Module: Msf::Handler::ReverseSsh

Includes:
Msf::Handler, Reverse
Defined in:
lib/msf/core/handler/reverse_ssh.rb

Overview

This handler implements the SSH tunneling interface.

Constant Summary

Constants included from Msf::Handler

Claimed, Unused

Instance Attribute Summary collapse

Attributes included from Msf::Handler

#exploit_config, #parent_payload, #pending_connections, #session_waiter_event, #sessions

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Reverse

#bind_addresses, #bind_port, #is_loopback_address?

Methods included from Msf::Handler

#add_handler, #cleanup_handler, #handle_connection, #handler, #handler_name, #interrupt_wait_for_session, #register_session, #start_handler, #wait_for_session

Instance Attribute Details

#service ⇒ Object

:nodoc:



# File 'lib/msf/core/handler/reverse_ssh.rb', line 146

# Reader for the service object kept in +@service+. setup_handler stores the
# value returned by Rex::ServiceManager.start through `self.service =`.
#
# @return [Object, nil] the stored service, or nil when nothing was assigned
def service
  @service
end

Class Method Details

.general_handler_type ⇒ Object

Returns the connection-described general handler type, in this case ‘tunnel’.



# File 'lib/msf/core/handler/reverse_ssh.rb', line 25

# General category of the connection this handler provides.
#
# @return [String] always 'tunnel'
def self.general_handler_type
  'tunnel'
end

.handler_type ⇒ Object

Returns the string representation of the handler type



# File 'lib/msf/core/handler/reverse_ssh.rb', line 17

# String identifier of this handler type.
#
# @return [String] always 'reverse_ssh'
def self.handler_type
  'reverse_ssh'
end

Instance Method Details

#create_session(ssh, opts = {}) ⇒ Object



# File 'lib/msf/core/handler/reverse_ssh.rb', line 121

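# Builds a reverse SSH command-shell session around +ssh+ and registers it.
#
# @param ssh [Object] passed unchanged to Sessions::SshCommandShellReverse.new;
#   init_fd_client supplies a Rex::Proto::Ssh::ChannelFD here
# @param opts [Hash] forwarded unchanged to the session constructor
# @return [Sessions::SshCommandShellReverse] the newly registered session
def create_session(ssh, opts = {})
  session = Sessions::SshCommandShellReverse.new(ssh, opts)

  # Pass along the framework context
  session.framework = framework

  # Associate the session with the originating exploit and its details
  session.set_from_exploit(assoc_exploit)

  # Register with the framework and notify any waiters. No nil guard is
  # needed: the session has already been dereferenced twice above, so a
  # nil or false value would have raised before reaching this line.
  register_session(session)

  session
end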

#init_fd_client(cli) ⇒ Object



# File 'lib/msf/core/handler/reverse_ssh.rb', line 110

# Connect callback: waits for the client to open a channel, wraps it in a
# ChannelFD, records it on the service and creates a session from it.
#
# The whole sequence shares one 25-second budget. Because create_session runs
# inside the same Timeout block, a Timeout::Error raised during session
# creation is logged with the same "channel FDs" message. Nothing in this
# method closes +cli+ when the wait times out.
#
# @param cli [Object] client whose connection exposes open_channel_keys
# @return [Object] create_session's result, or elog's result on timeout
def init_fd_client(cli)
  Timeout.timeout(25) do
    # Poll every 20 ms until the client has at least one open channel.
    while cli.connection.open_channel_keys.empty?
      sleep(0.02)
    end

    channel_fd = Rex::Proto::Ssh::ChannelFD.new(cli)
    service.clients.push(channel_fd)
    create_session(channel_fd)
  end
rescue Timeout::Error
  elog("Unable to find channel FDs for client #{cli}")
end

#initialize(info = {}) ⇒ Object

Initializes the reverse SSH handler and adds the options that are required for all reverse SSH payloads, like version string and auth params.



# File 'lib/msf/core/handler/reverse_ssh.rb', line 32

# Sets up the handler and registers the options reverse SSH payloads need.
#
# Registers LPORT through Opt::LPORT(22) and the advanced option
# 'Ssh::Version', which setup_handler copies into the SSH server options as
# 'local_version'.
# NOTE(review): 22 is presumably the default listen port; binding a port
# below 1024 usually needs elevated privileges - confirm for the deployment.
#
# @param info [Hash] module information, passed to super unchanged
def initialize(info = {})
  super

  register_options([Opt::LPORT(22)])

  version_option = OptString.new(
    'Ssh::Version',
    [true, 'The SSH version string to provide', default_version_string]
  )
  register_advanced_options([version_option], Msf::Handler::ReverseSsh)
end

#listener_uri(addr = datastore['ReverseListenerBindAddress']) ⇒ String

A URI describing where we are listening

Parameters:

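  • addr (String) (defaults to: datastore['ReverseListenerBindAddress'])

    the address to use as the URI host; when it is nil or empty, datastore['LHOST'] is used instead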

Returns:

  • (String)

    A URI of the form ssh://host:port/



# File 'lib/msf/core/handler/reverse_ssh.rb', line 50

# Describes where the handler is listening, as an ssh:// URI.
#
# @param addr [String, nil] host part of the URI; defaults to
#   datastore['ReverseListenerBindAddress'] and falls back to
#   datastore['LHOST'] when nil or empty
# @return [String] "ssh://host:port" with no trailing slash; IPv6 hosts are
#   wrapped in square brackets
def listener_uri(addr = datastore['ReverseListenerBindAddress'])
  host = (addr.nil? || addr.empty?) ? datastore['LHOST'] : addr
  # Bracket IPv6 literals so the colon before the port stays unambiguous.
  host = "[#{host}]" if Rex::Socket.is_ipv6?(host)
  "ssh://#{host}:#{bind_port}"
end

#setup_handler ⇒ void

This method returns an undefined value.

Create an Ssh listener



# File 'lib/msf/core/handler/reverse_ssh.rb', line 59

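# Creates the SSH listener on the first bind address that accepts the port.
#
# Each address from bind_addresses is tried in order; the first successful
# Rex::ServiceManager.start ends the loop. If none succeeds, the last bind
# failure is re-raised before the service is touched, so the caller sees the
# real bind error rather than a NoMethodError on a nil service.
#
# @return [void]
# @raise [RuntimeError] when the linked OpenSSL library reports version 3
# @raise [StandardError] the last bind failure when no address could be bound
def setup_handler
  # The current SSH server implementation does not support OpenSSL 3.
  # NOTE(review): the message interpolates OpenSSL::VERSION (the Ruby openssl
  # binding's version), not the library version string tested in the condition.
  if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? 'OpenSSL 3'
    raise RuntimeError, "ReverseSSH failed to load. OpenSSL version #{OpenSSL::VERSION} not supported."
  end

  local_addr = nil
  local_port = bind_port
  bind_error = nil

  ssh_opts = Rex::Proto::Ssh::Connection.default_options
  # Presumably the version banner the server presents to connecting clients.
  ssh_opts['local_version'] = datastore['Ssh::Version']

  # Start the SSH server service on this host/port
  bind_addresses.each do |ip|
    self.service = Rex::ServiceManager.start(Rex::Proto::Ssh::Server,
                                             local_port, ip,
                                             {
                                               'Msf' => framework,
                                               'MsfExploit' => self
                                             },
                                             comm,
                                             ssh_opts)
    local_addr = ip
  rescue StandardError => e
    bind_error = e
    print_error("Handler failed to bind to #{ip}:#{local_port}")
  else
    # A later address succeeded, so earlier failures no longer matter.
    bind_error = nil
    break
  end

  # Surface the bind failure first: with no bound service there is nothing
  # to attach the connect callback to.
  raise bind_error if bind_error

  # NOTE(review): the callback is attached only after the service has been
  # started; whether a client can connect in between depends on the server
  # implementation - confirm.
  service.on_client_connect_proc = proc { |cli| init_fd_client(cli) }

  print_status("Started SSH reverse handler on #{listener_uri(local_addr)}")

  if datastore['IgnoreUnknownPayloads']
    print_status('Handler is ignoring unknown payloads')
  end
end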

#stop_handler ⇒ void

This method returns an undefined value.

Stops the handler & service



# File 'lib/msf/core/handler/reverse_ssh.rb', line 104

# Stops the SSH service, but only when a service exists and +sessions+
# equals 0; otherwise the listener is left running.
#
# @return [void]
def stop_handler
  return unless service && sessions == 0

  Rex::ServiceManager.stop_service(service)
end

#wfs_delay ⇒ Object

Always wait at least 5 seconds for this payload (due to channel delays)



# File 'lib/msf/core/handler/reverse_ssh.rb', line 143

# Wait-for-session delay for this payload, with a floor applied because of
# channel delays.
#
# @return [Numeric] datastore['WfsDelay'] when it is greater than 4,
#   otherwise 5 (a fractional value such as 4.5 is returned as is)
def wfs_delay
  configured = datastore['WfsDelay']
  configured > 4 ? configured : 5
end