CoCalc -- aggregator.rb

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/plugins/aggregator.rb
Views: ¹⁹⁰³
1
module Msf
2
  Aggregator_yaml = "#{Msf::Config.config_directory}/aggregator.yaml".freeze # location of the aggregator.yml containing saved aggregator creds
3

4
  # This plugin provides management and interaction with an external session aggregator.
5
  class Plugin::Aggregator < Msf::Plugin
6
    class AggregatorCommandDispatcher
7
      include Msf::Ui::Console::CommandDispatcher
8

9
      @response_queue = []
10

11
      def name
12
        'Aggregator'
13
      end
14

15
      def commands
16
        {
17
          'aggregator_connect' => 'Connect to a running Aggregator instance ( host[:port] )',
18
          'aggregator_save' => 'Save connection details to an Aggregator instance',
19
          'aggregator_disconnect' => 'Disconnect from an active Aggregator instance',
20
          'aggregator_addresses' => 'List all remote ip addresses available for ingress',
21
          'aggregator_cables' => 'List all remote listeners for sessions',
22
          'aggregator_cable_add' => 'Setup remote https listener for sessions',
23
          'aggregator_cable_remove' => 'Stop remote listener for sessions',
24
          'aggregator_default_forward' => 'forward a unlisted/unhandled sessions to a specified listener',
25
          'aggregator_sessions' => 'List all remote sessions currently available from the Aggregator instance',
26
          'aggregator_session_forward' => 'forward a session to a specified listener',
27
          'aggregator_session_park' => 'Park an existing session on the Aggregator instance'
28
        }
29
      end
30

31
      def aggregator_verify
32
        if !@aggregator
33
          print_error("No active Aggregator instance has been configured, please use 'aggregator_connect'")
34
          return false
35
        end
36

37
        true
38
      end
39

40
      def usage(*lines)
41
        print_status('Usage: ')
42
        lines.each do |line|
43
          print_status("       #{line}")
44
        end
45
      end
46

47
      def usage_save
48
        usage('aggregator_save')
49
      end
50

51
      def usage_connect
52
        usage('aggregator_connect host[:port]',
53
              ' -OR- ',
54
              'aggregator_connect host port')
55
      end
56

57
      def usage_cable_add
58
        usage('aggregator_cable_add host:port [certificate]',
59
              ' -OR- ',
60
              'aggregator_cable_add host port [certificate]')
61
      end
62

63
      def usage_cable_remove
64
        usage('aggregator_cable_remove host:port',
65
              ' -OR- ',
66
              'aggregator_cable_remove host port')
67
      end
68

69
      def usage_session_forward
70
        usage('aggregator_session_forward remote_id')
71
      end
72

73
      def usage_default_forward
74
        usage('aggregator_session_forward')
75
      end
76

77
      def show_session(details, _target, local_id)
78
        status = pad_space("  #{local_id}", 4)
79
        status += "  #{details['ID']}"
80
        status = pad_space(status, 15)
81
        status += '  meterpreter '
82
        status += "#{guess_target_platform(details['OS'])} "
83
        status = pad_space(status, 43)
84
        status += "#{details['USER']} @ #{details['HOSTNAME']} "
85
        status = pad_space(status, 64)
86
        status += "#{details['LOCAL_SOCKET']} -> #{details['REMOTE_SOCKET']}"
87
        print_status status
88
      end
89

90
      def show_session_detailed(details, target, local_id)
91
        print_status "\t Remote ID: #{details['ID']}"
92
        print_status "\t      Type: meterpreter #{guess_target_platform(details['OS'])}"
93
        print_status "\t      Info: #{details['USER']} @ #{details['HOSTNAME']}"
94
        print_status "\t    Tunnel: #{details['LOCAL_SOCKET']} -> #{details['REMOTE_SOCKET']}"
95
        print_status "\t       Via: exploit/multi/handler"
96
        print_status "\t      UUID: #{details['UUID']}"
97
        print_status "\t MachineID: #{details['MachineID']}"
98
        print_status "\t   CheckIn: #{details['LAST_SEEN'].to_i}s ago" unless details['LAST_SEEN'].nil?
99
        print_status "\tRegistered: Not Yet Implemented"
100
        print_status "\t   Forward: #{target}"
101
        print_status "\tSession ID: #{local_id}" unless local_id.nil?
102
        print_status ''
103
      end
104

105
      def cmd_aggregator_save(*args)
106
        # if we are logged in, save session details to aggregator.yaml
107
        if !args.empty? || args[0] == '-h'
108
          usage_save
109
          return
110
        end
111

112
        if args[0]
113
          usage_save
114
          return
115
        end
116

117
        group = 'default'
118

119
        if (@host && !@host.empty?) && (@port && !@port.empty? && @port.to_i > 0)
120
          config = { group.to_s => { 'server' => @host, 'port' => @port } }
121
          ::File.open(Aggregator_yaml.to_s, 'wb') { |f| f.puts YAML.dump(config) }
122
          print_good("#{Aggregator_yaml} created.")
123
        else
124
          print_error('Missing server/port - reconnect and then try again.')
125
          return
126
        end
127
      end
128

129
      def cmd_aggregator_connect(*args)
130
        if !args[0] && ::File.readable?(Aggregator_yaml.to_s)
131
          lconfig = YAML.load_file(Aggregator_yaml.to_s)
132
          @host = lconfig['default']['server']
133
          @port = lconfig['default']['port']
134
          aggregator_login
135
          return
136
        end
137

138
        if args.empty? || args[0].empty? || args[0] == '-h'
139
          usage_connect
140
          return
141
        end
142

143
        @host = @port = @sslv = nil
144

145
        case args.length
146
        when 1
147
          @host, @port = args[0].split(':', 2)
148
          @port ||= '2447'
149
        when 2
150
          @host, @port = args
151
        else
152
          usage_connect
153
          return
154
        end
155
        aggregator_login
156
      end
157

158
      def cmd_aggregator_sessions(*args)
159
        case args.length
160
        when 0
161
          is_detailed = false
162
        when 1
163
          unless args[0] == '-v'
164
            usage_sessions
165
            return
166
          end
167
          is_detailed = true
168
        else
169
          usage_sessions
170
          return
171
        end
172
        return unless aggregator_verify
173

174
        sessions_list = @aggregator.sessions
175
        return if sessions_list.nil?
176

177
        session_map = {}
178

179
        # get details for each session and print in format of sessions -v
180
        sessions_list.each do |session|
181
          session_id, target = session
182
          details = @aggregator.session_details(session_id)
183
          local_id = nil
184
          framework.sessions.each_pair do |key, value|
185
            next unless value.conn_id == session_id
186

187
            local_id = key
188
          end
189
          # filter session that do not have details as forwarding options (this may change later)
190
          next unless details && details['ID']
191

192
          session_map[details['ID']] = [details, target, local_id]
193
        end
194

195
        print_status('Remote sessions')
196
        print_status('===============')
197
        print_status('')
198
        if session_map.empty?
199
          print_status('No remote sessions.')
200
        else
201
          unless is_detailed
202
            print_status('  Id  Remote Id  Type                      Information          Connection')
203
            print_status('  --  ---------  ----                      -----------          ----------')
204
          end
205
          session_map.keys.sort.each do |key|
206
            details, target, local_id = session_map[key]
207
            if is_detailed
208
              show_session_detailed(details, target, local_id)
209
            else
210
              show_session(details, target, local_id)
211
            end
212
          end
213
        end
214
      end
215

216
      def cmd_aggregator_addresses(*_args)
217
        return if !aggregator_verify
218

219
        address_list = @aggregator.available_addresses
220
        return if address_list.nil?
221

222
        print_status('Remote addresses found:')
223
        address_list.each do |addr|
224
          print_status("    #{addr}")
225
        end
226
      end
227

228
      def cmd_aggregator_cable_add(*args)
229
        host, port, certificate = nil
230
        case args.length
231
        when 1
232
          host, port = args[0].split(':', 2)
233
        when 2
234
          host, port = args[0].split(':', 2)
235
          if port.nil?
236
            port = args[1]
237
          else
238
            certificate = args[1]
239
          end
240
        when 3
241
          host, port, certificate = args
242
        else
243
          usage_cable_add
244
          return
245
        end
246

247
        if !aggregator_verify || args.empty? || args[0] == '-h' || \
248
           port.nil? || port.to_i <= 0
249
          usage_cable_add
250
          return
251
        end
252

253
        certificate = File.new(certificate).read if certificate && File.exist?(certificate)
254

255
        @aggregator.add_cable(Metasploit::Aggregator::Cable::HTTPS, host, port, certificate)
256
      end
257

258
      def cmd_aggregator_cables(*_args)
259
        return if !aggregator_verify
260

261
        res = @aggregator.cables
262
        print_status('Remote Cables:')
263
        res.each do |k|
264
          print_status("    #{k}")
265
        end
266
      end
267

268
      def cmd_aggregator_cable_remove(*args)
269
        case args.length
270
        when 1
271
          host, port = args[0].split(':', 2)
272
        when 2
273
          host, port = args
274
        end
275
        if !aggregator_verify || args.empty? || args[0] == '-h' || host.nil?
276
          usage_cable_remove
277
          return
278
        end
279
        @aggregator.remove_cable(host, port)
280
      end
281

282
      def cmd_aggregator_session_park(*args)
283
        return if !aggregator_verify
284

285
        case args.length
286
        when 1
287
          session_id = args[0]
288
          s = framework.sessions.get(session_id)
289
          if s.nil?
290
            print_status("#{session_id} is not a valid session.")
291
          elsif @aggregator.sessions.keys.include? s.conn_id
292
            @aggregator.release_session(s.conn_id)
293
            framework.sessions.deregister(s)
294
          else
295
            # TODO: determine if we can add a transport and route with the
296
            # aggregator. For now, just report action not taken.
297
            print_status("#{session_id} does not originate from the aggregator connection.")
298
          end
299
        else
300
          usage('aggregator_session_park session_id')
301
          return
302
        end
303
      end
304

305
      def cmd_aggregator_default_forward(*_args)
306
        return if !aggregator_verify
307

308
        @aggregator.register_default(@aggregator.uuid, nil)
309
      end
310

311
      def cmd_aggregator_session_forward(*args)
312
        return if !aggregator_verify
313

314
        remote_id = nil
315
        case args.length
316
        when 1
317
          remote_id = args[0]
318
        else
319
          usage_session_forward
320
          return
321
        end
322
        # find session with ID matching request
323
        @aggregator.sessions.each do |session|
324
          session_uri, _target = session
325
          details = @aggregator.session_details(session_uri)
326
          next unless details['ID'] == remote_id
327

328
          return @aggregator.obtain_session(session_uri, @aggregator.uuid)
329
        end
330
        print_error("#{remote_id} was not found.")
331
      end
332

333
      def cmd_aggregator_disconnect(*_args)
334
        if @aggregator && @aggregator.available?
335
          # check if this connection is the default forward
336
          @aggregator.register_default(nil, nil) if @aggregator.default == @aggregator.uuid
337

338
          # now check for any specifically forwarded sessions
339
          local_sessions_by_id = {}
340
          framework.sessions.each_pair do |_id, s|
341
            local_sessions_by_id[s.conn_id] = s
342
          end
343

344
          sessions = @aggregator.sessions
345
          unless sessions.nil?
346
            sessions.each_pair do |session, console|
347
              next unless local_sessions_by_id.keys.include?(session)
348

349
              if console == @aggregator.uuid
350
                # park each session locally addressed
351
                cmd_aggregator_session_park(framework.sessions.key(local_sessions_by_id[session]))
352
              else
353
                # simple disconnect session that were from the default forward
354
                framework.sessions.deregister(local_sessions_by_id[session])
355
              end
356
            end
357
          end
358
        end
359
        @aggregator.stop if @aggregator
360
        if @payload_job_ids
361
          @payload_job_ids.each do |id|
362
            framework.jobs.stop_job(id)
363
          end
364
          @payload_job_ids = nil
365
        end
366
        @aggregator = nil
367
      end
368

369
      def aggregator_login
370
        if !((@host && !@host.empty?) && (@port && !@port.empty? && @port.to_i > 0))
371
          usage_connect
372
          return
373
        end
374

375
        if (@host != 'localhost') && (@host != '127.0.0.1')
376
          print_error('Warning: SSL connections are not verified in this release, it is possible for an attacker')
377
          print_error('         with the ability to man-in-the-middle the Aggregator traffic to capture the Aggregator')
378
          print_error('         traffic, if you are running this on an untrusted network.')
379
          return
380
        end
381

382
        # Wrap this so a duplicate session does not prevent access
383
        begin
384
          cmd_aggregator_disconnect
385
        rescue ::Interrupt => e
386
          raise e
387
        rescue ::Exception
388
        end
389

390
        begin
391
          print_status("Connecting to Aggregator instance at #{@host}:#{@port}...")
392
          @aggregator = Metasploit::Aggregator::ServerProxy.new(@host, @port)
393
        end
394

395
        aggregator_compatibility_check
396

397
        unless @payload_job_ids
398
          @payload_job_ids = []
399
          @my_io = local_handler
400
        end
401

402
        @aggregator.register_response_channel(@my_io)
403
        @aggregator
404
      end
405

406
      def aggregator_compatibility_check
407
        false if @aggregator.nil?
408
        unless @aggregator.available?
409
          print_error("Connection to aggregator @ #{@host}:#{@port} is unavailable.")
410
          cmd_aggregator_disconnect
411
        end
412
      end
413

414
      def local_handler
415
        # get a random ephemeral port
416
        server = TCPServer.new('127.0.0.1', 0)
417
        port = server.addr[1]
418
        server.close
419

420
        multi_handler = framework.exploits.create('multi/handler')
421

422
        multi_handler.datastore['LHOST'] = '127.0.0.1'
423
        # multi_handler.datastore['PAYLOAD']              = "multi/meterpreter/reverse_https"
424
        multi_handler.datastore['PAYLOAD'] = 'multi/meterpreter/reverse_http'
425
        multi_handler.datastore['LPORT'] = port.to_s
426

427
        # %w(DebugOptions PrependMigrate PrependMigrateProc
428
        #  InitialAutoRunScript AutoRunScript CAMPAIGN_ID HandlerSSLCert
429
        #  StagerVerifySSLCert PayloadUUIDTracking PayloadUUIDName
430
        #  IgnoreUnknownPayloads SessionRetryTotal SessionRetryWait
431
        #  SessionExpirationTimeout SessionCommunicationTimeout).each do |opt|
432
        #   multi_handler.datastore[opt] = datastore[opt] if datastore[opt]
433
        # end
434

435
        multi_handler.datastore['ExitOnSession'] = false
436
        multi_handler.datastore['EXITFUNC'] = 'thread'
437

438
        multi_handler.exploit_simple(
439
          'LocalInput' => nil,
440
          'LocalOutput' => nil,
441
          'Payload' => multi_handler.datastore['PAYLOAD'],
442
          'RunAsJob' => true
443
        )
444
        @payload_job_ids << multi_handler.job_id
445
        # requester = Metasploit::Aggregator::Http::SslRequester.new(multi_handler.datastore['LHOST'], multi_handler.datastore['LPORT'])
446
        requester = Metasploit::Aggregator::Http::Requester.new(multi_handler.datastore['LHOST'], multi_handler.datastore['LPORT'])
447
        requester
448
      end
449

450
      # borrowed from Msf::Sessions::Meterpreter for now
451
      def guess_target_platform(os)
452
        case os
453
        when /windows/i
454
          Msf::Module::Platform::Windows.realname.downcase
455
        when /darwin/i
456
          Msf::Module::Platform::OSX.realname.downcase
457
        when /mac os ?x/i
458
          # this happens with java on OSX (for real!)
459
          Msf::Module::Platform::OSX.realname.downcase
460
        when /freebsd/i
461
          Msf::Module::Platform::FreeBSD.realname.downcase
462
        when /openbsd/i, /netbsd/i
463
          Msf::Module::Platform::BSD.realname.downcase
464
        else
465
          Msf::Module::Platform::Linux.realname.downcase
466
        end
467
      end
468

469
      def pad_space(status, length)
470
        status << ' ' while status.length < length
471
        status
472
      end
473

474
      private :guess_target_platform
475
      private :aggregator_login
476
      private :aggregator_compatibility_check
477
      private :aggregator_verify
478
      private :local_handler
479
      private :pad_space
480
      private :show_session
481
      private :show_session_detailed
482
    end
483

484
    #
485
    # Plugin initialization
486
    #
487

488
    def initialize(framework, opts)
489
      super
490

491
      #
492
      # Require the metasploit/aggregator gem, but fail nicely if it's not there.
493
      #
494
      begin
495
        require 'metasploit/aggregator'
496
      rescue LoadError
497
        raise 'WARNING: metasploit/aggregator is not available for now.'
498
      end
499

500
      add_console_dispatcher(AggregatorCommandDispatcher)
501
      print_status('Aggregator interaction has been enabled')
502
    end
503

504
    def cleanup
505
      remove_console_dispatcher('Aggregator')
506
    end
507

508
    def name
509
      'aggregator'
510
    end
511

512
    def desc
513
      'Interacts with the external Session Aggregator'
514
    end
515
  end
516
end
517

518
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

Product

Resources

Company
