Class: Msf::Sessions::EncryptedShell

Inherits:
CommandShell
Includes:
Payload::Windows::PayloadDBConf, Msf::Session::Basic, Msf::Session::Provider::SingleCommandShell
Defined in:
lib/msf/base/sessions/encrypted_shell.rb

Instance Attribute Summary

Attributes included from Msf::Session::Interactive

#rstream

Attributes included from Rex::Ui::Interactive

#completed, #interacting, #next_session, #on_command_proc, #on_print_proc, #on_run_command_error_proc, #orig_suspend, #orig_usr1, #orig_winch

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Attributes included from Msf::Session

#alive, #db_record, #exploit, #exploit_datastore, #exploit_task, #exploit_uuid, #framework, #info, #machine_id, #payload_uuid, #routes, #sid, #sname, #target_host, #target_port, #username, #uuid, #via, #workspace

Attributes included from Framework::Offspring

#framework

Attributes inherited from CommandShell

#banner, #max_threads

Class Method Summary

Instance Method Summary

Methods included from Payload::Windows::PayloadDBConf

#retrieve_chacha_creds, #retrieve_conf_from_db, #save_conf_to_db

Methods included from Msf::Session::Provider::SingleCommandShell

#command_termination, #set_is_echo_shell, #shell_close, #shell_command_token, #shell_command_token_base, #shell_command_token_unix, #shell_command_token_win32, #shell_init, #shell_read_until_token, #to_cmd

Methods included from Msf::Session::Basic

#_interact

Methods included from Msf::Session::Interactive

#_interact, #_interact_complete, #_interrupt, #_suspend, #_usr1, #abort_foreground, #abort_foreground_supported, #cleanup, #comm_channel, #interactive?, #kill, #run_cmd, #tunnel_local, #tunnel_peer, #user_want_abort?

Methods included from Rex::Ui::Interactive

#_interact, #_interact_complete, #_interrupt, #_local_fd, #_remote_fd, #_stream_read_local_write_remote, #_stream_read_remote_write_local, #_suspend, #_winch, #detach, #handle_suspend, #handle_usr1, #handle_winch, #interact, #interact_stream, #prompt, #prompt_yesno, #restore_suspend, #restore_usr1, #restore_winch

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Methods included from Msf::Session

#alive?, #cleanup, #comm_channel, #dead?, #inspect, #interactive?, #kill, #log_file_name, #log_source, #name, #name=, #register?, #session_host, #session_host=, #session_port, #session_port=, #session_type, #set_from_exploit, #set_via, #tunnel_local, #tunnel_peer, #tunnel_to_s, #via_exploit, #via_payload

Methods inherited from CommandShell

#_file_transfer, #_interact, #_interact_stream, #abort_foreground_supported, binary_exists, #binary_exists, can_cleanup_files, #cleanup, #cmd_background, #cmd_background_help, #cmd_download, #cmd_download_help, #cmd_help, #cmd_help_help, #cmd_irb, #cmd_irb_help, #cmd_pry, #cmd_pry_help, #cmd_resource, #cmd_resource_help, #cmd_sessions, #cmd_sessions_help, #cmd_shell, #cmd_shell_help, #cmd_source, #cmd_source_help, #cmd_upload, #cmd_upload_help, #commands, #docs_dir, #execute_file, #process_autoruns, #run_builtin_cmd, #run_single, #shell_close, #shell_command, #shell_init

Methods included from Rex::Ui::Text::Resource

#load_resource

Methods included from Scriptable

#execute_file, #execute_script, included, #legacy_script_to_post_module

Constructor Details

#initialize(rstream, opts = {}) ⇒ EncryptedShell

define some sort of method that checks for the existence of payload in the db before using datastore



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 25

# Set up the session's platform metadata and staged flag, then defer to the
# parent constructor.
#
# @param rstream [Object] stream forwarded unchanged to the parent constructor
# @param opts [Hash] session options; +opts[:datastore][:staged]+ is read here,
#   so +opts[:datastore]+ must be present
def initialize(rstream, opts={})
  session_datastore = opts[:datastore]

  # Leave an already-assigned arch alone; otherwise default to an empty string.
  self.arch = "" unless self.arch
  self.platform = "windows"

  # Remembered for #bootstrap, which branches on whether the payload is staged.
  @staged = session_datastore[:staged]

  # Bare +super+ forwards rstream and opts exactly as received.
  super
end

Instance Attribute Details

#archObject

Returns the value of attribute arch.



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 13

# Reader for the session architecture string (nil until assigned).
#
# @return [Object] the current value of +@arch+
def arch = @arch

#chacha_cipherObject

Returns the value of attribute chacha_cipher.



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 20

# Reader for the session's cipher object (nil until #bootstrap assigns it).
#
# NOTE(review): the cipher object is built from the session key and nonce;
# treat it like key material and keep it out of logs and dumps.
#
# @return [Object] the current value of +@chacha_cipher+
def chacha_cipher = @chacha_cipher

#ivObject

Returns the value of attribute iv.



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 16

# Reader for the nonce currently paired with the session key.
#
# NOTE(review): a nonce must not be reused with the same key; callers should
# only read this value, not feed it into another cipher instance.
#
# @return [Object] the current value of +@iv+
def iv = @iv

#keyObject

Returns the value of attribute key.



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 17

# Reader for the session's current encryption key.
#
# NOTE(review): this is a public reader for live key material; avoid printing
# it, persisting it, or including it in error reports.
#
# @return [Object] the current value of +@key+
def key = @key

#platformObject

Returns the value of attribute platform.



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 14

# Reader for the session platform string (the constructor sets "windows").
#
# @return [Object] the current value of +@platform+
def platform = @platform

#stagedObject

Returns the value of attribute staged.



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 18

# Reader for the staged flag taken from the datastore by the constructor.
#
# @return [Object] the current value of +@staged+
def staged = @staged

Class Method Details

.typeObject



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 40

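# Session type string at class level, matching the instance-level #type.
#
# The earlier body was +self.class.type = "Encrypted"+. Inside a class method
# +self.class+ is +Class+, and nothing on this page defines +Class.type=+, so
# that call would raise NoMethodError instead of returning the type.
#
# @return [String] the literal "Encrypted"
def self.type
  "Encrypted"
end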

Instance Method Details

#bootstrap(datastore = {}, handler = nil) ⇒ Object



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 44

# Establish the session cipher and rotate its key material before the parent
# bootstrap runs.
#
# Sequence, as written below:
# 1. Pick the initial key/nonce from the datastore; for unstaged payloads,
#    look them up by the identifier read from the stream instead.
# 2. Generate a fresh nonce and key, send them to the peer encrypted under
#    the initial key, then reset the cipher to the fresh pair.
# 3. Hand off to the parent implementation.
#
# NOTE(review): +chacha20_crypt+ is the only transform applied in this method;
# no authentication tag is visible, so the integrity of the rotation message
# is not checked at this layer. Confirm whether another layer covers it.
#
# @param datastore [Hash] options; +:key+/+'ChachaKey'+ and
#   +:nonce+/+'ChachaNonce'+ are read here
# @param handler [Object, nil] forwarded unchanged to the parent bootstrap
# @return [Object] whatever the parent bootstrap returns
def bootstrap(datastore = {}, handler = nil)
  # Symbol keys take precedence over the string-keyed datastore options.
  @key = datastore[:key] || datastore['ChachaKey']
  nonce = datastore[:nonce] || datastore['ChachaNonce']
  @iv = nonce

  # staged payloads retrieve UUID via
  # handle_connection() in stager.rb
  unless @staged
    # Reads with length 16 and timeout 1; presumably the payload UUID.
    # NOTE(review): a nil or short read is passed on as-is. Confirm that
    # retrieve_chacha_creds tolerates it.
    curr_uuid = rstream.get_once(16, 1)
    @key, @nonce = retrieve_chacha_creds(curr_uuid)
    # Twelve NUL bytes stand in when the lookup returned no nonce.
    @iv = @nonce ? @nonce : "\0" * 12

    unless @key && @nonce
      print_status('Failed to retrieve key/nonce for uuid. Resorting to datastore')
      # NOTE(review): only the string keys are consulted here, not the
      # :key/:nonce values read at the top. The NUL-byte default above is
      # also overwritten, so @iv is nil if 'ChachaNonce' is absent.
      @key = datastore['ChachaKey']
      @iv = datastore['ChachaNonce']
    end
  end

  # SecureRandom.hex(n) returns 2*n hex characters built from n random bytes:
  # a 12-character nonce and a 32-character key, used as strings.
  # NOTE(review): every byte is therefore in [0-9a-f], giving 48 and 128 bits
  # of randomness rather than the full 96 and 256. Confirm whether the peer
  # depends on the hex alphabet before switching to raw random bytes.
  new_nonce = SecureRandom.hex(6)
  new_key = SecureRandom.hex(16)

  # The rotation message (nonce followed by key) is encrypted under the
  # initial key, so the rotated key is only as secret as the initial one.
  @chacha_cipher = Rex::Crypto::Chacha20.new(@key, @iv)
  new_cipher = @chacha_cipher.chacha20_crypt(new_nonce + new_key)
  rstream.write(new_cipher)

  # Switch to the fresh pair only after the peer has been sent it; later
  # reads and writes use the reset cipher.
  @key = new_key
  @iv = new_nonce
  @chacha_cipher.reset_cipher(@key, @iv)

  super(datastore, handler)
end

#descObject



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 36

# Human-readable description of this session type.
#
# @return [String] the literal "Encrypted reverse shell"
def desc = "Encrypted reverse shell"

#shell_read(length = -1, timeout = 1) ⇒ Object

Overridden from Msf::Sessions::CommandShell#shell_read

Read encrypted data from console and decrypt it



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 82

# Pull one chunk from the remote stream and decrypt it with the session cipher.
#
# NOTE(review): the decrypted bytes are accepted as-is; no integrity check is
# visible in this method, and the plaintext is handed to the framework's
# session-output event. Confirm how subscribers store or log it.
#
# @param length [Integer] forwarded to +rstream.get_once+ (default -1)
# @param timeout [Integer] forwarded to +rstream.get_once+ (default 1)
# @return [String, nil] decrypted data, or nil when the read returned nothing
# @raise [Rex::SocketError, EOFError, IOError, Errno::EPIPE] re-raised after
#   the shell has been closed
def shell_read(length=-1, timeout=1)
  ciphertext = rstream.get_once(length, timeout)

  # An empty read must not reach +chacha20_crypt+ (it would crash there).
  return nil unless ciphertext

  plaintext = @chacha_cipher.chacha20_crypt(ciphertext)
  if plaintext
    framework.events.on_session_output(self, plaintext)
  end

  plaintext
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => read_error
  # Transport failure: close the shell first, then let the caller see the error.
  shell_close
  raise read_error
end

#shell_write(buf) ⇒ Object

Overridden from Msf::Sessions::CommandShell#shell_write

Encrypt data then write it to the console



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 100

# Encrypt a buffer with the session cipher and send it over the remote stream.
#
# NOTE(review): the stripped command is passed to the framework's
# session-command event in plaintext before encryption; the wire is encrypted
# but local event subscribers see cleartext. Confirm how they store or log it.
#
# @param buf [String, nil] data to send; nothing happens when it is nil
# @return [Object, nil] the result of +rstream.write+, or nil when +buf+ is nil
# @raise [Rex::SocketError, EOFError, IOError, Errno::EPIPE] re-raised after
#   the shell has been closed
def shell_write(buf)
  return unless buf

  # Record the command first, then encrypt and transmit it.
  framework.events.on_session_command(self, buf.strip)
  ciphertext = @chacha_cipher.chacha20_crypt(buf)
  rstream.write(ciphertext)
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => write_error
  # Transport failure: close the shell first, then let the caller see the error.
  shell_close
  raise write_error
end

#typeObject



# File 'lib/msf/base/sessions/encrypted_shell.rb', line 32

# Session type string for instances of this class.
#
# @return [String] the literal "Encrypted"
def type = "Encrypted"