Module: Msf::Handler::ReverseSsh

Includes:
Msf::Handler, Reverse
Defined in:
lib/msf/core/handler/reverse_ssh.rb

Overview

This handler implements the SSH tunneling interface.

Constant Summary

Constants included from Msf::Handler

Claimed, Unused

Instance Attribute Summary collapse

Attributes included from Msf::Handler

#exploit_config, #parent_payload, #pending_connections, #session_waiter_event, #sessions

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Reverse

#bind_addresses, #bind_port, #is_loopback_address?

Methods included from Msf::Handler

#add_handler, #cleanup_handler, #handle_connection, #handler, #handler_name, #interrupt_wait_for_session, #register_session, #start_handler, #wait_for_session

Instance Attribute Details

#serviceObject

:nodoc:


156
157
158
# File 'lib/msf/core/handler/reverse_ssh.rb', line 156

def service
  @service
end

Class Method Details

.general_handler_typeObject

Returns the connection-described general handler type, in this case 'tunnel'.


30
31
32
# File 'lib/msf/core/handler/reverse_ssh.rb', line 30

def self.general_handler_type
  "tunnel"
end

.handler_typeObject

Returns the string representation of the handler type


22
23
24
# File 'lib/msf/core/handler/reverse_ssh.rb', line 22

def self.handler_type
  return 'reverse_ssh'
end

Instance Method Details

#create_session(ssh, opts = {}) ⇒ Object


131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# File 'lib/msf/core/handler/reverse_ssh.rb', line 131

def create_session(ssh,opts={})
  # If there is a parent payload, then use that in preference.
  s = Sessions::SshCommandShell.new(ssh,opts)
  # Pass along the framework context
  s.framework = framework

  # Associate this system with the original exploit
  # and any relevant information
  s.set_from_exploit(assoc_exploit)

  # If the session is valid, register it with the framework and
  # notify any waiters we may have.
  if (s)
    register_session(s)
  end

  return s
end

#init_fd_client(cli) ⇒ Object


116
117
118
119
120
121
122
123
124
125
126
127
128
129
# File 'lib/msf/core/handler/reverse_ssh.rb', line 116

def init_fd_client(cli)
  begin
    Timeout::timeout(5) do
      while cli.connection.open_channel_keys.empty? do
        sleep 0.02
      end
      fdc = Rex::Proto::Ssh::ChannelFD.new(cli)
      self.service.clients.push(fdc)
      create_session(fdc)
    end
  rescue Timeout::Error
    elog("Unable to find channel FDs for client #{cli}")
  end
end

#initialize(info = {}) ⇒ Object

Initializes the reverse SSH handler and ads the options that are required for all reverse SSH payloads, like version string and auth params.


37
38
39
40
41
42
43
44
45
46
47
48
49
# File 'lib/msf/core/handler/reverse_ssh.rb', line 37

def initialize(info = {})
  super
  register_options([Opt::LPORT(22)])
  register_advanced_options(
    [
      OptString.new('Ssh::Version', [
        true,
        'The SSH version string to provide',
        Rex::Proto::Ssh::Connection.default_options['local_version']
      ])
    ], Msf::Handler::ReverseSsh
  )
end

#listener_uri(addr = datastore['ReverseListenerBindAddress']) ⇒ String

A URI describing where we are listening

Parameters:

  • addr (String) (defaults to: datastore['ReverseListenerBindAddress'])

    the address that

Returns:

  • (String)

    A URI of the form ssh://host:port/


55
56
57
58
59
# File 'lib/msf/core/handler/reverse_ssh.rb', line 55

def listener_uri(addr=datastore['ReverseListenerBindAddress'])
  addr = datastore['LHOST'] if addr.nil? || addr.empty?
  uri_host = Rex::Socket.is_ipv6?(addr) ? "[#{addr}]" : addr
  "ssh://#{uri_host}:#{bind_port}"
end

#setup_handlervoid

This method returns an undefined value.

Create an Ssh listener


64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# File 'lib/msf/core/handler/reverse_ssh.rb', line 64

def setup_handler

  local_addr = nil
  local_port = bind_port
  ex = false

  ssh_opts = Rex::Proto::Ssh::Connection.default_options
  ssh_opts['local_version'] = datastore['Ssh::Version']

  # Start the SSH server service on this host/port
  bind_addresses.each do |ip|
    begin
      self.service = Rex::ServiceManager.start(Rex::Proto::Ssh::Server,
        local_port, ip,
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        },
        comm,
        ssh_opts
      )
      local_addr = ip
    rescue
      ex = $!
      print_error("Handler failed to bind to #{ip}:#{local_port}")
    else
      ex = false
      break
    end
  end

  self.service.on_client_connect_proc = Proc.new {|cli| init_fd_client(cli)}
  raise ex if (ex)

  print_status("Started SSH reverse handler on #{listener_uri(local_addr)}")

  if datastore['IgnoreUnknownPayloads']
    print_status("Handler is ignoring unknown payloads")
  end
end

#stop_handlervoid

This method returns an undefined value.

Stops the handler & service


108
109
110
111
112
113
114
# File 'lib/msf/core/handler/reverse_ssh.rb', line 108

def stop_handler
  if self.service
    if self.sessions == 0
      Rex::ServiceManager.stop_service(self.service)
    end
  end
end

#wfs_delayObject

Always wait at least 5 seconds for this payload (due to channel delays)


153
154
155
# File 'lib/msf/core/handler/reverse_ssh.rb', line 153

def wfs_delay
  datastore['WfsDelay'] > 4 ? datastore['WfsDelay'] : 5
end