JoomlaRegPrivExploit.py 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231
  1. import logging
  2. from random import randint
  3. from lea import Lea
  4. from scapy.layers.inet import Ether
  5. from scapy.utils import RawPcapReader
  6. from Attack import BaseAttack
  7. from Attack.AttackParameters import Parameter as Param
  8. from Attack.AttackParameters import ParameterTypes
  9. import ID2TLib.Utility as Util
  10. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  11. # noinspection PyPep8
  12. class JoomlaRegPrivExploit(BaseAttack.BaseAttack):
  13. template_attack_pcap_path = Util.RESOURCE_DIR + "joomla_registration_privesc.pcap"
  14. # HTTP port
  15. http_port = 80
  16. # Metasploit experiments show this range of ports
  17. minDefaultPort = 30000
  18. maxDefaultPort = 50000
  19. def __init__(self):
  20. """
  21. Creates a new instance of the Joomla Registeration Privileges Escalation Exploit.
  22. """
  23. # Initialize attack
  24. super(JoomlaRegPrivExploit, self).__init__("JoomlaRegPrivesc Exploit", "Injects an JoomlaRegPrivesc exploit'",
  25. "Privilege elevation")
  26. # Define allowed parameters and their type
  27. self.supported_params.update({
  28. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  29. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  30. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  31. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  32. Param.PORT_DESTINATION: ParameterTypes.TYPE_PORT,
  33. Param.TARGET_HOST: ParameterTypes.TYPE_DOMAIN,
  34. #Param.TARGET_URI: ParameterTypes.TYPE_URI,
  35. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  36. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  37. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  38. })
  39. def init_params(self):
  40. """
  41. Initialize the parameters of this attack using the user supplied command line parameters.
  42. Use the provided statistics to calculate default parameters and to process user
  43. supplied queries.
  44. :param statistics: Reference to a statistics object.
  45. """
  46. # PARAMETERS: initialize with default utilsvalues
  47. # (values are overwritten if user specifies them)
  48. # Attacker configuration
  49. most_used_ip_address = self.statistics.get_most_used_ip_address()
  50. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  51. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  52. # Victim configuration
  53. random_ip_address = self.statistics.get_random_ip_address()
  54. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  55. destination_mac = self.statistics.get_mac_address(random_ip_address)
  56. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  57. destination_mac = self.generate_random_mac_address()
  58. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  59. self.add_param_value(Param.PORT_DESTINATION, self.http_port)
  60. # self.add_param_value(Param.TARGET_URI, '/')
  61. self.add_param_value(Param.TARGET_HOST, "www.hackme.com")
  62. # Attack configuration
  63. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  64. self.add_param_value(Param.PACKETS_PER_SECOND,
  65. (self.statistics.get_pps_sent(most_used_ip_address) +
  66. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  67. def generate_attack_pcap(self):
  68. # Timestamp
  69. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  70. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  71. # Calculate complement packet rates of BG traffic per interval
  72. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  73. # Initialize parameters
  74. packets = []
  75. mac_source = self.get_param_value(Param.MAC_SOURCE)
  76. ip_source = self.get_param_value(Param.IP_SOURCE)
  77. port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  78. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  79. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  80. port_destination = self.get_param_value(Param.PORT_DESTINATION)
  81. target_host = self.get_param_value(Param.TARGET_HOST)
  82. target_uri = "/" #self.get_param_value(Param.TARGET_URI)
  83. # Check ip.src == ip.dst
  84. self.ip_src_dst_equal_check(ip_source, ip_destination)
  85. path_attack_pcap = None
  86. # Set TTL based on TTL distribution of IP address
  87. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  88. if len(source_ttl_dist) > 0:
  89. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  90. source_ttl_value = source_ttl_prob_dict.random()
  91. else:
  92. source_ttl_value = Util.handle_most_used_outputs(self.statistics.process_db_query("most_used(ttlValue)"))
  93. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  94. if len(destination_ttl_dist) > 0:
  95. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  96. destination_ttl_value = destination_ttl_prob_dict.random()
  97. else:
  98. destination_ttl_value = Util.handle_most_used_outputs(self.statistics.process_db_query("most_used(ttlValue)"))
  99. # Inject Joomla_registration_privesc
  100. # Read joomla_registration_privesc pcap file
  101. orig_ip_dst = None
  102. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  103. inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets,True)
  104. exploit_raw_packets.close()
  105. timeSteps = Lea.fromValFreqsDict(inter_arrival_time_dist)
  106. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  107. # Random TCP sequence numbers
  108. global attacker_seq
  109. attacker_seq = randint(1000,50000)
  110. global victim_seq
  111. victim_seq = randint(1000,50000)
  112. for pkt_num, pkt in enumerate(exploit_raw_packets):
  113. eth_frame = Ether(pkt[0])
  114. ip_pkt = eth_frame.payload
  115. tcp_pkt = ip_pkt.payload
  116. str_tcp_seg = str(tcp_pkt.payload)
  117. # Clean payloads
  118. eth_frame.payload = b''
  119. ip_pkt.payload = b''
  120. tcp_pkt.payload = b''
  121. if pkt_num == 0:
  122. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  123. if tcp_pkt.getfieldval("dport") == self.http_port:
  124. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  125. # Request: Attacker --> vicitm
  126. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  127. # There are 7 TCP connections with different source ports, for each of them we generate random port
  128. if tcp_pkt.getfieldval("sport") != prev_orig_port_source:
  129. port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  130. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  131. # New connection, new random TCP sequence numbers
  132. attacker_seq = randint(1000, 50000)
  133. victim_seq = randint(1000, 50000)
  134. # First packet in a connection has ACK = 0
  135. tcp_pkt.setfieldval("ack", 0)
  136. # Ether
  137. eth_frame.setfieldval("src", mac_source)
  138. eth_frame.setfieldval("dst", mac_destination)
  139. # IP
  140. ip_pkt.setfieldval("src", ip_source)
  141. ip_pkt.setfieldval("dst", ip_destination)
  142. ip_pkt.setfieldval("ttl", source_ttl_value)
  143. # TCP
  144. tcp_pkt.setfieldval("sport",port_source)
  145. tcp_pkt.setfieldval("dport", port_destination)
  146. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/joomla360', target_uri, orig_ip_dst, target_host)
  147. # TCP Seq, Ack
  148. if tcp_pkt.getfieldval("ack") != 0:
  149. tcp_pkt.setfieldval("ack", victim_seq)
  150. tcp_pkt.setfieldval("seq", attacker_seq)
  151. if not(tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  152. attacker_seq += max(len(str_tcp_seg),1)
  153. new_pkt = (eth_frame / ip_pkt/ tcp_pkt / str_tcp_seg)
  154. new_pkt.time = timestamp_next_pkt
  155. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  156. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  157. # Reply: Victim --> attacker
  158. else:
  159. # Ether
  160. eth_frame.setfieldval("src", mac_destination)
  161. eth_frame.setfieldval("dst", mac_source)
  162. # IP
  163. ip_pkt.setfieldval("src", ip_destination)
  164. ip_pkt.setfieldval("dst", ip_source)
  165. ip_pkt.setfieldval("ttl", destination_ttl_value)
  166. # TCP
  167. tcp_pkt.setfieldval("dport", port_source)
  168. tcp_pkt.setfieldval("sport", port_destination)
  169. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/joomla360', target_uri, orig_ip_dst, target_host)
  170. # TCP Seq, ACK
  171. tcp_pkt.setfieldval("ack", attacker_seq)
  172. tcp_pkt.setfieldval("seq", victim_seq)
  173. strLen = len(str_tcp_seg)
  174. if not(tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  175. victim_seq += max(strLen, 1)
  176. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  177. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  178. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  179. new_pkt.time = timestamp_next_pkt
  180. packets.append(new_pkt)
  181. exploit_raw_packets.close()
  182. # Store timestamp of first packet (for attack label)
  183. self.attack_start_utime = packets[0].time
  184. self.attack_end_utime = packets[-1].time
  185. if len(packets) > 0:
  186. packets = sorted(packets, key=lambda pkt: pkt.time)
  187. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  188. # return packets sorted by packet time_sec_start
  189. # pkt_num+1: because pkt_num starts at 0
  190. return pkt_num + 1, path_attack_pcap