Mirror of metasploit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

exploit.rb 41KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557
  1. # -*- coding: binary -*-
  2. require 'msf/core'
  3. require 'msf/core/module'
  4. module Msf
  5. ###
  6. #
  7. # This module exposes an interface that is used when wanting to receive
  8. # notifications about events pertaining to exploitation.
  9. #
  10. ###
  11. module ExploitEvent
  12. #
  13. # This method is called when an exploit succeeds.
  14. #
  15. def on_exploit_success(exploit, session)
  16. end
  17. end
  18. ###
  19. #
  20. # The exploit class acts as the base class for all exploit modules. It
  21. # provides a common interface for interacting with exploits at the most basic
  22. # level.
  23. #
  24. ###
  25. class Exploit < Msf::Module
  26. require 'msf/core/post'
  27. require 'msf/core/exploit/local'
  28. ##
  29. # Exceptions
  30. ##
  31. # Indicate that the exploit should abort because it has completed
  32. class Complete < RuntimeError
  33. end
  34. # Indicate that the exploit should abort because it has failed
  35. class Failed < RuntimeError
  36. end
  37. ##
  38. #
  39. # Default compatibility settings for exploit modules.
  40. #
  41. ##
  42. module CompatDefaults
  43. #
  44. # Default compatibility specifications for payloads
  45. #
  46. Payload =
  47. {
  48. # Support reverse, bind, and noconn connection types
  49. # for all exploits unless expressly disabled.
  50. 'ConnectionType' => 'reverse bind noconn none tunnel',
  51. }
  52. end
  53. ##
  54. #
  55. # The various check codes that can be returned from the ``check'' routine.
  56. # Please read the following wiki to learn how these codes are used:
  57. # https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-check()-method
  58. #
  59. ##
  60. module CheckCode
  61. #
  62. # Can't tell if the target is exploitable or not. This is recommended if the module fails to
  63. # retrieve enough information from the target machine, such as due to a timeout.
  64. #
  65. Unknown = [ 'unknown', "Cannot reliably check exploitability."]
  66. #
  67. # The target is safe and is therefore not exploitable. This is recommended after the check
  68. # fails to trigger the vulnerability, or even detect the service.
  69. #
  70. Safe = [ 'safe', "The target is not exploitable." ]
  71. #
  72. # The target is running the service in question, but the check fails to determine whether
  73. # the target is vulnerable or not.
  74. #
  75. Detected = [ 'detected', "The target service is running, but could not be validated." ]
  76. #
  77. # The target appears to be vulnerable. This is recommended if the vulnerability is determined
  78. # based on passive reconnaissance. For example: version, banner grabbing, or having the resource
  79. # that's known to be vulnerable.
  80. #
  81. Appears = [ 'appears', "The target appears to be vulnerable." ]
  82. #
  83. # The target is vulnerable. Only used if the check is able to actually take advantage of the
  84. # bug, and obtain hard evidence. For example: executing a command on the target machine, and
  85. # retrieve the output.
  86. #
  87. Vulnerable = [ 'vulnerable', "The target is vulnerable." ]
  88. #
  89. # The module does not support the check method.
  90. #
  91. Unsupported = [ 'unsupported', "This module does not support check." ]
  92. end
  93. #
  94. # The various basic types of exploits
  95. #
  96. module Type
  97. #
  98. # Indicates that the exploit is a remote exploit.
  99. #
  100. Remote = "remote"
  101. #
  102. # Indicates that the exploit is a local exploit.
  103. #
  104. Local = "local"
  105. #
  106. # Indicates that the exploit can work anywhere it damn pleases.
  107. #
  108. Omni = "omnipresent"
  109. end
  110. #
  111. # The types of stances an exploit can take, such as passive or aggressive.
  112. # Stances indicate whether or not the exploit triggers the exploit without
  113. # waiting for one or more conditions to be met (aggressive) or whether it
  114. # must wait for certain conditions to be satisfied before the exploit can
  115. # be initiated (passive)
  116. #
  117. module Stance
  118. #
  119. # Used to indicate that an exploit takes an aggressive stance. This
  120. # means that the exploit proactively triggers a vulnerability.
  121. #
  122. Aggressive = "aggressive"
  123. #
  124. # Used to indicate that an exploit takes a passive stance. This means
  125. # that the exploit waits for interaction from a client or other entity
  126. # before being able to trigger the vulnerability.
  127. #
  128. Passive = "passive"
  129. end
  130. ###
  131. #
  132. # The remote exploit class is a specialization of the exploit module class
  133. # that is geared toward exploits that are performed against targets other than
  134. # the local machine. This typically implies exploiting other machines via a
  135. # network connection, though it is not limited to this scope.
  136. #
  137. ###
  138. class Remote < Exploit
  139. #
  140. # Initializes the socket array.
  141. #
  142. def initialize(info)
  143. super
  144. self.sockets = Array.new
  145. end
  146. #
  147. # Returns the fact that this exploit is a remote exploit.
  148. #
  149. def exploit_type
  150. Exploit::Type::Remote
  151. end
  152. #
  153. # Adds a socket to the list of sockets opened by this exploit.
  154. #
  155. def add_socket(sock)
  156. self.sockets << sock
  157. end
  158. #
  159. # Removes a socket from the list of sockets.
  160. #
  161. def remove_socket(sock)
  162. self.sockets.delete(sock)
  163. end
  164. #
  165. # This method is called once a new session has been created on behalf of
  166. # this exploit instance and all socket connections created by this
  167. # exploit should be closed.
  168. #
  169. def abort_sockets
  170. sockets.delete_if { |sock|
  171. begin
  172. sock.close
  173. rescue ::Exception
  174. end
  175. true
  176. }
  177. end
  178. protected
  179. #
  180. # The list of sockets established by this exploit.
  181. #
  182. attr_accessor :sockets
  183. end
  184. #
  185. # Load all of the exploit mixins
  186. #
  187. require 'msf/core/exploit/mixins'
  188. #
  189. # Returns an array of all of the exploit mixins. Lame algorithm right now.
  190. # We search the Msf::Exploit namespace for all modules that do not have any
  191. # constants in them. In the future we can replace this with a better
  192. # algorithm. It's just important that it returns an array of all of the
  193. # mixin modules.
  194. #
  195. # @return [Array]
  196. def self.mixins
  197. mixins = []
  198. wl = [ Msf::Exploit ]
  199. visited = {}
  200. until wl.length == 0
  201. wl.delete_if { |mod|
  202. mod.constants.each { |const|
  203. child = mod.const_get(const)
  204. next if child.to_s !~ /^Msf::Exploit/
  205. next if visited[child]
  206. next if child.kind_of?(::Module) == false
  207. visited[child] = true
  208. if child.constants.length > 0
  209. wl << child
  210. else
  211. mixins << child
  212. end
  213. }
  214. true
  215. }
  216. end
  217. return mixins
  218. end
  219. #
  220. # Creates an instance of the exploit module. Mad skillz.
  221. #
  222. def initialize(info = {})
  223. # Ghetto compat mirroring for payload compatibilities. This mirrors
  224. #
  225. # Payload => Compat => xyz
  226. #
  227. # to
  228. #
  229. # Compat => Payload => xyz
  230. if (info['Payload'] and info['Payload']['Compat'])
  231. info['Compat'] = Hash.new if (info['Compat'] == nil)
  232. info['Compat']['Payload'] = Hash.new if (info['Compat']['Payload'] == nil)
  233. info['Compat']['Payload'].update(info['Payload']['Compat'])
  234. end
  235. # Call the parent constructor after making any necessary modifications
  236. # to the information hash.
  237. super(info)
  238. self.targets = Rex::Transformer.transform(info['Targets'], Array,
  239. [ Target ], 'Targets')
  240. self.default_target = info['DefaultTarget']
  241. self.payload_info = info['Payload'] || {}
  242. self.successful = false
  243. self.session_count = 0
  244. self.active_timeout = 120
  245. self.fail_reason = Failure::None
  246. if (info['Payload'] and info['Payload']['ActiveTimeout'])
  247. self.active_timeout = info['Payload']['ActiveTimeout'].to_i
  248. end
  249. # All exploits can increase the delay when waiting for a session.
  250. # However, this only applies to aggressive exploits.
  251. if aggressive?
  252. register_advanced_options(
  253. [
  254. OptInt.new('WfsDelay', [ false, "Additional delay when waiting for a session", 0 ])
  255. ], Msf::Exploit)
  256. end
  257. # Allow all exploits to leverage context keyed encoding
  258. register_advanced_options(
  259. [
  260. OptBool.new('EnableContextEncoding', [ false, "Use transient context when encoding payloads", false ]),
  261. OptPath.new('ContextInformationFile', [ false, "The information file that contains context information", nil ])
  262. ], Msf::Exploit)
  263. # Allow all exploits to disable their payload handlers
  264. register_advanced_options(
  265. [
  266. OptBool.new('DisablePayloadHandler', [ false, "Disable the handler code for the selected payload", false ])
  267. ], Msf::Exploit)
  268. end
  269. ##
  270. #
  271. # Core exploit interface
  272. #
  273. # These are the methods that exploits will override to perform various
  274. # tasks, such as checking a target to see if it's vulnerable, automatically
  275. # selecting a target, or performing an exploit.
  276. #
  277. ##
  278. #
  279. # Kicks off the actual exploit. Prior to this call, the framework will
  280. # have validated the data store using the options associated with this
  281. # exploit module. It will also pre-generate the desired payload, though
  282. # exploits can re-generate the payload if necessary.
  283. #
  284. # This method is designed to be overriden by exploit modules.
  285. #
  286. def exploit
  287. end
  288. #
  289. # Performs last-minute sanity checking of auxiliary parameters. This method
  290. # is called during automated exploitation attempts and allows an
  291. # auxiliary module to filter bad attempts, obtain more information, and choose
  292. # better parameters based on the available data. Returning anything that
  293. # evaluates to "false" will cause this specific auxiliary attempt to
  294. # be skipped. This method can and will change datastore values and
  295. # may interact with the backend database.
  296. #
  297. def autofilter
  298. true
  299. end
  300. #
  301. # Provides a list of ports that can be used for matching this module
  302. # against target systems.
  303. #
  304. def autofilter_ports
  305. @autofilter_ports || []
  306. end
  307. #
  308. # Provides a list of services that can be used for matching this module
  309. # against target systems.
  310. #
  311. def autofilter_services
  312. @autofilter_services || []
  313. end
  314. #
  315. # Adds a port into the list of ports
  316. #
  317. def register_autofilter_ports(ports=[])
  318. @autofilter_ports ||= []
  319. @autofilter_ports << ports
  320. @autofilter_ports.flatten!
  321. @autofilter_ports.uniq!
  322. end
  323. def register_autofilter_services(services=[])
  324. @autofilter_services ||= []
  325. @autofilter_services << services
  326. @autofilter_services.flatten!
  327. @autofilter_services.uniq!
  328. end
  329. #
  330. # Prepares the module for exploitation, initializes any state, and starts
  331. # the payload handler.
  332. #
  333. def setup
  334. # Reset the session counts to zero.
  335. reset_session_counts
  336. return if not payload_instance
  337. return if not handler_enabled?
  338. # Configure the payload handler
  339. payload_instance.exploit_config = {
  340. 'active_timeout' => self.active_timeout
  341. }
  342. # Set up the payload handlers
  343. payload_instance.setup_handler
  344. # Start the payload handler
  345. payload_instance.start_handler
  346. end
  347. #
  348. # Performs any cleanup that may be necessary, such as disconnecting
  349. # connections and any other such fun things. If a payload is active then
  350. # its handler cleanup routines are called as well.
  351. #
  352. def cleanup
  353. if (payload_instance and handler_enabled?)
  354. payload_instance.cleanup_handler
  355. end
  356. self.abort_sockets if self.respond_to?(:abort_sockets)
  357. end
  358. #
  359. # Generates the encoded version of the supplied payload using the payload
  360. # requirements specific to this exploit. The encoded instance is returned
  361. # to the caller. This method is exposed in the manner that it is such
  362. # that passive exploits and re-generate an encoded payload on the fly
  363. # rather than having to use the pre-generated one.
  364. #
  365. # The return value is an EncodedPayload instance.
  366. #
  367. def generate_payload(pinst = nil)
  368. # Set the encoded payload to the result of the encoding process
  369. self.payload = generate_single_payload(pinst)
  370. # Save the payload instance
  371. self.payload_instance = (pinst) ? pinst : self.payload_instance
  372. return self.payload
  373. end
  374. #
  375. # Allows arbitrary shellcode to be encoded from within an exploit
  376. #
  377. def encode_shellcode_stub(code, badchars=payload_badchars)
  378. platform = self.platform
  379. if(self.payload_instance)
  380. self.payload_instance.platform
  381. end
  382. compatible_encoders.each do |name, mod|
  383. begin
  384. enc = framework.encoders.create(name)
  385. raw = enc.encode(code, badchars, nil, platform)
  386. return raw if raw
  387. rescue ::Exception
  388. end
  389. end
  390. nil
  391. end
  392. #
  393. # Allows the payload handler to spawn a new monitor
  394. #
  395. def add_handler(opts={})
  396. return if not payload_instance
  397. return if not handler_enabled?
  398. payload_instance.add_handler(opts)
  399. end
  400. #
  401. # This method generates a non-cached payload which is typically useful for
  402. # passive exploits that will have more than one client.
  403. #
  404. def generate_single_payload(pinst = nil, platform = nil, arch = nil, explicit_target = nil)
  405. explicit_target ||= target
  406. if (explicit_target == nil)
  407. raise MissingTargetError, "No target has been specified.",
  408. caller
  409. end
  410. # If a payload instance was supplied, use it, otherwise
  411. # use the active payload instance
  412. real_payload = (pinst) ? pinst : self.payload_instance
  413. if (real_payload == nil)
  414. raise MissingPayloadError, "No payload has been selected.",
  415. caller
  416. end
  417. # If this is a generic payload, then we should specify the platform
  418. # and architecture so that it knows how to pass things on.
  419. if real_payload.kind_of?(Msf::Payload::Generic)
  420. # Convert the architecture specified into an array.
  421. if arch and arch.kind_of?(String)
  422. arch = [ arch ]
  423. end
  424. # Define the explicit platform and architecture information only if
  425. # it's been specified.
  426. if platform
  427. real_payload.explicit_platform = Msf::Module::PlatformList.transform(platform)
  428. end
  429. if arch
  430. real_payload.explicit_arch = arch
  431. end
  432. # Force it to reset so that it will find updated information.
  433. real_payload.reset
  434. end
  435. # Duplicate the exploit payload requirements
  436. reqs = self.payload_info.dup
  437. # Pass save register requirements to the NOP generator
  438. reqs['Space'] = payload_space(explicit_target)
  439. reqs['SaveRegisters'] = nop_save_registers(explicit_target)
  440. reqs['Prepend'] = payload_prepend(explicit_target)
  441. reqs['PrependEncoder'] = payload_prepend_encoder(explicit_target)
  442. reqs['BadChars'] = payload_badchars(explicit_target)
  443. reqs['Append'] = payload_append(explicit_target)
  444. reqs['AppendEncoder'] = payload_append_encoder(explicit_target)
  445. reqs['MaxNops'] = payload_max_nops(explicit_target)
  446. reqs['MinNops'] = payload_min_nops(explicit_target)
  447. reqs['Encoder'] = datastore['ENCODER']
  448. reqs['Nop'] = datastore['NOP']
  449. reqs['EncoderType'] = payload_encoder_type(explicit_target)
  450. reqs['EncoderOptions'] = payload_encoder_options(explicit_target)
  451. reqs['ExtendedOptions'] = payload_extended_options(explicit_target)
  452. reqs['Exploit'] = self
  453. # Pass along the encoder don't fall through flag
  454. reqs['EncoderDontFallThrough'] = datastore['EncoderDontFallThrough']
  455. # Incorporate any context encoding requirements that are needed
  456. define_context_encoding_reqs(reqs)
  457. # Call the encode begin routine.
  458. encode_begin(real_payload, reqs)
  459. # Generate the encoded payload.
  460. encoded = EncodedPayload.create(real_payload, reqs)
  461. # Call the encode end routine which is expected to return the actual
  462. # encoded payload instance.
  463. return encode_end(real_payload, reqs, encoded)
  464. end
  465. #
  466. # Re-generates an encoded payload, typically called after something in the
  467. # datastore has changed. An optional platform and architecture can be
  468. # supplied as well.
  469. #
  470. def regenerate_payload(platform = nil, arch = nil, explicit_target = nil)
  471. generate_single_payload(nil, platform, arch, explicit_target)
  472. end
  473. #
  474. # Called prior to encoding a payload.
  475. #
  476. def encode_begin(real_payload, reqs)
  477. end
  478. #
  479. # Called after an encoded payload has been generated. This gives exploits
  480. # or mixins a chance to alter the encoded payload.
  481. #
  482. def encode_end(real_payload, reqs, encoded)
  483. encoded
  484. end
  485. ##
  486. #
  487. # Feature detection
  488. #
  489. # These methods check to see if there is a derived implementation of
  490. # various methods as a way of inferring whether or not a given exploit
  491. # supports the feature.
  492. #
  493. ##
  494. #
  495. # Returns true if the exploit module supports the check method.
  496. #
  497. def supports_check?
  498. derived_implementor?(Msf::Exploit, 'check')
  499. end
  500. #
  501. # Returns true if the exploit module supports the exploit method.
  502. #
  503. def supports_exploit?
  504. derived_implementor?(Msf::Exploit, 'exploit')
  505. end
  506. #
  507. # Returns a hash of the capabilities this exploit module has support for,
  508. # such as whether or not it supports check and exploit.
  509. #
  510. def capabilities
  511. {
  512. 'check' => supports_check?,
  513. 'exploit' => supports_exploit?
  514. }
  515. end
  516. ##
  517. #
  518. # Getters/Setters
  519. #
  520. # Querying and set interfaces for some of the exploit's attributes.
  521. #
  522. ##
  523. #
  524. # Returns MODULE_EXPLOIT to indicate that this is an exploit module.
  525. #
  526. def self.type
  527. Msf::MODULE_EXPLOIT
  528. end
  529. #
  530. # Returns MODULE_EXPLOIT to indicate that this is an exploit module.
  531. #
  532. def type
  533. Msf::MODULE_EXPLOIT
  534. end
  535. #
  536. # If we don't know the exploit type, then I guess it's omnipresent!
  537. #
  538. def exploit_type
  539. Type::Omni
  540. end
  541. #
  542. # Generally, all exploits take an aggressive stance.
  543. #
  544. def stance
  545. module_info['Stance'] || Stance::Aggressive
  546. end
  547. #
  548. # Returns true if the exploit has an aggressive stance.
  549. #
  550. def aggressive?
  551. (stance == Stance::Aggressive || stance.include?(Stance::Aggressive))
  552. end
  553. #
  554. # Returns if the exploit has a passive stance.
  555. #
  556. def passive?
  557. (stance == Stance::Passive || stance.include?(Stance::Passive))
  558. end
  559. #
  560. # Returns the active target for this exploit. If not target has been
  561. # defined, nil is returned. If no target was defined but there is a
  562. # default target, that one will be automatically used.
  563. #
  564. def target
  565. target_idx = target_index
  566. return (target_idx) ? targets[target_idx.to_i] : nil
  567. end
  568. #
  569. # The target index that has been selected.
  570. #
  571. def target_index
  572. target_idx = datastore['TARGET']
  573. # Use the default target if one was not supplied.
  574. if (target_idx == nil and default_target and default_target >= 0)
  575. target_idx = default_target
  576. end
  577. return (target_idx) ? target_idx.to_i : nil
  578. end
  579. #
  580. # Returns the target's platform, or the one assigned to the module itself.
  581. #
  582. def target_platform
  583. (target and target.platform) ? target.platform : platform
  584. end
  585. #
  586. # Returns the target's architecture, or the one assigned to the module
  587. # itself.
  588. #
  589. def target_arch
  590. (target and target.arch) ? target.arch : (arch == []) ? nil : arch
  591. end
  592. #
  593. # Returns whether the requested payload is compatible with the module.
  594. #
  595. # @param [String] payload_name The payload name
  596. # @return [TrueClass] Payload is compatible.
  597. # @return [FalseClass] Payload is not compatible.
  598. #
  599. def is_payload_compatible?(payload_name)
  600. payload_names = compatible_payloads.collect { |entry| entry[0] }
  601. payload_names.include?(payload_name)
  602. end
  603. #
  604. # Returns a list of compatible payloads based on platform, architecture,
  605. # and size requirements.
  606. #
  607. def compatible_payloads
  608. payloads = []
  609. c_platform = (target and target.platform) ? target.platform : platform
  610. c_arch = (target and target.arch) ? target.arch : (arch == []) ? nil : arch
  611. c_arch ||= [ ARCH_X86 ]
  612. framework.payloads.each_module(
  613. 'Platform' => c_platform,
  614. 'Arch' => c_arch ) { |name, mod|
  615. # Skip over payloads that are too big
  616. if ((payload_space) and
  617. (framework.payloads.sizes[name]) and
  618. (framework.payloads.sizes[name] > payload_space))
  619. dlog("#{refname}: Skipping payload #{name} for being too large", 'core',
  620. LEV_1)
  621. next
  622. end
  623. # Are we compatible in terms of conventions and connections and
  624. # what not?
  625. next if (compatible?(framework.payloads.instance(name)) == false)
  626. # If the payload is privileged but the exploit does not give
  627. # privileged access, then fail it.
  628. next if (self.privileged == false and framework.payloads.instance(name).privileged == true)
  629. # This one be compatible!
  630. payloads << [ name, mod ]
  631. }
  632. return payloads;
  633. end
  634. #
  635. # Returns a list of compatible encoders based on architecture
  636. #
  637. def compatible_encoders
  638. encoders = []
  639. c_platform = (target and target.platform) ? target.platform : platform
  640. c_arch = (target and target.arch) ? target.arch : (arch == []) ? nil : arch
  641. framework.encoders.each_module_ranked(
  642. 'Arch' => c_arch, 'Platform' => c_platform) { |name, mod|
  643. encoders << [ name, mod ]
  644. }
  645. return encoders;
  646. end
  647. #
  648. # This method returns the number of bytes that should be adjusted to the
  649. # stack pointer prior to executing any code. The number of bytes to adjust
  650. # is indicated to the routine through the payload 'StackAdjustment'
  651. # attribute or through a target's payload 'StackAdjustment' attribute.
  652. #
  653. def stack_adjustment
  654. if (target and target.payload_stack_adjustment)
  655. adj = target.payload_stack_adjustment
  656. else
  657. adj = payload_info['StackAdjustment']
  658. end
  659. # Get the architecture for the current target or use the one specific to
  660. # this exploit
  661. arch = (target and target.arch) ? target.arch : self.arch
  662. # Default to x86 if we can't find a list of architectures
  663. if (arch and arch.empty? == false)
  664. arch = arch.join(", ")
  665. else
  666. arch = 'x86'
  667. end
  668. (adj != nil) ? Rex::Arch::adjust_stack_pointer(arch, adj) || '' : ''
  669. end
  670. #
  671. # Return any text that should be prepended to the payload. The payload
  672. # module is passed so that the exploit can take a guess at architecture
  673. # and platform if it's a multi exploit. This automatically takes into
  674. # account any require stack adjustments.
  675. #
  676. def payload_prepend(explicit_target = nil)
  677. explicit_target ||= target
  678. if (explicit_target and explicit_target.payload_prepend)
  679. p = explicit_target.payload_prepend
  680. else
  681. p = payload_info['Prepend'] || ''
  682. end
  683. stack_adjustment + p
  684. end
  685. #
  686. # Return any text that should be appended to the payload. The payload
  687. # module is passed so that the exploit can take a guess at architecture
  688. # and platform if it's a multi exploit.
  689. #
  690. def payload_append(explicit_target = nil)
  691. explicit_target ||= target
  692. if (explicit_target and explicit_target.payload_append)
  693. explicit_target.payload_append
  694. else
  695. payload_info['Append'] || ''
  696. end
  697. end
  698. #
  699. # Return any text that should be prepended to the encoder of the payload.
  700. # The payload module is passed so that the exploit can take a guess
  701. # at architecture and platform if it's a multi exploit.
  702. #
  703. def payload_prepend_encoder(explicit_target = nil)
  704. explicit_target ||= target
  705. if (explicit_target and explicit_target.payload_prepend_encoder)
  706. p = explicit_target.payload_prepend_encoder
  707. else
  708. p = payload_info['PrependEncoder'] || ''
  709. end
  710. p
  711. end
  712. #
  713. # Return any text that should be appended to the encoder of the payload.
  714. # The payload module is passed so that the exploit can take a guess
  715. # at architecture and platform if it's a multi exploit.
  716. #
  717. def payload_append_encoder(explicit_target = nil)
  718. explicit_target ||= target
  719. if (explicit_target and explicit_target.payload_append_encoder)
  720. p = explicit_target.payload_append_encoder
  721. else
  722. p = payload_info['AppendEncoder'] || ''
  723. end
  724. p
  725. end
  726. #
  727. # Maximum number of nops to use as a hint to the framework.
  728. # Nil signifies that the framework should decide.
  729. #
  730. def payload_max_nops(explicit_target = nil)
  731. explicit_target ||= target
  732. if (explicit_target and explicit_target.payload_max_nops)
  733. explicit_target.payload_max_nops
  734. else
  735. payload_info['MaxNops'] || nil
  736. end
  737. end
  738. #
  739. # Minimum number of nops to use as a hint to the framework.
  740. # Nil signifies that the framework should decide.
  741. #
  742. def payload_min_nops(explicit_target = nil)
  743. explicit_target ||= target
  744. if (explicit_target and explicit_target.payload_min_nops)
  745. explicit_target.payload_min_nops
  746. else
  747. payload_info['MinNops'] || nil
  748. end
  749. end
  750. #
  751. # Returns the maximum amount of room the exploit has for a payload.
  752. #
  753. def payload_space(explicit_target = nil)
  754. explicit_target ||= target
  755. if (explicit_target and explicit_target.payload_space)
  756. explicit_target.payload_space
  757. elsif (payload_info['Space'])
  758. payload_info['Space'].to_i
  759. else
  760. nil
  761. end
  762. end
  763. #
  764. # Returns the bad characters that cannot be in any payload used by this
  765. # exploit.
  766. #
  767. def payload_badchars(explicit_target = nil)
  768. explicit_target ||= target
  769. if (explicit_target and explicit_target.payload_badchars)
  770. explicit_target.payload_badchars
  771. else
  772. payload_info['BadChars']
  773. end
  774. end
  775. #
  776. # Returns the payload encoder type that is associated with either the
  777. # current target of the exploit in general.
  778. #
  779. def payload_encoder_type(explicit_target = nil)
  780. explicit_target ||= target
  781. if (explicit_target and explicit_target.payload_encoder_type)
  782. explicit_target.payload_encoder_type
  783. else
  784. payload_info['EncoderType']
  785. end
  786. end
  787. #
  788. # Returns the payload encoder option hash that is used to initialize the
  789. # datastore of the encoder that is selected when generating an encoded
  790. # payload.
  791. #
  792. def payload_encoder_options(explicit_target = nil)
  793. explicit_target ||= target
  794. if (explicit_target and explicit_target.payload_encoder_options)
  795. explicit_target.payload_encoder_options
  796. else
  797. payload_info['EncoderOptions']
  798. end
  799. end
  800. #
  801. # Returns the payload extended options hash which is used to provide
  802. # a location to store extended information that may be useful to
  803. # a particular type of payload or mixin.
  804. #
  805. def payload_extended_options(explicit_target = nil)
  806. explicit_target ||= target
  807. if explicit_target and explicit_target.payload_extended_options
  808. explicit_target.payload_extended_options
  809. else
  810. payload_info['ExtendedOptions']
  811. end
  812. end
  813. ##
  814. #
  815. # NOP requirements
  816. #
  817. # Hints to the nop generator on how it should perform if it's used.
  818. #
  819. ##
  820. #
  821. # Returns the list of registers that the NOP generator should save,
  822. # if any. It will use the current target's save registers in precedence
  823. # over those defined globally for the exploit module.
  824. #
  825. # If there are no save registers, nil is returned.
  826. #
  827. def nop_save_registers(explicit_target = nil)
  828. explicit_target ||= target
  829. if (explicit_target and explicit_target.save_registers)
  830. return explicit_target.save_registers
  831. else
  832. return module_info['SaveRegisters']
  833. end
  834. end
  835. #
  836. # Returns the first compatible NOP generator for this exploit's payload
  837. # instance.
  838. #
  839. def nop_generator
  840. return nil if (!payload_instance)
  841. payload_instance.compatible_nops.each { |nopname, nopmod|
  842. return nopmod.new
  843. }
  844. end
  845. #
  846. # Generates a NOP sled using the #make_nops method.
  847. # The difference between this and #make_nops is this method is much faster, good for exploit
  848. # developers that actually want huge chunks of NOPs. The downside of using this is the NOP sled
  849. # is less randomized.
  850. #
  851. # @param count [String] Number of NOPs to return.
  852. # @return [String] NOPs
  853. #
  854. def make_fast_nops(count)
  855. max_nop_chunk_size = 100
  856. if count < max_nop_chunk_size
  857. return make_nops(count)
  858. end
  859. nops = make_nops(max_nop_chunk_size)
  860. nops += nops while nops.length < count
  861. nops[0, count]
  862. end
  863. #
  864. # Generates a nop sled of a supplied length and returns it to the caller.
  865. #
  866. def make_nops(count)
  867. # If we're debugging, then make_nops will return a safe sled. We
  868. # currently assume x86.
  869. if debugging?
  870. return "\x90" * count
  871. end
  872. nop_sled = nil
  873. # If there is no payload instance then we can't succeed.
  874. return nil if (!payload_instance)
  875. payload_instance.compatible_nops.each { |nopname, nopmod|
  876. # Create an instance of the nop module
  877. nop = nopmod.new
  878. # The list of save registers
  879. save_regs = nop_save_registers || []
  880. if (save_regs.empty? == true)
  881. save_regs = nil
  882. end
  883. begin
  884. nop.copy_ui(self)
  885. nop_sled = nop.generate_sled(count,
  886. 'BadChars' => payload_badchars || '',
  887. 'SaveRegisters' => save_regs)
  888. if nop_sled && nop_sled.length == count
  889. break
  890. else
  891. wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit", 'core', LEV_0)
  892. end
  893. rescue
  894. wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit: #{$!}",
  895. 'core', LEV_0)
  896. end
  897. }
  898. nop_sled
  899. end
  900. ##
  901. #
  902. # Utility methods for generating random text that implicitly uses the
  903. # exploit's bad character set.
  904. #
  905. ##
  906. #
  907. # Generate random text characters avoiding the exploit's bad
  908. # characters.
  909. #
  910. def rand_text(length, bad=payload_badchars)
  911. if debugging?
  912. "A" * length
  913. else
  914. Rex::Text.rand_text(length, bad)
  915. end
  916. end
  917. #
  918. # Generate random english-like avoiding the exploit's bad
  919. # characters.
  920. #
  921. def rand_text_english(length, bad=payload_badchars)
  922. if debugging?
  923. "A" * length
  924. else
  925. Rex::Text.rand_text_english(length, bad)
  926. end
  927. end
  928. #
  929. # Generate random high ascii characters avoiding the exploit's bad
  930. # characters.
  931. #
  932. def rand_text_highascii(length, bad=payload_badchars)
  933. if debugging?
  934. "A" * length
  935. else
  936. Rex::Text.rand_text_highascii(length, bad)
  937. end
  938. end
  939. #
  940. # Generate random alpha characters avoiding the exploit's bad
  941. # characters.
  942. #
  943. def rand_text_alpha(length, bad=payload_badchars)
  944. if debugging?
  945. "A" * length
  946. else
  947. Rex::Text.rand_text_alpha(length, bad)
  948. end
  949. end
  950. #
  951. # Generate random alpha upper characters avoiding the exploit's bad
  952. # characters.
  953. #
  954. def rand_text_alpha_upper(length, bad=payload_badchars)
  955. if debugging?
  956. "A" * length
  957. else
  958. Rex::Text.rand_text_alpha_upper(length, bad)
  959. end
  960. end
  961. #
  962. # Generate random alpha lower characters avoiding the exploit's bad
  963. # characters.
  964. #
  965. def rand_text_alpha_lower(length, bad=payload_badchars)
  966. if debugging?
  967. "a" * length
  968. else
  969. Rex::Text.rand_text_alpha_lower(length, bad)
  970. end
  971. end
  972. #
  973. # Generate random alphanumeric characters avoiding the exploit's bad
  974. # characters.
  975. #
  976. def rand_text_alphanumeric(length, bad=payload_badchars)
  977. if debugging?
  978. "A" * length
  979. else
  980. Rex::Text.rand_text_alphanumeric(length, bad)
  981. end
  982. end
  983. #
  984. # Generate random numeric characters avoiding the exploit's bad
  985. # characters.
  986. #
  987. def rand_text_numeric(length, bad=payload_badchars)
  988. if debugging?
  989. "0" * length
  990. else
  991. Rex::Text.rand_text_numeric(length, bad)
  992. end
  993. end
  994. #
  995. # Generate a random character avoiding the exploit's bad
  996. # characters.
  997. #
  998. def rand_char(bad=payload_badchars)
  999. if debugging?
  1000. "A"
  1001. else
  1002. Rex::Text.rand_char(bad)
  1003. end
  1004. end
  1005. #
  1006. # Generate a non-repeating static random string
  1007. #
  1008. def pattern_create(length, sets = nil)
  1009. Rex::Text.pattern_create(length, sets)
  1010. end
  1011. #
  1012. # The default "wait for session" delay is zero for all exploits.
  1013. #
  1014. def wfs_delay
  1015. (datastore['WfsDelay'] || 0).to_i
  1016. end
  1017. #
  1018. # Allow the user to disable the payload handler
  1019. #
  1020. def handler_enabled?
  1021. not datastore['DisablePayloadHandler']
  1022. end
  1023. ##
  1024. #
  1025. # Handler interaction
  1026. #
  1027. ##
  1028. #
  1029. # Passes the connection to the associated payload handler to see if the
  1030. # exploit succeeded and a connection has been established. The return
  1031. # value can be one of the Handler::constants.
  1032. #
  1033. def handler(*args)
  1034. if payload_instance && handler_enabled?
  1035. payload_instance.handler(*args)
  1036. end
  1037. end
  1038. def interrupt_handler
  1039. if payload_instance && handler_enabled? && payload_instance.respond_to?(:interrupt_wait_for_session)
  1040. payload_instance.interrupt_wait_for_session()
  1041. end
  1042. end
  1043. ##
  1044. #
  1045. # Session tracking
  1046. #
  1047. ##
  1048. #
  1049. # This is called by the payload when a new session is created
  1050. #
  1051. def on_new_session(session)
  1052. self.session_count += 1
  1053. self.successful = true
  1054. end
  1055. #
  1056. # A boolean for whether a session has been created yet
  1057. #
  1058. def session_created?
  1059. (self.session_count > 0) ? true : false
  1060. end
  1061. #
  1062. # Reset the session counter to zero (which occurs during set up of the
  1063. # exploit prior to calling exploit).
  1064. #
  1065. def reset_session_counts
  1066. self.session_count = 0
  1067. end
  1068. ##
  1069. # Failure tracking
  1070. ##
  1071. # Raises a Msf::Exploit::Failed exception. It overrides the fail_with method
  1072. # in lib/msf/core/module.rb
  1073. #
  1074. # @param reason [String] A constant from Msf::Module::Failure.
  1075. # If the reason does not come from there, then it will default to
  1076. # Msf::Module::Failure::Unknown.
  1077. # @param msg [String] (Optional) A message about the failure.
  1078. # @raise [Msf::Exploit::Failed] A custom Msf::Exploit::Failed exception.
  1079. # @return [void]
  1080. # @see Msf::Module::Failure
  1081. # @see Msf::Module#fail_with
  1082. # @example
  1083. # fail_with(Msf::Module::Failure::NoAccess, 'Unable to login to upload payload')
  1084. def fail_with(reason,msg=nil)
  1085. # The reason being registered here will be used later on, so it's important we don't actually
  1086. # provide a made-up one.
  1087. allowed_values = Msf::Module::Failure.constants.collect {|e| Msf::Module::Failure.const_get(e)}
  1088. if allowed_values.include?(reason)
  1089. self.fail_reason = reason
  1090. else
  1091. self.fail_reason = Msf::Module::Failure::Unknown
  1092. end
  1093. self.fail_detail = msg
  1094. raise Msf::Exploit::Failed, (msg || "No failure message given")
  1095. end
  1096. def setup_fail_detail_from_exception e
  1097. # Build a user-friendly error message
  1098. msg = "#{e}"
  1099. unless e.class == Msf::Exploit::Failed
  1100. msg = "#{e.class} #{e}"
  1101. end
  1102. self.error = e
  1103. # Record the detailed reason
  1104. self.fail_detail ||= e.to_s
  1105. msg
  1106. end
  1107. #
  1108. # Handle the exception
  1109. #
  1110. def handle_exception e
  1111. msg = setup_fail_detail_from_exception e
  1112. case e
  1113. when Msf::Exploit::Complete
  1114. # Nothing to show in this case
  1115. return
  1116. when Msf::Exploit::Failed
  1117. self.print_error("Exploit aborted due to failure: #{self.fail_reason}: #{msg}")
  1118. # The caller should have already set self.fail_reason
  1119. if self.fail_reason == Msf::Exploit::Failure::None
  1120. self.fail_reason = Msf::Exploit::Failure::Unknown
  1121. end
  1122. when Rex::ConnectionError
  1123. self.fail_reason = Msf::Exploit::Failure::Unreachable
  1124. self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
  1125. elog("Exploit failed (#{self.refname}): #{msg}", 'core', LEV_0)
  1126. dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
  1127. when Rex::BindFailed
  1128. self.fail_reason = Msf::Exploit::Failure::BadConfig
  1129. self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
  1130. elog("Exploit failed (#{self.refname}): #{msg}", 'core', LEV_0)
  1131. dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
  1132. when Timeout::Error
  1133. self.fail_reason = Msf::Exploit::Failure::TimeoutExpired
  1134. self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
  1135. elog("Exploit failed (#{self.refname}): #{msg}", 'core', LEV_0)
  1136. dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
  1137. else
  1138. # Compare as a string since not all error classes may be loaded
  1139. case msg
  1140. when /access.denied|Login Failed/i # Covers SMB as well as some generic errors
  1141. self.fail_reason = Msf::Exploit::Failure::NoAccess
  1142. when /connection reset/i
  1143. self.fail_reason = Msf::Exploit::Failure::Disconnected
  1144. when /connection timed out|SSL_connect|unreachable|connection was refused/i
  1145. self.fail_reason = Msf::Exploit::Failure::Unreachable
  1146. when /unable.*target/i
  1147. self.fail_reason = Msf::Exploit::Failure::NoTarget
  1148. when /execution expired/i
  1149. self.fail_reason = Msf::Exploit::Failure::TimeoutExpired
  1150. when /(doesn.t|not).*vulnerable|may.*patched/i
  1151. self.fail_reason = Msf::Exploit::Failure::NotVulnerable
  1152. end
  1153. # The caller should have already set self.fail_reason
  1154. if self.fail_reason == Msf::Exploit::Failure::None
  1155. self.fail_reason = Msf::Exploit::Failure::Unknown
  1156. end
  1157. if self.fail_reason == Msf::Exploit::Failure::Unknown
  1158. self.print_error("Exploit failed: #{msg}")
  1159. else
  1160. self.print_error("Exploit failed [#{self.fail_reason}]: #{msg}")
  1161. end
  1162. elog("Exploit failed (#{self.refname}): #{msg}", 'core', LEV_0)
  1163. dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
  1164. end
  1165. # Record the error to various places
  1166. self.framework.events.on_module_error(self, msg)
  1167. # Report the failure (and attempt) in the database
  1168. self.report_failure
  1169. # Interrupt any session waiters in the handler
  1170. self.interrupt_handler
  1171. end
  1172. def report_failure
  1173. return unless framework.db and framework.db.active
  1174. info = {
  1175. :timestamp => Time.now.utc,
  1176. :workspace => framework.db.find_workspace(self.workspace),
  1177. :module => self.fullname,
  1178. :fail_reason => self.fail_reason,
  1179. :fail_detail => self.fail_detail,
  1180. :target_name => self.target.name,
  1181. :username => self.owner,
  1182. :refs => self.references,
  1183. :run_id => self.datastore['RUN_ID']
  1184. }
  1185. if self.datastore['RHOST'] and self.options['RHOST']
  1186. info[:host] = self.datastore['RHOST']
  1187. end
  1188. if self.datastore['RPORT'] and self.options['RPORT']
  1189. info[:port] = self.datastore['RPORT']
  1190. if self.class.ancestors.include?(Msf::Exploit::Remote::Tcp)
  1191. info[:proto] = 'tcp'
  1192. end
  1193. end
  1194. framework.db.report_exploit_failure(info)
  1195. end
  1196. ##
  1197. #
  1198. # Aliases
  1199. #
  1200. # These allow access to methods inside this class, even if exploits use mixins that
  1201. # override them.
  1202. #
  1203. ##
  1204. # Give exploits the ability to use the original +regenerate_payload+ so
  1205. # they can avoid needing additional arguments added by overridden versions.
  1206. # Used specifically by things that include +TcpServer+ (or a descendant)
  1207. # but which are active exploits.
  1208. alias :exploit_regenerate_payload :regenerate_payload
  1209. ##
  1210. #
  1211. # Attributes
  1212. #
  1213. ##
  1214. #
  1215. # The reason why the exploit was not successful (one of Msf::Module::Failure)
  1216. #
  1217. attr_accessor :fail_reason
  1218. #
  1219. # Detailed exception string indicating why the exploit was not successful
  1220. #
  1221. attr_accessor :fail_detail
  1222. #
  1223. # The list of targets.
  1224. #
  1225. attr_reader :targets
  1226. #
  1227. # The default target.
  1228. #
  1229. attr_reader :default_target
  1230. #
  1231. # The payload requirement hash.
  1232. #
  1233. attr_reader :payload_info
  1234. #
  1235. # The active payload instance.
  1236. #
  1237. attr_accessor :payload_instance
  1238. #
  1239. # The encoded payload instance. An instance of an
  1240. # EncodedPayload object.
  1241. #
  1242. attr_accessor :payload
  1243. #
  1244. # The number of active sessions created by this instance
  1245. #
  1246. attr_reader :session_count
  1247. #
  1248. # The boolean indicating whether the exploit succeeded
  1249. #
  1250. attr_reader :successful
  1251. protected
  1252. #
  1253. # Writable copy of the list of targets.
  1254. #
  1255. attr_writer :targets
  1256. #
  1257. # Writable copy of the default target.
  1258. #
  1259. attr_writer :default_target
  1260. #
  1261. # Writable copy of the payload requirement hash.
  1262. #
  1263. attr_writer :payload_info
  1264. #
  1265. # Number of sessions created by this exploit instance.
  1266. #
  1267. attr_writer :session_count
  1268. #
  1269. # Maximum number of seconds for active handlers
  1270. #
  1271. attr_accessor :active_timeout
  1272. #
  1273. # Boolean indicating whether the exploit succeeded
  1274. #
  1275. attr_writer :successful
  1276. #
  1277. # Overrides the base class method and serves to initialize default
  1278. # compatibilities for exploits
  1279. #
  1280. def init_compat
  1281. super
  1282. #
  1283. # Merge in payload compatible defaults
  1284. #
  1285. p = module_info['Compat']['Payload']
  1286. CompatDefaults::Payload.each_pair { |k,v|
  1287. (p[k]) ? p[k] << " #{v}" : p[k] = v
  1288. }
  1289. #
  1290. # Set the default save registers if none have been explicitly
  1291. # specified.
  1292. #
  1293. if (module_info['SaveRegisters'] == nil)
  1294. module_info['SaveRegisters'] = [ 'esp', 'ebp' ]
  1295. end
  1296. end
  1297. #
  1298. # Gets the memory map file and other context information that is
  1299. # required when wanting to support context keyed encoding
  1300. #
  1301. def define_context_encoding_reqs(reqs)
  1302. return unless datastore['EnableContextEncoding']
  1303. # At present, we don't support any automatic methods of obtaining
  1304. # context information. In the future, we might support obtaining
  1305. # temporal information remotely.
  1306. # Pass along the information specified in our exploit datastore as
  1307. # encoder options
  1308. reqs['EncoderOptions'] = {} if reqs['EncoderOptions'].nil?
  1309. reqs['EncoderOptions']['EnableContextEncoding'] = datastore['EnableContextEncoding']
  1310. reqs['EncoderOptions']['ContextInformationFile'] = datastore['ContextInformationFile']
  1311. end
  1312. end
  1313. end