Merge pull request #19975 from dledda-r7/feat/split-stdapi

Split Stdapi

Author: bwatters-r7

Gemfile.lock

@@ -45,7 +45,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 2.0.221)
+      metasploit-payloads (= 2.0.234)
       metasploit_data_models (>= 6.0.7)
       metasploit_payloads-mettle (= 1.0.45)
       mqtt
@@ -348,7 +348,7 @@ GEM
       drb
       mutex_m
       railties (~> 7.0)
-    metasploit-payloads (2.0.221)
+    metasploit-payloads (2.0.234)
     metasploit_data_models (6.0.9)
       activerecord (~> 7.0)
       activesupport (~> 7.0)

LICENSE_GEMS

@@ -98,7 +98,7 @@ metasploit-concern, 5.0.5, "New BSD"
 metasploit-credential, 6.0.16, "New BSD"
 metasploit-framework, 6.4.92, "New BSD"
 metasploit-model, 5.0.4, "New BSD"
-metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.234, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.9, "New BSD"
 metasploit_payloads-mettle, 1.0.45, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT

lib/msf/base/sessions/meterpreter.rb

@@ -137,6 +137,26 @@ def shell_init
 
   end
 
+  def load_embedded_extensions
+
+    # First of all, let's see if we have stdapi.
+    commands = self.core.get_loaded_extension_commands('stdapi')
+    console.run_single("load stdapi") if commands.length > 0
+
+    return if self.platform != 'windows'
+
+    exts = Set.new
+    exts.merge(binary_suffix.map { |suffix| MetasploitPayloads.list_meterpreter_extensions(suffix) }.flatten)
+    exts = exts.sort.uniq
+
+    exts.each { |e| 
+      commands = self.core.get_loaded_extension_commands(e.downcase)
+      if commands.length > 0 && !e.downcase.starts_with?('stdapi')
+        console.run_single("load #{e.downcase}")
+      end
+    }
+  end
+
   def bootstrap(datastore = {}, handler = nil)
     session = self
 
@@ -180,6 +200,12 @@ def bootstrap(datastore = {}, handler = nil)
       print_warning('Meterpreter start up operations have been aborted. Use the session at your own risk.')
       return nil
     end
+
+    original = console.disable_output
+    console.disable_output = true
+
+    load_embedded_extensions
+
     extensions = datastore['AutoLoadExtensions']&.delete(' ').split(',') || []
 
     # BEGIN: This should be removed on MSF 7
@@ -192,8 +218,6 @@ def bootstrap(datastore = {}, handler = nil)
     extensions.push('android') if session.platform == 'android'
     extensions = extensions.uniq
     # END
-    original = console.disable_output
-    console.disable_output = true
     # TODO: abstract this a little, perhaps a "post load" function that removes
     # platform-specific stuff?
     extensions.each do |extension|

lib/rex/payloads/meterpreter/config.rb

@@ -173,6 +173,18 @@ def config_block
     file_extension = 'x86.dll'
     file_extension = 'x64.dll' unless is_x86?
 
+    @opts[:extensions] = [] if @opts[:extensions].blank?
+    prev_length = @opts[:extensions].length
+    @opts[:extensions] = @opts[:extensions].select {|ext_name| ext_name.index('stdapi_') != 0}
+    if prev_length != @opts[:extensions].length
+      raise Msf::OptionValidateError.new(
+        {
+          'EXTENSIONS' => 'The extensions starting with stdapi_* are currently not supported.'
+        },
+        message: "The extensions starting with stdapi_* are currently not supported."
+      )
+    end
+
     (@opts[:extensions] || []).each do |e|
       config << extension_block(e, file_extension, debug_build: @opts[:debug_build])
     end

lib/rex/post/meterpreter/client_core.rb

@@ -346,9 +346,19 @@ def use(mod, opts = { })
     # already loaded
     commands = get_loaded_extension_commands(mod.downcase)
 
-    # if there are existing commands for the given extension, then we can use
-    # what's already there
-    unless commands.length > 0
+    # This check is important to keep compatibility with Mettle:
+    # Mettle is the only meterpreter that has stdapi functions embedded in the metsrv.
+    # Double-loading of extensions is prevented by the lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb line: 1195
+    # However we need to add more flexibility here to allow users loading the split of stdapi in Windows Meterpreter. 
+    # reference: https://github.com/rapid7/metasploit-framework/pull/19975
+    # So here we are actively preventing loading of stdapi if some commands for that extension are already loaded.
+    # So we will not load stdapi if:
+    # - we are running mettle (which has by default those command registered)
+    # - we are running windows meterpreter with one of the stdapi namespace loaded (stdapi_net, stdapi_fs.... etc). 
+    #   partial loading of the other namespace is still possible, we can load stdapi_net and stdapi_fs later.
+    
+    skip_loading = commands.length > 0 && !mod.downcase.start_with?('stdapi_')
+    unless skip_loading
       image = nil
       path = nil
       # If client.sys isn't setup, it's a Windows meterpreter
@@ -393,7 +403,6 @@ def use(mod, opts = { })
           'Extension'        => true,
           'SaveToDisk'       => opts['LoadFromDisk'])
     end
-
     # wire the commands into the client
     client.add_extension(mod, commands)
 

lib/rex/post/meterpreter/extensions/stdapi_audio/stdapi_audio.rb

@@ -0,0 +1,64 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/object_aliases'
+require 'rex/post/meterpreter/extension'
+require 'rex/post/meterpreter/extensions/stdapi/constants'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+require 'rex/post/meterpreter/extensions/stdapi/command_ids'
+require 'rex/post/meterpreter/extensions/stdapi/mic/mic'
+require 'rex/post/meterpreter/extensions/stdapi/audio_output/audio_output'
+
+module Rex
+  module Post
+    module Meterpreter
+      module Extensions
+        module Stdapi_Audio
+          module AudioOutput
+            include Rex::Post::Meterpreter::Extensions::Stdapi::AudioOutput
+          end
+          module Mic
+            include Rex::Post::Meterpreter::Extensions::Stdapi::Mic
+          end
+          include Rex::Post::Meterpreter::Extensions::Stdapi
+
+          class Stdapi_Audio < Extension
+
+            def self.extension_id
+              Rex::Post::Meterpreter::Extensions::Stdapi::EXTENSION_ID_STDAPI
+            end
+
+            #
+            # Initializes an instance of the Standard API (Audio Namespace) extension.
+            #
+            def initialize(client)
+              super(client, 'stdapi_audio')
+
+              # Alias the following things on the client object so that they
+              # can be directly referenced
+              client.register_extension_aliases(
+                [
+                  {
+                    'name' => 'audio_output',
+                    'ext'  => Rex::Post::Meterpreter::Extensions::Stdapi_Audio::AudioOutput::AudioOutput.new(client)
+                  },
+                  {
+                    'name' => 'mic',
+                    'ext'  => Rex::Post::Meterpreter::Extensions::Stdapi_Audio::Mic::Mic.new(client)
+                  },
+                ])
+            end
+
+            #
+            # Sets the client instance on a duplicated copy of the supplied class.
+            #
+            def brand(klass)
+              klass = klass.dup
+              klass.client = self.client
+              return klass
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/rex/post/meterpreter/extensions/stdapi_fs/stdapi_fs.rb

@@ -0,0 +1,87 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/object_aliases'
+require 'rex/post/meterpreter/extension'
+require 'rex/post/meterpreter/extensions/stdapi/constants'
+require 'rex/post/meterpreter/extensions/stdapi/stdapi'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+require 'rex/post/meterpreter/extensions/stdapi/command_ids'
+require 'rex/post/meterpreter/extensions/stdapi/fs/dir'
+require 'rex/post/meterpreter/extensions/stdapi/fs/file'
+require 'rex/post/meterpreter/extensions/stdapi/fs/file_stat'
+require 'rex/post/meterpreter/extensions/stdapi/fs/mount'
+
+module Rex
+  module Post
+    module Meterpreter
+      module Extensions
+        module Stdapi_Fs
+          module Fs
+            include Rex::Post::Meterpreter::Extensions::Stdapi::Fs
+          end
+          include Rex::Post::Meterpreter::Extensions::Stdapi
+
+          class Stdapi_Fs < Extension
+
+            def self.extension_id
+              Rex::Post::Meterpreter::Extensions::Stdapi::EXTENSION_ID_STDAPI
+            end
+
+            #
+            # Initializes an instance of the Standard API (Fs Namespace) extension.
+            #
+            def initialize(client)
+              super(client, 'stdapi_fs')
+
+              # Alias the following things on the client object so that they
+              # can be directly referenced
+              client.register_extension_aliases(
+                [
+                  {
+                    'name' => 'fs',
+                    'ext'  => ObjectAliases.new(
+                      {
+                        'dir'      => self.dir,
+                        'file'     => self.file,
+                        'filestat' => self.filestat,
+                        'mount'    => Fs::Mount.new(client)
+                      })
+                  },
+                ])
+            end
+
+            #
+            # Sets the client instance on a duplicated copy of the supplied class.
+            #
+            def brand(klass)
+              klass = klass.dup
+              klass.client = self.client
+              return klass
+            end
+
+            #
+            # Returns a copy of the Dir class.
+            #
+            def dir
+              brand(Rex::Post::Meterpreter::Extensions::Stdapi_Fs::Fs::Dir)
+            end
+
+            #
+            # Returns a copy of the File class.
+            #
+            def file
+              brand(Rex::Post::Meterpreter::Extensions::Stdapi_Fs::Fs::File)
+            end
+
+            #
+            # Returns a copy of the FileStat class.
+            #
+            def filestat
+              brand(Rex::Post::Meterpreter::Extensions::Stdapi_Fs::Fs::FileStat)
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/rex/post/meterpreter/extensions/stdapi_net/stdapi_net.rb

@@ -0,0 +1,61 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/object_aliases'
+require 'rex/post/meterpreter/extension'
+require 'rex/post/meterpreter/extensions/stdapi/constants'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+require 'rex/post/meterpreter/extensions/stdapi/command_ids'
+require 'rex/post/meterpreter/extensions/stdapi/net/resolve'
+require 'rex/post/meterpreter/extensions/stdapi/net/config'
+require 'rex/post/meterpreter/extensions/stdapi/net/socket'
+module Rex
+  module Post
+    module Meterpreter
+      module Extensions
+        module Stdapi_Net
+          module Net
+            include Rex::Post::Meterpreter::Extensions::Stdapi::Net
+          end
+          include Rex::Post::Meterpreter::Extensions::Stdapi
+          class Stdapi_Net < Extension
+
+            def self.extension_id
+              Rex::Post::Meterpreter::Extensions::Stdapi::EXTENSION_ID_STDAPI
+            end
+
+            #
+            # Initializes an instance of the Standard API (Net Namespace) extension.
+            #
+            def initialize(client)
+              super(client, 'stdapi_net')
+
+              # Alias the following things on the client object so that they
+              # can be directly referenced
+              client.register_extension_aliases(
+                [
+                  {
+                    'name' => 'net',
+                    'ext'  => ObjectAliases.new(
+                      {
+                        'config'   => Rex::Post::Meterpreter::Extensions::Stdapi_Net::Net::Config.new(client),
+                        'socket'   => Rex::Post::Meterpreter::Extensions::Stdapi_Net::Net::Socket.new(client),
+                        'resolve'  => Rex::Post::Meterpreter::Extensions::Stdapi_Net::Net::Resolve.new(client)
+                      })
+                  }
+                ])
+            end
+
+            #
+            # Sets the client instance on a duplicated copy of the supplied class.
+            #
+            def brand(klass)
+              klass = klass.dup
+              klass.client = self.client
+              return klass
+            end
+          end
+        end
+      end
+    end
+  end
+end