if conf.pcap:
# start capture flow
import os
import logging
os.environ["MPLBACKEND"] = "Agg"
logging.getLogger("scapy").setLevel(logging.ERROR)
from pocsuite3.lib.utils.pcap_sniffer import Sniffer
from scapy.utils import wrpcap
sniffer = Sniffer(urlparse(target).hostname)
if sniffer.use_pcap:
if not sniffer.is_admin:
logger.warn(
"Please use administrator privileges, and the poc will continue to execute without fetching the packet"
)
conf.pcap = False
else:
sniffer.start()
# let scapy start for a while
time.sleep(1)
else:
logger.warn(
"No libpcap is detected, and the poc will continue to execute without fetching the packet"
)
conf.pcap = False
# for hide some infomations
if conf.ppt:
info_msg = "running poc:'{0}' target '{1}'".format(
poc_name, desensitization(target))
else:
info_msg = "running poc:'{0}' target '{1}'".format(
poc_name, target)
logger.info(info_msg)
# hand user define parameters
if hasattr(poc_module, "_options"):
for item in kb.cmd_line:
value = cmd_line_options.get(item, "")
if item in poc_module.options:
poc_module.set_option(item, value)
info_msg = "Parameter {0} => {1}".format(item, value)
logger.info(info_msg)
# check must be option
for opt, v in poc_module.options.items():
# check conflict in whitelist
if opt in CMD_PARSE_WHITELIST:
info_msg = "Poc:'{0}' You can't customize this variable '{1}' because it is already taken up by the pocsuite.".format(
poc_name, opt)
logger.error(info_msg)
raise SystemExit
if v.require and v.value == "":
info_msg = "Poc:'{poc}' Option '{key}' must be set,please add parameters '--{key}'".format(
poc=poc_name, key=opt)
logger.error(info_msg)
raise SystemExit
try:
result = poc_module.execute(target,
headers=conf.http_headers,
mode=conf.mode,
verbose=False)
except PocsuiteValidationException as ex:
info_msg = "Poc:'{}' PocsuiteValidationException:{}".format(
poc_name, ex)
logger.error(info_msg)
result = None
if not isinstance(result, Output) and not None:
_result = Output(poc_module)
if result:
if isinstance(result, bool):
_result.success({})
elif isinstance(result, str):
_result.success({"Info": result})
elif isinstance(result, dict):
_result.success(result)
else:
_result.success({"Info": repr(result)})
else:
_result.fail('target is not vulnerable')
result = _result
if not result:
continue
if not conf.quiet:
result.show_result()
result_status = "success" if result.is_success() else "failed"
if result_status == "success" and kb.comparison:
kb.comparison.change_success(target, True)
output = AttribDict(result.to_dict())
if conf.ppt:
# hide some information
target = desensitization(target)
output.update({
'target': target,
'poc_name': poc_name,
'created': time.strftime("%Y-%m-%d %X", time.localtime()),
'status': result_status
})
result_plugins_handle(output)
kb.results.append(output)
if conf.pcap:
sniffer.join(20)
if not sniffer.is_alive():
filename = urlparse(target).hostname + time.strftime(
'_%Y_%m_%d_%H%M%S.pcap')
logger.info(f"pcap data has been saved in: {filename}")
wrpcap(filename, sniffer.pcap.results)
else:
logger.error("Thread terminates timeout. Failed to save pcap")
