metasploit-gs/lib/msf/core/modules/external/bridge.rb

# -*- coding: binary -*-
require 'open3'
require 'json'

module Msf::Modules
  class External
    class Bridge

      attr_reader :path, :running, :messages, :exit_status

      def self.applies?(module_name)
        File::executable? module_name
      end

      def exec(req)
        unless self.running
          self.running = true
          send(req)
          self.read_thread = threadme do
            begin
              while self.running && m = next_message
                self.messages.push m
              end
            ensure
              cleanup
            end
          end

          self
        end
      end

      def close
        self.running = false
        self.read_thread.join

        self
      end

      def success?
        self.exit_status && self.exit_status.success?
      end

      def initialize(module_path, framework: nil)
        self.env = {}
        self.running = false
        self.path = module_path
        self.cmd = [[self.path, self.path]]
        self.messages = Queue.new
        self.buf = ''
        self.framework = framework
      end

      protected

      attr_writer :path, :running, :messages, :exit_status
      attr_accessor :cmd, :env, :ios, :buf, :read_thread, :wait_thread, :framework

      # XXX TODO non-blocking writes, check write lengths

      def send(message)
        input, output, err, status = ::Open3.popen3(self.env, *self.cmd)
        self.ios = [input, output, err]
        self.wait_thread = status
        # We would call Rex::Threadsafe directly, but that would require rex for standalone use
        case select(nil, [input], nil, 0.1)
        when nil
          raise "Cannot run module #{self.path}"
        when [[], [input], []]
          m = message.to_json
          write_message(input, m)
        else
          raise "Error running module #{self.path}"
        end
      rescue => e
        raise handle_exception(e)
      end

      def handle_exception(e)
        e
      end

      def write_message(fd, json)
        fd.write(json)
      end

      def next_message(timeout=600)
        _, out, err = self.ios
        message = ''

        # Multiple messages can come over the wire all at once, and since yajl
        # doesn't play nice with windows, we have to emulate a state machine to
        # read just enough off the wire to get one request at a time. Since
        # Windows cannot do a nonblocking read on a pipe, we are forced to do a
        # whole lot of `select` syscalls and keep a buffer ourselves :(
        begin
          loop do
            # This is so we don't end up calling JSON.parse on every char and
            # catch an exception. Windows can't do nonblock on pipes, so we
            # still have to do the select if we are not at the end of object
            # and don't have any buffer left
            parts = self.buf.split '}', 2
            if parts.length == 2 # [part, rest]
              message << parts[0] << '}'
              self.buf = parts[1]
              break
            elsif parts.length == 1 # [part]
              message << parts[0]
              self.buf = ''
            end

            # We would call Rex::Threadsafe directly, but that would require Rex for standalone use
            res = select([out, err], nil, nil, timeout)
            if res == nil
              # This is what we would have gotten without Rex and what `readpartial` can also raise
              raise EOFError.new
            else
              fds = res[0]
              # Preferentially drain and log stderr, EOF counts as activity, but
              # stdout might have some buffered data left, so carry on
              if fds.include?(err) && !err.eof?
                errbuf = err.readpartial(4096)
                if self.framework
                  elog "Unexpected output running #{self.path}:\n#{errbuf}"
                else
                  $stderr.puts errbuf
                end
              end
              if fds.include? out
                self.buf << out.readpartial(4096)
              end
            end
          end

          Message.from_module(JSON.parse(message))
        rescue JSON::ParserError
          # Probably an incomplete response, but no way to really tell. Keep trying
          # until EOF
          retry
        rescue EOFError => e
          self.running = false
        end
      end

      def harvest_process
        if self.wait_thread.join(10)
          self.exit_status = self.wait_thread.value
        elsif Process.kill('TERM', self.wait_thread.pid) && self.wait_thread.join(10)
          self.exit_status = self.wait_thread.value
        else
          Process.kill('KILL', self.wait_thread.pid)
          self.exit_status = self.wait_thread.value
        end
      end

      def cleanup
        self.running = false
        self.messages.close
        harvest_process
        self.ios.each {|fd| fd.close rescue nil} # Yeah, yeah. I know.
      end

      def threadme(&block)
        if self.framework
          # Leak as few connections as possible
          self.framework.threads.spawn("External Module #{self.path}", false, &block)
        else
          ::Thread.new &block
        end
      end
    end
  end
end

class Msf::Modules::External::PyBridge < Msf::Modules::External::Bridge
  def self.applies?(module_name)
    module_name.match? /\.py$/
  end

  def initialize(module_path, framework: nil)
    super
    pythonpath = ENV['PYTHONPATH'] || ''
    self.env = self.env.merge({ 'PYTHONPATH' => File.expand_path('../python', __FILE__) + File::PATH_SEPARATOR + pythonpath})
  end

  def handle_exception(error)
    case error
    when Errno::ENOENT
      LoadError.new('Failed to execute external Python module. Please ensure you have Python3 installed on your environment.')
    else
      super
    end
  end
end

class Msf::Modules::External::RbBridge < Msf::Modules::External::Bridge
  def self.applies?(module_name)
    module_name.match? /\.rb$/
  end

  def initialize(module_path, framework: nil)
    super
    ruby_path = File.expand_path('../ruby', __FILE__)
    self.cmd = [[Gem.ruby, 'ruby'], "-I#{ruby_path}", self.path]
  end
end

class Msf::Modules::External::GoBridge < Msf::Modules::External::Bridge
  def self.applies?(module_name)
    module_name.match? /\.go$/
  end

  def initialize(module_path, framework: nil)
    super
    default_go_path = ENV['GOPATH'] || ''
    shared_module_lib_path = File.dirname(module_path) + "/shared"
    go_path = File.expand_path('../go', __FILE__)

    if File.exist?(default_go_path)
      go_path = go_path + File::PATH_SEPARATOR + default_go_path
    end

    if File.exist?(shared_module_lib_path)
      go_path = go_path + File::PATH_SEPARATOR + shared_module_lib_path
    end

    self.env = self.env.merge(
      {
        'GOPATH' => go_path,
        'GO111MODULE' => 'auto'
      }
    )
    self.cmd = ['go', 'run', self.path]
  end

  def handle_exception(error)
    case error
    when Errno::ENOENT
      LoadError.new('Failed to execute external Go module. Please ensure you have Go installed on your environment.')
    else
      super
    end
  end
end

class Msf::Modules::External::Bridge

  LOADERS = [
    Msf::Modules::External::PyBridge,
    Msf::Modules::External::RbBridge,
    Msf::Modules::External::GoBridge,
    Msf::Modules::External::Bridge
  ]

  def self.open(module_path, framework: nil)
    LOADERS.each do |klass|
      return klass.new module_path, framework: framework if klass.applies? module_path
    end

    nil
  end
end