infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revert "make the esx driver dependent on meterpreter" 

This reverts commit eec70706d0.
unstable
Jonathan Cran 2012-01-05 23:09:05 -06:00
parent eec70706d0
commit 7a71d22625
6 changed files with 138 additions and 216 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
lib/lab/driver/remote_esx_driver.rb
View File

@ -97,6 +97,26 @@ class RemoteEsxDriver < VmDriver
def delete_all_snapshots def delete_all_snapshots
remote_system_command("vim-cmd vmsvc/snapshot.removeall #{@vmid}") remote_system_command("vim-cmd vmsvc/snapshot.removeall #{@vmid}")
end end
def run_command(command)
raise "Not Implemented"
end
def copy_from_guest(from, to)
if @os == "linux"
scp_from(from, to)
else
raise "Unimplemented"
end
end
def copy_to_guest(from, to)
if @os == "linux"
scp_to(from, to)
else
raise "Unimplemented"
end
end
def check_file_exists(file) def check_file_exists(file)
raise "Not Implemented" raise "Not Implemented"
@ -106,137 +126,16 @@ class RemoteEsxDriver < VmDriver
raise "Not Implemented" raise "Not Implemented"
end end
def run_command(command, timeout=60)
setup_session
#puts "Using session #{@session}"
# TODO: pass the timeout down
if @session
if @session.type == "shell"
#puts "Running command via shell: #{command}"
@session.shell_command_token(command, timeout)
elsif @session.type == "meterpreter"
#puts "Running command via meterpreter: #{command}"
@session.shell_command(command)
end
else
raise "No session"
end
end
def copy_to_guest(local,remote)
setup_session
if @session.type == "meterpreter"
@session.run_cmd("upload #{local} #{remote}")
else
@driver.copy_to(local,remote)
end
end
def copy_from_guest(local, remote)
setup_session
if @session.type == "meterpreter"
@session.run_cmd("download #{local} #{remote}")
else
@driver.copy_from(local,remote)
end
end
def cleanup def cleanup
end end
def running? def running?
power_status_string = `ssh #{@user}@#{@host} \"vim-cmd vmsvc/power.getstate #{@vmid}\"` #power_status_string = `ssh #{@user}@#{@host} \"vim-cmd vmsvc/power.getstate #{@vmid}\"`
return true if power_status_string =~ /Powered on/ #return true if power_status_string =~ /Powered on/
true
end end
private
def create_framework
return if @framework
@framework = Msf::Simple::Framework.create
end
# perform the setup only once
def setup_session
return if @session
# require the framework (assumes this sits in lib/lab/modifiers)
require 'msf/base'
create_framework # TODO - this should use a single framework for all hosts, not one-per-host
@session = nil
@session_input = Rex::Ui::Text::Input::Buffer.new
@session_output = Rex::Ui::Text::Output::Buffer.new
if @os == "windows"
exploit_name = 'windows/smb/psexec'
# TODO - check for x86, choose the appropriate payload
payload_name = 'windows/meterpreter/bind_tcp'
options = {
"RHOST" => @hostname,
"SMBUser" => @vm_user,
"SMBPass" => @vm_pass}
#puts "DEBUG: using options #{options}"
# Initialize the exploit instance
exploit = @framework.exploits.create(exploit_name)
begin
# Fire it off.
@session = exploit.exploit_simple(
'Payload' => payload_name,
'Options' => options,
'LocalInput' => @session_input,
'LocalOutput' => @session_output)
@session.load_stdapi
#puts "DEBUG: Generated session: #{@session}"
rescue Exception => e
#puts "DEBUG: Unable to exploit"
#puts e.to_s
end
else
module_name = 'scanner/ssh/ssh_login'
# TODO - check for x86, choose the appropriate payload
payload_name = 'linux/x86/shell_bind_tcp'
options = { "RHOSTS" => @hostname,
"USERNAME" => @vm_user,
"PASSWORD" => @vm_pass,
"BLANK_PASSWORDS" => false,
"USER_AS_PASS" => false,
"VERBOSE" => false}
# Initialize the module instance
aux = @framework.auxiliary.create(module_name)
#puts "DEBUG: created module: #{aux}"
begin
# Fire it off.
aux.run_simple(
'Payload' => payload_name,
'Options' => options,
'LocalInput' => @session_input,
'LocalOutput' => @session_output)
@session = @framework.sessions.first.last
rescue Exception => e
#puts "DEBUG: Unable to exploit"
#puts e.to_s
end
end
end
def get_snapshots def get_snapshots
# Command take the format: # Command take the format:
# vmware-vim-cmd vmsvc/snapshot.revert [vmid: int] [snapshotlevel: int] [snapshotindex: int] # vmware-vim-cmd vmsvc/snapshot.revert [vmid: int] [snapshotlevel: int] [snapshotindex: int]
@ -248,7 +147,7 @@ private
# ... # ...
snapshots = [] snapshots = []
# Use these to keep track of the parsing... # Use these to keep track of the parsing...
current_tree = -1 current_tree = -1
current_num = 0 current_num = 0
count = 0 count = 0

19
lib/lab/driver/vm_driver.rb
View File

@ -86,11 +86,11 @@ class VmDriver
def run_command(command) def run_command(command)
raise "Command not Implemented" raise "Command not Implemented"
end end
def copy_from_guest(from, to) def copy_from_guest(from, to)
raise "Command not Implemented" raise "Command not Implemented"
end end
def copy_to_guest(from, to) def copy_to_guest(from, to)
raise "Command not Implemented" raise "Command not Implemented"
end end
@ -117,6 +117,7 @@ private
#::Net::SCP.start(@hostname, @vm_user, :password => @vm_pass) do |scp| #::Net::SCP.start(@hostname, @vm_user, :password => @vm_pass) do |scp|
# scp.upload!(from,to) # scp.upload!(from,to)
#end #end
system_command("scp #{local} #{@vm_user}@#{@hostname}:#{remote}") system_command("scp #{local} #{@vm_user}@#{@hostname}:#{remote}")
end end
@ -126,13 +127,17 @@ private
#::Net::SCP.start(@hostname, @vm_user, :password => @vm_pass) do |scp| #::Net::SCP.start(@hostname, @vm_user, :password => @vm_pass) do |scp|
# scp.download!(from,to) # scp.download!(from,to)
#end #end
system_command("scp #{@vm_user}@#{@hostname}:#{remote} #{local}") system_command("scp #{@vm_user}@#{@hostname}:#{remote} #{local}")
end
end
def ssh_exec(command) def ssh_exec(command)
::Net::SSH.start(@hostname, @vm_user, :password => @vm_pass) do |ssh| ::Net::SSH.start(@hostname, @vm_user, :password => @vm_pass) do |ssh|
result = ssh.exec!(command) result = ssh.exec!(command)
end end
`scp #{@vm_user}@#{@hostname} from to` `scp #{@vm_user}@#{@hostname} from to`
end end
@ -143,6 +148,7 @@ private
unless /^[\d\w\s\[\]\{\}\/\\\.\-\"\(\):!]*$/.match string unless /^[\d\w\s\[\]\{\}\/\\\.\-\"\(\):!]*$/.match string
raise "WARNING! Invalid character in: #{string}" raise "WARNING! Invalid character in: #{string}"
end end
string string
end end
@ -153,17 +159,18 @@ private
unless /^[\d\w\s\[\]\{\}\/\\\.\-\"\(\)]*$/.match string unless /^[\d\w\s\[\]\{\}\/\\\.\-\"\(\)]*$/.match string
raise "WARNING! Invalid character in: #{string}" raise "WARNING! Invalid character in: #{string}"
end end
string string
end end
# The only reason we don't filter here is because we need # The only reason we don't filter here is because we need
# the ability to still run clean (controlled entirely by us) # the ability to still run clean (controlled entirely by us)
# command lines. # command lines.
def system_command(command) def system_command(command)
`#{command}` `#{command}`
end end
def remote_system_command(command) def remote_system_command(command)
system_command("ssh #{@user}@#{@host} \"#{command}\"") system_command("ssh #{@user}@#{@host} \"#{command}\"")
end end

140
lib/lab/modifier/meterpreter_modifier.rb
View File

@ -1,73 +1,26 @@
$:.unshift(File.join(File.dirname(__FILE__), '..', '..')) $:.unshift(File.join(File.dirname(__FILE__), '..', '..'))
# This allows us to override the default way of running commands # This allows us to override the default way of running commands
# Currently useful for the remote esx driver # Currently useful for the esx controller
module Lab module Lab
module Modifier module Modifier
module Meterpreter module Meterpreter
attr_accessor :framework attr_accessor :framework
attr_accessor :session attr_accessor :session
attr_accessor :session_input attr_accessor :session_input
attr_accessor :session_output attr_accessor :session_output
def meterpreter_run_command(command, timeout=60)
setup_session
puts "Using session #{@session}"
# TODO: pass the timeout down
if @session
if @session.type == "shell"
puts "Running command via shell: #{command}"
@session.shell_command_token(command, timeout)
elsif @session.type == "meterpreter"
puts "Running command via meterpreter: #{command}"
@session.shell_command(command) #, timeout)
end
else
raise "No session"
end
end
def meterpreter_copy_to_guest(local,remote)
puts "DEBUG: Meterpreter"
setup_session
if @session.type == "meterpreter"
@session.run_cmd("upload #{local} #{remote}")
else
@driver.copy_to(local,remote)
end
end
def meterpreter_copy_from_guest(local, remote)
puts "DEBUG: Meterpreter"
setup_session
if @session.type == "meterpreter"
@session.run_cmd("download #{local} #{remote}")
else
@driver.copy_from(local,remote)
end
end
# This isn't part of the normal API, but too good to pass up.
def meterpreter_run_script(script, options)
if @session.type == "meterpreter"
@session.execute_script(script, options)
else
raise "Unsupported on #{@session.type}"
end
end
private
def create_framework def create_framework
return if @framework return if @framework
@framework = Msf::Simple::Framework.create @framework = Msf::Simple::Framework.create
end end
# perform the setup only once # perform the setup only once
def setup_session def setup_session
return if @session return if @session
@ -75,11 +28,12 @@ private
# require the framework (assumes this sits in lib/lab/modifiers) # require the framework (assumes this sits in lib/lab/modifiers)
require 'msf/base' require 'msf/base'
create_framework # TODO - this should use a single framework for all hosts, not one-per-host create_framework ## TODO - this should use a single framework
## for all hosts, not one-per-host
@session = nil @session = nil
@session_input = Rex::Ui::Text::Input::Buffer.new @session_input = Rex::Ui::Text::Input::Buffer.new
@session_output = Rex::Ui::Text::Output::Buffer.new @session_output = Rex::Ui::Text::Output::Buffer.new
if @os == "windows" if @os == "windows"
exploit_name = 'windows/smb/psexec' exploit_name = 'windows/smb/psexec'
@ -87,12 +41,11 @@ private
# TODO - check for x86, choose the appropriate payload # TODO - check for x86, choose the appropriate payload
payload_name = 'windows/meterpreter/bind_tcp' payload_name = 'windows/meterpreter/bind_tcp'
options = { options = { "RHOST" => @hostname,
"RHOST" => @hostname, "SMBUser" => @vm_user,
"SMBUser" => @vm_user, "SMBPass" => @vm_pass}
"SMBPass" => @vm_pass}
puts "DEBUG: using options #{options}" puts "DEBUG: using options #{options}"
# Initialize the exploit instance # Initialize the exploit instance
exploit = @framework.exploits.create(exploit_name) exploit = @framework.exploits.create(exploit_name)
@ -126,7 +79,7 @@ private
"USER_AS_PASS" => false, "USER_AS_PASS" => false,
"VERBOSE" => false} "VERBOSE" => false}
puts "DEBUG: using options #{options}" puts "DEBUG: using options #{options}"
# Initialize the module instance # Initialize the module instance
aux = @framework.auxiliary.create(module_name) aux = @framework.auxiliary.create(module_name)
@ -148,7 +101,64 @@ private
puts e.to_s puts e.to_s
end end
end end
end end
def run_command(command, timeout=60)
setup_session
puts "Using session #{@session}"
# TODO: pass the timeout down
if @session
if @session.type == "shell"
puts "Running command via shell: #{command}"
@session.shell_command_token(command, timeout)
elsif @session.type == "meterpreter"
puts "Running command via meterpreter: #{command}"
@session.shell_command(command) #, timeout)
end
else
raise "No session"
end
end
# This isn't part of the normal API, but too good to pass up.
def run_script(script, options)
if @session.type == "meterpreter"
@session.execute_script(script, options)
else
raise "Unsupported on #{@session.type}"
end
end
# For meterpreter API compatibility
#def execute_file(script,options)
# run_script(script,options)
#end
def copy_to_guest(local,remote)
setup_session
if @session.type == "meterpreter"
@session.run_cmd("upload #{local} #{remote}")
else
@driver.copy_to(local,remote)
end
end
def copy_from_guest(local, remote)
setup_session
if @session.type == "meterpreter"
@session.run_cmd("download #{local} #{remote}")
else
@driver.copy_from(local,remote)
end
end
end end
end end
end end

19
lib/lab/vm.rb
View File

@ -103,15 +103,12 @@ class Vm
# modifiers are properly used with the correct VM image. # modifiers are properly used with the correct VM image.
@modifiers = config['modifiers'] @modifiers = config['modifiers']
if @modifiers if @modifiers
@modifiers.each do |modifier| begin
begin @modifiers.each { |modifier| self.class.send(:include, eval("Lab::Modifier::#{modifier}"))}
self.class.send(:include, eval("Lab::Modifier::#{modifier}")) rescue Exception => e
rescue Exception => e # modifier likely didn't exist
#puts "WARNING: Unable to load: #{modifier}" end
#puts "Exception: #{e}"
end
end
end end
# Consume all tags # Consume all tags
@ -209,9 +206,11 @@ class Vm
end end
def to_yaml def to_yaml
# TODO - push this down to the drivers.
# Standard configuration options # Standard configuration options
out = " - vmid: #{@vmid}\n" out = " - vmid: #{@vmid}\n"
out = " hostname: #{@hostname}\n"
out += " driver: #{@driver_type}\n" out += " driver: #{@driver_type}\n"
out += " location: #{@location}\n" out += " location: #{@location}\n"
out += " type: #{@type}\n" out += " type: #{@type}\n"

21
lib/lab/vm_controller.rb
View File

@ -158,12 +158,12 @@ module Controllers
case driver_type.intern case driver_type.intern
when :workstation when :workstation
vm_list = ::Lab::Controllers::WorkstationController::running_list vm_list = ::Lab::Controllers::WorkstationController::running_list
vm_list.each do |item| vm_list.each do |item|
## Name the VM ## Name the VM
index = @vms.count + 1 index = @vms.count + 1
## Add it to the vm list ## Add it to the vm list
@vms << Vm.new( { 'vmid' => "vm_#{index}", @vms << Vm.new( { 'vmid' => "vm_#{index}",
'driver' => driver_type, 'driver' => driver_type,
@ -171,6 +171,8 @@ module Controllers
'user' => user, 'user' => user,
'host' => host } ) 'host' => host } )
end end
when :virtualbox when :virtualbox
vm_list = ::Lab::Controllers::VirtualBoxController::running_list vm_list = ::Lab::Controllers::VirtualBoxController::running_list
vm_list.each do |item| vm_list.each do |item|
@ -187,10 +189,10 @@ module Controllers
vm_list = ::Lab::Controllers::RemoteWorkstationController::running_list(user, host) vm_list = ::Lab::Controllers::RemoteWorkstationController::running_list(user, host)
vm_list.each do |item| vm_list.each do |item|
## Name the VM ## Name the VM
index = @vms.count + 1 index = @vms.count + 1
## Add it to the vm list ## Add it to the vm list
@vms << Vm.new( { 'vmid' => "vm_#{index}", @vms << Vm.new( { 'vmid' => "vm_#{index}",
'driver' => driver_type, 'driver' => driver_type,
@ -200,6 +202,7 @@ module Controllers
end end
when :remote_esx when :remote_esx
vm_list = ::Lab::Controllers::RemoteEsxController::running_list(user,host) vm_list = ::Lab::Controllers::RemoteEsxController::running_list(user,host)
vm_list.each do |item| vm_list.each do |item|
@vms << Vm.new( { 'vmid' => "#{item[:id]}", @vms << Vm.new( { 'vmid' => "#{item[:id]}",
'name' => "#{item[:name]}", 'name' => "#{item[:name]}",
@ -207,11 +210,12 @@ module Controllers
'user' => user, 'user' => user,
'host' => host } ) 'host' => host } )
end end
else else
raise TypeError, "Unsupported VM Type" raise TypeError, "Unsupported VM Type"
end end
end end
def build_from_config(driver_type=nil, user=nil, host=nil, clear=false) def build_from_config(driver_type=nil, user=nil, host=nil, clear=false)
if clear if clear
@ -230,17 +234,18 @@ module Controllers
'user' => user, 'user' => user,
'host' => host } ) 'host' => host } )
end end
else else
raise TypeError, "Unsupported VM Type" raise TypeError, "Unsupported VM Type"
end end
end end
def running?(vmid) def running?(vmid)
if includes_vmid?(vmid) if includes_vmid?(vmid)
return self.find_by_hostname(vmid).running? return self.find_by_hostname(vmid).running?
end end
return false return false
end end
end end
end end

4
plugins/lab.rb
View File

@ -384,6 +384,8 @@ class Plugin::Lab < Msf::Plugin
local_path = args[args.count-2] local_path = args[args.count-2]
vm_path = args[args.count-1] vm_path = args[args.count-1]
print_line "Copying from #{local_path} to #{vm_path} on #{args[0]}"
if args[0] == "all" if args[0] == "all"
@controller.each do |vm| @controller.each do |vm|
if vm.running? if vm.running?
@ -393,7 +395,7 @@ class Plugin::Lab < Msf::Plugin
end end
else else
args[0..-2].each do |vmid_arg| args[0..-2].each do |vmid_arg|
next unless @controller.includes_hostname? vmid_arg next unless @controller.includes_vmid? vmid_arg
if @controller[vmid_arg].running? if @controller[vmid_arg].running?
print_line "Copying from #{local_path} to #{vm_path} on #{vmid_arg}" print_line "Copying from #{local_path} to #{vm_path} on #{vmid_arg}"
@controller[vmid_arg].copy_to_guest(local_path, vm_path) @controller[vmid_arg].copy_to_guest(local_path, vm_path)