Land rapid7#6067, @bigendiansmalls' MainframeShell class

wvu · wvu · commit 5ad30d007001 · 2015-10-26T16:01:18.000-05:00
diff --git a/lib/msf/base/sessions/mainframe_shell.rb b/lib/msf/base/sessions/mainframe_shell.rb
@@ -0,0 +1,149 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/command_shell'
+
+module Msf::Sessions
+
+###
+#
+# This class provides basic interaction with a Unix Systems Service
+# command shell on a mainframe (IBM System Z) running Z/OS
+# This session is initialized with a stream that will be used
+# as the pipe for reading and writing the command shell.
+#
+#  Date:    Oct 8, 2015
+#  Author:  Bigendian Smalls
+#
+###
+class MainframeShell < Msf::Sessions::CommandShell
+
+  #
+  # This interface supports basic interaction.
+  #
+  include Msf::Session::Basic
+
+  #
+  # This interface supports interacting with a single command shell.
+  #
+  include Msf::Session::Provider::SingleCommandShell
+
+  ##
+  #
+  # initialize as mf shell session
+  #
+  def initialize(*args)
+    self.platform = "mainframe"
+    self.arch = "zarch"
+    self.translate_1047 = true
+    super
+  end
+
+  ##
+  #
+  # Returns the session description.
+  #
+  def desc
+    "Mainframe shell"
+  end
+
+  ##
+  #
+  # override shell_read to include decode of cp1047
+  #
+  def shell_read(length=-1, timeout=1)
+    #mfimpl
+    if self.respond_to?(:ring)
+      return Rex::Text.from_ibm1047(shell_read_ring(length,timeout))
+    end
+
+    begin
+      rv = Rex::Text.from_ibm1047(rstream.get_once(length, timeout))
+      framework.events.on_session_output(self, rv) if rv
+      return rv
+    rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
+      shell_close
+      raise e
+    end
+  end
+
+  ##
+  #
+  # override shell_write to include encode of cp1047
+  #
+  def shell_write(buf)
+    #mfimpl
+    return unless buf
+
+    begin
+      framework.events.on_session_command(self, buf.strip)
+      rstream.write(Rex::Text.to_ibm1047(buf))
+    rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
+      shell_close
+      raise e
+    end
+  end
+
+  def execute_file(full_path, args)
+    #mfimpl
+    raise NotImplementedError
+  end
+
+  # need to do more testing on this before we either use the default in command_shell
+  # or write a new one.  For now we just make it unavailble. This prevents a hang on
+  # initial session creation.  See PR#6067
+  undef_method  :process_autoruns
+
+  def desc
+    "Mainframe USS session"
+  end
+
+  attr_accessor :translate_1047   # tells the session whether or not to translate
+                                  # ebcdic (cp1047) <-> ASCII for certain mainframe payloads
+                                  # this will be used in post modules to be able to switch on/off the
+                                  # translation on file transfers, for instance
+
+  protected
+
+  ##
+  #
+  # _interact_ring overridden to include decoding of cp1047 data
+  #
+  def _interact_ring
+    begin
+      rdr = framework.threads.spawn("RingMonitor", false) do
+        seq = nil
+
+        while self.interacting
+          # Look for any pending data from the remote ring
+          nseq,data = ring.read_data(seq)
+
+          # Update the sequence number if necessary
+          seq = nseq || seq
+
+          # Write output to the local stream if successful
+          user_output.print(Rex::Text.from_ibm1047(data)) if data
+
+          begin
+            # Wait for new data to arrive on this session
+            ring.wait(seq)
+          rescue EOFError => e
+            print_error("EOFError: #{e.class}: #{e}")
+            break
+          end
+        end
+      end
+
+      while self.interacting
+        # Look for any pending input or errors from the local stream
+        sd = Rex::ThreadSafe.select([ _local_fd ], nil, [_local_fd], 5.0)
+
+        # Write input to the ring's input mechanism
+        shell_write(user_input.gets) if sd
+      end
+    ensure
+      rdr.kill
+    end
+  end
+
+end
+end
diff --git a/spec/lib/msf/base/sessions/mainframe_shell_spec.rb b/spec/lib/msf/base/sessions/mainframe_shell_spec.rb
@@ -0,0 +1,44 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+require 'msf/base/sessions/mainframe_shell'
+
+##
+#
+#  A quick test that MainframeShell is operable
+#  Author: Bigendian Smalls
+#
+describe Msf::Sessions::MainframeShell do
+  it 'extends Msf::Sessions::CommandShell to include EBCDIC cp1047 codepage translation' do
+  args=[0,
+   {:datastore=>
+     {"VERBOSE"=>false,
+      "WfsDelay"=>0,
+      "EnableContextEncoding"=>false,
+      "DisablePayloadHandler"=>false,
+      "ConnectTimeout"=>10,
+      "TCP::max_send_size"=>0,
+      "TCP::send_delay"=>0,
+      "RPORT"=>4444,
+      "payload"=>"mainframe/shell_reverse_notranslate_tcp",
+      "LPORT"=>5555,
+      "LHOST"=>"127.0.0.1",
+      "RHOST"=>"127.0.0.2",
+      "CPORT"=>0,
+      "ReverseConnectRetries"=>5,
+      "ReverseAllowProxy"=>false,
+      "ReverseListenerThreaded"=>false,
+      "InitialAutoRunScript"=>"",
+      "AutoRunScript"=>"",
+      "ReverseListenerBindPort"=>0,
+      "TARGET"=>0},
+    :expiration=>0,
+    :comm_timeout=>0,
+    :retry_total=>0,
+    :retry_wait=>0}]
+    expect(described_class.name).to eq('Msf::Sessions::MainframeShell')
+    mfshell = Msf::Sessions::MainframeShell.new(args)
+    expect(mfshell.platform).to eq('mainframe')
+    expect(mfshell.arch).to eq('zarch')
+    expect(mfshell.respond_to?(:translate_1047))
+  end
+end
