#!/usr/bin/perl
###############
##
# Name: msfpayload
# Author: H D Moore <hdm [at] metasploit.com>
# Version: $Revision: 3753 $
# Description: Command line interface for generating Metasploit payloads
# License:
#
# This file is part of the Metasploit Exploit Framework
# and is subject to the same licenses and copyrights as
# the rest of this package.
#
##
require 5.6.0;
use strict;
use FindBin qw{$RealBin};
use lib "$RealBin/lib";
use Getopt::Std;
use POSIX;
use Msf::TextUI;
use Pex;
no utf8;
no locale;
Msf::UI::ActiveStateSucks();
Msf::UI::BrokenUTF8();
my $ui = Msf::TextUI->new($RealBin);
my $FRAMEVERSION = $ui->Version;
my $VERSION = '$Revision: 3753 $';
my %opts;
getopts('hv', \%opts);
Version() if($opts{'v'});
$ui->SetTempEnv('_MsfPayload', 1);
$ui->SetTempEnv('DebugLevel', 0);
my $exploits = { };
my $payloads = { };
my $payloadsIndex = $ui->LoadPayloads;
foreach my $key (keys(%{$payloadsIndex})) {
$payloads->{$payloadsIndex->{$key}->SelfEndName} = $payloadsIndex->{$key};
}
$ui->SetTempEnv('_Payloads', $payloadsIndex);
my $sel = shift(@ARGV);
my $p = $payloads->{$sel};
Usage() if($opts{'h'});
Usage() if ! $p;
my $action = uc(pop(@ARGV));
foreach my $opt (@ARGV) {
$ui->SetTempEnv(split('=', $opt));
}
$p->_Load;
$ui->SetTempEnv('_PayloadName', $sel);
$ui->SetTempEnv('_Payload', $p);
if (! $action || $action =~ /^S/)
{
print "\n" . $ui->DumpPayloadSummary($p);
exit(0);
}
Usage() if $action !~ /^(C|P|R|X|J)/;
if ($action =~ /^R/) { print $p->Build; exit; }
if ($p->Multistage) {
print STDERR "Warning: Multistage payloads only return first stage\n";
}
if ($action =~ /^X/) {
my (%pos, %parch);
map { $pos{$_}++ } @{ $p->OS };
map { $parch{$_}++ } @{ $p->Arch };
# Generate a PE image for Windows payloads
if ($pos{'win32'} && $parch{'x86'}) {
ExportWinPE();
}
# Generate a shell script if there is no architecture
if (! scalar(keys(%parch))) {
print "#!/bin/sh\n" . $p->Build;
exit(0);
}
print STDERR "Error: No export format is implemented for this payload\n";
exit(0);
}
# Needs to
if ($action =~ /^J/) {
my $end = 'LE';
my (%pos, %parch);
map { $pos{$_}++ } @{ $p->OS };
map { $parch{$_}++ } @{ $p->Arch };
if (! scalar(keys(%parch)) || $parch{'x86'}) {
$end = 'LE';
} else {
$end = 'BE';
}
my $out = '';
$out .= "// Created by msfpayload, a component of the Metasploit Framework ($FRAMEVERSION)\n";
$out .= "// This variable contains the ".$p->SelfEndName." payload\n";
$out .= "// Options:\n";
$out .= "//\tEndian=".$end."\n";
foreach (keys %{ $ui->GetTempEnv() }) {
next if $_ =~ /^_/;
$out .= "//\t" . $_ ."=". $ui->GetTempEnv($_)."\n";
}
$out .= "var shellcode = unescape('";
$out .= Pex::Utils::JSUnescape($p->Build, $end);
$out .= "');\n";
print STDOUT $out;
exit(0);
}
my $r = $action =~ /^C/ ? Pex::Text::BufferC($p->Build) : Pex::Text::BufferPerl($p->Build);
print $r;
exit(0);
sub Usage
{
print STDERR "\n Usage: $0 <payload> [var=val] <S|C|P|R|X>\n\n";
print STDERR "Payloads: \n";
print STDERR $ui->DumpPayloads(2, $payloads);
print STDERR "\n";
exit(0);
}
sub ExportWinPE {
# Comments are limited to 512 bytes
# Payloads are limited to 8192 bytes
my $bin = $p->Build;
my $com = "Created by msfpayload, a component of the Metasploit Framework ($FRAMEVERSION). ".
"This executable contains the ".$p->SelfEndName." payload, ".
"generated with the following set of options: ";
foreach (keys %{ $ui->GetTempEnv() }) {
next if $_ =~ /^_/;
$com .= $_ ."=". $ui->GetTempEnv($_)." ";
}
print STDOUT Pex::Utils::CreateWin32PE($bin, $com);
exit(0);
}
sub Version {
my $ver = Pex::Utils::Rev2Ver($VERSION);
print STDERR qq{
Framework Version: $FRAMEVERSION
Msfpayload Version: $ver
};
exit(0);
}