def __init__(self, item, currDownl, tftp_downloads, event_dict, dlLogger, config_dict):
asyncore.dispatcher.__init__(self)
self.log_obj = amun_logging.amun_logging("tftp_download", dlLogger)
self.file = item['path']
self._address = (item['host'], int(item['port']))
self.tftp_downloads = tftp_downloads
self.currentDownloads = currDownl
self.event_dict = event_dict
self.item = item
self.active = True
if config_dict['store_unfinished_tftp']:
self.complete = True
else:
self.complete = False
### send buffer
self.buffer = ''
self.max_retries = config_dict['tftp_max_retransmissions']
self.tmp_max_retries = self.max_retries
### receive parameters
self.rcv_packet = []
self.blk_size = 516
### setup socket
self.create_socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
udp_port = random.randint(5062,62535)
self.bind( (item['own_host'], udp_port) )
except socket.error, e:
self.log_obj.log("UDP Port busy: %i" % (udp_port), 6, "crit", True, True)
self.handle_close()
return
def incoming(self, file_data, file_data_length, downMethod, attIP, victimIP, smLogger, md5hash, attackedPort, vulnName, downURL, fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_anubis", smLogger)
### check if already stored to disc than do not submit
if not fexists:
### submit to anubis for analysis
postdata = {}
if self.reportToEmail!='None':
postdata["notification"] = "email"
postdata["email"] = self.reportToEmail
else:
postdata["notification"] = "browser"
postdata["email"] = ""
filename = "amun-%s.exe" % (md5hash)
postdata['analysisType'] = "file"
postdata["executable"] = {"content" : file_data, "filename" : filename}
response = self.httprequest(postdata)
if (response.status == 200 and response.getheader("taskid", "DEFAULT") != "DEFAULT"):
self.log_obj.log("submit anubis successfull", 12, "div", Log=False, display=True)
if postdata["notification"] == "browser" or self.alwaysLog:
self.log_obj.log("anubis result: %s&task_id=%s" % (self.anubisResultURL, response.getheader('taskid')), 12, "div", Log=True, display=False)
else:
self.log_obj.log("could not submit sample to anubis: %s %s" % (response.status, response.getheader("taskid", "DEFAULT")), 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
except StandardError, e:
self.log_obj.log("could not submit sample to anubis: %s" % (e), 12, "crit", Log=True, display=True)
def __init__(self, item, currentDownloads, bindports, event_dict, divLogger, config_dict, currentSockets, decodersDict):
asyncore.dispatcher.__init__(self)
self.divLogger = divLogger
self.log_obj = amun_logging.amun_logging("bindport", divLogger['download'])
self.item = item
self.bindports = bindports
self.currentDownloads = currentDownloads
self.currentSockets = currentSockets
self.event_dict = event_dict
self.config_dict = config_dict
self.decodersDict = decodersDict
self.replace_locals = config_dict['replace_locals']
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
self.set_reuse_addr()
self.identifier = "%s%s" % (item['own_host'],item['port'])
try:
self.bind( (item['own_host'], int(item['port'])) )
except socket.error, e:
self.log_obj.log("port already in use? (%s): %s" % (item['port'],e), 6, "crit", True, True)
self.remove_download_entry()
try:
self.close()
except:
pass
return
def __init__(self, item, currentDownloads, bindports, event_dict, divLogger, config_dict, currentSockets, decodersDict):
asyncore.dispatcher.__init__(self)
self.divLogger = divLogger
self.log_obj = amun_logging.amun_logging("bindport", divLogger['download'])
self.item = item
self.bindports = bindports
self.currentDownloads = currentDownloads
self.currentSockets = currentSockets
self.event_dict = event_dict
self.config_dict = config_dict
self.decodersDict = decodersDict
self.replace_locals = config_dict['replace_locals']
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
self.set_reuse_addr()
self.identifier = "%s%s" % (item['own_host'],item['port'])
try:
self.bind( (item['own_host'], int(item['port'])) )
except socket.error, e:
self.log_obj.log("port already in use? (%s): %s" % (item['port'],e), 6, "crit", True, True)
self.remove_download_entry()
try:
self.close()
except:
pass
return
def incoming(self, file_data, file_data_length, downMethod, attIP, victimIP, smLogger, md5hash, attackedPort, vulnName, downURL, fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_cwsandbox", smLogger)
### check if already stored to disc than do not submit
if not fexists:
### submit to CWSandbox for analysis
fields = []
fields.append( ("email", self.reportToEmail) )
filename = "amun-%s.exe" % (md5hash)
files = []
files.append( ("upfile", filename, file_data) )
(status, reason, response) = self.httprequest(fields, files)
if (status == 200 and reason != "DEFAULT"):
self.log_obj.log("submit cwsandbox successfull", 12, "div", Log=False, display=True)
self.log_obj.log("cwsandbox result: %s" % (response), 12, "div", Log=True, display=False)
#resultURL = self.evaluateReply(response)
#if len(resultURL)>0:
# self.log_obj.log("cwsandbox result: %s" % (resultURL), 12, "div", Log=True, display=False)
#else:
# self.log_obj.log("cwsandbox result url not found: %s" % (response), 12, "div", Log=True, display=True)
else:
self.log_obj.log("could not submit sample to cwsandbox: %s %s" % (status, reason), 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
except StandardError, e:
self.log_obj.log("could not submit sample to cwsandbox: %s" % (e), 12, "crit", Log=True, display=True)
def incoming(self, file_data, file_data_length, downMethod, attIP, victimIP, smLogger, md5hash, attackedPort, vulnName, downURL, fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_joebox", smLogger)
### check if already stored to disc than do not submit
if not fexists:
### submit to Joebox for analysis
fields = []
fields.append( ("email", self.reportToEmail) )
filename = "amun-%s.exe" % (md5hash)
files = []
files.append( ("upfile", filename, file_data) )
(status, reason, response) = self.httprequest(fields, files)
if (status == 200 and reason != "DEFAULT"):
self.log_obj.log("submit joebox successfull", 12, "div", Log=True, display=True)
#resultURL = self.evaluateReply(response)
#if len(resultURL)>0:
# self.log_obj.log("joebox result: %s" % (resultURL), 12, "div", Log=True, display=False)
else:
self.log_obj.log("could not submit sample to joebox: %s %s" % (status, reason), 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
except StandardError, e:
self.log_obj.log("could not submit sample to joebox: %s" % (e), 12, "crit", Log=True, display=True)
def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName):
try:
self.log_obj = amun_logging.amun_logging("log_mail", loLogger)
### construct message header
### From, To, and Subject
Subject = "Amun Exploit from: %s" % (attackerIP)
RecipientRow = ",".join(self.RecipientList)
MessageHeader = "From: %s\r\nTo: %s\r\nSubject: %s \r\n" % (self.mailFrom,RecipientRow,Subject)
### If ReplyTo is set, add to header
if self.mailReplyTo!="":
MessageHeader += "ReplyTo: %s\r\n" % (self.mailReplyTo)
if len(self.mailCCList)>0:
MessageHeader += "CC: %s\r\n" % (",".join(self.mailCCList))
### set character encoding
charencode = "Content-Type: text/plain; charset=iso-8859-1"
MessageHeader += "%s\r\n" % (charencode)
### finalize Message Header
MessageHeader += "\r\n"
### eMail Body
MailBody = self.mailBody
ExploitLine = "\n\nTimestamp: %s\nExploit: %s:%s -> %s:%s %s (%s)" % (time.ctime(int(timestamp)),attackerIP,attackerPort,victimIP,victimPort,vulnName,downloadMethod)
### construct final eMail
Message = str(MessageHeader) + str(MailBody) + str(ExploitLine)
### connect to mailserver and send email
try:
Server = smtplib.SMTP(self.smtpServer,int(self.smtpPort))
Server.set_debuglevel(0)
Server.sendmail(self.mailFrom, self.RecipientList, Message)
Server.quit()
except:
self.log_obj.log("failed sending email message", 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
def incoming(self, file_data, file_data_length, downMethod, attIP, victimIP, smLogger, md5hash, attackedPort, vulnName, downURL, fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_mwportal", smLogger)
### check if already stored to disc than do not submit
if not fexists:
### submit to MWPortal for analysis
filename = "amun-%s.exe" % (md5hash)
files = []
files.append( ("fileselect", filename, file_data) )
(status, reason, response) = self.httprequest(files)
if (status == 200 and reason != "DEFAULT"):
self.log_obj.log("submit mwportal successfull", 12, "div", Log=False, display=True)
#self.log_obj.log("mwportal result: %s" % (response), 12, "div", Log=True, display=False)
else:
self.log_obj.log("could not submit sample to mwportal: %s %s (%s)" % (status, reason, response), 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise Exception("KeyboardError")
except StandardError as e:
self.log_obj.log("could not submit sample to mwportal: %s" % (e), 12, "crit", Log=True, display=True)
except:
self.log_obj.log("could not submit sample to mwportal", 12, "crit", Log=True, display=True)
import traceback
import sys
import StringIO
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def incoming(
self,
attackerIP,
attackerPort,
victimIP,
victimPort,
vulnName,
timestamp,
downloadMethod,
loLogger,
attackerID,
shellcodeName,
):
try:
self.log_obj = amun_logging.amun_logging("log_pgsql", loLogger)
### current table
tableName = time.strftime("%Y%m%d")
if self.connectDB(self.log_obj):
### insert new connection
self.insertConnection(tableName, attackerIP, attackerPort, victimIP, victimPort, vulnName)
self.closeDB(self.log_obj)
else:
self.log_obj.log("log-pgsql failed connection", 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
def successfullSubmission(
self,
attackerIP,
attackerPort,
victimIP,
downloadURL,
md5hash,
data,
filelength,
downMethod,
loLogger,
vulnName,
fexists,
):
try:
self.log_obj = amun_logging.amun_logging("log_pgsql", loLogger)
### current table
tableName = time.strftime("%Y%m%d")
if self.connectDB(self.log_obj):
### insert binary
self.insertBinary(tableName, md5hash, attackerIP, victimIP, downloadURL, filelength, data)
self.closeDB(self.log_obj)
else:
self.log_obj.log("log-pgsql failed connection", 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging("vuln_lotusdomino", vuLogger)
### construct standard reply
self.reply = []
for i in range(0,1022):
try:
self.reply.append("\x00")
except KeyboardInterrupt:
raise
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "LOTUS_STAGE1" and bytes>0:
resultSet["result"] = True
resultSet["accept"] = True
self.reply = "a001 OK LOGIN completed"
resultSet['reply'] = self.reply
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes>0:
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
#resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def incoming(self, file_data, file_data_length, downMethod, attIP,
victimIP, smLogger, md5hash, attackedPort, vulnName, downURL,
fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_md5", smLogger)
### store to disc
filename = "malware/md5sum/%s.bin" % (md5hash)
if not fexists:
fp = open(filename, 'a+b')
fp.write(file_data)
fp.close()
self.log_obj.log("download (%s): %s (size: %i) - %s" %
(downURL, md5hash, file_data_length,
vulnName.replace(' Vulnerability', '')),
12,
"div",
Log=True,
display=True)
else:
self.log_obj.log("file exists",
12,
"crit",
Log=False,
display=False)
except KeyboardInterrupt:
raise
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
### logging object
self.log_obj = amun_logging.amun_logging("vuln_arkeia", vuLogger)
### construct standard reply
self.reply = random_reply[:62]
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "ARKEIA_STAGE1" and bytes == 8:
if arkeia_shellcodes.arkeia_request_stage_1 == message:
resultSet["result"] = True
resultSet["accept"] = True
resultSet["reply"] = "".join(self.reply)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes > 0:
print ".::[Amun - ARKEIA] collecting shellcode: %s ::." % (
bytes)
resultSet["result"] = True
resultSet["accept"] = True
resultSet["reply"] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
#resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
print ".::[Amun - ARKEIA] finish collecting shellcode (bytes %s) ::." % (
bytes)
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging("vuln_maxdb", vuLogger)
### construct standard reply
self.reply = []
for i in range(0, 510):
try:
self.reply.append("\x00")
except KeyboardInterrupt:
raise
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "SHELLCODE":
if bytes > 0:
if message.count(
'\x42\x69\x74\x54\x6f\x72\x72\x65\x6e\x74') > 0:
self.log_obj.log("BitTorrent Request ignored", 6,
"crit", True, False)
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shellcode"] = "None"
return resultSet
else:
resultSet["result"] = True
resultSet["accept"] = True
resultSet["reply"] = "".join(self.reply)
if message.count('\x90') < 1024:
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
### logging object
self.log_obj = amun_logging.amun_logging("vuln_dameware", vuLogger)
### construct standard reply
self.reply = random_reply[:62]
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "DAMEWARE_STAGE1":
self.log_obj.log("DAMEWARE STAGE1: Message (%s) (%s)" % (message, bytes), 12, "debug", True, True)
resultSet["result"] = True
resultSet["accept"] = True
self.reply[8] = "5"
self.reply[12] = "1"
self.reply[37] = "0"
resultSet["reply"] = "".join(self.reply)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes>0:
resultSet["result"] = True
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
self.stage = "SHELLCODE"
#resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
### logging object
self.log_obj = amun_logging.amun_logging("vuln_dameware", vuLogger)
### construct standard reply
self.reply = random_reply[:62]
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "DAMEWARE_STAGE1":
self.log_obj.log("DAMEWARE STAGE1: Message (%s) (%s)" % (message, bytes), 12, "debug", True, True)
resultSet["result"] = True
resultSet["accept"] = True
self.reply[8] = "5"
self.reply[12] = "1"
self.reply[37] = "0"
resultSet["reply"] = "".join(self.reply)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes>0:
resultSet["result"] = True
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
self.stage = "SHELLCODE"
#resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName):
try:
self.log_obj = amun_logging.amun_logging("log_syslog", loLogger)
syslog_message = "Exploit: %s -> %s:%s %s (%s)" % (attackerIP,victimIP,victimPort,vulnName,downloadMethod)
syslog.openlog('Amun',syslog.LOG_PID,syslog.LOG_LOCAL4)
syslog.syslog(syslog.LOG_WARNING, syslog_message)
syslog.closelog()
except KeyboardInterrupt:
raise
def __init__(self, divLogger, config_dict, decodersDict):
self.shellcmds = []
self.bindport_closed = False
self.divLogger = divLogger
self.config_dict = config_dict
self.shellcode_manager = shellcode_mgr_core.shell_mgr(decodersDict, divLogger['shellcode'], config_dict)
self.log_obj = amun_logging.amun_logging("bindport", divLogger['download'])
self.shellemu = shellemulator.shellemulator(divLogger['shellemulator'])
self.shellInfo = self.shellemu.getShellInfoLine()
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging("vuln_analyzer", vuLogger)
### construct standard reply
self.reply = random_reply[:62]
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "STAGE1" and bytes > 0:
print ".::[Amun - Analyzer] collecting stage1 (bytes %s ip %s) ::." % (
bytes, ip)
self.print_message(message)
resultSet['result'] = True
resultSet['accept'] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes > 0:
print ".::[Amun - Analyzer] collecting shellcode (bytes %s ip %s) ::." % (
bytes, ip)
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
print ".::[Amun - Analyzer] finish collecting shellcode (bytes %s ip %s) ::." % (
bytes, ip)
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
def __init__(self, divLogger, config_dict, decodersDict):
self.shellcmds = []
self.bindport_closed = False
self.divLogger = divLogger
self.config_dict = config_dict
self.shellcode_manager = shellcode_mgr_core.shell_mgr(decodersDict, divLogger['shellcode'], config_dict)
self.log_obj = amun_logging.amun_logging("bindport", divLogger['download'])
self.shellemu = shellemulator.shellemulator(divLogger['shellemulator'])
self.shellInfo = self.shellemu.getShellInfoLine()
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
### logging object
self.log_obj = amun_logging.amun_logging("vuln_arkeia", vuLogger)
### construct standard reply
self.reply = random_reply[:62]
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "ARKEIA_STAGE1" and bytes==8:
if arkeia_shellcodes.arkeia_request_stage_1 == message:
resultSet["result"] = True
resultSet["accept"] = True
resultSet["reply"] = "".join(self.reply)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes>0:
print ".::[Amun - ARKEIA] collecting shellcode: %s ::." % (bytes)
resultSet["result"] = True
resultSet["accept"] = True
resultSet["reply"] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
#resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
print ".::[Amun - ARKEIA] finish collecting shellcode (bytes %s) ::." % (bytes)
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def incoming(self, file_data, file_data_length, downMethod, attIP,
victimIP, smLogger, md5hash, attackedPort, vulnName, downURL,
fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_anubis", smLogger)
### check if already stored to disc than do not submit
if not fexists:
### submit to anubis for analysis
postdata = {}
if self.reportToEmail != 'None':
postdata["notification"] = "email"
postdata["email"] = self.reportToEmail
else:
postdata["notification"] = "browser"
postdata["email"] = ""
filename = "amun-%s.exe" % (md5hash)
postdata['analysisType'] = "file"
postdata["executable"] = {
"content": file_data,
"filename": filename
}
response = self.httprequest(postdata)
if (response.status == 200 and
response.getheader("taskid", "DEFAULT") != "DEFAULT"):
self.log_obj.log("submit anubis successfull",
12,
"div",
Log=False,
display=True)
if postdata["notification"] == "browser" or self.alwaysLog:
self.log_obj.log("anubis result: %s&task_id=%s" %
(self.anubisResultURL,
response.getheader('taskid')),
12,
"div",
Log=True,
display=False)
else:
self.log_obj.log(
"could not submit sample to anubis: %s %s" %
(response.status,
response.getheader("taskid", "DEFAULT")),
12,
"crit",
Log=True,
display=True)
except KeyboardInterrupt:
raise
except StandardError, e:
self.log_obj.log("could not submit sample to anubis: %s" % (e),
12,
"crit",
Log=True,
display=True)
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
### logging obj
self.log_obj = amun_logging.amun_logging("vuln_tivoli", vuLogger)
### construct standard reply
self.reply = []
for i in range(0, 510):
try:
self.reply.append("\x00")
except KeyboardInterrupt:
raise
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "TIVOLI_STAGE1" and bytes >= 1024:
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes > 0:
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging("vuln_maxdb", vuLogger)
### construct standard reply
self.reply = []
for i in range(0,510):
try:
self.reply.append("\x00")
except KeyboardInterrupt:
raise
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "SHELLCODE":
if bytes>0:
if message.count('\x42\x69\x74\x54\x6f\x72\x72\x65\x6e\x74')>0:
self.log_obj.log("BitTorrent Request ignored", 6, "crit", True, False)
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shellcode"] = "None"
return resultSet
else:
resultSet["result"] = True
resultSet["accept"] = True
resultSet["reply"] = "".join(self.reply)
if message.count('\x90')<1024:
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
### logging obj
self.log_obj = amun_logging.amun_logging("vuln_tivoli", vuLogger)
### construct standard reply
self.reply = []
for i in range(0,510):
try:
self.reply.append("\x00")
except KeyboardInterrupt:
raise
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage=="TIVOLI_STAGE1" and bytes>=1024:
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes>0:
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
def incoming(self, attackerIP, attackerPort, victimIP, victimPort,
vulnName, timestamp, downloadMethod, loLogger, attackerID,
shellcodeName):
try:
if shellcodeName == "None":
return
self.log_obj = amun_logging.amun_logging("log_blastomat", loLogger)
tstart = timestamp
tend = timestamp
proceed = "Kick"
type = "Exploit"
secret = "testing"
blastHost = "127.0.0.1"
blastPort = 12345
mess = "%s%s%s%s%s%s" % (type, attackerIP, tstart, tend, proceed,
secret)
shahash = sha.sha(mess).hexdigest()
message = '<?xml version="1.0" encoding="UTF-8"?>'
message += '<!DOCTYPE BlastEvent SYSTEM "xmlblast.dtd">'
message += '<BlastEvent>'
message += '<Type>%s</Type>' % (type)
message += '<IP>%s</IP>' % (attackerIP)
message += '<TStart>%s</TStart>' % (tstart)
message += '<TEnd>%s</TEnd>' % (tend)
message += '<Proceed>%s</Proceed>' % (proceed)
message += '<Ports>%s</Ports>' % (victimPort)
message += '<Module>%s</Module>' % (vulnName)
message += '<Hash>%s</Hash>' % (shahash)
message += '</BlastEvent>'
addr = (blastHost, blastPort)
UDPSock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
if (UDPSock.sendto(message, addr)):
self.log_obj.log("blast-o-mat message for %s send (%s)" %
(attackerIP, shellcodeName),
12,
"crit",
Log=True,
display=True)
else:
self.log_obj.log("failed sending message to blast-o-mat",
12,
"crit",
Log=True,
display=False)
UDPSock.close()
self.log_obj.log("blast-o-mat: %s" % (message),
12,
"crit",
Log=True,
display=False)
except KeyboardInterrupt:
raise
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
### logging object
self.log_obj = amun_logging.amun_logging("vuln_helix", vuLogger)
### construct standard reply
self.reply = random_reply
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "HELIX_STAGE1" and bytes >= 1024:
resultSet["result"] = True
resultSet["accept"] = True
#resultSet["reply"] = "".join(self.reply)
resultSet["reply"] = "None"
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes > 0:
resultSet["result"] = True
resultSet["accept"] = True
#resultSet["reply"] = "".join(self.reply)
resultSet["reply"] = "None"
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
### logging object
self.log_obj = amun_logging.amun_logging("vuln_helix", vuLogger)
### construct standard reply
self.reply = random_reply
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "HELIX_STAGE1" and bytes>=1024:
resultSet["result"] = True
resultSet["accept"] = True
#resultSet["reply"] = "".join(self.reply)
resultSet["reply"] = "None"
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes>0:
resultSet["result"] = True
resultSet["accept"] = True
#resultSet["reply"] = "".join(self.reply)
resultSet["reply"] = "None"
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def __init__(self, item, currDownl, event_dict, config_dict,
currentSockets, dlLogger):
asyncore.dispatcher.__init__(self)
self.log_obj = amun_logging.amun_logging("http_download", dlLogger)
self.connection_closed = False
self.currentDownloads = currDownl
self.currentSockets = currentSockets
self.event_dict = event_dict
self.config_dict = config_dict
self.vulnName = item['vulnname']
self.downURL = item['displayURL']
self.dlident = item['dlident']
self.victimIP = item['own_host']
self.remote_ip = item['hostile_host']
self.active = False
self.received = StringIO()
self.header = []
self.content = []
self.content_length = 0
### check for incomplete path
if item['path'] == '/x.' or item['path'] == '/x.e' or item[
'path'] == '/x.ex':
item['path'] = '/x.exe'
#self.buffer = 'GET %s HTTP/1.0\r\nUser-Agent: Microsoft Internet Explorer\nAccept: */*\nHost: %s\nConnection: close\r\n\r\n' % (item['path'], item['host'])
#self.buffer = 'GET %s HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; NN4.1.0.0; .NET CLR 1.1.4322)\nAccept: */*\nHost: %s\nConnection: close\r\n\r\n' % (item['path'], item['host'])
self.buffer = 'GET %s HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\nAccept: */*\nHost: %s\nConnection: close\r\n\r\n' % (
item['path'], item['host'])
self.path = self.buffer.strip()
self._address = (item['host'], int(item['port']))
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
#self.bind( (item['own_host'], 0) )
self.set_reuse_addr()
self.identifier = "%s%s%s%s" % (self.dlident, item['host'],
item['port'], item['own_host'])
try:
self.connect(self._address)
self.active = True
except socket.error, e:
if e[0] == 111:
self.log_obj.log(
"failed to connect: connection refused (%s)" %
(item['host']), 12, "crit", False, False)
else:
self.log_obj.log(
"failed to connect: %s (%s)" % (e, item['host']), 12,
"crit", False, False)
### add host to refused list, block connections for 3 minutes
if config_dict['block_refused'] == 1:
item_id = str(item['host'])
self.event_dict['refused_connections'][item_id] = int(
time.time())
### close connection
self.active = False
self.handle_close()
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging("vuln_speedport", vuLogger)
### construct standard reply
self.reply = random_reply[:62]
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "STAGE1" and bytes>0:
print ".::[Amun - Speedport] collecting stage1 (bytes %s ip %s) ::." % (bytes,ip)
self.print_message(message)
resultSet['result'] = True
resultSet['accept'] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
elif self.stage == "SHELLCODE":
if bytes>0:
print ".::[Amun - Speedport] collecting shellcode (bytes %s ip %s) ::." % (bytes,ip)
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
print ".::[Amun - Speedport] finish collecting shellcode (bytes %s ip %s) ::." % (bytes,ip)
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
def incoming(self, attackerIP, attackerPort, victimIP, victimPort,
vulnName, timestamp, downloadMethod, loLogger, attackerID,
shellcodeName):
try:
self.log_obj = amun_logging.amun_logging("log_syslog", loLogger)
syslog_message = "Exploit: %s -> %s:%s %s (%s)" % (
attackerIP, victimIP, victimPort, vulnName, downloadMethod)
syslog.openlog('Amun', syslog.LOG_PID, syslog.LOG_LOCAL4)
syslog.syslog(syslog.LOG_WARNING, syslog_message)
syslog.closelog()
except KeyboardInterrupt:
raise
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging("vuln_symantec", vuLogger)
### construct standard reply
self.reply = []
for i in range(0, 64):
try:
self.reply.append("\x00")
except KeyboardInterrupt:
raise
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "SHELLCODE":
if bytes > 0:
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply) + '*'
self.shellcode.append(message)
self.stage = "SHELLCODE"
#resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def __init__(self, server, port, ident, secret, debug, loLogger):
self.debug = debug
self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger)
if self.debug: self.log_obj.log("log-hpfeeds hpfeeds client init broker {0}:{1}, identifier {2}".format(server, port, ident), 12, "debug", Log=True, display=True)
self.server, self.port = server, int(port)
self.ident, self.secret = ident.encode('latin1'), secret.encode('latin1')
self.unpacker = FeedUnpack()
self.state = 'INIT'
self.connect()
self.sendfiles = []
self.filehandle = None
def __init__(self, server, port, ident, secret, debug, loLogger):
self.debug = debug
self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger)
if self.debug: self.log_obj.log("log-hpfeeds hpfeeds client init broker {0}:{1}, identifier {2}".format(server, port, ident), 12, "crit", Log=True, display=True)
self.server, self.port = server, int(port)
self.ident, self.secret = ident.encode('latin1'), secret.encode('latin1')
self.unpacker = FeedUnpack()
self.state = 'INIT'
self.connect()
self.sendfiles = []
self.filehandle = None
def __init__(self, item, currDownl, currentSockets, divLogger, event_dict, config_dict, display_shell, authkey, decodersDict):
asyncore.dispatcher.__init__(self)
self.log_obj = amun_logging.amun_logging("connback_download", divLogger['download'])
self.connection_closed = False
self.shellcode_manager = shellcode_mgr_core.shell_mgr(decodersDict, divLogger['shellcode'], config_dict)
self.currentDownloads = currDownl
self.currentSockets = currentSockets
self.event_dict = event_dict
self.config_dict = config_dict
self.vulnName = item['vulnname']
self.downURL = item['displayURL']
self.dlident = item['dlident']
self.victimIP = item['own_host']
self.display_shell = display_shell
self.active = False
self.authkey = authkey
self.content = []
if self.display_shell:
if config_dict['verbose_logging']==1:
self.log_obj.log("displaying shell to %s" % (item['host']), 12, "debug", True, True)
self.shellemu = shellemulator.shellemulator(divLogger['shellemulator'])
self.buffer = self.shellemu.getShellInfoLine()
elif authkey!="None":
self.authkey = base64.b64decode(authkey)
self.buffer = self.authkey
else:
self.buffer = ''
self._address = (item['host'], int(item['port']))
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
#self.bind( (item['own_host'], 0) )
self.set_reuse_addr()
self.identifier = "%s%s%s%s" % (self.dlident, item['host'], item['port'], item['own_host'])
try:
self.connect( self._address )
self.active = True
except socket.error, e:
if e[0]==111:
if config_dict['verbose_logging']==1:
self.log_obj.log("failed to connect: connection refused (%s)" % (item['host']), 12, "crit", True, True)
else:
self.log_obj.log("failed to connect: connection refused (%s)" % (item['host']), 12, "crit", False, False)
else:
if config_dict['verbose_logging']==1:
self.log_obj.log("failed to connect: %s (%s)" % (e, item['host']), 12, "crit", True, True)
else:
self.log_obj.log("failed to connect: %s (%s)" % (e, item['host']), 12, "crit", False, False)
### add host to refused list, block connections for 3 minutes
if self.config_dict['block_refused'] == 1:
item_id = str(item['host'])
self.event_dict['refused_connections'][item_id] = int(time.time())
### close connection
self.active = False
self.handle_close()
def incoming(self, file_data, file_data_length, downMethod, attIP, victimIP, smLogger, md5hash, attackedPort, vulnName, downURL, fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_mysql", smLogger)
### current table
tableName = time.strftime('%Y%m%d')
if self.connectDB(self.log_obj):
### insert binary
self.insertBinary(tableName, md5hash, attIP, victimIP, downURL, file_data_length, file_data)
self.closeDB(self.log_obj)
else:
self.log_obj.log("log-mysql failed connection", 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
def initialConnection(self, attackerIP, attackerPort, victimIP, victimPort,
identifier, initialConnectionsDict, loLogger):
try:
self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger)
if self.connectClient(loLogger):
self.client.publish(AMUNCHAN,
attackerIP=attackerIP,
attackerPort=attackerPort,
victimIP=victimIP,
victimPort=victimPort)
except KeyboardInterrupt:
raise
def successfullSubmission(self, attackerIP, attackerPort, victimIP, downloadURL, md5hash, data, filelength, downMethod, loLogger, vulnName, fexists):
try:
self.log_obj = amun_logging.amun_logging("log_pgsql", loLogger)
### current table
tableName = time.strftime('%Y%m%d')
if self.connectDB(self.log_obj):
### insert binary
self.insertBinary(tableName, md5hash, attackerIP, victimIP, downloadURL, filelength, data)
self.closeDB(self.log_obj)
else:
self.log_obj.log("log-pgsql failed connection", 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
def initialConnection(self, attackerIP, attackerPort, victimIP, victimPort, identifier, initialConnectionsDict, loLogger):
try:
self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger)
if self.connectClient(loLogger):
self.client.publish(AMUNCHAN,
attackerIP=attackerIP,
attackerPort=attackerPort,
victimIP=victimIP,
victimPort=victimPort
)
except KeyboardInterrupt:
raise
def incoming(self, file_data, file_data_length, downMethod, attIP,
victimIP, smLogger, md5hash, attackedPort, vulnName, downURL,
fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_mwportal",
smLogger)
### check if already stored to disc than do not submit
if not fexists:
### submit to MWPortal for analysis
filename = "amun-%s.exe" % (md5hash)
files = []
files.append(("fileselect", filename, file_data))
(status, reason, response) = self.httprequest(files)
if (status == 200 and reason != "DEFAULT"):
self.log_obj.log("submit mwportal successfull",
12,
"div",
Log=False,
display=True)
#self.log_obj.log("mwportal result: %s" % (response), 12, "div", Log=True, display=False)
else:
self.log_obj.log(
"could not submit sample to mwportal: %s %s (%s)" %
(status, reason, response),
12,
"crit",
Log=True,
display=True)
except KeyboardInterrupt:
raise Exception("KeyboardError")
except StandardError as e:
self.log_obj.log("could not submit sample to mwportal: %s" % (e),
12,
"crit",
Log=True,
display=True)
except:
self.log_obj.log("could not submit sample to mwportal",
12,
"crit",
Log=True,
display=True)
import traceback
import sys
import StringIO
f = StringIO.StringIO()
traceback.print_exc(file=f)
print f.getvalue()
sys.exit(1)
def successfullSubmission(self, attackerIP, attackerPort, victimIP, downloadURL, md5hash, data, filelength, downMethod, loLogger, vulnName, fexists):
try:
self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger)
if self.connectClient(loLogger):
self.client.publish(AMUNCHAN,
attackerIP=attackerIP,
attackerPort=attackerPort,
victimIP=victimIP,
victimPort=victimPort,
downloadURL=downloadURL, md5hash=md5hash, data=data, filelength=filelength, downMethod=downMethod, vulnName=vulnName, fexists=fexists
)
except KeyboardInterrupt:
raise
def successfullSubmission(self, attackerIP, attackerPort, victimIP, downloadURL, md5hash, data, filelength, downMethod, loLogger, vulnName, fexists):
try:
self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger)
if self.connectClient(loLogger):
self.client.publish(AMUNCHAN,
connectionType='submission',
attackerIP=attackerIP,
attackerPort=attackerPort,
victimIP=victimIP,
downloadURL=downloadURL, md5hash=md5hash, data=data, filelength=filelength, downMethod=downMethod, vulnName=vulnName, fexists=fexists
)
except KeyboardInterrupt:
raise
def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName):
try:
self.log_obj = amun_logging.amun_logging("log_pgsql", loLogger)
### current table
tableName = time.strftime('%Y%m%d')
if self.connectDB(self.log_obj):
### insert new connection
self.insertConnection(tableName, attackerIP, attackerPort, victimIP, victimPort, vulnName)
self.closeDB(self.log_obj)
else:
self.log_obj.log("log-pgsql failed connection", 12, "crit", Log=True, display=True)
except KeyboardInterrupt:
raise
def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName):
try:
self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger)
if self.connectClient(loLogger):
self.client.publish(AMUNCHAN,
attackerIP=attackerIP,
attackerPort=attackerPort,
victimIP=victimIP,
victimPort=victimPort,
vulnName=vulnName, timestamp=timestamp, downloadMethod=downloadMethod, attackerID=attackerID, shellcodeName=shellcodeName
)
except KeyboardInterrupt:
raise
def incoming(self, file_data, file_data_length, downMethod, attIP, victimIP, smLogger, md5hash, attackedPort, vulnName, downURL, fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_md5", smLogger)
### store to disc
filename = "malware/md5sum/%s.bin" % (md5hash)
if not fexists:
fp = open(filename, 'a+b')
fp.write(file_data)
fp.close()
self.log_obj.log("download (%s): %s (size: %i) - %s" % (downURL, md5hash, file_data_length, vulnName.replace(' Vulnerability','')), 12, "div", Log=True, display=True)
else:
self.log_obj.log("file exists", 12, "crit", Log=False, display=False)
except KeyboardInterrupt:
raise
def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName):
try:
self.log_obj = amun_logging.amun_logging("log_hpfeeds", loLogger)
if self.connectClient(loLogger):
self.client.publish(AMUNCHAN,
connectionType='exploit',
attackerIP=attackerIP,
attackerPort=attackerPort,
victimIP=victimIP,
victimPort=victimPort,
vulnName=vulnName, timestamp=timestamp, downloadMethod=downloadMethod, attackerID=attackerID, shellcodeName=shellcodeName
)
except KeyboardInterrupt:
raise
def __init__(self, emuLogger):
self.log_obj = amun_logging.amun_logging("shellemulator", emuLogger)
os_id = random.randint(0,1)
if os_id==0:
self.shellInfo = "Microsoft Windows XP [Version 5.1.2600]\n(C) Copyright 1985-2001 Microsoft Corp.\n\nC:\\WINNT\\System32>"
self.prompt = "C:\\WINNT\\System32>"
else:
self.shellInfo = "Microsoft Windows 2000 [Version 5.00.2195]\n(C) Copyright 1985-2000 Microsoft Corp.\n\nC:\\WINDOWS\\System32>"
self.prompt = "C:\\WINDOWS\\System32>"
self.randomNumber = random.randint(255,5100)
self.computerName = "DESKTOP-%i" % (self.randomNumber)
self.attackerIP = None
self.ownIP = None
self.attackerPort = None
self.ownPort = None
self.defaultGW = None
def __init__(self, emuLogger):
self.log_obj = amun_logging.amun_logging("shellemulator", emuLogger)
os_id = random.randint(0, 1)
if os_id == 0:
self.shellInfo = "Microsoft Windows XP [Version 5.1.2600]\n(C) Copyright 1985-2001 Microsoft Corp.\n\nC:\\WINNT\\System32>"
self.prompt = "C:\\WINNT\\System32>"
else:
self.shellInfo = "Microsoft Windows 2000 [Version 5.00.2195]\n(C) Copyright 1985-2000 Microsoft Corp.\n\nC:\\WINDOWS\\System32>"
self.prompt = "C:\\WINDOWS\\System32>"
self.randomNumber = random.randint(255, 5100)
self.computerName = "DESKTOP-%i" % (self.randomNumber)
self.attackerIP = None
self.ownIP = None
self.attackerPort = None
self.ownPort = None
self.defaultGW = None
def __init__(self, item, port, event_dict, ftp_downloads, dlLogger, vulnName, currentSockets, bound_to_ip):
asyncore.dispatcher.__init__(self)
self.log_obj = amun_logging.amun_logging("ftp_download", dlLogger)
self.item = item
self.vulnName = vulnName
self.dlLogger = dlLogger
self.event_dict = event_dict
self.ftp_downloads = ftp_downloads
self.currentSockets = currentSockets
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
self.set_reuse_addr()
try:
self.bind( (bound_to_ip,port) )
except socket.error, e:
self.log_obj.log("port already in use?: %s - %s" % (port, e), 9, "crit", True, True)
return
def __init__(self, item, currDownl, event_dict, config_dict, currentSockets, dlLogger):
asyncore.dispatcher.__init__(self)
self.log_obj = amun_logging.amun_logging("http_download", dlLogger)
self.connection_closed = False
self.currentDownloads = currDownl
self.currentSockets = currentSockets
self.event_dict = event_dict
self.config_dict = config_dict
self.vulnName = item['vulnname']
self.downURL = item['displayURL']
self.dlident = item['dlident']
self.victimIP = item['own_host']
self.remote_ip = item['hostile_host']
self.active = False
self.received = StringIO()
self.header = []
self.content = []
self.content_length = 0
### check for incomplete path
if item['path'] == '/x.' or item['path'] == '/x.e' or item['path'] == '/x.ex':
item['path'] = '/x.exe'
#self.buffer = 'GET %s HTTP/1.0\r\nUser-Agent: Microsoft Internet Explorer\nAccept: */*\nHost: %s\nConnection: close\r\n\r\n' % (item['path'], item['host'])
#self.buffer = 'GET %s HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; NN4.1.0.0; .NET CLR 1.1.4322)\nAccept: */*\nHost: %s\nConnection: close\r\n\r\n' % (item['path'], item['host'])
self.buffer = 'GET %s HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\nAccept: */*\nHost: %s\nConnection: close\r\n\r\n' % (item['path'], item['host'])
self.path = self.buffer.strip()
self._address = (item['host'], int(item['port']))
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
#self.bind( (item['own_host'], 0) )
self.set_reuse_addr()
self.identifier = "%s%s%s%s" % (self.dlident, item['host'], item['port'], item['own_host'])
try:
self.connect( self._address )
self.active = True
except socket.error, e:
if e[0]==111:
self.log_obj.log("failed to connect: connection refused (%s)" % (item['host']), 12, "crit", False, False)
else:
self.log_obj.log("failed to connect: %s (%s)" % (e, item['host']), 12, "crit", False, False)
### add host to refused list, block connections for 3 minutes
if config_dict['block_refused'] == 1:
item_id = str(item['host'])
self.event_dict['refused_connections'][item_id] = int(time.time())
### close connection
self.active = False
self.handle_close()
def __init__(self, item, port, event_dict, ftp_downloads, dlLogger,
vulnName, currentSockets, bound_to_ip):
asyncore.dispatcher.__init__(self)
self.log_obj = amun_logging.amun_logging("ftp_download", dlLogger)
self.item = item
self.vulnName = vulnName
self.dlLogger = dlLogger
self.event_dict = event_dict
self.ftp_downloads = ftp_downloads
self.currentSockets = currentSockets
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
self.set_reuse_addr()
try:
self.bind((bound_to_ip, port))
except socket.error, e:
self.log_obj.log("port already in use?: %s - %s" % (port, e), 9,
"crit", True, True)
return
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging("vuln_veritas", vuLogger)
### construct standard reply
self.reply = random_reply[:62]
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "SHELLCODE":
if bytes > 0:
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging("vuln_veritas", vuLogger)
### construct standard reply
self.reply = random_reply[:62]
### prepare default resultSet
resultSet = {}
resultSet["vulnname"] = self.vuln_name
resultSet["accept"] = False
resultSet["result"] = False
resultSet["shutdown"] = False
resultSet["reply"] = "None"
resultSet["stage"] = self.stage
resultSet["shellcode"] = "None"
resultSet["isFile"] = False
if self.stage == "SHELLCODE":
if bytes>0:
resultSet["result"] = True
resultSet["accept"] = True
resultSet['reply'] = "".join(self.reply)
self.shellcode.append(message)
self.stage = "SHELLCODE"
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = True
resultSet["reply"] = "None"
self.shellcode.append(message)
resultSet["shellcode"] = "".join(self.shellcode)
return resultSet
else:
resultSet["result"] = False
resultSet["accept"] = False
resultSet["reply"] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
def incoming(self, attackerIP, attackerPort, victimIP, victimPort,
vulnName, timestamp, downloadMethod, loLogger, attackerID,
shellcodeName):
try:
self.log_obj = amun_logging.amun_logging("log_mail", loLogger)
### construct message header
### From, To, and Subject
Subject = "Amun Exploit from: %s" % (attackerIP)
RecipientRow = ",".join(self.RecipientList)
MessageHeader = "From: %s\r\nTo: %s\r\nSubject: %s \r\n" % (
self.mailFrom, RecipientRow, Subject)
### If ReplyTo is set, add to header
if self.mailReplyTo != "":
MessageHeader += "ReplyTo: %s\r\n" % (self.mailReplyTo)
if len(self.mailCCList) > 0:
MessageHeader += "CC: %s\r\n" % (",".join(self.mailCCList))
### set character encoding
charencode = "Content-Type: text/plain; charset=iso-8859-1"
MessageHeader += "%s\r\n" % (charencode)
### finalize Message Header
MessageHeader += "\r\n"
### eMail Body
MailBody = self.mailBody
ExploitLine = "\n\nTimestamp: %s\nExploit: %s:%s -> %s:%s %s (%s)" % (
time.ctime(int(timestamp)), attackerIP, attackerPort, victimIP,
victimPort, vulnName, downloadMethod)
### construct final eMail
Message = str(MessageHeader) + str(MailBody) + str(ExploitLine)
### connect to mailserver and send email
try:
Server = smtplib.SMTP(self.smtpServer, int(self.smtpPort))
Server.set_debuglevel(0)
Server.sendmail(self.mailFrom, self.RecipientList, Message)
Server.quit()
except:
self.log_obj.log("failed sending email message",
12,
"crit",
Log=True,
display=True)
except KeyboardInterrupt:
raise
def incoming(self, file_data, file_data_length, downMethod, attIP,
victimIP, smLogger, md5hash, attackedPort, vulnName, downURL,
fexists):
try:
self.log_obj = amun_logging.amun_logging("submit_mysql", smLogger)
### current table
tableName = time.strftime('%Y%m%d')
if self.connectDB(self.log_obj):
### insert binary
self.insertBinary(tableName, md5hash, attIP, victimIP, downURL,
file_data_length, file_data)
self.closeDB(self.log_obj)
else:
self.log_obj.log("log-mysql failed connection",
12,
"crit",
Log=True,
display=True)
except KeyboardInterrupt:
raise
def __init__(self, divLogger):
self.remote_ip = None
self.remote_port = None
self.own_ip = None
self.own_port = None
self.identifier = None
self.in_buffer_size = 1024
self.in_buffer = ""
self.out_buffer = ""
self.connected = True
self.set_terminator(None)
### FIXME: configuration file
self.enableProxy = False
self.proxytoIP = "127.0.0.1"
self.proxyMode = False
self.proxyShellcode = []
self.proxyReplies = []
self.proxyRequests = []
self.proxyTimedOut = False
self.proxyResult = None
self.sendRequest = ""
self.log_obj = amun_logging.amun_logging("amun_request_handler", divLogger['requestHandler'])
def incoming(self, attackerIP, attackerPort, victimIP, victimPort, vulnName, timestamp, downloadMethod, loLogger, attackerID, shellcodeName):
try:
if shellcodeName=="None":
return
self.log_obj = amun_logging.amun_logging("log_blastomat", loLogger)
tstart = timestamp
tend = timestamp
proceed = "Kick"
type = "Exploit"
secret = "testing"
blastHost = "127.0.0.1"
blastPort = 12345
mess = "%s%s%s%s%s%s" % (type,attackerIP,tstart,tend,proceed,secret)
shahash = sha.sha(mess).hexdigest()
message = '<?xml version="1.0" encoding="UTF-8"?>'
message += '<!DOCTYPE BlastEvent SYSTEM "xmlblast.dtd">'
message += '<BlastEvent>'
message += '<Type>%s</Type>' % (type)
message += '<IP>%s</IP>' % (attackerIP)
message += '<TStart>%s</TStart>' % (tstart)
message += '<TEnd>%s</TEnd>' % (tend)
message += '<Proceed>%s</Proceed>' % (proceed)
message += '<Ports>%s</Ports>' % (victimPort)
message += '<Module>%s</Module>' % (vulnName)
message += '<Hash>%s</Hash>' % (shahash)
message += '</BlastEvent>'
addr = (blastHost, blastPort)
UDPSock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
if(UDPSock.sendto(message,addr)):
self.log_obj.log("blast-o-mat message for %s send (%s)" % (attackerIP,shellcodeName), 12, "crit", Log=True, display=True)
else:
self.log_obj.log("failed sending message to blast-o-mat", 12, "crit", Log=True, display=False)
UDPSock.close()
self.log_obj.log("blast-o-mat: %s" % (message), 12, "crit", Log=True, display=False)
except KeyboardInterrupt:
raise
def __init__(self, divLogger):
self.remote_ip = None
self.remote_port = None
self.own_ip = None
self.own_port = None
self.identifier = None
self.in_buffer_size = 1024
self.in_buffer = ""
self.out_buffer = ""
self.connected = True
self.set_terminator(None)
### FIXME: configuration file
self.enableProxy = False
self.proxytoIP = "127.0.0.1"
self.proxyMode = False
self.proxyShellcode = []
self.proxyReplies = []
self.proxyRequests = []
self.proxyTimedOut = False
self.proxyResult = None
self.sendRequest = ""
self.log_obj = amun_logging.amun_logging("amun_request_handler",
divLogger['requestHandler'])
def __init__(self, item, currDownl, tftp_downloads, event_dict, dlLogger,
config_dict):
asyncore.dispatcher.__init__(self)
self.log_obj = amun_logging.amun_logging("tftp_download", dlLogger)
self.file = item['path']
self._address = (item['host'], int(item['port']))
self.tftp_downloads = tftp_downloads
self.currentDownloads = currDownl
self.event_dict = event_dict
self.item = item
self.active = True
if config_dict['store_unfinished_tftp']:
self.complete = True
else:
self.complete = False
### send buffer
self.buffer = ''
self.max_retries = config_dict['tftp_max_retransmissions']
self.tmp_max_retries = self.max_retries
### receive parameters
self.rcv_packet = []
self.blk_size = 516
### setup socket
self.create_socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
udp_port = random.randint(5062, 62535)
self.bind((item['own_host'], udp_port))
except socket.error, e:
self.log_obj.log("UDP Port busy: %i" % (udp_port), 6, "crit", True,
True)
self.handle_close()
return
def incoming(self, message, bytes, ip, vuLogger, random_reply, ownIP):
try:
self.log_obj = amun_logging.amun_logging('vuln_axigen', vuLogger)
self.reply = []
for i in range(0, 510):
try:
self.reply.append("\x00")
except KeyboardInterrupt:
raise
resultSet = {}
resultSet['vulnname'] = self.vuln_name
resultSet['result'] = False
resultSet['accept'] = False
resultSet['shutdown'] = False
resultSet['reply'] = "None"
resultSet['stage'] = self.stage
resultSet['shellcode'] = "None"
resultSet["isFile"] = False
if self.stage == "AXIGEN_STAGE1" and bytes == 254:
resultSet['result'] = False
resultSet['accept'] = True
self.shellcode.append(message)
resultSet['shellcode'] = "".join(self.shellcode)
return resultSet
else:
resultSet['result'] = False
resultSet['reply'] = "None"
return resultSet
return resultSet
except KeyboardInterrupt:
raise
except StandardError, e:
print e
return resultSet