From 5b526de09d9c2cc71e6ea32de6879c4d4820249e Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Tue, 10 Jul 2012 13:21:32 +0200 Subject: [PATCH 1/3] bla --- scripts/resource/autoexploit.rc | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/scripts/resource/autoexploit.rc b/scripts/resource/autoexploit.rc index 8fcee714c0..97bdbdf744 100644 --- a/scripts/resource/autoexploit.rc +++ b/scripts/resource/autoexploit.rc @@ -1,5 +1,3 @@ -# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de) - # @@ -15,7 +13,7 @@ def help_me default to a suitable meterpreter. Usage: - ./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path] [dry] + ./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path] [dry] [check] Arguments: rc_path - Full path to the RC script @@ -24,13 +22,14 @@ def help_me db_worksapce - Workspace for the database (datastore: 'DB_WORKSPACE') module_path - Path to the exploit (datastore: 'MODULE') dry - Optional. Dry-run mode [yes/no] (datastore: 'DRY') + check - Optional. Check mode [yes/no] (datastore: 'CHECK') Example: msfconsole -r autoexploit.rc username password msf windows/smb/ms08_067_netapi Authors: - m-1-k-3 sinn3r + m-1-k-3 | help = help.gsub(/^\t/, '') @@ -150,7 +149,7 @@ end # # Find all mathing references # -def dry_run(module_path) +def dry_run(module_path,check) exploit = load_exploit(module_path) raise RuntimeError, "Exploit not found: #{module_path}" if exploit.nil? @@ -160,6 +159,14 @@ def dry_run(module_path) next if not ref_has_match(vuln.refs, exploit_refs) addr = vuln.host.address.to_s print_good("#{addr} seems vulnerable to #{exploit.shortname}") + if check == true + print_good("checking #{addr} with check mechanism of #{exploit.shortname}") + run_single("use #{exploit.fullname}") + run_single("set RHOST #{addr}") + run_single("check") + run_single("back") + print_line("") + end end end 
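Review bot: `if check == true` in the new block of dry_run compares a boolean against `true`; the idiomatic form is a plain truthiness test, `if check`, which also copes with a caller passing nil. The new positional flag in `def dry_run(module_path,check)` is unreadable at the call site (`dry_run(args[:module], args[:check])` says nothing about what the second argument does) and the method now does something other than a dry run when it is set; a keyword argument or a single mode value would be clearer, which the later patches in this series move towards. The five console commands are issued back to back with no pause, so if `run_single("check")` does not complete synchronously its output may interleave with the next host's banner — worth confirming, since the third patch inserts a one-second wait at exactly that point. dry_run's body starts outside this hunk.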
@@ -193,6 +200,7 @@ def init_args args[:db_workspace] = ARGV.shift || datastore['DB_WORKSPACE'] || '' args[:module] = ARGV.shift || datastore['MODULE'] || '' args[:dry] = (ARGV.shift || datastore['DRY']) =~ /^yes$/i ? true : false + args[:check] = (ARGV.shift || datastore['CHECK']) =~ /^yes$/i ? true : false raise ArgumentError, "Missing a module path" if args[:module].empty? @@ -218,7 +226,9 @@ begin end if args[:dry] - dry_run(args[:module]) + dry_run(args[:module], args[:check]) + elsif args[:check] + dry_run(args[:module], args[:check]) else auto_exploit(args[:module]) end From b449c0e21c13f7c639920b0457d0a12795883cbf Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Tue, 10 Jul 2012 20:04:03 +0200 Subject: [PATCH 2/3] new parameter --- scripts/resource/autoexploit.rc | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/scripts/resource/autoexploit.rc b/scripts/resource/autoexploit.rc index 97bdbdf744..b9ca420bad 100644 --- a/scripts/resource/autoexploit.rc +++ b/scripts/resource/autoexploit.rc @@ -13,7 +13,7 @@ def help_me default to a suitable meterpreter. Usage: - ./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path] [dry] [check] + ./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path] [mode] Arguments: rc_path - Full path to the RC script @@ -21,11 +21,10 @@ def help_me db_pass - Password for MSF database (datastore: 'DB_PASS') db_worksapce - Workspace for the database (datastore: 'DB_WORKSPACE') module_path - Path to the exploit (datastore: 'MODULE') - dry - Optional. Dry-run mode [yes/no] (datastore: 'DRY') - check - Optional. Check mode [yes/no] (datastore: 'CHECK') + mode - Optional. Dry-run mode [dry/check] (datastore: 'MODE') Example: - msfconsole -r autoexploit.rc username password msf windows/smb/ms08_067_netapi + msfconsole -r autoexploit.rc username password msf windows/smb/ms08_067_netapi dry Authors: sinn3r 
@@ -149,7 +148,7 @@ end # # Find all mathing references # -def dry_run(module_path,check) +def dry_run(module_path,mode) exploit = load_exploit(module_path) raise RuntimeError, "Exploit not found: #{module_path}" if exploit.nil? @@ -159,7 +158,7 @@ def dry_run(module_path,check) next if not ref_has_match(vuln.refs, exploit_refs) addr = vuln.host.address.to_s print_good("#{addr} seems vulnerable to #{exploit.shortname}") - if check == true + if mode == "check" print_good("checking #{addr} with check mechanism of #{exploit.shortname}") run_single("use #{exploit.fullname}") run_single("set RHOST #{addr}") @@ -199,8 +198,7 @@ def init_args args[:db_pass] = ARGV.shift || datastore['DB_PASS'] || '' args[:db_workspace] = ARGV.shift || datastore['DB_WORKSPACE'] || '' args[:module] = ARGV.shift || datastore['MODULE'] || '' - args[:dry] = (ARGV.shift || datastore['DRY']) =~ /^yes$/i ? true : false - args[:check] = (ARGV.shift || datastore['CHECK']) =~ /^yes$/i ? true : false + args[:mode] = (ARGV.shift || datastore['MODE'] || '') raise ArgumentError, "Missing a module path" if args[:module].empty? @@ -225,10 +223,8 @@ begin end end - if args[:dry] - dry_run(args[:module], args[:check]) - elsif args[:check] - dry_run(args[:module], args[:check]) + if (args[:mode] == "dry" or args[:mode] == "check") + dry_run(args[:module], args[:mode]) else auto_exploit(args[:module]) end From ce107fbd6f7478ade4fe088718b38c4a151cea2e Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 10 Jul 2012 16:06:07 -0500 Subject: [PATCH 3/3] Rewrite how each mode is handled --- scripts/resource/autoexploit.rc | 78 +++++++++++++++++++++------------ 1 file changed, 49 insertions(+), 29 deletions(-) diff --git a/scripts/resource/autoexploit.rc b/scripts/resource/autoexploit.rc index b9ca420bad..52b7c7cd63 100644 --- a/scripts/resource/autoexploit.rc +++ b/scripts/resource/autoexploit.rc @@ -1,4 +1,3 @@ - # # Print the help function 
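Review bot: The new dispatch `if (args[:mode] == "dry" or args[:mode] == "check")` fails open: any other value of mode — a typo on the command line or a stale `MODE` entry in the datastore — falls through to `auto_exploit` and launches live exploitation instead of the inspection run the user asked for. Reject anything unrecognised before dispatching, e.g. `raise ArgumentError, "Invalid mode: #{args[:mode]}" unless %w[exploit dry check].include?(args[:mode])`; the third patch in this series closes this with a `case` and an `else raise`. `or` should also be `||` here — `or` binds more loosely than `=` and `!`, which bites as soon as the condition is assigned to a variable or negated. `def dry_run(module_path,mode)` is still named dry_run although with mode "check" it runs the module's check against every matching host; the later split into a separate check method resolves that.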
@@ -6,25 +5,27 @@ def help_me help = %Q| Description: - This Metasploit RC file can be used to automate the exploitation process. Before - using this script, you should import your vulnerability results to Metasploit, and - then it will exploit each possible host when there is a match to one of the - references. A reverse shell is automatically selected for you, and will always - default to a suitable meterpreter. + This Metasploit RC file can be used to automate the exploitation process. Before using the + script, you must import your vulnerability results to Metasploit so that it can deploy the + module based on matching references. Three modes are available: exploit/dry/and check. + In exploit mode, it will attempt to gain access to all vulnerable hosts with the most + suitable reverse shell that's automatically selected. In "dry" mode (dry-run), it'll list + all the hosts vulnerable to the exploit. In check mode, it will only trigger the check() + function found in the module. If no mode is specified, then it'll default to 'exploit'. Usage: ./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path] [mode] Arguments: rc_path - Full path to the RC script - db_user - Username for MSF database (datastore: 'DB_USER') - db_pass - Password for MSF database (datastore: 'DB_PASS') - db_worksapce - Workspace for the database (datastore: 'DB_WORKSPACE') - module_path - Path to the exploit (datastore: 'MODULE') - mode - Optional. Dry-run mode [dry/check] (datastore: 'MODE') + db_user - Username for MSF database (datastore: 'DB_USER') + db_pass - Password for MSF database (datastore: 'DB_PASS') + db_worksapce - Workspace for the database (datastore: 'DB_WORKSPACE') + module_path - Path to the exploit (datastore: 'MODULE') + mode - Optional. 
Accept:exploit/dry/check (datastore: 'MODE') - Example: - msfconsole -r autoexploit.rc username password msf windows/smb/ms08_067_netapi dry + Example of running an exploit: + msfconsole -r autoexploit.rc username password msf windows/smb/ms08_067_netapi Authors: sinn3r @@ -114,7 +115,7 @@ end # -# Start the exploitation +# Exploit mode # def auto_exploit(module_path) exploit = load_exploit(module_path) @@ -146,9 +147,9 @@ end # -# Find all mathing references +# Dry-run mode # -def dry_run(module_path,mode) +def dry_run(module_path) exploit = load_exploit(module_path) raise RuntimeError, "Exploit not found: #{module_path}" if exploit.nil? @@ -157,15 +158,29 @@ def dry_run(module_path,mode) framework.db.workspace.vulns.each do |vuln| next if not ref_has_match(vuln.refs, exploit_refs) addr = vuln.host.address.to_s - print_good("#{addr} seems vulnerable to #{exploit.shortname}") - if mode == "check" - print_good("checking #{addr} with check mechanism of #{exploit.shortname}") - run_single("use #{exploit.fullname}") - run_single("set RHOST #{addr}") - run_single("check") - run_single("back") - print_line("") - end + print_good("#{addr} has a matching reference to #{exploit.shortname}") + end +end + + +# +# Check mode +# +def check_exploit(module_path) + exploit = load_exploit(module_path) + raise RuntimeError, "Exploit not found: #{module_path}" if exploit.nil? + + exploit_refs = exploit.references + + framework.db.workspace.vulns.each do |vuln| + next if not ref_has_match(vuln.refs, exploit_refs) + print_good("Checking #{exploit.shortname} against host #{vuln.host.address.to_s}") + run_single("use #{exploit.fullname}") + run_single("set RHOST #{vuln.host.address.to_s}") + run_single("check") + select(nil, nil, nil, 1) + run_single("back") + print_line() end end 
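Review bot: The re-indented argument table in help_me carries the `db_worksapce` typo onto its new side, and `mode - Optional. Accept:exploit/dry/check` is missing a space after the colon; suggest `db_workspace - Workspace for the database (datastore: 'DB_WORKSPACE')` and `mode - Optional. Accepts: exploit/dry/check (datastore: 'MODE')`. Since omitting the mode now means live exploitation, the table entry should say so rather than leaving it to the prose above: `mode - Optional. Accepts: exploit/dry/check, default: exploit (datastore: 'MODE')`. help_me continues outside the hunk on both sides.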
@@ -198,7 +213,7 @@ def init_args args[:db_pass] = ARGV.shift || datastore['DB_PASS'] || '' args[:db_workspace] = ARGV.shift || datastore['DB_WORKSPACE'] || '' args[:module] = ARGV.shift || datastore['MODULE'] || '' - args[:mode] = (ARGV.shift || datastore['MODE'] || '') + args[:mode] = ARGV.shift || datastore['MODE'] || 'exploit' raise ArgumentError, "Missing a module path" if args[:module].empty? @@ -223,10 +238,15 @@ begin end end - if (args[:mode] == "dry" or args[:mode] == "check") - dry_run(args[:module], args[:mode]) - else + case args[:mode] + when /^exploit$/i auto_exploit(args[:module]) + when /^dry$/i + dry_run(args[:module]) + when /^check$/i + check_exploit(args[:module]) + else + raise ArgumentError, "Invalid mode" end rescue ArgumentError => e
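Review bot: `raise ArgumentError, "Invalid mode"` in the new `case` discards the one thing the user needs when a mistyped mode is rejected, the value itself: `raise ArgumentError, "Invalid mode: #{args[:mode].inspect} (expected exploit, dry or check)"`. The `when /^exploit$/i` patterns use line anchors, which match a line inside a longer string; `\A` and `\z` anchor the whole value: `when /\Aexploit\z/i`, and likewise for the dry and check branches. In the init_args hunk on this line the default changed from '' to 'exploit', so a run that omits the mode argument now performs live exploitation; the help text says so, but a comment beside the default, `# no mode given means live exploitation; 'dry' and 'check' only inspect`, keeps that visible where it is decided. init_args and the `begin` block both continue outside these hunks.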