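module Msf
module Ui
module Console
module CommandDispatcher

###
#
# Exploit module command dispatcher.
#
# Supplies the console commands that drive the currently selected exploit
# module: check, exploit, reload, and the reload-then-run variants.
#
###
class Exploit

  include Msf::Ui::Console::ModuleCommandDispatcher

  #
  # Switches accepted by 'exploit' and 'rexploit'.  The boolean in each
  # entry says whether the switch takes an argument.
  #
  @@exploit_opts = Rex::Parser::Arguments.new(
    "-e" => [ true, "The payload encoder to use. If none is specified, ENCODER is used." ],
    "-f" => [ false, "Force the exploit to run regardless of the value of MinimumRank." ],
    "-h" => [ false, "Help banner." ],
    "-j" => [ false, "Run in the context of a job." ],
    "-n" => [ true, "The NOP generator to use. If none is specified, NOP is used." ],
    "-o" => [ true, "A comma separated list of options in VAR=VAL format." ],
    "-p" => [ true, "The payload to use. If none is specified, PAYLOAD is used." ],
    "-t" => [ true, "The target index to use. If none is specified, TARGET is used." ],
    "-z" => [ false, "Do not interact with the session after successful exploitation." ])

  #
  # Payloads tried, best first, when no PAYLOAD has been set.  Frozen so
  # the shared list cannot be altered by a caller.
  #
  PREFERRED_PAYLOADS = [
    'windows/meterpreter/reverse_tcp',
    'java/meterpreter/reverse_tcp',
    'php/meterpreter/reverse_tcp',
    'php/meterpreter_reverse_tcp',
    'cmd/unix/interact',
    'cmd/unix/reverse',
    'cmd/unix/reverse_perl',
    'cmd/unix/reverse_netcat',
    'windows/meterpreter/reverse_nonx_tcp',
    'windows/meterpreter/reverse_ord_tcp',
    'windows/shell/reverse_tcp',
    'generic/shell_reverse_tcp'
  ].freeze

  #
  # Returns the hash of exploit module specific commands, merged on top of
  # the generic module commands supplied by the superclass.
  #
  def commands
    super.update({
      "check"    => "Check to see if a target is vulnerable",
      "exploit"  => "Launch an exploit attempt",
      "rcheck"   => "Reloads the module and checks if the target is vulnerable",
      "rexploit" => "Reloads the module and launches an exploit attempt",
      "reload"   => "Just reloads the module"
    })
  end

  #
  # Returns the name of the command dispatcher.
  #
  def name
    "Exploit"
  end

  #
  # Checks to see if a target is vulnerable.
  #
  # The command arguments are accepted for signature compatibility but are
  # not consulted; the check runs purely from the module's datastore.
  #
  def cmd_check(*args)
    # Presumably refuses to proceed when the console runs defanged; defined
    # in the included dispatcher mixin -- confirm there.
    defanged?

    begin
      code = mod.check_simple(
        'LocalInput'  => driver.input,
        'LocalOutput' => driver.output)

      # A well-formed result is a [ code, description ] pair; anything else
      # (nil, a bare symbol, a one-element array) is reported as unknown.
      if code && code.kind_of?(Array) && code.length > 1
        if code == Msf::Exploit::CheckCode::Vulnerable
          print_good(code[1])
        else
          print_status(code[1])
        end
      else
        print_error("Check failed: The state could not be determined.")
      end
    rescue ::Interrupt
      # Ctrl-C must keep propagating so the console can abort the command.
      raise
    rescue ::Exception => e
      # Deliberately broad: a module may fail in arbitrary ways and the
      # console must survive all of them.  Interrupt was re-raised above.
      print_exploit_exception("Exploit check failed", e)
    end
  end

  #
  # Launches an exploitation attempt.
  #
  # @param args [Array<String>] switches as described by @@exploit_opts.
  #   Values not given on the command line fall back to the module's
  #   datastore (PAYLOAD, ENCODER, TARGET, NOP).
  # @return [false] when help was requested, nil otherwise.
  #
  def cmd_exploit(*args)
    # Presumably refuses to proceed when the console runs defanged; defined
    # in the included dispatcher mixin -- confirm there.
    defanged?

    opt_str = nil
    payload = mod.datastore['PAYLOAD']
    encoder = mod.datastore['ENCODER']
    target  = mod.datastore['TARGET']
    nop     = mod.datastore['NOP']
    bg      = false
    jobify  = false
    force   = false

    # Always run passive exploits in the background
    jobify = true if mod.passive?

    @@exploit_opts.parse(args) { |opt, idx, val|
      case opt
      when '-e' then encoder = val
      when '-f' then force = true
      when '-j' then jobify = true
      when '-n' then nop = val
      when '-o' then opt_str = val
      when '-p' then payload = val
      when '-t' then target = val.to_i # a non-numeric index silently becomes 0
      when '-z' then bg = true
      when '-h'
        cmd_exploit_help
        # 'return' inside this block leaves cmd_exploit itself, not just
        # the parse callback.
        return false
      end
    }

    # MinimumRank is the operator's safety rail against unstable modules;
    # only '-f' bypasses it, and the bypass is logged.
    return unless minimum_rank_satisfied?(force)

    payload = exploit_choose_payload(mod, target) unless payload

    begin
      session = mod.exploit_simple(
        'Encoder'     => encoder,
        'Payload'     => payload,
        'Target'      => target,
        'Nop'         => nop,
        'OptionStr'   => opt_str,
        'LocalInput'  => driver.input,
        'LocalOutput' => driver.output,
        'RunAsJob'    => jobify)
    rescue ::Interrupt
      # Ctrl-C must keep propagating so the console can abort the command.
      raise
    rescue ::Exception => e
      # Deliberately broad, see cmd_check.  'session' stays nil on failure.
      print_exploit_exception("Exploit exception (#{mod.refname})", e)
    end

    report_exploit_outcome(session, bg, jobify)
  end

  #
  # Prints the usage banner for the exploit command.
  #
  def cmd_exploit_help
    print_line "Usage: exploit [options]"
    print_line
    print_line "Launches an exploitation attempt."
    print @@exploit_opts.usage
  end

  #
  # Reloads an exploit module and checks the target to see if it's
  # vulnerable.
  #
  def cmd_rcheck(*args)
    reload
    cmd_check(*args)
  end

  #
  # Reloads an exploit module and launches an exploit.
  #
  def cmd_rexploit(*args)
    return cmd_rexploit_help if args.include? "-h"

    # Stop existing job and reload the module; delegate to the exploit
    # command unless the reload failed.
    cmd_exploit(*args) if reload(true)
  end

  #
  # Prints the usage banner for the rexploit command.
  #
  def cmd_rexploit_help
    print_line "Usage: rexploit [options]"
    print_line
    print_line "Reloads a module, stopping any associated job, and launches an exploitation attempt."
    print @@exploit_opts.usage
  end

  #
  # Picks a reasonable payload and minimally configures it.
  #
  # Walks PREFERRED_PAYLOADS and selects the first one the module reports
  # as compatible, writing PAYLOAD and LHOST into the module datastore.
  #
  # @param mod the exploit module to configure.
  # @param target unused; kept for callers that pass it.
  # @return [String, nil] the chosen payload refname, or nil when none of
  #   the preferred payloads is compatible (the datastore is then untouched).
  #
  def exploit_choose_payload(mod, target)
    # Choose either the real target or an invalid address
    # This is used to determine the LHOST value
    rhost = mod.datastore['RHOST'] || '50.50.50.50'

    pset = mod.compatible_payloads.map { |x| x[0] }
    choice = PREFERRED_PAYLOADS.find { |n| pset.include?(n) }
    return unless choice

    mod.datastore['PAYLOAD'] = choice
    # LHOST becomes the local address that routes toward rhost; with the
    # placeholder above that is presumably the default-route interface.
    mod.datastore['LHOST'] = Rex::Socket.source_address(rhost)
    choice
  end

  private

  #
  # Reports an exception raised while running or checking a module.
  #
  # @param label [String] text printed before the exception class/message.
  # @param e [Exception] the exception that was caught.
  #
  def print_exploit_exception(label, e)
    print_error("#{label}: #{e.class} #{e}")

    # Option validation failures are user input errors; a backtrace would
    # only add noise.  Compared by class name as the original code did, so
    # subclasses still get their backtrace.
    return if e.class.to_s == 'Msf::OptionValidateError'

    print_error("Call stack:")
    e.backtrace.each do |line|
      # Frames at or below the Simple mixin are framework plumbing rather
      # than the module's own code, so stop there.
      break if line =~ /lib.msf.base.simple/
      print_error(" #{line}")
    end
  end

  #
  # Decides whether the current module may run under the MinimumRank
  # setting, printing the reason when it may not.
  #
  # @param force [Boolean] true when '-f' was given.
  # @return [Boolean] true when the exploit may proceed.
  #
  def minimum_rank_satisfied?(force)
    # An unknown MinimumRank name maps to 0, i.e. no restriction.
    minrank = RankingName.invert[framework.datastore['MinimumRank']] || 0
    return true unless minrank > mod.rank

    if force
      print_status("Forcing #{mod.refname} to run despite MinimumRank '#{framework.datastore['MinimumRank']}'")
      ilog("Forcing #{mod.refname} to run despite MinimumRank '#{framework.datastore['MinimumRank']}'", 'core')
      return true
    end

    print_error("This exploit is below the minimum rank, '#{framework.datastore['MinimumRank']}'.")
    print_error("If you really want to run it, do 'exploit -f' or")
    print_error("setg MinimumRank to something lower ('manual' is")
    print_error("the lowest and would allow running all exploits).")
    false
  end

  #
  # Tells the user what happened after exploit_simple returned.
  #
  # @param session the session object, or nil when none was created.
  # @param bg [Boolean] true when '-z' asked not to interact.
  # @param jobify [Boolean] true when the exploit ran as a job.
  #
  def report_exploit_outcome(session, bg, jobify)
    # If we were given a session, let's see what we can do with it
    if session
      # If we aren't told to run in the background and the session can be
      # interacted with, start interacting with it by issuing the session
      # interaction command.  The sid comes from the framework, not from
      # user input.
      if !bg && session.interactive?
        print_line
        driver.run_single("sessions -q -i #{session.sid}")
      # Otherwise, log that we created a session
      else
        print_status("Session #{session.sid} created in the background.")
      end
    # If we ran the exploit as a job, indicate such so the user doesn't
    # wonder what's up.
    elsif jobify
      print_status("Exploit running as background job.") if mod.job_id
    # Worst case, the exploit ran but we got no session, bummer.
    else
      # If we didn't run a payload handler for this exploit it doesn't
      # make sense to complain to the user that we didn't get a session
      unless mod.datastore["DisablePayloadHandler"]
        print_status("Exploit completed, but no session was created.")
      end
    end
  end

end

end
end
end
end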