Class: Msf::Exploit

Inherits:
Module show all
Defined in:
lib/msf/core/exploit.rb,
lib/msf/core/exploit/capture.rb,
lib/msf/core/exploit/format/webarchive.rb,
lib/msf/core/exploit/remote/http/jboss.rb,
lib/msf/core/exploit/remote/http/typo3.rb,
lib/msf/core/exploit/remote/http/joomla.rb,
lib/msf/core/exploit/remote/http/moodle.rb,
lib/msf/core/exploit/remote/http/pihole.rb,
lib/msf/core/exploit/remote/http/exchange.rb,
lib/msf/core/exploit/remote/java/rmi/util.rb,
lib/msf/core/exploit/remote/http/nagios_xi.rb,
lib/msf/core/exploit/remote/http/wordpress.rb,
lib/msf/core/exploit/remote/http/sharepoint.rb,
lib/msf/core/exploit/remote/java/rmi/client.rb,
lib/msf/core/exploit/remote/kerberos/client.rb,
lib/msf/core/exploit/remote/http/http_cookie.rb,
lib/msf/core/exploit/remote/java/rmi/builder.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx.rb,
lib/msf/core/exploit/remote/kerberos/client/pac.rb,
lib/msf/core/exploit/remote/http/http_cookie_jar.rb,
lib/msf/core/exploit/remote/kerberos/client/base.rb,
lib/msf/core/exploit/remote/http/kubernetes/error.rb,
lib/msf/core/exploit/remote/http/kubernetes/client.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server.rb,
lib/msf/core/exploit/remote/kerberos/client/as_request.rb,
lib/msf/core/exploit/remote/kerberos/client/as_response.rb,
lib/msf/core/exploit/remote/kerberos/client/tgs_request.rb,
lib/msf/core/exploit/remote/kerberos/client/tgs_response.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry/parser.rb,
lib/msf/core/exploit/remote/java/rmi/client/registry/builder.rb,
lib/msf/core/exploit/remote/kerberos/client/cache_credential.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server/parser.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/server/builder.rb,
lib/msf/core/exploit/remote/java/rmi/client/jmx/connection/builder.rb

Overview

This module provides methods for sending and receiving raw packets. It should be preferred over the soon-to-be deprecated Rex::Socket::Ip and Msf::Exploit::Remote::Ip mixins.

Please see the pcaprub documentation for more information on how to use capture objects.

Direct Known Subclasses

Local, Remote

Defined Under Namespace

Modules: Android, AutoTarget, Brute, BruteTargets, Capture, CmdStager, CompatDefaults, DECT_COA, DHCPServer, EXE, Egghunter, FILEFORMAT, FileDropper, Format, FormatString, Git, HTTP, JSObfu, Java, JavaDeserialization, KernelMode, NTLM, ORACLE, Omelet, PDF, PDF_Parse, PhpEXE, Powershell, RIFF, Retry, RopDb, SMB, SQLi, Seh, Stance, TFTPServer, Type, ViewState, WbemExec, Windows_Constants Classes: CheckCode, Complete, Failed, Local, Remote

Constant Summary

Constants inherited from Module

Module::REPLICANT_EXTENSION_DS_KEY

Constants included from Module::ModuleInfo

Module::ModuleInfo::UpdateableOptions

Instance Attribute Summary collapse

Attributes inherited from Module

#error, #job_id, #license, #platform, #privileged, #references, #user_data

Attributes included from Framework::Offspring

#framework

Attributes included from Module::UUID

#uuid

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Attributes included from Module::Privileged

#priveli, #privileged

Attributes included from Module::Options

#options

Attributes included from Module::ModuleStore

#module_store

Attributes included from Module::ModuleInfo

#module_info

Attributes included from Module::FullName

#aliased_as

Attributes included from Module::DataStore

#datastore

Attributes included from Module::Author

#author

Attributes included from Module::Arch

#arch

Attributes included from Module::Alert

#alerts, #you_have_been_warned

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Module

#black_listed_auth_filenames, cached?, #debugging?, #default_cred?, #file_path, #framework, #has_check?, #orig_cls, #owner, #perform_extensions, #platform?, #platform_to_s, #post_auth?, #register_extensions, #register_parent, #replicant, #required_cred_options, #set_defaults, #workspace

Methods included from Module::Reliability

#reliability, #reliability_to_s

Methods included from Module::Stability

#stability, #stability_to_s

Methods included from Module::SideEffects

#side_effects, #side_effects_to_s

Methods included from Module::UUID

#generate_uuid

Methods included from Module::UI

#init_ui

Methods included from Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Module::UI::Line

#print_line, #print_line_prefix

Methods included from Module::UI::Line::Verbose

#vprint_line

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Methods included from Module::Type

#auxiliary?, #encoder?, #evasion?, #exploit?, #nop?, #payload?, #post?

Methods included from Module::Ranking

#rank, #rank_to_h, #rank_to_s

Methods included from Module::Privileged

#privileged?

Methods included from Module::Options

#deregister_options, #register_advanced_options, #register_evasion_options, #register_options, #validate

Methods included from Module::Network

#comm, #support_ipv6?, #target_host, #target_port

Methods included from Module::ModuleStore

#[], #[]=

Methods included from Module::ModuleInfo

#alias, #description, #disclosure_date, #info_fixups, #merge_check_key, #merge_info, #merge_info_advanced_options, #merge_info_alias, #merge_info_description, #merge_info_evasion_options, #merge_info_name, #merge_info_options, #merge_info_string, #merge_info_version, #name, #notes, #update_info

Methods included from Module::FullName

#aliases, #fullname, #promptname, #realname, #refname, #shortname

Methods included from Module::DataStore

#import_defaults, #import_target_defaults, #share_datastore

Methods included from Module::Compatibility

#compat, #compatible?

Methods included from Module::Author

#author_to_s, #each_author

Methods included from Module::Auth

#store_valid_credential

Methods included from Module::Arch

#arch?, #arch_to_s, #each_arch

Methods included from Module::Alert

#add_alert, #add_error, #add_warning, #alert_user, #errors, #get_alerts, included, #is_usable?, #warnings

Constructor Details

#initialize(info = {}) ⇒ Exploit

Creates an instance of the exploit module. Mad skillz.


249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
# File 'lib/msf/core/exploit.rb', line 249

def initialize(info = {})

  # Ghetto compat mirroring for payload compatibilities.  This mirrors
  #
  # Payload => Compat => xyz
  #
  # to
  #
  # Compat => Payload => xyz
  if (info['Payload'] and info['Payload']['Compat'])
    info['Compat'] = Hash.new if (info['Compat'] == nil)
    info['Compat']['Payload'] = Hash.new if (info['Compat']['Payload'] == nil)
    info['Compat']['Payload'].update(info['Payload']['Compat'])
  end

  # Call the parent constructor after making any necessary modifications
  # to the information hash.
  super(info)

  if info.key? 'DefaultTarget'
    self.default_target = info['DefaultTarget']
  else
    self.default_target = 0
    # Add an auto-target to the exploit if it doesn't have one
    if info['Targets'] && info['Targets'].count > 1 && !has_auto_target?(info['Targets'])
      # Finally, only add the target if there is a remote host option
      if self.respond_to?(:rhost) && self.respond_to?(:auto_targeted_index)
        auto = ["Automatic", {'AutoGenerated' => true}.merge(info['Targets'][self.default_target][1])]
        info['Targets'].unshift(auto)
      end
    end
  end

  self.targets = Rex::Transformer.transform(info['Targets'], Array, [ Target ], 'Targets')
  self.payload_info = info['Payload'] || {}
  self.successful = false
  self.session_count = 0
  self.active_timeout = 120
  self.fail_reason = Msf::Exploit::Failure::None

  if (info['Payload'] and info['Payload']['ActiveTimeout'])
    self.active_timeout = info['Payload']['ActiveTimeout'].to_i
  end

  # Initialize exploit datastore with target information
  import_target_defaults

  # All exploits can increase the delay when waiting for a session.
  # However, this only applies to aggressive exploits.
  if aggressive?
    register_advanced_options(
      [
        OptInt.new('WfsDelay', [ false, "Additional delay in seconds to wait for a session", 2 ])
      ], Msf::Exploit)
  end

  register_advanced_options(
    [
      # Allow all exploits to leverage context keyed encoding
      OptBool.new('EnableContextEncoding', [ false, "Use transient context when encoding payloads", false ]),
      OptPath.new('ContextInformationFile', [ false, "The information file that contains context information", nil ]),
      # Allow all exploits to disable their payload handlers
      OptBool.new('DisablePayloadHandler', [ false, "Disable the handler code for the selected payload", false ])
    ], Msf::Exploit)
end

Instance Attribute Details

#active_timeoutObject (protected)

Maximum number of seconds for active handlers


1580
1581
1582
# File 'lib/msf/core/exploit.rb', line 1580

def active_timeout
  @active_timeout
end

#default_targetObject

The default target.


1533
1534
1535
# File 'lib/msf/core/exploit.rb', line 1533

def default_target
  @default_target
end

#fail_detailObject

Detailed exception string indicating why the exploit was not successful


1524
1525
1526
# File 'lib/msf/core/exploit.rb', line 1524

def fail_detail
  @fail_detail
end

#fail_reasonObject

The reason why the exploit was not successful (one of Msf::Module::Failure)


1519
1520
1521
# File 'lib/msf/core/exploit.rb', line 1519

def fail_reason
  @fail_reason
end

#needs_cleanupObject

Returns the value of attribute needs_cleanup.


244
245
246
# File 'lib/msf/core/exploit.rb', line 244

def needs_cleanup
  @needs_cleanup
end

#payloadObject

The encoded payload instance. An instance of an EncodedPayload object.


1546
1547
1548
# File 'lib/msf/core/exploit.rb', line 1546

def payload
  @payload
end

#payload_infoObject

The payload requirement hash.


1537
1538
1539
# File 'lib/msf/core/exploit.rb', line 1537

def payload_info
  @payload_info
end

#payload_instanceObject

The active payload instance.


1541
1542
1543
# File 'lib/msf/core/exploit.rb', line 1541

def payload_instance
  @payload_instance
end

#session_countObject

The number of active sessions created by this instance


1551
1552
1553
# File 'lib/msf/core/exploit.rb', line 1551

def session_count
  @session_count
end

#successfulObject

The boolean indicating whether the exploit succeeded


1556
1557
1558
# File 'lib/msf/core/exploit.rb', line 1556

def successful
  @successful
end

#targetsObject

The list of targets.


1529
1530
1531
# File 'lib/msf/core/exploit.rb', line 1529

def targets
  @targets
end

Class Method Details

.mixinsArray

Returns an array of all of the exploit mixins. Lame algorithm right now. We search the Msf::Exploit namespace for all modules that do not have any constants in them. In the future we can replace this with a better algorithm. It's just important that it returns an array of all of the mixin modules.

Returns:

  • (Array)

212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
# File 'lib/msf/core/exploit.rb', line 212

def self.mixins
  mixins  = []
  wl      = [ Msf::Exploit ]
  visited = {}

  until wl.length == 0
    wl.delete_if { |mod|
      mod.constants.each { |const|
        child = mod.const_get(const)

        next if child.to_s !~ /^Msf::Exploit/

        next if visited[child]

        next if child.kind_of?(::Module) == false

        visited[child] = true

        if child.constants.length > 0
          wl << child
        else
          mixins << child
        end
      }

      true
    }
  end

  return mixins
end

.typeObject

Returns MODULE_EXPLOIT to indicate that this is an exploit module.


592
593
594
# File 'lib/msf/core/exploit.rb', line 592

def self.type
  Msf::MODULE_EXPLOIT
end

Instance Method Details

#add_handler(opts = {}) ⇒ Object

Allows the payload handler to spawn a new monitor


471
472
473
474
475
# File 'lib/msf/core/exploit.rb', line 471

def add_handler(opts={})
  return if not payload_instance
  return if not handler_enabled?
  payload_instance.add_handler(opts)
end

#aggressive?Boolean

Returns true if the exploit has an aggressive stance.

Returns:

  • (Boolean)

620
621
622
# File 'lib/msf/core/exploit.rb', line 620

def aggressive?
  stance.include?(Stance::Aggressive)
end

#autofilterObject

Performs last-minute sanity checking of exploit parameters. This method is called during automated exploitation attempts and allows an exploit to filter bad targets, obtain more information, and choose better targets based on the available data. Returning anything that evaluates to “false” will cause this specific exploit attempt to be skipped. This method can and will change datastore values and may interact with the backend database.


353
354
355
# File 'lib/msf/core/exploit.rb', line 353

def autofilter
  true
end

#autofilter_portsObject

Provides a list of ports that can be used for matching this module against target systems.


361
362
363
# File 'lib/msf/core/exploit.rb', line 361

def autofilter_ports
  @autofilter_ports || []
end

#autofilter_servicesObject

Provides a list of services that can be used for matching this module against target systems.


369
370
371
# File 'lib/msf/core/exploit.rb', line 369

def autofilter_services
  @autofilter_services || []
end

#cleanupObject

Performs any cleanup that may be necessary, such as disconnecting connections and any other such fun things. If a payload is active then its handler cleanup routines are called as well.


423
424
425
426
427
428
# File 'lib/msf/core/exploit.rb', line 423

def cleanup
  if (payload_instance and handler_enabled?)
    payload_instance.cleanup_handler
  end
  self.abort_sockets if self.respond_to?(:abort_sockets)
end

#compatible_encodersObject

Returns a list of compatible encoders based on architecture


757
758
759
760
761
762
763
764
765
766
767
768
# File 'lib/msf/core/exploit.rb', line 757

def compatible_encoders
  encoders = []

  c_platform, c_arch = normalize_platform_arch

  framework.encoders.each_module_ranked(
    'Arch' => c_arch, 'Platform' => c_platform) { |name, mod|
    encoders << [ name, mod ]
  }

  return encoders;
end

#compatible_payloads(excluded_platforms: [], excluded_archs: []) ⇒ Object

Returns a list of compatible payloads based on platform, architecture, and size requirements.


733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
# File 'lib/msf/core/exploit.rb', line 733

def compatible_payloads(excluded_platforms: [], excluded_archs: [])
  payloads = []

  c_platform, c_arch = normalize_platform_arch

  # The "All" platform name represents generic payloads
  results = Msf::Modules::Metadata::Cache.instance.find(
    'type'     => [['payload'], []],
    'platform' => [[*c_platform.names, 'All'], excluded_platforms],
    'arch'     => [c_arch, excluded_archs]
  )

  results.each do |res|
    if is_payload_compatible?(res.ref_name)
      payloads << [res.ref_name, framework.payloads[res.ref_name]]
    end
  end

  payloads
end

#define_context_encoding_reqs(reqs) ⇒ Object (protected)

Gets the memory map file and other context information that is required when wanting to support context keyed encoding


1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
# File 'lib/msf/core/exploit.rb', line 1617

def define_context_encoding_reqs(reqs)
  return unless datastore['EnableContextEncoding']

  # At present, we don't support any automatic methods of obtaining
  # context information.  In the future, we might support obtaining
  # temporal information remotely.

  # Pass along the information specified in our exploit datastore as
  # encoder options
  reqs['EncoderOptions'] = {} if reqs['EncoderOptions'].nil?
  reqs['EncoderOptions']['EnableContextEncoding']  = datastore['EnableContextEncoding']
  reqs['EncoderOptions']['ContextInformationFile'] = datastore['ContextInformationFile']
end

#encode_begin(real_payload, reqs) ⇒ Object

Called prior to encoding a payload.


570
571
# File 'lib/msf/core/exploit.rb', line 570

def encode_begin(real_payload, reqs)
end

#encode_end(real_payload, reqs, encoded) ⇒ Object

Called after an encoded payload has been generated. This gives exploits or mixins a chance to alter the encoded payload.


577
578
579
# File 'lib/msf/core/exploit.rb', line 577

def encode_end(real_payload, reqs, encoded)
  encoded
end

#encode_shellcode_stub(code, badchars = payload_badchars) ⇒ Object

Allows arbitrary shellcode to be encoded from within an exploit


452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
# File 'lib/msf/core/exploit.rb', line 452

def encode_shellcode_stub(code, badchars=payload_badchars)
  platform = self.platform
  if(self.payload_instance)
    self.payload_instance.platform
  end
  compatible_encoders.each do |name, mod|
    begin
      enc = framework.encoders.create(name)
      raw = enc.encode(code, badchars, nil, platform)
      return raw if raw
    rescue ::Exception
    end
  end
  nil
end

#exploitObject

Kicks off the actual exploit. Prior to this call, the framework will have validated the data store using the options associated with this exploit module. It will also pre-generate the desired payload, though exploits can re-generate the payload if necessary.

This method is designed to be overriden by exploit modules.


341
342
# File 'lib/msf/core/exploit.rb', line 341

def exploit
end

#exploit_typeObject

If we don't know the exploit type, then I guess it's omnipresent!


606
607
608
# File 'lib/msf/core/exploit.rb', line 606

def exploit_type
  Type::Omni
end

#fail_with(reason, msg = nil) ⇒ void

This method returns an undefined value.

Raises a Msf::Exploit::Failed exception. It overrides the fail_with method in lib/msf/core/module.rb

Examples:

fail_with(Msf::Module::Failure::NoAccess, 'Unable to login to upload payload')

Parameters:

  • reason (String)

    A constant from Msf::Module::Failure. If the reason does not come from there, then it will default to Msf::Module::Failure::Unknown.

  • msg (String) (defaults to: nil)

    (Optional) A message about the failure.

Raises:

See Also:


1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
# File 'lib/msf/core/exploit.rb', line 1350

def fail_with(reason,msg=nil)
  # The reason being registered here will be used later on, so it's important we don't actually
  # provide a made-up one.
  allowed_values = Msf::Module::Failure.constants.collect {|e| Msf::Module::Failure.const_get(e)}
  if allowed_values.include?(reason)
    self.fail_reason = reason
  else
    self.fail_reason = Msf::Module::Failure::Unknown
  end

  self.fail_detail = msg
  raise Msf::Exploit::Failed, (msg || "No failure message given")
end

#generate_payload(pinst = nil) ⇒ Object

Generates the encoded version of the supplied payload using the payload requirements specific to this exploit. The encoded instance is returned to the caller. This method is exposed in the manner that it is such that passive exploits and re-generate an encoded payload on the fly rather than having to use the pre-generated one.

The return value is an EncodedPayload instance.


439
440
441
442
443
444
445
446
447
# File 'lib/msf/core/exploit.rb', line 439

def generate_payload(pinst = nil)
  # Set the encoded payload to the result of the encoding process
  self.payload = generate_single_payload(pinst)

  # Save the payload instance
  self.payload_instance = (pinst) ? pinst : self.payload_instance

  return self.payload
end

#generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil) ⇒ Object

This method generates a non-cached payload which is typically useful for passive exploits that will have more than one client.


481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
# File 'lib/msf/core/exploit.rb', line 481

def generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil)
  explicit_target ||= target

  if (explicit_target == nil)
    raise MissingTargetError, "No target has been specified.",
      caller
  end

  # If a payload instance was supplied, use it, otherwise
  # use the active payload instance
  real_payload = (pinst) ? pinst : self.payload_instance

  if (real_payload == nil)
    raise MissingPayloadError, "No payload has been selected.",
      caller
  end

  # If this is a generic payload, then we should specify the platform
  # and architecture so that it knows how to pass things on.
  if real_payload.kind_of?(Msf::Payload::Generic)
    # Convert the architecture specified into an array.
    if arch and arch.kind_of?(String)
      arch = [ arch ]
    end

    # Define the explicit platform and architecture information only if
    # it's been specified.
    if platform
      real_payload.explicit_platform = Msf::Module::PlatformList.transform(platform)
    end

    if arch
      real_payload.explicit_arch = arch
    end

    # Force it to reset so that it will find updated information.
    real_payload.reset
  end

  # Duplicate the exploit payload requirements
  reqs = self.payload_info.dup

  # Pass save register requirements to the NOP generator
  reqs['Space']           = payload_space(explicit_target)
  reqs['SaveRegisters']   = nop_save_registers(explicit_target)
  reqs['Prepend']         = payload_prepend(explicit_target)
  reqs['PrependEncoder']  = payload_prepend_encoder(explicit_target)
  reqs['BadChars']        = payload_badchars(explicit_target)
  reqs['Append']          = payload_append(explicit_target)
  reqs['AppendEncoder']   = payload_append_encoder(explicit_target)
  reqs['DisableNops']     = payload_disable_nops(explicit_target)
  reqs['MaxNops']         = payload_max_nops(explicit_target)
  reqs['MinNops']         = payload_min_nops(explicit_target)
  reqs['Encoder']         = datastore['ENCODER'] || payload_encoder(explicit_target)
  reqs['Nop']             = datastore['NOP'] || payload_nop(explicit_target)
  reqs['EncoderType']     = payload_encoder_type(explicit_target)
  reqs['EncoderOptions']  = payload_encoder_options(explicit_target)
  reqs['ExtendedOptions'] = payload_extended_options(explicit_target)
  reqs['Exploit']         = self

  # Pass along the encoder don't fall through flag
  reqs['EncoderDontFallThrough'] = datastore['EncoderDontFallThrough']

  # Incorporate any context encoding requirements that are needed
  define_context_encoding_reqs(reqs)

  # Call the encode begin routine.
  encode_begin(real_payload, reqs)

  # Generate the encoded payload.
  encoded = EncodedPayload.create(real_payload, reqs)

  # Call the encode end routine which is expected to return the actual
  # encoded payload instance.
  return encode_end(real_payload, reqs, encoded)
end

#handle_exception(e) ⇒ Object

Handle the exception


1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
# File 'lib/msf/core/exploit.rb', line 1381

def handle_exception e
  msg = setup_fail_detail_from_exception e

  case e
    when Msf::Exploit::Complete
      # Nothing to show in this case
      return

    when Msf::OptionValidateError
      self.fail_reason = Msf::Exploit::Failure::BadConfig
      ::Msf::Ui::Formatter::OptionValidateError.print_error(self, e)
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when Msf::Exploit::Failed
      self.print_error("Exploit aborted due to failure: #{self.fail_reason}: #{msg}")

      # The caller should have already set self.fail_reason
      if self.fail_reason == Msf::Exploit::Failure::None
        self.fail_reason = Msf::Exploit::Failure::Unknown
      end

    when Rex::ConnectionError
      self.fail_reason = Msf::Exploit::Failure::Unreachable
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when Rex::BindFailed
      self.fail_reason = Msf::Exploit::Failure::BadConfig
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when Timeout::Error
      self.fail_reason = Msf::Exploit::Failure::TimeoutExpired
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when ::Interrupt
      self.fail_reason = Msf::Exploit::Failure::UserInterrupt
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)
    else

      # Compare as a string since not all error classes may be loaded
      case msg
        when /access.denied|Login Failed/i # Covers SMB as well as some generic errors
          self.fail_reason = Msf::Exploit::Failure::NoAccess
        when /connection reset/i
          self.fail_reason = Msf::Exploit::Failure::Disconnected
        when /connection timed out|SSL_connect|unreachable|connection was refused/i
          self.fail_reason = Msf::Exploit::Failure::Unreachable
        when /unable.*target/i
          self.fail_reason = Msf::Exploit::Failure::NoTarget
        when /execution expired/i
          self.fail_reason = Msf::Exploit::Failure::TimeoutExpired
        when /(doesn.t|not).*vulnerable|may.*patched/i
          self.fail_reason = Msf::Exploit::Failure::NotVulnerable
      end

      # The caller should have already set self.fail_reason
      if self.fail_reason == Msf::Exploit::Failure::None
        self.fail_reason = Msf::Exploit::Failure::Unknown
      end

      if self.fail_reason == Msf::Exploit::Failure::Unknown
        self.print_error("Exploit failed: #{msg}")
      else
        self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      end

      elog("Exploit failed (#{self.refname}): #{msg}", error: e)
  end

  # Record the error to various places
  self.framework.events.on_module_error(self, msg)

  # Report the failure (and attempt) in the database
  self.report_failure

  # Interrupt any session waiters in the handler
  self.interrupt_handler

  return self.fail_reason
end

#handler(*args) ⇒ Object

Passes the connection to the associated payload handler to see if the exploit succeeded and a connection has been established. The return value can be one of the Handler::constants.


1288
1289
1290
1291
1292
# File 'lib/msf/core/exploit.rb', line 1288

def handler(*args)
  if payload_instance && handler_enabled?
    payload_instance.handler(*args)
  end
end

#handler_bind?Boolean

If the payload uses a bind handler

Returns:

  • (Boolean)

1273
1274
1275
# File 'lib/msf/core/exploit.rb', line 1273

def handler_bind?
  payload_instance && payload_instance.connection_type == 'bind'
end

#handler_enabled?Boolean

Allow the user to disable the payload handler

Returns:

  • (Boolean)

1266
1267
1268
# File 'lib/msf/core/exploit.rb', line 1266

def handler_enabled?
  !datastore['DisablePayloadHandler']
end

#has_auto_target?(targets = []) ⇒ Boolean

Returns:

  • (Boolean)

315
316
317
318
319
320
321
# File 'lib/msf/core/exploit.rb', line 315

def has_auto_target?(targets=[])
  target_names = targets.collect { |target| target.first}
  target_names.each do |target|
    return true if target =~ /Automatic/
  end
  return false
end

#init_compatObject (protected)

Overrides the base class method and serves to initialize default compatibilities for exploits


1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
# File 'lib/msf/core/exploit.rb', line 1592

def init_compat
  super

  #
  # Merge in payload compatible defaults
  #
  p = module_info['Compat']['Payload']

  CompatDefaults::Payload.each_pair { |k,v|
    (p[k]) ? p[k] << " #{v}" : p[k] = v
  }

  #
  # Set the default save registers if none have been explicitly
  # specified.
  #
  if (module_info['SaveRegisters'] == nil)
    module_info['SaveRegisters'] = [ 'esp', 'ebp' ]
  end
end

#interrupt_handlerObject


1294
1295
1296
1297
1298
# File 'lib/msf/core/exploit.rb', line 1294

def interrupt_handler
  if payload_instance && handler_enabled? && payload_instance.respond_to?(:interrupt_wait_for_session)
    payload_instance.interrupt_wait_for_session()
  end
end

#is_payload_compatible?(name) ⇒ TrueClass, FalseClass

Returns whether the requested payload is compatible with the module.

Parameters:

  • payload_name (String)

    The payload name

Returns:

  • (TrueClass)

    Payload is compatible.

  • (FalseClass)

    Payload is not compatible.


705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
# File 'lib/msf/core/exploit.rb', line 705

def is_payload_compatible?(name)
  p = framework.payloads[name]

  return false unless p

  # Skip over payloads that are too big
  return false if payload_space && p.cached_size && p.cached_size > payload_space

  begin
    pi = p.new
  rescue ::Exception, ::LoadError => e
    wlog("Module #{name} failed to initialize: #{e}", 'core', LEV_0)
    return false
  end

  # Are we compatible in terms of conventions and connections and
  # what not?
  return false if !compatible?(pi)

  # If the payload is privileged but the exploit does not give
  # privileged access, then fail it.
  return false if !self.privileged && pi.privileged

  return true
end

#make_fast_nops(count) ⇒ String

Generates a NOP sled using the #make_nops method. The difference between this and #make_nops is this method is much faster, good for exploit developers that actually want huge chunks of NOPs. The downside of using this is the NOP sled is less randomized.

Parameters:

  • count (String)

    Number of NOPs to return.

Returns:

  • (String)

    NOPs


1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
# File 'lib/msf/core/exploit.rb', line 1055

def make_fast_nops(count)
  max_nop_chunk_size = 100

  if count < max_nop_chunk_size
    return make_nops(count)
  end

  nops = make_nops(max_nop_chunk_size)
  nops += nops while nops.length < count

  nops[0, count]
end

#make_nops(count) ⇒ Object

Generates a nop sled of a supplied length and returns it to the caller.


1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
# File 'lib/msf/core/exploit.rb', line 1072

def make_nops(count)
  # If we're debugging, then make_nops will return a safe sled.  We
  # currently assume x86.
  if debugging?
    return "\x90" * count
  end

  nop_sled = nil

  # If there is no payload instance then we can't succeed.
  return nil if (!payload_instance)

  payload_instance.compatible_nops.each { |nopname, nopmod|
    # Create an instance of the nop module
    nop = nopmod.new

    # The list of save registers
    save_regs = nop_save_registers || []

    if (save_regs.empty? == true)
      save_regs = nil
    end

    begin
      nop.copy_ui(self)

      nop_sled = nop.generate_sled(count,
        'BadChars'      => payload_badchars || '',
        'SaveRegisters' => save_regs)

      if nop_sled && nop_sled.length == count
        break
      else
        wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit", 'core', LEV_0)
      end
    rescue
      wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit: #{$!}",
        'core', LEV_0)
    end
  }

  nop_sled
end

#nop_generatorObject

Returns the first compatible NOP generator for this exploit's payload instance.


1037
1038
1039
1040
1041
1042
1043
# File 'lib/msf/core/exploit.rb', line 1037

def nop_generator
  return nil if (!payload_instance)

  payload_instance.compatible_nops.each { |nopname, nopmod|
    return nopmod.new
  }
end

#nop_save_registers(explicit_target = nil) ⇒ Object

Returns the list of registers that the NOP generator should save, if any. It will use the current target's save registers in precedence over those defined globally for the exploit module.

If there are no save registers, nil is returned.


1023
1024
1025
1026
1027
1028
1029
1030
1031
# File 'lib/msf/core/exploit.rb', line 1023

def nop_save_registers(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.save_registers)
    return explicit_target.save_registers
  else
    return module_info['SaveRegisters']
  end
end

#normalize_platform_archObject


691
692
693
694
695
696
# File 'lib/msf/core/exploit.rb', line 691

def normalize_platform_arch
  c_platform = (target && target.platform) ? target.platform : platform
  c_arch     = (target && target.arch)     ? target.arch     : (arch == []) ? nil : arch
  c_arch   ||= [ ARCH_X86 ]
  return c_platform, c_arch
end

#on_new_session(session) ⇒ Object

This is called by the payload when a new session is created


1309
1310
1311
1312
# File 'lib/msf/core/exploit.rb', line 1309

def on_new_session(session)
  self.session_count += 1
  self.successful = true
end

#passive?Boolean

Returns if the exploit has a passive stance. Aggressive exploits are always aggressive.

Returns:

  • (Boolean)

627
628
629
# File 'lib/msf/core/exploit.rb', line 627

def passive?
  stance.include?(Stance::Passive) && !stance.include?(Stance::Aggressive)
end

#pattern_create(length, sets = nil) ⇒ Object

Generate a non-repeating static random string


1250
1251
1252
# File 'lib/msf/core/exploit.rb', line 1250

def pattern_create(length, sets = nil)
  Rex::Text.pattern_create(length, sets)
end

#payload_append(explicit_target = nil) ⇒ Object

Return any text that should be appended to the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


822
823
824
825
826
827
828
829
830
# File 'lib/msf/core/exploit.rb', line 822

def payload_append(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_append)
    explicit_target.payload_append
  else
    payload_info['Append'] || ''
  end
end

#payload_append_encoder(explicit_target = nil) ⇒ Object

Return any text that should be appended to the encoder of the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


854
855
856
857
858
859
860
861
862
863
864
# File 'lib/msf/core/exploit.rb', line 854

def payload_append_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_append_encoder)
    p = explicit_target.payload_append_encoder
  else
    p = payload_info['AppendEncoder'] || ''
  end

  p
end

#payload_badchars(explicit_target = nil) ⇒ Object

Returns the bad characters that cannot be in any payload used by this exploit.


926
927
928
929
930
931
932
933
934
# File 'lib/msf/core/exploit.rb', line 926

def payload_badchars(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_badchars)
    explicit_target.payload_badchars
  else
    payload_info['BadChars']
  end
end

#payload_disable_nops(explicit_target = nil) ⇒ Object

Whether NOP generation should be enabled or disabled


869
870
871
872
873
874
875
876
877
# File 'lib/msf/core/exploit.rb', line 869

def payload_disable_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_disable_nops)
    explicit_target.payload_disable_nops
  else
    payload_info['DisableNops']
  end
end

#payload_encoder(explicit_target = nil) ⇒ Object

Returns the payload encoder that is associated with either the current target or the exploit in general.


940
941
942
943
944
945
946
947
948
# File 'lib/msf/core/exploit.rb', line 940

def payload_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder)
    explicit_target.payload_encoder
  else
    payload_info['Encoder']
  end
end

#payload_encoder_options(explicit_target = nil) ⇒ Object

Returns the payload encoder option hash that is used to initialize the datastore of the encoder that is selected when generating an encoded payload.


983
984
985
986
987
988
989
990
991
# File 'lib/msf/core/exploit.rb', line 983

def payload_encoder_options(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder_options)
    explicit_target.payload_encoder_options
  else
    payload_info['EncoderOptions']
  end
end

#payload_encoder_type(explicit_target = nil) ⇒ Object

Returns the payload encoder type that is associated with either the current target or the exploit in general.


968
969
970
971
972
973
974
975
976
# File 'lib/msf/core/exploit.rb', line 968

def payload_encoder_type(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder_type)
    explicit_target.payload_encoder_type
  else
    payload_info['EncoderType']
  end
end

#payload_extended_options(explicit_target = nil) ⇒ Object

Returns the payload extended options hash which is used to provide a location to store extended information that may be useful to a particular type of payload or mixin.


998
999
1000
1001
1002
1003
1004
1005
1006
# File 'lib/msf/core/exploit.rb', line 998

def payload_extended_options(explicit_target = nil)
  explicit_target ||= target

  if explicit_target and explicit_target.payload_extended_options
    explicit_target.payload_extended_options
  else
    payload_info['ExtendedOptions']
  end
end

#payload_max_nops(explicit_target = nil) ⇒ Object

Maximum number of nops to use as a hint to the framework. Nil signifies that the framework should decide.


883
884
885
886
887
888
889
890
891
# File 'lib/msf/core/exploit.rb', line 883

def payload_max_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_max_nops)
    explicit_target.payload_max_nops
  else
    payload_info['MaxNops'] || nil
  end
end

#payload_min_nops(explicit_target = nil) ⇒ Object

Minimum number of nops to use as a hint to the framework. Nil signifies that the framework should decide.


897
898
899
900
901
902
903
904
905
# File 'lib/msf/core/exploit.rb', line 897

def payload_min_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_min_nops)
    explicit_target.payload_min_nops
  else
    payload_info['MinNops'] || nil
  end
end

#payload_nop(explicit_target = nil) ⇒ Object

Returns the payload NOP generator that is associated with either the current target or the exploit in general.


954
955
956
957
958
959
960
961
962
# File 'lib/msf/core/exploit.rb', line 954

def payload_nop(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_nop)
    explicit_target.payload_nop
  else
    payload_info['Nop']
  end
end

#payload_prepend(explicit_target = nil) ⇒ Object

Return any text that should be prepended to the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit. This automatically takes into account any require stack adjustments.


805
806
807
808
809
810
811
812
813
814
815
# File 'lib/msf/core/exploit.rb', line 805

def payload_prepend(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_prepend)
    p = explicit_target.payload_prepend
  else
    p = payload_info['Prepend'] || ''
  end

  stack_adjustment + p
end

#payload_prepend_encoder(explicit_target = nil) ⇒ Object

Return any text that should be prepended to the encoder of the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


837
838
839
840
841
842
843
844
845
846
847
# File 'lib/msf/core/exploit.rb', line 837

def payload_prepend_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_prepend_encoder)
    p = explicit_target.payload_prepend_encoder
  else
    p = payload_info['PrependEncoder'] || ''
  end

  p
end

#payload_space(explicit_target = nil) ⇒ Object

Returns the maximum amount of room the exploit has for a payload.


910
911
912
913
914
915
916
917
918
919
920
# File 'lib/msf/core/exploit.rb', line 910

def payload_space(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_space)
    explicit_target.payload_space
  elsif (payload_info['Space'])
    payload_info['Space'].to_i
  else
    nil
  end
end

#rand_char(bad = payload_badchars) ⇒ Object

Generate a random character avoiding the exploit's bad characters.


1239
1240
1241
1242
1243
1244
1245
# File 'lib/msf/core/exploit.rb', line 1239

def rand_char(bad=payload_badchars)
  if debugging?
    "A"
  else
    Rex::Text.rand_char(bad)
  end
end

#rand_text(length, bad = payload_badchars) ⇒ Object

Generate random text characters avoiding the exploit's bad characters.


1131
1132
1133
1134
1135
1136
1137
# File 'lib/msf/core/exploit.rb', line 1131

def rand_text(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text(length, bad)
  end
end

#rand_text_alpha(length, bad = payload_badchars) ⇒ Object

Generate random alpha characters avoiding the exploit's bad characters.


1167
1168
1169
1170
1171
1172
1173
# File 'lib/msf/core/exploit.rb', line 1167

def rand_text_alpha(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alpha(length, bad)
  end
end

#rand_text_alpha_lower(length, bad = payload_badchars) ⇒ Object

Generate random alpha lower characters avoiding the exploit's bad characters.


1191
1192
1193
1194
1195
1196
1197
# File 'lib/msf/core/exploit.rb', line 1191

def rand_text_alpha_lower(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, 'a')
  else
    Rex::Text.rand_text_alpha_lower(length, bad)
  end
end

#rand_text_alpha_upper(length, bad = payload_badchars) ⇒ Object

Generate random alpha upper characters avoiding the exploit's bad characters.


1179
1180
1181
1182
1183
1184
1185
# File 'lib/msf/core/exploit.rb', line 1179

def rand_text_alpha_upper(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alpha_upper(length, bad)
  end
end

#rand_text_alphanumeric(length, bad = payload_badchars) ⇒ Object

Generate random alphanumeric characters avoiding the exploit's bad characters.


1203
1204
1205
1206
1207
1208
1209
# File 'lib/msf/core/exploit.rb', line 1203

def rand_text_alphanumeric(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alphanumeric(length, bad)
  end
end

#rand_text_debug(length, char = 'A') ⇒ Object

Utility methods for generating random text that implicitly uses the exploit's bad character set.


1123
1124
1125
# File 'lib/msf/core/exploit.rb', line 1123

def rand_text_debug(length, char = 'A')
  char * (length.kind_of?(Range) ? length.first : length)
end

#rand_text_english(length, bad = payload_badchars) ⇒ Object

Generate random english-like avoiding the exploit's bad characters.


1143
1144
1145
1146
1147
1148
1149
# File 'lib/msf/core/exploit.rb', line 1143

def rand_text_english(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_english(length, bad)
  end
end

#rand_text_hex(length, bad = payload_badchars) ⇒ Object

Generate random hexadecimal characters avoiding the exploit's bad characters.


1227
1228
1229
1230
1231
1232
1233
# File 'lib/msf/core/exploit.rb', line 1227

def rand_text_hex(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, '0')
  else
    Rex::Text.rand_text_hex(length, bad)
  end
end

#rand_text_highascii(length, bad = payload_badchars) ⇒ Object

Generate random high ascii characters avoiding the exploit's bad characters.


1155
1156
1157
1158
1159
1160
1161
# File 'lib/msf/core/exploit.rb', line 1155

def rand_text_highascii(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_highascii(length, bad)
  end
end

#rand_text_numeric(length, bad = payload_badchars) ⇒ Object

Generate random numeric characters avoiding the exploit's bad characters.


1215
1216
1217
1218
1219
1220
1221
# File 'lib/msf/core/exploit.rb', line 1215

def rand_text_numeric(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, '0')
  else
    Rex::Text.rand_text_numeric(length, bad)
  end
end

#regenerate_payload(platform = nil, arch = nil, explicit_target = nil) ⇒ Object Also known as: exploit_regenerate_payload

Re-generates an encoded payload, typically called after something in the datastore has changed. An optional platform and architecture can be supplied as well.


563
564
565
# File 'lib/msf/core/exploit.rb', line 563

def regenerate_payload(platform = nil, arch = nil, explicit_target = nil)
  generate_single_payload(nil, platform, arch, explicit_target)
end

#register_autofilter_ports(ports = []) ⇒ Object

Adds a port into the list of ports


376
377
378
379
380
381
# File 'lib/msf/core/exploit.rb', line 376

def register_autofilter_ports(ports=[])
  @autofilter_ports ||= []
  @autofilter_ports << ports
  @autofilter_ports.flatten!
  @autofilter_ports.uniq!
end

#register_autofilter_services(services = []) ⇒ Object


383
384
385
386
387
388
# File 'lib/msf/core/exploit.rb', line 383

def register_autofilter_services(services=[])
  @autofilter_services ||= []
  @autofilter_services << services
  @autofilter_services.flatten!
  @autofilter_services.uniq!
end

#report_failureObject


1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
# File 'lib/msf/core/exploit.rb', line 1465

def report_failure
  return unless framework.db and framework.db.active

  info = {
    :timestamp   => Time.now.utc,
    :workspace   => framework.db.find_workspace(self.workspace),
    :module      => self.fullname,
    :fail_reason => self.fail_reason,
    :fail_detail => self.fail_detail,
    :target_name => self.target.name,
    :username    => self.owner,
    :refs        => self.references,
    :run_id      => self.datastore['RUN_ID']
  }

  if self.datastore['RHOST'] and self.options['RHOST']
    info[:host] = self.datastore['RHOST']
  end

  if self.datastore['RPORT'] and self.options['RPORT']
    info[:port] = self.datastore['RPORT']
    if self.class.ancestors.include?(Msf::Exploit::Remote::Tcp)
      info[:proto] = 'tcp'
    end
  end

  framework.db.report_exploit_failure(info)
end

#reset_session_countsObject

Reset the session counter to zero (which occurs during set up of the exploit prior to calling exploit).


1328
1329
1330
# File 'lib/msf/core/exploit.rb', line 1328

def reset_session_counts
  self.session_count = 0
end

#session_created?Boolean

A boolean for whether a session has been created yet

Returns:

  • (Boolean)

1317
1318
1319
1320
1321
1322
# File 'lib/msf/core/exploit.rb', line 1317

def session_created?
  # Start bind handlers before checking session creation
  payload_instance.start_handler if handler_bind?

  (self.session_count > 0) ? true : false
end

#setupObject

Prepares the module for exploitation, initializes any state, and starts the payload handler.


394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
# File 'lib/msf/core/exploit.rb', line 394

def setup
  alert_user

  # Reset the session counts to zero.
  reset_session_counts

  return if not payload_instance
  return if not handler_enabled?

  # Configure the payload handler
  payload_instance.exploit_config = {
    'active_timeout' => self.active_timeout
  }

  # Set up the payload handlers
  payload_instance.setup_handler

  # Defer starting bind handlers until after exploit completion
  return if handler_bind?

  # Start the payload handler
  payload_instance.start_handler
end

#setup_fail_detail_from_exception(e) ⇒ Object


1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
# File 'lib/msf/core/exploit.rb', line 1364

def setup_fail_detail_from_exception e
  # Build a user-friendly error message
  msg = "#{e}"
  unless e.class == Msf::Exploit::Failed
    msg = "#{e.class} #{e}"
  end

  self.error = e

  # Record the detailed reason
  self.fail_detail ||= e.to_s
  msg
end

#stack_adjustmentObject

This method returns the encoded instruction(s) required to adjust the stack pointer prior to executing any code. The number of bytes to adjust is indicated to the routine through the payload 'StackAdjustment' attribute or through a target's payload 'StackAdjustment' attribute.


776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
# File 'lib/msf/core/exploit.rb', line 776

def stack_adjustment
  if target && target.payload_stack_adjustment
    adj = target.payload_stack_adjustment
  else
    adj = payload_info['StackAdjustment']
  end

  return '' unless adj

  # Get the architecture for the current target or use the one specific to
  # this exploit
  arch = (target && target.arch) ? target.arch : self.arch

  # Default to x86 if we can't find a list of architectures
  if arch && !arch.empty?
    arch = [arch].flatten.join(', ')
  else
    arch = 'x86'
  end

  Rex::Arch::adjust_stack_pointer(arch, adj) || ''
end

#stanceObject

Generally, all exploits take an aggressive stance.


613
614
615
# File 'lib/msf/core/exploit.rb', line 613

def stance
  module_info['Stance'] || Stance::Aggressive
end

#targetObject

Returns the active target for this exploit. If not target has been defined, nil is returned. If no target was defined but there is a default target, that one will be automatically used.


636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
# File 'lib/msf/core/exploit.rb', line 636

def target
  if self.respond_to?(:auto_targeted_index)
    if auto_target?
      auto_idx = auto_targeted_index
      if auto_idx.present?
        datastore['TARGET'] = auto_idx
      else
        # If our inserted Automatic Target was selected but we failed to
        # find a suitable target, we just grab the original first target.
        datastore['TARGET'] = 1
      end
    end
  end

  target_idx = target_index
  return (target_idx) ? targets[target_idx.to_i] : nil
end

#target_archObject

Returns the target's architecture, or the one assigned to the module itself.


687
688
689
# File 'lib/msf/core/exploit.rb', line 687

def target_arch
  (target and target.arch) ? target.arch : (arch == []) ? nil : arch
end

#target_indexObject

The target index that has been selected.


657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
# File 'lib/msf/core/exploit.rb', line 657

def target_index
  target_idx =
    begin
      Integer(datastore['TARGET'])
    rescue TypeError, ArgumentError
      datastore['TARGET']
    end

  default_idx = default_target || 0
  # Use the default target if one was not supplied.
  if (target_idx == nil and default_idx and default_idx >= 0)
    target_idx = default_idx
  elsif target_idx.is_a?(String)
    target_idx = targets.index { |target| target.name == target_idx }
  end

  return (target_idx) ? target_idx.to_i : nil
end

#target_platformObject

Returns the target's platform, or the one assigned to the module itself.


679
680
681
# File 'lib/msf/core/exploit.rb', line 679

def target_platform
  (target and target.platform) ? target.platform : platform
end

#typeObject

Returns MODULE_EXPLOIT to indicate that this is an exploit module.


599
600
601
# File 'lib/msf/core/exploit.rb', line 599

def type
  Msf::MODULE_EXPLOIT
end

#wfs_delayObject

The minimum “wait for session” delay is 3 seconds for all exploits, the WfsDelay configuration option is added on top of this. The delay allows time for the session handler to perform any session verification.


1259
1260
1261
# File 'lib/msf/core/exploit.rb', line 1259

def wfs_delay
  (datastore['WfsDelay'] || 0).to_i + 3
end