metasploit-framework/lib/msf/core/exploit/exe.rb

171 lines
6.0 KiB
Ruby

# -*- coding: binary -*-
###
#
# This module exposes a simple method to create an payload in an executable.
#
###
module Msf
module Exploit::EXE
def initialize(info = {})
super
# NOTE: Any new options here should also be dealt with in
# EncodedPayload#encoded_exe in lib/msf/core/encoded_payload.rb
register_advanced_options(
[
OptBool.new( 'EXE::EICAR', [ false, 'Generate an EICAR file instead of regular payload exe']),
OptPath.new( 'EXE::Custom', [ false, 'Use custom exe instead of automatically generating a payload exe']),
OptPath.new( 'EXE::Path', [ false, 'The directory in which to look for the executable template' ]),
OptPath.new( 'EXE::Template', [ false, 'The executable template file name.' ]),
OptBool.new( 'EXE::Inject', [ false, 'Set to preserve the original EXE function' ]),
OptBool.new( 'EXE::OldMethod',[ false, 'Set to use the substitution EXE generation method.' ]),
OptBool.new( 'EXE::FallBack', [ false, 'Use the default template in case the specified one is missing' ]),
OptBool.new( 'MSI::EICAR', [ false, 'Generate an EICAR file instead of regular payload msi']),
OptPath.new( 'MSI::Custom', [ false, 'Use custom msi instead of automatically generating a payload msi']),
OptPath.new( 'MSI::Path', [ false, 'The directory in which to look for the msi template' ]),
OptPath.new( 'MSI::Template', [ false, 'The msi template file name' ]),
OptBool.new( 'MSI::UAC', [ false, 'Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)' ])
], self.class)
end
# Avoid stating the string directly, don't want to get caught by local
# antivirus!
def get_eicar_exe
obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
obfus_eicar.join("-").upcase
end
def get_custom_exe(path = nil)
path ||= datastore['EXE::Custom']
print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
datastore['DisablePayloadHandler'] = true
exe = nil
::File.open(path,'rb') {|f| exe = f.read(f.stat.size)}
exe
end
def generate_payload_exe(opts = {})
return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?
return get_eicar_exe if datastore['EXE::EICAR']
exe_init_options(opts)
pl = opts[:code]
pl ||= payload.encoded
# Fall back to x86...
opts[:arch] = [ARCH_X86] if !opts[:arch] || opts[:arch].length < 1
# Ensure we have an array
opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array
# Transform the PlatformList
if opts[:platform].kind_of? Msf::Module::PlatformList
opts[:platform] = opts[:platform].platforms
end
exe = Msf::Util::EXE.to_executable(framework, opts[:arch], opts[:platform], pl, opts)
exe_post_generation(opts)
exe
end
def generate_payload_exe_service(opts = {})
return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?
return get_eicar_exe if datastore['EXE::EICAR']
exe_init_options(opts)
# NOTE: Only Windows is supported here.
pl = opts[:code]
pl ||= payload.encoded
#Ensure opts[:arch] is an array
opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array
if opts[:arch] && (opts[:arch].index(ARCH_X64) or opts[:arch].index(ARCH_X86_64))
exe = Msf::Util::EXE.to_win64pe_service(framework, pl, opts)
else
exe = Msf::Util::EXE.to_win32pe_service(framework, pl, opts)
end
exe_post_generation(opts)
exe
end
def generate_payload_dll(opts = {})
return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?
return get_eicar_exe if datastore['EXE::EICAR']
exe_init_options(opts)
plat = opts[:platform]
pl = opts[:code]
pl ||= payload.encoded
#Ensure opts[:arch] is an array
opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array
# NOTE: Only x86_64 linux is supported here.
if plat.index(Msf::Module::Platform::Linux)
if opts[:arch] && (opts[:arch].index(ARCH_X64) || opts[:arch].index(ARCH_X86_64))
dll = Msf::Util::EXE.to_linux_x64_elf_dll(framework, pl,opts)
end
elsif plat.index(Msf::Module::Platform::Windows)
if opts[:arch] && (opts[:arch].index(ARCH_X64) || opts[:arch].index(ARCH_X86_64))
dll = Msf::Util::EXE.to_win64pe_dll(framework, pl, opts)
else
dll = Msf::Util::EXE.to_win32pe_dll(framework, pl, opts)
end
end
exe_post_generation(opts)
dll
end
def generate_payload_msi(opts = {})
return get_custom_exe(datastore['MSI::Custom']) unless datastore['MSI::Custom'].to_s.strip.empty?
return get_eicar_exe if datastore['MSI::EICAR']
exe = generate_payload_exe(opts)
opts.merge! ({
:msi_template => datastore['MSI::Template'],
:msi_template_path => datastore['MSI::Path'],
:uac => datastore['MSI::UAC']
})
Msf::Util::EXE.to_exe_msi(framework, exe, opts)
end
protected
def exe_init_options(opts)
opts.merge!(
{
:template_path => datastore['EXE::Path'],
:template => datastore['EXE::Template'],
:inject => datastore['EXE::Inject'],
:fallback => datastore['EXE::FallBack'],
:sub_method => datastore['EXE::OldMethod']
})
# Prefer the target's platform/architecture information, but use
# the module's if no target specific information exists
opts[:platform] ||= payload_instance.platform if self.respond_to? :payload_instance
opts[:platform] ||= target_platform if self.respond_to? :target_platform
opts[:platform] ||= platform if self.respond_to? :platform
opts[:arch] ||= payload_instance.arch if self.respond_to? :payload_instance
opts[:arch] ||= target_arch if self.respond_to? :target_arch
opts[:arch] ||= arch if self.respond_to? :arch
end
def exe_post_generation(opts)
if opts[:fellback]
print_status("Warning: Falling back to default template: #{opts[:fellback]}")
end
end
end
end