Refactored exploit_host and added get_exploit_config

This commit is contained in:
Vakaris 2018-08-22 13:33:36 +03:00
parent 911404ef68
commit eae3f3440d
1 changed files with 35 additions and 21 deletions

View File

@ -37,37 +37,51 @@ class WebRCE(HostExploiter):
self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
self.skip_exist = self._config.skip_exploit_if_file_exist
@staticmethod
def get_exploit_config():
"""
Method that creates a dictionary of configuration values for exploit
:return: configuration dict
"""
exploit_config = dict()
# dropper: If true monkey will use dropper parameter that will detach monkey's process and try to copy
# it's file to the default destination path.
exploit_config['dropper'] = False
# upload_commands: Unformatted dict with one or two commands {'linux': WGET_HTTP_UPLOAD,'windows': WIN_CMD}
# Command must have "monkey_path" and "http_path" format parameters. If None defaults will be used.
exploit_config['upload_commands'] = None
# url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
exploit_config['url_extensions'] = None
# stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
exploit_config['stop_checking_urls'] = False
# blind_exploit: If true we won't check if file exist and won't try to get the architecture of target.
exploit_config['blind_exploit'] = False
return exploit_config
def exploit_host(self):
"""
Override this method to pass custom arguments to default_exploit_host
:return: True if exploited, False otherwise
"""
return self.default_exploit_host()
def default_exploit_host(self, dropper=False, upload_commands=None, url_extensions=None,
stop_checking_urls=False, blind_exploit=False):
"""
Standard framework usage (call this method in exploit_host function):
:param dropper: If true monkey will use dropper parameter that will detach monkey's process and try to copy
it's file to the default destination path.
:param upload_commands: Unformatted dict with one or two commands {'linux': WGET_HTTP_UPLOAD,'windows': WIN_CMD}
Command must have "monkey_path" and "http_path" format parameters.
:param url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
:param stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
:param blind_exploit: If true we won't check if file exist and won't try to get the architecture of target.
:return: True if exploited and False otherwise.
"""
# We get exploit configuration
exploit_config = self.get_exploit_config()
# Get open ports
ports = self.get_ports_w(self.HTTP, ["http"])
if not ports:
return False
# Get urls to try to exploit
urls = self.build_potential_urls(ports, url_extensions)
urls = self.build_potential_urls(ports, exploit_config['url_extensions'])
vulnerable_urls = []
for url in urls:
if self.check_if_exploitable(url):
vulnerable_urls.append(url)
if stop_checking_urls:
if exploit_config['stop_checking_urls']:
break
self._exploit_info['vulnerable_urls'] = vulnerable_urls
@ -75,16 +89,16 @@ class WebRCE(HostExploiter):
return False
# Skip if monkey already exists and this option is given
if not blind_exploit and self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
if not exploit_config['blind_exploit'] and self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
return True
# Check for targets architecture (if it's 32 or 64 bit)
if not blind_exploit and not self.set_host_arch(vulnerable_urls[0]):
if not exploit_config['blind_exploit'] and not self.set_host_arch(vulnerable_urls[0]):
return False
# Upload the right monkey to target
data = self.upload_monkey(vulnerable_urls[0], upload_commands)
data = self.upload_monkey(vulnerable_urls[0], exploit_config['upload_commands'])
if data is not False and data['response'] is False:
return False
@ -94,7 +108,7 @@ class WebRCE(HostExploiter):
return False
# Execute remote monkey
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], dropper) is False:
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], exploit_config['dropper']) is False:
return False
return True