Class: Msf::RhostsWalker

Inherits:
Object
  • Object
show all
Defined in:
lib/msf/core/rhosts_walker.rb

Overview

Parses the RHOSTS datastore value, and yields the possible combinations of datastore values that exist for each host

Defined Under Namespace

Classes: Error, InvalidCIDRError, InvalidSchemaError, RhostResolveError

Instance Method Summary collapse

Constructor Details

#initialize(value = '', datastore = Msf::ModuleDataStore.new(nil)) ⇒ RhostsWalker

Returns a new instance of RhostsWalker.

Parameters:

  • value (String) (defaults to: '')
  • datastore (Msf::DataStore) (defaults to: Msf::ModuleDataStore.new(nil))


57
58
59
60
# File 'lib/msf/core/rhosts_walker.rb', line 57

def initialize(value = '', datastore = Msf::ModuleDataStore.new(nil))
  @value = value
  @datastore = datastore
end

Instance Method Details

#countInteger

Count the valid datastore permutations for the current rhosts value. This count will ignore any invalid values.

Returns:

  • (Integer)


82
83
84
# File 'lib/msf/core/rhosts_walker.rb', line 82

def count
  to_enum.count
end

#each {|Msf::DataStore| ... } ⇒ Object

Iterate over the valid rhosts datastores. This can be combined Calling ‘#valid?` beforehand to ensure that there are no invalid configuration values, as they will be ignored by this method.

Yields:



67
68
69
70
71
72
73
74
75
76
# File 'lib/msf/core/rhosts_walker.rb', line 67

def each(&block)
  return unless @value
  return unless block_given?

  parse(@value, @datastore).each do |result|
    block.call(result) if result.is_a?(Msf::DataStore)
  end

  nil
end

#errors {|Msf::RhostsWalker::Error| ... } ⇒ Object

Retrieve the list of errors associated with this rhosts walker

Yields:



89
90
91
92
93
94
95
96
97
98
# File 'lib/msf/core/rhosts_walker.rb', line 89

def errors(&block)
  return unless @value
  return unless block_given?

  parse(@value, @datastore).each do |result|
    block.call(result) if result.is_a?(Msf::RhostsWalker::Error)
  end

  nil
end

#parse(value, datastore) ⇒ Enumerable<Msf::DataStore|StandardError>

Parses the input rhosts string, and yields the possible combinations of datastore values.

Parameters:

  • value (String)

    the rhost string

  • datastore (Msf::Datastore)

    the datastore

Returns:

  • (Enumerable<Msf::DataStore|StandardError>)

    The calculated datastore values that can be iterated over for enumerating the given rhosts, or the error that occurred when iterating over the input



119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
# File 'lib/msf/core/rhosts_walker.rb', line 119

def parse(value, datastore)
  Enumerator.new do |results|
    # extract the individual elements from the rhost string, ensuring that
    # whitespace, strings, escape characters, etc are handled correctly.
    values = Rex::Parser::Arguments.from_s(value)
    values.each do |value|
      if (value =~ %r{^file://(.*)}) || (value =~ /^file:(.*)/)
        file = Regexp.last_match(1)
        File.read(file).each_line(chomp: true) do |line|
          parse(line, datastore).each do |result|
            results << result
          end
        end
      elsif value =~ /^cidr:(.*)/
        cidr, child_value = Regexp.last_match(1).split(':', 2)
        # Validate cidr syntax matches ipv6 '%scope_id/mask_part' or ipv4 '/mask_part'
        raise InvalidCIDRError unless cidr =~ %r{^(%\w+)?/\d{1,3}$}

        # Parse the values, then apply range walker over the result
        parse(child_value, datastore).each do |result|
          host_with_cidr = result['RHOSTS'] + cidr
          Rex::Socket::RangeWalker.new(host_with_cidr).each_ip do |rhost|
            results << result.merge('RHOSTS' => rhost, 'UNPARSED_RHOSTS' => value)
          end
        end
      elsif value =~ /^(?<schema>\w+):.*/ && SUPPORTED_SCHEMAS.include?(Regexp.last_match(:schema))
        schema = Regexp.last_match(:schema)
        raise InvalidSchemaError unless SUPPORTED_SCHEMAS.include?(schema)

        parse_method = "parse_#{schema}_uri"
        parsed_options = send(parse_method, value, datastore)
        if perform_dns_resolution?(datastore)
          found = false
          Rex::Socket::RangeWalker.new(parsed_options['RHOSTS']).each_ip do |ip|
            results << datastore.merge(
              parsed_options.merge('RHOSTS' => ip, 'UNPARSED_RHOSTS' => value)
            )
            found = true
          end
          unless found
            raise RhostResolveError.new(value)
          end
        else
          results << datastore.merge(parsed_options.merge('UNPARSED_RHOSTS' => value))
        end
      else
        if perform_dns_resolution?(datastore)
          found = false
          Rex::Socket::RangeWalker.new(value).each_host do |rhost|
            overrides = {}
            overrides['UNPARSED_RHOSTS'] = value
            overrides['RHOSTS'] = rhost[:address]
            set_hostname(datastore, overrides, rhost[:hostname])
            results << datastore.merge(overrides)
            found = true
          end
          unless found
            raise RhostResolveError.new(value)
          end
        else
          overrides = {}
          overrides['UNPARSED_RHOSTS'] = value
          overrides['RHOSTS'] = value
          set_hostname(datastore, overrides, value)
          results << datastore.merge(overrides)
        end
      end
    rescue ::Interrupt
      raise
    rescue StandardError => e
      results << Msf::RhostsWalker::Error.new(value, cause: e)
    end
  end
end

#parse_http_uri(value, datastore) ⇒ Hash Also known as: parse_https_uri

Parses a string such as example.com into a hash which can safely be merged with a [Msf::DataStore] datastore for setting http options.

Parameters:

  • value (String)

    the http string

Returns:

  • (Hash)

    A hash where keys match the required datastore options associated with the uri value



242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
# File 'lib/msf/core/rhosts_walker.rb', line 242

def parse_http_uri(value, datastore)
  uri = ::Addressable::URI.parse(value)
  result = {}

  result['RHOSTS'] = uri.hostname
  is_ssl = %w[ssl https].include?(uri.scheme)
  result['RPORT'] = uri.port || (is_ssl ? 443 : 80)
  result['SSL'] = is_ssl

  # Both `TARGETURI` and `URI` are used as datastore options to denote the path on a uri
  has_path_specified = !uri.path.blank? # && uri.path != '/' - Note HTTP path parsing differs to the other protocol's parsing
  if has_path_specified
    target_uri = uri.path.present? ? uri.path : '/'
    result['TARGETURI'] = target_uri if datastore.options.include?('TARGETURI')
    result['PATH'] = target_uri if datastore.options.include?('PATH')
    result['URI'] = target_uri if datastore.options.include?('URI')
  end

  result['HttpQueryString'] = uri.query if datastore.options.include?('HttpQueryString')

  set_hostname(datastore, result, uri.hostname)
  set_username(datastore, result, uri.user) if uri.user
  set_password(datastore, result, uri.password) if uri.password

  result
end

#parse_ldap_uri(value, datastore) ⇒ Hash Also known as: parse_ldaps_uri

Parses a uri string such as ldap://user:password@example.com into a hash which can safely be merged with a [Msf::DataStore] datastore for setting ldap options.

Parameters:

  • value (String)

    the ldap string

Returns:

  • (Hash)

    A hash where keys match the required datastore options associated with the uri value

See Also:



278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
# File 'lib/msf/core/rhosts_walker.rb', line 278

def parse_ldap_uri(value, datastore)
  uri = ::Addressable::URI.parse(value)
  result = {}

  result['RHOSTS'] = uri.hostname
  is_ssl = %w[ssl ldaps].include?(uri.scheme)
  result['RPORT'] = uri.port || (is_ssl ? 636 : 389)
  result['SSL'] = is_ssl

  if uri.path.present?
    base_dn = uri.path.delete_prefix('/').split('?', 2).first
    result['BASE_DN'] = base_dn if base_dn.present?
  end

  set_hostname(datastore, result, uri.hostname)

  if uri.user && uri.user.include?(';')
    domain, user = uri.user.split(';')
    result['LDAPDomain'] = domain
    set_username(datastore, result, user)
  elsif uri.user
    result['LDAPDomain'] = ''
    set_username(datastore, result, uri.user)
  end

  set_password(datastore, result, uri.password) if uri.password

  result
end

#parse_mysql_uri(value, datastore) ⇒ Hash

Parses a uri string such as mysql://user:password@example.com into a hash which can safely be merged with a [Msf::DataStore] datastore for setting mysql options.

Parameters:

  • value (String)

    the uri string

Returns:

  • (Hash)

    A hash where keys match the required datastore options associated with the uri value



315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
# File 'lib/msf/core/rhosts_walker.rb', line 315

def parse_mysql_uri(value, datastore)
  uri = ::Addressable::URI.parse(value)
  result = {}

  result['RHOSTS'] = uri.hostname
  result['RPORT'] = uri.port || 3306

  has_database_specified = !uri.path.blank? && uri.path != '/'
  if datastore.options.include?('DATABASE') && has_database_specified
    result['DATABASE'] = uri.path[1..-1]
  end

  set_hostname(datastore, result, uri.hostname)
  set_username(datastore, result, uri.user) if uri.user
  set_password(datastore, result, uri.password) if uri.password
  result
end

#parse_postgres_uri(value, datastore) ⇒ Hash

Parses a uri string such as postgres://user:password@example.com into a hash which can safely be merged with a [Msf::DataStore] datastore for setting mysql options.

Parameters:

  • value (String)

    the uri string

Returns:

  • (Hash)

    A hash where keys match the required datastore options associated with the uri value



339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
# File 'lib/msf/core/rhosts_walker.rb', line 339

def parse_postgres_uri(value, datastore)
  uri = ::Addressable::URI.parse(value)
  result = {}

  result['RHOSTS'] = uri.hostname
  result['RPORT'] = uri.port || 5432

  has_database_specified = !uri.path.blank? && uri.path != '/'
  if datastore.options.include?('DATABASE') && has_database_specified
    result['DATABASE'] = uri.path[1..-1]
  end

  set_hostname(datastore, result, uri.hostname)
  set_username(datastore, result, uri.user) if uri.user
  set_password(datastore, result, uri.password) if uri.password

  result
end

#parse_smb_uri(value, datastore) ⇒ Hash

Parses a string such as smb://domain;user:pass@domain/share_name/file.txt into a hash which can safely be merged with a [Msf::DataStore] datastore for setting smb options.

Parameters:

  • value (String)

    the http string

Returns:

  • (Hash)

    A hash where keys match the required datastore options associated with the smb uri value



200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
# File 'lib/msf/core/rhosts_walker.rb', line 200

def parse_smb_uri(value, datastore)
  uri = ::Addressable::URI.parse(value)
  result = {}

  result['RHOSTS'] = uri.hostname
  result['RPORT'] = (uri.port || 445) if datastore.options.include?('RPORT')

  set_hostname(datastore, result, uri.hostname)
  # Handle users in the format:
  #   user
  #   domain;user
  if uri.user && uri.user.include?(';')
    domain, user = uri.user.split(';')
    result['SMBDomain'] = domain
    result['SMBUser'] = user
    set_username(datastore, result, user)
  elsif uri.user
    set_username(datastore, result, uri.user)
  end
  set_password(datastore, result, uri.password) if uri.password

  # Handle paths of the format:
  #    /
  #    /share_name
  #    /share_name/file
  #    /share_name/dir/file
  has_path_specified = !uri.path.blank? && uri.path != '/'
  if has_path_specified
    _preceding_slash, share, *rpath = uri.path.split('/')
    result['SMBSHARE'] = share if datastore.options.include?('SMBSHARE')
    result['RPATH'] = rpath.join('/') if datastore.options.include?('RPATH')
  end

  result
end

#parse_ssh_uri(value, datastore) ⇒ Hash

Parses a uri string such as ssh://user:password@example.com into a hash which can safely be merged with a [Msf::DataStore] datastore for setting mysql options.

Parameters:

  • value (String)

    the uri string

Returns:

  • (Hash)

    A hash where keys match the required datastore options associated with the uri value



364
365
366
367
368
369
370
371
372
373
374
375
376
# File 'lib/msf/core/rhosts_walker.rb', line 364

def parse_ssh_uri(value, datastore)
  uri = ::Addressable::URI.parse(value)
  result = {}

  result['RHOSTS'] = uri.hostname
  result['RPORT'] = uri.port || 22

  set_hostname(datastore, result, uri.hostname)
  set_username(datastore, result, uri.user) if uri.user
  set_password(datastore, result, uri.password) if uri.password

  result
end

#parse_tcp_uri(value, datastore) ⇒ Hash

Parses a uri string such as tcp://user:password@example.com into a hash which can safely be merged with a [Msf::DataStore] datastore for setting options.

Parameters:

  • value (String)

    the uri string

Returns:

  • (Hash)

    A hash where keys match the required datastore options associated with the uri value



384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
# File 'lib/msf/core/rhosts_walker.rb', line 384

def parse_tcp_uri(value, datastore)
  uri = ::Addressable::URI.parse(value)
  result = {}

  result['RHOSTS'] = uri.hostname
  if uri.port
    result['RPORT'] = uri.port
  end

  set_hostname(datastore, result, uri.hostname)
  set_username(datastore, result, uri.user) if uri.user
  set_password(datastore, result, uri.password) if uri.password

  result
end

#perform_dns_resolution?(datastore) ⇒ Boolean (protected)

Returns True if DNS resolution should be performed the RHOST values, false otherwise.

Parameters:

Returns:

  • (Boolean)

    True if DNS resolution should be performed the RHOST values, false otherwise



404
405
406
407
408
409
410
411
412
413
# File 'lib/msf/core/rhosts_walker.rb', line 404

def perform_dns_resolution?(datastore)
  # If a socks proxy has been configured, don't perform DNS resolution - so that it instead happens via the proxy
  return true unless datastore['PROXIES'].present?

  last_proxy = Rex::Socket::Proxies.parse(datastore['PROXIES']).last
  [
    Rex::Socket::Proxies::ProxyType::HTTP,
    Rex::Socket::Proxies::ProxyType::SOCKS5H
  ].exclude?(last_proxy.scheme)
end

#set_hostname(datastore, result, hostname) ⇒ Object (protected)



415
416
417
418
419
# File 'lib/msf/core/rhosts_walker.rb', line 415

def set_hostname(datastore, result, hostname)
  hostname = Rex::Socket.is_ip_addr?(hostname) ? nil : hostname
  result['RHOSTNAME'] = hostname if datastore['RHOSTNAME'].blank?
  result['VHOST'] = hostname if datastore.options.include?('VHOST') && datastore['VHOST'].blank?
end

#set_password(datastore, result, password) ⇒ Object (protected)



440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
# File 'lib/msf/core/rhosts_walker.rb', line 440

def set_password(datastore, result, password)
  # Preference setting application specific values first
  password_set = false
  password_option_names = %w[SMBPass FtpPass LDAPPassword Password pass PASSWORD password]
  password_option_names.each do |option_name|
    if datastore.options.include?(option_name)
      result[option_name] = password
      password_set = true
    end
  end

  # Only set basic auth HttpPassword as a fallback
  if !password_set && datastore.options.include?('HttpPassword')
    result['HttpPassword'] = password
  end

  result
end

#set_username(datastore, result, username) ⇒ Object (protected)



421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
# File 'lib/msf/core/rhosts_walker.rb', line 421

def set_username(datastore, result, username)
  # Preference setting application specific values first
  username_set = false
  option_names = %w[SMBUser FtpUser LDAPUsername Username user USER USERNAME username]
  option_names.each do |option_name|
    if datastore.options.include?(option_name)
      result[option_name] = username
      username_set = true
    end
  end

  # Only set basic auth HttpUsername as a fallback
  if !username_set && datastore.options.include?('HttpUsername')
    result['HttpUsername'] = username
  end

  result
end

#valid?Boolean

Indicates that the rhosts value is valid and iterable

Returns:

  • (Boolean)

    True if all items are valid, and there are at least some items present to iterate over. False otherwise.



104
105
106
107
108
109
110
# File 'lib/msf/core/rhosts_walker.rb', line 104

def valid?
  parsed_values = parse(@value, @datastore)
  parsed_values.all? { |result| result.is_a?(Msf::DataStore) } && parsed_values.count > 0
rescue StandardError => e
  elog('rhosts walker invalid', error: e)
  false
end