metasploit-framework/msfcli


#!/usr/bin/env ruby
# -*- coding: binary -*-
#
# $Id$
#
# This user interface allows users to interact with the framework through a
# command line interface (CLI) rather than having to use a prompting console
# or web-based interface.
#
# $Revision$
#
# Follow any chain of symlinks back to the real script so that the framework's
# bundled "lib" directory is found even when msfcli is invoked through a link.
msfbase = __FILE__
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) while File.symlink?(msfbase)

# Entries at the front of the load path win on `require`, so the "lib"
# directory beside the resolved script is trusted to supply framework code.
# It should only be writable by the account that maintains the installation.
$LOAD_PATH.unshift(File.expand_path('lib', File.dirname(msfbase)))
require 'rex'
# Indentation prefix handed to the Msf::Serializer::ReadableText dump_* calls
# further down when module details are printed.
Indent = ' '
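# Payload naming style is kind of inconsistent, so instead of finding the exact
# path name, this returns an educated guess based on platform, stage type,
# session type and the payload name suffix.
#
# The pieces taken from the caller's string are passed through Regexp.escape
# before being interpolated, so regex metacharacters in a payload name are
# matched literally and a stray "[" or "(" cannot raise RegexpError.
#
# @param p [String] payload reference name, e.g. "windows/meterpreter/reverse_tcp"
# @return [Array<Regexp>] patterns for the module files that should be loaded:
#   the stage file (when one is guessed) followed by the single/stager file
def guess_payload_name(p)
  parts    = p.split('/')
  platform = Regexp.escape(parts.first.to_s)
  suffix   = Regexp.escape(parts.last.to_s)

  stage_types   = %w[singles stagers stages]
  session_types = %w[meterpreter shell]

  # Rule out some possibilities
  if p =~ /meterpreter/
    session_types.delete('shell')
    stage_types.delete('singles')
  end
  if p =~ /shell\/.+$/
    session_types.delete('meterpreter')
    stage_types.delete('singles')
  end

  # Optional architecture directory that sits between platform and file name.
  arch_dir =
    if p =~ /x64/
      'x64/'
    elsif p =~ /x86/
      'x86/'
    else
      ''
    end

  matches = []

  # Determine if the payload is staged. If it is, then the stage module has
  # to be loaded too.
  if stage_types.include?('stages')
    if session_types.include?('shell')
      matches << %r{stages/#{platform}/#{arch_dir}shell}
    elsif session_types.include?('meterpreter')
      matches << %r{stages/#{platform}/#{arch_dir}meterpreter}
    end
  end

  # Guess the second possible match: the single or stager file itself.
  stage_alternatives = stage_types.join('|')
  matches << %r{payloads/(#{stage_alternatives})/#{platform}/#{arch_dir}.*(#{suffix})\.rb$}

  matches
end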
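# Builds the whitelist pattern for an encoder named on the command line.
#
# The name is escaped before it becomes a pattern, so it is matched as literal
# text; characters such as "." or "[" neither widen the match nor raise
# RegexpError.
#
# @param e [String] encoder reference name, e.g. "x86/shikata_ga_nai"
# @return [Array<Regexp>] single-element list holding the pattern
def guess_encoder_name(e)
  [Regexp.new(Regexp.escape(e.to_s))]
end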
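# Builds the whitelist pattern for a NOP generator named on the command line.
#
# The name is escaped before it becomes a pattern, so it is matched as literal
# text; characters such as "." or "[" neither widen the match nor raise
# RegexpError.
#
# @param n [String] NOP module reference name, e.g. "x86/single_byte"
# @return [Array<Regexp>] single-element list holding the pattern
def guess_nop_name(n)
  [Regexp.new(Regexp.escape(n.to_s))]
end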
# Prints the usage table to stdout and terminates the process.
#
# @param str [String, nil] optional error message printed above the table
# @param extra [String, nil] optional text printed below the table (the module
#   listing, when no module name was given)
# @return [void] never returns; always ends with `exit`
def usage(str = nil, extra = nil)
  mode_rows = [
    ['(H)elp', "You're looking at it baby!"],
    ['(S)ummary', 'Show information about this module'],
    ['(O)ptions', 'Show available options for this module'],
    ['(A)dvanced', 'Show available advanced options for this module'],
    ['(I)DS Evasion', 'Show available ids evasion options for this module'],
    ['(P)ayloads', 'Show available payloads for this module'],
    ['(T)argets', 'Show available targets for this exploit module'],
    ['(AC)tions', 'Show available actions for this auxiliary module'],
    ['(C)heck', 'Run the check routine of the selected module'],
    ['(E)xecute', 'Execute the selected module']
  ]

  tbl = Rex::Ui::Text::Table.new(
    'Header' => "Usage: #{$0} <exploit_name> <option=value> [mode]",
    'Indent' => 4,
    'Columns' => ['Mode', 'Description']
  )
  mode_rows.each { |row| tbl << row }

  # The error text goes to stdout as well, and the exit status is the default
  # one even when an error message was printed.
  $stdout.puts "Error: #{str}\n\n" if str
  $stdout.puts tbl.to_s + "\n"
  $stdout.puts extra + "\n" if extra
  exit
end
# Handle the help option before loading modules: "-h" only needs the usage
# table, so the framework libraries are not required on that path.
exploit_name = ARGV.shift
exploit      = nil
module_class = "exploit"

case exploit_name
when "-h"
  usage
else
  # MSF_LOCAL_LIB is placed ahead of every other load-path entry, so whatever
  # directory it names is trusted to supply framework code. It should only
  # ever be set by the operator running the tool.
  local_lib = ENV['MSF_LOCAL_LIB']
  $LOAD_PATH.unshift(local_lib) if local_lib

  require 'fastlib'
  require 'msfenv'
  require 'msf/ui'
  require 'msf/base'
end
unless exploit_name
  # This is what happens if the user doesn't specify a module name:
  # msfcli ends up loading EVERYTHING into memory to show a help menu plus a
  # list of the available modules, which is expensive.
  $stderr.puts "[*] Please wait while we load the module tree..."
  $framework = Msf::Simple::Framework.create

  # Renders one "Name / Description" table for a module set; every module is
  # instantiated (mod.new) just to read its display name.
  module_table = lambda do |header, prefix, module_set|
    table = Rex::Ui::Text::Table.new(
      'Header' => header,
      'Indent' => 4,
      'Columns' => [ 'Name', 'Description' ])
    module_set.each_module do |name, mod|
      table << [ prefix + name, mod.new.name ]
    end
    table.to_s + "\n"
  end

  listing = ''
  listing << module_table.call('Exploits', 'exploit/', $framework.exploits)
  listing << module_table.call('Auxiliary', 'auxiliary/', $framework.auxiliary)

  # usage exits the process, so nothing below runs on this path.
  usage(nil, listing)
end
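# Process special var/val pairs...
# NOTE(review): on this path $framework has not been created yet (it is only
# assigned in the no-module-name branch, which exits through usage, and again
# further down), so nil is passed here. Confirm process_cli_arguments copes.
Msf::Ui::Common.process_cli_arguments($framework, ARGV)

# Patterns for the modules we want loaded: the requested exploit/aux module,
# the default NOP module and the two default encoders. The module name is
# escaped so that it is matched as literal text rather than as a pattern.
whitelist = [
  Regexp.new(Regexp.escape(exploit_name.to_s)),
  /x86\/single_byte/,
  /x86\/shikata_ga_nai/,
  /generic\/none/
]

# Add whatever payload, encoder or NOP module the option=value pairs name.
# Option names are compared case-insensitively, because they are normally
# written in upper case (the datastore keys read below are 'PAYLOAD',
# 'ENCODER' and 'NOP'). The NOP branch calls guess_nop_name, the helper that
# is actually defined in this file.
ARGV.each do |arg|
  var, val = arg.split('=', 2)
  next if var.nil? || val.nil?

  whitelist.concat(guess_payload_name(val)) if var =~ /payload/i
  whitelist.concat(guess_encoder_name(val)) if var =~ /encoder/i
  whitelist.concat(guess_nop_name(val)) if var =~ /nop/i
end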
# Create the framework with module loading deferred, then load only the files
# that match the whitelist built from the command line.
$stderr.puts "[*] Initializing modules..."
$framework = Msf::Simple::Framework.create({'DeferModuleLoads'=>true})
$framework.init_module_paths({:whitelist=>whitelist})

# Report every module file that failed to load, with its error.
load_errors = $framework.modules.module_load_error_by_path
if load_errors.length > 0
  print("Warning: The following modules could not be loaded!\n\n")
  load_errors.each do |path, error|
    print("\t#{path}: #{error}\n\n")
  end
end
# Determine what type of module it is. An explicit "exploit/" or "auxiliary/"
# prefix picks the module set; the patterns are unanchored, so the prefix may
# appear anywhere in the name. A bare name is tried as an exploit first and
# as an auxiliary module second.
case exploit_name
when /exploit\/(.*)/
  exploit = $framework.exploits.create(Regexp.last_match(1))
  module_class = 'exploit'
when /auxiliary\/(.*)/
  exploit = $framework.auxiliary.create(Regexp.last_match(1))
  module_class = 'auxiliary'
else
  exploit = $framework.exploits.create(exploit_name)
  if exploit.nil?
    # Try falling back on aux modules
    exploit = $framework.auxiliary.create(exploit_name)
    module_class = 'auxiliary'
  end
end

# usage prints the error and exits, so `exploit` is non-nil past this point.
usage("Invalid module: #{exploit_name}") if exploit.nil?
# Attach stdio-backed input and output objects to the module.
exploit.init_ui(Rex::Ui::Text::Input::Stdio.new, Rex::Ui::Text::Output::Stdio.new)

# Evaluate the command (default to "help"). The last remaining argument is
# always taken as the mode, so an invocation that omits the mode has its final
# option=value pair consumed here instead.
mode = ARGV.pop || 'h'

# Import options: the remaining arguments are joined with the '_|_' delimiter
# and handed to the datastore as one string.
# NOTE(review): presumably a value that itself contains "_|_" would be split
# into separate entries by import_options_from_s; confirm against its parser.
option_string = ARGV.join('_|_')
begin
  exploit.datastore.import_options_from_s(option_string, '_|_')
rescue Rex::ArgumentParseError => e
  puts "[!] Error: #{e.message}\n\n"
  exit
end
# Initialize associated modules. Each one is created only when the exploit's
# datastore names it, and receives the same command-line options as the
# exploit. create may return nil, in which case the variable stays nil and the
# import is skipped.
payload = nil
encoder = nil
nop = nil

payload_name = exploit.datastore['PAYLOAD']
if payload_name
  payload = $framework.payloads.create(payload_name)
  payload.datastore.import_options_from_s(ARGV.join('_|_'), '_|_') unless payload.nil?
end

encoder_name = exploit.datastore['ENCODER']
if encoder_name
  encoder = $framework.encoders.create(encoder_name)
  encoder.datastore.import_options_from_s(ARGV.join('_|_'), '_|_') unless encoder.nil?
end

nop_name = exploit.datastore['NOP']
if nop_name
  nop = $framework.nops.create(nop_name)
  nop.datastore.import_options_from_s(ARGV.join('_|_'), '_|_') unless nop.nil?
end
# Calls one of the Msf::Serializer::ReadableText dump_* helpers by name. The
# constant is resolved only when a mode actually needs it.
render = lambda do |dumper, *args|
  Msf::Serializer::ReadableText.public_send(dumper, *args)
end

# Dispatch on the requested mode (case-insensitive).
case mode.downcase
when 'h'
  usage
when 's'
  # Summary: the main module first, then whichever helpers were created.
  $stdout.puts("\n" + render.call(:dump_module, exploit, Indent))
  [payload, encoder, nop].each do |mod|
    $stdout.puts("\n" + render.call(:dump_module, mod, Indent)) if mod
  end
when 'o'
  $stdout.puts("\n" + render.call(:dump_options, exploit, Indent))
  # NOTE(review): the NOP heading here has no colon, unlike the "\nNOP:\n\n"
  # heading printed by the advanced and evasion modes.
  [["\nPayload:\n\n", payload], ["\nEncoder:\n\n", encoder], ["\nNOP\n\n", nop]].each do |heading, mod|
    $stdout.puts(heading + render.call(:dump_options, mod, Indent)) if mod
  end
when 'a', 'i'
  dumper = mode.downcase == 'a' ? :dump_advanced_options : :dump_evasion_options
  $stdout.puts("\n" + render.call(dumper, exploit, Indent))
  [["\nPayload:\n\n", payload], ["\nEncoder:\n\n", encoder], ["\nNOP:\n\n", nop]].each do |heading, mod|
    $stdout.puts(heading + render.call(dumper, mod, Indent)) if mod
  end
when 'p'
  $stdout.puts(
    if module_class == 'exploit'
      "\n" + render.call(:dump_compatible_payloads, exploit, Indent, "Compatible payloads")
    else
      "\nError: This type of module does not support payloads"
    end
  )
when 't'
  $stdout.puts(
    if module_class == 'exploit'
      "\n" + render.call(:dump_exploit_targets, exploit, Indent)
    else
      "\nError: This type of module does not support targets"
    end
  )
when 'ac'
  $stdout.puts(
    if module_class == 'auxiliary'
      "\n" + render.call(:dump_auxiliary_actions, exploit, Indent)
    else
      "\nError: This type of module does not support actions"
    end
  )
when 'c'
  if module_class == 'exploit'
    begin
      code = exploit.check_simple(
        'LocalInput' => Rex::Ui::Text::Input::Stdio.new,
        'LocalOutput' => Rex::Ui::Text::Output::Stdio.new)
      if code
        # "[+]" only for a Vulnerable result; every other code gets "[*]".
        stat = code == Msf::Exploit::CheckCode::Vulnerable ? '[+]' : '[*]'
        $stdout.puts("#{stat} #{code[1]}")
      else
        $stderr.puts("Check failed: The state could not be determined.")
      end
    rescue => check_error
      # Any StandardError from the check routine is reported, not re-raised.
      $stderr.puts("Check failed: #{check_error}")
    end
  else
    $stdout.puts("\nError: This type of module does not support the check feature")
  end
when 'e'
  con = Msf::Ui::Console::Driver.new(
    Msf::Ui::Console::Driver::DefaultPrompt,
    Msf::Ui::Console::Driver::DefaultPromptChar,
    {
      'Framework' => $framework,
      # msfcli is used for speed, so the ASCII art banner is skipped.
      'DisableBanner' => true
    }
  )

  con.run_single("use #{module_class}/#{exploit.refname}")

  # Replay every remaining argument as a console "set" command.
  # NOTE(review): the pair is spliced into the command string without any
  # quoting, and an argument with no "=" yields an empty value; confirm how
  # run_single tokenizes values that contain whitespace or quotes.
  ARGV.each do |pair|
    key, value = pair.split("=", 2)
    con.run_single("set #{key} #{value}")
  end

  con.run_single("exploit")

  # If we have sessions or jobs, keep running
  if $framework.sessions.length > 0 || $framework.jobs.length > 0
    con.run
  else
    con.run_single("quit")
  end
else
  usage("Invalid mode #{mode}")
end

$stdout.puts