metasploit-framework/lib/rex/payloads/meterpreter/patch.rb

# -*- coding: binary -*-

module Rex
  module Payloads
    module Meterpreter
      ###
      #
      # Provides methods to patch options into metsrv stagers
      #
      ###
      module Patch

        # Replace the transport string
        def patch_transport! blob, ssl

          i = blob.index("METERPRETER_TRANSPORT_SSL")
          if i
            str = ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
            blob[i, str.length] = str
          end

          return blob
        end

        # Replace the URL
        def patch_url! blob, url

          i = blob.index("https://" + ("X" * 256))
          if i
            str = url
            blob[i, str.length] = str
          end

          return blob
        end

        # Replace the session expiration timeout
        def patch_expiration! blob, expiration

          i = blob.index([0xb64be661].pack("V"))
          if i
            str = [ expiration ].pack("V")
            blob[i, str.length] = str
          end

          return blob
        end

        # Replace the session communication timeout
        def patch_comm_timeout! blob, comm_timeout

          i = blob.index([0xaf79257f].pack("V"))
          if i
            str = [ comm_timeout ].pack("V")
            blob[i, str.length] = str
          end

          return blob
        end

        # Replace the user agent string with our option
        def patch_ua! blob, ua

          i = blob.index("METERPRETER_UA\x00")
          if i
            blob[i, ua.length] = ua
          end

          return blob
        end

        # Activate a custom proxy
        def patch_proxy! blob, proxyhost, proxyport, proxy_type

          i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
          if i
            if proxyhost
              if proxyhost.to_s != ""
                proxyhost = proxyhost.to_s
                proxyport = proxyport.to_s || "8080"
                proxyinfo = proxyhost + ":" + proxyport
                if proxyport == "80"
                  proxyinfo = proxyhost
                end
                if proxy_type.to_s == 'HTTP'
                  proxyinfo = 'http://' + proxyinfo
                else #socks
                  proxyinfo = 'socks=' + proxyinfo
                end
                proxyinfo << "\x00"
                blob[i, proxyinfo.length] = proxyinfo
              end
            end
          end

          return blob
        end

        # Proxy authentification
        def patch_proxy_auth! blob, proxy_username, proxy_password, proxy_type

          unless (proxy_username.nil? or proxy_username.empty?) or
            (proxy_password.nil? or proxy_password.empty?) or
            proxy_type == 'SOCKS'

            proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
            proxy_username = proxy_username << "\x00"
            blob[proxy_username_loc, proxy_username.length] = proxy_username

            proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
            proxy_password = proxy_password << "\x00"
            blob[proxy_password_loc, proxy_password.length] = proxy_password
          end

          return blob
        end

      end
    end
  end
end
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00			`# -- coding: binary --`

			`module Rex`
			`module Payloads`
			`module Meterpreter`
			`###`
			`#`
			`# Provides methods to patch options into metsrv stagers`
			`#`
			`###`
			`module Patch`

Cleaned up indents. 2014-08-25 17:03:23 +00:00			`# Replace the transport string`
Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 21:05:54 +00:00			`def patch_transport! blob, ssl`
Cleaned up indents. 2014-08-25 17:03:23 +00:00
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00			`i = blob.index("METERPRETER_TRANSPORT_SSL")`
			`if i`
			`str = ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"`
			`blob[i, str.length] = str`
			`end`
Cleaned up indents. 2014-08-25 17:03:23 +00:00
Refactored expiration and timeout logic in client_core.rb 2014-09-15 05:01:23 +00:00			`return blob`
			`end`

			`# Replace the URL`
Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 21:05:54 +00:00			`def patch_url! blob, url`
Refactored expiration and timeout logic in client_core.rb 2014-09-15 05:01:23 +00:00
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00			`i = blob.index("https://" + ("X" * 256))`
			`if i`
			`str = url`
			`blob[i, str.length] = str`
			`end`

Refactored expiration and timeout logic in client_core.rb 2014-09-15 05:01:23 +00:00			`return blob`
			`end`

			`# Replace the session expiration timeout`
Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 21:05:54 +00:00			`def patch_expiration! blob, expiration`
Refactored expiration and timeout logic in client_core.rb 2014-09-15 05:01:23 +00:00
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00			`i = blob.index([0xb64be661].pack("V"))`
			`if i`
			`str = [ expiration ].pack("V")`
			`blob[i, str.length] = str`
			`end`

Refactored expiration and timeout logic in client_core.rb 2014-09-15 05:01:23 +00:00			`return blob`
			`end`

			`# Replace the session communication timeout`
Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 21:05:54 +00:00			`def patch_comm_timeout! blob, comm_timeout`
Refactored expiration and timeout logic in client_core.rb 2014-09-15 05:01:23 +00:00
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00			`i = blob.index([0xaf79257f].pack("V"))`
			`if i`
			`str = [ comm_timeout ].pack("V")`
			`blob[i, str.length] = str`
			`end`

Cleaned up indents. 2014-08-25 17:03:23 +00:00			`return blob`
			`end`
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00
			`# Replace the user agent string with our option`
Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 21:05:54 +00:00			`def patch_ua! blob, ua`
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00
			`i = blob.index("METERPRETER_UA\x00")`
			`if i`
			`blob[i, ua.length] = ua`
			`end`

Refactored expiration and timeout logic in client_core.rb 2014-09-15 05:01:23 +00:00			`return blob`
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00			`end`

			`# Activate a custom proxy`
Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 21:05:54 +00:00			`def patch_proxy! blob, proxyhost, proxyport, proxy_type`
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00
			`i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")`
			`if i`
			`if proxyhost`
			`if proxyhost.to_s != ""`
			`proxyhost = proxyhost.to_s`
			`proxyport = proxyport.to_s \|\| "8080"`
			`proxyinfo = proxyhost + ":" + proxyport`
			`if proxyport == "80"`
			`proxyinfo = proxyhost`
			`end`
			`if proxy_type.to_s == 'HTTP'`
			`proxyinfo = 'http://' + proxyinfo`
			`else #socks`
			`proxyinfo = 'socks=' + proxyinfo`
			`end`
			`proxyinfo << "\x00"`
			`blob[i, proxyinfo.length] = proxyinfo`
			`end`
			`end`
			`end`

Refactored expiration and timeout logic in client_core.rb 2014-09-15 05:01:23 +00:00			`return blob`
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00			`end`

			`# Proxy authentification`
Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 21:05:54 +00:00			`def patch_proxy_auth! blob, proxy_username, proxy_password, proxy_type`
Provides methods to patch metsrv stagers with options. 2014-08-25 04:55:07 +00:00
			`unless (proxy_username.nil? or proxy_username.empty?) or`
			`(proxy_password.nil? or proxy_password.empty?) or`
			`proxy_type == 'SOCKS'`

			`proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")`
			`proxy_username = proxy_username << "\x00"`
			`blob[proxy_username_loc, proxy_username.length] = proxy_username`

			`proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")`
			`proxy_password = proxy_password << "\x00"`
			`blob[proxy_password_loc, proxy_password.length] = proxy_password`
			`end`

			`return blob`
			`end`

			`end`
			`end`
			`end`
			`end`