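module Msf
module Ui
module Console
module CommandDispatcher

#
# Console command dispatcher used while an exploit module is the active
# module (+mod+).  It provides the check/exploit commands and their
# reloading variants, and hands the real work to the module itself; this
# class only parses command-line options and reports results to the user.
#
class Exploit

  include Msf::Ui::Console::ModuleCommandDispatcher

  # Options accepted by the +exploit+ command.  The boolean in each entry
  # says whether the option takes a value.
  @@exploit_opts = Rex::Parser::Arguments.new(
    "-e" => [ true, "The payload encoder to use. If none is specified, ENCODER is used." ],
    "-h" => [ false, "Help banner." ],
    "-j" => [ false, "Run in the context of a job." ],
    "-n" => [ true, "The NOP generator to use. If none is specified, NOP is used." ],
    "-o" => [ true, "A comma separated list of options in VAR=VAL format." ],
    "-p" => [ true, "The payload to use. If none is specified, PAYLOAD is used." ],
    "-t" => [ true, "The target index to use. If none is specified, TARGET is used." ],
    "-z" => [ false, "Do not interact with the session after successful exploitation." ])

  #
  # Returns the commands this dispatcher supports, mapped to their help text.
  #
  def commands
    {
      "check"    => "Check to see if a target is vulnerable",
      "exploit"  => "Launch an exploit attempt",
      "rcheck"   => "Reloads the module and checks if the target is vulnerable",
      "rexploit" => "Reloads the module and launches an exploit attempt",
    }
  end

  #
  # Returns the display name of this dispatcher.
  #
  def name
    "Exploit"
  end

  #
  # Checks to see if a target is vulnerable.
  #
  # The module's UI is attached to the console for the duration of the check
  # and always detached again in the +ensure+ clause, whether the check
  # succeeded or raised.  Arguments are accepted but not used.
  #
  def cmd_check(*args)
    begin
      mod.init_ui(driver.input, driver.output)

      code = mod.check

      if code
        # Only a definite "vulnerable" verdict gets the [+] prefix; every
        # other check code is reported as informational.
        stat = (code == Msf::Exploit::CheckCode::Vulnerable) ? '[+]' : '[*]'

        # The second element of the check code is printed as its message.
        print_line(stat + ' ' + code[1])
      else
        print_error(
          "Check failed: The state could not be determined.")
      end
    rescue => e
      log_error("Check failed: #{e}.")
    ensure
      mod.reset_ui
    end
  end

  #
  # Launches an exploitation attempt.
  #
  # Defaults for payload, encoder, target and NOP generator come from the
  # module's datastore and can be overridden per invocation with the options
  # in @@exploit_opts.  Returns +false+ when the help banner was shown, when
  # the target index is not numeric, or when the attempt raised an
  # unexpected error.
  #
  def cmd_exploit(*args)
    opt_str = nil
    payload = mod.datastore['PAYLOAD']
    encoder = mod.datastore['ENCODER']
    target  = mod.datastore['TARGET']
    nop     = mod.datastore['NOP']
    bg      = false
    jobify  = false

    # Always run passive exploits in the background
    jobify = true if mod.passive?

    @@exploit_opts.parse(args) { |opt, idx, val|
      case opt
      when '-e'
        encoder = val
      when '-j'
        jobify = true
      when '-n'
        nop = val
      when '-o'
        # Passed on verbatim as 'OptionStr'; nothing in this method parses
        # or validates the VAR=VAL list.
        opt_str = val
      when '-p'
        payload = val
      when '-t'
        # String#to_i turns any non-numeric value (or a missing one) into 0,
        # which would silently select target index 0 instead of the one the
        # operator meant.  Refuse to run rather than guess.
        unless val.to_s =~ /\A\s*-?\d+\s*\z/
          print_error("Invalid target index: #{val}")
          return false
        end

        target = val.to_i
      when '-z'
        bg = true
      when '-h'
        print(
          "Usage: exploit [options]\n\n" +
          "Launches an exploitation attempt.\n" +
          @@exploit_opts.usage)
        return false
      end
    }

    begin
      session = mod.exploit_simple(
        'Encoder'     => encoder,
        'Payload'     => payload,
        'Target'      => target,
        'Nop'         => nop,
        'OptionStr'   => opt_str,
        'LocalInput'  => driver.input,
        'LocalOutput' => driver.output,
        'RunAsJob'    => jobify)
    rescue EOFError
      # NOTE(review): unlike the generic handler below this branch does not
      # return, so one of the status messages further down is still printed
      # after the error -- confirm that is intended.
      print_error("Exploit failed: The remote connection closed.")
    rescue => e
      log_error("Exploit failed: #{e}")
      return false
    end

    # If we were given a session, let's see what we can do with it
    if session
      # If we aren't told to run in the background and the session can be
      # interacted with, start interacting with it by issuing the session
      # interaction command.
      if !bg && session.interactive?
        print_line

        # NOTE(review): the session id is interpolated into a console command
        # line; presumably it is assigned by the framework and not
        # operator-controlled -- confirm.
        driver.run_single("session -q -i #{session.sid}")
      # Otherwise, log that we created a session
      else
        print_status("Session #{session.sid} created in the background.")
      end
    # If we ran the exploit as a job, indicate such so the user doesn't
    # wonder what's up.
    elsif jobify
      print_status("Exploit running as background job.")

      mod.reset_ui
    # Worst case, the exploit ran but we got no session, bummer.
    else
      print_status("Exploit completed, no session was created.")
    end
  end

  #
  # Reloads an exploit module and checks the target to see if it's vulnerable.
  #
  # Whatever reload_module returns becomes the active module before the check
  # runs.  Errors raised here (cmd_check handles its own) are logged.
  #
  def cmd_rcheck(*args)
    begin
      self.mod = framework.modules.reload_module(mod)

      cmd_check(*args)
    rescue => e
      log_error("Failed to rcheck: #{e}")
    end
  end

  #
  # Reloads an exploit module and launches an exploit.
  #
  # Whatever reload_module returns becomes the active module before the
  # attempt is launched with the same arguments.  Errors raised here are
  # logged.
  #
  def cmd_rexploit(*args)
    begin
      self.mod = framework.modules.reload_module(mod)

      cmd_exploit(*args)
    rescue => e
      log_error("Failed to rexploit: #{e}")
    end
  end

end

end end end end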