Land rapid7#8178, Add support for non-Ruby modules

Author: Brent Cook

lib/metasploit/framework/spec/constants.rb

@@ -20,6 +20,7 @@ module Metasploit::Framework::Spec::Constants
   # and not dynamically loaded code
   PERSISTENT_CHILD_CONSTANT_NAMES = %w{
     Error
+    External
     Loader
     MetasploitClassCompatibilityError
     Namespace

lib/msf/core/module_manager/cache.rb

@@ -81,14 +81,15 @@ def load_cached_module(type, reference_name)
     if module_info
       parent_path = module_info[:parent_path]
 
+      # XXX borked
       loaders.each do |loader|
         if loader.loadable?(parent_path)
           type = module_info[:type]
           reference_name = module_info[:reference_name]
 
           loaded = loader.load_module(parent_path, type, reference_name, :force => true)
 
-          break
+          break if loaded
         end
       end
     end
@@ -162,11 +163,9 @@ def module_info_by_path_from_database!(allowed_paths=[""])
           # Skip cached modules that are not in our allowed load paths
           next if allowed_paths.select{|x| path.index(x) == 0}.empty?
 
-          typed_path = Msf::Modules::Loader::Base.typed_path(type, reference_name)
-          # join to '' so that typed_path_prefix starts with file separator
-          typed_path_suffix = File.join('', typed_path)
-          escaped_typed_path = Regexp.escape(typed_path_suffix)
-          parent_path = path.gsub(/#{escaped_typed_path}$/, '')
+          # The load path is assumed to be the next level above the type directory
+          type_dir = File.join('', Mdm::Module::Detail::DIRECTORY_BY_TYPE[type], '')
+          parent_path = path.split(type_dir)[0..-2].join(type_dir) # TODO: rewrite
 
           module_info_by_path[path] = {
               :reference_name => reference_name,

lib/msf/core/module_manager/loading.rb

@@ -8,6 +8,7 @@
 # Project
 #
 require 'msf/core/modules/loader/directory'
+require 'msf/core/modules/loader/executable'
 
 # Deals with loading modules for the {Msf::ModuleManager}
 module Msf::ModuleManager::Loading
@@ -19,7 +20,8 @@ module Msf::ModuleManager::Loading
 
   # Classes that can be used to load modules.
   LOADER_CLASSES = [
-      Msf::Modules::Loader::Directory
+      Msf::Modules::Loader::Directory,
+      Msf::Modules::Loader::Executable # TODO: XXX: When this is the first loader we can load normal exploits, but not payloads
   ]
 
   def file_changed?(path)
@@ -115,8 +117,6 @@ def load_modules(path, options={})
     loaders.each do |loader|
       if loader.loadable?(path)
         count_by_type = loader.load_modules(path, options)
-
-        break
       end
     end
 

lib/msf/core/modules/external.rb

@@ -0,0 +1,7 @@
+# -*- coding: binary -*-
+# Namespace for loading external Metasploit modules
+
+module Msf::Modules::External
+
+end
+

lib/msf/core/modules/external/bridge.rb

@@ -0,0 +1,100 @@
+# -*- coding: binary -*-
+require 'msf/core/modules/external'
+require 'msf/core/modules/external/message'
+require 'open3'
+
+class Msf::Modules::External::Bridge
+
+  attr_reader :path, :running
+
+  def meta
+    @meta ||= describe
+  end
+
+  def run(datastore)
+    unless self.running
+      m = Msf::Modules::External::Message.new(:run)
+      m.params = datastore.dup
+      send(m)
+      self.running = true
+    end
+  end
+
+  def get_status
+    if self.running
+      n = receive_notification
+      if n && n['params']
+        n['params']
+      else
+        close_ios
+        self.running = false
+        n['response'] if n
+      end
+    end
+  end
+
+  def initialize(module_path)
+    self.running = false
+    self.path = module_path
+  end
+
+  protected
+
+  attr_writer :path, :running
+  attr_accessor :ios
+
+  def describe
+    resp = send_receive(Msf::Modules::External::Message.new(:describe))
+    close_ios
+    resp['response']
+  end
+
+  # XXX TODO non-blocking writes, check write lengths, non-blocking JSON parse loop read
+
+  def send_receive(message)
+    send(message)
+    read_json(message.id, self.ios[1])
+  end
+
+  def send(message)
+    input, output, status = ::Open3.popen3([self.path, self.path])
+    self.ios = [input, output, status]
+    case Rex::ThreadSafe.select(nil, [input], nil, 0.1)
+    when nil
+      raise "Cannot run module #{self.path}"
+    when [[], [input], []]
+      m = message.to_json
+      write_message(input, m)
+    else
+      raise "Error running module #{self.path}"
+    end
+  end
+
+  def receive_notification
+    input, output, status = self.ios
+    case Rex::ThreadSafe.select([output], nil, nil, 10)
+    when nil
+      nil
+    when [[output], [], []]
+      read_json(nil, output)
+    end
+  end
+
+  def write_message(fd, json)
+    fd.write(json)
+  end
+
+  def read_json(id, fd)
+    begin
+      resp = fd.readpartial(10_000)
+      JSON.parse(resp)
+    rescue EOFError => e
+      {}
+    end
+  end
+
+  def close_ios
+    input, output, status = self.ios
+    [input, output].each {|fd| fd.close rescue nil} # Yeah, yeah. I know.
+  end
+end

lib/msf/core/modules/external/message.rb

@@ -0,0 +1,24 @@
+# -*- coding: binary -*-
+require 'msf/core/modules/external'
+require 'base64'
+require 'json'
+
+class Msf::Modules::External::Message
+
+  attr_reader :method, :id
+  attr_accessor :params
+
+  def initialize(m)
+    self.method = m
+    self.params = {}
+    self.id = Base64.strict_encode64(SecureRandom.random_bytes(16))
+  end
+
+  def to_json
+    JSON.generate({jsonrpc: '2.0', id: self.id, method: self.method, params: self.params.to_h})
+  end
+
+  protected
+
+  attr_writer :method, :id
+end

lib/msf/core/modules/external/shim.rb

@@ -0,0 +1,103 @@
+# -*- coding: binary -*-
+require 'msf/core/modules/external'
+require 'msf/core/modules/external/bridge'
+
+class Msf::Modules::External::Shim
+  def self.generate(module_path)
+    mod = Msf::Modules::External::Bridge.new(module_path)
+    return '' unless mod.meta
+    case mod.meta['type']
+    when 'remote_exploit.cmd_stager.wget'
+      s = remote_exploit_cmd_stager(mod)
+      File.open('/tmp/module', 'w') {|f| f.write(s)}
+      s
+    end
+  end
+
+  def self.remote_exploit_cmd_stager(mod)
+    %Q|
+require 'msf/core/modules/external/bridge'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => #{mod.meta['name'].dump},
+      'Description' => #{mod.meta['description'].dump},
+      'Author'      =>
+        [
+          #{mod.meta['authors'].map(&:dump).join(', ')}
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          #{mod.meta['references'].map do |r|
+              "[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
+            end.join(', ')}
+        ],
+      'DisclosureDate' => #{mod.meta['date'].dump},
+      'Privileged'     => #{mod.meta['privileged'].inspect},
+      'Platform'       => [#{mod.meta['targets'].map{|t| t['platform'].dump}.uniq.join(', ')}],
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          #{mod.meta['targets'].map do |t|
+            %Q^[#{t['platform'].dump} + ' ' + #{t['arch'].dump},
+                 {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]^
+            end.join(', ')}
+        ],
+      'DefaultTarget'   => 0,
+      'DefaultOptions' => { 'WfsDelay' => 5 }
+      ))
+
+      register_options([
+        #{mod.meta['options'].map do |n, o|
+            "Opt#{o['type'].capitalize}.new(#{n.dump},
+              [#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}])"
+          end.join(', ')}
+      ], self.class)
+  end
+
+  def execute_command(cmd, opts)
+    mod = Msf::Modules::External::Bridge.new(#{mod.path.dump})
+    mod.run(datastore.merge(command: cmd))
+    wait_status(mod)
+    true
+  end
+
+  def exploit
+    print_status("Exploiting...")
+    execute_cmdstager({:flavor  => :wget})
+  end
+
+  def wait_status(mod)
+    while mod.running
+      m = mod.get_status
+      if m
+        case m['level']
+        when 'error'
+          print_error m['message']
+        when 'warning'
+          print_warning m['message']
+        when 'good'
+          print_good m['message']
+        when 'info'
+          print_status m['message']
+        when 'debug'
+          vprint_status m['message']
+        else
+          print_status m['message']
+        end
+      end
+    end
+  end
+end
+    |
+  end
+end

lib/msf/core/modules/loader/directory.rb

@@ -11,11 +11,7 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
   # @return [true] if path is a directory
   # @return [false] otherwise
   def loadable?(path)
-    if File.directory?(path)
-      true
-    else
-      false
-    end
+    File.directory?(path)
   end
 
   protected
@@ -35,8 +31,7 @@ def each_module_reference_name(path, opts={})
       full_entry_path = ::File.join(path, entry)
       type = entry.singularize
 
-      unless ::File.directory?(full_entry_path) and
-             module_manager.type_enabled? type
+      unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type)
         next
       end