Add support for auto-exec commands in bind_php and reverse_tcp payloads

rastating · rastating · commit cdd6cbe3d77c · 2017-02-05T14:02:08.000Z
diff --git a/lib/wpxf/core/payload.rb b/lib/wpxf/core/payload.rb
@@ -16,6 +16,8 @@ def initialize
           default: true
         )
       ])
+
+      self.queued_commands = []
     end
 
     # @return an encoded version of the payload.
@@ -74,12 +76,14 @@ def post_exploit(mod)
 
     # Cleanup any allocated resource to the payload.
     def cleanup
+      nil
     end
 
     # Run checks to raise warnings to the user of any issues or noteworthy
     # points in regards to the payload being used with the current module.
     # @param mod [Module] the module using the payload.
     def check(mod)
+      nil
     end
 
     # @return [Hash] a hash of constants that should be injected at the
@@ -104,9 +108,19 @@ def php_preamble
       preamble
     end
 
+    # Enqueue a command to be executed on the target system, if the
+    # payload supports queued commands.
+    # @param cmd [String] the command to execute when the payload is executed.
+    def enqueue_command(cmd)
+      queued_commands.push(cmd)
+    end
+
     # @return the payload in its raw format.
     attr_accessor :raw
 
+    # @return [Array] the commands queued to be executed on the target.
+    attr_accessor :queued_commands
+
     private
 
     def raw_payload_with_random_var_names
diff --git a/payloads/bind_php.rb b/payloads/bind_php.rb
@@ -57,7 +57,6 @@ def post_exploit(mod)
 
       Wpxf.change_stdout_sync(true) do
         mod.emit_success 'Established a session'
-        puts
         start_socket_io_loop(socket, mod)
         socket.close
         puts
@@ -84,6 +83,10 @@ def raw
       "#{DataFile.new('php', 'bind_php.php').php_content}"
     end
 
+    def cleanup
+      self.queued_commands = []
+    end
+
     attr_accessor :host
   end
 end
diff --git a/payloads/reverse_tcp.rb b/payloads/reverse_tcp.rb
@@ -94,10 +94,8 @@ def client_connected(socket, event_emitter)
       Wpxf.change_stdout_sync(true) do
         port, ip = Socket.unpack_sockaddr_in(socket.getpeername)
         event_emitter.emit_success "Connection established from #{ip}:#{port}"
-        puts
 
         start_socket_io_loop(socket, event_emitter)
-
         socket.close
         @server.close
         puts
@@ -136,6 +134,7 @@ def post_exploit(mod)
     end
 
     def cleanup
+      self.queued_commands = []
       @network_thread.exit if @network_thread
       @server.close if @server && !@server.closed?
     end
diff --git a/payloads/socket_helper.rb b/payloads/socket_helper.rb
@@ -2,6 +2,7 @@
 module Wpxf::Payloads::SocketHelper
   def start_socket_io_loop(socket, event_emitter)
     read_thread = Thread.new { start_socket_read_loop(socket) }
+    execute_queued_commands(socket, event_emitter)
     start_socket_write_loop(socket, read_thread)
   rescue SignalException
     puts
@@ -11,6 +12,15 @@ def start_socket_io_loop(socket, event_emitter)
     event_emitter.emit_error "Error encountered: #{e}"
   end
 
+  def execute_queued_commands(socket, event_emitter)
+    queued_commands.each do |cmd|
+      socket.puts cmd
+      event_emitter.emit_success "Executed: #{cmd}"
+    end
+
+    puts
+  end
+
   def start_socket_write_loop(socket, read_thread)
     loop do
       input = STDIN.gets
