3
0

JoomlaRegPrivExploit.py 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272
  1. # Created by Aidmar
  2. """
  3. Joomla Account Creation and Privilege Escalation
  4. This attack creates an arbitrary account with administrative privileges in Joomla versions 3.4.4 through 3.6.3.
  5. more info:
  6. https://www.rapid7.com/db/modules/auxiliary/admin/http/joomla_registration_privesc
  7. """
  8. import logging
  9. import math
  10. from operator import itemgetter
  11. import operator
  12. from random import randint, uniform
  13. from lea import Lea
  14. from Attack import BaseAttack
  15. from Attack.AttackParameters import Parameter as Param
  16. from Attack.AttackParameters import ParameterTypes
  17. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  18. # noinspection PyPep8
  19. from scapy.utils import RawPcapReader
  20. from scapy.layers.inet import IP, Ether, TCP, RandShort
  21. #from scapy.all import *
  22. class JoomlaRegPrivExploit(BaseAttack.BaseAttack):
  23. # Metasploit default packet rate
  24. maxDefaultPPS = 55
  25. minDefaultPPS = 5
  26. # HTTP port
  27. http_port = 80
  28. # Metasploit experiments show this range of ports
  29. minDefaultPort = 30000
  30. maxDefaultPort = 50000
  31. def __init__(self, statistics, pcap_file_path):
  32. """
  33. Creates a new instance of the Joomla Registeration Privileges Escalation Exploit.
  34. :param statistics: A reference to the statistics class.
  35. """
  36. # Initialize attack
  37. super(JoomlaRegPrivExploit, self).__init__(statistics, "JoomlaRegPrivesc Exploit", "Injects an JoomlaRegPrivesc exploit'",
  38. "Resource Exhaustion")
  39. # Define allowed parameters and their type
  40. self.supported_params = {
  41. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  42. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  43. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  44. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  45. Param.TARGET_HOST: ParameterTypes.TYPE_DOMAIN,
  46. #Param.TARGET_URI: ParameterTypes.TYPE_URI,
  47. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  48. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  49. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  50. }
  51. # PARAMETERS: initialize with default utilsvalues
  52. # (values are overwritten if user specifies them)
  53. most_used_ip_address = self.statistics.get_most_used_ip_address()
  54. if isinstance(most_used_ip_address, list):
  55. most_used_ip_address = most_used_ip_address[0]
  56. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  57. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  58. #self.add_param_value(Param.TARGET_URI, '/')
  59. self.add_param_value(Param.TARGET_HOST, "www.hackme.com")
  60. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  61. self.add_param_value(Param.PACKETS_PER_SECOND,self.maxDefaultPPS)
  62. # victim configuration
  63. # consider that the destination has port 80 opened
  64. random_ip_address = self.statistics.get_random_ip_address()
  65. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  66. destination_mac = self.statistics.get_mac_address(random_ip_address)
  67. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  68. destination_mac = self.generate_random_mac_address()
  69. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  70. def generate_attack_pcap(self):
  71. def update_timestamp(timestamp, pps, maxdelay):
  72. """
  73. Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
  74. :return: Timestamp to be used for the next packet.
  75. """
  76. return timestamp + uniform(1 / pps, maxdelay)
  77. # Aidmar
  78. def getIntervalPPS(complement_interval_pps, timestamp):
  79. """
  80. Gets the packet rate (pps) in specific time interval.
  81. :return: the corresponding packet rate for packet rate (pps) .
  82. """
  83. for row in complement_interval_pps:
  84. if timestamp <= row[0]:
  85. return row[1]
  86. return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
  87. # Timestamp
  88. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  89. # TO-DO: find better pkt rate
  90. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  91. randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 30, 5 / pps: 15, 10 / pps: 3})
  92. # Aidmar - calculate complement packet rates of BG traffic per interval
  93. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  94. # Initialize parameters
  95. packets = []
  96. mac_source = self.get_param_value(Param.MAC_SOURCE)
  97. ip_source = self.get_param_value(Param.IP_SOURCE)
  98. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  99. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  100. target_host = self.get_param_value(Param.TARGET_HOST)
  101. target_uri = "/" #self.get_param_value(Param.TARGET_URI)
  102. # Check ip.src == ip.dst
  103. if ip_source == ip_destination:
  104. print("\nERROR: Invalid IP addresses; source IP is the same as destination IP: " + ip_source + ".")
  105. import sys
  106. sys.exit(0)
  107. path_attack_pcap = None
  108. minDelay, maxDelay = self.get_reply_delay(ip_destination)
  109. # Set TTL based on TTL distribution of IP address
  110. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  111. if len(source_ttl_dist) > 0:
  112. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  113. source_ttl_value = source_ttl_prob_dict.random()
  114. else:
  115. source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  116. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  117. if len(destination_ttl_dist) > 0:
  118. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  119. destination_ttl_value = destination_ttl_prob_dict.random()
  120. else:
  121. destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  122. # Inject Joomla_registration_privesc
  123. # Read joomla_registration_privesc pcap file
  124. orig_ip_dst = None
  125. exploit_raw_packets = RawPcapReader("resources/joomla_registration_privesc.pcap")
  126. port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
  127. # Random TCP sequence numbers
  128. global attacker_seq
  129. attacker_seq = randint(1000,50000)
  130. global victim_seq
  131. victim_seq = randint(1000,50000)
  132. for pkt_num, pkt in enumerate(exploit_raw_packets):
  133. eth_frame = Ether(pkt[0])
  134. ip_pkt = eth_frame.payload
  135. tcp_pkt = ip_pkt.payload
  136. str_tcp_seg = str(tcp_pkt.payload)
  137. # Clean payloads
  138. eth_frame.payload = b''
  139. ip_pkt.payload = b''
  140. tcp_pkt.payload = b''
  141. if pkt_num == 0:
  142. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  143. if tcp_pkt.getfieldval("dport") == self.http_port:
  144. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  145. # Request: Attacker --> vicitm
  146. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  147. # There are 7 TCP connections with different source ports, for each of them we generate random port
  148. if tcp_pkt.getfieldval("sport") != prev_orig_port_source:
  149. port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  150. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  151. # New connection, new random TCP sequence numbers
  152. attacker_seq = randint(1000, 50000)
  153. victim_seq = randint(1000, 50000)
  154. # First packet in a connection has ACK = 0
  155. tcp_pkt.setfieldval("ack", 0)
  156. # Ether
  157. eth_frame.setfieldval("src", mac_source)
  158. eth_frame.setfieldval("dst", mac_destination)
  159. # IP
  160. ip_pkt.setfieldval("src", ip_source)
  161. ip_pkt.setfieldval("dst", ip_destination)
  162. ip_pkt.setfieldval("ttl", source_ttl_value)
  163. # TCP
  164. tcp_pkt.setfieldval("sport",port_source)
  165. if len(str_tcp_seg) > 0:
  166. # convert payload bytes to string => str = "b'..\\r\\n..'" additional characters are added in the string,
  167. # mainly backslashes to escape single quotes and whitespaces
  168. str_tcp_seg = str_tcp_seg[2:-1]
  169. str_tcp_seg = str_tcp_seg.replace('/joomla360', target_uri)
  170. str_tcp_seg = str_tcp_seg.replace(orig_ip_dst, target_host)
  171. str_tcp_seg = str_tcp_seg.replace("\\n", "\n")
  172. str_tcp_seg = str_tcp_seg.replace("\\r", "\r")
  173. str_tcp_seg = str_tcp_seg.replace("\\t", "\t")
  174. str_tcp_seg = str_tcp_seg.replace("\\\'", "\'")
  175. # TCP Seq, Ack
  176. if tcp_pkt.getfieldval("ack") != 0:
  177. tcp_pkt.setfieldval("ack", victim_seq)
  178. tcp_pkt.setfieldval("seq", attacker_seq)
  179. if not(tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  180. attacker_seq += max(len(str_tcp_seg),1)
  181. new_pkt = (eth_frame / ip_pkt/ tcp_pkt / str_tcp_seg)
  182. new_pkt.time = timestamp_next_pkt
  183. maxdelay = randomdelay.random()
  184. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), self.minDefaultPPS)
  185. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
  186. # Reply: Victim --> attacker
  187. else:
  188. # Ether
  189. eth_frame.setfieldval("src", mac_destination)
  190. eth_frame.setfieldval("dst", mac_source)
  191. # IP
  192. ip_pkt.setfieldval("src", ip_destination)
  193. ip_pkt.setfieldval("dst", ip_source)
  194. ip_pkt.setfieldval("ttl", destination_ttl_value)
  195. # TCP
  196. tcp_pkt.setfieldval("dport", port_source)
  197. if len(str_tcp_seg) > 0:
  198. # convert payload bytes to string => str = "b'..\\r\\n..'" additional characters are added in the string,
  199. # mainly backslashes to escape single quotes and whitespaces
  200. str_tcp_seg = str_tcp_seg[2:-1]
  201. str_tcp_seg = str_tcp_seg.replace('/joomla360', target_uri)
  202. str_tcp_seg = str_tcp_seg.replace(orig_ip_dst, target_host)
  203. str_tcp_seg = str_tcp_seg.replace("\\n", "\n")
  204. str_tcp_seg = str_tcp_seg.replace("\\r", "\r")
  205. str_tcp_seg = str_tcp_seg.replace("\\t", "\t")
  206. str_tcp_seg = str_tcp_seg.replace("\\\'", "\'")
  207. # TCP Seq, ACK
  208. tcp_pkt.setfieldval("ack", attacker_seq)
  209. tcp_pkt.setfieldval("seq", victim_seq)
  210. strLen = len(str_tcp_seg)
  211. if not(tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  212. victim_seq += max(strLen, 1)
  213. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  214. timestamp_next_pkt = timestamp_next_pkt + uniform(minDelay, maxDelay)
  215. new_pkt.time = timestamp_next_pkt
  216. packets.append(new_pkt)
  217. # Store timestamp of first packet (for attack label)
  218. self.attack_start_utime = packets[0].time
  219. self.attack_end_utime = packets[-1].time
  220. if len(packets) > 0:
  221. packets = sorted(packets, key=lambda pkt: pkt.time)
  222. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  223. # return packets sorted by packet time_sec_start
  224. # pkt_num+1: because pkt_num starts at 0
  225. return pkt_num + 1, path_attack_pcap