CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
# -*- coding: binary -*-
2

3
module Msf
4
module Ui
5
module Console
6

7
###
8
#
9
# Module-specific command dispatcher.
10
#
11
###
12
module ModuleCommandDispatcher
13

14
  include Msf::Ui::Console::CommandDispatcher
15
  include Msf::Ui::Console::ModuleArgumentParsing
16

17
  def commands
18
    {
19
      "reload" => "Reload the current module from disk",
20
      "check"  => "Check to see if a target is vulnerable"
21
    }
22
  end
23

24
  #
25
  # The active driver module, if any.
26
  #
27
  def mod
28
    return driver.active_module
29
  end
30

31
  #
32
  # Sets the active driver module.
33
  #
34
  def mod=(m)
35
    self.driver.active_module = m
36
  end
37

38
  def check_progress
39
    return 0 unless @range_done and @range_count
40
    pct = (@range_done / @range_count.to_f) * 100
41
  end
42

43
  def check_show_progress
44
    pct = check_progress
45
    if(pct >= (@range_percent + @show_percent))
46
      @range_percent = @range_percent + @show_percent
47
      tdlen = @range_count.to_s.length
48
      print_status("Checked #{"%.#{tdlen}d" % @range_done} of #{@range_count} hosts (#{"%.3d" % pct.to_i}% complete)")
49
    end
50
  end
51

52
  def check_multiple(mod)
53
    rhosts_walker = Msf::RhostsWalker.new(mod.datastore['RHOSTS'], mod.datastore).to_enum
54
    rhosts_walker_count = rhosts_walker.count
55

56
    # Short-circuit check_multiple if it's a single host, or doesn't have any hosts set
57
    if rhosts_walker_count <= 1
58
      nmod = mod.replicant
59
      nmod.datastore.merge!(rhosts_walker.next) if rhosts_walker_count == 1
60
      check_simple(nmod)
61
      return
62
    end
63

64
    # This part of the code is mostly from scanner.rb
65
    @show_progress = framework.datastore['ShowProgress'] || mod.datastore['ShowProgress'] || false
66
    @show_percent  = ( framework.datastore['ShowProgressPercent'] || mod.datastore['ShowProgressPercent'] ).to_i
67

68
    @range_count   = rhosts_walker_count || 0
69
    @range_done    = 0
70
    @range_percent = 0
71

72
    # Set the default thread to 1. The same behavior as before.
73
    threads_max = (framework.datastore['THREADS'] || mod.datastore['THREADS'] || 1).to_i
74
    @tl = []
75

76
    if Rex::Compat.is_windows
77
      if threads_max > 16
78
        print_warning("Thread count has been adjusted to 16")
79
        threads_max = 16
80
      end
81
    end
82

83
    if Rex::Compat.is_cygwin
84
      if threads_max > 200
85
        print_warning("Thread count has been adjusted to 200")
86
        threads_max = 200
87
      end
88
    end
89

90
    loop do
91
      while @tl.length < threads_max
92
        begin
93
          datastore = rhosts_walker.next
94
        rescue StopIteration
95
          datastore = nil
96
        end
97
        break unless datastore
98

99
        @tl << framework.threads.spawn("CheckHost-#{datastore['RHOSTS']}", false, datastore.dup) { |thr_datastore|
100
          # Make sure this is thread-safe when assigning an IP to the RHOST
101
          # datastore option
102
          nmod = mod.replicant
103
          nmod.datastore.merge!(thr_datastore)
104
          Msf::Simple::Framework.simplify_module(nmod)
105
          check_simple(nmod)
106
        }
107
      end
108

109
      break if @tl.length == 0
110

111
      tla = @tl.length
112

113
      # This exception handling is necessary, the first thread with errors can kill the
114
      # whole check_multiple and leave the rest of the threads running in background and
115
      # only accessible with the threads command (Thread.list)
116
      begin
117
        @tl.first.join
118
      rescue ::Exception => exception
119
        if exception.kind_of?(::Interrupt)
120
          raise exception
121
        else
122
          elog('Error encountered with first Thread', error: exception)
123
        end
124
      end
125

126
      @tl.delete_if { |t| not t.alive? }
127
      tlb = @tl.length
128

129
      @range_done += (tla - tlb)
130
      check_show_progress if @show_progress
131
    end
132
  end
133

134
  #
135
  # Checks to see if a target is vulnerable.
136
  #
137
  def cmd_check(*args, opts: {})
138
    if (args.include?('-r') || args.include?('--reload-libs')) && !opts[:previously_reloaded]
139
      driver.run_single('reload_lib -a')
140
    end
141

142
    return false unless (args = parse_check_opts(args))
143

144
    mod_with_opts = mod.replicant
145
    mod_with_opts.datastore.import_options_from_hash(args[:datastore_options])
146

147
    begin
148
      mod_with_opts.validate
149
    rescue ::Msf::OptionValidateError => e
150
      ::Msf::Ui::Formatter::OptionValidateError.print_error(mod_with_opts, e)
151
      return false
152
    end
153

154
    begin
155
      check_multiple(mod_with_opts)
156
    rescue ::Interrupt
157
      # When the user sends interrupt trying to quit the task, some threads will still be active.
158
      # This means even though the console tells the user the task has aborted (or at least they
159
      # assume so), the checks are still running. Because of this, as soon as we detect interrupt,
160
      # we force the threads to die.
161
      if @tl
162
        @tl.each { |t| t.kill }
163
      end
164
      print_status("Caught interrupt from the console...")
165
      return
166
    end
167
  end
168

169
  def cmd_check_help
170
    print_module_run_or_check_usage(command: :check)
171
    print_line('Multi-threaded checks:')
172
    print_line('1. set THREADS 10')
173
    print_line('2. check')
174
    print_line
175
  end
176

177
  def report_vuln(instance)
178
    framework.db.report_vuln(
179
      workspace: instance.workspace,
180
      host: instance.rhost,
181
      name: instance.name,
182
      info: "This was flagged as vulnerable by the explicit check of #{instance.fullname}.",
183
      refs: instance.references
184
    )
185
  end
186

187
  def check_simple(instance=nil)
188
    unless instance
189
      instance = mod
190
    end
191

192
    rhost = instance.datastore['RHOST']
193
    rport = instance.datastore['RPORT']
194
    peer = rhost
195
    if rport
196
      rport = instance.rport if instance.respond_to?(:rport)
197
      peer = "#{rhost}:#{rport}"
198
    end
199
    peer_msg = peer ? "#{peer} - " : ''
200

201
    begin
202
      if instance.respond_to?(:check_simple)
203
        code = instance.check_simple(
204
          'LocalInput'  => driver.input,
205
          'LocalOutput' => driver.output
206
        )
207
      else
208
        msg = "Check failed: #{instance.type.capitalize} modules do not support check."
209
        raise NotImplementedError, msg
210
      end
211

212
      if (code && code.kind_of?(Msf::Exploit::CheckCode))
213
        if (code == Msf::Exploit::CheckCode::Vulnerable)
214
          print_good("#{peer_msg}#{code[1]}")
215
          # Restore RHOST for report_vuln
216
          instance.datastore['RHOST'] ||= rhost
217
          report_vuln(instance)
218
        else
219
          print_status("#{peer_msg}#{code[1]}")
220
        end
221
      else
222
        msg = "#{peer_msg}Check failed: The state could not be determined."
223
        print_error(msg)
224
        elog("#{msg}\n#{caller.join("\n")}")
225
      end
226
    rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error => e
227
      # Connection issues while running check should be handled by the module
228
      print_error("Check failed: #{e.class} #{e}")
229
      elog('Check Failed', error: e)
230
    rescue ::Msf::Exploit::Failed => e
231
      # Handle fail_with and other designated exploit failures
232
      print_error("Check failed: #{e.class} #{e}")
233
      elog('Check Failed', error: e)
234
    rescue ::RuntimeError => e
235
      # Some modules raise RuntimeError but we don't necessarily care about those when we run check()
236
      elog('Check Failed', error: e)
237
    rescue ::NotImplementedError => e
238
      print_error(e.message)
239
      elog('Check Failed', error: e)
240
    rescue ::Exception => e
241
      print_error("Check failed: #{e.class} #{e}")
242
      elog('Check Failed', error: e)
243
    end
244
  end
245

246
  #
247
  # Reloads the active module
248
  #
249
  def cmd_reload(*args)
250
    if args.include?('-r') || args.include?('--reload-libs')
251
      driver.run_single('reload_lib -a')
252
    end
253

254
    return cmd_reload_help if args.include?('-h') || args.include?('--help')
255

256
    begin
257
      reload
258
    rescue
259
      log_error("Failed to reload: #{$!}")
260
    end
261
  end
262

263
  @@reload_opts =  Rex::Parser::Arguments.new(
264
    '-k' => [ false,  'Stop the current job before reloading.' ],
265
    '-h' => [ false,  'Help banner.' ])
266

267
  def cmd_reload_help
268
    print_line "Usage: reload [-k]"
269
    print_line
270
    print_line "Reloads the current module."
271
    print @@reload_opts.usage
272
  end
273

274
  #
275
  # Reload the current module, optionally stopping existing job
276
  #
277
  def reload(should_stop_job=false)
278
    if should_stop_job and mod.job_id
279
      print_status('Stopping existing job...')
280

281
      framework.jobs.stop_job(mod.job_id)
282
      mod.job_id = nil
283
    end
284

285
    print_status('Reloading module...')
286

287
    original_mod = self.mod
288
    reloaded_mod = framework.modules.reload_module(original_mod)
289

290
    unless reloaded_mod
291
      error = framework.modules.module_load_error_by_path[original_mod.file_path]
292

293
      print_error("Failed to reload module: #{error}")
294

295
      self.mod = original_mod
296
    else
297
      self.mod = reloaded_mod
298

299
      self.mod.init_ui(driver.input, driver.output)
300
    end
301

302
    reloaded_mod
303
  end
304

305
end
306

307

308
end end end
309

310

311