require 'msf/core' module Msf ### # # ExploitEvents # ------------- # # Event notifications that affect exploits. # ### module ExploitEvents # # Notified when an exploit is successful # def on_exploit_success(exploit) end # # Notified when an exploit is unsuccessful # def on_exploit_failure(exploit, reason) end end ### # # Exploit # ------- # # The exploit class acts as the base class for all exploit modules. It # provides a common interface for interacting with exploits at the most basic # level. # ### class Exploit < Msf::Module # # The various check codes that can be returned from the ``check'' routine. # module CheckCode Safe = [ 0, "The target is not exploitable." ] Detected = [ 1, "The target service is running, but could not be validated." ] Appears = [ 2, "The target appears to be vulnerable." ] Vulnerable = [ 3, "The target is vulnerable." ] Unsupported = [ 4, "This exploit does not support check." ] end # # The various basic types of exploits # module Type Remote = "remote" Local = "local" Omni = "omnipresent" end # # The types of stances an exploit can take, such as passive or aggressive. # Stances indicate whether or not the exploit triggers the exploit without # waiting for one or more conditions to be met (aggressive) or whether it # must wait for certain conditions to be satisfied before the exploit can # be initiated (passive) # module Stance Aggressive = "aggresive" Passive = "passive" end ### # # Local # ----- # # The local exploit class is a specialization of the exploit module class that # is geared toward exploits that are performed locally. Locally, in this # case, is defined as an exploit that is realized by means other than network # communication. # ### class Local < Exploit def exploit_type Exploit::Type::Local end end ### # # Remote # ------ # # The remote exploit class is a specialization of the exploit module class # that is geared toward exploits that are performed against targets other than # the local machine. This typically implies exploiting other machines via a # network connection, though it is not limited to this scope. # ### class Remote < Exploit def exploit_type Exploit::Type::Remote end end # # Constructo the clown! Watch as he kills small children with balloons. # def initialize(info = {}) super(info) self.targets = Rex::Transformer.transform(info['Targets'], Array, [ Target ], 'Targets') self.default_target = info['DefaultTarget'] self.payload = info['Payload'] || {} end ## # # Core exploit interface # ---------------------- # # These are the methods that exploits will override to perform various # tasks, such as checking a target to see if it's vulnerable, automatically # selecting a target, or performing an exploit. # ## # # Checks to see if the target is vulnerable, returning unsupported if it's # not supported. # def check CheckCode::Unsupported end # # Kicks off the actual exploit. Prior to this call, the framework will # have validated the data store using the options associated with this # exploit module. It will also pre-generate the desired payload, though # exploits can re-generate the payload if necessary. # def exploit end ## # # Feature detection # ----------------- # # These methods check to see if there is a derived implementation of # various methods as a way of inferring whether or not a given exploit # supports the feature. # ## def supports_check? derived_implementor?(Msf::Exploit, 'check') end def supports_exploit? derived_implementor?(Msf::Exploit, 'exploit') end # # Returns a hash of the capabilities this exploit module has # def capabilities { 'check' => supports_check?, 'exploit' => supports_exploit? } end ## # # Getters/Setters # --------------- # # Querying and set interfaces for some of the exploit's attributes. # ## # # The module's type # def type MODULE_EXPLOIT end # # If we don't know the exploit type, then I guess it's omnipresent! # def exploit_type Type::Omni end # # Generally, all exploits take an aggressive stance. # def stance module_info['Stance'] || Stance::Aggressive end # # Return any text that should be prepended to the payload. The payload # module is passed so that the exploit can take a guess at architecture # and platform if it's a multi exploit. # def payload_prepend(payload_module) payload['Prepend'] || '' end # # Return any text that should be appended to the payload. The payload # module is passed so that the exploit can take a guess at architecture # and platform if it's a multi exploit. # def payload_append(payload_module) payload['Append'] || '' end # # Return any text that should be prepended to the encoder of the payload. # The payload module is passed so that the exploit can take a guess # at architecture and platform if it's a multi exploit. # def payload_prepend_encoder(payload_module) payload['PrependEncoder'] || '' end # # Maximum number of nops to use as a hint to the framework. # Nil signifies that the framework should decide. # def payload_max_nops payload['MaxNops'] || nil end # # Minimum number of nops to use as a hint to the framework. # Nil snigifies that the framework should decide. # def payload_min_nops payload['MinNops'] || nil end # # Returns the maximum amount of room the exploit has for a payload. # def payload_space payload['Space'].to_i end # # Returns the bad characters that cannot be in any payload used by this # exploit. # def payload_badchars payload['BadChars'] end ## # # NOP requirements # ---------------- # # Hints to the nop generator on how it should perform if it's used. # ## # # Returns the list of registers that the NOP generator should save, # if any. It will use the current target's save registers in precedence # over those defined globally for the exploit module. # # If there are no save registers, nil is returned. # def nop_save_registers if (target and target.save_registers) return target.save_registers else return module_info['SaveRegisters'] end end ## # # Attributes # ## # # The active target instance. # attr_accessor :target # # The list of targets. # attr_reader :targets # # The default target. # attr_reader :default_target # # The active payload instance. # attr_reader :payload protected attr_writer :targets attr_writer :default_target attr_writer :payload end end require 'msf/core/exploit/tcp' require 'msf/core/exploit/dcerpc'