JoomlaRegPrivExploit.py 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233
  1. import logging
  2. import random as rnd
  3. import lea
  4. import scapy.layers.inet as inet
  5. import scapy.utils
  6. import Attack.AttackParameters as atkParam
  7. import Attack.BaseAttack as BaseAttack
  8. import ID2TLib.Utility as Util
  9. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  10. # noinspection PyPep8
  11. class JoomlaRegPrivExploit(BaseAttack.BaseAttack):
  12. template_attack_pcap_path = Util.RESOURCE_DIR + "joomla_registration_privesc.pcap"
  13. # HTTP port
  14. http_port = 80
  15. # Metasploit experiments show this range of ports
  16. minDefaultPort = 30000
  17. maxDefaultPort = 50000
  18. def __init__(self):
  19. """
  20. Creates a new instance of the Joomla Registeration Privileges Escalation Exploit.
  21. """
  22. # Initialize attack
  23. super(JoomlaRegPrivExploit, self).__init__("JoomlaRegPrivesc Exploit", "Injects an JoomlaRegPrivesc exploit'",
  24. "Privilege elevation")
  25. self.pkt_num = 0
  26. self.path_attack_pcap = None
  27. # Define allowed parameters and their type
  28. self.supported_params.update({
  29. atkParam.Parameter.MAC_SOURCE: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  30. atkParam.Parameter.IP_SOURCE: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  31. atkParam.Parameter.MAC_DESTINATION: atkParam.ParameterTypes.TYPE_MAC_ADDRESS,
  32. atkParam.Parameter.IP_DESTINATION: atkParam.ParameterTypes.TYPE_IP_ADDRESS,
  33. atkParam.Parameter.PORT_DESTINATION: atkParam.ParameterTypes.TYPE_PORT,
  34. atkParam.Parameter.TARGET_HOST: atkParam.ParameterTypes.TYPE_DOMAIN,
  35. # atkParam.Parameter.TARGET_URI: atkParam.ParameterTypes.TYPE_URI,
  36. atkParam.Parameter.INJECT_AT_TIMESTAMP: atkParam.ParameterTypes.TYPE_FLOAT,
  37. atkParam.Parameter.INJECT_AFTER_PACKET: atkParam.ParameterTypes.TYPE_PACKET_POSITION,
  38. atkParam.Parameter.PACKETS_PER_SECOND: atkParam.ParameterTypes.TYPE_FLOAT
  39. })
  40. def init_params(self):
  41. """
  42. Initialize the parameters of this attack using the user supplied command line parameters.
  43. Use the provided statistics to calculate default parameters and to process user
  44. supplied queries.
  45. """
  46. # PARAMETERS: initialize with default utilsvalues
  47. # (values are overwritten if user specifies them)
  48. # Attacker configuration
  49. most_used_ip_address = self.statistics.get_most_used_ip_address()
  50. self.add_param_value(atkParam.Parameter.IP_SOURCE, most_used_ip_address)
  51. self.add_param_value(atkParam.Parameter.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  52. # Victim configuration
  53. random_ip_address = self.statistics.get_random_ip_address()
  54. self.add_param_value(atkParam.Parameter.IP_DESTINATION, random_ip_address)
  55. destination_mac = self.statistics.get_mac_address(random_ip_address)
  56. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  57. destination_mac = self.generate_random_mac_address()
  58. self.add_param_value(atkParam.Parameter.MAC_DESTINATION, destination_mac)
  59. self.add_param_value(atkParam.Parameter.PORT_DESTINATION, self.http_port)
  60. # self.add_param_value(atkParam.Parameter.TARGET_URI, '/')
  61. self.add_param_value(atkParam.Parameter.TARGET_HOST, "www.hackme.com")
  62. # Attack configuration
  63. self.add_param_value(atkParam.Parameter.INJECT_AFTER_PACKET, rnd.randint(0, self.statistics.get_packet_count()))
  64. self.add_param_value(atkParam.Parameter.PACKETS_PER_SECOND,
  65. (self.statistics.get_pps_sent(most_used_ip_address) +
  66. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  67. def generate_attack_packets(self):
  68. # Timestamp
  69. timestamp_next_pkt = self.get_param_value(atkParam.Parameter.INJECT_AT_TIMESTAMP)
  70. pps = self.get_param_value(atkParam.Parameter.PACKETS_PER_SECOND)
  71. # Calculate complement packet rates of BG traffic per interval
  72. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  73. # Initialize parameters
  74. self.packets = []
  75. mac_source = self.get_param_value(atkParam.Parameter.MAC_SOURCE)
  76. ip_source = self.get_param_value(atkParam.Parameter.IP_SOURCE)
  77. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort)
  78. mac_destination = self.get_param_value(atkParam.Parameter.MAC_DESTINATION)
  79. ip_destination = self.get_param_value(atkParam.Parameter.IP_DESTINATION)
  80. port_destination = self.get_param_value(atkParam.Parameter.PORT_DESTINATION)
  81. target_host = self.get_param_value(atkParam.Parameter.TARGET_HOST)
  82. target_uri = "/" # self.get_param_value(atkParam.Parameter.TARGET_URI)
  83. # Check ip.src == ip.dst
  84. self.ip_src_dst_equal_check(ip_source, ip_destination)
  85. # Set TTL based on TTL distribution of IP address
  86. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  87. if len(source_ttl_dist) > 0:
  88. source_ttl_prob_dict = lea.Lea.fromValFreqsDict(source_ttl_dist)
  89. source_ttl_value = source_ttl_prob_dict.random()
  90. else:
  91. source_ttl_value = Util.handle_most_used_outputs(self.statistics.process_db_query("most_used(ttlValue)"))
  92. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  93. if len(destination_ttl_dist) > 0:
  94. destination_ttl_prob_dict = lea.Lea.fromValFreqsDict(destination_ttl_dist)
  95. destination_ttl_value = destination_ttl_prob_dict.random()
  96. else:
  97. destination_ttl_value = Util.handle_most_used_outputs(
  98. self.statistics.process_db_query("most_used(ttlValue)"))
  99. # Inject Joomla_registration_privesc
  100. # Read joomla_registration_privesc pcap file
  101. orig_ip_dst = None
  102. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  103. inter_arrival_times, inter_arrival_time_dist = self.get_inter_arrival_time(exploit_raw_packets, True)
  104. exploit_raw_packets.close()
  105. time_steps = lea.Lea.fromValFreqsDict(inter_arrival_time_dist)
  106. exploit_raw_packets = scapy.utils.RawPcapReader(self.template_attack_pcap_path)
  107. # Random TCP sequence numbers
  108. global attacker_seq
  109. attacker_seq = rnd.randint(1000, 50000)
  110. global victim_seq
  111. victim_seq = rnd.randint(1000, 50000)
  112. for self.pkt_num, pkt in enumerate(exploit_raw_packets):
  113. eth_frame = inet.Ether(pkt[0])
  114. ip_pkt = eth_frame.payload
  115. tcp_pkt = ip_pkt.payload
  116. str_tcp_seg = str(tcp_pkt.payload)
  117. # Clean payloads
  118. eth_frame.payload = b''
  119. ip_pkt.payload = b''
  120. tcp_pkt.payload = b''
  121. # FIXME: no getfieldval in class bytes
  122. if self.pkt_num == 0:
  123. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  124. if tcp_pkt.getfieldval("dport") == self.http_port:
  125. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  126. # Request: Attacker --> vicitm
  127. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  128. # There are 7 TCP connections with different source ports, for each of them we generate random port
  129. if tcp_pkt.getfieldval("sport") != prev_orig_port_source:
  130. port_source = rnd.randint(self.minDefaultPort, self.maxDefaultPort)
  131. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  132. # New connection, new random TCP sequence numbers
  133. attacker_seq = rnd.randint(1000, 50000)
  134. victim_seq = rnd.randint(1000, 50000)
  135. # First packet in a connection has ACK = 0
  136. tcp_pkt.setfieldval("ack", 0)
  137. # Ether
  138. eth_frame.setfieldval("src", mac_source)
  139. eth_frame.setfieldval("dst", mac_destination)
  140. # IP
  141. ip_pkt.setfieldval("src", ip_source)
  142. ip_pkt.setfieldval("dst", ip_destination)
  143. ip_pkt.setfieldval("ttl", source_ttl_value)
  144. # TCP
  145. tcp_pkt.setfieldval("sport", port_source)
  146. tcp_pkt.setfieldval("dport", port_destination)
  147. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/joomla360', target_uri, orig_ip_dst, target_host)
  148. # TCP Seq, Ack
  149. if tcp_pkt.getfieldval("ack") != 0:
  150. tcp_pkt.setfieldval("ack", victim_seq)
  151. tcp_pkt.setfieldval("seq", attacker_seq)
  152. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  153. attacker_seq += max(len(str_tcp_seg), 1)
  154. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  155. new_pkt.time = timestamp_next_pkt
  156. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  157. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(time_steps.random())
  158. # Reply: Victim --> attacker
  159. else:
  160. # Ether
  161. eth_frame.setfieldval("src", mac_destination)
  162. eth_frame.setfieldval("dst", mac_source)
  163. # IP
  164. ip_pkt.setfieldval("src", ip_destination)
  165. ip_pkt.setfieldval("dst", ip_source)
  166. ip_pkt.setfieldval("ttl", destination_ttl_value)
  167. # TCP
  168. tcp_pkt.setfieldval("dport", port_source)
  169. tcp_pkt.setfieldval("sport", port_destination)
  170. str_tcp_seg = self.modify_http_header(str_tcp_seg, '/joomla360', target_uri, orig_ip_dst, target_host)
  171. # TCP Seq, ACK
  172. tcp_pkt.setfieldval("ack", attacker_seq)
  173. tcp_pkt.setfieldval("seq", victim_seq)
  174. str_len = len(str_tcp_seg)
  175. if not (tcp_pkt.getfieldval("flags") == 16 and str_len == 0): # flags=A:
  176. victim_seq += max(str_len, 1)
  177. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  178. pps = max(Util.get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  179. timestamp_next_pkt = Util.update_timestamp(timestamp_next_pkt, pps) + float(time_steps.random())
  180. new_pkt.time = timestamp_next_pkt
  181. self.packets.append(new_pkt)
  182. exploit_raw_packets.close()
  183. def generate_attack_pcap(self):
  184. # Store timestamp of first packet (for attack label)
  185. self.attack_start_utime = self.packets[0].time
  186. self.attack_end_utime = self.packets[-1].time
  187. if len(self.packets) > 0:
  188. self.packets = sorted(self.packets, key=lambda pkt: pkt.time)
  189. self.path_attack_pcap = self.write_attack_pcap(self.packets, True, self.path_attack_pcap)
  190. # return packets sorted by packet time_sec_start
  191. # pkt_num+1: because pkt_num starts at 0
  192. return self.pkt_num + 1, self.path_attack_pcap