Lands #4991, fixes a potential backcompat issue w/meterpreter

2015-03-23 20:00:35 -05:00 · 2015-03-23 20:00:35 -05:00 · f6731f115f
parent 1869977921 25dcfc796a
commit f6731f115f
3 changed files with 26 additions and 3 deletions
--- a/lib/msf/core/payload/windows/stageless_meterpreter.rb
+++ b/lib/msf/core/payload/windows/stageless_meterpreter.rb
@ -77,7 +77,12 @@ module Payload::Windows::StagelessMeterpreter
    # the URL might not be given, as it might be patched in some other way
    if url
      # Patch the URL using the patcher as this upports both ASCII and WCHAR.
-      Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
+      unless Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
+        # If the patching failed this could mean that we are somehow
+        # working with outdated binaries, so try to patch with the
+        # old stuff.
+        Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 256}", "s#{url}\x00")
+      end
    end

    # if a block is given then call that with the meterpreter dll
--- a/lib/rex/payloads/meterpreter/patch.rb
+++ b/lib/rex/payloads/meterpreter/patch.rb
@ -18,7 +18,12 @@ module Rex

        # Replace the URL
        def self.patch_url!(blob, url)
-          patch_string!(blob, "https://#{'X' * 512}", url)
+          unless patch_string!(blob, "https://#{'X' * 512}", url)
+            # If the patching failed this could mean that we are somehow
+            # working with outdated binaries, so try to patch with the
+            # old stuff.
+            patch_string!(blob, "https://#{'X' * 256}", url)
+          end
        end

        # Replace the session expiration timeout
@ -122,16 +127,22 @@ module Rex
        # Patch an ASCII value in the given payload. If not found, try WCHAR instead.
        #
        def self.patch_string!(blob, search, replacement)
+          result = false
+
          i = blob.index(search)
          if i
            blob[i, replacement.length] = replacement
+            result = true
          else
            i = blob.index(wchar(search))
            if i
              r = wchar(replacement)
              blob[i, r.length] = r
+              result = true
            end
          end
+
+          result
        end

        private
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@ -48,7 +48,14 @@ class ClientCore < Extension
    request = Packet.create_request('core_enumextcmd')
    request.add_tlv(TLV_TYPE_STRING, extension_name)

-    response = self.client.send_packet_wait_response(request, self.client.response_timeout)
+    begin
+      response = self.client.send_packet_wait_response(request, self.client.response_timeout)
+    rescue
+      # In the case where orphaned shells call back with OLD copies of the meterpreter
+      # binaries, we end up with a case where this fails. So here we just return the
+      # empty list of supported commands.
+      return []
+    end

    # No response?
    if response.nil?