2005-07-09 21:18:49 +00:00
|
|
|
require 'msf/core'
|
|
|
|
require 'msf/core/module_manager'
|
2005-07-09 00:24:02 +00:00
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# PayloadSet
|
|
|
|
# ----------
|
|
|
|
#
|
|
|
|
# This class is a special case of the generic module set class because
|
|
|
|
# payloads are generated in terms of combinations between various
|
|
|
|
# components, such as a stager and a stage. As such, the payload set
|
|
|
|
# needs to be built on the fly and cannot be simply matched one-to-one
|
|
|
|
# with a payload module. Yeah, the term module is kind of overloaded
|
|
|
|
# here, but eat it!
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class PayloadSet < ModuleSet
|
|
|
|
|
|
|
|
def initialize(manager)
|
|
|
|
super(MODULE_PAYLOAD)
|
|
|
|
|
|
|
|
# A reference to the ModuleManager instance
|
|
|
|
self.manager = manager
|
|
|
|
|
|
|
|
# A hash of each of the payload types that holds an array
|
|
|
|
# for all of the associated modules
|
|
|
|
self.payload_type_modules = {}
|
2005-07-11 05:15:30 +00:00
|
|
|
|
|
|
|
# Initialize the hash entry for each type to an empty list
|
|
|
|
[
|
|
|
|
Payload::Type::Single,
|
|
|
|
Payload::Type::Stager,
|
|
|
|
Payload::Type::Stage
|
|
|
|
].each { |type|
|
2005-07-12 05:39:44 +00:00
|
|
|
self.payload_type_modules[type] = {}
|
2005-07-11 05:15:30 +00:00
|
|
|
}
|
2005-07-12 05:39:44 +00:00
|
|
|
|
|
|
|
# Initialize hashes for each of the stages and singles. Stagers
|
|
|
|
# never exist independent. The stages hash will have entries that
|
|
|
|
# point to another hash that point to the per-stager implementation
|
|
|
|
# payload class. For instance:
|
|
|
|
#
|
|
|
|
# ['windows/shell']['reverse_tcp']
|
|
|
|
#
|
|
|
|
# Singles will simply point to the single payload class.
|
|
|
|
self.stages = {}
|
|
|
|
self.singles = {}
|
2005-07-13 18:06:12 +00:00
|
|
|
|
|
|
|
# Hash that caches the sizes of payloads
|
|
|
|
self.sizes = {}
|
2005-07-12 05:39:44 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Performs custom filtering during each_module enumeration. This allows us
|
|
|
|
# to filter out certain stagers as necessary.
|
|
|
|
#
|
|
|
|
# TODO: stager-based customf iltering
|
|
|
|
#
|
|
|
|
def each_module_filter(opts, name, mod)
|
|
|
|
return false
|
2005-07-09 00:24:02 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Build the actual hash of alias names based on all the permutations
|
|
|
|
# of singles, stagers, and stages
|
|
|
|
def recalculate
|
|
|
|
# Reset the current hash associations
|
2005-07-09 19:35:29 +00:00
|
|
|
self.each_key { |key|
|
|
|
|
manager.delete(key)
|
|
|
|
}
|
2005-07-09 00:24:02 +00:00
|
|
|
self.clear
|
|
|
|
|
|
|
|
# Recalculate single payloads
|
2005-07-12 05:39:44 +00:00
|
|
|
_singles.each_pair { |name, p|
|
|
|
|
mod, handler = p
|
2005-07-09 00:24:02 +00:00
|
|
|
|
|
|
|
# Build the payload dupe using the determined handler
|
|
|
|
# and module
|
|
|
|
p = build_payload(handler, mod)
|
|
|
|
|
2005-07-10 19:21:40 +00:00
|
|
|
# Sets the modules derived name
|
|
|
|
p.refname = name
|
|
|
|
|
2005-07-12 05:39:44 +00:00
|
|
|
# Add it to the set
|
|
|
|
add_single(p, name)
|
2005-07-13 18:06:12 +00:00
|
|
|
|
|
|
|
# Cache the payload's size
|
|
|
|
sizes[name] = p.new.size
|
2005-07-09 00:24:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# Recalculate stagers and stages
|
2005-07-12 05:39:44 +00:00
|
|
|
_stagers.each_pair { |stager_name, p|
|
2005-10-01 06:09:46 +00:00
|
|
|
stager_mod, handler, stager_platform, stager_arch, stager_conv = p
|
2005-07-09 00:24:02 +00:00
|
|
|
|
|
|
|
# Walk the array of stages
|
2005-07-12 05:39:44 +00:00
|
|
|
_stages.each_pair { |stage_name, p|
|
2005-10-01 06:09:46 +00:00
|
|
|
stage_mod, junk, stage_platform, stage_arch, stage_conv = p
|
2005-07-11 04:07:52 +00:00
|
|
|
|
2005-07-09 00:24:02 +00:00
|
|
|
# No intersection between architectures on the payloads?
|
|
|
|
if ((stager_arch) and
|
|
|
|
(stage_arch) and
|
|
|
|
((stager_arch & stage_arch).empty?))
|
|
|
|
dlog("Stager #{stager_name} and stage #{stage_name} have incompatible architectures:",
|
|
|
|
'core', LEV_3)
|
|
|
|
dlog(" Stager: #{stager_arch.join}.", 'core', LEV_3)
|
|
|
|
dlog(" Stage: #{stage_arch.join}.", 'core', LEV_3)
|
2005-07-17 06:01:11 +00:00
|
|
|
next
|
2005-07-09 00:24:02 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# No intersection between platforms on the payloads?
|
|
|
|
if ((stager_platform) and
|
|
|
|
(stage_platform) and
|
|
|
|
(stager_platform & stage_platform).empty?)
|
|
|
|
dlog("Stager #{stager_name} and stage #{stage_name} have incompatible platforms:",
|
|
|
|
'core', LEV_3)
|
2005-07-11 22:51:25 +00:00
|
|
|
dlog(" Stager: #{stager_platform.names}.", 'core', LEV_3)
|
|
|
|
dlog(" Stage: #{stage_platform.names}.", 'core', LEV_3)
|
2005-07-17 06:01:11 +00:00
|
|
|
next
|
2005-07-09 00:24:02 +00:00
|
|
|
end
|
|
|
|
|
2005-10-01 06:09:46 +00:00
|
|
|
# If the stage has a convention, make sure it's compatible with
|
|
|
|
# the stager's
|
|
|
|
if ((stage_conv) and
|
|
|
|
(stager_conv != stage_conv))
|
|
|
|
dlog("Stager #{stager_name} and stage #{stage_name} have incompatible conventions:",
|
|
|
|
'core', LEV_3)
|
|
|
|
dlog(" Stager: #{stager_conv}.", 'core', LEV_3)
|
|
|
|
dlog(" Stage: #{stage_conv}.", 'core', LEV_3)
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
2005-07-09 00:24:02 +00:00
|
|
|
# Build the payload dupe using the handler, stager,
|
|
|
|
# and stage
|
|
|
|
p = build_payload(handler, stager_mod, stage_mod)
|
|
|
|
|
2005-07-18 23:32:34 +00:00
|
|
|
# If the stager has an alias for the handler type (such as is the
|
|
|
|
# case for ordinal based stagers), use it in preference of the
|
|
|
|
# handler's actual type.
|
|
|
|
if (stager_mod.respond_to?('handler_type_alias') == true)
|
|
|
|
handler_type = stager_mod.handler_type_alias
|
|
|
|
else
|
|
|
|
handler_type = handler.handler_type
|
|
|
|
end
|
|
|
|
|
2005-07-09 00:24:02 +00:00
|
|
|
# Associate the name as a combination of the stager and stage
|
2005-07-11 04:07:52 +00:00
|
|
|
combined = stage_name
|
|
|
|
|
|
|
|
# If a valid handler exists for this stager, then combine it
|
2005-07-18 23:32:34 +00:00
|
|
|
combined += '/' + handler_type
|
2005-07-09 00:24:02 +00:00
|
|
|
|
2005-07-10 19:21:40 +00:00
|
|
|
# Sets the modules derived name
|
|
|
|
p.refname = combined
|
|
|
|
|
2005-07-12 05:39:44 +00:00
|
|
|
# Add the stage
|
2005-07-18 23:32:34 +00:00
|
|
|
add_stage(p, combined, stage_name, handler_type)
|
2005-07-13 18:06:12 +00:00
|
|
|
|
|
|
|
# Cache the payload's size
|
|
|
|
sizes[combined] = p.new.size
|
2005-07-09 00:24:02 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-09 00:24:02 +00:00
|
|
|
# Called when a new payload module class is loaded up. For the payload
|
|
|
|
# set we simply create an instance of the class and do some magic to figure
|
|
|
|
# out if it's a single, stager, or stage. Depending on which it is, we
|
|
|
|
# add it to the appropriate list
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-10 00:16:48 +00:00
|
|
|
def add_module(pmodule, name)
|
2005-07-11 22:51:25 +00:00
|
|
|
if (md = name.match(/^(singles|stagers|stages)#{File::SEPARATOR}(.*)$/))
|
|
|
|
name = md[2]
|
|
|
|
end
|
2005-07-09 00:24:02 +00:00
|
|
|
|
|
|
|
# Duplicate the Payload base class and extend it with the module
|
|
|
|
# class that is passed in. This allows us to inspect the actual
|
|
|
|
# module to see what type it is, and to grab other information for
|
|
|
|
# our own evil purposes.
|
|
|
|
instance = build_payload(pmodule).new
|
|
|
|
|
2005-07-11 05:15:30 +00:00
|
|
|
# Create an array of information about this payload module
|
|
|
|
pinfo =
|
2005-07-09 00:24:02 +00:00
|
|
|
[
|
|
|
|
pmodule,
|
2005-07-11 04:07:52 +00:00
|
|
|
instance.handler,
|
2005-07-09 00:24:02 +00:00
|
|
|
instance.platform,
|
2005-10-01 06:09:46 +00:00
|
|
|
instance.arch,
|
|
|
|
instance.convention
|
2005-07-09 00:24:02 +00:00
|
|
|
]
|
2005-07-11 05:15:30 +00:00
|
|
|
|
2005-07-12 05:39:44 +00:00
|
|
|
# Use the module's preferred alias if it has one
|
|
|
|
name = instance.alias if (instance.alias)
|
|
|
|
|
2005-07-11 05:15:30 +00:00
|
|
|
# Store the module and alias name for this payload. We
|
|
|
|
# also convey other information about the module, such as
|
|
|
|
# the platforms and architectures it supports
|
2005-07-12 05:39:44 +00:00
|
|
|
payload_type_modules[instance.payload_type][name] = pinfo
|
2005-07-11 05:15:30 +00:00
|
|
|
|
|
|
|
# If the payload happens to be a single, but has no defined
|
|
|
|
# connection, then it can also be staged. Insert it into
|
|
|
|
# the staged list.
|
|
|
|
if ((instance.payload_type == Payload::Type::Single) and
|
2005-07-17 06:01:11 +00:00
|
|
|
((instance.handler == Msf::Handler::None) or
|
|
|
|
(instance.handler == nil)))
|
2005-07-12 05:39:44 +00:00
|
|
|
payload_type_modules[Payload::Type::Stage][name] = pinfo
|
2005-07-11 05:15:30 +00:00
|
|
|
end
|
2005-07-09 00:24:02 +00:00
|
|
|
end
|
|
|
|
|
2005-07-12 05:39:44 +00:00
|
|
|
#
|
|
|
|
# Adds a single payload to the set and adds it to the singles hash
|
|
|
|
#
|
|
|
|
def add_single(p, name)
|
2005-07-13 18:06:12 +00:00
|
|
|
p.framework = framework
|
|
|
|
|
2005-07-12 05:39:44 +00:00
|
|
|
# Associate this class with the single payload's name
|
|
|
|
self[name] = p
|
|
|
|
|
|
|
|
# Add the singles hash
|
|
|
|
singles[name] = p
|
|
|
|
|
|
|
|
# Add it to the global module set
|
|
|
|
manager.add_module(p, name)
|
|
|
|
|
|
|
|
dlog("Built single payload #{name}.", 'core', LEV_1)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Adds a stage payload to the set and adds it to the stages hash
|
|
|
|
# using the supplied handler type.
|
|
|
|
#
|
|
|
|
def add_stage(p, full_name, stage_name, handler_type)
|
2005-07-13 18:06:12 +00:00
|
|
|
p.framework = framework
|
|
|
|
|
2005-07-12 05:39:44 +00:00
|
|
|
# Associate this stage's full name with the payload class in the set
|
|
|
|
self[full_name] = p
|
|
|
|
|
|
|
|
# Add the full name association in the global module set
|
|
|
|
manager.add_module(p, full_name)
|
|
|
|
|
|
|
|
# Create the hash entry for this stage and then create
|
|
|
|
# the associated entry for the handler type
|
|
|
|
stages[stage_name] = {} if (!stages[stage_name])
|
|
|
|
|
|
|
|
# Add it to this stage's stager hash
|
|
|
|
stages[stage_name][handler_type] = p
|
|
|
|
|
|
|
|
dlog("Built staged payload #{full_name}.", 'core', LEV_1)
|
|
|
|
end
|
|
|
|
|
2005-07-13 18:06:12 +00:00
|
|
|
attr_reader :stages, :singles, :sizes
|
2005-07-12 05:39:44 +00:00
|
|
|
|
2005-07-09 00:24:02 +00:00
|
|
|
protected
|
|
|
|
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-12 05:39:44 +00:00
|
|
|
# Return the hash of single payloads
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-12 05:39:44 +00:00
|
|
|
def _singles
|
|
|
|
return payload_type_modules[Payload::Type::Single] || {}
|
|
|
|
end
|
|
|
|
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-12 05:39:44 +00:00
|
|
|
# Return the hash of stager payloads
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-12 05:39:44 +00:00
|
|
|
def _stagers
|
|
|
|
return payload_type_modules[Payload::Type::Stager] || {}
|
|
|
|
end
|
|
|
|
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-12 05:39:44 +00:00
|
|
|
# Return the hash of stage payloads
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-12 05:39:44 +00:00
|
|
|
def _stages
|
|
|
|
return payload_type_modules[Payload::Type::Stage] || {}
|
|
|
|
end
|
|
|
|
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-09 00:24:02 +00:00
|
|
|
# Builds a duplicate, extended version of the Payload base
|
|
|
|
# class using the supplied modules.
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-07-09 00:24:02 +00:00
|
|
|
def build_payload(*modules)
|
|
|
|
klass = Class.new(Payload)
|
|
|
|
|
2005-07-11 20:48:13 +00:00
|
|
|
# Remove nil modules
|
|
|
|
modules.delete_if { |x| x == nil }
|
2005-07-09 00:24:02 +00:00
|
|
|
|
2005-07-11 20:48:13 +00:00
|
|
|
# Include the modules supplied to us with the mad skillz
|
|
|
|
# spoonfu style
|
2005-07-11 23:10:48 +00:00
|
|
|
klass.include(*modules.reverse)
|
2005-07-09 00:24:02 +00:00
|
|
|
|
|
|
|
return klass
|
|
|
|
end
|
|
|
|
|
|
|
|
attr_accessor :manager, :payload_type_modules
|
2005-07-13 18:06:12 +00:00
|
|
|
attr_writer :stages, :singles, :sizes
|
2005-07-09 00:24:02 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|