diff --git a/lib/msf/base/sessions/aws_instance_connect_command_shell_bind.rb b/lib/msf/base/sessions/aws_instance_connect_command_shell_bind.rb index 75de6e720451..cb9ab15a8832 100644 --- a/lib/msf/base/sessions/aws_instance_connect_command_shell_bind.rb +++ b/lib/msf/base/sessions/aws_instance_connect_command_shell_bind.rb @@ -76,7 +76,7 @@ def desc end def bootstrap(datastore = {}, handler = nil) - @ssh_command_stream = Net::SSH::CommandStream.new(ssh_connection) + @ssh_command_stream = Net::SSH::CommandStream.new(ssh_connection, session: self, logger: self) @ssh_command_stream.verify_channel # set remote_window_size to 32 which seems to help stability diff --git a/lib/msf/base/sessions/ssh_command_shell_bind.rb b/lib/msf/base/sessions/ssh_command_shell_bind.rb index a6bc1dd97b33..e645c47da993 100644 --- a/lib/msf/base/sessions/ssh_command_shell_bind.rb +++ b/lib/msf/base/sessions/ssh_command_shell_bind.rb @@ -243,7 +243,7 @@ def bootstrap(datastore = {}, handler = nil) # shells accessed through SSH may respond to the echo command issued for verification as expected datastore['AutoVerifySession'] &= @platform.blank? - @rstream = Net::SSH::CommandStream.new(ssh_connection).lsock + @rstream = Net::SSH::CommandStream.new(ssh_connection, session: self, logger: self).lsock super @info = "SSH #{username} @ #{@peer_info}" diff --git a/lib/net/ssh/command_stream.rb b/lib/net/ssh/command_stream.rb index 16bccbb0712a..352c04a96c22 100644 --- a/lib/net/ssh/command_stream.rb +++ b/lib/net/ssh/command_stream.rb @@ -2,7 +2,7 @@ class Net::SSH::CommandStream - attr_accessor :channel, :thread, :error, :ssh + attr_accessor :channel, :thread, :error, :ssh, :session, :logger attr_accessor :lsock, :rsock, :monitor module PeerInfo @@ -13,7 +13,8 @@ module PeerInfo def shell_requested(channel, success) unless success - raise Net::SSH::ChannelRequestFailed, 'Shell/exec channel request failed' + error = Net::SSH::ChannelRequestFailed.new('Shell/exec channel request failed') + handle_error(error: error) end self.channel = channel @@ -40,7 +41,9 @@ def shell_requested(channel, success) end end - def initialize(ssh, cmd = nil, pty: false, cleanup: false) + def initialize(ssh, cmd = nil, pty: false, cleanup: false, session: nil, logger: nil) + self.session = session + self.logger = logger self.lsock, self.rsock = Rex::Socket.tcp_socket_pair() self.lsock.extend(Rex::IO::Stream) self.lsock.extend(PeerInfo) @@ -74,21 +77,30 @@ def initialize(ssh, cmd = nil, pty: false, cleanup: false) end channel.on_open_failed do |ch, code, desc| - raise Net::SSH::ChannelOpenFailed.new(code, 'Session channel open failed') + error = Net::SSH::ChannelOpenFailed.new(code, 'Session channel open failed') + handle_error(error: error) end self.monitor = Thread.new do - while(true) - next if not self.rsock.has_read_data?(1.0) - buff = self.rsock.read(16384) - break if not buff - verify_channel - self.channel.send_data(buff) if buff + begin + Kernel.loop do + next if not self.rsock.has_read_data?(1.0) + + buff = self.rsock.read(16384) + break if not buff + + verify_channel + self.channel.send_data(buff) if buff + end + rescue ::StandardError => e + handle_error(error: e) end end - while true - rssh.process(0.5) { true } + begin + Kernel.loop { rssh.process(0.5) { true } } + rescue ::StandardError => e + handle_error(error: e) end # Shut down the SSH session if requested @@ -96,9 +108,9 @@ def initialize(ssh, cmd = nil, pty: false, cleanup: false) rssh.close end end - rescue ::Exception => e + rescue ::StandardError => e # XXX: This won't be set UNTIL there's a failure from a thread - self.error = e + handle_error(error: e) ensure self.monitor.kill if self.monitor end @@ -113,7 +125,18 @@ def verify_channel end end + def handle_error(error: nil) + self.error = error if error + + if self.logger + self.logger.print_error("SSH Command Stream encountered an error: #{self.error} (Server Version: #{self.ssh.transport.server_version.version})") + end + + cleanup + end + def cleanup + self.session.alive = false if self.session self.monitor.kill self.lsock.close rescue nil self.rsock.close rescue nil diff --git a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb index 31832116bdc0..5365eb64ea95 100644 --- a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb @@ -84,7 +84,7 @@ def run_host(ip) info: version ) - shell = Net::SSH::CommandStream.new(ssh) + shell = Net::SSH::CommandStream.new(ssh, logger: self) # XXX: Wait for CommandStream to log a channel request failure sleep 0.1 diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index 7f874e63e9dd..566ef871b267 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -77,7 +77,7 @@ def run_host(ip) info: version ) - shell = Net::SSH::CommandStream.new(ssh) + shell = Net::SSH::CommandStream.new(ssh, logger: self) # XXX: Wait for CommandStream to log a channel request failure sleep 0.1 diff --git a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb index b5341b2b9585..5a043c992de9 100644 --- a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb +++ b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb @@ -120,7 +120,7 @@ def run_host(ip) info: version ) - shell = Net::SSH::CommandStream.new(ssh, datastore['CMD'], pty: datastore['SPAWN_PTY']) + shell = Net::SSH::CommandStream.new(ssh, datastore['CMD'], pty: datastore['SPAWN_PTY'], logger: self) # XXX: Wait for CommandStream to log a channel request failure sleep 0.1 diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb index 4ab55b0fce97..3b80bacf6382 100644 --- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb +++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb @@ -110,7 +110,7 @@ def do_login(user, pass) end if ssh - conn = Net::SSH::CommandStream.new(ssh) + conn = Net::SSH::CommandStream.new(ssh, logger: self) ssh = nil return conn end diff --git a/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb index 6a48241c626b..9f4dbcf6cf6f 100644 --- a/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb +++ b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb @@ -349,7 +349,7 @@ def ssh_login end if ssh - Net::SSH::CommandStream.new(ssh) + Net::SSH::CommandStream.new(ssh, logger: self) end end diff --git a/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb b/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb index df867f0fb842..2edc63de8346 100644 --- a/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb +++ b/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb @@ -156,7 +156,7 @@ def ssh_login private: private_key, private_type: :ssh_key ) - return Net::SSH::CommandStream.new(ssh) + return Net::SSH::CommandStream.new(ssh, logger: self) end nil diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb index 116cad9e906b..d909e5ec2cfa 100644 --- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb +++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb @@ -111,7 +111,7 @@ def do_login(user) if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket) + conn = Net::SSH::CommandStream.new(ssh_socket, logger: self) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/cisco_ucs_scpuser.rb b/modules/exploits/linux/ssh/cisco_ucs_scpuser.rb index 539e44d1795c..ca5e9af4477e 100644 --- a/modules/exploits/linux/ssh/cisco_ucs_scpuser.rb +++ b/modules/exploits/linux/ssh/cisco_ucs_scpuser.rb @@ -114,7 +114,7 @@ def do_login(user, pass) end if ssh - conn = Net::SSH::CommandStream.new(ssh) + conn = Net::SSH::CommandStream.new(ssh, logger: self) ssh = nil return conn end diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb index d4cce50196d7..998634663839 100644 --- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb +++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb @@ -103,7 +103,7 @@ def do_login(ssh_options) if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket) + conn = Net::SSH::CommandStream.new(ssh_socket, logger: self) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb index 9fabb88999ce..64125268d4d0 100644 --- a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb +++ b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb @@ -110,7 +110,7 @@ def do_login(user) return false unless ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket) + conn = Net::SSH::CommandStream.new(ssh_socket, logger: self) ssh_socket = nil conn end diff --git a/modules/exploits/linux/ssh/ibm_drm_a3user.rb b/modules/exploits/linux/ssh/ibm_drm_a3user.rb index f011ef9d17ef..c6367baef543 100644 --- a/modules/exploits/linux/ssh/ibm_drm_a3user.rb +++ b/modules/exploits/linux/ssh/ibm_drm_a3user.rb @@ -113,7 +113,7 @@ def do_login(user, pass) fail_with(Failure::Unknown, "#{peer} SSH Error: #{e.class} : #{e.message}") end - return Net::SSH::CommandStream.new(ssh) if ssh + return Net::SSH::CommandStream.new(ssh, logger: self) if ssh nil end diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb index 750e4cb387d1..26060244ed3c 100644 --- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb +++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb @@ -108,7 +108,7 @@ def do_login(user) if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket) + conn = Net::SSH::CommandStream.new(ssh_socket, logger: self) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb b/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb index f12ce10a97fb..bebda2b76ea2 100644 --- a/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb +++ b/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb @@ -113,7 +113,7 @@ def do_login(user, pass) end if ssh - conn = Net::SSH::CommandStream.new(ssh) + conn = Net::SSH::CommandStream.new(ssh, logger: self) ssh = nil return conn end diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb index ce79add91200..30732a229fd4 100644 --- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb +++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb @@ -107,7 +107,7 @@ def do_login(user) if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket) + conn = Net::SSH::CommandStream.new(ssh_socket, logger: self) ssh_socket = nil return conn diff --git a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb index ac2a5674a360..13b67ff2f752 100644 --- a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb +++ b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb @@ -110,7 +110,7 @@ def do_login(user, pass) end if ssh - conn = Net::SSH::CommandStream.new(ssh, 'shell-escape') + conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', logger: self) return conn end diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb index 8c7f32067c28..f6c12aa36bfc 100644 --- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb +++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb @@ -100,7 +100,7 @@ def do_login(user, pass) end if ssh - conn = Net::SSH::CommandStream.new(ssh) + conn = Net::SSH::CommandStream.new(ssh, logger: self) ssh = nil return conn end diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index e1b41727d070..a9b3eefdff32 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb @@ -104,7 +104,7 @@ def do_login if ssh_socket # Create a new session from the socket, then dump it. - conn = Net::SSH::CommandStream.new(ssh_socket) + conn = Net::SSH::CommandStream.new(ssh_socket, logger: self) sockets.delete(ssh_socket.transport.socket) return conn diff --git a/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb index c2443ab3bbb4..64dedec97d03 100644 --- a/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb @@ -141,7 +141,7 @@ def do_login(user, key_data) if ssh_socket # Create a new session from the socket, then close it. - conn = Net::SSH::CommandStream.new(ssh_socket) + conn = Net::SSH::CommandStream.new(ssh_socket, logger: self) ssh_socket = nil return conn diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index a26bf80f6424..5370ad671e99 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -141,7 +141,7 @@ def do_login print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}" end if ssh - conn = Net::SSH::CommandStream.new(ssh) + conn = Net::SSH::CommandStream.new(ssh, logger: self) return conn end end diff --git a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb index 078f2a61534f..4a00473d50bf 100644 --- a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb +++ b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb @@ -181,6 +181,6 @@ def exploit # Make the SSH connection and execute our commands + payload print_status("#{rhost}:#{rport} - Sending and executing payload to gain root privileges!") - Net::SSH::CommandStream.new(ssh, build_command) + Net::SSH::CommandStream.new(ssh, build_command, logger: self) end end diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb index b08c4861e45a..2493f2002053 100644 --- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb +++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb @@ -179,7 +179,7 @@ def userauth_passwd_change(user, transport, connection) message = transport.next_message.type if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT - shell = Net::SSH::CommandStream.new(connection) + shell = Net::SSH::CommandStream.new(connection, logger: self) connection = nil return shell end