Module: Msf::Util::EXE::ClassMethods

Included in:
Msf::Util::EXE
Defined in:
lib/msf/util/exe.rb

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.generate_nops(framework, arch, len, opts = {}) ⇒ Object 



335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
 
# File 'lib/msf/util/exe.rb', line 335

def self.generate_nops(framework, arch, len, opts = {})
  opts['BadChars'] ||= ''
  opts['SaveRegisters'] ||= [ 'esp', 'ebp', 'esi', 'edi' ]

  return nil unless framework.nops

  framework.nops.each_module_ranked('Arch' => arch) do |name, _mod|
    nop = framework.nops.create(name)
    raw = nop.generate_sled(len, opts)
    return raw if raw
  rescue StandardError
    # @TODO: stop rescuing everying on each of these, be selective
  end
  nil
end

Instance Method Details

#encode_stub(framework, arch, code, platform = nil, badchars = '') ⇒ Object

encode_stub

Parameters:

  • framework (Msf::Framework)
  • arch (String)
  • code (String)
  • platform (String) (defaults to: nil)
  • badchars (String) (defaults to: '') 


323
324
325
326
327
328
329
330
331
332
333
 
# File 'lib/msf/util/exe.rb', line 323

def encode_stub(framework, arch, code, platform = nil, badchars = '')
  return code unless framework.encoders

  framework.encoders.each_module_ranked('Arch' => arch) do |name, _mod|
    enc = framework.encoders.create(name)
    raw = enc.encode(code, badchars, nil, platform)
    return raw if raw
  rescue StandardError
  end
  nil
end

#to_executable(framework, arch, plat, code = '', fmt = '', opts = {}) ⇒ Object

to_executable

Parameters:

  • framework (Msf::Framework)
  • arch (String)
  • plat (String)
  • code (String) (defaults to: '')
  • fmt (String) (defaults to: '')
  • opts (Hash) (defaults to: {}) 


60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
 
# File 'lib/msf/util/exe.rb', line 60

def to_executable(framework, arch, plat, code = '', fmt='', opts = {})
  # This code handles mettle stageless when LinuxMinKernel is 2.4+ because the code will be a elf or macho.
  if elf?(code) || macho?(code)
    return code
  end

  if fmt.empty?
    fmt = 'exe' if plat.index(Msf::Module::Platform::Windows)
    fmt = 'macho' if plat.index(Msf::Module::Platform::OSX)
    fmt = 'elf' if plat.index(Msf::Module::Platform::Linux) || plat.index(Msf::Module::Platform::BSD) || plat.index(Msf::Module::Platform::Solaris)
  end

  return to_executable_linux(framework, arch, code, fmt, opts)    if plat.index(Msf::Module::Platform::Linux)
  return to_executable_osx(framework, arch, code, fmt, opts)      if plat.index(Msf::Module::Platform::OSX)
  return to_executable_solaris(framework, arch, code, fmt, opts)  if plat.index(Msf::Module::Platform::Solaris)
  return to_executable_windows(framework, arch, code, fmt, opts)  if plat.index(Msf::Module::Platform::Windows)
  return to_executable_bsd(framework, arch, code, fmt, opts)      if plat.index(Msf::Module::Platform::BSD)

  nil
end

#to_executable_fmt(framework, arch, plat, code, fmt, exeopts) ⇒ String?

Generate an executable of a given format suitable for running on the architecture/platform pair.

This routine is shared between msfvenom, rpc, and payload modules (use <payload>)

constants

Parameters:

  • framework (Framework)
  • arch (String)

    Architecture for the target format; one of the ARCH_*

  • plat (#index)

    platform

  • code (String)

    The shellcode for the resulting executable to run

  • fmt (String)

    One of the executable formats as defined in #to_executable_fmt_formats

  • exeopts (Hash)

    Passed directly to the appropriate method for generating an executable for the given arch/plat pair.

Returns:

  • (String)

    An executable appropriate for the given architecture/platform pair.

  • (nil)

    If the format is unrecognized or the arch and plat don't make sense together.



102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
 
# File 'lib/msf/util/exe.rb', line 102

def to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
  # For backwards compatibility with the way this gets called when
  # generating from Msf::Simple::Payload.generate_simple
  if arch.is_a? Array
    output = nil
    arch.each do |a|
      output = to_executable_fmt(framework, a, plat, code, fmt, exeopts)
      break if output
    end
    return output
  end

  # otherwise the result of this huge case statement is returned
  case fmt
  when 'asp'
    exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
    Msf::Util::EXE.to_exe_asp(exe, exeopts)
  when 'aspx'
    Msf::Util::EXE.to_mem_aspx(framework, code, exeopts)
  when 'aspx-exe'
    exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
    Msf::Util::EXE.to_exe_aspx(exe, exeopts)
  when 'dll'
    case arch
    when ARCH_X86, nil
      to_win32pe_dll(framework, code, exeopts)
    when ARCH_X64
      to_win64pe_dll(framework, code, exeopts)
    end
  when 'exe'
    case arch
    when ARCH_X86, nil
      to_win32pe(framework, code, exeopts)
    when ARCH_X64
      to_win64pe(framework, code, exeopts)
    end
  when 'exe-service'
    case arch
    when ARCH_X86, nil
      to_win32pe_service(framework, code, exeopts)
    when ARCH_X64
      to_win64pe_service(framework, code, exeopts)
    end
  when 'exe-small'
    case arch
    when ARCH_X86, nil
      to_win32pe_old(framework, code, exeopts)
    when ARCH_X64
      to_win64pe(framework, code, exeopts)
    end
  when 'exe-only'
    case arch
    when ARCH_X86, nil
      to_winpe_only(framework, code, exeopts)
    when ARCH_X64
      to_winpe_only(framework, code, exeopts, arch)
    end
  when 'msi'
    case arch
    when ARCH_X86, nil
      exe = to_win32pe(framework, code, exeopts)
    when ARCH_X64
      exe = to_win64pe(framework, code, exeopts)
    end
    exeopts[:uac] = true
    Msf::Util::EXE.to_exe_msi(framework, exe, exeopts)
  when 'msi-nouac'
    case arch
    when ARCH_X86, nil
      exe = to_win32pe(framework, code, exeopts)
    when ARCH_X64
      exe = to_win64pe(framework, code, exeopts)
    end
    Msf::Util::EXE.to_exe_msi(framework, exe, exeopts)
  when 'elf'
    if elf? code
      return code
    end

    if !plat || plat.index(Msf::Module::Platform::Linux)
      case arch
      when ARCH_X86, nil
        to_linux_x86_elf(framework, code, exeopts)
      when ARCH_X64
        to_linux_x64_elf(framework, code, exeopts)
      when ARCH_AARCH64
        to_linux_aarch64_elf(framework, code, exeopts)
      when ARCH_ARMLE
        to_linux_armle_elf(framework, code, exeopts)
      when ARCH_ARMBE
        to_linux_armbe_elf(framework, code, exeopts)
      when ARCH_MIPSBE
        to_linux_mipsbe_elf(framework, code, exeopts)
      when ARCH_MIPSLE
        to_linux_mipsle_elf(framework, code, exeopts)
      when ARCH_MIPS64
        to_linux_mips64_elf(framework, code, exeopts)
      when ARCH_RISCV32LE
        to_linux_riscv32le_elf(framework, code, exeopts)
      when ARCH_RISCV64LE
        to_linux_riscv64le_elf(framework, code, exeopts)
      when ARCH_PPC64LE
        to_linux_ppc64le_elf(framework, code, exeopts)
      when ARCH_PPC
        to_linux_ppc_elf(framework, code, exeopts)
      when ARCH_PPCE500V2
        to_linux_ppce500v2_elf(framework, code, exeopts)
      when ARCH_ZARCH
        to_linux_zarch_elf(framework, code, exeopts)
      when ARCH_LOONGARCH64
        to_linux_loongarch64_elf(framework, code, exeopts)
      end
    elsif plat && plat.index(Msf::Module::Platform::BSD)
      case arch
      when ARCH_X86, nil
        Msf::Util::EXE.to_bsd_x86_elf(framework, code, exeopts)
      when ARCH_X64
        Msf::Util::EXE.to_bsd_x64_elf(framework, code, exeopts)
      end
    elsif plat && plat.index(Msf::Module::Platform::Solaris)
      case arch
      when ARCH_X86, nil
        to_solaris_x86_elf(framework, code, exeopts)
      end
    end
  when 'elf-so'
    if elf? code
      return code
    end

    if !plat || plat.index(Msf::Module::Platform::Linux)
      case arch
      when ARCH_X86
        to_linux_x86_elf_dll(framework, code, exeopts)
      when ARCH_X64
        to_linux_x64_elf_dll(framework, code, exeopts)
      when ARCH_ARMLE
        to_linux_armle_elf_dll(framework, code, exeopts)
      when ARCH_AARCH64
        to_linux_aarch64_elf_dll(framework, code, exeopts)
      when ARCH_RISCV32LE
        to_linux_riscv32le_elf_dll(framework, code, exeopts)
      when ARCH_RISCV64LE
        to_linux_riscv64le_elf_dll(framework, code, exeopts)
      when ARCH_LOONGARCH64
        to_linux_loongarch64_elf_dll(framework, code, exeopts)
      end
    end
  when 'macho', 'osx-app'
    if macho? code
      macho = code
    else
      macho = case arch
              when ARCH_X86, nil
                to_osx_x86_macho(framework, code, exeopts)
              when ARCH_X64
                to_osx_x64_macho(framework, code, exeopts)
              when ARCH_ARMLE
                to_osx_arm_macho(framework, code, exeopts)
              when ARCH_PPC
                to_osx_ppc_macho(framework, code, exeopts)
              when ARCH_AARCH64
                to_osx_aarch64_macho(framework, code, exeopts)
              end
    end
    fmt == 'osx-app' ? Msf::Util::EXE.to_osx_app(macho) : macho
  when 'vba'
    Msf::Util::EXE.to_vba(framework, code, exeopts)
  when 'vba-exe'
    exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
    Msf::Util::EXE.to_exe_vba(exe)
  when 'vba-psh'
    Msf::Util::EXE.to_powershell_vba(framework, arch, code)
  when 'vbs'
    exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
    Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ persist: false }))
  when 'loop-vbs'
    exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
    Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ persist: true }))
  when 'jsp'
    arch ||= [ ARCH_X86 ]
    tmp_plat = plat.platforms if plat
    tmp_plat ||= Msf::Module::PlatformList.transform('win')
    tmp_fmt = 'elf'
    tmp_fmt = 'exe' if tmp_plat.index(Msf::Module::Platform::Windows)
    tmp_fmt = 'macho' if tmp_plat.index(Msf::Module::Platform::OSX)
    exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, tmp_fmt, exeopts)
    Msf::Util::EXE.to_jsp(exe)
  when 'war'
    arch ||= [ ARCH_X86 ]
    tmp_plat = plat.platforms if plat
    tmp_plat ||= Msf::Module::PlatformList.transform('win')
    tmp_fmt = 'elf'
    tmp_fmt = 'exe' if tmp_plat.index(Msf::Module::Platform::Windows)
    tmp_fmt = 'macho' if tmp_plat.index(Msf::Module::Platform::OSX)
    exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, tmp_fmt, exeopts)
    Msf::Util::EXE.to_jsp_war(exe)
  when 'psh'
    Msf::Util::EXE.to_win32pe_psh(framework, code, exeopts)
  when 'psh-net'
    Msf::Util::EXE.to_win32pe_psh_net(framework, code, exeopts)
  when 'psh-reflection'
    Msf::Util::EXE.to_win32pe_psh_reflection(framework, code, exeopts)
  when 'psh-cmd'
    Msf::Util::EXE.to_powershell_command(framework, arch, code)
  when 'hta-psh'
    Msf::Util::EXE.to_powershell_hta(framework, arch, code)
  when 'python-reflection'
    Msf::Util::EXE.to_python_reflection(framework, arch, code, exeopts)
  when 'ducky-script-psh'
    Msf::Util::EXE.to_powershell_ducky_script(framework, arch, code)
  end
end

#to_executable_fmt_formatsArray

FMT Formats self.to_executable_fmt_formats

Returns:

  • (Array)

    Returns an array of strings



357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
 
# File 'lib/msf/util/exe.rb', line 357

def to_executable_fmt_formats
  [
    'asp',
    'aspx',
    'aspx-exe',
    'axis2',
    'dll',
    'ducky-script-psh',
    'elf',
    'elf-so',
    'exe',
    'exe-only',
    'exe-service',
    'exe-small',
    'hta-psh',
    'jar',
    'jsp',
    'loop-vbs',
    'macho',
    'msi',
    'msi-nouac',
    'osx-app',
    'psh',
    'psh-cmd',
    'psh-net',
    'psh-reflection',
    'python-reflection',
    'vba',
    'vba-exe',
    'vba-psh',
    'vbs',
    'war'
  ]
end