diff --git a/lib/core/option.py b/lib/core/option.py
index 2eba19026..db7cb8c44 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -766,8 +766,14 @@ def _setMetasploit():
 if conf.msfPath:
 for path in (conf.msfPath, os.path.join(conf.msfPath, "bin")):
- if all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("", "msfcli", "msfconsole", "msfencode", "msfpayload")):
+ if all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("", "msfcli", "msfconsole")):
 msfEnvPathExists = True
+ if all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("msfvenom",)):
+ kb.msfVenom = True
+ elif all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("msfencode", "msfpayload")):
+ kb.msfVenom = False
+ else:
+ msfEnvPathExists = False
 conf.msfPath = path
 break
@@ -798,15 +804,23 @@ def _setMetasploit():
 for envPath in envPaths:
 envPath = envPath.replace(";", "")
- if all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("", "msfcli", "msfconsole", "msfencode", "msfpayload")):
- infoMsg = "Metasploit Framework has been found "
- infoMsg += "installed in the '%s' path" % envPath
- logger.info(infoMsg)
-
+ if all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("", "msfcli", "msfconsole")):
 msfEnvPathExists = True
- conf.msfPath = envPath
+ if all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("msfvenom",)):
+ kb.msfVenom = True
+ elif all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("msfencode", "msfpayload")):
+ kb.msfVenom = False
+ else:
+ msfEnvPathExists = False
- break
+ if msfEnvPathExists:
+ infoMsg = "Metasploit Framework has been found "
+ infoMsg += "installed in the '%s' path" % envPath
+ logger.info(infoMsg)
+
+ conf.msfPath = envPath
+
+ break
 if not msfEnvPathExists:
 errMsg = "unable to locate Metasploit Framework installation. "
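Review bot: In the conf.msfPath branch the new `else: msfEnvPathExists = False` does not stop the fall-through into the context lines `conf.msfPath = path` and `break`, so a directory that has msfcli/msfconsole but neither msfvenom nor the msfencode/msfpayload pair ends the loop without ever trying the `bin` subdirectory and still overwrites conf.msfPath. The second hunk (@@ -798) guards the same assignment with `if msfEnvPathExists:`; do the same here, `if msfEnvPathExists:` wrapping `conf.msfPath = path` and `break`. The three-way probe is otherwise duplicated verbatim between the two hunks, so a small helper such as `_probeMsfDir(path)` returning the venom flag (or None when neither toolchain is present) would keep them from drifting apart, and `all(... for _ in ("msfvenom",))` is a one-element `all` that reads better as a direct `os.path.exists(normalizePath(os.path.join(path, "msfvenom")))`. _setMetasploit starts before this hunk and continues past it.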
@@ -1794,6 +1808,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
 kb.matchRatio = None
 kb.maxConnectionsFlag = False
 kb.mergeCookies = None
+ kb.msfVenom = False
 kb.multiThreadMode = False
 kb.negativeLogic = False
 kb.nullConnection = None
diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py
index 4f7b43887..14364c77d 100644
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -24,6 +24,7 @@ from lib.core.common import randomRange
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.data import conf
+from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.enums import DBMS
@@ -63,6 +64,7 @@ class Metasploit:
 self._msfCli = normalizePath(os.path.join(conf.msfPath, "msfcli"))
 self._msfEncode = normalizePath(os.path.join(conf.msfPath, "msfencode"))
 self._msfPayload = normalizePath(os.path.join(conf.msfPath, "msfpayload"))
+ self._msfVenom = normalizePath(os.path.join(conf.msfPath, "msfvenom"))
 if IS_WIN:
 _ = conf.msfPath
@@ -78,6 +80,7 @@ class Metasploit:
 self._msfCli = "%s & ruby %s" % (_, self._msfCli)
 self._msfEncode = "ruby %s" % self._msfEncode
 self._msfPayload = "%s & ruby %s" % (_, self._msfPayload)
+ self._msfVenom = "%s & ruby %s" % (_, self._msfVenom)
 self._msfPayloadsList = {
 "windows": {
@@ -361,7 +364,11 @@ class Metasploit:
 self._cliCmd += " E"
 def _forgeMsfPayloadCmd(self, exitfunc, format, outFile, extra=None):
- self._payloadCmd = "%s %s" % (self._msfPayload, self.payloadConnStr)
+ if kb.msfVenom:
+ self._payloadCmd = "%s -p" % self._msfVenom
+ else:
+ self._payloadCmd = self._msfPayload
+ self._payloadCmd += " %s" % self.payloadConnStr
 self._payloadCmd += " EXITFUNC=%s" % exitfunc
 self._payloadCmd += " LPORT=%s" % self.portStr
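Review bot: `_forgeMsfPayloadCmd` now emits one of two toolchain commands selected by the global `kb.msfVenom`, but nothing in the method says where that flag comes from or why the two shapes differ, so add a docstring along the lines of `"""Build the msfvenom (or, when only the legacy tools were found, msfpayload) command line that writes the payload to outFile; kb.msfVenom is set by _setMetasploit() from the binaries found next to msfconsole."""`. The split `"%s -p" % self._msfVenom` followed by `" %s" % self.payloadConnStr` could also be a single format per branch, mirroring the removed line, e.g. `self._payloadCmd = "%s -p %s" % (self._msfVenom, self.payloadConnStr)`. The method body continues past this hunk into the next one.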
@@ -373,13 +380,22 @@ class Metasploit:
 if Backend.isOs(OS.LINUX) and conf.privEsc:
 self._payloadCmd += " PrependChrootBreak=true PrependSetuid=true"
- if extra == "BufferRegister=EAX":
- self._payloadCmd += " R | %s -a x86 -e %s -o \"%s\" -t %s" % (self._msfEncode, self.encoderStr, outFile, format)
+ if kb.msfVenom:
+ if extra == "BufferRegister=EAX":
+ self._payloadCmd += " -a x86 -e %s -f %s > \"%s\"" % (self.encoderStr, format, outFile)
- if extra is not None:
- self._payloadCmd += " %s" % extra
+ if extra is not None:
+ self._payloadCmd += " %s" % extra
+ else:
+ self._payloadCmd += " -f exe > \"%s\"" % outFile
 else:
- self._payloadCmd += " X > \"%s\"" % outFile
+ if extra == "BufferRegister=EAX":
+ self._payloadCmd += " R | %s -a x86 -e %s -o \"%s\" -t %s" % (self._msfEncode, self.encoderStr, outFile, format)
+
+ if extra is not None:
+ self._payloadCmd += " %s" % extra
+ else:
+ self._payloadCmd += " X > \"%s\"" % outFile
 def _runMsfCliSmbrelay(self):
 self._forgeMsfCliCmdForSmbrelay()
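Review bot: In the msfvenom branch the nested `if extra is not None:` appears to sit inside the `extra == "BufferRegister=EAX"` block (the hunk's line counts and the old code's shape both point that way), so it is always true there, and the option is appended after the `> "outFile"` redirection, producing `... -f fmt > "out" BufferRegister=EAX`; shells accept a redirection mid-command, but the datastore option reads as if it were a second output and is easy to break in a later edit. Emit it before the redirect and drop the inner check: `self._payloadCmd += " %s -a x86 -e %s -f %s > \"%s\"" % (extra, self.encoderStr, format, outFile)`. The legacy branch keeps the old trailing form, where the option lands on the msfencode side of the pipe, so a one-line comment such as `# var=val options placed after the pipe are read by msfencode, not msfpayload` would make the asymmetry deliberate. A non-None `extra` other than `BufferRegister=EAX` leaves both branches without any `-f`/redirect, so nothing reaches outFile; presumably no caller passes such a value today, but the signature advertises it. _forgeMsfPayloadCmd begins in the previous hunk.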