Land rapid7#9524, prefer 'shell' channels over 'exec' channels for ssh CommandStream

Author: busterb

lib/net/ssh/command_stream.rb

@@ -15,15 +15,42 @@ module PeerInfo
     attr_accessor :localinfo
   end
 
-  def initialize(ssh, cmd, cleanup = false)
+  def shell_requested(channel, success)
+    raise "could not request ssh shell" unless success
+    channel[:data] = ''
+
+    channel.on_eof do
+      self.rsock.close rescue nil
+      self.ssh.close rescue nil
+      self.thread.kill
+    end
+
+    channel.on_close do
+      self.rsock.close rescue nil
+      self.ssh.close rescue nil
+      self.thread.kill
+    end
+
+    channel.on_data do |ch,data|
+      self.rsock.write(data)
+    end
+
+    channel.on_extended_data do |ch, ctype, data|
+      self.rsock.write(data)
+    end
+
+    self.channel = channel
+  end
+
+  def initialize(ssh, cmd = nil, cleanup = true)
 
     self.lsock, self.rsock = Rex::Socket.tcp_socket_pair()
     self.lsock.extend(Rex::IO::Stream)
     self.lsock.extend(PeerInfo)
     self.rsock.extend(Rex::IO::Stream)
 
     self.ssh = ssh
-    self.thread = Thread.new(ssh,cmd,cleanup) do |rssh,rcmd,rcleanup|
+    self.thread = Thread.new(ssh,cmd,cleanup) do |rssh, rcmd, rcleanup|
 
       begin
         info = rssh.transport.socket.getpeername_as_array
@@ -33,32 +60,10 @@ def initialize(ssh, cmd, cleanup = false)
         self.lsock.localinfo = "#{info[1]}:#{info[2]}"
 
         rssh.open_channel do |rch|
-          rch.exec(rcmd) do |c, success|
-            raise "could not execute command: #{rcmd.inspect}" unless success
-
-            c[:data] = ''
-
-            c.on_eof do
-              self.rsock.close rescue nil
-              self.ssh.close rescue nil
-              self.thread.kill
-            end
-
-            c.on_close do
-              self.rsock.close rescue nil
-              self.ssh.close rescue nil
-              self.thread.kill
-            end
-
-            c.on_data do |ch,data|
-              self.rsock.write(data)
-            end
-
-            c.on_extended_data do |ch, ctype, data|
-              self.rsock.write(data)
-            end
-
-            self.channel = c
+          if cmd.nil?
+            rch.send_channel_request("shell", &method(:shell_requested))
+          else
+            rch.exec(rsh, &method(:shell_requested))
           end
         end
 
@@ -85,7 +90,7 @@ def initialize(ssh, cmd, cleanup = false)
       end
 
       # Shut down the SSH session if requested
-      if(rcleanup)
+      if rcleanup
         rssh.close
       end
     end

modules/auxiliary/scanner/ssh/ssh_login.rb

@@ -57,7 +57,7 @@ def session_setup(result, ssh_socket)
     return unless ssh_socket
 
     # Create a new session
-    conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
+    conn = Net::SSH::CommandStream.new(ssh_socket)
 
     merge_me = {
       'USERPASS_FILE' => nil,

modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb

@@ -72,7 +72,7 @@ def session_setup(result, ssh_socket, fingerprint)
     return unless ssh_socket
 
     # Create a new session from the socket
-    conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
+    conn = Net::SSH::CommandStream.new(ssh_socket)
 
     # Clean up the stored data - need to stash the keyfile into
     # a datastore for later reuse.

modules/exploits/apple_ios/ssh/cydia_default_ssh.rb

@@ -110,7 +110,7 @@ def do_login(user, pass)
     end
 
     if ssh
-      conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
+      conn = Net::SSH::CommandStream.new(ssh)
       ssh = nil
       return conn
     end

modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb

@@ -106,7 +106,7 @@ def do_login(user)
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
+      conn = Net::SSH::CommandStream.new(ssh_socket)
       ssh_socket = nil
 
       return conn

modules/exploits/linux/ssh/exagrid_known_privkey.rb

@@ -94,7 +94,7 @@ def do_login(ssh_options)
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i', true)
+      conn = Net::SSH::CommandStream.new(ssh_socket)
       ssh_socket = nil
 
       return conn

modules/exploits/linux/ssh/f5_bigip_known_privkey.rb

@@ -109,7 +109,7 @@ def do_login(user)
     return false unless ssh_socket
 
     # Create a new session from the socket, then dump it.
-    conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
+    conn = Net::SSH::CommandStream.new(ssh_socket)
     ssh_socket = nil
     conn
   end

modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb

@@ -103,7 +103,7 @@ def do_login(user)
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true)
+      conn = Net::SSH::CommandStream.new(ssh_socket)
       ssh_socket = nil
 
       return conn

modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb

@@ -102,7 +102,7 @@ def do_login(user)
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true)
+      conn = Net::SSH::CommandStream.new(ssh_socket)
       ssh_socket = nil
 
       return conn

modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb

@@ -114,7 +114,7 @@ def do_login(user, pass)
     end
 
     if ssh
-      conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', true)
+      conn = Net::SSH::CommandStream.new(ssh, 'shell-escape')
       return conn
     end