Class: Msf::Sessions::EncryptedShell

Inherits:
CommandShell show all
Includes:
Payload::Windows::PayloadDBConf, Msf::Session::Basic, Msf::Session::Provider::SingleCommandShell
Defined in:
lib/msf/base/sessions/encrypted_shell.rb

Instance Attribute Summary collapse

Attributes included from Msf::Session::Interactive

#rstream

Attributes included from Rex::Ui::Interactive

#completed, #interacting, #next_session, #on_command_proc, #on_print_proc, #on_run_command_error_proc, #orig_suspend, #orig_usr1, #orig_winch

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Attributes included from Msf::Session

#alive, #db_record, #exploit, #exploit_datastore, #exploit_task, #exploit_uuid, #framework, #info, #machine_id, #payload_uuid, #routes, #sid, #sname, #target_host, #target_port, #username, #uuid, #via, #workspace

Attributes included from Framework::Offspring

#framework

Attributes inherited from CommandShell

#banner, #max_threads

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Payload::Windows::PayloadDBConf

#retrieve_chacha_creds, #retrieve_conf_from_db, #save_conf_to_db

Methods included from Msf::Session::Provider::SingleCommandShell

#command_termination, #set_is_echo_shell, #shell_close, #shell_command_token, #shell_command_token_base, #shell_command_token_unix, #shell_command_token_win32, #shell_init, #shell_read_until_token, #to_cmd

Methods included from Msf::Session::Basic

#_interact

Methods included from Msf::Session::Interactive

#_interact, #_interact_complete, #_interrupt, #_suspend, #_usr1, #abort_foreground, #abort_foreground_supported, #cleanup, #comm_channel, #interactive?, #kill, #run_cmd, #tunnel_local, #tunnel_peer, #user_want_abort?

Methods included from Rex::Ui::Interactive

#_interact, #_interact_complete, #_interrupt, #_local_fd, #_remote_fd, #_stream_read_local_write_remote, #_stream_read_remote_write_local, #_suspend, #_winch, #detach, #handle_suspend, #handle_usr1, #handle_winch, #interact, #interact_stream, #prompt, #prompt_yesno, #restore_suspend, #restore_usr1, #restore_winch

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Methods included from Msf::Session

#alive?, #cleanup, #comm_channel, #dead?, #inspect, #interactive?, #kill, #log_file_name, #log_source, #name, #name=, #register?, #session_host, #session_host=, #session_port, #session_port=, #session_type, #set_from_exploit, #set_via, #tunnel_local, #tunnel_peer, #tunnel_to_s, #via_exploit, #via_payload

Methods inherited from CommandShell

#_file_transfer, _glue_cmdline_escape, #_interact, #_interact_stream, #abort_foreground_supported, binary_exists, #binary_exists, can_cleanup_files, #cleanup, #cmd_background, #cmd_background_help, #cmd_download, #cmd_download_help, #cmd_help, #cmd_help_help, #cmd_irb, #cmd_irb_help, #cmd_pry, #cmd_pry_help, #cmd_resource, #cmd_resource_help, #cmd_sessions, #cmd_sessions_help, #cmd_shell, #cmd_shell_help, #cmd_source, #cmd_source_help, #cmd_upload, #cmd_upload_help, #commands, #docs_dir, #escape_arg, #execute_file, #process_autoruns, #run_builtin_cmd, #run_single, #shell_close, #shell_command, #shell_init

Methods included from Rex::Ui::Text::Resource

#load_resource

Methods included from Scriptable

#execute_file, #execute_script, included, #legacy_script_to_post_module

Constructor Details

#initialize(rstream, opts = {}) ⇒ EncryptedShell

TODO: define a method that checks whether the payload exists in the database before using the datastore.

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 25

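# Builds an encrypted shell session on top of +rstream+.
#
# Sets the platform to "windows", defaults the architecture to an empty
# string when none is set, records whether the payload was staged, and then
# hands the original arguments to the parent constructor.
#
# @param rstream [Object] stream forwarded to the parent constructor
# @param opts [Hash] session options; +opts[:datastore][:staged]+ is read
#   when a datastore is supplied
def initialize(rstream, opts={})
  self.arch ||= ""
  self.platform = "windows"
  # The default +opts+ ({}) carries no :datastore, so indexing it
  # unconditionally raised NoMethodError on nil. Leave @staged unset (nil)
  # in that case; #bootstrap treats a nil @staged as an unstaged payload.
  datastore = opts[:datastore]
  @staged = datastore[:staged] if datastore
  super
end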

Instance Attribute Details

#arch ⇒ Object

Returns the value of attribute arch.


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 13

# Architecture recorded for this session (the constructor defaults it to "").
#
# @return [Object] current value of @arch, nil if never assigned
def arch = @arch

#chacha_cipher ⇒ Object

Returns the value of attribute chacha_cipher.


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 20

# Cipher object used by #shell_read and #shell_write; #bootstrap creates it.
# It is built from the session key, so treat the object as sensitive and
# keep it out of logs and inspection dumps.
#
# @return [Object] current value of @chacha_cipher, nil before #bootstrap runs
def chacha_cipher = @chacha_cipher

#iv ⇒ Object

Returns the value of attribute iv.


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 16

# Nonce currently paired with the session key; #bootstrap replaces it
# during the key rotation.
#
# @return [Object] current value of @iv, nil if never assigned
def iv = @iv

#key ⇒ Object

Returns the value of attribute key.


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 17

# Current ChaCha20 key for this session; #bootstrap replaces it during the
# key rotation. This is secret key material: keep it out of logs, event
# output and stored session notes.
#
# @return [Object] current value of @key, nil if never assigned
def key = @key

#platform ⇒ Object

Returns the value of attribute platform.


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 14

# Platform recorded for this session (the constructor sets it to "windows").
#
# @return [Object] current value of @platform, nil if never assigned
def platform = @platform

#staged ⇒ Object

Returns the value of attribute staged.


# File 'lib/msf/base/sessions/encrypted_shell.rb', line 18

# Staged flag taken from the datastore by the constructor. #bootstrap reads
# the session UUID from the stream only when this value is falsy.
#
# @return [Object] current value of @staged, nil if never assigned
def staged = @staged

Class Method Details

.type ⇒ Object

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 40

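# Session type label for this class.
#
# The previous body evaluated +self.class.type = "Encrypted"+. Inside a class
# method +self.class+ is +Class+, which has no +type=+ writer, so every call
# raised NoMethodError. Return the label directly, matching the
# instance-level #type.
#
# @return [String] "Encrypted"
def self.type
  "Encrypted"
end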

Instance Method Details

#bootstrap(datastore = {}, handler = nil) ⇒ Object

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 44

# Establishes the session cipher and rotates to a fresh key and nonce.
#
# The initial key/nonce come from the datastore. For unstaged payloads they
# are instead looked up by the UUID read from the stream, with the datastore
# as a fallback. A new nonce and key are then generated, sent to the peer
# encrypted under the initial pair, and installed as the session credentials
# before the parent bootstrap runs.
#
# NOTE(review): no integrity tag is computed or verified anywhere in this
# method; the stream is encrypted but, as far as this file shows, not
# authenticated.
#
# @param datastore [Hash] options; :key / 'ChachaKey' and :nonce /
#   'ChachaNonce' are consulted
# @param handler [Object, nil] forwarded unchanged to the parent bootstrap
# @return [Object] whatever the parent bootstrap returns
def bootstrap(datastore = {}, handler = nil)
  # Symbol keys take precedence over the named datastore options.
  @key = datastore[:key] || datastore['ChachaKey']
  @iv = datastore[:nonce] || datastore['ChachaNonce']

  # Staged payloads retrieve the UUID via handle_connection() in stager.rb,
  # so only the unstaged case reads it from the stream here.
  unless @staged
    # NOTE(review): #shell_read guards against get_once returning nil; here
    # the result is passed on unchecked. Confirm retrieve_chacha_creds copes
    # with a nil or short UUID.
    uuid = rstream.get_once(16, 1)
    @key, @nonce = retrieve_chacha_creds(uuid)
    @iv = @nonce || "\0" * 12

    if !@key || !@nonce
      # NOTE(review): the only signal for this fallback is a status line.
      # The datastore pair is presumably shared by every payload built from
      # the same options; confirm that continuing is preferable to refusing
      # the session.
      print_status('Failed to retrieve key/nonce for uuid. Resorting to datastore')
      @key = datastore['ChachaKey']
      @iv = datastore['ChachaNonce']
    end
  end

  # NOTE(review): SecureRandom.hex(n) returns 2n hexadecimal characters, so
  # the 12-character nonce carries 48 bits of randomness and the 32-character
  # key 128 bits, not the full width of the strings. The peer's expected
  # format is not visible here, so the encoding is kept as is.
  fresh_nonce = SecureRandom.hex(6)
  fresh_key = SecureRandom.hex(16)

  # The replacement credentials travel under the initial key, so their
  # confidentiality depends entirely on that initial key staying secret.
  @chacha_cipher = Rex::Crypto::Chacha20.new(@key, @iv)
  rstream.write(@chacha_cipher.chacha20_crypt(fresh_nonce + fresh_key))

  @key, @iv = fresh_key, fresh_nonce
  @chacha_cipher.reset_cipher(@key, @iv)

  super(datastore, handler)
end

#desc ⇒ Object

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 36

# Human-readable description of this session kind.
#
# @return [String] "Encrypted reverse shell"
def desc = "Encrypted reverse shell"

#shell_read(length = -1, timeout = 1) ⇒ Object

Overridden from Msf::Sessions::CommandShell#shell_read

Read encrypted data from console and decrypt it

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 82

# Reads one chunk from the stream and decrypts it with the session cipher.
#
# The decrypted text is also passed to framework.events.on_session_output,
# so session output reaches event subscribers in plaintext; the encryption
# covers the transport only.
#
# NOTE(review): the ciphertext is decrypted without any integrity check
# visible in this file, so altered bytes on the wire would not be detected
# here.
#
# @param length [Integer] forwarded to rstream.get_once
# @param timeout [Integer] forwarded to rstream.get_once
# @return [Object, nil] decrypted data, or nil when the stream returned nothing
# @raise [Rex::SocketError, EOFError, IOError, Errno::EPIPE] re-raised after
#   the shell has been closed
def shell_read(length=-1, timeout=1)
  ciphertext = rstream.get_once(length, timeout)
  # An empty read must not reach +chacha20_crypt+, which would crash on nil.
  return nil unless ciphertext

  plaintext = @chacha_cipher.chacha20_crypt(ciphertext)
  if plaintext
    framework.events.on_session_output(self, plaintext)
  end
  plaintext
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => err
  shell_close
  raise err
end

#shell_write(buf) ⇒ Object

Overridden from Msf::Sessions::CommandShell#shell_write

Encrypt data then write it to the console

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 100

# Encrypts +buf+ with the session cipher and writes it to the stream.
#
# The stripped command is reported to framework.events.on_session_command
# before encryption, so subscribers receive it in plaintext; the encryption
# covers the transport only.
#
# @param buf [String, nil] data to send; a falsy value is ignored
# @return [Object, nil] result of rstream.write, or nil when +buf+ is falsy
# @raise [Rex::SocketError, EOFError, IOError, Errno::EPIPE] re-raised after
#   the shell has been closed
def shell_write(buf)
  if buf
    framework.events.on_session_command(self, buf.strip)
    ciphertext = @chacha_cipher.chacha20_crypt(buf)
    rstream.write(ciphertext)
  end
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => err
  shell_close
  raise err
end

#type ⇒ Object

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 32

# Session type label reported for instances of this class.
#
# @return [String] "Encrypted"
def type = "Encrypted"