From f25e3ebaaf54e9be9eb04497b5acc15b2aef19e1 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 5 Dec 2014 11:19:58 -0600
Subject: [PATCH 1/2] Fix #4246 - More undef 'payload_exe' in other modules
Root cause: payload_exe is an accessor in the TFPT command stager mixin, you need stager_instance in order to retreive that info.
---
 modules/exploits/windows/iis/msadc.rb | 4 ++--
 modules/exploits/windows/misc/altiris_ds_sqli.rb | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb
index 359c24fdf7..3325f9e5f8 100644
--- a/modules/exploits/windows/iis/msadc.rb
+++ b/modules/exploits/windows/iis/msadc.rb
@@ -332,12 +332,12 @@ class Metasploit3 < Msf::Exploit::Remote
 # Save these file names for later deletion
 @exe_cmd_copy = exe_fname
- @exe_payload = payload_exe
+ @exe_payload = stager_instance.payload_exe
 # Just for good measure, we'll make a quick, direct request for the payload
 # Using the "start" method doesn't seem to make iis very happy :(
 print_status("Triggering the payload via a direct request...")
- res = send_request_raw({ 'uri' => '/scripts/' + payload_exe, 'method' => 'GET' }, 1)
+ res = send_request_raw({ 'uri' => '/scripts/' + stager_instance.payload_exe, 'method' => 'GET' }, 1)
 end
 handler
diff --git a/modules/exploits/windows/misc/altiris_ds_sqli.rb b/modules/exploits/windows/misc/altiris_ds_sqli.rb
index 1bff0c4af0..78668cff09 100644
--- a/modules/exploits/windows/misc/altiris_ds_sqli.rb
+++ b/modules/exploits/windows/misc/altiris_ds_sqli.rb
@@ -163,7 +163,7 @@ Processor-Speed=#{processor_speed}
 end
 def on_new_session(client)
- return if not payload_exe
+ return if not stager_instance.payload_exe
 #can't scrub dropped payload while the process is still active so...
 #iterate through process list, find our process and the associated
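Review bot: In the msadc.rb hunk the direct request looks the payload name up a second time, although the line just above already stored it in `@exe_payload` for later deletion, so the recorded name and the requested name only agree because two separate calls happen to return the same thing. Building the URI from the saved value, `'uri' => '/scripts/' + @exe_payload`, keeps a single source of truth. Neither line handles `stager_instance` being nil or `payload_exe` being unset, in which case the string concatenation would presumably raise before `handler` is reached. Whether that can happen depends on the stager mixin, which is not visible here, and the enclosing method starts outside this hunk.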
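Review bot: The guard at the top of `on_new_session` in altiris_ds_sqli.rb now dereferences `stager_instance` without checking it, so if no stager object was set the method raises NoMethodError instead of returning early as the guard is meant to. `return unless stager_instance && stager_instance.payload_exe` covers both cases. The same call is repeated in the `print_error` and `win_file` hunks further down the file; reading it once into a local right after the guard, `exe_name = stager_instance.payload_exe`, would keep the three uses consistent. Whether `stager_instance` can actually be nil at this point depends on the mixin, which is not shown, and the body of `on_new_session` continues past this hunk.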
@@ -174,7 +174,7 @@ Processor-Speed=#{processor_speed}
 #SeeRM#8365 https://http://dev.metasploit.com/redmine/issues/8365
 unless client.type == "meterpreter"
- print_error("Automatic cleanup only available with meterpreter, please delete #{payload_exe} manually")
+ print_error("Automatic cleanup only available with meterpreter, please delete #{stager_instance.payload_exe} manually")
 return
 end
@@ -191,7 +191,7 @@ Processor-Speed=#{processor_speed}
 end
 win_temp = client.sys.config.getenv('TEMP')
- win_file = "#{win_temp}\\#{payload_exe}"
+ win_file = "#{win_temp}\\#{stager_instance.payload_exe}"
 print_status("Attempting to delete #{win_file} ...")
 client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
 client.fs.file.rm(win_file)
From 7ae786a53bcda4e82b84df370abf5a8b6e3894b8 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 5 Dec 2014 11:26:26 -0600
Subject: [PATCH 2/2] Add a comment as an excuse to tag the issue
Fix #4246 ... so it will automatically close the ticket.
---
 modules/exploits/windows/iis/msadc.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb
index 3325f9e5f8..de5f2e17b7 100644
--- a/modules/exploits/windows/iis/msadc.rb
+++ b/modules/exploits/windows/iis/msadc.rb
@@ -332,7 +332,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # Save these file names for later deletion
 @exe_cmd_copy = exe_fname
- @exe_payload = stager_instance.payload_exe
+ @exe_payload = stager_instance.payload_exe # Grab this info from CmdStagerTFTP
 # Just for good measure, we'll make a quick, direct request for the payload
 # Using the "start" method doesn't seem to make iis very happy :(
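Review bot: In the `@@ -191,7` hunk `win_file` is built from the remote TEMP value and then interpolated unquoted into `attrib.exe -r #{win_file}` two lines below, so a TEMP path containing a space would be split into two arguments and the attribute change would fail without the operator being told. Quoting the path in the command, `%Q|attrib.exe -r "#{win_file}"|`, avoids that. `getenv('TEMP')` returning nil is also unhandled and would produce a path that starts with a bare backslash; a short comment or an early `print_error` for that case would make a failed cleanup visible, in the same way the non-meterpreter branch above already asks for manual deletion. The rest of `on_new_session` lies outside this hunk, so any error handling further down is not visible.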