Class: Msf::Exploit

Inherits:
Module show all
Defined in:
lib/msf/core/exploit.rb,
lib/msf/core/exploit/capture.rb,
lib/msf/core/exploit/format/webarchive.rb,
lib/msf/core/exploit/remote/http/jboss.rb,
lib/msf/core/exploit/remote/http/typo3.rb,
lib/msf/core/exploit/remote/http/joomla.rb,
lib/msf/core/exploit/remote/java/rmi/util.rb,
lib/msf/core/exploit/remote/http/nagios_xi.rb,
lib/msf/core/exploit/remote/http/wordpress.rb,
lib/msf/core/exploit/remote/java/rmi/client.rb,
lib/msf/core/exploit/remote/kerberos/client.rb,
lib/msf/core/exploit/remote/http/http_cookie.rb,
lib/msf/core/exploit/remote/java/rmi/builder.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx.rb,
lib/msf/core/exploit/remote/kerberos/client/pac.rb,
lib/msf/core/exploit/remote/http/http_cookie_jar.rb,
lib/msf/core/exploit/remote/kerberos/client/base.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server.rb,
lib/msf/core/exploit/remote/kerberos/client/as_request.rb,
lib/msf/core/exploit/remote/kerberos/client/as_response.rb,
lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb,
lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry/parser.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry/builder.rb,
lib/msf/core/exploit/remote/kerberos/client/cache_credential.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server/parser.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server/builder.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder.rb

Overview

This module provides methods for sending and receiving raw packets. It should be preferred over the soon-to-be deprecated Rex::Socket::Ip and Msf::Exploit::Remote::Ip mixins.

Please see the pcaprub documentation for more information on how to use capture objects.

Direct Known Subclasses

Local, Remote

Defined Under Namespace

Modules: Android, AutoTarget, Brute, BruteTargets, Capture, CmdStager, CompatDefaults, DECT_COA, DHCPServer, EXE, Egghunter, FILEFORMAT, FileDropper, Format, FormatString, Git, HTTP, JSObfu, Java, JavaDeserialization, KernelMode, NTLM, ORACLE, Omelet, PDF, PDF_Parse, PhpEXE, Powershell, RIFF, RopDb, SQLi, Seh, Stance, TFTPServer, Type, ViewState, WbemExec, Windows_Constants Classes: CheckCode, Complete, Failed, Local, Remote

Constant Summary

Constants inherited from Module

Module::REPLICANT_EXTENSION_DS_KEY

Constants included from Module::ModuleInfo

Module::ModuleInfo::UpdateableOptions

Instance Attribute Summary collapse

Attributes inherited from Module

#error, #job_id, #license, #platform, #privileged, #references, #user_data

Attributes included from Framework::Offspring

#framework

Attributes included from Module::UUID

#uuid

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Attributes included from Module::Privileged

#priveli, #privileged

Attributes included from Module::Options

#options

Attributes included from Module::ModuleStore

#module_store

Attributes included from Module::ModuleInfo

#module_info

Attributes included from Module::FullName

#aliased_as

Attributes included from Module::DataStore

#datastore

Attributes included from Module::Author

#author

Attributes included from Module::Arch

#arch

Attributes included from Module::Alert

#alerts, #you_have_been_warned

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Module

#black_listed_auth_filenames, cached?, #debugging?, #default_cred?, #file_path, #framework, #has_check?, #orig_cls, #owner, #perform_extensions, #platform?, #platform_to_s, #post_auth?, #register_extensions, #register_parent, #replicant, #required_cred_options, #set_defaults, #workspace

Methods included from Module::Reliability

#reliability, #reliability_to_s

Methods included from Module::Stability

#stability, #stability_to_s

Methods included from Module::SideEffects

#side_effects, #side_effects_to_s

Methods included from Module::UUID

#generate_uuid

Methods included from Module::UI

#init_ui

Methods included from Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Module::UI::Line

#print_line, #print_line_prefix

Methods included from Module::UI::Line::Verbose

#vprint_line

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Methods included from Module::Type

#auxiliary?, #encoder?, #evasion?, #exploit?, #nop?, #payload?, #post?

Methods included from Module::Ranking

#rank, #rank_to_h, #rank_to_s

Methods included from Module::Privileged

#privileged?

Methods included from Module::Options

#deregister_options, #register_advanced_options, #register_evasion_options, #register_options, #validate

Methods included from Module::Network

#comm, #support_ipv6?, #target_host, #target_port

Methods included from Module::ModuleStore

#[], #[]=

Methods included from Module::ModuleInfo

#alias, #description, #disclosure_date, #info_fixups, #merge_check_key, #merge_info, #merge_info_advanced_options, #merge_info_alias, #merge_info_description, #merge_info_evasion_options, #merge_info_name, #merge_info_options, #merge_info_string, #merge_info_version, #name, #notes, #update_info

Methods included from Module::FullName

#aliases, #fullname, #promptname, #realname, #refname, #shortname

Methods included from Module::DataStore

#import_defaults, #import_target_defaults, #share_datastore

Methods included from Module::Compatibility

#compat, #compatible?

Methods included from Module::Author

#author_to_s, #each_author

Methods included from Module::Auth

#store_valid_credential

Methods included from Module::Arch

#arch?, #arch_to_s, #each_arch

Methods included from Module::Alert

#add_alert, #add_error, #add_warning, #alert_user, #errors, #get_alerts, included, #is_usable?, #warnings

Constructor Details

#initialize(info = {}) ⇒ Exploit

Creates an instance of the exploit module. Mad skillz.


249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
 
# File 'lib/msf/core/exploit.rb', line 249

def initialize(info = {})

  # Ghetto compat mirroring for payload compatibilities.  This mirrors
  #
  # Payload => Compat => xyz
  #
  # to
  #
  # Compat => Payload => xyz
  if (info['Payload'] and info['Payload']['Compat'])
    info['Compat'] = Hash.new if (info['Compat'] == nil)
    info['Compat']['Payload'] = Hash.new if (info['Compat']['Payload'] == nil)
    info['Compat']['Payload'].update(info['Payload']['Compat'])
  end

  # Call the parent constructor after making any necessary modifications
  # to the information hash.
  super(info)

  if info.key? 'DefaultTarget'
    self.default_target = info['DefaultTarget']
  else
    self.default_target = 0
    # Add an auto-target to the exploit if it doesn't have one
    if info['Targets'] && info['Targets'].count > 1 && !has_auto_target?(info['Targets'])
      # Finally, only add the target if there is a remote host option
      if self.respond_to?(:rhost) && self.respond_to?(:auto_targeted_index)
        auto = ["Automatic", {'AutoGenerated' => true}.merge(info['Targets'][self.default_target][1])]
        info['Targets'].unshift(auto)
      end
    end
  end

  self.targets = Rex::Transformer.transform(info['Targets'], Array, [ Target ], 'Targets')
  self.payload_info = info['Payload'] || {}
  self.successful = false
  self.session_count = 0
  self.active_timeout = 120
  self.fail_reason = Msf::Exploit::Failure::None

  if (info['Payload'] and info['Payload']['ActiveTimeout'])
    self.active_timeout = info['Payload']['ActiveTimeout'].to_i
  end

  # Initialize exploit datastore with target information
  import_target_defaults

  # All exploits can increase the delay when waiting for a session.
  # However, this only applies to aggressive exploits.
  if aggressive?
    register_advanced_options(
      [
        OptInt.new('WfsDelay', [ false, "Additional delay in seconds to wait for a session", 2 ])
      ], Msf::Exploit)
  end

  register_advanced_options(
    [
      # Allow all exploits to leverage context keyed encoding
      OptBool.new('EnableContextEncoding', [ false, "Use transient context when encoding payloads", false ]),
      OptPath.new('ContextInformationFile', [ false, "The information file that contains context information", nil ]),
      # Allow all exploits to disable their payload handlers
      OptBool.new('DisablePayloadHandler', [ false, "Disable the handler code for the selected payload", false ])
    ], Msf::Exploit)
end

Instance Attribute Details

#active_timeoutObject (protected)

Maximum number of seconds for active handlers


1579
1580
1581
 
# File 'lib/msf/core/exploit.rb', line 1579

def active_timeout
  @active_timeout
end

#default_targetObject

The default target.


1532
1533
1534
 
# File 'lib/msf/core/exploit.rb', line 1532

def default_target
  @default_target
end

#fail_detailObject

Detailed exception string indicating why the exploit was not successful


1523
1524
1525
 
# File 'lib/msf/core/exploit.rb', line 1523

def fail_detail
  @fail_detail
end

#fail_reasonObject

The reason why the exploit was not successful (one of Msf::Module::Failure)


1518
1519
1520
 
# File 'lib/msf/core/exploit.rb', line 1518

def fail_reason
  @fail_reason
end

#needs_cleanupObject

Returns the value of attribute needs_cleanup


244
245
246
 
# File 'lib/msf/core/exploit.rb', line 244

def needs_cleanup
  @needs_cleanup
end

#payloadObject

The encoded payload instance. An instance of an EncodedPayload object.


1545
1546
1547
 
# File 'lib/msf/core/exploit.rb', line 1545

def payload
  @payload
end

#payload_infoObject

The payload requirement hash.


1536
1537
1538
 
# File 'lib/msf/core/exploit.rb', line 1536

def payload_info
  @payload_info
end

#payload_instanceObject

The active payload instance.


1540
1541
1542
 
# File 'lib/msf/core/exploit.rb', line 1540

def payload_instance
  @payload_instance
end

#session_countObject

The number of active sessions created by this instance


1550
1551
1552
 
# File 'lib/msf/core/exploit.rb', line 1550

def session_count
  @session_count
end

#successfulObject

The boolean indicating whether the exploit succeeded


1555
1556
1557
 
# File 'lib/msf/core/exploit.rb', line 1555

def successful
  @successful
end

#targetsObject

The list of targets.


1528
1529
1530
 
# File 'lib/msf/core/exploit.rb', line 1528

def targets
  @targets
end

Class Method Details

.mixinsArray

Returns an array of all of the exploit mixins. Lame algorithm right now. We search the Msf::Exploit namespace for all modules that do not have any constants in them. In the future we can replace this with a better algorithm. It's just important that it returns an array of all of the mixin modules.

Returns:

  • (Array) 

212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
 
# File 'lib/msf/core/exploit.rb', line 212

def self.mixins
  mixins  = []
  wl      = [ Msf::Exploit ]
  visited = {}

  until wl.length == 0
    wl.delete_if { |mod|
      mod.constants.each { |const|
        child = mod.const_get(const)

        next if child.to_s !~ /^Msf::Exploit/

        next if visited[child]

        next if child.kind_of?(::Module) == false

        visited[child] = true

        if child.constants.length > 0
          wl << child
        else
          mixins << child
        end
      }

      true
    }
  end

  return mixins
end

.typeObject

Returns MODULE_EXPLOIT to indicate that this is an exploit module.


592
593
594
 
# File 'lib/msf/core/exploit.rb', line 592

def self.type
  Msf::MODULE_EXPLOIT
end

Instance Method Details

#add_handler(opts = {}) ⇒ Object

Allows the payload handler to spawn a new monitor


471
472
473
474
475
 
# File 'lib/msf/core/exploit.rb', line 471

def add_handler(opts={})
  return if not payload_instance
  return if not handler_enabled?
  payload_instance.add_handler(opts)
end

#aggressive?Boolean

Returns true if the exploit has an aggressive stance.

Returns:

  • (Boolean) 

620
621
622
 
# File 'lib/msf/core/exploit.rb', line 620

def aggressive?
  stance.include?(Stance::Aggressive)
end

#autofilterObject

Performs last-minute sanity checking of exploit parameters. This method is called during automated exploitation attempts and allows an exploit to filter bad targets, obtain more information, and choose better targets based on the available data. Returning anything that evaluates to “false” will cause this specific exploit attempt to be skipped. This method can and will change datastore values and may interact with the backend database.


353
354
355
 
# File 'lib/msf/core/exploit.rb', line 353

def autofilter
  true
end

#autofilter_portsObject

Provides a list of ports that can be used for matching this module against target systems.


361
362
363
 
# File 'lib/msf/core/exploit.rb', line 361

def autofilter_ports
  @autofilter_ports || []
end

#autofilter_servicesObject

Provides a list of services that can be used for matching this module against target systems.


369
370
371
 
# File 'lib/msf/core/exploit.rb', line 369

def autofilter_services
  @autofilter_services || []
end

#cleanupObject

Performs any cleanup that may be necessary, such as disconnecting connections and any other such fun things. If a payload is active then its handler cleanup routines are called as well.


423
424
425
426
427
428
 
# File 'lib/msf/core/exploit.rb', line 423

def cleanup
  if (payload_instance and handler_enabled?)
    payload_instance.cleanup_handler
  end
  self.abort_sockets if self.respond_to?(:abort_sockets)
end

#compatible_encodersObject

Returns a list of compatible encoders based on architecture


761
762
763
764
765
766
767
768
769
770
771
772
 
# File 'lib/msf/core/exploit.rb', line 761

def compatible_encoders
  encoders = []

  c_platform, c_arch = normalize_platform_arch

  framework.encoders.each_module_ranked(
    'Arch' => c_arch, 'Platform' => c_platform) { |name, mod|
    encoders << [ name, mod ]
  }

  return encoders;
end

#compatible_payloads(excluded_platforms: [], excluded_archs: []) ⇒ Object

Returns a list of compatible payloads based on platform, architecture, and size requirements.


737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
 
# File 'lib/msf/core/exploit.rb', line 737

def compatible_payloads(excluded_platforms: [], excluded_archs: [])
  payloads = []

  c_platform, c_arch = normalize_platform_arch

  # The "All" platform name represents generic payloads
  results = Msf::Modules::Metadata::Cache.instance.find(
    'type'     => [['payload'], []],
    'platform' => [[*c_platform.names, 'All'], excluded_platforms],
    'arch'     => [c_arch, excluded_archs]
  )

  results.each do |res|
    if is_payload_compatible?(res.ref_name)
      payloads << [res.ref_name, framework.payloads[res.ref_name]]
    end
  end

  payloads
end

#define_context_encoding_reqs(reqs) ⇒ Object (protected)

Gets the memory map file and other context information that is required when wanting to support context keyed encoding


1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
 
# File 'lib/msf/core/exploit.rb', line 1616

def define_context_encoding_reqs(reqs)
  return unless datastore['EnableContextEncoding']

  # At present, we don't support any automatic methods of obtaining
  # context information.  In the future, we might support obtaining
  # temporal information remotely.

  # Pass along the information specified in our exploit datastore as
  # encoder options
  reqs['EncoderOptions'] = {} if reqs['EncoderOptions'].nil?
  reqs['EncoderOptions']['EnableContextEncoding']  = datastore['EnableContextEncoding']
  reqs['EncoderOptions']['ContextInformationFile'] = datastore['ContextInformationFile']
end

#encode_begin(real_payload, reqs) ⇒ Object

Called prior to encoding a payload.


570
571
 
# File 'lib/msf/core/exploit.rb', line 570

def encode_begin(real_payload, reqs)
end

#encode_end(real_payload, reqs, encoded) ⇒ Object

Called after an encoded payload has been generated. This gives exploits or mixins a chance to alter the encoded payload.


577
578
579
 
# File 'lib/msf/core/exploit.rb', line 577

def encode_end(real_payload, reqs, encoded)
  encoded
end

#encode_shellcode_stub(code, badchars = payload_badchars) ⇒ Object

Allows arbitrary shellcode to be encoded from within an exploit


452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
 
# File 'lib/msf/core/exploit.rb', line 452

def encode_shellcode_stub(code, badchars=payload_badchars)
  platform = self.platform
  if(self.payload_instance)
    self.payload_instance.platform
  end
  compatible_encoders.each do |name, mod|
    begin
      enc = framework.encoders.create(name)
      raw = enc.encode(code, badchars, nil, platform)
      return raw if raw
    rescue ::Exception
    end
  end
  nil
end

#exploitObject

Kicks off the actual exploit. Prior to this call, the framework will have validated the data store using the options associated with this exploit module. It will also pre-generate the desired payload, though exploits can re-generate the payload if necessary.

This method is designed to be overriden by exploit modules.


341
342
 
# File 'lib/msf/core/exploit.rb', line 341

def exploit
end

#exploit_typeObject

If we don't know the exploit type, then I guess it's omnipresent!


606
607
608
 
# File 'lib/msf/core/exploit.rb', line 606

def exploit_type
  Type::Omni
end

#fail_with(reason, msg = nil) ⇒ void

This method returns an undefined value.

Raises a Msf::Exploit::Failed exception. It overrides the fail_with method in lib/msf/core/module.rb

Examples:

fail_with(Msf::Module::Failure::NoAccess, 'Unable to login to upload payload')

Parameters:

  • reason (String)

    A constant from Msf::Module::Failure. If the reason does not come from there, then it will default to Msf::Module::Failure::Unknown.

  • msg (String) (defaults to: nil)

    (Optional) A message about the failure.

Raises:

See Also:


1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
 
# File 'lib/msf/core/exploit.rb', line 1354

def fail_with(reason,msg=nil)
  # The reason being registered here will be used later on, so it's important we don't actually
  # provide a made-up one.
  allowed_values = Msf::Module::Failure.constants.collect {|e| Msf::Module::Failure.const_get(e)}
  if allowed_values.include?(reason)
    self.fail_reason = reason
  else
    self.fail_reason = Msf::Module::Failure::Unknown
  end

  self.fail_detail = msg
  raise Msf::Exploit::Failed, (msg || "No failure message given")
end

#generate_payload(pinst = nil) ⇒ Object

Generates the encoded version of the supplied payload using the payload requirements specific to this exploit. The encoded instance is returned to the caller. This method is exposed in the manner that it is such that passive exploits and re-generate an encoded payload on the fly rather than having to use the pre-generated one.

The return value is an EncodedPayload instance.


439
440
441
442
443
444
445
446
447
 
# File 'lib/msf/core/exploit.rb', line 439

def generate_payload(pinst = nil)
  # Set the encoded payload to the result of the encoding process
  self.payload = generate_single_payload(pinst)

  # Save the payload instance
  self.payload_instance = (pinst) ? pinst : self.payload_instance

  return self.payload
end

#generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil) ⇒ Object

This method generates a non-cached payload which is typically useful for passive exploits that will have more than one client.


481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
 
# File 'lib/msf/core/exploit.rb', line 481

def generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil)
  explicit_target ||= target

  if (explicit_target == nil)
    raise MissingTargetError, "No target has been specified.",
      caller
  end

  # If a payload instance was supplied, use it, otherwise
  # use the active payload instance
  real_payload = (pinst) ? pinst : self.payload_instance

  if (real_payload == nil)
    raise MissingPayloadError, "No payload has been selected.",
      caller
  end

  # If this is a generic payload, then we should specify the platform
  # and architecture so that it knows how to pass things on.
  if real_payload.kind_of?(Msf::Payload::Generic)
    # Convert the architecture specified into an array.
    if arch and arch.kind_of?(String)
      arch = [ arch ]
    end

    # Define the explicit platform and architecture information only if
    # it's been specified.
    if platform
      real_payload.explicit_platform = Msf::Module::PlatformList.transform(platform)
    end

    if arch
      real_payload.explicit_arch = arch
    end

    # Force it to reset so that it will find updated information.
    real_payload.reset
  end

  # Duplicate the exploit payload requirements
  reqs = self.payload_info.dup

  # Pass save register requirements to the NOP generator
  reqs['Space']           = payload_space(explicit_target)
  reqs['SaveRegisters']   = nop_save_registers(explicit_target)
  reqs['Prepend']         = payload_prepend(explicit_target)
  reqs['PrependEncoder']  = payload_prepend_encoder(explicit_target)
  reqs['BadChars']        = payload_badchars(explicit_target)
  reqs['Append']          = payload_append(explicit_target)
  reqs['AppendEncoder']   = payload_append_encoder(explicit_target)
  reqs['DisableNops']     = payload_disable_nops(explicit_target)
  reqs['MaxNops']         = payload_max_nops(explicit_target)
  reqs['MinNops']         = payload_min_nops(explicit_target)
  reqs['Encoder']         = datastore['ENCODER'] || payload_encoder(explicit_target)
  reqs['Nop']             = datastore['NOP'] || payload_nop(explicit_target)
  reqs['EncoderType']     = payload_encoder_type(explicit_target)
  reqs['EncoderOptions']  = payload_encoder_options(explicit_target)
  reqs['ExtendedOptions'] = payload_extended_options(explicit_target)
  reqs['Exploit']         = self

  # Pass along the encoder don't fall through flag
  reqs['EncoderDontFallThrough'] = datastore['EncoderDontFallThrough']

  # Incorporate any context encoding requirements that are needed
  define_context_encoding_reqs(reqs)

  # Call the encode begin routine.
  encode_begin(real_payload, reqs)

  # Generate the encoded payload.
  encoded = EncodedPayload.create(real_payload, reqs)

  # Call the encode end routine which is expected to return the actual
  # encoded payload instance.
  return encode_end(real_payload, reqs, encoded)
end

#handle_exception(e) ⇒ Object

Handle the exception


1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
 
# File 'lib/msf/core/exploit.rb', line 1385

def handle_exception e
  msg = setup_fail_detail_from_exception e

  case e
    when Msf::Exploit::Complete
      # Nothing to show in this case
      return

    when Msf::Exploit::Failed
      self.print_error("Exploit aborted due to failure: #{self.fail_reason}: #{msg}")

      # The caller should have already set self.fail_reason
      if self.fail_reason == Msf::Exploit::Failure::None
        self.fail_reason = Msf::Exploit::Failure::Unknown
      end

    when Rex::ConnectionError
      self.fail_reason = Msf::Exploit::Failure::Unreachable
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when Rex::BindFailed
      self.fail_reason = Msf::Exploit::Failure::BadConfig
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when Timeout::Error
      self.fail_reason = Msf::Exploit::Failure::TimeoutExpired
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when ::Interrupt
      self.fail_reason = Msf::Exploit::Failure::UserInterrupt
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)
    else

      # Compare as a string since not all error classes may be loaded
      case msg
        when /access.denied|Login Failed/i # Covers SMB as well as some generic errors
          self.fail_reason = Msf::Exploit::Failure::NoAccess
        when /connection reset/i
          self.fail_reason = Msf::Exploit::Failure::Disconnected
        when /connection timed out|SSL_connect|unreachable|connection was refused/i
          self.fail_reason = Msf::Exploit::Failure::Unreachable
        when /unable.*target/i
          self.fail_reason = Msf::Exploit::Failure::NoTarget
        when /execution expired/i
          self.fail_reason = Msf::Exploit::Failure::TimeoutExpired
        when /(doesn.t|not).*vulnerable|may.*patched/i
          self.fail_reason = Msf::Exploit::Failure::NotVulnerable
      end

      # The caller should have already set self.fail_reason
      if self.fail_reason == Msf::Exploit::Failure::None
        self.fail_reason = Msf::Exploit::Failure::Unknown
      end

      if self.fail_reason == Msf::Exploit::Failure::Unknown
        self.print_error("Exploit failed: #{msg}")
      else
        self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      end

      elog("Exploit failed (#{self.refname}): #{msg}", error: e)
  end

  # Record the error to various places
  self.framework.events.on_module_error(self, msg)

  # Report the failure (and attempt) in the database
  self.report_failure

  # Interrupt any session waiters in the handler
  self.interrupt_handler

  return self.fail_reason
end

#handler(*args) ⇒ Object

Passes the connection to the associated payload handler to see if the exploit succeeded and a connection has been established. The return value can be one of the Handler::constants.


1292
1293
1294
1295
1296
 
# File 'lib/msf/core/exploit.rb', line 1292

def handler(*args)
  if payload_instance && handler_enabled?
    payload_instance.handler(*args)
  end
end

#handler_bind?Boolean

If the payload uses a bind handler

Returns:

  • (Boolean) 

1277
1278
1279
 
# File 'lib/msf/core/exploit.rb', line 1277

def handler_bind?
  payload_instance && payload_instance.connection_type == 'bind'
end

#handler_enabled?Boolean

Allow the user to disable the payload handler

Returns:

  • (Boolean) 

1270
1271
1272
 
# File 'lib/msf/core/exploit.rb', line 1270

def handler_enabled?
  !datastore['DisablePayloadHandler']
end

#has_auto_target?(targets = []) ⇒ Boolean

Returns:

  • (Boolean) 

315
316
317
318
319
320
321
 
# File 'lib/msf/core/exploit.rb', line 315

def has_auto_target?(targets=[])
  target_names = targets.collect { |target| target.first}
  target_names.each do |target|
    return true if target =~ /Automatic/
  end
  return false
end

#init_compatObject (protected)

Overrides the base class method and serves to initialize default compatibilities for exploits


1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
 
# File 'lib/msf/core/exploit.rb', line 1591

def init_compat
  super

  #
  # Merge in payload compatible defaults
  #
  p = module_info['Compat']['Payload']

  CompatDefaults::Payload.each_pair { |k,v|
    (p[k]) ? p[k] << " #{v}" : p[k] = v
  }

  #
  # Set the default save registers if none have been explicitly
  # specified.
  #
  if (module_info['SaveRegisters'] == nil)
    module_info['SaveRegisters'] = [ 'esp', 'ebp' ]
  end
end

#interrupt_handlerObject 


1298
1299
1300
1301
1302
 
# File 'lib/msf/core/exploit.rb', line 1298

def interrupt_handler
  if payload_instance && handler_enabled? && payload_instance.respond_to?(:interrupt_wait_for_session)
    payload_instance.interrupt_wait_for_session()
  end
end

#is_payload_compatible?(name) ⇒ TrueClass, FalseClass

Returns whether the requested payload is compatible with the module.

Parameters:

  • payload_name (String)

    The payload name

Returns:

  • (TrueClass)

    Payload is compatible.

  • (FalseClass)

    Payload is not compatible.


705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
 
# File 'lib/msf/core/exploit.rb', line 705

def is_payload_compatible?(name)
  p = framework.payloads[name]

  return false unless p

  # Skip over payloads that are too big
  return false if payload_space && p.cached_size && p.cached_size > payload_space

  begin
    pi = p.new
  rescue ::Exception, ::LoadError => e
    wlog("Module #{name} failed to initialize: #{e}", 'core', LEV_0)
    return false
  end

  # Are we compatible in terms of conventions and connections and
  # what not?
  return false if !compatible?(pi)

  if self.needs_cleanup && !pi.can_cleanup
    return false
  end

  # If the payload is privileged but the exploit does not give
  # privileged access, then fail it.
  return false if !self.privileged && pi.privileged

  return true
end

#make_fast_nops(count) ⇒ String

Generates a NOP sled using the #make_nops method. The difference between this and #make_nops is this method is much faster, good for exploit developers that actually want huge chunks of NOPs. The downside of using this is the NOP sled is less randomized.

Parameters:

  • count (String)

    Number of NOPs to return.

Returns:

  • (String)

    NOPs


1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
 
# File 'lib/msf/core/exploit.rb', line 1059

def make_fast_nops(count)
  max_nop_chunk_size = 100

  if count < max_nop_chunk_size
    return make_nops(count)
  end

  nops = make_nops(max_nop_chunk_size)
  nops += nops while nops.length < count

  nops[0, count]
end

#make_nops(count) ⇒ Object

Generates a nop sled of a supplied length and returns it to the caller.


1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
 
# File 'lib/msf/core/exploit.rb', line 1076

def make_nops(count)
  # If we're debugging, then make_nops will return a safe sled.  We
  # currently assume x86.
  if debugging?
    return "\x90" * count
  end

  nop_sled = nil

  # If there is no payload instance then we can't succeed.
  return nil if (!payload_instance)

  payload_instance.compatible_nops.each { |nopname, nopmod|
    # Create an instance of the nop module
    nop = nopmod.new

    # The list of save registers
    save_regs = nop_save_registers || []

    if (save_regs.empty? == true)
      save_regs = nil
    end

    begin
      nop.copy_ui(self)

      nop_sled = nop.generate_sled(count,
        'BadChars'      => payload_badchars || '',
        'SaveRegisters' => save_regs)

      if nop_sled && nop_sled.length == count
        break
      else
        wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit", 'core', LEV_0)
      end
    rescue
      wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit: #{$!}",
        'core', LEV_0)
    end
  }

  nop_sled
end

#nop_generatorObject

Returns the first compatible NOP generator for this exploit's payload instance.


1041
1042
1043
1044
1045
1046
1047
 
# File 'lib/msf/core/exploit.rb', line 1041

def nop_generator
  return nil if (!payload_instance)

  payload_instance.compatible_nops.each { |nopname, nopmod|
    return nopmod.new
  }
end

#nop_save_registers(explicit_target = nil) ⇒ Object

Returns the list of registers that the NOP generator should save, if any. It will use the current target's save registers in precedence over those defined globally for the exploit module.

If there are no save registers, nil is returned.


1027
1028
1029
1030
1031
1032
1033
1034
1035
 
# File 'lib/msf/core/exploit.rb', line 1027

def nop_save_registers(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.save_registers)
    return explicit_target.save_registers
  else
    return module_info['SaveRegisters']
  end
end

#normalize_platform_archObject 


691
692
693
694
695
696
 
# File 'lib/msf/core/exploit.rb', line 691

def normalize_platform_arch
  c_platform = (target && target.platform) ? target.platform : platform
  c_arch     = (target && target.arch)     ? target.arch     : (arch == []) ? nil : arch
  c_arch   ||= [ ARCH_X86 ]
  return c_platform, c_arch
end

#on_new_session(session) ⇒ Object

This is called by the payload when a new session is created


1313
1314
1315
1316
 
# File 'lib/msf/core/exploit.rb', line 1313

def on_new_session(session)
  self.session_count += 1
  self.successful = true
end

#passive?Boolean

Returns if the exploit has a passive stance. Aggressive exploits are always aggressive.

Returns:

  • (Boolean) 

627
628
629
 
# File 'lib/msf/core/exploit.rb', line 627

def passive?
  stance.include?(Stance::Passive) && !stance.include?(Stance::Aggressive)
end

#pattern_create(length, sets = nil) ⇒ Object

Generate a non-repeating static random string


1254
1255
1256
 
# File 'lib/msf/core/exploit.rb', line 1254

def pattern_create(length, sets = nil)
  Rex::Text.pattern_create(length, sets)
end

#payload_append(explicit_target = nil) ⇒ Object

Return any text that should be appended to the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


826
827
828
829
830
831
832
833
834
 
# File 'lib/msf/core/exploit.rb', line 826

def payload_append(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_append)
    explicit_target.payload_append
  else
    payload_info['Append'] || ''
  end
end

#payload_append_encoder(explicit_target = nil) ⇒ Object

Return any text that should be appended to the encoder of the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


858
859
860
861
862
863
864
865
866
867
868
 
# File 'lib/msf/core/exploit.rb', line 858

def payload_append_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_append_encoder)
    p = explicit_target.payload_append_encoder
  else
    p = payload_info['AppendEncoder'] || ''
  end

  p
end

#payload_badchars(explicit_target = nil) ⇒ Object

Returns the bad characters that cannot be in any payload used by this exploit.


930
931
932
933
934
935
936
937
938
 
# File 'lib/msf/core/exploit.rb', line 930

def payload_badchars(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_badchars)
    explicit_target.payload_badchars
  else
    payload_info['BadChars']
  end
end

#payload_disable_nops(explicit_target = nil) ⇒ Object

Whether NOP generation should be enabled or disabled


873
874
875
876
877
878
879
880
881
 
# File 'lib/msf/core/exploit.rb', line 873

def payload_disable_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_disable_nops)
    explicit_target.payload_disable_nops
  else
    payload_info['DisableNops']
  end
end

#payload_encoder(explicit_target = nil) ⇒ Object

Returns the payload encoder that is associated with either the current target or the exploit in general.


944
945
946
947
948
949
950
951
952
 
# File 'lib/msf/core/exploit.rb', line 944

def payload_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder)
    explicit_target.payload_encoder
  else
    payload_info['Encoder']
  end
end

#payload_encoder_options(explicit_target = nil) ⇒ Object

Returns the payload encoder option hash that is used to initialize the datastore of the encoder that is selected when generating an encoded payload.


987
988
989
990
991
992
993
994
995
 
# File 'lib/msf/core/exploit.rb', line 987

def payload_encoder_options(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder_options)
    explicit_target.payload_encoder_options
  else
    payload_info['EncoderOptions']
  end
end

#payload_encoder_type(explicit_target = nil) ⇒ Object

Returns the payload encoder type that is associated with either the current target or the exploit in general.


972
973
974
975
976
977
978
979
980
 
# File 'lib/msf/core/exploit.rb', line 972

def payload_encoder_type(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder_type)
    explicit_target.payload_encoder_type
  else
    payload_info['EncoderType']
  end
end

#payload_extended_options(explicit_target = nil) ⇒ Object

Returns the payload extended options hash which is used to provide a location to store extended information that may be useful to a particular type of payload or mixin.


1002
1003
1004
1005
1006
1007
1008
1009
1010
 
# File 'lib/msf/core/exploit.rb', line 1002

def payload_extended_options(explicit_target = nil)
  explicit_target ||= target

  if explicit_target and explicit_target.payload_extended_options
    explicit_target.payload_extended_options
  else
    payload_info['ExtendedOptions']
  end
end

#payload_max_nops(explicit_target = nil) ⇒ Object

Maximum number of nops to use as a hint to the framework. Nil signifies that the framework should decide.


887
888
889
890
891
892
893
894
895
 
# File 'lib/msf/core/exploit.rb', line 887

def payload_max_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_max_nops)
    explicit_target.payload_max_nops
  else
    payload_info['MaxNops'] || nil
  end
end

#payload_min_nops(explicit_target = nil) ⇒ Object

Minimum number of nops to use as a hint to the framework. Nil signifies that the framework should decide.


901
902
903
904
905
906
907
908
909
 
# File 'lib/msf/core/exploit.rb', line 901

def payload_min_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_min_nops)
    explicit_target.payload_min_nops
  else
    payload_info['MinNops'] || nil
  end
end

#payload_nop(explicit_target = nil) ⇒ Object

Returns the payload NOP generator that is associated with either the current target or the exploit in general.


958
959
960
961
962
963
964
965
966
 
# File 'lib/msf/core/exploit.rb', line 958

def payload_nop(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_nop)
    explicit_target.payload_nop
  else
    payload_info['Nop']
  end
end

#payload_prepend(explicit_target = nil) ⇒ Object

Return any text that should be prepended to the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit. This automatically takes into account any require stack adjustments.


809
810
811
812
813
814
815
816
817
818
819
 
# File 'lib/msf/core/exploit.rb', line 809

def payload_prepend(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_prepend)
    p = explicit_target.payload_prepend
  else
    p = payload_info['Prepend'] || ''
  end

  stack_adjustment + p
end

#payload_prepend_encoder(explicit_target = nil) ⇒ Object

Return any text that should be prepended to the encoder of the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


841
842
843
844
845
846
847
848
849
850
851
 
# File 'lib/msf/core/exploit.rb', line 841

def payload_prepend_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_prepend_encoder)
    p = explicit_target.payload_prepend_encoder
  else
    p = payload_info['PrependEncoder'] || ''
  end

  p
end

#payload_space(explicit_target = nil) ⇒ Object

Returns the maximum amount of room the exploit has for a payload.


914
915
916
917
918
919
920
921
922
923
924
 
# File 'lib/msf/core/exploit.rb', line 914

def payload_space(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_space)
    explicit_target.payload_space
  elsif (payload_info['Space'])
    payload_info['Space'].to_i
  else
    nil
  end
end

#rand_char(bad = payload_badchars) ⇒ Object

Generate a random character avoiding the exploit's bad characters.


1243
1244
1245
1246
1247
1248
1249
 
# File 'lib/msf/core/exploit.rb', line 1243

def rand_char(bad=payload_badchars)
  if debugging?
    "A"
  else
    Rex::Text.rand_char(bad)
  end
end

#rand_text(length, bad = payload_badchars) ⇒ Object

Generate random text characters avoiding the exploit's bad characters.


1135
1136
1137
1138
1139
1140
1141
 
# File 'lib/msf/core/exploit.rb', line 1135

def rand_text(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text(length, bad)
  end
end

#rand_text_alpha(length, bad = payload_badchars) ⇒ Object

Generate random alpha characters avoiding the exploit's bad characters.


1171
1172
1173
1174
1175
1176
1177
 
# File 'lib/msf/core/exploit.rb', line 1171

def rand_text_alpha(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alpha(length, bad)
  end
end

#rand_text_alpha_lower(length, bad = payload_badchars) ⇒ Object

Generate random alpha lower characters avoiding the exploit's bad characters.


1195
1196
1197
1198
1199
1200
1201
 
# File 'lib/msf/core/exploit.rb', line 1195

def rand_text_alpha_lower(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, 'a')
  else
    Rex::Text.rand_text_alpha_lower(length, bad)
  end
end

#rand_text_alpha_upper(length, bad = payload_badchars) ⇒ Object

Generate random alpha upper characters avoiding the exploit's bad characters.


1183
1184
1185
1186
1187
1188
1189
 
# File 'lib/msf/core/exploit.rb', line 1183

def rand_text_alpha_upper(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alpha_upper(length, bad)
  end
end

#rand_text_alphanumeric(length, bad = payload_badchars) ⇒ Object

Generate random alphanumeric characters avoiding the exploit's bad characters.


1207
1208
1209
1210
1211
1212
1213
 
# File 'lib/msf/core/exploit.rb', line 1207

def rand_text_alphanumeric(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alphanumeric(length, bad)
  end
end

#rand_text_debug(length, char = 'A') ⇒ Object

Utility methods for generating random text that implicitly uses the exploit's bad character set.


1127
1128
1129
 
# File 'lib/msf/core/exploit.rb', line 1127

def rand_text_debug(length, char = 'A')
  char * (length.kind_of?(Range) ? length.first : length)
end

#rand_text_english(length, bad = payload_badchars) ⇒ Object

Generate random english-like avoiding the exploit's bad characters.


1147
1148
1149
1150
1151
1152
1153
 
# File 'lib/msf/core/exploit.rb', line 1147

def rand_text_english(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_english(length, bad)
  end
end

#rand_text_hex(length, bad = payload_badchars) ⇒ Object

Generate random hexadecimal characters avoiding the exploit's bad characters.


1231
1232
1233
1234
1235
1236
1237
 
# File 'lib/msf/core/exploit.rb', line 1231

def rand_text_hex(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, '0')
  else
    Rex::Text.rand_text_hex(length, bad)
  end
end

#rand_text_highascii(length, bad = payload_badchars) ⇒ Object

Generate random high ascii characters avoiding the exploit's bad characters.


1159
1160
1161
1162
1163
1164
1165
 
# File 'lib/msf/core/exploit.rb', line 1159

def rand_text_highascii(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_highascii(length, bad)
  end
end

#rand_text_numeric(length, bad = payload_badchars) ⇒ Object

Generate random numeric characters avoiding the exploit's bad characters.


1219
1220
1221
1222
1223
1224
1225
 
# File 'lib/msf/core/exploit.rb', line 1219

def rand_text_numeric(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, '0')
  else
    Rex::Text.rand_text_numeric(length, bad)
  end
end

#regenerate_payload(platform = nil, arch = nil, explicit_target = nil) ⇒ Object Also known as: exploit_regenerate_payload

Re-generates an encoded payload, typically called after something in the datastore has changed. An optional platform and architecture can be supplied as well.


563
564
565
 
# File 'lib/msf/core/exploit.rb', line 563

def regenerate_payload(platform = nil, arch = nil, explicit_target = nil)
  generate_single_payload(nil, platform, arch, explicit_target)
end

#register_autofilter_ports(ports = []) ⇒ Object

Adds a port into the list of ports


376
377
378
379
380
381
 
# File 'lib/msf/core/exploit.rb', line 376

def register_autofilter_ports(ports=[])
  @autofilter_ports ||= []
  @autofilter_ports << ports
  @autofilter_ports.flatten!
  @autofilter_ports.uniq!
end

#register_autofilter_services(services = []) ⇒ Object 


383
384
385
386
387
388
 
# File 'lib/msf/core/exploit.rb', line 383

def register_autofilter_services(services=[])
  @autofilter_services ||= []
  @autofilter_services << services
  @autofilter_services.flatten!
  @autofilter_services.uniq!
end

#report_failureObject 


1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
 
# File 'lib/msf/core/exploit.rb', line 1464

def report_failure
  return unless framework.db and framework.db.active

  info = {
    :timestamp   => Time.now.utc,
    :workspace   => framework.db.find_workspace(self.workspace),
    :module      => self.fullname,
    :fail_reason => self.fail_reason,
    :fail_detail => self.fail_detail,
    :target_name => self.target.name,
    :username    => self.owner,
    :refs        => self.references,
    :run_id      => self.datastore['RUN_ID']
  }

  if self.datastore['RHOST'] and self.options['RHOST']
    info[:host] = self.datastore['RHOST']
  end

  if self.datastore['RPORT'] and self.options['RPORT']
    info[:port] = self.datastore['RPORT']
    if self.class.ancestors.include?(Msf::Exploit::Remote::Tcp)
      info[:proto] = 'tcp'
    end
  end

  framework.db.report_exploit_failure(info)
end

#reset_session_countsObject

Reset the session counter to zero (which occurs during set up of the exploit prior to calling exploit).


1332
1333
1334
 
# File 'lib/msf/core/exploit.rb', line 1332

def reset_session_counts
  self.session_count = 0
end

#session_created?Boolean

A boolean for whether a session has been created yet

Returns:

  • (Boolean) 

1321
1322
1323
1324
1325
1326
 
# File 'lib/msf/core/exploit.rb', line 1321

def session_created?
  # Start bind handlers before checking session creation
  payload_instance.start_handler if handler_bind?

  (self.session_count > 0) ? true : false
end

#setupObject

Prepares the module for exploitation, initializes any state, and starts the payload handler.


394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
 
# File 'lib/msf/core/exploit.rb', line 394

def setup
  alert_user

  # Reset the session counts to zero.
  reset_session_counts

  return if not payload_instance
  return if not handler_enabled?

  # Configure the payload handler
  payload_instance.exploit_config = {
    'active_timeout' => self.active_timeout
  }

  # Set up the payload handlers
  payload_instance.setup_handler

  # Defer starting bind handlers until after exploit completion
  return if handler_bind?

  # Start the payload handler
  payload_instance.start_handler
end

#setup_fail_detail_from_exception(e) ⇒ Object 


1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
 
# File 'lib/msf/core/exploit.rb', line 1368

def setup_fail_detail_from_exception e
  # Build a user-friendly error message
  msg = "#{e}"
  unless e.class == Msf::Exploit::Failed
    msg = "#{e.class} #{e}"
  end

  self.error = e

  # Record the detailed reason
  self.fail_detail ||= e.to_s
  msg
end

#stack_adjustmentObject

This method returns the encoded instruction(s) required to adjust the stack pointer prior to executing any code. The number of bytes to adjust is indicated to the routine through the payload 'StackAdjustment' attribute or through a target's payload 'StackAdjustment' attribute.


780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
 
# File 'lib/msf/core/exploit.rb', line 780

def stack_adjustment
  if target && target.payload_stack_adjustment
    adj = target.payload_stack_adjustment
  else
    adj = payload_info['StackAdjustment']
  end

  return '' unless adj

  # Get the architecture for the current target or use the one specific to
  # this exploit
  arch = (target && target.arch) ? target.arch : self.arch

  # Default to x86 if we can't find a list of architectures
  if arch && !arch.empty?
    arch = [arch].flatten.join(', ')
  else
    arch = 'x86'
  end

  Rex::Arch::adjust_stack_pointer(arch, adj) || ''
end

#stanceObject

Generally, all exploits take an aggressive stance.


613
614
615
 
# File 'lib/msf/core/exploit.rb', line 613

def stance
  module_info['Stance'] || Stance::Aggressive
end

#targetObject

Returns the active target for this exploit. If not target has been defined, nil is returned. If no target was defined but there is a default target, that one will be automatically used.


636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
 
# File 'lib/msf/core/exploit.rb', line 636

def target
  if self.respond_to?(:auto_targeted_index)
    if auto_target?
      auto_idx = auto_targeted_index
      if auto_idx.present?
        datastore['TARGET'] = auto_idx
      else
        # If our inserted Automatic Target was selected but we failed to
        # find a suitable target, we just grab the original first target.
        datastore['TARGET'] = 1
      end
    end
  end

  target_idx = target_index
  return (target_idx) ? targets[target_idx.to_i] : nil
end

#target_archObject

Returns the target's architecture, or the one assigned to the module itself.


687
688
689
 
# File 'lib/msf/core/exploit.rb', line 687

def target_arch
  (target and target.arch) ? target.arch : (arch == []) ? nil : arch
end

#target_indexObject

The target index that has been selected.


657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
 
# File 'lib/msf/core/exploit.rb', line 657

def target_index
  target_idx =
    begin
      Integer(datastore['TARGET'])
    rescue TypeError, ArgumentError
      datastore['TARGET']
    end

  default_idx = default_target || 0
  # Use the default target if one was not supplied.
  if (target_idx == nil and default_idx and default_idx >= 0)
    target_idx = default_idx
  elsif target_idx.is_a?(String)
    target_idx = targets.index { |target| target.name == target_idx }
  end

  return (target_idx) ? target_idx.to_i : nil
end

#target_platformObject

Returns the target's platform, or the one assigned to the module itself.


679
680
681
 
# File 'lib/msf/core/exploit.rb', line 679

def target_platform
  (target and target.platform) ? target.platform : platform
end

#typeObject

Returns MODULE_EXPLOIT to indicate that this is an exploit module.


599
600
601
 
# File 'lib/msf/core/exploit.rb', line 599

def type
  Msf::MODULE_EXPLOIT
end

#wfs_delayObject

The minimum “wait for session” delay is 3 seconds for all exploits, the WfsDelay configuration option is added on top of this. The delay allows time for the session handler to perform any session verification.


1263
1264
1265
 
# File 'lib/msf/core/exploit.rb', line 1263

def wfs_delay
  (datastore['WfsDelay'] || 0).to_i + 3
end