Land #19656 Close ssh session on error

rapid7 · Dec 12, 2024 · c7f7cfd · c7f7cfd
2 parents 31930f4 + 566e12b
commit c7f7cfd
Show file tree

Hide file tree

Showing 24 changed files with 60 additions and 37 deletions.
diff --git a/lib/msf/base/sessions/aws_instance_connect_command_shell_bind.rb b/lib/msf/base/sessions/aws_instance_connect_command_shell_bind.rb
@@ -76,7 +76,7 @@ def desc
     end
 
     def bootstrap(datastore = {}, handler = nil)
-      @ssh_command_stream = Net::SSH::CommandStream.new(ssh_connection)
+      @ssh_command_stream = Net::SSH::CommandStream.new(ssh_connection, session: self, logger: self)
 
       @ssh_command_stream.verify_channel
       # set remote_window_size to 32 which seems to help stability

diff --git a/lib/msf/base/sessions/ssh_command_shell_bind.rb b/lib/msf/base/sessions/ssh_command_shell_bind.rb
@@ -243,7 +243,7 @@ def bootstrap(datastore = {}, handler = nil)
       # shells accessed through SSH may respond to the echo command issued for verification as expected
       datastore['AutoVerifySession'] &= @platform.blank?
 
-      @rstream = Net::SSH::CommandStream.new(ssh_connection).lsock
+      @rstream = Net::SSH::CommandStream.new(ssh_connection, session: self, logger: self).lsock
       super
 
       @info = "SSH #{username} @ #{@peer_info}"

diff --git a/lib/net/ssh/command_stream.rb b/lib/net/ssh/command_stream.rb
@@ -2,7 +2,7 @@
 
 class Net::SSH::CommandStream
 
-  attr_accessor :channel, :thread, :error, :ssh
+  attr_accessor :channel, :thread, :error, :ssh, :session, :logger
   attr_accessor :lsock, :rsock, :monitor
 
   module PeerInfo
@@ -13,7 +13,8 @@ module PeerInfo
 
   def shell_requested(channel, success)
     unless success
-      raise Net::SSH::ChannelRequestFailed, 'Shell/exec channel request failed'
+      error = Net::SSH::ChannelRequestFailed.new('Shell/exec channel request failed')
+      handle_error(error: error)
     end
 
     self.channel = channel
@@ -40,7 +41,9 @@ def shell_requested(channel, success)
     end
   end
 
-  def initialize(ssh, cmd = nil, pty: false, cleanup: false)
+  def initialize(ssh, cmd = nil, pty: false, cleanup: false, session: nil, logger: nil)
+    self.session = session
+    self.logger = logger
     self.lsock, self.rsock = Rex::Socket.tcp_socket_pair()
     self.lsock.extend(Rex::IO::Stream)
     self.lsock.extend(PeerInfo)
@@ -74,31 +77,40 @@ def initialize(ssh, cmd = nil, pty: false, cleanup: false)
       end
 
       channel.on_open_failed do |ch, code, desc|
-        raise Net::SSH::ChannelOpenFailed.new(code, 'Session channel open failed')
+        error = Net::SSH::ChannelOpenFailed.new(code, 'Session channel open failed')
+        handle_error(error: error)
       end
 
       self.monitor = Thread.new do
-        while(true)
-          next if not self.rsock.has_read_data?(1.0)
-          buff = self.rsock.read(16384)
-          break if not buff
-          verify_channel
-          self.channel.send_data(buff) if buff
+        begin
+          Kernel.loop do
+            next if not self.rsock.has_read_data?(1.0)
+
+            buff = self.rsock.read(16384)
+            break if not buff
+
+            verify_channel
+            self.channel.send_data(buff) if buff
+          end
+        rescue ::StandardError => e
+          handle_error(error: e)
         end
       end
 
-      while true
-        rssh.process(0.5) { true }
+      begin
+        Kernel.loop { rssh.process(0.5) { true } }
+      rescue ::StandardError => e
+        handle_error(error: e)
       end
 
       # Shut down the SSH session if requested
       if !rcmd.nil? && rcleanup
         rssh.close
       end
     end
-  rescue ::Exception => e
+  rescue ::StandardError => e
     # XXX: This won't be set UNTIL there's a failure from a thread
-    self.error = e
+    handle_error(error: e)
   ensure
     self.monitor.kill if self.monitor
   end
@@ -113,7 +125,18 @@ def verify_channel
     end
   end
 
+  def handle_error(error: nil)
+    self.error = error if error
+
+    if self.logger
+      self.logger.print_error("SSH Command Stream encountered an error: #{self.error} (Server Version: #{self.ssh.transport.server_version.version})")
+    end
+
+    cleanup
+  end
+
   def cleanup
+    self.session.alive = false if self.session
     self.monitor.kill
     self.lsock.close rescue nil
     self.rsock.close rescue nil

diff --git a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb
@@ -84,7 +84,7 @@ def run_host(ip)
       info: version
     )
 
-    shell = Net::SSH::CommandStream.new(ssh)
+    shell = Net::SSH::CommandStream.new(ssh, logger: self)
 
     # XXX: Wait for CommandStream to log a channel request failure
     sleep 0.1

diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@@ -77,7 +77,7 @@ def run_host(ip)
       info: version
     )
 
-    shell = Net::SSH::CommandStream.new(ssh)
+    shell = Net::SSH::CommandStream.new(ssh, logger: self)
 
     # XXX: Wait for CommandStream to log a channel request failure
     sleep 0.1

diff --git a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
@@ -120,7 +120,7 @@ def run_host(ip)
       info: version
     )
 
-    shell = Net::SSH::CommandStream.new(ssh, datastore['CMD'], pty: datastore['SPAWN_PTY'])
+    shell = Net::SSH::CommandStream.new(ssh, datastore['CMD'], pty: datastore['SPAWN_PTY'], logger: self)
 
     # XXX: Wait for CommandStream to log a channel request failure
     sleep 0.1

diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb
@@ -110,7 +110,7 @@ def do_login(user, pass)
     end
 
     if ssh
-      conn = Net::SSH::CommandStream.new(ssh)
+      conn = Net::SSH::CommandStream.new(ssh, logger: self)
       ssh = nil
       return conn
     end

diff --git a/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb b/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb
@@ -349,7 +349,7 @@ def ssh_login
     end
 
     if ssh
-      Net::SSH::CommandStream.new(ssh)
+      Net::SSH::CommandStream.new(ssh, logger: self)
     end
   end
 

diff --git a/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb b/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb
@@ -156,7 +156,7 @@ def ssh_login
         private: private_key,
         private_type: :ssh_key
       )
-      return Net::SSH::CommandStream.new(ssh)
+      return Net::SSH::CommandStream.new(ssh, logger: self)
     end
 
     nil

diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
@@ -111,7 +111,7 @@ def do_login(user)
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket)
+      conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)
       ssh_socket = nil
 
       return conn

diff --git a/modules/exploits/linux/ssh/cisco_ucs_scpuser.rb b/modules/exploits/linux/ssh/cisco_ucs_scpuser.rb
@@ -114,7 +114,7 @@ def do_login(user, pass)
     end
 
     if ssh
-      conn = Net::SSH::CommandStream.new(ssh)
+      conn = Net::SSH::CommandStream.new(ssh, logger: self)
       ssh = nil
       return conn
     end

diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb
@@ -103,7 +103,7 @@ def do_login(ssh_options)
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket)
+      conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)
       ssh_socket = nil
 
       return conn

diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb
@@ -110,7 +110,7 @@ def do_login(user)
     return false unless ssh_socket
 
     # Create a new session from the socket, then dump it.
-    conn = Net::SSH::CommandStream.new(ssh_socket)
+    conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)
     ssh_socket = nil
     conn
   end

diff --git a/modules/exploits/linux/ssh/ibm_drm_a3user.rb b/modules/exploits/linux/ssh/ibm_drm_a3user.rb
@@ -113,7 +113,7 @@ def do_login(user, pass)
       fail_with(Failure::Unknown, "#{peer} SSH Error: #{e.class} : #{e.message}")
     end
 
-    return Net::SSH::CommandStream.new(ssh) if ssh
+    return Net::SSH::CommandStream.new(ssh, logger: self) if ssh
 
     nil
   end

diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb
@@ -108,7 +108,7 @@ def do_login(user)
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket)
+      conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)
       ssh_socket = nil
 
       return conn

diff --git a/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb b/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb
@@ -113,7 +113,7 @@ def do_login(user, pass)
     end
 
     if ssh
-      conn = Net::SSH::CommandStream.new(ssh)
+      conn = Net::SSH::CommandStream.new(ssh, logger: self)
       ssh = nil
       return conn
     end

diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb
@@ -107,7 +107,7 @@ def do_login(user)
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket)
+      conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)
       ssh_socket = nil
 
       return conn

diff --git a/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb b/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb
@@ -110,7 +110,7 @@ def do_login(user, pass)
     end
 
     if ssh
-      conn = Net::SSH::CommandStream.new(ssh, 'shell-escape')
+      conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', logger: self)
       return conn
     end
 

diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb
@@ -100,7 +100,7 @@ def do_login(user, pass)
     end
 
     if ssh
-      conn = Net::SSH::CommandStream.new(ssh)
+      conn = Net::SSH::CommandStream.new(ssh, logger: self)
       ssh = nil
       return conn
     end

diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
@@ -104,7 +104,7 @@ def do_login
     if ssh_socket
 
       # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(ssh_socket)
+      conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)
       sockets.delete(ssh_socket.transport.socket)
 
       return conn

diff --git a/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb
@@ -141,7 +141,7 @@ def do_login(user, key_data)
 
     if ssh_socket
       # Create a new session from the socket, then close it.
-      conn = Net::SSH::CommandStream.new(ssh_socket)
+      conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)
       ssh_socket = nil
 
       return conn

diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb
@@ -141,7 +141,7 @@ def do_login
       print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}"
     end
     if ssh
-      conn = Net::SSH::CommandStream.new(ssh)
+      conn = Net::SSH::CommandStream.new(ssh, logger: self)
       return conn
     end
   end

diff --git a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
@@ -181,6 +181,6 @@ def exploit
 
     # Make the SSH connection and execute our commands + payload
     print_status("#{rhost}:#{rport} - Sending and executing payload to gain root privileges!")
-    Net::SSH::CommandStream.new(ssh, build_command)
+    Net::SSH::CommandStream.new(ssh, build_command, logger: self)
   end
 end
diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
@@ -179,7 +179,7 @@ def userauth_passwd_change(user, transport, connection)
       message = transport.next_message.type
 
       if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT
-        shell = Net::SSH::CommandStream.new(connection)
+        shell = Net::SSH::CommandStream.new(connection, logger: self)
         connection = nil
         return shell
       end
-Original file line number
+Diff line change
@@ Expand Up / @@ -349,7 +349,7 @@ def ssh_login @@
         end
         if ssh
-          Net::SSH::CommandStream.new(ssh)
+          Net::SSH::CommandStream.new(ssh, logger: self)
         end
       end
@@ Expand Down @@