forked from rapid7/metasploit-framework
/
common.rb
240 lines (216 loc) · 6.26 KB
/
common.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
# -*- coding: binary -*-
module Msf::Post::Common
def clear_screen
Gem.win_platform? ? (system "cls") : (system "clear")
end
def rhost
return nil unless session
case session.type
when 'meterpreter'
session.sock.peerhost
when 'shell'
session.session_host
end
end
def rport
case session.type
when 'meterpreter'
session.sock.peerport
when 'shell'
session.session_port
end
end
def peer
"#{rhost}:#{rport}"
end
#
# Checks if the remote system has a process with ID +pid+
#
def has_pid?(pid)
pid_list = []
case client.type
when /meterpreter/
pid_list = client.sys.process.processes.collect {|e| e['pid']}
when /shell/
if client.platform == 'windows'
o = cmd_exec('tasklist /FO LIST')
pid_list = o.scan(/^PID:\s+(\d+)/).flatten
else
o = cmd_exec('ps ax')
pid_list = o.scan(/^\s*(\d+)/).flatten
end
pid_list = pid_list.collect {|e| e.to_i}
end
pid_list.include?(pid)
end
#
# Executes +cmd+ on the remote system
#
# On Windows meterpreter, this will go through CreateProcess as the
# "commandLine" parameter. This means it will follow the same rules as
# Windows' path disambiguation. For example, if you were to call this method
# thusly:
#
# cmd_exec("c:\\program files\\sub dir\\program name")
#
# Windows would look for these executables, in this order, passing the rest
# of the line as arguments:
#
# c:\program.exe
# c:\program files\sub.exe
# c:\program files\sub dir\program.exe
# c:\program files\sub dir\program name.exe
#
# On POSIX meterpreter, if +args+ is set or if +cmd+ contains shell
# metacharacters, the server will run the whole thing in /bin/sh. Otherwise,
# (cmd is a single path and there are no arguments), it will execve the given
# executable.
#
# On Java, it is passed through Runtime.getRuntime().exec(String) and PHP
# uses proc_open() both of which have similar semantics to POSIX.
#
# On shell sessions, this passes +cmd+ directly the session's
# +shell_command_token+ method.
#
# Returns a (possibly multi-line) String.
#
def cmd_exec(cmd, args=nil, time_out=15)
case session.type
when /meterpreter/
#
# The meterpreter API requires arguments to come separately from the
# executable path. This has no effect on Windows where the two are just
# blithely concatenated and passed to CreateProcess or its brethren. On
# POSIX, this allows the server to execve just the executable when a
# shell is not needed. Determining when a shell is not needed is not
# always easy, so it assumes anything with arguments needs to go through
# /bin/sh.
#
# This problem was originally solved by using Shellwords.shellwords but
# unfortunately, it is unsuitable. When a backslash occurs inside double
# quotes (as is often the case with Windows commands) it inexplicably
# removes them. So. Shellwords is out.
#
# By setting +args+ to an empty string, we can get POSIX to send it
# through /bin/sh, solving all the pesky parsing troubles, without
# affecting Windows.
#
start = Time.now.to_i
if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/
args = ""
end
session.response_timeout = time_out
process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true})
o = ""
# Wait up to time_out seconds for the first bytes to arrive
while (d = process.channel.read)
o << d
if d == ""
if Time.now.to_i - start < time_out
sleep 0.1
else
break
end
end
end
o.chomp! if o
begin
process.channel.close
rescue IOError => e
# Channel was already closed, but we got the cmd output, so let's soldier on.
end
process.close
when /powershell/
if args.nil? || args.empty?
o = session.shell_command("#{cmd}", time_out)
else
o = session.shell_command("#{cmd} #{args}", time_out)
end
o.chomp! if o
when /shell/
if args.nil? || args.empty?
o = session.shell_command_token("#{cmd}", time_out)
else
o = session.shell_command_token("#{cmd} #{args}", time_out)
end
o.chomp! if o
end
return "" if o.nil?
return o
end
def cmd_exec_get_pid(cmd, args=nil, time_out=15)
case session.type
when /meterpreter/
if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/
args = ""
end
session.response_timeout = time_out
process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true})
process.channel.close
pid = process.pid
process.close
pid
else
print_error "cmd_exec_get_pid is incompatible with non-meterpreter sessions"
end
end
#
# Reports to the database that the host is using virtualization and reports
# the type of virtualization it is (e.g VirtualBox, VMware, Xen, Docker)
#
def report_virtualization(virt)
return unless session
return unless virt
virt_normal = virt.to_s.strip
return if virt_normal.empty?
virt_data = {
:host => session.target_host,
:virtual_host => virt_normal
}
report_host(virt_data)
end
#
# Returns the value of the environment variable +env+
#
def get_env(env)
case session.type
when /meterpreter/
return session.sys.config.getenv(env)
when /shell/
if session.platform == 'windows'
if env[0,1] == '%'
unless env[-1,1] == '%'
env << '%'
end
else
env = "%#{env}%"
end
return cmd_exec("echo #{env}")
else
unless env[0,1] == '$'
env = "$#{env}"
end
return cmd_exec("echo \"#{env}\"")
end
end
nil
end
#
# Returns a hash of environment variables +envs+
#
def get_envs(*envs)
case session.type
when /meterpreter/
return session.sys.config.getenvs(*envs)
when /shell/
result = {}
envs.each do |env|
res = get_env(env)
result[env] = res unless res.blank?
end
return result
end
nil
end
private
end