Resolved string templating in dropper and windows_upgrader.

This commit is contained in:
Ilija Lazoroski 2021-06-17 19:50:34 +02:00 committed by Ilija Lazoroski
parent 0517f3e06f
commit 9fd27141f2
16 changed files with 116 additions and 127 deletions


@ -12,11 +12,13 @@ from ctypes import c_char_p
from common.utils.attack_utils import ScanStatus, UsageEnum
from infection_monkey.config import WormConfiguration
from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly
from infection_monkey.model import MONKEY_CMDLINE_LINUX, MONKEY_CMDLINE_WINDOWS
from infection_monkey.system_info import OperatingSystem, SystemInfoCollector
from infection_monkey.telemetry.attack.t1106_telem import T1106Telem
from infection_monkey.utils.commands import get_monkey_cmd_lines_linux, get_monkey_cmd_lines_windows
from infection_monkey.utils.commands import (
build_monkey_commandline_explicitly,
get_monkey_cmd_lines_linux,
get_monkey_cmd_lines_windows,
)
if "win32" == sys.platform:
from win32process import DETACHED_PROCESS
@ -143,15 +145,13 @@ class MonkeyDrops(object):
)
if OperatingSystem.Windows == SystemInfoCollector.get_os():
# TODO: Replace all of this string templating with a function that accepts
# the necessary parameters and returns a list of arguments.
monkey_cmdline, monkey_cmdline_split = get_monkey_cmd_lines_windows(
MONKEY_CMDLINE_WINDOWS, self._config["destination_path"], monkey_options
monkey_cmdline = get_monkey_cmd_lines_windows(
self._config["destination_path"], monkey_options
)
monkey_process = subprocess.Popen(
monkey_cmdline_split,
monkey_cmdline,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
@ -162,15 +162,13 @@ class MonkeyDrops(object):
dest_path = self._config["destination_path"]
# In Linux, we need to change the directory first, which is done
# using thw `cwd` argument in `subprocess.Popen` below
# TODO: Replace all of this string templating with a function that accepts
# the necessary parameters and returns a list of arguments.
monkey_cmdline, monkey_cmdline_split = get_monkey_cmd_lines_linux(
MONKEY_CMDLINE_LINUX, dest_path, monkey_options
)
monkey_cmdline = get_monkey_cmd_lines_linux(dest_path, monkey_options)
LOG.info("Commands of monkey cmdline_split %s", monkey_cmdline)
monkey_process = subprocess.Popen(
monkey_cmdline_split,
monkey_cmdline,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
@ -182,7 +180,7 @@ class MonkeyDrops(object):
LOG.info(
"Executed monkey process (PID=%d) with command line: %s",
monkey_process.pid,
monkey_cmdline,
" ".join(monkey_cmdline),
)
time.sleep(3)
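Review bot: The Linux branch now hands `Popen` a bare filename as argv[0] (`get_monkey_cmd_lines_linux` uses `destination_path.split("/")[-1]` and the `./` of the old `MONKEY_CMDLINE_LINUX` template is gone) and relies on the `cwd` mentioned in the comment above it; with a list argv and `shell=False`, CPython resolves an argv[0] that contains no slash through `PATH`, not the working directory (unless `PATH` happens to contain `.`), so the monkey is likely not found at all — or a same-named binary earlier on `PATH` runs in its place. The robust fix is to exec the file by its full path rather than by name plus `cwd`, e.g. `monkey_cmdline[0] = dest_path` right after the `get_monkey_cmd_lines_linux(dest_path, monkey_options)` call, or restore the `./` prefix in the helper. The `LOG.info("Commands of monkey cmdline_split %s", ...)` line still names a variable that no longer exists and logs the same command line that the `"Executed monkey process ..."` message below prints again; drop it or rename it. The method containing both branches starts before the first hunk, so I cannot see how `dest_path` and `monkey_options` are derived.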


@ -13,7 +13,7 @@ from random import SystemRandom
import requests
from common.common_consts.timeouts import LONG_REQUEST_TIMEOUT
from infection_monkey.exploit.tools.helpers import build_monkey_commandline, get_monkey_depth
from infection_monkey.exploit.tools.helpers import get_monkey_depth
from infection_monkey.exploit.tools.http_tools import HTTPTools
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.model import (
@ -22,6 +22,7 @@ from infection_monkey.model import (
ID_STRING,
MONKEY_ARG,
)
from infection_monkey.utils.commands import build_monkey_commandline
__author__ = "VakarisZ"


@ -8,14 +8,11 @@ import pymssql
from common.utils.exceptions import ExploitingVulnerableMachineError, FailedExploitationError
from common.utils.exploit_enum import ExploitType
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_monkey_dest_path,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_monkey_dest_path
from infection_monkey.exploit.tools.http_tools import MonkeyHTTPServer
from infection_monkey.exploit.tools.payload_parsing import LimitedSizePayload
from infection_monkey.model import DROPPER_ARG
from infection_monkey.utils.commands import build_monkey_commandline
LOG = logging.getLogger(__name__)


@ -36,16 +36,13 @@ from impacket.smbconnection import SMBConnection
import infection_monkey.monkeyfs as monkeyfs
from common.utils.attack_utils import ScanStatus
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_target_monkey_by_os,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey_by_os
from infection_monkey.model import DROPPER_ARG
from infection_monkey.network.smbfinger import SMB_SERVICE
from infection_monkey.network.tools import get_interface_to_target
from infection_monkey.pyinstaller_utils import get_binary_file_path
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
from infection_monkey.utils.commands import build_monkey_commandline
__author__ = "itay.mizeretz"


@ -10,14 +10,11 @@ import requests
from common.utils.attack_utils import ScanStatus
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.shellshock_resources import CGI_FILES
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_target_monkey,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.exploit.tools.http_tools import HTTPTools
from infection_monkey.model import DROPPER_ARG
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
from infection_monkey.utils.commands import build_monkey_commandline
__author__ = "danielg"


@ -5,16 +5,13 @@ from impacket.dcerpc.v5 import scmr, transport
from common.utils.attack_utils import ScanStatus, UsageEnum
from common.utils.exploit_enum import ExploitType
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_target_monkey,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.exploit.tools.smb_tools import SmbTools
from infection_monkey.model import DROPPER_CMDLINE_DETACHED_WINDOWS, MONKEY_CMDLINE_DETACHED_WINDOWS
from infection_monkey.network.smbfinger import SMBFinger
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.telemetry.attack.t1035_telem import T1035Telem
from infection_monkey.utils.commands import build_monkey_commandline
LOG = getLogger(__name__)


@ -9,15 +9,12 @@ from common.utils.attack_utils import ScanStatus
from common.utils.exceptions import FailedExploitationError
from common.utils.exploit_enum import ExploitType
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_target_monkey,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.model import MONKEY_ARG
from infection_monkey.network.tools import check_tcp_port, get_interface_to_target
from infection_monkey.telemetry.attack.t1105_telem import T1105Telem
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
from infection_monkey.utils.commands import build_monkey_commandline
__author__ = "hoffer"


@ -45,42 +45,6 @@ def get_target_monkey_by_os(is_windows, is_32bit):
return ControlClient.download_monkey_exe_by_os(is_windows, is_32bit)
def build_monkey_commandline_explicitly(
parent=None, tunnel=None, server=None, depth=None, location=None, vulnerable_port=None
):
cmdline = ""
if parent is not None:
cmdline += f" -p {parent}"
if tunnel is not None:
cmdline += f" -t {tunnel}"
if server is not None:
cmdline += f" -s {server}"
if depth is not None:
if int(depth) < 0:
depth = 0
cmdline += f" -d {depth}"
if location is not None:
cmdline += f" -l {location}"
if vulnerable_port is not None:
cmdline += f" -vp {vulnerable_port}"
return cmdline
def build_monkey_commandline(target_host, depth, vulnerable_port, location=None):
from infection_monkey.config import GUID
return build_monkey_commandline_explicitly(
GUID,
target_host.default_tunnel,
target_host.default_server,
depth,
location,
vulnerable_port,
)
def get_monkey_depth():
from infection_monkey.config import WormConfiguration


@ -11,11 +11,7 @@ from logging import getLogger
from common.utils.attack_utils import ScanStatus
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_target_monkey,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.exploit.tools.http_tools import HTTPTools
from infection_monkey.model import (
CHMOD_MONKEY,
@ -25,6 +21,7 @@ from infection_monkey.model import (
WGET_HTTP_UPLOAD,
)
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
from infection_monkey.utils.commands import build_monkey_commandline
LOG = getLogger(__name__)


@ -5,11 +5,7 @@ from posixpath import join
from common.utils.attack_utils import BITS_UPLOAD_STRING, ScanStatus
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_target_monkey,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.exploit.tools.http_tools import HTTPTools
from infection_monkey.model import (
BITSADMIN_CMDLINE_HTTP,
@ -28,6 +24,7 @@ from infection_monkey.model import (
from infection_monkey.network.tools import tcp_port_to_service
from infection_monkey.telemetry.attack.t1197_telem import T1197Telem
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
from infection_monkey.utils.commands import build_monkey_commandline
__author__ = "VakarisZ"


@ -16,15 +16,12 @@ from impacket.dcerpc.v5 import transport
from common.utils.shellcode_obfuscator import clarify
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_target_monkey,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.exploit.tools.smb_tools import SmbTools
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from infection_monkey.network.smbfinger import SMBFinger
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.utils.commands import build_monkey_commandline
from infection_monkey.utils.random_password_generator import get_random_password
LOG = getLogger(__name__)


@ -7,14 +7,11 @@ from impacket.dcerpc.v5.rpcrt import DCERPCException
from common.utils.exploit_enum import ExploitType
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import (
build_monkey_commandline,
get_monkey_depth,
get_target_monkey,
)
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.exploit.tools.smb_tools import SmbTools
from infection_monkey.exploit.tools.wmi_tools import AccessDeniedException, WmiTools
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from infection_monkey.utils.commands import build_monkey_commandline
LOG = logging.getLogger(__name__)


@ -7,7 +7,9 @@ DROPPER_ARG = "dr0pp3r"
ID_STRING = "M0NK3Y3XPL0ITABLE"
# CMD prefix for windows commands
CMD_PREFIX = "cmd.exe /c"
CMD_EXE = "cmd.exe"
CMD_CARRY_OUT = "/c"
CMD_PREFIX = CMD_EXE + " " + CMD_CARRY_OUT
DROPPER_CMDLINE_WINDOWS = "%s %%(dropper_path)s %s" % (
CMD_PREFIX,
DROPPER_ARG,
@ -16,7 +18,6 @@ MONKEY_CMDLINE_WINDOWS = "%s %%(monkey_path)s %s" % (
CMD_PREFIX,
MONKEY_ARG,
)
MONKEY_CMDLINE_LINUX = "./%%(monkey_filename)s %s" % (MONKEY_ARG,)
DROPPER_CMDLINE_DETACHED_WINDOWS = "%s start cmd /c %%(dropper_path)s %s" % (
CMD_PREFIX,
DROPPER_ARG,
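Review bot: `MONKEY_CMDLINE_LINUX` is removed here, but the dropper's `from infection_monkey.model import MONKEY_CMDLINE_LINUX, MONKEY_CMDLINE_WINDOWS` line is printed only once in this rendering and it is not clear from the hunk whether it was deleted; if it survives, importing the dropper raises `ImportError`, so please confirm that no module still imports the name (`utils/commands.py` no longer does). `CMD_CARRY_OUT` is an opaque name for cmd's `/c` switch; a comment such as `# /c: run the following command string, then exit` on the `CMD_CARRY_OUT = "/c"` line would spare readers a trip to cmd.exe's help. `CMD_PREFIX` is kept for the remaining string templates, so string- and list-based command building now coexist in this module; a one-line note saying that the list form (`CMD_EXE`, `CMD_CARRY_OUT`) is preferred for local `Popen` calls would stop new call sites copying the string one.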


@ -1,15 +1,61 @@
import shlex
import logging
from infection_monkey.model import CMD_CARRY_OUT, CMD_EXE, MONKEY_ARG
LOG = logging.getLogger(__name__)
def get_monkey_cmd_lines_windows(monkey_cmdline_windows, destination_path, monkey_options):
monkey_cmdline = monkey_cmdline_windows % {"monkey_path": destination_path} + monkey_options
def build_monkey_commandline(target_host, depth, vulnerable_port, location=None):
from infection_monkey.config import GUID
return monkey_cmdline, shlex.split(monkey_cmdline, posix=False)
def get_monkey_cmd_lines_linux(monkey_cmdline_linux, destination_path, monkey_options):
monkey_cmdline = (
monkey_cmdline_linux % {"monkey_filename": destination_path.split("/")[-1]} + monkey_options
return "".join(
build_monkey_commandline_explicitly(
GUID,
target_host.default_tunnel,
target_host.default_server,
depth,
location,
vulnerable_port,
)
)
return monkey_cmdline, shlex.split(monkey_cmdline, posix=False)
def build_monkey_commandline_explicitly(
parent=None, tunnel=None, server=None, depth=None, location=None, vulnerable_port=None
):
cmdline = []
if parent is not None:
cmdline.append("-p")
cmdline.append(f"{parent}")
if tunnel is not None:
cmdline.append("-t")
cmdline.append(f"{tunnel}")
if server is not None:
cmdline.append("-s")
cmdline.append(f"{server}")
if depth is not None:
if int(depth) < 0:
depth = 0
cmdline.append("-d")
cmdline.append(f"{depth}")
if location is not None:
cmdline.append("-l")
cmdline.append(f"{location}")
if vulnerable_port is not None:
cmdline.append("-vp")
cmdline.append(f"{vulnerable_port}")
return cmdline
def get_monkey_cmd_lines_windows(destination_path, monkey_options):
monkey_cmdline = [CMD_EXE, CMD_CARRY_OUT, destination_path, MONKEY_ARG]
return monkey_cmdline + monkey_options
def get_monkey_cmd_lines_linux(destination_path, monkey_options):
monkey_cmdline = [destination_path.split("/")[-1], MONKEY_ARG]
return monkey_cmdline + monkey_options
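Review bot: `build_monkey_commandline` returns `"".join(...)` over the list that `build_monkey_commandline_explicitly` now produces, which yields `-p101010-t10.10.101.10-s...` with no separators, whereas the string version this commit deletes from `exploit/tools/helpers.py` produced ` -p 101010 -t 10.10.101.10 ...` with a leading space; every exploiter touched by this commit still imports this function and presumably concatenates its result onto a remote command string, so this breaks remote execution. Use `return " ".join([""] + build_monkey_commandline_explicitly(...))`, which reproduces the old text exactly, including the empty string when no option is set. Separately, `get_monkey_cmd_lines_linux` drops the `./` that `MONKEY_CMDLINE_LINUX` carried, so argv[0] becomes a bare filename that `Popen` resolves through `PATH` rather than the `cwd` the dropper sets; `monkey_cmdline = ["./" + destination_path.split("/")[-1], MONKEY_ARG]` restores it. The `LOG` created at the top of this module is unused in the visible code, and a unit test comparing `build_monkey_commandline` against the old string would have caught the first point.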


@ -1,5 +1,4 @@
import logging
import shlex
import shutil
import subprocess
import sys
@ -8,8 +7,10 @@ import time
import infection_monkey.monkeyfs as monkeyfs
from infection_monkey.config import WormConfiguration
from infection_monkey.control import ControlClient
from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly
from infection_monkey.model import MONKEY_CMDLINE_WINDOWS
from infection_monkey.utils.commands import (
build_monkey_commandline_explicitly,
get_monkey_cmd_lines_windows,
)
from infection_monkey.utils.environment import is_64bit_python, is_64bit_windows_os, is_windows_os
__author__ = "itay.mizeretz"
@ -46,20 +47,12 @@ class WindowsUpgrader(object):
opts.parent, opts.tunnel, opts.server, opts.depth
)
# TODO: Replace all of this string templating with a function that accepts
# the necessary parameters and returns a list of arguments.
monkey_cmdline = (
MONKEY_CMDLINE_WINDOWS % {"monkey_path": WormConfiguration.dropper_target_path_win_64}
+ monkey_options
)
monkey_cmdline_split = shlex.split(
monkey_cmdline,
posix=False, # won't try resolving "\" in paths as part of escape sequences
monkey_cmdline = get_monkey_cmd_lines_windows(
WormConfiguration.dropper_target_path_win_64, monkey_options
)
monkey_process = subprocess.Popen(
monkey_cmdline_split,
monkey_cmdline,
stdin=None,
stdout=None,
stderr=None,
@ -70,7 +63,7 @@ class WindowsUpgrader(object):
LOG.info(
"Executed 64bit monkey process (PID=%d) with command line: %s",
monkey_process.pid,
monkey_cmdline,
"".join(monkey_cmdline),
)
time.sleep(WindowsUpgrader.__UPGRADE_WAIT_TIME__)
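Review bot: The final log call formats `"".join(monkey_cmdline)`, which glues the argv elements together (`cmd.exe/cC:\...m0nk3y-p...`) and makes the recorded command line unreadable; the dropper uses `" ".join(monkey_cmdline)` for the same message, so use that here, or `subprocess.list2cmdline(monkey_cmdline)`, which shows the quoting Windows will actually apply. The deleted `posix=False` comment explained why backslashes in the path were safe; with a list argv that concern disappears, but a note on the `get_monkey_cmd_lines_windows(...)` call such as `# argv list, no shell parsing: the Windows path needs no escaping` would keep the intent visible. The enclosing method's opening lines fall before the hunk, so I cannot see where `opts` comes from.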


@ -1,16 +1,29 @@
import unittest
from infection_monkey.exploit.tools.helpers import build_monkey_commandline_explicitly
from infection_monkey.utils.commands import build_monkey_commandline_explicitly
class TestHelpers(unittest.TestCase):
def test_build_monkey_commandline_explicitly(self):
test1 = " -p 101010 -t 10.10.101.10 -s 127.127.127.127:5000 -d 0 -l C:\\windows\\abc -vp 80"
test1 = [
"-p",
"101010",
"-t",
"10.10.101.10",
"-s",
"127.127.127.127:5000",
"-d",
"0",
"-l",
"C:\\windows\\abc",
"-vp",
"80",
]
result1 = build_monkey_commandline_explicitly(
101010, "10.10.101.10", "127.127.127.127:5000", 0, "C:\\windows\\abc", 80
)
test2 = " -p parent -s 127.127.127.127:5000 -d 0 -vp 80"
test2 = ["-p", "parent", "-s", "127.127.127.127:5000", "-d", "0", "-vp", "80"]
result2 = build_monkey_commandline_explicitly(
parent="parent", server="127.127.127.127:5000", depth="0", vulnerable_port="80"
)
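Review bot: The test still exercises only `build_monkey_commandline_explicitly`; the functions introduced beside it in `infection_monkey/utils/commands.py` — `build_monkey_commandline`, `get_monkey_cmd_lines_windows` and `get_monkey_cmd_lines_linux` — have no coverage, and `build_monkey_commandline`'s `"".join` over the new list would have failed a test that expected the previous ` -p ... -t ...` string. Add at least `assert get_monkey_cmd_lines_windows("C:\\m.exe", ["-d", "1"]) == ["cmd.exe", "/c", "C:\\m.exe", MONKEY_ARG, "-d", "1"]` (importing `MONKEY_ARG` from `infection_monkey.model`) and a case pinning `get_monkey_cmd_lines_linux` on a path with directory components. `build_monkey_commandline` needs a stub `target_host` with `default_tunnel` and `default_server` attributes and reads `GUID` from `infection_monkey.config`, so that case may need a patch. The assertions that close this test method fall outside the hunk.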