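<%= Msf::Ui::Web::Common.header(framework.version, 'exploits') %>
<tr><td colspan='5'>

<%
  # Wizard state is carried entirely in the query string. These values are
  # request input: escape them wherever they are written into markup.
  name   = query_string['name']
  step   = (query_string['step'] || 0).to_i
  target = query_string['target']

  if (name == nil)
%>

<%# Display the exploit list if one hasn't been selected %>
<br/>
<div align='center' class='navHead'>
<table class='moduleList' width='100%' cellspacing='0' border='0'>
<%
  # The block parameter is called modname rather than name so it cannot
  # shadow (or, on older Ruby, overwrite) the request's name.
  framework.exploits.each_module { |modname, mod|
    modinst = mod.new
%>
  <tr>
    <td class='moduleIcons' align='center'>
      <%# Emitted unescaped: presumably module_icons returns ready-made markup - confirm. %>
      <%= Msf::Ui::Web::Common.module_icons(modinst) %>
    </td>
    <td class='moduleName'>
      <%# Module metadata is escaped like request input: it originates in module files, not in this template. %>
      <a href="exploits.rhtml?name=<%= html_escape(modname) %>"><%= html_escape(modinst.name) %></a>
    </td>
    <td class='moduleSpacer' colspan='2'>
    </td>
  </tr>
<% } %>
</table>
</div>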
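<%# Wizard step 0 - target selection %>
<%
  elsif (step == 0)
    # NOTE(review): name is unvalidated request input. Confirm what create
    # returns when no module matches; every modinst call below assumes an
    # instance.
    modinst = framework.exploits.create(name)
%>
<br/>
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
  <tr>
    <td class='moduleName'>
      <div class='textBold'><%= html_escape(modinst.name) %></div>
    </td>
  </tr>
</table>
<br/>

<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
  <tr>
    <td align='right' width='80' class='textBold'>Name:</td>
    <td class='textNormal'><%= html_escape(modinst.name) %></td>
  </tr>
  <tr>
    <td align='right' width='80' class='textBold'>Authors:</td>
    <%# Escape each author on its own: escaping the joined string would also escape the line-break separators. %>
    <td class='textNormal'><%= modinst.author.map { |auth| html_escape(auth.to_s) }.join("<br/>") %></td>
  </tr>
  <tr>
    <td align='right' width='80' class='textBold' valign='top'>Description:</td>
    <td colspan='2' class='textNormal' valign='top'>
      <%= html_escape(modinst.description) %>
    </td>
  </tr>
  <tr>
    <td align='right' width='80' class='textBold' valign='top'>References:</td>
    <td colspan='2' class='textNormal' valign='top'>
      <%# Reference text and URLs come from module metadata, so both are escaped. %>
      <%# NOTE(review): escaping does not restrict the URL scheme of ref.site; validate it where references are defined. %>
      <%# rel keeps the opened site from reaching this window and from receiving this page's URL (module name, target) as Referer. %>
      <% modinst.references.each { |ref| %>
        <% if (ref.kind_of?(Msf::Module::SiteReference)) %>
          - <a href="<%= html_escape(ref.site) %>" target='_blank' rel='noopener noreferrer'><%= html_escape(ref.to_s) %></a><br/>
        <% else %>
          - <%= html_escape(ref.to_s) %><br/>
        <% end %>
      <% } %>
    </td>
  </tr>
  <tr>
    <td align='right' width='80' class='textBold'>Targets:</td>
    <td class='textNormal'> </td>
  </tr>
  <tr>
    <td> </td>
    <td>
      <%# NOTE(review): align='align' is not a valid alignment value; left as found because the intended value is not visible here. %>
      <table align='align' cellpadding='2' cellspacing='0' border='0'>
        <tr>
          <td class='textBold'>Target Name</td>
          <td class='textBold'>Platform</td>
        </tr>
        <% modinst.targets.each_with_index { |tgt, idx|
             rowclass = (idx % 2 == 0) ? "B" : "A"
        %>
        <tr>
          <td class='textBoldColor<%= rowclass %>' align='left'>
            <%# name is request input reflected into an attribute: escaped, and the attribute is double-quoted so escaping of the double quote is enough (assumes html_escape covers it - confirm). %>
            <%= idx %> - <a href="exploits.rhtml?name=<%= html_escape(name) %>&amp;step=<%= step + 1 %>&amp;target=<%= idx %>"><%= html_escape(tgt.name) %></a>
          </td>
          <td class='textBoldColor<%= rowclass %>' align='left'>
            <%# Emitted unescaped: presumably target_icons returns ready-made markup - confirm. %>
            <%= Msf::Ui::Web::Common.target_icons(tgt) %>
          </td>
        </tr>
        <% } %>
      </table>
    </td>
  </tr>
</table>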
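<%# Wizard step 1 - payload selection %>
<%
  elsif (step == 1)
    # NOTE(review): name is unvalidated request input. Confirm what create
    # returns when no module matches before relying on modinst below.
    modinst = framework.exploits.create(name)

    # to_i turns a missing or non-numeric target into 0.
    modinst.datastore['TARGET'] = query_string['target'].to_i
%>
<br/>
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
  <tr>
    <td class='moduleName'>
      <div class='textBold'><%= html_escape(modinst.name) %></div>
    </td>
  </tr>
</table>
<br/>

<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
  <tr>
    <td align='left' width='80' class='textBold'><nobr>Select Payload:</nobr></td>
    <td> </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td class='textBold'>Name</td>
    <td class='textBold'>Description</td>
  </tr>

<%
  # idx only drives the alternating row style.
  idx = 0
  modinst.compatible_payloads.each { |pname, pmod|
    pmodinst = pmod.new
    rowclass = (idx % 2 == 0) ? "B" : "A"
%>

  <tr>
    <td> </td>
    <td class='textBoldColor<%= rowclass %>' align='left'>
      <%# name and target are request input reflected into the link; both are escaped and the attribute is double-quoted so escaping of the double quote is enough (assumes html_escape covers it - confirm). %>
      <a href="exploits.rhtml?name=<%= html_escape(name) %>&amp;step=<%= step + 1 %>&amp;target=<%= html_escape(target) %>&amp;payload=<%= html_escape(pname) %>"><%= html_escape(pname) %></a>
    </td>
    <td class='textBoldColor<%= rowclass %>' align='left'><%= html_escape(pmodinst.description) %></td>
  </tr>

<%
    idx += 1
  }
%>

</table>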
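<%# Wizard step 2 - option selection %>
<%
  elsif (step == 2)
    payload = query_string['payload']

    # NOTE(review): name and payload are unvalidated request input. Confirm
    # what create returns when nothing matches before relying on the
    # instances below.
    modinst = framework.exploits.create(name)
    pinst   = framework.payloads.create(payload)

    # to_i turns a missing or non-numeric target into 0.
    modinst.datastore['TARGET'] = query_string['target'].to_i
%>
<br/>
<table width='100%' cellspacing='0' cellpadding='0' border='0'>
  <tr>
    <td class='moduleName'>
      <div class='textBold'><%= html_escape(modinst.name) %></div>
    </td>
  </tr>
</table>
<br/>

<%# NOTE(review): the form submits with GET, so the launch in step 3 is reachable as a plain URL with every parameter in the query string. %>
<%# A state-changing action like this belongs behind POST plus a per-session token; that needs a matching change in the request handler, which is outside this template. Whether eid plays that role is not visible here. %>
<form method='GET'>
  <input type='hidden' name='eid' value="<%= Msf::Ui::Web::Driver::next_eid %>"/>
  <input type='hidden' name='name' value="<%= html_escape(name) %>"/>
  <input type='hidden' name='step' value="<%= step + 1 %>"/>
  <input type='hidden' name='target' value="<%= html_escape(modinst.datastore['TARGET']) %>"/>
  <input type='hidden' name='payload' value="<%= html_escape(payload) %>"/>

  <table align='center' cellpadding='2' border='0' cellspacing='0' width='95%'>
<%
  options = pinst.options.merge_sort(modinst.options)

  # The block parameter is called optname rather than name so it cannot
  # shadow (or, on older Ruby, overwrite) the request's name.
  options.each { |optname, option|
    # Advanced and evasion options are not offered in the wizard.
    next if (option.advanced?)
    next if (option.evasion?)
%>
    <tr>
      <td class='textBold'><%= html_escape(optname) %></td>
      <td class='textBold'><%= (option.required?) ? "Required" : "Optional" %></td>
      <td class='textNormal'><%= html_escape(option.type) %></td>
      <td class='textNormal'>
        <%# Step 3 recognises option fields by the opt_ prefix on the field name. %>
        <input type='text' name="opt_<%= html_escape(optname) %>" value="<%= html_escape(option.default || '') %>"/>
      </td>
      <td class='textNormal'><%= html_escape(option.desc) %></td>
    </tr>
<% } %>

    <tr><td colspan='5'> </td></tr>

    <tr>
      <td colspan='3' class='textBold'>
        Preferred Encoder:<br/>
        <select name='encoder' size='1'>
          <option value='__default'>Default
          <% pinst.compatible_encoders.each { |encname, mod| %>
          <option><%= html_escape(encname) %>
          <% } %>
        </select>
      </td>
      <td colspan='2' class='textBold'>
        NOP Generator:<br/>
        <select name='nop' size='1'>
          <option value='__default'>Default
          <% pinst.compatible_nops.each { |nopname, mod| %>
          <option><%= html_escape(nopname) %>
          <% } %>
        </select>
      </td>
    </tr>

    <tr><td colspan='5'> </td></tr>

    <%# Only browsers with scripting disabled submit nojs=1. %>
    <noscript>
      <input type='hidden' name='nojs' value="1"/>
    </noscript>

    <tr>
      <td colspan='3' align='right'>
        <input type='submit' name='action' value='Check' class='button'/>
      </td>
      <td colspan='2' align='left'>
        <input type='submit' name='action' value='Exploit' class='button'/>
      </td>
    </tr>
  </table>
</form>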
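<%# Wizard step 3 - exploitation %>
<%
  elsif (step == 3)

    # NOTE(review): this branch launches a module from the parameters of a
    # GET request. A state-changing action like this belongs behind POST plus
    # a per-session token, enforced in the request handler rather than in
    # this template.

    # Is JS disabled in the client's browser?
    nojs = (query_string['nojs'] == '1')

    # Create the exploit instance
    # NOTE(review): name is unvalidated request input. Confirm what create
    # returns when no module matches before relying on modinst below.
    modinst = framework.exploits.create(name)

    # '__default' is the form's placeholder for "no preference"; pass nil instead.
    query_string['encoder'] = nil if (query_string['encoder'] == '__default')
    query_string['nop']     = nil if (query_string['nop'] == '__default')

    # Build the options string from every non-empty opt_* parameter.
    options = ''

    query_string.each_pair { |k, v|
      next if v.nil? || v.length == 0

      # \A and \z anchor the whole key; ^ and $ only anchor a line, so a key
      # with an embedded newline could otherwise match on its second line.
      next unless k =~ /\Aopt_(.*)\z/

      # NOTE(review): v is copied verbatim. If it contains whatever separator
      # OptionStr is split on, one field could carry additional option
      # assignments. Confirm how exploit_simple parses OptionStr and reject
      # or quote such values.
      options << "#{$1}=#{v} "
    }

    # Use buffered output by default
    output = Rex::Ui::Text::Output::Buffer.new

    # If we support javascript, then we'll use something better
    if nojs == false
      # TODO
    end

    # Whether or not we should run this as a job
    as_job = modinst.passive? || (nojs == false)

    # Kick off the exploit process. display ends up holding markup that is
    # already safe to emit: every dynamic part is escaped before it is added.
    error = false

    begin
      modinst.exploit_simple(
        'Encoder'     => query_string['encoder'],
        'Nop'         => query_string['nop'],
        'Payload'     => query_string['payload'],
        'Target'      => query_string['target'].to_i,
        'OptionStr'   => options,
        'LocalOutput' => output,
        'LocalInput'  => nil,
        'RunAsJob'    => as_job)
    rescue => e
      display = "<span style='font-weight: bold'><span style='color: red'>Error:</span> " + html_escape(e) + "</span>"
      error = true
    end

    # Use the buffered output for display if we didn't fail.
    if error == false
      display = html_escape(output.buf).gsub(/\n/, "<br>")

      if as_job
        display += "<br/><br/><span style='font-weight: bold'>Exploit is now running in the background.</span>"
      end
    end
%>

<br/>
<span style='font-weight: bold'>
  Launching exploit <%= html_escape(modinst.refname) %> ...
</span>
<br/><br/>

<%# Emitted raw on purpose: display was assembled above from escaped pieces and fixed markup. %>
<%= display %>

<% else %>
Unknown step: <%= html_escape(step) %>
<% end %>

</td></tr>
<%= Msf::Ui::Web::Common.footer %>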