CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/lib/msf/core/module/target.rb
Views: 11784
1
# -*- coding: binary -*-

2


3
###

4
#

5
# A target for an exploit.

6
#

7
###

8
class Msf::Module::Target

9


10
  ###

11
  #

12
  # Target-specific brute force information, such as the addresses

13
  # to step, the step size (if the framework default is bad), and

14
  # other stuff.

15
  #

16
  ###

17
  class Bruteforce < Hash

18


19
    #

20
    # Initializes a brute force target from the supplied brute forcing

21
    # information.

22
    #

23
    def initialize(hash)

24
      update(hash)

25
    end

26


27
    #

28
    # Returns a hash of addresses that should be stepped during

29
    # exploitation and passed in to the bruteforce exploit

30
    # routine.

31
    #

32
    def start_addresses

33
      if (self['Start'] and self['Start'].kind_of?(Hash) == false)

34
        return {'Address' => self['Start'] }

35
      else

36
        return self['Start']

37
      end

38
    end

39


40
    #

41
    # Returns a hash of addresses that should be stopped at once

42
    # they are reached.

43
    #

44
    def stop_addresses

45
      if (self['Stop'] and self['Stop'].kind_of?(Hash) == false)

46
        return {'Address' => self['Stop'] }

47
      else

48
        return self['Stop']

49
      end

50
    end

51


52
    #

53
    # The step size to use, or zero if the framework should figure

54
    # it out.

55
    #

56
    def step_size

57
      self['Step'] || 0

58
    end

59


60
    #

61
    # Returns the default step direction.  -1 indicates that brute forcing

62
    # should go toward lower addresses.  1 indicates that brute forcing

63
    # should go toward higher addresses.

64
    #

65
    def default_direction

66
      dd = self['DefaultDirection']

67


68
      if (dd and dd.to_s.match(/(-1|backward)/i))

69
        return -1

70
      end

71


72
      return 1

73
    end

74


75
    #

76
    # The delay to add between attempts

77
    #

78
    def delay

79
      self['Delay'].to_i || 0

80
    end

81
  end

82


83
  #

84
  # Serialize from an array to a Target instance.

85
  #

86
  def self.from_a(ary)

87
    return nil if (ary.length < 2)

88


89
    self.new(ary.shift, ary.shift)

90
  end

91


92
  #

93
  # Transforms the supplied source into an array of Targets.

94
  #

95
  def self.transform(src)

96
    Rex::Transformer.transform(src, Array, [ self, String ], 'Target')

97
  end

98


99
  #

100
  # Initializes an instance of a bruteforce target from the supplied

101
  # information.  The hash of options that this constructor takes is as

102
  # follows:

103
  #

104
  # Platform

105
  #

106
  # 	The platform(s) that this target is to operate against.

107
  #

108
  # SaveRegisters

109
  #

110
  # 	The registers that must be saved by NOP generators.

111
  #

112
  # Arch

113
  #

114
  # 	The architectures, if any, that this target is specific to (E.g.

115
  # 	ARCH_X86).

116
  #

117
  # Bruteforce

118
  #

119
  # 	Settings specific to a target that supports brute forcing.  See the

120
  # 	BruteForce class.

121
  #

122
  # Ret

123
  #

124
  # 	The target-specific return address or addresses that will be used.

125
  #

126
  # Payload

127
  #

128
  # 	Payload-specific options, such as append, prepend, and other values that

129
  # 	can be set on a per-exploit or per-target basis.

130
  #

131
  # DefaultOptions

132
  #

133
  #   DefaultOptions hash to be imported into the datastore.

134
  #

135
  def initialize(name, opts)

136
    opts = {} unless opts

137


138
    self.name            = name

139
    self.opts            = opts

140
    self.save_registers  = opts['SaveRegisters']

141
    self.ret             = opts['Ret']

142
    self.default_options = opts['DefaultOptions']

143


144
    if opts['Platform']

145
      self.platform = Msf::Module::PlatformList.transform(opts['Platform'])

146
    end

147


148
    if opts['Arch']

149
      self.arch = Rex::Transformer.transform(opts['Arch'], Array, [String], 'Arch')

150
    end

151


152
    # Does this target have brute force information?

153
    if opts['Bruteforce']

154
      self.bruteforce = Bruteforce.new(opts['Bruteforce'])

155
    end

156
  end

157


158
  #

159
  # Index the options directly.

160
  #

161
  def [](key)

162
    opts[key]

163
  end

164


165
  #

166
  # Returns whether or not this is a bruteforce target, forces boolean

167
  # result.

168
  #

169
  def bruteforce?

170
    return (bruteforce != nil)

171
  end

172


173
  ##

174
  #

175
  # Target-specific payload modifications

176
  #

177
  ##

178


179
  #

180
  # The bad characters specific to this target for the payload.

181
  #

182
  def payload_badchars

183
    opts['Payload'] ? opts['Payload']['BadChars'] : nil

184
  end

185


186
  #

187
  # Payload prepend information for this target.

188
  #

189
  def payload_prepend

190
    opts['Payload'] ? opts['Payload']['Prepend'] : nil

191
  end

192


193
  #

194
  # Payload append information for this target.

195
  #

196
  def payload_append

197
    opts['Payload'] ? opts['Payload']['Append'] : nil

198
  end

199


200
  #

201
  # Payload prepend encoder information for this target.

202
  #

203
  def payload_prepend_encoder

204
    opts['Payload'] ? opts['Payload']['PrependEncoder'] : nil

205
  end

206


207
  #

208
  # Payload append encoder information for this target.

209
  #

210
  def payload_append_encoder

211
    opts['Payload'] ? opts['Payload']['AppendEncoder'] : nil

212
  end

213


214
  #

215
  # Payload stack adjustment information for this target.

216
  #

217
  def payload_stack_adjustment

218
    opts['Payload'] ? opts['Payload']['StackAdjustment'] : nil

219
  end

220


221
  #

222
  # Whether NOP generation should be enabled or disabled

223
  #

224
  def payload_disable_nops

225
    opts['Payload'] ? opts['Payload']['DisableNops'] : nil

226
  end

227


228
  #

229
  # Payload max nops information for this target.

230
  #

231
  def payload_max_nops

232
    opts['Payload'] ? opts['Payload']['MaxNops'] : nil

233
  end

234


235
  #

236
  # Payload min nops information for this target.

237
  #

238
  def payload_min_nops

239
    opts['Payload'] ? opts['Payload']['MinNops'] : nil

240
  end

241


242
  #

243
  # Payload space information for this target.

244
  #

245
  def payload_space

246
    opts['Payload'] ? opts['Payload']['Space'] : nil

247
  end

248


249
  #

250
  # The payload encoder or encoders that can be used when generating the

251
  # encoded payload (such as x86/shikata_ga_nai and so on).

252
  #

253
  def payload_encoder

254
    opts['Payload'] ? opts['Payload']['Encoder'] : nil

255
  end

256


257
  #

258
  # The payload NOP generator or generators that can be used when generating the

259
  # encoded payload (such as x86/opty2 and so on).

260
  #

261
  def payload_nop

262
    opts['Payload'] ? opts['Payload']['Nop'] : nil

263
  end

264


265
  #

266
  # The payload encoder type or types that can be used when generating the

267
  # encoded payload (such as alphanum, unicode, xor, and so on).

268
  #

269
  def payload_encoder_type

270
    opts['Payload'] ? opts['Payload']['EncoderType'] : nil

271
  end

272


273
  #

274
  # A hash of options that be initialized in the select encoder's datastore

275
  # that may be required as parameters for the encoding operation.  This is

276
  # particularly useful when a specific encoder type is being used (as

277
  # specified by the EncoderType hash element).

278
  #

279
  def payload_encoder_options

280
    opts['Payload'] ? opts['Payload']['EncoderOptions'] : nil

281
  end

282


283
  #

284
  # Returns a hash of extended options that are applicable to payloads used

285
  # against this particular target.

286
  #

287
  def payload_extended_options

288
    opts['Payload'] ? opts['Payload']['ExtendedOptions'] : nil

289
  end

290


291
  #

292
  # The name of the target (E.g. Windows XP SP0/SP1)

293
  #

294
  attr_reader :name

295
  #

296
  # The platforms that this target is for.

297
  #

298
  attr_reader :platform

299
  #

300
  # The architectures, if any, that the target is specific to.

301
  #

302
  attr_reader :arch

303
  #

304
  # The target-specific options, like payload settings and other stuff like

305
  # that.

306
  #

307
  attr_reader :opts

308
  #

309
  # An alias for the target 'Ret' option.

310
  #

311
  attr_reader :ret

312
  #

313
  # The list of registers that need to be saved.

314
  #

315
  attr_reader :save_registers

316
  #

317
  # The bruteforce target information that will be non-nil if a Bruteforce

318
  # option is passed to the constructor of the class.

319
  #

320
  attr_reader :bruteforce

321
  #

322
  # DefaultOptions hash to be imported into the datastore.

323
  #

324
  attr_reader :default_options

325


326
protected

327


328
  attr_writer :name, :platform, :arch, :opts, :ret, :save_registers # :nodoc:

329
  attr_writer :bruteforce # :nodoc:

330
  attr_writer :default_options # :nodoc:

331


332
end

333


334