Add support for the session GUID in the UI

The Session GUID will identify active sessions, and is the beginning of
work that will allow for tracking of sessions that have come back alive
after failing or switching transports.

Author: OJ

lib/msf/base/serializer/readable_text.rb

@@ -618,7 +618,6 @@ def self.dump_sessions_verbose(framework, opts={})
       sess_luri    = session.exploit_datastore['LURI'] || ""
 
       sess_checkin = "<none>"
-      sess_machine_id = session.machine_id.to_s
       sess_registration = "No"
 
       if session.respond_to? :platform
@@ -642,15 +641,12 @@ def self.dump_sessions_verbose(framework, opts={})
       out << "      Tunnel: #{sess_tunnel}\n"
       out << "         Via: #{sess_via}\n"
       out << "        UUID: #{sess_uuid}\n"
-      out << "   MachineID: #{sess_machine_id}\n"
       out << "     CheckIn: #{sess_checkin}\n"
       out << "  Registered: #{sess_registration}\n"
-      if !sess_luri.empty?
+      unless sess_luri.empty?
         out << "        LURI: #{sess_luri}\n"
       end
 
-
-
       out << "\n"
     end
 

lib/msf/base/sessions/meterpreter_options.rb

@@ -51,6 +51,17 @@ def on_session(session)
     end
 
     if valid
+      # always make sure that the new session has a new guid if it's not already known
+      guid = session.core.get_session_guid
+      if guid == '00000000-0000-0000-0000-000000000000'
+        guid = SecureRandom.uuid
+        session.core.set_session_guid(guid)
+        session.guid = guid
+        # TODO: New statgeless session, do some account in the DB so we can track it later.
+      else
+        session.guid = guid
+        # TODO: This session was either staged or previously known, and so we shold do some accounting here!
+      end
 
       if datastore['AutoLoadStdapi']
 
@@ -71,7 +82,7 @@ def on_session(session)
       end
 
       [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
-        if !datastore[key].empty?
+        unless datastore[key].empty?
           args = Shellwords.shellwords( datastore[key] )
           print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
           session.execute_script(args.shift, *args)

lib/msf/core/payload/android.rb

@@ -51,7 +51,8 @@ def generate_config(opts={})
       arch:       opts[:uuid].arch,
       expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
-      transports: opts[:transport_config] || [transport_config(opts)]
+      transports: opts[:transport_config] || [transport_config(opts)],
+      stageless:  opts[:stageless] == true
     }
 
     config = Rex::Payloads::Meterpreter::Config.new(config_opts).to_b

lib/msf/core/payload/java/meterpreter_loader.rb

@@ -69,7 +69,8 @@ def generate_config(opts={})
       arch:       opts[:uuid].arch,
       expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
-      transports: opts[:transport_config] || [transport_config(opts)]
+      transports: opts[:transport_config] || [transport_config(opts)],
+      stageless:  opts[:stageless] == true
     }
 
     # create the configuration instance based off the parameters

lib/msf/core/payload/python/meterpreter_loader.rb

@@ -74,6 +74,13 @@ def stage_meterpreter(opts={})
     uuid = Rex::Text.to_hex(uuid.to_raw, prefix = '')
     met.sub!("PAYLOAD_UUID = \'\'", "PAYLOAD_UUID = \'#{uuid}\'")
 
+    if opts[:stageless] == true
+      session_guid = "00" * 16
+    else
+      session_guid = SecureRandom.uuid.gsub(/-/, '')
+    end
+    met.sub!("SESSION_GUID = \'\'", "SESSION_GUID = \'#{session_guid}\'.decode(\'hex\')")
+
     http_user_agent = opts[:http_user_agent] || ds['MeterpreterUserAgent']
     http_proxy_host = opts[:http_proxy_host] || ds['PayloadProxyHost'] || ds['PROXYHOST']
     http_proxy_port = opts[:http_proxy_port] || ds['PayloadProxyPort'] || ds['PROXYPORT']

lib/msf/core/payload/windows/meterpreter_loader.rb

@@ -82,7 +82,8 @@ def generate_config(opts={})
       expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
       transports: opts[:transport_config] || [transport_config(opts)],
-      extensions: []
+      extensions: [],
+      stageless:  opts[:stageless] == true
     }
 
     # create the configuration instance based off the parameters

lib/msf/core/payload/windows/x64/meterpreter_loader.rb

@@ -84,7 +84,8 @@ def generate_config(opts={})
       expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
       transports: opts[:transport_config] || [transport_config(opts)],
-      extensions: []
+      extensions: [],
+      stageless:  opts[:stageless] == true
     }
 
     # create the configuration instance based off the parameters

lib/msf/core/session.rb

@@ -385,6 +385,10 @@ def session_type
   #
   attr_accessor :machine_id
   #
+  # The guid that identifies an active Meterpreter session
+  #
+  attr_accessor :guid
+  #
   # The actual exploit module instance that created this session
   #
   attr_accessor :exploit

lib/rex/payloads/meterpreter/config.rb

@@ -3,6 +3,7 @@
 require 'msf/core/payload/windows'
 require 'msf/core/reflective_dll_loader'
 require 'rex/socket/x509_certificate'
+require 'securerandom'
 
 class Rex::Payloads::Meterpreter::Config
 
@@ -50,14 +51,23 @@ def session_block(opts)
     uuid = opts[:uuid].to_raw
     exit_func = Msf::Payload::Windows.exit_types[opts[:exitfunk]]
 
+    # if no session guid is given then we'll just pass the blank
+    # guid through. this is important for stageless payloads
+    if opts[:stageless] == true
+      session_guid = "\x00" * 16
+    else
+      session_guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*')
+    end
+
     session_data = [
       0,                  # comms socket, patched in by the stager
       exit_func,          # exit function identifer
       opts[:expiration],  # Session expiry
-      uuid                # the UUID
+      uuid,               # the UUID
+      session_guid        # the Session GUID
     ]
 
-    session_data.pack('VVVA*')
+    session_data.pack('VVVA*A*')
   end
 
   def transport_block(opts)

lib/rex/post/meterpreter/client_core.rb

@@ -125,6 +125,9 @@ def transport_list
     result
   end
 
+  #
+  # Set associated transport timeouts for the currently active transport.
+  #
   def set_transport_timeouts(opts={})
     request = Packet.create_request('core_transport_set_timeouts')
 
@@ -298,6 +301,9 @@ def use(mod, opts = { })
     return true
   end
 
+  #
+  # Set the UUID on the target session.
+  #
   def set_uuid(uuid)
     request = Packet.create_request('core_set_uuid')
     request.add_tlv(TLV_TYPE_UUID, uuid.to_raw)
@@ -307,10 +313,42 @@ def set_uuid(uuid)
     true
   end
 
+  #
+  # Set the session GUID on the target session.
+  #
+  def set_session_guid(guid)
+    request = Packet.create_request('core_set_session_guid')
+    request.add_tlv(TLV_TYPE_SESSION_GUID, [guid.gsub(/-/, '')].pack('H*'))
+
+    client.send_request(request)
+
+    true
+  end
+
+  #
+  # Get the session GUID from the target session.
+  #
+  def get_session_guid(timeout=nil)
+    request = Packet.create_request('core_get_session_guid')
+
+    args = [request]
+    args << timeout if timeout
+
+    response = client.send_request(*args)
+
+    bytes = response.get_tlv_value(TLV_TYPE_SESSION_GUID)
+
+    parts = bytes.unpack('H*')[0]
+    [parts[0, 8], parts[8, 4], parts[12, 4], parts[16, 4], parts[20, 12]].join('-')
+  end
+
+  #
+  # Get the machine ID from the target session.
+  #
   def machine_id(timeout=nil)
     request = Packet.create_request('core_machine_id')
 
-    args = [ request ]
+    args = [request]
     args << timeout if timeout
 
     response = client.send_request(*args)
@@ -325,6 +363,9 @@ def machine_id(timeout=nil)
     Rex::Text.md5(mid.to_s.downcase.strip)
   end
 
+  #
+  # Get the current native arch from the target session.
+  #
   def native_arch(timeout=nil)
     # Not all meterpreter implementations support this
     request = Packet.create_request('core_native_arch')
@@ -337,6 +378,9 @@ def native_arch(timeout=nil)
     response.get_tlv_value(TLV_TYPE_STRING)
   end
 
+  #
+  # Remove a transport from the session based on the provided options.
+  #
   def transport_remove(opts={})
     request = transport_prepare_request('core_transport_remove', opts)
 
@@ -347,6 +391,9 @@ def transport_remove(opts={})
     return true
   end
 
+  #
+  # Add a transport to the session based on the provided options.
+  #
   def transport_add(opts={})
     request = transport_prepare_request('core_transport_add', opts)
 
@@ -357,6 +404,9 @@ def transport_add(opts={})
     return true
   end
 
+  #
+  # Change the currently active transport on the session.
+  #
   def transport_change(opts={})
     request = transport_prepare_request('core_transport_change', opts)
 
@@ -367,6 +417,9 @@ def transport_change(opts={})
     return true
   end
 
+  #
+  # Sleep the current session for the given number of seconds.
+  #
   def transport_sleep(seconds)
     return false if seconds == 0
 
@@ -379,12 +432,18 @@ def transport_sleep(seconds)
     return true
   end
 
+  #
+  # Change the active transport to the next one in the transport list.
+  #
   def transport_next
     request = Packet.create_request('core_transport_next')
     client.send_request(request)
     return true
   end
 
+  #
+  # Change the active transport to the previous one in the transport list.
+  #
   def transport_prev
     request = Packet.create_request('core_transport_prev')
     client.send_request(request)
@@ -623,10 +682,17 @@ def valid_transport?(transport)
 
 private
 
+  #
+  # Get a reference to the currently active transport.
+  #
   def get_current_transport
     transport_list[:transports][0]
   end
 
+  #
+  # Generate a migrate stub that is specific to the current transport type and the
+  # target process.
+  #
   def generate_migrate_stub(target_process)
     stub = nil
 
@@ -663,6 +729,10 @@ def generate_migrate_stub(target_process)
     stub
   end
 
+  #
+  # Helper function to prepare a transport request that will be sent to the
+  # attached session.
+  #
   def transport_prepare_request(method, opts={})
     unless valid_transport?(opts[:transport]) && opts[:lport]
       return nil
@@ -751,6 +821,9 @@ def transport_prepare_request(method, opts={})
   end
 
 
+  #
+  # Create a full migration payload specific to the target process.
+  #
   def generate_migrate_payload(target_process)
     case client.platform
     when 'windows'
@@ -764,6 +837,9 @@ def generate_migrate_payload(target_process)
     blob
   end
 
+  #
+  # Create a full Windows-specific migration payload specific to the target process.
+  #
   def generate_migrate_windows_payload(target_process)
     c = Class.new( ::Msf::Payload )
     c.include( ::Msf::Payload::Stager )
@@ -783,16 +859,25 @@ def generate_migrate_windows_payload(target_process)
     migrate_stager.stage_meterpreter
   end
 
+  #
+  # Create a full Linux-specific migration payload specific to the target process.
+  #
   def generate_migrate_linux_payload
     MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
   end
 
+  #
+  # Determine the elf entry poitn for the given payload.
+  #
   def elf_ep(payload)
     elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
     ep = elf.elf_header.e_entry
     return ep
   end
 
+  #
+  # Get the tmp folder for the session.
+  #
   def tmp_folder
     tmp = client.sys.config.getenv('TMPDIR')