lib/msf/core/post/common.rb
# -*- coding: binary -*-
module Msf::Post::Common
def initialize(info = {})
super(
update_info(
info,
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_sys_config_getenv
stdapi_sys_process_execute
]
}
}
)
)
end
def clear_screen
Gem.win_platform? ? (system "cls") : (system "clear")
end
def rhost
return super unless defined?(session) and session
case session.type.downcase
when 'meterpreter'
session.sock.peerhost
when 'shell', 'powershell'
session.session_host
end
rescue
return nil
end
def rport
return super unless defined?(session) and session
case session.type.downcase
when 'meterpreter'
session.sock.peerport
when 'shell', 'powershell'
session.session_port
end
rescue
return nil
end
def peer
"#{rhost}:#{rport}"
end
#
# Executes +cmd+ on the remote system
#
# On Windows meterpreter, this will go through CreateProcess as the
# "commandLine" parameter. This means it will follow the same rules as
# Windows' path disambiguation. For example, if you were to call this method
# thusly:
#
# cmd_exec("c:\\program files\\sub dir\\program name")
#
# Windows would look for these executables, in this order, passing the rest
# of the line as arguments:
#
# c:\program.exe
# c:\program files\sub.exe
# c:\program files\sub dir\program.exe
# c:\program files\sub dir\program name.exe
#
# On POSIX meterpreter, if +args+ is set or if +cmd+ contains shell
# metacharacters, the server will run the whole thing in /bin/sh. Otherwise,
# (cmd is a single path and there are no arguments), it will execve the given
# executable.
#
# On Java, it is passed through Runtime.getRuntime().exec(String) and PHP
# uses proc_open() both of which have similar semantics to POSIX.
#
# On shell sessions, this passes +cmd+ directly the session's
# +shell_command_token+ method.
#
# Returns a (possibly multi-line) String.
#
def cmd_exec(cmd, args=nil, time_out=15, opts = {})
case session.type
when 'meterpreter'
#
# The meterpreter API requires arguments to come separately from the
# executable path. This has no effect on Windows where the two are just
# blithely concatenated and passed to CreateProcess or its brethren. On
# POSIX, this allows the server to execve just the executable when a
# shell is not needed. Determining when a shell is not needed is not
# always easy, so it assumes anything with arguments needs to go through
# /bin/sh.
#
# This problem was originally solved by using Shellwords.shellwords but
# unfortunately, it is unsuitable. When a backslash occurs inside double
# quotes (as is often the case with Windows commands) it inexplicably
# removes them. So. Shellwords is out.
#
# By setting +args+ to an empty string, we can get POSIX to send it
# through /bin/sh, solving all the pesky parsing troubles, without
# affecting Windows.
#
if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/
args = ""
end
session.response_timeout = time_out
opts = {
'Hidden' => true,
'Channelized' => true,
'Subshell' => true
}.merge(opts)
if opts['Channelized']
o = session.sys.process.capture_output(cmd, args, opts, time_out)
else
session.sys.process.execute(cmd, args, opts)
end
when 'powershell'
if args.nil? || args.empty?
o = session.shell_command("#{cmd}", time_out)
else
o = session.shell_command("#{cmd} #{args}", time_out)
end
o.chomp! if o
when 'shell'
if args.nil? || args.empty?
o = session.shell_command_token("#{cmd}", time_out)
else
o = session.shell_command_token("#{cmd} #{args}", time_out)
end
o.chomp! if o
end
return "" if o.nil?
return o
end
def cmd_exec_get_pid(cmd, args=nil, time_out=15)
case session.type
when 'meterpreter'
if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/
args = ""
end
session.response_timeout = time_out
process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true, 'Subshell' => true })
process.channel.close
pid = process.pid
process.close
pid
else
print_error "cmd_exec_get_pid is incompatible with non-meterpreter sessions"
end
end
#
# Reports to the database that the host is using virtualization and reports
# the type of virtualization it is (e.g VirtualBox, VMware, Xen, Docker)
#
def report_virtualization(virt)
return unless session
return unless virt
virt_normal = virt.to_s.strip
return if virt_normal.empty?
virt_data = {
:host => session.target_host,
:virtual_host => virt_normal
}
report_host(virt_data)
end
#
# Returns the value of the environment variable +env+
#
def get_env(env)
case session.type
when 'meterpreter'
return session.sys.config.getenv(env)
when 'powershell'
return cmd_exec("echo $env:#{env}").strip
when 'shell'
if session.platform == 'windows'
if env[0,1] == '%'
unless env[-1,1] == '%'
env << '%'
end
else
env = "%#{env}%"
end
return cmd_exec("echo #{env}")
else
unless env[0,1] == '$'
env = "$#{env}"
end
return cmd_exec("echo \"#{env}\"")
end
end
nil
end
#
# Returns a hash of environment variables +envs+
#
def get_envs(*envs)
case session.type
when 'meterpreter'
return session.sys.config.getenvs(*envs)
when 'shell', 'powershell'
result = {}
envs.each do |env|
res = get_env(env)
result[env] = res unless res.blank?
end
return result
end
nil
end
# Checks if the specified command can be executed by the session. It should be
# noted that not all commands correspond to a binary file on disk. For example,
# a bash shell session will provide the `eval` command when there is no `eval`
# binary on disk. Likewise, a Powershell session will provide the `Get-Item`
# command when there is no `Get-Item` executable on disk.
#
# @param [String] cmd the command to check
# @return [Boolean] true when the command exists
def command_exists?(cmd)
verification_token = Rex::Text.rand_text_alpha_upper(8)
if session.type == 'powershell'
cmd_exec("try {if(Get-Command #{cmd}) {echo #{verification_token}}} catch {}").include?(verification_token)
elsif session.platform == 'windows'
# https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/where_1
# https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/if
cmd_exec("cmd /c where /q #{cmd} & if not errorlevel 1 echo #{verification_token}").to_s.include?(verification_token)
else
cmd_exec("command -v #{cmd} || which #{cmd} && echo #{verification_token}").include?(verification_token)
end
rescue
raise "Unable to check if command `#{cmd}' exists"
end
# Executes +cmd+ on the remote system and return an array containing the
# output and if it was successful or not.
#
# This is simply a wrapper around {#cmd_exec} that also checks the exit code
# to determine if the execution was successful or not.
#
# @param [String] cmd The command to execute
# @param args [String] The optional arguments of the command (can de included in +cmd+ instead)
# @param [Integer] timeout The time in sec. to wait before giving up
# @param [Hash] opts An Hash of options (see {#cmd_exec})
# @return [Array(String, Boolean)] Array containing the output string
# followed by a boolean indicating if the command succeeded or not. When
# this boolean is `true`, the first field contains the normal command
# output. When it is `false`, the first field contains the error message
# returned by the command or a timeout error message if the timeout
# expired.
def cmd_exec_with_result(cmd, args = nil, timeout = 15, opts = {})
# This token will be returned if the command succeeds.
# Redirection operators (`&&` and `||`) are the most reliable methods to
# detect success and failure. See these references for details:
# - https://ss64.com/nt/errorlevel.html
# - https://stackoverflow.com/questions/34936240/batch-goto-loses-errorlevel/34937706#34937706
# - https://stackoverflow.com/questions/10935693/foolproof-way-to-check-for-nonzero-error-return-code-in-windows-batch-file/10936093#10936093
verification_token = Rex::Text.rand_text_alphanumeric(8)
_cmd = cmd.dup
_cmd << " #{args}" if args
if session.platform == 'windows'
if session.type == 'powershell'
# The & operator is reserved by Powershell and needs to be wrapped in double quotes
result = cmd_exec('cmd', "/c #{_cmd} \"&&\" echo #{verification_token}", timeout, opts)
else
result = cmd_exec('cmd', "/c #{_cmd} && echo #{verification_token}", timeout, opts)
end
else
result = cmd_exec('command', "#{_cmd} && echo #{verification_token}", timeout, opts)
end
if result.include?(verification_token)
# Removing the verification token to cleanup the output string
[result.lines[0...-1].join.strip, true]
else
[result.strip, false]
end
rescue Rex::TimeoutError => e
[e.message, false]
end
end