dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Consolidate the FileDropper Mixin doc

This commit is contained in:
Christophe De La Fuente 2023-04-26 18:04:43 +02:00
parent 057fd1b74b
commit 8ab37b0b07
No known key found for this signature in database
GPG Key ID: 9E350956EA00352A
4 changed files with 48 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/metasploit-framework.wiki/Home.md
View File

@ -33,7 +33,6 @@ Are you anxious to get your [[Metasploit Development Environment|./dev/Setting-U
- [[Exploit Ranking]]
- [[Module Reference Identifiers]]
- [[How to check Microsoft patch levels for your exploit]]
- [[How to clean up files using FileDropper]]
- [[How to deprecate a Metasploit module]]
- [[How to do reporting or store data in module development]]
- [[How to log in Metasploit]]

38
docs/metasploit-framework.wiki/How-to-clean-up-files-using-FileDropper.md
View File

@ -1,38 +0,0 @@
## On this page
* [Examples](#examples)
* [Reference](#reference)
In some exploitation scenarios such as local privilege escalation, command execution, write privilege attacks, SQL Injections, etc, it is very likely that you have to upload one or more malicious files in order to gain control of the target machine. Well, a smart attacker shouldn't leave anything behind, so if a module needs to drop something onto the file system, it's important to remove it right after the purpose is served. And that is why we created the FileDropper mixin.
## Examples
The FileDropper mixin is a file manager that allows you to keep track of files, and then delete them when a session is created. To use it, first include the mixin:
```ruby
include Msf::Exploit::FileDropper
```
Next, tell the FileDropper mixin where the file is going to be after a session is created by using the ```register_file_for_cleanup``` method. Each file name should either be a full path or relative to the current working directory of the session. For example, if I want to upload a payload to the target machine's remote path: ```C:\Windows\System32\payload.exe```, then my statement can be:
```ruby
register_file_for_cleanup("C:\\Windows\\System32\\payload.exe")
```
If my session's current directory is already in ```C:\Windows\System32\```, then you can:
```ruby
register_file_for_cleanup("payload.exe")
```
If you wish to register multiple files, you can also provide the file names as arguments:
```ruby
register_file_for_cleanup("file_1.vbs", "file_2.exe", "file_1.conf")
```
Note that if your exploit module uses ```on_new_session```, you are actually overriding FileDropper's ```on_new_session```.
## Reference
- <https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/file_dropper.rb>

50
docs/metasploit-framework.wiki/How-to-cleanup-after-module-execution.md
View File

@ -1,6 +1,13 @@
## On this page
* [Cleanup method](#cleanup-method)
* [FileDropper Mixin](#filedropper-mixin)
## Cleanup method
Metasploit has a handy `cleanup` method that is always called when the module terminates, whether it is successful or not. This method can be overridden by any modules to add their own cleanup routines. For example, this might be useful to put some files back on the target after the module had deleted them. Another scenario would be to restore the settings in a web application that were modified by the exploit. This is the right place to clean things up.
Framework itself implements this method to disconnect connections, call the handler cleanup routines, etc. Some other mixins, such as the `Msf::Exploit::FileDropper` or `Msf::Exploit::Remote::Kerberos::Client`, override this method to add their own cleanup code. It is extremely important to **always** call `super` in your `cleanup` method to make sure Framework and any other mixins clean up themself properly.
Framework itself implements this method to disconnect connections, call the handler cleanup routines, etc. Some other mixins, such as the `Msf::Exploit::FileDropper` (see the next [section](#filedropper-mixin)) or `Msf::Exploit::Remote::Kerberos::Client`, override this method to add their own cleanup code. It is extremely important to **always** call `super` in your `cleanup` method to make sure Framework and any other mixins clean up themself properly.
Here is an example that restores a configuration file after being deleted by the module:
```ruby
@ -21,7 +28,17 @@ def cleanup
print_status('Cleaning up')
uri = normalize_uri(datastore['USERNAME'], self.repo_name, '/settings')
res = http_post_request(uri, action: 'delete', repo_name: self.repo_name)
csrf = get_csrf(uri)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI'], uri),
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' => {
_csrf: csrf,
action: 'delete',
repo_name: self.repo_name
}
})
unless res
fail_with(Failure::Unreachable, 'Unable to reach the settings page')
@ -37,4 +54,33 @@ def cleanup
end
```
## FileDropper Mixin
In some exploitation scenarios such as local privilege escalation, command execution, write privilege attacks, SQL Injections, etc, it is very likely that you have to upload one or more malicious files in order to gain control of the target machine. Well, a smart attacker shouldn't leave anything behind, so if a module needs to drop something onto the file system, it's important to remove it right after the purpose is served. And that is why we created the FileDropper mixin.
The [FileDropper mixin](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/file_dropper.rb) is a file manager that allows you to keep track of files, and then delete them when a session is created. To use it, first include the mixin:
```ruby
include Msf::Exploit::FileDropper
```
Next, tell the FileDropper mixin where the file is going to be after a session is created by using the `register_file_for_cleanup` method. Each file name should either be a full path or relative to the current working directory of the session. For example, if I want to upload a payload to the target machine's remote path: `C:\Windows\System32\payload.exe`, then my statement can be:
```ruby
register_file_for_cleanup("C:\\Windows\\System32\\payload.exe")
```
If my session's current directory is already in `C:\Windows\System32\`, then you can:
```ruby
register_file_for_cleanup("payload.exe")
```
If you wish to register multiple files, you can also provide the file names as arguments:
```ruby
register_file_for_cleanup("file_1.vbs", "file_2.exe", "file_1.conf")
```
Note that if your exploit module uses `on_new_session`, you are actually overriding FileDropper's `on_new_session`.

4
docs/navigation.rb
View File

@ -605,10 +605,6 @@ NAVIGATION_CONFIG = [
path: 'How-to-use-the-Seh-mixin-to-exploit-an-exception-handler.md',
title: 'SEH Exploitation'
},
{
path: 'How-to-clean-up-files-using-FileDropper.md',
title: 'FileDropper'
},
{
path: 'How-to-use-PhpEXE-to-exploit-an-arbitrary-file-upload-bug.md',
title: 'PhpExe'