forked from p34709852/monkey
Resolved string templating in dropper and windows_upgrader.
This commit is contained in:
parent
0517f3e06f
commit
9fd27141f2
|
@ -12,11 +12,13 @@ from ctypes import c_char_p
|
|||
|
||||
from common.utils.attack_utils import ScanStatus, UsageEnum
|
||||
from infection_monkey.config import WormConfiguration
|
||||
from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly
|
||||
from infection_monkey.model import MONKEY_CMDLINE_LINUX, MONKEY_CMDLINE_WINDOWS
|
||||
from infection_monkey.system_info import OperatingSystem, SystemInfoCollector
|
||||
from infection_monkey.telemetry.attack.t1106_telem import T1106Telem
|
||||
from infection_monkey.utils.commands import get_monkey_cmd_lines_linux, get_monkey_cmd_lines_windows
|
||||
from infection_monkey.utils.commands import (
|
||||
build_monkey_commandline_explicitly,
|
||||
get_monkey_cmd_lines_linux,
|
||||
get_monkey_cmd_lines_windows,
|
||||
)
|
||||
|
||||
if "win32" == sys.platform:
|
||||
from win32process import DETACHED_PROCESS
|
||||
|
@ -143,15 +145,13 @@ class MonkeyDrops(object):
|
|||
)
|
||||
|
||||
if OperatingSystem.Windows == SystemInfoCollector.get_os():
|
||||
# TODO: Replace all of this string templating with a function that accepts
|
||||
# the necessary parameters and returns a list of arguments.
|
||||
|
||||
monkey_cmdline, monkey_cmdline_split = get_monkey_cmd_lines_windows(
|
||||
MONKEY_CMDLINE_WINDOWS, self._config["destination_path"], monkey_options
|
||||
monkey_cmdline = get_monkey_cmd_lines_windows(
|
||||
self._config["destination_path"], monkey_options
|
||||
)
|
||||
|
||||
monkey_process = subprocess.Popen(
|
||||
monkey_cmdline_split,
|
||||
monkey_cmdline,
|
||||
stdin=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE,
|
||||
|
@ -162,15 +162,13 @@ class MonkeyDrops(object):
|
|||
dest_path = self._config["destination_path"]
|
||||
# In Linux, we need to change the directory first, which is done
|
||||
# using thw `cwd` argument in `subprocess.Popen` below
|
||||
# TODO: Replace all of this string templating with a function that accepts
|
||||
# the necessary parameters and returns a list of arguments.
|
||||
|
||||
monkey_cmdline, monkey_cmdline_split = get_monkey_cmd_lines_linux(
|
||||
MONKEY_CMDLINE_LINUX, dest_path, monkey_options
|
||||
)
|
||||
monkey_cmdline = get_monkey_cmd_lines_linux(dest_path, monkey_options)
|
||||
|
||||
LOG.info("Commands of monkey cmdline_split %s", monkey_cmdline)
|
||||
|
||||
monkey_process = subprocess.Popen(
|
||||
monkey_cmdline_split,
|
||||
monkey_cmdline,
|
||||
stdin=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE,
|
||||
|
@ -182,7 +180,7 @@ class MonkeyDrops(object):
|
|||
LOG.info(
|
||||
"Executed monkey process (PID=%d) with command line: %s",
|
||||
monkey_process.pid,
|
||||
monkey_cmdline,
|
||||
" ".join(monkey_cmdline),
|
||||
)
|
||||
|
||||
time.sleep(3)
|
||||
|
|
|
@ -13,7 +13,7 @@ from random import SystemRandom
|
|||
import requests
|
||||
|
||||
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
|
||||
from infection_monkey.exploit.tools.helpers import build_monkey_commandline, get_monkey_depth
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.model import (
|
||||
|
@ -22,6 +22,7 @@ from infection_monkey.model import (
|
|||
ID_STRING,
|
||||
MONKEY_ARG,
|
||||
)
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
|
|
@ -8,14 +8,11 @@ import pymssql
|
|||
from common.utils.exceptions import ExploitingVulnerableMachineError, FailedExploitationError
|
||||
from common.utils.exploit_enum import ExploitType
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_monkey_dest_path,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_monkey_dest_path
|
||||
from infection_monkey.exploit.tools.http_tools import MonkeyHTTPServer
|
||||
from infection_monkey.exploit.tools.payload_parsing import LimitedSizePayload
|
||||
from infection_monkey.model import DROPPER_ARG
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
|
|
@ -36,16 +36,13 @@ from impacket.smbconnection import SMBConnection
|
|||
import infection_monkey.monkeyfs as monkeyfs
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_target_monkey_by_os,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey_by_os
|
||||
from infection_monkey.model import DROPPER_ARG
|
||||
from infection_monkey.network.smbfinger import SMB_SERVICE
|
||||
from infection_monkey.network.tools import get_interface_to_target
|
||||
from infection_monkey.pyinstaller_utils import get_binary_file_path
|
||||
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
||||
|
|
|
@ -10,14 +10,11 @@ import requests
|
|||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.shellshock_resources import CGI_FILES
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_target_monkey,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.model import DROPPER_ARG
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
__author__ = "danielg"
|
||||
|
||||
|
|
|
@ -5,16 +5,13 @@ from impacket.dcerpc.v5 import scmr, transport
|
|||
from common.utils.attack_utils import ScanStatus, UsageEnum
|
||||
from common.utils.exploit_enum import ExploitType
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_target_monkey,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||
from infection_monkey.model import DROPPER_CMDLINE_DETACHED_WINDOWS, MONKEY_CMDLINE_DETACHED_WINDOWS
|
||||
from infection_monkey.network.smbfinger import SMBFinger
|
||||
from infection_monkey.network.tools import check_tcp_port
|
||||
from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
LOG = getLogger(__name__)
|
||||
|
||||
|
|
|
@ -9,15 +9,12 @@ from common.utils.attack_utils import ScanStatus
|
|||
from common.utils.exceptions import FailedExploitationError
|
||||
from common.utils.exploit_enum import ExploitType
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_target_monkey,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.model import MONKEY_ARG
|
||||
from infection_monkey.network.tools import check_tcp_port, get_interface_to_target
|
||||
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
__author__ = "hoffer"
|
||||
|
||||
|
|
|
@ -45,42 +45,6 @@ def get_target_monkey_by_os(is_windows, is_32bit):
|
|||
return ControlClient.download_monkey_exe_by_os(is_windows, is_32bit)
|
||||
|
||||
|
||||
def build_monkey_commandline_explicitly(
|
||||
parent=None, tunnel=None, server=None, depth=None, location=None, vulnerable_port=None
|
||||
):
|
||||
cmdline = ""
|
||||
|
||||
if parent is not None:
|
||||
cmdline += f" -p {parent}"
|
||||
if tunnel is not None:
|
||||
cmdline += f" -t {tunnel}"
|
||||
if server is not None:
|
||||
cmdline += f" -s {server}"
|
||||
if depth is not None:
|
||||
if int(depth) < 0:
|
||||
depth = 0
|
||||
cmdline += f" -d {depth}"
|
||||
if location is not None:
|
||||
cmdline += f" -l {location}"
|
||||
if vulnerable_port is not None:
|
||||
cmdline += f" -vp {vulnerable_port}"
|
||||
|
||||
return cmdline
|
||||
|
||||
|
||||
def build_monkey_commandline(target_host, depth, vulnerable_port, location=None):
|
||||
from infection_monkey.config import GUID
|
||||
|
||||
return build_monkey_commandline_explicitly(
|
||||
GUID,
|
||||
target_host.default_tunnel,
|
||||
target_host.default_server,
|
||||
depth,
|
||||
location,
|
||||
vulnerable_port,
|
||||
)
|
||||
|
||||
|
||||
def get_monkey_depth():
|
||||
from infection_monkey.config import WormConfiguration
|
||||
|
||||
|
|
|
@ -11,11 +11,7 @@ from logging import getLogger
|
|||
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_target_monkey,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.model import (
|
||||
CHMOD_MONKEY,
|
||||
|
@ -25,6 +21,7 @@ from infection_monkey.model import (
|
|||
WGET_HTTP_UPLOAD,
|
||||
)
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
LOG = getLogger(__name__)
|
||||
|
||||
|
|
|
@ -5,11 +5,7 @@ from posixpath import join
|
|||
|
||||
from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_target_monkey,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.model import (
|
||||
BITSADMIN_CMDLINE_HTTP,
|
||||
|
@ -28,6 +24,7 @@ from infection_monkey.model import (
|
|||
from infection_monkey.network.tools import tcp_port_to_service
|
||||
from infection_monkey.telemetry.attack.t1197_telem import T1197Telem
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
__author__ = "VakarisZ"
|
||||
|
||||
|
|
|
@ -16,15 +16,12 @@ from impacket.dcerpc.v5 import transport
|
|||
|
||||
from common.utils.shellcode_obfuscator import clarify
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_target_monkey,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
||||
from infection_monkey.network.smbfinger import SMBFinger
|
||||
from infection_monkey.network.tools import check_tcp_port
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
from infection_monkey.utils.random_password_generator import get_random_password
|
||||
|
||||
LOG = getLogger(__name__)
|
||||
|
|
|
@ -7,14 +7,11 @@ from impacket.dcerpc.v5.rpcrt import DCERPCException
|
|||
|
||||
from common.utils.exploit_enum import ExploitType
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.tools.helpers import (
|
||||
build_monkey_commandline,
|
||||
get_monkey_depth,
|
||||
get_target_monkey,
|
||||
)
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.smb_tools import SmbTools
|
||||
from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools
|
||||
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
|
|
@ -7,7 +7,9 @@ DROPPER_ARG = "dr0pp3r"
|
|||
ID_STRING = "M0NK3Y3XPL0ITABLE"
|
||||
|
||||
# CMD prefix for windows commands
|
||||
CMD_PREFIX = "cmd.exe /c"
|
||||
CMD_EXE = "cmd.exe"
|
||||
CMD_CARRY_OUT = "/c"
|
||||
CMD_PREFIX = CMD_EXE + " " + CMD_CARRY_OUT
|
||||
DROPPER_CMDLINE_WINDOWS = "%s %%(dropper_path)s %s" % (
|
||||
CMD_PREFIX,
|
||||
DROPPER_ARG,
|
||||
|
@ -16,7 +18,6 @@ MONKEY_CMDLINE_WINDOWS = "%s %%(monkey_path)s %s" % (
|
|||
CMD_PREFIX,
|
||||
MONKEY_ARG,
|
||||
)
|
||||
MONKEY_CMDLINE_LINUX = "./%%(monkey_filename)s %s" % (MONKEY_ARG,)
|
||||
DROPPER_CMDLINE_DETACHED_WINDOWS = "%s start cmd /c %%(dropper_path)s %s" % (
|
||||
CMD_PREFIX,
|
||||
DROPPER_ARG,
|
||||
|
|
|
@ -1,15 +1,61 @@
|
|||
import shlex
|
||||
import logging
|
||||
|
||||
from infection_monkey.model import CMD_CARRY_OUT, CMD_EXE, MONKEY_ARG
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def get_monkey_cmd_lines_windows(monkey_cmdline_windows, destination_path, monkey_options):
|
||||
monkey_cmdline = monkey_cmdline_windows % {"monkey_path": destination_path} + monkey_options
|
||||
def build_monkey_commandline(target_host, depth, vulnerable_port, location=None):
|
||||
from infection_monkey.config import GUID
|
||||
|
||||
return monkey_cmdline, shlex.split(monkey_cmdline, posix=False)
|
||||
|
||||
|
||||
def get_monkey_cmd_lines_linux(monkey_cmdline_linux, destination_path, monkey_options):
|
||||
monkey_cmdline = (
|
||||
monkey_cmdline_linux % {"monkey_filename": destination_path.split("/")[-1]} + monkey_options
|
||||
return "".join(
|
||||
build_monkey_commandline_explicitly(
|
||||
GUID,
|
||||
target_host.default_tunnel,
|
||||
target_host.default_server,
|
||||
depth,
|
||||
location,
|
||||
vulnerable_port,
|
||||
)
|
||||
)
|
||||
|
||||
return monkey_cmdline, shlex.split(monkey_cmdline, posix=False)
|
||||
|
||||
def build_monkey_commandline_explicitly(
|
||||
parent=None, tunnel=None, server=None, depth=None, location=None, vulnerable_port=None
|
||||
):
|
||||
cmdline = []
|
||||
|
||||
if parent is not None:
|
||||
cmdline.append("-p")
|
||||
cmdline.append(f"{parent}")
|
||||
if tunnel is not None:
|
||||
cmdline.append("-t")
|
||||
cmdline.append(f"{tunnel}")
|
||||
if server is not None:
|
||||
cmdline.append("-s")
|
||||
cmdline.append(f"{server}")
|
||||
if depth is not None:
|
||||
if int(depth) < 0:
|
||||
depth = 0
|
||||
cmdline.append("-d")
|
||||
cmdline.append(f"{depth}")
|
||||
if location is not None:
|
||||
cmdline.append("-l")
|
||||
cmdline.append(f"{location}")
|
||||
if vulnerable_port is not None:
|
||||
cmdline.append("-vp")
|
||||
cmdline.append(f"{vulnerable_port}")
|
||||
|
||||
return cmdline
|
||||
|
||||
|
||||
def get_monkey_cmd_lines_windows(destination_path, monkey_options):
|
||||
monkey_cmdline = [CMD_EXE, CMD_CARRY_OUT, destination_path, MONKEY_ARG]
|
||||
|
||||
return monkey_cmdline + monkey_options
|
||||
|
||||
|
||||
def get_monkey_cmd_lines_linux(destination_path, monkey_options):
|
||||
monkey_cmdline = [destination_path.split("/")[-1], MONKEY_ARG]
|
||||
|
||||
return monkey_cmdline + monkey_options
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
import logging
|
||||
import shlex
|
||||
import shutil
|
||||
import subprocess
|
||||
import sys
|
||||
|
@ -8,8 +7,10 @@ import time
|
|||
import infection_monkey.monkeyfs as monkeyfs
|
||||
from infection_monkey.config import WormConfiguration
|
||||
from infection_monkey.control import ControlClient
|
||||
from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly
|
||||
from infection_monkey.model import MONKEY_CMDLINE_WINDOWS
|
||||
from infection_monkey.utils.commands import (
|
||||
build_monkey_commandline_explicitly,
|
||||
get_monkey_cmd_lines_windows,
|
||||
)
|
||||
from infection_monkey.utils.environment import is_64bit_python, is_64bit_windows_os, is_windows_os
|
||||
|
||||
__author__ = "itay.mizeretz"
|
||||
|
@ -46,20 +47,12 @@ class WindowsUpgrader(object):
|
|||
opts.parent, opts.tunnel, opts.server, opts.depth
|
||||
)
|
||||
|
||||
# TODO: Replace all of this string templating with a function that accepts
|
||||
# the necessary parameters and returns a list of arguments.
|
||||
monkey_cmdline = (
|
||||
MONKEY_CMDLINE_WINDOWS % {"monkey_path": WormConfiguration.dropper_target_path_win_64}
|
||||
+ monkey_options
|
||||
)
|
||||
|
||||
monkey_cmdline_split = shlex.split(
|
||||
monkey_cmdline,
|
||||
posix=False, # won't try resolving "\" in paths as part of escape sequences
|
||||
monkey_cmdline = get_monkey_cmd_lines_windows(
|
||||
WormConfiguration.dropper_target_path_win_64, monkey_options
|
||||
)
|
||||
|
||||
monkey_process = subprocess.Popen(
|
||||
monkey_cmdline_split,
|
||||
monkey_cmdline,
|
||||
stdin=None,
|
||||
stdout=None,
|
||||
stderr=None,
|
||||
|
@ -70,7 +63,7 @@ class WindowsUpgrader(object):
|
|||
LOG.info(
|
||||
"Executed 64bit monkey process (PID=%d) with command line: %s",
|
||||
monkey_process.pid,
|
||||
monkey_cmdline,
|
||||
"".join(monkey_cmdline),
|
||||
)
|
||||
|
||||
time.sleep(WindowsUpgrader.__UPGRADE_WAIT_TIME__)
|
||||
|
|
|
@ -1,16 +1,29 @@
|
|||
import unittest
|
||||
|
||||
from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly
|
||||
from infection_monkey.utils.commands import build_monkey_commandline_explicitly
|
||||
|
||||
|
||||
class TestHelpers(unittest.TestCase):
|
||||
def test_build_monkey_commandline_explicitly(self):
|
||||
test1 = " -p 101010 -t 10.10.101.10 -s 127.127.127.127:5000 -d 0 -l C:\\windows\\abc -vp 80"
|
||||
test1 = [
|
||||
"-p",
|
||||
"101010",
|
||||
"-t",
|
||||
"10.10.101.10",
|
||||
"-s",
|
||||
"127.127.127.127:5000",
|
||||
"-d",
|
||||
"0",
|
||||
"-l",
|
||||
"C:\\windows\\abc",
|
||||
"-vp",
|
||||
"80",
|
||||
]
|
||||
result1 = build_monkey_commandline_explicitly(
|
||||
101010, "10.10.101.10", "127.127.127.127:5000", 0, "C:\\windows\\abc", 80
|
||||
)
|
||||
|
||||
test2 = " -p parent -s 127.127.127.127:5000 -d 0 -vp 80"
|
||||
test2 = ["-p", "parent", "-s", "127.127.127.127:5000", "-d", "0", "-vp", "80"]
|
||||
result2 = build_monkey_commandline_explicitly(
|
||||
parent="parent", server="127.127.127.127:5000", depth="0", vulnerable_port="80"
|
||||
)
|
Loading…
Reference in New Issue