2005-07-16 07:32:11 +00:00
|
|
|
require 'msf/base'
|
2011-01-19 02:24:21 +00:00
|
|
|
require 'msf/base/sessions/scriptable'
|
2005-07-16 07:32:11 +00:00
|
|
|
|
|
|
|
module Msf
|
|
|
|
module Sessions
|
|
|
|
|
|
|
|
###
|
2010-02-23 07:12:54 +00:00
|
|
|
#
|
2005-07-16 07:32:11 +00:00
|
|
|
# This class provides basic interaction with a command shell on the remote
|
|
|
|
# endpoint. This session is initialized with a stream that will be used
|
|
|
|
# as the pipe for reading and writing the command shell.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class CommandShell
|
|
|
|
|
|
|
|
#
|
|
|
|
# This interface supports basic interaction.
|
|
|
|
#
|
|
|
|
include Msf::Session::Basic
|
|
|
|
|
|
|
|
#
|
|
|
|
# This interface supports interacting with a single command shell.
|
|
|
|
#
|
|
|
|
include Msf::Session::Provider::SingleCommandShell
|
|
|
|
|
2011-01-19 02:24:21 +00:00
|
|
|
include Msf::Session::Scriptable
|
|
|
|
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
2011-01-19 02:24:21 +00:00
|
|
|
# Executes the supplied script, must be specified as full path.
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
2011-01-19 02:24:21 +00:00
|
|
|
# Msf::Session::Scriptable implementor
|
|
|
|
#
|
|
|
|
def execute_file(full_path, args)
|
|
|
|
o = Rex::Script::Shell.new(self, full_path)
|
|
|
|
o.run(args)
|
2005-07-19 14:33:25 +00:00
|
|
|
end
|
|
|
|
|
2010-02-24 01:19:59 +00:00
|
|
|
#
|
2011-01-19 02:24:21 +00:00
|
|
|
# Returns the type of session.
|
2010-02-24 01:19:59 +00:00
|
|
|
#
|
2011-01-19 02:24:21 +00:00
|
|
|
def self.type
|
|
|
|
"shell"
|
2010-02-24 01:19:59 +00:00
|
|
|
end
|
|
|
|
|
2010-12-27 17:46:42 +00:00
|
|
|
def initialize(*args)
|
|
|
|
self.platform ||= ""
|
|
|
|
self.arch ||= ""
|
|
|
|
super
|
|
|
|
end
|
2010-02-24 01:19:59 +00:00
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Returns the session description.
|
|
|
|
#
|
2005-07-16 08:12:58 +00:00
|
|
|
def desc
|
2005-07-16 16:06:44 +00:00
|
|
|
"Command shell"
|
2005-07-16 08:12:58 +00:00
|
|
|
end
|
|
|
|
|
2010-02-24 01:19:59 +00:00
|
|
|
#
|
|
|
|
# Explicitly runs a command.
|
|
|
|
#
|
2008-09-24 04:41:51 +00:00
|
|
|
def run_cmd(cmd)
|
2010-02-24 01:19:59 +00:00
|
|
|
shell_command(cmd)
|
2008-09-24 04:41:51 +00:00
|
|
|
end
|
2010-02-24 01:19:59 +00:00
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Calls the class method.
|
|
|
|
#
|
2005-07-16 08:12:58 +00:00
|
|
|
def type
|
2005-07-19 14:33:25 +00:00
|
|
|
self.class.type
|
2005-07-16 08:12:58 +00:00
|
|
|
end
|
|
|
|
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# The shell will have been initialized by default.
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2010-02-24 01:19:59 +00:00
|
|
|
def shell_init
|
2005-07-16 07:32:11 +00:00
|
|
|
return true
|
|
|
|
end
|
|
|
|
|
2010-02-24 01:19:59 +00:00
|
|
|
#
|
|
|
|
# Explicitly run a single command, return the output.
|
|
|
|
#
|
|
|
|
def shell_command(cmd)
|
2010-02-24 20:56:31 +00:00
|
|
|
# Send the command to the session's stdin.
|
2010-02-24 01:19:59 +00:00
|
|
|
shell_write(cmd + "\n")
|
|
|
|
|
2010-12-09 22:44:17 +00:00
|
|
|
timeo = 5
|
2010-12-18 03:00:26 +00:00
|
|
|
etime = ::Time.now.to_f + timeo
|
2010-12-09 22:44:17 +00:00
|
|
|
buff = ""
|
|
|
|
|
|
|
|
# Keep reading data until no more data is available or the timeout is
|
|
|
|
# reached.
|
2011-04-07 21:59:32 +00:00
|
|
|
while (::Time.now.to_f < etime and (self.respond_to?(:ring) or ::IO.select([rstream], nil, nil, timeo)))
|
2010-12-09 22:44:17 +00:00
|
|
|
res = shell_read(-1, 0.01)
|
|
|
|
buff << res if res
|
2010-12-18 03:00:26 +00:00
|
|
|
timeo = etime - ::Time.now.to_f
|
2010-02-24 01:19:59 +00:00
|
|
|
end
|
|
|
|
|
2010-12-09 22:44:17 +00:00
|
|
|
buff
|
2010-02-24 01:19:59 +00:00
|
|
|
end
|
|
|
|
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Read from the command shell.
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2010-03-11 20:07:06 +00:00
|
|
|
def shell_read(length=-1, timeout=1)
|
2011-04-07 21:59:32 +00:00
|
|
|
return shell_read_ring(length,timeout) if self.respond_to?(:ring)
|
|
|
|
|
2010-03-21 04:24:27 +00:00
|
|
|
begin
|
|
|
|
rv = rstream.get_once(length, timeout)
|
|
|
|
framework.events.on_session_output(self, rv) if rv
|
|
|
|
return rv
|
2011-03-23 22:21:59 +00:00
|
|
|
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
|
|
|
|
#print_error("Socket error: #{e.class}: #{e}")
|
2010-03-21 04:24:27 +00:00
|
|
|
shell_close
|
|
|
|
raise e
|
2008-09-24 04:41:51 +00:00
|
|
|
end
|
2005-07-16 07:32:11 +00:00
|
|
|
end
|
|
|
|
|
2011-04-07 21:59:32 +00:00
|
|
|
#
|
|
|
|
# Read from the command shell.
|
|
|
|
#
|
|
|
|
def shell_read_ring(length=-1, timeout=1)
|
|
|
|
self.ring_buff ||= ""
|
|
|
|
|
|
|
|
# Short-circuit bad length values
|
|
|
|
return "" if length == 0
|
|
|
|
|
|
|
|
# Return data from the stored buffer if available
|
|
|
|
if self.ring_buff.length >= length and length > 0
|
|
|
|
buff = self.ring_buff.slice!(0,length)
|
|
|
|
return buff
|
|
|
|
end
|
|
|
|
|
|
|
|
buff = self.ring_buff
|
|
|
|
self.ring_buff = ""
|
|
|
|
|
|
|
|
begin
|
|
|
|
::Timeout.timeout(timeout) do
|
|
|
|
while( (length > 0 and buff.length < length) or (length == -1 and buff.length == 0))
|
|
|
|
ring.select
|
|
|
|
nseq,data = ring.read_data(self.ring_seq)
|
|
|
|
if data
|
|
|
|
self.ring_seq = nseq
|
|
|
|
buff << data
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
rescue ::Timeout::Error
|
2011-05-02 20:40:19 +00:00
|
|
|
rescue ::Interrupt => e
|
|
|
|
raise e
|
2011-04-07 21:59:32 +00:00
|
|
|
rescue ::Exception => e
|
|
|
|
shell_close
|
|
|
|
raise e
|
|
|
|
end
|
|
|
|
|
|
|
|
# Store any leftovers in the ring buffer backlog
|
|
|
|
if length > 0 and buff.length > length
|
|
|
|
self.ring_buff = buff[length, buff.length - length]
|
|
|
|
buff = buff[0,length]
|
|
|
|
end
|
|
|
|
|
|
|
|
buff
|
|
|
|
end
|
|
|
|
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Writes to the command shell.
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2010-02-24 01:19:59 +00:00
|
|
|
def shell_write(buf)
|
2010-03-25 01:38:47 +00:00
|
|
|
return if not buf
|
|
|
|
|
2010-03-21 04:24:27 +00:00
|
|
|
begin
|
|
|
|
framework.events.on_session_command(self, buf.strip)
|
|
|
|
rstream.write(buf)
|
2011-03-23 22:21:59 +00:00
|
|
|
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
|
|
|
|
#print_error("Socket error: #{e.class}: #{e}")
|
2010-03-21 04:24:27 +00:00
|
|
|
shell_close
|
|
|
|
raise e
|
|
|
|
end
|
2005-07-16 07:32:11 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Closes the shell.
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2010-02-24 01:19:59 +00:00
|
|
|
def shell_close()
|
2010-12-18 03:37:27 +00:00
|
|
|
rstream.close rescue nil
|
2010-03-21 04:24:27 +00:00
|
|
|
self.kill
|
2005-07-16 07:32:11 +00:00
|
|
|
end
|
|
|
|
|
2010-03-02 18:07:50 +00:00
|
|
|
#
|
|
|
|
# Execute any specified auto-run scripts for this session
|
|
|
|
#
|
|
|
|
def process_autoruns(datastore)
|
2010-03-16 04:50:47 +00:00
|
|
|
# Read the initial output and mash it into a single line
|
2010-03-16 15:20:48 +00:00
|
|
|
if (not self.info or self.info.empty?)
|
|
|
|
initial_output = shell_read(-1, 0.01)
|
|
|
|
if (initial_output)
|
2011-02-28 21:39:25 +00:00
|
|
|
initial_output.force_encoding("ASCII-8BIT") if initial_output.respond_to?(:force_encoding)
|
|
|
|
initial_output.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")
|
2010-03-16 15:20:48 +00:00
|
|
|
initial_output.gsub!(/[\r\n\t]+/, ' ')
|
|
|
|
initial_output.strip!
|
|
|
|
|
|
|
|
# Set the inital output to .info
|
|
|
|
self.info = initial_output
|
|
|
|
end
|
2010-03-16 04:50:47 +00:00
|
|
|
end
|
|
|
|
|
2010-03-02 18:07:50 +00:00
|
|
|
if (datastore['InitialAutoRunScript'] && datastore['InitialAutoRunScript'].empty? == false)
|
|
|
|
args = datastore['InitialAutoRunScript'].split
|
|
|
|
print_status("Session ID #{sid} (#{tunnel_to_s}) processing InitialAutoRunScript '#{datastore['InitialAutoRunScript']}'")
|
2011-01-19 02:24:21 +00:00
|
|
|
execute_script(args.shift, *args)
|
2010-03-02 18:07:50 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
if (datastore['AutoRunScript'] && datastore['AutoRunScript'].empty? == false)
|
|
|
|
args = datastore['AutoRunScript'].split
|
|
|
|
print_status("Session ID #{sid} (#{tunnel_to_s}) processing AutoRunScript '#{datastore['AutoRunScript']}'")
|
2011-01-19 02:24:21 +00:00
|
|
|
execute_script(args.shift, *args)
|
2010-03-02 18:07:50 +00:00
|
|
|
end
|
|
|
|
end
|
2011-04-29 16:02:24 +00:00
|
|
|
|
|
|
|
def reset_ring_sequence
|
|
|
|
self.ring_seq = 0
|
|
|
|
end
|
2010-03-21 04:24:27 +00:00
|
|
|
|
2010-12-27 17:46:42 +00:00
|
|
|
attr_accessor :arch
|
|
|
|
attr_accessor :platform
|
|
|
|
|
2010-03-23 00:33:18 +00:00
|
|
|
protected
|
|
|
|
|
|
|
|
# Override the basic session interaction to use shell_read and
|
|
|
|
# shell_write instead of operating on rstream directly.
|
|
|
|
def _interact
|
|
|
|
framework.events.on_session_interact(self)
|
2011-04-07 21:59:32 +00:00
|
|
|
if self.respond_to?(:ring)
|
|
|
|
_interact_ring
|
|
|
|
else
|
|
|
|
_interact_stream
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def _interact_stream
|
2010-03-23 00:33:18 +00:00
|
|
|
fds = [rstream.fd, user_input.fd]
|
|
|
|
while self.interacting
|
|
|
|
sd = Rex::ThreadSafe.select(fds, nil, fds, 0.5)
|
|
|
|
next if not sd
|
|
|
|
|
|
|
|
if sd[0].include? rstream.fd
|
|
|
|
user_output.print(shell_read)
|
|
|
|
end
|
|
|
|
if sd[0].include? user_input.fd
|
|
|
|
shell_write(user_input.gets)
|
|
|
|
end
|
2011-04-07 21:59:32 +00:00
|
|
|
Thread.pass
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def _interact_ring
|
|
|
|
|
|
|
|
begin
|
|
|
|
|
|
|
|
rdr = Rex::ThreadFactory.spawn("RingMonitor", false) do
|
|
|
|
seq = nil
|
|
|
|
while self.interacting
|
|
|
|
|
|
|
|
# Look for any pending data from the remote ring
|
|
|
|
nseq,data = ring.read_data(seq)
|
|
|
|
|
|
|
|
# Update the sequence number if necessary
|
|
|
|
seq = nseq || seq
|
|
|
|
|
|
|
|
# Write output to the local stream if successful
|
|
|
|
user_output.print(data) if data
|
|
|
|
|
|
|
|
begin
|
|
|
|
# Wait for new data to arrive on this session
|
|
|
|
ring.wait(seq)
|
|
|
|
rescue EOFError => e
|
|
|
|
break
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
while self.interacting
|
|
|
|
# Look for any pending input or errors from the local stream
|
|
|
|
sd = Rex::ThreadSafe.select([ _local_fd ], nil, [_local_fd], 5.0)
|
|
|
|
|
|
|
|
# Write input to the ring's input mechanism
|
|
|
|
shell_write(user_input.gets) if sd
|
|
|
|
end
|
|
|
|
|
|
|
|
ensure
|
|
|
|
rdr.kill
|
2010-03-23 00:33:18 +00:00
|
|
|
end
|
|
|
|
end
|
2011-04-07 21:59:32 +00:00
|
|
|
|
|
|
|
attr_accessor :ring_seq # This tracks the last seen ring buffer sequence (for shell_read)
|
|
|
|
attr_accessor :ring_buff # This tracks left over read data to maintain a compatible API
|
2005-07-16 07:32:11 +00:00
|
|
|
end
|
|
|
|
|
2010-12-27 17:46:42 +00:00
|
|
|
class CommandShellWindows < CommandShell
|
|
|
|
def initialize(*args)
|
|
|
|
self.platform = "windows"
|
|
|
|
super
|
|
|
|
end
|
2011-02-22 14:00:47 +00:00
|
|
|
def shell_command_token(cmd,timeout = 10)
|
|
|
|
shell_command_token_win32(cmd,timeout)
|
2010-12-27 17:46:42 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
class CommandShellUnix < CommandShell
|
|
|
|
def initialize(*args)
|
|
|
|
self.platform = "unix"
|
|
|
|
super
|
|
|
|
end
|
2011-02-22 14:00:47 +00:00
|
|
|
def shell_command_token(cmd,timeout = 10)
|
|
|
|
shell_command_token_unix(cmd,timeout)
|
2010-12-27 17:46:42 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-07-16 07:32:11 +00:00
|
|
|
end
|
2009-12-22 18:52:48 +00:00
|
|
|
end
|
2010-03-21 04:24:27 +00:00
|
|
|
|