3
0

JoomlaRegPrivExploit.py 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232
  1. import logging
  2. from random import randint
  3. from lea import Lea
  4. from scapy.utils import RawPcapReader
  5. from scapy.layers.inet import Ether
  6. from definitions import ROOT_DIR
  7. from Attack import BaseAttack
  8. from Attack.AttackParameters import Parameter as Param
  9. from Attack.AttackParameters import ParameterTypes
  10. from ID2TLib.Utility import update_timestamp, get_interval_pps
  11. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  12. # noinspection PyPep8
  13. class JoomlaRegPrivExploit(BaseAttack.BaseAttack):
  14. template_attack_pcap_path = ROOT_DIR + "/../resources/joomla_registration_privesc.pcap"
  15. # HTTP port
  16. http_port = 80
  17. # Metasploit experiments show this range of ports
  18. minDefaultPort = 30000
  19. maxDefaultPort = 50000
  20. def __init__(self):
  21. """
  22. Creates a new instance of the Joomla Registeration Privileges Escalation Exploit.
  23. """
  24. # Initialize attack
  25. super(JoomlaRegPrivExploit, self).__init__("JoomlaRegPrivesc Exploit", "Injects an JoomlaRegPrivesc exploit'",
  26. "Privilege elevation")
  27. # Define allowed parameters and their type
  28. self.supported_params = {
  29. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  30. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  31. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  32. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  33. Param.PORT_DESTINATION: ParameterTypes.TYPE_PORT,
  34. Param.TARGET_HOST: ParameterTypes.TYPE_DOMAIN,
  35. #Param.TARGET_URI: ParameterTypes.TYPE_URI,
  36. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  37. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  38. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  39. }
  40. def init_params(self):
  41. """
  42. Initialize the parameters of this attack using the user supplied command line parameters.
  43. Use the provided statistics to calculate default parameters and to process user
  44. supplied queries.
  45. :param statistics: Reference to a statistics object.
  46. """
  47. # PARAMETERS: initialize with default utilsvalues
  48. # (values are overwritten if user specifies them)
  49. # Attacker configuration
  50. most_used_ip_address = self.statistics.get_most_used_ip_address()
  51. if isinstance(most_used_ip_address, list):
  52. most_used_ip_address = most_used_ip_address[0]
  53. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  54. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  55. # Victim configuration
  56. random_ip_address = self.statistics.get_random_ip_address()
  57. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  58. destination_mac = self.statistics.get_mac_address(random_ip_address)
  59. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  60. destination_mac = self.generate_random_mac_address()
  61. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  62. self.add_param_value(Param.PORT_DESTINATION, self.http_port)
  63. # self.add_param_value(Param.TARGET_URI, '/')
  64. self.add_param_value(Param.TARGET_HOST, "www.hackme.com")
  65. # Attack configuration
  66. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  67. self.add_param_value(Param.PACKETS_PER_SECOND,
  68. (self.statistics.get_pps_sent(most_used_ip_address) +
  69. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  70. def generate_attack_pcap(self):
  71. # Timestamp
  72. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  73. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  74. # Calculate complement packet rates of BG traffic per interval
  75. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  76. # Initialize parameters
  77. packets = []
  78. mac_source = self.get_param_value(Param.MAC_SOURCE)
  79. ip_source = self.get_param_value(Param.IP_SOURCE)
  80. port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  81. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  82. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  83. port_destination = self.get_param_value(Param.PORT_DESTINATION)
  84. target_host = self.get_param_value(Param.TARGET_HOST)
  85. target_uri = "/" #self.get_param_value(Param.TARGET_URI)
  86. # Check ip.src == ip.dst
  87. self.ip_src_dst_equal_check(ip_source, ip_destination)
  88. path_attack_pcap = None
  89. # Set TTL based on TTL distribution of IP address
  90. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  91. if len(source_ttl_dist) > 0:
  92. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  93. source_ttl_value = source_ttl_prob_dict.random()
  94. else:
  95. source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  96. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  97. if len(destination_ttl_dist) > 0:
  98. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  99. destination_ttl_value = destination_ttl_prob_dict.random()
  100. else:
  101. destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  102. # Inject Joomla_registration_privesc
  103. # Read joomla_registration_privesc pcap file
  104. orig_ip_dst = None
  105. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  106. inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets,True)
  107. timeSteps = Lea.fromValFreqsDict(inter_arrival_time_dist)
  108. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  109. # Random TCP sequence numbers
  110. global attacker_seq
  111. attacker_seq = randint(1000,50000)
  112. global victim_seq
  113. victim_seq = randint(1000,50000)
  114. for pkt_num, pkt in enumerate(exploit_raw_packets):
  115. eth_frame = Ether(pkt[0])
  116. ip_pkt = eth_frame.payload
  117. tcp_pkt = ip_pkt.payload
  118. str_tcp_seg = str(tcp_pkt.payload)
  119. # Clean payloads
  120. eth_frame.payload = b''
  121. ip_pkt.payload = b''
  122. tcp_pkt.payload = b''
  123. if pkt_num == 0:
  124. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  125. if tcp_pkt.getfieldval("dport") == self.http_port:
  126. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  127. # Request: Attacker --> vicitm
  128. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  129. # There are 7 TCP connections with different source ports, for each of them we generate random port
  130. if tcp_pkt.getfieldval("sport") != prev_orig_port_source:
  131. port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  132. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  133. # New connection, new random TCP sequence numbers
  134. attacker_seq = randint(1000, 50000)
  135. victim_seq = randint(1000, 50000)
  136. # First packet in a connection has ACK = 0
  137. tcp_pkt.setfieldval("ack", 0)
  138. # Ether
  139. eth_frame.setfieldval("src", mac_source)
  140. eth_frame.setfieldval("dst", mac_destination)
  141. # IP
  142. ip_pkt.setfieldval("src", ip_source)
  143. ip_pkt.setfieldval("dst", ip_destination)
  144. ip_pkt.setfieldval("ttl", source_ttl_value)
  145. # TCP
  146. tcp_pkt.setfieldval("sport",port_source)
  147. tcp_pkt.setfieldval("dport", port_destination)
  148. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/joomla360', target_uri, orig_ip_dst, target_host)
  149. # TCP Seq, Ack
  150. if tcp_pkt.getfieldval("ack") != 0:
  151. tcp_pkt.setfieldval("ack", victim_seq)
  152. tcp_pkt.setfieldval("seq", attacker_seq)
  153. if not(tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  154. attacker_seq += max(len(str_tcp_seg),1)
  155. new_pkt = (eth_frame / ip_pkt/ tcp_pkt / str_tcp_seg)
  156. new_pkt.time = timestamp_next_pkt
  157. pps = max(get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  158. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  159. # Reply: Victim --> attacker
  160. else:
  161. # Ether
  162. eth_frame.setfieldval("src", mac_destination)
  163. eth_frame.setfieldval("dst", mac_source)
  164. # IP
  165. ip_pkt.setfieldval("src", ip_destination)
  166. ip_pkt.setfieldval("dst", ip_source)
  167. ip_pkt.setfieldval("ttl", destination_ttl_value)
  168. # TCP
  169. tcp_pkt.setfieldval("dport", port_source)
  170. tcp_pkt.setfieldval("sport", port_destination)
  171. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/joomla360', target_uri, orig_ip_dst, target_host)
  172. # TCP Seq, ACK
  173. tcp_pkt.setfieldval("ack", attacker_seq)
  174. tcp_pkt.setfieldval("seq", victim_seq)
  175. strLen = len(str_tcp_seg)
  176. if not(tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  177. victim_seq += max(strLen, 1)
  178. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  179. pps = max(get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  180. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps) + float(timeSteps.random())
  181. new_pkt.time = timestamp_next_pkt
  182. packets.append(new_pkt)
  183. # Store timestamp of first packet (for attack label)
  184. self.attack_start_utime = packets[0].time
  185. self.attack_end_utime = packets[-1].time
  186. if len(packets) > 0:
  187. packets = sorted(packets, key=lambda pkt: pkt.time)
  188. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  189. # return packets sorted by packet time_sec_start
  190. # pkt_num+1: because pkt_num starts at 0
  191. return pkt_num + 1, path_attack_pcap