Use One CMDStagermixin

lib/msf/core/exploit/cmdstager.rb

@@ -19,38 +19,62 @@ module Exploit::CmdStager
   #
   def initialize(info = {})
     super
-    @cmd_list = nil
     @stager_instance = nil
+
+    register_advanced_options(
+      [
+        OptString.new('CMDSTAGER::DECODERSTUB',  [ false, 'The decoder stub to use.', nil]),
+      ], self.class)
   end
 
 
   #
   # Execute the command stager while showing the progress
   #
   def execute_cmdstager(opts = {})
+
+    # Starts select the correct stager
+    unless opts.include?(:flavor)
+      default_flavor = guess_flavor
+      vprint_status("Using default stager: #{default_flavor}")
+      opts[:flavor] = default_flavor
+    end
+
+    unless opts.include?(:decoder)
+      opts[:decoder] = datastore['CMDSTAGER::DECODERSTUB'] || guess_decoder(opts)
+    end
+    # Ends select the correct stager
+
     cmd_list = generate_cmdstager(opts)
 
-    execute_cmdstager_begin(opts)
+    @stager_instance.setup(self)
 
-    sent = 0
-    total_bytes = 0
-    cmd_list.each { |cmd| total_bytes += cmd.length }
+    begin
+      execute_cmdstager_begin(opts)
 
-    delay = opts[:delay]
-    delay ||= 0.25
 
-    cmd_list.each do |cmd|
-      execute_command(cmd, opts)
-      sent += cmd.length
+      sent = 0
+      total_bytes = 0
+      cmd_list.each { |cmd| total_bytes += cmd.length }
 
-      # In cases where a server has multiple threads, we want to be sure that
-      # commands we execute happen in the correct (serial) order.
-      ::IO.select(nil, nil, nil, delay)
+      delay = opts[:delay]
+      delay ||= 0.25
 
-      progress(total_bytes, sent)
-    end
+      cmd_list.each do |cmd|
+        execute_command(cmd, opts)
+        sent += cmd.length
+
+        # In cases where a server has multiple threads, we want to be sure that
+        # commands we execute happen in the correct (serial) order.
+        ::IO.select(nil, nil, nil, delay)
+
+        progress(total_bytes, sent)
+      end
 
-    execute_cmdstager_end(opts)
+      execute_cmdstager_end(opts)
+    ensure
+      @stager_instance.teardown
+    end
   end
 
 
@@ -59,11 +83,18 @@ def execute_cmdstager(opts = {})
   # and operating system.
   #
   def generate_cmdstager(opts = {}, pl = nil)
+
+    # starts Multi task
+    unless opts.include?(:decoder)
+      opts[:decoder] = datastore['CMDSTAGER::DECODERSTUB'] || guess_decoder(opts)
+    end
+    # ends Multi task
+
     pl ||= payload.encoded
 
     @exe = generate_payload_exe
 
-    @stager_instance = create_stager(@exe, opts)
+    @stager_instance = create_stager(opts)
     cmd_list = @stager_instance.generate(opts)
 
     if (cmd_list.nil? or cmd_list.length < 1)
@@ -84,6 +115,57 @@ def progress(total, sent)
     print_status("Command Stager progress - %7s done (%d/%d bytes)" % [percent, sent, total])
   end
 
+  def create_stager(opts)
+    case opts[:flavor]
+    when :bourne
+      return Rex::Exploitation::CmdStagerBourne.new(@exe)
+    when :debug_asm
+      return Rex::Exploitation::CmdStagerDebugAsm.new(@exe)
+    when :debug_write
+      return Rex::Exploitation::CmdStagerDebugWrite.new(@exe)
+    when :echo
+      return Rex::Exploitation::CmdStagerEcho.new(@exe)
+    when :printf
+      return Rex::Exploitation::CmdStagerPrintf.new(@exe)
+    when :vbs, :vbs_adodb
+      return Rex::Exploitation::CmdStagerVBS.new(@exe)
+    when :tftp
+      return Rex::Exploitation::CmdStagerTFTP.new(@exe)
+    end
+  end
+
+  def guess_decoder(opts)
+    case opts[:flavor]
+    when :debug_asm
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")
+    when :debug_write
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")
+    when :vbs
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
+    when :vbs_adodb
+      return File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
+    end
+    return nil
+  end
+
+  def guess_flavor
+    c_platform = nil
+    if target_platform.names.length == 1
+      c_platform = target_platform.names.first
+    end
+    case c_platform
+    when 'linux', 'Linux'
+      return :bourne
+    when 'osx', 'OSX'
+      return :bourne
+    when 'unix', 'Unix'
+      return :bourne
+    when 'win', 'Windows'
+      return :vbs
+    end
+    return nil
+  end
+
   #
   # Methods to override - not used internally
   #

lib/rex/exploitation/cmdstager/base.rb

@@ -172,6 +172,19 @@ def cmd_concat_operator
     nil
   end
 
+  # Should be overriden if the cmd stager needs to setup anything
+  # before it's executed
+  def setup(mod)
+
+  end
+
+  #
+  # Should be overriden if the cmd stager needs to do any clenaup
+  #
+  def teardown
+
+  end
+
 end
 end
 end

lib/rex/exploitation/cmdstager/tftp.rb

@@ -27,7 +27,6 @@ class CmdStagerTFTP < CmdStagerBase
 
   def initialize(exe)
     super
-
     @payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
   end
 
@@ -51,11 +50,23 @@ def compress_commands(cmds, opts)
     super
   end
 
+  def setup_stager(mod)
+    tftp = Rex::Proto::TFTP::Server.new
+    tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
+    tftp.start
+    mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
+  end
+
+  def teardown_stager
+    tftp.stop
+  end
+
   # NOTE: We don't use a concatenation operator here since we only have a couple commands.
   # There really isn't any need to combine them. Also, the ms01_026 exploit depends on
   # the start command being issued separately so that it can ignore it :)
-
+  attr_reader :exe
   attr_reader :payload_exe
+  attr_accessor :tftp
 end
 end
 end

modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb

@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerMulti
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,