metasploit-framework/modules/exploits/multi/hams/steamed.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'Steamed Hams',
        'Description'    => "but it's a Metasploit Module",
        'License'        => MSF_LICENSE,
        'Author'         =>  [ 'bcook-r7' ],
        'DisclosureDate' => '2018-04-01',
        'References'     =>  [['URL', 'https://www.youtube.com/watch?v=mkX3dO6KN54']],
        'Platform'       => %w[android apple_ios bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi],
        'Arch'           => ARCH_ALL,
        'Targets'        => [
          [ 'An Unforgettable Luncheon', {
            'script' => %q(
Q2FzdDogJXllbFvwn6SUXSAlYmx1W/CfmJNdICVncm5b8J+RqfCfjqRdICVncm5b8J+RtV0gJXJl
ZFvwn5qSXQpDaGFsbWVyczogV2VsbCwgU2V5bW91ciwgSSBtYWRlIGl0LSBkZXNwaXRlIHlvdXIg
ZGlyZWN0aW9ucy4KU2tpbm5lcjogQWguIFN1cGVyaW50ZW5kZW50IENoYWxtZXJzLgpTa2lubmVy
OiBXZWxjb21lLgpTa2lubmVyOiBJIGhvcGUgeW91J3JlIHByZXBhcmVkIGZvciBhbiB1bmZvcmdl
dHRhYmxlIGx1bmNoZW9uLgpDaGFsbWVyczogWWVhaC4KU2tpbm5lcjogT2gsIGVnYWRzIQpTa2lu
bmVyOiBNeSByb2FzdCBpcyBydWluZWQuClNraW5uZXI6IEJ1dCB3aGF0IGlmIEkgd2VyZSB0byBw
dXJjaGFzZSBmYXN0IGZvb2QgYW5kIGRpc2d1aXNlIGl0IGFzIG15IG93biBjb29raW5nPwpTa2lu
bmVyOiBEZWxpZ2h0ZnVsbHkgZGV2aWxpc2gsIFNleW1vdXIuClNpbmdlcnM6IFNraW5uZXIgd2l0
aCBoaXMgY3JhenkgZXhwbGFuYXRpb25zClNpbmdlcnM6IFRoZSBzdXBlcmludGVuZGVudCdzIGdv
bm5hIG5lZWQgaGlzIG1lZGljYXRpb24KU2luZ2VyczogV2hlbiBoZSBoZWFycyBTa2lubmVyJ3Mg
bGFtZSBleGFnZ2VyYXRpb25zClNpbmdlcnM6IFRoZXJlJ2xsIGJlIHRyb3VibGUgaW4gdG93biB0
b25pZ2h0IQpDaGFsbWVyczogU2V5bW91ciEKU2tpbm5lcjogU3VwZXJpbnRlbmRlbnQsIEkgd2Fz
IGp1c3QtIHVoLCBqdXN0IHN0cmV0Y2hpbmcgbXkgY2FsdmVzIG9uIHRoZSB3aW5kb3dzaWxsLgpT
a2lubmVyOiBJc29tZXRyaWMgZXhlcmNpc2UuClNraW5uZXI6IENhcmUgdG8gam9pbiBtZT8KQ2hh
bG1lcnM6IFdoeSBpcyB0aGVyZSBzbW9rZSBjb21pbmcgb3V0IG9mIHlvdXIgb3ZlbiwgU2V5bW91
cj8KU2tpbm5lcjogVWgtIE9oLiBUaGF0IGlzbid0IHNtb2tlLgpTa2lubmVyOiBJdCdzIHN0ZWFt
LgpTa2lubmVyOiBTdGVhbSBmcm9tIHRoZSBzdGVhbWVkIGNsYW1zIHdlJ3JlIGhhdmluZy4KU2tp
bm5lcjogTW1tLiBTdGVhbWVkIGNsYW1zLgpTa2lubmVyOiBTdXBlcmludGVuZGVudCwgSSBob3Bl
IHlvdSdyZSByZWFkeSBmb3IgbW91dGh3YXRlcmluZyBoYW1idXJnZXJzLgpDaGFsbWVyczogSSB0
aG91Z2h0IHdlIHdlcmUgaGF2aW5nIHN0ZWFtZWQgY2xhbXMuClNraW5uZXI6IEQnb2gsIG5vLgpT
a2lubmVyOiBJIHNhaWQgc3RlYW1lZCBoYW1zLgpTa2lubmVyOiBUaGF0J3Mgd2hhdCBJIGNhbGwg
aGFtYnVyZ2Vycy4KQ2hhbG1lcnM6IFlvdSBjYWxsIGhhbWJ1cmdlcnMgc3RlYW1lZCBoYW1zPwpT
a2lubmVyOiBZZXMuClNraW5uZXI6IEl0J3MgYSByZWdpb25hbCBkaWFsZWN0LgpDaGFsbWVyczog
VWgtaHVoLiBVaCwgd2hhdCByZWdpb24/ClNraW5uZXI6IFVoLCB1cHN0YXRlIE5ldyBZb3JrLgpD
aGFsbWVyczogUmVhbGx5LgpDaGFsbWVyczogV2VsbCwgSSdtIGZyb20gVXRpY2EsIGFuZCBJJ3Zl
IG5ldmVyIGhlYXJkIGFueW9uZSB1c2UgdGhlIHBocmFzZSAic3RlYW1lZCBoYW1zLiIKU2tpbm5l
cjogT2gsIG5vdCBpbiBVdGljYS4gTm8uClNraW5uZXI6IEl0J3MgYW4gQWxiYW55IGV4cHJlc3Np
b24uCkNoYWxtZXJzOiBJIHNlZS4KQ2hhbG1lcnM6IFlvdSBrbm93LCB0aGVzZSBoYW1idXJnZXJz
IGFyZSBxdWl0ZSBzaW1pbGFyIHRvIHRoZSBvbmVzIHRoZXkgaGF2ZSBhdCBLcnVzdHkgQnVyZ2Vy
LgpTa2lubmVyOiBPaCwgbm8uClNraW5uZXI6IFBhdGVudGVkIFNraW5uZXIgYnVyZ2Vycy4KU2tp
bm5lcjogT2xkIGZhbWlseSByZWNpcGUuCkNoYWxtZXJzOiBGb3Igc3RlYW1lZCBoYW1zLgpTa2lu
bmVyOiBZZXMuCkNoYWxtZXJzOiBZZXMuCkNoYWxtZXJzOiBBbmQgeW91IGNhbGwgdGhlbSBzdGVh
bWVkIGhhbXMgZGVzcGl0ZSB0aGUgZmFjdCB0aGF0IHRoZXkgYXJlIG9idmlvdXNseSBncmlsbGVk
LgpTa2lubmVyOiBZZS0KU2tpbm5lcjogWW91IGtub3csIHRoZS0KU2tpbm5lcjogT25lIHRoaW5n
IEkgc2hvdWxkLSAtClNraW5uZXI6IEV4Y3VzZSBtZSBmb3Igb25lIHNlY29uZC4KQ2hhbG1lcnM6
IE9mIGNvdXJzZS4KU2tpbm5lcjogV2VsbCwgdGhhdCB3YXMgd29uZGVyZnVsLgpTa2lubmVyOiBB
IGdvb2QgdGltZSB3YXMgaGFkIGJ5IGFsbC4KU2tpbm5lcjogSSdtIHBvb3BlZC4KQ2hhbG1lcnM6
IFllcy4gSSBzaG91bGQgYmUtCkNoYWxtZXJzOiBHb29kIExvcmQhCkNoYWxtZXJzOiBXaGF0IGlz
IGhhcHBlbmluZyBpbiB0aGVyZT8KU2tpbm5lcjogQXVyb3JhIGJvcmVhbGlzLgpDaGFsbWVyczog
VWgtIEF1cm9yYSBib3JlYWxpcwpDaGFsbWVyczogYXQgdGhpcyB0aW1lIG9mIHllYXIKQ2hhbG1l
cnM6IGF0IHRoaXMgdGltZSBvZiBkYXkKQ2hhbG1lcnM6IGluIHRoaXMgcGFydCBvZiB0aGUgY291
bnRyeQpDaGFsbWVyczogbG9jYWxpemVkIGVudGlyZWx5IHdpdGhpbiB5b3VyIGtpdGNoZW4/ClNr
aW5uZXI6IFllcy4KQ2hhbG1lcnM6IE1heSBJIHNlZSBpdD8KU2tpbm5lcjogTm8uCk1vdGhlcjog
U2V5bW91ciEKTW90aGVyOiBUaGUgaG91c2UgaXMgb24gZmlyZSEKU2tpbm5lcjogTm8sIE1vdGhl
ci4gSXQncyBqdXN0IHRoZSBub3J0aGVybiBsaWdodHMuCkNoYWxtZXJzOiBXZWxsLCBTZXltb3Vy
LCB5b3UgYXJlIGFuIG9kZCBmZWxsb3cgYnV0IEkgbXVzdCBzYXkgeW91IHN0ZWFtIGEgZ29vZCBo
YW0uCk1vdGhlcjogSGVscCEKTW90aGVyOiBIZWxwIQpGaXJldHJ1Y2s6IHdoZWVlcnJycgo=)
        } ],
        [ 'Legitimate Theater', {
          'script' => %q(
Q2FzdDogW/Cfpo1dICVibHVb8J+RqPCfmoBdICVncm5b8J+ZiPCfmYnwn5mK8J+OpF0gJWdyblvw
n5C18J+PpV0gJXJlZFvwn5mJXSAlYmx1W/CfkJLwn4+lXSAleWVsW/CfmI5dICV5ZWxb8J+Yi10g
W/Cfpo3wn5C18J+mjfCfkLVdICVibHVb8J+mjfCfkLXwn5Go8J+QtfCfpo1dCkdvcmlsbGE6IEhl
bHAsIHRoZSBodW1hbidzIGFib3V0IHRvIGVzY2FwZSEKVHJveTogR2V0IHlvdXIgcGF3cyBvZmYg
bWUsIHlvdSBkaXJ0eSBhcGUhCkdvcmlsbGE6IChnYXNwcykgSGUgY2FuIHRhbGshCk9yYW5ndXRh
bnM6IEhlIGNhbiB0YWxrISBIZSBjYW4gdGFsayEKT3Jhbmd1dGFuczogSGUgY2FuIHRhbGshIEhl
IGNhbiB0YWxrIQpPcmFuZ3V0YW5zOiBIZSBjYW4gdGFsayEgSGUgY2FuIHRhbGshClRyb3k6IEkg
Y2FuIHNpaWlpaWlpaW5nIQpDaGltcCBOdXJzZTogT29oLCBoZWxwIG1lLCBEci4gWmFpdXMhCk9y
YW5ndXRhbnM6IERyLiBaYWl1cyEgRHIuIFphaXVzIQpPcmFuZ3V0YW5zOiBEci4gWmFpdXMhIERy
LiBaYWl1cyEKT3Jhbmd1dGFuczogRHIuIFphaXVzISBEci4gWmFpdXMhCk9yYW5ndXRhbnM6IE9o
LCBEci4gWmFpdXMhCk9yYW5ndXRhbjogRHIuIFphaXVzISBEci4gWmFpdXMhClRyb3k6IFdoYXQn
cyB3cm9uZyB3aXRoIG1lPwpaYWl1czogSSB0aGluayB5b3UncmUgY3JhenkuClRyb3k6IFdhbnQg
YSBzZWNvbmQgb3Bpbmlvbi4KWmFpdXM6IFlvdSdyZSBhbHNvIGxhenkuCk9yYW5ndXRhbnM6IERy
LiBaYWl1cyEgRHIuIFphaXVzIQpPcmFuZ3V0YW5zOiBEci4gWmFpdXMhIERyLiBaYWl1cyEKT3Jh
bmd1dGFuczogRHIuIFphaXVzISBEci4gWmFpdXMhCk9yYW5ndXRhbnM6IE9oLCBEci4gWmFpdXMh
Ck9yYW5ndXRhbjogRHIuIFphaXVzISBEci4gWmFpdXMhClRyb3k6IENhbiBJIHBsYXkgdGhlIHBp
YW5vIGFueW1vcmU/ClphaXVzOiBPZiBjb3Vyc2UgeW91IGNhbi4KVHJveTogV2VsbCwgSSBjb3Vs
ZG4ndCBiZWZvcmUuClRyb3k6IChwbGF5cyB0aGUgcGlhbm8pCk9yYW5ndXRhbnM6IERyLiBaYWl1
cyEgRHIuIFphaXVzIQpPcmFuZ3V0YW5zOiBEci4gWmFpdXMhIERyLiBaYWl1cyEKT3Jhbmd1dGFu
czogRHIuIFphaXVzISBEci4gWmFpdXMhCk9yYW5ndXRhbnM6IE9oLCBEci4gWmFpdXMhCk9yYW5n
dXRhbjogRHIuIFphaXVzISBEci4gWmFpdXMhCkJhcnQ6IFRoaXMgcGxheSBoYXMgZXZlcnl0aGlu
Zy4KSG9tZXI6IE9oLCBJIGxvdmUgbGVnaXRpbWF0ZSB0aGUtYS10ZXIuClRyb3k6IEkgaGF0ZSBl
dmVyeSBhcGUgSSBzZWUKVHJveTogRnJvbSBjaGltcGFuLWEgdG8gY2hpbXBhbi16LApUcm95OiBO
bywgeW91J2xsIG5ldmVyIG1ha2UgYSBtb25rZXkgb3V0IG9mIG1lLgpUcm95OiBPaCwgbXkgR29k
LCBJIHdhcyB3cm9uZywKVHJveTogSXQgd2FzIEVhcnRoIGFsbCBhbG9uZy4KVHJveTogWW91IGZp
bmFsbHkgbWFkZSBhIG1vbmtleS4uLgpBcGVzOiBZZXMgd2UgZmluYWxseSBtYWRlIGEgbW9ua2V5
Li4uClRyb3kgYW5kIEFwZXM6IFllcywgeW91IGZpbmFsbHkgbWFkZSBhIG1vbmtleSBvdXQgb2Yg
bWUhClRyb3k6IEkgbG92ZSB5b3UsIERyLiBaYWl1cyEK)
        } ],
        ],
        'DefaultTarget'  => 0,
      )
    )
  end

  def exploit
    cast = []
    castmap = {}
    Base64.decode64(target['script']).each_line do |line|
      target, msg = line.split(':').map(&:strip)
      if target == 'Cast'
        cast = msg.split(' ')
        castmap = Hash.new { |hash, key| hash[key] = cast.rotate![-1] }
      else
        t = datastore['VERBOSE'] ? " #{target}:" : ""
        print_line("%bld#{castmap[target]}#{t}%clr #{msg}")
        sleep(0.30 * msg.split(' ').length)
      end
    end
  end
end