lib/msf/base/sessions/scriptable.rb

# -*- coding: binary -*-

module Msf::Session

module Scriptable

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    #
    # If the +script+ exists, return its path. Otherwise return nil
    #
    def find_script_path(script)
      # Find the full file path of the specified argument
      check_paths =
        [
          script,
          ::File.join(script_base, "#{script}"),
          ::File.join(script_base, "#{script}.rb"),
          ::File.join(user_script_base, "#{script}"),
          ::File.join(user_script_base, "#{script}.rb")
        ]

      full_path = nil

      # Scan all of the path combinations
      check_paths.each { |path|
        if ::File.exist?(path)
          full_path = path
          break
        end
      }

      full_path
    end
    def script_base
      ::File.join(Msf::Config.script_directory, self.type)
    end
    def user_script_base
      ::File.join(Msf::Config.user_script_directory, self.type)
    end

  end

  #
  # Override
  #
  def execute_file
    raise NotImplementedError
  end

  #
  # Maps legacy Meterpreter script names to replacement post modules
  #
  def legacy_script_to_post_module(script_name)
    {
      'autoroute' => 'post/windows/manage/autoroute',
      'checkvm' => 'post/windows/gather/checkvm',
      'duplicate' => 'post/windows/manage/multi_meterpreter_inject',
      'enum_chrome' => 'post/windows/gather/enum_chrome',
      'enum_firefox' => 'post/windows/gather/enum_firefox',
      'enum_logged_on_users' => 'post/windows/gather/enum_logged_on_users',
      'enum_powershell_env' => 'post/windows/gather/enum_powershell_env',
      'enum_putty' => 'post/windows/gather/enum_putty_saved_sessions',
      'enum_shares' => 'post/windows/gather/enum_shares',
      'file_collector' => 'post/windows/gather/enum_files',
      'get_application_list' => 'post/windows/gather/enum_applications',
      'get_filezilla_creds' => 'post/windows/gather/credentials/filezilla_server',
      'get_local_subnets' => 'post/windows/manage/autoroute',
      'get_valid_community' => 'post/windows/gather/enum_snmp',
      'getcountermeasure' => 'post/windows/manage/killav',
      'getgui' => 'post/windows/manage/enable_rdp',
      'getvncpw' => 'post/windows/gather/credentials/vnc',
      'hashdump' => 'post/windows/gather/smart_hashdump',
      'hostsedit' => 'post/windows/manage/inject_host',
      'keylogrecorder' => 'post/windows/capture/keylog_recorder',
      'killav' => 'post/windows/manage/killav',
      'metsvc' => 'post/windows/manage/persistence_exe',
      'migrate' => 'post/windows/manage/migrate',
      'packetrecorder' => 'post/windows/manage/rpcapd_start',
      'persistence' => 'post/windows/manage/persistence_exe',
      'prefetchtool' => 'post/windows/gather/enum_prefetch',
      'remotewinenum' => 'post/windows/gather/wmic_command',
      'schelevator' => 'exploit/windows/local/ms10_092_schelevator',
      'screen_unlock' => 'post/windows/escalate/screen_unlock',
      'screenspy' => 'post/windows/gather/screen_spy',
      'search_dwld' => 'post/windows/gather/enum_files',
      'service_permissions_escalate' => 'exploits/windows/local/service_permissions',
      'uploadexec' => 'post/windows/manage/download_exec',
      'webcam' => 'post/windows/manage/webcam',
      'wmic' => 'post/windows/gather/wmic_command',
    }[script_name]
  end

  #
  # Executes the supplied script, Post module, or local Exploit module with
  #   arguments +args+
  #
  # Will search the script path.
  #
  def execute_script(script_name, *args)
    post_module = legacy_script_to_post_module(script_name)

    if post_module
      print_warning("Meterpreter scripts are deprecated. Try #{post_module}.")
      print_warning("Example: run #{post_module} OPTION=value [...]")
    end

    mod = framework.modules.create(script_name)
    if mod
      # Don't report module run events here as it will be taken care of
      # in +Post.run_simple+
      opts = { 'SESSION' => self.sid }
      args.each do |arg|
        k,v = arg.split("=", 2)
        # case doesn't matter in datastore, but it does in hashes, let's normalize
        opts[k.downcase] = v
      end
      if mod.type == "post"
        mod.run_simple(
          # Run with whatever the default stance is for now.  At some
          # point in the future, we'll probably want a way to force a
          # module to run in the background
          #'RunAsJob' => true,
          'LocalInput'  => self.user_input,
          'LocalOutput' => self.user_output,
          'Options'     => opts
        )
      elsif mod.type == "exploit"
        # well it must be a local, we're not currently supporting anything else
        if mod.exploit_type == "local"
          # get a copy of the session exploit's datastore if we can
          original_exploit_datastore = self.exploit.datastore || {}
          copy_of_orig_exploit_datastore = original_exploit_datastore.clone
          # convert datastore opts to a hash to normalize casing issues
          local_exploit_opts = {}
          copy_of_orig_exploit_datastore.each do |k,v|
            local_exploit_opts[k.downcase] = v
          end
          # we don't want to inherit a couple things, like AutoRunScript's
          to_neuter = %w{AutoRunScript InitialAutoRunScript LPORT TARGET}
          to_neuter.each do |setting|
            local_exploit_opts.delete(setting.downcase)
          end

          # merge in any opts that were passed in, defaulting all other settings
          # to the values from the datastore (of the exploit) that spawned the
          # session
          local_exploit_opts = local_exploit_opts.merge(opts)

          new_session = mod.exploit_simple(
            'Payload'       => local_exploit_opts.delete('payload'),
            'Target'        => local_exploit_opts.delete('target'),
            'LocalInput'    => self.user_input,
            'LocalOutput'   => self.user_output,
            'Options'       => local_exploit_opts
            )

        end # end if local
      end # end if exploit

    else
      full_path = self.class.find_script_path(script_name)

      # No path found?  Weak.
      if full_path.nil?
        print_error("The specified script could not be found: #{script_name}")
        return true
      end
      framework.events.on_session_script_run(self, full_path)
      execute_file(full_path, args)
    end
  end

end

end
Mark all libraries as defaulting to 8-bit strings 2012-06-29 00:18:28 -05:00			`# -- coding: binary --`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
			`module Msf::Session`

			`module Scriptable`

Retab lib 2013-08-30 16:28:33 -05:00			`def self.included(base)`
			`base.extend(ClassMethods)`
			`end`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
Retab lib 2013-08-30 16:28:33 -05:00			`module ClassMethods`
			`#`
			`# If the +script+ exists, return its path. Otherwise return nil`
			`#`
			`def find_script_path(script)`
			`# Find the full file path of the specified argument`
			`check_paths =`
			`[`
			`script,`
			`::File.join(script_base, "#{script}"),`
			`::File.join(script_base, "#{script}.rb"),`
			`::File.join(user_script_base, "#{script}"),`
			`::File.join(user_script_base, "#{script}.rb")`
			`]`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
Retab lib 2013-08-30 16:28:33 -05:00			`full_path = nil`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
Retab lib 2013-08-30 16:28:33 -05:00			`# Scan all of the path combinations`
			`check_paths.each { \|path\|`
File.exists? must die 2016-04-20 08:11:34 -04:00			`if ::File.exist?(path)`
Retab lib 2013-08-30 16:28:33 -05:00			`full_path = path`
			`break`
			`end`
			`}`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
Retab lib 2013-08-30 16:28:33 -05:00			`full_path`
			`end`
			`def script_base`
			`::File.join(Msf::Config.script_directory, self.type)`
			`end`
			`def user_script_base`
			`::File.join(Msf::Config.user_script_directory, self.type)`
			`end`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
Retab lib 2013-08-30 16:28:33 -05:00			`end`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
Retab lib 2013-08-30 16:28:33 -05:00			`#`
			`# Override`
			`#`
			`def execute_file`
			`raise NotImplementedError`
			`end`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
intercept legacy meterpreter script runs and substitute post modules 2017-01-12 14:08:43 -06:00			`#`
			`# Maps legacy Meterpreter script names to replacement post modules`
Fix argument passing for deprecated scripts 2017-01-29 14:10:34 -06:00			`#`
intercept legacy meterpreter script runs and substitute post modules 2017-01-12 14:08:43 -06:00			`def legacy_script_to_post_module(script_name)`
			`{`
			`'autoroute' => 'post/windows/manage/autoroute',`
			`'checkvm' => 'post/windows/gather/checkvm',`
			`'duplicate' => 'post/windows/manage/multi_meterpreter_inject',`
			`'enum_chrome' => 'post/windows/gather/enum_chrome',`
			`'enum_firefox' => 'post/windows/gather/enum_firefox',`
			`'enum_logged_on_users' => 'post/windows/gather/enum_logged_on_users',`
			`'enum_powershell_env' => 'post/windows/gather/enum_powershell_env',`
			`'enum_putty' => 'post/windows/gather/enum_putty_saved_sessions',`
			`'enum_shares' => 'post/windows/gather/enum_shares',`
			`'file_collector' => 'post/windows/gather/enum_files',`
			`'get_application_list' => 'post/windows/gather/enum_applications',`
			`'get_filezilla_creds' => 'post/windows/gather/credentials/filezilla_server',`
			`'get_local_subnets' => 'post/windows/manage/autoroute',`
			`'get_valid_community' => 'post/windows/gather/enum_snmp',`
Fix argument passing for deprecated scripts 2017-01-29 14:10:34 -06:00			`'getcountermeasure' => 'post/windows/manage/killav',`
			`'getgui' => 'post/windows/manage/enable_rdp',`
intercept legacy meterpreter script runs and substitute post modules 2017-01-12 14:08:43 -06:00			`'getvncpw' => 'post/windows/gather/credentials/vnc',`
			`'hashdump' => 'post/windows/gather/smart_hashdump',`
			`'hostsedit' => 'post/windows/manage/inject_host',`
			`'keylogrecorder' => 'post/windows/capture/keylog_recorder',`
			`'killav' => 'post/windows/manage/killav',`
			`'metsvc' => 'post/windows/manage/persistence_exe',`
			`'migrate' => 'post/windows/manage/migrate',`
			`'packetrecorder' => 'post/windows/manage/rpcapd_start',`
Fix #7823 , legacy_script_to_post_module fixes 2017-01-26 16:26:00 -06:00			`'persistence' => 'post/windows/manage/persistence_exe',`
intercept legacy meterpreter script runs and substitute post modules 2017-01-12 14:08:43 -06:00			`'prefetchtool' => 'post/windows/gather/enum_prefetch',`
			`'remotewinenum' => 'post/windows/gather/wmic_command',`
Fix #7823 , legacy_script_to_post_module fixes 2017-01-26 16:26:00 -06:00			`'schelevator' => 'exploit/windows/local/ms10_092_schelevator',`
intercept legacy meterpreter script runs and substitute post modules 2017-01-12 14:08:43 -06:00			`'screen_unlock' => 'post/windows/escalate/screen_unlock',`
Fix argument passing for deprecated scripts 2017-01-29 14:10:34 -06:00			`'screenspy' => 'post/windows/gather/screen_spy',`
intercept legacy meterpreter script runs and substitute post modules 2017-01-12 14:08:43 -06:00			`'search_dwld' => 'post/windows/gather/enum_files',`
			`'service_permissions_escalate' => 'exploits/windows/local/service_permissions',`
			`'uploadexec' => 'post/windows/manage/download_exec',`
			`'webcam' => 'post/windows/manage/webcam',`
			`'wmic' => 'post/windows/gather/wmic_command',`
			`}[script_name]`
			`end`

Retab lib 2013-08-30 16:28:33 -05:00			`#`
cleans up comments, line lengths, dup/clone 2014-05-08 16:04:18 -05:00			`# Executes the supplied script, Post module, or local Exploit module with`
			`# arguments +args+`
Retab lib 2013-08-30 16:28:33 -05:00			`#`
			`# Will search the script path.`
			`#`
			`def execute_script(script_name, *args)`
intercept legacy meterpreter script runs and substitute post modules 2017-01-12 14:08:43 -06:00			`post_module = legacy_script_to_post_module(script_name)`
Fix argument passing for deprecated scripts 2017-01-29 14:10:34 -06:00
			`if post_module`
			`print_warning("Meterpreter scripts are deprecated. Try #{post_module}.")`
			`print_warning("Example: run #{post_module} OPTION=value [...]")`
			`end`

Retab lib 2013-08-30 16:28:33 -05:00			`mod = framework.modules.create(script_name)`
first shot at letting scriptable.rb handle local exploits 2014-05-06 01:21:11 -05:00			`if mod`
Retab lib 2013-08-30 16:28:33 -05:00			`# Don't report module run events here as it will be taken care of`
			`# in +Post.run_simple+`
			`opts = { 'SESSION' => self.sid }`
			`args.each do \|arg\|`
			`k,v = arg.split("=", 2)`
adds some additional protection against capilization issues 2014-06-17 17:40:50 -05:00			`# case doesn't matter in datastore, but it does in hashes, let's normalize`
			`opts[k.downcase] = v`
Retab lib 2013-08-30 16:28:33 -05:00			`end`
New updates to scriptable.rb for payload/target 2014-05-06 15:33:51 -05:00			`if mod.type == "post"`
first shot at letting scriptable.rb handle local exploits 2014-05-06 01:21:11 -05:00			`mod.run_simple(`
			`# Run with whatever the default stance is for now. At some`
			`# point in the future, we'll probably want a way to force a`
			`# module to run in the background`
			`#'RunAsJob' => true,`
			`'LocalInput' => self.user_input,`
			`'LocalOutput' => self.user_output,`
			`'Options' => opts`
			`)`
New updates to scriptable.rb for payload/target 2014-05-06 15:33:51 -05:00			`elsif mod.type == "exploit"`
first shot at letting scriptable.rb handle local exploits 2014-05-06 01:21:11 -05:00			`# well it must be a local, we're not currently supporting anything else`
uses exploit_type vs category, thx egypt 2014-05-07 11:29:36 -05:00			`if mod.exploit_type == "local"`
first shot at letting scriptable.rb handle local exploits 2014-05-06 01:21:11 -05:00			`# get a copy of the session exploit's datastore if we can`
			`original_exploit_datastore = self.exploit.datastore \|\| {}`
cleans up comments, line lengths, dup/clone 2014-05-08 16:04:18 -05:00			`copy_of_orig_exploit_datastore = original_exploit_datastore.clone`
adds some additional protection against capilization issues 2014-06-17 17:40:50 -05:00			`# convert datastore opts to a hash to normalize casing issues`
			`local_exploit_opts = {}`
removes lingering debug lines, changes word script to module 2014-07-09 17:05:35 -05:00			`copy_of_orig_exploit_datastore.each do \|k,v\|`
adds some additional protection against capilization issues 2014-06-17 17:40:50 -05:00			`local_exploit_opts[k.downcase] = v`
			`end`
first shot at letting scriptable.rb handle local exploits 2014-05-06 01:21:11 -05:00			`# we don't want to inherit a couple things, like AutoRunScript's`
adds TARGET to 'to_neuter' list 2014-05-09 15:57:36 -05:00			`to_neuter = %w{AutoRunScript InitialAutoRunScript LPORT TARGET}`
cleans up comments, line lengths, dup/clone 2014-05-08 16:04:18 -05:00			`to_neuter.each do \|setting\|`
adds some additional protection against capilization issues 2014-06-17 17:40:50 -05:00			`local_exploit_opts.delete(setting.downcase)`
cleans up comments, line lengths, dup/clone 2014-05-08 16:04:18 -05:00			`end`
first shot at letting scriptable.rb handle local exploits 2014-05-06 01:21:11 -05:00
cleans up comments, line lengths, dup/clone 2014-05-08 16:04:18 -05:00			`# merge in any opts that were passed in, defaulting all other settings`
			`# to the values from the datastore (of the exploit) that spawned the`
			`# session`
adds some additional protection against capilization issues 2014-06-17 17:40:50 -05:00			`local_exploit_opts = local_exploit_opts.merge(opts)`
first shot at letting scriptable.rb handle local exploits 2014-05-06 01:21:11 -05:00
Dont rescue Exception 2014-09-28 09:03:55 +01:00			`new_session = mod.exploit_simple(`
			`'Payload' => local_exploit_opts.delete('payload'),`
			`'Target' => local_exploit_opts.delete('target'),`
			`'LocalInput' => self.user_input,`
			`'LocalOutput' => self.user_output,`
			`'Options' => local_exploit_opts`
			`)`
first shot at letting scriptable.rb handle local exploits 2014-05-06 01:21:11 -05:00
			`end # end if local`
			`end # end if exploit`

New updates to scriptable.rb for payload/target 2014-05-06 15:33:51 -05:00			`else`
Retab lib 2013-08-30 16:28:33 -05:00			`full_path = self.class.find_script_path(script_name)`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
Retab lib 2013-08-30 16:28:33 -05:00			`# No path found? Weak.`
			`if full_path.nil?`
changes 'module' back to 'script', makes more sense 2014-07-09 17:25:39 -05:00			`print_error("The specified script could not be found: #{script_name}")`
Retab lib 2013-08-30 16:28:33 -05:00			`return true`
			`end`
			`framework.events.on_session_script_run(self, full_path)`
			`execute_file(full_path, args)`
New updates to scriptable.rb for payload/target 2014-05-06 15:33:51 -05:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00			`end`
add the scriptable mixin. fixes #3550 , see #3541 . /me grumbles 2011-01-19 16:01:12 +00:00
			`end`

			`end`