metasploit-framework/tools/exploit/egghunter.rb

157 lines
5.2 KiB
Ruby
Raw Normal View History

2015-03-21 04:48:13 +00:00
#!/usr/bin/env ruby
2015-03-20 19:15:14 +00:00
msfbase = __FILE__
while File.symlink?(msfbase)
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end
2015-10-06 15:30:52 +00:00
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
Update egghunter.rb msfenv requirements On Stock Kali 2.0 (after apt-get upgrade), the following command errors ./egghunter.rb --list-formats. Adding the require 'msfenv' to the file alleviates the issue. root@kali:/usr/share/metasploit-framework/tools/exploit# ./egghunter.rb --list-formats /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- rkelly (LoadError) from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/rex/proto/http/response.rb:5:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/rex/proto/http.rb:4:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/rex/proto.rb:2:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/rex.rb:79:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/msf/core.rb:17:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/msf/base.rb:17:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from ./egghunter.rb:9:in `<main>'
2016-01-04 22:21:21 +00:00
require 'msfenv'
2015-03-20 19:15:14 +00:00
require 'msf/core'
2015-03-20 21:15:43 +00:00
require 'msf/base'
Update egghunter.rb msfenv requirements On Stock Kali 2.0 (after apt-get upgrade), the following command errors ./egghunter.rb --list-formats. Adding the require 'msfenv' to the file alleviates the issue. root@kali:/usr/share/metasploit-framework/tools/exploit# ./egghunter.rb --list-formats /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- rkelly (LoadError) from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/rex/proto/http/response.rb:5:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/rex/proto/http.rb:4:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/rex/proto.rb:2:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/rex.rb:79:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/msf/core.rb:17:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/share/metasploit-framework/lib/msf/base.rb:17:in `<top (required)>' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require' from ./egghunter.rb:9:in `<main>'
2016-01-04 22:21:21 +00:00
require 'rex'
2015-03-20 19:15:14 +00:00
require 'optparse'
module Egghunter
2015-03-20 21:15:43 +00:00
class OptsConsole
def self.parse(args)
options = {}
parser = OptionParser.new do |opt|
2015-03-21 01:55:30 +00:00
opt.banner = "Usage: #{__FILE__} [options]\nExample: #{__FILE__} -f python -e W00T"
2015-03-20 21:15:43 +00:00
opt.separator ''
opt.separator 'Specific options:'
2015-03-20 19:15:14 +00:00
2015-03-20 21:15:43 +00:00
opt.on('-f', '--format <String>', "See --list-formats for a list of supported output formats") do |v|
options[:format] = v
end
opt.on('-b', '--badchars <String>', "(Optional) Bad characters to avoid for the egg") do |v|
options[:badchars] = v
end
2015-03-20 21:30:29 +00:00
opt.on('-e', '--egg <String>', "The egg (Please give 4 bytes)") do |v|
2015-03-20 21:15:43 +00:00
options[:eggtag] = v
end
opt.on('-p', '--platform <String>', "(Optional) Platform") do |v|
options[:platform] = v
end
2015-03-20 21:30:29 +00:00
opt.on('--startreg <String>', "(Optional) The starting register") do |v|
2015-03-20 21:34:58 +00:00
# Do not change this key. This should matching the one in Rex::Exploitation::Egghunter
2015-03-20 21:30:29 +00:00
options[:startreg] = v
end
opt.on('--forward', "(Optional) To search forward") do |v|
2015-03-20 21:34:58 +00:00
# Do not change this key. This should matching the one in Rex::Exploitation::Egghunter
2015-03-21 17:14:00 +00:00
options[:searchforward] = true
2015-03-20 21:30:29 +00:00
end
opt.on('--depreg <String>', "(Optional) The DEP register") do |v|
2015-03-20 21:34:58 +00:00
# Do not change this key. This should matching the one in Rex::Exploitation::Egghunter
2015-03-20 21:30:29 +00:00
options[:depreg] = v
end
opt.on('--depdest <String>', "(Optional) The DEP destination") do |v|
2015-03-20 21:34:58 +00:00
# Do not change this key. This should matching the one in Rex::Exploitation::Egghunter
2015-03-20 21:30:29 +00:00
options[:depdest] = v
end
opt.on('--depsize <Integer>', "(Optional) The DEP size") do |v|
2015-03-20 21:34:58 +00:00
# Do not change this key. This should matching the one in Rex::Exploitation::Egghunter
2015-03-20 21:30:29 +00:00
options[:depsize] = v
end
opt.on('--depmethod <String>', "(Optional) The DEP method to use (virtualprotect/virtualalloc/copy/copy_size)") do |v|
2015-03-20 21:34:58 +00:00
# Do not change this key. This should matching the one in Rex::Exploitation::Egghunter
2015-03-20 21:30:29 +00:00
options[:depmethod] = v
end
2015-03-20 21:15:43 +00:00
opt.on('-a', '--arch <String>', "(Optional) Architecture") do |v|
2015-03-20 21:37:42 +00:00
# Although this is an option, this is currently useless because we don't have x64 egghunters
2015-03-20 21:15:43 +00:00
options[:arch] = v
end
opt.on('--list-formats', "List all supported output formats") do
options[:list_formats] = true
end
2015-03-21 17:18:02 +00:00
opt.on('-v', '--var-name <name>', String, '(Optional) Specify a custom variable name to use for certain output formats') do |v|
options[:var_name] = v
end
2015-03-20 21:15:43 +00:00
opt.on_tail('-h', '--help', 'Show this message') do
$stdout.puts opt
exit
end
end
parser.parse!(args)
if options.empty?
raise OptionParser::MissingArgument, 'No options set, try -h for usage'
elsif options[:format].blank? && !options[:list_formats]
raise OptionParser::MissingArgument, '-f is required'
2015-03-20 21:33:19 +00:00
elsif options[:eggtag].blank? && !options[:list_formats]
raise OptionParser::MissingArgument, '-e is required'
2015-03-20 21:15:43 +00:00
elsif options[:format] && !::Msf::Simple::Buffer.transform_formats.include?(options[:format])
raise OptionParser::InvalidOption, "#{options[:format]} is not a valid format"
2015-03-21 01:53:04 +00:00
elsif options[:depsize] && options[:depsize] !~ /^\d+$/
raise OptionParser::InvalidOption, "--depsize must be a Integer"
2015-03-20 21:15:43 +00:00
end
2015-03-21 17:14:00 +00:00
options[:badchars] = '' unless options[:badchars]
options[:platform] = 'windows' unless options[:platform]
options[:arch] = ARCH_X86 unless options[:arch]
2015-03-21 17:20:29 +00:00
options[:var_name] = 'buf' unless options[:var_name]
2015-03-21 17:14:00 +00:00
2015-03-20 21:15:43 +00:00
options
end
end
class Driver
def initialize
begin
@opts = OptsConsole.parse(ARGV)
rescue OptionParser::ParseError => e
$stderr.puts "[x] #{e.message}"
exit
end
2015-03-20 19:15:14 +00:00
end
def run
2015-03-20 21:15:43 +00:00
# list_formats should check first
if @opts[:list_formats]
list_formats
return
end
egghunter = Rex::Exploitation::Egghunter.new(@opts[:platform], @opts[:arch])
raw_code = egghunter.hunter_stub('', @opts[:badchars], @opts)
output_stream = $stdout
output_stream.binmode
2015-03-21 17:18:02 +00:00
output_stream.write ::Msf::Simple::Buffer.transform(raw_code, @opts[:format], @opts[:var_name])
2015-03-21 18:49:50 +00:00
$stderr.puts
2015-03-20 21:15:43 +00:00
end
private
def list_formats
$stderr.puts "[*] Supported output formats:"
$stderr.puts ::Msf::Simple::Buffer.transform_formats.join(", ")
2015-03-20 19:15:14 +00:00
end
end
end
if __FILE__ == $PROGRAM_NAME
driver = Egghunter::Driver.new
begin
driver.run
2015-03-20 21:15:43 +00:00
rescue ::Exception => e
elog("#{e.class}: #{e.message}\n#{e.backtrace * "\n"}")
$stderr.puts "[x] #{e.class}: #{e.message}"
$stderr.puts "[*] If necessary, please refer to framework.log for more details."
2015-03-20 19:15:14 +00:00
end
2015-03-24 05:19:27 +00:00
end