Metasploit-framework: GSoC2018: Idea discuession about `Add meta-shell commands`

Hi,

The main goals of the project are actually pretty simple: to add some extra commands to the shell sessions so that they have prompts, and have some of the nice high-level commands that you would seen from a meterpreter prompt ('background', 'sessions', etc.)

Locking the session simply refers to the lack of any internal locks on the session stream itself inside of meterpreter. This means that if you run 2 post modules, or interact and run a post module, the two interactions with the shell will interact poorly. Unlike Meterpreter, where each command runs independent of the others.

If you wanted to implement posix-style job control on the remote side, that would also be nifty, but I would call that secondary to the goal of adding the higher-level dispatcher.

@bcoles and @wvu might have some other suggestions for this proposal, since it is based on discussions I have had with both of them

Got it, thank you @bcook-r7

@wvu @bcoles
I just describe this idea via UML Timing Diagram
But I am not sure whether my understanding is correct, so could you guys give me some suggestions
Thank you guys so much!

I found a article may be useful, google by keywords: send signal over socket

https://blog.stalkr.net/2015/12/from-remote-shell-to-remote-terminal.html
http://comp.unix.programmer.narkive.com/ow31N0bX/sending-ascii-eot-signal-over-tcp-ip-sockets

Today, if you open a shell session, the interaction looks like this:

$ ./msfconsole -qx 'use multi/handler; set payload linux/x86/shell/reverse_tcp; set lhost 127.0.0.1; run'
payload => linux/x86/shell/reverse_tcp
lhost => 127.0.0.1
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] Sending stage (36 bytes) to 127.0.0.1
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:48904) at 2018-03-16 21:52:35 -0500

background
/bin//sh: 1: background: not found
sessions
/bin//sh: 2: sessions: not found
resource test.rc
/bin//sh: 3: resource: not found
^Z
Background session 1? [y/N]  y
msf5 exploit(multi/handler) >

Compared to meterpreter, which has all of the above commands. The primary goal of this project is to implement the above commands such that they get interpreted by Metasploit instead of being sent straight to the shell. When this project is implemented, the 'meta shell' layer should be able to support higher-level interactions like:

[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:48904) at 2018-03-16 21:52:35 -0500
> sessions
Active sessions
===============

  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell x86/linux               127.0.0.1:4444 -> 127.0.0.1:48904 (127.0.0.1)
> resource test.rc
Executing resource script test.rc
> echo "Hello"
 Hello
Resource script test.rc complete
> background
Background session 1? [y/N]  y
msf5 exploit(multi/handler) > 

A 'session' script should be able to run identically on Meterpreter or a Shell session.

Secondary bits around handling 'Shell' Job control (Ctrl+C and Ctrl+Z) more properly in Metasploit could also be added to shell sessions, but the primary goal of the 'meta shell' project isn't necessarily to fix that. Though, I could see it as a secondary phase. After adding the high level 'meta shell' commands for existing and backgrounding the shell itself, 'Ctrl+C' and 'Ctrl+Z', etc. could then be passed to the shell itself now, allowing some form of job control on native shell commands. But first you'd need to add the new way to control the shell session itself.

Another interesting capability that could be added to the meta shell would be the ability to 'upgrade' the shell session so it has a PTY, encryption, etc. Similar to how you can 'upgrade' a shell session to Meterpreter, this could be something that leverages existing tools on the target to upgrade without deploying any extra binaries on the target. I'd consider this a possible third phase to the project.

Check out the 'on_new_session' method in modules/exploits/linux/http/pandora_fms_exec.rb to see how it could be done.

download and upload commands could also be implemented in terms of shell interaction. This would be tremendously useful in a lot of cases when switching to a different session type is hard, or Meterpreter isn't working in the target environment.

And of course we need @OJ's getsystem exploit for shell sessions as well. Maybe it could just run 'sudo su -' etc, and see what works :)

Goddammit :)

On Sat., 17 Mar. 2018, 13:08 Brent Cook, notifications@github.com wrote:

And of course we need @OJ https://github.com/oj's getsystem exploit for
shell sessions as well. Maybe it could just run 'sudo su -' etc, and see
what works.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/rapid7/metasploit-framework/issues/9714#issuecomment-373890091,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AABw4APNYbqav80DlKOsBZbIEiryOrBnks5tfH4pgaJpZM4SrzjK
.

@busterb @wvu @bcook-r7 Thank all you guys help me to understand this idea
If my understanding is wrong, please do let me know if I am wrong here.
So, This will be the way I would be taking care of the project:

1. Implement the build-in command: sessions, background, resource
2. Handle signals in the reverse shell, such as: CTRL+C, CTRL+Z...
3. Upgrade the shell session to a terminal session(PTY)
4. Implement the download and the upload Build-in commands.

So these targets actually is helping to upgrade a normal reverse shell session to a meterpreter session, just like meterpreter session created by virus binaries. All the aims is going to make the command user interface more friendly to the users, right?

All the aims is going to make the command user interface more friendly to the users, right?

Correct. More user-friendly, and more similar to the Meterpreter interface.

Upgrade the shell session to a terminal session(PTY)

These links may help:
http://thor-sec.com/cheatsheet/oscp/tty_spawnage/
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

I am doing some research on this idea. However, I am currently experiencing some difficulties. I want to perform HOOK when the user types, but I did not find a function that handles user input and sends it to Socket. I found that there are two threads running when we start a reverse handler, but I am not familiar with debugging a multithreading ruby program...

The following code maybe the execution path while a new connection is accepted.

lib/msf/core/handler/reverse_tcp.rb:160:            handle_connection(wrap_aes_socket(client), opts)
lib/msf/core/handler.rb:135:    create_session(conn, opts)

I would like to ask if you can give me some advices or some help. Thank you guys so much.

Calling this done. Thanks all!