Class: Msf::SessionManager

Inherits:

Hash

• Object
• Hash
• Msf::SessionManager

Includes:

Framework::Offspring

Defined in:

lib/msf/core/session_manager.rb

Overview

The purpose of the session manager is to keep track of sessions that are created during the course of a framework instance’s lifetime. When exploits succeed, the payloads they use will create a session object, where applicable, there will implement zero or more of the core supplied interfaces for interacting with that session. For instance, if the payload supports reading and writing from an executed process, the session would implement SimpleCommandShell in a method that is applicable to the way that the command interpreter is communicated with.

Constant Summary

LAST_SEEN_INTERVAL =

60 * 2.5

SCHEDULER_THREAD_COUNT =

5

Instance Attribute Summary

• #monitor_thread ⇒ Object protected

  :nodoc:.

• #mutex ⇒ Object protected

  :nodoc:.

• #scheduler_queue ⇒ Object protected

  :nodoc:.

• #scheduler_threads ⇒ Object protected

  :nodoc:.

• #sessions ⇒ Object protected

  :nodoc:.

• #sid_pool ⇒ Object protected

  :nodoc:.

Attributes included from Framework::Offspring

#framework

Instance Method Summary

• #allocate_sid ⇒ Object

  Allocates the next Session ID.

• #deregister(session, reason = '') ⇒ Object

  Deregisters the supplied session object with the framework.

• #each(&block) ⇒ Object

  Overrides the builtin ‘each’ operator to avoid the following exception on Ruby 1.9.2+ “can’t add a new key into hash during iteration” This allows us to register new sessions while other threads are enumerating the session list.

• #each_sorted(&block) ⇒ Object

  Enumerates the sorted list of keys.

• #get(sid) ⇒ Object

  Returns the session associated with the supplied sid, if any.

• #initialize(framework) ⇒ SessionManager constructor

  A new instance of SessionManager.

• #initialize_scheduler_threads ⇒ Object

  Dedicated worker threads for pulling data out of new sessions.

• #register(session) ⇒ Object

  Registers the supplied session object with the framework and returns a unique session identifier to the caller.

• #schedule(task) ⇒ Object

  Add a new task to the loader thread queue.

Constructor Details

#initialize(framework) ⇒ SessionManager

Returns a new instance of SessionManager.

# File 'lib/msf/core/session_manager.rb', line 26

def initialize(framework)
  self.framework = framework
  self.sid_pool  = 0
  self.mutex = Mutex.new
  self.scheduler_queue = ::Queue.new
  self.initialize_scheduler_threads

  self.monitor_thread = framework.threads.spawn("SessionManager", true) do
    last_seen_timer = Time.now.utc

    respawn_max = 30
    respawn_cnt = 0

    begin
    while true

      #
      # Process incoming data from all stream-based sessions and queue the
      # data into the associated ring buffers.
      #
      rings = values.select{|s| s.respond_to?(:ring) and s.ring and s.rstream }
      ready = ::IO.select(rings.map{|s| s.rstream}, nil, nil, 0.5) || [[],[],[]]

      ready[0].each do |fd|
        s = rings.select{|s| s.rstream == fd}.first
        next if not s

        begin
          buff = fd.get_once(-1)
          if buff
            # Store the data in the associated ring
            s.ring.store_data(buff)

            # Store the session event into the database.
            # Rescue anything the event handlers raise so they
            # don't break our session.
            framework.events.on_session_output(s, buff) rescue nil
          end
        rescue ::Exception => e
          wlog("Exception reading from Session #{s.sid}: #{e.class} #{e}")
          unless e.kind_of? EOFError
            # Don't bother with a call stack if it's just a
            # normal EOF
            dlog("Call Stack\n#{e.backtrace.join("\n")}", 'core', LEV_3)
          end

          # Flush any ring data in the queue
          s.ring.clear_data rescue nil

          # Shut down the socket itself
          s.rstream.close rescue nil

          # Deregister the session
          deregister(s, "Died from #{e.class}")
        end
      end


      #
      # TODO: Call the dispatch entry point of each Meterpreter thread instead of
      #       dedicating specific processing threads to each session
      #


      #
      # Check for closed / dead / terminated sessions
      #
      values.each do |s|
        if not s.alive?
          deregister(s, "Died")
          wlog("Session #{s.sid} has died")
          next
        end
      end

      #
      # Skip the database cleanup code below if there is no database
      #
      next unless framework.db && framework.db.active && framework.db.is_local?

      #
      # Mark all open session as alive every LAST_SEEN_INTERVAL
      #
      if (Time.now.utc - last_seen_timer) >= LAST_SEEN_INTERVAL

        # Update this timer BEFORE processing the session list, this will prevent
        # processing time for large session lists from skewing our update interval.

        last_seen_timer = Time.now.utc

        ::ApplicationRecord.connection_pool.with_connection do
          values.each do |s|
            # Update the database entry on a regular basis, marking alive threads
            # as recently seen.  This notifies other framework instances that this
            # session is being maintained.
            if s.db_record
              s.db_record = framework.db.update_session(id: s.db_record.id, last_seen: Time.now.utc)
            end
          end
        end
      end

      #
      # Clean out any stale sessions that have been orphaned by a dead
      # framework instance.
      #
      framework.db.remove_stale_sessions(LAST_SEEN_INTERVAL)

    end

    #
    # All session management falls apart when any exception is raised to this point. Log it.
    #
    rescue ::Exception => e
      respawn_cnt += 1
      elog("Exception #{respawn_cnt}/#{respawn_max} in monitor thread", error: e)
      if respawn_cnt < respawn_max
        ::IO.select(nil, nil, nil, 10.0)
        retry
      end
    end
  end
end

Instance Attribute Details

#monitor_thread ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/session_manager.rb', line 289

def monitor_thread
  @monitor_thread
end

#mutex ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/session_manager.rb', line 292

def mutex
  @mutex
end

#scheduler_queue ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/session_manager.rb', line 291

def scheduler_queue
  @scheduler_queue
end

#scheduler_threads ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/session_manager.rb', line 290

def scheduler_threads
  @scheduler_threads
end

#sessions ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/session_manager.rb', line 288

def sessions
  @sessions
end

#sid_pool ⇒ Object (protected)

:nodoc:

# File 'lib/msf/core/session_manager.rb', line 288

def sid_pool
  @sid_pool
end

Instance Method Details

#allocate_sid ⇒ Object

Allocates the next Session ID

# File 'lib/msf/core/session_manager.rb', line 280

def allocate_sid
  self.mutex.synchronize do
    self.sid_pool += 1
  end
end

#deregister(session, reason = '') ⇒ Object

Deregisters the supplied session object with the framework.

# File 'lib/msf/core/session_manager.rb', line 235

def deregister(session, reason='')
  return if not session.register?

  if (session.dead? and not self[session.sid.to_i])
    return
  end

  # Tell the framework that we have a parting session
  framework.events.on_session_close(session, reason) rescue nil

  # If this session implements the comm interface, remove any routes
  # that have been created for it.
  if (session.kind_of?(Msf::Session::Comm))
    Rex::Socket::SwitchBoard.remove_by_comm(session)
  end

  # Remove it from the hash
  self.delete(session.sid.to_i)

  # Mark the session as dead
  session.alive = false

  # Close it down
  session.cleanup
end

#each(&block) ⇒ Object

Overrides the builtin ‘each’ operator to avoid the following exception on Ruby 1.9.2+

"can't add a new key into hash during iteration"

This allows us to register new sessions while other threads are enumerating the session list.

# File 'lib/msf/core/session_manager.rb', line 191

def each(&block)
  list = []
  self.keys.sort.each do |sidx|
    list << [sidx, self[sidx]]
  end
  list.each(&block)
end

#each_sorted(&block) ⇒ Object

Enumerates the sorted list of keys.

# File 'lib/msf/core/session_manager.rb', line 181

def each_sorted(&block)
  self.keys.sort.each(&block)
end

#get(sid) ⇒ Object

Returns the session associated with the supplied sid, if any.

# File 'lib/msf/core/session_manager.rb', line 264

def get(sid)
  session = nil
  sid = sid.to_i

  if sid < 0
    session = self[self.keys.sort[sid]]
  elsif sid > 0
    session = self[sid]
  end

  session
end

#initialize_scheduler_threads ⇒ Object

Dedicated worker threads for pulling data out of new sessions

# File 'lib/msf/core/session_manager.rb', line 153

def initialize_scheduler_threads
  self.scheduler_threads = []
  1.upto(SCHEDULER_THREAD_COUNT) do |i|
    self.scheduler_threads << framework.threads.spawn("SessionScheduler-#{i}", true) do
      while true
        item = self.scheduler_queue.pop
        begin
          item.call()
        rescue ::Exception => e
          wlog("Exception in scheduler thread #{e.class} #{e}")
          wlog("Call Stack\n#{e.backtrace.join("\n")}", 'core', LEV_3)
        end
      end
    end
  end
end

#register(session) ⇒ Object

Registers the supplied session object with the framework and returns a unique session identifier to the caller.

# File 'lib/msf/core/session_manager.rb', line 203

def register(session)
  if (session.sid)
    wlog("registered session passed to register again (sid #{session.sid}).")
    return nil
  end

  next_sid = allocate_sid

  # Initialize the session's sid and framework instance pointer
  session.sid       = next_sid
  session.framework = framework

  # Only register if the session allows for it
  if session.register?
    # Insert the session into the session hash table
    self[next_sid.to_i] = session

    if session.respond_to?("console")
      session.console.on_command_proc = Proc.new { |command, error| framework.events.on_session_command(session, command) }
      session.console.on_print_proc = Proc.new { |output| framework.events.on_session_output(session, output) }
    end
    if session.respond_to?("on_registered")
      session.on_registered
    end
  end

  return next_sid
end

#schedule(task) ⇒ Object

Add a new task to the loader thread queue. Task is assumed to be a Proc or another object that responds to call()

# File 'lib/msf/core/session_manager.rb', line 174

def schedule(task)
  self.scheduler_queue.push(task)
end