Land rapid7#9290, Fix OverrideLHOST/LPORT with http/s Meterpreter payloads

Author: busterb

Gemfile.lock

@@ -17,7 +17,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.19)
+      metasploit-payloads (= 1.3.20)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.3.2)
       msgpack
@@ -177,7 +177,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.19)
+    metasploit-payloads (1.3.20)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)

lib/msf/core/handler/reverse_http.rb

@@ -339,6 +339,13 @@ def on_request(cli, req)
 
     self.pending_connections += 1
 
+    resp.body = ''
+    resp.code = 200
+    resp.message = 'OK'
+
+    url = payload_uri(req) + conn_id
+    url << '/' unless url[-1] == '/'
+
     # Process the requested resource.
     case info[:mode]
       when :init_connect
@@ -354,59 +361,27 @@ def on_request(cli, req)
         pkt.add_tlv(Rex::Post::Meterpreter::TLV_TYPE_TRANS_URL, conn_id + "/")
         resp.body = pkt.to_r
 
-      when :init_python, :init_native, :init_java
+      when :init_python, :init_native, :init_java, :connect
         # TODO: at some point we may normalise these three cases into just :init
-        url = payload_uri(req) + conn_id + '/'
-
-        # Damn you, python! Ruining my perfect world!
-        url += "\x00" unless uuid.arch == ARCH_PYTHON
-        uri = URI(payload_uri(req) + conn_id)
-
-        # TODO: does this have to happen just for windows, or can we set it for all?
-        resp['Content-Type'] = 'application/octet-stream' if uuid.platform == 'windows'
-
-        begin
-          blob = self.generate_stage(
-            url:   url,
-            uuid:  uuid,
-            uri:   conn_id
-          )
-
-          blob = encode_stage(blob) if self.respond_to?(:encode_stage)
-
-          print_status("Staging #{uuid.arch} payload (#{blob.length} bytes) ...")
-
-          resp.body = blob
-
-          # Short-circuit the payload's handle_connection processing for create_session
-          create_session(cli, {
-            :passive_dispatcher => self.service,
-            :conn_id            => conn_id,
-            :url                => url,
-            :expiration         => datastore['SessionExpirationTimeout'].to_i,
-            :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
-            :retry_total        => datastore['SessionRetryTotal'].to_i,
-            :retry_wait         => datastore['SessionRetryWait'].to_i,
-            :ssl                => ssl?,
-            :payload_uuid       => uuid
-          })
-        rescue NoMethodError
-          print_error("Staging failed. This can occur when stageless listeners are used with staged payloads.")
-          return
-        end
 
-      when :connect
-        print_status("Attaching orphaned/stageless session...")
+        if info[:mode] == :connect
+          print_status("Attaching orphaned/stageless session...")
+        else
+          begin
+            blob = self.generate_stage(url: url, uuid: uuid, uri: conn_id)
+            blob = encode_stage(blob) if self.respond_to?(:encode_stage)
 
-        resp.body = ''
+            print_status("Staging #{uuid.arch} payload (#{blob.length} bytes) ...")
 
-        url = payload_uri(req) + conn_id
-        url << '/' unless url[-1] == '/'
+            resp['Content-Type'] = 'application/octet-stream'
+            resp.body = blob
 
-        # Damn you, python! Ruining my perfect world!
-        url += "\x00" unless uuid.arch == ARCH_PYTHON
+          rescue NoMethodError
+            print_error("Staging failed. This can occur when stageless listeners are used with staged payloads.")
+            return
+          end
+        end
 
-        # Short-circuit the payload's handle_connection processing for create_session
         create_session(cli, {
           :passive_dispatcher => self.service,
           :conn_id            => conn_id,
@@ -423,8 +398,6 @@ def on_request(cli, req)
         unless [:unknown_uuid, :unknown_uuid_url].include?(info[:mode])
           print_status("Unknown request to #{request_summary}")
         end
-        resp.code    = 200
-        resp.message = 'OK'
         resp.body    = datastore['HttpUnknownRequestResponse'].to_s
         self.pending_connections -= 1
     end
@@ -436,6 +409,5 @@ def on_request(cli, req)
   end
 
 end
-
 end
 end

lib/msf/core/payload/python/meterpreter_loader.rb

@@ -1,6 +1,7 @@
 # -*- coding: binary -*-
 
 require 'msf/core'
+require 'msf/core/payload/transport_config'
 require 'msf/base/sessions/meterpreter_options'
 require 'msf/core/payload/uuid/options'
 
@@ -16,6 +17,7 @@ module Payload::Python::MeterpreterLoader
 
   include Msf::Payload::Python
   include Msf::Payload::UUID::Options
+  include Msf::Payload::TransportConfig
   include Msf::Sessions::MeterpreterOptions
 
   def initialize(info = {})
@@ -106,17 +108,12 @@ def stage_meterpreter(opts={})
     # so we need to generate it
     # TODO: move this to somewhere more common so that it can be used across payload types
     unless opts[:url].to_s == ''
+
+      # Build the callback URL (TODO: share this logic with TransportConfig
       uri = "/#{opts[:url].split('/').reject(&:empty?)[-1]}"
-      callback_url = [
-        opts[:url].to_s.split(':')[0],
-        '://',
-        (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s,
-        ':',
-        (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s,
-        ds['LURI'].to_s,
-        uri,
-        '/'
-      ].join('')
+      opts[:scheme] ||= opts[:url].to_s.split(':')[0]
+      scheme, lhost, lport = transport_uri_components(opts)
+      callback_url = "#{scheme}://#{lhost}:#{lport}#{ds['LURI']}#{uri}/"
 
       # patch in the various payload related configuration
       met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(callback_url)}'")

lib/msf/core/payload/transport_config.rb

@@ -36,13 +36,26 @@ def transport_config_bind_tcp(opts={})
 
   def transport_config_reverse_https(opts={})
     ds = opts[:datastore] || datastore
+    opts[:scheme] ||= 'https'
     config = transport_config_reverse_http(opts)
-    config[:scheme] = ds['OverrideScheme'] || 'https'
     config[:ssl_cert_hash] = get_ssl_cert_hash(ds['StagerVerifySSLCert'],
                                                ds['HandlerSSLCert'])
     config
   end
 
+  def transport_uri_components(opts={})
+    ds = opts[:datastore] || datastore
+    scheme = opts[:scheme]
+    lhost = ds['LHOST']
+    lport = ds['LPORT']
+    if ds['OverrideRequestHost']
+      scheme = ds['OverrideScheme'] || scheme
+      lhost = ds['OverrideLHOST'] || lhost
+      lport = ds['OverrideLPORT'] || lport
+    end
+    [scheme, lhost, lport]
+  end
+
   def transport_config_reverse_http(opts={})
     # most cases we'll have a URI already, but in case we don't
     # we should ask for a connect to happen given that this is
@@ -55,10 +68,13 @@ def transport_config_reverse_http(opts={})
     end
 
     ds = opts[:datastore] || datastore
+    opts[:scheme] ||= 'http'
+    scheme, lhost, lport = transport_uri_components(opts)
+
     {
-      scheme:          ds['OverrideScheme'] || 'http',
-      lhost:           opts[:lhost] || ds['LHOST'],
-      lport:           (opts[:lport] || ds['LPORT']).to_i,
+      scheme:          scheme,
+      lhost:           lhost,
+      lport:           lport.to_i,
       uri:             uri,
       ua:              ds['HttpUserAgent'],
       proxy_host:      ds['HttpProxyHost'],

metasploit-framework.gemspec

@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.3.19'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.3.20'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.2'
   # Needed by msfgui and other rpc components

modules/payloads/singles/python/meterpreter_bind_tcp.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 57798
+  CachedSize = 58390
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_http.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 57762
+  CachedSize = 58354
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_https.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 57762
+  CachedSize = 58354
 
   include Msf::Payload::Single
   include Msf::Payload::Python

modules/payloads/singles/python/meterpreter_reverse_tcp.rb

@@ -11,7 +11,7 @@
 
 module MetasploitModule
 
-  CachedSize = 57714
+  CachedSize = 58306
 
   include Msf::Payload::Single
   include Msf::Payload::Python