Land #5838, @bcook-r7's fixes for payload cached sizes

bug/bundler_fix
jvazquez-r7 2015-08-14 12:39:58 -05:00
commit b908f41b0f
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
86 changed files with 143 additions and 94 deletions


@ -14,6 +14,27 @@ module Util
class PayloadCachedSize
OPTS = {
'Format' => 'raw',
'Options' => {
'CPORT' => 4444,
'LPORT' => 4444,
'LHOST' => '255.255.255.255',
'KHOST' => '255.255.255.255',
'AHOST' => '255.255.255.255',
'CMD' => '/bin/sh',
'URL' => 'http://a.com',
'PATH' => '/',
'BUNDLE' => 'data/isight.bundle',
'DLL' => 'external/source/byakugan/bin/XPSP2/detoured.dll',
'RC4PASSWORD' => 'Metasploit',
'DNSZONE' => 'corelan.eu',
'PEXEC' => '/bin/sh'
},
'Encoder' => nil,
'DisableNops' => true
}
# Insert a new CachedSize value into the text of a payload module
#
# @param data [String] The source code of a payload module
@ -60,7 +81,7 @@ class PayloadCachedSize
# @return [Fixnum]
def self.compute_cached_size(mod)
return ":dynamic" if is_dynamic?(mod)
return mod.new.size
return mod.generate_simple(OPTS).size
end
# Determines whether a payload generates a static sized output
@ -69,8 +90,9 @@ class PayloadCachedSize
# @param generation_count [Fixnum] The number of iterations to use to
# verify that the size is static.
# @return [Fixnum]
def self.is_dynamic?(mod,generation_count=5)
[*(1..generation_count)].map{|x| mod.new.size}.uniq.length != 1
def self.is_dynamic?(mod, generation_count=5)
[*(1..generation_count)].map{|x|
mod.generate_simple(OPTS).size}.uniq.length != 1
end
# Determines whether a payload's CachedSize is up to date
@ -78,9 +100,9 @@ class PayloadCachedSize
# @param mod [Msf::Payload] The class of the payload module to update
# @return [Boolean]
def self.is_cached_size_accurate?(mod)
return true if mod.dynamic_size?
return true if mod.dynamic_size? && is_dynamic?(mod)
return false if mod.cached_size.nil?
mod.cached_size == mod.new.size
mod.cached_size == mod.generate_simple(OPTS).size
end
end
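Review bot: `OPTS` is an unfrozen nested Hash that every `generate_simple(OPTS)` call in this class shares, so any in-place write during generation would carry over into later size computations. The `<<` to `+` changes in the payload files of this same commit suggest that this kind of in-place string mutation was occurring. Freezing the constant deeply (closing the literal with `}.freeze`, and freezing the `'Options'` hash and its string values as well) would turn a recurrence into an immediate error instead of a silently wrong `CachedSize`; whether `generate_simple` accepts a frozen argument is not visible here and needs checking. Separately, the `@return [Fixnum]` tags on `compute_cached_size` and `is_dynamic?` do not match the `":dynamic"` string and the boolean that those methods return.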


@ -17,7 +17,7 @@ require 'msf/core'
###
module Metasploit3
CachedSize = 23
CachedSize = 31
include Msf::Payload::Single
include Msf::Payload::Bsd


@ -40,7 +40,7 @@ module Metasploit3
# build the shellcode payload dynamically based on the user-provided CMD
def generate
cmd = (datastore['CMD'] || '') << "\x00"
cmd = (datastore['CMD'] || '') + "\x00"
port = [datastore['LPORT'].to_i].pack('n')
call = "\xe8" + [cmd.length].pack('V')
payload =
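Review bot: The reason for using `+` instead of `<<` on the `cmd = ...` line is not recorded next to it, so a later cleanup could reintroduce the in-place append. With `<<` the NUL was presumably appended to the string object held in `datastore['CMD']`, so the option value grew on each generation; the datastore's copy semantics are not visible in this hunk. A one-line comment would do: `# use + rather than <<: must not modify the datastore value in place`. The same change appears in five other payload files in this commit, and the same comment applies to each. The body of `generate` continues outside the hunk.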


@ -49,7 +49,7 @@ module Metasploit3
raise ArgumentError, "LHOST must be in IPv4 format."
end
cmd = (datastore['CMD'] || '') << "\x00"
cmd = (datastore['CMD'] || '') + "\x00"
port = [datastore['LPORT'].to_i].pack('n')
ipaddr = [lhost.split('.').inject(0) {|t,v| (t << 8 ) + v.to_i}].pack("N")


@ -17,7 +17,7 @@ require 'msf/core'
###
module Metasploit3
CachedSize = 16
CachedSize = 24
include Msf::Payload::Single
include Msf::Payload::Bsd


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 0
CachedSize = 8
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 100
CachedSize = 130
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 95
CachedSize = 110
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 209
CachedSize = 224
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 20
CachedSize = 35
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 1911
CachedSize = 1971
include Msf::Payload::Single
include Msf::Payload::NodeJS


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 152
CachedSize = 182
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 219
CachedSize = 234
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 129
CachedSize = 144
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 117
CachedSize = 132
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 567
CachedSize = 587
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 118
CachedSize = 133
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 170
CachedSize = 185
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 106
CachedSize = 136
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 95
CachedSize = 110
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 258
CachedSize = 97
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 0
CachedSize = 8
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -11,7 +11,7 @@ require 'msf/core/handler/bind_tcp'
module Metasploit3
CachedSize = 1510
CachedSize = 1518
include Msf::Payload::Single
include Rex::Powershell::Command


@ -11,7 +11,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
module Metasploit3
CachedSize = 1518
CachedSize = 1526
include Msf::Payload::Single
include Rex::Powershell::Command


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 209
CachedSize = 224
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 133
CachedSize = 148
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 1189
CachedSize = 1204
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 111
CachedSize = 126
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -7,7 +7,7 @@ require 'msf/core'
module Metasploit3
CachedSize = :dynamic
CachedSize = 1019
include Msf::Payload::Single
include Msf::Payload::Firefox


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 0
CachedSize = 1501
include Msf::Payload::Single
include Msf::Payload::JSP


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 7748
CachedSize = 7761
include Msf::Payload::Single
include Msf::Payload::Java


@ -15,7 +15,7 @@ require 'msf/core'
###
module Metasploit3
CachedSize = 22
CachedSize = 29
include Msf::Payload::Single
include Msf::Payload::Linux


@ -7,7 +7,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 48
CachedSize = 52
include Msf::Payload::Single
include Msf::Payload::Linux


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 0
CachedSize = 184
include Msf::Payload::Single
include Msf::Payload::Linux


@ -7,7 +7,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 48
CachedSize = 52
include Msf::Payload::Single
include Msf::Payload::Linux


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 0
CachedSize = 184
include Msf::Payload::Single
include Msf::Payload::Linux


@ -8,7 +8,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 40
CachedSize = 47
include Msf::Payload::Single
include Msf::Payload::Linux
@ -29,7 +29,7 @@ module Metasploit3
end
def generate_stage(opts={})
cmd = (datastore['CMD'] || '') << "\x00"
cmd = (datastore['CMD'] || '') + "\x00"
call = "\xe8" + [cmd.length].pack('V')
payload =
"\x6a\x3b" + # pushq $0x3b


@ -15,7 +15,7 @@ require 'msf/core'
###
module Metasploit3
CachedSize = 36
CachedSize = 43
include Msf::Payload::Single
include Msf::Payload::Linux


@ -7,7 +7,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 62
CachedSize = 63
include Msf::Payload::Single
include Msf::Payload::Linux


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 103
CachedSize = 70
include Msf::Payload::Single
include Msf::Payload::Linux


@ -14,7 +14,7 @@ require 'msf/base/sessions/command_shell'
module Metasploit3
CachedSize = 473
CachedSize = 488
include Msf::Payload::Single
include Msf::Payload::NodeJS


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 501
CachedSize = 516
include Msf::Payload::Single
include Msf::Payload::NodeJS


@ -8,7 +8,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 23
CachedSize = 31
include Msf::Payload::Single


@ -37,7 +37,7 @@ module Metasploit3
# build the shellcode payload dynamically based on the user-provided CMD
def generate
cmd = (datastore['CMD'] || '') << "\x00"
cmd = (datastore['CMD'] || '') + "\x00"
port = [datastore['LPORT'].to_i].pack('n')
call = "\xe8" + [cmd.length].pack('V')
payload =


@ -40,7 +40,7 @@ module Metasploit3
# ensures the setting of tag to a four byte value
#
def generate
cmd = (datastore['CMD'] || '') << "\x00"
cmd = (datastore['CMD'] || '') + "\x00"
call = "\xe8" + [cmd.length].pack('V')
payload =


@ -45,7 +45,7 @@ module Metasploit3
raise ArgumentError, "LHOST must be in IPv4 format."
end
cmd = (datastore['CMD'] || '') << "\x00"
cmd = (datastore['CMD'] || '') + "\x00"
port = [datastore['LPORT'].to_i].pack('n')
ipaddr = [lhost.split('.').inject(0) {|t,v| (t << 8 ) + v.to_i}].pack("N")


@ -16,7 +16,7 @@ require 'msf/core'
###
module Metasploit3
CachedSize = 16
CachedSize = 24
include Msf::Payload::Single
include Msf::Payload::Bsd::X86


@ -12,7 +12,7 @@ require 'msf/base/sessions/meterpreter_options'
module Metasploit4
CachedSize = 25679
CachedSize = 25685
include Msf::Payload::Single
include Msf::Payload::Php::ReverseTcp


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 381
CachedSize = 401
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 537
CachedSize = 557
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 496
CachedSize = 516
include Msf::Payload::Single
include Msf::Payload::Ruby


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 424
CachedSize = 444
include Msf::Payload::Single
include Msf::Payload::Ruby


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = :dynamic
CachedSize = 136
include Msf::Payload::Single
include Msf::Payload::Solaris


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 160
CachedSize = 95
include Msf::Payload::Single
include Msf::Payload::Solaris


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 151
CachedSize = 86
include Msf::Payload::Single
include Msf::Payload::Solaris


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 156
CachedSize = 91
include Msf::Payload::Single
include Msf::Payload::Solaris


@ -15,7 +15,7 @@ require 'msf/core/payload/windows/exec'
###
module Metasploit3
CachedSize = 443
CachedSize = 282
include Msf::Payload::Windows::Exec


@ -7,7 +7,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 275
CachedSize = 285
include Msf::Payload::Windows
include Msf::Payload::Single


@ -8,7 +8,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 439
CachedSize = 423
include Msf::Payload::Windows
include Msf::Payload::Single


@ -13,7 +13,7 @@ require 'msf/core/payload/windows/exec'
###
module Metasploit3
CachedSize = 185
CachedSize = 192
include Msf::Payload::Windows::Exec


@ -13,7 +13,7 @@ require 'msf/core/payload/windows/loadlibrary'
###
module Metasploit3
CachedSize = 183
CachedSize = 230
include Msf::Payload::Windows::LoadLibrary


@ -16,7 +16,7 @@ require 'msf/core/handler/bind_tcp'
###
module Metasploit3
CachedSize = 1695
CachedSize = 1703
include Msf::Payload::Windows::Exec
include Rex::Powershell::Command


@ -16,7 +16,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
###
module Metasploit3
CachedSize = 1703
CachedSize = 1711
include Msf::Payload::Windows::Exec
include Msf::Payload::Windows::Powershell


@ -9,7 +9,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 268
CachedSize = 275
include Msf::Payload::Windows
include Msf::Payload::Single


@ -9,7 +9,7 @@ require 'msf/core'
module Metasploit3
CachedSize = 267
CachedSize = 314
include Msf::Payload::Windows
include Msf::Payload::Single


@ -16,7 +16,7 @@ require 'msf/core/handler/bind_tcp'
###
module Metasploit3
CachedSize = 1778
CachedSize = 1786
include Msf::Payload::Windows::Exec_x64
include Rex::Powershell::Command


@ -16,7 +16,7 @@ require 'msf/core/handler/reverse_tcp_ssl'
###
module Metasploit3
CachedSize = 1786
CachedSize = 1794
include Msf::Payload::Windows::Exec_x64
include Msf::Payload::Windows::Powershell


@ -8,7 +8,7 @@ require 'msf/core/handler/reverse_http'
module Metasploit3
CachedSize = 5499
CachedSize = 5505
include Msf::Payload::Stager
include Msf::Payload::Java


@ -9,7 +9,7 @@ require 'msf/core/payload/uuid/options'
module Metasploit3
CachedSize = 6307
CachedSize = 6313
include Msf::Payload::Stager
include Msf::Payload::Java


@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit3
CachedSize = 5487
CachedSize = 5500
include Msf::Payload::Stager
include Msf::Payload::Java


@ -10,7 +10,7 @@ require 'msf/core/payload/linux/reverse_tcp'
module Metasploit4
CachedSize = 193
CachedSize = 71
include Msf::Payload::Stager
include Msf::Payload::Linux::ReverseTcp


@ -10,7 +10,7 @@ require 'msf/core/payload/linux/reverse_tcp'
module Metasploit4
CachedSize = 236
CachedSize = 114
include Msf::Payload::Stager
include Msf::Payload::Linux::ReverseTcp


@ -11,7 +11,7 @@ require 'msf/core/handler/reverse_tcp'
module Metasploit3
CachedSize = 279
CachedSize = 281
include Msf::Payload::Stager
include Msf::Payload::Netware


@ -9,7 +9,7 @@ require 'msf/core/payload/php/reverse_tcp'
module Metasploit4
CachedSize = 936
CachedSize = 951
include Msf::Payload::Stager
include Msf::Payload::Php::ReverseTcp


@ -9,7 +9,7 @@ require 'msf/core/payload/php/reverse_tcp'
module Metasploit4
CachedSize = 1110
CachedSize = 1125
include Msf::Payload::Stager
include Msf::Payload::Php::ReverseTcp


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit4
CachedSize = 342
CachedSize = 362
include Msf::Payload::Stager
include Msf::Payload::Python::ReverseTcp


@ -11,7 +11,7 @@ require 'msf/base/sessions/command_shell_options'
module Metasploit4
CachedSize = 446
CachedSize = 466
include Msf::Payload::Stager
include Msf::Payload::Python


@ -9,7 +9,7 @@ require 'msf/core/payload/windows/reverse_http'
module Metasploit4
CachedSize = 312
CachedSize = 327
include Msf::Payload::Stager
include Msf::Payload::Windows


@ -9,7 +9,7 @@ require 'msf/core/payload/uuid/options'
module Metasploit3
CachedSize = 650
CachedSize = 665
include Msf::Payload::Stager
include Msf::Payload::Windows


@ -9,7 +9,7 @@ require 'msf/core/payload/windows/reverse_https'
module Metasploit4
CachedSize = 332
CachedSize = 347
include Msf::Payload::Stager
include Msf::Payload::Windows


@ -10,7 +10,7 @@ require 'msf/core/handler/reverse_https_proxy'
module Metasploit3
CachedSize = 391
CachedSize = 397
include Msf::Payload::Stager
include Msf::Payload::Windows


@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_http'
module Metasploit4
CachedSize = 486
CachedSize = 501
include Msf::Payload::Stager
include Msf::Payload::Windows


@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_https'
module Metasploit4
CachedSize = 517
CachedSize = 532
include Msf::Payload::Stager
include Msf::Payload::Windows


@ -863,7 +863,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/firefox/exec'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'firefox/exec'
end
@ -2320,7 +2320,7 @@ describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/solaris/sparc/shell_find_port'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'solaris/sparc/shell_find_port'
end


@ -70,6 +70,7 @@
# `:ancestor_reference_names`.
# @return [void]
shared_examples_for 'payload cached size is consistent' do |options|
options.assert_valid_keys(:ancestor_reference_names, :modules_pathname, :reference_name, :dynamic_size)
ancestor_reference_names = options.fetch(:ancestor_reference_names)
@ -85,6 +86,27 @@ shared_examples_for 'payload cached size is consistent' do |options|
include_context 'Msf::Simple::Framework#modules loading'
opts = {
'Format' => 'raw',
'Options' => {
'CPORT' => 4444,
'LPORT' => 4444,
'LHOST' => '255.255.255.255',
'KHOST' => '255.255.255.255',
'AHOST' => '255.255.255.255',
'CMD' => '/bin/sh',
'URL' => 'http://a.com',
'PATH' => '/',
'BUNDLE' => 'data/isight.bundle',
'DLL' => 'external/source/byakugan/bin/XPSP2/detoured.dll',
'RC4PASSWORD' => 'Metasploit',
'DNSZONE' => 'corelan.eu',
'PEXEC' => '/bin/sh'
},
'Encoder' => nil,
'DisableNops' => true
}
#
# lets
#
@ -111,6 +133,8 @@ shared_examples_for 'payload cached size is consistent' do |options|
)
end
next if reference_name =~ /generic/
if dynamic_size
it 'is dynamic_size?' do
pinst = load_and_create_module(
@ -132,7 +156,7 @@ shared_examples_for 'payload cached size is consistent' do |options|
)
expect(pinst.cached_size).to_not(be_nil)
expect(pinst.dynamic_size?).to be(false)
expect(pinst.cached_size).to eq(pinst.size)
expect(pinst.cached_size).to eq(pinst.generate_simple(opts).size)
end
end
end
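Review bot: The `opts` hash added to this shared example is a verbatim copy of `OPTS` in `PayloadCachedSize` from the same commit, and the two must stay identical for the final `expect(pinst.cached_size).to eq(pinst.generate_simple(opts).size)` to hold. If one copy gains or changes an option, every payload whose size depends on that option fails this spec for a reason unrelated to the payload itself. Referencing the constant, `opts = Msf::Util::PayloadCachedSize::OPTS`, would remove that drift, assuming the spec can load `msf/util/payload_cached_size`. If the copy is kept deliberately so the spec stays independent of the tool, a comment saying so would help.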


@ -22,8 +22,11 @@ require 'msf/util/payload_cached_size'
framework = Msf::Simple::Framework.create('DisableDatabase' => true)
framework.payloads.each_module do |name, mod|
next if Msf::Util::PayloadCachedSize.is_cached_size_accurate?(mod)
next if name =~ /generic/
mod_inst = framework.payloads.create(name)
#mod_inst.datastore.merge!(framework.datastore)
next if Msf::Util::PayloadCachedSize.is_cached_size_accurate?(mod_inst)
$stdout.puts "[*] Updating the CacheSize for #{mod.file_path}..."
Msf::Util::PayloadCachedSize.update_module_cached_size(mod)
Msf::Util::PayloadCachedSize.update_module_cached_size(mod_inst)
end
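Review bot: `mod_inst` is passed to `is_cached_size_accurate?` without a nil check after `framework.payloads.create(name)`. If creation can fail for a payload (I believe it returns nil in that case, but that is not visible here), the call raises NoMethodError and aborts the run for all remaining modules. A guard such as `next if mod_inst.nil?`, ideally with a warning line naming the module, would let the rest proceed. The commented-out `#mod_inst.datastore.merge!(framework.datastore)` should be removed or given a reason. Since instances are now passed in, the `@param mod [Msf::Payload] The class of the payload module` tags in `PayloadCachedSize` are stale.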