Agent: Remove architecture setting from web_rce.py
This commit is contained in:
Shreya Malviya
parent
5cbcb88dd6
commit
0501bb7037
|
|
@ -1,11 +1,10 @@
|
||||||
import logging
|
import logging
|
||||||
import re
|
|
||||||
from abc import abstractmethod
|
from abc import abstractmethod
|
||||||
from posixpath import join
|
from posixpath import join
|
||||||
from typing import List, Tuple
|
from typing import List, Tuple
|
||||||
|
|
||||||
from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus
|
from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus
|
||||||
from infection_monkey.exploit.consts import WIN_ARCH_32, WIN_ARCH_64
|
from infection_monkey.exploit.consts import WIN_ARCH_64
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||||
|
|
@ -15,8 +14,6 @@ from infection_monkey.model import (
|
||||||
CHMOD_MONKEY,
|
CHMOD_MONKEY,
|
||||||
DOWNLOAD_TIMEOUT,
|
DOWNLOAD_TIMEOUT,
|
||||||
DROPPER_ARG,
|
DROPPER_ARG,
|
||||||
GET_ARCH_LINUX,
|
|
||||||
GET_ARCH_WINDOWS,
|
|
||||||
ID_STRING,
|
ID_STRING,
|
||||||
MONKEY_ARG,
|
MONKEY_ARG,
|
||||||
POWERSHELL_HTTP_UPLOAD,
|
POWERSHELL_HTTP_UPLOAD,
|
||||||
|
|
@ -109,7 +106,7 @@ class WebRCE(HostExploiter):
|
||||||
self.target_url = self.get_target_url()
|
self.target_url = self.get_target_url()
|
||||||
|
|
||||||
# Check for targets architecture (if it's 32 or 64 bit)
|
# Check for targets architecture (if it's 32 or 64 bit)
|
||||||
if not exploit_config["blind_exploit"] and not self.set_host_arch(self.get_target_url()):
|
if not exploit_config["blind_exploit"]:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# Upload the right monkey to target
|
# Upload the right monkey to target
|
||||||
|
|
@ -254,38 +251,6 @@ class WebRCE(HostExploiter):
|
||||||
if not self.vulnerable_urls:
|
if not self.vulnerable_urls:
|
||||||
logger.info("No vulnerable urls found, skipping.")
|
logger.info("No vulnerable urls found, skipping.")
|
||||||
|
|
||||||
def get_host_arch(self, url):
|
|
||||||
"""
|
|
||||||
:param url: Url for exploiter to use
|
|
||||||
:return: Machine architecture string or false. Eg. 'i686', '64', 'x86_64', ...
|
|
||||||
"""
|
|
||||||
if "linux" in self.host.os["type"]:
|
|
||||||
resp = self.exploit(url, GET_ARCH_LINUX)
|
|
||||||
if resp:
|
|
||||||
# Pulls architecture string
|
|
||||||
arch = re.search(r"(?<=Architecture:)\s+(\w+)", resp)
|
|
||||||
try:
|
|
||||||
arch = arch.group(1)
|
|
||||||
except AttributeError:
|
|
||||||
logger.error("Looked for linux architecture but could not find it")
|
|
||||||
return False
|
|
||||||
if arch:
|
|
||||||
return arch
|
|
||||||
else:
|
|
||||||
logger.info("Could not pull machine architecture string from command's output")
|
|
||||||
return False
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
else:
|
|
||||||
resp = self.exploit(url, GET_ARCH_WINDOWS)
|
|
||||||
if resp:
|
|
||||||
if "64-bit" in resp:
|
|
||||||
return WIN_ARCH_64
|
|
||||||
else:
|
|
||||||
return WIN_ARCH_32
|
|
||||||
else:
|
|
||||||
return False
|
|
||||||
|
|
||||||
# Wrapped functions:
|
# Wrapped functions:
|
||||||
def get_ports_w(self, ports, names):
|
def get_ports_w(self, ports, names):
|
||||||
"""
|
"""
|
||||||
|
|
@ -302,15 +267,6 @@ class WebRCE(HostExploiter):
|
||||||
else:
|
else:
|
||||||
return ports
|
return ports
|
||||||
|
|
||||||
def set_host_arch(self, url):
|
|
||||||
arch = self.get_host_arch(url)
|
|
||||||
if not arch:
|
|
||||||
logger.error("Couldn't get host machine's architecture")
|
|
||||||
return False
|
|
||||||
else:
|
|
||||||
self.host.os["machine"] = arch
|
|
||||||
return True
|
|
||||||
|
|
||||||
def run_backup_commands(self, resp, url, dest_path, http_path):
|
def run_backup_commands(self, resp, url, dest_path, http_path):
|
||||||
"""
|
"""
|
||||||
If you need multiple commands for the same os you can override this method to add backup
|
If you need multiple commands for the same os you can override this method to add backup
|
||||||
|
|
@ -520,6 +476,7 @@ class WebRCE(HostExploiter):
|
||||||
return self._config.dropper_target_path_linux
|
return self._config.dropper_target_path_linux
|
||||||
if self.host.os["type"] == "windows":
|
if self.host.os["type"] == "windows":
|
||||||
try:
|
try:
|
||||||
|
# remove now or when 32-bit binaries are removed?
|
||||||
if self.host.os["machine"] == WIN_ARCH_64:
|
if self.host.os["machine"] == WIN_ARCH_64:
|
||||||
return self._config.dropper_target_path_win_64
|
return self._config.dropper_target_path_win_64
|
||||||
except KeyError:
|
except KeyError:
|
||||||
|
|
|
||||||
|
|
@ -44,8 +44,7 @@ RUN_MONKEY = "%(monkey_path)s %(monkey_type)s %(parameters)s"
|
||||||
# Commands used to check for architecture and if machine is exploitable
|
# Commands used to check for architecture and if machine is exploitable
|
||||||
CHECK_COMMAND = "echo %s" % ID_STRING
|
CHECK_COMMAND = "echo %s" % ID_STRING
|
||||||
# Architecture checking commands
|
# Architecture checking commands
|
||||||
GET_ARCH_WINDOWS = "wmic os get osarchitecture"
|
GET_ARCH_WINDOWS = "wmic os get osarchitecture" # can't remove, powershell exploiter uses
|
||||||
GET_ARCH_LINUX = "lscpu"
|
|
||||||
|
|
||||||
# All in one commands (upload, change permissions, run)
|
# All in one commands (upload, change permissions, run)
|
||||||
HADOOP_WINDOWS_COMMAND = (
|
HADOOP_WINDOWS_COMMAND = (
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue