diff --git a/lib/net/ssh/command_stream.rb b/lib/net/ssh/command_stream.rb index f9d82cd518..11ef475d28 100644 --- a/lib/net/ssh/command_stream.rb +++ b/lib/net/ssh/command_stream.rb @@ -15,7 +15,34 @@ class CommandStream attr_accessor :localinfo end - def initialize(ssh, cmd, cleanup = false) + def shell_requested(channel, success) + raise "could not request ssh shell" unless success + channel[:data] = '' + + channel.on_eof do + self.rsock.close rescue nil + self.ssh.close rescue nil + self.thread.kill + end + + channel.on_close do + self.rsock.close rescue nil + self.ssh.close rescue nil + self.thread.kill + end + + channel.on_data do |ch,data| + self.rsock.write(data) + end + + channel.on_extended_data do |ch, ctype, data| + self.rsock.write(data) + end + + self.channel = channel + end + + def initialize(ssh, cmd = nil, cleanup = true) self.lsock, self.rsock = Rex::Socket.tcp_socket_pair() self.lsock.extend(Rex::IO::Stream) @@ -23,7 +50,7 @@ class CommandStream self.rsock.extend(Rex::IO::Stream) self.ssh = ssh - self.thread = Thread.new(ssh,cmd,cleanup) do |rssh,rcmd,rcleanup| + self.thread = Thread.new(ssh,cmd,cleanup) do |rssh, rcmd, rcleanup| begin info = rssh.transport.socket.getpeername_as_array @@ -33,32 +60,10 @@ class CommandStream self.lsock.localinfo = "#{info[1]}:#{info[2]}" rssh.open_channel do |rch| - rch.exec(rcmd) do |c, success| - raise "could not execute command: #{rcmd.inspect}" unless success - - c[:data] = '' - - c.on_eof do - self.rsock.close rescue nil - self.ssh.close rescue nil - self.thread.kill - end - - c.on_close do - self.rsock.close rescue nil - self.ssh.close rescue nil - self.thread.kill - end - - c.on_data do |ch,data| - self.rsock.write(data) - end - - c.on_extended_data do |ch, ctype, data| - self.rsock.write(data) - end - - self.channel = c + if cmd.nil? + rch.send_channel_request("shell", &method(:shell_requested)) + else + rch.exec(rsh, &method(:shell_requested)) end end 
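Review bot: The message `could not request ssh shell` in `shell_requested` is misleading for the `exec` path, since the same method is passed as the callback for both the `"shell"` request and `rch.exec` later in this file, and the previous `#{rcmd.inspect}` context for a failed command is lost. A wording that fits both callers, `raise "could not open ssh shell/exec channel" unless success`, would avoid a false lead when debugging a failed command. The method is also public and undocumented; a header comment such as `# Channel callback shared by the shell and exec requests: wires on_data/on_extended_data to rsock, closes rsock/ssh and kills the thread on EOF or close, and stores the channel.` would state its contract.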
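Review bot: `rch.exec(rsh, &method(:shell_requested))` references `rsh`, which is not defined anywhere in the thread block (its parameters are `rssh, rcmd, rcleanup`), so every caller that still passes a command — the quantum_vmpro_backdoor and array_vxag_vapv_privkey_privesc call sites in this diff — will raise NameError inside the thread instead of running the command. It should read `rch.exec(rcmd, &method(:shell_requested))`, and for consistency the guard should use the block parameter as well, `if rcmd.nil?`, rather than the closed-over `cmd`. The enclosing `Thread.new` block and `initialize` begin before this hunk and end after it.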
@@ -85,7 +90,7 @@ class CommandStream end # Shut down the SSH session if requested - if(rcleanup) + if rcleanup rssh.close end end diff --git a/modules/auxiliary/scanner/ssh/ssh_login.rb b/modules/auxiliary/scanner/ssh/ssh_login.rb index b495195fb5..79d5b38083 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login.rb @@ -57,7 +57,7 @@ class MetasploitModule < Msf::Auxiliary return unless ssh_socket # Create a new session - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) merge_me = { 'USERPASS_FILE' => nil, diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb index f0b271e46a..703e8b9094 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb @@ -72,7 +72,7 @@ class MetasploitModule < Msf::Auxiliary return unless ssh_socket # Create a new session from the socket - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) # Clean up the stored data - need to stash the keyfile into # a datastore for later reuse. diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb index 781db9a106..e0ac301d69 100644 --- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb +++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb @@ -110,7 +110,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh) ssh = nil return conn end diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb index b4f9e873e8..96864ee5b4 100644 --- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb +++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb 
@@ -106,7 +106,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb index f2304c91a6..5742000cc3 100644 --- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb +++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb @@ -94,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb index 0cf2138f9e..4fe890b696 100644 --- a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb +++ b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb @@ -109,7 +109,7 @@ class MetasploitModule < Msf::Exploit::Remote return false unless ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil conn end diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb index bff7067f67..5fb276c2ba 100644 --- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb +++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb 
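Review bot: Dropping the explicit `/bin/bash -i` here changes what the session runs: a `CommandStream` constructed without a command now sends a plain `shell` request, so the target's configured login shell for the account is used rather than bash, and the same applies to the `/bin/bash` removed in the loadbalancerorg_enterprise_known_privkey and quantum_dxi_known_privkey hunks. If bash was chosen deliberately for these targets, keep it: `conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash -i')` here and `'/bin/bash'` in the other two. Otherwise a short comment noting that the login shell is now relied upon would document the intent.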
@@ -103,7 +103,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb index 3c4ef23169..0d8a939067 100644 --- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb +++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb @@ -102,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/bash', true) + conn = Net::SSH::CommandStream.new(ssh_socket) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb index 48714417a1..d2c4f96ea6 100644 --- a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb +++ b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb @@ -114,7 +114,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', true) + conn = Net::SSH::CommandStream.new(ssh, 'shell-escape') return conn end diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb index 6f812d10fb..b48a856c9b 100644 --- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb +++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb @@ -117,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote end if ssh - conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh) ssh = nil return conn end diff --git a/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb b/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb index 84d547712a..4094cb72a6 100644 
--- a/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb +++ b/modules/exploits/linux/ssh/ubiquiti_airos_file_upload.rb @@ -153,7 +153,7 @@ class MetasploitModule < Msf::Exploit::Remote private: private_key, private_type: :ssh_key ) - return Net::SSH::CommandStream.new(ssh, '/bin/sh', true) + return Net::SSH::CommandStream.new(ssh) end nil diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index a914837815..6a688756a5 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb @@ -102,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Remote if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) + conn = Net::SSH::CommandStream.new(ssh_socket) self.sockets.delete(ssh_socket.transport.socket) return conn diff --git a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb index 4ee91ab322..778902cb34 100644 --- a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb +++ b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb @@ -186,6 +186,6 @@ class MetasploitModule < Msf::Exploit::Remote # Make the SSH connection and execute our commands + payload print_status("#{rhost}:#{rport} - Sending and executing payload to gain root privileges!") - Net::SSH::CommandStream.new(ssh, build_command, true) + Net::SSH::CommandStream.new(ssh, build_command) end end diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb index 53a0a22034..85064b1092 100644 --- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb +++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb 
@@ -177,7 +177,7 @@ class MetasploitModule < Msf::Exploit::Remote message = transport.next_message.type if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT - shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true) + shell = Net::SSH::CommandStream.new(connection) connection = nil return shell end