From d80c6703921d1c0306171995c3321b1d7e42214f Mon Sep 17 00:00:00 2001
From: daniel goldberg
Date: Mon, 29 Aug 2016 14:25:30 +0300
Subject: [PATCH] Fixed bug in HTTPFingering

Added support for skip_exploit_if_file_exists in linux exploiters.
Delayed/fixed a race in the monkey patching that gevents does.

---
 chaos_monkey/exploit/shellshock.py | 8 +++++---
 chaos_monkey/exploit/sshexec.py | 15 ++++++++-------
 chaos_monkey/network/httpfinger.py | 4 +++-
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/chaos_monkey/exploit/shellshock.py b/chaos_monkey/exploit/shellshock.py
index 0211deaa7..08afe87b2 100644
--- a/chaos_monkey/exploit/shellshock.py
+++ b/chaos_monkey/exploit/shellshock.py
@@ -9,7 +9,6 @@ from model.host import VictimHost
 from shellshock_resources import CGI_FILES
 from model import MONKEY_ARG
 from exploit.tools import get_target_monkey, HTTPTools, report_failed_login
-import grequests
 import requests
 
 __author__ = 'danielg'
@@ -38,8 +37,10 @@ class ShellShockExploiter(HostExploiter):
     def exploit_host(self, host, depth=-1, src_path=None):
         assert isinstance(host, VictimHost)
         # start by picking ports
-        valid_ports = [(port, host.services['tcp-' + str(port)][1]) for port in self.HTTP if
-                       'tcp-' + str(port) in host.services]
+        candidate_services = {service: host.services[service] for service in host.services if host.services[service]['name'] == 'http'}
+
+        valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in self.HTTP if
+                       'tcp-' + str(port) in candidate_services]
         http_ports = [port[0] for port in valid_ports if not port[1]]
         https_ports = [port[0] for port in valid_ports if port[1]]
 
@@ -192,6 +193,7 @@ class ShellShockExploiter(HostExploiter):
         Checks if which urls exist
         :return: Sequence of URLs to try and attack
         """
+        import grequests
         attack_path = 'http://'
         if is_https:
             attack_path = 'https://'
diff --git a/chaos_monkey/exploit/sshexec.py b/chaos_monkey/exploit/sshexec.py
index 455d6d19d..fea92f82a 100644
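Review bot: The module-level `import grequests` is dropped in this hunk and re-added as a function-local import in the `@@ -192,6 +193,7 @@` hunk, but neither side carries a comment saying why, so the next reader is likely to hoist it back to the top and reintroduce the problem. The commit message attributes the move to a race with gevent's monkey-patching, which grequests performs at import time; that constraint belongs in the code, e.g. `import grequests  # deliberately local: importing grequests monkey-patches via gevent, which must not happen at module import time` (exact wording to be confirmed against the race that was observed). The function containing the local import starts above the visible lines of its hunk.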
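Review bot: The new `candidate_services` comprehension indexes `host.services[service]['name']` for every entry in `host.services`, but within this patch only the HTTP finger writes that dict shape; any other finger that stores a tuple, or a dict without `'name'` (none are visible here), would make `exploit_host` raise `TypeError`/`KeyError` instead of simply finding no HTTP ports. A tolerant filter that also removes the double lookup: `candidate_services = {name: info for name, info in host.services.items() if isinstance(info, dict) and info.get('name') == 'http'}`. The line is also far longer than the wrapped `valid_ports` expression directly below it. The rest of `exploit_host` continues outside the hunk.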
--- a/chaos_monkey/exploit/sshexec.py
+++ b/chaos_monkey/exploit/sshexec.py
@@ -102,19 +102,20 @@ class SSHExploiter(HostExploiter):
         except Exception, exc:
             LOG.debug("Error running uname machine commad on victim %r: (%s)", host, exc)
 
+        if self.skip_exist:
+            _, stdout, stderr = ssh.exec_command("head -c 1 %s" % self._config.dropper_target_path_linux)
+            stdout_res = stdout.read().strip()
+            if stdout_res:
+                # file exists
+                LOG.info("Host %s was already infected under the current configuration, done" % host)
+                return True # return already infected
+
         src_path = src_path or get_target_monkey(host)
         if not src_path:
             LOG.info("Can't find suitable monkey executable for host %r", host)
             return False
 
-        if self._config.skip_exploit_if_file_exist:
-            _, stdout, _ = ssh.exec_command("head -c 1 %s" % self._config.dropper_target_path_linux)
-            if stdout:
-                # file exists
-                LOG.info("Host %s was already infected under the current configuration, done" % host)
-                return True # return already infected
-
         try:
             ftp = ssh.open_sftp()
diff --git a/chaos_monkey/network/httpfinger.py b/chaos_monkey/network/httpfinger.py
index 52b29d3bb..a7bb56e2e 100644
--- a/chaos_monkey/network/httpfinger.py
+++ b/chaos_monkey/network/httpfinger.py
@@ -32,7 +32,9 @@ class HTTPFinger(HostFinger):
                 with closing(head(url, verify=False, timeout=1)) as req:
                     server = req.headers.get('Server')
                     ssl = True if 'https://' in url else False
-                    host.services['tcp-' + port[1]] = (server,ssl)
+                    host.services['tcp-' + port[1]] = {}
+                    host.services['tcp-' + port[1]]['name'] = 'http'
+                    host.services['tcp-' + port[1]]['data'] = (server,ssl)
                     break # https will be the same on the same port
             except Timeout:
                 pass
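Review bot: The new guard reads `self.skip_exist`, whereas the block it replaces read `self._config.skip_exploit_if_file_exist`, and nothing in this patch assigns `skip_exist`; unless the `HostExploiter` base class already derives it from that config key, every call with the option enabled raises `AttributeError` before `open_sftp()` is reached. Two smaller points in the same block: `stderr` is bound and never used (`_, stdout, _ = ssh.exec_command(...)` matches the surrounding style), and the `LOG.info("... done" % host)` call formats eagerly while the neighbouring `LOG.debug`/`LOG.info` calls pass `host` as a lazy argument — `LOG.info("Host %s was already infected under the current configuration, done", host)` keeps them consistent. Note also that `head -c 1` prints nothing for an existing but empty file, so such a file is treated as "not infected"; if that case matters, the check needs an existence test rather than a content read. The enclosing `exploit_host` starts and ends outside the hunk.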
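Review bot: The three assignments building the service entry can be one literal, `host.services['tcp-' + port[1]] = {'name': 'http', 'data': (server, ssl)}`, which also spares a reader from wondering whether the intermediate empty dict is ever observable. This changes the shape of `host.services['tcp-…']` from a `(server, ssl)` tuple to a dict, and the only consumer updated in this patch is `shellshock.py`; any other reader of these entries, or any other finger still writing a tuple (neither visible here), would need the same treatment for shellshock's `['name'] == 'http'` filter to hold. The enclosing loop and `try` begin outside the hunk.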