Class: Msf::Exploit
- Defined in:
- lib/msf/core/exploit.rb,
lib/msf/core/exploit/capture.rb,
lib/msf/core/exploit/http/jboss.rb,
lib/msf/core/exploit/http/typo3.rb,
lib/msf/core/exploit/http/joomla.rb,
lib/msf/core/exploit/java/rmi/util.rb,
lib/msf/core/exploit/http/wordpress.rb,
lib/msf/core/exploit/java/rmi/client.rb,
lib/msf/core/exploit/kerberos/client.rb,
lib/msf/core/exploit/java/rmi/builder.rb,
lib/msf/core/exploit/format/webarchive.rb,
lib/msf/core/exploit/java/rmi/client/jmx.rb,
lib/msf/core/exploit/kerberos/client/pac.rb,
lib/msf/core/exploit/kerberos/client/base.rb,
lib/msf/core/exploit/java/rmi/client/registry.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server.rb,
lib/msf/core/exploit/kerberos/client/as_request.rb,
lib/msf/core/exploit/kerberos/client/as_response.rb,
lib/msf/core/exploit/kerberos/client/tgs_request.rb,
lib/msf/core/exploit/kerberos/client/tgs_response.rb,
lib/msf/core/exploit/java/rmi/client/jmx/connection.rb,
lib/msf/core/exploit/java/rmi/client/registry/parser.rb,
lib/msf/core/exploit/java/rmi/client/registry/builder.rb,
lib/msf/core/exploit/kerberos/client/cache_credential.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server/parser.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server/builder.rb,
lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb
Overview
This module provides methods for sending and receiving raw packets. It should be preferred over the soon-to-be deprecated Rex::Socket::Ip and Msf::Exploit::Remote::Ip mixins.
Please see the pcaprub documentation for more information on how to use capture objects.
Defined Under Namespace
Modules: Android, AutoTarget, Brute, BruteTargets, Capture, CmdStager, CompatDefaults, DECT_COA, DHCPServer, EXE, Egghunter, FILEFORMAT, FileDropper, Format, FormatString, Git, JSObfu, Java, KernelMode, NTLM, ORACLE, Omelet, PDF, PDF_Parse, PhpEXE, Powershell, RIFF, RopDb, SQLi, Seh, Stance, TFTPServer, Type, ViewState, WbemExec, Windows_Constants Classes: CheckCode, Complete, Failed, Local, Remote
Constant Summary
Constants inherited from Module
Module::REPLICANT_EXTENSION_DS_KEY
Constants included from Module::ModuleInfo
Module::ModuleInfo::UpdateableOptions
Instance Attribute Summary collapse
-
#active_timeout ⇒ Object
protected
Maximum number of seconds for active handlers.
-
#default_target ⇒ Object
The default target.
-
#fail_detail ⇒ Object
Detailed exception string indicating why the exploit was not successful.
-
#fail_reason ⇒ Object
The reason why the exploit was not successful (one of Msf::Module::Failure).
-
#needs_cleanup ⇒ Object
Returns the value of attribute needs_cleanup.
-
#payload ⇒ Object
The encoded payload instance.
-
#payload_info ⇒ Object
The payload requirement hash.
-
#payload_instance ⇒ Object
The active payload instance.
-
#session_count ⇒ Object
The number of active sessions created by this instance.
-
#successful ⇒ Object
The boolean indicating whether the exploit succeeded.
-
#targets ⇒ Object
The list of targets.
Attributes inherited from Module
#error, #job_id, #license, #platform, #privileged, #references, #user_data
Attributes included from Framework::Offspring
Attributes included from Module::UUID
Attributes included from Rex::Ui::Subscriber::Input
Attributes included from Rex::Ui::Subscriber::Output
Attributes included from Module::Privileged
Attributes included from Module::Options
Attributes included from Module::ModuleStore
Attributes included from Module::ModuleInfo
Attributes included from Module::FullName
Attributes included from Module::DataStore
Attributes included from Module::Author
Attributes included from Module::Arch
Attributes included from Module::Alert
#alerts, #you_have_been_warned
Class Method Summary collapse
-
.mixins ⇒ Array
Returns an array of all of the exploit mixins.
-
.type ⇒ Object
Returns MODULE_EXPLOIT to indicate that this is an exploit module.
Instance Method Summary collapse
-
#add_handler(opts = {}) ⇒ Object
Allows the payload handler to spawn a new monitor.
-
#aggressive? ⇒ Boolean
Returns true if the exploit has an aggressive stance.
-
#autofilter ⇒ Object
Performs last-minute sanity checking of exploit parameters.
-
#autofilter_ports ⇒ Object
Provides a list of ports that can be used for matching this module against target systems.
-
#autofilter_services ⇒ Object
Provides a list of services that can be used for matching this module against target systems.
-
#cleanup ⇒ Object
Performs any cleanup that may be necessary, such as disconnecting connections and any other such fun things.
-
#compatible_encoders ⇒ Object
Returns a list of compatible encoders based on architecture.
-
#compatible_payloads(excluded_platforms: [], excluded_archs: []) ⇒ Object
Returns a list of compatible payloads based on platform, architecture, and size requirements.
-
#define_context_encoding_reqs(reqs) ⇒ Object
protected
Gets the memory map file and other context information that is required when wanting to support context keyed encoding.
-
#encode_begin(real_payload, reqs) ⇒ Object
Called prior to encoding a payload.
-
#encode_end(real_payload, reqs, encoded) ⇒ Object
Called after an encoded payload has been generated.
-
#encode_shellcode_stub(code, badchars = payload_badchars) ⇒ Object
Allows arbitrary shellcode to be encoded from within an exploit.
-
#exploit ⇒ Object
Kicks off the actual exploit.
-
#exploit_type ⇒ Object
If we don't know the exploit type, then I guess it's omnipresent!.
-
#fail_with(reason, msg = nil) ⇒ void
Raises a Msf::Exploit::Failed exception.
-
#generate_payload(pinst = nil) ⇒ Object
Generates the encoded version of the supplied payload using the payload requirements specific to this exploit.
-
#generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil) ⇒ Object
This method generates a non-cached payload which is typically useful for passive exploits that will have more than one client.
-
#handle_exception(e) ⇒ Object
Handle the exception.
-
#handler(*args) ⇒ Object
Passes the connection to the associated payload handler to see if the exploit succeeded and a connection has been established.
-
#handler_bind? ⇒ Boolean
If the payload uses a bind handler.
-
#handler_enabled? ⇒ Boolean
Allow the user to disable the payload handler.
- #has_auto_target?(targets = []) ⇒ Boolean
-
#init_compat ⇒ Object
protected
Overrides the base class method and serves to initialize default compatibilities for exploits.
-
#initialize(info = {}) ⇒ Exploit
constructor
Creates an instance of the exploit module.
- #interrupt_handler ⇒ Object
-
#is_payload_compatible?(name) ⇒ TrueClass, FalseClass
Returns whether the requested payload is compatible with the module.
-
#make_fast_nops(count) ⇒ String
Generates a NOP sled using the #make_nops method.
-
#make_nops(count) ⇒ Object
Generates a nop sled of a supplied length and returns it to the caller.
-
#nop_generator ⇒ Object
Returns the first compatible NOP generator for this exploit's payload instance.
-
#nop_save_registers(explicit_target = nil) ⇒ Object
Returns the list of registers that the NOP generator should save, if any.
- #normalize_platform_arch ⇒ Object
-
#on_new_session(session) ⇒ Object
This is called by the payload when a new session is created.
-
#passive? ⇒ Boolean
Returns if the exploit has a passive stance.
-
#pattern_create(length, sets = nil) ⇒ Object
Generate a non-repeating static random string.
-
#payload_append(explicit_target = nil) ⇒ Object
Return any text that should be appended to the payload.
-
#payload_append_encoder(explicit_target = nil) ⇒ Object
Return any text that should be appended to the encoder of the payload.
-
#payload_badchars(explicit_target = nil) ⇒ Object
Returns the bad characters that cannot be in any payload used by this exploit.
-
#payload_disable_nops(explicit_target = nil) ⇒ Object
Whether NOP generation should be enabled or disabled.
-
#payload_encoder(explicit_target = nil) ⇒ Object
Returns the payload encoder that is associated with either the current target or the exploit in general.
-
#payload_encoder_options(explicit_target = nil) ⇒ Object
Returns the payload encoder option hash that is used to initialize the datastore of the encoder that is selected when generating an encoded payload.
-
#payload_encoder_type(explicit_target = nil) ⇒ Object
Returns the payload encoder type that is associated with either the current target or the exploit in general.
-
#payload_extended_options(explicit_target = nil) ⇒ Object
Returns the payload extended options hash which is used to provide a location to store extended information that may be useful to a particular type of payload or mixin.
-
#payload_max_nops(explicit_target = nil) ⇒ Object
Maximum number of nops to use as a hint to the framework.
-
#payload_min_nops(explicit_target = nil) ⇒ Object
Minimum number of nops to use as a hint to the framework.
-
#payload_nop(explicit_target = nil) ⇒ Object
Returns the payload NOP generator that is associated with either the current target or the exploit in general.
-
#payload_prepend(explicit_target = nil) ⇒ Object
Return any text that should be prepended to the payload.
-
#payload_prepend_encoder(explicit_target = nil) ⇒ Object
Return any text that should be prepended to the encoder of the payload.
-
#payload_space(explicit_target = nil) ⇒ Object
Returns the maximum amount of room the exploit has for a payload.
-
#rand_char(bad = payload_badchars) ⇒ Object
Generate a random character avoiding the exploit's bad characters.
-
#rand_text(length, bad = payload_badchars) ⇒ Object
Generate random text characters avoiding the exploit's bad characters.
-
#rand_text_alpha(length, bad = payload_badchars) ⇒ Object
Generate random alpha characters avoiding the exploit's bad characters.
-
#rand_text_alpha_lower(length, bad = payload_badchars) ⇒ Object
Generate random alpha lower characters avoiding the exploit's bad characters.
-
#rand_text_alpha_upper(length, bad = payload_badchars) ⇒ Object
Generate random alpha upper characters avoiding the exploit's bad characters.
-
#rand_text_alphanumeric(length, bad = payload_badchars) ⇒ Object
Generate random alphanumeric characters avoiding the exploit's bad characters.
-
#rand_text_debug(length, char = 'A') ⇒ Object
Utility methods for generating random text that implicitly uses the exploit's bad character set.
-
#rand_text_english(length, bad = payload_badchars) ⇒ Object
Generate random english-like avoiding the exploit's bad characters.
-
#rand_text_hex(length, bad = payload_badchars) ⇒ Object
Generate random hexadecimal characters avoiding the exploit's bad characters.
-
#rand_text_highascii(length, bad = payload_badchars) ⇒ Object
Generate random high ascii characters avoiding the exploit's bad characters.
-
#rand_text_numeric(length, bad = payload_badchars) ⇒ Object
Generate random numeric characters avoiding the exploit's bad characters.
-
#regenerate_payload(platform = nil, arch = nil, explicit_target = nil) ⇒ Object
(also: #exploit_regenerate_payload)
Re-generates an encoded payload, typically called after something in the datastore has changed.
-
#register_autofilter_ports(ports = []) ⇒ Object
Adds a port into the list of ports.
- #register_autofilter_services(services = []) ⇒ Object
- #report_failure ⇒ Object
-
#reset_session_counts ⇒ Object
Reset the session counter to zero (which occurs during set up of the exploit prior to calling exploit).
-
#session_created? ⇒ Boolean
A boolean for whether a session has been created yet.
-
#setup ⇒ Object
Prepares the module for exploitation, initializes any state, and starts the payload handler.
- #setup_fail_detail_from_exception(e) ⇒ Object
-
#stack_adjustment ⇒ Object
This method returns the encoded instruction(s) required to adjust the stack pointer prior to executing any code.
-
#stance ⇒ Object
Generally, all exploits take an aggressive stance.
-
#target ⇒ Object
Returns the active target for this exploit.
-
#target_arch ⇒ Object
Returns the target's architecture, or the one assigned to the module itself.
-
#target_index ⇒ Object
The target index that has been selected.
-
#target_platform ⇒ Object
Returns the target's platform, or the one assigned to the module itself.
-
#type ⇒ Object
Returns MODULE_EXPLOIT to indicate that this is an exploit module.
-
#wfs_delay ⇒ Object
The default “wait for session” delay is zero for all exploits.
Methods inherited from Module
#black_listed_auth_filenames, cached?, #debugging?, #default_cred?, #file_path, #framework, #has_check?, #orig_cls, #owner, #perform_extensions, #platform?, #platform_to_s, #post_auth?, #register_extensions, #register_parent, #replicant, #required_cred_options, #set_defaults, #workspace
Methods included from Module::Reliability
#reliability, #reliability_to_s
Methods included from Module::Stability
Methods included from Module::SideEffects
#side_effects, #side_effects_to_s
Methods included from Module::UUID
Methods included from Module::UI
Methods included from Module::UI::Message
#print_error, #print_good, #print_prefix, #print_status, #print_warning
Methods included from Module::UI::Message::Verbose
#vprint_error, #vprint_good, #vprint_status, #vprint_warning
Methods included from Module::UI::Line
#print_line, #print_line_prefix
Methods included from Module::UI::Line::Verbose
Methods included from Rex::Ui::Subscriber
Methods included from Rex::Ui::Subscriber::Input
Methods included from Rex::Ui::Subscriber::Output
#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning
Methods included from Module::Type
#auxiliary?, #encoder?, #evasion?, #exploit?, #nop?, #payload?, #post?
Methods included from Module::Ranking
Methods included from Module::Privileged
Methods included from Module::Options
#deregister_options, #register_advanced_options, #register_evasion_options, #register_options, #validate
Methods included from Module::Network
#comm, #support_ipv6?, #target_host, #target_port
Methods included from Module::ModuleStore
Methods included from Module::ModuleInfo
#alias, #description, #disclosure_date, #info_fixups, #merge_check_key, #merge_info, #merge_info_advanced_options, #merge_info_alias, #merge_info_description, #merge_info_evasion_options, #merge_info_name, #merge_info_options, #merge_info_string, #merge_info_version, #name, #notes, #update_info
Methods included from Module::FullName
#aliases, #fullname, #promptname, #realname, #refname, #shortname
Methods included from Module::DataStore
#import_defaults, #import_target_defaults, #share_datastore
Methods included from Module::Compatibility
Methods included from Module::Author
Methods included from Module::Auth
Methods included from Module::Arch
#arch?, #arch_to_s, #each_arch
Methods included from Module::Alert
#add_alert, #add_error, #add_warning, #alert_user, #errors, #get_alerts, included, #is_usable?, #warnings
Constructor Details
#initialize(info = {}) ⇒ Exploit
Creates an instance of the exploit module. Mad skillz.
336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 |
# File 'lib/msf/core/exploit.rb', line 336 def initialize(info = {}) # Ghetto compat mirroring for payload compatibilities. This mirrors # # Payload => Compat => xyz # # to # # Compat => Payload => xyz if (info['Payload'] and info['Payload']['Compat']) info['Compat'] = Hash.new if (info['Compat'] == nil) info['Compat']['Payload'] = Hash.new if (info['Compat']['Payload'] == nil) info['Compat']['Payload'].update(info['Payload']['Compat']) end # Call the parent constructor after making any necessary modifications # to the information hash. super(info) if info.key? 'DefaultTarget' self.default_target = info['DefaultTarget'] else self.default_target = 0 # Add an auto-target to the exploit if it doesn't have one if info['Targets'] && info['Targets'].count > 1 && !has_auto_target?(info['Targets']) # Finally, only add the target if there is a remote host option if self.respond_to?(:rhost) && self.respond_to?(:auto_targeted_index) auto = ["Automatic", {'AutoGenerated' => true}.merge(info['Targets'][self.default_target][1])] info['Targets'].unshift(auto) end end end self.targets = Rex::Transformer.transform(info['Targets'], Array, [ Target ], 'Targets') self.payload_info = info['Payload'] || {} self.successful = false self.session_count = 0 self.active_timeout = 120 self.fail_reason = Failure::None if (info['Payload'] and info['Payload']['ActiveTimeout']) self.active_timeout = info['Payload']['ActiveTimeout'].to_i end # Initialize exploit datastore with target information import_target_defaults # All exploits can increase the delay when waiting for a session. # However, this only applies to aggressive exploits. if aggressive? ( [ OptInt.new('WfsDelay', [ false, "Additional delay when waiting for a session", 0 ]) ], Msf::Exploit) end ( [ # Allow all exploits to leverage context keyed encoding OptBool.new('EnableContextEncoding', [ false, "Use transient context when encoding payloads", false ]), OptPath.new('ContextInformationFile', [ false, "The information file that contains context information", nil ]), # Allow all exploits to disable their payload handlers OptBool.new('DisablePayloadHandler', [ false, "Disable the handler code for the selected payload", false ]) ], Msf::Exploit) end |
Instance Attribute Details
#active_timeout ⇒ Object (protected)
Maximum number of seconds for active handlers
1659 1660 1661 |
# File 'lib/msf/core/exploit.rb', line 1659 def active_timeout @active_timeout end |
#default_target ⇒ Object
The default target.
1612 1613 1614 |
# File 'lib/msf/core/exploit.rb', line 1612 def default_target @default_target end |
#fail_detail ⇒ Object
Detailed exception string indicating why the exploit was not successful
1603 1604 1605 |
# File 'lib/msf/core/exploit.rb', line 1603 def fail_detail @fail_detail end |
#fail_reason ⇒ Object
The reason why the exploit was not successful (one of Msf::Module::Failure)
1598 1599 1600 |
# File 'lib/msf/core/exploit.rb', line 1598 def fail_reason @fail_reason end |
#needs_cleanup ⇒ Object
Returns the value of attribute needs_cleanup
331 332 333 |
# File 'lib/msf/core/exploit.rb', line 331 def needs_cleanup @needs_cleanup end |
#payload ⇒ Object
The encoded payload instance. An instance of an EncodedPayload object.
1625 1626 1627 |
# File 'lib/msf/core/exploit.rb', line 1625 def payload @payload end |
#payload_info ⇒ Object
The payload requirement hash.
1616 1617 1618 |
# File 'lib/msf/core/exploit.rb', line 1616 def payload_info @payload_info end |
#payload_instance ⇒ Object
The active payload instance.
1620 1621 1622 |
# File 'lib/msf/core/exploit.rb', line 1620 def payload_instance @payload_instance end |
#session_count ⇒ Object
The number of active sessions created by this instance
1630 1631 1632 |
# File 'lib/msf/core/exploit.rb', line 1630 def session_count @session_count end |
#successful ⇒ Object
The boolean indicating whether the exploit succeeded
1635 1636 1637 |
# File 'lib/msf/core/exploit.rb', line 1635 def successful @successful end |
#targets ⇒ Object
The list of targets.
1608 1609 1610 |
# File 'lib/msf/core/exploit.rb', line 1608 def targets @targets end |
Class Method Details
.mixins ⇒ Array
Returns an array of all of the exploit mixins. Lame algorithm right now. We search the Msf::Exploit namespace for all modules that do not have any constants in them. In the future we can replace this with a better algorithm. It's just important that it returns an array of all of the mixin modules.
299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 |
# File 'lib/msf/core/exploit.rb', line 299 def self.mixins mixins = [] wl = [ Msf::Exploit ] visited = {} until wl.length == 0 wl.delete_if { |mod| mod.constants.each { |const| child = mod.const_get(const) next if child.to_s !~ /^Msf::Exploit/ next if visited[child] next if child.kind_of?(::Module) == false visited[child] = true if child.constants.length > 0 wl << child else mixins << child end } true } end return mixins end |
.type ⇒ Object
Returns MODULE_EXPLOIT to indicate that this is an exploit module.
679 680 681 |
# File 'lib/msf/core/exploit.rb', line 679 def self.type Msf::MODULE_EXPLOIT end |
Instance Method Details
#add_handler(opts = {}) ⇒ Object
Allows the payload handler to spawn a new monitor
558 559 560 561 562 |
# File 'lib/msf/core/exploit.rb', line 558 def add_handler(opts={}) return if not payload_instance return if not handler_enabled? payload_instance.add_handler(opts) end |
#aggressive? ⇒ Boolean
Returns true if the exploit has an aggressive stance.
707 708 709 |
# File 'lib/msf/core/exploit.rb', line 707 def aggressive? stance.include?(Stance::Aggressive) end |
#autofilter ⇒ Object
Performs last-minute sanity checking of exploit parameters. This method is called during automated exploitation attempts and allows an exploit to filter bad targets, obtain more information, and choose better targets based on the available data. Returning anything that evaluates to “false” will cause this specific exploit attempt to be skipped. This method can and will change datastore values and may interact with the backend database.
440 441 442 |
# File 'lib/msf/core/exploit.rb', line 440 def autofilter true end |
#autofilter_ports ⇒ Object
Provides a list of ports that can be used for matching this module against target systems.
448 449 450 |
# File 'lib/msf/core/exploit.rb', line 448 def autofilter_ports @autofilter_ports || [] end |
#autofilter_services ⇒ Object
Provides a list of services that can be used for matching this module against target systems.
456 457 458 |
# File 'lib/msf/core/exploit.rb', line 456 def autofilter_services @autofilter_services || [] end |
#cleanup ⇒ Object
Performs any cleanup that may be necessary, such as disconnecting connections and any other such fun things. If a payload is active then its handler cleanup routines are called as well.
510 511 512 513 514 515 |
# File 'lib/msf/core/exploit.rb', line 510 def cleanup if (payload_instance and handler_enabled?) payload_instance.cleanup_handler end self.abort_sockets if self.respond_to?(:abort_sockets) end |
#compatible_encoders ⇒ Object
Returns a list of compatible encoders based on architecture
843 844 845 846 847 848 849 850 851 852 853 854 |
# File 'lib/msf/core/exploit.rb', line 843 def compatible_encoders encoders = [] c_platform, c_arch = normalize_platform_arch framework.encoders.each_module_ranked( 'Arch' => c_arch, 'Platform' => c_platform) { |name, mod| encoders << [ name, mod ] } return encoders; end |
#compatible_payloads(excluded_platforms: [], excluded_archs: []) ⇒ Object
Returns a list of compatible payloads based on platform, architecture, and size requirements.
819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 |
# File 'lib/msf/core/exploit.rb', line 819 def compatible_payloads(excluded_platforms: [], excluded_archs: []) payloads = [] c_platform, c_arch = normalize_platform_arch # The "All" platform name represents generic payloads results = Msf::Modules::Metadata::Cache.instance.find( 'type' => [['payload'], []], 'platform' => [[*c_platform.names, 'All'], excluded_platforms], 'arch' => [c_arch, excluded_archs] ) results.each do |res| if is_payload_compatible?(res.ref_name) payloads << [res.ref_name, framework.payloads[res.ref_name]] end end payloads end |
#define_context_encoding_reqs(reqs) ⇒ Object (protected)
Gets the memory map file and other context information that is required when wanting to support context keyed encoding
1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 |
# File 'lib/msf/core/exploit.rb', line 1696 def define_context_encoding_reqs(reqs) return unless datastore['EnableContextEncoding'] # At present, we don't support any automatic methods of obtaining # context information. In the future, we might support obtaining # temporal information remotely. # Pass along the information specified in our exploit datastore as # encoder options reqs['EncoderOptions'] = {} if reqs['EncoderOptions'].nil? reqs['EncoderOptions']['EnableContextEncoding'] = datastore['EnableContextEncoding'] reqs['EncoderOptions']['ContextInformationFile'] = datastore['ContextInformationFile'] end |
#encode_begin(real_payload, reqs) ⇒ Object
Called prior to encoding a payload.
657 658 |
# File 'lib/msf/core/exploit.rb', line 657 def encode_begin(real_payload, reqs) end |
#encode_end(real_payload, reqs, encoded) ⇒ Object
Called after an encoded payload has been generated. This gives exploits or mixins a chance to alter the encoded payload.
664 665 666 |
# File 'lib/msf/core/exploit.rb', line 664 def encode_end(real_payload, reqs, encoded) encoded end |
#encode_shellcode_stub(code, badchars = payload_badchars) ⇒ Object
Allows arbitrary shellcode to be encoded from within an exploit
539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 |
# File 'lib/msf/core/exploit.rb', line 539 def encode_shellcode_stub(code, badchars=payload_badchars) platform = self.platform if(self.payload_instance) self.payload_instance.platform end compatible_encoders.each do |name, mod| begin enc = framework.encoders.create(name) raw = enc.encode(code, badchars, nil, platform) return raw if raw rescue ::Exception end end nil end |
#exploit ⇒ Object
Kicks off the actual exploit. Prior to this call, the framework will have validated the data store using the options associated with this exploit module. It will also pre-generate the desired payload, though exploits can re-generate the payload if necessary.
This method is designed to be overriden by exploit modules.
428 429 |
# File 'lib/msf/core/exploit.rb', line 428 def exploit end |
#exploit_type ⇒ Object
If we don't know the exploit type, then I guess it's omnipresent!
693 694 695 |
# File 'lib/msf/core/exploit.rb', line 693 def exploit_type Type::Omni end |
#fail_with(reason, msg = nil) ⇒ void
This method returns an undefined value.
Raises a Msf::Exploit::Failed exception. It overrides the fail_with method in lib/msf/core/module.rb
1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 |
# File 'lib/msf/core/exploit.rb', line 1434 def fail_with(reason,msg=nil) # The reason being registered here will be used later on, so it's important we don't actually # provide a made-up one. allowed_values = Msf::Module::Failure.constants.collect {|e| Msf::Module::Failure.const_get(e)} if allowed_values.include?(reason) self.fail_reason = reason else self.fail_reason = Msf::Module::Failure::Unknown end self.fail_detail = msg raise Msf::Exploit::Failed, (msg || "No failure message given") end |
#generate_payload(pinst = nil) ⇒ Object
Generates the encoded version of the supplied payload using the payload requirements specific to this exploit. The encoded instance is returned to the caller. This method is exposed in the manner that it is such that passive exploits and re-generate an encoded payload on the fly rather than having to use the pre-generated one.
The return value is an EncodedPayload instance.
526 527 528 529 530 531 532 533 534 |
# File 'lib/msf/core/exploit.rb', line 526 def generate_payload(pinst = nil) # Set the encoded payload to the result of the encoding process self.payload = generate_single_payload(pinst) # Save the payload instance self.payload_instance = (pinst) ? pinst : self.payload_instance return self.payload end |
#generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil) ⇒ Object
This method generates a non-cached payload which is typically useful for passive exploits that will have more than one client.
568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 |
# File 'lib/msf/core/exploit.rb', line 568 def generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil) explicit_target ||= target if (explicit_target == nil) raise MissingTargetError, "No target has been specified.", caller end # If a payload instance was supplied, use it, otherwise # use the active payload instance real_payload = (pinst) ? pinst : self.payload_instance if (real_payload == nil) raise MissingPayloadError, "No payload has been selected.", caller end # If this is a generic payload, then we should specify the platform # and architecture so that it knows how to pass things on. if real_payload.kind_of?(Msf::Payload::Generic) # Convert the architecture specified into an array. if arch and arch.kind_of?(String) arch = [ arch ] end # Define the explicit platform and architecture information only if # it's been specified. if platform real_payload.explicit_platform = Msf::Module::PlatformList.transform(platform) end if arch real_payload.explicit_arch = arch end # Force it to reset so that it will find updated information. real_payload.reset end # Duplicate the exploit payload requirements reqs = self.payload_info.dup # Pass save register requirements to the NOP generator reqs['Space'] = payload_space(explicit_target) reqs['SaveRegisters'] = nop_save_registers(explicit_target) reqs['Prepend'] = payload_prepend(explicit_target) reqs['PrependEncoder'] = payload_prepend_encoder(explicit_target) reqs['BadChars'] = payload_badchars(explicit_target) reqs['Append'] = payload_append(explicit_target) reqs['AppendEncoder'] = payload_append_encoder(explicit_target) reqs['DisableNops'] = payload_disable_nops(explicit_target) reqs['MaxNops'] = payload_max_nops(explicit_target) reqs['MinNops'] = payload_min_nops(explicit_target) reqs['Encoder'] = datastore['ENCODER'] || payload_encoder(explicit_target) reqs['Nop'] = datastore['NOP'] || payload_nop(explicit_target) reqs['EncoderType'] = payload_encoder_type(explicit_target) reqs['EncoderOptions'] = (explicit_target) reqs['ExtendedOptions'] = (explicit_target) reqs['Exploit'] = self # Pass along the encoder don't fall through flag reqs['EncoderDontFallThrough'] = datastore['EncoderDontFallThrough'] # Incorporate any context encoding requirements that are needed define_context_encoding_reqs(reqs) # Call the encode begin routine. encode_begin(real_payload, reqs) # Generate the encoded payload. encoded = EncodedPayload.create(real_payload, reqs) # Call the encode end routine which is expected to return the actual # encoded payload instance. return encode_end(real_payload, reqs, encoded) end |
#handle_exception(e) ⇒ Object
Handle the exception
1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 |
# File 'lib/msf/core/exploit.rb', line 1465 def handle_exception e msg = setup_fail_detail_from_exception e case e when Msf::Exploit::Complete # Nothing to show in this case return when Msf::Exploit::Failed self.print_error("Exploit aborted due to failure: #{self.fail_reason}: #{msg}") # The caller should have already set self.fail_reason if self.fail_reason == Msf::Exploit::Failure::None self.fail_reason = Msf::Exploit::Failure::Unknown end when Rex::ConnectionError self.fail_reason = Msf::Exploit::Failure::Unreachable self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}") elog("Exploit failed (#{self.refname}): #{msg}", error: e) when Rex::BindFailed self.fail_reason = Msf::Exploit::Failure::BadConfig self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}") elog("Exploit failed (#{self.refname}): #{msg}", error: e) when Timeout::Error self.fail_reason = Msf::Exploit::Failure::TimeoutExpired self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}") elog("Exploit failed (#{self.refname}): #{msg}", error: e) when ::Interrupt self.fail_reason = Msf::Exploit::Failure::UserInterrupt self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}") elog("Exploit failed (#{self.refname}): #{msg}", error: e) else # Compare as a string since not all error classes may be loaded case msg when /access.denied|Login Failed/i # Covers SMB as well as some generic errors self.fail_reason = Msf::Exploit::Failure::NoAccess when /connection reset/i self.fail_reason = Msf::Exploit::Failure::Disconnected when /connection timed out|SSL_connect|unreachable|connection was refused/i self.fail_reason = Msf::Exploit::Failure::Unreachable when /unable.*target/i self.fail_reason = Msf::Exploit::Failure::NoTarget when /execution expired/i self.fail_reason = Msf::Exploit::Failure::TimeoutExpired when /(doesn.t|not).*vulnerable|may.*patched/i self.fail_reason = Msf::Exploit::Failure::NotVulnerable end # The caller should have already set self.fail_reason if self.fail_reason == Msf::Exploit::Failure::None self.fail_reason = Msf::Exploit::Failure::Unknown end if self.fail_reason == Msf::Exploit::Failure::Unknown self.print_error("Exploit failed: #{msg}") else self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}") end elog("Exploit failed (#{self.refname}): #{msg}", error: e) end # Record the error to various places self.framework.events.on_module_error(self, msg) # Report the failure (and attempt) in the database self.report_failure # Interrupt any session waiters in the handler self.interrupt_handler return self.fail_reason end |
#handler(*args) ⇒ Object
Passes the connection to the associated payload handler to see if the exploit succeeded and a connection has been established. The return value can be one of the Handler::constants.
1372 1373 1374 1375 1376 |
# File 'lib/msf/core/exploit.rb', line 1372 def handler(*args) if payload_instance && handler_enabled? payload_instance.handler(*args) end end |
#handler_bind? ⇒ Boolean
If the payload uses a bind handler
1357 1358 1359 |
# File 'lib/msf/core/exploit.rb', line 1357 def handler_bind? payload_instance && payload_instance.connection_type == 'bind' end |
#handler_enabled? ⇒ Boolean
Allow the user to disable the payload handler
1350 1351 1352 |
# File 'lib/msf/core/exploit.rb', line 1350 def handler_enabled? !datastore['DisablePayloadHandler'] end |
#has_auto_target?(targets = []) ⇒ Boolean
402 403 404 405 406 407 408 |
# File 'lib/msf/core/exploit.rb', line 402 def has_auto_target?(targets=[]) target_names = targets.collect { |target| target.first} target_names.each do |target| return true if target =~ /Automatic/ end return false end |
#init_compat ⇒ Object (protected)
Overrides the base class method and serves to initialize default compatibilities for exploits
1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 |
# File 'lib/msf/core/exploit.rb', line 1671 def init_compat super # # Merge in payload compatible defaults # p = module_info['Compat']['Payload'] CompatDefaults::Payload.each_pair { |k,v| (p[k]) ? p[k] << " #{v}" : p[k] = v } # # Set the default save registers if none have been explicitly # specified. # if (module_info['SaveRegisters'] == nil) module_info['SaveRegisters'] = [ 'esp', 'ebp' ] end end |
#interrupt_handler ⇒ Object
1378 1379 1380 1381 1382 |
# File 'lib/msf/core/exploit.rb', line 1378 def interrupt_handler if payload_instance && handler_enabled? && payload_instance.respond_to?(:interrupt_wait_for_session) payload_instance.interrupt_wait_for_session() end end |
#is_payload_compatible?(name) ⇒ TrueClass, FalseClass
Returns whether the requested payload is compatible with the module.
792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 |
# File 'lib/msf/core/exploit.rb', line 792 def is_payload_compatible?(name) p = framework.payloads[name] return false unless p # Skip over payloads that are too big return false if payload_space && p.cached_size && p.cached_size > payload_space pi = p.new # Are we compatible in terms of conventions and connections and # what not? return false if !compatible?(pi) if self.needs_cleanup && !pi.can_cleanup return false end # If the payload is privileged but the exploit does not give # privileged access, then fail it. return false if !self.privileged && pi.privileged return true end |
#make_fast_nops(count) ⇒ String
Generates a NOP sled using the #make_nops method. The difference between this and #make_nops is this method is much faster, good for exploit developers that actually want huge chunks of NOPs. The downside of using this is the NOP sled is less randomized.
1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 |
# File 'lib/msf/core/exploit.rb', line 1141 def make_fast_nops(count) max_nop_chunk_size = 100 if count < max_nop_chunk_size return make_nops(count) end nops = make_nops(max_nop_chunk_size) nops += nops while nops.length < count nops[0, count] end |
#make_nops(count) ⇒ Object
Generates a nop sled of a supplied length and returns it to the caller.
1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 |
# File 'lib/msf/core/exploit.rb', line 1158 def make_nops(count) # If we're debugging, then make_nops will return a safe sled. We # currently assume x86. if debugging? return "\x90" * count end nop_sled = nil # If there is no payload instance then we can't succeed. return nil if (!payload_instance) payload_instance.compatible_nops.each { |nopname, nopmod| # Create an instance of the nop module nop = nopmod.new # The list of save registers save_regs = nop_save_registers || [] if (save_regs.empty? == true) save_regs = nil end begin nop.copy_ui(self) nop_sled = nop.generate_sled(count, 'BadChars' => payload_badchars || '', 'SaveRegisters' => save_regs) if nop_sled && nop_sled.length == count break else wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit", 'core', LEV_0) end rescue wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit: #{$!}", 'core', LEV_0) end } nop_sled end |
#nop_generator ⇒ Object
Returns the first compatible NOP generator for this exploit's payload instance.
1123 1124 1125 1126 1127 1128 1129 |
# File 'lib/msf/core/exploit.rb', line 1123 def nop_generator return nil if (!payload_instance) payload_instance.compatible_nops.each { |nopname, nopmod| return nopmod.new } end |
#nop_save_registers(explicit_target = nil) ⇒ Object
Returns the list of registers that the NOP generator should save, if any. It will use the current target's save registers in precedence over those defined globally for the exploit module.
If there are no save registers, nil is returned.
1109 1110 1111 1112 1113 1114 1115 1116 1117 |
# File 'lib/msf/core/exploit.rb', line 1109 def nop_save_registers(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.save_registers) return explicit_target.save_registers else return module_info['SaveRegisters'] end end |
#normalize_platform_arch ⇒ Object
778 779 780 781 782 783 |
# File 'lib/msf/core/exploit.rb', line 778 def normalize_platform_arch c_platform = (target && target.platform) ? target.platform : platform c_arch = (target && target.arch) ? target.arch : (arch == []) ? nil : arch c_arch ||= [ ARCH_X86 ] return c_platform, c_arch end |
#on_new_session(session) ⇒ Object
This is called by the payload when a new session is created
1393 1394 1395 1396 |
# File 'lib/msf/core/exploit.rb', line 1393 def on_new_session(session) self.session_count += 1 self.successful = true end |
#passive? ⇒ Boolean
Returns if the exploit has a passive stance. Aggressive exploits are always aggressive.
714 715 716 |
# File 'lib/msf/core/exploit.rb', line 714 def passive? stance.include?(Stance::Passive) && !stance.include?(Stance::Aggressive) end |
#pattern_create(length, sets = nil) ⇒ Object
Generate a non-repeating static random string
1336 1337 1338 |
# File 'lib/msf/core/exploit.rb', line 1336 def pattern_create(length, sets = nil) Rex::Text.pattern_create(length, sets) end |
#payload_append(explicit_target = nil) ⇒ Object
Return any text that should be appended to the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.
908 909 910 911 912 913 914 915 916 |
# File 'lib/msf/core/exploit.rb', line 908 def payload_append(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_append) explicit_target.payload_append else payload_info['Append'] || '' end end |
#payload_append_encoder(explicit_target = nil) ⇒ Object
Return any text that should be appended to the encoder of the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.
940 941 942 943 944 945 946 947 948 949 950 |
# File 'lib/msf/core/exploit.rb', line 940 def payload_append_encoder(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_append_encoder) p = explicit_target.payload_append_encoder else p = payload_info['AppendEncoder'] || '' end p end |
#payload_badchars(explicit_target = nil) ⇒ Object
Returns the bad characters that cannot be in any payload used by this exploit.
1012 1013 1014 1015 1016 1017 1018 1019 1020 |
# File 'lib/msf/core/exploit.rb', line 1012 def payload_badchars(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_badchars) explicit_target.payload_badchars else payload_info['BadChars'] end end |
#payload_disable_nops(explicit_target = nil) ⇒ Object
Whether NOP generation should be enabled or disabled
955 956 957 958 959 960 961 962 963 |
# File 'lib/msf/core/exploit.rb', line 955 def payload_disable_nops(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_disable_nops) explicit_target.payload_disable_nops else payload_info['DisableNops'] end end |
#payload_encoder(explicit_target = nil) ⇒ Object
Returns the payload encoder that is associated with either the current target or the exploit in general.
1026 1027 1028 1029 1030 1031 1032 1033 1034 |
# File 'lib/msf/core/exploit.rb', line 1026 def payload_encoder(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_encoder) explicit_target.payload_encoder else payload_info['Encoder'] end end |
#payload_encoder_options(explicit_target = nil) ⇒ Object
Returns the payload encoder option hash that is used to initialize the datastore of the encoder that is selected when generating an encoded payload.
1069 1070 1071 1072 1073 1074 1075 1076 1077 |
# File 'lib/msf/core/exploit.rb', line 1069 def (explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.) explicit_target. else payload_info['EncoderOptions'] end end |
#payload_encoder_type(explicit_target = nil) ⇒ Object
Returns the payload encoder type that is associated with either the current target or the exploit in general.
1054 1055 1056 1057 1058 1059 1060 1061 1062 |
# File 'lib/msf/core/exploit.rb', line 1054 def payload_encoder_type(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_encoder_type) explicit_target.payload_encoder_type else payload_info['EncoderType'] end end |
#payload_extended_options(explicit_target = nil) ⇒ Object
Returns the payload extended options hash which is used to provide a location to store extended information that may be useful to a particular type of payload or mixin.
1084 1085 1086 1087 1088 1089 1090 1091 1092 |
# File 'lib/msf/core/exploit.rb', line 1084 def (explicit_target = nil) explicit_target ||= target if explicit_target and explicit_target. explicit_target. else payload_info['ExtendedOptions'] end end |
#payload_max_nops(explicit_target = nil) ⇒ Object
Maximum number of nops to use as a hint to the framework. Nil signifies that the framework should decide.
969 970 971 972 973 974 975 976 977 |
# File 'lib/msf/core/exploit.rb', line 969 def payload_max_nops(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_max_nops) explicit_target.payload_max_nops else payload_info['MaxNops'] || nil end end |
#payload_min_nops(explicit_target = nil) ⇒ Object
Minimum number of nops to use as a hint to the framework. Nil signifies that the framework should decide.
983 984 985 986 987 988 989 990 991 |
# File 'lib/msf/core/exploit.rb', line 983 def payload_min_nops(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_min_nops) explicit_target.payload_min_nops else payload_info['MinNops'] || nil end end |
#payload_nop(explicit_target = nil) ⇒ Object
Returns the payload NOP generator that is associated with either the current target or the exploit in general.
1040 1041 1042 1043 1044 1045 1046 1047 1048 |
# File 'lib/msf/core/exploit.rb', line 1040 def payload_nop(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_nop) explicit_target.payload_nop else payload_info['Nop'] end end |
#payload_prepend(explicit_target = nil) ⇒ Object
Return any text that should be prepended to the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit. This automatically takes into account any require stack adjustments.
891 892 893 894 895 896 897 898 899 900 901 |
# File 'lib/msf/core/exploit.rb', line 891 def payload_prepend(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_prepend) p = explicit_target.payload_prepend else p = payload_info['Prepend'] || '' end stack_adjustment + p end |
#payload_prepend_encoder(explicit_target = nil) ⇒ Object
Return any text that should be prepended to the encoder of the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.
923 924 925 926 927 928 929 930 931 932 933 |
# File 'lib/msf/core/exploit.rb', line 923 def payload_prepend_encoder(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_prepend_encoder) p = explicit_target.payload_prepend_encoder else p = payload_info['PrependEncoder'] || '' end p end |
#payload_space(explicit_target = nil) ⇒ Object
Returns the maximum amount of room the exploit has for a payload.
996 997 998 999 1000 1001 1002 1003 1004 1005 1006 |
# File 'lib/msf/core/exploit.rb', line 996 def payload_space(explicit_target = nil) explicit_target ||= target if (explicit_target and explicit_target.payload_space) explicit_target.payload_space elsif (payload_info['Space']) payload_info['Space'].to_i else nil end end |
#rand_char(bad = payload_badchars) ⇒ Object
Generate a random character avoiding the exploit's bad characters.
1325 1326 1327 1328 1329 1330 1331 |
# File 'lib/msf/core/exploit.rb', line 1325 def rand_char(bad=payload_badchars) if debugging? "A" else Rex::Text.rand_char(bad) end end |
#rand_text(length, bad = payload_badchars) ⇒ Object
Generate random text characters avoiding the exploit's bad characters.
1217 1218 1219 1220 1221 1222 1223 |
# File 'lib/msf/core/exploit.rb', line 1217 def rand_text(length, bad=payload_badchars) if debugging? rand_text_debug(length) else Rex::Text.rand_text(length, bad) end end |
#rand_text_alpha(length, bad = payload_badchars) ⇒ Object
Generate random alpha characters avoiding the exploit's bad characters.
1253 1254 1255 1256 1257 1258 1259 |
# File 'lib/msf/core/exploit.rb', line 1253 def rand_text_alpha(length, bad=payload_badchars) if debugging? rand_text_debug(length) else Rex::Text.rand_text_alpha(length, bad) end end |
#rand_text_alpha_lower(length, bad = payload_badchars) ⇒ Object
Generate random alpha lower characters avoiding the exploit's bad characters.
1277 1278 1279 1280 1281 1282 1283 |
# File 'lib/msf/core/exploit.rb', line 1277 def rand_text_alpha_lower(length, bad=payload_badchars) if debugging? rand_text_debug(length, 'a') else Rex::Text.rand_text_alpha_lower(length, bad) end end |
#rand_text_alpha_upper(length, bad = payload_badchars) ⇒ Object
Generate random alpha upper characters avoiding the exploit's bad characters.
1265 1266 1267 1268 1269 1270 1271 |
# File 'lib/msf/core/exploit.rb', line 1265 def rand_text_alpha_upper(length, bad=payload_badchars) if debugging? rand_text_debug(length) else Rex::Text.rand_text_alpha_upper(length, bad) end end |
#rand_text_alphanumeric(length, bad = payload_badchars) ⇒ Object
Generate random alphanumeric characters avoiding the exploit's bad characters.
1289 1290 1291 1292 1293 1294 1295 |
# File 'lib/msf/core/exploit.rb', line 1289 def rand_text_alphanumeric(length, bad=payload_badchars) if debugging? rand_text_debug(length) else Rex::Text.rand_text_alphanumeric(length, bad) end end |
#rand_text_debug(length, char = 'A') ⇒ Object
Utility methods for generating random text that implicitly uses the exploit's bad character set.
1209 1210 1211 |
# File 'lib/msf/core/exploit.rb', line 1209 def rand_text_debug(length, char = 'A') char * (length.kind_of?(Range) ? length.first : length) end |
#rand_text_english(length, bad = payload_badchars) ⇒ Object
Generate random english-like avoiding the exploit's bad characters.
1229 1230 1231 1232 1233 1234 1235 |
# File 'lib/msf/core/exploit.rb', line 1229 def rand_text_english(length, bad=payload_badchars) if debugging? rand_text_debug(length) else Rex::Text.rand_text_english(length, bad) end end |
#rand_text_hex(length, bad = payload_badchars) ⇒ Object
Generate random hexadecimal characters avoiding the exploit's bad characters.
1313 1314 1315 1316 1317 1318 1319 |
# File 'lib/msf/core/exploit.rb', line 1313 def rand_text_hex(length, bad=payload_badchars) if debugging? rand_text_debug(length, '0') else Rex::Text.rand_text_hex(length, bad) end end |
#rand_text_highascii(length, bad = payload_badchars) ⇒ Object
Generate random high ascii characters avoiding the exploit's bad characters.
1241 1242 1243 1244 1245 1246 1247 |
# File 'lib/msf/core/exploit.rb', line 1241 def rand_text_highascii(length, bad=payload_badchars) if debugging? rand_text_debug(length) else Rex::Text.rand_text_highascii(length, bad) end end |
#rand_text_numeric(length, bad = payload_badchars) ⇒ Object
Generate random numeric characters avoiding the exploit's bad characters.
1301 1302 1303 1304 1305 1306 1307 |
# File 'lib/msf/core/exploit.rb', line 1301 def rand_text_numeric(length, bad=payload_badchars) if debugging? rand_text_debug(length, '0') else Rex::Text.rand_text_numeric(length, bad) end end |
#regenerate_payload(platform = nil, arch = nil, explicit_target = nil) ⇒ Object Also known as: exploit_regenerate_payload
Re-generates an encoded payload, typically called after something in the datastore has changed. An optional platform and architecture can be supplied as well.
650 651 652 |
# File 'lib/msf/core/exploit.rb', line 650 def regenerate_payload(platform = nil, arch = nil, explicit_target = nil) generate_single_payload(nil, platform, arch, explicit_target) end |
#register_autofilter_ports(ports = []) ⇒ Object
Adds a port into the list of ports
463 464 465 466 467 468 |
# File 'lib/msf/core/exploit.rb', line 463 def register_autofilter_ports(ports=[]) @autofilter_ports ||= [] @autofilter_ports << ports @autofilter_ports.flatten! @autofilter_ports.uniq! end |
#register_autofilter_services(services = []) ⇒ Object
470 471 472 473 474 475 |
# File 'lib/msf/core/exploit.rb', line 470 def register_autofilter_services(services=[]) @autofilter_services ||= [] @autofilter_services << services @autofilter_services.flatten! @autofilter_services.uniq! end |
#report_failure ⇒ Object
1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 |
# File 'lib/msf/core/exploit.rb', line 1544 def report_failure return unless framework.db and framework.db.active info = { :timestamp => Time.now.utc, :workspace => framework.db.find_workspace(self.workspace), :module => self.fullname, :fail_reason => self.fail_reason, :fail_detail => self.fail_detail, :target_name => self.target.name, :username => self.owner, :refs => self.references, :run_id => self.datastore['RUN_ID'] } if self.datastore['RHOST'] and self.['RHOST'] info[:host] = self.datastore['RHOST'] end if self.datastore['RPORT'] and self.['RPORT'] info[:port] = self.datastore['RPORT'] if self.class.ancestors.include?(Msf::Exploit::Remote::Tcp) info[:proto] = 'tcp' end end framework.db.report_exploit_failure(info) end |
#reset_session_counts ⇒ Object
Reset the session counter to zero (which occurs during set up of the exploit prior to calling exploit).
1412 1413 1414 |
# File 'lib/msf/core/exploit.rb', line 1412 def reset_session_counts self.session_count = 0 end |
#session_created? ⇒ Boolean
A boolean for whether a session has been created yet
1401 1402 1403 1404 1405 1406 |
# File 'lib/msf/core/exploit.rb', line 1401 def session_created? # Start bind handlers before checking session creation payload_instance.start_handler if handler_bind? (self.session_count > 0) ? true : false end |
#setup ⇒ Object
Prepares the module for exploitation, initializes any state, and starts the payload handler.
481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 |
# File 'lib/msf/core/exploit.rb', line 481 def setup alert_user # Reset the session counts to zero. reset_session_counts return if not payload_instance return if not handler_enabled? # Configure the payload handler payload_instance.exploit_config = { 'active_timeout' => self.active_timeout } # Set up the payload handlers payload_instance.setup_handler # Defer starting bind handlers until after exploit completion return if handler_bind? # Start the payload handler payload_instance.start_handler end |
#setup_fail_detail_from_exception(e) ⇒ Object
1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 |
# File 'lib/msf/core/exploit.rb', line 1448 def setup_fail_detail_from_exception e # Build a user-friendly error message msg = "#{e}" unless e.class == Msf::Exploit::Failed msg = "#{e.class} #{e}" end self.error = e # Record the detailed reason self.fail_detail ||= e.to_s msg end |
#stack_adjustment ⇒ Object
This method returns the encoded instruction(s) required to adjust the stack pointer prior to executing any code. The number of bytes to adjust is indicated to the routine through the payload 'StackAdjustment' attribute or through a target's payload 'StackAdjustment' attribute.
862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 |
# File 'lib/msf/core/exploit.rb', line 862 def stack_adjustment if target && target.payload_stack_adjustment adj = target.payload_stack_adjustment else adj = payload_info['StackAdjustment'] end return '' unless adj # Get the architecture for the current target or use the one specific to # this exploit arch = (target && target.arch) ? target.arch : self.arch # Default to x86 if we can't find a list of architectures if arch && !arch.empty? arch = [arch].flatten.join(', ') else arch = 'x86' end Rex::Arch::adjust_stack_pointer(arch, adj) || '' end |
#stance ⇒ Object
Generally, all exploits take an aggressive stance.
700 701 702 |
# File 'lib/msf/core/exploit.rb', line 700 def stance module_info['Stance'] || Stance::Aggressive end |
#target ⇒ Object
Returns the active target for this exploit. If not target has been defined, nil is returned. If no target was defined but there is a default target, that one will be automatically used.
723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 |
# File 'lib/msf/core/exploit.rb', line 723 def target if self.respond_to?(:auto_targeted_index) if auto_target? auto_idx = auto_targeted_index if auto_idx.present? datastore['TARGET'] = auto_idx else # If our inserted Automatic Target was selected but we failed to # find a suitable target, we just grab the original first target. datastore['TARGET'] = 1 end end end target_idx = target_index return (target_idx) ? targets[target_idx.to_i] : nil end |
#target_arch ⇒ Object
Returns the target's architecture, or the one assigned to the module itself.
774 775 776 |
# File 'lib/msf/core/exploit.rb', line 774 def target_arch (target and target.arch) ? target.arch : (arch == []) ? nil : arch end |
#target_index ⇒ Object
The target index that has been selected.
744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 |
# File 'lib/msf/core/exploit.rb', line 744 def target_index target_idx = begin Integer(datastore['TARGET']) rescue TypeError, ArgumentError datastore['TARGET'] end default_idx = default_target || 0 # Use the default target if one was not supplied. if (target_idx == nil and default_idx and default_idx >= 0) target_idx = default_idx elsif target_idx.is_a?(String) target_idx = targets.index { |target| target.name == target_idx } end return (target_idx) ? target_idx.to_i : nil end |
#target_platform ⇒ Object
Returns the target's platform, or the one assigned to the module itself.
766 767 768 |
# File 'lib/msf/core/exploit.rb', line 766 def target_platform (target and target.platform) ? target.platform : platform end |
#type ⇒ Object
Returns MODULE_EXPLOIT to indicate that this is an exploit module.
686 687 688 |
# File 'lib/msf/core/exploit.rb', line 686 def type Msf::MODULE_EXPLOIT end |
#wfs_delay ⇒ Object
The default “wait for session” delay is zero for all exploits.
1343 1344 1345 |
# File 'lib/msf/core/exploit.rb', line 1343 def wfs_delay (datastore['WfsDelay'] || 0).to_i end |