Class: Metasploit::Framework::DataService::RemoteHTTPDataService

Inherits:

Object

• Object
• Metasploit::Framework::DataService::RemoteHTTPDataService

Includes:

DataServiceAutoLoader, Metasploit::Framework::DataService

Defined in:

lib/metasploit/framework/data_service/remote/http/core.rb

Defined Under Namespace

Classes: ErrorResponse, FailedResponse, ResponseWrapper, SuccessResponse

Constant Summary

DEFAULT_USER_AGENT =

"metasploit v#{Metasploit::Framework::VERSION}"

EXEC_ASYNC =

{ :exec_async => true }

GET_REQUEST =

'GET'

POST_REQUEST =

'POST'

DELETE_REQUEST =

'DELETE'

PUT_REQUEST =

'PUT'

Constants included from RemoteRouteDataService

RemoteRouteDataService::ROUTE_API_PATH, RemoteRouteDataService::ROUTE_MDM_CLASS

Constants included from RemotePayloadDataService

RemotePayloadDataService::PAYLOAD_API_PATH, RemotePayloadDataService::PAYLOAD_MDM_CLASS

Constants included from RemoteDbImportDataService

RemoteDbImportDataService::DB_IMPORT_API_PATH

Constants included from RemoteMsfDataService

RemoteMsfDataService::MSF_API_PATH, RemoteMsfDataService::MSF_VERSION_API_PATH

Constants included from RemoteVulnAttemptDataService

RemoteVulnAttemptDataService::VULN_ATTEMPT_API_PATH, RemoteVulnAttemptDataService::VULN_ATTEMPT_MDM_CLASS

Constants included from RemoteDbExportDataService

RemoteDbExportDataService::DB_EXPORT_API_PATH

Constants included from RemoteNmapDataService

RemoteNmapDataService::NMAP_PATH

Constants included from RemoteLoginDataService

RemoteLoginDataService::LOGIN_API_PATH, RemoteLoginDataService::LOGIN_MDM_CLASS

Constants included from RemoteCredentialDataService

RemoteCredentialDataService::CREDENTIAL_API_PATH, RemoteCredentialDataService::CREDENTIAL_MDM_CLASS

Constants included from RemoteSessionEventDataService

RemoteSessionEventDataService::SESSION_EVENT_API_PATH, RemoteSessionEventDataService::SESSION_EVENT_MDM_CLASS

Constants included from RemoteLootDataService

RemoteLootDataService::LOOT_API_PATH, RemoteLootDataService::LOOT_MDM_CLASS

Constants included from RemoteExploitDataService

RemoteExploitDataService::EXPLOIT_API_PATH

Constants included from RemoteSessionDataService

RemoteSessionDataService::SESSION_API_PATH, RemoteSessionDataService::SESSION_MDM_CLASS

Constants included from RemoteServiceDataService

RemoteServiceDataService::SERVICE_API_PATH, RemoteServiceDataService::SERVICE_MDM_CLASS

Constants included from RemoteWebDataService

RemoteWebDataService::WEB_API_PATH

Constants included from RemoteVulnDataService

RemoteVulnDataService::VULN_API_PATH, RemoteVulnDataService::VULN_MDM_CLASS

Constants included from RemoteWorkspaceDataService

RemoteWorkspaceDataService::WORKSPACE_API_PATH, RemoteWorkspaceDataService::WORKSPACE_MDM_CLASS

Constants included from RemoteNoteDataService

RemoteNoteDataService::NOTE_API_PATH, RemoteNoteDataService::NOTE_MDM_CLASS

Constants included from RemoteEventDataService

RemoteEventDataService::EVENT_API_PATH, RemoteEventDataService::EVENT_MDM_CLASS

Constants included from RemoteHostDataService

RemoteHostDataService::HOST_API_PATH, RemoteHostDataService::HOST_MDM_CLASS, RemoteHostDataService::HOST_SEARCH_PATH, RemoteHostDataService::TAG_MDM_CLASS

Instance Attribute Summary

• #api_token ⇒ Object readonly

  Returns the value of attribute api_token.

• #endpoint ⇒ Object readonly

  Returns the value of attribute endpoint.

• #https_opts ⇒ Object readonly

  Returns the value of attribute https_opts.

Instance Method Summary

• #active ⇒ Object
• #active=(value) ⇒ Object
• #after_establish_connection ⇒ Object
• #connection_established? ⇒ Boolean
• #delete_data(path, data_hash, query = nil) ⇒ Object

  Send DELETE request to delete the specified resource from the HTTP endpoint.

• #driver ⇒ Object
• #error ⇒ Object
• #get_data(path, data_hash = nil, query = nil) ⇒ Object

  GET data from the HTTP endpoint.

• #get_path_select(opts, path) ⇒ String

  Select the correct path for GET request based on the options parameters provided.

• #initialize(endpoint, opts = {}) ⇒ RemoteHTTPDataService constructor

  A new instance of RemoteHTTPDataService.

• #is_local? ⇒ Boolean
• #is_online? ⇒ Boolean

  Checks if the data service is online by making a request for the Metasploit version number from the remote endpoint.

• #make_request(request_type, path, data_hash = nil, query = nil) ⇒ Object

  Make the specified request_type.

• #name ⇒ Object
• #post_data(path, data_hash, query = nil) ⇒ Object

  POST data to the HTTP endpoint.

• #post_data_async(path, data_hash, query = nil) ⇒ Object

  POST data to the HTTP endpoint and don't wait for the endpoint to process the data before getting a response.

• #put_data(path, data_hash, query = nil) ⇒ Object

  Send PUT request to store data for the specified resource at the HTTP endpoint.

• #set_header(key, value) ⇒ Object

Methods included from RemoteRouteDataService

#report_session_route, #report_session_route_remove

Methods included from ResponseDataHelper

#json_to_hash, #json_to_mdm_object, #process_file, #to_ar

Methods included from RemotePayloadDataService

#create_payload, #delete_payload, #payloads, #update_payload

Methods included from RemoteDbImportDataService

#import_file

Methods included from RemoteMsfDataService

#get_msf_version

Methods included from RemoteVulnAttemptDataService

#report_vuln_attempt, #vuln_attempts

Methods included from RemoteDbExportDataService

#run_db_export

Methods included from RemoteNmapDataService

#import_nmap_xml_file

Methods included from RemoteLoginDataService

#create_credential_login, #logins, #update_login

Methods included from RemoteCredentialDataService

#create_credential, #creds, #delete_credentials, #update_credential

Methods included from RemoteSessionEventDataService

#report_session_event, #session_events

Methods included from RemoteLootDataService

#delete_loot, #loot, #report_loot, #update_loot

Methods included from RemoteExploitDataService

#report_exploit_attempt, #report_exploit_failure, #report_exploit_success

Methods included from RemoteSessionDataService

#report_session, #sessions, #update_session

Methods included from RemoteServiceDataService

#delete_service, #report_service, #services, #update_service

Methods included from RemoteWebDataService

#report_web_form, #report_web_page, #report_web_site, #report_web_vuln

Methods included from RemoteVulnDataService

#delete_vuln, #report_vuln, #update_vuln, #vulns

Methods included from RemoteWorkspaceDataService

#add_workspace, #default_workspace, #delete_workspaces, #update_workspace, #workspace, #workspace=, #workspaces

Methods included from RemoteNoteDataService

#delete_note, #notes, #report_note, #update_note

Methods included from RemoteEventDataService

#events, #report_event

Methods included from RemoteHostDataService

#add_host_tag, #delete_host, #delete_host_tag, #get_host, #get_host_tags, #hosts, #report_host, #update_host

Methods included from MsfDataService

#get_msf_version

Methods included from LootDataService

#find_or_create_loot, #loot, #report_loot, #update_loot

Methods included from ExploitDataService

#report_exploit_attempt, #report_exploit_failure, #report_exploit_success

Methods included from SessionEventDataService

#report_session_event, #session_events

Methods included from SessionDataService

#report_session, #sessions, #update_session

Methods included from ServiceDataService

#delete_service, #find_or_create_service, #report_service, #services, #update_service

Methods included from NoteDataService

#delete_note, #find_or_create_note, #notes, #report_note, #update_note

Methods included from WebDataService

#report_web_form, #report_web_page, #report_web_site, #report_web_vuln

Methods included from WorkspaceDataService

#add_workspace, #default_workspace, #delete_workspaces, #find_workspace, #update_workspace, #workspace, #workspace=, #workspaces

Methods included from VulnDataService

#delete_vuln, #find_or_create_vuln, #report_vuln, #update_vuln, #vulns

Methods included from EventDataService

#events, #report_event

Methods included from HostDataService

#add_host_tag, #delete_host, #delete_host_tag, #find_or_create_host, #get_host, #get_host_tags, #hosts, #report_host, #report_hosts, #update_host

Constructor Details

#initialize(endpoint, opts = {}) ⇒ RemoteHTTPDataService

Returns a new instance of RemoteHTTPDataService.

Parameters:

• endpoint (String) —

  A valid http or https URL. Cannot be nil

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 30

def initialize(endpoint, opts = {})
  validate_endpoint(endpoint)
  @endpoint = URI.parse(endpoint)
  @https_opts = opts[:https_opts]
  @api_token = opts[:api_token]

  @headers = {}
  user_agent = !opts[:user_agent].nil? ? opts[:user_agent] : DEFAULT_USER_AGENT
  set_header('User-Agent', user_agent)
  set_header('Authorization', "Bearer #{@api_token}") unless @api_token.nil?

  build_client_pool(5)
end

Instance Attribute Details

#api_token ⇒ Object (readonly)

Returns the value of attribute api_token.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 25

def api_token
  @api_token
end

#endpoint ⇒ Object (readonly)

Returns the value of attribute endpoint.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 25

def endpoint
  @endpoint
end

#https_opts ⇒ Object (readonly)

Returns the value of attribute https_opts.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 25

def https_opts
  @https_opts
end

Instance Method Details

#active ⇒ Object

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 56

def active
  # checks if data service is online when @active is falsey and makes the assignment
  # this is to prevent repetitive calls to check if data service is online
  # logic should be enhanced to considering data service connectivity
  # and future data service implementations
  @active ||= is_online?
end

#active=(value) ⇒ Object

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 64

def active=(value)
  @active = value
end

#after_establish_connection ⇒ Object

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 48

def after_establish_connection

end

#connection_established? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 44

def connection_established?
  true
end

#delete_data(path, data_hash, query = nil) ⇒ Object

Send DELETE request to delete the specified resource from the HTTP endpoint

Parameters:

• path —

  • The URI path to send the request

• data_hash —

  • A hash representation of the object to be deleted. Cannot be nil or empty.

• query (defaults to: nil) —

  • A hash representation of the URI query data. Key-value pairs will be URL-encoded.

Returns:

• A wrapped response (ResponseWrapper), see below.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 128

def delete_data(path, data_hash, query = nil)
  make_request(DELETE_REQUEST, path, data_hash, query)
end

#driver ⇒ Object

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 76

def driver
  'http'
end

#error ⇒ Object

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 72

def error
  'none'
end

#get_data(path, data_hash = nil, query = nil) ⇒ Object

GET data from the HTTP endpoint

Parameters:

• path —

  • The URI path to send the request

• data_hash (defaults to: nil) —

  • A hash representation of the object to be included. Can be nil or empty.

• query (defaults to: nil) —

  • A hash representation of the URI query data. Key-value pairs will be URL-encoded.

Returns:

• A wrapped response (ResponseWrapper), see below.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 115

def get_data(path, data_hash = nil, query = nil)
  make_request(GET_REQUEST, path, data_hash, query)
end

#get_path_select(opts, path) ⇒ String

Select the correct path for GET request based on the options parameters provided. If 'id' is present, the user is requesting a single record and should use api/<version>/<resource>/ID path.

Parameters:

• opts (Hash) —

  The parameters for the request

• path (String) —

  The base resource path for the endpoint

Returns:

• (String) —

  The correct path for the request.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 229

def get_path_select(opts, path)
  if opts.key?(:id)
    path = "#{path}/#{opts[:id]}"
    opts.delete(:id)
  end
  path
end

#is_local? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 68

def is_local?
  false
end

#is_online? ⇒ Boolean

Checks if the data service is online by making a request for the Metasploit version number from the remote endpoint

Returns:

• (Boolean)

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 207

def is_online?
  begin
    response = self.get_msf_version
    if response && !response[:metasploit_version].empty?
      return true
    end
  rescue
    # Ignore exceptions that are raised when checking the version,
    # and assume the server is not online.
  end

  return false
end

#make_request(request_type, path, data_hash = nil, query = nil) ⇒ Object

Make the specified request_type

Parameters:

• request_type —

  • A string representation of the HTTP method

• path —

  • The URI path to send the request

• data_hash (defaults to: nil) —

  • A hash representation of the object to be included in the request. Cannot be nil or empty.

• query (defaults to: nil) —

  • A hash representation of the URI query data. Key-value pairs will be URL-encoded.

Returns:

• A wrapped response (ResponseWrapper)

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 155

def make_request(request_type, path, data_hash = nil, query = nil)
  begin
    # simplify query by removing nil values
    query_str = (!query.nil? && !query.empty?) ? query.compact.to_query : nil
    uri = URI::HTTP::build({path: path, query: query_str})
    # TODO: Re-enable this logging when framework handles true log levels.
    #dlog("HTTP #{request_type} request to #{uri.request_uri} with #{data_hash ? data_hash : "nil"}")

    client = @client_pool.pop
    case request_type
      when GET_REQUEST
        request = Net::HTTP::Get.new(uri.request_uri, initheader=@headers)
      when POST_REQUEST
        request = Net::HTTP::Post.new(uri.request_uri, initheader=@headers)
      when DELETE_REQUEST
        request = Net::HTTP::Delete.new(uri.request_uri, initheader=@headers)
      when PUT_REQUEST
        request = Net::HTTP::Put.new(uri.request_uri, initheader=@headers)
      else
        raise Exception, 'A request_type must be specified'
    end
    built_request = build_request(request, data_hash)
    response = client.request(built_request)

    case response
      when Net::HTTPOK
        return SuccessResponse.new(response)
      else
        ilog "HTTP #{request_type} request: #{uri.request_uri} failed with code: #{response.code} message: #{response.body}"
        return ErrorResponse.new(response)
    end
  rescue EOFError => e
    error_msg = "No data was returned from the data service for request type/path : #{request_type}/#{path}, message: #{e.message}"
    ilog error_msg
    return FailedResponse.new(error_msg)
  rescue => e
    error_msg = "Problem with HTTP request for type/path: #{request_type} #{path} message: #{e.message}"
    ilog error_msg
    return FailedResponse.new(error_msg)
  ensure
    @client_pool << client
  end
end

#name ⇒ Object

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 52

def name
  "remote_data_service: (#{@endpoint})"
end

#post_data(path, data_hash, query = nil) ⇒ Object

POST data to the HTTP endpoint

Parameters:

• path —

  • The URI path to send the request

• data_hash —

  • A hash representation of the object to be posted. Cannot be nil or empty.

• query (defaults to: nil) —

  • A hash representation of the URI query data. Key-value pairs will be URL-encoded.

Returns:

• A wrapped response (ResponseWrapper), see below.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 102

def post_data(path, data_hash, query = nil)
  make_request(POST_REQUEST, path, data_hash, query)
end

#post_data_async(path, data_hash, query = nil) ⇒ Object

POST data to the HTTP endpoint and don't wait for the endpoint to process the data before getting a response

Parameters:

• path —

  • The URI path to send the request

• data_hash —

  • A hash representation of the object to be posted. Cannot be nil or empty.

• query (defaults to: nil) —

  • A hash representation of the URI query data. Key-value pairs will be URL-encoded.

Returns:

• A wrapped response (ResponseWrapper), see below.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 89

def post_data_async(path, data_hash, query = nil)
  make_request(POST_REQUEST, path, data_hash.merge(EXEC_ASYNC), query)
end

#put_data(path, data_hash, query = nil) ⇒ Object

Send PUT request to store data for the specified resource at the HTTP endpoint

Parameters:

• path —

  • The URI path to send the request

• data_hash —

  • A hash representation of the object to be stored. Cannot be nil or empty.

• query (defaults to: nil) —

  • A hash representation of the URI query data. Key-value pairs will be URL-encoded.

Returns:

• A wrapped response (ResponseWrapper), see below.

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 141

def put_data(path, data_hash, query = nil)
  make_request(PUT_REQUEST, path, data_hash, query)
end

#set_header(key, value) ⇒ Object

# File 'lib/metasploit/framework/data_service/remote/http/core.rb', line 199

def set_header(key, value)
  @headers[key] = value
end