#!/usr/bin/ruby
require 'rex/post/meterpreter/inbound_packet_handler'
module Rex
module Post
module Meterpreter
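#
# The various types of channels
#
CHANNEL_CLASS_STREAM   = 1
CHANNEL_CLASS_DATAGRAM = 2
CHANNEL_CLASS_POOL     = 3

#
# The various flags that can affect how the channel operates
#
# CHANNEL_FLAG_SYNCHRONOUS
#   Specifies that I/O requests on the channel are blocking.
#
CHANNEL_FLAG_SYNCHRONOUS = (1 << 0)

#
# The core types of direct I/O requests. These are identifiers that
# Channel#dio_map returns and Channel#dio_handler compares against; they
# are frozen so a caller cannot mutate the shared constant in place.
#
CHANNEL_DIO_READ  = 'read'.freeze
CHANNEL_DIO_WRITE = 'write'.freeze
CHANNEL_DIO_CLOSE = 'close'.freeze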
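class Channel

  # Number of bytes requested by _read when the caller gives no length.
  DEFAULT_READ_LENGTH = 65536

  # Lookup table behind dio_map: packet request method -> DIO identifier.
  DIO_METHOD_MAP = {
    'core_channel_read'  => CHANNEL_DIO_READ,
    'core_channel_write' => CHANNEL_DIO_WRITE,
    'core_channel_close' => CHANNEL_DIO_CLOSE
  }.freeze

  # Class modifications to support global channel message dispatching
  # without having to register a per-instance handler.
  class << self
    include Rex::Post::Meterpreter::InboundPacketHandler

    # Class request handler for all channels that dispatches requests to
    # the appropriate class instance's DIO handler.
    #
    # The packet comes from the remote side, so the channel identifier and
    # request method it carries are checked against what the client already
    # knows before anything is dispatched; an unknown id or method is
    # silently rejected.
    #
    # @param client the client context the packet arrived on
    # @param packet the inbound request packet
    # @return [Boolean] whatever the channel's dio_handler returns, or false
    #   when there is no channel id, no matching channel, or no DIO mapping
    def request_handler(client, packet)
      cid = packet.get_tlv_value(TLV_TYPE_CHANNEL_ID)

      # No channel identifier, nothing to dispatch on
      return false if cid.nil?

      # Valid channel context? (the leftover debug print on this path was
      # removed; an unknown id from the remote is simply ignored)
      channel = client.find_channel(cid)
      return false if channel.nil?

      # Supported DIO request?
      dio = channel.dio_map(packet.method)
      return false if dio.nil?

      # Call the channel's dio handler and return success or fail based on
      # what happens
      channel.dio_handler(dio, packet)
    end
  end

  ##
  #
  # Factory
  #
  ##

  # Creates a logical channel between the client and the server based on a
  # given type.
  #
  # @param client the client context used to send the open request
  # @param type [String, nil] channel type to request; omitted from the
  #   request when nil
  # @param klass [Class, nil] channel class to instantiate; defaults to this
  #   class
  # @param flags [Integer] CHANNEL_FLAG_* bitmask, synchronous by default
  # @param addends additional TLVs appended to the open request
  # @return [Channel, nil] the newly created and registered channel instance
  def self.create(client, type = nil, klass = nil,
                  flags = CHANNEL_FLAG_SYNCHRONOUS, addends = nil)
    request = Packet.create_request('core_channel_open')

    # Set the type of channel that we're allocating
    request.add_tlv(TLV_TYPE_CHANNEL_TYPE, type) unless type.nil?

    # If no factory class was provided, use the default native class
    klass = self if klass.nil?

    request.add_tlv(TLV_TYPE_CHANNEL_CLASS, klass.cls)
    request.add_tlv(TLV_TYPE_FLAGS, flags)
    request.add_tlvs(addends)

    # Transmit the request and wait for the response. The response is
    # expected to carry a channel id; a missing one raises here rather than
    # registering a channel without an identifier.
    response = client.send_request(request)
    cid      = response.get_tlv(TLV_TYPE_CHANNEL_ID).value

    # FIXME: race condition where data could be sent to the channel before
    # it's added to the list.

    # Create the channel instance
    channel = klass.new(client, cid, type, flags)

    # Insert the instance into the channel hash
    client.add_channel(channel) unless channel.nil?

    channel
  end

  ##
  #
  # Constructor
  #
  ##

  # Initializes the instance's attributes, such as client context, class
  # identifier, type, and flags.
  #
  # @param client the owning client context
  # @param cid [Integer] channel identifier assigned by the remote side
  # @param type [String, nil] channel type used when the channel was opened
  # @param flags [Integer] CHANNEL_FLAG_* bitmask
  def initialize(client, cid, type, flags)
    self.client = client
    self.cid    = cid
    self.type   = type
    self.flags  = flags
  end

  ##
  #
  # Channel interaction
  #
  ##

  # Wrapper around the low-level channel read operation
  def read(length = nil, addends = nil)
    _read(length, addends)
  end

  # Reads data from the remote half of the channel.
  #
  # @param length [Integer, nil] maximum number of bytes to request; falls
  #   back to DEFAULT_READ_LENGTH when nil
  # @param addends additional TLVs appended to the read request
  # @return [String, nil] the data returned by the remote side, or nil when
  #   the round-trip failed or the response carried no data
  # @raise [IOError] if the channel has already been closed
  # @raise [NotImplementedError] if the channel is not synchronous
  def _read(length = nil, addends = nil)
    raise IOError, "Channel has been closed.", caller if self.cid.nil?

    # Only synchronous channels return data in the response; check this
    # before spending a round-trip on a request whose result we would drop.
    unless flag?(CHANNEL_FLAG_SYNCHRONOUS)
      raise NotImplementedError, "Asynchronous channel mode is not implemented", caller
    end

    request = Packet.create_request('core_channel_read')

    length = DEFAULT_READ_LENGTH if length.nil?

    request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
    request.add_tlv(TLV_TYPE_LENGTH, length)
    request.add_tlvs(addends)

    # Deliberately best-effort: a failed round-trip is reported to the
    # caller as "no data" rather than propagated.
    begin
      response = self.client.send_request(request)
    rescue StandardError
      return nil
    end

    data = response.get_tlv(TLV_TYPE_CHANNEL_DATA)
    data.nil? ? nil : data.value
  end

  # Wrapper around the low-level write
  def write(buf, length = nil, addends = nil)
    _write(buf, length, addends)
  end

  # Writes data to the remote half of the channel.
  #
  # @param buf [String] the data to send
  # @param length [Integer, nil] number of leading bytes of buf to send; the
  #   whole buffer is sent when nil, negative, or larger than buf
  # @param addends additional TLVs appended to the write request
  # @return [Integer] the byte count reported by the remote side, or 0 when
  #   the response carried no length
  # @raise [IOError] if the channel has already been closed
  def _write(buf, length = nil, addends = nil)
    raise IOError, "Channel has been closed.", caller if self.cid.nil?

    request = Packet.create_request('core_channel_write')

    # Truncate to the requested length. buf[0, length] takes exactly
    # `length` bytes; the previous buf[0..length] was an inclusive range and
    # sent one byte more than the length it advertised.
    if !length.nil? && length >= 0 && length <= buf.length
      buf = buf[0, length]
    else
      length = buf.length
    end

    # Populate the request
    request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
    request.add_tlv(TLV_TYPE_CHANNEL_DATA, buf)
    request.add_tlv(TLV_TYPE_LENGTH, length)
    request.add_tlvs(addends)

    response = self.client.send_request(request)
    written  = response.get_tlv(TLV_TYPE_LENGTH)

    written.nil? ? 0 : written.value
  end

  # Wrapper around the low-level close
  def close(addends = nil)
    _close(addends)
  end

  # Close the channel for future writes. This implementation closes the
  # whole channel, exactly like close_read.
  def close_write
    _close
  end

  # Close the channel for future reads. This implementation closes the
  # whole channel, exactly like close_write.
  def close_read
    _close
  end

  # Closes the channel: sends the close request, removes this instance from
  # the client's channel table and clears the channel id so that later
  # read/write/close calls raise IOError.
  #
  # @param addends additional TLVs appended to the close request
  # @return [true]
  # @raise [IOError] if the channel has already been closed
  def _close(addends = nil)
    raise IOError, "Channel has been closed.", caller if self.cid.nil?

    request = Packet.create_request('core_channel_close')

    # Populate the request
    request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
    request.add_tlvs(addends)

    self.client.send_request(request)

    # Disassociate this channel instance
    self.client.remove_channel(self.cid)
    self.cid = nil

    true
  end

  ##
  #
  # Direct I/O
  #
  ##

  # Handles dispatching I/O requests based on the request packet. The
  # default implementation does nothing with direct I/O requests.
  #
  # The length and data TLVs handed to the sub-handlers are taken straight
  # from the remote packet; subclasses that implement the handlers are
  # responsible for bounding them.
  #
  # @param dio [String] one of the CHANNEL_DIO_* identifiers
  # @param packet the inbound request packet
  # @return [Boolean] the sub-handler's result, or false for an unknown dio
  def dio_handler(dio, packet)
    case dio
    when CHANNEL_DIO_READ
      length = packet.get_tlv_value(TLV_TYPE_LENGTH)
      dio_read_handler(packet, length)
    when CHANNEL_DIO_WRITE
      data = packet.get_tlv_value(TLV_TYPE_CHANNEL_DATA)
      dio_write_handler(packet, data)
    when CHANNEL_DIO_CLOSE
      dio_close_handler(packet)
    else
      false
    end
  end

  # Stub read handler
  def dio_read_handler(packet, length)
    false
  end

  # Stub write handler
  def dio_write_handler(packet, data)
    false
  end

  # Stub close handler: drops this instance from the client's channel table
  # when the remote side closes the channel.
  # NOTE(review): _close passes self.cid to remove_channel while this passes
  # self — confirm which argument remove_channel expects. cid is also left
  # set here, so a later local read/write still sends on the closed channel.
  def dio_close_handler(packet)
    client.remove_channel(self)
    false
  end

  # Maps packet request methods to DIO request identifiers on a per-instance
  # basis as other instances may add custom dio handlers.
  #
  # @param method [String] the packet's request method
  # @return [String, nil] the CHANNEL_DIO_* identifier, or nil if unmapped
  def dio_map(method)
    DIO_METHOD_MAP[method]
  end

  ##
  #
  # Conditionals
  #
  ##

  # Checks to see if a flag is set on the instance's flags attribute
  #
  # @param flag [Integer] CHANNEL_FLAG_* bit(s) to test
  # @return [Boolean] true if every bit of flag is set
  def flag?(flag)
    (self.flags & flag) == flag
  end

  # Returns whether or not the channel is operating synchronously.
  # Returns a real boolean; the previous bitwise result was 0 when the flag
  # was clear, and 0 is truthy in Ruby, so the predicate was always true.
  def synchronous?
    flag?(CHANNEL_FLAG_SYNCHRONOUS)
  end

  attr_reader :cid, :type, :cls, :flags

  protected

  attr_accessor :client
  attr_writer :cid, :type, :cls, :flags

end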
end; end; end