def __replace_tag_localip(self):
"""
Replace tag [LOCALIP] by the local IP address in self.formatted_cmdline.
"""
pattern = re.compile('\[LOCALIP\]', re.IGNORECASE)
self.formatted_cmdline = pattern.sub(NetUtils.get_local_ip_address(),
self.formatted_cmdline)
def run(self, target):
try:
self.command = Command(self.rawcmd, self.type)
except CommandException as e:
logger.error(e)
return None
# Build script to run
if self.type == 'rce-blind':
logger.warning('WARNING: This attack box must be reachable from the target !')
logger.info('If target is vulnerable, exploit will try to ping local ' \
'IP = {localip} from target'.format(
localip=NetUtils.get_local_ip_address()))
print(self.command.get_cmdline(target))
script = SCRIPT_RCE_BLIND.format(
exploit_dir=self.directory,
command=self.command.get_cmdline(target))
elif self.type == 'rce-standard':
script = self.command.get_cmdline(target)
else:
logger.error('Unsupported exploit type')
return None
# Run subprocess
try:
logger.info('Exploit will be run from directory: {directory}'.format(
directory=self.directory))
proc = subprocess.Popen(script,
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
# Agressivelly get the output
while True:
out = proc.stdout.read(1)
# We put that inside try block to avoid utf8 decoding error
try:
out = out.decode(sys.stdout.encoding)
sys.stdout.write(out)
self.output += out
except:
pass
# Break if process has finished
if out == '' and proc.poll() != None:
break
except Exception as e:
logger.error('Error when trying to run command: {exception}'.format(
exception=e))
return None
return self.output
def get_cmdline(self, target):
cmdline = self.rawcmd
# Replace tag [IP]
pattern = re.compile('\[IP\]', re.IGNORECASE)
cmdline = pattern.sub(target.ip, cmdline)
# Replace tag [PORT]
pattern = re.compile('\[PORT\]', re.IGNORECASE)
cmdline = pattern.sub(target.port, cmdline)
# Replace tag [URL]
pattern = re.compile('\[URL\]', re.IGNORECASE)
cmdline = pattern.sub(target.url, cmdline)
# Replace tag [URIPATH]
pattern = re.compile('\[URIPATH\]', re.IGNORECASE)
try:
o = urllib.parse.urlparse(url)
uripath = o.path or '/'
except:
uripath = '/'
cmdline = pattern.sub(uripath, cmdline)
# Replace tag [SSL true="..."]
pattern = re.compile(
r'\[SSL\s+true\s*=\s*[\'"](?P<option>.*?)[\'"]\s*\]',
re.IGNORECASE)
m = pattern.search(cmdline)
if target.ssl == True:
cmdline = pattern.sub(m.group('option'), cmdline)
else:
cmdline = pattern.sub('', cmdline)
# Replace tag [CMD]
if '[cmd]' in cmdline.lower():
try:
pattern = re.compile('\[CMD\]', re.IGNORECASE)
if CMD[self.type]['linux'] != CMD[self.type]['windows']:
cmdline_lin = pattern.sub(CMD[self.type]['linux'], cmdline)
cmdline_win = pattern.sub(CMD[self.type]['windows'],
cmdline)
cmdline = '{0}; {1}'.format(cmdline_lin, cmdline_win)
else:
cmdline = pattern.sub(CMD[self.type]['linux'], cmdline)
except Exception as e:
raise CommandException(e)
elif '[cmdlinux]' in cmdline.lower(
) or '[cmdwindows]' in cmdline.lower():
pattern = re.compile('\[CMDLINUX\]', re.IGNORECASE)
cmdline = pattern.sub(CMD[self.type]['linux'], cmdline)
pattern = re.compile('\[CMDWINDOWS\]', re.IGNORECASE)
cmdline = pattern.sub(CMD[self.type]['windows'], cmdline)
# Replace tag [LOCALIP]
localip = NetUtils.get_local_ip_address()
if localip == '127.0.0.1':
raise CommandException('Unable to get local IP address')
pattern = re.compile('\[LOCALIP\]', re.IGNORECASE)
cmdline = pattern.sub(localip, cmdline)
return cmdline
def run(self, target, mode, rce_command=''):
"""
:param Target targer: Target instance
:param str mode: mode can be either "detect" or "exploit"
:param str rce_command: RCE command to run when running exploit (requires mode=exploit)
"""
try:
if mode == 'detect':
self.command = Command(self.detection_rawcmd, self.type)
elif mode == 'exploit':
self.command = Command(self.exploit_rawcmd, self.type, self.exploit_rce_output)
except CommandException as e:
logger.error(e)
return None
# Build script to run
if mode == 'exploit':
if self.type == 'rce':
if not self.exploit_rce_output:
logger.warning('The exploit will attempt to execute command on remote system but no '
'output will be available !')
# For RCE exploit without command output in test mode (no rce_command provided):
# Use script template that check for reverse connection with ICMP ping and HTTP requests
if len(rce_command) == 0:
logger.warning('WARNING: This attack box must be reachable from the target !')
logger.info('No command supplied to run through RCE, automatic exploit test will be started...')
logger.info('If target is vulnerable, exploit will try to ping (ICMP Echo request) and '
'to send HTTP request to local IP = {localip} from target'.format(
localip=NetUtils.get_local_ip_address()))
cmdline = self.command.get_cmdline(target)
print(cmdline)
script = SCRIPT_RCE_BLIND.format(
exploit_dir=self.directory,
command=cmdline)
else:
cmdline = self.command.get_cmdline(target, rce_command)
print(cmdline)
script = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
script += cmdline
else:
if len(rce_command) == 0:
logger.info('No command supplied to run through RCE, automatic exploit test will be started...')
logger.info('If target is vulnerable, exploit will try to run an echo command on target')
cmdline = self.command.get_cmdline(target)
print(cmdline)
script = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
script += cmdline
else:
cmdline = self.command.get_cmdline(target, rce_command)
print(cmdline)
script = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
script += cmdline
else:
cmdline = self.command.get_cmdline(target)
print(cmdline)
script = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
script += cmdline
else:
logger.warning('The script will attempt to detect if remote system is vulnerable without '
'actually exploiting the vulnerability.')
logger.warning('WARNING: False Positive is possible !')
cmdline = self.command.get_cmdline(target)
script = 'cd {exploit_dir}; '.format(exploit_dir=self.directory)
script += cmdline
# Run subprocess
try:
logger.info('{script} will be run from directory: {directory}'.format(
script='Exploit' if mode == 'exploit' else 'Detection script',
directory=self.directory))
proc = subprocess.Popen(script,
shell=True,
executable='/bin/bash',
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
# Agressivelly get the output
while True:
out = proc.stdout.read(1)
# We put that inside try block to avoid utf8 decoding error
try:
out = out.decode(sys.stdout.encoding)
sys.stdout.write(out)
self.output += out
except:
pass
# Break if process has finished
if out == '' and proc.poll() != None:
break
except Exception as e:
logger.error('Error when trying to run command: {exception}'.format(
exception=e))
return None
return self.output
def __replace_tag_localip(self):
pattern = re.compile('\[LOCALIP\]', re.IGNORECASE)
self.parsed_cmdline = pattern.sub(NetUtils.get_local_ip_address(),
self.parsed_cmdline)
def get_cmdline(self, target, rce_command=''):
"""
:param Target target: Target instance
:param str rce_command: Command to execute on vulnerable system through RCE vuln
"""
cmdline = self.rawcmd
# Replace tag [IP]
pattern = re.compile('\[IP\]', re.IGNORECASE)
cmdline = pattern.sub(target.ip, cmdline)
# Replace tag [PORT]
pattern = re.compile('\[PORT\]', re.IGNORECASE)
cmdline = pattern.sub(str(target.port), cmdline)
# Replace tag [URL]
pattern = re.compile('\[URL\]', re.IGNORECASE)
cmdline = pattern.sub(str(target.url), cmdline)
# Replace tag [BASEURL]
pattern = re.compile('\[BASEURL\]', re.IGNORECASE)
baseurl = target.url.split('//')[0] + '//' + target.url.split(
'//')[1].split('/')[0]
cmdline = pattern.sub(str(baseurl), cmdline)
# Replace tag [URIPATH]
pattern = re.compile('\[URIPATH\]', re.IGNORECASE)
try:
o = urllib.parse.urlparse(url)
uripath = o.path or '/'
except:
uripath = '/'
cmdline = pattern.sub(uripath, cmdline)
# Replace tag [SSL true="..."]
pattern = re.compile(
r'\[SSL\s+true\s*=\s*[\'"](?P<option>.*?)[\'"]\s*\]',
re.IGNORECASE)
m = pattern.search(cmdline)
if m:
if target.ssl == True:
cmdline = pattern.sub(m.group('option'), cmdline)
else:
cmdline = pattern.sub('', cmdline)
# Replace tag [CMD]
if '[cmd]' in cmdline.lower():
try:
pattern = re.compile('\[CMD\]', re.IGNORECASE)
# If command provided by user, replace tag by this command, otherwise
# use the predefined commands for automatic test
if len(rce_command) > 0:
cmdline = pattern.sub(rce_command, cmdline)
else:
if self.type == 'rce' and not self.exploit_rce_output:
cmdline_lin = pattern.sub(CMD['rce-blind']['linux'],
cmdline)
cmdline_lin2 = pattern.sub(CMD['rce-blind']['linux2'],
cmdline)
cmdline_lin3 = pattern.sub(CMD['rce-blind']['linux3'],
cmdline)
cmdline_win = pattern.sub(CMD['rce-blind']['windows'],
cmdline)
cmdline = '{0}; {1}; {2}; {3}'.format(
cmdline_lin, cmdline_lin2, cmdline_lin3,
cmdline_win)
else:
cmdline = pattern.sub(CMD['rce-standard']['linux'],
cmdline)
except Exception as e:
raise CommandException(e)
# Special case where Linux/Windows command line differ
elif '[cmdlinux]' in cmdline.lower(
) or '[cmdwindows]' in cmdline.lower():
try:
pattern_linux = re.compile('\[CMDLINUX\]', re.IGNORECASE)
pattern_windows = re.compile('\[CMDWINDOWS\]', re.IGNORECASE)
# If command provided by user, replace both tag by this command, otherwise
# use the predefined commands for automatic test
if len(rce_command) > 0:
cmdline = pattern_linux.sub(rce_command, cmdline)
cmdline = pattern_windows.sub(rce_command, cmdline)
else:
if self.type == 'rce' and not self.exploit_rce_output:
# Replace [CMDLINUX]
cmdline_lin = pattern_linux.sub(
CMD['rce-blind']['linux'], cmdline)
cmdline_lin2 = pattern_linux.sub(
CMD['rce-blind']['linux2'], cmdline)
cmdline_lin3 = pattern_linux.sub(
CMD['rce-blind']['linux3'], cmdline)
cmdline = '{0}; {1}; {2}'.format(
cmdline_lin, cmdline_lin2, cmdline_lin3)
# Replace [CMDWINDOWS]
cmdline = pattern_windows.sub(
CMD['rce-blind']['windows'], cmdline)
else:
# Replace [CMDLINUX]
cmdline = pattern_linux.sub(
CMD['rce-standard']['linux'], cmdline)
# Replace [CMDWINDOWS]
cmdline = pattern_windows.sub(
CMD['rce-standard']['windows'], cmdline)
except Exception as e:
raise CommandException(e)
# Replace tag [LOCALIP]
localip = NetUtils.get_local_ip_address()
if localip == '127.0.0.1':
raise CommandException('Unable to get local IP address')
pattern = re.compile('\[LOCALIP\]', re.IGNORECASE)
cmdline = pattern.sub(localip, cmdline)
return cmdline