Merged with HD's stuff as he fixed up a few things that I had done too.
Conflicts:
lib/msf/base/sessions/meterpreter_options.rb
lib/rex/post/meterpreter/client_core.rb
lib/rex/post/meterpreter/packet_dispatcher.rb
Stageless payloads need to have the socket FD left along (ie. 0)
otherwise each of them will think that the socket is already open.
Instead we need to make sure it's left as 0 as per the configuration and
from there the stageless code will fire up a new socket based on the
transport in question.
Timeouts are correctly passed through to the client instances from the
handlers. The cilent also passes those values through to the RDI code so
that the binaries are correctly patched.
There were some issues with this module that caused backtraces when run outside
of msfconsole. Reverting it for now so we can add some specs and ensure that it
works like the other login scanners.
The 'next' and 'prev' commands were added so that the session can jump
transports without having to add new ones at the same time.
There's also a command which gives the UUID now so that this can be
reused across sessions.
Migration now uses the new meterpreter loader. Migration configuration
is loaded and created by meterpreter on the fly, and supports the
multiple transport stuff that's just been wired in.
Getting closer to a normalised view of what this stuff will look like.
There URL patching is slowly being removed. Reverse HTTPS works fine,
and by default HTTP should too.
Next up, x64 for the same main ones.
RDI is now back to what it was before, as this leaves all the other RDI
style payloads alone. Instead we have a new Meterpreter loader which
does the stuff that is required to make meterpreter work well with the
new configuration options.
This is just the case for reverse_tcp and bind_tcp so far, need to do
the other payloads too, along with all the x64 versions.
Metaprogramming should be reserved for when you don't know things. Here
we're making methods from literal strings, so replace the
metaprogramming with much easier to understand regular programming. Also
has the benefit that yard can parse it.
The fail_with for an exploit is used differently than a non-exploit,
so it would be nice to document about this. Also, be strict about
the reason for the exploit one, because this can affect other
components of Metasploit.
Rather than listening forever after a session shuts down, close the session if
there are no other URI's registered on the listener. This allows reconfiguring
the listener without restarting framework, but should be safe for situations
where multiple modules share the same listener.
MSP-12557
Was calling `.class` blindly on the output of `create`, but `nil` has a
class, `NilClass`, so it didn't call `module_rank` as expected and
assigned NormaLRanking to `nil` instead of ManualRanking.
MSP-12557
Extract Msf::ModuleSet#module_rank to handle getting the module rank if
the Metasploit Module is already loaded, needs to be loaded, or can't be
loaded. If a Metasploit Module can't be loaded it is ranked as
Msf::ManualRanking. If is loaded or can be loaded and it doesn't define
Rank, it gets the Msf::NormalRanking as before. Finally, if it is
loaded or can be loaded and defines Rank, that is used as before.
This fixes#4866, an issue with msfvenom not properly handling special
cases with generic payloads. So the story behind this fix is that
we have these two problems:
Problem 1: The current payload selection design relies on the payload
module in order to set the platform and arch. Almost all MSF payloads
contain a default platform and arch, however, the bind and reverse
generic payloads don't.
Problem 2: By default, Msf::Payload::Generic also explicitly sets the
PLATFORM and ARCH datastore options to nil. So there is no way the
payload generator can figure out what platform and arch to use.
As a result of these problems, msfvenom will actually end up getting
a Msf::Module::Platform as the default platform, which doesn't
actually represent any valid platform we can use (such as
Msf::Module::Platform::Windows). And the first item of ARCH_ALL for
the arch.
In addition, msfvenom has these two arguments that the user can use:
--platform and --arch. In most cases, these arguments are used more
like checks than actually setting anything. Because remember:
Framework's payload selector retreives the platform & arch from the
module (trusted), not the user input (untrusted). But from the user's
perspective it's impossible to know this.
After experimenting different ways to fix this, I came up with this
patch. It feels sort of more like a hack than a real fix, but as
far as I can tell, this is the best you can get unless you want to
redesign generic payload selection.
* Stageless payloads weren't adding brackets around IPv6 hosts.
* Staged HTTP handler was using an undefined function to check for IPv6
addresses when host header overriding was disabled.
Session expiry, comms timeout, retry total/wait are all now part of all
of the meterpreter payloads as these are going to be used for
maintaining access with resiliency and will aim for consistency across
the payload types.
This code adjusts the bind_tcp stager for x86 so that the listener
socket isn't close for meterpreter payloads. This means that meterpreter
can make an educated guess as to whether or not the payload was a bind
or tcp payload, and from there can attempt to establish communications
in the same way as before should something break along the way.
Some simple adjustments to the x64 meterpreter stage as well, but more
to come here.
Methods now require a hash. I went with the hash because 1) that's what
we seem to use everywhere else, and 2) I couldn't get the new keyword
arguments working nicely with the block syntax (I'm clearly stupid).
If the session doesn't have a payload UUID we now generate one as best
we can. This code will probably go away when TCP related transports have
had the UUID stuf baked in.
This uses HD's UUID stuff to generate a new URI for the transport.
Currently we don't have UUID support for TCP connections, but that's
coming.
Still do to: generation of a valid UUID for payloads that don't already
have one.
OJ
William Vu
Brent Cook
wchen-r7
root
darkbushido
jvazquez-r7
HD Moore
Tom Sellers
David Maloney
Matt Buck
Trevor Rosen
James Lee
Christian Mehlmauer
Luke Imhoff
joev
root
Samuel Huckins