Land rapid7#4962: OJ adjusts MSF to new metsrv needs

bump meterpreter bins to 0.0.17

Author: Brent Cook

.gitignore

@@ -67,17 +67,7 @@ external/source/exploits/**/Release
 
 # Avoid checking in Meterpreter binaries. These are supplied upstream by
 # the meterpreter_bins gem.
-data/meterpreter/elevator.*.dll
-data/meterpreter/ext_server_espia.*.dll
-data/meterpreter/ext_server_extapi.*.dll
-data/meterpreter/ext_server_incognito.*.dll
-data/meterpreter/ext_server_kiwi.*.dll
-data/meterpreter/ext_server_lanattacks.*.dll
-data/meterpreter/ext_server_mimikatz.*.dll
-data/meterpreter/ext_server_priv.*.dll
-data/meterpreter/ext_server_stdapi.*.dll
-data/meterpreter/metsrv.*.dll
-data/meterpreter/screenshot.*.dll
+data/meterpreter/*.dll
 
 # Avoid checking in Meterpreter libs that are built from
 # private source. If you're interested in this functionality,

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.29.0)
-      meterpreter_bins (= 0.0.16)
+      meterpreter_bins (= 0.0.17)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -132,7 +132,7 @@ GEM
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.16)
+    meterpreter_bins (0.0.17)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.1)

lib/msf/core/handler/reverse_http.rb

@@ -3,6 +3,8 @@
 require 'rex/sync/ref'
 require 'msf/core/handler/reverse_http/uri_checksum'
 require 'rex/payloads/meterpreter/patch'
+require 'rex/parser/x509_certificate'
+require 'msf/core/payload/windows/verify_ssl'
 
 module Msf
 module Handler
@@ -16,6 +18,7 @@ module ReverseHttp
 
   include Msf::Handler
   include Msf::Handler::ReverseHttp::UriChecksum
+  include Msf::Payload::Windows::VerifySsl
 
   #
   # Returns the string representation of the handler type
@@ -291,20 +294,23 @@ def on_request(cli, req, obj)
 
         blob = obj.stage_payload
 
+        verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                             datastore['HandlerSSLCert'])
         #
         # Patch options into the payload
         #
-        Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+        Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
           :ssl            => ssl?,
           :url            => url,
+          :ssl_cert_hash  => verify_cert_hash,
           :expiration     => datastore['SessionExpirationTimeout'],
           :comm_timeout   => datastore['SessionCommunicationTimeout'],
           :ua             => datastore['MeterpreterUserAgent'],
           :proxy_host     => datastore['PayloadProxyHost'],
           :proxy_port     => datastore['PayloadProxyPort'],
           :proxy_type     => datastore['PayloadProxyType'],
           :proxy_user     => datastore['PayloadProxyUser'],
-          :proxy_pass     => datastore['PayloadProxyPass']
+          :proxy_pass     => datastore['PayloadProxyPass'])
 
         resp.body = encode_stage(blob)
 

lib/msf/core/handler/reverse_https.rb

@@ -43,7 +43,8 @@ def initialize(info = {})
 
     register_advanced_options(
       [
-        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format"])
+        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format"]),
+        OptBool.new('StagerVerifySSLCert', [false, "Whether to verify the SSL certificate in Meterpreter"])
       ], Msf::Handler::ReverseHttps)
 
   end

lib/msf/core/payload/windows/reverse_winhttp.rb

@@ -108,8 +108,7 @@ def asm_generate_wchar_array(str)
   # @option opts [String] :url The URI to request during staging
   # @option opts [String] :host The host to connect to
   # @option opts [Fixnum] :port The port to connect to
-  # @option opts [Bool] :verify_ssl Whether or not to do SSL certificate validation
-  # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify
+  # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify, or nil
   # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh
   # @option opts [Fixnum] :retry_count The number of times to retry a failed request before giving up
   #
@@ -121,7 +120,7 @@ def asm_reverse_winhttp(opts={})
     encoded_url       = asm_generate_wchar_array(opts[:url])
     encoded_host      = asm_generate_wchar_array(opts[:host])
 
-    if opts[:ssl] && opts[:verify_cert] && opts[:verify_cert_hash]
+    if opts[:ssl] && opts[:verify_cert_hash]
       verify_ssl = true
       encoded_cert_hash = opts[:verify_cert_hash].unpack("C*").map{|c| "0x%.2x" % c }.join(",")
     end

lib/msf/core/payload/windows/reverse_winhttps.rb

@@ -2,7 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/windows/reverse_winhttp'
-require 'rex/parser/x509_certificate'
+require 'msf/core/payload/windows/verify_ssl'
 
 module Msf
 
@@ -17,6 +17,7 @@ module Msf
 module Payload::Windows::ReverseWinHttps
 
   include Msf::Payload::Windows::ReverseWinHttp
+  include Msf::Payload::Windows::VerifySsl
 
   #
   # Register reverse_winhttps specific options
@@ -49,27 +50,13 @@ def generate_reverse_winhttps(opts={})
   #
   def generate
 
-    verify_cert = false
-    verify_cert_hash = nil
-
-    if datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      unless datastore['HandlerSSLCert']
-        raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-      else
-        verify_cert = true
-        hcert = Rex::Parser::X509Certificate.parse_pem_file(datastore['HandlerSSLCert'])
-        unless hcert and hcert[0] and hcert[1]
-          raise ArgumentError, "Could not parse a private key and certificate from #{datastore['HandlerSSLCert']}"
-        end
-        verify_cert_hash = Rex::Text.sha1_raw(hcert[1].to_der)
-        print_status("Stager will verify SSL Certificate with SHA1 hash #{verify_cert_hash.unpack("H*").first}")
-      end
-    end
+    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                         datastore['HandlerSSLCert'])
 
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
 
-      if datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
+      if verify_cert_hash
         raise ArgumentError, "StagerVerifySSLCert is enabled but not enough payload space is available"
       end
 
@@ -78,7 +65,6 @@ def generate
         host: datastore['LHOST'],
         port: datastore['LPORT'],
         url:  generate_small_uri,
-        verify_cert: verify_cert,
         verify_cert_hash: verify_cert_hash,
         retry_count: datastore['StagerRetryCount'])
     end
@@ -89,7 +75,6 @@ def generate
       port: datastore['LPORT'],
       url:  generate_uri,
       exitfunk: datastore['EXITFUNC'],
-      verify_cert: verify_cert,
       verify_cert_hash: verify_cert_hash,
       retry_count: datastore['StagerRetryCount']
     }

lib/msf/core/payload/windows/stageless_meterpreter.rb

@@ -1,6 +1,7 @@
 #-*- coding: binary -*-
 
 require 'msf/core'
+require 'rex/payloads/meterpreter/patch'
 
 module Msf
 
@@ -75,11 +76,8 @@ def generate_stageless_meterpreter(url = nil)
 
     # the URL might not be given, as it might be patched in some other way
     if url
-      url = "s#{url}\x00"
-      location = dll.index("https://#{'X' * 256}")
-      if location
-        dll[location, url.length] = url
-      end
+      # Patch the URL using the patcher as this upports both ASCII and WCHAR.
+      Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
     end
 
     # if a block is given then call that with the meterpreter dll

lib/msf/core/payload/windows/verify_ssl.rb

@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'rex/parser/x509_certificate'
+
+module Msf
+
+###
+#
+# Implements SSL validation check options
+#
+###
+
+module Payload::Windows::VerifySsl
+
+  #
+  # Get the SSL hash from the certificate, if required.
+  #
+  def get_ssl_cert_hash(verify_cert, handler_cert)
+    unless verify_cert.to_s =~ /^(t|y|1)/i
+      return nil
+    end
+
+    unless handler_cert
+      raise ArgumentError, "Verifying SSL cert is enabled but no handler cert is configured"
+    end
+
+    hash = Rex::Parser::X509Certificate.get_cert_file_hash(handler_cert)
+    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
+    hash
+  end
+
+end
+
+end
+

lib/rex/parser/x509_certificate.rb

@@ -56,6 +56,36 @@ def self.parse_pem_file(ssl_cert_file)
     parse_pem(data)
   end
 
+  #
+  # Parse a certificate in unified PEM format and retrieve
+  # the SHA1 hash.
+  #
+  # @param [String] ssl_cert 
+  # @return [String]
+  def self.get_cert_hash(ssl_cert)
+    hcert = parse_pem(ssl_cert)
+
+    unless hcert and hcert[0] and hcert[1]
+      raise ArgumentError, "Could not parse a private key and certificate"
+    end
+
+    Rex::Text.sha1_raw(hcert[1].to_der)
+  end
+
+  #
+  # Parse a file that contains a certificate in unified PEM
+  # format and retrieve the SHA1 hash.
+  #
+  # @param [String] ssl_cert_file
+  # @return [String]
+  def self.get_cert_file_hash(ssl_cert_file)
+    data = ''
+    ::File.open(ssl_cert_file, 'rb') do |fd|
+      data << fd.read(fd.stat.size)
+    end
+    get_cert_hash(data)
+  end
+
 end
 
 end