lib/msf/base/sessions/command_shell.rb

require 'msf/base'
require 'msf/base/sessions/scriptable'

module Msf
module Sessions

###
#
# This class provides basic interaction with a command shell on the remote
# endpoint.  This session is initialized with a stream that will be used
# as the pipe for reading and writing the command shell.
#
###
class CommandShell

	#
	# This interface supports basic interaction.
	#
	include Msf::Session::Basic

	#
	# This interface supports interacting with a single command shell.
	#
	include Msf::Session::Provider::SingleCommandShell

	include Msf::Session::Scriptable


	#
	# Executes the supplied script, must be specified as full path.
	#
	# Msf::Session::Scriptable implementor
	#
	def execute_file(full_path, args)
		o = Rex::Script::Shell.new(self, full_path)
		o.run(args)
	end

	#
	# Returns the type of session.
	#
	def self.type
		"shell"
	end

	def initialize(*args)
		self.platform ||= ""
		self.arch     ||= ""
		super
	end

	#
	# Returns the session description.
	#
	def desc
		"Command shell"
	end

	#
	# Explicitly runs a command.
	#
	def run_cmd(cmd)
		shell_command(cmd)
	end

	#
	# Calls the class method.
	#
	def type
		self.class.type
	end

	#
	# The shell will have been initialized by default.
	#
	def shell_init
		return true
	end

	#
	# Explicitly run a single command, return the output.
	#
	def shell_command(cmd)
		# Send the command to the session's stdin.
		shell_write(cmd + "\n")

		timeo = 5
		etime = ::Time.now.to_f + timeo
		buff = ""
		
		# Keep reading data until no more data is available or the timeout is 
		# reached. 
		while (::Time.now.to_f < etime and ::IO.select([rstream], nil, nil, timeo))
			res = shell_read(-1, 0.01)
			buff << res if res
			timeo = etime - ::Time.now.to_f
		end

		buff
	end

	#
	# Read from the command shell.
	#
	def shell_read(length=-1, timeout=1)
		begin
			rv = rstream.get_once(length, timeout)
			framework.events.on_session_output(self, rv) if rv
			return rv
		rescue ::Exception => e
			shell_close
			raise e
		end
	end

	#
	# Writes to the command shell.
	#
	def shell_write(buf)
		return if not buf

		begin
			framework.events.on_session_command(self, buf.strip)
			rstream.write(buf)
		rescue ::Exception => e
			shell_close
			raise e
		end
	end

	#
	# Closes the shell.
	#
	def shell_close()
		rstream.close rescue nil
		self.kill
	end

	#
	# Execute any specified auto-run scripts for this session
	#
	def process_autoruns(datastore)
		# Read the initial output and mash it into a single line
		if (not self.info or self.info.empty?)
			initial_output = shell_read(-1, 0.01)
			if (initial_output)
				initial_output.force_encoding("ASCII-8BIT") if initial_output.respond_to?(:force_encoding)
				initial_output.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")
				initial_output.gsub!(/[\r\n\t]+/, ' ')
				initial_output.strip!

				# Set the inital output to .info
				self.info = initial_output
			end
		end

		if (datastore['InitialAutoRunScript'] && datastore['InitialAutoRunScript'].empty? == false)
			args = datastore['InitialAutoRunScript'].split
			print_status("Session ID #{sid} (#{tunnel_to_s}) processing InitialAutoRunScript '#{datastore['InitialAutoRunScript']}'")
			execute_script(args.shift, *args)
		end

		if (datastore['AutoRunScript'] && datastore['AutoRunScript'].empty? == false)
			args = datastore['AutoRunScript'].split
			print_status("Session ID #{sid} (#{tunnel_to_s}) processing AutoRunScript '#{datastore['AutoRunScript']}'")
			execute_script(args.shift, *args)
		end
	end

	attr_accessor :arch
	attr_accessor :platform

protected

	# Override the basic session interaction to use shell_read and
	# shell_write instead of operating on rstream directly.
	def _interact
		framework.events.on_session_interact(self)

		fds = [rstream.fd, user_input.fd]
		while self.interacting
			sd = Rex::ThreadSafe.select(fds, nil, fds, 0.5)
			next if not sd

			if sd[0].include? rstream.fd
				user_output.print(shell_read)
			end
			if sd[0].include? user_input.fd
				shell_write(user_input.gets)
			end
		end
	end
end

class CommandShellWindows < CommandShell
	def initialize(*args)
		self.platform = "windows"
		super
	end
	def shell_command_token(cmd,timeout = 10)
		shell_command_token_win32(cmd,timeout)
	end
end

class CommandShellUnix < CommandShell
	def initialize(*args)
		self.platform = "unix"
		super
	end
	def shell_command_token(cmd,timeout = 10)
		shell_command_token_unix(cmd,timeout)
	end
end

end
end
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`require 'msf/base'`
post modules working for shell sessions, fixes #3541 2011-01-19 02:24:21 +00:00			`require 'msf/base/sessions/scriptable'`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00
			`module Msf`
			`module Sessions`

			`###`
The ssh login code can now create sessions 2010-02-23 07:12:54 +00:00			`#`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`# This class provides basic interaction with a command shell on the remote`
			`# endpoint. This session is initialized with a stream that will be used`
			`# as the pipe for reading and writing the command shell.`
			`#`
			`###`
			`class CommandShell`

			`#`
			`# This interface supports basic interaction.`
			`#`
			`include Msf::Session::Basic`

			`#`
			`# This interface supports interacting with a single command shell.`
			`#`
			`include Msf::Session::Provider::SingleCommandShell`

post modules working for shell sessions, fixes #3541 2011-01-19 02:24:21 +00:00			`include Msf::Session::Scriptable`


last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
post modules working for shell sessions, fixes #3541 2011-01-19 02:24:21 +00:00			`# Executes the supplied script, must be specified as full path.`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
post modules working for shell sessions, fixes #3541 2011-01-19 02:24:21 +00:00			`# Msf::Session::Scriptable implementor`
			`#`
			`def execute_file(full_path, args)`
			`o = Rex::Script::Shell.new(self, full_path)`
			`o.run(args)`
find port/tag stagers 2005-07-19 14:33:25 +00:00			`end`

adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`#`
post modules working for shell sessions, fixes #3541 2011-01-19 02:24:21 +00:00			`# Returns the type of session.`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`#`
post modules working for shell sessions, fixes #3541 2011-01-19 02:24:21 +00:00			`def self.type`
			`"shell"`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`end`

big commit for converting meterpreter scripts to modules, see #3377 . also fixes payload tab-completion and 'show payloads' after TARGET has changed 2010-12-27 17:46:42 +00:00			`def initialize(*args)`
			`self.platform \|\|= ""`
			`self.arch \|\|= ""`
			`super`
			`end`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
			`# Returns the session description.`
			`#`
some more madness 2005-07-16 08:12:58 +00:00			`def desc`
fixed booboo 2005-07-16 16:06:44 +00:00			`"Command shell"`
some more madness 2005-07-16 08:12:58 +00:00			`end`

adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`#`
			`# Explicitly runs a command.`
			`#`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. 2008-09-24 04:41:51 +00:00			`def run_cmd(cmd)`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`shell_command(cmd)`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. 2008-09-24 04:41:51 +00:00			`end`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`#`
			`# Calls the class method.`
			`#`
some more madness 2005-07-16 08:12:58 +00:00			`def type`
find port/tag stagers 2005-07-19 14:33:25 +00:00			`self.class.type`
some more madness 2005-07-16 08:12:58 +00:00			`end`

it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# The shell will have been initialized by default.`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`#`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`def shell_init`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`return true`
			`end`

adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`#`
			`# Explicitly run a single command, return the output.`
			`#`
			`def shell_command(cmd)`
add tokenized shell_command functions for CommandShell sesssions 2010-02-24 20:56:31 +00:00			`# Send the command to the session's stdin.`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`shell_write(cmd + "\n")`

Handle character echoing sessions more gracefully 2010-12-09 22:44:17 +00:00			`timeo = 5`
Minor improvements and corner case bug fixes to session handling. This fixes issues that can come up when a stream is shut down 2010-12-18 03:00:26 +00:00			`etime = ::Time.now.to_f + timeo`
Handle character echoing sessions more gracefully 2010-12-09 22:44:17 +00:00			`buff = ""`

			`# Keep reading data until no more data is available or the timeout is`
			`# reached.`
Minor improvements and corner case bug fixes to session handling. This fixes issues that can come up when a stream is shut down 2010-12-18 03:00:26 +00:00			`while (::Time.now.to_f < etime and ::IO.select([rstream], nil, nil, timeo))`
Handle character echoing sessions more gracefully 2010-12-09 22:44:17 +00:00			`res = shell_read(-1, 0.01)`
			`buff << res if res`
Minor improvements and corner case bug fixes to session handling. This fixes issues that can come up when a stream is shut down 2010-12-18 03:00:26 +00:00			`timeo = etime - ::Time.now.to_f`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`end`

Handle character echoing sessions more gracefully 2010-12-09 22:44:17 +00:00			`buff`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`end`

it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Read from the command shell.`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`#`
move session_output events to the session where they belong (instead of in rpc). add a timeout arg to shell_read 2010-03-11 20:07:06 +00:00			`def shell_read(length=-1, timeout=1)`
Closes command and meterpreter sessions in a much more consistent way 2010-03-21 04:24:27 +00:00			`begin`
			`rv = rstream.get_once(length, timeout)`
			`framework.events.on_session_output(self, rv) if rv`
			`return rv`
			`rescue ::Exception => e`
			`shell_close`
			`raise e`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. 2008-09-24 04:41:51 +00:00			`end`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`end`

			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Writes to the command shell.`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`#`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`def shell_write(buf)`
handle the user hitting ^D while interacting properly 2010-03-25 01:38:47 +00:00			`return if not buf`

Closes command and meterpreter sessions in a much more consistent way 2010-03-21 04:24:27 +00:00			`begin`
			`framework.events.on_session_command(self, buf.strip)`
			`rstream.write(buf)`
			`rescue ::Exception => e`
			`shell_close`
			`raise e`
			`end`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`end`

			`#`
last of normalized docs from last night 2005-11-15 15:11:43 +00:00			`# Closes the shell.`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`#`
adds scripting for command shell sessions 2010-02-24 01:19:59 +00:00			`def shell_close()`
Verify a host is actually a real string before using it 2010-12-18 03:37:27 +00:00			`rstream.close rescue nil`
Closes command and meterpreter sessions in a much more consistent way 2010-03-21 04:24:27 +00:00			`self.kill`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`end`

process autorun scripts for telnet_login and ssh_login 2010-03-02 18:07:50 +00:00			`#`
			`# Execute any specified auto-run scripts for this session`
			`#`
			`def process_autoruns(datastore)`
save initial command shell session output into session.info 2010-03-16 04:50:47 +00:00			`# Read the initial output and mash it into a single line`
only set .info if its nil or empty 2010-03-16 15:20:48 +00:00			`if (not self.info or self.info.empty?)`
			`initial_output = shell_read(-1, 0.01)`
			`if (initial_output)`
Fixes #3742 by sanitizing utf-8 characters for the username and system name in session.info. 2011-02-28 21:39:25 +00:00			`initial_output.force_encoding("ASCII-8BIT") if initial_output.respond_to?(:force_encoding)`
			`initial_output.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")`
only set .info if its nil or empty 2010-03-16 15:20:48 +00:00			`initial_output.gsub!(/[\r\n\t]+/, ' ')`
			`initial_output.strip!`

			`# Set the inital output to .info`
			`self.info = initial_output`
			`end`
save initial command shell session output into session.info 2010-03-16 04:50:47 +00:00			`end`

process autorun scripts for telnet_login and ssh_login 2010-03-02 18:07:50 +00:00			`if (datastore['InitialAutoRunScript'] && datastore['InitialAutoRunScript'].empty? == false)`
			`args = datastore['InitialAutoRunScript'].split`
			`print_status("Session ID #{sid} (#{tunnel_to_s}) processing InitialAutoRunScript '#{datastore['InitialAutoRunScript']}'")`
post modules working for shell sessions, fixes #3541 2011-01-19 02:24:21 +00:00			`execute_script(args.shift, *args)`
process autorun scripts for telnet_login and ssh_login 2010-03-02 18:07:50 +00:00			`end`

			`if (datastore['AutoRunScript'] && datastore['AutoRunScript'].empty? == false)`
			`args = datastore['AutoRunScript'].split`
			`print_status("Session ID #{sid} (#{tunnel_to_s}) processing AutoRunScript '#{datastore['AutoRunScript']}'")`
post modules working for shell sessions, fixes #3541 2011-01-19 02:24:21 +00:00			`execute_script(args.shift, *args)`
process autorun scripts for telnet_login and ssh_login 2010-03-02 18:07:50 +00:00			`end`
			`end`
Closes command and meterpreter sessions in a much more consistent way 2010-03-21 04:24:27 +00:00
big commit for converting meterpreter scripts to modules, see #3377 . also fixes payload tab-completion and 'show payloads' after TARGET has changed 2010-12-27 17:46:42 +00:00			`attr_accessor :arch`
			`attr_accessor :platform`

override the command shell session interaction to use shell_read and shell_write instead of operating on rstream directly 2010-03-23 00:33:18 +00:00			`protected`

			`# Override the basic session interaction to use shell_read and`
			`# shell_write instead of operating on rstream directly.`
			`def _interact`
			`framework.events.on_session_interact(self)`

			`fds = [rstream.fd, user_input.fd]`
			`while self.interacting`
			`sd = Rex::ThreadSafe.select(fds, nil, fds, 0.5)`
			`next if not sd`

			`if sd[0].include? rstream.fd`
			`user_output.print(shell_read)`
			`end`
			`if sd[0].include? user_input.fd`
			`shell_write(user_input.gets)`
			`end`
			`end`
			`end`
it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`end`

big commit for converting meterpreter scripts to modules, see #3377 . also fixes payload tab-completion and 'show payloads' after TARGET has changed 2010-12-27 17:46:42 +00:00			`class CommandShellWindows < CommandShell`
			`def initialize(*args)`
			`self.platform = "windows"`
			`super`
			`end`
Initial set of OSX Shell Post modules for general basic enumeration and for dumping hashes (SHA, LM and NTLM) for OSX 10.4 and above 2011-02-22 14:00:47 +00:00			`def shell_command_token(cmd,timeout = 10)`
			`shell_command_token_win32(cmd,timeout)`
big commit for converting meterpreter scripts to modules, see #3377 . also fixes payload tab-completion and 'show payloads' after TARGET has changed 2010-12-27 17:46:42 +00:00			`end`
			`end`

			`class CommandShellUnix < CommandShell`
			`def initialize(*args)`
			`self.platform = "unix"`
			`super`
			`end`
Initial set of OSX Shell Post modules for general basic enumeration and for dumping hashes (SHA, LM and NTLM) for OSX 10.4 and above 2011-02-22 14:00:47 +00:00			`def shell_command_token(cmd,timeout = 10)`
			`shell_command_token_unix(cmd,timeout)`
big commit for converting meterpreter scripts to modules, see #3377 . also fixes payload tab-completion and 'show payloads' after TARGET has changed 2010-12-27 17:46:42 +00:00			`end`
			`end`

it lives, major changes, fixed bugs, exploiting works with the test exploit 2005-07-16 07:32:11 +00:00			`end`
Revamp the event system and add some ui hooks. Sessions are still ghetto -- we get interact events (in a lame way) but no input or output events yet. see 619 2009-12-22 18:52:48 +00:00			`end`
Closes command and meterpreter sessions in a much more consistent way 2010-03-21 04:24:27 +00:00