Adding stageless init script support

2015-11-10 19:18:47 +10:00 · 2015-11-10 19:18:47 +10:00 · a28ab216d3
parent 2f362aec69
commit a28ab216d3
3 changed files with 31 additions and 4 deletions
--- a/lib/rex/payloads/meterpreter/config.rb
+++ b/lib/rex/payloads/meterpreter/config.rb
@ -120,6 +120,20 @@ private
    extension_data = [ ext.length, ext ].pack('VA*')
  end

+  def extension_init_block(name, value)
+    # for now, we're going to blindly assume that the value is a path to a file
+    # which contains the data that gets passed to the extension
+    content = ::File.read(value)
+    data = [
+      name,
+      "\x00",
+      content.length,
+      content
+    ]
+
+    data.pack('A*A*VA*')
+  end
+
  def config_block
    # start with the session information
    config = session_block(@opts)
@ -148,6 +162,15 @@ private
      config << [0].pack('Q<')
    end

+    # wire in the extension init data
+    (@opts[:ext_init] || '').split(':').each do |cfg|
+      name, value = cfg.split(',')
+      config << extension_init_block(name, value)
+    end
+
+    # terminate the ext init config with a final null byte
+    config << "\x00"
+
    # and we're done
    config
  end
--- a/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
@ -35,7 +35,8 @@ module Metasploit3
      ))

    register_options([
-      OptString.new('EXTENSIONS', [false, "Comma-separate list of extensions to load"]),
+      OptString.new('EXTENSIONS', [false, 'Comma-separate list of extensions to load']),
+      OptString.new('EXTINIT',    [false, 'Initialision strings for extensions']),
    ], self.class)
  end

@ -53,7 +54,8 @@ module Metasploit3
      expiration: datastore['SessionExpirationTimeout'].to_i,
      uuid:       opts[:uuid],
      transports: [transport_config_reverse_tcp(opts)],
-      extensions: (datastore['EXTENSIONS'] || '').split(',')
+      extensions: (datastore['EXTENSIONS'] || '').split(','),
+      ext_init:   (datastore['EXTINIT'] || '')
    }

    # create the configuration instance based off the parameters
--- a/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
@ -35,7 +35,8 @@ module Metasploit4
      ))

    register_options([
-      OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
+      OptString.new('EXTENSIONS', [false, 'Comma-separate list of extensions to load']),
+      OptString.new('EXTINIT',    [false, 'Initialision strings for extensions']),
    ], self.class)
  end

@ -53,7 +54,8 @@ module Metasploit4
      expiration: datastore['SessionExpirationTimeout'].to_i,
      uuid:       opts[:uuid],
      transports: [transport_config_reverse_tcp(opts)],
-      extensions: (datastore['EXTENSIONS'] || '').split(',')
+      extensions: (datastore['EXTENSIONS'] || '').split(','),
+      ext_init:   (datastore['EXTINIT'] || '')
    }

    # create the configuration instance based off the parameters