Class: Msf::Ui::Console::CommandDispatcher::Exploit

Inherits:
Object
  • Object
Includes:
ModuleCommandDispatcher
Defined in:
lib/msf/ui/console/command_dispatcher/exploit.rb

Overview

Exploit module command dispatcher.

Constant Summary collapse

# Option table shared by the exploit/run and rexploit/rerun commands; both help
# methods print its usage text and cmd_exploit parses arguments against it.
# Each flag maps to a two-element array: a boolean followed by the help text.
# The flags marked true (-e, -n, -o, -p, -t) are the ones whose value
# cmd_exploit consumes, so the boolean presumably means "takes an argument".
# -f is the only flag that relaxes a safety gate: it lets a module run below
# the configured MinimumRank (cmd_exploit logs that override).
# Being a class variable (@@), this object is shared with any subclass.
@@exploit_opts =
Rex::Parser::Arguments.new(
"-e" => [ true,  "The payload encoder to use.  If none is specified, ENCODER is used." ],
"-f" => [ false, "Force the exploit to run regardless of the value of MinimumRank."    ],
"-h" => [ false, "Help banner."                                                        ],
"-j" => [ false, "Run in the context of a job."                                        ],
"-n" => [ true,  "The NOP generator to use.  If none is specified, NOP is used."       ],
"-o" => [ true,  "A comma separated list of options in VAR=VAL format."                ],
"-p" => [ true,  "The payload to use.  If none is specified, PAYLOAD is used."         ],
"-t" => [ true,  "The target index to use.  If none is specified, TARGET is used."     ],
"-z" => [ false, "Do not interact with the session after successful exploitation."     ])

Instance Attribute Summary

Attributes included from Msf::Ui::Console::CommandDispatcher

#driver

Attributes included from Rex::Ui::Text::DispatcherShell::CommandDispatcher

#shell, #tab_complete_items

Class Method Summary collapse

Instance Method Summary collapse

Methods included from ModuleCommandDispatcher

#check_multiple, #check_progress, #check_show_progress, #check_simple, #cmd_check, #cmd_pry, #cmd_pry_help, #cmd_reload, #cmd_reload_help, #mod, #mod=, #reload

Methods included from Msf::Ui::Console::CommandDispatcher

#active_module, #active_module=, #active_session, #active_session=, #defanged?, #framework, #initialize, #log_error

Methods included from Rex::Ui::Text::DispatcherShell::CommandDispatcher

#cmd_help, #cmd_help_help, #cmd_help_tabs, #deprecated_cmd, #deprecated_commands, #deprecated_help, #help_to_s, #initialize, #print, #print_error, #print_good, #print_line, #print_status, #print_warning, #tab_complete_filenames, #update_prompt

Class Method Details

.choose_payload(mod, target) ⇒ Object

Picks a reasonable payload and minimally configures it


# File 'lib/msf/ui/console/command_dispatcher/exploit.rb', line 211

# Selects the first entry of a fixed preference list that the module reports
# as compatible, stores it in the module datastore and returns its name.
#
# Side effects on a match: mod.datastore['PAYLOAD'] is set to the chosen name
# and mod.datastore['LHOST'] is overwritten unconditionally, whichever payload
# was chosen and whatever LHOST held before.
#
# @param mod [Object] module exposing #datastore and #compatible_payloads
# @param target [Object] accepted for interface compatibility; not read here
# @return [String, nil] the chosen payload name, or nil when nothing in the
#   preference list is compatible (the datastore is then left untouched)
def self.choose_payload(mod, target)
  # Address handed to Rex::Socket.source_address to work out LHOST. Without an
  # RHOST the fallback is 50.50.50.50, which is an ordinary routable IPv4
  # address rather than an invalid one.
  # NOTE(review): presumably source_address only performs a local route
  # lookup towards this address -- confirm that it sends no traffic.
  probe_host = mod.datastore['RHOST'] || '50.50.50.50'

  # Preference order, best first.
  ranked = %w[
    windows/meterpreter/reverse_tcp
    java/meterpreter/reverse_tcp
    php/meterpreter/reverse_tcp
    php/meterpreter_reverse_tcp
    ruby/shell_reverse_tcp
    cmd/unix/interact
    cmd/unix/reverse
    cmd/unix/reverse_perl
    cmd/unix/reverse_netcat_gaping
    windows/meterpreter/reverse_nonx_tcp
    windows/meterpreter/reverse_ord_tcp
    windows/shell/reverse_tcp
    generic/shell_reverse_tcp
  ]

  # compatible_payloads yields entries whose first element is the name.
  available = mod.compatible_payloads.map { |entry| entry[0] }
  chosen = ranked.find { |candidate| available.include?(candidate) }
  return unless chosen

  mod.datastore['PAYLOAD'] = chosen
  mod.datastore['LHOST']   = Rex::Socket.source_address(probe_host)
  chosen
end

Instance Method Details

#cmd_exploit(*args) ⇒ Object Also known as: cmd_run

Launches an exploitation attempt.


# File 'lib/msf/ui/console/command_dispatcher/exploit.rb', line 51

# Launches an exploitation attempt with the active module (also reachable as
# cmd_run).
#
# PAYLOAD, ENCODER, TARGET and NOP are read from the module datastore as
# defaults; the -p/-e/-t/-n flags replace them in local variables only.
# A module ranked below the framework-wide MinimumRank is refused unless -f
# is given, and a forced run is recorded through ilog.
#
# @param args [Array<String>] command-line arguments, parsed with @@exploit_opts
# @return [false, nil, Object] false after -h, nil when refused by the
#   MinimumRank gate; otherwise the value of the final reporting branch
def cmd_exploit(*args)
  # The return value is discarded.
  # NOTE(review): presumably defanged? raises when the console is in defanged
  # mode, which would stop the command here -- confirm in
  # Msf::Ui::Console::CommandDispatcher.
  defanged?

  opt_str = nil
  payload = mod.datastore['PAYLOAD']
  encoder = mod.datastore['ENCODER']
  target  = mod.datastore['TARGET']
  nop     = mod.datastore['NOP']
  bg      = false
  jobify  = false
  force   = false

  # Always run passive exploits in the background
  if (mod.passive?)
    jobify = true
  end

  @@exploit_opts.parse(args) { |opt, idx, val|
    case opt
      when '-e'
        encoder = val
      when '-f'
        force = true
      when '-j'
        jobify = true
      when '-n'
        nop = val
      when '-o'
        opt_str = val
      when '-p'
        payload = val
      when '-t'
        # to_i does not validate its input.
        # NOTE(review): assuming val is a String, non-numeric text becomes 0,
        # so a mistyped -t would select target index 0 instead of failing.
        target = val.to_i
      when '-z'
        bg = true
      when '-h'
        cmd_exploit_help
        # This return leaves cmd_exploit itself, not just the block.
        return false
    end
  }

  # Translate the configured rank name to its numeric value; an unset or
  # unknown MinimumRank falls back to 0.
  minrank = RankingName.invert[framework.datastore['MinimumRank']] || 0
  if minrank > mod.rank
    if force
      # The override is shown to the operator and also written to the log
      # under the 'core' source, so forced runs leave a record.
      print_status("Forcing #{mod.refname} to run despite MinimumRank '#{framework.datastore['MinimumRank']}'")
      ilog("Forcing #{mod.refname} to run despite MinimumRank '#{framework.datastore['MinimumRank']}'", 'core')
    else
      print_error("This exploit is below the minimum rank, '#{framework.datastore['MinimumRank']}'.")
      print_error("If you really want to run it, do 'exploit -f' or")
      print_error("setg MinimumRank to something lower ('manual' is")
      print_error("the lowest and would allow running all exploits).")
      return
    end
  end

  # No payload from the datastore or -p: fall back to automatic selection,
  # which also writes PAYLOAD and LHOST into the module datastore.
  if not payload
    payload = Exploit.choose_payload(mod, target)
  end

  begin
    session = mod.exploit_simple(
      'Encoder'        => encoder,
      'Payload'        => payload,
      'Target'         => target,
      'Nop'            => nop,
      'OptionStr'      => opt_str,
      'LocalInput'     => driver.input,
      'LocalOutput'    => driver.output,
      'RunAsJob'       => jobify)
  rescue ::Interrupt
    # Re-raise the interrupt so it is not swallowed by the handler below.
    raise $!
  rescue ::Exception => e
    # Catches every other exception class, not only StandardError. The error
    # is printed and execution continues with session left as nil, so the
    # reporting code below still runs.
    print_error("Exploit exception (#{mod.refname}): #{e.class} #{e}")
    # Option validation failures are reported without a call stack; the class
    # is compared by name rather than by constant.
    if(e.class.to_s != 'Msf::OptionValidateError')
      print_error("Call stack:")
      e.backtrace.each do |line|
        # Stop at the first frame from lib/msf/base/simple; the dots in the
        # pattern match any path separator.
        break if line =~ /lib.msf.base.simple/
        print_error("  #{line}")
      end
    end
  end

  # If we were given a session, let's see what we can do with it
  if (session)

    # If we aren't told to run in the background and the session can be
    # interacted with, start interacting with it by issuing the session
    # interaction command.
    if (bg == false and session.interactive?)
      print_line

      driver.run_single("sessions -q -i #{session.sid}")
    # Otherwise, log that we created a session
    else
      print_status("Session #{session.sid} created in the background.")
    end
  # If we ran the exploit as a job, indicate such so the user doesn't
  # wonder what's up.
  elsif (jobify)
    if mod.job_id
      print_status("Exploit running as background job.")
    end
  # Worst case, the exploit ran but we got no session, bummer.
  else
    # If we didn't run a payload handler for this exploit it doesn't
    # make sense to complain to the user that we didn't get a session
    unless (mod.datastore["DisablePayloadHandler"])
      print_status("Exploit completed, but no session was created.")
    end
  end
end

#cmd_exploit_help ⇒ Object Also known as: cmd_run_help


# File 'lib/msf/ui/console/command_dispatcher/exploit.rb', line 165

# Prints the help banner for the exploit command (also reachable as
# cmd_run_help): a usage line, a blank line, a one-line summary, then the
# option listing generated from @@exploit_opts.
def cmd_exploit_help
  print_line("Usage: exploit [options]")
  print_line
  print_line("Launches an exploitation attempt.")
  # The flag descriptions come from the shared option table, so help and
  # parsing stay in step.
  print(@@exploit_opts.usage)
end

#cmd_rcheck(*args) ⇒ Object

Reloads an exploit module and checks the target to see if it's vulnerable.


# File 'lib/msf/ui/console/command_dispatcher/exploit.rb', line 178

# Reloads the active module, then runs the check command with the same
# arguments.
#
# The result of reload is not inspected, so cmd_check runs whether or not the
# reload succeeded.
# NOTE(review): cmd_rexploit only proceeds when reload(true) is truthy;
# confirm that checking with whatever module is active after a failed reload
# is intended here.
#
# @param args [Array] arguments forwarded unchanged to cmd_check
# @return [Object] whatever cmd_check returns
def cmd_rcheck(*args)
  reload
  cmd_check(*args)
end

#cmd_rexploit(*args) ⇒ Object Also known as: cmd_rerun

Reloads an exploit module and launches an exploit.


# File 'lib/msf/ui/console/command_dispatcher/exploit.rb', line 187

# Reloads the active module and, if that worked, launches it through
# cmd_exploit (also reachable as cmd_rerun).
#
# "-h" anywhere in the arguments short-circuits to the help banner before any
# reload happens.
#
# @param args [Array<String>] arguments forwarded unchanged to cmd_exploit
# @return [Object, nil] the help or cmd_exploit result; nil when the reload
#   reported failure
def cmd_rexploit(*args)
  if args.include?("-h")
    return cmd_rexploit_help
  end

  # reload(true) stops the existing job and reloads the module (per the
  # original comment); a falsy result means nothing is launched.
  return unless reload(true)

  cmd_exploit(*args)
end

#cmd_rexploit_help ⇒ Object Also known as: cmd_rerun_help


# File 'lib/msf/ui/console/command_dispatcher/exploit.rb', line 199

# Prints the help banner for the rexploit command (also reachable as
# cmd_rerun_help). The option listing is the same one used by the exploit
# command, since both read @@exploit_opts.
def cmd_rexploit_help
  print_line("Usage: rexploit [options]")
  print_line
  print_line("Reloads a module, stopping any associated job, and launches an exploitation attempt.")
  print(@@exploit_opts.usage)
end

#commands ⇒ Object

Returns the hash of exploit module specific commands.


# File 'lib/msf/ui/console/command_dispatcher/exploit.rb', line 30

# Returns the command table for exploit modules: the entries inherited via
# super with the exploit-specific commands added.
#
# update modifies the object returned by super in place and returns it.
# NOTE(review): assumes super returns a Hash that is safe to mutate -- confirm
# in ModuleCommandDispatcher.
#
# @return [Hash{String => String}] command name => one-line description
def commands
  exploit_commands = {
    "exploit"  => "Launch an exploit attempt",
    "rcheck"   => "Reloads the module and checks if the target is vulnerable",
    "rexploit" => "Reloads the module and launches an exploit attempt",
    "reload"   => "Just reloads the module",
    "run"      => "Alias for exploit",
    "rerun"    => "Alias for rexploit",
  }
  super.update(exploit_commands)
end

#name ⇒ Object

Returns the name of the command dispatcher.


# File 'lib/msf/ui/console/command_dispatcher/exploit.rb', line 44

# Name of this command dispatcher.
#
# @return [String] always "Exploit"
def name
  'Exploit'
end