Track the machine_id and drop non-responsive sessions automatically

HD Moore · HD Moore · commit 3080feb1881b · 2015-05-04T03:22:29.000-05:00
diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb
@@ -597,7 +597,7 @@ def self.dump_sessions_verbose(framework, opts={})
       end
 
       if session.respond_to?(:last_checkin) && session.last_checkin
-        sess_checkin = "#{(Time.now.to_i - session.last_checkin.to_i)}s Ago @ #{session.last_checkin.to_s}"
+        sess_checkin = "#{(Time.now.to_i - session.last_checkin.to_i)}s ago @ #{session.last_checkin.to_s}"
       end
 
       out << "  Session ID: #{sess_id}\n"
diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb
@@ -298,6 +298,24 @@ def load_priv()
     console.disable_output = original
   end
 
+  #
+  # Validate session information by checking for a machine_id response
+  #
+  def is_valid_session?(timeout=10)
+    return true if self.machine_id
+
+    begin
+      self.machine_id = self.core.machine_id(timeout)
+      return true
+    rescue ::Rex::Post::Meterpreter::RequestError
+      # This meterpreter doesn't support core_machine_id
+      return true
+    rescue ::Exception => e
+      dlog("Session #{self.sid} did not respond to validation request #{e.class}: #{e}")
+    end
+    false
+  end
+
   #
   # Populate the session information.
   #
diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
@@ -12,6 +12,7 @@ def initialize(info = {})
     register_advanced_options(
       [
         OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
+        OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
         OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
         OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
@@ -35,45 +36,47 @@ def on_session(session)
 
     session.init_ui(self.user_input, self.user_output)
 
-    if (datastore['AutoLoadStdapi'] == true)
+    valid = true
 
-      session.load_stdapi
-
-      if datastore['AutoSystemInfo']
-        session.load_session_info
+    if datastore['AutoVerifySession'] == true
+      if not session.is_valid_session?
+        print_error("Meterpreter session #{session.sid} is not valid and will be closed")
+        valid = false
       end
+    end
+
+    if valid
+
+      if datastore['AutoLoadStdapi'] == true
 
-=begin
-      admin = false
-      begin
-        ::Timeout.timeout(30) do
-          if session.railgun and session.railgun.shell32.IsUserAnAdmin()["return"] == true
-            admin = true
-            session.info += " (ADMIN)"
-          end
+        session.load_stdapi
+
+        if datastore['AutoSystemInfo']
+          session.load_session_info
+        end
+
+        if session.platform =~ /win32|win64/i
+          session.load_priv rescue nil
         end
-      rescue ::Exception
-      end
-=end
-      if session.platform =~ /win32|win64/i
-        session.load_priv rescue nil
       end
-    end
 
-    if session.platform =~ /android/i
-      if datastore['AutoLoadAndroid']
-        session.load_android
+      if session.platform =~ /android/i
+        if datastore['AutoLoadAndroid']
+          session.load_android
+        end
       end
-    end
 
-    [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
-      if (datastore[key].empty? == false)
-        args = Shellwords.shellwords( datastore[key] )
-        print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
-        session.execute_script(args.shift, *args)
+      [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
+        if (datastore[key].empty? == false)
+          args = Shellwords.shellwords( datastore[key] )
+          print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
+          session.execute_script(args.shift, *args)
+        end
       end
     end
 
+    session.kill if not valid
+
     }
 
   end
diff --git a/lib/msf/core/session.rb b/lib/msf/core/session.rb
@@ -389,6 +389,10 @@ def alive?
   #
   attr_accessor :payload_uuid
   #
+  # The unique machine identifier for the host that created this session
+  #
+  attr_accessor :machine_id
+  #
   # The actual exploit module instance that created this session
   #
   attr_accessor :exploit
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
@@ -245,14 +245,16 @@ def use(mod, opts = { })
     return true
   end
 
-  def machine_id
+  def machine_id(timeout=nil)
     request = Packet.create_request('core_machine_id')
 
-    response = client.send_request(request)
+    args = [ request ]
+    args << timeout if timeout
+
+    response = client.send_request(*args)
 
-    id = response.get_tlv_value(TLV_TYPE_MACHINE_ID)
-    # TODO: Determine if we're going to MD5/SHA1 this
-    return Rex::Text.md5(id)
+    mid = response.get_tlv_value(TLV_TYPE_MACHINE_ID)
+    return Rex::Text.md5(mid)
   end
 
   def transport_change(opts={})

Original file line number	Diff line number	Diff line change
`@@ -389,6 +389,10 @@ def alive?`
`389`	`389`	`#`
`390`	`390`	`attr_accessor :payload_uuid`
`391`	`391`	`#`
	`392`	`+ # The unique machine identifier for the host that created this session`
	`393`	`+ #`
	`394`	`+ attr_accessor :machine_id`
	`395`	`+ #`
`392`	`396`	`# The actual exploit module instance that created this session`
`393`	`397`	`#`
`394`	`398`	`attr_accessor :exploit`