From 8a0dfa57a05a7edc164253f9e3aa50ad7c7656c3 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 25 May 2023 11:49:38 -0400 Subject: [PATCH 1/3] Drop size requirement and fix descriptions The size requriement is used when the adapted payload is executed from the command line but that's not the case for the fetch payloads which execute a command to fetch the payload from a URL. The payload size doesn't matter because it's included in the executable file hosted at the URL. --- lib/msf/core/payload/adapter/fetch.rb | 12 ++---------- modules/payloads/adapters/cmd/linux/http/x64.rb | 2 +- modules/payloads/adapters/cmd/linux/https/x64.rb | 2 +- modules/payloads/adapters/cmd/linux/tftp/x64.rb | 2 +- 4 files changed, 5 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/payload/adapter/fetch.rb b/lib/msf/core/payload/adapter/fetch.rb index 68118208e249..285ae5b0a872 100644 --- a/lib/msf/core/payload/adapter/fetch.rb +++ b/lib/msf/core/payload/adapter/fetch.rb @@ -36,14 +36,6 @@ def check_srvhost end end - def compatible?(mod) - if mod.type == Msf::MODULE_PAYLOAD && (mod.class.const_defined?(:CachedSize) && mod.class::CachedSize != :dynamic) && (mod.class::CachedSize >= 120_000) # echo does not have an unlimited amount of space - return false - end - super - end - - # If no fetch URL is provided, we generate one based off the underlying payload data # This is because if we use a randomly-generated URI, the URI generated by venom and # Framework will not match. This way, we can build a payload in venom and a listener @@ -310,7 +302,7 @@ def _generate_wget_command end cmd + _execute_add end - + def _remote_destination return _remote_destination_win if windows? return _remote_destination_nix @@ -339,4 +331,4 @@ def _remote_destination_win @remote_destination_win = payload_path @remote_destination_win end -end \ No newline at end of file +end 
diff --git a/modules/payloads/adapters/cmd/linux/http/x64.rb b/modules/payloads/adapters/cmd/linux/http/x64.rb index 4e6c18dd6b62..f18ae1f1f992 100644 --- a/modules/payloads/adapters/cmd/linux/http/x64.rb +++ b/modules/payloads/adapters/cmd/linux/http/x64.rb @@ -12,7 +12,7 @@ def initialize(info = {}) update_info( info, 'Name' => 'HTTP Fetch', - 'Description' => 'Fetch and Execute an x64 payload from an http server', + 'Description' => 'Fetch and execute an x64 payload from an HTTP server.', 'Author' => 'Brendan Watters', 'Platform' => 'linux', 'Arch' => ARCH_CMD, diff --git a/modules/payloads/adapters/cmd/linux/https/x64.rb b/modules/payloads/adapters/cmd/linux/https/x64.rb index 34bf2e4e8de9..c1eb37017dbc 100644 --- a/modules/payloads/adapters/cmd/linux/https/x64.rb +++ b/modules/payloads/adapters/cmd/linux/https/x64.rb @@ -12,7 +12,7 @@ def initialize(info = {}) update_info( info, 'Name' => 'HTTPS Fetch', - 'Description' => 'Fetch and Execute an x64 payload from an https server', + 'Description' => 'Fetch and execute an x64 payload from an HTTPS server.', 'Author' => 'Brendan Watters', 'Platform' => 'linux', 'Arch' => ARCH_CMD, diff --git a/modules/payloads/adapters/cmd/linux/tftp/x64.rb b/modules/payloads/adapters/cmd/linux/tftp/x64.rb index 0fad3c06a78c..e41205542c20 100644 --- a/modules/payloads/adapters/cmd/linux/tftp/x64.rb +++ b/modules/payloads/adapters/cmd/linux/tftp/x64.rb @@ -12,7 +12,7 @@ def initialize(info = {}) update_info( info, 'Name' => 'TFTP Fetch', - 'Description' => 'Fetch and Execute an x64 payload from a TFTP server', + 'Description' => 'Fetch and execute an x64 payload from a TFTP server.', 'Author' => 'Brendan Watters', 'Platform' => 'linux', 'Arch' => ARCH_CMD, From d7098aa06d117a318c9f90ce38e78a6fc7178c14 Mon Sep 17 00:00:00 2001 
From: Spencer McIntyre
Date: Thu, 25 May 2023 13:20:59 -0400
Subject: [PATCH 2/3] Add MIPS64 fetch adapters
---
.../adapters/cmd/linux/http/mips64.rb | 25 +++++++++++++++++++
.../adapters/cmd/linux/https/mips64.rb | 25 +++++++++++++++++++
.../adapters/cmd/linux/tftp/mips64.rb | 25 +++++++++++++++++++
3 files changed, 75 insertions(+)
create mode 100644 modules/payloads/adapters/cmd/linux/http/mips64.rb
create mode 100644 modules/payloads/adapters/cmd/linux/https/mips64.rb
create mode 100644 modules/payloads/adapters/cmd/linux/tftp/mips64.rb
diff --git a/modules/payloads/adapters/cmd/linux/http/mips64.rb b/modules/payloads/adapters/cmd/linux/http/mips64.rb
new file mode 100644
index 000000000000..8cbdde61f21a
--- /dev/null
+++ b/modules/payloads/adapters/cmd/linux/http/mips64.rb
@@ -0,0 +1,25 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+module MetasploitModule
+ include Msf::Payload::Adapter::Fetch::HTTP
+ include Msf::Payload::Adapter::Fetch::LinuxOptions
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'HTTP Fetch',
+ 'Description' => 'Fetch and execute a MIPS64 payload from an HTTP server.',
+ 'Author' => ['Brendan Watters', 'Spencer McIntyre'],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_CMD,
+ 'License' => MSF_LICENSE,
+ 'AdaptedArch' => ARCH_MIPS64,
+ 'AdaptedPlatform' => 'linux'
+ )
+ )
+ end
+end
diff --git a/modules/payloads/adapters/cmd/linux/https/mips64.rb b/modules/payloads/adapters/cmd/linux/https/mips64.rb
new file mode 100644
index 000000000000..011e91ceb43c
--- /dev/null
+++ b/modules/payloads/adapters/cmd/linux/https/mips64.rb
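Review bot: The new modules/payloads/adapters/cmd/linux/http/mips64.rb carries no comment explaining why `'Arch' => ARCH_CMD` sits next to `'AdaptedArch' => ARCH_MIPS64`, which is the one non-obvious thing in the file. Going by the first commit's message, a fetch adapter emits a command that retrieves the real payload from a URL, so a line such as `# Arch is the command that is run; AdaptedArch/AdaptedPlatform describe the binary it fetches` above `def initialize` would make that explicit. The same applies to the https and tftp mips64 modules added later in this patch. The three files differ only in one `include` and two strings, which makes copy-paste drift in the metadata easy to miss in review.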
@@ -0,0 +1,25 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+module MetasploitModule
+ include Msf::Payload::Adapter::Fetch::Https
+ include Msf::Payload::Adapter::Fetch::LinuxOptions
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'HTTPS Fetch',
+ 'Description' => 'Fetch and execute an x64 payload from an HTTPS server.',
+ 'Author' => ['Brendan Watters', 'Spencer McIntyre'],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_CMD,
+ 'License' => MSF_LICENSE,
+ 'AdaptedArch' => ARCH_MIPS64,
+ 'AdaptedPlatform' => 'linux'
+ )
+ )
+ end
+end
diff --git a/modules/payloads/adapters/cmd/linux/tftp/mips64.rb b/modules/payloads/adapters/cmd/linux/tftp/mips64.rb
new file mode 100644
index 000000000000..89cdad891021
--- /dev/null
+++ b/modules/payloads/adapters/cmd/linux/tftp/mips64.rb
@@ -0,0 +1,25 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+module MetasploitModule
+ include Msf::Payload::Adapter::Fetch::TFTP
+ include Msf::Payload::Adapter::Fetch::LinuxOptions
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'TFTP Fetch',
+ 'Description' => 'Fetch and execute a MIPS64 payload from a TFTP server.',
+ 'Author' => ['Brendan Watters', 'Spencer McIntyre'],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_CMD,
+ 'License' => MSF_LICENSE,
+ 'AdaptedArch' => ARCH_MIPS64,
+ 'AdaptedPlatform' => 'linux'
+ )
+ )
+ end
+end
From a6f1be8efd1275ec11cc96160b01ea90eb54b8ed Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Fri, 2 Jun 2023 09:07:18 -0400
Subject: [PATCH 3/3] Add new payloads to payloads_spec.rb
---
spec/modules/payloads_spec.rb | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index bae55470ea0c..c86713e49c3c 100644
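Review bot: The `'Description'` in the new https/mips64.rb still says x64 although `'AdaptedArch'` is `ARCH_MIPS64`; it looks carried over from https/x64.rb. It should read `'Description' => 'Fetch and execute a MIPS64 payload from an HTTPS server.',` to match the http and tftp mips64 siblings, otherwise anyone reading or auditing the module metadata is told the wrong target architecture. Separately, this file includes `Fetch::Https` while the siblings include `Fetch::HTTP` and `Fetch::TFTP`; that may be the library's actual constant name, but the definition is not part of this patch, so it is worth confirming before merge.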
--- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb @@ -508,6 +508,30 @@ reference_name: 'bsdi/x86/shell_reverse_tcp' end + context 'cmd/linux/http/mips64' do + it_should_behave_like 'payload is not cached', + ancestor_reference_names: [ + 'adapters/cmd/linux/http/mips64' + ], + reference_name: 'cmd/linux/http/mips64' + end + + context 'cmd/linux/https/mips64' do + it_should_behave_like 'payload is not cached', + ancestor_reference_names: [ + 'adapters/cmd/linux/https/mips64' + ], + reference_name: 'cmd/linux/https/mips64' + end + + context 'cmd/linux/tftp/mips64' do + it_should_behave_like 'payload is not cached', + ancestor_reference_names: [ + 'adapters/cmd/linux/tftp/mips64' + ], + reference_name: 'cmd/linux/tftp/mips64' + end + context 'cmd/linux/http/x64' do it_should_behave_like 'payload is not cached', ancestor_reference_names: [