Fixes #1379

2024-11-22 09:36:35 +03:00 · 2015-08-31 14:27:47 +02:00 · 2015-08-31 14:27:47 +02:00 · 265a78b455
commit 265a78b455
parent d70215ad6c
4 changed files with 26 additions and 9 deletions
--- a/extra/cloak/cloak.py
+++ b/extra/cloak/cloak.py
@ -24,18 +24,20 @@ def hideAscii(data):

    return retVal

-def cloak(inputFile):
-    f = open(inputFile, 'rb')
-    data = zlib.compress(f.read())
-    f.close()
+def cloak(inputFile=None, data=None):
+    if data is None:
+        with open(inputFile, "rb") as f:
+            data = f.read()

-    return hideAscii(data)
+    return hideAscii(zlib.compress(data))

-def decloak(inputFile):
-    f = open(inputFile, 'rb')
+def decloak(inputFile=None, data=None):
+    if data is None:
+        with open(inputFile, "rb") as f:
+            data = f.read()
    try:
-        data = zlib.decompress(hideAscii(f.read()))
-    except:
+        data = zlib.decompress(hideAscii(data))
+    except Exception:
        print 'ERROR: the provided input file \'%s\' does not contain valid cloaked content' % inputFile
        sys.exit(1)
    finally:
--- a/extra/shellcodeexec/windows/shellcodeexec.x32.exe_
+++ b/extra/shellcodeexec/windows/shellcodeexec.x32.exe_
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -443,6 +443,9 @@ BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"
 # Payload used for checking of existence of IDS/WAF (dummier the better)
 IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd"

+# Data inside shellcodeexec to be filled with random string
+SHELLCODEEXEC_RANDOM_STRING_MARKER = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+
 # Vectors used for provoking specific WAF/IDS/IPS behavior(s)
 WAF_ATTACK_VECTORS = (
                        "",  # NIL
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@ -8,10 +8,13 @@ See the file 'doc/COPYING' for copying permission
 import os
 import re
 import sys
+import tempfile
 import time

 from subprocess import PIPE

+from extra.cloak.cloak import cloak
+from extra.cloak.cloak import decloak
 from lib.core.common import dataToStdout
 from lib.core.common import Backend
 from lib.core.common import getLocalIP
@ -34,6 +37,7 @@ from lib.core.exception import SqlmapFilePathException
 from lib.core.exception import SqlmapGenericException
 from lib.core.settings import IS_WIN
 from lib.core.settings import METASPLOIT_SESSION_TIMEOUT
+from lib.core.settings import SHELLCODEEXEC_RANDOM_STRING_MARKER
 from lib.core.settings import UNICODE_ENCODING
 from lib.core.subprocessng import blockingReadFromFD
 from lib.core.subprocessng import blockingWriteToFD
@ -640,6 +644,14 @@ class Metasploit:

        if Backend.isOs(OS.WINDOWS):
            self.shellcodeexecLocal = os.path.join(self.shellcodeexecLocal, "windows", "shellcodeexec.x%s.exe_" % "32")
+            content = decloak(self.shellcodeexecLocal)
+            if SHELLCODEEXEC_RANDOM_STRING_MARKER in content:
+                content = content.replace(SHELLCODEEXEC_RANDOM_STRING_MARKER, randomStr(len(SHELLCODEEXEC_RANDOM_STRING_MARKER)))
+                _ = cloak(data=content)
+                handle, self.shellcodeexecLocal = tempfile.mkstemp(suffix="%s.exe_" % "32")
+                os.close(handle)
+                with open(self.shellcodeexecLocal, "w+b") as f:
+                    f.write(_)
        else:
            self.shellcodeexecLocal = os.path.join(self.shellcodeexecLocal, "linux", "shellcodeexec.x%s_" % Backend.getArch())