Add support for moving transports and uuid fetching

OJ · OJ · commit 4f9c8d04a2ff · 2015-04-28T20:24:44.000+10:00
The 'next' and 'prev' commands were added so that the session can jump
transports without having to add new ones at the same time.

There's also a command which gives the UUID now so that this can be
reused across sessions.
diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb
@@ -307,8 +307,12 @@ def load_session_info()
     begin
       ::Timeout.timeout(60) do
         # Gather username/system information
-        username  = self.sys.config.getuid
-        sysinfo   = self.sys.config.sysinfo
+        username = self.sys.config.getuid
+        sysinfo  = self.sys.config.sysinfo
+
+        # TODO: use one of these to determine of the end shell is dead?
+        self.payload_uuid = self.core.uuid
+        self.machinie_id = self.core.machine_id
 
         safe_info = "#{username} @ #{sysinfo['Computer']}"
         safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
@@ -47,18 +47,6 @@ def on_session(session)
         session.load_session_info
       end
 
-=begin
-      admin = false
-      begin
-        ::Timeout.timeout(30) do
-          if session.railgun and session.railgun.shell32.IsUserAnAdmin()["return"] == true
-            admin = true
-            session.info += " (ADMIN)"
-          end
-        end
-      rescue ::Exception
-      end
-=end
       if session.platform =~ /win32|win64/i
         session.load_priv rescue nil
       end
diff --git a/lib/msf/core/session.rb b/lib/msf/core/session.rb
@@ -377,6 +377,10 @@ def alive?
   #
   attr_accessor :info
   #
+  # The identifier for the machine of the current session
+  #
+  attr_accessor :machine_id
+  #
   # The unique identifier of this session
   #
   attr_accessor :uuid
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
@@ -273,6 +273,16 @@ def use(mod, opts = { })
     return true
   end
 
+  def uuid
+    request = Packet.create_request('core_uuid')
+
+    response = client.send_request(request)
+
+    id = response.get_tlv_value(TLV_TYPE_UUID)
+
+    return id
+  end
+
   def machine_id
     request = Packet.create_request('core_machine_id')
 
@@ -283,83 +293,34 @@ def machine_id
     return Rex::Text.md5(id)
   end
 
-  def transport_change(opts={})
-
-    unless valid_transport?(opts[:transport]) && opts[:lport]
-      return false
-    end
-
-    if opts[:transport].starts_with?('reverse')
-      return false unless opts[:lhost]
-    else
-      # Bind shouldn't have lhost set
-      opts[:lhost] = nil
-    end
-
-    transport = VALID_TRANSPORTS[opts[:transport]]
-
-    request = Packet.create_request('core_transport_change')
-
-    scheme = opts[:transport].split('_')[1]
-    url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
-
-    if opts[:comm_timeout]
-      request.add_tlv(TLV_TYPE_TRANS_COMM_TIMEOUT, opts[:comm_timeout])
-    end
+  def transport_add(opts={})
+    request = transport_prepare_request('core_transport_add', opts)
 
-    if opts[:session_exp]
-      request.add_tlv(TLV_TYPE_TRANS_SESSION_EXP, opts[:session_exp])
-    end
-
-    if opts[:retry_total]
-      request.add_tlv(TLV_TYPE_TRANS_RETRY_TOTAL, opts[:retry_total])
-    end
-
-    if opts[:retry_wait]
-      request.add_tlv(TLV_TYPE_TRANS_RETRY_WAIT, opts[:retry_wait])
-    end
+    return false unless request
 
-    # do more magic work for http(s) payloads
-    unless opts[:transport].ends_with?('tcp')
-      sum = uri_checksum_lookup(:connect)
-      uuid = client.payload_uuid
-      unless uuid
-        arch, plat = client.platform.split('/')
-        uuid = Msf::Payload::UUID.new({
-          arch:     arch,
-          platform: plat.starts_with?('win') ? 'windows' : plat
-        })
-      end
-      url << generate_uri_uuid(sum, uuid) + '/'
+    client.send_request(request)
 
-      # TODO: randomise if not specified?
-      opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
-      request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
+    return true
+  end
 
-      if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
-        hash = Rex::Parser::X509Certificate.get_cert_file_hash(opts[:cert])
-        request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
-      end
+  def transport_change(opts={})
+    request = transport_prepare_request('core_transport_change', opts)
 
-      if opts[:proxy_host] && opts[:proxy_port]
-        prefix = 'http://'
-        prefix = 'socks=' if opts[:proxy_type] == 'socks'
-        proxy = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
-        request.add_tlv(TLV_TYPE_TRANS_PROXY_INFO, proxy)
+    return false unless request
 
-        if opts[:proxy_user]
-          request.add_tlv(TLV_TYPE_TRANS_PROXY_USER, opts[:proxy_user])
-        end
-        if opts[:proxy_pass]
-          request.add_tlv(TLV_TYPE_TRANS_PROXY_PASS, opts[:proxy_pass])
-        end
-      end
+    client.send_request(request)
 
-    end
+    return true
+  end
 
-    request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
-    request.add_tlv(TLV_TYPE_TRANS_URL, url)
+  def transport_next
+    request = Packet.create_request('core_transport_next')
+    client.send_request(request)
+    return true
+  end
 
+  def transport_prev
+    request = Packet.create_request('core_transport_prev')
     client.send_request(request)
     return true
   end
@@ -602,6 +563,78 @@ def valid_transport?(transport)
 
   private
 
+  def transport_prepare_request(method, opts={})
+    unless valid_transport?(opts[:transport]) && opts[:lport]
+      return nil
+    end
+
+    if opts[:transport].starts_with?('reverse')
+      return false unless opts[:lhost]
+    else
+      # Bind shouldn't have lhost set
+      opts[:lhost] = nil
+    end
+
+    transport = VALID_TRANSPORTS[opts[:transport]]
+
+    request = Packet.create_request(method)
+
+    scheme = opts[:transport].split('_')[1]
+    url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
+
+    if opts[:comm_timeout]
+      request.add_tlv(TLV_TYPE_TRANS_COMM_TIMEOUT, opts[:comm_timeout])
+    end
+
+    if opts[:session_exp]
+      request.add_tlv(TLV_TYPE_TRANS_SESSION_EXP, opts[:session_exp])
+    end
+
+    if opts[:retry_total]
+      request.add_tlv(TLV_TYPE_TRANS_RETRY_TOTAL, opts[:retry_total])
+    end
+
+    if opts[:retry_wait]
+      request.add_tlv(TLV_TYPE_TRANS_RETRY_WAIT, opts[:retry_wait])
+    end
+
+    # do more magic work for http(s) payloads
+    unless opts[:transport].ends_with?('tcp')
+      sum = uri_checksum_lookup(:connect)
+      url << generate_uri_uuid(sum, uuid) + '/'
+
+      # TODO: randomise if not specified?
+      opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
+      request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
+
+      if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
+        hash = Rex::Parser::X509Certificate.get_cert_file_hash(opts[:cert])
+        request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
+      end
+
+      if opts[:proxy_host] && opts[:proxy_port]
+        prefix = 'http://'
+        prefix = 'socks=' if opts[:proxy_type] == 'socks'
+        proxy = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
+        request.add_tlv(TLV_TYPE_TRANS_PROXY_INFO, proxy)
+
+        if opts[:proxy_user]
+          request.add_tlv(TLV_TYPE_TRANS_PROXY_USER, opts[:proxy_user])
+        end
+        if opts[:proxy_pass]
+          request.add_tlv(TLV_TYPE_TRANS_PROXY_PASS, opts[:proxy_pass])
+        end
+      end
+
+    end
+
+    request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
+    request.add_tlv(TLV_TYPE_TRANS_URL, url)
+
+    return request
+  end
+
+
   def generate_payload_stub(process)
     case client.platform
     when /win/i
diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb
@@ -101,6 +101,7 @@ module Meterpreter
 TLV_TYPE_TRANS_RETRY_WAIT    = TLV_META_TYPE_UINT   | 440
 
 TLV_TYPE_MACHINE_ID          = TLV_META_TYPE_STRING | 460
+TLV_TYPE_UUID                = TLV_META_TYPE_STRING | 461
 
 TLV_TYPE_CIPHER_NAME         = TLV_META_TYPE_STRING | 500
 TLV_TYPE_CIPHER_PARAMETERS   = TLV_META_TYPE_GROUP  | 501
@@ -205,6 +206,7 @@ def inspect
       when TLV_TYPE_TRANS_RETRY_TOTAL; "TRANS-RETRY-TOTAL"
       when TLV_TYPE_TRANS_RETRY_WAIT; "TRANS-RETRY-WAIT"
       when TLV_TYPE_MACHINE_ID; "MACHINE-ID"
+      when TLV_TYPE_UUID; "UUID"
 
       #when Extensions::Stdapi::TLV_TYPE_NETWORK_INTERFACE; 'network-interface'
       #when Extensions::Stdapi::TLV_TYPE_IP; 'ip-address'
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -50,6 +50,7 @@ def commands
       "use"        => "Deprecated alias for 'load'",
       "load"       => "Load one or more meterpreter extensions",
       "machine_id" => "Get the MSF ID of the machine attached to the session",
+      "uuid"       => "Get the UUID for the current session",
       "quit"       => "Terminate the meterpreter session",
       "resource"   => "Run the commands stored in a file",
       "read"       => "Reads data from a channel",
@@ -392,7 +393,16 @@ def print_timeouts(timeouts)
   # Get the machine ID of the target
   #
   def cmd_machine_id(*args)
-    print_good("Machine ID: #{client.core.machine_id}")
+    client.machine_id = client.core.machine_id unless client.machine_id
+    print_good("Machine ID: #{client.machine_id}")
+  end
+
+  #
+  # Get the machine ID of the target
+  #
+  def cmd_uuid(*args)
+    client.payload_uuid = client.core.uuid unless client.payload_uuid
+    print_good("UUID: #{client.payload_uuid}")
   end
 
   #
@@ -497,24 +507,33 @@ def cmd_ssl_verify(*args)
     '-h'  => [ false, 'Help menu' ])
 
   #
-  # Display help for transport switching
+  # Display help for transport management.
   #
   def cmd_transport_help
-    print_line('Usage: transport [options]')
+    print_line('Usage: transport <change|add|next|prev> [options]')
     print_line
-    print_line('Change the current Meterpreter transport mechanism')
+    print_line('    add: add a new transport to the transport list.')
+    print_line(' change: same as add, but changes directly to the added entry.')
+    print_line('   next: jump to the next transport in the list (no options).')
+    print_line('   prev: jump to the previous transport in the list (no options).')
     print_line(@@transport_opts.usage)
   end
 
   #
-  # Change the current transport setings.
+  # Manage transports
   #
   def cmd_transport(*args)
     if ( args.length == 0 or args.include?("-h") )
       cmd_transport_help
       return
     end
 
+    command = args.shift
+    unless ['add', 'change', 'prev', 'next'].include?(command)
+      cmd_transport_help
+      return
+    end
+
     opts = {
       :transport     => nil,
       :lhost         => nil,
@@ -569,12 +588,41 @@ def cmd_transport(*args)
       end
     end
 
-    print_status("Swapping transport ...")
-    if client.core.transport_change(opts)
-      client.shutdown_passive_dispatcher
-      shell.stop
-    else
-      print_error("Failed to switch transport, please check the parameters")
+    case command
+    when 'next'
+      print_status("Changing to next transport ...")
+      if client.core.transport_next
+        print_good("Successfully changed to the next transport, killing current session.")
+        client.shutdown_passive_dispatcher
+        shell.stop
+      else
+        print_error("Failed to change transport, please check the parameters")
+      end
+    when 'prev'
+      print_status("Changing to previous transport ...")
+      if client.core.transport_prev
+        print_good("Successfully changed to the previous transport, killing current session.")
+        client.shutdown_passive_dispatcher
+        shell.stop
+      else
+        print_error("Failed to change transport, please check the parameters")
+      end
+    when 'change'
+      print_status("Changing to new transport ...")
+      if client.core.transport_change(opts)
+        print_good("Successfully added #{opts[:transport]} transport, killing current session.")
+        client.shutdown_passive_dispatcher
+        shell.stop
+      else
+        print_error("Failed to change transport, please check the parameters")
+      end
+    when 'add'
+      print_status("Adding new transport ...")
+      if client.core.transport_add(opts)
+        print_good("Successfully added #{opts[:transport]} transport.")
+      else
+        print_error("Failed to add transport, please check the parameters")
+      end
     end
   end
 

Original file line number	Diff line number	Diff line change
`@@ -377,6 +377,10 @@ def alive?`
`377`	`377`	`#`
`378`	`378`	`attr_accessor :info`
`379`	`379`	`#`
	`380`	`+ # The identifier for the machine of the current session`
	`381`	`+ #`
	`382`	`+ attr_accessor :machine_id`
	`383`	`+ #`
`380`	`384`	`# The unique identifier of this session`
`381`	`385`	`#`
`382`	`386`	`attr_accessor :uuid`