Replace all the obvious path calls to Meterpreter

Unfortunately, though, there seems to be a stealthy set, somewhere, of
datastore['DLL']. Not sure where yet. The stack trace in the
framework.log is:

````
[06/19/2014 17:53:34] [i(0)] core: windows/meterpreter/reverse_http: iteration 1: Successfully encoded with encoder x86/fnstenv_mov (size is
366)
[06/19/2014 17:53:35] [e(0)] rex: Proc::on_request: Errno::ENOENT: No such file or directory -
/home/todb/git/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll

/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `initialize'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `open'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `load_rdi_dll'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/payload/windows/reflectivedllinject.rb:56:in `stage_payload'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/handler/reverse_http.rb:212:in `on_request'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/handler/reverse_http.rb:129:in `block in setup_handler'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/handler/proc.rb:38:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/handler/proc.rb:38:in `on_request'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:365:in `dispatch_request'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:299:in `on_client_data'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:158:in `block in start'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:48:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:48:in `on_client_data'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:192:in `block in monitor_clients'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:190:in `each'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:190:in `monitor_clients'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:73:in `block in start'
/home/todb/git/rapid7/metasploit-framework/lib/rex/thread_factory.rb:22:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'

````

Still tracking this down.
bug/bundler_fix
Tod Beardsley 2014-06-19 18:03:11 -05:00
parent fbb6808b1a
commit 2a4ed0e651
No known key found for this signature in database
GPG Key ID: 1EFFB682ADB9F193
5 changed files with 17 additions and 9 deletions


@ -1,4 +1,5 @@
# -*- coding: binary -*- # -*- coding: binary -*-
require 'meterpreter_bins'
require 'rex/post/meterpreter/client' require 'rex/post/meterpreter/client'
require 'rex/post/meterpreter/ui/console' require 'rex/post/meterpreter/ui/console'


@ -149,7 +149,8 @@ class ClientCore < Extension
end end
# Get us to the installation root and then into data/meterpreter, where # Get us to the installation root and then into data/meterpreter, where
# the file is expected to be # the file is expected to be
path = ::File.join(Msf::Config.data_directory, 'meterpreter', 'ext_server_' + mod.downcase + ".#{client.binary_suffix}") modname = "ext_server_#{mod.downcase}"
path = MeterpreterBinaries.path(modname, client.binary_suffix)
if (opts['ExtensionPath']) if (opts['ExtensionPath'])
path = opts['ExtensionPath'] path = opts['ExtensionPath']
@ -221,7 +222,7 @@ class ClientCore < Extension
# Create the migrate stager # Create the migrate stager
migrate_stager = c.new() migrate_stager = c.new()
migrate_stager.datastore['DLL'] = ::File.join( Msf::Config.data_directory, "meterpreter", "metsrv.#{binary_suffix}" ) migrate_stager.datastore['DLL'] = MeterpreterBinaries.path('metsrv',binary_suffix)
blob = migrate_stager.stage_payload blob = migrate_stager.stage_payload
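Review bot: The result of `MeterpreterBinaries.path('metsrv',binary_suffix)` is assigned straight to `migrate_stager.datastore['DLL']` with no check that a file was actually located. The helper's contract is not visible on this page; if it can return nil when the binary is in neither search location, the failure would only surface later inside `stage_payload` as an unrelated-looking error, much like the ENOENT trace in the commit message. Splitting the line into `dll_path = MeterpreterBinaries.path('metsrv', binary_suffix)` followed by `raise RuntimeError, "metsrv.#{binary_suffix} not found" if dll_path.nil?` would make a missing binary obvious at the call site. The same concern applies to the `ext_server_*` lookup in the first hunk and to the `elevator` and `screenshot` lookups in the other files, where the value is handed directly to `::File.expand_path`. Both enclosing methods start and end outside the hunks shown.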


@ -45,7 +45,7 @@ class Priv < Extension
elevator_name = Rex::Text.rand_text_alpha_lower( 6 ) elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
elevator_path = ::File.join( Msf::Config.data_directory, "meterpreter", "elevator.#{client.binary_suffix}" ) elevator_path = MeterpreterBinaries.path(elevator, client.binary_suffix)
elevator_path = ::File.expand_path( elevator_path ) elevator_path = ::File.expand_path( elevator_path )
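Review bot: `elevator` is passed as a bare identifier in `MeterpreterBinaries.path(elevator, client.binary_suffix)`, whereas every other call in this commit passes a quoted name (`'metsrv'`, `'screenshot'`) and the replaced line used the string literal `"elevator.#{client.binary_suffix}"`. Nothing visible in the hunk defines a local or method named `elevator` (only `elevator_name`), so this would presumably raise NameError the first time this code path runs. The line should read `elevator_path = MeterpreterBinaries.path('elevator', client.binary_suffix)`. The enclosing method begins and ends outside the hunk, so a definition further up cannot be fully ruled out.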


@ -156,7 +156,7 @@ class UI < Rex::Post::UI
request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY, quality ) request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY, quality )
# include the x64 screenshot dll if the host OS is x64 # include the x64 screenshot dll if the host OS is x64
if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ ) if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
screenshot_path = ::File.join( Msf::Config.data_directory, 'meterpreter', 'screenshot.x64.dll' ) screenshot_path = MeterpreterBinaries.path('screenshot','x64.dll')
screenshot_path = ::File.expand_path( screenshot_path ) screenshot_path = ::File.expand_path( screenshot_path )
screenshot_dll = '' screenshot_dll = ''
::File.open( screenshot_path, 'rb' ) do |f| ::File.open( screenshot_path, 'rb' ) do |f|
@ -166,7 +166,7 @@ class UI < Rex::Post::UI
request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH, screenshot_dll.length ) request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH, screenshot_dll.length )
end end
# but allways include the x86 screenshot dll as we can use it for wow64 processes if we are on x64 # but allways include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
screenshot_path = ::File.join( Msf::Config.data_directory, 'meterpreter', 'screenshot.x86.dll' ) screenshot_path = MeterpreterBinaries.path('screenshot','x86.dll')
screenshot_path = ::File.expand_path( screenshot_path ) screenshot_path = ::File.expand_path( screenshot_path )
screenshot_dll = '' screenshot_dll = ''
::File.open( screenshot_path, 'rb' ) do |f| ::File.open( screenshot_path, 'rb' ) do |f|


@ -417,12 +417,15 @@ class Console::CommandDispatcher::Core
case opt case opt
when "-l" when "-l"
exts = [] exts = []
path = ::File.join(Msf::Config.data_directory, 'meterpreter') msf_path = MeterpreterBinaries.metasploit_data_dir
gem_path = MeterpreterBinaries.local_dir
[msf_path, gem_path].each do |path|
::Dir.entries(path).each { |f| ::Dir.entries(path).each { |f|
if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ ) if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
exts.push($1) exts.push($1) unless exts.include?($1)
end end
} }
end
print(exts.sort.join("\n") + "\n") print(exts.sort.join("\n") + "\n")
return true return true
@ -462,14 +465,17 @@ class Console::CommandDispatcher::Core
def cmd_load_tabs(str, words) def cmd_load_tabs(str, words)
tabs = [] tabs = []
path = ::File.join(Msf::Config.data_directory, 'meterpreter') msf_path = MeterpreterBinaries.metasploit_data_dir
gem_path = MeterpreterBinaries.local_dir
[msf_path, gem_path].each do |path|
::Dir.entries(path).each { |f| ::Dir.entries(path).each { |f|
if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ ) if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
if (not extensions.include?($1)) if (not extensions.include?($1))
tabs.push($1) tabs.push($1) unless tabs.include?($1)
end end
end end
} }
end
return tabs return tabs
end end
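Review bot: `::Dir.entries(path)` inside `[msf_path, gem_path].each do |path|` raises Errno::ENOENT when either directory is absent, so `load -l` and tab completion would fail outright for an install that keeps the binaries in only one of the two locations. Adding `next unless ::File.directory?(path)` as the first statement of the `each` block, in both the `-l` branch and `cmd_load_tabs`, keeps the listing best-effort. The directory scan is now duplicated line for line in the two hunks; a small private helper that returns the extension names found across both directories would keep them from drifting apart. The `-l` branch sits inside a method whose start and end are outside the hunk.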