def do_ps_ls(self, arg):
'''
Display all the files accessed by the specified process
If you also want to filter on the file name, then use
ps_cd to establish a process context then ls <file_name_filter>
Examples:
ps_ls <pid>
ps_ls <descriptor address>
'''
if (self.sqlite_conn is None):
sys.stderr.write(
"Please load a database first with the load_db command\n")
return
arg = arg.strip()
process_filter = ""
if (arg):
try:
int(arg)
process_filter = "WHERE pid = %s" % arg
except ValueError:
process_filter = "WHERE desc_address = '%s'" % arg
else:
sys.stderr.write(
"Please specify a process PID or descriptor address\n")
return
cursor = self.sqlite_conn.cursor()
resp = cursor.execute("SELECT id, pid, desc_address FROM process %s" %
process_filter).fetchall()
for pRow in resp:
'''
This query accounts for both image loads + file i/o
'''
query = "SELECT name, COALESCE(op, ''), COALESCE(process.pid, ''), COALESCE(desc_address, ''), COALESCE(data, ''), \
time FROM operation LEFT JOIN process ON target_p_id = process.id JOIN \
resource ON r_id = resource.id WHERE target_p_id = %s AND type = 'F' \
UNION \
SELECT name, COALESCE(op, ''), '', '', COALESCE(data, ''), \
time FROM operation JOIN process ON p_id = process.id JOIN \
resource ON r_id = resource.id WHERE p_id = %s AND type = 'F' AND target_p_id IS NULL ORDER BY time" % \
(pRow[0], pRow[0])
table = BeautifulTable(max_width=160)
table.column_headers = [
"Name", "Operation", "Target PID", "Target PID Descriptor",
"Aux Data", "First Seen"
]
for row in cursor.execute(query):
table.append_row(row)
print("\n")
print(banner("Process %s (%s)" % (pRow[1], pRow[2])))
print(table)
print("Total: %d\n" % len(table))
def print_process_report(self, pid, descriptor, image, report_data):
for data in report_data:
if data[0] == Analyst.DATA_TYPE_PROCESS_INFO:
print("%s\n" % data[1])
elif data[0] == Analyst.DATA_TYPE_ANALYST_HEADING:
print("\n")
print(banner(data[1], "=", 80))
elif data[0] == Analyst.DATA_TYPE_ANALYST_PROCESS_DATA:
self.print_process_report(pid, descriptor, image, data[1])
elif data[0] in [
Analyst.DATA_TYPE_TABLE_DATA,
Analyst.PROCESS_ANALYST_SCORES_TABLE
]:
print(data[1])
print("Number of results: %s\n" % len(data[1]))
print("\n")
else:
print(data[1])
def do_ps_reqs(self, arg):
'''
Lists the process requests made by the specified process
using the process PID or address descriptor.
Note that if you use the PID, due to the
OS possibly reusing the PID, you may get more than one process back
Examples:
ps_reqs 4608
ps_reqs 0x00000073
ps_reqs if already in a process context (using ps_cd)
'''
if (self.sqlite_conn is None):
sys.stderr.write(
"Please load a database first with the load_db command\n")
return
if not arg:
if self.process_context:
arg = self.process_context
else:
sys.stderr.write(
"Please specify a process id or descriptor address\n")
return
arg = arg.strip()
process_filter = ""
if (arg):
try:
int(arg)
process_filter = "WHERE pid = %s" % arg
except ValueError:
#assume its a process descriptor
process_filter = "WHERE desc_address = '%s'" % arg
cursor = self.sqlite_conn.cursor()
resp = cursor.execute(
"SELECT id, desc_address, COALESCE(image,''), pid FROM process %s"
% process_filter).fetchall()
if not len(resp):
sys.stderr.write("Invalid process pid, %s, specified\n" % arg)
return
table = BeautifulTable(max_width=160)
for row in resp:
table.column_headers = [
"Time", "Operation", "Target PID", "Target Descriptor",
"Target Image"
]
initiating = cursor.execute(
"SELECT time, data, pid, desc_address, COALESCE(image, '') FROM operation \
JOIN process ON target_p_id = process.id WHERE p_id = %s AND op = 'PROCESS-ACCESS-REQ'"
% row[0])
for rowIni in initiating:
table.append_row(rowIni)
print("\n")
print(banner("Process %s (%s)" % (row[3], row[1])))
print("Image: %s\n" % row[2])
print("Operations Initiated By This Process:")
print(table)
print("Total: %d\n" % len(table))
table.clear()
table.column_headers = [
"Time", "Operation", "Initiator PID", "Initiator Descriptor",
"Initiator Image"
]
initiating = cursor.execute(
"SELECT time, data, pid, desc_address, COALESCE(image, '') FROM operation \
JOIN process ON p_id = process.id WHERE target_p_id = %s AND op = 'PROCESS-ACCESS-REQ'"
% row[0])
for rowIni in initiating:
table.append_row(rowIni)
print("\nOperations In Which This Process Is The Target:")
print(table)
print("Total: %d\n" % len(table))
table.clear()
def do_ls(self, arg):
'''
List the file resources contained in the database.
The returned files can be filtered by using globs. Example: ls *ntdll.dll*
If in a process context (via ps_cd <pid>), shows only the file resources accessed by this process
in addition to the type of access, i.e. READ, WRITE, etc. You can also filter for specific files
in this context using ls *NickVirus*
'''
if (self.sqlite_conn is None):
sys.stderr.write(
"Please load a database first with the load_db command\n")
return
if self.prompt == self.CONST_DEFAULT_PROMPT:
query = "SELECT id, name, first_seen FROM resource WHERE type = 'F'"
cursor = self.sqlite_conn.cursor()
arg = arg.strip()
if arg:
query = "SELECT id, name, first_seen FROM resource WHERE type = 'F' AND name LIKE '%s'" % arg.replace(
"*", "%")
try:
table = BeautifulTable(max_width=160)
table.column_headers = ["Resource Id", "Name", "First Seen"]
for row in cursor.execute(query):
table.append_row(row)
if not len(table):
sys.stderr.write("No file with name %s found\n" % arg)
return
print(table)
print("\n")
print("Total: %d\n" % len(table))
if arg:
table.clear(True)
table.column_headers = [
"Time", "PID", "Process Descriptor", "Process Image",
"Target PID", "Target Descriptor", "Target Image",
"Operation", "Aux Data"
]
for row in cursor.execute(
"SELECT time, p1.pid, p1.desc_address, COALESCE(p1.image, ''), \
COALESCE(p2.pid, ''), COALESCE(p2.desc_address, ''), COALESCE(p2.image, ''), op, COALESCE(data,'') \
FROM operation JOIN process p1 ON p_id = p1.id LEFT JOIN \
process p2 ON target_p_id = p2.id JOIN resource ON \
r_id = resource.id WHERE name LIKE '%s'" %
arg.replace("*", "%")):
table.append_row(row)
if len(table):
print("Accessed by process(es) ...")
print(table)
print("\n")
print("Total: %d\n" % len(table))
except Exception as e:
print(e)
sys.stderr.write("Invalid file name specified")
else:
searchOnNameClause = ""
arg = arg.strip()
if arg:
searchOnNameClause = "AND name LIKE '%s'" % arg.replace(
"*", "%")
process_filter = ""
try:
int(self.process_context)
process_filter = "WHERE pid = %s" % self.process_context
except:
process_filter = "WHERE desc_address = '%s'" % self.process_context
cursor = self.sqlite_conn.cursor()
resp = cursor.execute(
"SELECT id, pid, desc_address FROM process %s" %
process_filter).fetchall()
for pRow in resp:
'''
This query accounts for both image loads + file i/o
'''
query = "SELECT name, COALESCE(op, ''), COALESCE(process.pid, ''), COALESCE(desc_address, ''), COALESCE(data, ''), \
time FROM operation LEFT JOIN process ON target_p_id = process.id JOIN \
resource ON r_id = resource.id WHERE target_p_id = %s AND type = 'F' %s \
UNION \
SELECT name, COALESCE(op, ''), '', '', COALESCE(data, ''), \
time FROM operation JOIN process ON p_id = process.id JOIN \
resource ON r_id = resource.id WHERE p_id = %s AND type = 'F' AND target_p_id IS NULL %s ORDER BY time" % \
(pRow[0], searchOnNameClause, pRow[0], searchOnNameClause)
print("\n")
print(banner("Process %s (%s)" % (pRow[1], pRow[2])))
table = BeautifulTable(max_width=160)
table.column_headers = [
"Name", "Operation", "Target PID", "Target PID Descriptor",
"Aux Data", "First Seen"
]
for row in cursor.execute(query):
table.append_row(row)
print(table)
print("Total: %d\n" % len(table))
from utils.utilities import parse_url, banner
menu = argparse.ArgumentParser(
"\n[+] mmpublish scanner tool to exploit misconfigured mmpublish instances\n"
)
menu.add_argument("-u",
"--url",
help="[+] URL to scan\n",
required=True,
type=str)
menu.add_argument("--passfile", help="[+] file with passwords\n", type=str)
menu.add_argument("--userfile", help="[+] file with users\n", type=str)
args = menu.parse_args()
url = args.url
passfile = args.passfile
user_file = args.userfile
banner()
obj = Coffe(parse_url(url))
obj.is_alive()
obj.get_info_robots()
obj.find_dwr_view()
obj.find_dwr()
obj.get_groups()
obj.find_admin_path()
obj.brute_dwr_path()
obj.exploit_user_email()
obj.get_users_login()
obj.get_user_remind()
obj.all_users_remainders()