From b64ff7bffba66fce147a2ff5f35fa306f14d5d64 Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Thu, 19 Oct 2017 17:59:17 +0300
Subject: [PATCH 1/3] Fix src_path referenced before assignment on shellshock
---
 chaos_monkey/exploit/shellshock.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chaos_monkey/exploit/shellshock.py b/chaos_monkey/exploit/shellshock.py
index acae085f0..97c950a18 100644
--- a/chaos_monkey/exploit/shellshock.py
+++ b/chaos_monkey/exploit/shellshock.py
@@ -99,7 +99,7 @@ class ShellShockExploiter(HostExploiter):
 LOG.info("Host %s was already infected under the current configuration, done" % self.host)
 return True # return already infected
- src_path = src_path or get_target_monkey(self.host)
+ src_path = get_target_monkey(self.host)
 if not src_path:
 LOG.info("Can't find suitable monkey executable for host %r", self.host)
 return False
From 68643ce343bb77a1925fa73a30597a0e2d255745 Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Thu, 19 Oct 2017 18:48:03 +0300
Subject: [PATCH 2/3] Add dropper target path on SMB exec
---
 chaos_monkey/exploit/smbexec.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/chaos_monkey/exploit/smbexec.py b/chaos_monkey/exploit/smbexec.py
index 0fc1f27fe..f5fa2b26b 100644
--- a/chaos_monkey/exploit/smbexec.py
+++ b/chaos_monkey/exploit/smbexec.py
@@ -86,11 +86,11 @@ class SmbExploiter(HostExploiter):
 # execute the remote dropper in case the path isn't final
 if remote_full_path.lower() != self._config.dropper_target_path.lower():
- cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path}
+ cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
+ build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path)
 else:
- cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path}
-
- cmdline += build_monkey_commandline(self.host, get_monkey_depth() - 1)
+ cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \
+ build_monkey_commandline(self.host, get_monkey_depth() - 1)
 for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
 rpctransport = transport.DCERPCTransportFactory(str_bind_format % (self.host.ip_addr,))
From 17d3795581a139cfb078f01e7bd9c430602c6027 Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Tue, 24 Oct 2017 15:42:52 +0300
Subject: [PATCH 3/3] Fix get_interface_to_target to always return an IP
---
 chaos_monkey/exploit/tools.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/chaos_monkey/exploit/tools.py b/chaos_monkey/exploit/tools.py
index 1fc76147a..60e3950a6 100644
--- a/chaos_monkey/exploit/tools.py
+++ b/chaos_monkey/exploit/tools.py
@@ -389,7 +389,9 @@ class HTTPTools(object):
 def get_interface_to_target(dst):
 if sys.platform == "win32":
- return get_close_matches(dst, local_ips())[0]
+ ips = local_ips()
+ matches = get_close_matches(dst, ips)
+ return matches[0] if (len(matches) > 0) else ips[0]
 else:
 # based on scapy implementation
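Review bot: In chaos_monkey/exploit/smbexec.py both new `cmdline` assignments end in a `+ \` continuation, which becomes a syntax error as soon as any whitespace follows the backslash, and the `build_monkey_commandline(self.host, get_monkey_depth() - 1` call is now written out in each branch where it used to be shared. Wrapping each right-hand side in parentheses removes the backslash without changing the result, e.g. `cmdline = (MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} +` followed by `build_monkey_commandline(self.host, get_monkey_depth() - 1))`. The dropper branch would also benefit from a short comment saying why only it passes `self._config.dropper_target_path` as the third argument, since the meaning of that argument is not visible from this hunk. The enclosing method starts and ends outside the hunk.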
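Review bot: In chaos_monkey/exploit/tools.py the new fallback `ips[0]` still raises IndexError when `local_ips()` returns an empty list, so the win32 branch of `get_interface_to_target` does not yet always return an IP as the subject line says. An explicit guard such as `if not ips: return None` before the match would make that case visible, provided the callers (outside this hunk) handle the empty result. The conditional reads more simply as `return matches[0] if matches else ips[0]`. Because `get_close_matches` compares the addresses as strings, falling back to the first local address is a guess that may not route to `dst` on a multi-homed host, and a comment saying so would help the next reader. The function's `else` branch continues outside the hunk.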