Land #18441, Add at rest encryption to Meterpreter payloads

Author: adfoster-r7

Gemfile.lock

@@ -33,7 +33,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 2.0.156)
+      metasploit-payloads (= 2.0.159)
       metasploit_data_models
       metasploit_payloads-mettle (= 1.0.26)
       mqtt
@@ -278,7 +278,7 @@ GEM
       activemodel (~> 7.0)
       activesupport (~> 7.0)
       railties (~> 7.0)
-    metasploit-payloads (2.0.156)
+    metasploit-payloads (2.0.159)
     metasploit_data_models (6.0.3)
       activerecord (~> 7.0)
       activesupport (~> 7.0)

LICENSE_GEMS

@@ -82,7 +82,7 @@ metasploit-concern, 5.0.2, "New BSD"
 metasploit-credential, 6.0.6, "New BSD"
 metasploit-framework, 6.3.41, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.156, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.159, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
 metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT

lib/msf/core/payload/android.rb

@@ -127,7 +127,13 @@ def generate_jar(opts={})
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
+
+    files.each do |file|
+      path = ['android', 'apk', file].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      jar.add_file(file.join('/'), contents)
+    end
+
     jar.add_file("classes.dex", fix_dex_header(classes))
     jar.build_manifest
 

lib/msf/core/payload/java.rb

@@ -58,7 +58,14 @@ def generate_jar(opts={})
     jar = Rex::Zip::Jar.new
     jar.add_sub("metasploit") if opts[:random]
     jar.add_file("metasploit.dat", stager_config(opts))
-    jar.add_files(paths, ::MetasploitPayloads.path('java'))
+    jar.add_file('metasploit/', '') # Create the metasploit dir
+
+    paths.each do |path_parts|
+      path = ['java', path_parts].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      jar.add_file(path_parts.join('/'), contents)
+    end
+
     jar.build_manifest(:main_class => main_class)
 
     jar
@@ -103,7 +110,14 @@ def generate_war(opts={})
     zip.add_file('WEB-INF/', '')
     zip.add_file('WEB-INF/web.xml', web_xml)
     zip.add_file("WEB-INF/classes/", "")
-    zip.add_files(paths, MetasploitPayloads.path('java'), 'WEB-INF/classes/')
+    zip.add_file('metasploit/', '') # Create the metasploit dir
+
+    paths.each do |path_parts|
+      path = ['java', path_parts].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      zip.add_file(path_parts.join('/'), contents)
+    end
+
     zip.add_file("WEB-INF/classes/metasploit.dat", stager_config(opts))
 
     zip
@@ -138,7 +152,14 @@ def generate_axis2(opts={})
     zip = Rex::Zip::Jar.new
     zip.add_file('META-INF/', '')
     zip.add_file('META-INF/services.xml', services_xml)
-    zip.add_files(paths, MetasploitPayloads.path('java'))
+    zip.add_file('metasploit/', '') # Create the metasploit dir
+
+    paths.each do |path_parts|
+      path = ['java', path_parts].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      zip.add_file(path_parts.join('/'), contents)
+    end
+
     zip.add_file('metasploit.dat', stager_config(opts))
     zip.build_manifest(:app_name => app_name)
 

lib/msf/core/payload/windows/dll_inject.rb

@@ -205,9 +205,8 @@ def handle_connection_stage(conn, opts = {})
     data = library_name + "\x00"
 
     begin
-      File.open(library_path, "rb") { |f|
-        data += f.read
-      }
+      encrypted_contents = ::File.binread(library_path)
+      data += ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_contents)
     rescue
       print_error("Failed to load DLL: #{$!}.")
 

lib/msf/core/post/windows/reflective_dll_injection.rb

@@ -78,8 +78,9 @@ def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader',
   # @return [Array] Tuple of allocated memory address and offset to the
   #   +ReflectiveLoader+ function.
   def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    offset = load_rdi_dll_from_data(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
-    dll_mem = inject_into_process(process, dll_data)
+    decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data)
+    offset = load_rdi_dll_from_data(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
+    dll_mem = inject_into_process(process, decrypted_dll_data)
 
     return dll_mem, offset
   end

lib/msf/core/reflective_dll_loader.rb

@@ -24,8 +24,8 @@ module Msf::ReflectiveDLLLoader
   # @return [Array] Tuple of DLL contents and offset to the
   #                 +ReflectiveLoader+ function within the DLL.
   def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    dll = ''
-    ::File.open(dll_path, 'rb') { |f| dll = f.read }
+    encrypted_dll = ::File.binread(dll_path)
+    dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll)
 
     offset = parse_pe(dll, loader_name: loader_name, loader_ordinal: loader_ordinal)
 
@@ -43,7 +43,8 @@ def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPO
   #
   # @return [Integer] offset to the +ReflectiveLoader+ function within the DLL.
   def load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    offset = parse_pe(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
+    decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data)
+    offset = parse_pe(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
 
     unless offset
       raise 'Cannot find the ReflectiveLoader entry point in DLL data'

lib/msf/util/exe.rb

@@ -1599,7 +1599,14 @@ def self.to_jar(exe, opts = {})
     paths = [
       [ "metasploit", "Payload.class" ],
     ]
-    zip.add_files(paths, MetasploitPayloads.path('java'))
+
+    zip.add_file('metasploit/', '')
+    paths.each do |path_parts|
+      path = ['java', path_parts].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      zip.add_file(path_parts.join('/'), contents)
+    end
+
     zip.build_manifest :main_class => "metasploit.Payload"
     config = "Spawn=#{spawn}\r\nExecutable=#{exe_name}\r\n"
     zip.add_file("metasploit.dat", config)

lib/rex/post/meterpreter/client_core.rb

@@ -258,7 +258,8 @@ def load_library(opts)
       end
 
       if library_image
-        request.add_tlv(TLV_TYPE_DATA, library_image, false, client.capabilities[:zlib])
+        decrypted_library_image = ::MetasploitPayloads::Crypto.decrypt(ciphertext: library_image)
+        request.add_tlv(TLV_TYPE_DATA, decrypted_library_image, false, client.capabilities[:zlib])
       else
         raise RuntimeError, "Failed to serialize library #{library_path}.", caller
       end

lib/rex/post/meterpreter/extensions/priv/priv.rb

@@ -82,11 +82,8 @@ def getsystem(technique=TECHNIQUE[:any])
         raise RuntimeError, "#{elevators.chomp(', ')} not found", caller
       end
 
-      elevator_data = ''
-
-      ::File.open(elevator_path, 'rb') { |f|
-        elevator_data += f.read(f.stat.size)
-      }
+      encrypted_elevator_data = ::File.binread(elevator_path)
+      elevator_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_elevator_data)
 
       request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data)
       request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)