2005-05-21 18:27:24 +00:00
|
|
|
require 'Msf/Core'
|
2005-05-21 17:57:00 +00:00
|
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
|
2005-06-04 18:55:20 +00:00
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# ExploitEvents
|
|
|
|
|
# -------------
|
|
|
|
|
#
|
|
|
|
|
# Event notifications that affect exploits.
|
|
|
|
|
#
|
|
|
|
|
###
|
2005-05-21 17:57:00 +00:00
|
|
|
module ExploitEvents
|
|
|
|
|
|
|
|
|
|
def on_exploit_success(exploit, target)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def on_exploit_failure(exploit, target)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 18:55:20 +00:00
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# Exploit
|
|
|
|
|
# -------
|
|
|
|
|
#
|
|
|
|
|
# The exploit class acts as the base class for all exploit modules. It
|
|
|
|
|
# provides a common interface for interacting with exploits at the most basic
|
|
|
|
|
# level.
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
class Exploit < Msf::Module
|
|
|
|
|
|
2005-06-04 22:26:42 +00:00
|
|
|
#
|
|
|
|
|
# The various check codes that can be returned from the ``check'' routine.
|
|
|
|
|
#
|
|
|
|
|
module CheckCode
|
|
|
|
|
Safe = [ 0, "The target is not exploitable." ]
|
|
|
|
|
Detected = [ 1, "The target service is running, but could not be validated." ]
|
|
|
|
|
Appears = [ 2, "The target appears to be vulnerable." ]
|
|
|
|
|
Vulnerable = [ 3, "The target is vulnerable." ]
|
|
|
|
|
Unsupported = [ 4, "This exploit does not support checks." ]
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# The various basic types of exploits
|
|
|
|
|
#
|
|
|
|
|
module Type
|
|
|
|
|
Remote = "remote"
|
|
|
|
|
Local = "local"
|
|
|
|
|
Omni = "omnipresent"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
2005-06-04 22:39:12 +00:00
|
|
|
# The types of stances an exploit can take, such as passive or aggressive.
|
|
|
|
|
# Stances indicate whether or not the exploit triggers the exploit without
|
|
|
|
|
# waiting for one or more conditions to be met (aggressive) or whether it
|
|
|
|
|
# must wait for certain conditions to be satisfied before the exploit can
|
|
|
|
|
# be initiated (passive)
|
2005-06-04 22:26:42 +00:00
|
|
|
#
|
|
|
|
|
module Stance
|
|
|
|
|
Aggressive = "aggresive"
|
2005-06-04 22:39:12 +00:00
|
|
|
Passive = "passive"
|
2005-06-04 22:26:42 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
|
#
|
|
|
|
|
# Core exploit interface. These are the methods that exploits will
|
|
|
|
|
# override to perform various tasks, such as checking a target to see if
|
2005-06-04 22:39:12 +00:00
|
|
|
# it's vulnerable, automatically selecting a target, or
|
2005-06-04 22:26:42 +00:00
|
|
|
# performing an exploit.
|
|
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Checks to see if the target is vulnerable, returning unsupported if it's
|
|
|
|
|
# not supported.
|
|
|
|
|
#
|
|
|
|
|
def check
|
|
|
|
|
CheckCode::Unsupported
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Attempts to automatically select the target for exploitation. If the
|
|
|
|
|
# target can be automatically determined, the appropriate target will be
|
|
|
|
|
# returned, otherwise nil is returned if the target cannot be automatically
|
|
|
|
|
# determined.
|
|
|
|
|
#
|
|
|
|
|
# If an exploit module establishes a connection that can stay open past the
|
|
|
|
|
# auto targetting phase, it can persist it as a class attribute and
|
|
|
|
|
# reference it when the exploit is actually run. The auto_target routine
|
|
|
|
|
# is only called if no target is specified.
|
|
|
|
|
#
|
|
|
|
|
def auto_target
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 22:39:12 +00:00
|
|
|
#
|
|
|
|
|
# Kicks off the actual exploit. Prior to this call, the framework will
|
|
|
|
|
# have validated the data store using the options associated with this
|
|
|
|
|
# exploit module. It will also pre-generate the desired payload, though
|
|
|
|
|
# exploits can re-generate the payload if necessary.
|
|
|
|
|
#
|
|
|
|
|
def exploit
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 22:26:42 +00:00
|
|
|
##
|
|
|
|
|
#
|
|
|
|
|
# Feature detection
|
|
|
|
|
#
|
|
|
|
|
# These methods check to see if there is a derived implementation of
|
|
|
|
|
# various methods as a way of inferring whether or not a given exploit
|
|
|
|
|
# supports the feature.
|
|
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
def supports_check?
|
|
|
|
|
derived_implementor?(Msf::Exploit, 'check')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def supports_auto_target?
|
|
|
|
|
derived_implementor?(Msf::Exploit, 'auto_target')
|
|
|
|
|
end
|
2005-06-04 22:39:12 +00:00
|
|
|
|
|
|
|
|
def supports_exploit?
|
|
|
|
|
derived_implementor?(Msf::Exploit, 'exploit')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Returns a hash of the capabilities this exploit module has
|
|
|
|
|
#
|
|
|
|
|
def capabilities
|
|
|
|
|
{
|
|
|
|
|
'check' => supports_check?,
|
|
|
|
|
'auto_target' => supports_auto_target?,
|
|
|
|
|
'exploit' => supports_exploit?
|
|
|
|
|
}
|
|
|
|
|
end
|
2005-06-04 22:26:42 +00:00
|
|
|
|
|
|
|
|
##
|
|
|
|
|
#
|
|
|
|
|
# Getters/Setters and information collectors
|
|
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# If we don't know the exploit type, then I guess it's omnipresent!
|
|
|
|
|
#
|
|
|
|
|
def exploit_type
|
|
|
|
|
Type::Omni
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Generally, all exploits take an aggressive stance.
|
|
|
|
|
#
|
|
|
|
|
def stance
|
2005-06-04 22:39:12 +00:00
|
|
|
Stance::Aggressive
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Returns the payload that has been set for this exploit instance
|
|
|
|
|
#
|
|
|
|
|
def payload
|
|
|
|
|
# TODO
|
2005-06-04 22:26:42 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
attr_accessor :target
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# LocalExploit
|
|
|
|
|
# ------------
|
|
|
|
|
#
|
|
|
|
|
# The local exploit class is a specialization of the exploit module class that
|
|
|
|
|
# is geared toward exploits that are performed locally. Locally, in this
|
|
|
|
|
# case, is defined as an exploit that is realized by means other than network
|
|
|
|
|
# communication.
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
class LocalExploit < Exploit
|
|
|
|
|
def exploit_type
|
|
|
|
|
Exploit::Type::Local
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# RemoteExploit
|
|
|
|
|
# -------------
|
|
|
|
|
#
|
|
|
|
|
# The remote exploit class is a specialization of the exploit module class
|
|
|
|
|
# that is geared toward exploits that are performed against targets other than
|
|
|
|
|
# the local machine. This typically implies exploiting other machines via a
|
|
|
|
|
# network connection, though it is not limited to this scope.
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
class RemoteExploit < Exploit
|
|
|
|
|
def exploit_type
|
|
|
|
|
Exploit::Type::Remote
|
|
|
|
|
end
|
2005-06-04 18:55:20 +00:00
|
|
|
end
|
|
|
|
|
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
