Land rapid7#8807, template for external module servers

Author: mkienow-r7

lib/msf/core/module/external.rb

@@ -1,23 +1,72 @@
+include Msf::Auxiliary::Report
+
 module Msf::Module::External
   def wait_status(mod)
     while mod.running
       m = mod.get_status
       if m
-        case m['level']
-        when 'error'
-          print_error m['message']
-        when 'warning'
-          print_warning m['message']
-        when 'good'
-          print_good m['message']
-        when 'info'
-          print_status m['message']
-        when 'debug'
-          vprint_status m['message']
-        else
-          print_status m['message']
+        case m.method
+        when :message
+          log_output(m)
+        when :report
+          process_report(m)
+        when :reply
+          # we're done
+          break
         end
       end
     end
   end
+
+  def log_output(m)
+    message = m.params['message']
+
+    case m.params['level']
+    when 'error'
+      print_error message
+    when 'warning'
+      print_warning message
+    when 'good'
+      print_good message
+    when 'info'
+      print_status message
+    when 'debug'
+      vprint_status message
+    else
+      print_status message
+    end
+  end
+
+  def process_report(m)
+    data = m.params['data']
+
+    case m.params['type']
+    when 'host'
+      # Required
+      host = {host: data['host']}
+
+      # Optional
+      host[:state] = data['state'] if data['state'] # TODO: validate -- one of the Msf::HostState constants (unknown, alive, dead)
+      host[:os_name] = data['os_name'] if data['os_name']
+      host[:os_flavor] = data['os_flavor'] if data['os_flavor']
+      host[:os_sp] = data['os_sp'] if data['os_sp']
+      host[:os_lang] = data['os_lang'] if data['os_lang']
+      host[:arch] = data['arch'] if data['arch'] # TODO: validate -- one of the ARCH_* constants
+      host[:mac] = data['mac'] if data['mac']
+      host[:scope] = data['scope'] if data['scope']
+      host[:virtual_host] = data['virtual_host'] if data['virtual_host']
+
+      report_host(host)
+    when 'service'
+      # Required
+      service = {host: data['host'], port: data['port'], proto: data['proto']}
+
+      # Optional
+      service[:name] = data['name'] if data['name']
+
+      report_service(service)
+    else
+      print_warning "Skipping unrecognized report type #{m.params['type']}"
+    end
+  end
 end

lib/msf/core/module_manager/loading.rb

@@ -116,8 +116,8 @@ def load_modules(path, options={})
 
     loaders.each do |loader|
       if loader.loadable?(path)
-        count_by_type.merge!(loader.load_modules(path, options)) do |key, old, new|
-          old + new
+        count_by_type.merge!(loader.load_modules(path, options)) do |key, prev, now|
+          prev + now
         end
       end
     end

lib/msf/core/modules/external/bridge.rb

@@ -2,6 +2,7 @@
 require 'msf/core/modules/external'
 require 'msf/core/modules/external/message'
 require 'open3'
+require 'json'
 
 class Msf::Modules::External::Bridge
 
@@ -26,45 +27,47 @@ def run(datastore)
 
   def get_status
     if self.running
-      n = receive_notification
-      if n && n['params']
-        n['params']
-      else
+      m = receive_notification
+      if m.nil?
         close_ios
         self.running = false
-        n['response'] if n
       end
+
+      return m
     end
   end
 
   def initialize(module_path)
     self.env = {}
     self.running = false
     self.path = module_path
+    self.cmd = [self.path, self.path]
+    self.messages = Queue.new
   end
 
   protected
 
   attr_writer :path, :running
-  attr_accessor :env, :ios
+  attr_accessor :cmd, :env, :ios, :messages
 
   def describe
     resp = send_receive(Msf::Modules::External::Message.new(:describe))
     close_ios
-    resp['response']
+    resp.params
   end
 
-  # XXX TODO non-blocking writes, check write lengths, non-blocking JSON parse loop read
+  # XXX TODO non-blocking writes, check write lengths
 
   def send_receive(message)
     send(message)
-    read_json(message.id, self.ios[1])
+    recv(message.id)
   end
 
   def send(message)
-    input, output, status = ::Open3.popen3(env, [self.path, self.path])
+    input, output, status = ::Open3.popen3(self.env, self.cmd)
     self.ios = [input, output, status]
-    case Rex::ThreadSafe.select(nil, [input], nil, 0.1)
+    # We would call Rex::Threadsafe directly, but that would require rex for standalone use
+    case select(nil, [input], nil, 0.1)
     when nil
       raise "Cannot run module #{self.path}"
     when [[], [input], []]
@@ -76,23 +79,57 @@ def send(message)
   end
 
   def receive_notification
-    input, output, status = self.ios
-    case Rex::ThreadSafe.select([output], nil, nil, 10)
-    when nil
-      nil
-    when [[output], [], []]
-      read_json(nil, output)
+    if self.messages.empty?
+      recv
+    else
+      self.messages.pop
     end
   end
 
   def write_message(fd, json)
     fd.write(json)
   end
 
-  def read_json(id, fd)
+  def recv(filter_id=nil, timeout=600)
+    _, fd, _ = self.ios
+
+    # Multiple messages can come over the wire all at once, and since yajl
+    # doesn't play nice with windows, we have to emulate a state machine to
+    # read just enough off the wire to get one request at a time. Since
+    # Windows cannot do a nonblocking read on a pipe, we are forced to do a
+    # whole lot of `select` syscalls :(
+    buf = ""
     begin
-      resp = fd.readpartial(10_000)
-      JSON.parse(resp)
+      loop do
+        # We would call Rex::Threadsafe directly, but that would require Rex for standalone use
+        case select([fd], nil, nil, timeout)
+        when nil
+          # This is what we would have gotten without Rex and what `readpartial` can also raise
+          raise EOFError.new
+        when [[fd], [], []]
+          c = fd.readpartial(1)
+          buf << c
+
+          # This is so we don't end up calling JSON.parse on every char and
+          # having to catch an exception. Windows can't do nonblock on pipes,
+          # so we still have to do the select each time.
+          break if c == '}'
+        end
+      end
+
+      m = Msf::Modules::External::Message.from_module(JSON.parse(buf))
+      if filter_id && m.id != filter_id
+        # We are filtering for a response to a particular message, but we got
+        # something else, store the message and try again
+        self.messages.push m
+        read_json(filter_id, timeout)
+      else
+        # Either we weren't filtering, or we got what we were looking for
+        m
+      end
+    rescue JSON::ParserError
+      # Probably an incomplete response, but no way to really tell
+      retry
     rescue EOFError => e
       {}
     end

lib/msf/core/modules/external/message.rb

@@ -2,11 +2,25 @@
 require 'msf/core/modules/external'
 require 'base64'
 require 'json'
+require 'securerandom'
 
 class Msf::Modules::External::Message
 
-  attr_reader :method, :id
-  attr_accessor :params
+  attr_reader :method
+  attr_accessor :params, :id
+
+  def self.from_module(j)
+    if j['method']
+      m = self.new(j['method'].to_sym)
+      m.params = j['params']
+      m
+    elsif j['response']
+      m = self.new(:reply)
+      m.params = j['response']
+      m.id = j['id']
+      m
+    end
+  end
 
   def initialize(m)
     self.method = m
@@ -20,5 +34,5 @@ def to_json
 
   protected
 
-  attr_writer :method, :id
+  attr_writer :method
 end

lib/msf/core/modules/external/python/metasploit/module.py

@@ -1,20 +1,37 @@
 import sys, os, json
 
 def log(message, level='info'):
-    print(json.dumps({'jsonrpc': '2.0', 'method': 'message', 'params': {
+    rpc_send({'jsonrpc': '2.0', 'method': 'message', 'params': {
         'level': level,
         'message': message
-    }}))
-    sys.stdout.flush()
+    }})
+
+def report_host(ip, opts={}):
+    host = opts.copy()
+    host.update({'host': ip})
+    rpc_send({'jsonrpc': '2.0', 'method': 'report', 'params': {
+        'type': 'host', 'data': host
+    }})
+
+def report_service(ip, opts={}):
+    service = opts.copy()
+    service.update({'host': ip})
+    rpc_send({'jsonrpc': '2.0', 'method': 'report', 'params': {
+        'type': 'service', 'data': service
+    }})
+
 
 def run(metadata, exploit):
     req = json.loads(os.read(0, 10000))
     if req['method'] == 'describe':
-        print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}))
+        rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata})
     elif req['method'] == 'run':
         args = req['params']
         exploit(args)
-        print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': {
+        rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': {
             'message': 'Exploit completed'
-        }}))
-        sys.stdout.flush()
+        }})
+
+def rpc_send(req):
+    print(json.dumps(req))
+    sys.stdout.flush()

lib/msf/core/modules/external/shim.rb

@@ -9,6 +9,11 @@ def self.generate(module_path)
     case mod.meta['type']
     when 'remote_exploit_cmd_stager'
       remote_exploit_cmd_stager(mod)
+    when 'capture_server'
+      capture_server(mod)
+    else
+      # TODO have a nice load error show up in the logs
+      ''
     end
   end
 
@@ -26,10 +31,6 @@ def self.mod_meta_common(mod, meta = {})
     meta[:name]        = mod.meta['name'].dump
     meta[:description] = mod.meta['description'].dump
     meta[:authors]     = mod.meta['authors'].map(&:dump).join(",\n          ")
-    meta[:date]        = mod.meta['date'].dump
-    meta[:references]  = mod.meta['references'].map do |r|
-      "[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
-    end.join(",\n          ")
 
     meta[:options]     = mod.meta['options'].map do |n, o|
       "Opt#{o['type'].capitalize}.new(#{n.dump},
@@ -39,11 +40,15 @@ def self.mod_meta_common(mod, meta = {})
   end
 
   def self.mod_meta_exploit(mod, meta = {})
+    meta[:date]        = mod.meta['date'].dump
     meta[:wfsdelay]    = mod.meta['wfsdelay'] || 5
     meta[:privileged]  = mod.meta['privileged'].inspect
     meta[:platform]    = mod.meta['targets'].map do |t|
       t['platform'].dump
     end.uniq.join(",\n          ")
+    meta[:references]  = mod.meta['references'].map do |r|
+      "[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
+    end.join(",\n          ")
     meta[:targets]     = mod.meta['targets'].map do |t|
       "[#{t['platform'].dump} + ' ' + #{t['arch'].dump}, {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]"
     end.join(",\n          ")
@@ -56,4 +61,9 @@ def self.remote_exploit_cmd_stager(mod)
     meta[:command_stager_flavor] = mod.meta['payload']['command_stager_flavor'].dump
     render_template('remote_exploit_cmd_stager.erb', meta)
   end
+
+  def self.capture_server(mod)
+    meta = mod_meta_common(mod)
+    render_template('capture_server.erb', meta)
+  end
 end

lib/msf/core/modules/external/templates/capture_server.erb

@@ -0,0 +1,26 @@
+require 'msf/core/modules/external/bridge'
+require 'msf/core/module/external'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Module::External
+
+  def initialize
+    super({
+	  <%= common_metadata meta %>
+      'Actions'     => [ ['Capture'] ],
+      'PassiveActions' => ['Capture'],
+      'DefaultAction'  => 'Capture'
+      })
+
+      register_options([
+        <%= meta[:options] %>
+      ])
+  end
+
+  def run
+    print_status("Starting server...")
+    mod = Msf::Modules::External::Bridge.open(<%= meta[:path] %>)
+    mod.run(datastore)
+    wait_status(mod)
+  end
+end