Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2
module Msf
3

4
###
5
#
6
# This modules provides a target-aware brute-forcing wrapper.  It implements
7
# the exploit method and calls exploit_brute with target supplied information.
8
# If the selected target is not a bruteforce target, then single_exploit is
9
# called.
10
#
11
###
12
module Exploit::Brute
13

14
  #
15
  # Initializes an instance of an exploit module that supports brute force
16
  # targets.
17
  #
18
  def initialize(info = {})
19
    super
20

21
    #
22
    # Register BruteWait and BruteStep as two advanced options for this
23
    # exploit even though not all targets may be brute force targets.
24
    #
25
    register_advanced_options(
26
      [
27
        OptInt.new('BruteWait', [ false, "Delay between brute force attempts"     ]),
28
        OptInt.new('BruteStep', [ false, "Step size between brute force attempts" ])
29
      ], Msf::Exploit::Brute)
30
  end
31

32
  #
33
  # Entry point for initiating an exploit.  This module wrappers the exploit
34
  # method and determines whether or not the selected target supports brute
35
  # force.  If it does, it does some special things and wraps the brute
36
  # forcing logic.
37
  #
38
  def exploit
39
    # Is the selected target a brute force target?
40
    if (target.bruteforce?)
41
      # The step direction is automatically calculated
42
      direction = {}
43

44
      bf = target.bruteforce
45

46
      # Get the start and stop address hashes
47
      start = bf.start_addresses ? bf.start_addresses.dup : {}
48
      stop  = bf.stop_addresses ? bf.stop_addresses.dup : {}
49
      step  = bf.step_size
50
      delay = bf.delay
51

52
      # Enumerate each start address and try to figure out the direction
53
      start.each_pair { |name, addr|
54
        # If there's a stop address, figure out if it's above or below
55
        # the start address
56
        if (stop[name])
57
          if (stop[name] < addr)
58
            direction[name] = -1
59
          else
60
            direction[name] = 1
61
          end
62
        # If there's no stop address, infer the direction based on
63
        # the default
64
        else
65
          direction[name] = bf.default_direction
66
        end
67
      }
68

69
      # Import start/stop address overrides from the datastore
70
      import_from_datastore(start, 'Start')
71
      import_from_datastore(stop,  'Stop')
72

73
      # User-defined brute wait?
74
      if self.datastore['BruteWait'] and self.datastore['BruteWait'] > 0
75
        delay = self.datastore['BruteWait'].to_i
76
      end
77

78
      # User-defined brute step?
79
      if self.datastore['BruteStep'] and self.datastore['BruteStep'] > 0
80
        step = self.datastore['BruteStep'].to_i
81
      end
82

83
      # Sane defaults
84
      delay = 1 if delay.nil? or delay == 0
85

86
      # Okay, we've got all this crap out of the way, let's actually brute
87
      # force
88
      stopped = []
89
      curr    = start.dup
90

91
      # Automatically determine the step size based off the nop sled length
92
      if step == 0
93
        step = payload.nop_sled_size
94

95
        if step == 0
96
          raise Msf::OptionValidateError.new(
97
            {
98
              'BruteStep' => 'The step size for this exploit is invalid'
99
            }
100
          )
101
        end
102
      end
103

104
      # Keep going until we run out of options
105
      while (curr.length != stopped.length)
106

107
        # Stop brute forcing once a session is found
108
        break if session_created?
109

110
        # Fire off an exploit attempt with the supplied addresses
111
        brute_exploit(curr)
112

113
        # Give it time before we try again
114
        brute_wait(delay)
115

116
        # Scan each current key, increasing it or decreasing it by the
117
        # step size according to its direction
118
        curr.each_key { |k|
119

120
          # Has movement been stopped on this address?  If so, skip it.
121
          next if (stopped.include?(k))
122

123
          # Calculate the next address before we move it to see if
124
          # we're going to go over
125
          next_addr = step * direction[k]
126

127
          # If this item has hit a stop address, add it to the stopped
128
          # hash and move it no further
129
          if (stop[k])
130
            if ((direction[k] == 1 and curr[k] + next_addr >= stop[k]) or
131
                (direction[k] == -1 and curr[k] + next_addr < stop[k]))
132
              stopped << k
133
              next
134
            end
135
          end
136

137
          # If it's not time to stop, move it
138
          curr[k] += next_addr
139
        }
140
      end
141
    else
142
      single_exploit
143
    end
144
  end
145

146
  #
147
  # This routine is called once per brute force iteration.  The addresses
148
  # parameter is a hash of addresses that are incremented each iteration and
149
  # are derived from the target's bruteforce information or the module's
150
  # datastore in case they are being overridden.
151
  #
152
  def brute_exploit(addrs)
153
  end
154

155
  #
156
  # Call if the target is not a brute force target.
157
  #
158
  def single_exploit
159
  end
160

161
  #
162
  # Waits for the provide delay.
163
  #
164
  def brute_wait(delay)
165
    sleep(delay)
166
  end
167

168
protected
169

170
  #
171
  # Imports information into the supplied hash from the datastore.
172
  # This is a way of allowing the user to override values for a
173
  # specific brute force target by name without them actually
174
  # being conveyed in the options list.  This is a bit of a change
175
  # from 2.x, but 2.x didn't have per-target brute force
176
  # addresses, which I think is more valuable.
177
  #
178
  def import_from_datastore(hash, prefix = '')
179
    hash.each_key { |k|
180
      if (self.datastore[prefix + k])
181
        hash[k] = self.datastore[prefix + k]
182
      end
183
    }
184
  end
185

186
end
187

188
end
189

190