Module: Msf::Post::Common


Instance Method Details

#clear_screen ⇒ Object


# File 'lib/msf/core/post/common.rb', line 5

# Clears the local console by shelling out to the platform's clear command:
# "cls" on Windows, "clear" everywhere else.
#
# @return [Boolean, nil] the result of Kernel#system
def clear_screen
  command = Gem.win_platform? ? "cls" : "clear"
  system command
end

#cmd_exec(cmd, args = nil, time_out = 15) ⇒ Object

Executes cmd on the remote system

On Windows meterpreter, this will go through CreateProcess as the “commandLine” parameter. This means it will follow the same rules as Windows' path disambiguation. For example, if you were to call this method thusly:

cmd_exec("c:\\program files\\sub dir\\program name")

Windows would look for these executables, in this order, passing the rest of the line as arguments:

c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
c:\program files\sub dir\program name.exe

On POSIX meterpreter, if args is set or if cmd contains shell metacharacters, the server will run the whole thing in /bin/sh. Otherwise, (cmd is a single path and there are no arguments), it will execve the given executable.

On Java, it is passed through Runtime.getRuntime().exec(String) and PHP uses proc_open(), both of which have similar semantics to POSIX.

On shell sessions, this passes cmd directly to the session's shell_command_token method.

Returns a (possibly multi-line) String.


# File 'lib/msf/core/post/common.rb', line 87

# Executes +cmd+ on the remote system and returns its output.
#
# @param cmd [String] executable path or command line to run
# @param args [String, nil] arguments; when nil and +cmd+ contains any
#   character outside [a-zA-Z0-9/._-], it is set to "" so that POSIX
#   meterpreter runs the command through /bin/sh (see the comment below)
# @param time_out [Integer] seconds; on meterpreter it becomes the session's
#   response_timeout and the read-loop budget, on powershell/shell sessions
#   it is passed straight to shell_command / shell_command_token
# @return [String] the chomped output, or "" when nothing was produced or
#   the session type matches none of the branches
# @note On powershell and shell sessions +cmd+ and +args+ are joined into
#   one line and handed to the session's shell unescaped, so neither may
#   come from untrusted input.
def cmd_exec(cmd, args=nil, time_out=15)
  case session.type
  when /meterpreter/
    #
    # The meterpreter API requires arguments to come separately from the
    # executable path. This has no effect on Windows where the two are just
    # blithely concatenated and passed to CreateProcess or its brethren. On
    # POSIX, this allows the server to execve just the executable when a
    # shell is not needed. Determining when a shell is not needed is not
    # always easy, so it assumes anything with arguments needs to go through
    # /bin/sh.
    #
    # This problem was originally solved by using Shellwords.shellwords but
    # unfortunately, it is unsuitable. When a backslash occurs inside double
    # quotes (as is often the case with Windows commands) it inexplicably
    # removes them. So. Shellwords is out.
    #
    # By setting +args+ to an empty string, we can get POSIX to send it
    # through /bin/sh, solving all the pesky parsing troubles, without
    # affecting Windows.
    #
    start = Time.now.to_i
    if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/
      args = ""
    end

    session.response_timeout = time_out
    process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true, 'Subshell' => true })
    o = ""
    # Wait up to time_out seconds for the first bytes to arrive.
    # A nil read ends the loop. An empty read polls every 0.1s until
    # time_out seconds have passed since +start+, then breaks -- the budget
    # is counted from the start, not from the last non-empty read.
    while (d = process.channel.read)
      o << d
      if d == ""
        if Time.now.to_i - start < time_out
          sleep 0.1
        else
          break
        end
      end
    end
    o.chomp! if o

    begin
      process.channel.close
    rescue IOError => e
      # Channel was already closed, but we got the cmd output, so let's soldier on.
    end

    process.close
  when /powershell/
    # Checked before /shell/ because "powershell" also matches that pattern.
    if args.nil? || args.empty?
      o = session.shell_command("#{cmd}", time_out)
    else
      o = session.shell_command("#{cmd} #{args}", time_out)
    end
    o.chomp! if o
  when /shell/
    if args.nil? || args.empty?
      o = session.shell_command_token("#{cmd}", time_out)
    else
      o = session.shell_command_token("#{cmd} #{args}", time_out)
    end
    o.chomp! if o
  end
  # +o+ is nil when no branch ran; callers always get a String.
  return "" if o.nil?
  return o
end

#cmd_exec_get_pid(cmd, args = nil, time_out = 15) ⇒ Object


# File 'lib/msf/core/post/common.rb', line 155

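# Starts +cmd+ on the remote system and returns its process ID without
# collecting any output. Only meterpreter sessions can report a PID.
#
# @param cmd [String] executable path or command line
# @param args [String, nil] arguments; nil plus a +cmd+ containing anything
#   outside [a-zA-Z0-9/._-] is turned into "" so POSIX meterpreter routes
#   the command through /bin/sh (same rule as #cmd_exec)
# @param time_out [Integer] seconds used as the session's response_timeout
# @return [Integer, nil] the PID, or nil (after printing an error) on
#   non-meterpreter sessions
def cmd_exec_get_pid(cmd, args=nil, time_out=15)
  case session.type
  when /meterpreter/
    # Mirror #cmd_exec: force a shell when +cmd+ is more than a plain path.
    if args.nil? && cmd =~ /[^a-zA-Z0-9\/._-]/
      args = ""
    end
    session.response_timeout = time_out
    process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true, 'Subshell' => true })
    begin
      process.channel.close
    rescue IOError
      # The channel may already be closed (the process can have exited
      # immediately). The PID is still valid, so carry on as #cmd_exec does
      # instead of leaking the process handle by raising here.
    end
    pid = process.pid
    process.close
    pid
  else
    print_error "cmd_exec_get_pid is incompatible with non-meterpreter sessions"
    nil
  end
end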

#command_exists?(cmd) ⇒ Boolean

Checks if the `cmd` is installed on the system

Returns:

  • (Boolean)

# File 'lib/msf/core/post/common.rb', line 242

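# Checks whether +cmd+ is installed on the remote system by asking the
# remote shell to resolve it (`where` on Windows, `command -v` elsewhere).
#
# +cmd+ is interpolated into the probe line with no quoting or escaping, so
# it must be a plain, operator-supplied command name: anything containing
# shell metacharacters would be executed by the remote shell rather than
# looked up.
#
# @param cmd [String] command name to look for
# @return [Boolean] true when the remote shell could resolve +cmd+
# @raise [RuntimeError] when the lookup itself fails; the message carries
#   the underlying error and the original exception is kept as +cause+
def command_exists?(cmd)
  probe = if session.platform == 'windows'
            # https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/where_1
            # https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/if
            "cmd /c where /q #{cmd} & if not errorlevel 1 echo true"
          else
            "command -v #{cmd} && echo true"
          end
  cmd_exec(probe).to_s.include?('true')
rescue => e
  # Keep the original reason in the message; a bare re-wrap hid it.
  raise "Unable to check if command `#{cmd}' exists: #{e.class}: #{e.message}"
end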

#get_env(env) ⇒ Object

Returns the value of the environment variable env


# File 'lib/msf/core/post/common.rb', line 191

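# Returns the value of the environment variable +env+ on the remote system.
#
# On meterpreter the session API is queried directly. On shell sessions the
# name is wrapped in the platform's expansion syntax (%NAME% on Windows,
# $NAME elsewhere) and echoed through #cmd_exec, so +env+ must be a plain
# variable name supplied by the operator, never untrusted input.
#
# NOTE(review): /shell/ also matches "powershell" session types, whereas
# #cmd_exec tests /powershell/ first; %NAME% is cmd.exe syntax, so confirm
# this branch is intended for powershell sessions.
#
# @param env [String] variable name, optionally already wrapped (%NAME%, $NAME)
# @return [String, nil] the value as returned by the session, or nil for
#   session types this method does not handle
def get_env(env)
  case session.type
  when /meterpreter/
    session.sys.config.getenv(env)
  when /shell/
    if session.platform == 'windows'
      # Build a new string instead of appending to +env+ in place: the
      # caller's string (possibly a frozen literal) must not be modified.
      name = if env.start_with?('%')
               env.end_with?('%') ? env : "#{env}%"
             else
               "%#{env}%"
             end
      cmd_exec("echo #{name}")
    else
      name = env.start_with?('$') ? env : "$#{env}"
      cmd_exec("echo \"#{name}\"")
    end
  end
end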

#get_envs(*envs) ⇒ Object

Returns a hash of environment variables envs


# File 'lib/msf/core/post/common.rb', line 221

# Returns a Hash mapping each name in +envs+ to its value on the remote
# system. Meterpreter answers in a single call; shell sessions query
# #get_env once per name and leave out names whose value is blank.
#
# @param envs [Array<String>] variable names
# @return [Hash, nil] nil for session types this method does not handle
def get_envs(*envs)
  case session.type
  when /meterpreter/
    session.sys.config.getenvs(*envs)
  when /shell/
    envs.each_with_object({}) do |name, found|
      value = get_env(name)
      found[name] = value unless value.blank?
    end
  end
end

#has_pid?(pid) ⇒ Boolean

Checks if the remote system has a process with ID pid

Returns:

  • (Boolean)

# File 'lib/msf/core/post/common.rb', line 36

# Checks whether a process with ID +pid+ exists on the remote system.
#
# Meterpreter lists processes through the session API; shell sessions parse
# the PID column out of `tasklist /FO LIST` (Windows) or `ps ax` output.
#
# @param pid [Integer] process ID to look for
# @return [Boolean]
def has_pid?(pid)
  known_pids =
    case client.type
    when /meterpreter/
      client.sys.process.processes.map { |proc_info| proc_info['pid'] }
    when /shell/
      listing, pid_pattern =
        if client.platform == 'windows'
          [cmd_exec('tasklist /FO LIST'), /^PID:\s+(\d+)/]
        else
          [cmd_exec('ps ax'), /^\s*(\d+)/]
        end
      listing.scan(pid_pattern).flatten.map(&:to_i)
    else
      []
    end

  known_pids.include?(pid)
end

#peer ⇒ Object


# File 'lib/msf/core/post/common.rb', line 29

# Returns the remote endpoint as "host:port", built from #rhost and #rport.
#
# @return [String]
def peer
  host = rhost
  port = rport
  [host, port].join(':')
end

#report_virtualization(virt) ⇒ Object

Reports to the database that the host is using virtualization and reports the type of virtualization it is (e.g. VirtualBox, VMware, Xen, Docker)


# File 'lib/msf/core/post/common.rb', line 176

# Records in the database that the target host is virtualised and which
# technology it runs under (e.g. VirtualBox, VMware, Xen, Docker).
#
# Does nothing without a session, or when +virt+ is nil or blank once
# stripped.
#
# @param virt [#to_s, nil] virtualisation type
# @return [Object, nil] whatever #report_host returns, or nil when skipped
def report_virtualization(virt)
  return unless session && virt

  normalised = virt.to_s.strip
  return if normalised.empty?

  report_host({ host: session.target_host, virtual_host: normalised })
end

#rhost ⇒ Object


# File 'lib/msf/core/post/common.rb', line 9

# Returns the remote host address for the current session, or nil when
# there is no session or its type is not handled here.
#
# @return [String, nil]
def rhost
  return nil unless session

  kind = session.type
  if kind == 'meterpreter'
    session.sock.peerhost
  elsif kind == 'shell'
    session.session_host
  end
end

#rport ⇒ Object


# File 'lib/msf/core/post/common.rb', line 20

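# Returns the remote port for the current session, or nil when there is no
# session (matching #rhost, so #peer never raises) or the session type is
# not handled here.
#
# @return [Integer, nil]
def rport
  return nil unless session

  case session.type
  when 'meterpreter'
    session.sock.peerport
  when 'shell'
    session.session_port
  end
end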