Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2

3
module Msf
4

5
###
6
#
7
# This class drives the exploitation process from start to finish for a given
8
# exploit module instance.  It's responsible for payload generation, encoding,
9
# and padding as well as initialization handlers and finally launching the
10
# exploit.
11
#
12
###
13
class ExploitDriver
14

15
  #
16
  # Initializes the exploit driver using the supplied framework instance.
17
  #
18
  def initialize(framework)
19
    self.payload                = nil
20
    self.exploit                = nil
21
    self.use_job                = false
22
    self.job_id                 = nil
23
    self.force_wait_for_session = false
24
    self.keep_handler           = false
25
    self.semaphore              = Mutex.new
26
  end
27

28
  #
29
  # Specification of the exploit target index.
30
  #
31
  def target_idx=(target_idx)
32
    if (target_idx)
33
      # Make sure the target index is valid
34
      if (target_idx >= exploit.targets.length)
35
        raise Rex::ArgumentError, "Invalid target index.", caller
36
      end
37
    end
38

39
     # Set the active target
40
    @target_idx = target_idx
41
  end
42

43
  #
44
  # This method returns the currently selected target index.
45
  #
46
  def target_idx
47
    @target_idx
48
  end
49

50
  #
51
  # Checks to see if the supplied payload is compatible with the
52
  # current exploit.  Assumes that target_idx is valid.
53
  #
54
  def compatible_payload?(payload)
55
    !exploit.compatible_payloads.find { |refname, _| refname == payload.refname }.nil?
56
  end
57

58
  ##
59
  #
60
  # Exploit execution
61
  #
62
  ##
63

64
  #
65
  # Makes sure everything's in tip-top condition prior to launching the
66
  # exploit.  For things that aren't good to go, an exception is thrown.
67
  #
68
  def validate
69
    # First, validate that a target has been selected
70
    if (target_idx == nil)
71
      raise MissingTargetError,
72
        "A payload cannot be selected until a target is specified.",
73
        caller
74
    end
75

76
    # Next, validate that a payload has been selected
77
    if (payload == nil)
78
      raise MissingPayloadError,
79
        "A payload has not been selected.", caller
80
    end
81

82
    # Make sure the payload is compatible after all
83
    unless compatible_payload?(payload)
84
      raise IncompatiblePayloadError.new(payload.refname), "#{payload.refname} is not a compatible payload.", caller
85
    end
86

87
    unless exploit.respond_to?(:allow_no_cleanup) && exploit.allow_no_cleanup
88
      # Being able to cleanup requires a session to be created from a handler, and for that
89
      # session to be able to be able to clean up files
90
      can_cleanup = payload.handler_klass != Msf::Handler::None && payload&.session&.can_cleanup_files
91
      if exploit.needs_cleanup && !can_cleanup
92
        raise IncompatiblePayloadError.new(payload.refname), "#{payload.refname} cannot cleanup files created during exploit. To run anyway, set AllowNoCleanup to true"
93
      end
94

95
      if exploit.needs_cleanup && !exploit.handler_enabled?
96
        raise ValidationError.new('Cannot cleanup files created during exploit if payload handler is disabled. To run anyway, set AllowNoCleanup to true')
97
      end
98
    end
99

100
    # Associate the payload instance with the exploit
101
    payload.assoc_exploit = exploit
102

103
    # Finally, validate options on the exploit module to ensure that things
104
    # are ready to operate as they should.
105
    exploit.options.validate(exploit.datastore)
106

107
    # Validate the payload's options.  The payload's datastore is
108
    # most likely shared against the exploit's datastore, but in case it
109
    # isn't.
110
    payload.options.validate(payload.datastore)
111

112
    return true
113
  end
114

115
  #
116
  # Kicks off an exploitation attempt and performs the following four major
117
  # operations:
118
  #
119
  #   - Generates the payload
120
  #   - Initializes & monitors the handler
121
  #   - Launches the exploit
122
  #   - Cleans up the handler
123
  #
124
  def run
125
    # First thing's first -- validate the state.  Make sure all requirement
126
    # parameters are set, including those that are derived from the
127
    # datastore.
128
    validate()
129

130
    # After validation has occurred, it's time to set some values on the
131
    # exploit instance and begin preparing the payload
132
    exploit.datastore['TARGET'] = target_idx
133

134
    # Default the session to nil
135
    self.session = nil
136

137
    # Explicitly clear the module's job_id in case it was set in a previous
138
    # run
139
    exploit.job_id = nil
140

141
    # If we are being instructed to run as a job then let's create that job
142
    # like a good person.
143
    if (use_job or exploit.passive?)
144
      # Since references to the exploit and payload will hang around for
145
      # awhile in the job, make sure we copy them so further changes to
146
      # the datastore don't alter settings in existing jobs
147
      e = exploit.replicant
148
      p = payload.replicant
149

150
      # Assign the correct exploit instance to the payload
151
      p.assoc_exploit = e
152

153
      # Generate the encoded version of the supplied payload for the
154
      # newly copied exploit module instance
155
      e.generate_payload(p)
156
      ctx = [ e, p ]
157

158
      e.job_id = e.framework.jobs.start_bg_job(
159
        "Exploit: #{e.refname}",
160
        ctx,
161
        Proc.new { |ctx_| job_run_proc(ctx_) },
162
        Proc.new { |ctx_| job_cleanup_proc(ctx_) }
163
      )
164
      self.job_id = e.job_id
165
    else
166
      # Generate the encoded version of the supplied payload on the
167
      # exploit module instance
168
      exploit.generate_payload(payload)
169

170
      # No need to copy since we aren't creating a job.  We wait until
171
      # they're finished running to do anything else with them, so
172
      # nothing should be able to modify their datastore or other
173
      # settings until after they're done.
174
      ctx = [ exploit, payload ]
175

176
      begin
177
        job_run_proc(ctx)
178
      rescue ::Interrupt
179
        job_cleanup_proc(ctx)
180
        raise $!
181
      ensure
182
        # For multi exploit targets.
183
        # Keep the payload handler until last target or interrupt
184
        job_cleanup_proc(ctx) unless keep_handler
185
      end
186
    end
187

188
    return session
189
  end
190

191
  attr_accessor :exploit # :nodoc:
192
  attr_accessor :payload # :nodoc:
193
  attr_accessor :use_job # :nodoc:
194
  #
195
  # The identifier of the job this exploit is launched as, if it's run as a
196
  # job.
197
  #
198
  attr_accessor :job_id
199
  attr_accessor :force_wait_for_session # :nodoc:
200
  attr_accessor :session # :nodoc:
201
  attr_accessor :keep_handler # :nodoc:
202

203
  # To synchronize threads cleaning up the exploit and the handler
204
  attr_accessor :semaphore
205

206
protected
207

208
  #
209
  # Job run proc, sets up the exploit and kicks it off.
210
  #
211
  def job_run_proc(ctx)
212
    begin
213
      exploit, payload = ctx
214
      # Default session wait time..
215
      delay = payload.wfs_delay + exploit.wfs_delay
216
      delay = nil if exploit.passive?
217

218
      # Set the exploit up the bomb
219
      exploit.setup
220

221
      exploit.framework.events.on_module_run(exploit)
222

223
      # Launch the exploit
224
      exploit.exploit
225

226
    rescue ::Exception => e
227
      if [::RuntimeError, ::Interrupt].include?(e.class)
228
        # Wait for session, but don't wait long.
229
        delay = 0.01
230
      end
231

232
      fail_reason = exploit.handle_exception(e)
233
    end
234

235
    # Start bind handlers after exploit completion
236
    payload.start_handler if exploit.handler_bind?
237

238
    # Wait the payload to acquire a session if this isn't a passive-style
239
    # exploit.
240
    return if not delay
241

242
    if (force_wait_for_session == true) or
243
      (exploit.passive? == false and exploit.handler_enabled?)
244
      begin
245
        self.session = payload.wait_for_session(delay)
246
      rescue ::Interrupt
247
        # Don't let interrupt pass upward
248
      end
249
    end
250

251
    return self.session if self.session
252

253
    if exploit.fail_reason == Msf::Exploit::Failure::None
254
      exploit.fail_reason = Msf::Exploit::Failure::PayloadFailed
255
      exploit.fail_detail = "No session created"
256
      exploit.report_failure
257
    end
258

259
    if fail_reason && fail_reason == Msf::Exploit::Failure::UserInterrupt
260
      raise ::Interrupt
261
    end
262
  end
263

264
  #
265
  # Clean up the exploit and the handler after the job completes.
266
  #
267
  def job_cleanup_proc(ctx)
268
    exploit, payload = ctx
269

270
    # Ensure that, no matter what, clean up of the handler occurs
271
    semaphore.synchronize { payload.stop_handler }
272

273
    exploit.framework.events.on_module_complete(exploit)
274

275
    # Allow the exploit to cleanup after itself, that messy bugger.
276
    semaphore.synchronize { exploit.cleanup }
277
  end
278

279
end
280

281
end
282

283

284