2005-07-09 21:18:49 +00:00
|
|
|
require 'msf/core'
|
2005-05-21 17:57:00 +00:00
|
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
|
2005-06-04 18:55:20 +00:00
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# ExploitEvents
|
|
|
|
|
# -------------
|
|
|
|
|
#
|
|
|
|
|
# Event notifications that affect exploits.
|
|
|
|
|
#
|
|
|
|
|
###
|
2005-05-21 17:57:00 +00:00
|
|
|
module ExploitEvents
|
|
|
|
|
|
2005-06-05 00:03:23 +00:00
|
|
|
#
|
|
|
|
|
# Notified when an exploit is successful
|
|
|
|
|
#
|
|
|
|
|
def on_exploit_success(exploit)
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
|
2005-06-05 00:03:23 +00:00
|
|
|
#
|
|
|
|
|
# Notified when an exploit is unsuccessful
|
|
|
|
|
#
|
|
|
|
|
def on_exploit_failure(exploit, reason)
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 18:55:20 +00:00
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# Exploit
|
|
|
|
|
# -------
|
|
|
|
|
#
|
|
|
|
|
# The exploit class acts as the base class for all exploit modules. It
|
|
|
|
|
# provides a common interface for interacting with exploits at the most basic
|
|
|
|
|
# level.
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
class Exploit < Msf::Module
|
|
|
|
|
|
2005-06-04 22:26:42 +00:00
|
|
|
#
|
|
|
|
|
# The various check codes that can be returned from the ``check'' routine.
|
|
|
|
|
#
|
|
|
|
|
module CheckCode
|
|
|
|
|
Safe = [ 0, "The target is not exploitable." ]
|
|
|
|
|
Detected = [ 1, "The target service is running, but could not be validated." ]
|
|
|
|
|
Appears = [ 2, "The target appears to be vulnerable." ]
|
|
|
|
|
Vulnerable = [ 3, "The target is vulnerable." ]
|
2005-06-05 00:03:23 +00:00
|
|
|
Unsupported = [ 4, "This exploit does not support check." ]
|
2005-06-04 22:26:42 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# The various basic types of exploits
|
|
|
|
|
#
|
|
|
|
|
module Type
|
|
|
|
|
Remote = "remote"
|
|
|
|
|
Local = "local"
|
|
|
|
|
Omni = "omnipresent"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
2005-06-04 22:39:12 +00:00
|
|
|
# The types of stances an exploit can take, such as passive or aggressive.
|
|
|
|
|
# Stances indicate whether or not the exploit triggers the exploit without
|
|
|
|
|
# waiting for one or more conditions to be met (aggressive) or whether it
|
|
|
|
|
# must wait for certain conditions to be satisfied before the exploit can
|
|
|
|
|
# be initiated (passive)
|
2005-06-04 22:26:42 +00:00
|
|
|
#
|
|
|
|
|
module Stance
|
|
|
|
|
Aggressive = "aggresive"
|
2005-06-04 22:39:12 +00:00
|
|
|
Passive = "passive"
|
2005-06-04 22:26:42 +00:00
|
|
|
end
|
|
|
|
|
|
2005-07-12 22:33:46 +00:00
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# Local
|
|
|
|
|
# -----
|
|
|
|
|
#
|
|
|
|
|
# The local exploit class is a specialization of the exploit module class that
|
|
|
|
|
# is geared toward exploits that are performed locally. Locally, in this
|
|
|
|
|
# case, is defined as an exploit that is realized by means other than network
|
|
|
|
|
# communication.
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
class Local < Exploit
|
|
|
|
|
def exploit_type
|
|
|
|
|
Exploit::Type::Local
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# Remote
|
|
|
|
|
# ------
|
|
|
|
|
#
|
|
|
|
|
# The remote exploit class is a specialization of the exploit module class
|
|
|
|
|
# that is geared toward exploits that are performed against targets other than
|
|
|
|
|
# the local machine. This typically implies exploiting other machines via a
|
|
|
|
|
# network connection, though it is not limited to this scope.
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
class Remote < Exploit
|
|
|
|
|
|
|
|
|
|
def exploit_type
|
|
|
|
|
Exploit::Type::Remote
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-05 00:03:23 +00:00
|
|
|
#
|
|
|
|
|
# Constructo the clown! Watch as he kills small children with balloons.
|
|
|
|
|
#
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(info)
|
2005-06-05 04:27:57 +00:00
|
|
|
|
|
|
|
|
self.targets = Rex::Transformer.transform(info['Targets'], Array,
|
|
|
|
|
[ Target ], 'Targets')
|
2005-07-11 15:34:31 +00:00
|
|
|
self.default_target = info['DefaultTarget']
|
|
|
|
|
self.payload = info['Payload'] || {}
|
2005-06-05 00:03:23 +00:00
|
|
|
end
|
|
|
|
|
|
2005-06-04 22:26:42 +00:00
|
|
|
##
|
|
|
|
|
#
|
2005-06-05 00:03:23 +00:00
|
|
|
# Core exploit interface
|
|
|
|
|
# ----------------------
|
|
|
|
|
#
|
|
|
|
|
# These are the methods that exploits will override to perform various
|
|
|
|
|
# tasks, such as checking a target to see if it's vulnerable, automatically
|
|
|
|
|
# selecting a target, or performing an exploit.
|
2005-06-04 22:26:42 +00:00
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Checks to see if the target is vulnerable, returning unsupported if it's
|
|
|
|
|
# not supported.
|
|
|
|
|
#
|
|
|
|
|
def check
|
|
|
|
|
CheckCode::Unsupported
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 22:39:12 +00:00
|
|
|
#
|
|
|
|
|
# Kicks off the actual exploit. Prior to this call, the framework will
|
|
|
|
|
# have validated the data store using the options associated with this
|
|
|
|
|
# exploit module. It will also pre-generate the desired payload, though
|
|
|
|
|
# exploits can re-generate the payload if necessary.
|
|
|
|
|
#
|
|
|
|
|
def exploit
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 22:26:42 +00:00
|
|
|
##
|
|
|
|
|
#
|
|
|
|
|
# Feature detection
|
2005-06-05 00:03:23 +00:00
|
|
|
# -----------------
|
2005-06-04 22:26:42 +00:00
|
|
|
#
|
|
|
|
|
# These methods check to see if there is a derived implementation of
|
|
|
|
|
# various methods as a way of inferring whether or not a given exploit
|
|
|
|
|
# supports the feature.
|
|
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
def supports_check?
|
|
|
|
|
derived_implementor?(Msf::Exploit, 'check')
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 22:39:12 +00:00
|
|
|
def supports_exploit?
|
|
|
|
|
derived_implementor?(Msf::Exploit, 'exploit')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Returns a hash of the capabilities this exploit module has
|
|
|
|
|
#
|
|
|
|
|
def capabilities
|
|
|
|
|
{
|
|
|
|
|
'check' => supports_check?,
|
|
|
|
|
'exploit' => supports_exploit?
|
|
|
|
|
}
|
|
|
|
|
end
|
2005-06-04 22:26:42 +00:00
|
|
|
|
|
|
|
|
##
|
|
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
# Getters/Setters
|
|
|
|
|
# ---------------
|
|
|
|
|
#
|
|
|
|
|
# Querying and set interfaces for some of the exploit's attributes.
|
2005-06-04 22:26:42 +00:00
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
2005-06-05 00:03:23 +00:00
|
|
|
#
|
|
|
|
|
# The module's type
|
|
|
|
|
#
|
|
|
|
|
def type
|
|
|
|
|
MODULE_EXPLOIT
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 22:26:42 +00:00
|
|
|
#
|
|
|
|
|
# If we don't know the exploit type, then I guess it's omnipresent!
|
|
|
|
|
#
|
|
|
|
|
def exploit_type
|
|
|
|
|
Type::Omni
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Generally, all exploits take an aggressive stance.
|
|
|
|
|
#
|
|
|
|
|
def stance
|
2005-07-11 15:34:31 +00:00
|
|
|
module_info['Stance'] || Stance::Aggressive
|
2005-06-04 22:39:12 +00:00
|
|
|
end
|
|
|
|
|
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
|
|
|
|
# Return any text that should be prepended to the payload. The payload
|
|
|
|
|
# module is passed so that the exploit can take a guess at architecture
|
|
|
|
|
# and platform if it's a multi exploit.
|
|
|
|
|
#
|
|
|
|
|
def payload_prepend(payload_module)
|
|
|
|
|
payload['Prepend'] || ''
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Return any text that should be appended to the payload. The payload
|
|
|
|
|
# module is passed so that the exploit can take a guess at architecture
|
|
|
|
|
# and platform if it's a multi exploit.
|
|
|
|
|
#
|
|
|
|
|
def payload_append(payload_module)
|
|
|
|
|
payload['Append'] || ''
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Return any text that should be prepended to the encoder of the payload.
|
|
|
|
|
# The payload module is passed so that the exploit can take a guess
|
|
|
|
|
# at architecture and platform if it's a multi exploit.
|
|
|
|
|
#
|
|
|
|
|
def payload_prepend_encoder(payload_module)
|
|
|
|
|
payload['PrependEncoder'] || ''
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
# Maximum number of nops to use as a hint to the framework.
|
|
|
|
|
# Nil signifies that the framework should decide.
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
def payload_max_nops
|
|
|
|
|
payload['MaxNops'] || nil
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Minimum number of nops to use as a hint to the framework.
|
|
|
|
|
# Nil snigifies that the framework should decide.
|
|
|
|
|
#
|
|
|
|
|
def payload_min_nops
|
|
|
|
|
payload['MinNops'] || nil
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Returns the maximum amount of room the exploit has for a payload.
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
|
|
|
|
def payload_space
|
|
|
|
|
payload['Space'].to_i
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Returns the bad characters that cannot be in any payload used by this
|
|
|
|
|
# exploit.
|
2005-06-04 22:39:12 +00:00
|
|
|
#
|
2005-07-11 15:34:31 +00:00
|
|
|
def payload_badchars
|
|
|
|
|
payload['BadChars']
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
# NOP requirements
|
|
|
|
|
# ----------------
|
|
|
|
|
#
|
|
|
|
|
# Hints to the nop generator on how it should perform if it's used.
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Returns the list of registers that the NOP generator should save,
|
|
|
|
|
# if any. It will use the current target's save registers in precedence
|
|
|
|
|
# over those defined globally for the exploit module.
|
|
|
|
|
#
|
|
|
|
|
# If there are no save registers, nil is returned.
|
2005-06-04 22:39:12 +00:00
|
|
|
#
|
2005-07-11 15:34:31 +00:00
|
|
|
def nop_save_registers
|
2005-07-12 22:42:58 +00:00
|
|
|
if (target and target.save_registers)
|
|
|
|
|
return target.save_registers
|
2005-07-11 15:34:31 +00:00
|
|
|
else
|
2005-07-12 22:42:58 +00:00
|
|
|
return module_info['SaveRegisters']
|
2005-07-11 15:34:31 +00:00
|
|
|
end
|
2005-06-04 22:26:42 +00:00
|
|
|
end
|
|
|
|
|
|
2005-07-12 22:33:46 +00:00
|
|
|
##
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
|
|
|
|
# Attributes
|
|
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
##
|
|
|
|
|
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
# The active target instance.
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
attr_accessor :target
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
# The list of targets.
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
attr_reader :targets
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
# The default target.
|
2005-07-11 15:34:31 +00:00
|
|
|
#
|
2005-07-12 22:33:46 +00:00
|
|
|
attr_reader :default_target
|
|
|
|
|
#
|
|
|
|
|
# The active payload instance.
|
|
|
|
|
#
|
|
|
|
|
attr_reader :payload
|
2005-07-11 15:34:31 +00:00
|
|
|
|
|
|
|
|
protected
|
2005-06-04 22:26:42 +00:00
|
|
|
|
2005-07-12 22:33:46 +00:00
|
|
|
attr_writer :targets
|
2005-07-11 15:34:31 +00:00
|
|
|
attr_writer :default_target
|
|
|
|
|
attr_writer :payload
|
2005-06-04 22:26:42 +00:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2005-06-04 18:55:20 +00:00
|
|
|
end
|
|
|
|
|
|
2005-07-10 00:49:12 +00:00
|
|
|
require 'msf/core/exploit/tcp'
|
|
|
|
|
require 'msf/core/exploit/dcerpc'
|
