Land rapid7#5214, initial meterpreter session recovery support

Author: Brent Cook

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (= 0.4.0)
       metasploit-model (~> 0.29.0)
-      meterpreter_bins (= 0.0.22)
+      metasploit-payloads (= 0.0.3)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,6 +123,7 @@ GEM
     metasploit-model (0.29.2)
       activesupport
       railties (< 4.0.0)
+    metasploit-payloads (0.0.3)
     metasploit_data_models (0.24.0)
       activerecord (>= 3.2.13, < 4.0.0)
       activesupport
@@ -132,7 +133,6 @@ GEM
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.22)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.2)

data/meterpreter/ext_server_networkpug.lso

@@ -16,7 +16,12 @@ def initialize(info = {})
         OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
         OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
-        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"])
+        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
+        OptBool.new('StagerCloseListenSocket', [false, "Close the listen socket in the stager", false]),
+        OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
+        OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
+        OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),
+        OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', Rex::Post::Meterpreter::ClientCore::TIMEOUT_COMMS])
       ], self.class)
   end
 

data/meterpreter/ext_server_sniffer.lso

@@ -141,12 +141,21 @@ def start_handler
         # Increment the has connection counter
         self.pending_connections += 1
 
+        # Timeout and datastore options need to be passed through to the client
+        opts = {
+          :datastore    => datastore,
+          :expiration   => datastore['SessionExpirationTimeout'].to_i,
+          :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total  => datastore['SessionRetryTotal'].to_i,
+          :retry_wait   => datastore['SessionRetryWait'].to_i
+        }
+
         # Start a new thread and pass the client connection
         # as the input and output pipe.  Client's are expected
         # to implement the Stream interface.
         conn_threads << framework.threads.spawn("BindTcpHandlerSession", false, client) { |client_copy|
           begin
-            handle_connection(wrap_aes_socket(client_copy), { datastore: datastore })
+            handle_connection(wrap_aes_socket(client_copy), opts)
           rescue
             elog("Exception raised from BindTcp.handle_connection: #{$!}")
           end

data/meterpreter/ext_server_stdapi.lso

@@ -250,7 +250,7 @@ def send_new_stage
     #
     # Patch options into the payload
     #
-    Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+    Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
       :ssl            => ssl?,
       :url            => url,
       :expiration     => datastore['SessionExpirationTimeout'],
@@ -260,7 +260,7 @@ def send_new_stage
       :proxy_port     => datastore['PayloadProxyPort'],
       :proxy_type     => datastore['PayloadProxyType'],
       :proxy_user     => datastore['PayloadProxyUser'],
-      :proxy_pass     => datastore['PayloadProxyPass']
+      :proxy_pass     => datastore['PayloadProxyPass'])
 
     blob = encode_stage(blob)
 

data/meterpreter/msflinker_linux_x86.bin

@@ -52,8 +52,6 @@ def initialize(info = {})
     register_advanced_options(
       [
         OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
-        OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', (24*3600*7)]),
-        OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', 300]),
         OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]),
         OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
         OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
@@ -283,6 +281,8 @@ def on_request(cli, req, obj)
           :url                => url,
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total        => datastore['SessionRetryTotal'].to_i,
+          :retry_wait         => datastore['SessionRetryWait'].to_i,
           :ssl                => ssl?,
           :payload_uuid       => uuid
         })
@@ -312,6 +312,8 @@ def on_request(cli, req, obj)
           :url                => url,
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total        => datastore['SessionRetryTotal'].to_i,
+          :retry_wait         => datastore['SessionRetryWait'].to_i,
           :ssl                => ssl?,
           :payload_uuid       => uuid
         })
@@ -330,17 +332,19 @@ def on_request(cli, req, obj)
         # Patch options into the payload
         #
         Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
-          :ssl            => ssl?,
-          :url            => url,
-          :ssl_cert_hash  => verify_cert_hash,
-          :expiration     => datastore['SessionExpirationTimeout'],
-          :comm_timeout   => datastore['SessionCommunicationTimeout'],
-          :ua             => datastore['MeterpreterUserAgent'],
-          :proxy_host     => datastore['PayloadProxyHost'],
-          :proxy_port     => datastore['PayloadProxyPort'],
-          :proxy_type     => datastore['PayloadProxyType'],
-          :proxy_user     => datastore['PayloadProxyUser'],
-          :proxy_pass     => datastore['PayloadProxyPass'])
+          :ssl           => ssl?,
+          :url           => url,
+          :ssl_cert_hash => verify_cert_hash,
+          :expiration    => datastore['SessionExpirationTimeout'].to_i,
+          :comm_timeout  => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total   => datastore['SessionRetryTotal'].to_i,
+          :retry_wait    => datastore['SessionRetryWait'].to_i,
+          :ua            => datastore['MeterpreterUserAgent'],
+          :proxy_host    => datastore['PayloadProxyHost'],
+          :proxy_port    => datastore['PayloadProxyPort'],
+          :proxy_type    => datastore['PayloadProxyType'],
+          :proxy_user    => datastore['PayloadProxyUser'],
+          :proxy_pass    => datastore['PayloadProxyPass'])
 
         resp.body = encode_stage(blob)
 
@@ -351,6 +355,8 @@ def on_request(cli, req, obj)
           :url                => url,
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total        => datastore['SessionRetryTotal'].to_i,
+          :retry_wait         => datastore['SessionRetryWait'].to_i,
           :ssl                => ssl?,
           :payload_uuid       => uuid
         })
@@ -366,8 +372,13 @@ def on_request(cli, req, obj)
           :passive_dispatcher => obj.service,
           :conn_id            => conn_id,
           :url                => payload_uri(req) + conn_id + "/\x00",
-          :expiration         => datastore['SessionExpirationTimeout'].to_i,
-          :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+          # TODO ### Figure out what to do with these options given that the payload ###
+          # settings might not match the handler, should we instead read the remote?   #
+          :expiration         => datastore['SessionExpirationTimeout'].to_i,           #
+          :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,        #
+          :retry_total        => datastore['SessionRetryTotal'].to_i,                  #
+          :retry_wait         => datastore['SessionRetryWait'].to_i,                   #
+          ##############################################################################
           :ssl                => ssl?,
           :payload_uuid       => uuid
         })

lib/msf/base/sessions/meterpreter_options.rb

@@ -58,6 +58,8 @@ def generate_stageless(opts={})
         :ssl_cert_hash => verify_cert_hash,
         :expiration    => datastore['SessionExpirationTimeout'].to_i,
         :comm_timeout  => datastore['SessionCommunicationTimeout'].to_i,
+        :retry_total   => datastore['SessionRetryTotal'].to_i,
+        :retry_wait    => datastore['SessionRetryWait'].to_i,
         :ua            => datastore['MeterpreterUserAgent'],
         :proxy_host    => datastore['PayloadProxyHost'],
         :proxy_port    => datastore['PayloadProxyPort'],