# -*- coding: binary -*-
require 'msf/core'
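module Msf

###
#
# This module acts as a base for all handler pseudo-modules.  They aren't
# really modules, so don't get the wrong idea champs!  They're merely
# mixed into dynamically generated payloads to handle monitoring for
# a connection.  Handlers are layered in between the base payload
# class and any other payload class.  A super cool ASCII diagram would
# look something like this
#
#      Module
#        ^
#        |
#     Payload
#        ^
#        |
#     Handler
#        ^
#        |
#      Stager
#        ^
#        |
#      Stage
#
# Every hook defined here (setup/start/stop/cleanup/add/handler) is an empty
# default; a concrete handler mixed in on top is expected to override the
# ones it needs.
#
###
module Handler
  require 'msf/core/handler/reverse'

  ##
  #
  # Constants used with the `handler` method to indicate whether or not the
  # connection was used.
  #
  ##

  #
  # Returned by handlers to indicate that a socket has been claimed for use
  # by the payload.
  #
  Claimed = "claimed"

  #
  # Returned by handlers to indicate that a socket has not been claimed for
  # use.
  #
  Unused = "unused"

  #
  # Returns the handler type.  The base handler reports "none".
  #
  def self.handler_type
    "none"
  end

  #
  # Returns the transport-independent handler type.  The base handler
  # reports "none".
  #
  def self.general_handler_type
    "none"
  end

  #
  # Returns the handler's name, if any, as read from the 'HandlerName' key
  # of module_info (nil when the key is absent).
  #
  def handler_name
    module_info['HandlerName']
  end

  #
  # Initializes the handler state: both counters start at zero and the
  # session waiter event is created.
  #
  def initialize(info = {})
    super

    # Connections that have arrived but have not yet been turned into a
    # registered session.
    self.pending_connections = 0

    # Number of sessions registered through this handler.
    self.sessions = 0

    # Create the waiter event with auto_reset set to false so that
    # if a session is ever created, waiting on it returns immediately.
    self.session_waiter_event = Rex::Sync::Event.new(false, false)
  end

  #
  # Sets up the connection handler.  No-op in the base handler.
  #
  def setup_handler
  end

  #
  # Terminates the connection handler.  No-op in the base handler.
  #
  def cleanup_handler
  end

  #
  # Start monitoring for a connection.  No-op in the base handler.
  #
  def start_handler
  end

  #
  # Start another connection monitor.  No-op in the base handler.
  #
  def add_handler(opts = {})
  end

  #
  # Stop monitoring for a connection.  No-op in the base handler.
  #
  def stop_handler
  end

  #
  # Checks to see if a payload connection has been established on
  # the supplied connection.  This is necessary for find-sock style
  # payloads.  The base implementation has an empty body and therefore
  # returns nil rather than Claimed or Unused.
  #
  def handler(sock)
  end

  #
  # Handles an established connection supplied in the in and out
  # handles.  The handles are passed as parameters in case this
  # handler is capable of handling multiple simultaneous
  # connections.  The default behavior is to attempt to create a session for
  # the payload.  This path will not be taken for multi-staged payloads.
  #
  def handle_connection(conn, opts = {})
    create_session(conn, opts)
  end

  #
  # The amount of time to wait for a session to come in.  Used as the
  # default timeout argument of wait_for_session.
  #
  def wfs_delay
    2
  end

  #
  # Waits for a session to be created as the result of a handler connection
  # coming in.  The return value is a session object instance on success or
  # nil if the timeout expires.
  #
  def wait_for_session(t = wfs_delay)
    new_session = nil

    begin
      new_session = session_waiter_event.wait(t)
    rescue ::Timeout::Error
      # The timeout expiring is the expected "no session" outcome, not an
      # error; fall through with new_session still nil.
    end

    # If a connection has arrived, wait longer...  This second wait is called
    # without a timeout argument, so it relies on register_session or
    # interrupt_wait_for_session notifying the event.
    new_session = session_waiter_event.wait if pending_connections > 0

    new_session
  end

  #
  # Interrupts a wait_for_session call by notifying with a nil event.
  # Does nothing if the waiter event has not been created.
  #
  def interrupt_wait_for_session
    return unless session_waiter_event

    session_waiter_event.notify(nil)
  end

  #
  # Set by the exploit module to configure handler
  #
  attr_accessor :exploit_config

  #
  # This will be non-nil if the handler has a parent payload that it
  # was spawned from.  Right now, this is only the case with generic
  # payloads.  The parent payload is used to create a session
  # rather than using the instance itself.
  #
  attr_accessor :parent_payload

protected

  #
  # Creates a session, if necessary, for the connection that's been handled.
  # Sessions are only created if the payload that's been mixed in has an
  # associated session.
  #
  # Returns the new session, or nil when the payload has no session factory.
  # Any exception raised while constructing the session is printed, logged
  # and then re-raised to the caller.
  #
  def create_session(conn, opts = {})
    # If there is a parent payload, then use that in preference.
    return parent_payload.create_session(conn, opts) if parent_payload

    # Without an associated session factory there is nothing to allocate.
    return nil unless self.session

    begin
      # if there's a create_session method then use it, as this
      # can form a factory for arb session types based on the
      # payload.
      s = if self.session.respond_to?('create_session')
            self.session.create_session(conn, opts)
          else
            self.session.new(conn, opts)
          end
    rescue ::Exception => e
      # We just wanna show and log the error, not trying to swallow it.
      print_error("#{e.class} #{e.message}")
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      raise e
    end

    # Pass along the framework context
    # NOTE(review): s is dereferenced here, before the `if s` check further
    # down; a factory that returned nil would raise NoMethodError at this
    # point -- confirm session factories never return nil.
    s.framework = framework

    # Associate this system with the original exploit
    # and any relevant information
    s.set_from_exploit(assoc_exploit)

    # Pass along any associated payload uuid if specified
    if opts[:payload_uuid]
      s.payload_uuid = opts[:payload_uuid]

      # A UUID counts as registered only when it is found in the database
      # for the current workspace; until that lookup succeeds it stays
      # marked as unregistered.
      s.payload_uuid.registered = false

      # The respond_to? guard has to run before puid_hex is read.  It used to
      # sit after the lookup hash had already been built from puid_hex, so a
      # UUID object without that method raised NoMethodError instead of
      # simply staying unregistered.
      if framework.db.active && s.payload_uuid.respond_to?(:puid_hex)
        payload_info = {
          uuid: s.payload_uuid.puid_hex,
          workspace: framework.db.workspace
        }
        uuid_info = framework.db.payloads(payload_info).first

        if uuid_info
          s.payload_uuid.registered = true
          s.payload_uuid.name = uuid_info['name']
          s.payload_uuid.timestamp = uuid_info['timestamp']
        end
      end
    end

    # If the session is valid, register it with the framework and
    # notify any waiters we may have.
    register_session(s) if s

    s
  end

  #
  # Registers a session with the framework and notifies any waiters of the
  # new session.
  #
  def register_session(session)
    # Register the session with the framework
    framework.sessions.register(session)

    if session.respond_to?(:bootstrap)
      # Sessions that know how to bootstrap themselves get the datastore and
      # this handler; the autorun/on_session path below is skipped for them.
      session.bootstrap(datastore, self)
    else
      # Process the auto-run scripts for this session
      session.process_autoruns(datastore) if session.respond_to?(:process_autoruns)

      # Call the handler's on_session() method
      on_session(session)
    end

    # If there is an exploit associated with this payload, then let's notify
    # anyone who is interested that this exploit succeeded
    framework.events.on_exploit_success(assoc_exploit, session) if assoc_exploit

    # Notify waiters that they should be ready to rock
    session_waiter_event.notify(session)

    # Decrement the pending connections counter now that we've processed
    # one session.
    self.pending_connections -= 1

    # Count the number of sessions we have registered
    self.sessions += 1
  end

  attr_accessor :session_waiter_event # :nodoc:
  attr_accessor :pending_connections  # :nodoc:
  attr_accessor :sessions # :nodoc:

end

end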
# The default none handler
require 'msf/core/handler/none'