Land #11103, CreateSession option for aux modules

GSoC/Meterpreter_Web_Console
William Vu 2018-12-12 16:25:38 -06:00
commit da0202aa90
No known key found for this signature in database
GPG Key ID: 68BD00CE25866743
17 changed files with 39 additions and 22 deletions

View File

@ -17,6 +17,7 @@ module CommandShellOptions
register_advanced_options( register_advanced_options(
[ [
OptBool.new('CreateSession', [false, 'Create a new session for every successful login', true]),
OptString.new('InitialAutoRunScript', "An initial script to run on session creation (before AutoRunScript)"), OptString.new('InitialAutoRunScript', "An initial script to run on session creation (before AutoRunScript)"),
OptString.new('AutoRunScript', "A script to run automatically on session creation."), OptString.new('AutoRunScript', "A script to run automatically on session creation."),
OptString.new('CommandShellCleanupCommand', "A command to run before the session is closed") OptString.new('CommandShellCleanupCommand', "A command to run before the session is closed")

View File

@ -182,6 +182,6 @@ class MetasploitModule < Msf::Auxiliary
# Don't tie the life of this socket to the exploit # Don't tie the life of this socket to the exploit
self.sockets.delete(stderr_sock) self.sockets.delete(stderr_sock)
start_session(self, "rexec #{user}:#{pass} (#{host}:#{port})", merge_me) start_session(self, "rexec #{user}:#{pass} (#{host}:#{port})", merge_me) if datastore['CreateSession']
end end
end end

View File

@ -326,7 +326,7 @@ class MetasploitModule < Msf::Auxiliary
end end
report_auth_info(auth_info) report_auth_info(auth_info)
start_session(self, info, merge_me) start_session(self, info, merge_me) if datastore['CreateSession']
end end
end end

View File

@ -267,6 +267,6 @@ class MetasploitModule < Msf::Auxiliary
# Don't tie the life of this socket to the exploit # Don't tie the life of this socket to the exploit
self.sockets.delete(stderr_sock) self.sockets.delete(stderr_sock)
start_session(self, "RSH #{user} from #{luser} (#{host}:#{port})", merge_me) start_session(self, "RSH #{user} from #{luser} (#{host}:#{port})", merge_me) if datastore['CreateSession']
end end
end end

View File

@ -87,13 +87,23 @@ class MetasploitModule < Msf::Auxiliary
shell = Net::SSH::CommandStream.new(ssh) shell = Net::SSH::CommandStream.new(ssh)
return unless shell # XXX: Wait for CommandStream to log a channel request failure
sleep 0.1
if (e = shell.error)
print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
return
end
info = "#{self.name} (#{version})"
ds_merge = { ds_merge = {
'USERNAME' => 'admin' 'USERNAME' => 'admin'
} }
start_session(self, "Eaton Xpert Meter SSH Backdoor (#{version})", ds_merge, false, shell.lsock) if datastore['CreateSession']
start_session(self, info, ds_merge, false, shell.lsock)
end
# XXX: Ruby segfaults if we don't remove the SSH socket # XXX: Ruby segfaults if we don't remove the SSH socket
remove_socket(ssh.transport.socket) remove_socket(ssh.transport.socket)

View File

@ -4,6 +4,7 @@
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::SSH
include Msf::Auxiliary::Scanner include Msf::Auxiliary::Scanner
include Msf::Auxiliary::CommandShell include Msf::Auxiliary::CommandShell
@ -81,15 +82,23 @@ class MetasploitModule < Msf::Auxiliary
shell = Net::SSH::CommandStream.new(ssh) shell = Net::SSH::CommandStream.new(ssh)
return unless shell # XXX: Wait for CommandStream to log a channel request failure
sleep 0.1
info = "Fortinet SSH Backdoor (#{version})" if (e = shell.error)
print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
return
end
info = "#{self.name} (#{version})"
ds_merge = { ds_merge = {
'USERNAME' => 'Fortimanager_Access' 'USERNAME' => 'Fortimanager_Access'
} }
start_session(self, info, ds_merge, false, shell.lsock) if datastore['CreateSession']
start_session(self, info, ds_merge, false, shell.lsock)
end
# XXX: Ruby segfaults if we don't remove the SSH socket # XXX: Ruby segfaults if we don't remove the SSH socket
remove_socket(ssh.transport.socket) remove_socket(ssh.transport.socket)
@ -98,4 +107,5 @@ class MetasploitModule < Msf::Auxiliary
def rport def rport
datastore['RPORT'] datastore['RPORT']
end end
end end

View File

@ -8,10 +8,9 @@ require 'metasploit/framework/login_scanner/ssh'
require 'metasploit/framework/credential_collection' require 'metasploit/framework/credential_collection'
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::CommandShell
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
DEFAULT_USERNAME = 'karaf' DEFAULT_USERNAME = 'karaf'
DEFAULT_PASSWORD = 'karaf' DEFAULT_PASSWORD = 'karaf'

View File

@ -137,7 +137,9 @@ class MetasploitModule < Msf::Auxiliary
case action.name case action.name
when 'Shell' when 'Shell'
start_session(self, "#{self.name} (#{version})", {}, false, shell.lsock) if datastore['CreateSession']
start_session(self, "#{self.name} (#{version})", {}, false, shell.lsock)
end
when 'Execute' when 'Execute'
output = shell.channel && (shell.channel[:data] || '').chomp output = shell.channel && (shell.channel[:data] || '').chomp

View File

@ -128,7 +128,7 @@ class MetasploitModule < Msf::Auxiliary
credential_core = create_credential(credential_data) credential_core = create_credential(credential_data)
credential_data[:core] = credential_core credential_data[:core] = credential_core
create_credential_login(credential_data) create_credential_login(credential_data)
session_setup(result, scanner) session_setup(result, scanner) if datastore['CreateSession']
:next_user :next_user
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect: #{result.proof}" vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect: #{result.proof}"

View File

@ -152,7 +152,7 @@ class MetasploitModule < Msf::Auxiliary
create_credential_login(credential_data) create_credential_login(credential_data)
tmp_key = result.credential.private tmp_key = result.credential.private
ssh_key = SSHKey.new tmp_key ssh_key = SSHKey.new tmp_key
session_setup(result, scanner, ssh_key.fingerprint) session_setup(result, scanner, ssh_key.fingerprint) if datastore['CreateSession']
:next_user :next_user
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
if datastore['VERBOSE'] if datastore['VERBOSE']

View File

@ -152,6 +152,6 @@ class MetasploitModule < Msf::Auxiliary
'PASSWORD' => pass 'PASSWORD' => pass
} }
start_session(self, "TELNET #{user}:#{pass} (#{host}:#{port})", merge_me, true, scanner.sock) start_session(self, "TELNET #{user}:#{pass} (#{host}:#{port})", merge_me, true, scanner.sock) if datastore['CreateSession']
end end
end end

View File

@ -90,7 +90,7 @@ class MetasploitModule < Msf::Auxiliary
credential_data[:core] = credential_core credential_data[:core] = credential_core
create_credential_login(credential_data) create_credential_login(credential_data)
print_good "#{ip}:#{rport} - Login Successful: #{result.credential}" print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"
start_telnet_session(ip,rport,result.credential.public,result.credential.private,scanner) start_telnet_session(ip,rport,result.credential.public,result.credential.private,scanner) if datastore['CreateSession']
else else
invalidate_login(credential_data) invalidate_login(credential_data)
vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})" vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"

View File

@ -9,7 +9,6 @@ require 'net/ssh/command_stream'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Auxiliary::CommandShell
include Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::SSH
def initialize(info={}) def initialize(info={})

View File

@ -7,7 +7,6 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking # It's backdooring the remote device Rank = ManualRanking # It's backdooring the remote device
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::CommandShell
include Msf::Exploit::FileDropper include Msf::Exploit::FileDropper
RESPONSE_PATTERN = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data" RESPONSE_PATTERN = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"

View File

@ -9,7 +9,6 @@ require 'net/ssh/command_stream'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Auxiliary::CommandShell
include Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::SSH
def initialize(info={}) def initialize(info={})

View File

@ -9,7 +9,6 @@ require 'net/ssh/command_stream'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Auxiliary::CommandShell
include Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::SSH
def initialize(info={}) def initialize(info={})

View File

@ -9,9 +9,8 @@ require 'net/ssh/command_stream'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Auxiliary::Report
include Msf::Auxiliary::CommandShell
include Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::SSH
include Msf::Auxiliary::Report
def initialize(info = {}) def initialize(info = {})
super(update_info(info, { super(update_info(info, {