Author: w7ay @ Knownsec 404 Team. English version: https://paper.seebug.org/905/
Rather than a dull walkthrough of usage, I would like to talk about why pocsuite3 has the features it has and how they are implemented. If you want to build a similar tool, some of the ideas in pocsuite3 may help you. This article also records some of the thoughts and lessons from the development of pocsuite3.
Introduction
Pocsuite is an open-source remote vulnerability testing framework built by the Knownsec 404 Team. It is a cornerstone of the team's security research, has been maintained and extended by the team to this day, and underpins our web security research capability.
You can use pocsuite directly for vulnerability verification and exploitation; you can also develop PoCs and exploits on top of it, because it is also a PoC development framework; and you can integrate pocsuite directly into your own vulnerability testing tool, since it provides standard classes for calling it.
Pocsuite3 is written entirely in Python 3 and supports Windows, Linux, macOS and other systems. It is a complete rewrite and upgrade of the original pocsuite that makes the whole framework more usable and flexible.
Standing on the shoulders of giants
Pocsuite3 borrows from many open-source and widely used mature frameworks: sqlmap for the code and project structure, and RouterSploit and Metasploit for the pocsuite console mode. As a result, the PoC code format differs from earlier versions (although major changes were kept to a minimum). Pocsuite3 also provides a very simple calling interface so that it can be integrated into other security tools.
Installation
Pip installation
There are two ways to install: with pip, or by running directly from source.
Installing with pip gives you the latest released version of pocsuite3.
Then run pocsuite once to check that the installation works.
Source installation
If you don't mind a bit of tinkering, you can download the source code and use it directly. This is also the way we recommend, because updates reach GitHub sooner than they reach PyPI.
Two dependencies need to be installed as well.
On Windows you need to install one additional package on top of those dependencies.
Finally, run pocsuite once to check that the installation works.
Note that only one of the two installation methods should be used; do not install both at the same time. We recommend the source installation.
General help
In most cases, -h will show you the features pocsuite supports.
A simple test
Here we use ZoomEye to search for ECSHOP targets and run the ecshop_rce.py PoC against them with 5 threads.
Pocsuite runs in verify mode by default, which has the least impact on the target. It also has attack and shell modes, which exploit the target and receive a reverse shell from it. The pocsuite PoC format reserves an interface for each of the three modes, and many built-in APIs help you implement them.
Shell mode
Pocsuite3 adds a new shell mode. When you select it, pocsuite3 listens on a port and waits for the target to connect back. We provide reverse-connection payloads in a variety of languages, as well as generation of reverse shellcode that runs on Windows and Linux.
Run from a configuration file
Sometimes there are too many command-line arguments, and some of them are reused a lot, so pocsuite also lets you run from a configuration file.
We take the Redis unauthorized access vulnerability as an example and edit the file pocsuite.ini.
Adjust the thread count and run!
With the comparison option turned on, we can see more information.
If you are also a ZoomEye VIP, honeypots can be flagged while targets are being collected. At present only data obtained through the ZoomEye interface carries honeypot identification; Shodan and Censys have not opened a corresponding API.
Plug-in system
Pocsuite supports a plug-in system. Plug-ins fall into three types: targets plug-ins that load targets, pocs plug-ins that load PoCs, and results plug-ins that process results.
Targets plug-in
Besides loading local targets with -u and -f, you can write a targets plug-in to load targets from anywhere you like (e.g. ZoomEye or Shodan), even from a web page or from Redis. Pocsuite3 has four built-in target loading plug-ins.
As you can see above, when the search dork options --dork, --dork_zoomeye, --dork_shodan or --dork_censys are used, the relevant plug-in is loaded automatically without being specified by hand.
Pocs plug-in
Originally PoCs could only be loaded from Seebug. That has now been moved out into a plug-in, so PoCs can be loaded from any reachable place; you could even write a plug-in that pulls from a repository you maintain on GitHub.
Demo:
https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/poc_from_redis.py
https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/poc_from_seebug.py
Results plug-in
A results plug-in processes the scan results. You can refer to the two built-in ones, which save results as HTML and as TXT. Results are handed to the plug-in in real time as they are produced. See the implementation in plugins/file_record.py for details.
https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/html_report.py
https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/plugins/file_record.py
Calling plug-ins
Use --plugins followed by the plug-in name. Several plug-ins can be given, separated by commas. For example, --plugins html_report generates the report as an HTML document.
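To make the three plug-in types and the --plugins selection concrete, here is a small registry written for this article. It is illustrative code, not pocsuite3's own implementation: the plug-in names (target_from_memory, file_record), the conf dictionary keys and fake_check are all constructed for the demo. It shows the two properties the text stresses: a results plug-in receives every result as soon as it is produced, and a targets plug-in can pull targets from any source the author cares to write.

```python
"""Minimal targets / pocs / results plug-in registry in the spirit of
pocsuite3 (illustrative code for this article, not pocsuite3's source)."""
import json
import os
import tempfile
from typing import Callable, Dict, List, Type


class PluginType:
    TARGETS = "targets"   # load targets from somewhere (ZoomEye, Shodan, Redis, a web page...)
    POCS = "pocs"         # load PoC files from somewhere (Seebug, Redis, a GitHub repo...)
    RESULTS = "results"   # consume each result as soon as it is produced


class PluginBase:
    name = ""             # what the user types after --plugins
    plugin_type = ""      # one of PluginType.*

    def __init__(self, conf: dict):
        self.conf = conf


REGISTRY: Dict[str, Type[PluginBase]] = {}


def register_plugin(cls: Type[PluginBase]) -> Type[PluginBase]:
    """Decorator: make a plug-in selectable by name. Refuses duplicate names
    so that two plug-ins cannot silently shadow each other."""
    if not cls.name or cls.plugin_type not in (PluginType.TARGETS, PluginType.POCS, PluginType.RESULTS):
        raise TypeError(f"{cls.__name__} must set name and a valid plugin_type")
    if cls.name in REGISTRY:
        raise ValueError(f"plugin name already taken: {cls.name}")
    REGISTRY[cls.name] = cls
    return cls


def select_plugins(spec: str) -> List[Type[PluginBase]]:
    """Parse the comma-separated value of --plugins ("html_report,file_record")."""
    chosen = []
    for raw in spec.split(","):
        name = raw.strip()
        if not name:
            continue
        if name not in REGISTRY:
            raise ValueError(f"unknown plugin {name!r}; available: {sorted(REGISTRY)}")
        chosen.append(REGISTRY[name])
    return chosen


@register_plugin
class TargetFromMemory(PluginBase):
    """Constructed stand-in for a Redis/ZoomEye loader: reads conf['memory_targets']."""
    name = "target_from_memory"
    plugin_type = PluginType.TARGETS

    def load(self) -> List[str]:
        seen, out = set(), []
        for target in self.conf.get("memory_targets", []):
            target = target.strip()
            if target and target not in seen:   # dedupe, a real loader should too
                seen.add(target)
                out.append(target)
        return out


@register_plugin
class FileRecord(PluginBase):
    """Results plug-in: one JSON line per result, written immediately, so an
    interrupted long scan still leaves everything found so far on disk."""
    name = "file_record"
    plugin_type = PluginType.RESULTS

    def handle(self, result: dict) -> None:
        with open(self.conf["record_path"], "a", encoding="utf-8") as fh:
            fh.write(json.dumps(result, sort_keys=True) + "\n")


def run(conf: dict, check: Callable[[str], dict]) -> List[dict]:
    """Engine loop: collect targets from every targets plug-in, run `check` on
    each one, and hand every result to the results plug-ins as it is produced."""
    plugins = [cls(conf) for cls in select_plugins(conf.get("plugins", ""))]
    loaders = [p for p in plugins if p.plugin_type == PluginType.TARGETS]
    sinks = [p for p in plugins if p.plugin_type == PluginType.RESULTS]
    targets = [t for p in loaders for t in p.load()]
    results = []
    for target in targets:
        result = check(target)
        results.append(result)
        for sink in sinks:
            sink.handle(result)   # real time, not after the whole scan finishes
    return results


def fake_check(target: str) -> dict:
    """Constructed stand-in for a PoC's verify step; no network is touched."""
    return {"target": target, "status": "success" if "vuln" in target else "failed"}


if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "results.jsonl")
    conf = {"plugins": "target_from_memory,file_record",
            "memory_targets": ["http://vuln.example", "http://safe.example", "http://vuln.example"],
            "record_path": path}
    for r in run(conf, fake_check):
        print(r)
    print("records written to", path)
```

A real results plug-in would receive the framework's result object instead of the plain dict used here, but the shape is the same: a hook called once per result, not a post-processing pass over the finished list.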
Built-in API
Based on what we have accumulated from vulnerability emergency response, pocsuite's built-in APIs cover essentially everything needed when writing PoCs. We will discuss many of the APIs in the next chapter; here are two of the more interesting cases.
Shellcode generation support
In some special Linux and Windows environments it is hard to meet the conditions for a reverse shell. For this we built reverse-shell shellcode for Windows and Linux, x86 and x64, and exposed it through an API. Given command execution on the target, you can automatically write the shellcode to the target machine and execute it to get the shell back. Demo PoC: https://github.com/knownsec/pocsuite3/blob/master/pocsuite3/pocs/thinkphp_rce2.py
Built-in HTTP service
If you were also impressed by Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE: what a perfect vulnerability, yet we ran into difficulties writing a PoC for it. The verify mode is easy to cover with CEYE, but for the attack and shell modes we had to build our own jar and host it on a server ourselves!
For this reason we built an API for packaging jar files and an HTTP service API. In the many PoCs that are becoming harder and harder to automate, these turn out to be very convenient.
A demonstration video of Jenkins Abusing Meta Programming for Unauthenticated RCE (CVE-2019-1003000) with pocsuite3 is attached.
https://www.youtube.com/watch?v=5P7WWlqYt4U
Custom parameters
As programmers' security awareness grows, the days when a single link gave you RCE are over. More and more vulnerabilities require some "permission" to trigger, so pocsuite3 needs to reserve an interface for passing parameters.
While keeping the original PoC format as much as possible, we added an _options method in which a PoC declares the parameters the user must pass. Demo PoC: https://github.com/knownsec/pocsuite3/blob/master/tests/login_demo.py
We have defined in the PoC that two parameters, username and password, must be passed. For convenience they can be passed directly on the command line as follows.
Yes, it is that simple. You may ask how conflicts between parameter names defined in the PoC and pocsuite's own parameter names are resolved. Our answer is to forbid conflicting names: pocsuite checks at startup, and if a conflict exists you are prompted to rename the custom parameter in the PoC.
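The mechanism described above, as an added example written for this article rather than pocsuite3's own code: a PoC declares its options in _options, the framework turns them into command-line switches, enforces required ones, and refuses any name that collides with its own flags before the scan starts. The OptString/POCBase classes here are simplified stand-ins, FRAMEWORK_OPTIONS is an assumed subset of pocsuite's option names, and LoginDemo/BadNamePoC are constructed for the demo.

```python
"""Reserving a parameter interface for PoCs and rejecting name clashes with
the framework's own options (illustrative code, not pocsuite3's source)."""
import argparse
from collections import OrderedDict
from typing import Dict, List


class OptString:
    """One user-supplied option: default, help text and whether it is mandatory."""
    def __init__(self, default: str = "", description: str = "", require: bool = False):
        self.default = default
        self.description = description
        self.require = require


class POCBase:
    """Only the parts of a PoC base class that matter for custom options."""
    def __init__(self):
        self._opts: Dict[str, str] = {}

    def _options(self) -> "OrderedDict[str, OptString]":
        return OrderedDict()   # PoCs that need nothing keep the old format untouched

    def set_option(self, name: str, value: str) -> None:
        self._opts[name] = value

    def get_option(self, name: str) -> str:
        return self._opts[name]


class LoginDemo(POCBase):
    """Constructed stand-in for tests/login_demo.py: needs credentials first."""
    def _options(self):
        o = OrderedDict()
        o["username"] = OptString("", "account used to log in before triggering the bug", require=True)
        o["password"] = OptString("", "password for that account", require=False)
        return o

    def _verify(self) -> dict:
        # A real PoC would log in over HTTP here; this only shows the plumbing.
        return {"status": "success" if self.get_option("username") == "admin" else "failed"}


class BadNamePoC(POCBase):
    """Constructed PoC that picks a name the framework already owns."""
    def _options(self):
        o = OrderedDict()
        o["threads"] = OptString("1", "collides with the framework's own --threads")
        return o


# Assumed subset of the framework's own command-line names, used for the clash check.
FRAMEWORK_OPTIONS = {"url", "file", "poc", "threads", "plugins", "verify", "attack",
                     "shell", "mode", "verbose", "dork", "help"}


def build_parser(poc: POCBase) -> argparse.ArgumentParser:
    """Extend the framework parser with --<name> for every PoC option.
    Startup fails fast, with a message naming the offending option, if a PoC
    reuses a framework name; argparse would otherwise raise a cryptic error."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-u", "--url")
    parser.add_argument("-r", "--poc")
    parser.add_argument("--threads", type=int, default=1)
    group = parser.add_argument_group("PoC-defined options")
    for name, opt in poc._options().items():
        if name in FRAMEWORK_OPTIONS:
            raise SystemExit(f"PoC option '{name}' conflicts with a framework option; rename it in the PoC")
        group.add_argument(f"--{name}", default=opt.default, help=opt.description)
    return parser


def load_poc(poc: POCBase, argv: List[str]) -> argparse.Namespace:
    """Parse argv, copy the PoC options into the PoC and enforce require=True
    (an empty default does not satisfy a required option)."""
    args = build_parser(poc).parse_args(argv)
    missing = []
    for name, opt in poc._options().items():
        value = getattr(args, name)
        if opt.require and not value:
            missing.append(name)
        poc.set_option(name, value)
    if missing:
        raise SystemExit(f"missing required PoC option(s): {', '.join(missing)}")
    return args


if __name__ == "__main__":
    poc = LoginDemo()
    load_poc(poc, ["-u", "http://127.0.0.1", "-r", "login_demo.py",
                   "--username", "admin", "--password", "s3cret"])
    print(poc._verify())
```

Doing the clash check against a fixed set of reserved names, rather than catching argparse's own conflict error, is what lets the framework tell the PoC author exactly which name to change.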
Console mode
In some cases we also consider an interactive command mode (a hacker's sense of ceremony). It is fully compatible with the PoCs used in command-line mode. You get a better experience on Linux or macOS.
Some tips:
- Use help liberally in this mode to learn more.
- When loading a PoC, you can type use followed by a number, which is simpler and more convenient. You can also enter the full path, and tab completion works.
- Some command aliases are not shown in help; they are left for users to discover as easter eggs~
API integration
We encourage and support using pocsuite3 as part of a security product. Just import pocsuite3 as a module into your project and it is ready to use. Later we will also explain in detail how pocsuite3 does this.
pocsuite3.api exposes all of pocsuite's interfaces. Whether you are writing a PoC or integrating pocsuite into your own environment, this one module is all you need to import, and a simple call is enough to run a scan.
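An added example of such an integration, written for this article and not taken from the pocsuite3 repository. It requires pocsuite3 to be installed; the call sequence init_pocsuite / start_pocsuite / get_results and the url, poc and verbose config keys follow the project's README, while the other keys (mode, threads) and the passing of PoC-defined options as extra top-level keys are assumptions that mirror the command-line flags and should be checked against the installed version. build_config is a helper of this example, not a pocsuite3 API.

```python
"""Embedding pocsuite3 in another tool via pocsuite3.api (added example)."""
import os
from typing import Iterable, List, Union

MODES = ("verify", "attack", "shell")   # the three run modes pocsuite exposes

# Keys this helper fills itself; PoC-defined options must not overwrite them.
RESERVED_KEYS = {"url", "poc", "mode", "threads", "verbose"}


def build_config(targets: Union[str, Iterable[str]], poc_path: str,
                 mode: str = "verify", threads: int = 1, **poc_options) -> dict:
    """Build the dictionary handed to init_pocsuite. Normalises targets to a
    de-duplicated list, validates the mode, resolves the PoC path and appends
    any PoC-defined options (e.g. username=..., password=...) as extra keys."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    if threads < 1:
        raise ValueError("threads must be at least 1")
    if isinstance(targets, str):
        targets = [targets]
    seen, urls = set(), []          # keep order, drop blanks and duplicates
    for t in targets:
        t = t.strip()
        if t and t not in seen:
            seen.add(t)
            urls.append(t)
    if not urls:
        raise ValueError("no targets given")
    clash = RESERVED_KEYS & set(poc_options)
    if clash:
        raise ValueError(f"PoC options collide with framework keys: {sorted(clash)}")
    config = {
        "url": urls,
        "poc": [os.path.abspath(poc_path)],   # assumption: a list of PoC paths, as in the README
        "mode": mode,                          # assumption: mirrors --verify/--attack/--shell
        "threads": threads,                    # assumption: mirrors --threads
        "verbose": 1,
    }
    config.update(poc_options)
    return config


def run_scan(config: dict) -> List:
    """Run pocsuite3 in-process and return its result list. Imported here so
    the module loads even where pocsuite3 is not installed."""
    from pocsuite3.api import init_pocsuite, start_pocsuite, get_results
    init_pocsuite(config)
    start_pocsuite()
    return get_results()


if __name__ == "__main__":
    cfg = build_config(["http://127.0.0.1:8080", "http://127.0.0.1:8080", "https://example.com"],
                       "tests/login_demo.py", mode="verify", threads=5,
                       username="admin", password="s3cret")
    for result in run_scan(cfg):
        print(result)
```

Keeping config construction separate from the run makes the embedding testable without touching the network, and catching a mode typo or a colliding option key before init_pocsuite avoids a half-started scan with a misleading error.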
Conclusion
A fully featured framework is more than an engine that processes tasks in batches. Many things have to be learned in real-world use and then implemented in the best way (commonly known as "stepping in the pits"). When building your own PoC framework, you have to know what you need and how to solve it elegantly. In the next part I will talk about the structure of the pocsuite3 framework.
This article was published by Seebug Paper. Please cite the source when reprinting. Address: https://paper.seebug.org/904/