Pass loot contents over the API and write file

Author: jbarnett-r7

lib/metasploit/framework/data_service/proxy/loot_data_proxy.rb

@@ -3,6 +3,9 @@ module LootDataProxy
   def report_loot(opts)
     begin
       data_service = self.get_data_service()
+      if !data_service.is_a?(Msf::DBManager)
+        opts[:data] = Base64.urlsafe_encode64(opts[:data]) if opts[:data]
+      end
       data_service.report_loot(opts)
     rescue Exception => e
       puts "Call to #{data_service.class}#report_loot threw exception: #{e.message}"

lib/metasploit/framework/data_service/remote/http/remote_loot_data_service.rb

@@ -4,7 +4,6 @@ module RemoteLootDataService
   include ResponseDataHelper
 
   LOOT_PATH = '/api/1/msf/loot'
-  LOOT_SEARCH_PATH = LOOT_PATH + "/search"
 
   def loot(opts = {})
     json_to_open_struct_object(self.get_data(LOOT_PATH, opts), [])
@@ -21,9 +20,4 @@ def find_or_create_loot(opts)
   def report_loots(loot)
     self.post_data(LOOT_PATH, loot)
   end
-
-  def do_loot_search(search)
-    response = self.post_data(LOOT_SEARCH_PATH, search)
-    return response.body
-  end
 end

lib/msf/core/auxiliary/report.rb

@@ -416,6 +416,7 @@ def store_loot(ltype, ctype, host, data, filename=nil, info=nil, service=nil)
       conf[:workspace] = myworkspace
       conf[:name] = filename if filename
       conf[:info] = info if info
+      conf[:data] = data if data
 
       if service and service.kind_of?(::Mdm::Service)
         conf[:service] = service if service

lib/msf/core/db_manager/http/servlet/loot_servlet.rb

@@ -27,7 +27,52 @@ def self.get_loot
 
   def self.report_loot
     lambda {
-      job = lambda { |opts| get_db().report_loot(opts) }
+
+      job = lambda { |opts|
+        # This regex does a best attempt to determine if opts[:data] is valid Base64
+        # See https://stackoverflow.com/questions/8571501/how-to-check-whether-the-string-is-base64-encoded-or-not
+        if opts[:data] =~ /^([A-Za-z0-9+\/]{4})*([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)$/
+          opts[:data] = Base64.urlsafe_decode64(opts[:data]) if opts[:data]
+        end
+
+        # This code is all for writing out the file locally.
+        # It is copied from lib/msf/core/auxiliary/report.rb
+        # We shouldn't duplicate it so a better method should be used
+        if ! ::File.directory?(Msf::Config.loot_directory)
+          FileUtils.mkdir_p(Msf::Config.loot_directory)
+        end
+
+        ext = 'bin'
+        if opts[:name]
+          parts = opts[:name].to_s.split('.')
+          if parts.length > 1 and parts[-1].length < 4
+            ext = parts[-1]
+          end
+        end
+
+        case opts[:content_type]
+          when /^text\/[\w\.]+$/
+            ext = "txt"
+        end
+        # This method is available even if there is no database, don't bother checking
+        host = Msf::Util::Host.normalize_host(host)
+
+        ws = (opts[:workspace] ? opts[:workspace] : 'default')
+        name =
+            Time.now.strftime("%Y%m%d%H%M%S") + "_" + ws + "_" +
+                (host || 'unknown') + '_' + opts[:type][0,16] + '_' +
+                Rex::Text.rand_text_numeric(6) + '.' + ext
+
+        name.gsub!(/[^a-z0-9\.\_]+/i, '')
+
+        path = File.join(Msf::Config.loot_directory, name)
+        full_path = ::File.expand_path(path)
+        File.open(full_path, "wb") do |fd|
+          fd.write(opts[:data])
+        end
+
+        get_db().report_loot(opts)
+      }
       exec_report_job(request, &job)
     }
   end