
Enable non-session command output for SSH modules #10855

Merged
merged 5 commits into from
Oct 23, 2018

Conversation

wvu

@wvu wvu commented Oct 23, 2018

Looks like channel[:data] was initialized but never used.

The socket pair is closed on EOF from the command, which is why we couldn't read output outside a shell session.

msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set action Execute
action => Execute
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set cmd id; uname -a
cmd => id; uname -a
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run

[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[*] 172.28.128.3:2222 - Executed: id; uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >

#10820
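Added illustration, not code from this PR or from metasploit-framework: a constructed Ruby sketch of the two behaviours described above, command output kept in channel[:data] and mirrored onto a socket pair, with the reader side ending quietly when the peer closes instead of raising. FakeChannel, CommandStream, run_command and the recorded output lines are stand-ins, not Net::SSH or Metasploit classes.

```ruby
require 'socket'

# Constructed stand-in for a Net::SSH exec channel (not the real class): a
# Hash for per-channel properties, plus on_data / on_close callbacks and a
# deliver helper that replays recorded output and then signals EOF.
class FakeChannel < Hash
  def on_data(&blk)
    @on_data = blk
  end
  def on_close(&blk)
    @on_close = blk
  end
  def deliver(chunks)
    chunks.each { |c| @on_data.call(self, c) }
    @on_close.call(self)
  end
end

# Sketch of a command stream: output is buffered in channel[:data] (so it is
# there even when nobody is attached yet) and mirrored onto a socket pair whose
# reader end tolerates the peer going away.
class CommandStream
  attr_reader :output, :reader
  def initialize(channel)
    @lsock, @rsock = UNIXSocket.pair
    @output = +''
    channel[:data] = +''
    channel.on_data do |ch, data|
      ch[:data] << data
      @rsock.write(data)
    end
    channel.on_close { @rsock.close } # EOF from the command: close the write side only
    @reader = Thread.new do
      begin
        loop { @output << @lsock.readpartial(4096) }
      rescue EOFError, IOError, Errno::ECONNRESET
        :closed                       # closed or reset peer ends the thread quietly
      end
    end
  end
end

# Run the fake command end to end; returns [thread result, buffer, bytes read].
def run_command(chunks)
  ch = FakeChannel.new
  cs = CommandStream.new(ch)
  ch.deliver(chunks)
  [cs.reader.value, ch[:data], cs.output]
end
```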

@busterb

busterb commented Oct 23, 2018

Very nice, now sessions -K doesn't throw a nasty stack trace either.

Before:

msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -K
[*] Killing all sessions...
#<Thread:0x000055ec29db7890@/home/bcook/projects/metasploit-framework/lib/net/ssh/command_stream.rb:69 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
	3: from /home/bcook/projects/metasploit-framework/lib/net/ssh/command_stream.rb:72:in `block (2 levels) in initialize'
	2: from /home/bcook/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-core-0.1.13/lib/rex/io/stream.rb:72:in `read'
	1: from /home/bcook/.rvm/rubies/ruby-2.5.3/lib/ruby/2.5.0/socket.rb:452:in `read_nonblock'
/home/bcook/.rvm/rubies/ruby-2.5.3/lib/ruby/2.5.0/socket.rb:452:in `__read_nonblock': Connection reset by peer (Errno::ECONNRESET)
[*] 127.0.0.1 - Command shell session 1 closed.

After:

msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -K
[*] Killing all sessions...
[*] 127.0.0.1 - Command shell session 1 closed.

@busterb busterb merged commit 9c49acb into rapid7:master Oct 23, 2018
@busterb

busterb commented Oct 23, 2018

Release Notes

This fixes defects in SSH session types, enabling data to be read from an SSH session while it is in the background, and issues with killing a session in the background.
