metasploit-framework/spec/file_fixtures/modules/exploits/auto_target_windows.rb

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  include Exploit::Remote::Tcp
  Rank = ManualRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Exploit Auto-Targeting for Windows',
      'Description'    => %q{ This module is a test bed for automatic targeting for Windows exploits. },
      'Author'         => [ 'thelightcosine' ],
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'WfsDelay'     => 10,
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Space'        => 3072,
          'DisableNops'  => true
        },
      'Platform'       => 'win',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Targets'        =>
        [
          ['Windows 2000 Universal',
           {
             'Ret'       => 0x001f1cb0,
             'Scratch'   => 0x00020408,
           }
          ], # JMP EDI SVCHOST.EXE

          #
          # Standard return-to-ESI without NX bypass
          # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
          #
          ['Windows XP SP0/SP1 Universal',
           {
             'Ret'       => 0x01001361,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI SVCHOST.EXE

          # Standard return-to-ESI without NX bypass
          ['Windows 2003 SP0 Universal',
           {
             'Ret'       => 0x0100129e,
             'Scratch'   => 0x00020408,
           }
          ], # JMP ESI SVCHOST.EXE
          # Metasploit's NX bypass for XP SP2/SP3
          ['Windows XP SP3 English (NX)',
           {
             'Ret'       => 0x6f88f807,
             'DisableNX' => 0x6f8917c2,
             'Scratch'   => 0x00020408
           }
          ]

        ],
      'DisclosureDate' => 'Jan 01 1999'
    ))

    deregister_options('RPORT')
  end

  def exploit
    print_status("This exploit doesn't actually do anything")
    print_status "Target Selected: #{target.name}"
  end


end
start gearing up for testing start getting auto-targeting test framework in place so we can have unit tests for this behaviour MS-2325 2016-12-21 22:23:09 +00:00			`require 'msf/core'`

			`class MetasploitModule < Msf::Exploit::Remote`
target_host specs add specs for finding the 'target host' ie. the mdm::Host object related to the RHOST value to see what we know about our target MS-2325 2016-12-22 20:53:44 +00:00			`include Exploit::Remote::Tcp`
start gearing up for testing start getting auto-targeting test framework in place so we can have unit tests for this behaviour MS-2325 2016-12-21 22:23:09 +00:00			`Rank = ManualRanking`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Exploit Auto-Targeting for Windows',`
			`'Description' => %q{ This module is a test bed for automatic targeting for Windows exploits. },`
			`'Author' => [ 'thelightcosine' ],`
			`'License' => MSF_LICENSE,`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'WfsDelay' => 10,`
			`'EXITFUNC' => 'thread'`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 3072,`
			`'DisableNops' => true`
			`},`
			`'Platform' => 'win',`
			`'Arch' => [ARCH_X86, ARCH_X64],`
			`'Targets' =>`
			`[`
			`['Windows 2000 Universal',`
			`{`
			`'Ret' => 0x001f1cb0,`
			`'Scratch' => 0x00020408,`
			`}`
			`], # JMP EDI SVCHOST.EXE`

			`#`
			`# Standard return-to-ESI without NX bypass`
			`# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET`
			`#`
			`['Windows XP SP0/SP1 Universal',`
			`{`
			`'Ret' => 0x01001361,`
			`'Scratch' => 0x00020408,`
			`}`
			`], # JMP ESI SVCHOST.EXE`

			`# Standard return-to-ESI without NX bypass`
			`['Windows 2003 SP0 Universal',`
			`{`
			`'Ret' => 0x0100129e,`
			`'Scratch' => 0x00020408,`
			`}`
			`], # JMP ESI SVCHOST.EXE`
			`# Metasploit's NX bypass for XP SP2/SP3`
			`['Windows XP SP3 English (NX)',`
			`{`
			`'Ret' => 0x6f88f807,`
			`'DisableNX' => 0x6f8917c2,`
			`'Scratch' => 0x00020408`
			`}`
			`]`

			`],`
			`'DisclosureDate' => 'Jan 01 1999'`
			`))`
tweak target selection the target selection actually adjust the datastore as if a user selected the target, this prevents a mismatch between the target and the target index MS-2325 2016-12-29 17:18:32 +00:00
			`deregister_options('RPORT')`
start gearing up for testing start getting auto-targeting test framework in place so we can have unit tests for this behaviour MS-2325 2016-12-21 22:23:09 +00:00			`end`

			`def exploit`
			`print_status("This exploit doesn't actually do anything")`
tying it all together insert our autotarget routine into the main target selection process MS-2325 2016-12-29 16:58:10 +00:00			`print_status "Target Selected: #{target.name}"`
start gearing up for testing start getting auto-targeting test framework in place so we can have unit tests for this behaviour MS-2325 2016-12-21 22:23:09 +00:00			`end`


			`end`