metasploit-framework/modules/exploits/test/aggressive.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internal Aggressive Test Exploit',
			'Description'    => 	
				"This module tests the exploitation of a test service.",
			'Author'         => 'skape',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'Arch'           => 'x86',
			'Payload'        =>
				{
					'Space'    => 1000,
					'MaxNops'  => 0,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					# Target 0: Universal
					[ 
						'Any Platform',
						{
							'Platform' => [ 'linux', 'win' ]
						}
					],
					[
						'Test encoder specific',
						{
							'Platform' => [ 'linux', 'win' ],
							'Payload'  =>
								{
									'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
									'EncoderOptions' =>
										{
											'BufferRegister' => 'EBX',
											'BufferOffset'   => 4
										}
								}
						},
					],
					[
						'Cannot be encoded',
						{
							'Platform' => [ 'linux', 'win' ],
							'Payload'  => 
								{
									'BadChars' => (0..255).to_a.map { |x| x.chr }.to_s
								}
						}
					],
					[ 'Test context encoder', 
					  { 
							'Platform' => [ 'linux', 'win' ],
							'Payload'  =>
								{ 
									'BadChars' => "\x00"
								}
					  }
					]
				],
			'DefaultTarget' => 0))

		register_options(
			[
				OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ]),
				OptInt.new('TestInteger', [ false, "Testing an integer value", nil ])
			])
	end

	def check
		return Exploit::CheckCode::Vulnerable
	end

	def exploit
		# Show disassembled payload for context encoder test
		if target.name =~ /context encoder/
			puts Rex::Assembly::Nasm.disassemble(payload.encoded[0,40])
		end

		connect

		print_status("Sending #{payload.encoded.length} byte payload...[#{datastore['TestInteger']}]")

		sock.put(payload.encoded)

		if (datastore['WaitForInput'])
			puts "Type something..."
			gets
		end

		handler
	end

end