CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/lib/msf/core/exploit/exe.rb
Views: 1904
# -*- coding: binary -*-12###3#4# This module exposes a simple method to create an payload in an executable.5#6###78module Msf9module Exploit::EXE1011def initialize(info = {})12super1314# NOTE: Any new options here should also be dealt with in15# EncodedPayload#encoded_exe in lib/msf/core/encoded_payload.rb16register_advanced_options(17[18OptBool.new('EXE::EICAR', [false, 'Generate an EICAR file instead of regular payload exe']),19OptPath.new('EXE::Custom', [false, 'Use custom exe instead of automatically generating a payload exe']),20OptPath.new('EXE::Path', [false, 'The directory in which to look for the executable template']),21OptPath.new('EXE::Template', [false, 'The executable template file name.']),22OptBool.new('EXE::Inject', [false, 'Set to preserve the original EXE function']),23OptBool.new('EXE::OldMethod',[false, 'Set to use the substitution EXE generation method.']),24OptBool.new('EXE::FallBack', [false, 'Use the default template in case the specified one is missing']),25OptBool.new('MSI::EICAR', [false, 'Generate an EICAR file instead of regular payload msi']),26OptPath.new('MSI::Custom', [false, 'Use custom msi instead of automatically generating a payload msi']),27OptPath.new('MSI::Path', [false, 'The directory in which to look for the msi template']),28OptPath.new('MSI::Template', [false, 'The msi template file name']),29OptBool.new('MSI::UAC', [false, 'Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)'])30], self.class)31end3233# Avoid stating the string directly, don't want to get caught by local34# antivirus!35def get_eicar_exe36obfus_eicar = ["x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar", "standard", "antivirus", "test", "file!$h+h*"]37obfus_eicar.join("-").upcase38end3940def get_custom_exe(path = nil)41path ||= datastore['EXE::Custom']42print_status("Using custom payload #{path}, no handler will be created!")43datastore['DisablePayloadHandler'] = true44exe = nil45::File.open(path,'rb') {|f| exe = f.read(f.stat.size)}46exe47end484950# Returns an executable.51#52# @param opts [Hash]53# @option opts [String] :code Payload54# @option opts [Array] :arch Architecture55# @option opts [Msf::Module::PlatformList] :platform56# @raise [Msf::NoCompatiblePayloadError] When #genereate_payload_exe fails to generate a payload.57# @return [String]58def generate_payload_exe(opts = {})59return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?60return get_eicar_exe if datastore['EXE::EICAR']6162exe_init_options(opts)6364pl = opts[:code]65pl ||= payload.encoded6667# Fall back to x86...68opts[:arch] = [ARCH_X86] if !opts[:arch] || opts[:arch].length < 16970# Ensure we have an array71opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array7273# Transform the PlatformList74if opts[:platform].kind_of? Msf::Module::PlatformList75opts[:platform] = opts[:platform].platforms76end7778exe = Msf::Util::EXE.to_executable(framework, opts[:arch], opts[:platform], pl, opts)7980unless exe81raise Msf::NoCompatiblePayloadError, "Failed to generate an executable payload due to an invalid platform or arch."82end8384exe_post_generation(opts)85exe86end8788def generate_payload_exe_service(opts = {})89return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?90return get_eicar_exe if datastore['EXE::EICAR']9192exe_init_options(opts)9394# NOTE: Only Windows is supported here.95pl = opts[:code]96pl ||= payload.encoded9798#Ensure opts[:arch] is an array99opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array100101if opts[:arch] && opts[:arch].index(ARCH_X64)102exe = Msf::Util::EXE.to_win64pe_service(framework, pl, opts)103else104exe = Msf::Util::EXE.to_win32pe_service(framework, pl, opts)105end106107exe_post_generation(opts)108exe109end110111def generate_payload_dll(opts = {})112return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?113return get_eicar_exe if datastore['EXE::EICAR']114115exe_init_options(opts)116plat = opts[:platform]117pl = opts[:code]118pl ||= payload.encoded119120#Ensure opts[:arch] is an array121opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array122123# NOTE: Only x86_64 linux is supported here.124if plat.index(Msf::Module::Platform::Linux)125if opts[:arch] && opts[:arch].index(ARCH_X64)126dll = Msf::Util::EXE.to_linux_x64_elf_dll(framework, pl,opts)127elsif opts[:arch] && opts[:arch].index(ARCH_AARCH64)128dll = Msf::Util::EXE.to_linux_aarch64_elf_dll(framework, pl,opts)129end130elsif plat.index(Msf::Module::Platform::Windows)131if opts[:arch] && opts[:arch].index(ARCH_X64)132dll = Msf::Util::EXE.to_win64pe_dll(framework, pl, opts)133else134dll = Msf::Util::EXE.to_win32pe_dll(framework, pl, opts)135end136end137138exe_post_generation(opts)139dll140end141142def generate_payload_dccw_gdiplus_dll(opts = {})143return get_custom_exe unless datastore['EXE::Custom'].to_s.strip.empty?144return get_eicar_exe if datastore['EXE::EICAR']145146exe_init_options(opts)147plat = opts[:platform]148pl = opts[:code]149150pl ||= payload.encoded151152#Ensure opts[:arch] is an array153opts[:arch] = [opts[:arch]] unless opts[:arch].kind_of? Array154if opts[:arch] && opts[:arch].index(ARCH_X64)155dll = Msf::Util::EXE.to_win64pe_dccw_gdiplus_dll(framework, pl, opts)156else157dll = Msf::Util::EXE.to_win32pe_dccw_gdiplus_dll(framework, pl, opts)158end159160exe_post_generation(opts)161dll162end163164def generate_payload_msi(opts = {})165return get_custom_exe(datastore['MSI::Custom']) unless datastore['MSI::Custom'].to_s.strip.empty?166return get_eicar_exe if datastore['MSI::EICAR']167168exe = generate_payload_exe(opts)169170opts.merge! ({171:msi_template => datastore['MSI::Template'],172:msi_template_path => datastore['MSI::Path'],173:uac => datastore['MSI::UAC']174})175176Msf::Util::EXE.to_exe_msi(framework, exe, opts)177end178179protected180def exe_init_options(opts)181opts.merge!(182{183:template_path => datastore['EXE::Path'],184:template => datastore['EXE::Template'],185:inject => datastore['EXE::Inject'],186:fallback => datastore['EXE::FallBack'],187:sub_method => datastore['EXE::OldMethod']188})189190# NOTE: If code and platform/arch are supplied, we use those values and skip initialization.191#192# This part is kind of tricky so we need to explain the logic behind the following load order.193# First off, platform can be seen from different sources:194#195# 1. From the opts argument. For example: When you are using generate_payload_exe, and you want196# to set a specific platform. This is the most explicit. So we check first.197#198# 2. From the metadata of a payload module. Normally, a payload module should include the platform199# information, with the exception of some generic payloads. For example: generic/shell_reverse_tcp.200# This is the most trusted source.201#202# 3. From the exploit module's target.203#204# 4. From the exploit module's metadata.205#206# Architecture shares the same load order.207208unless opts[:code] && opts[:platform]209if self.respond_to?(:payload_instance) && payload_instance.platform.platforms != [Msf::Module::Platform]210opts[:platform] = payload_instance.platform211elsif self.respond_to? :target_platform212opts[:platform] = target_platform213elsif self.respond_to? :platform214opts[:platform] = platform215end216end217218unless opts[:code] && opts[:arch]219if self.respond_to? :payload_instance220opts[:arch] = payload_instance.arch221elsif self.respond_to? :target_arch222opts[:arch] = target_arch223elsif self.respond_to? :arch224opts[:arch] = arch225end226end227end228229def exe_post_generation(opts)230if opts[:fellback]231print_status("Warning: Falling back to default template: #{opts[:fellback]}")232end233end234235end236end237238239