-
Notifications
You must be signed in to change notification settings - Fork 112
Home
Every module must be located at the "exploits" directory.
Every EaST module must contain:
-
"Imports" section. In this section you should import all dependencies needs for module work. Also "Sploit" class required to be imported:
from Sploit import Sploit
-
"Info" section. In this section you must declare dictionary "INFO":
INFO = {}
INFO dict must contain keys:
- NAME. Name of module, like "ef_exploit1_DoS".
- DESCRIPTION. Short description of module.
- PATH. Module will be shown at this path in GUI. Like "General/", "Remote/" , etc...
INFO dict also should contain keys:
- VENDOR. Url of vendor of vulnerable software.
- CVE Name. Cve if exists in format "xxxx-xxxx".
- NOTES. Full exploit description, including info about your OS and vulnerable software version.
- DOWNLOAD_LINK. Direct link to download vulnerable software.
- LINKS. Other useful links related to vulnerability.
- CHANGELOG. You can specify version of module or creation date.
- AUTHOR. Author of module(exploit)
So, common structure of "Info" section is:
INFO = {} INFO['NAME'] = "" INFO['DESCRIPTION'] = "" INFO['VENDOR'] = "" INFO['CVE Name'] = "" INFO['NOTES'] = """ """ INFO['DOWNLOAD_LINK'] = "" INFO['LINKS'] = [""] INFO['CHANGELOG'] = "" INFO['PATH'] = "/" INFO['AUTHOR'] = ""
-
"Options" section. This section contains options of module, like host, port, filename, etc...This options will be shown in GUI after module will be chosen and then these options will be used as module's variables. You must declare dictionary "OPTIONS" and specify options. There are 4 types of module options:
OPTIONS = {} OPTIONS["OPTION1"] = "VALUE1" # Will create text field in GUI and returns "str" value type OPTIONS["OPTION2"] = 10 # Will create text field and returns "int" value type OPTIONS["OPTION3"] = False # Will create checkbox and returns "bool" value type OPTIONS["OPTION4"] = dict(options=["value1", "value2"], selected="value1") # Will create combobox and you'll can choose value(in this case "value1" or "value2"). Field "selected" makes value default
If you need to show options in order they added you must:
-
Add to imports section:
from collections import OrderedDict
-
Declare "OPTIONS" dict as:
OPTIONS = OrderedDict()
-
-
"Exploit" section. Common structure of exploit section:
class exploit(Sploit): def __init__(self,host="", port=0, ssl=False, logger=None): Sploit.__init__(self, logger=logger) def args(self): self.args = Sploit.args(self, OPTIONS) self.option1 = self.args.get("OPTION1") self.option2 = self.args.get("OPTION2") self.option3 = self.args.get("OPTION3") self.option4 = self.args.get("OPTION4") def run(self): #Get options from gui self.args() self.log('Starting') # send message to gui #################### # Your main code here #################### self.finish(True) # If True - module succeeded, if False - module failed if __name__ == '__main__': print "Running exploit %s .. " % INFO['NAME'] e = exploit("192.168.0.1",80) e.run()
You can generate shellcodes from your module. There is "OSShellcodes" class for generating os shellcodes for Windows and Linux and "CrossOSShellcodes" class for generating php, jsp, jar, aspx, python shellcodes.
To import OSShellcodes you need to add:
from shellcodes.Shellcodes import OSShellcodesUsage:
s = OSShellcodes(os_target, os_target_arch, '127.0.0.1', 4000)
shellcode_type = 'command'
shellcode = s.create_shellcode(
shellcode_type,
encode=0,
make_exe=1,
debug=1,
filename="payload"
)Constructor of OSShellcodes has structure:
def __init__(self, OS_TARGET, OS_TARGET_ARCH, CONNECTBACK_IP='localhost', CONNECTBACK_PORT=5555, BADCHARS=['\x00']):
'''
Initializes object OSShellcodes.
:param OS_TARGET: (string) "WINDOWS" or "LINUX"
:param OS_TARGET_ARCH: (string) "32bit" or "64bit"
:param CONNECTBACK_IP: (string) Ip address of machine with enabled shell listener
:param CONNECTBACK_PORT: (int) Port where listener listen to connection.
:param BADCHARS: (list of strings) Badchars for encoder
:return:
'''And method "create_shellcode" has structure:
def create_shellcode(self, _shellcode_type='reverse', command='calc.exe', message='', encode=None, make_exe=0, debug=0, filename="test", dll_inj_funcs=[]):
'''
Function for create shellcode.
:param _shellcode_type: (string) Can be "reverse" or "message" for Linux shellcodes and "reverse", "message", "command" for Windows shellcodes.
:param command: (string) Command for Windows command-shellcode.
:param message: (string) Message for "message" for message-shellcode.
:param encode: (string) Encoder type. Can be "xor", "alphanum", "rot_13", "fnstenv" or "jumpcall". If empty shellcode will not be encoded.
:param make_exe: (bool) or (int) If True(or 1) exe file will be generated from shellcode.
:param debug: (bool) or (int) If True(or 1) shellcode will be printed to stdout.
:param filename: (string) Used for assign special name to executable or dll shellcode.
:param dll_inj_funcs: (list of strings) Functions names for dll hijacking. If not empty dll with shellcode will be generated.
:return: (string) Generated shellcode.
'''To import CrossOSShellcodes you need to add:
from shellcodes.Shellcodes import CrossOSShellcodesUsage:
type = Constants.ShellcodeType.JSP
s = CrossOSShellcodes('127.0.0.1', 4000)
print s.create_shellcode(type, False)Constructor of CrossOSShellcodes has structure:
def __init__(self, CONNECTBACK_IP='localhost', CONNECTBACK_PORT=5555):
"""
Class for generating shells for jsp, aspx, python, php
:param CONNECTBACK_IP: (string) Ip address of machine with enabled shell listener
:param CONNECTBACK_PORT: (int) Port where listener listen to connection.
"""And method "create_shellcode" has structure:
def create_shellcode(self, type, inline=False):
"""
Creates shellcode of given type
:param type: (string) aspx, jar, jsp, python, php
:param inline: (bool) If True all symbols \r, \n, \t will be removed from shellcode
:return: (string) Generated shellcode