Land rapid7#7766, Add Automatic Targeting to all Exploits

Author: dmohanty-r7

lib/msf/core/db_manager/host.rb

@@ -181,6 +181,16 @@ def report_host(opts)
       opts[:name] = opts[:name][0,255]
     end
 
+    if opts[:os_name]
+      os_name, os_flavor = split_windows_os_name(opts[:os_name])
+      opts[:os_name] = os_name if os_name.present?
+      if opts[:os_flavor].present?
+        opts[:os_flavor] = os_flavor + opts[:os_flavor]
+      else
+        opts[:os_flavor] = os_flavor
+      end
+    end
+
     opts.each { |k,v|
       if (host.attribute_names.include?(k.to_s))
         unless host.attribute_locked?(k.to_s)
@@ -213,6 +223,13 @@ def report_host(opts)
   }
   end
 
+  def split_windows_os_name(os_name)
+    return [] if os_name.nil?
+    flavor_match = os_name.match(/Windows\s+(.*)/)
+    return [] if flavor_match.nil?
+    ["Windows", flavor_match.captures.first]
+  end
+
   #
   # Update a host's attributes via semi-standardized sysinfo hash (Meterpreter)
   #
@@ -273,7 +290,8 @@ def update_host_via_sysinfo(opts)
     end
 
     if info['OS'] =~ /^Windows\s*([^\(]+)\(([^\)]+)\)/i
-      res[:os_name]   = "Windows #{$1.strip}"
+      res[:os_name]   = "Windows"
+      res[:os_flavor] = $1.strip
       build = $2.strip
 
       if build =~ /Service Pack (\d+)/

lib/msf/core/exploit.rb

@@ -162,6 +162,8 @@ module Stance
   #
   ###
   class Remote < Exploit
+    require 'msf/core/exploit/auto_target'
+    include Msf::Exploit::AutoTarget
 
     #
     # Initializes the socket array.
@@ -285,9 +287,22 @@ def initialize(info = {})
     # to the information hash.
     super(info)
 
+    # Skip this whole routine if there are no targets
+    unless info['Targets'].nil?
+      # Add an Automatic Target to the Exploit if it doesn't have one
+      unless has_auto_target?(info['Targets'])
+        # Don't add the automatic target unless there's already more than one target to pick from
+        if info['Targets'].count > 1
+          auto = ["Automatic", { 'AutoGenerated' => true}]
+          info['Targets'].unshift(auto)
+        end
+      end
+    end
+
+
     self.targets = Rex::Transformer.transform(info['Targets'], Array,
         [ Target ], 'Targets')
-    self.default_target = info['DefaultTarget']
+    self.default_target = info['DefaultTarget'] || 0
     self.payload_info = info['Payload'] || {}
     self.successful = false
     self.session_count = 0
@@ -321,6 +336,14 @@ def initialize(info = {})
       ], Msf::Exploit)
   end
 
+  def has_auto_target?(targets=[])
+    target_names = targets.collect { |target| target.first}
+    target_names.each do |target|
+      return true if target =~ /Automatic/
+    end
+    return false
+  end
+
   ##
   #
   # Core exploit interface
@@ -665,8 +688,21 @@ def passive?
   # default target, that one will be automatically used.
   #
   def target
-    target_idx = target_index
+    if self.respond_to?(:auto_targeted_index)
+      if auto_target?
+        auto_idx = auto_targeted_index
+        if auto_idx.present?
+          datastore['TARGET'] = auto_idx
+        else
+          # If our inserted Automatic Target was selected but we failed to
+          # find a suitable target, we just grab the original first target.
+          datastore['TARGET'] = 1
+        end
+      end
 
+    end
+
+    target_idx = target_index
     return (target_idx) ? targets[target_idx.to_i] : nil
   end
 
@@ -676,9 +712,10 @@ def target
   def target_index
     target_idx = datastore['TARGET']
 
+    default_idx = default_target || 0
     # Use the default target if one was not supplied.
-    if (target_idx == nil and default_target and default_target >= 0)
-      target_idx = default_target
+    if (target_idx == nil and default_idx and default_idx >= 0)
+      target_idx = default_idx
     end
     return (target_idx) ? target_idx.to_i : nil
   end

lib/msf/core/exploit/auto_target.rb

@@ -0,0 +1,120 @@
+
+module Msf
+  module Exploit::AutoTarget
+
+    # Checks to see if the auto-generated Automatic Targeting
+    # has been selected. If the module had an already defined
+    # Automatic target, then we let the module handle the targeting
+    # itself.
+    #
+    # @return [Boolean] whether or not to use our automatic targeting routine
+    def auto_target?
+      selected_target = targets[target_index]
+      return false if selected_target.nil?
+      if selected_target.name =~ /Automatic/ && selected_target['AutoGenerated'] == true
+        true
+      else
+        false
+      end
+    end
+
+    # Returns the Target Index of the automatically selected Target from
+    # our Automatic Targeting routine.
+    #
+    # @return [Integer] the index of the selected Target
+    # @return [nil] if no target could be selected
+    def auto_targeted_index
+      selected_target = select_target
+      return nil if selected_target.nil?
+      targets.each_with_index do |target, index|
+        return index if target == selected_target
+      end
+      nil
+    end
+
+    # Chooses the best possible Target for what we know about
+    # the targeted host.
+    #
+    # @return [Msf::Module::Target] the Target that our automatic routine selected
+    def select_target
+      return nil unless auto_target?
+      host_record = target_host
+      return nil if host_record.nil?
+      filtered_targets = filter_by_os(host_record)
+      filtered_targets.first
+    end
+
+    # Finds an <Mdm::Host> for the RHOST if one exists
+    #
+    # @return [Mdm:Host] the Host record if one exists
+    # @return [nil] if no Host record is present, or the DB is not active
+    def target_host
+      return nil unless self.respond_to?(:rhost)
+      return nil unless framework.db.active
+      current_workspace = framework.db.find_workspace(self.workspace)
+      current_workspace.hosts.where(address: rhost).first
+    end
+
+    # Returns the best matching Targets based on the target host's
+    # OS information. It looks at the OS Family, OS Name, and OS SP.
+    #
+    # @param host_record [Mdm::Host] the target host record
+    # @return [Array<Msf::Module::Target>] an array of matching targets
+    def filter_by_os(host_record)
+      filtered_by_family = filter_by_os_family(host_record)
+      filtered_by_name   = filter_by_os_name(filtered_by_family, host_record)
+      # If Filtering by name gave us no results, then we reset back to the family filter group
+      filtered_by_name   = filtered_by_family if filtered_by_name.empty?
+      filtered_by_sp     = filter_by_os_sp(filtered_by_name,host_record)
+      # If Filtering by SP was a bust, revert back one level
+      filtered_by_sp     = filtered_by_name if filtered_by_sp.empty?
+      filtered_by_sp
+    end
+
+    # Returns all Targets that match the target host's OS Family
+    # e.g Windows, Linux, OS X, etc
+    #
+    # @param host_record [Mdm::Host] the target host record
+    # @return [Array<Msf::Module::Target>] an array of matching targets
+    def filter_by_os_family(host_record)
+      return [] if host_record.os_family.blank?
+      filtered_targets = targets.collect do |target|
+        if target.name =~ /#{host_record.os_family}/
+          target
+        else
+          nil
+        end
+      end
+      filtered_targets.compact
+    end
+
+    # Returns all Targets that match the target host's OS Name
+    # e.g Windows 7, Windows XP, Windows Vista, etc
+    #
+    # @param potential_targets [Array<Msf::Module::Target>] the filtered targets that we wish to filter further
+    # @param host_record [Mdm::Host] the target host record
+    # @return [Array<Msf::Module::Target>] an array of matching targets
+    def filter_by_os_name(potential_targets, host_record)
+      return [] if host_record.os_name.blank?
+      filtered_targets = []
+      potential_targets.each do |target|
+        filtered_targets << target if target.name =~ /#{host_record.os_name}/
+      end
+      filtered_targets
+    end
+
+    # Returns all Targets that match the target host's OS SP
+    #
+    # @param potential_targets [Array<Msf::Module::Target>] the filtered targets that we wish to filter further
+    # @param host_record [Mdm::Host] the target host record
+    # @return [Array<Msf::Module::Target>] an array of matching targets
+    def filter_by_os_sp(potential_targets, host_record)
+      return [] if host_record.os_sp.blank?
+      filtered_targets = []
+      potential_targets.each do |target|
+        filtered_targets << target if target.name =~ /#{host_record.os_sp}/
+      end
+      filtered_targets
+    end
+  end
+end

lib/msf/core/exploit/remote/firefox_privilege_escalation.rb

@@ -151,7 +151,11 @@ def run_payload
 
   # @return [Boolean] the user has selected a javascript (non-native) target
   def js_target?
-    target.arch[0] == ARCH_FIREFOX
+    if target.arch
+      target.arch[0] == ARCH_FIREFOX
+    else
+      false
+    end
   end
 
 end