Module: Msf::Handler::ReverseSsh

Includes:
Msf::Handler, Reverse
Defined in:
lib/msf/core/handler/reverse_ssh.rb

Overview

This handler implements the SSH tunneling interface.

Constant Summary

Constants included from Msf::Handler

Claimed, Unused

Instance Attribute Summary collapse

Attributes included from Msf::Handler

#exploit_config, #parent_payload, #pending_connections, #session_waiter_event, #sessions

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Reverse

#bind_addresses, #bind_port, #is_loopback_address?

Methods included from Msf::Handler

#add_handler, #cleanup_handler, #handle_connection, #handler, #handler_name, #interrupt_wait_for_session, #register_session, #start_handler, #wait_for_session

Instance Attribute Details

#service ⇒ Object

:nodoc:


# File 'lib/msf/core/handler/reverse_ssh.rb', line 153

# Reader for the @service instance variable. setup_handler assigns the
# object returned by Rex::ServiceManager.start to it, and stop_handler and
# init_fd_client read it back through this accessor.
#
# Returns nil until a service has been assigned.
def service
  @service
end

Class Method Details

.general_handler_type ⇒ Object

Returns the connection-described general handler type, in this case 'tunnel'.


# File 'lib/msf/core/handler/reverse_ssh.rb', line 27

# General category of connection this handler provides.
#
# @return [String] always 'tunnel'
def self.general_handler_type
  'tunnel'
end

.handler_type ⇒ Object

Returns the string representation of the handler type


# File 'lib/msf/core/handler/reverse_ssh.rb', line 19

# String identifier for this handler type.
#
# @return [String] always 'reverse_ssh'
def self.handler_type
  'reverse_ssh'
end

Instance Method Details

#create_session(ssh, opts = {}) ⇒ Object


# File 'lib/msf/core/handler/reverse_ssh.rb', line 128

# Wraps an SSH client object in a Sessions::SshCommandShell, links it to the
# framework and to the associated exploit, and registers it.
#
# NOTE(review): nothing in this method authenticates or filters the peer.
# Any client object handed in becomes a registered session. Whether the
# SSH server layer restricts who can get this far is not visible here;
# confirm before exposing the listener on an untrusted network.
#
# @param ssh  the client/channel object passed to SshCommandShell.new
# @param opts [Hash] passed through unchanged to SshCommandShell.new
# @return the newly created session object
def create_session(ssh, opts = {})
  session = Sessions::SshCommandShell.new(ssh, opts)

  # Give the session the framework context and the originating exploit.
  session.framework = framework
  session.set_from_exploit(assoc_exploit)

  # The session has already been dereferenced above, so it is known to be
  # non-nil here and can be registered unconditionally; registering it also
  # notifies any waiters.
  register_session(session)

  session
end

#init_fd_client(cli) ⇒ Object


# File 'lib/msf/core/handler/reverse_ssh.rb', line 113

# Waits for a newly connected SSH client to open a channel, then wraps it
# in a Rex::Proto::Ssh::ChannelFD, records it in service.clients and turns
# it into a session via create_session.
#
# The wait polls every 20 ms and gives up after 5 seconds, logging an error
# instead of raising.
#
# NOTE(review): the 5-second timeout also covers ChannelFD construction and
# create_session, so a slow session setup would be interrupted and reported
# as missing channel FDs, possibly after the client was already pushed onto
# service.clients. On timeout nothing here closes the client connection;
# confirm it is cleaned up elsewhere so idle peers cannot accumulate.
#
# @param cli the connected client object supplied by the SSH service
# @return the result of create_session, or of elog when the wait times out
def init_fd_client(cli)
  Timeout.timeout(5) do
    # Poll until the client has at least one open channel.
    sleep(0.02) while cli.connection.open_channel_keys.empty?

    channel_fd = Rex::Proto::Ssh::ChannelFD.new(cli)
    service.clients.push(channel_fd)
    create_session(channel_fd)
  end
rescue Timeout::Error
  elog("Unable to find channel FDs for client #{cli}")
end

#initialize(info = {}) ⇒ Object

Initializes the reverse SSH handler and adds the options that are required for all reverse SSH payloads, like version string and auth params.


# File 'lib/msf/core/handler/reverse_ssh.rb', line 34

# Sets up the handler and registers its options: LPORT (default 22) and
# the advanced option 'Ssh::Version', the version string the SSH server
# provides.
#
# NOTE(review): the LPORT default of 22 is a privileged port on most
# Unix-like systems and is commonly already taken by a local sshd, so the
# bind in setup_handler may fail unless LPORT is changed or privileges allow
# it.
#
# @param info [Hash] forwarded unchanged to the parent initializer via super
def initialize(info = {})
  super

  register_options([Opt::LPORT(22)])

  # Default the version string to whatever the Rex SSH connection defaults use.
  default_version = Rex::Proto::Ssh::Connection.default_options['local_version']
  version_option = OptString.new(
    'Ssh::Version',
    [true, 'The SSH version string to provide', default_version]
  )

  register_advanced_options([version_option], Msf::Handler::ReverseSsh)
end

#listener_uri(addr = datastore['ReverseListenerBindAddress']) ⇒ String

A URI describing where we are listening

Parameters:

  • addr (String) (defaults to: datastore['ReverseListenerBindAddress'])

    the address the listener binds to; when nil or empty, LHOST is used instead

Returns:

  • (String)

    A URI of the form ssh://host:port/


# File 'lib/msf/core/handler/reverse_ssh.rb', line 52

# Builds the URI describing where the handler is listening.
#
# @param addr [String] address to show; defaults to
#   datastore['ReverseListenerBindAddress'] and falls back to
#   datastore['LHOST'] when nil or empty
# @return [String] "ssh://host:port" (no trailing slash); an address that
#   Rex::Socket.is_ipv6? accepts is wrapped in square brackets
def listener_uri(addr=datastore['ReverseListenerBindAddress'])
  if addr.nil? || addr.empty?
    addr = datastore['LHOST']
  end

  # Bracket IPv6 literals so the ":port" suffix stays unambiguous.
  host_part = addr
  host_part = "[#{addr}]" if Rex::Socket.is_ipv6?(addr)

  "ssh://#{host_part}:#{bind_port}"
end

#setup_handler ⇒ void

This method returns an undefined value.

Create an Ssh listener


# File 'lib/msf/core/handler/reverse_ssh.rb', line 61

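# Starts the SSH server service on the first address in bind_addresses that
# binds successfully, and hooks new client connections to init_fd_client.
#
# Each failed bind is reported with print_error. If no address could be
# bound, the exception from the last attempt is re-raised. That check runs
# before the service object is touched, so the real bind error reaches the
# caller instead of being masked by a NoMethodError on a nil service.
#
# NOTE(review): the hash returned by
# Rex::Proto::Ssh::Connection.default_options is modified in place. Whether
# that hash is shared between callers is not visible here; confirm the
# version string does not leak into other users of the defaults.
#
# @raise [StandardError] the last bind error when every address failed
# @return [void]
def setup_handler
  local_addr = nil
  local_port = bind_port
  bind_error = nil

  ssh_opts = Rex::Proto::Ssh::Connection.default_options
  ssh_opts['local_version'] = datastore['Ssh::Version']

  # Start the SSH server service on this host/port
  bind_addresses.each do |ip|
    begin
      self.service = Rex::ServiceManager.start(Rex::Proto::Ssh::Server,
        local_port, ip,
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        },
        comm,
        ssh_opts
      )
      local_addr = ip
    rescue => e
      # Remember the failure but keep trying the remaining addresses.
      bind_error = e
      print_error("Handler failed to bind to #{ip}:#{local_port}")
    else
      bind_error = nil
      break
    end
  end

  # Fail with the bind error before using the service.
  raise bind_error if bind_error

  self.service.on_client_connect_proc = Proc.new { |cli| init_fd_client(cli) }

  print_status("Started SSH reverse handler on #{listener_uri(local_addr)}")

  if datastore['IgnoreUnknownPayloads']
    print_status("Handler is ignoring unknown payloads")
  end
end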

#stop_handler ⇒ void

This method returns an undefined value.

Stops the handler & service


# File 'lib/msf/core/handler/reverse_ssh.rb', line 105

# Stops the SSH service, but only when a service exists and the handler's
# session count is zero.
#
# NOTE(review): while sessions is non-zero the service is left running, so
# the listener may stay bound after this call. Confirm that something else
# stops it once the last session ends.
#
# @return [void]
def stop_handler
  return unless service

  Rex::ServiceManager.stop_service(service) if sessions == 0
end

#wfs_delay ⇒ Object

Always wait at least 5 seconds for this payload (due to channel delays)


# File 'lib/msf/core/handler/reverse_ssh.rb', line 150

# Wait-for-session delay for this payload: the configured 'WfsDelay' when
# it is greater than 4, otherwise 5.
#
# NOTE(review): this assumes datastore['WfsDelay'] is always numeric; a nil
# value would raise on the comparison. Confirm the option always has a
# default.
#
# @return [Numeric] the delay in seconds
def wfs_delay
  configured = datastore['WfsDelay']
  return configured if configured > 4

  5
end