Closed Mato-Z closed 7 years ago
I had the same idea a few hours ago and I have already started to merge the commits. Feel free to have a look at #104. It still needs some testing and I think dionaea is unable to store the payload at the moment, but I think I will fix this soon.
Hey @phibos , thanks for the merges about the SMB patches!
By the way, we can test the SMB patches with:
WannaCry example: Metasploit module https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/blob/master/eternalblue_doublepulsar.rb . Well, this module is not installed by default in official Metasploit. We may need to copy this file to the Metasploit working dir.
SambaCry example: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb . This module is included in the official Metasploit framework now.
Dionaea should be able to store the payloads from these 2 modules. Again, thanks for the good work!
@phibos, I observed files failing to save due to a missing key - 'downloads' - on line 665 of smb.py:
dir = g_dionaea.config()['downloads']['dir'] + "/"
If replaced with the following:
dionaea_config = g_dionaea.config().get("dionaea")
download_dir = dionaea_config.get("download.dir")
Along with replacing occurrences of 'dir' with 'download_dir', files are saved into the standard 'binaries' directory (or whatever the user has configured in their dionaea.conf).
My first hit was: https://www.virustotal.com/en/file/c05e2dab77349cd639aa837e7e121710b8a0718d8fc93fb4cc6458ae90e5c597/analysis/
I am still seeing a lot of occurrences of: 'SMB dionaea/smb/smb.py:112-critical: === SMB did not get enough data' in my log however... but that could well be standard background noise.
@phage-nz Thanks for your tip. That explains why my dionaea instance didn't save payloads yesterday. Finally, it saved a payload after applying your suggested changes.
Hey, after applying the change above I have a payload, however the store.py module always says the file already exists. Are we bypassing store.py with that change?
I've fixed the thing by adding '.tmp' to the file path downloaded into binaries. So then when the store.py gets called it will just create a hardlink to it.
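The two fixes discussed above (reading the download directory from the 'dionaea' config section instead of the missing 'downloads' key, and writing the captured file with a '.tmp' suffix so the store step can hardlink it to its final name) combined into one self-contained sketch. This is an added example, not dionaea's own smb.py or store.py; the config layouts, the sample payload bytes and the hardlink-then-unlink store step are constructed assumptions.

```python
import hashlib
import os
import tempfile

def resolve_download_dir(config):
    """Return the download directory from a dionaea-style config dict.

    Tries the 'dionaea' section with key 'download.dir' first (the layout the
    suggested replacement reads), then the older 'downloads'/'dir' layout that
    the original line 665 expected. Raises a descriptive KeyError otherwise,
    instead of the bare KeyError: 'downloads' seen in the thread."""
    section = config.get("dionaea")
    if isinstance(section, dict) and section.get("download.dir"):
        return section["download.dir"]
    legacy = config.get("downloads")
    if isinstance(legacy, dict) and legacy.get("dir"):
        return legacy["dir"]
    raise KeyError("no download directory configured (expected dionaea -> download.dir)")

def save_payload(config, data):
    """Write captured bytes to <download_dir>/<sha256>.tmp; return (tmp_path, sha256)."""
    download_dir = resolve_download_dir(config)
    os.makedirs(download_dir, exist_ok=True)
    digest = hashlib.sha256(data).hexdigest()
    tmp_path = os.path.join(download_dir, digest + ".tmp")
    with open(tmp_path, "wb") as fh:
        fh.write(data)
    return tmp_path, digest

def store_payload(tmp_path, digest):
    """Assumed store step: hardlink the .tmp file to its hash-named final path.

    If the final name already exists (same sample captured before), keep the
    existing file and discard the temp copy. Returns (final_path, created)."""
    final_path = os.path.join(os.path.dirname(tmp_path), digest)
    if os.path.exists(final_path):
        os.unlink(tmp_path)
        return final_path, False
    os.link(tmp_path, final_path)
    os.unlink(tmp_path)
    return final_path, True

def demo():
    """Run the capture-twice flow in a temp dir; return observations for checking."""
    base = tempfile.mkdtemp()
    config = {"dionaea": {"download.dir": os.path.join(base, "binaries")}}
    sample = b"MZ\x90\x00 constructed sample payload, not real malware"
    tmp1, digest = save_payload(config, sample)
    final1, created1 = store_payload(tmp1, digest)
    tmp2, _ = save_payload(config, sample)          # same sample seen again
    final2, created2 = store_payload(tmp2, digest)
    return (created1, created2, final1 == final2,
            os.path.isfile(final1), os.path.exists(tmp1), os.path.exists(tmp2))
```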
I have merged the support for WannaCry and SambaCry into the master branch. Thanks for all your work and comments.
SUMMARY
Hello, are you thinking about a modification for WannaCry and SambaCry (CVE-2017-7494) detection? It is described here https://www.honeynet.org/node/1353 and the changes are in this repository https://github.com/gento/dionaea/commits/master - last three commits.
Thank you.