Initial attempt to unify the command stagers.

2013-10-07 17:31:34 -04:00 · 2013-10-07 17:31:34 -04:00 · ae25c300e5
parent a60dfdaacb
commit ae25c300e5
28 changed files with 114 additions and 251 deletions
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@ -63,7 +63,7 @@ module Exploit::CmdStager

    @exe = generate_payload_exe

-    @stager_instance = create_stager(@exe)
+    @stager_instance = create_stager(@exe, opts)
    cmd_list = @stager_instance.generate(opts)

    if (cmd_list.nil? or cmd_list.length < 1)
--- a/lib/msf/core/exploit/cmdstager_bourne.rb
+++ b/lib/msf/core/exploit/cmdstager_bourne.rb
@ -1,21 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerBourne
-
-  include Msf::Exploit::CmdStager
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerBourne.new(exe)
-  end
-end
-
-end
--- a/lib/msf/core/exploit/cmdstager_debug_asm.rb
+++ b/lib/msf/core/exploit/cmdstager_debug_asm.rb
@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerDebugAsm
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe assembly listing decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerDebugAsm.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end
--- a/lib/msf/core/exploit/cmdstager_debug_write.rb
+++ b/lib/msf/core/exploit/cmdstager_debug_write.rb
@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerDebugWrite
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe file-writing decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerDebugWrite.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end
--- a/lib/msf/core/exploit/cmdstager_echo.rb
+++ b/lib/msf/core/exploit/cmdstager_echo.rb
@ -1,34 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-####
-# Allows for staging cmd to arbitrary payloads through the CmdStagerEcho.
-#
-# This stager uses the echo's "-e" flag, that enable interpretation of
-# backslash escapes, to drop an ELF with the payload embedded to disk.
-# The "-e" flag is usually available on linux environments. This stager
-# has been found useful on restricted linux based embedded devices, and
-# should work on either:
-# * Systems with busy box's echo binary somewhere in $PATH.
-# * Systems with bash/zsh whose echo builtin supports -en flags.
-# * Systems with GNU coreutils echo which supports -en flags.
-#
-####
-
-module Exploit::CmdStagerEcho
-
-  include Msf::Exploit::CmdStager
-
-  # Initializes a CmdStagerEcho instance for the supplied payload
-  #
-  # @param exe [String] The payload embedded into an ELF
-  # @return [Rex::Exploitation::CmdStagerEcho] Stager instance
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerEcho.new(exe)
-  end
-end
-
-end
--- a/lib/msf/core/exploit/cmdstager_multi.rb
+++ b/lib/msf/core/exploit/cmdstager_multi.rb
@ -0,0 +1,88 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerMulti
+
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super
+
+    register_advanced_options(
+      [
+        OptString.new('CMDSTAGER::DECODERSTUB',  [ false, 'The decoder stub to use.', nil]),
+      ], self.class)
+  end
+
+  def create_stager(exe, opts)
+    case opts[:flavor]
+    when :bourne
+      return Rex::Exploitation::CmdStagerBourne.new(exe)
+    when :debug_asm
+      return Rex::Exploitation::CmdStagerDebugAsm.new(exe)
+    when :debug_write
+      return Rex::Exploitation::CmdStagerDebugWrite.new(exe)
+    when :echo
+      return Rex::Exploitation::CmdStagerEcho.new(exe)
+    when :vbs, :vbs_adodb
+      return Rex::Exploitation::CmdStagerVBS.new(exe)
+    end
+  end
+
+  def execute_cmdstager(opts = {})
+    opts[:decoder] = guess_decoder(opts) if datastore['CMDSTAGER::DECODERSTUB'].nil?
+    super
+  end
+
+  def generate_cmdstager(opts = {}, pl = nil)
+    if not opts.include?(:flavor)
+      default_flavor = guess_flavor
+      vprint_status("Using default stager: #{default_flavor}")
+      opts[:flavor] = default_flavor
+    end
+    opts[:decoder] = guess_decoder(opts) if datastore['CMDSTAGER::DECODERSTUB'].nil?
+    super
+  end
+
+  def guess_decoder(opts)
+    case opts[:flavor]
+    when :debug_asm
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")
+    when :debug_write
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")
+    when :vbs
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
+    when :vbs_adodb
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
+    end
+    return nil
+  end
+
+  def guess_flavor
+    c_platform = nil
+    if target_platform.names.length == 1
+      c_platform = target_platform.names.first
+    end
+    case c_platform
+    when 'linux', 'Linux'
+      return :bourne
+    when 'osx', 'OSX'
+      return :bourne
+    when 'unix', 'Unix'
+      return :bourne
+    when 'win', 'Windows'
+      return :vbs
+    end
+    return nil
+  end
+end
+
+end
--- a/lib/msf/core/exploit/cmdstager_tftp.rb
+++ b/lib/msf/core/exploit/cmdstager_tftp.rb
@ -26,7 +26,7 @@ module Exploit::CmdStagerTFTP
      ], self.class)
  end

-  def create_stager(exe)
+  def create_stager(exe, opts)
    Rex::Exploitation::CmdStagerTFTP.new(exe)
  end

--- a/lib/msf/core/exploit/cmdstager_vbs.rb
+++ b/lib/msf/core/exploit/cmdstager_vbs.rb
@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerVBS
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerVBS.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end
--- a/lib/msf/core/exploit/cmdstager_vbs_adodb.rb
+++ b/lib/msf/core/exploit/cmdstager_vbs_adodb.rb
@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerVBS::ADODB
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_adodb")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerVBS.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@ -19,14 +19,6 @@ require 'msf/core/exploit/php_exe'

 # CmdStagers
 require 'msf/core/exploit/cmdstager'
-require 'msf/core/exploit/cmdstager_vbs'
-require 'msf/core/exploit/cmdstager_vbs_adodb'
-require 'msf/core/exploit/cmdstager_debug_write'
-require 'msf/core/exploit/cmdstager_debug_asm'
-require 'msf/core/exploit/cmdstager_tftp'
-require 'msf/core/exploit/cmdstager_bourne'
-require 'msf/core/exploit/cmdstager_echo'
-require 'msf/core/exploit/cmdstager_printf'

 # Protocol
 require 'msf/core/exploit/tcp'
--- a/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb
+++ b/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(update_info(info,
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
  def exploit
    test_login

-    execute_cmdstager
+    execute_cmdstager({:flavor => :echo})
  end

  # Sends an HTTP request with authorization header to the router
--- a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb
+++ b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb
@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
--- a/modules/exploits/multi/http/jenkins_script_console.rb
+++ b/modules/exploits/multi/http/jenkins_script_console.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(update_info(info,
--- a/modules/exploits/multi/http/netwin_surgeftp_exec.rb
+++ b/modules/exploits/multi/http/netwin_surgeftp_exec.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(update_info(info,
--- a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
+++ b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
@ -12,7 +12,7 @@ class Metasploit4 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

--- a/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb
+++ b/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb
@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote

  Rank = GreatRanking

-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient

--- a/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb
+++ b/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb
@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote

  Rank = GreatRanking

-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient

--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
@ -9,7 +9,7 @@ require 'net/ssh'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

-  include Msf::Exploit::CmdStagerBourne
+  include Msf::Exploit::CmdStagerMulti

  attr_accessor :ssh_socket

@ -71,6 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
        OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
        OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
        OptString.new('RHOST', [ true, "The target address" ]),
+        OptEnum.new('STAGER', [ true, "The flavor of stager to use", 'bourne', [ 'bourne', 'echo' ]]),
        Opt::RPORT(22)
      ], self.class
    )
@ -83,6 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def execute_command(cmd, opts = {})
+    vprint_status("Executing #{cmd}")
    begin
      Timeout.timeout(3) do
        self.ssh_socket.exec!("#{cmd}\n")
@ -125,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
  def exploit
    do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

-    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
-    execute_cmdstager({:linemax => 500})
+    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
+    execute_cmdstager({:linemax => 500, :flavor => datastore['STAGER'].to_sym})
  end
 end
--- a/modules/exploits/unix/webapp/zeroshell_exec.rb
+++ b/modules/exploits/unix/webapp/zeroshell_exec.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStagerMulti
  include Msf::Exploit::EXE

  def initialize(info={})
@ -149,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote

    @session = login(admin_password)

-    execute_cmdstager
+    execute_cmdstager({:flavor => :echo})
  end

 end
--- a/modules/exploits/windows/browser/dxstudio_player_exec.rb
+++ b/modules/exploits/windows/browser/dxstudio_player_exec.rb
@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(update_info(info,
--- a/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb
+++ b/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb
@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(update_info(info,
--- a/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
+++ b/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
  include Msf::Exploit::FileDropper

  def initialize(info = {})
--- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb
+++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::MSSQL
  include Msf::Auxiliary::Report
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(update_info(info,
--- a/modules/exploits/windows/mssql/mssql_payload.rb
+++ b/modules/exploits/windows/mssql/mssql_payload.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
  #include Msf::Exploit::CmdStagerDebugAsm
  #include Msf::Exploit::CmdStagerDebugWrite
  #include Msf::Exploit::CmdStagerTFTP
--- a/modules/exploits/windows/mssql/mssql_payload_sqli.rb
+++ b/modules/exploits/windows/mssql/mssql_payload_sqli.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL_SQLI
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(update_info(info,
--- a/modules/exploits/windows/mysql/mysql_payload.rb
+++ b/modules/exploits/windows/mysql/mysql_payload.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(
--- a/modules/exploits/windows/oracle/extjob.rb
+++ b/modules/exploits/windows/oracle/extjob.rb
@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SMB
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti

  def initialize(info = {})
    super(update_info(info,
--- a/modules/exploits/windows/winrm/winrm_script_exec.rb
+++ b/modules/exploits/windows/winrm/winrm_script_exec.rb
@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::WinRM
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti


  def initialize(info = {})