The `php_preamble`/`php_system_block` combo has builtin low-hanging evasion for
PHP's `disabled_functions` configuration (eg. `system` might not be available
but `shell_exec` is), so use it instead of hardcoding `system`.
This commit also brings modules/payloads/singles/php/reverse_perl.rb's style
more in line with the other uses of `php_preamble`/`php_system_block`.
Oh, and it makes lib/msf/core/payload/php.rb work on older Ruby version as
well.
Co-authored-by: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com>
* Build the HTTPS server on top of HTTP instead of the other way around
* Set the fetch service to nil after it has been cleaned up
* Don't capitalize the H in the word handler
* Check if the fetch_service is truthy before cleaning it up
* Remove the unused FetchServerName datastore option
* Fixup the description text
* Don't allow slashes in fetch file names
* Also add the #fetch_bindnetloc method
Fix a problem in fetch/tftp.rb
The connection needs to slowly send data to the remote end for
stability. Additionally, the `exit` command should be issued when
closing the connction so it is reset back to the logon prompt.
Windows shells require an extra configuration that when present still
doesn't offer either the cmd.exe or powershell session that MSF expects
but rather a SAC shell.
AWS EC2 Nitro instances (and possibly others) support serial proxy
over SSH using the Instance Connect API:
https://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/
connect-to-serial-console.html
This process consists of sending an SSH pubkey to the serial proxy
control plane, connecting to a well-known URL with the instance ID
and port number as username, and the SSH private key as credential.
The resulting session is a "fragile" SSH context which does not
tolerate Channel-closing, requiring some special handling in Msf to
safeguard the initial Net::SSH::CommandStream.
Implement a BindAwsInstanceConnect Handler which loads an SSH key
from the local FS or generates a new one on the fly, passes the
pubkey to the InstanceConnect API, and then establishes SSH comms
with the InstanceConnect SSH proxy.
Implement a AwsInstanceConnectBind to handle resulting connetions,
derived from SshCommandShellBind, with an updated #bootstrap which
avoids meddling with the fragile CommandStream/Channel.
Testing:
Got serial console to the ttyS0 login prompt of a Nitro EC2 VM.
Logged in using previously-known credentials.
Verified console operations.
Notes:
Handler keeps firing, same as the SSM session concern.
There is a limit to the number of sessions which an instance can
hold (possibly only one).
This updates the aarch64 payloads to include comments with the
corresponding instructions for each little-endian integer. It also fixes
the debug output for x64 payloads under rosetta.
dwelch-r7