first shot at letting scriptable.rb handle local exploits

kernelsmith · kernelsmith · commit 8fe8ee92d98a · 2014-05-06T01:21:11.000-05:00
diff --git a/lib/msf/base/sessions/scriptable.rb b/lib/msf/base/sessions/scriptable.rb
@@ -58,24 +58,66 @@ def execute_file
   #
   def execute_script(script_name, *args)
     mod = framework.modules.create(script_name)
-    if (mod and mod.type == "post")
+    if mod
       # Don't report module run events here as it will be taken care of
       # in +Post.run_simple+
+      # meterpreter scripts don't need SESSION, but it's not gonna hurt
       opts = { 'SESSION' => self.sid }
       args.each do |arg|
         k,v = arg.split("=", 2)
         opts[k] = v
       end
-      mod.run_simple(
-        # Run with whatever the default stance is for now.  At some
-        # point in the future, we'll probably want a way to force a
-        # module to run in the background
-        #'RunAsJob' => true,
-        'LocalInput'  => self.user_input,
-        'LocalOutput' => self.user_output,
-        'Options'     => opts
-      )
-    else
+      if mod.type == "post" 
+        mod.run_simple(
+          # Run with whatever the default stance is for now.  At some
+          # point in the future, we'll probably want a way to force a
+          # module to run in the background
+          #'RunAsJob' => true,
+          'LocalInput'  => self.user_input,
+          'LocalOutput' => self.user_output,
+          'Options'     => opts
+        )
+      elsif mod.type == "exploit" 
+        # well it must be a local, we're not currently supporting anything else
+        if mod.category == "local"
+          # get a copy of the session exploit's datastore if we can
+          original_exploit_datastore = self.exploit.datastore || {}
+          copy_of_orig_exploit_datastore = original_exploit_datastore.dup
+          # we don't want to inherit a couple things, like AutoRunScript's
+          to_neuter = ['AutoRunScript', 'InitialAutoRunScript']
+          to_neuter.each { |setting| copy_of_orig_exploit_datastore.delete(setting) }
+          # @TODO: if opts are the same, we don't need another handler, set
+          # DisablePayloadHandler => true in that case?
+
+          # merge in any opts that were passed in, defaulting to the
+          # copy of the datastore (of the exploit) that spawned the session
+          local_exploit_opts = copy_of_orig_exploit_datastore.merge(opts)
+
+          # try to run this local exploit, which is likely to be exception prone
+          begin
+            new_session = mod.exploit_simple(
+              'Payload'       => local_exploit_opts['PAYLOAD'],
+              'LocalInput'    => self.user_input,
+              'LocalOutput'   => self.user_output,
+              'Options'       => local_exploit_opts
+              )
+          rescue ::Interrupt
+            raise $!
+          rescue ::Exception => e
+            print_error("Local exploit exception (#{mod.refname}): #{e.class} #{e}")
+            if(e.class.to_s != 'Msf::OptionValidateError')
+              print_error("Call stack:")
+              e.backtrace.each do |line|
+                break if line =~ /lib.msf.base.simple/
+                print_error("  #{line}")
+              end
+            end
+          end # end rescue
+
+        end # end if local
+      end # end if exploit
+
+    else # else no mod
       full_path = self.class.find_script_path(script_name)
 
       # No path found?  Weak.
@@ -85,7 +127,7 @@ def execute_script(script_name, *args)
       end
       framework.events.on_session_script_run(self, full_path)
       execute_file(full_path, args)
-    end
+    end # end if mod
   end
 
 end
