lib/msf/ui/console/command_dispatcher/exploit.rb

module Msf
module Ui
module Console
module CommandDispatcher

###
#
# Exploit module command dispatcher.
#
###
class Exploit

	include Msf::Ui::Console::ModuleCommandDispatcher

	@@exploit_opts = Rex::Parser::Arguments.new(
		"-e" => [ true,  "The payload encoder to use.  If none is specified, ENCODER is used." ],
		"-h" => [ false, "Help banner."                                                        ],
		"-j" => [ false, "Run in the context of a job."                                        ],
		"-n" => [ true,  "The NOP generator to use.  If none is specified, NOP is used."       ],
		"-o" => [ true,  "A comma separated list of options in VAR=VAL format."                ],
		"-p" => [ true,  "The payload to use.  If none is specified, PAYLOAD is used."         ],
		"-t" => [ true,  "The target index to use.  If none is specified, TARGET is used."     ],
		"-z" => [ false, "Do not interact with the session after successful exploitation."     ])

	#
	# Returns the hash of exploit module specific commands.
	#
	def commands
		{
			"check"    => "Check to see if a target is vulnerable",
			"exploit"  => "Launch an exploit attempt",
			"rcheck"   => "Reloads the module and checks if the target is vulnerable",
			"rexploit" => "Reloads the module and launches an exploit attempt",
		}
	end

	#
	# Returns the name of the command dispatcher.
	#
	def name
		"Exploit"
	end

	#
	# Checks to see if a target is vulnerable.
	#
	def cmd_check(*args)
		defanged?

		begin

			code = mod.check_simple(
				'LocalInput'  => driver.input,
				'LocalOutput' => driver.output)

			if (code)
				stat = '[*]'

				if (code == Msf::Exploit::CheckCode::Vulnerable)
					stat = '[+]'
				end
					
				print_line(stat + ' ' + code[1])
			else
				print_error(
					"Check failed: The state could not be determined.")
			end
		rescue
			log_error("Check failed: #{$!}")
		end
	end

	#
	# Launches an exploitation attempt.
	#
	def cmd_exploit(*args)
		defanged?

		opt_str = nil
		payload = mod.datastore['PAYLOAD']
		encoder = mod.datastore['ENCODER']
		target  = mod.datastore['TARGET']
		nop     = mod.datastore['NOP']
		bg      = false
		jobify  = false

		# Always run passive exploits in the background
		if (mod.passive?)
			jobify = true
		end

		@@exploit_opts.parse(args) { |opt, idx, val|
			case opt
				when '-e'
					encoder = val
				when '-j'
					jobify = true
				when '-n'
					nop = val
				when '-o'
					opt_str = val
				when '-p'
					payload = val
				when '-t'
					target = val.to_i
				when '-z'
					bg = true
				when '-h'
					print(
						"Usage: exploit [options]\n\n" +
						"Launches an exploitation attempt.\n" +
						@@exploit_opts.usage)
					return false
			end
		}

		begin
			session = mod.exploit_simple(
				'Encoder'        => encoder,
				'Payload'        => payload,
				'Target'         => target,
				'Nop'            => nop,
				'OptionStr'      => opt_str,
				'LocalInput'     => driver.input,
				'LocalOutput'    => driver.output,
				'RunAsJob'       => jobify)
		rescue ::Interrupt
			raise $!
		rescue ::Exception => e
			# All exceptions should be handled below this layer
			nil
		end

		# If we were given a session, let's see what we can do with it
		if (session)
		
			# If we aren't told to run in the background and the session can be
			# interacted with, start interacting with it by issuing the session
			# interaction command.
			if (bg == false and session.interactive?)
				print_line

				driver.run_single("sessions -q -i #{session.sid}")
			# Otherwise, log that we created a session
			else
				print_status("Session #{session.sid} created in the background.")
			end
		# If we ran the exploit as a job, indicate such so the user doesn't
		# wonder what's up.
		elsif (jobify)
			print_status("Exploit running as background job.")
		# Worst case, the exploit ran but we got no session, bummer.
		else
			print_status("Exploit completed, but no session was created.")
		end
	end

	#
	# Reloads an exploit module and checks the target to see if it's
	# vulnerable.
	#
	def cmd_rcheck(*args)
		omod = self.mod
		self.mod = framework.modules.reload_module(mod)
		if(not self.mod)
			print_status("Failed to reload module: #{framework.modules.failed[omod.file_path]}")
			self.mod = omod
			return
		end
				
		self.mod.init_ui(driver.input, driver.output)
		cmd_check(*args)
	end

	#
	# Reloads an exploit module and launches an exploit.
	#
	def cmd_rexploit(*args)
		if mod.job_id
			print_status("Stopping existing job...")

			framework.jobs.stop_job(mod.job_id)
			mod.job_id = nil
		end

		omod = self.mod
		self.mod = framework.modules.reload_module(mod)
		
		if(not self.mod)
			print_status("Failed to reload module: #{framework.modules.failed[omod.file_path]}")
			self.mod = omod
			return
		end

		self.mod.init_ui(driver.input, driver.output)

		cmd_exploit(*args)
	end

end

end end end end
how you like me now, gold teef when I smile 2005-07-10 07:15:20 +00:00			`module Msf`
			`module Ui`
			`module Console`
			`module CommandDispatcher`

last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`###`
			`#`
			`# Exploit module command dispatcher.`
			`#`
			`###`
how you like me now, gold teef when I smile 2005-07-10 07:15:20 +00:00			`class Exploit`

added check 2005-07-14 20:36:34 +00:00			`include Msf::Ui::Console::ModuleCommandDispatcher`

lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00			`@@exploit_opts = Rex::Parser::Arguments.new(`
			`"-e" => [ true, "The payload encoder to use. If none is specified, ENCODER is used." ],`
			`"-h" => [ false, "Help banner." ],`
Updates to the web interface 2007-02-10 06:54:03 +00:00			`"-j" => [ false, "Run in the context of a job." ],`
lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00			`"-n" => [ true, "The NOP generator to use. If none is specified, NOP is used." ],`
			`"-o" => [ true, "A comma separated list of options in VAR=VAL format." ],`
			`"-p" => [ true, "The payload to use. If none is specified, PAYLOAD is used." ],`
added check 2005-07-14 20:36:34 +00:00			`"-t" => [ true, "The target index to use. If none is specified, TARGET is used." ],`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`"-z" => [ false, "Do not interact with the session after successful exploitation." ])`
lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
			`# Returns the hash of exploit module specific commands.`
			`#`
lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00			`def commands`
			`{`
support for module reloading 2005-10-10 00:30:14 +00:00			`"check" => "Check to see if a target is vulnerable",`
			`"exploit" => "Launch an exploit attempt",`
			`"rcheck" => "Reloads the module and checks if the target is vulnerable",`
			`"rexploit" => "Reloads the module and launches an exploit attempt",`
lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00			`}`
			`end`

last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
			`# Returns the name of the command dispatcher.`
			`#`
formatting of help 2005-07-14 20:18:36 +00:00			`def name`
			`"Exploit"`
			`end`

added check 2005-07-14 20:36:34 +00:00			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Checks to see if a target is vulnerable.`
added check 2005-07-14 20:36:34 +00:00			`#`
			`def cmd_check(*args)`
defanged mode 2007-01-30 04:48:35 +00:00			`defanged?`

added check 2005-07-14 20:36:34 +00:00			`begin`
defanged mode 2007-01-30 04:48:35 +00:00
added option validation to check path 2007-03-17 19:39:30 +00:00			`code = mod.check_simple(`
			`'LocalInput' => driver.input,`
			`'LocalOutput' => driver.output)`
added check 2005-07-14 20:36:34 +00:00
			`if (code)`
			`stat = '[*]'`

			`if (code == Msf::Exploit::CheckCode::Vulnerable)`
			`stat = '[+]'`
			`end`

			`print_line(stat + ' ' + code[1])`
			`else`
			`print_error(`
			`"Check failed: The state could not be determined.")`
			`end`
			`rescue`
added option validation to check path 2007-03-17 19:39:30 +00:00			`log_error("Check failed: #{$!}")`
added check 2005-07-14 20:36:34 +00:00			`end`
			`end`

lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Launches an exploitation attempt.`
lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00			`#`
			`def cmd_exploit(*args)`
defanged mode 2007-01-30 04:48:35 +00:00			`defanged?`

restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`opt_str = nil`
added check 2005-07-14 20:36:34 +00:00			`payload = mod.datastore['PAYLOAD']`
			`encoder = mod.datastore['ENCODER']`
			`target = mod.datastore['TARGET']`
			`nop = mod.datastore['NOP']`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`bg = false`
moved some stuff around, working on adding the concept of jobs 2005-09-22 04:53:46 +00:00			`jobify = false`

			`# Always run passive exploits in the background`
			`if (mod.passive?)`
			`jobify = true`
			`end`
added check 2005-07-14 20:36:34 +00:00
			`@@exploit_opts.parse(args) { \|opt, idx, val\|`
			`case opt`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`when '-e'`
			`encoder = val`
moved some stuff around, working on adding the concept of jobs 2005-09-22 04:53:46 +00:00			`when '-j'`
			`jobify = true`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`when '-n'`
			`nop = val`
			`when '-o'`
			`opt_str = val`
			`when '-p'`
			`payload = val`
			`when '-t'`
			`target = val.to_i`
			`when '-z'`
			`bg = true`
added check 2005-07-14 20:36:34 +00:00			`when '-h'`
			`print(`
			`"Usage: exploit [options]\n\n" +`
			`"Launches an exploitation attempt.\n" +`
			`@@exploit_opts.usage)`
			`return false`
			`end`
			`}`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00
			`begin`
			`session = mod.exploit_simple(`
moved some stuff around, working on adding the concept of jobs 2005-09-22 04:53:46 +00:00			`'Encoder' => encoder,`
			`'Payload' => payload,`
			`'Target' => target,`
			`'Nop' => nop,`
			`'OptionStr' => opt_str,`
			`'LocalInput' => driver.input,`
			`'LocalOutput' => driver.output,`
			`'RunAsJob' => jobify)`
Merged revisions 5366-5377 via svnmerge from 2008-01-28 03:06:31 +00:00			`rescue ::Interrupt`
			`raise $!`
			`rescue ::Exception => e`
			`# All exceptions should be handled below this layer`
			`nil`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`end`

			`# If we were given a session, let's see what we can do with it`
			`if (session)`
Fix session interaction again 2008-10-10 05:01:49 +00:00
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`# If we aren't told to run in the background and the session can be`
making shit pimp 2005-07-17 02:14:15 +00:00			`# interacted with, start interacting with it by issuing the session`
			`# interaction command.`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`if (bg == false and session.interactive?)`
fixed stager merging, made things a bit more pimply 2005-07-17 06:01:11 +00:00			`print_line`

Readline mode disabledby defualt for interactive sessios 2006-07-29 23:01:38 +00:00			`driver.run_single("sessions -q -i #{session.sid}")`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`# Otherwise, log that we created a session`
			`else`
fixed stager merging, made things a bit more pimply 2005-07-17 06:01:11 +00:00			`print_status("Session #{session.sid} created in the background.")`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`end`
moved some stuff around, working on adding the concept of jobs 2005-09-22 04:53:46 +00:00			`# If we ran the exploit as a job, indicate such so the user doesn't`
			`# wonder what's up.`
			`elsif (jobify)`
			`print_status("Exploit running as background job.")`
			`# Worst case, the exploit ran but we got no session, bummer.`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`else`
cosmetic 2006-03-30 15:06:41 +00:00			`print_status("Exploit completed, but no session was created.")`
restructured things to encourage better code re-use 2005-07-14 22:45:10 +00:00			`end`
lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00			`end`

support for module reloading 2005-10-10 00:30:14 +00:00			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Reloads an exploit module and checks the target to see if it's`
			`# vulnerable.`
support for module reloading 2005-10-10 00:30:14 +00:00			`#`
			`def cmd_rcheck(*args)`
Fixes #278 . Handle cases where a reload fails and indicate why 2009-09-20 20:22:45 +00:00			`omod = self.mod`
Fixes #215 . Reinitialize the input/output after a reload 2008-11-08 17:48:21 +00:00			`self.mod = framework.modules.reload_module(mod)`
Fixes #278 . Handle cases where a reload fails and indicate why 2009-09-20 20:22:45 +00:00			`if(not self.mod)`
			`print_status("Failed to reload module: #{framework.modules.failed[omod.file_path]}")`
			`self.mod = omod`
			`return`
			`end`

Fixes #215 . Reinitialize the input/output after a reload 2008-11-08 17:48:21 +00:00			`self.mod.init_ui(driver.input, driver.output)`
			`cmd_check(*args)`
support for module reloading 2005-10-10 00:30:14 +00:00			`end`

			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Reloads an exploit module and launches an exploit.`
support for module reloading 2005-10-10 00:30:14 +00:00			`#`
			`def cmd_rexploit(*args)`
Fixes #215 . Reinitialize the input/output after a reload 2008-11-08 17:48:21 +00:00			`if mod.job_id`
			`print_status("Stopping existing job...")`
added the ability to track jobs, and made rexploit stop the existing job 2007-04-04 02:49:08 +00:00
Fixes #215 . Reinitialize the input/output after a reload 2008-11-08 17:48:21 +00:00			`framework.jobs.stop_job(mod.job_id)`
			`mod.job_id = nil`
			`end`
added the ability to track jobs, and made rexploit stop the existing job 2007-04-04 02:49:08 +00:00
Fixes #278 . Handle cases where a reload fails and indicate why 2009-09-20 20:22:45 +00:00			`omod = self.mod`
Fixes #215 . Reinitialize the input/output after a reload 2008-11-08 17:48:21 +00:00			`self.mod = framework.modules.reload_module(mod)`
Fixes #278 . Handle cases where a reload fails and indicate why 2009-09-20 20:22:45 +00:00
			`if(not self.mod)`
			`print_status("Failed to reload module: #{framework.modules.failed[omod.file_path]}")`
			`self.mod = omod`
			`return`
			`end`

Fixes #215 . Reinitialize the input/output after a reload 2008-11-08 17:48:21 +00:00			`self.mod.init_ui(driver.input, driver.output)`
support for module reloading 2005-10-10 00:30:14 +00:00
Fixes #215 . Reinitialize the input/output after a reload 2008-11-08 17:48:21 +00:00			`cmd_exploit(*args)`
support for module reloading 2005-10-10 00:30:14 +00:00			`end`

how you like me now, gold teef when I smile 2005-07-10 07:15:20 +00:00			`end`

Fixes #215 . Reinitialize the input/output after a reload 2008-11-08 17:48:21 +00:00			`end end end end`