2005-07-09 21:18:49 +00:00
|
|
|
require 'msf/core'
|
2005-05-21 17:57:00 +00:00
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
2005-05-22 07:14:16 +00:00
|
|
|
###
|
|
|
|
#
|
|
|
|
# Event notifications that affect sessions.
|
|
|
|
#
|
|
|
|
###
|
2005-10-30 22:20:29 +00:00
|
|
|
module SessionEvent
|
2005-05-21 17:57:00 +00:00
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Called when a session is opened.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def on_session_open(session)
|
|
|
|
end
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# Called when a session is closed.
|
|
|
|
#
|
2010-02-23 05:59:30 +00:00
|
|
|
def on_session_close(session, reason='')
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
2009-12-22 18:52:48 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Called when the user interacts with a session.
|
|
|
|
#
|
|
|
|
def on_session_interact(session)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Called when the user writes data to a session.
|
|
|
|
#
|
|
|
|
def on_session_command(session, command)
|
|
|
|
end
|
|
|
|
|
2010-02-26 21:55:30 +00:00
|
|
|
#
|
|
|
|
# Called when output comes back from a user command.
|
|
|
|
#
|
|
|
|
def on_session_output(session, output)
|
|
|
|
end
|
|
|
|
|
2010-03-22 01:13:58 +00:00
|
|
|
#
|
|
|
|
# Called when a file is uploaded.
|
|
|
|
#
|
|
|
|
def on_session_upload(session, local_path, remote_path)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Called when a file is downloaded.
|
|
|
|
#
|
2010-03-22 20:56:22 +00:00
|
|
|
def on_session_download(session, remote_path, local_path)
|
2010-03-22 01:13:58 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Called when a file is deleted.
|
|
|
|
#
|
|
|
|
def on_session_filedelete(session, path)
|
|
|
|
end
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
2005-05-22 07:14:16 +00:00
|
|
|
# The session class represents a post-exploitation, uh, session.
|
2005-07-16 07:32:11 +00:00
|
|
|
# Sessions can be written to, read from, and interacted with. The
|
2010-02-22 17:54:44 +00:00
|
|
|
# underlying medium on which they are backed is arbitrary. For
|
2005-05-22 07:14:16 +00:00
|
|
|
# instance, when an exploit is provided with a command shell,
|
|
|
|
# either through a network connection or locally, the session's
|
|
|
|
# read and write operations end up reading from and writing to
|
|
|
|
# the shell that was spawned. The session object can be seen
|
|
|
|
# as a general means of interacting with various post-exploitation
|
2010-02-22 17:54:44 +00:00
|
|
|
# payloads through a common interface that is not necessarily
|
2005-05-22 07:14:16 +00:00
|
|
|
# tied to a network connection.
|
2005-05-21 17:57:00 +00:00
|
|
|
#
|
|
|
|
###
|
2005-07-16 07:32:11 +00:00
|
|
|
module Session
|
2005-05-22 07:14:16 +00:00
|
|
|
|
2005-07-16 07:32:11 +00:00
|
|
|
include Framework::Offspring
|
|
|
|
|
2010-02-23 05:59:30 +00:00
|
|
|
def initialize
|
|
|
|
self.alive = true
|
2010-03-27 02:39:52 +00:00
|
|
|
self.uuid = Rex::Text.rand_text_alphanumeric(8).downcase
|
2011-04-07 21:59:32 +00:00
|
|
|
@routes = RouteArray.new(self)
|
|
|
|
#self.routes = []
|
2010-02-23 05:59:30 +00:00
|
|
|
end
|
|
|
|
|
2005-07-16 07:32:11 +00:00
|
|
|
# Direct descendents
|
|
|
|
require 'msf/core/session/interactive'
|
|
|
|
require 'msf/core/session/basic'
|
2005-09-30 05:59:44 +00:00
|
|
|
require 'msf/core/session/comm'
|
2005-07-16 07:32:11 +00:00
|
|
|
|
|
|
|
# Provider interfaces
|
|
|
|
require 'msf/core/session/provider/single_command_execution'
|
|
|
|
require 'msf/core/session/provider/multi_command_execution'
|
|
|
|
require 'msf/core/session/provider/single_command_shell'
|
|
|
|
require 'msf/core/session/provider/multi_command_shell'
|
2005-07-19 14:33:25 +00:00
|
|
|
|
|
|
|
def self.type
|
|
|
|
"unknown"
|
|
|
|
end
|
|
|
|
|
2005-07-16 08:12:58 +00:00
|
|
|
#
|
|
|
|
# Returns the session's name if it's been assigned one, otherwise
|
|
|
|
# the sid is returned.
|
|
|
|
#
|
|
|
|
def name
|
|
|
|
return sname || sid
|
|
|
|
end
|
2005-07-16 07:32:11 +00:00
|
|
|
|
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Sets the session's name.
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2005-07-16 08:12:58 +00:00
|
|
|
def name=(name)
|
|
|
|
self.sname = name
|
2005-05-22 07:14:16 +00:00
|
|
|
end
|
|
|
|
|
2009-12-23 01:03:51 +00:00
|
|
|
#
|
|
|
|
# Brief and to the point
|
|
|
|
#
|
|
|
|
def inspect
|
2010-10-21 04:43:54 +00:00
|
|
|
"#<Session:#{self.type} #{self.tunnel_peer} #{self.info ? "\"#{self.info.to_s}\"" : nil}>" # " Fixes highlighting
|
2009-12-23 01:03:51 +00:00
|
|
|
end
|
|
|
|
|
2005-05-25 05:07:22 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Returns the description of the session.
|
2005-05-25 05:07:22 +00:00
|
|
|
#
|
2005-07-16 08:12:58 +00:00
|
|
|
def desc
|
2005-05-22 07:14:16 +00:00
|
|
|
end
|
|
|
|
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Returns the type of session in use.
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2005-07-16 08:12:58 +00:00
|
|
|
def type
|
2005-07-16 07:32:11 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Returns the local side of the tunnel.
|
2005-07-16 08:12:58 +00:00
|
|
|
#
|
|
|
|
def tunnel_local
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Returns the peer side of the tunnel.
|
2005-07-16 08:12:58 +00:00
|
|
|
#
|
|
|
|
def tunnel_peer
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Returns a pretty representation of the tunnel.
|
2005-07-16 08:12:58 +00:00
|
|
|
#
|
|
|
|
def tunnel_to_s
|
2008-12-19 07:11:08 +00:00
|
|
|
"#{(tunnel_local || '??')} -> #{(tunnel_peer || '??')}"
|
2005-07-16 08:12:58 +00:00
|
|
|
end
|
|
|
|
|
2005-10-02 03:21:26 +00:00
|
|
|
##
|
|
|
|
#
|
|
|
|
# Logging
|
|
|
|
#
|
|
|
|
##
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the suggested name of the log file for this session.
|
|
|
|
#
|
|
|
|
def log_file_name
|
|
|
|
dt = Time.now
|
|
|
|
|
2005-10-02 03:57:46 +00:00
|
|
|
dstr = sprintf("%.4d%.2d%.2d", dt.year, dt.mon, dt.mday)
|
|
|
|
rhost = (tunnel_peer || 'unknown').split(':')[0]
|
2005-10-02 03:21:26 +00:00
|
|
|
|
2005-10-02 04:06:31 +00:00
|
|
|
"#{dstr}_#{rhost}_#{type}"
|
2005-10-02 03:21:26 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the log source that should be used for this session.
|
|
|
|
#
|
|
|
|
def log_source
|
2008-12-19 07:11:08 +00:00
|
|
|
"session_#{name}"
|
2005-10-02 03:21:26 +00:00
|
|
|
end
|
|
|
|
|
2005-11-03 00:18:12 +00:00
|
|
|
#
|
|
|
|
# This method logs the supplied buffer as coming from the remote side of
|
|
|
|
# the session.
|
|
|
|
#
|
2005-10-02 03:21:26 +00:00
|
|
|
def log_from_remote(buf)
|
|
|
|
rlog(buf, log_source)
|
|
|
|
end
|
|
|
|
|
2005-11-03 00:18:12 +00:00
|
|
|
#
|
|
|
|
# This method logs the supplied buffer as coming from the local side of
|
|
|
|
# the session.
|
|
|
|
#
|
2005-10-02 03:21:26 +00:00
|
|
|
def log_from_local(buf)
|
|
|
|
rlog(buf, log_source)
|
|
|
|
end
|
|
|
|
|
2005-07-16 08:12:58 +00:00
|
|
|
##
|
|
|
|
#
|
|
|
|
# Core interface
|
2005-07-16 07:32:11 +00:00
|
|
|
#
|
2005-07-16 08:12:58 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
# Sets the vector through which this session was realized.
|
2005-07-17 06:01:11 +00:00
|
|
|
#
|
|
|
|
def set_via(opts)
|
2010-02-22 17:54:44 +00:00
|
|
|
self.via = opts || {}
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Configures via_payload, via_payload, workspace, target_host from an
|
2010-09-20 03:51:38 +00:00
|
|
|
# exploit instance. Store references from and to the exploit module.
|
2010-02-22 17:54:44 +00:00
|
|
|
#
|
|
|
|
def set_from_exploit(m)
|
2010-03-16 15:11:07 +00:00
|
|
|
self.via = { 'Exploit' => m.fullname }
|
|
|
|
self.via['Payload'] = ('payload/' + m.datastore['PAYLOAD'].to_s) if m.datastore['PAYLOAD']
|
|
|
|
|
2010-02-22 17:54:44 +00:00
|
|
|
self.target_host = m.target_host
|
|
|
|
self.workspace = m.workspace
|
2010-03-16 15:11:07 +00:00
|
|
|
self.username = m.owner
|
2010-07-01 22:02:46 +00:00
|
|
|
self.exploit_datastore = m.datastore
|
2010-03-12 21:47:27 +00:00
|
|
|
self.user_input = m.user_input if m.user_input
|
|
|
|
self.user_output = m.user_output if m.user_output
|
2010-03-27 02:39:52 +00:00
|
|
|
self.exploit_uuid = m.uuid
|
2010-09-20 03:51:38 +00:00
|
|
|
self.exploit = m
|
2005-07-17 06:01:11 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the exploit module name through which this session was
|
|
|
|
# created.
|
|
|
|
#
|
|
|
|
def via_exploit
|
|
|
|
self.via['Exploit'] if (self.via)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the payload module name through which this session was
|
|
|
|
# created.
|
|
|
|
#
|
|
|
|
def via_payload
|
|
|
|
self.via['Payload'] if (self.via)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Perform session-specific cleanup.
|
2005-07-16 08:12:58 +00:00
|
|
|
#
|
2011-04-07 21:59:32 +00:00
|
|
|
# NOTE: session classes overriding this method must call super!
|
|
|
|
# Also must tolerate being called multiple times.
|
|
|
|
#
|
2005-07-16 08:12:58 +00:00
|
|
|
def cleanup
|
2011-04-07 21:59:32 +00:00
|
|
|
if db_record and framework.db.active
|
|
|
|
db_record.closed_at = Time.now
|
|
|
|
# ignore exceptions
|
|
|
|
db_record.save
|
|
|
|
db_record = nil
|
|
|
|
end
|
2005-07-16 08:12:58 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# By default, sessions are not interactive.
|
|
|
|
#
|
|
|
|
def interactive?
|
|
|
|
false
|
2005-07-16 07:32:11 +00:00
|
|
|
end
|
|
|
|
|
2007-02-11 23:24:25 +00:00
|
|
|
|
2011-04-18 20:07:53 +00:00
|
|
|
#
|
|
|
|
# Allow the session to skip registration
|
|
|
|
#
|
|
|
|
def register?
|
|
|
|
true
|
|
|
|
end
|
|
|
|
|
2007-02-11 23:24:25 +00:00
|
|
|
#
|
|
|
|
# Allow the user to terminate this session
|
|
|
|
#
|
|
|
|
def kill
|
2011-04-18 20:07:53 +00:00
|
|
|
framework.sessions.deregister(self) if register?
|
2007-02-11 23:24:25 +00:00
|
|
|
end
|
|
|
|
|
2010-02-23 05:59:30 +00:00
|
|
|
def dead?
|
|
|
|
(not self.alive)
|
|
|
|
end
|
2011-04-07 21:59:32 +00:00
|
|
|
|
2010-02-23 05:59:30 +00:00
|
|
|
def alive?
|
|
|
|
(self.alive)
|
|
|
|
end
|
|
|
|
|
|
|
|
attr_accessor :alive
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
#
|
|
|
|
# The framework instance that created this session.
|
2010-02-22 17:54:44 +00:00
|
|
|
#
|
2005-11-15 15:11:43 +00:00
|
|
|
attr_accessor :framework
|
|
|
|
#
|
|
|
|
# The session unique identifier.
|
|
|
|
#
|
|
|
|
attr_accessor :sid
|
|
|
|
#
|
|
|
|
# The session name.
|
|
|
|
#
|
|
|
|
attr_accessor :sname
|
2010-02-22 17:54:44 +00:00
|
|
|
#
|
|
|
|
# The associated workspace name
|
|
|
|
#
|
|
|
|
attr_accessor :workspace
|
|
|
|
#
|
|
|
|
# The original target host address
|
|
|
|
#
|
|
|
|
attr_accessor :target_host
|
2010-02-25 23:20:33 +00:00
|
|
|
#
|
2010-02-26 01:09:23 +00:00
|
|
|
# The datastore of the exploit that created this session
|
|
|
|
#
|
|
|
|
attr_accessor :exploit_datastore
|
|
|
|
#
|
2010-02-25 23:20:33 +00:00
|
|
|
# The specific identified session info
|
|
|
|
#
|
|
|
|
attr_accessor :info
|
2010-03-16 15:11:07 +00:00
|
|
|
#
|
|
|
|
# The unique identifier of this session
|
|
|
|
#
|
|
|
|
attr_accessor :uuid
|
|
|
|
#
|
2010-03-27 02:39:52 +00:00
|
|
|
# The unique identifier of exploit that created this session
|
|
|
|
#
|
|
|
|
attr_accessor :exploit_uuid
|
|
|
|
#
|
2010-09-20 03:51:38 +00:00
|
|
|
# The actual exploit module instance that created this session
|
|
|
|
#
|
|
|
|
attr_accessor :exploit
|
|
|
|
#
|
2010-03-16 15:11:07 +00:00
|
|
|
# The associated username
|
|
|
|
#
|
|
|
|
attr_accessor :username
|
2010-07-02 17:38:56 +00:00
|
|
|
#
|
|
|
|
# An array of routes associated with this session
|
|
|
|
#
|
|
|
|
attr_accessor :routes
|
2011-04-07 21:59:32 +00:00
|
|
|
#
|
|
|
|
# This session's associated database record
|
|
|
|
#
|
|
|
|
attr_accessor :db_record
|
2005-05-22 07:14:16 +00:00
|
|
|
protected
|
|
|
|
|
2005-11-15 15:11:43 +00:00
|
|
|
attr_accessor :via # :nodoc:
|
2005-07-17 06:01:11 +00:00
|
|
|
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
2009-12-22 18:52:48 +00:00
|
|
|
end
|
2010-02-22 17:54:44 +00:00
|
|
|
|
2011-04-07 21:59:32 +00:00
|
|
|
class RouteArray < Array # :nodoc: all
|
|
|
|
def initialize(sess)
|
|
|
|
self.session = sess
|
|
|
|
super()
|
|
|
|
end
|
|
|
|
|
|
|
|
def <<(val)
|
|
|
|
session.framework.events.on_session_route(session, val)
|
|
|
|
super
|
|
|
|
end
|
|
|
|
|
|
|
|
def delete(val)
|
|
|
|
session.framework.events.on_session_route_remove(session, val)
|
|
|
|
super
|
|
|
|
end
|
|
|
|
|
|
|
|
attr_accessor :session
|
|
|
|
end
|