Support arbitrary external command_stager exploits

So much done, so much more to do.

Author: acammack-r7

lib/msf/core/modules/external.rb

@@ -0,0 +1,7 @@
+# -*- coding: binary -*-
+# Namespace for loading external Metasploit modules
+
+module Msf::Modules::External
+
+end
+

lib/msf/core/modules/external/bridge.rb

@@ -0,0 +1,96 @@
+# -*- coding: binary -*-
+require 'msf/core/modules/external'
+require 'msf/core/modules/external/message'
+require 'open3'
+
+class Msf::Modules::External::Bridge
+
+  attr_reader :path, :running
+
+  def meta
+    @meta ||= describe
+  end
+
+  def run(datastore)
+    unless self.running
+      m = Msf::Modules::External::Message.new(:run)
+      m.params = datastore.dup
+      send(m)
+      self.running = true
+    end
+  end
+
+  def get_status
+    if self.running
+      n = receive_notification
+      if n && n['params']
+        n['params']
+      else
+        close_ios
+        self.running = false
+        n['response'] if n
+      end
+    end
+  end
+
+  def initialize(module_path)
+    self.running = false
+    self.path = module_path
+  end
+
+  protected
+
+  attr_writer :path, :running
+  attr_accessor :ios
+
+  def describe
+    resp = send_receive(Msf::Modules::External::Message.new(:describe))
+    close_ios
+    resp['response']
+  end
+
+  # XXX TODO non-blocking writes, check write lengths, non-blocking JSON parse loop read
+
+  def send_receive(message)
+    send(message)
+    read_json(message.id, self.ios[1])
+  end
+
+  def send(message)
+    input, output, status = ::Open3.popen3([self.path, self.path])
+    self.ios = [input, output, status]
+    case Rex::ThreadSafe.select(nil, [input], nil, 0.1)
+    when nil
+      raise "Cannot run module #{self.path}"
+    when [[], [input], []]
+      m = message.to_json
+      write_message(input, m)
+    else
+      raise "Error running module #{self.path}"
+    end
+  end
+
+  def receive_notification
+    input, output, status = self.ios
+    case Rex::ThreadSafe.select([output], nil, nil, 10)
+    when nil
+      nil
+    when [[output], [], []]
+      read_json(nil, output)
+    end
+  end
+
+  def write_message(fd, json)
+    fd.write(json)
+  end
+
+  def read_json(id, fd)
+    resp = fd.readpartial(10_000)
+    JSON.parse(resp)
+  end
+
+  def close_ios
+    input, output, status = self.ios
+    [input, output].each {|fd| fd.close rescue nil} # Yeah, yeah. I know.
+  end
+end

lib/msf/core/modules/external/message.rb

@@ -0,0 +1,24 @@
+# -*- coding: binary -*-
+require 'msf/core/modules/external'
+require 'base64'
+require 'json'
+
+class Msf::Modules::External::Message
+
+  attr_reader :method, :id
+  attr_accessor :params
+
+  def initialize(m)
+    self.method = m
+    self.params = {}
+    self.id = Base64.strict_encode64(SecureRandom.random_bytes(16))
+  end
+
+  def to_json
+    JSON.generate({jsonrpc: '2.0', id: self.id, method: self.method, params: self.params.to_h})
+  end
+
+  protected
+
+  attr_writer :method, :id
+end

lib/msf/core/modules/external/shim.rb

@@ -0,0 +1,102 @@
+# -*- coding: binary -*-
+require 'msf/core/modules/external'
+require 'msf/core/modules/external/bridge'
+
+class Msf::Modules::External::Shim
+  def self.generate(module_path)
+    mod = Msf::Modules::External::Bridge.new(module_path)
+    case mod.meta['type']
+    when 'remote_exploit.cmd_stager.wget'
+      s = remote_exploit_cmd_stager(mod)
+      File.open('/tmp/module', 'w') {|f| f.write(s)}
+      s
+    end
+  end
+
+  def self.remote_exploit_cmd_stager(mod)
+    %Q|
+require 'msf/core/modules/external/bridge'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => #{mod.meta['name'].dump},
+      'Description' => #{mod.meta['description'].dump},
+      'Author'      =>
+        [
+          #{mod.meta['authors'].map(&:dump).join(', ')}
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          #{mod.meta['references'].map do |r|
+              "[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
+            end.join(', ')}
+        ],
+      'DisclosureDate' => #{mod.meta['date'].dump},
+      'Privileged'     => #{mod.meta['privileged'].inspect},
+      'Platform'       => [#{mod.meta['targets'].map{|t| t['platform'].dump}.uniq.join(', ')}],
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          #{mod.meta['targets'].map do |t|
+            %Q^[#{t['platform'].dump} + ' ' + #{t['arch'].dump},
+                 {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]^
+            end.join(', ')}
+        ],
+      'DefaultTarget'   => 0,
+      'DefaultOptions' => { 'WfsDelay' => 5 }
+      ))
+
+      register_options([
+        #{mod.meta['options'].map do |n, o|
+            "Opt#{o['type'].capitalize}.new(#{n.dump},
+              [#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}])"
+          end.join(', ')}
+      ], self.class)
+  end
+
+  def execute_command(cmd, opts)
+    mod = Msf::Modules::External::Bridge.new(#{mod.path.dump})
+    mod.run(datastore.merge(command: cmd))
+    wait_status(mod)
+    true
+  end
+
+  def exploit
+    print_status("Exploiting...")
+    execute_cmdstager({:flavor  => :wget})
+  end
+
+  def wait_status(mod)
+    while mod.running
+      m = mod.get_status
+      if m
+        case m['level']
+        when 'error'
+          print_error m['message']
+        when 'warning'
+          print_warning m['message']
+        when 'good'
+          print_good m['message']
+        when 'info'
+          print_status m['message']
+        when 'debug'
+          vprint_status m['message']
+        else
+          print_status m['message']
+        end
+      end
+    end
+  end
+end
+    |
+  end
+end

lib/msf/core/modules/loader/executable.rb

@@ -2,6 +2,7 @@
 
 require 'msf/core/modules/loader'
 require 'msf/core/modules/loader/base'
+require 'msf/core/modules/external/shim'
 
 # Concerns loading executables from a directory as modules
 class Msf::Modules::Loader::Executable < Msf::Modules::Loader::Base
@@ -81,80 +82,6 @@ def read_module_content(parent_path, type, module_reference_name)
       load_error(full_path, Errno::ENOENT.new)
       return ''
     end
-    %Q|
-require 'msf/core'
-
-class MetasploitModule < Msf::Exploit::Remote
-  Rank = ExcellentRanking
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Haraka Remote Command Injection',
-      'Description' => %q{
-        Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command
-        injection. This vulnerability was used from the so-called "TheMoon" worm. There
-        are many Linksys systems that are potentially vulnerable, including E4200, E3200, E3000,
-        E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. This module was tested
-        successfully against an E1500 v1.0.5.
-      },
-      'Author'      =>
-        [
-          'Johannes Ullrich', #worm discovery
-          'Rew', # original exploit
-          'infodox', # another exploit
-          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
-          'juan vazquez' # minor help with msf module
-        ],
-      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          [ 'EDB', '31683' ],
-          [ 'BID', '65585' ],
-          [ 'OSVDB', '103321' ],
-          [ 'PACKETSTORM', '125253' ],
-          [ 'PACKETSTORM', '125252' ],
-          [ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ],
-          [ 'URL', 'https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Captured/17630' ]
-        ],
-      'DisclosureDate' => 'Feb 13 2014',
-      'Privileged'     => true,
-      'Platform'       => %w{ linux unix },
-      'Payload'        =>
-        {
-          'DisableNops' => true
-        },
-      'Targets'        =>
-        [
-          [ 'Linux x64 Payload',
-            {
-            'Arch' => ARCH_X64,
-            'Platform' => 'linux'
-            }
-          ]
-        ],
-      'DefaultTarget'   => 0,
-      'DefaultOptions' => { 'WfsDelay' => 5 }
-      ))
-  end
-
-  def execute_command(cmd, opts)
-    to = 'admin@arnold'
-    rhost = '192.168.244.130'
-    `#{module_path(parent_path, type, module_reference_name)} -c "\#{cmd}" -t \#{to} -m \#{rhost}`
-    true
-  end
-
-  def exploit
-    print_status("Trying to access the vulnerable URL...")
-
-    print_status("Exploiting...")
-    execute_cmdstager({:flavor  => :wget})
-  end
-
-
-end
-    |
+    Msf::Modules::External::Shim.generate(full_path)
   end
 end