Land rapid7#5072 : Support and embed payload UUIDs

Author: OJ

lib/msf/base/serializer/readable_text.rb

@@ -536,6 +536,7 @@ def self.dump_sessions(framework, opts={})
       ]
 
     columns << 'Via' if verbose
+    columns << 'PayloadId' if verbose
 
     tbl = Rex::Ui::Text::Table.new(
       'Indent'  => indent,
@@ -555,7 +556,11 @@ def self.dump_sessions(framework, opts={})
       if session.respond_to? :platform
         row[1] += " " + session.platform
       end
-      row << session.via_exploit if verbose and session.via_exploit
+
+      if verbose
+        row << session.via_exploit.to_s
+        row << session.payload_uuid.to_s
+      end
 
       tbl << row
     }
@@ -566,7 +571,7 @@ def self.dump_sessions(framework, opts={})
   # Dumps the list of running jobs.
   #
   # @param framework [Msf::Framework] the framework.
-  # @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH 
+  # @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH
   #   and start time, if they exist, for each job.
   # @param indent [Integer] the indentation amount.
   # @param col [Integer] the column wrap width.

lib/msf/core/handler.rb

@@ -198,6 +198,9 @@ def create_session(conn, opts={})
       # and any relevant information
       s.set_from_exploit(assoc_exploit)
 
+      # Pass along any associated payload uuid if specified
+      s.payload_uuid = opts[:payload_uuid] if opts[:payload_uuid]
+
       # If the session is valid, register it with the framework and
       # notify any waiters we may have.
       if (s)

lib/msf/core/handler/reverse_http.rb

@@ -215,17 +215,25 @@ def lookup_proxy_settings
   #
   def on_request(cli, req, obj)
     resp = Rex::Proto::Http::Response.new
+    info = process_uri_resource(req.relative_resource)
+    uuid = info[:uuid] || Msf::Payload::UUID.new
 
-    print_status("#{cli.peerhost}:#{cli.peerport} Request received for #{req.relative_resource}...")
+    # Configure the UUID architecture and payload if necessary
+    uuid.arch      ||= obj.arch
+    uuid.platform  ||= obj.platform
 
-    uri_match = process_uri_resource(req.relative_resource)
+    print_status "#{cli.peerhost}:#{cli.peerport} Request received for #{req.relative_resource}... (UUID:#{uuid.to_s})"
+
+    conn_id = nil
+    if info[:mode] && info[:mode] != :connect
+      conn_id = generate_uri_uuid(URI_CHECKSUM_CONN, uuid)
+    end
 
     self.pending_connections += 1
 
     # Process the requested resource.
-    case uri_match
-      when /^\/INITPY/
-        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+    case info[:mode]
+      when :init_python
         url = payload_uri(req) + conn_id + '/'
 
         blob = ""
@@ -256,10 +264,10 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
+          :payload_uuid       => uuid
         })
 
-      when /^\/INITJM/
-        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+      when :init_java
         url = payload_uri(req) + conn_id + "/\x00"
 
         blob = ""
@@ -283,11 +291,11 @@ def on_request(cli, req, obj)
           :url                => url,
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
-          :ssl                => ssl?
+          :ssl                => ssl?,
+          :payload_uuid       => uuid
         })
 
-      when /^\/A?INITM?/
-        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+      when :init_native
         url = payload_uri(req) + conn_id + "/\x00"
 
         print_status("#{cli.peerhost}:#{cli.peerport} Staging connection for target #{req.relative_resource} received...")
@@ -323,13 +331,12 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
+          :payload_uuid       => uuid
         })
 
-      when /^\/CONN_.*\//
+      when :connect
         resp.body = ""
-        # Grab the checksummed version of CONN from the payload's request.
-        conn_id = req.relative_resource.gsub("/", "")
-
+        conn_id = req.relative_resource
         print_status("Incoming orphaned or stageless session #{conn_id}, attaching...")
 
         # Short-circuit the payload's handle_connection processing for create_session
@@ -340,6 +347,7 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
+          :payload_uuid       => uuid
         })
 
       else

lib/msf/core/handler/reverse_http/stageless.rb

@@ -5,7 +5,7 @@
 
 require 'msf/core'
 require 'rex/parser/x509_certificate'
-require 'rex/payloads/meterpreter/uri_checksum'
+require 'msf/core/payload/uuid_options'
 
 module Msf
 
@@ -18,7 +18,7 @@ module Msf
 module Handler::ReverseHttp::Stageless
 
   include Msf::Payload::Windows::VerifySsl
-  include Rex::Payloads::Meterpreter::UriChecksum
+  include Msf::Payload::UUIDOptions
 
   def initialize_stageless
     register_options([
@@ -27,9 +27,7 @@ def initialize_stageless
   end
 
   def generate_stageless(&block)
-    checksum = generate_uri_checksum(URI_CHECKSUM_CONN)
-    rand = Rex::Text.rand_text_alphanumeric(16)
-    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
+    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}#{generate_uri_uuid_mode(:connect)}/"
 
     unless block_given?
       raise ArgumentError, "Stageless generation requires a block argument"