metasploit-framework/msfcli

#!/usr/bin/env ruby
# -*- coding: binary -*-
#
# $Id$
#
# This user interface allows users to interact with the framework through a
# command line interface (CLI) rather than having to use a prompting console
# or web-based interface.
#
# $Revision$
#

msfbase = __FILE__
while File.symlink?(msfbase)
	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end

$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'rex'

Indent = '   '

# Payload naming style is kind of inconsistent, so instead of
# finding the exact path name, we provide the most educated guess based
# on platform/stage type/session type/payload name suffix/etc.
def guess_payload_name(p)
	matches       = []
	payload       = p.split('/')
	platform      = payload[0]
	suffix        = payload[-1]
	stage_types   = ['singles', 'stagers', 'stages']
	session_types = ['meterpreter', 'shell']
	arch          = ''

	# Rule out some possibilities
	if p =~ /meterpreter/
		session_types.delete('shell')
		stage_types.delete('singles')
	end
	if p =~ /shell\/.+$/
		session_types.delete('meterpreter')
		stage_types.delete('singles')
	end

	if p =~ /x64/
		arch = 'x64'
	elsif p =~ /x86/
		arch = 'x86'
	end

	# Determine if the payload is staged. If it is, then
	# we need to load that staged module too.
	if session_types.include?('shell') and stage_types.include?('stages')
		if arch == 'x64'
			matches << /stages\/#{platform}\/x64\/shell/
		elsif arch == 'x86'
			matches << /stages\/#{platform}\/x86\/shell/
		else
			matches << /stages\/#{platform}\/shell/
		end
	elsif session_types.include?('meterpreter') and stage_types.include?('stages')
		if arch == 'x64'
			matches << /stages\/#{platform}\/x64\/meterpreter/
		elsif arch == 'x86'
			matches << /stages\/#{platform}\/x86\/meterpreter/
		else
			matches << /stages\/#{platform}\/meterpreter/
		end
	end

	# Guess the second possible match
	stage_types   *= "|"
	session_types *= "|"

	if arch == 'x64'
		matches << /payloads\/(#{stage_types})\/#{platform}\/x64\/.*(#{suffix})\.rb$/
	elsif arch == 'x86'
		matches << /payloads\/(#{stage_types})\/#{platform}\/x86\/.*(#{suffix})\.rb$/
	else
		matches << /payloads\/(#{stage_types})\/#{platform}\/.*(#{suffix})\.rb$/
	end

	matches
end

def guess_encoder_name(e)
	[/#{e}/]
end

def guess_nop_name(n)
	[/#{n}/]
end

def usage (str = nil, extra = nil)
	tbl = Rex::Ui::Text::Table.new(
		'Header'  => "Usage: #{$0} <exploit_name> <option=value> [mode]",
		'Indent'  => 4,
		'Columns' => ['Mode', 'Description']
	)

	tbl << ['(H)elp', "You're looking at it baby!"]
	tbl << ['(S)ummary', 'Show information about this module']
	tbl << ['(O)ptions', 'Show available options for this module']
	tbl << ['(A)dvanced', 'Show available advanced options for this module']
	tbl << ['(I)DS Evasion', 'Show available ids evasion options for this module']
	tbl << ['(P)ayloads', 'Show available payloads for this module']
	tbl << ['(T)argets', 'Show available targets for this exploit module']
	tbl << ['(AC)tions', 'Show available actions for this auxiliary module']
	tbl << ['(C)heck', 'Run the check routine of the selected module']
	tbl << ['(E)xecute', 'Execute the selected module']

	$stdout.puts "Error: #{str}\n\n" if str
	$stdout.puts tbl.to_s + "\n"
	$stdout.puts extra + "\n" if extra

	exit
end

# Handle the help option before loading modules
exploit_name = ARGV.shift
exploit      = nil
module_class = "exploit"

if(exploit_name == "-h")
	usage()
else
	$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
	require 'fastlib'
	require 'msfenv'
	require 'msf/ui'
	require 'msf/base'
end

if (not exploit_name)
	# This is what happens if the user doesn't specify a module name:
	# msfcli will end up loading EVERYTHING to memory to show you a help
	# menu plus a list of modules available. Really expensive if you ask me.
	$stderr.puts "[*] Please wait while we load the module tree..."
	$framework = Msf::Simple::Framework.create
	ext = ''

	tbl = Rex::Ui::Text::Table.new(
		'Header'  => 'Exploits',
		'Indent'  => 4,
		'Columns' => [ 'Name', 'Description' ])

	$framework.exploits.each_module { |name, mod|
		tbl << [  'exploit/' + name, mod.new.name ]
	}
	ext << tbl.to_s + "\n"

	tbl = Rex::Ui::Text::Table.new(
		'Header'  => 'Auxiliary',
		'Indent'  => 4,
		'Columns' => [ 'Name', 'Description' ])

	$framework.auxiliary.each_module { |name, mod|
		tbl << [ 'auxiliary/' + name, mod.new.name ]
	}

	ext << tbl.to_s + "\n"

	usage(nil, ext)
end


# Process special var/val pairs...
Msf::Ui::Common.process_cli_arguments($framework, ARGV)

# Add modules like exploit/aux, encoders, nops we want to load to the list
whitelist = []
whitelist << /#{exploit_name}/     # Add exploit
whitelist << /x86\/single_byte/    # Add default NOP module
whitelist << /x86\/shikata_ga_nai/ # Add default encoder
whitelist << /generic\/none/       # Add another default encoder
ARGV.each { |args|
	var, val = args.split('=', 2)
	next if var.nil? or val.nil?
	whitelist.concat(guess_payload_name(val)) if var =~ /payload/
	whitelist.concat(guess_encoder_name(val)) if var =~ /encoder/
	whitelist.concat(guess_nops_name(val))    if var =~ /nops/
}

$stderr.puts "[*] Initializing modules..."
$framework = Msf::Simple::Framework.create({'DeferModuleLoads'=>true})
$framework.init_module_paths({:whitelist=>whitelist})
if ($framework.modules.module_load_error_by_path.length > 0)
	print("Warning: The following modules could not be loaded!\n\n")

	$framework.modules.module_load_error_by_path.each do |path, error|
		print("\t#{path}: #{error}\n\n")
	end
end

# Determine what type of module it is
case exploit_name
when /exploit\/(.*)/
	exploit = $framework.exploits.create($1)
	module_class = 'exploit'

when /auxiliary\/(.*)/
	exploit = $framework.auxiliary.create($1)
	module_class = 'auxiliary'

else
	exploit = $framework.exploits.create(exploit_name)
	if exploit == nil
		# Try falling back on aux modules
		exploit = $framework.auxiliary.create(exploit_name)
		module_class = 'auxiliary'
	end

end


if (exploit == nil)
	usage("Invalid module: #{exploit_name}")
end

exploit.init_ui(
	Rex::Ui::Text::Input::Stdio.new,
	Rex::Ui::Text::Output::Stdio.new
)

# Evalulate the command (default to "help")
mode = ARGV.pop || 'h'

# Import options
begin
	exploit.datastore.import_options_from_s(ARGV.join('_|_'), '_|_')
rescue Rex::ArgumentParseError => e
	puts "[!] Error: #{e.message}\n\n"
	exit
end

# Initialize associated modules
payload = nil
encoder = nil
nop     = nil

if (exploit.datastore['PAYLOAD'])
	payload = $framework.payloads.create(exploit.datastore['PAYLOAD'])
	if (payload != nil)
		payload.datastore.import_options_from_s(ARGV.join('_|_'), '_|_')
	end
end

if (exploit.datastore['ENCODER'])
	encoder = $framework.encoders.create(exploit.datastore['ENCODER'])
	if (encoder != nil)
		encoder.datastore.import_options_from_s(ARGV.join('_|_'), '_|_')
	end
end

if (exploit.datastore['NOP'])
	nop = $framework.nops.create(exploit.datastore['NOP'])
	if (nop != nil)
		nop.datastore.import_options_from_s(ARGV.join('_|_'), '_|_')
	end
end



case mode.downcase
	when 'h'
		usage
	when "s"
		$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_module(exploit, Indent))
		$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_module(payload, Indent)) if payload
		$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_module(encoder, Indent)) if encoder
		$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_module(nop, Indent)) if nop
	when "o"
		$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_options(exploit, Indent))
		$stdout.puts("\nPayload:\n\n" + Msf::Serializer::ReadableText.dump_options(payload, Indent)) if payload
		$stdout.puts("\nEncoder:\n\n" + Msf::Serializer::ReadableText.dump_options(encoder, Indent)) if encoder
		$stdout.puts("\nNOP\n\n" + Msf::Serializer::ReadableText.dump_options(nop, Indent)) if nop
	when "a"
		$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_advanced_options(exploit, Indent))
		$stdout.puts("\nPayload:\n\n" + Msf::Serializer::ReadableText.dump_advanced_options(payload, Indent)) if payload
		$stdout.puts("\nEncoder:\n\n" + Msf::Serializer::ReadableText.dump_advanced_options(encoder, Indent)) if encoder
		$stdout.puts("\nNOP:\n\n" + Msf::Serializer::ReadableText.dump_advanced_options(nop, Indent)) if nop
	when "i"
		$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_evasion_options(exploit, Indent))
		$stdout.puts("\nPayload:\n\n" + Msf::Serializer::ReadableText.dump_evasion_options(payload, Indent)) if payload
		$stdout.puts("\nEncoder:\n\n" + Msf::Serializer::ReadableText.dump_evasion_options(encoder, Indent)) if encoder
		$stdout.puts("\nNOP:\n\n" + Msf::Serializer::ReadableText.dump_evasion_options(nop, Indent)) if nop
	when "p"
		if (module_class == 'exploit')
			$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_compatible_payloads(exploit, Indent, "Compatible payloads"))
		else
			$stdout.puts("\nError: This type of module does not support payloads")
		end
	when "t"
		if (module_class == 'exploit')
			$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_exploit_targets(exploit, Indent))
		else
			$stdout.puts("\nError: This type of module does not support targets")
		end
	when "ac"
		if (module_class == 'auxiliary')
			$stdout.puts("\n" + Msf::Serializer::ReadableText.dump_auxiliary_actions(exploit, Indent))
		else
			$stdout.puts("\nError: This type of module does not support actions")
		end
	when "c"
		if (module_class == 'exploit')
			begin
				if (code = exploit.check_simple(
					'LocalInput'    => Rex::Ui::Text::Input::Stdio.new,
					'LocalOutput'   => Rex::Ui::Text::Output::Stdio.new))
					stat = (code == Msf::Exploit::CheckCode::Vulnerable) ? '[+]' : '[*]'

					$stdout.puts("#{stat} #{code[1]}")
				else
					$stderr.puts("Check failed: The state could not be determined.")
				end
			rescue
				$stderr.puts("Check failed: #{$!}")
			end
		else
			$stdout.puts("\nError: This type of module does not support the check feature")
		end
	when "e"
			con = Msf::Ui::Console::Driver.new(
				Msf::Ui::Console::Driver::DefaultPrompt,
				Msf::Ui::Console::Driver::DefaultPromptChar,
				{
					'Framework' => $framework,
					# When I use msfcli, chances are I want speed, so ASCII art fanciness
					# probably isn't much of a big deal for me.
					'DisableBanner' => true
				}
			)
			con.run_single("use #{module_class}/#{exploit.refname}")

			ARGV.each do |arg|
				k,v = arg.split("=", 2)
				con.run_single("set #{k} #{v}")
			end

			con.run_single("exploit")

			# If we have sessions or jobs, keep running
			if $framework.sessions.length > 0 or $framework.jobs.length > 0
				con.run
			else
				con.run_single("quit")
			end

	else
		usage("Invalid mode #{mode}")
end

$stdout.puts