lib/msf/core/handler/reverse_tcp.rb

require 'rex/socket'
require 'thread'

module Msf
module Handler

###
#
# This module implements the reverse TCP handler.  This means
# that it listens on a port waiting for a connection until
# either one is established or it is told to abort.
#
# This handler depends on having a local host and port to
# listen on.
#
###
module ReverseTcp

	include Msf::Handler

	#
	# Returns the string representation of the handler type, in this case
	# 'reverse_tcp'.
	#
	def self.handler_type
		return "reverse_tcp"
	end

	#
	# Returns the connection-described general handler type, in this case
	# 'reverse'.
	#
	def self.general_handler_type
		"reverse"
	end

	#
	# Initializes the reverse TCP handler and ads the options that are required
	# for all reverse TCP payloads, like local host and local port.
	#
	def initialize(info = {})
		super

		register_options(
			[
				Opt::LHOST,
				Opt::LPORT(4444)
			], Msf::Handler::ReverseTcp)

		# XXX: Not supported by all modules
		register_advanced_options(
			[
				OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),
				OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
				OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
			], Msf::Handler::ReverseTcp)


		self.handler_queue = ::Queue.new
	end

	#
	# Starts the listener but does not actually attempt
	# to accept a connection.  Throws socket exceptions
	# if it fails to start the listener.
	#
	def setup_handler
		if datastore['Proxies']
			raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies'
		end

		ex = false
		# Switch to IPv6 ANY address if the LHOST is also IPv6
		addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
		# First attempt to bind LHOST. If that fails, the user probably has
		# something else listening on that interface. Try again with ANY_ADDR.
		any = (addr.length == 4) ? "0.0.0.0" : "::0"

		addrs = [ Rex::Socket.addr_ntoa(addr), any  ]

		comm  = datastore['ReverseListenerComm']
		if comm.to_s == "local"
			comm = ::Rex::Socket::Comm::Local
		else
			comm = nil
		end

		if not datastore['ReverseListenerBindAddress'].to_s.empty?
			# Only try to bind to this specific interface
			addrs = [ datastore['ReverseListenerBindAddress'] ]

			# Pick the right "any" address if either wildcard is used
			addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
		end
		addrs.each { |ip|
			begin

				self.listener_sock = Rex::Socket::TcpServer.create(
					'LocalHost' => ip,
					'LocalPort' => datastore['LPORT'].to_i,
					'Comm'      => comm,
					'Context'   =>
						{
							'Msf'        => framework,
							'MsfPayload' => self,
							'MsfExploit' => assoc_exploit
						})

				ex = false

				comm_used = comm || Rex::Socket::SwitchBoard.best_comm( ip )
				comm_used = Rex::Socket::Comm::Local if comm_used == nil

				if( comm_used.respond_to?( :type ) and comm_used.respond_to?( :sid ) )
					via = "via the #{comm_used.type} on session #{comm_used.sid}"
				else
					via = ""
				end

				print_status("Started reverse handler on #{ip}:#{datastore['LPORT']} #{via}")
				break
			rescue
				ex = $!
				print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
			end
		}
		raise ex if (ex)
	end

	#
	# Closes the listener socket if one was created.
	#
	def cleanup_handler
		stop_handler
	end

	#
	# Starts monitoring for an inbound connection.
	#
	def start_handler
		self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{datastore['LPORT']}", false) {
			client = nil

			begin
				# Accept a client connection
				begin
					client = self.listener_sock.accept
				rescue
					wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")
					break
				end

				# Increment the has connection counter
				self.pending_connections += 1

				self.handler_queue.push( client )
			end while true
		}

		self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{datastore['LPORT']}", false) {
			while true
				client = self.handler_queue.pop
				begin
					handle_connection(client)
				rescue ::Exception
					elog("Exception raised from handle_connection: #{$!.class}: #{$!}\n\n#{$@.join("\n")}")
				end
			end
		}

	end

	#
	# Stops monitoring for an inbound connection.
	#
	def stop_handler
		# Terminate the listener thread
		if (self.listener_thread and self.listener_thread.alive? == true)
			self.listener_thread.kill
			self.listener_thread = nil
		end

		# Terminate the handler thread
		if (self.handler_thread and self.handler_thread.alive? == true)
			self.handler_thread.kill
			self.handler_thread = nil
		end

		if (self.listener_sock)
			self.listener_sock.close
			self.listener_sock = nil
		end
	end

protected

	attr_accessor :listener_sock # :nodoc:
	attr_accessor :listener_thread # :nodoc:
	attr_accessor :handler_thread # :nodoc:
	attr_accessor :handler_queue # :nodoc:
end

end
end
Reverting the autoload changes until we can upgrade to a new ActiveSupport library or find a workaround 2011-05-12 20:03:55 +00:00			`require 'rex/socket'`
Major cleanups to the session manager, serialized processing of incoming connections, concurrent processing (up to a max scheduler thread count) of meterpreter initialization/scripts. This is to avoid a potential deadlock in openssl and ensure consistent, reliable session staging. This commit also fixes a bug that would mark database sessions as closed too early. 2011-04-30 18:51:50 +00:00			`require 'thread'`
Commit the Ruby end for TCP server channels, the modified TCP client channels and the support for pivoting a reverse_tcp meterpreter. 2010-02-06 17:59:25 +00:00
started working on handlers 2005-07-11 02:03:48 +00:00			`module Msf`
			`module Handler`

			`###`
			`#`
			`# This module implements the reverse TCP handler. This means`
			`# that it listens on a port waiting for a connection until`
			`# either one is established or it is told to abort.`
			`#`
			`# This handler depends on having a local host and port to`
			`# listen on.`
			`#`
			`###`
			`module ReverseTcp`

exploitation progress 2005-07-15 23:46:05 +00:00			`include Msf::Handler`

last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
			`# Returns the string representation of the handler type, in this case`
			`# 'reverse_tcp'.`
			`#`
introducing handlers to the mix 2005-07-11 04:07:52 +00:00			`def self.handler_type`
			`return "reverse_tcp"`
			`end`

last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
			`# Returns the connection-described general handler type, in this case`
			`# 'reverse'.`
			`#`
initial support for compat filtering, may be buggy 2005-10-19 01:48:10 +00:00			`def self.general_handler_type`
			`"reverse"`
			`end`

last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
			`# Initializes the reverse TCP handler and ads the options that are required`
			`# for all reverse TCP payloads, like local host and local port.`
			`#`
started working on handlers 2005-07-11 02:03:48 +00:00			`def initialize(info = {})`
			`super`

			`register_options(`
			`[`
lots of changes, making the simple wrapper better, lots of improvements 2005-07-14 06:34:58 +00:00			`Opt::LHOST,`
started working on handlers 2005-07-11 02:03:48 +00:00			`Opt::LPORT(4444)`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00			`], Msf::Handler::ReverseTcp)`
started working on handlers 2005-07-11 02:03:48 +00:00
Fixes #342 . Set ReverseConnectRetries to a value between 1 and 255 (default is 5). On failure it will ExitProcess (still better than a cpu spin) 2009-10-20 20:31:14 +00:00			`# XXX: Not supported by all modules`
			`register_advanced_options(`
			`[`
This commit adds a new option to all reverse handlers: ReverseListenerBindAddress. This setting determines exactly what address is bound on the local system 2010-09-25 03:25:09 +00:00			`OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),`
This commit brings configurability to TCP Servers as to which Comm they use. The ReverseListenerComm and ListenerComm advanced options can be used to prevent a given listener from trying to bind a listener over the pivoted routed. This is useful for a number of situations and not possible to configure explicitly before. 2010-10-04 02:11:22 +00:00			`OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),`
			`OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),`
Fixes #342 . Set ReverseConnectRetries to a value between 1 and 255 (default is 5). On failure it will ExitProcess (still better than a cpu spin) 2009-10-20 20:31:14 +00:00			`], Msf::Handler::ReverseTcp)`

massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
Major cleanups to the session manager, serialized processing of incoming connections, concurrent processing (up to a max scheduler thread count) of meterpreter initialization/scripts. This is to avoid a potential deadlock in openssl and ensure consistent, reliable session staging. This commit also fixes a bug that would mark database sessions as closed too early. 2011-04-30 18:51:50 +00:00			`self.handler_queue = ::Queue.new`
started working on handlers 2005-07-11 02:03:48 +00:00			`end`

			`#`
			`# Starts the listener but does not actually attempt`
			`# to accept a connection. Throws socket exceptions`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# if it fails to start the listener.`
started working on handlers 2005-07-11 02:03:48 +00:00			`#`
			`def setup_handler`
Tabs vs Spaces 2006-01-27 05:33:08 +00:00			`if datastore['Proxies']`
Dont print the bind message for the any address 2009-09-24 20:52:58 +00:00			`raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies'`
Tabs vs Spaces 2006-01-27 05:33:08 +00:00			`end`
Proxy chaining patch from bmc 2005-12-18 02:19:21 +00:00
better handling of LHOST vs 0.0.0.0; fixes #262 again 2008-11-21 05:12:31 +00:00			`ex = false`
Adds initial support for IPv6, including two stager. Tested Meterpreter over IPv6 stages on XP and Vista. Using this is still tricky, I will add a wiki page tomorrow to explain the ScopeID stuff for link-local testing. This commit also includes the raw (oversized) assembler for the stagers as well as the entire old metasploit assembly set (useful for development). 2008-08-22 06:34:57 +00:00			`# Switch to IPv6 ANY address if the LHOST is also IPv6`
			`addr = Rex::Socket.resolv_nbo(datastore['LHOST'])`
Commit the Ruby end for TCP server channels, the modified TCP client channels and the support for pivoting a reverse_tcp meterpreter. 2010-02-06 17:59:25 +00:00			`# First attempt to bind LHOST. If that fails, the user probably has`
			`# something else listening on that interface. Try again with ANY_ADDR.`
un-break reverse handler for ipv6 2008-11-21 05:34:39 +00:00			`any = (addr.length == 4) ? "0.0.0.0" : "::0"`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
This commit adds a new option to all reverse handlers: ReverseListenerBindAddress. This setting determines exactly what address is bound on the local system 2010-09-25 03:25:09 +00:00			`addrs = [ Rex::Socket.addr_ntoa(addr), any ]`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
This commit brings configurability to TCP Servers as to which Comm they use. The ReverseListenerComm and ListenerComm advanced options can be used to prevent a given listener from trying to bind a listener over the pivoted routed. This is useful for a number of situations and not possible to configure explicitly before. 2010-10-04 02:11:22 +00:00			`comm = datastore['ReverseListenerComm']`
			`if comm.to_s == "local"`
			`comm = ::Rex::Socket::Comm::Local`
			`else`
			`comm = nil`
			`end`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
This commit adds a new option to all reverse handlers: ReverseListenerBindAddress. This setting determines exactly what address is bound on the local system 2010-09-25 03:25:09 +00:00			`if not datastore['ReverseListenerBindAddress'].to_s.empty?`
Allows 0.0.0.0/::0 to be used in place of the real "any" address regardless of socket type when the bind address is specified 2010-09-25 03:28:19 +00:00			`# Only try to bind to this specific interface`
This commit adds a new option to all reverse handlers: ReverseListenerBindAddress. This setting determines exactly what address is bound on the local system 2010-09-25 03:25:09 +00:00			`addrs = [ datastore['ReverseListenerBindAddress'] ]`
Allows 0.0.0.0/::0 to be used in place of the real "any" address regardless of socket type when the bind address is specified 2010-09-25 03:28:19 +00:00
			`# Pick the right "any" address if either wildcard is used`
			`addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")`
This commit adds a new option to all reverse handlers: ReverseListenerBindAddress. This setting determines exactly what address is bound on the local system 2010-09-25 03:25:09 +00:00			`end`
			`addrs.each { \|ip\|`
Dont print the bind message for the any address 2009-09-24 20:52:58 +00:00			`begin`
Commit the Ruby end for TCP server channels, the modified TCP client channels and the support for pivoting a reverse_tcp meterpreter. 2010-02-06 17:59:25 +00:00
better handling of LHOST vs 0.0.0.0; fixes #262 again 2008-11-21 05:12:31 +00:00			`self.listener_sock = Rex::Socket::TcpServer.create(`
			`'LocalHost' => ip,`
			`'LocalPort' => datastore['LPORT'].to_i,`
This commit brings configurability to TCP Servers as to which Comm they use. The ReverseListenerComm and ListenerComm advanced options can be used to prevent a given listener from trying to bind a listener over the pivoted routed. This is useful for a number of situations and not possible to configure explicitly before. 2010-10-04 02:11:22 +00:00			`'Comm' => comm,`
better handling of LHOST vs 0.0.0.0; fixes #262 again 2008-11-21 05:12:31 +00:00			`'Context' =>`
			`{`
			`'Msf' => framework,`
			`'MsfPayload' => self,`
			`'MsfExploit' => assoc_exploit`
			`})`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
better handling of LHOST vs 0.0.0.0; fixes #262 again 2008-11-21 05:12:31 +00:00			`ex = false`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
This commit brings configurability to TCP Servers as to which Comm they use. The ReverseListenerComm and ListenerComm advanced options can be used to prevent a given listener from trying to bind a listener over the pivoted routed. This is useful for a number of situations and not possible to configure explicitly before. 2010-10-04 02:11:22 +00:00			`comm_used = comm \|\| Rex::Socket::SwitchBoard.best_comm( ip )`
Commit the Ruby end for TCP server channels, the modified TCP client channels and the support for pivoting a reverse_tcp meterpreter. 2010-02-06 17:59:25 +00:00			`comm_used = Rex::Socket::Comm::Local if comm_used == nil`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
Commit the Ruby end for TCP server channels, the modified TCP client channels and the support for pivoting a reverse_tcp meterpreter. 2010-02-06 17:59:25 +00:00			`if( comm_used.respond_to?( :type ) and comm_used.respond_to?( :sid ) )`
			`via = "via the #{comm_used.type} on session #{comm_used.sid}"`
			`else`
			`via = ""`
			`end`

			`print_status("Started reverse handler on #{ip}:#{datastore['LPORT']} #{via}")`
better handling of LHOST vs 0.0.0.0; fixes #262 again 2008-11-21 05:12:31 +00:00			`break`
			`rescue`
			`ex = $!`
Commit the Ruby end for TCP server channels, the modified TCP client channels and the support for pivoting a reverse_tcp meterpreter. 2010-02-06 17:59:25 +00:00			`print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")`
better handling of LHOST vs 0.0.0.0; fixes #262 again 2008-11-21 05:12:31 +00:00			`end`
			`}`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00			`raise ex if (ex)`
started working on handlers 2005-07-11 02:03:48 +00:00			`end`

			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Closes the listener socket if one was created.`
started working on handlers 2005-07-11 02:03:48 +00:00			`#`
			`def cleanup_handler`
vncinject payload 2005-12-12 07:07:19 +00:00			`stop_handler`
started working on handlers 2005-07-11 02:03:48 +00:00			`end`

			`#`
			`# Starts monitoring for an inbound connection.`
			`#`
			`def start_handler`
This patch adds detailed thread tracking across the metasploit framework, along with a new console command (threads) to manage these. This level of tracking is required to accurately monitor background tasks, assist with debugging, and kill orphaned threads. 2010-11-12 06:19:49 +00:00			`self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{datastore['LPORT']}", false) {`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`client = nil`
fixed stager merging, made things a bit more pimply 2005-07-17 06:01:11 +00:00
started working on handlers 2005-07-11 02:03:48 +00:00			`begin`
support for multiple con-current sessions 2005-09-23 06:08:04 +00:00			`# Accept a client connection`
some more madness 2005-07-16 08:12:58 +00:00			`begin`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00			`client = self.listener_sock.accept`
some more madness 2005-07-16 08:12:58 +00:00			`rescue`
vncinject payload 2005-12-12 07:07:19 +00:00			`wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")`
Minor improvements and corner case bug fixes to session handling. This fixes issues that can come up when a stream is shut down 2010-12-18 03:00:26 +00:00			`break`
some more madness 2005-07-16 08:12:58 +00:00			`end`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit 2005-11-11 01:22:03 +00:00
			`# Increment the has connection counter`
			`self.pending_connections += 1`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
Major cleanups to the session manager, serialized processing of incoming connections, concurrent processing (up to a max scheduler thread count) of meterpreter initialization/scripts. This is to avoid a potential deadlock in openssl and ensure consistent, reliable session staging. This commit also fixes a bug that would mark database sessions as closed too early. 2011-04-30 18:51:50 +00:00			`self.handler_queue.push( client )`
support for multiple con-current sessions 2005-09-23 06:08:04 +00:00			`end while true`
started working on handlers 2005-07-11 02:03:48 +00:00			`}`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
Major cleanups to the session manager, serialized processing of incoming connections, concurrent processing (up to a max scheduler thread count) of meterpreter initialization/scripts. This is to avoid a potential deadlock in openssl and ensure consistent, reliable session staging. This commit also fixes a bug that would mark database sessions as closed too early. 2011-04-30 18:51:50 +00:00			`self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{datastore['LPORT']}", false) {`
			`while true`
			`client = self.handler_queue.pop`
			`begin`
			`handle_connection(client)`
			`rescue ::Exception`
add ability to use arbitrary certs with SSL server sockets. 2011-05-20 23:12:35 +00:00			`elog("Exception raised from handle_connection: #{$!.class}: #{$!}\n\n#{$@.join("\n")}")`
Major cleanups to the session manager, serialized processing of incoming connections, concurrent processing (up to a max scheduler thread count) of meterpreter initialization/scripts. This is to avoid a potential deadlock in openssl and ensure consistent, reliable session staging. This commit also fixes a bug that would mark database sessions as closed too early. 2011-04-30 18:51:50 +00:00			`end`
			`end`
			`}`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
started working on handlers 2005-07-11 02:03:48 +00:00			`end`

massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Stops monitoring for an inbound connection.`
started working on handlers 2005-07-11 02:03:48 +00:00			`#`
			`def stop_handler`
			`# Terminate the listener thread`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`if (self.listener_thread and self.listener_thread.alive? == true)`
			`self.listener_thread.kill`
			`self.listener_thread = nil`
started working on handlers 2005-07-11 02:03:48 +00:00			`end`
ported ie object type, more work on http stuff 2005-09-22 03:24:32 +00:00
Major cleanups to the session manager, serialized processing of incoming connections, concurrent processing (up to a max scheduler thread count) of meterpreter initialization/scripts. This is to avoid a potential deadlock in openssl and ensure consistent, reliable session staging. This commit also fixes a bug that would mark database sessions as closed too early. 2011-04-30 18:51:50 +00:00			`# Terminate the handler thread`
			`if (self.handler_thread and self.handler_thread.alive? == true)`
			`self.handler_thread.kill`
			`self.handler_thread = nil`
			`end`
massive removal of spaces at EOL and some bad tabs 2011-11-20 12:32:06 +11:00
ported ie object type, more work on http stuff 2005-09-22 03:24:32 +00:00			`if (self.listener_sock)`
			`self.listener_sock.close`
			`self.listener_sock = nil`
			`end`
started working on handlers 2005-07-11 02:03:48 +00:00			`end`

			`protected`

last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`attr_accessor :listener_sock # :nodoc:`
			`attr_accessor :listener_thread # :nodoc:`
Major cleanups to the session manager, serialized processing of incoming connections, concurrent processing (up to a max scheduler thread count) of meterpreter initialization/scripts. This is to avoid a potential deadlock in openssl and ensure consistent, reliable session staging. This commit also fixes a bug that would mark database sessions as closed too early. 2011-04-30 18:51:50 +00:00			`attr_accessor :handler_thread # :nodoc:`
			`attr_accessor :handler_queue # :nodoc:`
started working on handlers 2005-07-11 02:03:48 +00:00			`end`

			`end`
bind to LHOST instead of 0.0.0.0, fixes #262 2008-11-21 01:09:17 +00:00			`end`