Land rapid7#8346, Templatize shims for external modules

Author: acammack-r7

lib/msf/core/module/external.rb

@@ -0,0 +1,23 @@
+module Msf::Module::External
+  def wait_status(mod)
+    while mod.running
+      m = mod.get_status
+      if m
+        case m['level']
+        when 'error'
+          print_error m['message']
+        when 'warning'
+          print_warning m['message']
+        when 'good'
+          print_good m['message']
+        when 'info'
+          print_status m['message']
+        when 'debug'
+          vprint_status m['message']
+        else
+          print_status m['message']
+        end
+      end
+    end
+  end
+end

lib/msf/core/modules/external/shim.rb

@@ -7,95 +7,53 @@ def self.generate(module_path)
     mod = Msf::Modules::External::Bridge.open(module_path)
     return '' unless mod.meta
     case mod.meta['type']
-    when 'remote_exploit.cmd_stager.wget'
+    when 'remote_exploit_cmd_stager'
       remote_exploit_cmd_stager(mod)
     end
   end
 
-  def self.remote_exploit_cmd_stager(mod)
-    %Q|
-require 'msf/core/modules/external/bridge'
-
-class MetasploitModule < Msf::Exploit::Remote
-  Rank = ExcellentRanking
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => #{mod.meta['name'].dump},
-      'Description' => #{mod.meta['description'].dump},
-      'Author'      =>
-        [
-          #{mod.meta['authors'].map(&:dump).join(', ')}
-        ],
-      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          #{mod.meta['references'].map do |r|
-              "[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
-            end.join(', ')}
-        ],
-      'DisclosureDate' => #{mod.meta['date'].dump},
-      'Privileged'     => #{mod.meta['privileged'].inspect},
-      'Platform'       => [#{mod.meta['targets'].map{|t| t['platform'].dump}.uniq.join(', ')}],
-      'Payload'        =>
-        {
-          'DisableNops' => true
-        },
-      'Targets'        =>
-        [
-          #{mod.meta['targets'].map do |t|
-            %Q^[#{t['platform'].dump} + ' ' + #{t['arch'].dump},
-                 {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]^
-            end.join(', ')}
-        ],
-      'DefaultTarget'   => 0,
-      'DefaultOptions' => { 'WfsDelay' => 5 }
-      ))
-
-      register_options([
-        #{mod.meta['options'].map do |n, o|
-            "Opt#{o['type'].capitalize}.new(#{n.dump},
-              [#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}])"
-          end.join(', ')}
-      ], self.class)
+  def self.render_template(name, meta = {})
+    template = File.join(File.dirname(__FILE__), 'templates', name)
+    ERB.new(File.read(template)).result(binding)
   end
 
-  def execute_command(cmd, opts)
-    mod = Msf::Modules::External::Bridge.open(#{mod.path.dump})
-    mod.run(datastore.merge(command: cmd))
-    wait_status(mod)
-    true
+  def self.common_metadata(meta = {})
+    render_template('common_metadata.erb', meta)
   end
 
-  def exploit
-    print_status("Exploiting...")
-    execute_cmdstager({:flavor  => :wget})
+  def self.mod_meta_common(mod, meta = {})
+    meta[:path]        = mod.path.dump
+    meta[:name]        = mod.meta['name'].dump
+    meta[:description] = mod.meta['description'].dump
+    meta[:authors]     = mod.meta['authors'].map(&:dump).join(",\n          ")
+    meta[:date]        = mod.meta['date'].dump
+    meta[:references]  = mod.meta['references'].map do |r|
+      "[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
+    end.join(",\n          ")
+
+    meta[:options]     = mod.meta['options'].map do |n, o|
+      "Opt#{o['type'].capitalize}.new(#{n.dump},
+        [#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}])"
+    end.join(",\n          ")
+    meta
   end
 
-  def wait_status(mod)
-    while mod.running
-      m = mod.get_status
-      if m
-        case m['level']
-        when 'error'
-          print_error m['message']
-        when 'warning'
-          print_warning m['message']
-        when 'good'
-          print_good m['message']
-        when 'info'
-          print_status m['message']
-        when 'debug'
-          vprint_status m['message']
-        else
-          print_status m['message']
-        end
-      end
-    end
+  def self.mod_meta_exploit(mod, meta = {})
+    meta[:wfsdelay]    = mod.meta['wfsdelay'] || 5
+    meta[:privileged]  = mod.meta['privileged'].inspect
+    meta[:platform]    = mod.meta['targets'].map do |t|
+      t['platform'].dump
+    end.uniq.join(",\n          ")
+    meta[:targets]     = mod.meta['targets'].map do |t|
+      "[#{t['platform'].dump} + ' ' + #{t['arch'].dump}, {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]"
+    end.join(",\n          ")
+    meta
   end
-end
-    |
+
+  def self.remote_exploit_cmd_stager(mod)
+    meta = mod_meta_common(mod)
+    meta = mod_meta_exploit(mod, meta)
+    meta[:command_stager_flavor] = mod.meta['payload']['command_stager_flavor'].dump
+    render_template('remote_exploit_cmd_stager.erb', meta)
   end
 end

lib/msf/core/modules/external/templates/common_metadata.erb

@@ -0,0 +1,7 @@
+      'Name'        => <%= meta[:name] %>,
+      'Description' => <%= meta[:description] %>,
+      'Author'      =>
+        [
+          <%= meta[:authors] %>
+        ],
+      'License'     => MSF_LICENSE,

lib/msf/core/modules/external/templates/remote_exploit_cmd_stager.erb

@@ -0,0 +1,48 @@
+require 'msf/core/modules/external/bridge'
+require 'msf/core/module/external'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Module::External
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+	  <%= common_metadata meta %>
+      'References'  =>
+        [
+          <%= meta[:references] %>
+        ],
+      'DisclosureDate' => <%= meta[:date] %>,
+      'Privileged'     => <%= meta[:privileged] %>,
+      'Platform'       => [<%= meta[:platform] %>],
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          <%= meta[:targets] %>
+        ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => { 'WfsDelay' => <%= meta[:wfsdelay] %> }
+      ))
+
+      register_options([
+        <%= meta[:options] %>
+      ])
+  end
+
+  def execute_command(cmd, opts)
+    mod = Msf::Modules::External::Bridge.open(<%= meta[:path] %>)
+    mod.run(datastore.merge(command: cmd))
+    wait_status(mod)
+    true
+  end
+
+  def exploit
+    print_status("Exploiting...")
+    execute_cmdstager({:flavor  => :<%= meta[:command_stager_flavor] %>})
+  end
+end

modules/exploits/linux/smtp/haraka.py

@@ -34,12 +34,16 @@
         {'type': 'edb', 'ref': '41162'},
         {'type': 'url', 'ref': 'https://github.com/haraka/Haraka/pull/1606'},
      ],
-    'type': 'remote_exploit.cmd_stager.wget',
+    'type': 'remote_exploit_cmd_stager',
+    'wfsdelay': 5,
     'privileged': True,
     'targets': [
         {'platform': 'linux', 'arch': 'x64'},
         {'platform': 'linux', 'arch': 'x86'}
     ],
+    'payload': {
+        'command_stager_flavor': 'wget'
+    },
     'options': {
         'email_to': {'type': 'string', 'description': 'Email to send to, must be accepted by the server', 'required': True, 'default': 'admin@localhost'},
         'email_from': {'type': 'string', 'description': 'Address to send from', 'required': True, 'default': '[email protected]'},