Add Pingback Payloads #12129
Merged
Changes from 72 commits
Commits
80 commits
47ee86a  asoto-r7  WIP: REST API for async-callbacks
a1b5136  asoto-r7  Bring pingback-payload changes into public framework
353e8e6  asoto-r7  WIP: Remove PUT and DELETE endpoints
67d3bf5  asoto-r7  WIP: REST API for async-callbacks, added UUID search
542bf00  asoto-r7  REST API for async-callbacks, removed array datatypes, cleaned up Swa…
f0f45d9  bwatters-r7  Maybe stage the new files, too
e798a0d  bwatters-r7  Add pingback changes
4ca6c35  bwatters-r7  Add new files
cc69fa2  bwatters-r7  Let's try it as a single this time....
9805a14  bwatters-r7  Add support for pingback as a single and session...
d626e56  bwatters-r7  Updated to have a handler
5202a85  bwatters-r7  Use nonvolatile register for the counter
1b64b9f  bwatters-r7  Fix odd edge case converting binary to hex string
3b54fb3  asoto-r7  Record UUID upon reverse_tcp_pingback generation and callback
6d6b339  asoto-r7  Record UUID upon pingback_reverse_tcp generation and callback
8c6f2d9  asoto-r7  Enable database support in msfvenom to allow for saving UUIDs
f4fa70d  asoto-r7  Add error handling for users without a database configured
247f246  asoto-r7  Linux pingback payloads
94c6ee3  asoto-r7  Python pingback payload (bind only)
8991392  asoto-r7  Remove 'workspace' option from Mdm::Payload.create
1d45c3a  asoto-r7  python pingback_bind_tcp: send UUID as raw bytes instead of ASCII
4241d33  asoto-r7  Python pingback payload (reverse only)
be011da  asoto-r7  Ruby pingback payload (bind and reverse)
e51e271  bwatters-r7  Remove extra stuff that was part of the staged attempt at pingback.
c866e0a  bwatters-r7  First swing at x86 windows reverse_tcp pingback
9989c73  bwatters-r7  That's better.....
58f3a06  asoto-r7  cmd/unix/pingback_reverse and cmd/unix/pingback_bind
79c45a6  asoto-r7  Clean up `require`'s and calculate CachedSize
92fa8f4  asoto-r7  Clean up `require`s and `include`s
cb270cd  asoto-r7  WIP: Adding default pingback payload to parent check method
e1e75d8  bwatters-r7  Code deduplication
2a242d9  bwatters-r7  Add the new file
f7f7e96  bwatters-r7  Hold off on venom changes for a new PR
08a765d  bwatters-r7  Shut up, nmsftidy.... I hope
3e76509  bwatters-r7  Fix some spacing
39f193e  bwatters-r7  Stupid last trailing space
33513bd  bwatters-r7  Undo changes to windows/bind_tcp
7778ada  asoto-r7  Remove workspace reference in async_callback database table
8f0aaa7  asoto-r7  cmd/unix/pingback_* payloads now use 'printf' in place of 'echo'
374b56d  bwatters-r7  Should not have changed reverse_tcp.rb
5344746  asoto-r7  Remove a left-over 'pry' debugger invocation
398a5dc  bwatters-r7  Reset send_uuid because it should not have been changed
a12f9a5  asoto-r7  Revert f162822
949b356  bwatters-r7  Update the session to die after callback
f098a83  bwatters-r7  Stupid pry...
88213f1  asoto-r7  Pingback: Addressed some comments and suggestions
9b6d458  asoto-r7  cmd/unix/pingback_bind: Add resiliency to netcat, per wvu's suggestion
72977e6  asoto-r7  pingback: Removing seemingly unnecessary 'generate_raw' method
26257fa  asoto-r7  Updated json_to_mdm_object() calls, removing third parameter
14039b1  asoto-r7  Correctly fixed json_to_mdm_object (thanks @mkienow-r7 for the catch)!
80dbef2  bwatters-r7  Follow acammack's guidance for excluding filedropped exploits
310533f  bwatters-r7  First stab at filtering payloads that require cleanup
6ae3f97  bwatters-r7  Maybe include the super pingback type in the payloads?
7c2d214  bwatters-r7  Clean up debugging, move options to one place and delete superfluous file
e1ba4bd  bwatters-r7  delete extra file
2aadd63  bwatters-r7  Fix printing in session handler while I'm at it...
b0d602e  asoto-r7  Added autoload entries for AsyncCallback
af28534  asoto-r7  Copy-pasta badness
68f7ece  bwatters-r7  Removed superfluous assignment and populated datastore with pingback_…
3536e8a  bwatters-r7  Remove extra assignments elsewhere
7a8090c  bwatters-r7  Fix variable name
9ed8aa9  bwatters-r7  update the read/write for pingback data
8af6cad  bwatters-r7  fix copy/pasta error on payload data read
cd4ba13  bwatters-r7  Unpry
4a59c1b  bwatters-r7  Other pry...
e710c93  bwatters-r7  Remove async callback stuff for later work and change db checks
93f8d94  bwatters-r7  Changes to venom to handle pingbacks and really delete extra files, t…
463c147  busterb  fix method check in metadata updates
2f804fa  bwatters-r7  Rubocop and @acammack cleanup suggestions
79b7bbd  bwatters-r7  Update payload cache size and fix import bug
cec29c6  bwatters-r7  More fixes for syntax
bd6a0c8  acammack-r7  Remove workspace reqs from remote db payloads
6bf10e1  bwatters-r7  Fixups for syntax
d6dc397  bwatters-r7  Fix bugs introduced by syntax changes.
05ffa6e  bwatters-r7  More updates, optimizations, and style fixes
79e17d0  bwatters-r7  Remove unsupported options
3cb1b45  acammack-r7  Golf Python payload variable names
e6ea0c9  acammack-r7  Use binascii for Python pingback UUID encoding
23ea772  acammack-r7  Golf Ruby pingback payload syntax
517d32b  acammack-r7  Update payload cache sizes
@@ -41,4 +41,4 @@ module DataProxyAutoLoader | |
include VulnAttemptDataProxy | ||
include MsfDataProxy | ||
include PayloadDataProxy | ||
end | ||
end |
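Review bot: the +/- markers were lost in extraction, so it is not visible which include line was swapped; the header -41,4 +41,4 says exactly one line changed, and if that is the new `include PayloadDataProxy`, confirm PayloadDataProxy is defined (autoloaded or required) before DataProxyAutoLoader is loaded, since a bare include of an undefined constant raises NameError at load time.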
@@ -0,0 +1,100 @@ | ||
# -*- coding: binary -*- | ||
require 'msf/base' | ||
|
||
module Msf | ||
module Sessions | ||
|
||
### | ||
# | ||
# This class provides the ability to receive a pingback UUID | ||
# | ||
### | ||
class Pingback | ||
|
||
# | ||
# This interface supports basic interaction. | ||
# | ||
include Msf::Session | ||
include Msf::Session::Basic | ||
|
||
# | ||
# Returns the type of session. | ||
# | ||
def self.type | ||
"pingback" | ||
end | ||
|
||
def initialize(rstream, opts = {}) | ||
super | ||
self.platform ||= "" | ||
self.arch ||= "" | ||
datastore = opts[:datastore] | ||
end | ||
|
||
def self.create_session(rstream, opts = {}) | ||
Msf::Sessions::Pingback.new(rstream, opts) | ||
end | ||
|
||
def process_autoruns(datastore) | ||
uuid_read | ||
cleanup | ||
end | ||
|
||
def cleanup | ||
if rstream | ||
# this is also a best-effort | ||
rstream.close rescue nil | ||
rstream = nil | ||
end | ||
end | ||
|
||
def uuid_read | ||
uuid_raw = rstream.get_once(16, 1) | ||
if uuid_raw | ||
|
||
self.uuid_string = uuid_raw.each_byte.map { |b| "%02x" % b.to_i() }.join | ||
print_status("Incoming UUID = #{uuid_string}") | ||
if framework.db.active | ||
Comment: Could return early.
||
begin | ||
payload = framework.db.payloads(uuid: uuid_string).first | ||
if payload.nil? | ||
print_warning("Provided UUID (#{uuid_string}) was not found in database!") | ||
else | ||
print_good("UUID identified (#{uuid_string})") | ||
end | ||
rescue ActiveRecord::ConnectionNotEstablished | ||
print_status("WARNING: UUID verification and logging is not available, because the database is not active.") | ||
rescue => e | ||
# TODO: Can we have a more specific exception handler? | ||
# Test: what if we send no bytes back? What if we send less than 16 bytes? Or more than? | ||
elog("Can't get original UUID") | ||
elog("Exception Class: #{e.class.name}") | ||
elog("Exception Message: #{e.message}") | ||
elog("Exception Backtrace: #{e.backtrace}") | ||
end | ||
else | ||
print_warning("WARNING: UUID verification and logging is not available, because the database is not active.") | ||
end | ||
end | ||
nil | ||
end | ||
|
||
# | ||
# Returns the session description. | ||
# | ||
def desc | ||
"Pingback" | ||
end | ||
|
||
# | ||
# Calls the class method | ||
# | ||
def type | ||
self.class.type | ||
end | ||
|
||
attr_accessor :arch | ||
|
||
attr_accessor :platform | ||
attr_accessor :uuid_string | ||
end | ||
end | ||
end |
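Review bot: in `cleanup`, `rstream = nil` creates a local variable and leaves the `rstream` attribute untouched, so the session keeps a reference to the closed stream; it should be `self.rstream = nil`. The same slip is in `initialize`, where `datastore = opts[:datastore]` assigns a local that is never read. In `uuid_read`, `rstream.get_once(16, 1)` can return fewer than 16 bytes (the TODO about short and long reads already flags this), so check `uuid_raw.bytesize == 16` before hex-encoding; otherwise a truncated read turns into a silently wrong UUID that is then looked up in the database and reported as "not found". Minor: `b.to_i()` on an each_byte value is redundant, and the `rescue ActiveRecord::ConnectionNotEstablished` branch prints the same message as the `else` of `if framework.db.active`, so one of the two can go.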
@@ -0,0 +1,38 @@ | ||
# -*- coding => binary -*- | ||
|
||
require 'msf/core' | ||
require 'msf/core/module/platform' | ||
require 'rex/text' | ||
|
||
# | ||
# This class provides methods for calculating, extracting, and parsing | ||
# unique ID values used by payloads. | ||
# | ||
module Msf::Payload::Pingback | ||
|
||
attr_accessor :pingback_uuid | ||
attr_accessor :can_cleanup | ||
|
||
# Generate a Pingback UUID and write it to the database | ||
def generate_pingback_uuid | ||
self.pingback_uuid ||= SecureRandom.uuid() | ||
datastore['PingbackUUID'] = self.pingback_uuid | ||
vprint_status("PingbackUUID = #{datastore['PingbackUUID'].gsub('-', '')}") | ||
if framework.db.active | ||
vprint_status("Writing UUID #{datastore['PingbackUUID'].gsub('-', '')} to database...") | ||
framework.db.create_payload(name: datastore['PayloadUUIDName'], | ||
uuid: datastore['PingbackUUID'].gsub('-', ''), | ||
description: 'pingback', | ||
platform: platform.platforms.first.realname.downcase) | ||
else | ||
print_warning("Unable to save UUID #{datastore['PingbackUUID']} to database -- database support not active") | ||
end | ||
self.pingback_uuid | ||
end | ||
|
||
def initialize(info = {}) | ||
super(info) | ||
self.can_cleanup = false | ||
self | ||
end | ||
end |
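Review bot: `generate_pingback_uuid` always mints a fresh UUID and writes it whenever `framework.db.active`, ignoring the `PingbackUUID` and `PingbackUUIDDatabase` options that Msf::Payload::Pingback::Options registers in this same PR; either seed from `datastore['PingbackUUID']` when it is set and gate the write on `datastore['PingbackUUIDDatabase']`, or drop the options. The first line `# -*- coding => binary -*-` is not a magic comment Ruby recognises (it must be `coding: binary`), so the file is parsed as UTF-8. `datastore['PingbackUUID'].gsub('-', '')` is computed three times; assign it once. `platform.platforms.first.realname` raises NoMethodError if the payload has no platform set, and `SecureRandom` is used without `require 'securerandom'`. The trailing `self` in `initialize` is ignored by `new` and can be removed.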
@@ -0,0 +1,23 @@ | ||
# -*- coding => binary -*- | ||
|
||
require 'msf/core' | ||
require 'msf/core/payload/pingback' | ||
|
||
# | ||
# This module provides datastore option definitions and helper methods for payload modules that support UUIDs | ||
# | ||
module Msf::Payload::Pingback::Options | ||
|
||
def initialize(info = {}) | ||
super | ||
register_advanced_options( | ||
[ | ||
Msf::OptInt.new('PingbackRetries', [true, "How many additional successful pingbacks", 0]), | ||
Msf::OptInt.new('PingbackSleep', [true, "Time (in seconds) to sleep between pingbacks", 30]), | ||
Msf::OptString.new('PingbackUUID', [ false, 'A pingback UUID to use']), | ||
Msf::OptBool.new('PingbackUUIDDatabase', [ true, 'Save the pingback UUID to the database', false]), | ||
|
||
], self.class) | ||
end | ||
|
||
|
||
end |
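Review bot: the `PingbackRetries` description "How many additional successful pingbacks" is not a sentence and does not say what the count controls; something like "Number of additional pingbacks to send after the first" would do. Same unrecognised magic comment `# -*- coding => binary -*-` as in pingback.rb. The two stray blank lines before the closing `end` should go, given the commit log is already fighting msftidy over whitespace.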
Given the rescue and assignment that happen in here, this guard doesn't do anything.

It prevents unnecessary exception handling, when we already know the close method call is going to fail.

I definitely wouldn't want to generate unnecessary exceptions in a tight loop or hot code path. This isn't in one of those, though, and in my testing this method doesn't get called with a falsey rstream value (not that it never could be called that way or should require a non-null rstream as a precondition). This guard is optimizing for the exceptional case and thus is overly defensive. It doesn't need to be one way or the other, I was just pointing out that it was extra code that could be safely removed.

I'll note that this method is just a clone of the same from lib/msf/base/sessions/command_shell.rb minus the shell interaction bits. While I can appreciate further minimization, this may not be the only thing we ever use pingback payloads for (there may be other work we do on cleanup when there are other protocols implemented). It may be necessary later to provide some sort of interactive cleanup trigger, for instance.