Module: Msf::Handler::ReverseSsh

Includes:

Msf::Handler, Reverse

Defined in:

lib/msf/core/handler/reverse_ssh.rb

Overview

This handler implements the SSH tunneling interface.

Constant Summary

Constants included from Msf::Handler

Claimed, Unused

Instance Attribute Summary

• #service ⇒ Object

  :nodoc:.

Attributes included from Msf::Handler

#exploit_config, #parent_payload, #pending_connections, #session_waiter_event, #sessions

Class Method Summary

• .general_handler_type ⇒ Object

  Returns the connection-described general handler type, in this case ‘tunnel’.

• .handler_type ⇒ Object

  Returns the string representation of the handler type.

Instance Method Summary

• #create_session(ssh, opts = {}) ⇒ Object
• #init_fd_client(cli) ⇒ Object
• #initialize(info = {}) ⇒ Object

  Initializes the reverse SSH handler and ads the options that are required for all reverse SSH payloads, like version string and auth params.

• #listener_uri(addr = ) ⇒ String

  A URI describing where we are listening.

• #setup_handler ⇒ void

  Create an Ssh listener.

• #stop_handler ⇒ void

  Stops the handler & service.

• #wfs_delay ⇒ Object

  Always wait at least 5 seconds for this payload (due to channel delays).

Methods included from Reverse

#bind_addresses, #bind_port, #is_loopback_address?

Methods included from Msf::Handler

#add_handler, #cleanup_handler, #handle_connection, #handler, #handler_name, #interrupt_wait_for_session, #register_session, #start_handler, #wait_for_session

Instance Attribute Details

#service ⇒ Object

:nodoc:

# File 'lib/msf/core/handler/reverse_ssh.rb', line 146

def service
  @service
end

Class Method Details

.general_handler_type ⇒ Object

Returns the connection-described general handler type, in this case ‘tunnel’.

# File 'lib/msf/core/handler/reverse_ssh.rb', line 25

def self.general_handler_type
  'tunnel'
end

.handler_type ⇒ Object

Returns the string representation of the handler type

# File 'lib/msf/core/handler/reverse_ssh.rb', line 17

def self.handler_type
  return 'reverse_ssh'
end

Instance Method Details

#create_session(ssh, opts = {}) ⇒ Object

# File 'lib/msf/core/handler/reverse_ssh.rb', line 121

def create_session(ssh, opts = {})
  # If there is a parent payload, then use that in preference.
  s = Sessions::SshCommandShellReverse.new(ssh, opts)
  # Pass along the framework context
  s.framework = framework

  # Associate this system with the original exploit
  # and any relevant information
  s.set_from_exploit(assoc_exploit)

  # If the session is valid, register it with the framework and
  # notify any waiters we may have.
  if s
    register_session(s)
  end

  return s
end

#init_fd_client(cli) ⇒ Object

# File 'lib/msf/core/handler/reverse_ssh.rb', line 110

def init_fd_client(cli)
  Timeout.timeout(25) do
    sleep 0.02 while cli.connection.open_channel_keys.empty?
    fdc = Rex::Proto::Ssh::ChannelFD.new(cli)
    service.clients.push(fdc)
    create_session(fdc)
  end
rescue Timeout::Error
  elog("Unable to find channel FDs for client #{cli}")
end

#initialize(info = {}) ⇒ Object

Initializes the reverse SSH handler and ads the options that are required for all reverse SSH payloads, like version string and auth params.

# File 'lib/msf/core/handler/reverse_ssh.rb', line 32

def initialize(info = {})
  super
  register_options([Opt::LPORT(22)])
  register_advanced_options(
    [
      OptString.new('Ssh::Version', [
        true,
        'The SSH version string to provide',
        default_version_string
      ])
    ], Msf::Handler::ReverseSsh
  )
end

#listener_uri(addr = ) ⇒ String

A URI describing where we are listening

Parameters:

• addr (String) (defaults to: ) —

  the address that

Returns:

• (String) —

  A URI of the form ssh://host:port/

# File 'lib/msf/core/handler/reverse_ssh.rb', line 50

def listener_uri(addr = datastore['ReverseListenerBindAddress'])
  addr = datastore['LHOST'] if addr.nil? || addr.empty?
  uri_host = Rex::Socket.is_ipv6?(addr) ? "[#{addr}]" : addr
  "ssh://#{uri_host}:#{bind_port}"
end

#setup_handler ⇒ void

This method returns an undefined value.

Create an Ssh listener

# File 'lib/msf/core/handler/reverse_ssh.rb', line 59

def setup_handler
  # The current SSH server implementation does not support OpenSSL 3
  if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? 'OpenSSL 3'
    raise RuntimeError, "ReverseSSH failed to load. OpenSSL version #{OpenSSL::VERSION} not supported."
  end

  local_addr = nil
  local_port = bind_port
  ex = false

  ssh_opts = Rex::Proto::Ssh::Connection.default_options
  ssh_opts['local_version'] = datastore['Ssh::Version']

  # Start the SSH server service on this host/port
  bind_addresses.each do |ip|
    self.service = Rex::ServiceManager.start(Rex::Proto::Ssh::Server,
                                             local_port, ip,
                                             {
                                               'Msf' => framework,
                                               'MsfExploit' => self
                                             },
                                             comm,
                                             ssh_opts)
    local_addr = ip
  rescue StandardError
    ex = $!
    print_error("Handler failed to bind to #{ip}:#{local_port}")
  else
    ex = false
    break
  end

  service.on_client_connect_proc = proc { |cli| init_fd_client(cli) }
  raise ex if ex

  print_status("Started SSH reverse handler on #{listener_uri(local_addr)}")

  if datastore['IgnoreUnknownPayloads']
    print_status('Handler is ignoring unknown payloads')
  end
end

#stop_handler ⇒ void

This method returns an undefined value.

Stops the handler & service

# File 'lib/msf/core/handler/reverse_ssh.rb', line 104

def stop_handler
  if service && (sessions == 0)
    Rex::ServiceManager.stop_service(service)
  end
end

#wfs_delay ⇒ Object

Always wait at least 5 seconds for this payload (due to channel delays)

# File 'lib/msf/core/handler/reverse_ssh.rb', line 143

def wfs_delay
  datastore['WfsDelay'] > 4 ? datastore['WfsDelay'] : 5
end