Module: Msf::Handler::ReverseTcpDoubleSSL

Includes:

Msf::Handler, Reverse, Msf::Handler::Reverse::Comm, Msf::Handler::Reverse::SSL

Defined in:

lib/msf/core/handler/reverse_tcp_double_ssl.rb

Overview

This module implements the reverse double TCP handler. This means that it listens on a port waiting for a two connections, one connection is treated as stdin, the other as stdout.

This handler depends on having a local host and port to listen on.

Defined Under Namespace

Modules: TcpReverseDoubleSSLChannelExt Classes: TcpReverseDoubleSSLSessionChannel

Constant Summary

Constants included from Msf::Handler

Claimed, Unused

Instance Attribute Summary

• #conn_threads ⇒ Object protected

  :nodoc:.

• #listener_sock ⇒ Object protected

  :nodoc:.

• #listener_thread ⇒ Object protected

  :nodoc:.

Attributes included from Msf::Handler

#exploit_config, #parent_payload, #pending_connections, #session_waiter_event, #sessions

Class Method Summary

• .general_handler_type ⇒ Object

  Returns the connection-described general handler type, in this case ‘reverse’.

• .handler_type ⇒ Object

  Returns the string representation of the handler type, in this case ‘reverse_tcp_double’.

Instance Method Summary

• #cleanup_handler ⇒ Object

  Closes the listener socket if one was created.

• #comm_string ⇒ Object
• #detect_input_output(sock_a, sock_b) ⇒ Object

  Accept two sockets and determine which one is the input and which is the output.

• #human_name ⇒ String

  A string suitable for displaying to the user.

• #initialize(info = {}) ⇒ Object

  Initializes the reverse TCP handler and adds the options that are required for all reverse TCP payloads, like local host and local port.

• #payload_uri ⇒ Object

  A URI describing what the payload is configured to use for transport.

• #setup_handler ⇒ Object

  Starts the listener but does not actually attempt to accept a connection.

• #start_handler ⇒ Object

  Starts monitoring for an inbound connection.

• #stop_handler ⇒ Object

  Stops monitoring for an inbound connection.

Methods included from Msf::Handler::Reverse::Comm

#select_comm, #via_string

Methods included from Reverse

#bind_addresses, #bind_port, #is_loopback_address?

Methods included from Msf::Handler

#add_handler, #create_session, #handle_connection, #handler, #handler_name, #interrupt_wait_for_session, #register_session, #wait_for_session, #wfs_delay

Instance Attribute Details

#conn_threads ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 249

def conn_threads
  @conn_threads
end

#listener_sock ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 247

def listener_sock
  @listener_sock
end

#listener_thread ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 248

def listener_thread
  @listener_thread
end

Class Method Details

.general_handler_type ⇒ Object

Returns the connection-described general handler type, in this case ‘reverse’.

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 34

def self.general_handler_type
  "reverse"
end

.handler_type ⇒ Object

Returns the string representation of the handler type, in this case ‘reverse_tcp_double’.

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 26

def self.handler_type
  return "reverse_tcp_double_ssl"
end

Instance Method Details

#cleanup_handler ⇒ Object

Closes the listener socket if one was created.

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 123

def cleanup_handler
  stop_handler

  # Kill any remaining handle_connection threads that might
  # be hanging around
  conn_threads.each { |thr|
    thr.kill rescue nil
  }
end

#comm_string ⇒ Object

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 112

def comm_string
  if listener_sock.nil?
    "(setting up)"
  else
    via_string(listener_sock.client) if listener_sock.respond_to?(:client)
  end
end

#detect_input_output(sock_a, sock_b) ⇒ Object

Accept two sockets and determine which one is the input and which is the output. This method assumes that these sockets pipe to a remote shell, it should overridden if this is not the case.

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 178

def detect_input_output(sock_a, sock_b)

  begin

    # Flush any pending socket data
    sock_a.get_once if sock_a.has_read_data?(0.25)
    sock_b.get_once if sock_b.has_read_data?(0.25)

    etag = Rex::Text.rand_text_alphanumeric(16)
    echo = "echo #{etag};\n"

    print_status("Command: #{echo.strip}")

    print_status("Writing to socket A")
    sock_a.put(echo)

    print_status("Writing to socket B")
    sock_b.put(echo)

    print_status("Reading from sockets...")

    resp_a = ''
    resp_b = ''

    if (sock_a.has_read_data?(1))
      print_status("Reading from socket A")
      resp_a = sock_a.get_once
      print_status("A: #{resp_a.inspect}")
    end

    if (sock_b.has_read_data?(1))
      print_status("Reading from socket B")
      resp_b = sock_b.get_once
      print_status("B: #{resp_b.inspect}")
    end

    print_status("Matching...")
    if (resp_b.match(etag))
      print_status("A is input...")
      return sock_a, sock_b
    else
      print_status("B is input...")
      return sock_b, sock_a
    end

  rescue ::Exception
    print_status("Caught exception in detect_input_output: #{$!}")
  end

end

#human_name ⇒ String

A string suitable for displaying to the user

Returns:

• (String)

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 56

def human_name
  "reverse TCP double SSL"
end

#initialize(info = {}) ⇒ Object

Initializes the reverse TCP handler and adds the options that are required for all reverse TCP payloads, like local host and local port.

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 42

def initialize(info = {})
  super

  register_advanced_options(
    [
      OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
    ], Msf::Handler::ReverseTcpDoubleSSL)

  self.conn_threads = []
end

#payload_uri ⇒ Object

A URI describing what the payload is configured to use for transport

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 106

def payload_uri
  addr = datastore['LHOST']
  uri_host = Rex::Socket.is_ipv6?(addr) ? "[#{addr}]" : addr
  "ssl://#{uri_host}:#{datastore['LPORT']}"
end

#setup_handler ⇒ Object

Starts the listener but does not actually attempt to accept a connection. Throws socket exceptions if it fails to start the listener.

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 65

def setup_handler
  if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
    raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overridden by setting ReverseAllowProxy to true'
  end

  ex = false

  comm = select_comm
  local_port = bind_port

  bind_addresses.each { |ip|
    begin

      self.listener_sock = Rex::Socket::SslTcpServer.create(
      'LocalHost'  => ip,
      'LocalPort'  => local_port,
      'Comm'       => comm,
      'SSLCert'    => datastore['HandlerSSLCert'],
      'SSLVersion' => datastore['SSLVersion'],
      'Context'    =>
        {
          'Msf'        => framework,
          'MsfPayload' => self,
          'MsfExploit' => assoc_exploit
        })

      ex = false

      via = via_string(self.listener_sock.client) if self.listener_sock.respond_to?(:client)

      print_status("Started reverse double SSL handler on #{ip}:#{local_port} #{via}")
      break
    rescue
      ex = $!
      print_error("Handler failed to bind to #{ip}:#{local_port}")
    end
  }
  raise ex if (ex)
end

#start_handler ⇒ Object

Starts monitoring for an inbound connection.

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 136

def start_handler
  self.listener_thread = framework.threads.spawn("ReverseTcpDoubleSSLHandlerListener", false) {
    sock_inp = nil
    sock_out = nil

    begin
      # Accept two client connection
      begin
        client_a = self.listener_sock.accept
        print_status("Accepted the first client connection...")

        client_b = self.listener_sock.accept
        print_status("Accepted the second client connection...")
      rescue
        wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")
        return nil
      end

      # Increment the has connection counter
      self.pending_connections += 1

      # Start a new thread and pass the client connection
      # as the input and output pipe.  Client's are expected
      # to implement the Stream interface.
      conn_threads << framework.threads.spawn("ReverseTcpDoubleSSLHandlerSession", false, client_a, client_b) { | client_a_copy, client_b_copy|
        begin
          sock_inp, sock_out = detect_input_output(client_a_copy, client_b_copy)
          chan = TcpReverseDoubleSSLSessionChannel.new(framework, sock_inp, sock_out)
          handle_connection(chan.lsock, { datastore: datastore })
        rescue => e
          elog('Exception raised from handle_connection', error: e)
        end
      }
    end while true
  }
end

#stop_handler ⇒ Object

Stops monitoring for an inbound connection.

# File 'lib/msf/core/handler/reverse_tcp_double_ssl.rb', line 232

def stop_handler
  # Terminate the listener thread
  if (self.listener_thread and self.listener_thread.alive? == true)
    self.listener_thread.kill
    self.listener_thread = nil
  end

  if (self.listener_sock)
    self.listener_sock.close
    self.listener_sock = nil
  end
end