Module: Msf::Simple::Exploit

Includes:
Module
Defined in:
lib/msf/base/simple/exploit.rb

Overview

A simplified exploit wrapper.


Methods included from Module

#_import_extra_options, #init_simplified, #inspect, #load_config, #save_config

Class Method Details

.check_simple(mod, opts, job_listener: Msf::Simple::NoopJobListener.instance) ⇒ Object

Initiates a check, setting up the exploit to be used. The following options can be specified:

LocalInput

The local input handle that data can be read in from.

LocalOutput

The local output through which data can be displayed.


# File 'lib/msf/base/simple/exploit.rb', line 179

# Runs a module's check routine, either inline or as a background job.
#
# Unlike exploit_simple, no replicant is taken here: +mod+ itself is
# simplified, has the options imported and is validated in place.
#
# @param mod [Object] module instance whose check should run.
# @param opts [Hash] string-keyed options. 'LocalInput' / 'LocalOutput' attach
#   UI handles, 'RunAsJob' moves the check into a background job, and the whole
#   hash is also handed to mod._import_extra_options.
# @param job_listener [Object] notified through #waiting with the generated run
#   id; it is then passed on to job_check_proc inside the context array.
# @return [Array, Object] [run_uuid, job_id] when 'RunAsJob' is set, otherwise
#   whatever job_check_proc returns. Callers have to handle both shapes.
# @raise [NoMethodError] when mod.has_check? is false.
def self.check_simple(mod, opts, job_listener: Msf::Simple::NoopJobListener.instance)
  Msf::Simple::Framework.simplify_module(mod, false)
  mod._import_extra_options(opts)

  # UI handles are only attached when an input handle was supplied.
  mod.init_ui(opts['LocalInput'], opts['LocalOutput']) if opts['LocalInput']

  # Stop before validation when the module offers no check at all.
  raise ::NoMethodError.new(Msf::Exploit::CheckCode::Unsupported.message, 'check') unless mod.has_check?

  # Validating the option container also normalizes the option values.
  mod.validate

  # The run id only correlates listener callbacks for this run.
  # NOTE(review): the randomness source behind rand_text_alphanumeric is not
  # shown here, so do not rely on this id being unguessable.
  run_uuid = Rex::Text.rand_text_alphanumeric(24)
  job_listener.waiting(run_uuid)
  ctx = [mod, run_uuid, job_listener]

  return self.job_check_proc(ctx) unless opts['RunAsJob']

  # Background run: the second proc is the job's cleanup hook and does nothing.
  run_proc = proc { |job_ctx| self.job_check_proc(job_ctx) }
  cleanup_proc = proc { |_job_ctx| nil }
  mod.job_id = mod.framework.jobs.start_bg_job(
    "Exploit: #{mod.refname} check",
    ctx,
    run_proc,
    cleanup_proc
  )
  [run_uuid, mod.job_id]
end

.exploit_simple(oexploit, opts, &block) ⇒ Object

Wraps the exploitation process in a simple single method. The options hash can have the following values passed in it:

Encoder

The encoder module that should be used.

Payload

The payload module name that should be used.

Target

The selected target index.

Nop

The NOP generator that should be used in preference.

OptionStr

A string of comma-separated option values that should be imported into the datastore.

Options

A hash of values to be imported directly into the datastore.

LocalInput

The local input handle that data can be read in from.

LocalOutput

The local output through which data can be displayed.

RunAsJob

Whether or not the exploit should be run in the context of a background job.


# File 'lib/msf/base/simple/exploit.rb', line 58

# Runs an exploit from a single call: replicates +oexploit+, imports the
# options, creates the payload, resolves the target and hands everything to an
# ExploitDriver.
#
# Option keys read directly in this method (all string keys): 'Payload'
# (required), 'Encoder', 'Nop', 'Target', 'LocalInput', 'LocalOutput',
# 'Quiet', 'RunAsJob', 'ForceBlocking' and 'multi'. The whole hash is also
# passed to _import_extra_options.
#
# Error handling: Interrupt is recorded and re-raised. Every other exception,
# including non-StandardError ones matched by `rescue ::Exception`, is recorded
# on the replicant, printed and logged, and is NOT re-raised. A missing payload
# or target therefore does not reach the caller as an exception.
# NOTE(review): the error is stored on the replicant, not on +oexploit+;
# confirm how callers are expected to detect a failed run.
#
# @param oexploit [Object] exploit instance; the only direct write back to it
#   in this method is job_id.
# @param opts [Hash] string-keyed options as listed above.
# @yield [exploit] the replicant, after simplification and before the options
#   are imported.
# @return [Object, nil] driver.session when a driver was created, else nil.
# @raise [Interrupt] re-raised after being stored on the replicant.
def self.exploit_simple(oexploit, opts, &block)
  # Work on a replicant rather than on the caller's instance.
  replica = oexploit.replicant

  # Errors are trapped and printed here so that handling is UI-independent.
  begin
    Msf::Simple::Framework.simplify_module(replica, false)
    yield(replica) if block_given?

    # Pull in values from OptionStr or the Options hash.
    replica._import_extra_options(opts)

    # A payload name is mandatory.
    raise MissingPayloadError, 'A payload has not been selected.', caller if opts['Payload'].nil?

    # Check the exploit's own options before building anything.
    replica.options.validate(replica.datastore)

    driver = ExploitDriver.new(replica.framework)

    # Keep the driver's handler running when the exploit has multiple targets.
    driver.keep_handler = true if opts['multi']

    driver.exploit = replica
    driver.payload = replica.framework.payloads.create(opts['Payload'])

    # Only a literal true forces blocking until a session arrives; this lets
    # passive exploits be waited on from things like the cli.
    driver.force_wait_for_session = true if opts['ForceBlocking'] == true

    # The payload name did not resolve to a payload instance.
    if driver.payload.nil?
      raise MissingPayloadError, "You specified an invalid payload: #{opts['Payload']}", caller
    end

    # Encoder and NOP generator are written to the datastore only when the
    # caller supplied them; otherwise the datastore entries are left untouched.
    replica.datastore['ENCODER'] = opts['Encoder'] if opts['Encoder']
    replica.datastore['NOP'] = opts['Nop'] if opts['Nop']

    # The payload shares the exploit's datastore, then its options are checked.
    driver.payload.share_datastore(driver.exploit.datastore)
    driver.payload.options.validate(driver.payload.datastore)

    # Apply the requested target, then let the module derive the index.
    replica.datastore['TARGET'] = opts['Target'] if opts['Target']
    chosen_idx = replica.target_index
    raise MissingTargetError, "You must select a target.", caller if chosen_idx.nil? || chosen_idx < 0

    driver.target_idx = chosen_idx

    # Attach UI handles to exploit and payload, or detach them when quiet.
    if opts['Quiet']
      driver.exploit.init_ui(nil, nil)
      driver.payload.init_ui(nil, nil)
    else
      driver.exploit.init_ui(
        opts['LocalInput'] || replica.user_input,
        opts['LocalOutput'] || replica.user_output
      )
      driver.payload.init_ui(
        opts['LocalInput'] || replica.user_input,
        opts['LocalOutput'] || replica.user_output
      )
    end

    driver.use_job = true if opts['RunAsJob']

    driver.run

    # Record the job id on the replicant, then hand it back to the caller's
    # instance for console management.
    replica.job_id = driver.job_id
    oexploit.job_id = replica.job_id
  rescue ::Interrupt => interrupt
    replica.error = interrupt
    raise
  rescue ::Exception => err
    # Deliberately broad: the failure is reported here and not propagated.
    replica.error = err
    replica.print_error("Exploit failed: #{err}")
    elog("Exploit failed (#{replica.refname})", error: err)
  end

  # driver stays nil when the failure happened before it was created.
  driver ? driver.session : nil
end

.job_check_proc(ctx) ⇒ Object (protected)


# File 'lib/msf/base/simple/exploit.rb', line 222

# Runs one check and reports its progress to the job listener.
#
# @param ctx [Array] [module, run id, job listener], read by index.
# @return [Object, nil] the value returned by mod.check, or nil when the
#   failure happened before mod.check returned. An exception raised after that
#   point (for example by the listener's #completed) still yields the check
#   result. StandardError is reported to the listener and to
#   mod.handle_exception and is not re-raised here.
def self.job_check_proc(ctx)
  mod, run_uuid, job_listener = ctx[0], ctx[1], ctx[2]
  result = nil

  begin
    job_listener.start(run_uuid)
    mod.setup
    result = mod.check
    job_listener.completed(run_uuid, result, mod)
  rescue => err
    # Listener first, then the module's own exception handling.
    job_listener.failed(run_uuid, err, mod)
    mod.handle_exception(err)
  end

  result
end

Instance Method Details

#check_simple(opts) ⇒ Object

Calls the class method.


# File 'lib/msf/base/simple/exploit.rb', line 216

# Instance-level shortcut for Msf::Simple::Exploit.check_simple, passing this
# object as the module to check.
#
# No job_listener is forwarded, so the class method's default listener is used.
#
# @param opts [Hash] options handed through unchanged.
# @return [Object] whatever the class method returns.
def check_simple(opts)
  simple_api = Msf::Simple::Exploit
  simple_api.check_simple(self, opts)
end

#exploit_simple(opts, &block) ⇒ Object

Calls the class method.


# File 'lib/msf/base/simple/exploit.rb', line 163

# Instance-level shortcut for Msf::Simple::Exploit.exploit_simple, passing this
# object as the exploit to run.
#
# @param opts [Hash] options handed through unchanged.
# @param block [Proc] optional block, forwarded as-is to the class method.
# @return [Object] whatever the class method returns.
def exploit_simple(opts, &block)
  simple_api = Msf::Simple::Exploit
  simple_api.exploit_simple(self, opts, &block)
end