Class: Msf::Sessions::EncryptedShell

Inherits:

CommandShell

• Object
• CommandShell
• Msf::Sessions::EncryptedShell

Includes:

Payload::Windows::PayloadDBConf, Msf::Session::Basic, Msf::Session::Provider::SingleCommandShell

Defined in:

lib/msf/base/sessions/encrypted_shell.rb

Instance Attribute Summary

• #arch ⇒ Object

  Returns the value of attribute arch.

• #chacha_cipher ⇒ Object

  Returns the value of attribute chacha_cipher.

• #iv ⇒ Object

  Returns the value of attribute iv.

• #key ⇒ Object

  Returns the value of attribute key.

• #platform ⇒ Object

  Returns the value of attribute platform.

• #staged ⇒ Object

  Returns the value of attribute staged.

Attributes included from Msf::Session::Interactive

#rstream

Attributes included from Rex::Ui::Interactive

#completed, #interacting, #next_session, #on_command_proc, #on_print_proc, #orig_suspend, #orig_usr1

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Attributes included from Msf::Session

#alive, #db_record, #exploit, #exploit_datastore, #exploit_task, #exploit_uuid, #framework, #info, #machine_id, #payload_uuid, #routes, #sid, #sname, #target_host, #target_port, #username, #uuid, #via, #workspace

Attributes included from Framework::Offspring

#framework

Attributes inherited from CommandShell

#max_threads

Class Method Summary

• .type ⇒ Object

Instance Method Summary

• #desc ⇒ Object
• #initialize(rstream, opts = {}) ⇒ EncryptedShell constructor

  define some sort of method that checks for the existence of payload in the db before using datastore.

• #process_autoruns(datastore) ⇒ Object
• #shell_read(length = -1,, timeout = 1) ⇒ Object

  Overridden from Msf::Sessions::CommandShell#shell_read.

• #shell_write(buf) ⇒ Object

  Overridden from Msf::Sessions::CommandShell#shell_write.

• #type ⇒ Object

Methods included from Payload::Windows::PayloadDBConf

#retrieve_chacha_creds, #retrieve_conf_from_db, #save_conf_to_db

Methods included from Msf::Session::Provider::SingleCommandShell

#set_shell_token_index, #shell_close, #shell_command_token, #shell_command_token_unix, #shell_command_token_win32, #shell_init, #shell_read_until_token

Methods included from Msf::Session::Basic

#_interact

Methods included from Msf::Session::Interactive

#_interact, #_interact_complete, #_interrupt, #_suspend, #_usr1, #cleanup, #interactive?, #kill, #run_cmd, #tunnel_local, #tunnel_peer, #user_want_abort?

Methods included from Rex::Ui::Interactive

#_interact, #_interact_complete, #_interrupt, #_local_fd, #_remote_fd, #_stream_read_local_write_remote, #_stream_read_remote_write_local, #_suspend, #detach, #handle_suspend, #handle_usr1, #interact, #interact_stream, #prompt, #prompt_yesno, #restore_suspend, #restore_usr1

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Methods included from Msf::Session

#alive?, #cleanup, #dead?, #inspect, #interactive?, #kill, #log_file_name, #log_source, #name, #name=, #register?, #session_host, #session_host=, #session_port, #session_port=, #session_type, #set_from_exploit, #set_via, #tunnel_local, #tunnel_peer, #tunnel_to_s, #via_exploit, #via_payload

Methods inherited from CommandShell

#_interact, #_interact_stream, #binary_exists, #cleanup, #cmd_background, #cmd_background_help, #cmd_download, #cmd_download_help, #cmd_help, #cmd_help_help, #cmd_irb, #cmd_irb_help, #cmd_pry, #cmd_pry_help, #cmd_resource, #cmd_resource_help, #cmd_sessions, #cmd_sessions_help, #cmd_shell, #cmd_shell_help, #cmd_source, #cmd_source_help, #cmd_upload, #cmd_upload_help, #commands, #docs_dir, #execute_file, #file_exists, #repr, #run_builtin_cmd, #run_single, #shell_close, #shell_command, #shell_init

Methods included from Rex::Ui::Text::Resource

#load_resource

Methods included from Msf::Session::Scriptable

#execute_file, #execute_script, included, #legacy_script_to_post_module

Constructor Details

#initialize(rstream, opts = {}) ⇒ EncryptedShell

define some sort of method that checks for the existence of payload in the db before using datastore

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 27

def initialize(rstream, opts={})
  self.arch ||= ""
  self.platform = "windows"
  @staged = opts[:datastore][:staged]
  super
end

Instance Attribute Details

#arch ⇒ Object

Returns the value of attribute arch

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 15

def arch
  @arch
end

#chacha_cipher ⇒ Object

Returns the value of attribute chacha_cipher

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 22

def chacha_cipher
  @chacha_cipher
end

#iv ⇒ Object

Returns the value of attribute iv

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 18

def iv
  @iv
end

#key ⇒ Object

Returns the value of attribute key

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 19

def key
  @key
end

#platform ⇒ Object

Returns the value of attribute platform

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 16

def platform
  @platform
end

#staged ⇒ Object

Returns the value of attribute staged

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 20

def staged
  @staged
end

Class Method Details

.type ⇒ Object

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 42

def self.type
  self.class.type = "Encrypted"
end

Instance Method Details

#desc ⇒ Object

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 38

def desc
  "Encrypted reverse shell"
end

#process_autoruns(datastore) ⇒ Object

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 46

def process_autoruns(datastore)
  @key = datastore[:key] || datastore['ChachaKey']
  nonce = datastore[:nonce] || datastore['ChachaNonce']
  @iv = nonce

  # staged payloads retrieve UUID via
  # handle_connection() in stager.rb
  unless @staged
    curr_uuid = rstream.get_once(16, 1)
    @key, @nonce = retrieve_chacha_creds(curr_uuid)
    @iv = @nonce ? @nonce : "\0" * 12

    unless @key && @nonce
      print_status('Failed to retrieve key/nonce for uuid. Resorting to datastore')
      @key = datastore['ChachaKey']
      @iv = datastore['ChachaNonce']
    end
  end

  new_nonce = SecureRandom.hex(6)
  new_key = SecureRandom.hex(16)

  @chacha_cipher = Rex::Crypto::Chacha20.new(@key, @iv)
  new_cipher = @chacha_cipher.chacha20_crypt(new_nonce + new_key)
  rstream.write(new_cipher)

  @key = new_key
  @iv = new_nonce
  @chacha_cipher.reset_cipher(@key, @iv)
end

#shell_read(length = -1,, timeout = 1) ⇒ Object

Overridden from Msf::Sessions::CommandShell#shell_read

Read encrypted data from console and decrypt it

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 82

def shell_read(length=-1, timeout=1)
  rv = rstream.get_once(length, timeout)
  decrypted = @chacha_cipher.chacha20_crypt(rv)
  framework.events.on_session_output(self, decrypted) if decrypted

  return decrypted
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
  shell_close
  raise e
end

#shell_write(buf) ⇒ Object

Overridden from Msf::Sessions::CommandShell#shell_write

Encrypt data then write it to the console

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 98

def shell_write(buf)
  return unless buf

  framework.events.on_session_command(self, buf.strip)
  encrypted = @chacha_cipher.chacha20_crypt(buf)
  rstream.write(encrypted)
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
  shell_close
  raise e
end

#type ⇒ Object

# File 'lib/msf/base/sessions/encrypted_shell.rb', line 34

def type
  "Encrypted"
end