JoomlaRegPrivExploit.py 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240
  1. import logging
  2. import random as rnd
  3. import lea
  4. import scapy.layers.inet as inet
  5. import scapy.utils
  6. import Attack.AttackParameters as atkParam
  7. import Attack.BaseAttack as BaseAttack
  8. import ID2TLib.Utility as Util
  9. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  10. # noinspection PyPep8
  11. class JoomlaRegPrivExploit(BaseAttack.BaseAttack):
  12. template_attack_pcap_path = Util.RESOURCE_DIR + "joomla_registration_privesc.pcap"
  13. # HTTP port
  14. http_port = 80
  15. # Metasploit experiments show this range of ports
  16. minDefaultPort = 30000
  17. maxDefaultPort = 50000
  18. def __init__(self):
  19. """
  20. Creates a new instance of the Joomla Registeration Privileges Escalation Exploit.
  21. """
  22. # Initialize attack
  23. super(JoomlaRegPrivExploit, self).__init__("JoomlaRegPrivesc Exploit", "Injects an JoomlaRegPrivesc exploit'",
  24. "Privilege elevation")
  25. self.pkt_num = 0
  26. self.path_attack_pcap = None
  27. # Define allowed parameters and their type
  28. self.supported_params.update({
  29. atkParam.Parameter.MAC_SOURCE: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  30. atkParam.Parameter.IP_SOURCE: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  31. atkParam.Parameter.MAC_DESTINATION: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  32. atkParam.Parameter.IP_DESTINATION: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  33. atkParam.Parameter.PORT_DESTINATION: atkParam.ParameterTypes.TYPE_PORT,
  34. atkParam.Parameter.TARGET_HOST: atkParam.ParameterTypes.TYPE_DOMAIN,
  35. # atkParam.Parameter.TARGET_URI: atkParam.ParameterTypes.TYPE_URI,
  36. atkParam.Parameter.INJECT_AT_TIMESTAMP: atkParam.ParameterTypes.TYPE_FLOAT,
  37. atkParam.Parameter.INJECT_AFTER_PACKET: atkParam.ParameterTypes.TYPE_PACKET_POSITION,
  38. atkParam.Parameter.PACKETS_PER_SECOND: atkParam.ParameterTypes.TYPE_FLOAT
  39. })
  40. def init_params(self):
  41. """
  42. Initialize the parameters of this attack using the user supplied command line parameters.
  43. Use the provided statistics to calculate default parameters and to process user
  44. supplied queries.
  45. """
  46. # PARAMETERS: initialize with default utilsvalues
  47. # (values are overwritten if user specifies them)
  48. # Attacker configuration
  49. most_used_ip_address = self.statistics.get_most_used_ip_address()
  50. self.add_param_value(atkParam.Parameter.IP_SOURCE, most_used_ip_address)
  51. self.add_param_value(atkParam.Parameter.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  52. # Victim configuration
  53. random_ip_address = self.statistics.get_random_ip_address()
  54. self.add_param_value(atkParam.Parameter.IP_DESTINATION, random_ip_address)
  55. destination_mac = self.statistics.get_mac_address(random_ip_address)
  56. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  57. destination_mac = self.generate_random_mac_address()
  58. self.add_param_value(atkParam.Parameter.MAC_DESTINATION, destination_mac)
  59. self.add_param_value(atkParam.Parameter.PORT_DESTINATION, self.http_port)
  60. # self.add_param_value(atkParam.Parameter.TARGET_URI, '/')
  61. self.add_param_value(atkParam.Parameter.TARGET_HOST, "www.hackme.com")
  62. # Attack configuration
  63. self.add_param_value(atkParam.Parameter.INJECT_AFTER_PACKET, rnd.randint(0, self.statistics.get_packet_count()))
  64. self.add_param_value(atkParam.Parameter.PACKETS_PER_SECOND,
  65. (self.statistics.get_pps_sent(most_used_ip_address) +
  66. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  67. def generate_attack_packets(self):
  68. """
  69. Creates the attack packets.
  70. """
  71. # Timestamp
  72. timestamp_next_pkt = self.get_param_value(atkParam.Parameter.INJECT_AT_TIMESTAMP)
  73. pps = self.get_param_value(atkParam.Parameter.PACKETS_PER_SECOND)
  74. # Calculate complement packet rates of BG traffic per interval
  75. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  76. # Initialize parameters
  77. self.packets = []
  78. mac_source = self.get_param_value(atkParam.Parameter.MAC_SOURCE)
  79. ip_source = self.get_param_value(atkParam.Parameter.IP_SOURCE)
  80. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort)
  81. mac_destination = self.get_param_value(atkParam.Parameter.MAC_DESTINATION)
  82. ip_destination = self.get_param_value(atkParam.Parameter.IP_DESTINATION)
  83. port_destination = self.get_param_value(atkParam.Parameter.PORT_DESTINATION)
  84. target_host = self.get_param_value(atkParam.Parameter.TARGET_HOST)
  85. target_uri = "/" # self.get_param_value(atkParam.Parameter.TARGET_URI)
  86. # Check ip.src == ip.dst
  87. self.ip_src_dst_equal_check(ip_source, ip_destination)
  88. # Set TTL based on TTL distribution of IP address
  89. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  90. if len(source_ttl_dist) > 0:
  91. source_ttl_prob_dict = lea.Lea.fromValFreqsDict(source_ttl_dist)
  92. source_ttl_value = source_ttl_prob_dict.random()
  93. else:
  94. source_ttl_value = Util.handle_most_used_outputs(self.statistics.get_most_used_ttl_value())
  95. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  96. if len(destination_ttl_dist) > 0:
  97. destination_ttl_prob_dict = lea.Lea.fromValFreqsDict(destination_ttl_dist)
  98. destination_ttl_value = destination_ttl_prob_dict.random()
  99. else:
  100. destination_ttl_value = Util.handle_most_used_outputs(
  101. self.statistics.get_most_used_ttl_value())
  102. # Inject Joomla_registration_privesc
  103. # Read joomla_registration_privesc pcap file
  104. orig_ip_dst = None
  105. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  106. inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets, True)
  107. exploit_raw_packets.close()
  108. time_steps = lea.Lea.fromValFreqsDict(inter_arrival_time_dist)
  109. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  110. # Random TCP sequence numbers
  111. global attacker_seq
  112. attacker_seq = rnd.randint(1000, 50000)
  113. global victim_seq
  114. victim_seq = rnd.randint(1000, 50000)
  115. for self.pkt_num, pkt in enumerate(exploit_raw_packets):
  116. eth_frame = inet.Ether(pkt[0])
  117. ip_pkt = eth_frame.payload
  118. tcp_pkt = ip_pkt.payload
  119. str_tcp_seg = str(tcp_pkt.payload)
  120. # Clean payloads
  121. eth_frame.payload = b''
  122. ip_pkt.payload = b''
  123. tcp_pkt.payload = b''
  124. # FIXME: no getfieldval in class bytes
  125. if self.pkt_num == 0:
  126. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  127. if tcp_pkt.getfieldval("dport") == self.http_port:
  128. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  129. # Request: Attacker --> vicitm
  130. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  131. # There are 7 TCP connections with different source ports, for each of them we generate random port
  132. if tcp_pkt.getfieldval("sport") != prev_orig_port_source:
  133. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort)
  134. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  135. # New connection, new random TCP sequence numbers
  136. attacker_seq = rnd.randint(1000, 50000)
  137. victim_seq = rnd.randint(1000, 50000)
  138. # First packet in a connection has ACK = 0
  139. tcp_pkt.setfieldval("ack", 0)
  140. # Ether
  141. eth_frame.setfieldval("src", mac_source)
  142. eth_frame.setfieldval("dst", mac_destination)
  143. # IP
  144. ip_pkt.setfieldval("src", ip_source)
  145. ip_pkt.setfieldval("dst", ip_destination)
  146. ip_pkt.setfieldval("ttl", source_ttl_value)
  147. # TCP
  148. tcp_pkt.setfieldval("sport", port_source)
  149. tcp_pkt.setfieldval("dport", port_destination)
  150. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/joomla360', target_uri, orig_ip_dst, target_host)
  151. # TCP Seq, Ack
  152. if tcp_pkt.getfieldval("ack") != 0:
  153. tcp_pkt.setfieldval("ack", victim_seq)
  154. tcp_pkt.setfieldval("seq", attacker_seq)
  155. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  156. attacker_seq += max(len(str_tcp_seg), 1)
  157. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  158. new_pkt.time = timestamp_next_pkt
  159. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  160. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(time_steps.random())
  161. # Reply: Victim --> attacker
  162. else:
  163. # Ether
  164. eth_frame.setfieldval("src", mac_destination)
  165. eth_frame.setfieldval("dst", mac_source)
  166. # IP
  167. ip_pkt.setfieldval("src", ip_destination)
  168. ip_pkt.setfieldval("dst", ip_source)
  169. ip_pkt.setfieldval("ttl", destination_ttl_value)
  170. # TCP
  171. tcp_pkt.setfieldval("dport", port_source)
  172. tcp_pkt.setfieldval("sport", port_destination)
  173. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/joomla360', target_uri, orig_ip_dst, target_host)
  174. # TCP Seq, ACK
  175. tcp_pkt.setfieldval("ack", attacker_seq)
  176. tcp_pkt.setfieldval("seq", victim_seq)
  177. str_len = len(str_tcp_seg)
  178. if not (tcp_pkt.getfieldval("flags") == 16 and str_len == 0): # flags=A:
  179. victim_seq += max(str_len, 1)
  180. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  181. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  182. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(time_steps.random())
  183. new_pkt.time = timestamp_next_pkt
  184. self.packets.append(new_pkt)
  185. exploit_raw_packets.close()
  186. def generate_attack_pcap(self):
  187. """
  188. Creates a pcap containing the attack packets.
  189. :return: The location of the generated pcap file.
  190. """
  191. # Store timestamp of first packet (for attack label)
  192. self.attack_start_utime = self.packets[0].time
  193. self.attack_end_utime = self.packets[-1].time
  194. if len(self.packets) > 0:
  195. self.packets = sorted(self.packets, key=lambda pkt: pkt.time)
  196. self.path_attack_pcap = self.write_attack_pcap(self.packets, True, self.path_attack_pcap)
  197. # return packets sorted by packet time_sec_start
  198. # pkt_num+1: because pkt_num starts at 0
  199. return self.pkt_num + 1, self.path_attack_pcap