Class: Msf::Sessions::EncryptedShell

Inherits:
CommandShell
Includes:
Payload::Windows::PayloadDBConf, Msf::Session::Basic, Msf::Session::Provider::SingleCommandShell
Defined in:
lib/msf/base/sessions/encrypted_shell.rb

Instance Attribute Summary

Attributes included from Msf::Session::Interactive

#rstream

Attributes included from Rex::Ui::Interactive

#completed, #interacting, #next_session, #on_command_proc, #on_print_proc, #orig_suspend, #orig_usr1

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Attributes included from Msf::Session

#alive, #db_record, #exploit, #exploit_datastore, #exploit_task, #exploit_uuid, #framework, #info, #machine_id, #payload_uuid, #routes, #sid, #sname, #target_host, #target_port, #username, #uuid, #via, #workspace

Attributes included from Framework::Offspring

#framework

Attributes inherited from CommandShell

#max_threads

Class Method Summary

Instance Method Summary

Methods included from Payload::Windows::PayloadDBConf

#retrieve_chacha_creds, #retrieve_conf_from_db, #save_conf_to_db

Methods included from Msf::Session::Provider::SingleCommandShell

#set_shell_token_index, #shell_close, #shell_command_token, #shell_command_token_unix, #shell_command_token_win32, #shell_init, #shell_read_until_token

Methods included from Msf::Session::Basic

#_interact

Methods included from Msf::Session::Interactive

#_interact, #_interact_complete, #_interrupt, #_suspend, #_usr1, #cleanup, #interactive?, #kill, #run_cmd, #tunnel_local, #tunnel_peer, #user_want_abort?

Methods included from Rex::Ui::Interactive

#_interact, #_interact_complete, #_interrupt, #_local_fd, #_remote_fd, #_stream_read_local_write_remote, #_stream_read_remote_write_local, #_suspend, #detach, #handle_suspend, #handle_usr1, #interact, #interact_stream, #prompt, #prompt_yesno, #restore_suspend, #restore_usr1

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Methods included from Msf::Session

#alive?, #cleanup, #dead?, #inspect, #interactive?, #kill, #log_file_name, #log_source, #name, #name=, #register?, #session_host, #session_host=, #session_port, #session_port=, #session_type, #set_from_exploit, #set_via, #tunnel_local, #tunnel_peer, #tunnel_to_s, #via_exploit, #via_payload

Methods inherited from CommandShell

#_interact, #_interact_stream, #binary_exists, #cleanup, #cmd_background, #cmd_background_help, #cmd_download, #cmd_download_help, #cmd_help, #cmd_help_help, #cmd_irb, #cmd_irb_help, #cmd_pry, #cmd_pry_help, #cmd_resource, #cmd_resource_help, #cmd_sessions, #cmd_sessions_help, #cmd_shell, #cmd_shell_help, #cmd_source, #cmd_source_help, #cmd_upload, #cmd_upload_help, #commands, #docs_dir, #execute_file, #file_exists, #repr, #run_builtin_cmd, #run_single, #shell_close, #shell_command, #shell_init

Methods included from Rex::Ui::Text::Resource

#load_resource

Methods included from Msf::Session::Scriptable

#execute_file, #execute_script, included, #legacy_script_to_post_module

Constructor Details

#initialize(rstream, opts = {}) ⇒ EncryptedShell

TODO: define a method that checks whether the payload exists in the database before using the datastore.


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 27

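# Builds an encrypted shell session on top of the parent session class.
#
# Defaults +arch+ to an empty string when it is unset, fixes +platform+ to
# "windows", and records whether the session came from a staged payload.
#
# @param rstream [Object] stream for the remote end; forwarded to +super+
# @param opts [Hash] session options; +opts[:datastore][:staged]+ is read
#   when a datastore is supplied
def initialize(rstream, opts = {})
  self.arch ||= ""
  self.platform = "windows"

  # opts defaults to {}, so a missing :datastore must not raise on nil.
  # With no datastore the session is treated as unstaged (@staged is nil).
  datastore = opts[:datastore]
  @staged = datastore ? datastore[:staged] : nil

  # Bare super forwards rstream and opts unchanged.
  super
end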

Instance Attribute Details

#arch ⇒ Object

Returns the value of attribute arch


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 15

# Reader for the +arch+ attribute (#initialize defaults it to "" when unset).
#
# @return [Object] the current value of @arch
def arch = @arch

#chacha_cipher ⇒ Object

Returns the value of attribute chacha_cipher


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 22

# Reader for the cipher object that #shell_read and #shell_write use.
# It is assigned in #process_autoruns, so it is nil before that has run.
#
# @return [Object] the current value of @chacha_cipher
def chacha_cipher = @chacha_cipher

#iv ⇒ Object

Returns the value of attribute iv


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 18

# Reader for the nonce/IV paired with #key; assigned in #process_autoruns.
#
# @return [Object] the current value of @iv
def iv = @iv

#key ⇒ Object

Returns the value of attribute key


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 19

# Reader for the session's ChaCha20 key; assigned in #process_autoruns.
# The value is live key material, so keep it out of logs and console output.
#
# @return [Object] the current value of @key
def key = @key

#platform ⇒ Object

Returns the value of attribute platform


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 16

# Reader for the +platform+ attribute (#initialize sets it to "windows").
#
# @return [Object] the current value of @platform
def platform = @platform

#staged ⇒ Object

Returns the value of attribute staged


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 20

# Reader for the staged flag taken from the datastore in #initialize.
# #process_autoruns reads a UUID from the stream only when it is falsy.
#
# @return [Object] the current value of @staged
def staged = @staged

Class Method Details

.type ⇒ Object


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 42

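# Class-level session type label.
#
# Inside a class method +self.class+ is +Class+, which has no +type=+ writer,
# so assigning through it raises NoMethodError. Return the label directly,
# matching the instance-level #type.
#
# @return [String] "Encrypted"
def self.type
  "Encrypted"
end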

Instance Method Details

#desc ⇒ Object


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 38

# Human-readable description of this session kind.
#
# @return [String] the fixed description text
def desc = 'Encrypted reverse shell'

#process_autoruns(datastore) ⇒ Object


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 46

# Sets up the ChaCha20 cipher for this session, then rotates it to freshly
# generated key material.
#
# The initial key/nonce come from +datastore+, or for unstaged sessions from
# #retrieve_chacha_creds, looked up by a UUID read off +rstream+. A new nonce
# and key are generated, encrypted under that initial cipher, written to
# +rstream+, and then installed locally with +reset_cipher+.
#
# NOTE(review): no MAC or tag is computed or checked in this method, so unless
# Rex::Crypto::Chacha20 adds one internally the rotation message is encrypted
# but not integrity-protected. The secrecy of the rotated key rests entirely
# on the initial key/nonce staying secret.
#
# @param datastore [#[]] options read under :key / :nonce and
#   'ChachaKey' / 'ChachaNonce'
# @return [Object] whatever +reset_cipher+ returns
def process_autoruns(datastore)
  # Symbol keys take precedence over the 'ChachaKey' / 'ChachaNonce' options.
  @key = datastore[:key] || datastore['ChachaKey']
  nonce = datastore[:nonce] || datastore['ChachaNonce']
  @iv = nonce

  # Staged payloads retrieve the UUID via handle_connection() in stager.rb,
  # so only unstaged sessions read it from the stream here.
  unless @staged
    # Ask the stream for 16 bytes with a 1 second timeout.
    # NOTE(review): the result is not checked before the lookup; presumably it
    # can be nil or short on timeout. Confirm retrieve_chacha_creds tolerates that.
    curr_uuid = rstream.get_once(16, 1)
    @key, @nonce = retrieve_chacha_creds(curr_uuid)
    # The all-zero 12-byte IV never survives: whenever @nonce is missing, the
    # fallback below overwrites @iv as well.
    @iv = @nonce ? @nonce : "\0" * 12

    unless @key && @nonce
      print_status('Failed to retrieve key/nonce for uuid. Resorting to datastore')
      # The fallback reads only the string-keyed options, not the :key / :nonce
      # entries consulted at the top of the method.
      @key = datastore['ChachaKey']
      @iv = datastore['ChachaNonce']
    end
  end

  # SecureRandom.hex(n) returns 2n hex characters built from n random bytes.
  # The results are used as-is, so the 12-character nonce and 32-character key
  # carry 48 and 128 bits of randomness respectively.
  # NOTE(review): presumably hex keeps the material printable for the payload; confirm.
  new_nonce = SecureRandom.hex(6)
  new_key = SecureRandom.hex(16)

  # Encrypt the new nonce followed by the new key under the initial key/IV and
  # send it to the remote end. Order matters: the write must happen before the
  # local cipher is switched.
  @chacha_cipher = Rex::Crypto::Chacha20.new(@key, @iv)
  new_cipher = @chacha_cipher.chacha20_crypt(new_nonce + new_key)
  rstream.write(new_cipher)

  # From here on, traffic uses the rotated key and nonce.
  @key = new_key
  @iv = new_nonce
  @chacha_cipher.reset_cipher(@key, @iv)
end

#shell_read(length = -1, timeout = 1) ⇒ Object

Overridden from Msf::Sessions::CommandShell#shell_read

Read encrypted data from console and decrypt it


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 82

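# Reads one chunk of ciphertext from the remote stream and decrypts it.
#
# Decrypted output is reported to the framework's session-output event before
# it is returned. On a stream error the shell is closed and the error re-raised.
#
# @param length [Integer] passed to +rstream.get_once+ as the read length
# @param timeout [Integer] passed to +rstream.get_once+ as the timeout
# @return [Object, nil] the decrypted data, or nil when nothing was read
# @raise [Rex::SocketError, EOFError, IOError, Errno::EPIPE] re-raised after
#   the shell has been closed
def shell_read(length = -1, timeout = 1)
  ciphertext = rstream.get_once(length, timeout)

  # A read that yields nothing must not reach the cipher: passing nil to
  # chacha20_crypt would raise an error that the rescue below does not cover.
  return nil unless ciphertext

  decrypted = @chacha_cipher.chacha20_crypt(ciphertext)
  framework.events.on_session_output(self, decrypted) if decrypted

  decrypted
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
  shell_close
  raise e
end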

#shell_write(buf) ⇒ Object

Overridden from Msf::Sessions::CommandShell#shell_write

Encrypt data then write it to the console


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 98

# Encrypts +buf+ with the session cipher and writes it to the remote stream.
#
# The stripped plaintext is first reported to the framework's session-command
# event, so the command reaches event subscribers unencrypted. On a stream
# error the shell is closed and the error re-raised.
#
# @param buf [String, nil] plaintext to send; nothing happens when it is nil
# @return [Object, nil] the result of +rstream.write+, or nil when +buf+ is nil
# @raise [Rex::SocketError, EOFError, IOError, Errno::EPIPE] re-raised after
#   the shell has been closed
def shell_write(buf)
  if buf
    framework.events.on_session_command(self, buf.strip)
    rstream.write(@chacha_cipher.chacha20_crypt(buf))
  end
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => error
  shell_close
  raise error
end

#type ⇒ Object


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 34

# Session type label for this instance.
#
# @return [String] the fixed label "Encrypted"
def type = 'Encrypted'