GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/msf/base/sessions/scriptable.rb
# -*- coding: binary -*-
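module Msf::Sessions

#
# Mixed into session classes that can `run` something in the context of the
# session: a local session script (a .rb file), a Post module, or a local
# Exploit module.
#
# The including class must implement +execute_file(full_path, args)+ and is
# expected to provide +type+ (at class level), +sid+, +framework+, +exploit+,
# +user_input+, +user_output+ and the print_*/elog helpers used below.
#
module Scriptable

  # Legacy Meterpreter script name => replacement module reference name.
  # Hoisted into a frozen constant so the table is built once rather than on
  # every lookup.
  LEGACY_SCRIPT_POST_MODULES = {
    'arp_scanner' => 'post/windows/gather/arp_scanner',
    'autoroute' => 'post/multi/manage/autoroute',
    'checkvm' => 'post/windows/gather/checkvm',
    'credcollect' => 'post/windows/gather/credentials/credential_collector',
    'domain_list_gen' => 'post/windows/gather/enum_domain_group_users',
    'dumplinks' => 'post/windows/gather/dumplinks',
    'duplicate' => 'post/windows/manage/multi_meterpreter_inject',
    'enum_chrome' => 'post/windows/gather/enum_chrome',
    'enum_firefox' => 'post/windows/gather/enum_firefox',
    'enum_logged_on_users' => 'post/windows/gather/enum_logged_on_users',
    'enum_powershell_env' => 'post/windows/gather/enum_powershell_env',
    'enum_putty' => 'post/windows/gather/enum_putty_saved_sessions',
    'enum_shares' => 'post/windows/gather/enum_shares',
    'file_collector' => 'post/windows/gather/enum_files',
    'get_application_list' => 'post/windows/gather/enum_applications',
    'get_env' => 'post/multi/gather/env',
    'get_filezilla_creds' => 'post/windows/gather/credentials/filezilla_server',
    'get_pidgin_creds' => 'post/multi/gather/pidgin_cred',
    'get_local_subnets' => 'post/multi/manage/autoroute',
    'get_valid_community' => 'post/windows/gather/enum_snmp',
    'getcountermeasure' => 'post/windows/manage/killav',
    'getgui' => 'post/windows/manage/enable_rdp',
    'getvncpw' => 'post/windows/gather/credentials/vnc',
    'hashdump' => 'post/windows/gather/smart_hashdump',
    'hostsedit' => 'post/windows/manage/inject_host',
    'keylogrecorder' => 'post/windows/capture/keylog_recorder',
    'killav' => 'post/windows/manage/killav',
    'metsvc' => 'exploit/windows/local/persistence',
    'migrate' => 'post/windows/manage/migrate',
    'panda_2007_pavsrv51' => 'exploit/windows/local/service_permissions',
    'pml_driver_config' => 'exploit/windows/local/service_permissions',
    'packetrecorder' => 'post/windows/manage/rpcapd_start',
    'persistence' => 'exploit/windows/local/persistence',
    'prefetchtool' => 'post/windows/gather/enum_prefetch',
    'remotewinenum' => 'post/windows/gather/wmic_command',
    'schelevator' => 'exploit/windows/local/ms10_092_schelevator',
    'screen_unlock' => 'post/windows/escalate/screen_unlock',
    'screenspy' => 'post/windows/gather/screen_spy',
    'search_dwld' => 'post/windows/gather/enum_files',
    # NOTE(review): 'exploits/' (plural) differs from every other exploit
    # entry here. Kept byte-for-byte because it only appears in the
    # deprecation hint printed to the operator; confirm whether it should be
    # 'exploit/windows/local/service_permissions'.
    'service_permissions_escalate' => 'exploits/windows/local/service_permissions',
    'sound_recorder' => 'post/multi/manage/record_mic',
    'srt_webdrive_priv' => 'exploit/windows/local/service_permissions',
    'uploadexec' => 'post/windows/manage/download_exec',
    'webcam' => 'post/windows/manage/webcam',
    'wmic' => 'post/windows/gather/wmic_command',
  }.freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    #
    # If the +script+ exists, return its path. Otherwise return nil.
    #
    # +script+ is tried verbatim first, so an absolute or relative path to any
    # regular file on the local filesystem is accepted and will later be
    # executed by +execute_file+. No containment to the script directories is
    # enforced here (the operator is trusted), which means a script name that
    # arrives via the datastore (AutoRunScript / InitialAutoRunScript, e.g.
    # from a resource file) is effectively an "execute this local file"
    # instruction.
    #
    # @param script [String] bare name, name with .rb, or a filesystem path
    # @return [String, nil] the first candidate that is a regular file
    #
    def find_script_path(script)
      candidates = [
        script,
        ::File.join(script_base, "#{script}"),
        ::File.join(script_base, "#{script}.rb"),
        ::File.join(user_script_base, "#{script}"),
        ::File.join(user_script_base, "#{script}.rb")
      ]

      # First regular file wins; directories and missing files are skipped.
      candidates.find { |path| ::File.file?(path) }
    end

    # Framework-shipped script directory for this session type.
    def script_base
      ::File.join(Msf::Config.script_directory, self.type)
    end

    # Operator-local script directory for this session type.
    def user_script_base
      ::File.join(Msf::Config.user_script_directory, self.type)
    end
  end

  #
  # Override in the including class: run the script at +full_path+ with
  # +args+.
  #
  # The arguments are accepted (and ignored) here so that a class which forgot
  # to override this method surfaces NotImplementedError rather than the
  # ArgumentError the old zero-arity definition produced when +execute_script+
  # called it with two arguments. NotImplementedError is a ScriptError, not a
  # StandardError, so it deliberately escapes the rescue in +execute_script+.
  #
  # @raise [NotImplementedError] always
  #
  def execute_file(_full_path = nil, _args = nil)
    raise NotImplementedError
  end

  #
  # Maps legacy Meterpreter script names to replacement post modules
  #
  # @param script_name [String]
  # @return [String, nil] module reference name, or nil when not a known legacy script
  #
  def legacy_script_to_post_module(script_name)
    LEGACY_SCRIPT_POST_MODULES[script_name]
  end

  #
  # Executes the supplied script, Post module, or local Exploit module with
  # arguments +args+
  #
  # Resolution order: if +framework.modules.create+ recognises +script_name+
  # as a module reference name, the module is run; otherwise +script_name+ is
  # resolved on disk via +find_script_path+ (which accepts arbitrary local
  # paths — see there) and handed to +execute_file+.
  #
  # For modules, each element of +args+ is an "OPTION=value" pair merged into
  # the module's options (keys downcased; a value-less argument maps to nil).
  # For scripts, +args+ is passed through untouched.
  #
  # @param script_name [String] module reference name, script name or path
  # @param args [Array<String>] extra arguments from the `run` command line
  # @return [void]
  #
  def execute_script(script_name, *args)
    post_module = legacy_script_to_post_module(script_name)

    if post_module
      print_warning("Meterpreter scripts are deprecated. Try #{post_module}.")
      print_warning("Example: run #{post_module} OPTION=value [...]")
    end

    mod = framework.modules.create(script_name)
    if mod
      # Don't report module run events here as it will be taken care of
      # in +Post.run_simple+
      opts = { 'SESSION' => self.sid }
      args.each do |arg|
        # "".split("=", 2) is [] and used to raise NoMethodError on nil#downcase;
        # a blank argument is simply ignored instead.
        next if arg.to_s.empty?
        k, v = arg.split("=", 2)
        # case doesn't matter in datastore, but it does in hashes, let's normalize
        opts[k.downcase] = v
      end

      if mod.type == "post"
        mod.run_simple(
          # Run with whatever the default stance is for now. At some
          # point in the future, we'll probably want a way to force a
          # module to run in the background
          #'RunAsJob' => true,
          'LocalInput' => self.user_input,
          'LocalOutput' => self.user_output,
          'Options' => opts
        )
      elsif mod.type == "exploit" && mod.exploit_type == "local"
        # well it must be a local, we're not currently supporting anything else

        # Seed the local exploit with the datastore of the exploit that spawned
        # this session, when there is one. A session with no originating
        # exploit (self.exploit nil) used to raise NoMethodError here.
        original_exploit_datastore = (self.exploit && self.exploit.datastore) || {}
        copy_of_orig_exploit_datastore = original_exploit_datastore.clone
        # convert datastore opts to a hash to normalize casing issues
        local_exploit_opts = {}
        copy_of_orig_exploit_datastore.each do |k, v|
          local_exploit_opts[k.downcase] = v
        end
        # we don't want to inherit a couple things, like AutoRunScript's:
        # carrying the parent's AutoRunScript into the new session would re-enter
        # this method from the session the local exploit creates, and the
        # parent's LPORT/TARGET belong to the original exploit, not this one.
        to_neuter = %w{AutoRunScript InitialAutoRunScript LPORT TARGET}
        to_neuter.each do |setting|
          local_exploit_opts.delete(setting.downcase)
        end

        # merge in any opts that were passed in, defaulting all other settings
        # to the values from the datastore (of the exploit) that spawned the
        # session
        local_exploit_opts = local_exploit_opts.merge(opts)

        mod.exploit_simple(
          'Payload' => local_exploit_opts.delete('payload'),
          'Target' => local_exploit_opts.delete('target'),
          'LocalInput' => self.user_input,
          'LocalOutput' => self.user_output,
          'Options' => local_exploit_opts
        )
      else
        # Previously a non-post, non-local module name was accepted and then
        # silently did nothing; tell the operator why nothing ran.
        print_error("Only post modules and local exploits can be run from a session: #{script_name}")
      end
    else
      full_path = self.class.find_script_path(script_name)

      if full_path.nil?
        print_error("The specified #{self.type} session script could not be found: #{script_name}")
        return
      end

      begin
        execute_file(full_path, args)
        # Only reached when the script ran without raising, so the event is
        # not emitted for failed runs.
        framework.events.on_session_script_run(self, full_path)
      rescue StandardError => e
        elog("Could not execute #{script_name}: #{e.class} #{e}", error: e)
        print_error("Could not execute #{script_name}: #{e.class} #{e}")
      end
    end
  end

end

end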