Module: Msf::DBManager::ExploitAttempt

Included in:
Msf::DBManager
Defined in:
lib/msf/core/db_manager/exploit_attempt.rb

Instance Method Summary collapse

Instance Method Details

#report_exploit(opts = {}) ⇒ Object

report_exploit() used to be used to track sessions and which modules opened them. That information is now available with the session table directly. TODO: kill this completely some day – for now just warn if some other UI is actually using it.



6
7
8
9
10
11
 
# File 'lib/msf/core/db_manager/exploit_attempt.rb', line 6

def report_exploit(opts={})
  wlog("Deprecated method call: report_exploit()\n" +
    "report_exploit() options: #{opts.inspect}\n" +
    "report_exploit() call stack:\n\t#{caller.join("\n\t")}"
  )
end

#report_exploit_attempt(host, opts) ⇒ Object 



13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 
# File 'lib/msf/core/db_manager/exploit_attempt.rb', line 13

def report_exploit_attempt(host, opts)
::ApplicationRecord.connection_pool.with_connection {
  return if not host
  info = {}

  # Opts can be keyed by strings or symbols
  ::Mdm::VulnAttempt.column_names.each do |kn|
    k = kn.to_sym
    next if ['id', 'host_id'].include?(kn)
    info[k] = opts[kn] if opts[kn]
    info[k] = opts[k]  if opts[k]
  end

  host.exploit_attempts.create(info)
}
end

#report_exploit_failure(opts) ⇒ void

This method returns an undefined value.

Create an ‘Mdm::ExploitAttempt` (and possibly an `Mdm::VulnAttempt`, if the `vuln` option is passed).

Options Hash (opts):

  • :refs (Array<String>, Array<Msf::Module::Reference>)
  • :host (Mdm::Host)
  • :service (Mdm::Service)
  • :port (Integer) — default: nil
  • :proto ("tcp", "udp") — default: Msf::DBManager::DEFAULT_SERVICE_PROTO

    See ‘Mdm::Service::PROTOS`

  • :vuln (Mdm::Vuln) — default: nil
  • :timestamp (Time) — default: nil
  • :timestamp (Mdm::Vuln) — default: nil
  • :module (String) — default: nil 


35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
# File 'lib/msf/core/db_manager/exploit_attempt.rb', line 35

def report_exploit_failure(opts)
  return unless opts[:refs].present? && opts[:host].present?

  host = opts[:host]
  wspace = Msf::Util::DBManager.process_opts_workspace(opts, framework)
  opts = opts.clone()
  port = opts[:port]
  proto = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
  svc = opts[:service]
  rids = opts.delete(:ref_ids) || []

  opts[:refs].each do |ref|
    if ref.instance_of?(Mdm::Module::Ref)
      str = ref.name
    elsif (ref.respond_to?(:ctx_id)) && (ref.respond_to?(:ctx_val))
      str = "#{ref.ctx_id}-#{ref.ctx_val}"
    elsif (ref.is_a?(Hash) && ref[:ctx_id] && ref[:ctx_val])
      str = "#{ref[:ctx_id]}-#{ref[:ctx_val]}"
    elsif ref.is_a?(String)
      str = ref
    end
    rids << find_or_create_ref(name: str) unless str.nil?
  end

  # Look up the service as appropriate
  if port && svc.nil?
    # only one result can be returned, as the +port+ field restricts potential results to a single service
    svc = services(:workspace => wspace,
                   :hosts => {address: host},
                   :proto => proto,
                   :port => port).first
  end

  # Look up the host as appropriate
  if !host || !host.kind_of?(::Mdm::Host)
    if svc&.kind_of? ::Mdm::Service
      host = svc.host
    else
      host = get_host(workspace: wspace, address: host)
    end
  end

  # Bail if we dont have a host object
  return unless host

  vuln = nil
  if rids.present?
    # Only perform vuln lookup when no check_code is present (normal
    # exploit flow) or the check result positively indicates vulnerability.
    # Safe, Unknown, and Detected results should not associate this attempt
    # with an existing vuln.  Only key off check_code — fail_reason alone
    # is too broad (e.g. Failure::Unknown covers real exploit failures too).
    vuln_check_codes = [Msf::Exploit::CheckCode::Appears.code, Msf::Exploit::CheckCode::Vulnerable.code]
    if opts[:check_code].nil? || vuln_check_codes.include?(opts[:check_code])
      # Try to find an existing vulnerability with the same service & references
      # or, if svc is nil, with the same host & references
      vuln = find_vuln_by_refs(rids, host, svc, false)

      # Fall back to a host-only lookup when the service-scoped query found
      # nothing.  Only match vulns with no associated service to avoid
      # misattributing attempts to a vuln on a different service.
      if svc && vuln.nil?
        fallback_vuln = find_vuln_by_refs(rids, host, nil, false)
        vuln = fallback_vuln if fallback_vuln && fallback_vuln.service_id.nil?
      end
    end
  end

  opts[:service] = svc
  opts[:host] = host
  opts[:vuln] = vuln if vuln

  do_report_failure_or_success(opts)
end

#report_exploit_success(opts) ⇒ void

This method returns an undefined value.

Create an ‘Mdm::ExploitAttempt` (and possibly an `Mdm::VulnAttempt`, if the `vuln` option is passed).



114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
 
# File 'lib/msf/core/db_manager/exploit_attempt.rb', line 114

def report_exploit_success(opts)
  return unless opts[:refs]
  host   = opts[:host] || return

  wspace = Msf::Util::DBManager.process_opts_workspace(opts, framework)
  # it is rude to modify arguments in place
  opts = opts.clone()
  port   = opts[:port]
  prot   = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
  svc    = opts[:service]

  # Look up or generate the service as appropriate
  if port and svc.nil?
    opts[:proto] ||= Msf::DBManager::DEFAULT_SERVICE_PROTO
    opts[:service] = report_service(
      workspace: wspace, host: host, port: port, proto: prot
    )
  end

  do_report_failure_or_success(opts)
end