Hacked support for transport switching

Author: OJ

lib/rex/post/meterpreter/client_core.rb

@@ -222,6 +222,20 @@ def use(mod, opts = { })
     return true
   end
 
+  def change_transport(opts={})
+    request = Packet.create_request('core_change_transport')
+
+    url = "#{opts[:scheme]}://#{opts[:lhost]}:#{opts[:lport]}"
+    url <<  '/' + opts[:suffix] if opts[:suffix]
+
+    request.add_tlv(TLV_TYPE_TRANSPORT_TYPE, opts[:type])
+    request.add_tlv(TLV_TYPE_TRANSPORT_URL, url)
+
+    response = client.send_request(request)
+
+    # TODO: shut this baby down.
+  end
+
   #
   # Migrates the meterpreter instance to the process specified
   # by pid.  The connection to the server remains established.

lib/rex/post/meterpreter/packet.rb

@@ -87,6 +87,10 @@ module Meterpreter
 TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_META_TYPE_UINT   | 408
 TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_META_TYPE_STRING | 409
 
+
+TLV_TYPE_TRANSPORT_TYPE      = TLV_META_TYPE_UINT   | 430
+TLV_TYPE_TRANSPORT_URL       = TLV_META_TYPE_STRING | 431
+
 TLV_TYPE_CIPHER_NAME         = TLV_META_TYPE_STRING | 500
 TLV_TYPE_CIPHER_PARAMETERS   = TLV_META_TYPE_GROUP  | 501
 
@@ -179,6 +183,8 @@ def inspect
       when TLV_TYPE_MIGRATE_LEN; "MIGRATE-LEN"
       when TLV_TYPE_MIGRATE_PAYLOAD; "MIGRATE-PAYLOAD"
       when TLV_TYPE_MIGRATE_ARCH; "MIGRATE-ARCH"
+      when TLV_TYPE_TRANSPORT_TYPE; "TRANSPORT-TYPE"
+      when TLV_TYPE_TRANSPORT_URL; "TRANSPORT-URL"
 
       #when Extensions::Stdapi::TLV_TYPE_NETWORK_INTERFACE; 'network-interface'
       #when Extensions::Stdapi::TLV_TYPE_IP; 'ip-address'

lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -50,6 +50,7 @@ def commands
       "irb"        => "Drop into irb scripting mode",
       "use"        => "Deprecated alias for 'load'",
       "load"       => "Load one or more meterpreter extensions",
+      "transport"  => "Change the current transport mechanism",
       "quit"       => "Terminate the meterpreter session",
       "resource"   => "Run the commands stored in a file",
       "read"       => "Reads data from a channel",
@@ -320,6 +321,53 @@ def cmd_irb(*args)
     Rex::Ui::Text::IrbShell.new(binding).run
   end
 
+  def cmd_transport(*args)
+    if ( args.length == 0 or args.include?("-h") )
+      #cmd_transport_help
+      return true
+    end
+
+    # the order of these is important (hacky!)
+    valid_transports = ['reverse_tcp', 'reverse_http', 'reverse_https', 'bind_tcp']
+
+    transport = args.shift.downcase
+    unless valid_transports.include?(transport)
+      #cmd_transport_help
+    end
+
+    if transport == 'bind_tcp'
+      unless args.length == 1
+        #cmd_transport_help
+      end
+
+      lhost = ""
+      lport = args.shift.to_i
+      type = 0
+    else
+      unless args.length == 2
+        #cmd_transport_help
+      end
+
+      lhost = args.shift
+      lport = args.shift.to_i
+      type = valid_transports.index(transport)
+    end
+
+    suffix = nil
+    unless transport.ends_with?("tcp")
+      suffix = "some magic URL"
+    end
+
+    client.core.change_transport({
+      :type   => type,
+      :scheme => transport.split('_')[1],
+      :lhost  => lhost,
+      :lport  => lport,
+      :suffix => suffix
+    })
+
+  end
+
   def cmd_migrate_help
     if client.platform =~ /linux/
       print_line "Usage: migrate <pid> [writable_path]"