CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/lib/msf/ui/console/command_dispatcher/payload.rb
Views: 11784
1
# -*- coding: binary -*-

2


3
module Msf

4
  module Ui

5
    module Console

6
      module CommandDispatcher

7
        ###

8
        # Payload module command dispatcher.

9
        ###

10
        class Payload

11
          include Msf::Ui::Console::ModuleCommandDispatcher

12
          include Msf::Ui::Console::ModuleOptionTabCompletion

13


14
          # Load supported formats

15
          @@supported_formats = \

16
            Msf::Simple::Buffer.transform_formats + \

17
            Msf::Util::EXE.to_executable_fmt_formats

18


19
          @@to_handler_opts = Rex::Parser::Arguments.new(

20
            '-h' => [ false, 'Show this message' ]

21
          )

22


23
          @@generate_opts = Rex::Parser::Arguments.new(

24
            '-p' => [ true, 'The platform of the payload' ],

25
            '-n' => [ true, 'Prepend a nopsled of [length] size on to the payload' ],

26
            '-f' => [ true, "Output format: #{@@supported_formats.join(',')}" ],

27
            '-E' => [ false, 'Force encoding' ],

28
            '-e' => [ true, 'The encoder to use' ],

29
            '-P' => [ true, 'Total desired payload size, auto-produce appropriate NOP sled length'],

30
            '-S' => [ true, 'The new section name to use when generating (large) Windows binaries'],

31
            '-b' => [ true, "The list of characters to avoid example: '\\x00\\xff'" ],

32
            '-i' => [ true, 'The number of times to encode the payload' ],

33
            '-x' => [ true, 'Specify a custom executable file to use as a template' ],

34
            '-k' => [ false, 'Preserve the template behavior and inject the payload as a new thread' ],

35
            '-o' => [ true, 'The output file name (otherwise stdout)' ],

36
            '-O' => [ true, "Deprecated: alias for the '-o' option" ],

37
            '-v' => [ false, 'Verbose output (display stage in addition to stager)' ],

38
            '-h' => [ false, 'Show this message' ]

39
          )

40


41
          #

42
          # Returns the hash of commands specific to payload modules.

43
          #

44
          def commands

45
            super.update(

46
              'generate' => 'Generates a payload',

47
              'to_handler' => 'Creates a handler with the specified payload',

48
              'exploit' => 'Creates a handler with the specified payload'

49
            )

50
          end

51


52
          def cmd_to_handler_help

53
            print_line 'Usage: to_handler [options]'

54
            print_line

55
            print_line 'Creates a handler a payload. Datastore options may be supplied after normal options.'

56
            print_line 'This is convenient way of using multi/handler, setting the payload, and then setting datastore options.'

57
            print_line

58
            print_line 'Example: to_handler'

59
            print_line 'Example: to_handler LHOST=192.168.123.1'

60
            print @@to_handler_opts.usage

61
          end

62


63
          def cmd_to_handler(*args)

64
            if args.include?('-r') || args.include?('--reload-libs')

65
              driver.run_single('reload_lib -a')

66
            end

67


68
            mod_with_opts = mod.replicant

69
            handler = framework.modules.create('exploit/multi/handler')

70
            handler.share_datastore(mod_with_opts.datastore)

71


72
            @@to_handler_opts.parse(args) do |opt, _idx, val|

73
              case opt

74
              when '-h'

75
                cmd_to_handler_help

76
                return false

77
              else

78
                unless val.include?('=')

79
                  cmd_to_handler_help

80
                  return false

81
                end

82


83
                handler.datastore.import_options_from_s(val)

84
              end

85
            end

86


87
            handler_opts = {

88
              'Payload' => mod.refname,

89
              'LocalInput' => driver.input,

90
              'LocalOutput' => driver.output,

91
              'RunAsJob' => true,

92
              'Options' => {

93
                'ExitOnSession' => false

94
              }

95
            }

96


97
            replicant_handler = nil

98
            handler.exploit_simple(handler_opts) do |yielded_replicant_handler|

99
              replicant_handler = yielded_replicant_handler

100
            end

101


102
            if replicant_handler.nil?

103
              print_error('Failed to run module')

104
              return

105
            end

106


107
            if replicant_handler.error.nil?

108
              job_id = handler.job_id

109


110
              print_status "Payload Handler Started as Job #{job_id}"

111
            end

112
          end

113


114
          alias cmd_exploit cmd_to_handler

115


116
          #

117
          # Tab completion for the generate command

118
          #

119
          def cmd_to_handler_tabs(str, words)

120
            fmt = {

121
              '-h' => [ nil ],

122
            }

123
            flags = tab_complete_generic(fmt, str, words)

124
            options = tab_complete_option(active_module, str, words)

125
            flags + options

126
          end

127


128
          #

129
          # Returns the command dispatcher name.

130
          #

131
          def name

132
            'Payload'

133
          end

134


135
          def cmd_generate_help

136
            print_line 'Usage: generate [options]'

137
            print_line

138
            print_line 'Generates a payload. Datastore options may be supplied after normal options.'

139
            print_line

140
            print_line 'Example: generate -f python LHOST=127.0.0.1'

141
            print @@generate_opts.usage

142
          end

143


144
          #

145
          # Generates a payload.

146
          #

147
          def cmd_generate(*args)

148
            # Parse the arguments

149
            encoder_name = nil

150
            sled_size = nil

151
            pad_nops = nil

152
            sec_name = nil

153
            option_str = nil

154
            badchars = nil

155
            format = 'ruby'

156
            ofile = nil

157
            iter = 1

158
            force = nil

159
            template = nil

160
            plat = nil

161
            keep = false

162
            verbose = false

163
            mod_with_opts = mod.replicant

164


165
            @@generate_opts.parse(args) do |opt, _idx, val|

166
              case opt

167
              when '-b'

168
                badchars = Rex::Text.dehex(val)

169
              when '-e'

170
                encoder_name = val

171
              when '-E'

172
                force = true

173
              when '-n'

174
                sled_size = val.to_i

175
              when '-P'

176
                pad_nops = val.to_i

177
              when '-S'

178
                sec_name = val

179
              when '-f'

180
                format = val

181
              when '-o'

182
                if val.include?('=')

183
                  print_error("The -o parameter of 'generate' is now preferred to indicate the output file, like with msfvenom\n")

184
                  option_str = val

185
                else

186
                  ofile = val

187
                end

188
              when '-O'

189
                print("Usage of the '-O' parameter is deprecated, prefer '-o' to indicate the output file")

190
                ofile = val

191
              when '-i'

192
                iter = val

193
              when '-k'

194
                keep = true

195
              when '-p'

196
                plat = val

197
              when '-x'

198
                template = val

199
              when '-v'

200
                verbose = true

201
              when '-h'

202
                cmd_generate_help

203
                return false

204
              else

205
                unless val.include?('=')

206
                  cmd_generate_help

207
                  return false

208
                end

209


210
                mod_with_opts.datastore.import_options_from_s(val)

211
              end

212
            end

213
            if encoder_name.nil? && mod_with_opts.datastore['ENCODER']

214
              encoder_name = mod_with_opts.datastore['ENCODER']

215
            end

216


217
            # Generate the payload

218
            begin

219
              buf = mod_with_opts.generate_simple(

220
                'BadChars' => badchars,

221
                'Encoder' => encoder_name,

222
                'Format' => format,

223
                'NopSledSize' => sled_size,

224
                'PadNops' => pad_nops,

225
                'SecName' => sec_name,

226
                'OptionStr' => option_str,

227
                'ForceEncode' => force,

228
                'Template' => template,

229
                'Platform' => plat,

230
                'KeepTemplateWorking' => keep,

231
                'Iterations' => iter,

232
                'Verbose' => verbose

233
              )

234
            rescue StandardError

235
              log_error("Payload generation failed: #{$ERROR_INFO}")

236
              return false

237
            end

238


239
            if !ofile

240
              # Display generated payload

241
              puts(buf)

242
            else

243
              print_status("Writing #{buf.length} bytes to #{ofile}...")

244
              f = File.expand_path(ofile)

245
              fd = File.open(f, 'wb')

246
              fd.write(buf)

247
              fd.close

248
            end

249
            true

250
          end

251


252
          #

253
          # Tab completion for the generate command

254
          #

255
          def cmd_generate_tabs(str, words)

256
            fmt = {

257
              '-b' => [ true ],

258
              '-E' => [ nil ],

259
              '-e' => [ framework.encoders.module_refnames ],

260
              '-h' => [ nil ],

261
              '-o' => [ :file ],

262
              '-P' => [ true ],

263
              '-S' => [ true ],

264
              '-f' => [ @@supported_formats ],

265
              '-p' => [ true ],

266
              '-k' => [ nil ],

267
              '-x' => [ :file ],

268
              '-i' => [ true ],

269
              '-v' => [ nil ]

270
            }

271
            flags = tab_complete_generic(fmt, str, words)

272
            options = tab_complete_option(active_module, str, words)

273
            flags + options

274
          end

275
        end

276
      end

277
    end

278
  end

279
end

280


281