Initial attempt to unify the command stagers.

lib/msf/core/exploit/cmdstager.rb

@@ -63,7 +63,7 @@ module Exploit::CmdStager
 
     @exe = generate_payload_exe
 
-    @stager_instance = create_stager(@exe)
+    @stager_instance = create_stager(@exe, opts)
     cmd_list = @stager_instance.generate(opts)
 
     if (cmd_list.nil? or cmd_list.length < 1)

lib/msf/core/exploit/cmdstager_bourne.rb

@@ -1,21 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerBourne
-
-  include Msf::Exploit::CmdStager
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerBourne.new(exe)
-  end
-end
-
-end

lib/msf/core/exploit/cmdstager_debug_asm.rb

@@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerDebugAsm
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe assembly listing decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerDebugAsm.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end

lib/msf/core/exploit/cmdstager_debug_write.rb

@@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerDebugWrite
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe file-writing decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerDebugWrite.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end

lib/msf/core/exploit/cmdstager_echo.rb

@@ -1,34 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-####
-# Allows for staging cmd to arbitrary payloads through the CmdStagerEcho.
-#
-# This stager uses the echo's "-e" flag, that enable interpretation of
-# backslash escapes, to drop an ELF with the payload embedded to disk.
-# The "-e" flag is usually available on linux environments. This stager
-# has been found useful on restricted linux based embedded devices, and
-# should work on either:
-# * Systems with busy box's echo binary somewhere in $PATH.
-# * Systems with bash/zsh whose echo builtin supports -en flags.
-# * Systems with GNU coreutils echo which supports -en flags.
-#
-####
-
-module Exploit::CmdStagerEcho
-
-  include Msf::Exploit::CmdStager
-
-  # Initializes a CmdStagerEcho instance for the supplied payload
-  #
-  # @param exe [String] The payload embedded into an ELF
-  # @return [Rex::Exploitation::CmdStagerEcho] Stager instance
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerEcho.new(exe)
-  end
-end
-
-end

lib/msf/core/exploit/cmdstager_multi.rb

@@ -0,0 +1,88 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerMulti
+
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super
+
+    register_advanced_options(
+      [
+        OptString.new('CMDSTAGER::DECODERSTUB',  [ false, 'The decoder stub to use.', nil]),
+      ], self.class)
+  end
+
+  def create_stager(exe, opts)
+    case opts[:flavor]
+    when :bourne
+      return Rex::Exploitation::CmdStagerBourne.new(exe)
+    when :debug_asm
+      return Rex::Exploitation::CmdStagerDebugAsm.new(exe)
+    when :debug_write
+      return Rex::Exploitation::CmdStagerDebugWrite.new(exe)
+    when :echo
+      return Rex::Exploitation::CmdStagerEcho.new(exe)
+    when :vbs, :vbs_adodb
+      return Rex::Exploitation::CmdStagerVBS.new(exe)
+    end
+  end
+
+  def execute_cmdstager(opts = {})
+    opts[:decoder] = guess_decoder(opts) if datastore['CMDSTAGER::DECODERSTUB'].nil?
+    super
+  end
+
+  def generate_cmdstager(opts = {}, pl = nil)
+    if not opts.include?(:flavor)
+      default_flavor = guess_flavor
+      vprint_status("Using default stager: #{default_flavor}")
+      opts[:flavor] = default_flavor
+    end
+    opts[:decoder] = guess_decoder(opts) if datastore['CMDSTAGER::DECODERSTUB'].nil?
+    super
+  end
+
+  def guess_decoder(opts)
+    case opts[:flavor]
+    when :debug_asm
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")
+    when :debug_write
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")
+    when :vbs
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
+    when :vbs_adodb
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
+    end
+    return nil
+  end
+
+  def guess_flavor
+    c_platform = nil
+    if target_platform.names.length == 1
+      c_platform = target_platform.names.first
+    end
+    case c_platform
+    when 'linux', 'Linux'
+      return :bourne
+    when 'osx', 'OSX'
+      return :bourne
+    when 'unix', 'Unix'
+      return :bourne
+    when 'win', 'Windows'
+      return :vbs
+    end
+    return nil
+  end
+end
+
+end

lib/msf/core/exploit/cmdstager_tftp.rb

@@ -26,7 +26,7 @@ module Exploit::CmdStagerTFTP
       ], self.class)
   end
 
-  def create_stager(exe)
+  def create_stager(exe, opts)
     Rex::Exploitation::CmdStagerTFTP.new(exe)
   end
 

lib/msf/core/exploit/cmdstager_vbs.rb

@@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerVBS
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerVBS.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end

lib/msf/core/exploit/cmdstager_vbs_adodb.rb

@@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerVBS::ADODB
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_adodb")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerVBS.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end

lib/msf/core/exploit/mixins.rb

@@ -19,14 +19,6 @@ require 'msf/core/exploit/php_exe'
 
 # CmdStagers
 require 'msf/core/exploit/cmdstager'
-require 'msf/core/exploit/cmdstager_vbs'
-require 'msf/core/exploit/cmdstager_vbs_adodb'
-require 'msf/core/exploit/cmdstager_debug_write'
-require 'msf/core/exploit/cmdstager_debug_asm'
-require 'msf/core/exploit/cmdstager_tftp'
-require 'msf/core/exploit/cmdstager_bourne'
-require 'msf/core/exploit/cmdstager_echo'
-require 'msf/core/exploit/cmdstager_printf'
 
 # Protocol
 require 'msf/core/exploit/tcp'

modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(update_info(info,
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     test_login
 
-    execute_cmdstager
+    execute_cmdstager({:flavor => :echo})
   end
 
   # Sends an HTTP request with authorization header to the router

modules/exploits/multi/http/hp_sys_mgmt_exec.rb

@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info={})

modules/exploits/multi/http/jenkins_script_console.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GoodRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/multi/http/netwin_surgeftp_exec.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GoodRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb

@@ -12,7 +12,7 @@ class Metasploit4 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::Remote::HttpServer
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
   include Msf::Exploit::EXE
   include Msf::Exploit::FileDropper
 

modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb

@@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote
 
   Rank = GreatRanking
 
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
   include Msf::Exploit::EXE
   include Msf::Exploit::Remote::HttpClient
 

modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb

@@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote
 
   Rank = GreatRanking
 
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
   include Msf::Exploit::EXE
   include Msf::Exploit::Remote::HttpClient
 

modules/exploits/multi/ssh/sshexec.rb

@@ -9,7 +9,7 @@ require 'net/ssh'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ManualRanking
 
-  include Msf::Exploit::CmdStagerBourne
+  include Msf::Exploit::CmdStagerMulti
 
   attr_accessor :ssh_socket
 
@@ -71,6 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
         OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
         OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
         OptString.new('RHOST', [ true, "The target address" ]),
+        OptEnum.new('STAGER', [ true, "The flavor of stager to use", 'bourne', [ 'bourne', 'echo' ]]),
         Opt::RPORT(22)
       ], self.class
     )
@@ -83,6 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def execute_command(cmd, opts = {})
+    vprint_status("Executing #{cmd}")
     begin
       Timeout.timeout(3) do
         self.ssh_socket.exec!("#{cmd}\n")
@@ -125,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
 
-    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
+    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
-    execute_cmdstager({:linemax => 500})
+    execute_cmdstager({:linemax => 500, :flavor => datastore['STAGER'].to_sym})
   end
 end

modules/exploits/unix/webapp/zeroshell_exec.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStagerMulti
   include Msf::Exploit::EXE
 
   def initialize(info={})
@@ -149,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     @session = login(admin_password)
 
-    execute_cmdstager
+    execute_cmdstager({:flavor => :echo})
   end
 
 end

modules/exploits/windows/browser/dxstudio_player_exec.rb

@@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpServer::HTML
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb

@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
   HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/windows/http/sap_configservlet_exec_noauth.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
   include Msf::Exploit::FileDropper
 
   def initialize(info = {})

modules/exploits/windows/mssql/mssql_linkcrawler.rb

@@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::MSSQL
   include Msf::Auxiliary::Report
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/windows/mssql/mssql_payload.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::MSSQL
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
   #include Msf::Exploit::CmdStagerDebugAsm
   #include Msf::Exploit::CmdStagerDebugWrite
   #include Msf::Exploit::CmdStagerTFTP

modules/exploits/windows/mssql/mssql_payload_sqli.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::MSSQL_SQLI
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/windows/mysql/mysql_payload.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::MYSQL
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(

modules/exploits/windows/oracle/extjob.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::SMB
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/windows/winrm/winrm_script_exec.rb

@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ManualRanking
 
   include Msf::Exploit::Remote::WinRM
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStagerMulti
 
 
   def initialize(info = {})