start gearing up for testing

start getting auto-targeting test framework in place so we can have unit tests for this behaviour MS-2325
2016-12-21 16:23:09 -06:00 · 2016-12-21 16:23:09 -06:00 · 84d5e42e4f
parent 769d477e97
commit 84d5e42e4f
5 changed files with 171 additions and 3 deletions
--- a/lib/msf/core/exploit.rb
+++ b/lib/msf/core/exploit.rb
@ -162,6 +162,8 @@ class Exploit < Msf::Module
  #
  ###
  class Remote < Exploit
+    require 'msf/core/exploit/auto_target'
+    include Msf::Exploit::AutoTarget

    #
    # Initializes the socket array.
@ -285,11 +287,19 @@ class Exploit < Msf::Module
    # to the information hash.
    super(info)

-    unless has_auto_target?(info['Targets'])
-      auto = ["Automatic", {}]
-      info['Targets'].unshift(auto)
+    # Skip this whole routine if there are no targets
+    unless targets.blank?
+      # Add an Automatic Target to the Exploit if it doesn't have one
+      unless has_auto_target?(info['Targets'])
+        # Don't add the automatic target unless there's already more than one target to pick from
+        if info['Targets'].count > 1
+          auto = ["Automatic", {}]
+          info['Targets'].unshift(auto)
+        end
+      end
    end

+
    self.targets = Rex::Transformer.transform(info['Targets'], Array,
        [ Target ], 'Targets')
    self.default_target = info['DefaultTarget']
--- a/lib/msf/core/exploit/auto_target.rb
+++ b/lib/msf/core/exploit/auto_target.rb
@ -0,0 +1,38 @@
+
+module Msf
+  module Exploit::AutoTarget
+
+    def auto_target?
+      selected_target = targets[target_index]
+      if selected_target.name =~ /Automatic/
+        true
+      else
+        false
+      end
+    end
+
+    def select_target
+      return nil unless auto_target?
+      host_record = target_host
+      return nil if host_record.nil?
+
+    end
+
+    def target_host
+      return nil unless self.respond_to?(:rhost)
+      return nil unless framework.db.active
+      current_workspace = framework.db.find_workspace(self.workspace)
+      current_workspace.hosts.where(address: rhost).first
+    end
+
+    def filter_by_os_name(host_record)
+      filtered_targets = targets.collect do |target|
+        if target =~ host_record.os_name
+          target
+        else
+          nil
+        end
+      end
+    end
+  end
+end
--- a/spec/file_fixtures/modules/exploits/auto_target_linux.rb
+++ b/spec/file_fixtures/modules/exploits/auto_target_linux.rb
@ -0,0 +1,40 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ManualRanking
+
+  def initialize(info = {})
+    super(update_info(info,
+                      'Name'           => 'Exploit Auto-Targeting for Linux',
+                      'Description'    => %q{ This module is a test bed for automatic targeting for Windows exploits. },
+                      'Author'         => [ 'thelightcosine' ],
+                      'License'        => MSF_LICENSE,
+                      'Privileged'     => true,
+                      'DefaultOptions' =>
+                        {
+                          'WfsDelay'     => 10,
+                          'EXITFUNC' => 'thread'
+                        },
+                      'Payload'        =>
+                        {
+                          'Space'        => 3072,
+                          'DisableNops'  => true
+                        },
+                      'Platform'       => 'win',
+                      'Arch'           => [ARCH_X86, ARCH_X64],
+                      'Targets'        =>
+                        [
+
+                        ],
+                      'DisclosureDate' => 'Jan 01 1999'
+          ))
+  end
+
+  def exploit
+    print_status("This exploit doesn't actually do anything")
+
+  end
+
+
+end
--- a/spec/file_fixtures/modules/exploits/auto_target_windows.rb
+++ b/spec/file_fixtures/modules/exploits/auto_target_windows.rb
@ -0,0 +1,73 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ManualRanking
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Exploit Auto-Targeting for Windows',
+      'Description'    => %q{ This module is a test bed for automatic targeting for Windows exploits. },
+      'Author'         => [ 'thelightcosine' ],
+      'License'        => MSF_LICENSE,
+      'Privileged'     => true,
+      'DefaultOptions' =>
+        {
+          'WfsDelay'     => 10,
+          'EXITFUNC' => 'thread'
+        },
+      'Payload'        =>
+        {
+          'Space'        => 3072,
+          'DisableNops'  => true
+        },
+      'Platform'       => 'win',
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Targets'        =>
+        [
+          ['Windows 2000 Universal',
+           {
+             'Ret'       => 0x001f1cb0,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP EDI SVCHOST.EXE
+
+          #
+          # Standard return-to-ESI without NX bypass
+          # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
+          #
+          ['Windows XP SP0/SP1 Universal',
+           {
+             'Ret'       => 0x01001361,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP ESI SVCHOST.EXE
+
+          # Standard return-to-ESI without NX bypass
+          ['Windows 2003 SP0 Universal',
+           {
+             'Ret'       => 0x0100129e,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP ESI SVCHOST.EXE
+          # Metasploit's NX bypass for XP SP2/SP3
+          ['Windows XP SP3 English (NX)',
+           {
+             'Ret'       => 0x6f88f807,
+             'DisableNX' => 0x6f8917c2,
+             'Scratch'   => 0x00020408
+           }
+          ]
+
+        ],
+      'DisclosureDate' => 'Jan 01 1999'
+    ))
+  end
+
+  def exploit
+    print_status("This exploit doesn't actually do anything")
+
+  end
+
+
+end
--- a/spec/lib/msf/core/exploit/auto_target_spec.rb
+++ b/spec/lib/msf/core/exploit/auto_target_spec.rb
@ -0,0 +1,7 @@
+require 'spec_helper'
+
+RSpec.describe Msf::Exploit::AutoTarget do
+
+
+
+end