2005-07-09 21:18:49 +00:00
|
|
|
require 'msf/core'
|
2005-06-05 00:03:23 +00:00
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# A target for an exploit.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class Msf::Module::Target
|
|
|
|
|
2005-07-12 22:33:46 +00:00
|
|
|
###
|
|
|
|
#
|
|
|
|
# Target-specific brute force information, such as the addresses
|
|
|
|
# to step, the step size (if the framework default is bad), and
|
|
|
|
# other stuff.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class Bruteforce < Hash
|
2005-11-15 15:11:43 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Initializes a brute force target from the supplied brute forcing
|
|
|
|
# information.
|
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
def initialize(hash)
|
|
|
|
update(hash)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns a hash of addresses that should be stepped during
|
|
|
|
# exploitation and passed in to the bruteforce exploit
|
|
|
|
# routine.
|
|
|
|
#
|
|
|
|
def start_addresses
|
|
|
|
if (self['Start'] and self['Start'].kind_of?(Hash) == false)
|
|
|
|
return {'Address' => self['Start'] }
|
|
|
|
else
|
|
|
|
return self['Start']
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns a hash of addresses that should be stopped at once
|
|
|
|
# they are reached.
|
|
|
|
#
|
|
|
|
def stop_addresses
|
|
|
|
if (self['Stop'] and self['Stop'].kind_of?(Hash) == false)
|
|
|
|
return {'Address' => self['Stop'] }
|
|
|
|
else
|
|
|
|
return self['Stop']
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# The step size to use, or zero if the framework should figure
|
|
|
|
# it out.
|
|
|
|
#
|
|
|
|
def step_size
|
|
|
|
self['Step'] || 0
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Returns the default step direction. -1 indicates that brute forcing
|
|
|
|
# should go toward lower addresses. 1 indicates that brute forcing
|
|
|
|
# should go toward higher addresses.
|
2005-07-12 22:33:46 +00:00
|
|
|
#
|
|
|
|
def default_direction
|
|
|
|
dd = self['DefaultDirection']
|
|
|
|
|
|
|
|
if (dd and dd.to_s.match(/(-1|backward)/i))
|
|
|
|
return -1
|
|
|
|
end
|
|
|
|
|
|
|
|
return 1
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# The delay to add between attempts
|
|
|
|
#
|
|
|
|
def delay
|
|
|
|
self['Delay'].to_i || 0
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-06-05 00:03:23 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Serialize from an array to a Target instance.
|
2005-06-05 00:03:23 +00:00
|
|
|
#
|
|
|
|
def self.from_a(ary)
|
|
|
|
return nil if (ary.length < 2)
|
|
|
|
|
2005-06-05 18:03:56 +00:00
|
|
|
self.new(ary.shift, ary.shift)
|
2005-06-05 00:03:23 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Transforms the supplied source into an array of Targets.
|
2005-06-05 00:03:23 +00:00
|
|
|
#
|
|
|
|
def self.transform(src)
|
|
|
|
Rex::Transformer.transform(src, Array, [ self, String ], 'Target')
|
|
|
|
end
|
|
|
|
|
2005-06-05 18:03:56 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Initializes an instance of a bruteforce target from the supplied
|
|
|
|
# information. The hash of options that this constructor takes is as
|
|
|
|
# follows:
|
|
|
|
#
|
|
|
|
# Platform
|
|
|
|
#
|
|
|
|
# The platform(s) that this target is to operate against.
|
|
|
|
#
|
|
|
|
# SaveRegisters
|
|
|
|
#
|
|
|
|
# The registers that must be saved by NOP generators.
|
|
|
|
#
|
|
|
|
# Arch
|
|
|
|
#
|
|
|
|
# The architectures, if any, that this target is specific to (E.g.
|
|
|
|
# ARCH_X86).
|
|
|
|
#
|
|
|
|
# Bruteforce
|
|
|
|
#
|
|
|
|
# Settings specific to a target that supports brute forcing. See the
|
|
|
|
# BruteForce class.
|
|
|
|
#
|
|
|
|
# Ret
|
|
|
|
#
|
|
|
|
# The target-specific return address or addresses that will be used.
|
|
|
|
#
|
|
|
|
# Payload
|
|
|
|
#
|
|
|
|
# Payload-specific options, such as append, prepend, and other values that
|
|
|
|
# can be set on a per-exploit or per-target basis.
|
2005-06-05 18:03:56 +00:00
|
|
|
#
|
|
|
|
def initialize(name, opts)
|
|
|
|
opts = {} if (!opts)
|
|
|
|
|
2005-07-11 15:34:31 +00:00
|
|
|
self.name = name
|
2005-07-14 14:46:18 +00:00
|
|
|
self.platform = Msf::Module::PlatformList.from_a(opts['Platform'])
|
2005-07-11 15:34:31 +00:00
|
|
|
self.save_registers = opts['SaveRegisters']
|
|
|
|
self.ret = opts['Ret']
|
|
|
|
self.opts = opts
|
2005-07-14 14:46:18 +00:00
|
|
|
|
|
|
|
if (opts['Arch'])
|
|
|
|
self.arch = Rex::Transformer.transform(opts['Arch'], Array,
|
|
|
|
[ String ], 'Arch')
|
|
|
|
end
|
2005-07-12 22:33:46 +00:00
|
|
|
|
|
|
|
# Does this target have brute force information?
|
|
|
|
if (opts['Bruteforce'])
|
|
|
|
self.bruteforce = Bruteforce.new(opts['Bruteforce'])
|
|
|
|
end
|
2005-06-05 00:03:23 +00:00
|
|
|
end
|
|
|
|
|
2005-06-05 18:03:56 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Index the options directly.
|
2005-06-05 18:03:56 +00:00
|
|
|
#
|
|
|
|
def [](key)
|
|
|
|
opts[key]
|
|
|
|
end
|
|
|
|
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
|
|
|
# Returns whether or not this is a bruteforce target, forces boolean
|
|
|
|
# result.
|
|
|
|
#
|
|
|
|
def bruteforce?
|
|
|
|
return (bruteforce != nil)
|
|
|
|
end
|
|
|
|
|
2005-10-01 05:55:15 +00:00
|
|
|
##
|
|
|
|
#
|
|
|
|
# Target-specific payload modifications
|
|
|
|
#
|
|
|
|
##
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Payload prepend information for this target.
|
|
|
|
#
|
2005-10-01 05:55:15 +00:00
|
|
|
def payload_prepend
|
|
|
|
opts['Payload'] ? opts['Payload']['Prepend'] : nil
|
|
|
|
end
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Payload append information for this target.
|
|
|
|
#
|
2005-10-01 05:55:15 +00:00
|
|
|
def payload_append
|
|
|
|
opts['Payload'] ? opts['Payload']['Append'] : nil
|
|
|
|
end
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Payload prepend encoder information for this target.
|
|
|
|
#
|
2005-10-01 05:55:15 +00:00
|
|
|
def payload_prepend_encoder
|
|
|
|
opts['Payload'] ? opts['Payload']['PrependEncoder'] : nil
|
|
|
|
end
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Payload stack adjustment information for this target.
|
|
|
|
#
|
2005-11-11 01:22:03 +00:00
|
|
|
def payload_stack_adjustment
|
|
|
|
opts['Payload'] ? opts['Payload']['StackAdjustment'] : nil
|
|
|
|
end
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Payload max nops information for this target.
|
|
|
|
#
|
2005-10-01 05:55:15 +00:00
|
|
|
def payload_max_nops
|
|
|
|
opts['Payload'] ? opts['Payload']['MaxNops'] : nil
|
|
|
|
end
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Payload min nops information for this target.
|
|
|
|
#
|
2005-10-01 05:55:15 +00:00
|
|
|
def payload_min_nops
|
|
|
|
opts['Payload'] ? opts['Payload']['MinNops'] : nil
|
|
|
|
end
|
2005-11-15 15:11:43 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Payload space information for this target.
|
|
|
|
#
|
2005-10-01 05:55:15 +00:00
|
|
|
def payload_space
|
|
|
|
opts['Payload'] ? opts['Payload']['Space'] : nil
|
|
|
|
end
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# The name of the target (E.g. Windows XP SP0/SP1)
|
|
|
|
#
|
|
|
|
attr_reader :name
|
|
|
|
#
|
|
|
|
# The platforms that this target is for.
|
|
|
|
#
|
|
|
|
attr_reader :platform
|
|
|
|
#
|
|
|
|
# The architectures, if any, that the target is specific to.
|
|
|
|
#
|
|
|
|
attr_reader :arch
|
|
|
|
#
|
|
|
|
# The target-specific options, like payload settings and other stuff like
|
|
|
|
# that.
|
|
|
|
#
|
|
|
|
attr_reader :opts
|
|
|
|
#
|
|
|
|
# An alias for the target 'Ret' option.
|
|
|
|
#
|
|
|
|
attr_reader :ret
|
|
|
|
#
|
|
|
|
# The list of registers that need to be saved.
|
|
|
|
#
|
|
|
|
attr_reader :save_registers
|
|
|
|
#
|
|
|
|
# The bruteforce target information that will be non-nil if a Bruteforce
|
|
|
|
# option is passed to the constructor of the class.
|
|
|
|
#
|
2005-07-12 14:32:44 +00:00
|
|
|
attr_reader :bruteforce
|
|
|
|
|
|
|
|
protected
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
attr_writer :name, :platform, :arch, :opts, :ret, :save_registers # :nodoc:
|
|
|
|
attr_writer :bruteforce # :nodoc:
|
2005-06-05 00:33:38 +00:00
|
|
|
|
2005-06-05 00:03:23 +00:00
|
|
|
end
|
|
|
|
|