plugins/aggregator.rb
module Msf
Aggregator_yaml = "#{Msf::Config.config_directory}/aggregator.yaml".freeze # location of the aggregator.yml containing saved aggregator creds
# This plugin provides management and interaction with an external session aggregator.
class Plugin::Aggregator < Msf::Plugin
class AggregatorCommandDispatcher
include Msf::Ui::Console::CommandDispatcher
@response_queue = []
def name
'Aggregator'
end
def commands
{
'aggregator_connect' => 'Connect to a running Aggregator instance ( host[:port] )',
'aggregator_save' => 'Save connection details to an Aggregator instance',
'aggregator_disconnect' => 'Disconnect from an active Aggregator instance',
'aggregator_addresses' => 'List all remote ip addresses available for ingress',
'aggregator_cables' => 'List all remote listeners for sessions',
'aggregator_cable_add' => 'Setup remote https listener for sessions',
'aggregator_cable_remove' => 'Stop remote listener for sessions',
'aggregator_default_forward' => 'forward a unlisted/unhandled sessions to a specified listener',
'aggregator_sessions' => 'List all remote sessions currently available from the Aggregator instance',
'aggregator_session_forward' => 'forward a session to a specified listener',
'aggregator_session_park' => 'Park an existing session on the Aggregator instance'
}
end
def aggregator_verify
if !@aggregator
print_error("No active Aggregator instance has been configured, please use 'aggregator_connect'")
return false
end
true
end
def usage(*lines)
print_status('Usage: ')
lines.each do |line|
print_status(" #{line}")
end
end
def usage_save
usage('aggregator_save')
end
def usage_connect
usage('aggregator_connect host[:port]',
' -OR- ',
'aggregator_connect host port')
end
def usage_cable_add
usage('aggregator_cable_add host:port [certificate]',
' -OR- ',
'aggregator_cable_add host port [certificate]')
end
def usage_cable_remove
usage('aggregator_cable_remove host:port',
' -OR- ',
'aggregator_cable_remove host port')
end
def usage_session_forward
usage('aggregator_session_forward remote_id')
end
def usage_default_forward
usage('aggregator_session_forward')
end
def show_session(details, _target, local_id)
status = pad_space(" #{local_id}", 4)
status += " #{details['ID']}"
status = pad_space(status, 15)
status += ' meterpreter '
status += "#{guess_target_platform(details['OS'])} "
status = pad_space(status, 43)
status += "#{details['USER']} @ #{details['HOSTNAME']} "
status = pad_space(status, 64)
status += "#{details['LOCAL_SOCKET']} -> #{details['REMOTE_SOCKET']}"
print_status status
end
def show_session_detailed(details, target, local_id)
print_status "\t Remote ID: #{details['ID']}"
print_status "\t Type: meterpreter #{guess_target_platform(details['OS'])}"
print_status "\t Info: #{details['USER']} @ #{details['HOSTNAME']}"
print_status "\t Tunnel: #{details['LOCAL_SOCKET']} -> #{details['REMOTE_SOCKET']}"
print_status "\t Via: exploit/multi/handler"
print_status "\t UUID: #{details['UUID']}"
print_status "\t MachineID: #{details['MachineID']}"
print_status "\t CheckIn: #{details['LAST_SEEN'].to_i}s ago" unless details['LAST_SEEN'].nil?
print_status "\tRegistered: Not Yet Implemented"
print_status "\t Forward: #{target}"
print_status "\tSession ID: #{local_id}" unless local_id.nil?
print_status ''
end
def cmd_aggregator_save(*args)
# if we are logged in, save session details to aggregator.yaml
if !args.empty? || args[0] == '-h'
usage_save
return
end
if args[0]
usage_save
return
end
group = 'default'
if (@host && !@host.empty?) && (@port && !@port.empty? && @port.to_i > 0)
config = { group.to_s => { 'server' => @host, 'port' => @port } }
::File.open(Aggregator_yaml.to_s, 'wb') { |f| f.puts YAML.dump(config) }
print_good("#{Aggregator_yaml} created.")
else
print_error('Missing server/port - reconnect and then try again.')
return
end
end
def cmd_aggregator_connect(*args)
if !args[0] && ::File.readable?(Aggregator_yaml.to_s)
lconfig = YAML.load_file(Aggregator_yaml.to_s)
@host = lconfig['default']['server']
@port = lconfig['default']['port']
aggregator_login
return
end
if args.empty? || args[0].empty? || args[0] == '-h'
usage_connect
return
end
@host = @port = @sslv = nil
case args.length
when 1
@host, @port = args[0].split(':', 2)
@port ||= '2447'
when 2
@host, @port = args
else
usage_connect
return
end
aggregator_login
end
def cmd_aggregator_sessions(*args)
case args.length
when 0
is_detailed = false
when 1
unless args[0] == '-v'
usage_sessions
return
end
is_detailed = true
else
usage_sessions
return
end
return unless aggregator_verify
sessions_list = @aggregator.sessions
return if sessions_list.nil?
session_map = {}
# get details for each session and print in format of sessions -v
sessions_list.each do |session|
session_id, target = session
details = @aggregator.session_details(session_id)
local_id = nil
framework.sessions.each_pair do |key, value|
next unless value.conn_id == session_id
local_id = key
end
# filter session that do not have details as forwarding options (this may change later)
next unless details && details['ID']
session_map[details['ID']] = [details, target, local_id]
end
print_status('Remote sessions')
print_status('===============')
print_status('')
if session_map.empty?
print_status('No remote sessions.')
else
unless is_detailed
print_status(' Id Remote Id Type Information Connection')
print_status(' -- --------- ---- ----------- ----------')
end
session_map.keys.sort.each do |key|
details, target, local_id = session_map[key]
if is_detailed
show_session_detailed(details, target, local_id)
else
show_session(details, target, local_id)
end
end
end
end
def cmd_aggregator_addresses(*_args)
return if !aggregator_verify
address_list = @aggregator.available_addresses
return if address_list.nil?
print_status('Remote addresses found:')
address_list.each do |addr|
print_status(" #{addr}")
end
end
def cmd_aggregator_cable_add(*args)
host, port, certificate = nil
case args.length
when 1
host, port = args[0].split(':', 2)
when 2
host, port = args[0].split(':', 2)
if port.nil?
port = args[1]
else
certificate = args[1]
end
when 3
host, port, certificate = args
else
usage_cable_add
return
end
if !aggregator_verify || args.empty? || args[0] == '-h' || \
port.nil? || port.to_i <= 0
usage_cable_add
return
end
certificate = File.new(certificate).read if certificate && File.exist?(certificate)
@aggregator.add_cable(Metasploit::Aggregator::Cable::HTTPS, host, port, certificate)
end
def cmd_aggregator_cables(*_args)
return if !aggregator_verify
res = @aggregator.cables
print_status('Remote Cables:')
res.each do |k|
print_status(" #{k}")
end
end
def cmd_aggregator_cable_remove(*args)
case args.length
when 1
host, port = args[0].split(':', 2)
when 2
host, port = args
end
if !aggregator_verify || args.empty? || args[0] == '-h' || host.nil?
usage_cable_remove
return
end
@aggregator.remove_cable(host, port)
end
def cmd_aggregator_session_park(*args)
return if !aggregator_verify
case args.length
when 1
session_id = args[0]
s = framework.sessions.get(session_id)
if s.nil?
print_status("#{session_id} is not a valid session.")
elsif @aggregator.sessions.keys.include? s.conn_id
@aggregator.release_session(s.conn_id)
framework.sessions.deregister(s)
else
# TODO: determine if we can add a transport and route with the
# aggregator. For now, just report action not taken.
print_status("#{session_id} does not originate from the aggregator connection.")
end
else
usage('aggregator_session_park session_id')
return
end
end
def cmd_aggregator_default_forward(*_args)
return if !aggregator_verify
@aggregator.register_default(@aggregator.uuid, nil)
end
def cmd_aggregator_session_forward(*args)
return if !aggregator_verify
remote_id = nil
case args.length
when 1
remote_id = args[0]
else
usage_session_forward
return
end
# find session with ID matching request
@aggregator.sessions.each do |session|
session_uri, _target = session
details = @aggregator.session_details(session_uri)
next unless details['ID'] == remote_id
return @aggregator.obtain_session(session_uri, @aggregator.uuid)
end
print_error("#{remote_id} was not found.")
end
def cmd_aggregator_disconnect(*_args)
if @aggregator && @aggregator.available?
# check if this connection is the default forward
@aggregator.register_default(nil, nil) if @aggregator.default == @aggregator.uuid
# now check for any specifically forwarded sessions
local_sessions_by_id = {}
framework.sessions.each_pair do |_id, s|
local_sessions_by_id[s.conn_id] = s
end
sessions = @aggregator.sessions
unless sessions.nil?
sessions.each_pair do |session, console|
next unless local_sessions_by_id.keys.include?(session)
if console == @aggregator.uuid
# park each session locally addressed
cmd_aggregator_session_park(framework.sessions.key(local_sessions_by_id[session]))
else
# simple disconnect session that were from the default forward
framework.sessions.deregister(local_sessions_by_id[session])
end
end
end
end
@aggregator.stop if @aggregator
if @payload_job_ids
@payload_job_ids.each do |id|
framework.jobs.stop_job(id)
end
@payload_job_ids = nil
end
@aggregator = nil
end
def aggregator_login
if !((@host && !@host.empty?) && (@port && !@port.empty? && @port.to_i > 0))
usage_connect
return
end
if (@host != 'localhost') && (@host != '127.0.0.1')
print_error('Warning: SSL connections are not verified in this release, it is possible for an attacker')
print_error(' with the ability to man-in-the-middle the Aggregator traffic to capture the Aggregator')
print_error(' traffic, if you are running this on an untrusted network.')
return
end
# Wrap this so a duplicate session does not prevent access
begin
cmd_aggregator_disconnect
rescue ::Interrupt => e
raise e
rescue ::Exception
end
begin
print_status("Connecting to Aggregator instance at #{@host}:#{@port}...")
@aggregator = Metasploit::Aggregator::ServerProxy.new(@host, @port)
end
aggregator_compatibility_check
unless @payload_job_ids
@payload_job_ids = []
@my_io = local_handler
end
@aggregator.register_response_channel(@my_io)
@aggregator
end
def aggregator_compatibility_check
false if @aggregator.nil?
unless @aggregator.available?
print_error("Connection to aggregator @ #{@host}:#{@port} is unavailable.")
cmd_aggregator_disconnect
end
end
def local_handler
# get a random ephemeral port
server = TCPServer.new('127.0.0.1', 0)
port = server.addr[1]
server.close
multi_handler = framework.exploits.create('multi/handler')
multi_handler.datastore['LHOST'] = '127.0.0.1'
# multi_handler.datastore['PAYLOAD'] = "multi/meterpreter/reverse_https"
multi_handler.datastore['PAYLOAD'] = 'multi/meterpreter/reverse_http'
multi_handler.datastore['LPORT'] = port.to_s
# %w(DebugOptions PrependMigrate PrependMigrateProc
# InitialAutoRunScript AutoRunScript CAMPAIGN_ID HandlerSSLCert
# StagerVerifySSLCert PayloadUUIDTracking PayloadUUIDName
# IgnoreUnknownPayloads SessionRetryTotal SessionRetryWait
# SessionExpirationTimeout SessionCommunicationTimeout).each do |opt|
# multi_handler.datastore[opt] = datastore[opt] if datastore[opt]
# end
multi_handler.datastore['ExitOnSession'] = false
multi_handler.datastore['EXITFUNC'] = 'thread'
multi_handler.exploit_simple(
'LocalInput' => nil,
'LocalOutput' => nil,
'Payload' => multi_handler.datastore['PAYLOAD'],
'RunAsJob' => true
)
@payload_job_ids << multi_handler.job_id
# requester = Metasploit::Aggregator::Http::SslRequester.new(multi_handler.datastore['LHOST'], multi_handler.datastore['LPORT'])
requester = Metasploit::Aggregator::Http::Requester.new(multi_handler.datastore['LHOST'], multi_handler.datastore['LPORT'])
requester
end
# borrowed from Msf::Sessions::Meterpreter for now
def guess_target_platform(os)
case os
when /windows/i
Msf::Module::Platform::Windows.realname.downcase
when /darwin/i
Msf::Module::Platform::OSX.realname.downcase
when /mac os ?x/i
# this happens with java on OSX (for real!)
Msf::Module::Platform::OSX.realname.downcase
when /freebsd/i
Msf::Module::Platform::FreeBSD.realname.downcase
when /openbsd/i, /netbsd/i
Msf::Module::Platform::BSD.realname.downcase
else
Msf::Module::Platform::Linux.realname.downcase
end
end
def pad_space(status, length)
status << ' ' while status.length < length
status
end
private :guess_target_platform
private :aggregator_login
private :aggregator_compatibility_check
private :aggregator_verify
private :local_handler
private :pad_space
private :show_session
private :show_session_detailed
end
#
# Plugin initialization
#
def initialize(framework, opts)
super
#
# Require the metasploit/aggregator gem, but fail nicely if it's not there.
#
begin
require 'metasploit/aggregator'
rescue LoadError
raise 'WARNING: metasploit/aggregator is not available for now.'
end
add_console_dispatcher(AggregatorCommandDispatcher)
print_status('Aggregator interaction has been enabled')
end
def cleanup
remove_console_dispatcher('Aggregator')
end
def name
'aggregator'
end
def desc
'Interacts with the external Session Aggregator'
end
end
end