Pass timeouts to clients and correctly patch timeouts

Timeouts are correctly passed through to the client instances from the
handlers. The cilent also passes those values through to the RDI code so
that the binaries are correctly patched.

Author: OJ

lib/msf/core/handler/bind_tcp.rb

@@ -141,12 +141,21 @@ def start_handler
         # Increment the has connection counter
         self.pending_connections += 1
 
+        # Timeout and datastore options need to be passed through to the client
+        opts = {
+          :datastore    => datastore,
+          :expiration   => datastore['SessionExpirationTimeout'].to_i,
+          :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total  => datastore['SessionRetryTotal'].to_i,
+          :retry_wait   => datastore['SessionRetryWait'].to_i
+        }
+
         # Start a new thread and pass the client connection
         # as the input and output pipe.  Client's are expected
         # to implement the Stream interface.
         conn_threads << framework.threads.spawn("BindTcpHandlerSession", false, client) { |client_copy|
           begin
-            handle_connection(wrap_aes_socket(client_copy), { datastore: datastore })
+            handle_connection(wrap_aes_socket(client_copy), opts)
           rescue
             elog("Exception raised from BindTcp.handle_connection: #{$!}")
           end

lib/msf/core/handler/reverse_tcp.rb

@@ -169,12 +169,21 @@ def start_handler
             break
           end
 
+          # Timeout and datastore options need to be passed through to the client
+          opts = {
+            :datastore    => datastore,
+            :expiration   => datastore['SessionExpirationTimeout'].to_i,
+            :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
+            :retry_total  => datastore['SessionRetryTotal'].to_i,
+            :retry_wait   => datastore['SessionRetryWait'].to_i
+          }
+
           if datastore['ReverseListenerThreaded']
             self.conn_threads << framework.threads.spawn("ReverseTcpHandlerSession-#{local_port}-#{client.peerhost}", false, client) { |client_copy|
-              handle_connection(wrap_aes_socket(client_copy), { datastore: datastore })
+              handle_connection(wrap_aes_socket(client_copy), opts)
             }
           else
-            handle_connection(wrap_aes_socket(client), { datastore: datastore })
+            handle_connection(wrap_aes_socket(client), opts)
           end
         rescue ::Exception
           elog("Exception raised from handle_connection: #{$!.class}: #{$!}\n\n#{$@.join("\n")}")

lib/rex/post/meterpreter/client_core.rb

@@ -639,6 +639,13 @@ def generate_windows_stub(process)
     end
     migrate_stager.datastore['DLL'] = dll
 
+    # Pass the timeout information to the RDI loader so that it correctly
+    # patches the timeouts into the binary.
+    migrate_stager.datastore['SessionExpirationTimeout']    = self.client.expiration
+    migrate_stager.datastore['SessionCommunicationTimeout'] = self.client.comm_timeout
+    migrate_stager.datastore['SessionRetryTotal']           = self.client.retry_total
+    migrate_stager.datastore['SessionRetryWait']            = self.client.retry_wait
+
     blob = migrate_stager.stage_payload
 
     if client.passive_service
@@ -656,14 +663,6 @@ def generate_windows_stub(process)
         :proxy_type   => client.exploit_datastore['PayloadProxyType'],
         :proxy_user   => client.exploit_datastore['PayloadProxyUser'],
         :proxy_pass   => client.exploit_datastore['PayloadProxyPass'])
-    # This should be done by the reflective loader payloads
-    #else
-    #  # Just patch the timeouts, which are consistent on each of the payloads.
-    #  Rex::Payloads::Meterpreter::Patch.patch_timeouts!(blob,
-    #    :expiration   => self.client.expiration,
-    #    :comm_timeout => self.client.comm_timeout,
-    #    :retry_total  => self.client.retry_total,
-    #    :retry_wait   => self.client.retry_wait)
     end
 
     blob