Finished up exploitation and added reporting

2018-06-20 22:35:18 +03:00 · 2018-06-20 22:35:18 +03:00 · ef6c512ea9
parent 2d27972e7e
commit ef6c512ea9
3 changed files with 41 additions and 6 deletions
--- a/infection_monkey/exploit/struts2.py
+++ b/infection_monkey/exploit/struts2.py
@ -59,8 +59,7 @@ class Struts2Exploiter(HostExploiter):
            if port == 443:
                current_host = "https://%s:%d" % (self.host.ip_addr, port)
            else:
-                # TODO remove struts from url
-                current_host = "http://%s:%d/struts" % (self.host.ip_addr, port)
+                current_host = "http://%s:%d" % (self.host.ip_addr, port)
            # Get full URL
            url = self.get_redirected(current_host)
            # Get os architecture so that we don't have to update monkey
@ -154,8 +153,8 @@ class Struts2Exploiter(HostExploiter):

            command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
                                         'http_path': http_path, 'parameters': cmdline}
-            # TODO Add timeout
-            self.exploit(url, command)
+
+            self.exploit(url, command, RESPONSE_TIMEOUT)

            http_thread.join(DOWNLOAD_TIMEOUT)
            http_thread.stop()
--- a/monkey_island/cc/services/report.py
+++ b/monkey_island/cc/services/report.py
@ -30,6 +30,7 @@ class ReportService:
            'ElasticGroovyExploiter': 'Elastic Groovy Exploiter',
            'Ms08_067_Exploiter': 'Conficker Exploiter',
            'ShellShockExploiter': 'ShellShock Exploiter',
+            'Struts2Exploiter': 'Struts2 Exploiter'
        }

    class ISSUES_DICT(Enum):
@ -41,6 +42,7 @@ class ReportService:
        CONFICKER = 5
        AZURE = 6
        STOLEN_SSH_KEYS = 7
+        STRUTS2 = 8

    class WARNINGS_DICT(Enum):
        CROSS_SEGMENT = 0
@ -290,6 +292,12 @@ class ReportService:
        processed_exploit['paths'] = ['/' + url.split(':')[2].split('/')[1] for url in urls]
        return processed_exploit

+    @staticmethod
+    def process_struts2_exploit(exploit):
+        processed_exploit = ReportService.process_general_exploit(exploit)
+        processed_exploit['type'] = 'struts2'
+        return processed_exploit
+
    @staticmethod
    def process_exploit(exploit):
        exploiter_type = exploit['data']['exploiter']
@ -302,6 +310,7 @@ class ReportService:
            'ElasticGroovyExploiter': ReportService.process_elastic_exploit,
            'Ms08_067_Exploiter': ReportService.process_conficker_exploit,
            'ShellShockExploiter': ReportService.process_shellshock_exploit,
+            'Struts2Exploiter': ReportService.process_struts2_exploit
        }

        return EXPLOIT_PROCESS_FUNCTION_DICT[exploiter_type](exploit)
@ -419,6 +428,8 @@ class ReportService:
                    issues_byte_array[ReportService.ISSUES_DICT.AZURE.value] = True
                elif issue['type'] == 'ssh_key':
                    issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True
+                elif issue['type'] == 'struts2':
+                    issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True
                elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
                        issue['username'] in config_users or issue['type'] == 'ssh':
                    issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True
--- a/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js
@ -23,7 +23,8 @@ class ReportPageComponent extends AuthComponent {
      SHELLSHOCK: 4,
      CONFICKER: 5,
      AZURE: 6,
-      STOLEN_SSH_KEYS: 7
+      STOLEN_SSH_KEYS: 7,
+      STRUTS2: 8
    };

  Warning =
@ -321,7 +322,10 @@ class ReportPageComponent extends AuthComponent {
                    <li>Azure machines expose plaintext passwords. (<a
                      href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
                    >More info</a>)</li> : null}
-
+                  {this.state.report.overview.issues[this.Issue.STRUTS2] ?
+                    <li>Struts2 servers are vulnerable to remote code execution. (<a
+                      href="https://cwiki.apache.org/confluence/display/WW/S2-045">
+                      CVE-2017-5638</a>)</li> : null }
                </ul>
              </div>
              :
@ -671,6 +675,24 @@ class ReportPageComponent extends AuthComponent {
    );
  }

+  generateStruts2Issue(issue) {
+    return (
+      <li>
+        Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.
+        <CollapsibleWellComponent>
+          Struts2 server at <span className="label label-primary">{issue.machine}</span> (<span
+          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
+          className="label label-danger">remote code execution</span> attack.
+          <br/>
+          The attack was made possible because the server is using an old version of Jakarta based file upload
+          Multipart parser. For possible work-arounds and more info read <a
+                      href="https://cwiki.apache.org/confluence/display/WW/S2-045"
+                    >here</a>.
+        </CollapsibleWellComponent>
+      </li>
+    );
+  }
+


  generateIssue = (issue) => {
@ -718,6 +740,9 @@ class ReportPageComponent extends AuthComponent {
      case 'azure_password':
        data = this.generateAzureIssue(issue);
        break;
+      case 'struts2':
+        data = this.generateStruts2Issue(issue);
+        break;
    }
    return data;
  };