Module: Msf::Exploit::EXE

Included in:
CmdStager, PhpEXE
Defined in:
lib/msf/core/exploit/exe.rb


Instance Method Details

#generate_payload_dll(opts = {}) ⇒ Object


# File 'lib/msf/core/exploit/exe.rb', line 102

# Builds a Windows DLL around the payload and returns it.
#
# Two datastore settings short-circuit generation before any option hook
# runs: the mere presence of an 'EXE::Custom' key returns the
# operator-supplied file, and a truthy 'EXE::EICAR' returns the EICAR
# antivirus test string instead of a real payload.
#
# @param opts [Hash] generation options. :code overrides payload.encoded,
#   :arch picks the 64-bit or 32-bit builder. The hash is modified in place
#   (:arch is wrapped in an Array) and is also passed to exe_init_options,
#   the Msf::Util::EXE builder and exe_post_generation.
# @return [Object] whatever the selected Msf::Util::EXE builder returns
def generate_payload_dll(opts = {})
  return get_custom_exe if datastore.include?('EXE::Custom')
  return get_eicar_exe if datastore['EXE::EICAR']

  exe_init_options(opts)

  # NOTE: Only Windows is supported here.
  code = opts[:code] || payload.encoded

  # Wrap a single architecture so the membership tests below see an Array.
  # A missing :arch ends up as [nil] (unless exe_init_options set one, which
  # is not visible here) and therefore selects the 32-bit builder.
  opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of?(Array)
  archs = opts[:arch]

  dll = if archs.include?(ARCH_X64) || archs.include?(ARCH_X86_64)
          Msf::Util::EXE.to_win64pe_dll(framework, code, opts)
        else
          Msf::Util::EXE.to_win32pe_dll(framework, code, opts)
        end

  exe_post_generation(opts)
  dll
end

#generate_payload_exe(opts = {}) ⇒ Object


# File 'lib/msf/core/exploit/exe.rb', line 51

# Builds an executable around the payload for the requested architecture and
# platform and returns it.
#
# Two datastore settings short-circuit generation before any option hook
# runs: the mere presence of an 'EXE::Custom' key returns the
# operator-supplied file, and a truthy 'EXE::EICAR' returns the EICAR
# antivirus test string instead of a real payload.
#
# @param opts [Hash] generation options. :code overrides payload.encoded;
#   :arch and :platform are normalised in place (see below). The hash is
#   also passed to exe_init_options, Msf::Util::EXE.to_executable and
#   exe_post_generation.
# @return [Object] whatever Msf::Util::EXE.to_executable returns
def generate_payload_exe(opts = {})
  return get_custom_exe if datastore.include?('EXE::Custom')
  return get_eicar_exe if datastore['EXE::EICAR']

  exe_init_options(opts)

  code = opts[:code] || payload.encoded

  # Fall back to x86 when no architecture was given (nil/false or empty)
  opts[:arch] = [ARCH_X86] if !opts[:arch] || opts[:arch].length < 1
  # Wrap a single architecture so the generator always receives an Array
  opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of?(Array)

  # Unwrap a PlatformList into its underlying list of platforms
  platform = opts[:platform]
  opts[:platform] = platform.platforms if platform.kind_of?(Msf::Module::PlatformList)

  # tap runs the post-generation hook and still returns the executable
  Msf::Util::EXE.to_executable(framework, opts[:arch], opts[:platform], code, opts).tap do
    exe_post_generation(opts)
  end
end

#generate_payload_exe_service(opts = {}) ⇒ Object


# File 'lib/msf/core/exploit/exe.rb', line 79

# Builds a Windows service executable around the payload and returns it.
#
# Two datastore settings short-circuit generation before any option hook
# runs: the mere presence of an 'EXE::Custom' key returns the
# operator-supplied file, and a truthy 'EXE::EICAR' returns the EICAR
# antivirus test string instead of a real payload.
#
# @param opts [Hash] generation options. :code overrides payload.encoded,
#   :arch picks the 64-bit or 32-bit builder. The hash is modified in place
#   (:arch is wrapped in an Array) and is also passed to exe_init_options,
#   the Msf::Util::EXE builder and exe_post_generation.
# @return [Object] whatever the selected Msf::Util::EXE builder returns
def generate_payload_exe_service(opts = {})
  return get_custom_exe if datastore.include?('EXE::Custom')
  return get_eicar_exe if datastore['EXE::EICAR']

  exe_init_options(opts)

  # NOTE: Only Windows is supported here.
  code = opts[:code] || payload.encoded

  # Wrap a single architecture so the membership test below sees an Array.
  # A missing :arch ends up as [nil] (unless exe_init_options set one, which
  # is not visible here) and therefore selects the 32-bit builder.
  opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of?(Array)

  wants_64bit = [ARCH_X64, ARCH_X86_64].any? { |arch| opts[:arch].include?(arch) }
  service =
    if wants_64bit
      Msf::Util::EXE.to_win64pe_service(framework, code, opts)
    else
      Msf::Util::EXE.to_win32pe_service(framework, code, opts)
    end

  exe_post_generation(opts)
  service
end

#generate_payload_msi(opts = {}) ⇒ Object


# File 'lib/msf/core/exploit/exe.rb', line 125

# Wraps a generated payload executable in an MSI package and returns it.
#
# The presence of an 'MSI::Custom' datastore key returns that
# operator-supplied file unchanged, and a truthy 'MSI::EICAR' returns the
# EICAR antivirus test string; neither path builds an MSI. Otherwise the
# executable comes from generate_payload_exe, which applies its own
# 'EXE::Custom' / 'EXE::EICAR' short-circuits before this method wraps the
# result.
#
# @param opts [Hash] generation options, passed to generate_payload_exe and
#   then extended in place with :msi_template, :msi_template_path and :uac
#   taken from the datastore
# @return [Object] whatever Msf::Util::EXE.to_exe_msi returns
def generate_payload_msi(opts = {})
  if datastore.include?('MSI::Custom')
    return get_custom_exe(datastore['MSI::Custom'])
  end
  return get_eicar_exe if datastore['MSI::EICAR']

  exe = generate_payload_exe(opts)

  # MSI-specific settings come from the datastore and override any values
  # the caller put under the same keys.
  msi_settings = {
    :msi_template => datastore['MSI::Template'],
    :msi_template_path => datastore['MSI::Path'],
    :uac => datastore['MSI::UAC']
  }
  opts.merge!(msi_settings)

  Msf::Util::EXE.to_exe_msi(framework, exe, opts)
end

#get_custom_exe(path = nil) ⇒ Object


# File 'lib/msf/core/exploit/exe.rb', line 41

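# Reads an operator-supplied file from disk and returns its raw bytes in
# place of a generated payload.
#
# Side effects: prints a status line telling the operator that RHOST and
# RPORT will be ignored, and sets datastore['DisablePayloadHandler'] to true.
#
# NOTE(review): the file is returned as-is; nothing here checks that it is
# an executable of the format or architecture the calling module expects.
#
# @param path [String, nil] file to read; defaults to datastore['EXE::Custom']
# @return [String] the file's contents, read in binary mode
# @raise [SystemCallError] if the file cannot be opened or read
def get_custom_exe(path=nil)
  path ||= datastore['EXE::Custom']
  print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
  datastore['DisablePayloadHandler'] = true
  # The block form guarantees the handle is closed even if the read raises,
  # so a failed read cannot leak a file descriptor.
  ::File.open(path, 'rb') { |file| file.read }
end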

#get_eicar_exe ⇒ Object

Avoid stating the EICAR test string directly; we don't want this file to get caught by local antivirus!


# File 'lib/msf/core/exploit/exe.rb', line 36

# Returns the EICAR standard antivirus test string, the harmless marker that
# antivirus products detect by convention, for use in place of a real payload.
#
# The string is assembled from lower-case fragments so that the upper-case
# signature never appears verbatim in this source file; otherwise local
# antivirus would flag the file itself.
#
# @return [String] the fragments upper-cased and joined with "-"
def get_eicar_exe
  fragments = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]
  fragments.map(&:upcase).join("-")
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/exe.rb', line 12

# Registers the advanced datastore options that steer executable and MSI
# generation for modules that include this mixin.
#
# Every option is registered with `false` as its first array element and
# with no default value, so none of them is set unless the operator sets it.
#
# @param info [Hash] module information, forwarded unchanged to super
def initialize(info = {})
  super

  # NOTE: Any new options here should also be dealt with in
  # EncodedPayload#encoded_exe in lib/msf/core/encoded_payload.rb

  # Options read by the EXE/DLL/service generators
  exe_options = [
    OptBool.new('EXE::EICAR', [false, 'Generate an EICAR file instead of regular payload exe']),
    OptPath.new('EXE::Custom', [false, 'Use custom exe instead of automatically generating a payload exe']),
    OptPath.new('EXE::Path', [false, 'The directory in which to look for the executable template']),
    OptPath.new('EXE::Template', [false, 'The executable template file name.']),
    OptBool.new('EXE::Inject', [false, 'Set to preserve the original EXE function']),
    OptBool.new('EXE::OldMethod', [false, 'Set to use the substitution EXE generation method.']),
    OptBool.new('EXE::FallBack', [false, 'Use the default template in case the specified one is missing'])
  ]

  # Options read by the MSI generator
  msi_options = [
    OptBool.new('MSI::EICAR', [false, 'Generate an EICAR file instead of regular payload msi']),
    OptPath.new('MSI::Custom', [false, 'Use custom msi instead of automatically generating a payload msi']),
    OptPath.new('MSI::Path', [false, 'The directory in which to look for the msi template']),
    OptPath.new('MSI::Template', [false, 'The msi template file name']),
    OptBool.new('MSI::UAC', [false, 'Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)'])
  ]

  register_advanced_options(exe_options + msi_options, self.class)
end