forked from p34709852/monkey
Refactored exploit_host and added get_exploit_config
This commit is contained in:
parent
911404ef68
commit
eae3f3440d
|
@ -37,37 +37,51 @@ class WebRCE(HostExploiter):
|
|||
self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
|
||||
self.skip_exist = self._config.skip_exploit_if_file_exist
|
||||
|
||||
@staticmethod
|
||||
def get_exploit_config():
|
||||
"""
|
||||
Method that creates a dictionary of configuration values for exploit
|
||||
:return: configuration dict
|
||||
"""
|
||||
exploit_config = dict()
|
||||
|
||||
# dropper: If true monkey will use dropper parameter that will detach monkey's process and try to copy
|
||||
# it's file to the default destination path.
|
||||
exploit_config['dropper'] = False
|
||||
|
||||
# upload_commands: Unformatted dict with one or two commands {'linux': WGET_HTTP_UPLOAD,'windows': WIN_CMD}
|
||||
# Command must have "monkey_path" and "http_path" format parameters. If None defaults will be used.
|
||||
exploit_config['upload_commands'] = None
|
||||
|
||||
# url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
|
||||
exploit_config['url_extensions'] = None
|
||||
|
||||
# stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
|
||||
exploit_config['stop_checking_urls'] = False
|
||||
|
||||
# blind_exploit: If true we won't check if file exist and won't try to get the architecture of target.
|
||||
exploit_config['blind_exploit'] = False
|
||||
|
||||
return exploit_config
|
||||
|
||||
def exploit_host(self):
|
||||
"""
|
||||
Override this method to pass custom arguments to default_exploit_host
|
||||
:return: True if exploited, False otherwise
|
||||
"""
|
||||
return self.default_exploit_host()
|
||||
|
||||
def default_exploit_host(self, dropper=False, upload_commands=None, url_extensions=None,
|
||||
stop_checking_urls=False, blind_exploit=False):
|
||||
"""
|
||||
Standard framework usage (call this method in exploit_host function):
|
||||
:param dropper: If true monkey will use dropper parameter that will detach monkey's process and try to copy
|
||||
it's file to the default destination path.
|
||||
:param upload_commands: Unformatted dict with one or two commands {'linux': WGET_HTTP_UPLOAD,'windows': WIN_CMD}
|
||||
Command must have "monkey_path" and "http_path" format parameters.
|
||||
:param url_extensions: What subdirectories to scan (www.domain.com[/extension]). Eg. ["home", "index.php"]
|
||||
:param stop_checking_urls: If true it will stop checking vulnerable urls once one was found vulnerable.
|
||||
:param blind_exploit: If true we won't check if file exist and won't try to get the architecture of target.
|
||||
:return: True if exploited and False otherwise.
|
||||
"""
|
||||
# We get exploit configuration
|
||||
exploit_config = self.get_exploit_config()
|
||||
# Get open ports
|
||||
ports = self.get_ports_w(self.HTTP, ["http"])
|
||||
if not ports:
|
||||
return False
|
||||
# Get urls to try to exploit
|
||||
urls = self.build_potential_urls(ports, url_extensions)
|
||||
urls = self.build_potential_urls(ports, exploit_config['url_extensions'])
|
||||
vulnerable_urls = []
|
||||
for url in urls:
|
||||
if self.check_if_exploitable(url):
|
||||
vulnerable_urls.append(url)
|
||||
if stop_checking_urls:
|
||||
if exploit_config['stop_checking_urls']:
|
||||
break
|
||||
self._exploit_info['vulnerable_urls'] = vulnerable_urls
|
||||
|
||||
|
@ -75,16 +89,16 @@ class WebRCE(HostExploiter):
|
|||
return False
|
||||
|
||||
# Skip if monkey already exists and this option is given
|
||||
if not blind_exploit and self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
|
||||
if not exploit_config['blind_exploit'] and self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
|
||||
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
||||
return True
|
||||
|
||||
# Check for targets architecture (if it's 32 or 64 bit)
|
||||
if not blind_exploit and not self.set_host_arch(vulnerable_urls[0]):
|
||||
if not exploit_config['blind_exploit'] and not self.set_host_arch(vulnerable_urls[0]):
|
||||
return False
|
||||
|
||||
# Upload the right monkey to target
|
||||
data = self.upload_monkey(vulnerable_urls[0], upload_commands)
|
||||
data = self.upload_monkey(vulnerable_urls[0], exploit_config['upload_commands'])
|
||||
|
||||
if data is not False and data['response'] is False:
|
||||
return False
|
||||
|
@ -94,7 +108,7 @@ class WebRCE(HostExploiter):
|
|||
return False
|
||||
|
||||
# Execute remote monkey
|
||||
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], dropper) is False:
|
||||
if self.execute_remote_monkey(vulnerable_urls[0], data['path'], exploit_config['dropper']) is False:
|
||||
return False
|
||||
|
||||
return True
|
||||
|
|
Loading…
Reference in New Issue