Class: Msf::ExploitDriver

Inherits:
Object
  • Object
show all
Defined in:
lib/msf/core/exploit_driver.rb

Overview

This class drives the exploitation process from start to finish for a given exploit module instance. It's responsible for payload generation, encoding, and padding as well as initialization handlers and finally launching the exploit.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(framework) ⇒ ExploitDriver

Initializes the exploit driver using the supplied framework instance.


19
20
21
22
23
24
25
# File 'lib/msf/core/exploit_driver.rb', line 19

def initialize(framework)
  self.payload                = nil
  self.exploit                = nil
  self.use_job                = false
  self.job_id                 = nil
  self.force_wait_for_session = false
end

Instance Attribute Details

#exploitObject

Returns the value of attribute exploit


173
174
175
# File 'lib/msf/core/exploit_driver.rb', line 173

def exploit
  @exploit
end

#force_wait_for_sessionObject

:nodoc:


181
182
183
# File 'lib/msf/core/exploit_driver.rb', line 181

def force_wait_for_session
  @force_wait_for_session
end

#job_idObject

The identifier of the job this exploit is launched as, if it's run as a job.


180
181
182
# File 'lib/msf/core/exploit_driver.rb', line 180

def job_id
  @job_id
end

#payloadObject

Returns the value of attribute payload


174
175
176
# File 'lib/msf/core/exploit_driver.rb', line 174

def payload
  @payload
end

#sessionObject

:nodoc:


182
183
184
# File 'lib/msf/core/exploit_driver.rb', line 182

def session
  @session
end

#use_jobObject

:nodoc: :nodoc: :nodoc:


175
176
177
# File 'lib/msf/core/exploit_driver.rb', line 175

def use_job
  @use_job
end

Instance Method Details

#compatible_payload?(payload) ⇒ Boolean

Checks to see if the supplied payload is compatible with the current exploit. Assumes that target_idx is valid.


53
54
55
56
57
58
# File 'lib/msf/core/exploit_driver.rb', line 53

def compatible_payload?(payload)
  # Try to use the target's platform in preference of the exploit's
  exp_platform = exploit.targets[target_idx].platform || exploit.platform

  return ((payload.platform & exp_platform).empty? == false)
end

#runObject

Kicks off an exploitation attempt and performs the following four major operations:

- Generates the payload
- Initializes & monitors the handler
- Launches the exploit
- Cleans up the handler

114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# File 'lib/msf/core/exploit_driver.rb', line 114

def run

  # First thing's first -- validate the state.  Make sure all requirement
  # parameters are set, including those that are derived from the
  # datastore.
  validate()

  # After validation has occurred, it's time to set some values on the
  # exploit instance and begin preparing the payload
  exploit.datastore['TARGET'] = target_idx

  # Default the session to nil
  self.session = nil

  # Explicitly clear the module's job_id in case it was set in a previous
  # run
  exploit.job_id = nil

  # If we are being instructed to run as a job then let's create that job
  # like a good person.
  if (use_job or exploit.stance == Msf::Exploit::Stance::Passive)
    # Since references to the exploit and payload will hang around for
    # awhile in the job, make sure we copy them so further changes to
    # the datastore don't alter settings in existing jobs
    e = exploit.replicant
    p = payload.replicant

    # Assign the correct exploit instance to the payload
    p.assoc_exploit = e

    # Generate the encoded version of the supplied payload for the
    # newly copied exploit module instance
    e.generate_payload(p)
    ctx = [ e, p ]

    e.job_id = e.framework.jobs.start_bg_job(
      "Exploit: #{e.refname}",
      ctx,
      Proc.new { |ctx_| job_run_proc(ctx_) },
      Proc.new { |ctx_| job_cleanup_proc(ctx_) }
    )
    self.job_id = e.job_id
  else
    # Generate the encoded version of the supplied payload on the
    # exploit module instance
    exploit.generate_payload(payload)

    # No need to copy since we aren't creating a job.  We wait until
    # they're finished running to do anything else with them, so
    # nothing should be able to modify their datastore or other
    # settings until after they're done.
    ctx = [ exploit, payload ]
    job_run_proc(ctx)
    job_cleanup_proc(ctx)
  end

  return session
end

#target_idxObject

This method returns the currently selected target index.


45
46
47
# File 'lib/msf/core/exploit_driver.rb', line 45

def target_idx
  @target_idx
end

#target_idx=(target_idx) ⇒ Object

Specification of the exploit target index.


30
31
32
33
34
35
36
37
38
39
40
# File 'lib/msf/core/exploit_driver.rb', line 30

def target_idx=(target_idx)
  if (target_idx)
    # Make sure the target index is valid
    if (target_idx >= exploit.targets.length)
      raise Rex::ArgumentError, "Invalid target index.", caller
    end
  end

   # Set the active target
  @target_idx = target_idx
end

#validateObject

Makes sure everything's in tip-top condition prior to launching the exploit. For things that aren't good to go, an exception is thrown.


70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# File 'lib/msf/core/exploit_driver.rb', line 70

def validate
  # First, validate that a target has been selected
  if (target_idx == nil)
    raise MissingTargetError,
      "A payload cannot be selected until a target is specified.",
      caller
  end

  # Next, validate that a payload has been selected
  if (payload == nil)
    raise MissingPayloadError,
      "A payload has not been selected.", caller
  end

  # Make sure the payload is compatible after all
  if (compatible_payload?(payload) == false)
    raise IncompatiblePayloadError.new(payload.refname),
      "Incompatible payload", caller
  end

  # Associate the payload instance with the exploit
  payload.assoc_exploit = exploit

  # Finally, validate options on the exploit module to ensure that things
  # are ready to operate as they should.
  exploit.options.validate(exploit.datastore)

  # Validate the payload's options.  The payload's datastore is
  # most likely shared against the exploit's datastore, but in case it
  # isn't.
  payload.options.validate(payload.datastore)

  return true
end