From 1a61d3d2fb447bee18af1b730b4153451b0c8cef Mon Sep 17 00:00:00 2001 From: Matt Miller Date: Thu, 8 Jun 2006 20:53:15 +0000 Subject: [PATCH] changes to support native win32 git-svn-id: file:///home/svn/incoming/trunk@3654 4d416f70-5f16-0410-b530-b9f4589650da --- data/msfweb/exploits.rhtml | 74 ++++++++++++++++++- data/msfweb/msfweb_common.rb | 9 ++- lib/msf/core/handler/passivex.rb | 6 +- lib/msf/core/payload/windows/dllinject.rb | 4 +- lib/msf/ui/console/driver.rb | 7 ++ lib/msf/ui/web/driver.rb | 11 ++- lib/rex/post/meterpreter/client_core.rb | 13 +++- .../meterpreter/extensions/stdapi/fs/file.rb | 6 +- lib/rex/post/meterpreter/ui/console.rb | 6 +- .../ui/console/command_dispatcher/core.rb | 7 +- lib/rex/proto/http/handler/erb.rb | 6 +- 11 files changed, 135 insertions(+), 14 deletions(-) diff --git a/data/msfweb/exploits.rhtml b/data/msfweb/exploits.rhtml index 6820e71e98..1c86f50cef 100644 --- a/data/msfweb/exploits.rhtml +++ b/data/msfweb/exploits.rhtml @@ -166,6 +166,7 @@
+ @@ -215,6 +216,10 @@   + + @@ -229,9 +234,74 @@ <%# Wizard step 3 - exploitation %> <% elsif (step == 3) - %> -Exploit time + # Is JS disabled in the client's browser? + nojs = query_string['nojs'] == '1' ? true : false + + # Create the exploit instance + modinst = framework.exploits.create(name) + + # Set the encoder/nop to nil if it's not valid. + query_string['encoder'] = nil if (query_string['encoder'] == '__default') + query_string['nop'] = nil if (query_string['nop'] == '__default') + + # Build the options string + options = '' + + query_string.each_pair { |k, v| + next if v.nil? or v.length == 0 + + if k =~ /^opt_(.*)$/ + options += "#{$1}=#{v} " + end + } + + # Use buffered output by default + output = Rex::Ui::Text::Output::Buffer.new + + # If we support javascript, then we'll use something better + if nojs == false + # TODO + end + + # Whether or not we should run this as a job + as_job = modinst.passive? || (nojs == false) + + # Kick off the exploit process + error = false + + begin + modinst.exploit_simple( + 'Encoder' => query_string['encoder'], + 'Nop' => query_string['nop'], + 'Payload' => query_string['payload'], + 'Target' => query_string['target'].to_i, + 'OptionStr' => options, + 'LocalOutput' => output, + 'LocalInput' => nil, + 'RunAsJob' => as_job) + rescue + display = "Error:  " + html_escape($!) + "" + error = true + end + + # Use the buffered output for display if we didn't fail. + if error == false + display = html_escape(output.buf).gsub(/\n/, "
") + + if as_job + display += "

Exploit is now running in the background." + end + end +%> + +
+ +Launching exploit <%= modinst.refname %> ... + +

+ +<%= display %> <% else %> Unknown step: <%= html_escape(step) %> diff --git a/data/msfweb/msfweb_common.rb b/data/msfweb/msfweb_common.rb index df212cb596..126c10a1b2 100644 --- a/data/msfweb/msfweb_common.rb +++ b/data/msfweb/msfweb_common.rb @@ -31,15 +31,18 @@ module Common - - - +
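Review bot: `framework.exploits.create(name)` is not checked for nil, and its first use, `as_job = modinst.passive? || ...`, sits outside the `begin`/`rescue`, so an unknown or stale `name` parameter raises NoMethodError from the template instead of reaching the escaped `Error:` display; the later `<%= modinst.refname %>` line has the same problem. Guard right after the create, e.g. `raise "Unknown exploit: #{name}" unless modinst` placed inside the `begin` (and skip the `refname` line when `error` is set), so that case renders through the existing error path. Separately, the `opt_` loop concatenates raw query values into the space-delimited `OptionStr` (`options += "#{$1}=#{v} "`), so a value that itself contains a space or `=` will presumably be split or misparsed by the option-string parser; passing the pairs as a hash would avoid that, if `exploit_simple` accepts one. `query_string['target'].to_i` also silently turns a non-numeric target into 0.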
+ EXPLOITS + PAYLOADS + SESSIONS + JOBS +
diff --git a/lib/msf/core/handler/passivex.rb b/lib/msf/core/handler/passivex.rb index b00787b40f..e5749b1a93 100644 --- a/lib/msf/core/handler/passivex.rb +++ b/lib/msf/core/handler/passivex.rb @@ -329,7 +329,11 @@ protected print_status("Sending PassiveX main page to client") when "/passivex.dll" resp['Content-Type'] = 'application/octet-stream' - resp.body = IO.readlines(datastore['PXAXDLL']).join + resp.body = '' + + File.open(datastore['PXAXDLL'], "rb") { |f| + resp.body = f.read + } print_status("Sending PassiveX DLL (#{resp.body.length} bytes)") when "/stage" diff --git a/lib/msf/core/payload/windows/dllinject.rb b/lib/msf/core/payload/windows/dllinject.rb index e663326b8c..931f3d090a 100644 --- a/lib/msf/core/payload/windows/dllinject.rb +++ b/lib/msf/core/payload/windows/dllinject.rb @@ -214,7 +214,9 @@ module Payload::Windows::DllInject data = library_name + "\x00" begin - data += IO.readlines(library_path).join + File.open(library_path, "rb") { |f| + data += f.read + } rescue print_error("Failed to load DLL: #{$!}.") diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb index 3fde42a3e4..89722bc9f5 100644 --- a/lib/msf/ui/console/driver.rb +++ b/lib/msf/ui/console/driver.rb @@ -47,6 +47,13 @@ class Driver < Msf::Ui::Driver # the local system. # def initialize(prompt = DefaultPrompt, prompt_char = DefaultPromptChar, opts = {}) + + # The command prompt doesn't like bling bling'in colors. + if (RUBY_PLATFORM =~ /win/) + prompt = "msf" + prompt_char = ">" + end + # Call the parent super(prompt, prompt_char) diff --git a/lib/msf/ui/web/driver.rb b/lib/msf/ui/web/driver.rb index 39df737129..3743c56507 100644 --- a/lib/msf/ui/web/driver.rb +++ b/lib/msf/ui/web/driver.rb @@ -7,7 +7,6 @@ module Msf module Ui module Web - ### # # This class implements a user interface driver on a web interface. 
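Review bot: The pre-initialised `resp.body = ''` followed by a reassignment inside the block is redundant, because `File.open` with a block returns the block's value: `resp.body = File.open(datastore['PXAXDLL'], "rb") { |f| f.read }` does the same in one statement. The same initialise-then-assign shape is repeated in client_core.rb (both hunks), stdapi/fs/file.rb, command_dispatcher/core.rb and proto/http/handler/erb.rb, and dllinject.rb's `data += f.read` could likewise become `data << File.open(library_path, "rb") { |f| f.read }`. Note that `f.read` with no length argument returns `''` at end of file and never nil, which matters for the `image != nil` test in client_core.rb.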
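Review bot: `RUBY_PLATFORM =~ /win/` also matches the Darwin platform string (which contains "win", e.g. "i686-darwin8") and cygwin, so this branch strips the coloured prompt on macOS as well as native win32; `if (RUBY_PLATFORM =~ /mswin|mingw/)` is the check that matches only the native Windows builds. The same `/win/` test appears in the meterpreter/ui/console.rb hunk and should be changed there too. The override also discards whatever `prompt`/`prompt_char` the caller passed rather than only removing the colour codes from them, which may be intended but is worth a comment: `# Native win32 consoles don't render the %u/%c colour sequences; fall back to a plain prompt.`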
@@ -18,6 +17,16 @@ class Driver < Msf::Ui::Driver ConfigCore = "framework/core" ConfigGroup = "framework/ui/web" + @@Eid = 0 + + # + # Returns the next unique exploit identifier. + # + def self.next_eid + @@Eid += 1 + @@Eid.to_s + end + # # The msfweb resource handler that wrappers the default Erb handler. # diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index 33b1d384f0..34e5b06e82 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb @@ -81,7 +81,11 @@ class ClientCore < Extension # If we must upload the library, do so now if ((load_flags & LOAD_LIBRARY_FLAG_LOCAL) != LOAD_LIBRARY_FLAG_LOCAL) - image = ::IO.readlines(library_path).join + image = '' + + File.open(library_path, 'rb') { |f| + image = f.read + } if (image != nil) request.add_tlv(TLV_TYPE_DATA, image) @@ -325,7 +329,12 @@ class ClientCore < Extension # Transmit the size of the server metsrv = "data/meterpreter/metsrv.dll" - buf = "metsrv.dll\x00" + ::IO.readlines(metsrv).join + buf = "metsrv.dll\x00" + + File.open(metsrv, 'rb') { |f| + buf += f.read + } + size = buf.length # Give the stage some time to transmit diff --git a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb index d124b06f19..5d83244a06 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb @@ -90,7 +90,11 @@ Separator = "\\" # Open the file on the remote side for writing and read # all of the contents of the local file dest_fd = client.fs.file.new(dest_file, "wb") - src_buf = ::IO.readlines(src_file).join + src_buf = '' + + File.open(src_file, 'rb') { |f| + src_buf = f.read + } begin dest_fd.write(src_buf) diff --git a/lib/rex/post/meterpreter/ui/console.rb b/lib/rex/post/meterpreter/ui/console.rb index 52151fd936..6f8312fed7 100644 --- a/lib/rex/post/meterpreter/ui/console.rb 
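Review bot: `@@Eid += 1` in `next_eid` is a read-modify-write on a class variable with no synchronisation; if the web driver serves requests on more than one thread (not visible here, but likely for an HTTP front end), two concurrent requests can be handed the same exploit identifier. A class-level instance variable guarded by a Mutex (`require 'thread'` if the file does not already pull it in on this Ruby version) avoids both the race and the cross-hierarchy sharing of `@@` variables; the capitalised `@@Eid` also reads like a constant, where `@eid` is the conventional name.

```ruby
  @eid = 0
  @eid_lock = Mutex.new

  #
  # Returns the next unique exploit identifier.
  #
  def self.next_eid
    @eid_lock.synchronize { (@eid += 1).to_s }
  end
```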
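Review bot: After this change the `if (image != nil)` guard in the first client_core.rb hunk is always true: `image` is pre-initialised to `''`, and `f.read` without a length returns `''` on an empty file rather than nil, so an empty `library_path` now results in a zero-length TLV_TYPE_DATA being sent instead of the upload being skipped. If the intent is to skip (or fail) when there is nothing to upload, test the content instead, e.g. `if (image.length > 0)`, or raise before building the request. The enclosing method starts outside the hunk.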
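Review bot: In the stdapi/fs/file.rb hunk the remote file is created with `client.fs.file.new(dest_file, "wb")` before the local source is read, so a missing or unreadable `src_file` raises from `File.open` after the remote handle exists, leaving an empty file on the target and, unless an `ensure` outside the hunk covers it, an open `dest_fd` (the `begin` that protects `dest_fd.write` only starts after the read). Reading the local file first keeps a local error from touching the remote side: `src_buf = File.open(src_file, 'rb') { |f| f.read }` followed by `dest_fd = client.fs.file.new(dest_file, "wb")`. The enclosing method starts outside the hunk.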
+++ b/lib/rex/post/meterpreter/ui/console.rb @@ -24,7 +24,11 @@ class Console # Initialize the meterpreter console. # def initialize(client) - super("%umeterpreter%c") + if (RUBY_PLATFORM =~ /win/) + super("meterpreter") + else + super("%umeterpreter%c") + end # The meterpreter client context self.client = client diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index 6cc004abd8..1210fde4ad 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb @@ -330,7 +330,12 @@ class Console::CommandDispatcher::Core # the channel if (src_file) begin - data = ::IO.readlines(src_file) + data = '' + + File.open(src_file, 'rb') { |f| + data = f.read + } + rescue Errno::ENOENT print_error("Invalid source file specified: #{src_file}") return true diff --git a/lib/rex/proto/http/handler/erb.rb b/lib/rex/proto/http/handler/erb.rb index ca95483474..22adec667e 100644 --- a/lib/rex/proto/http/handler/erb.rb +++ b/lib/rex/proto/http/handler/erb.rb @@ -56,7 +56,11 @@ class Handler::Erb < Handler file_path = root_path + resource # Serialize the contents of the file - data = ::IO.readlines(file_path).join + data = '' + + File.open(file_path, 'rb') { |f| + data = f.read + } # Set the content-type to text/html by default. We do this before # evaluation so that the script can change it.
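Review bot: In the command_dispatcher/core.rb hunk the new `File.open(src_file, 'rb')` / `f.read` pair is only protected by `rescue Errno::ENOENT`, but it also raises `Errno::EACCES` for an unreadable path and `Errno::EISDIR` when `src_file` names a directory, and those escape the command handler as unhandled exceptions instead of reaching `print_error`. Rescuing `SystemCallError` (the parent of all `Errno::*` classes) keeps every open/read failure on the `print_error` path: `rescue SystemCallError` with the message reporting `$!`. The enclosing command method starts outside the hunk.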
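Review bot: In the proto/http/handler/erb.rb hunk the new `File.open(file_path, 'rb')` opens `root_path + resource` exactly as the old `IO.readlines` did, and nothing in the hunk normalises `resource` (which, given this is the HTTP handler, presumably comes from the request) or checks that the resulting path stays under `root_path`. If that confinement is not done earlier in the handler (its start is outside the hunk), it belongs before the open: expand both paths with `File.expand_path` and reject `file_path` unless it lies under the expanded `root_path`. A missing template also now surfaces as an unhandled `Errno::ENOENT` from this line, as it did before; a comment noting which caller is expected to turn that into an HTTP error would help the next reader.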