require 'rex'
require 'rex/ui/text/output/buffer'
module Msf
module RPC
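# RPC surface for interacting with framework sessions (shells, meterpreter, ring-buffer
# backed sessions).
#
# Every public method takes the caller's RPC +token+ as its first argument and passes it
# to #authenticate before any framework state is read or modified; session ids are
# normalised with +to_i+ before lookup, and all payload data crosses the wire base64
# encoded. #authenticate and @framework are not defined in this file — presumably they
# come from Base.
class Session < Base

  # Lists every active session, keyed by session id.
  #
  # @param token [String] RPC auth token
  # @return [Hash{Integer => Hash}] per-session attributes, all stringified; meterpreter
  #   sessions additionally carry a 'platform' entry
  def list(token)
    authenticate(token)

    @framework.sessions.each_with_object({}) do |(_id, s), res|
      entry = {
        'type'         => s.type.to_s,
        'tunnel_local' => s.tunnel_local.to_s,
        'tunnel_peer'  => s.tunnel_peer.to_s,
        'via_exploit'  => s.via_exploit.to_s,
        'via_payload'  => s.via_payload.to_s,
        'desc'         => s.desc.to_s,
        'info'         => s.info.to_s,
        'workspace'    => s.workspace.to_s,
        'target_host'  => s.target_host.to_s,
        'username'     => s.username.to_s,
        'uuid'         => s.uuid.to_s,
        'exploit_uuid' => s.exploit_uuid.to_s,
        'routes'       => s.routes.join(",")
      }
      # 'platform' is only reported for meterpreter sessions.
      entry['platform'] = s.platform.to_s if s.type.to_s == "meterpreter"
      res[s.sid] = entry
    end
  end

  # Kills the session identified by +sid+.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id; coerced with +to_i+, so non-numeric input
  #   becomes 0 and will normally fail the lookup
  # @return [Hash] { "result" => "success" }
  # @raise [XMLRPC::FaultException] 404 when no such session exists
  def stop(token, sid)
    authenticate(token)

    s = @framework.sessions[sid.to_i]
    raise ::XMLRPC::FaultException.new(404, "unknown session while stopping") unless s

    s.kill
    { "result" => "success" }
  end

  # Position-aware read of a shell session's ring buffer.
  #
  # The server remembers, per session, the sequence number reached by the previous
  # shell_read call and resumes from there when +ptr+ is omitted, emulating the old
  # streaming shell_read behaviour. Clients wanting direct control of the position
  # (e.g. several independent views of one session) should call #ring_read and track
  # the returned "seq" themselves.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param ptr [Integer, nil] explicit ring position; nil means "continue from last read"
  # @return [Hash] same shape as #ring_read: "seq", base64 "data", "encoding"
  # @raise [XMLRPC::FaultException] 403 if the session is not a shell, 404 if unknown
  def shell_read(token, sid, ptr=nil)
    _valid_session(token, sid, "shell")

    # The pointer map is keyed by the normalised integer sid: sessions are looked up
    # with sid.to_i, so "1" and 1 must share one position rather than each restarting
    # at 0 depending on how the client happened to encode the id.
    key = sid.to_i
    @session_sequence ||= {}
    @session_sequence[key] ||= 0

    ring_buffer = ring_read(token, sid, (ptr || @session_sequence[key]))

    seq = ring_buffer["seq"]
    @session_sequence[key] = seq.to_i unless seq.nil? || seq.empty?

    ring_buffer
  end

  # Writes base64-encoded +data+ to a shell session; identical to #ring_put apart from
  # the additional "shell" type check.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param data [String] base64-encoded bytes to send to the shell
  # @return [Hash] { "write_count" => String }
  # @raise [XMLRPC::FaultException] 403 if the session is not a shell, 404 if unknown,
  #   500 if the write fails
  def shell_write(token, sid, data)
    _valid_session(token, sid, "shell")
    ring_put(token, sid, data)
  end

  # Upgrades a shell session to meterpreter by running the spawn_meterpreter script
  # with the given listener address.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param lhost [String] listener host written to the session's exploit datastore
  # @param lport [String, Integer] listener port written to the session's exploit datastore
  # @return [Hash] { "result" => "success" } once the script has been started
  # @raise [XMLRPC::FaultException] 403 if the session is not a shell, 404 if unknown
  def shell_upgrade(token, sid, lhost, lport)
    s = _valid_session(token, sid, "shell")

    s.exploit_datastore['LHOST'] = lhost
    s.exploit_datastore['LPORT'] = lport
    s.execute_script('spawn_meterpreter', nil)

    { "result" => "success" }
  end

  # Drains the buffered console output of a meterpreter session.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @return [Hash] { "data" => base64 String, "encoding" => "base64" }
  # @raise [XMLRPC::FaultException] 403 if the session is not meterpreter, 404 if unknown
  def meterpreter_read(token, sid)
    s = _valid_session(token, sid, "meterpreter")
    _ensure_buffered_ui(s)

    data = s.user_output.dump_buffer
    { "data" => Rex::Text.encode_base64(data), "encoding" => "base64" }
  end

  # Reads from a ring-buffer backed session starting at +ptr+.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param ptr [Integer, nil] ring position to read from; passed through to the ring
  # @return [Hash] "seq" (String sequence number reached), base64 "data", "encoding"
  # @raise [XMLRPC::FaultException] 403 if the session has no ring, 404 if unknown,
  #   500 if reading the ring raises (reported as a disconnect)
  def ring_read(token, sid, ptr=nil)
    # _valid_session authenticates the token before the lookup.
    s = _valid_session(token, sid, "ring")

    begin
      res = s.ring.read_data(ptr)
      {
        "seq"      => res[0].to_s,
        "data"     => Rex::Text.encode_base64(res[1].to_s),
        "encoding" => "base64"
      }
    rescue ::StandardError => e
      # StandardError, not Exception: a dead session must not swallow Interrupt,
      # SystemExit or NoMemoryError on the RPC thread.
      raise ::XMLRPC::FaultException.new(500, "session disconnected: #{e.class} #{e}")
    end
  end

  # Decodes +data+ from base64 and writes it to a ring-buffer backed session.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param data [String] base64-encoded bytes
  # @return [Hash] { "write_count" => String } as reported by the session's shell_write
  # @raise [XMLRPC::FaultException] 403 if the session has no ring, 404 if unknown,
  #   500 if the write raises (reported as a disconnect)
  def ring_put(token, sid, data)
    s = _valid_session(token, sid, "ring")
    buff = Rex::Text.decode_base64(data)

    begin
      count = s.shell_write(buff)
      { "write_count" => count.to_s }
    rescue ::StandardError => e
      # See ring_read: do not catch process-level exceptions here.
      raise ::XMLRPC::FaultException.new(500, "session disconnected: #{e.class} #{e}")
    end
  end

  # Returns the most recent sequence number of a session's ring buffer.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @return [Hash] { "seq" => String }
  # @raise [XMLRPC::FaultException] 403 if the session has no ring, 404 if unknown
  def ring_last(token, sid)
    s = _valid_session(token, sid, "ring")
    { "seq" => s.ring.last_sequence.to_s }
  end

  # Discards all buffered data in a session's ring buffer.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @return [Hash] { "result" => "success" } when clear_data left nothing behind,
  #   { "result" => "failure" } otherwise
  # @raise [XMLRPC::FaultException] 403 if the session has no ring, 404 if unknown
  def ring_clear(token, sid)
    s = _valid_session(token, sid, "ring")

    leftover = s.ring.clear_data
    # clear_data is not expected to fail; a non-empty result here may indicate a race
    # with a concurrent writer.
    if leftover.compact.empty?
      { "result" => "success" }
    else
      { "result" => "failure" }
    end
  end

  # Runs a single meterpreter console command, or feeds the input to the currently
  # interactive channel (e.g. an open shell) if there is one.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param data [String] base64-encoded command or input line
  # @return [Hash] always {}; output is retrieved later via #meterpreter_read
  # @raise [XMLRPC::FaultException] 403 if the session is not meterpreter, 404 if unknown
  def meterpreter_write(token, sid, data)
    s = _valid_session(token, sid, "meterpreter")
    _ensure_buffered_ui(s)

    buff = Rex::Text.decode_base64(data)

    if _interacting_channel(s)
      # An interactive channel owns stdin: deliver the line to it rather than the console.
      s.user_input.put(buff + "\n")
    else
      # Console commands may block, so run them off the RPC thread.
      @framework.threads.spawn("MeterpreterRunSingle", false, s) { |sess| sess.console.run_single(buff) }
    end

    {}
  end

  # Detaches from the first interactive channel of a meterpreter session, returning
  # control to the console.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @return [Hash] { "result" => "success" } if a channel was detached, "failure" if none
  #   was interacting
  # @raise [XMLRPC::FaultException] 403 if the session is not meterpreter, 404 if unknown
  def meterpreter_session_detach(token,sid)
    s = _valid_session(token, sid, "meterpreter")

    ch = _interacting_channel(s)
    return { "result" => "failure" } unless ch

    ch.detach()
    { "result" => "success" }
  end

  # Closes the first interactive channel of a meterpreter session.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @return [Hash] { "result" => "success" } if a channel was closed, "failure" if none
  #   was interacting
  # @raise [XMLRPC::FaultException] 403 if the session is not meterpreter, 404 if unknown
  def meterpreter_session_kill(token,sid)
    s = _valid_session(token, sid, "meterpreter")

    ch = _interacting_channel(s)
    return { "result" => "failure" } unless ch

    ch._close
    { "result" => "success" }
  end

  # Tab-completes a partial meterpreter console line.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param line [String] partial input line
  # @return [Hash] { "tabs" => completions as returned by the console }
  # @raise [XMLRPC::FaultException] 403 if the session is not meterpreter, 404 if unknown
  def meterpreter_tabs(token,sid, line)
    s = _valid_session(token, sid, "meterpreter")
    { "tabs" => s.console.tab_complete(line) }
  end

  # Runs a meterpreter console command regardless of whether a shell or other channel
  # is currently interactive (compare #meterpreter_write).
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param data [String] console command, passed as-is (not base64)
  # @return [Hash] always {}; output is retrieved later via #meterpreter_read
  # @raise [XMLRPC::FaultException] 403 if the session is not meterpreter, 404 if unknown
  def meterpreter_run_single(token, sid, data)
    s = _valid_session(token, sid, "meterpreter")
    _ensure_buffered_ui(s)

    # Console commands may block, so run them off the RPC thread.
    @framework.threads.spawn("MeterpreterRunSingle", false, s) { |sess| sess.console.run_single(data) }

    {}
  end

  # Runs a meterpreter script by issuing the console command +run <data>+.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id
  # @param data [String] script name and arguments, interpolated verbatim into the command
  # @return [Hash] always {}
  # @raise [XMLRPC::FaultException] 403 if the session is not meterpreter, 404 if unknown
  def meterpreter_script(token, sid, data)
    meterpreter_run_single(token, sid, "run #{data}")
  end

  # Lists the post modules whose session_compatible? check accepts +sid+.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id, handed to each module's session_compatible?
  #   unchanged (NOTE(review): unlike the other methods it is not normalised with to_i
  #   here — confirm the module side accepts string ids)
  # @return [Array<String>] full module names
  # @raise [XMLRPC::FaultException] 404 if a post module fails to instantiate
  def compatible_modules(token, sid)
    authenticate(token)

    names = @framework.post.keys.map { |x| "post/#{x}" }
    modules = names.map { |mname| _find_module("post", mname) }
    modules.select { |m| m.session_compatible?(sid) }.map(&:fullname)
  end

  private

  # Instantiates the module named +mname+.
  #
  # @param mtype [String] module type; accepted for interface compatibility but not used
  #   (the name alone identifies the module)
  # @param mname [String] full module name, e.g. "post/..."
  # @return [Msf::Module]
  # @raise [XMLRPC::FaultException] 404 if the framework cannot create the module
  def _find_module(mtype,mname)
    mod = @framework.modules.create(mname)
    raise ::XMLRPC::FaultException.new(404, "unknown module") unless mod
    mod
  end

  # Authenticates +token+, looks up +sid+ and checks the session's type.
  #
  # @param token [String] RPC auth token
  # @param sid [Integer, String] session id; normalised with to_i
  # @param type [String] required session type, or "ring" to require only that the
  #   session exposes a ring buffer
  # @return [Msf::Session] the validated session
  # @raise [XMLRPC::FaultException] 404 if the session does not exist, 403 if it is of
  #   the wrong type or lacks a ring
  def _valid_session(token,sid,type)
    authenticate(token)

    s = @framework.sessions[sid.to_i]
    raise ::XMLRPC::FaultException.new(404, "unknown session while validating") unless s

    if type == "ring"
      unless s.respond_to?(:ring)
        raise ::XMLRPC::FaultException.new(403, "session #{s.type} does not support ring operations")
      end
    elsif s.type != type
      raise ::XMLRPC::FaultException.new(403, "session is not " + type)
    end

    s
  end

  # Gives a meterpreter session in-memory input/output buffers if its current output
  # object cannot be dumped, so console output can be collected by #meterpreter_read.
  #
  # @param s [Msf::Session] meterpreter session
  # @return [void]
  def _ensure_buffered_ui(s)
    return if s.user_output.respond_to? :dump_buffer
    s.init_ui(Rex::Ui::Text::Input::Buffer.new, Rex::Ui::Text::Output::Buffer.new)
  end

  # Finds the first channel of +s+ that reports itself as interacting.
  #
  # @param s [Msf::Session] meterpreter session
  # @return [Object, nil] the channel, or nil if none is interacting
  def _interacting_channel(s)
    s.channels.values.find { |ch| ch.respond_to?('interacting') && ch.interacting }
  end

end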
end
end