metasploit-framework/lib/msf/base/simple/payload.rb

148 lines
4.3 KiB
Ruby

require 'msf/base'
module Msf
module Simple
###
#
# Simple payload wrapper class for performing generation.
#
###
module Payload
include Module
#
# Generate a payload with the mad skillz. The payload can be generated in
# a number of ways.
#
# opts can have:
#
# Encoder => A encoder module name.
# BadChars => A string of bad characters.
# Format => The format to represent the data as: ruby, perl, c, raw
# Options => A hash of options to set.
# OptionStr => A string of options in VAR=VAL form separated by
# whitespace.
# NoComment => Disables prepention of a comment
# NopSledSize => The number of NOPs to use
# MaxSize => The maximum size of the payload.
# Iterations => Number of times to encode.
# Force => Force encoding.
#
# raises:
#
# BadcharError => If the supplied encoder fails to encode the payload
# NoKeyError => No valid encoder key could be found
# ArgumentParseError => Options were supplied improperly
#
def self.generate_simple(payload, opts)
# Import any options we may need
payload._import_extra_options(opts)
framework = payload.framework
# Generate the payload
e = EncodedPayload.create(payload,
'BadChars' => opts['BadChars'],
'MinNops' => opts['NopSledSize'],
'Encoder' => opts['Encoder'],
'Iterations' => opts['Iterations'],
'ForceEncode' => opts['ForceEncode'],
'Space' => opts['MaxSize'])
fmt = opts['Format'] || 'raw'
inject = opts['KeepTemplateWorking'] || false
altexe = opts['Template'] || nil
arch = payload.arch
# Save off the original payload length
len = e.encoded.length
case fmt
when 'exe'
buf = nil
if(not arch or (arch.index(ARCH_X86)))
buf = Msf::Util::EXE.to_win32pe(framework, e.encoded , {:insert => inject, :template => altexe})
end
if(arch and (arch.index( ARCH_X86_64 ) or arch.index( ARCH_X64 )))
buf = Msf::Util::EXE.to_win64pe(framework, e.encoded, {:insert => inject, :template => altexe})
end
when 'exe-small'
buf = nil
if(not arch or (arch.index(ARCH_X86)))
buf = Msf::Util::EXE.to_win32pe_old(framework, e.encoded)
end
when 'elf'
buf = Msf::Util::EXE.to_linux_x86_elf(framework, e.encoded)
when 'macho'
buf = Msf::Util::EXE.to_osx_x86_macho(framework, e.encoded)
when 'vba'
exe = nil
exe = Msf::Util::EXE.to_win32pe(framework, e.encoded , {:insert => inject, :template => altexe})
buf = Msf::Util::EXE.to_exe_vba(exe)
when 'vbs'
buf = Msf::Util::EXE.to_win32pe_vbs(framework, e.encoded, {:insert => inject, :persist => false, :template => altexe})
when 'loop-vbs'
buf = Msf::Util::EXE.to_win32pe_vbs(framework, e.encoded, {:insert => inject, :persist => true, :template => altexe})
when 'asp'
buf = Msf::Util::EXE.to_win32pe_asp(framework, e.encoded , {:insert => inject, :persist => false, :template => altexe})
when 'war'
plat = Msf::Module::PlatformList.transform(opts['Platform'])
tmp_plat = plat.platforms
exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, e.encoded, { :template => altexe})
buf = Msf::Util::EXE.to_jsp_war(exe, {:persist => false })
else
# Serialize the generated payload to some sort of format
buf = Buffer.transform(e.encoded, fmt)
# Prepend a comment
if (fmt != 'raw' and opts['NoComment'] != true)
((ou = payload.options.options_used_to_s(payload.datastore)) and ou.length > 0) ? ou += "\n" : ou = ''
buf = Buffer.comment(
"#{payload.refname} - #{len} bytes#{payload.staged? ? " (stage 1)" : ""}\n" +
"http://www.metasploit.com\n" +
((e.encoder) ? "Encoder: #{e.encoder.refname}\n" : '') +
((e.nop) ? "NOP gen: #{e.nop.refname}\n" : '') +
"#{ou}",
fmt) + buf
# If it's multistage, include the second stage too
if payload.staged?
stage = payload.generate_stage
# If a stage was generated, then display it
if stage and stage.length > 0
buf +=
"\n" +
Buffer.comment(
"#{payload.refname} - #{stage.length} bytes (stage 2)\n" +
"http://www.metasploit.com\n",
fmt) + Buffer.transform(stage, fmt)
end
end
end
end
return buf
end
#
# Calls the class method.
#
def generate_simple(opts)
Msf::Simple::Payload.generate_simple(self, opts)
end
end
end
end