James Lee
624e19fd8b
Squashed commit of the following: commit 2f4e8df33c5b4baa8d6fd67b400778a3f93482aa Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 16:31:03 2012 -0700 Clean up some rdoc comments This adds categories for the various interfaces that meterpreter and shell sessions implement so they are grouped logically in the docs. commit 9d31bc1b35845f7279148412f49bda56a39c9d9d Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 13:00:25 2012 -0700 Combine the docs into one output dir There's really no need to separate the API sections into their own directory. Combining them makes it much easier to read. commit eadd7fc136a9e7e4d9652d55dfb86e6f318332e0 Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 08:27:22 2012 -0700 Keep the order of iface attributes the same accross rubies 1.8 doesn't maintain insertion order for Hash keys like 1.9 does so we end up with ~random order for the display with the previous technique. Switch to an Array instead of a Hash so it's always the same. commit 6f66dd40f39959711f9bacbda99717253a375d21 Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 08:23:35 2012 -0700 Fix a few more compiler warnings commit f39cb536a80c5000a5b9ca1fec5902300ae4b440 Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 08:17:39 2012 -0700 Fix a type-safety warning commit 1e52785f38146515409da3724f858b9603d19454 Author: James Lee <egypt@metasploit.com> Date: Mon Feb 27 15:21:36 2012 -0700 LHOST should be OptAddress, not OptAddressRange commit acef978aa4233c7bd0b00ef63646eb4da5457f67 Author: James Lee <egypt@metasploit.com> Date: Sun Feb 26 17:45:59 2012 -0700 Fix a couple of warnings and a typo commit 29d87f88790aa1b3e5db6df650ecfb3fb93c675b Author: HD Moore <hdm@digitaloffense.net> Date: Mon Feb 27 11:54:29 2012 -0600 Fix ctype vs content_type typo commit 83b5400356c47dd1973e6be3aa343084dfd09c73 Author: Gregory Man <man.gregory@gmail.com> Date: Sun Feb 26 15:38:33 2012 +0200 Fixed scripts/meterpreter/enum_firefox to work with firefox > 3.6.x commit 49c2c80b347820d02348d694cc71f1b3028b4365 Author: Steve Tornio <swtornio@gmail.com> Date: Sun Feb 26 07:13:13 2012 -0600 add osvdb ref commit e18e1fe97b89c3a2b8c22bc6c18726853d2c2bee Author: Matt Andreko <mandreko@gmail.com> Date: Sat Feb 25 18:02:56 2012 -0500 Added aspx target to msfvenom. This in turn added it to msfencode as well. Ref: https://github.com/rapid7/metasploit-framework/pull/188 Tested on winxp with IIS in .net 1.1 and 2.0 modes commit e6aa5072112d79bbf8a4d2289cf8d301db3932f5 Author: Joshua J. Drake <github.jdrake@qoop.org> Date: Sat Feb 25 13:00:48 2012 -0600 Fixes #6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver commitb3371e8bfeAuthor: James Lee <egypt@metasploit.com> Date: Tue Feb 28 17:07:42 2012 -0700 Simplify logic for whether an inner iface has the same address commit5417419f35Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 16:58:16 2012 -0700 Whitespace commit9036875c29Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 16:53:45 2012 -0700 Set session info before worrying about address get_interfaces can take a while on Linux, grab uid and hostname earlier so we can give the user an idea of what they popped as soon as possible. commitf34b51c629Author: James Lee <egypt@metasploit.com> Date: Tue Feb 28 16:48:42 2012 -0700 Clean up rdoc commite61a066345Author: HD Moore <hd_moore@rapid7.com> Date: Tue Feb 28 04:54:45 2012 -0600 Ensure the architecture is only the first word (not the full WOW64 message in some cases) commit4c70161097Author: HD Moore <hd_moore@rapid7.com> Date: Tue Feb 28 04:49:17 2012 -0600 More paranoia code, just in case RHOST is set to whitespace commitc5ff89fe3dAuthor: HD Moore <hd_moore@rapid7.com> Date: Tue Feb 28 04:47:01 2012 -0600 A few more small bug fixes to handle cases with an empty string target host resulting in a bad address commit462d0188a1Author: HD Moore <hd_moore@rapid7.com> Date: Tue Feb 28 03:55:10 2012 -0600 Fix up the logic (reversed by accident) commit2b2b0adaecAuthor: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 23:29:52 2012 -0600 Automatically parse system information and populate the db, identify and report NAT when detected, show the real session_host in the sessions -l listing commit547a4ab4c6Author: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:16:03 2012 -0600 Fix typo introduced commit27a7b7961eAuthor: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:11:38 2012 -0600 More session.session_host tweaks commite447302a1aAuthor: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:08:20 2012 -0600 Additional tunnel_peer changes commit93369fcffaAuthor: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:06:21 2012 -0600 Additional changes to session.session_host commitc3552f66d1Author: HD Moore <hd_moore@rapid7.com> Date: Mon Feb 27 22:00:19 2012 -0600 Merge changes into the new branch
426 lines
9.7 KiB
Ruby
426 lines
9.7 KiB
Ruby
require 'msf/core'
|
|
require 'msf/util'
|
|
|
|
module Msf
|
|
|
|
###
|
|
#
|
|
# This class is the primary context that modules, scripts, and user
|
|
# interfaces interact with. It ties everything together.
|
|
#
|
|
###
|
|
class Framework
|
|
|
|
#
|
|
# Versioning information
|
|
#
|
|
|
|
Major = 4
|
|
Minor = 3
|
|
Point = 0
|
|
Release = "-dev"
|
|
|
|
if(Point)
|
|
Version = "#{Major}.#{Minor}.#{Point}#{Release}"
|
|
else
|
|
Version = "#{Major}.#{Minor}#{Release}"
|
|
end
|
|
|
|
Revision = "$Revision$"
|
|
|
|
|
|
# Repository information
|
|
RepoRevision = ::Msf::Util::SVN.revision
|
|
RepoUpdated = ::Msf::Util::SVN.updated
|
|
RepoUpdatedDays = ::Msf::Util::SVN.days_since_update
|
|
RepoUpdatedDaysNote = ::Msf::Util::SVN.last_updated_friendly
|
|
RepoUpdatedDate = ::Msf::Util::SVN.last_updated_date
|
|
RepoRoot = ::Msf::Util::SVN.root
|
|
|
|
# EICAR canary
|
|
EICARCorrupted = ::Msf::Util::EXE.is_eicar_corrupted?
|
|
|
|
# API Version
|
|
APIMajor = 1
|
|
APIMinor = 0
|
|
|
|
# Base/API Version
|
|
VersionCore = Major + (Minor / 10.0)
|
|
VersionAPI = APIMajor + (APIMinor / 10.0)
|
|
|
|
#
|
|
# Mixin meant to be included into all classes that can have instances that
|
|
# should be tied to the framework, such as modules.
|
|
#
|
|
module Offspring
|
|
|
|
#
|
|
# A reference to the framework instance from which this offspring was
|
|
# derived.
|
|
#
|
|
attr_accessor :framework
|
|
end
|
|
|
|
require 'msf/core/thread_manager'
|
|
require 'msf/core/module_manager'
|
|
require 'msf/core/session_manager'
|
|
require 'msf/core/plugin_manager'
|
|
require 'msf/core/db_manager'
|
|
require 'msf/core/event_dispatcher'
|
|
|
|
|
|
#
|
|
# Creates an instance of the framework context.
|
|
#
|
|
def initialize(opts={})
|
|
|
|
# Allow specific module types to be loaded
|
|
types = opts[:module_types] || MODULE_TYPES
|
|
|
|
self.threads = ThreadManager.new(self)
|
|
self.events = EventDispatcher.new(self)
|
|
self.modules = ModuleManager.new(self,types)
|
|
self.sessions = SessionManager.new(self)
|
|
self.datastore = DataStore.new
|
|
self.jobs = Rex::JobContainer.new
|
|
self.plugins = PluginManager.new(self)
|
|
self.db = DBManager.new(self, opts)
|
|
|
|
# Configure the thread factory
|
|
Rex::ThreadFactory.provider = self.threads
|
|
|
|
subscriber = FrameworkEventSubscriber.new(self)
|
|
events.add_exploit_subscriber(subscriber)
|
|
events.add_session_subscriber(subscriber)
|
|
events.add_general_subscriber(subscriber)
|
|
events.add_db_subscriber(subscriber)
|
|
events.add_ui_subscriber(subscriber)
|
|
end
|
|
|
|
def inspect
|
|
"#<Framework (#{sessions.length} sessions, #{jobs.length} jobs, #{plugins.length} plugins#{db.active ? ", #{db.driver} database active" : ""})>"
|
|
end
|
|
|
|
#
|
|
# Returns the module set for encoders.
|
|
#
|
|
def encoders
|
|
return modules.encoders
|
|
end
|
|
|
|
#
|
|
# Returns the module set for exploits.
|
|
#
|
|
def exploits
|
|
return modules.exploits
|
|
end
|
|
|
|
#
|
|
# Returns the module set for nops
|
|
#
|
|
def nops
|
|
return modules.nops
|
|
end
|
|
|
|
#
|
|
# Returns the module set for payloads
|
|
#
|
|
def payloads
|
|
return modules.payloads
|
|
end
|
|
|
|
#
|
|
# Returns the module set for auxiliary modules
|
|
#
|
|
def auxiliary
|
|
return modules.auxiliary
|
|
end
|
|
|
|
#
|
|
# Returns the module set for post modules
|
|
#
|
|
def post
|
|
return modules.post
|
|
end
|
|
|
|
#
|
|
# Returns the framework version in Major.Minor format.
|
|
#
|
|
def version
|
|
Version
|
|
end
|
|
|
|
#
|
|
# Event management interface for registering event handler subscribers and
|
|
# for interacting with the correlation engine.
|
|
#
|
|
attr_reader :events
|
|
#
|
|
# Module manager that contains information about all loaded modules,
|
|
# regardless of type.
|
|
#
|
|
attr_reader :modules
|
|
#
|
|
# Session manager that tracks sessions associated with this framework
|
|
# instance over the course of their lifetime.
|
|
#
|
|
attr_reader :sessions
|
|
#
|
|
# The global framework datastore that can be used by modules.
|
|
#
|
|
attr_reader :datastore
|
|
#
|
|
# The framework instance's aux manager. The aux manager is responsible
|
|
# for collecting and catalogging all aux information that comes in from
|
|
# aux modules.
|
|
#
|
|
attr_reader :auxmgr
|
|
#
|
|
# Background job management specific to things spawned from this instance
|
|
# of the framework.
|
|
#
|
|
attr_reader :jobs
|
|
#
|
|
# The framework instance's plugin manager. The plugin manager is
|
|
# responsible for exposing an interface that allows for the loading and
|
|
# unloading of plugins.
|
|
#
|
|
attr_reader :plugins
|
|
#
|
|
# The framework instance's db manager. The db manager
|
|
# maintains the database db and handles db events
|
|
#
|
|
attr_reader :db
|
|
#
|
|
# The framework instance's thread manager. The thread manager
|
|
# provides a cleaner way to manage spawned threads
|
|
#
|
|
attr_reader :threads
|
|
|
|
protected
|
|
|
|
attr_writer :events # :nodoc:
|
|
attr_writer :modules # :nodoc:
|
|
attr_writer :sessions # :nodoc:
|
|
attr_writer :datastore # :nodoc:
|
|
attr_writer :auxmgr # :nodoc:
|
|
attr_writer :jobs # :nodoc:
|
|
attr_writer :plugins # :nodoc:
|
|
attr_writer :db # :nodoc:
|
|
attr_writer :threads # :nodoc:
|
|
end
|
|
|
|
class FrameworkEventSubscriber
|
|
include Framework::Offspring
|
|
def initialize(framework)
|
|
self.framework = framework
|
|
end
|
|
|
|
def report_event(data)
|
|
if framework.db.active
|
|
framework.db.report_event(data)
|
|
end
|
|
end
|
|
|
|
include GeneralEventSubscriber
|
|
|
|
#
|
|
# Generic handler for module events
|
|
#
|
|
def module_event(name, instance, opts={})
|
|
if framework.db.active
|
|
event = {
|
|
:workspace => framework.db.find_workspace(instance.workspace),
|
|
:name => name,
|
|
:username => instance.owner,
|
|
:info => {
|
|
:module_name => instance.fullname,
|
|
:module_uuid => instance.uuid
|
|
}.merge(opts)
|
|
}
|
|
|
|
report_event(event)
|
|
end
|
|
end
|
|
def on_module_run(instance)
|
|
opts = { :datastore => instance.datastore.to_h }
|
|
module_event('module_run', instance, opts)
|
|
end
|
|
|
|
def on_module_complete(instance)
|
|
module_event('module_complete', instance)
|
|
end
|
|
|
|
def on_module_error(instance, exception=nil)
|
|
module_event('module_error', instance, :exception => exception.to_s)
|
|
end
|
|
|
|
include ::Msf::UiEventSubscriber
|
|
def on_ui_command(command)
|
|
if framework.db.active
|
|
report_event(:name => "ui_command", :info => {:command => command})
|
|
end
|
|
end
|
|
|
|
def on_ui_stop()
|
|
if framework.db.active
|
|
report_event(:name => "ui_stop")
|
|
end
|
|
end
|
|
|
|
def on_ui_start(rev)
|
|
#
|
|
# The database is not active at startup time unless msfconsole was
|
|
# started with a database.yml, so this event won't always be saved to
|
|
# the db. Not great, but best we can do.
|
|
#
|
|
info = { :revision => rev }
|
|
report_event(:name => "ui_start", :info => info)
|
|
end
|
|
|
|
require 'msf/core/session'
|
|
|
|
include ::Msf::SessionEvent
|
|
|
|
#
|
|
# Generic handler for session events
|
|
#
|
|
def session_event(name, session, opts={})
|
|
address = session.session_host
|
|
|
|
if not (address and address.length > 0)
|
|
elog("Session with no session_host/target_host/tunnel_peer")
|
|
dlog("#{session.inspect}", LEV_3)
|
|
return
|
|
end
|
|
|
|
if framework.db.active
|
|
ws = framework.db.find_workspace(session.workspace)
|
|
event = {
|
|
:workspace => ws,
|
|
:username => session.username,
|
|
:name => name,
|
|
:host => address,
|
|
:info => {
|
|
:session_id => session.sid,
|
|
:session_info => session.info,
|
|
:session_uuid => session.uuid,
|
|
:session_type => session.type,
|
|
:username => session.username,
|
|
:target_host => address,
|
|
:via_exploit => session.via_exploit,
|
|
:via_payload => session.via_payload,
|
|
:tunnel_peer => session.tunnel_peer,
|
|
:exploit_uuid => session.exploit_uuid
|
|
}.merge(opts)
|
|
}
|
|
report_event(event)
|
|
end
|
|
end
|
|
|
|
|
|
def on_session_open(session)
|
|
opts = { :datastore => session.exploit_datastore.to_h, :critical => true }
|
|
session_event('session_open', session, opts)
|
|
framework.db.report_session(:session => session)
|
|
end
|
|
|
|
def on_session_upload(session, lpath, rpath)
|
|
session_event('session_upload', session, :local_path => lpath, :remote_path => rpath)
|
|
framework.db.report_session_event({
|
|
:etype => 'upload',
|
|
:session => session,
|
|
:local_path => lpath,
|
|
:remote_path => rpath
|
|
})
|
|
end
|
|
def on_session_download(session, rpath, lpath)
|
|
session_event('session_download', session, :local_path => lpath, :remote_path => rpath)
|
|
framework.db.report_session_event({
|
|
:etype => 'download',
|
|
:session => session,
|
|
:local_path => lpath,
|
|
:remote_path => rpath
|
|
})
|
|
end
|
|
|
|
def on_session_close(session, reason='')
|
|
session_event('session_close', session)
|
|
if session.db_record
|
|
# Don't bother saving here, the session's cleanup method will take
|
|
# care of that later.
|
|
session.db_record.close_reason = reason
|
|
session.db_record.closed_at = Time.now.utc
|
|
end
|
|
end
|
|
|
|
#def on_session_interact(session)
|
|
# $stdout.puts('session_interact', session.inspect)
|
|
#end
|
|
|
|
def on_session_command(session, command)
|
|
session_event('session_command', session, :command => command)
|
|
framework.db.report_session_event({
|
|
:etype => 'command',
|
|
:session => session,
|
|
:command => command
|
|
})
|
|
end
|
|
|
|
def on_session_output(session, output)
|
|
# Break up the output into chunks that will fit into the database.
|
|
buff = output.dup
|
|
chunks = []
|
|
if buff.length > 1024
|
|
while buff.length > 0
|
|
chunks << buff.slice!(0,1024)
|
|
end
|
|
else
|
|
chunks << buff
|
|
end
|
|
chunks.each { |chunk|
|
|
session_event('session_output', session, :output => chunk)
|
|
framework.db.report_session_event({
|
|
:etype => 'output',
|
|
:session => session,
|
|
:output => chunk
|
|
})
|
|
}
|
|
end
|
|
|
|
def on_session_route(session, route)
|
|
framework.db.report_session_route(session, route)
|
|
end
|
|
|
|
def on_session_route_remove(session, route)
|
|
framework.db.report_session_route_remove(session, route)
|
|
end
|
|
|
|
def on_session_script_run(session, script)
|
|
framework.db.report_session_event({
|
|
:etype => 'script_run',
|
|
:session => session,
|
|
:local_path => script
|
|
})
|
|
end
|
|
|
|
def on_session_module_run(session, mod)
|
|
framework.db.report_session_event({
|
|
:etype => 'module_run',
|
|
:session => session,
|
|
:local_path => mod.fullname
|
|
})
|
|
end
|
|
|
|
#
|
|
# This is covered by on_module_run and on_session_open, so don't bother
|
|
#
|
|
#require 'msf/core/exploit'
|
|
#include ExploitEvent
|
|
#def on_exploit_success(exploit, session)
|
|
#end
|
|
|
|
end
|
|
end
|
|
|