Class: Msf::Exploit

Inherits:
Module show all
Defined in:
lib/msf/core/exploit.rb,
lib/msf/core/exploit/capture.rb,
lib/msf/core/exploit/http/jboss.rb,
lib/msf/core/exploit/http/typo3.rb,
lib/msf/core/exploit/http/joomla.rb,
lib/msf/core/exploit/java/rmi/util.rb,
lib/msf/core/exploit/http/wordpress.rb,
lib/msf/core/exploit/java/rmi/client.rb,
lib/msf/core/exploit/kerberos/client.rb,
lib/msf/core/exploit/java/rmi/builder.rb,
lib/msf/core/exploit/format/webarchive.rb,
lib/msf/core/exploit/java/rmi/client/jmx.rb,
lib/msf/core/exploit/kerberos/client/pac.rb,
lib/msf/core/exploit/kerberos/client/base.rb,
lib/msf/core/exploit/java/rmi/client/registry.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server.rb,
lib/msf/core/exploit/kerberos/client/as_request.rb,
lib/msf/core/exploit/kerberos/client/as_response.rb,
lib/msf/core/exploit/kerberos/client/tgs_request.rb,
lib/msf/core/exploit/kerberos/client/tgs_response.rb,
lib/msf/core/exploit/java/rmi/client/jmx/connection.rb,
lib/msf/core/exploit/java/rmi/client/registry/parser.rb,
lib/msf/core/exploit/java/rmi/client/registry/builder.rb,
lib/msf/core/exploit/kerberos/client/cache_credential.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server/parser.rb,
lib/msf/core/exploit/java/rmi/client/jmx/server/builder.rb,
lib/msf/core/exploit/java/rmi/client/jmx/connection/builder.rb

Overview

This module provides methods for sending and receiving raw packets. It should be preferred over the soon-to-be deprecated Rex::Socket::Ip and Msf::Exploit::Remote::Ip mixins.

Please see the pcaprub documentation for more information on how to use capture objects.

Direct Known Subclasses

Local, Remote

Defined Under Namespace

Modules: Android, AutoTarget, Brute, BruteTargets, Capture, CmdStager, CompatDefaults, DECT_COA, DHCPServer, EXE, Egghunter, FILEFORMAT, FileDropper, Format, FormatString, Git, JSObfu, Java, KernelMode, NTLM, ORACLE, Omelet, PDF, PDF_Parse, PhpEXE, Powershell, RIFF, RopDb, SQLi, Seh, Stance, TFTPServer, Type, ViewState, WbemExec, Windows_Constants Classes: CheckCode, Complete, Failed, Local, Remote

Constant Summary

Constants inherited from Module

Module::REPLICANT_EXTENSION_DS_KEY

Constants included from Module::ModuleInfo

Module::ModuleInfo::UpdateableOptions

Instance Attribute Summary collapse

Attributes inherited from Module

#error, #job_id, #license, #platform, #privileged, #references, #user_data

Attributes included from Framework::Offspring

#framework

Attributes included from Module::UUID

#uuid

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Attributes included from Module::Privileged

#priveli, #privileged

Attributes included from Module::Options

#options

Attributes included from Module::ModuleStore

#module_store

Attributes included from Module::ModuleInfo

#module_info

Attributes included from Module::FullName

#aliased_as

Attributes included from Module::DataStore

#datastore

Attributes included from Module::Author

#author

Attributes included from Module::Arch

#arch

Attributes included from Module::Alert

#alerts, #you_have_been_warned

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Module

#black_listed_auth_filenames, cached?, #debugging?, #default_cred?, #file_path, #framework, #has_check?, #orig_cls, #owner, #perform_extensions, #platform?, #platform_to_s, #post_auth?, #register_extensions, #register_parent, #replicant, #required_cred_options, #set_defaults, #workspace

Methods included from Module::Reliability

#reliability, #reliability_to_s

Methods included from Module::Stability

#stability, #stability_to_s

Methods included from Module::SideEffects

#side_effects, #side_effects_to_s

Methods included from Module::UUID

#generate_uuid

Methods included from Module::UI

#init_ui

Methods included from Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Module::UI::Line

#print_line, #print_line_prefix

Methods included from Module::UI::Line::Verbose

#vprint_line

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Methods included from Module::Type

#auxiliary?, #encoder?, #evasion?, #exploit?, #nop?, #payload?, #post?

Methods included from Module::Ranking

#rank, #rank_to_h, #rank_to_s

Methods included from Module::Privileged

#privileged?

Methods included from Module::Options

#deregister_options, #register_advanced_options, #register_evasion_options, #register_options, #validate

Methods included from Module::Network

#comm, #support_ipv6?, #target_host, #target_port

Methods included from Module::ModuleStore

#[], #[]=

Methods included from Module::ModuleInfo

#alias, #description, #disclosure_date, #info_fixups, #merge_check_key, #merge_info, #merge_info_advanced_options, #merge_info_alias, #merge_info_description, #merge_info_evasion_options, #merge_info_name, #merge_info_options, #merge_info_string, #merge_info_version, #name, #notes, #update_info

Methods included from Module::FullName

#aliases, #fullname, #promptname, #realname, #refname, #shortname

Methods included from Module::DataStore

#import_defaults, #import_target_defaults, #share_datastore

Methods included from Module::Compatibility

#compat, #compatible?

Methods included from Module::Author

#author_to_s, #each_author

Methods included from Module::Auth

#store_valid_credential

Methods included from Module::Arch

#arch?, #arch_to_s, #each_arch

Methods included from Module::Alert

#add_alert, #add_error, #add_warning, #alert_user, #errors, #get_alerts, included, #is_usable?, #warnings

Constructor Details

#initialize(info = {}) ⇒ Exploit

Creates an instance of the exploit module. Mad skillz.


336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
# File 'lib/msf/core/exploit.rb', line 336

def initialize(info = {})

  # Ghetto compat mirroring for payload compatibilities.  This mirrors
  #
  # Payload => Compat => xyz
  #
  # to
  #
  # Compat => Payload => xyz
  if (info['Payload'] and info['Payload']['Compat'])
    info['Compat'] = Hash.new if (info['Compat'] == nil)
    info['Compat']['Payload'] = Hash.new if (info['Compat']['Payload'] == nil)
    info['Compat']['Payload'].update(info['Payload']['Compat'])
  end

  # Call the parent constructor after making any necessary modifications
  # to the information hash.
  super(info)

  if info.key? 'DefaultTarget'
    self.default_target = info['DefaultTarget']
  else
    self.default_target = 0
    # Add an auto-target to the exploit if it doesn't have one
    if info['Targets'] && info['Targets'].count > 1 && !has_auto_target?(info['Targets'])
      # Finally, only add the target if there is a remote host option
      if self.respond_to?(:rhost) && self.respond_to?(:auto_targeted_index)
        auto = ["Automatic", {'AutoGenerated' => true}.merge(info['Targets'][self.default_target][1])]
        info['Targets'].unshift(auto)
      end
    end
  end

  self.targets = Rex::Transformer.transform(info['Targets'], Array, [ Target ], 'Targets')
  self.payload_info = info['Payload'] || {}
  self.successful = false
  self.session_count = 0
  self.active_timeout = 120
  self.fail_reason = Failure::None

  if (info['Payload'] and info['Payload']['ActiveTimeout'])
    self.active_timeout = info['Payload']['ActiveTimeout'].to_i
  end

  # Initialize exploit datastore with target information
  import_target_defaults

  # All exploits can increase the delay when waiting for a session.
  # However, this only applies to aggressive exploits.
  if aggressive?
    register_advanced_options(
      [
        OptInt.new('WfsDelay', [ false, "Additional delay when waiting for a session", 0 ])
      ], Msf::Exploit)
  end

  register_advanced_options(
    [
      # Allow all exploits to leverage context keyed encoding
      OptBool.new('EnableContextEncoding', [ false, "Use transient context when encoding payloads", false ]),
      OptPath.new('ContextInformationFile', [ false, "The information file that contains context information", nil ]),
      # Allow all exploits to disable their payload handlers
      OptBool.new('DisablePayloadHandler', [ false, "Disable the handler code for the selected payload", false ])
    ], Msf::Exploit)
end

Instance Attribute Details

#active_timeoutObject (protected)

Maximum number of seconds for active handlers


1659
1660
1661
# File 'lib/msf/core/exploit.rb', line 1659

def active_timeout
  @active_timeout
end

#default_targetObject

The default target.


1612
1613
1614
# File 'lib/msf/core/exploit.rb', line 1612

def default_target
  @default_target
end

#fail_detailObject

Detailed exception string indicating why the exploit was not successful


1603
1604
1605
# File 'lib/msf/core/exploit.rb', line 1603

def fail_detail
  @fail_detail
end

#fail_reasonObject

The reason why the exploit was not successful (one of Msf::Module::Failure)


1598
1599
1600
# File 'lib/msf/core/exploit.rb', line 1598

def fail_reason
  @fail_reason
end

#needs_cleanupObject

Returns the value of attribute needs_cleanup


331
332
333
# File 'lib/msf/core/exploit.rb', line 331

def needs_cleanup
  @needs_cleanup
end

#payloadObject

The encoded payload instance. An instance of an EncodedPayload object.


1625
1626
1627
# File 'lib/msf/core/exploit.rb', line 1625

def payload
  @payload
end

#payload_infoObject

The payload requirement hash.


1616
1617
1618
# File 'lib/msf/core/exploit.rb', line 1616

def payload_info
  @payload_info
end

#payload_instanceObject

The active payload instance.


1620
1621
1622
# File 'lib/msf/core/exploit.rb', line 1620

def payload_instance
  @payload_instance
end

#session_countObject

The number of active sessions created by this instance


1630
1631
1632
# File 'lib/msf/core/exploit.rb', line 1630

def session_count
  @session_count
end

#successfulObject

The boolean indicating whether the exploit succeeded


1635
1636
1637
# File 'lib/msf/core/exploit.rb', line 1635

def successful
  @successful
end

#targetsObject

The list of targets.


1608
1609
1610
# File 'lib/msf/core/exploit.rb', line 1608

def targets
  @targets
end

Class Method Details

.mixinsArray

Returns an array of all of the exploit mixins. Lame algorithm right now. We search the Msf::Exploit namespace for all modules that do not have any constants in them. In the future we can replace this with a better algorithm. It's just important that it returns an array of all of the mixin modules.

Returns:

  • (Array)

299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
# File 'lib/msf/core/exploit.rb', line 299

def self.mixins
  mixins  = []
  wl      = [ Msf::Exploit ]
  visited = {}

  until wl.length == 0
    wl.delete_if { |mod|
      mod.constants.each { |const|
        child = mod.const_get(const)

        next if child.to_s !~ /^Msf::Exploit/

        next if visited[child]

        next if child.kind_of?(::Module) == false

        visited[child] = true

        if child.constants.length > 0
          wl << child
        else
          mixins << child
        end
      }

      true
    }
  end

  return mixins
end

.typeObject

Returns MODULE_EXPLOIT to indicate that this is an exploit module.


679
680
681
# File 'lib/msf/core/exploit.rb', line 679

def self.type
  Msf::MODULE_EXPLOIT
end

Instance Method Details

#add_handler(opts = {}) ⇒ Object

Allows the payload handler to spawn a new monitor


558
559
560
561
562
# File 'lib/msf/core/exploit.rb', line 558

def add_handler(opts={})
  return if not payload_instance
  return if not handler_enabled?
  payload_instance.add_handler(opts)
end

#aggressive?Boolean

Returns true if the exploit has an aggressive stance.

Returns:

  • (Boolean)

707
708
709
# File 'lib/msf/core/exploit.rb', line 707

def aggressive?
  stance.include?(Stance::Aggressive)
end

#autofilterObject

Performs last-minute sanity checking of exploit parameters. This method is called during automated exploitation attempts and allows an exploit to filter bad targets, obtain more information, and choose better targets based on the available data. Returning anything that evaluates to “false” will cause this specific exploit attempt to be skipped. This method can and will change datastore values and may interact with the backend database.


440
441
442
# File 'lib/msf/core/exploit.rb', line 440

def autofilter
  true
end

#autofilter_portsObject

Provides a list of ports that can be used for matching this module against target systems.


448
449
450
# File 'lib/msf/core/exploit.rb', line 448

def autofilter_ports
  @autofilter_ports || []
end

#autofilter_servicesObject

Provides a list of services that can be used for matching this module against target systems.


456
457
458
# File 'lib/msf/core/exploit.rb', line 456

def autofilter_services
  @autofilter_services || []
end

#cleanupObject

Performs any cleanup that may be necessary, such as disconnecting connections and any other such fun things. If a payload is active then its handler cleanup routines are called as well.


510
511
512
513
514
515
# File 'lib/msf/core/exploit.rb', line 510

def cleanup
  if (payload_instance and handler_enabled?)
    payload_instance.cleanup_handler
  end
  self.abort_sockets if self.respond_to?(:abort_sockets)
end

#compatible_encodersObject

Returns a list of compatible encoders based on architecture


843
844
845
846
847
848
849
850
851
852
853
854
# File 'lib/msf/core/exploit.rb', line 843

def compatible_encoders
  encoders = []

  c_platform, c_arch = normalize_platform_arch

  framework.encoders.each_module_ranked(
    'Arch' => c_arch, 'Platform' => c_platform) { |name, mod|
    encoders << [ name, mod ]
  }

  return encoders;
end

#compatible_payloads(excluded_platforms: [], excluded_archs: []) ⇒ Object

Returns a list of compatible payloads based on platform, architecture, and size requirements.


819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
# File 'lib/msf/core/exploit.rb', line 819

def compatible_payloads(excluded_platforms: [], excluded_archs: [])
  payloads = []

  c_platform, c_arch = normalize_platform_arch

  # The "All" platform name represents generic payloads
  results = Msf::Modules::Metadata::Cache.instance.find(
    'type'     => [['payload'], []],
    'platform' => [[*c_platform.names, 'All'], excluded_platforms],
    'arch'     => [c_arch, excluded_archs]
  )

  results.each do |res|
    if is_payload_compatible?(res.ref_name)
      payloads << [res.ref_name, framework.payloads[res.ref_name]]
    end
  end

  payloads
end

#define_context_encoding_reqs(reqs) ⇒ Object (protected)

Gets the memory map file and other context information that is required when wanting to support context keyed encoding


1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
# File 'lib/msf/core/exploit.rb', line 1696

def define_context_encoding_reqs(reqs)
  return unless datastore['EnableContextEncoding']

  # At present, we don't support any automatic methods of obtaining
  # context information.  In the future, we might support obtaining
  # temporal information remotely.

  # Pass along the information specified in our exploit datastore as
  # encoder options
  reqs['EncoderOptions'] = {} if reqs['EncoderOptions'].nil?
  reqs['EncoderOptions']['EnableContextEncoding']  = datastore['EnableContextEncoding']
  reqs['EncoderOptions']['ContextInformationFile'] = datastore['ContextInformationFile']
end

#encode_begin(real_payload, reqs) ⇒ Object

Called prior to encoding a payload.


657
658
# File 'lib/msf/core/exploit.rb', line 657

def encode_begin(real_payload, reqs)
end

#encode_end(real_payload, reqs, encoded) ⇒ Object

Called after an encoded payload has been generated. This gives exploits or mixins a chance to alter the encoded payload.


664
665
666
# File 'lib/msf/core/exploit.rb', line 664

def encode_end(real_payload, reqs, encoded)
  encoded
end

#encode_shellcode_stub(code, badchars = payload_badchars) ⇒ Object

Allows arbitrary shellcode to be encoded from within an exploit


539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
# File 'lib/msf/core/exploit.rb', line 539

def encode_shellcode_stub(code, badchars=payload_badchars)
  platform = self.platform
  if(self.payload_instance)
    self.payload_instance.platform
  end
  compatible_encoders.each do |name, mod|
    begin
      enc = framework.encoders.create(name)
      raw = enc.encode(code, badchars, nil, platform)
      return raw if raw
    rescue ::Exception
    end
  end
  nil
end

#exploitObject

Kicks off the actual exploit. Prior to this call, the framework will have validated the data store using the options associated with this exploit module. It will also pre-generate the desired payload, though exploits can re-generate the payload if necessary.

This method is designed to be overriden by exploit modules.


428
429
# File 'lib/msf/core/exploit.rb', line 428

def exploit
end

#exploit_typeObject

If we don't know the exploit type, then I guess it's omnipresent!


693
694
695
# File 'lib/msf/core/exploit.rb', line 693

def exploit_type
  Type::Omni
end

#fail_with(reason, msg = nil) ⇒ void

This method returns an undefined value.

Raises a Msf::Exploit::Failed exception. It overrides the fail_with method in lib/msf/core/module.rb

Examples:

fail_with(Msf::Module::Failure::NoAccess, 'Unable to login to upload payload')

Parameters:

  • reason (String)

    A constant from Msf::Module::Failure. If the reason does not come from there, then it will default to Msf::Module::Failure::Unknown.

  • msg (String) (defaults to: nil)

    (Optional) A message about the failure.

Raises:

See Also:


1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
# File 'lib/msf/core/exploit.rb', line 1434

def fail_with(reason,msg=nil)
  # The reason being registered here will be used later on, so it's important we don't actually
  # provide a made-up one.
  allowed_values = Msf::Module::Failure.constants.collect {|e| Msf::Module::Failure.const_get(e)}
  if allowed_values.include?(reason)
    self.fail_reason = reason
  else
    self.fail_reason = Msf::Module::Failure::Unknown
  end

  self.fail_detail = msg
  raise Msf::Exploit::Failed, (msg || "No failure message given")
end

#generate_payload(pinst = nil) ⇒ Object

Generates the encoded version of the supplied payload using the payload requirements specific to this exploit. The encoded instance is returned to the caller. This method is exposed in the manner that it is such that passive exploits and re-generate an encoded payload on the fly rather than having to use the pre-generated one.

The return value is an EncodedPayload instance.


526
527
528
529
530
531
532
533
534
# File 'lib/msf/core/exploit.rb', line 526

def generate_payload(pinst = nil)
  # Set the encoded payload to the result of the encoding process
  self.payload = generate_single_payload(pinst)

  # Save the payload instance
  self.payload_instance = (pinst) ? pinst : self.payload_instance

  return self.payload
end

#generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil) ⇒ Object

This method generates a non-cached payload which is typically useful for passive exploits that will have more than one client.


568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
# File 'lib/msf/core/exploit.rb', line 568

def generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil)
  explicit_target ||= target

  if (explicit_target == nil)
    raise MissingTargetError, "No target has been specified.",
      caller
  end

  # If a payload instance was supplied, use it, otherwise
  # use the active payload instance
  real_payload = (pinst) ? pinst : self.payload_instance

  if (real_payload == nil)
    raise MissingPayloadError, "No payload has been selected.",
      caller
  end

  # If this is a generic payload, then we should specify the platform
  # and architecture so that it knows how to pass things on.
  if real_payload.kind_of?(Msf::Payload::Generic)
    # Convert the architecture specified into an array.
    if arch and arch.kind_of?(String)
      arch = [ arch ]
    end

    # Define the explicit platform and architecture information only if
    # it's been specified.
    if platform
      real_payload.explicit_platform = Msf::Module::PlatformList.transform(platform)
    end

    if arch
      real_payload.explicit_arch = arch
    end

    # Force it to reset so that it will find updated information.
    real_payload.reset
  end

  # Duplicate the exploit payload requirements
  reqs = self.payload_info.dup

  # Pass save register requirements to the NOP generator
  reqs['Space']           = payload_space(explicit_target)
  reqs['SaveRegisters']   = nop_save_registers(explicit_target)
  reqs['Prepend']         = payload_prepend(explicit_target)
  reqs['PrependEncoder']  = payload_prepend_encoder(explicit_target)
  reqs['BadChars']        = payload_badchars(explicit_target)
  reqs['Append']          = payload_append(explicit_target)
  reqs['AppendEncoder']   = payload_append_encoder(explicit_target)
  reqs['DisableNops']     = payload_disable_nops(explicit_target)
  reqs['MaxNops']         = payload_max_nops(explicit_target)
  reqs['MinNops']         = payload_min_nops(explicit_target)
  reqs['Encoder']         = datastore['ENCODER'] || payload_encoder(explicit_target)
  reqs['Nop']             = datastore['NOP'] || payload_nop(explicit_target)
  reqs['EncoderType']     = payload_encoder_type(explicit_target)
  reqs['EncoderOptions']  = payload_encoder_options(explicit_target)
  reqs['ExtendedOptions'] = payload_extended_options(explicit_target)
  reqs['Exploit']         = self

  # Pass along the encoder don't fall through flag
  reqs['EncoderDontFallThrough'] = datastore['EncoderDontFallThrough']

  # Incorporate any context encoding requirements that are needed
  define_context_encoding_reqs(reqs)

  # Call the encode begin routine.
  encode_begin(real_payload, reqs)

  # Generate the encoded payload.
  encoded = EncodedPayload.create(real_payload, reqs)

  # Call the encode end routine which is expected to return the actual
  # encoded payload instance.
  return encode_end(real_payload, reqs, encoded)
end

#handle_exception(e) ⇒ Object

Handle the exception


1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
# File 'lib/msf/core/exploit.rb', line 1465

def handle_exception e
  msg = setup_fail_detail_from_exception e

  case e
    when Msf::Exploit::Complete
      # Nothing to show in this case
      return

    when Msf::Exploit::Failed
      self.print_error("Exploit aborted due to failure: #{self.fail_reason}: #{msg}")

      # The caller should have already set self.fail_reason
      if self.fail_reason == Msf::Exploit::Failure::None
        self.fail_reason = Msf::Exploit::Failure::Unknown
      end

    when Rex::ConnectionError
      self.fail_reason = Msf::Exploit::Failure::Unreachable
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when Rex::BindFailed
      self.fail_reason = Msf::Exploit::Failure::BadConfig
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when Timeout::Error
      self.fail_reason = Msf::Exploit::Failure::TimeoutExpired
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)

    when ::Interrupt
      self.fail_reason = Msf::Exploit::Failure::UserInterrupt
      self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      elog("Exploit failed (#{self.refname}): #{msg}", error: e)
    else

      # Compare as a string since not all error classes may be loaded
      case msg
        when /access.denied|Login Failed/i # Covers SMB as well as some generic errors
          self.fail_reason = Msf::Exploit::Failure::NoAccess
        when /connection reset/i
          self.fail_reason = Msf::Exploit::Failure::Disconnected
        when /connection timed out|SSL_connect|unreachable|connection was refused/i
          self.fail_reason = Msf::Exploit::Failure::Unreachable
        when /unable.*target/i
          self.fail_reason = Msf::Exploit::Failure::NoTarget
        when /execution expired/i
          self.fail_reason = Msf::Exploit::Failure::TimeoutExpired
        when /(doesn.t|not).*vulnerable|may.*patched/i
          self.fail_reason = Msf::Exploit::Failure::NotVulnerable
      end

      # The caller should have already set self.fail_reason
      if self.fail_reason == Msf::Exploit::Failure::None
        self.fail_reason = Msf::Exploit::Failure::Unknown
      end

      if self.fail_reason == Msf::Exploit::Failure::Unknown
        self.print_error("Exploit failed: #{msg}")
      else
        self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
      end

      elog("Exploit failed (#{self.refname}): #{msg}", error: e)
  end

  # Record the error to various places
  self.framework.events.on_module_error(self, msg)

  # Report the failure (and attempt) in the database
  self.report_failure

  # Interrupt any session waiters in the handler
  self.interrupt_handler

  return self.fail_reason
end

#handler(*args) ⇒ Object

Passes the connection to the associated payload handler to see if the exploit succeeded and a connection has been established. The return value can be one of the Handler::constants.


1372
1373
1374
1375
1376
# File 'lib/msf/core/exploit.rb', line 1372

def handler(*args)
  if payload_instance && handler_enabled?
    payload_instance.handler(*args)
  end
end

#handler_bind?Boolean

If the payload uses a bind handler

Returns:

  • (Boolean)

1357
1358
1359
# File 'lib/msf/core/exploit.rb', line 1357

def handler_bind?
  payload_instance && payload_instance.connection_type == 'bind'
end

#handler_enabled?Boolean

Allow the user to disable the payload handler

Returns:

  • (Boolean)

1350
1351
1352
# File 'lib/msf/core/exploit.rb', line 1350

def handler_enabled?
  !datastore['DisablePayloadHandler']
end

#has_auto_target?(targets = []) ⇒ Boolean

Returns:

  • (Boolean)

402
403
404
405
406
407
408
# File 'lib/msf/core/exploit.rb', line 402

def has_auto_target?(targets=[])
  target_names = targets.collect { |target| target.first}
  target_names.each do |target|
    return true if target =~ /Automatic/
  end
  return false
end

#init_compatObject (protected)

Overrides the base class method and serves to initialize default compatibilities for exploits


1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
# File 'lib/msf/core/exploit.rb', line 1671

def init_compat
  super

  #
  # Merge in payload compatible defaults
  #
  p = module_info['Compat']['Payload']

  CompatDefaults::Payload.each_pair { |k,v|
    (p[k]) ? p[k] << " #{v}" : p[k] = v
  }

  #
  # Set the default save registers if none have been explicitly
  # specified.
  #
  if (module_info['SaveRegisters'] == nil)
    module_info['SaveRegisters'] = [ 'esp', 'ebp' ]
  end
end

#interrupt_handlerObject


1378
1379
1380
1381
1382
# File 'lib/msf/core/exploit.rb', line 1378

def interrupt_handler
  if payload_instance && handler_enabled? && payload_instance.respond_to?(:interrupt_wait_for_session)
    payload_instance.interrupt_wait_for_session()
  end
end

#is_payload_compatible?(name) ⇒ TrueClass, FalseClass

Returns whether the requested payload is compatible with the module.

Parameters:

  • payload_name (String)

    The payload name

Returns:

  • (TrueClass)

    Payload is compatible.

  • (FalseClass)

    Payload is not compatible.


792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
# File 'lib/msf/core/exploit.rb', line 792

def is_payload_compatible?(name)
  p = framework.payloads[name]

  return false unless p

  # Skip over payloads that are too big
  return false if payload_space && p.cached_size && p.cached_size > payload_space

  pi = p.new

  # Are we compatible in terms of conventions and connections and
  # what not?
  return false if !compatible?(pi)

  if self.needs_cleanup && !pi.can_cleanup
    return false
  end

  # If the payload is privileged but the exploit does not give
  # privileged access, then fail it.
  return false if !self.privileged && pi.privileged

  return true
end

#make_fast_nops(count) ⇒ String

Generates a NOP sled using the #make_nops method. The difference between this and #make_nops is this method is much faster, good for exploit developers that actually want huge chunks of NOPs. The downside of using this is the NOP sled is less randomized.

Parameters:

  • count (String)

    Number of NOPs to return.

Returns:

  • (String)

    NOPs


1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
# File 'lib/msf/core/exploit.rb', line 1141

def make_fast_nops(count)
  max_nop_chunk_size = 100

  if count < max_nop_chunk_size
    return make_nops(count)
  end

  nops = make_nops(max_nop_chunk_size)
  nops += nops while nops.length < count

  nops[0, count]
end

#make_nops(count) ⇒ Object

Generates a nop sled of a supplied length and returns it to the caller.


1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
# File 'lib/msf/core/exploit.rb', line 1158

def make_nops(count)
  # If we're debugging, then make_nops will return a safe sled.  We
  # currently assume x86.
  if debugging?
    return "\x90" * count
  end

  nop_sled = nil

  # If there is no payload instance then we can't succeed.
  return nil if (!payload_instance)

  payload_instance.compatible_nops.each { |nopname, nopmod|
    # Create an instance of the nop module
    nop = nopmod.new

    # The list of save registers
    save_regs = nop_save_registers || []

    if (save_regs.empty? == true)
      save_regs = nil
    end

    begin
      nop.copy_ui(self)

      nop_sled = nop.generate_sled(count,
        'BadChars'      => payload_badchars || '',
        'SaveRegisters' => save_regs)

      if nop_sled && nop_sled.length == count
        break
      else
        wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit", 'core', LEV_0)
      end
    rescue
      wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit: #{$!}",
        'core', LEV_0)
    end
  }

  nop_sled
end

#nop_generatorObject

Returns the first compatible NOP generator for this exploit's payload instance.


1123
1124
1125
1126
1127
1128
1129
# File 'lib/msf/core/exploit.rb', line 1123

def nop_generator
  return nil if (!payload_instance)

  payload_instance.compatible_nops.each { |nopname, nopmod|
    return nopmod.new
  }
end

#nop_save_registers(explicit_target = nil) ⇒ Object

Returns the list of registers that the NOP generator should save, if any. It will use the current target's save registers in precedence over those defined globally for the exploit module.

If there are no save registers, nil is returned.


1109
1110
1111
1112
1113
1114
1115
1116
1117
# File 'lib/msf/core/exploit.rb', line 1109

def nop_save_registers(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.save_registers)
    return explicit_target.save_registers
  else
    return module_info['SaveRegisters']
  end
end

#normalize_platform_archObject


778
779
780
781
782
783
# File 'lib/msf/core/exploit.rb', line 778

def normalize_platform_arch
  c_platform = (target && target.platform) ? target.platform : platform
  c_arch     = (target && target.arch)     ? target.arch     : (arch == []) ? nil : arch
  c_arch   ||= [ ARCH_X86 ]
  return c_platform, c_arch
end

#on_new_session(session) ⇒ Object

This is called by the payload when a new session is created


1393
1394
1395
1396
# File 'lib/msf/core/exploit.rb', line 1393

def on_new_session(session)
  self.session_count += 1
  self.successful = true
end

#passive?Boolean

Returns if the exploit has a passive stance. Aggressive exploits are always aggressive.

Returns:

  • (Boolean)

714
715
716
# File 'lib/msf/core/exploit.rb', line 714

def passive?
  stance.include?(Stance::Passive) && !stance.include?(Stance::Aggressive)
end

#pattern_create(length, sets = nil) ⇒ Object

Generate a non-repeating static random string


1336
1337
1338
# File 'lib/msf/core/exploit.rb', line 1336

def pattern_create(length, sets = nil)
  Rex::Text.pattern_create(length, sets)
end

#payload_append(explicit_target = nil) ⇒ Object

Return any text that should be appended to the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


908
909
910
911
912
913
914
915
916
# File 'lib/msf/core/exploit.rb', line 908

def payload_append(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_append)
    explicit_target.payload_append
  else
    payload_info['Append'] || ''
  end
end

#payload_append_encoder(explicit_target = nil) ⇒ Object

Return any text that should be appended to the encoder of the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


940
941
942
943
944
945
946
947
948
949
950
# File 'lib/msf/core/exploit.rb', line 940

def payload_append_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_append_encoder)
    p = explicit_target.payload_append_encoder
  else
    p = payload_info['AppendEncoder'] || ''
  end

  p
end

#payload_badchars(explicit_target = nil) ⇒ Object

Returns the bad characters that cannot be in any payload used by this exploit.


1012
1013
1014
1015
1016
1017
1018
1019
1020
# File 'lib/msf/core/exploit.rb', line 1012

def payload_badchars(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_badchars)
    explicit_target.payload_badchars
  else
    payload_info['BadChars']
  end
end

#payload_disable_nops(explicit_target = nil) ⇒ Object

Whether NOP generation should be enabled or disabled


955
956
957
958
959
960
961
962
963
# File 'lib/msf/core/exploit.rb', line 955

def payload_disable_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_disable_nops)
    explicit_target.payload_disable_nops
  else
    payload_info['DisableNops']
  end
end

#payload_encoder(explicit_target = nil) ⇒ Object

Returns the payload encoder that is associated with either the current target or the exploit in general.


1026
1027
1028
1029
1030
1031
1032
1033
1034
# File 'lib/msf/core/exploit.rb', line 1026

def payload_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder)
    explicit_target.payload_encoder
  else
    payload_info['Encoder']
  end
end

#payload_encoder_options(explicit_target = nil) ⇒ Object

Returns the payload encoder option hash that is used to initialize the datastore of the encoder that is selected when generating an encoded payload.


1069
1070
1071
1072
1073
1074
1075
1076
1077
# File 'lib/msf/core/exploit.rb', line 1069

def payload_encoder_options(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder_options)
    explicit_target.payload_encoder_options
  else
    payload_info['EncoderOptions']
  end
end

#payload_encoder_type(explicit_target = nil) ⇒ Object

Returns the payload encoder type that is associated with either the current target or the exploit in general.


1054
1055
1056
1057
1058
1059
1060
1061
1062
# File 'lib/msf/core/exploit.rb', line 1054

def payload_encoder_type(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_encoder_type)
    explicit_target.payload_encoder_type
  else
    payload_info['EncoderType']
  end
end

#payload_extended_options(explicit_target = nil) ⇒ Object

Returns the payload extended options hash which is used to provide a location to store extended information that may be useful to a particular type of payload or mixin.


1084
1085
1086
1087
1088
1089
1090
1091
1092
# File 'lib/msf/core/exploit.rb', line 1084

def payload_extended_options(explicit_target = nil)
  explicit_target ||= target

  if explicit_target and explicit_target.payload_extended_options
    explicit_target.payload_extended_options
  else
    payload_info['ExtendedOptions']
  end
end

#payload_max_nops(explicit_target = nil) ⇒ Object

Maximum number of nops to use as a hint to the framework. Nil signifies that the framework should decide.


969
970
971
972
973
974
975
976
977
# File 'lib/msf/core/exploit.rb', line 969

def payload_max_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_max_nops)
    explicit_target.payload_max_nops
  else
    payload_info['MaxNops'] || nil
  end
end

#payload_min_nops(explicit_target = nil) ⇒ Object

Minimum number of nops to use as a hint to the framework. Nil signifies that the framework should decide.


983
984
985
986
987
988
989
990
991
# File 'lib/msf/core/exploit.rb', line 983

def payload_min_nops(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_min_nops)
    explicit_target.payload_min_nops
  else
    payload_info['MinNops'] || nil
  end
end

#payload_nop(explicit_target = nil) ⇒ Object

Returns the payload NOP generator that is associated with either the current target or the exploit in general.


1040
1041
1042
1043
1044
1045
1046
1047
1048
# File 'lib/msf/core/exploit.rb', line 1040

def payload_nop(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_nop)
    explicit_target.payload_nop
  else
    payload_info['Nop']
  end
end

#payload_prepend(explicit_target = nil) ⇒ Object

Return any text that should be prepended to the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit. This automatically takes into account any require stack adjustments.


891
892
893
894
895
896
897
898
899
900
901
# File 'lib/msf/core/exploit.rb', line 891

def payload_prepend(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_prepend)
    p = explicit_target.payload_prepend
  else
    p = payload_info['Prepend'] || ''
  end

  stack_adjustment + p
end

#payload_prepend_encoder(explicit_target = nil) ⇒ Object

Return any text that should be prepended to the encoder of the payload. The payload module is passed so that the exploit can take a guess at architecture and platform if it's a multi exploit.


923
924
925
926
927
928
929
930
931
932
933
# File 'lib/msf/core/exploit.rb', line 923

def payload_prepend_encoder(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_prepend_encoder)
    p = explicit_target.payload_prepend_encoder
  else
    p = payload_info['PrependEncoder'] || ''
  end

  p
end

#payload_space(explicit_target = nil) ⇒ Object

Returns the maximum amount of room the exploit has for a payload.


996
997
998
999
1000
1001
1002
1003
1004
1005
1006
# File 'lib/msf/core/exploit.rb', line 996

def payload_space(explicit_target = nil)
  explicit_target ||= target

  if (explicit_target and explicit_target.payload_space)
    explicit_target.payload_space
  elsif (payload_info['Space'])
    payload_info['Space'].to_i
  else
    nil
  end
end

#rand_char(bad = payload_badchars) ⇒ Object

Generate a random character avoiding the exploit's bad characters.


1325
1326
1327
1328
1329
1330
1331
# File 'lib/msf/core/exploit.rb', line 1325

def rand_char(bad=payload_badchars)
  if debugging?
    "A"
  else
    Rex::Text.rand_char(bad)
  end
end

#rand_text(length, bad = payload_badchars) ⇒ Object

Generate random text characters avoiding the exploit's bad characters.


1217
1218
1219
1220
1221
1222
1223
# File 'lib/msf/core/exploit.rb', line 1217

def rand_text(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text(length, bad)
  end
end

#rand_text_alpha(length, bad = payload_badchars) ⇒ Object

Generate random alpha characters avoiding the exploit's bad characters.


1253
1254
1255
1256
1257
1258
1259
# File 'lib/msf/core/exploit.rb', line 1253

def rand_text_alpha(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alpha(length, bad)
  end
end

#rand_text_alpha_lower(length, bad = payload_badchars) ⇒ Object

Generate random alpha lower characters avoiding the exploit's bad characters.


1277
1278
1279
1280
1281
1282
1283
# File 'lib/msf/core/exploit.rb', line 1277

def rand_text_alpha_lower(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, 'a')
  else
    Rex::Text.rand_text_alpha_lower(length, bad)
  end
end

#rand_text_alpha_upper(length, bad = payload_badchars) ⇒ Object

Generate random alpha upper characters avoiding the exploit's bad characters.


1265
1266
1267
1268
1269
1270
1271
# File 'lib/msf/core/exploit.rb', line 1265

def rand_text_alpha_upper(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alpha_upper(length, bad)
  end
end

#rand_text_alphanumeric(length, bad = payload_badchars) ⇒ Object

Generate random alphanumeric characters avoiding the exploit's bad characters.


1289
1290
1291
1292
1293
1294
1295
# File 'lib/msf/core/exploit.rb', line 1289

def rand_text_alphanumeric(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_alphanumeric(length, bad)
  end
end

#rand_text_debug(length, char = 'A') ⇒ Object

Utility methods for generating random text that implicitly uses the exploit's bad character set.


1209
1210
1211
# File 'lib/msf/core/exploit.rb', line 1209

def rand_text_debug(length, char = 'A')
  char * (length.kind_of?(Range) ? length.first : length)
end

#rand_text_english(length, bad = payload_badchars) ⇒ Object

Generate random english-like avoiding the exploit's bad characters.


1229
1230
1231
1232
1233
1234
1235
# File 'lib/msf/core/exploit.rb', line 1229

def rand_text_english(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_english(length, bad)
  end
end

#rand_text_hex(length, bad = payload_badchars) ⇒ Object

Generate random hexadecimal characters avoiding the exploit's bad characters.


1313
1314
1315
1316
1317
1318
1319
# File 'lib/msf/core/exploit.rb', line 1313

def rand_text_hex(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, '0')
  else
    Rex::Text.rand_text_hex(length, bad)
  end
end

#rand_text_highascii(length, bad = payload_badchars) ⇒ Object

Generate random high ascii characters avoiding the exploit's bad characters.


1241
1242
1243
1244
1245
1246
1247
# File 'lib/msf/core/exploit.rb', line 1241

def rand_text_highascii(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length)
  else
    Rex::Text.rand_text_highascii(length, bad)
  end
end

#rand_text_numeric(length, bad = payload_badchars) ⇒ Object

Generate random numeric characters avoiding the exploit's bad characters.


1301
1302
1303
1304
1305
1306
1307
# File 'lib/msf/core/exploit.rb', line 1301

def rand_text_numeric(length, bad=payload_badchars)
  if debugging?
    rand_text_debug(length, '0')
  else
    Rex::Text.rand_text_numeric(length, bad)
  end
end

#regenerate_payload(platform = nil, arch = nil, explicit_target = nil) ⇒ Object Also known as: exploit_regenerate_payload

Re-generates an encoded payload, typically called after something in the datastore has changed. An optional platform and architecture can be supplied as well.


650
651
652
# File 'lib/msf/core/exploit.rb', line 650

def regenerate_payload(platform = nil, arch = nil, explicit_target = nil)
  generate_single_payload(nil, platform, arch, explicit_target)
end

#register_autofilter_ports(ports = []) ⇒ Object

Adds a port into the list of ports


463
464
465
466
467
468
# File 'lib/msf/core/exploit.rb', line 463

def register_autofilter_ports(ports=[])
  @autofilter_ports ||= []
  @autofilter_ports << ports
  @autofilter_ports.flatten!
  @autofilter_ports.uniq!
end

#register_autofilter_services(services = []) ⇒ Object


470
471
472
473
474
475
# File 'lib/msf/core/exploit.rb', line 470

def register_autofilter_services(services=[])
  @autofilter_services ||= []
  @autofilter_services << services
  @autofilter_services.flatten!
  @autofilter_services.uniq!
end

#report_failureObject


1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
# File 'lib/msf/core/exploit.rb', line 1544

def report_failure
  return unless framework.db and framework.db.active

  info = {
    :timestamp   => Time.now.utc,
    :workspace   => framework.db.find_workspace(self.workspace),
    :module      => self.fullname,
    :fail_reason => self.fail_reason,
    :fail_detail => self.fail_detail,
    :target_name => self.target.name,
    :username    => self.owner,
    :refs        => self.references,
    :run_id      => self.datastore['RUN_ID']
  }

  if self.datastore['RHOST'] and self.options['RHOST']
    info[:host] = self.datastore['RHOST']
  end

  if self.datastore['RPORT'] and self.options['RPORT']
    info[:port] = self.datastore['RPORT']
    if self.class.ancestors.include?(Msf::Exploit::Remote::Tcp)
      info[:proto] = 'tcp'
    end
  end

  framework.db.report_exploit_failure(info)
end

#reset_session_countsObject

Reset the session counter to zero (which occurs during set up of the exploit prior to calling exploit).


1412
1413
1414
# File 'lib/msf/core/exploit.rb', line 1412

def reset_session_counts
  self.session_count = 0
end

#session_created?Boolean

A boolean for whether a session has been created yet

Returns:

  • (Boolean)

1401
1402
1403
1404
1405
1406
# File 'lib/msf/core/exploit.rb', line 1401

def session_created?
  # Start bind handlers before checking session creation
  payload_instance.start_handler if handler_bind?

  (self.session_count > 0) ? true : false
end

#setupObject

Prepares the module for exploitation, initializes any state, and starts the payload handler.


481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
# File 'lib/msf/core/exploit.rb', line 481

def setup
  alert_user

  # Reset the session counts to zero.
  reset_session_counts

  return if not payload_instance
  return if not handler_enabled?

  # Configure the payload handler
  payload_instance.exploit_config = {
    'active_timeout' => self.active_timeout
  }

  # Set up the payload handlers
  payload_instance.setup_handler

  # Defer starting bind handlers until after exploit completion
  return if handler_bind?

  # Start the payload handler
  payload_instance.start_handler
end

#setup_fail_detail_from_exception(e) ⇒ Object


1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
# File 'lib/msf/core/exploit.rb', line 1448

def setup_fail_detail_from_exception e
  # Build a user-friendly error message
  msg = "#{e}"
  unless e.class == Msf::Exploit::Failed
    msg = "#{e.class} #{e}"
  end

  self.error = e

  # Record the detailed reason
  self.fail_detail ||= e.to_s
  msg
end

#stack_adjustmentObject

This method returns the encoded instruction(s) required to adjust the stack pointer prior to executing any code. The number of bytes to adjust is indicated to the routine through the payload 'StackAdjustment' attribute or through a target's payload 'StackAdjustment' attribute.


862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
# File 'lib/msf/core/exploit.rb', line 862

def stack_adjustment
  if target && target.payload_stack_adjustment
    adj = target.payload_stack_adjustment
  else
    adj = payload_info['StackAdjustment']
  end

  return '' unless adj

  # Get the architecture for the current target or use the one specific to
  # this exploit
  arch = (target && target.arch) ? target.arch : self.arch

  # Default to x86 if we can't find a list of architectures
  if arch && !arch.empty?
    arch = [arch].flatten.join(', ')
  else
    arch = 'x86'
  end

  Rex::Arch::adjust_stack_pointer(arch, adj) || ''
end

#stanceObject

Generally, all exploits take an aggressive stance.


700
701
702
# File 'lib/msf/core/exploit.rb', line 700

def stance
  module_info['Stance'] || Stance::Aggressive
end

#targetObject

Returns the active target for this exploit. If not target has been defined, nil is returned. If no target was defined but there is a default target, that one will be automatically used.


723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
# File 'lib/msf/core/exploit.rb', line 723

def target
  if self.respond_to?(:auto_targeted_index)
    if auto_target?
      auto_idx = auto_targeted_index
      if auto_idx.present?
        datastore['TARGET'] = auto_idx
      else
        # If our inserted Automatic Target was selected but we failed to
        # find a suitable target, we just grab the original first target.
        datastore['TARGET'] = 1
      end
    end
  end

  target_idx = target_index
  return (target_idx) ? targets[target_idx.to_i] : nil
end

#target_archObject

Returns the target's architecture, or the one assigned to the module itself.


774
775
776
# File 'lib/msf/core/exploit.rb', line 774

def target_arch
  (target and target.arch) ? target.arch : (arch == []) ? nil : arch
end

#target_indexObject

The target index that has been selected.


744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
# File 'lib/msf/core/exploit.rb', line 744

def target_index
  target_idx =
    begin
      Integer(datastore['TARGET'])
    rescue TypeError, ArgumentError
      datastore['TARGET']
    end

  default_idx = default_target || 0
  # Use the default target if one was not supplied.
  if (target_idx == nil and default_idx and default_idx >= 0)
    target_idx = default_idx
  elsif target_idx.is_a?(String)
    target_idx = targets.index { |target| target.name == target_idx }
  end

  return (target_idx) ? target_idx.to_i : nil
end

#target_platformObject

Returns the target's platform, or the one assigned to the module itself.


766
767
768
# File 'lib/msf/core/exploit.rb', line 766

def target_platform
  (target and target.platform) ? target.platform : platform
end

#typeObject

Returns MODULE_EXPLOIT to indicate that this is an exploit module.


686
687
688
# File 'lib/msf/core/exploit.rb', line 686

def type
  Msf::MODULE_EXPLOIT
end

#wfs_delayObject

The default “wait for session” delay is zero for all exploits.


1343
1344
1345
# File 'lib/msf/core/exploit.rb', line 1343

def wfs_delay
  (datastore['WfsDelay'] || 0).to_i
end