diff --git a/monkey/agent_plugins/exploiters/hadoop/src/hadoop_command_builder.py b/monkey/agent_plugins/exploiters/hadoop/src/hadoop_command_builder.py index 81218077926..a75a5ec993f 100644 --- a/monkey/agent_plugins/exploiters/hadoop/src/hadoop_command_builder.py +++ b/monkey/agent_plugins/exploiters/hadoop/src/hadoop_command_builder.py @@ -8,6 +8,7 @@ LinuxDownloadMethod, LinuxDownloadOptions, LinuxRunOptions, + LinuxSetPermissionsOptions, TargetHost, WindowsDownloadMethod, WindowsDownloadOptions, @@ -78,11 +79,17 @@ def _build_linux_hadoop_command( download_url=agent_download_url, ) + chmod_options = LinuxSetPermissionsOptions( + agent_destination_path=agent_destination_path, permissions=0o700 + ) + run_options = LinuxRunOptions( agent_destination_path=agent_destination_path, dropper_execution_mode=DropperExecutionMode.NONE, ) agent_command_builder.build_download_command(download_options) + agent_command_builder.build_set_permissions_command(chmod_options) agent_command_builder.build_run_command(run_options) + return agent_command_builder.get_command() diff --git a/monkey/agent_plugins/exploiters/log4shell/src/log4shell_command_builder.py b/monkey/agent_plugins/exploiters/log4shell/src/log4shell_command_builder.py index bce52a4a106..fc81165e766 100644 --- a/monkey/agent_plugins/exploiters/log4shell/src/log4shell_command_builder.py +++ b/monkey/agent_plugins/exploiters/log4shell/src/log4shell_command_builder.py @@ -8,6 +8,7 @@ LinuxDownloadMethod, LinuxDownloadOptions, LinuxRunOptions, + LinuxSetPermissionsOptions, TargetHost, WindowsDownloadMethod, WindowsDownloadOptions, 
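Review bot: In `_build_linux_hadoop_command` the new options object is called `chmod_options`, while the identical additions in the log4shell and snmp builders call it `permission_options`; using one name in all three keeps the builders easy to compare. The literal `0o700` is also repeated in all three hunks without explanation. It is a behaviour change from the `chmod +x` that the download helpers used to append, because it sets an absolute owner-only mode instead of adding the execute bit to whatever mode the file had. A short comment such as `# owner-only rwx; replaces the former "chmod +x"` above the options object would record that. The function starts outside the hunk.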
@@ -77,11 +78,17 @@ def _build_linux_log4shell_command( download_url=agent_download_url, ) + permission_options = LinuxSetPermissionsOptions( + agent_destination_path=agent_destination_path, permissions=0o700 + ) + run_options = LinuxRunOptions( agent_destination_path=agent_destination_path, dropper_execution_mode=DropperExecutionMode.DROPPER, ) agent_command_builder.build_download_command(download_options) + agent_command_builder.build_set_permissions_command(permission_options) agent_command_builder.build_run_command(run_options) + return agent_command_builder.get_command() diff --git a/monkey/agent_plugins/exploiters/snmp/src/snmp_command_builder.py b/monkey/agent_plugins/exploiters/snmp/src/snmp_command_builder.py index b6c45bac601..8f855052cf4 100644 --- a/monkey/agent_plugins/exploiters/snmp/src/snmp_command_builder.py +++ b/monkey/agent_plugins/exploiters/snmp/src/snmp_command_builder.py @@ -3,6 +3,7 @@ ILinuxAgentCommandBuilder, LinuxDownloadMethod, LinuxDownloadOptions, + LinuxSetPermissionsOptions, LinuxRunOptions, TargetHost, ) @@ -20,11 +21,16 @@ def build_snmp_command( download_url=agent_download_url, agent_destination_path=dropper_script_dst_path, ) + permission_options = LinuxSetPermissionsOptions( + agent_destination_path=dropper_script_dst_path, + permissions=0o700, + ) run_options = LinuxRunOptions( dropper_execution_mode=DropperExecutionMode.SCRIPT, agent_destination_path=dropper_script_dst_path, ) agent_command_builder.build_download_command(download_options) + agent_command_builder.build_set_permissions_command(permission_options) agent_command_builder.build_run_command(run_options) return f'-c "{agent_command_builder.get_command()}"' diff --git a/monkey/infection_monkey/Pipfile.lock b/monkey/infection_monkey/Pipfile.lock index d1e5422ff16..d47aa03908a 100644 --- a/monkey/infection_monkey/Pipfile.lock +++ b/monkey/infection_monkey/Pipfile.lock 
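Review bot: In the snmp import hunk, `LinuxSetPermissionsOptions` is inserted before `LinuxRunOptions`, which breaks the alphabetical order the rest of that import list keeps. The hadoop and log4shell import hunks place it after `LinuxRunOptions`. Moving the line down one position matches them and avoids an import-sorting failure if the project enforces one, which is not visible from this diff.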
@@ -298,11 +298,11 @@ }, "monkey-agentpluginapi": { "hashes": [ - "sha256:6e4ed986fcacefa1bd043dc167a869ba2b3ccbe7f25a3c52cebdb275444d41f9", - "sha256:f4124176d84235318e7733f92c96451d4cf905ba6ce96089efced1e5ed851181" + "sha256:d2e5a16ce63cd658586795d426989a1d182fde51ceca89b07d5002e61cd9fbbe", + "sha256:fc85af6a795d7d06b8b3cc7f47d07a812f851a63b7b96334479d1d072a83cbda" ], "index": "pypi", - "version": "==0.8.0" + "version": "==0.9.0" }, "monkey-types": { "hashes": [ diff --git a/monkey/infection_monkey/command_builders/linux_agent_command_builder.py b/monkey/infection_monkey/command_builders/linux_agent_command_builder.py index f4e882aab0d..0f6676d3f60 100644 --- a/monkey/infection_monkey/command_builders/linux_agent_command_builder.py +++ b/monkey/infection_monkey/command_builders/linux_agent_command_builder.py @@ -8,6 +8,7 @@ LinuxDownloadMethod, LinuxDownloadOptions, LinuxRunOptions, + LinuxSetPermissionsOptions, ) from monkeytypes import AgentID 
@@ -42,21 +43,18 @@ def build_download_command(self, download_options: LinuxDownloadOptions): def _build_download_command_wget( self, download_url: str, destination_path: PurePosixPath ) -> str: - return ( - f"wget -qO {destination_path} {download_url}; " - f"{self._set_permissions_command(destination_path)}; " - ) + return f"wget -qO {destination_path} {download_url}; " def _build_download_command_curl( self, download_url: str, destination_path: PurePosixPath ) -> str: - return ( - f"curl -so {destination_path} {download_url}; " - f"{self._set_permissions_command(destination_path)}; " - ) + return f"curl -so {destination_path} {download_url}; " - def _set_permissions_command(self, destination_path: PurePosixPath) -> str: - return f"chmod +x {destination_path}" + def build_set_permissions_command(self, set_permissions_options: LinuxSetPermissionsOptions): + self._command += ( + f"chmod {set_permissions_options.permissions:o} " + f"{set_permissions_options.agent_destination_path}; " + ) def build_run_command(self, run_options: LinuxRunOptions): self._command += ( diff --git a/monkey/tests/unit_tests/infection_monkey/command_builders/test_linux_agent_command_builder.py b/monkey/tests/unit_tests/infection_monkey/command_builders/test_linux_agent_command_builder.py index 6d8ae0fd69a..917e3515d5a 100644 --- a/monkey/tests/unit_tests/infection_monkey/command_builders/test_linux_agent_command_builder.py +++ b/monkey/tests/unit_tests/infection_monkey/command_builders/test_linux_agent_command_builder.py @@ -8,6 +8,7 @@ LinuxDownloadMethod, LinuxDownloadOptions, LinuxRunOptions, + LinuxSetPermissionsOptions, ) from monkeytypes import AgentID 
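Review bot: `build_set_permissions_command` interpolates `agent_destination_path` into the shell string unquoted, so a path containing whitespace or a shell metacharacter changes what the `chmod` line does. Quoting it, e.g. `f"{shlex.quote(str(set_permissions_options.agent_destination_path))}; "` with `import shlex` added, leaves the simple paths in the new tests unchanged; the wget and curl helpers in the same hunk have the same gap. `permissions` is formatted with `:o` without a range check, so unless `LinuxSetPermissionsOptions` validates it (not visible here) a negative or oversized int becomes an invalid mode string. The method also has no docstring; one line saying that it appends a `chmod <octal mode> <path>; ` step to the command being built would help. Since the download helpers no longer set the execute bit, any caller outside this diff that does not add the new call will build a command that downloads the file and then tries to run it without execute permission.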
@@ -55,10 +56,32 @@ def test_build_download_command( assert expected_method in actual_command assert not_expected_method not in actual_command - assert "chmod" in actual_command assert EXPECTED_AGENT_DESTINATION_PATH in actual_command +@pytest.mark.parametrize( + "permissions, expected_command", + [ + (0o777, f"chmod 777 {AGENT_DESTINATION_PATH}; "), + (0o700, f"chmod 700 {AGENT_DESTINATION_PATH}; "), + (0o550, f"chmod 550 {AGENT_DESTINATION_PATH}; "), + ], +) +def test_build_set_permissions_command( + linux_agent_command_builder: ILinuxAgentCommandBuilder, + permissions: int, + expected_command: str, +): + linux_set_permissions_options = LinuxSetPermissionsOptions( + agent_destination_path=AGENT_DESTINATION_PATH, permissions=permissions + ) + + linux_agent_command_builder.build_set_permissions_command(linux_set_permissions_options) + actual_command = linux_agent_command_builder.get_command() + + assert actual_command == expected_command + + def test_build_run_command_none( linux_agent_command_builder: ILinuxAgentCommandBuilder, agent_otp_environment_variable: str, diff --git a/vulture_allowlist.py b/vulture_allowlist.py index 45dc8e8d34e..bda449c12b9 100644 --- a/vulture_allowlist.py +++ b/vulture_allowlist.py @@ -182,3 +182,4 @@ # TODO: Remove after we move the plugins to separate repos execute_agent +LinuxAgentCommandBuilder.build_permission_change_command
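Review bot: `test_build_download_command` drops `assert "chmod" in actual_command` but does not assert the opposite, so nothing pins the new contract that the download step no longer changes permissions. Adding `assert "chmod" not in actual_command` there would catch a regression that reintroduces it. The new parametrized test only covers three-digit modes; a case such as `0o070` or `0o4755` would document how `:o` renders modes with a leading zero or special bits. The body of `test_build_download_command` starts outside the hunk.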
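Review bot: The allowlist entry added in `vulture_allowlist.py` names `LinuxAgentCommandBuilder.build_permission_change_command`, but the method this commit adds is `build_set_permissions_command`. Unless a method with the allowlisted name exists elsewhere, which this diff does not show, the entry refers to nothing. It should read `LinuxAgentCommandBuilder.build_set_permissions_command`, or be dropped if the calls from the three exploiter plugins already count as usage for vulture.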