Per MS-2916, load Mettle extensions via new API.

Author: pbarry-r7

lib/rex/post/meterpreter/client_core.rb

@@ -194,6 +194,10 @@ def set_transport_timeouts(opts={})
   #	LibraryFilePath
   #		The path to the library that is to be loaded
   #
+  #	LibraryFileImage
+  #		Binary object containing the library to be loaded
+  #		(can be used instead of LibraryFilePath)
+  #
   #	TargetFilePath
   #		The target library path when uploading
   #
@@ -209,12 +213,13 @@ def set_transport_timeouts(opts={})
   #
   def load_library(opts)
     library_path = opts['LibraryFilePath']
+    library_image = opts['LibraryFileImage']
     target_path  = opts['TargetFilePath']
     load_flags   = LOAD_LIBRARY_FLAG_LOCAL
 
     # No library path, no cookie.
-    if library_path.nil?
-      raise ArgumentError, 'No library file path was supplied', caller
+    if library_path.nil? && library_image.nil?
+      raise ArgumentError, 'No library file path or image was supplied', caller
     end
 
     # Set up the proper loading flags
@@ -233,14 +238,17 @@ def load_library(opts)
 
     # If we must upload the library, do so now
     if (load_flags & LOAD_LIBRARY_FLAG_LOCAL) != LOAD_LIBRARY_FLAG_LOCAL
-      image = ''
+      if library_image.nil?
+        # Caller did not provide the image, load it from the path
+        library_image = ''
 
-      ::File.open(library_path, 'rb') { |f|
-        image = f.read
-      }
+        ::File.open(library_path, 'rb') { |f|
+          library_image = f.read
+        }
+      end
 
-      if image
-        request.add_tlv(TLV_TYPE_DATA, image, false, client.capabilities[:zlib])
+      if library_image
+        request.add_tlv(TLV_TYPE_DATA, library_image, false, client.capabilities[:zlib])
       else
         raise RuntimeError, "Failed to serialize library #{library_path}.", caller
       end
@@ -328,22 +336,31 @@ def use(mod, opts = { })
     # if there are existing commands for the given extension, then we can use
     # what's already there
     unless commands.length > 0
-      # Get us to the installation root and then into data/meterpreter, where
-      # the file is expected to be
-      modname = "ext_server_#{mod.downcase}"
-      path = MetasploitPayloads.meterpreter_path(modname, suffix)
+      image = nil
+      path = nil
+      # If client.sys isn't setup, it's a Windows meterpreter 
+      if client.respond_to?(:sys) && !client.sys.config.sysinfo['BuildTuple'].blank?
+        # Query the payload gem directly for the extension image
+        image = MetasploitPayloads::Mettle.load_extension(client.sys.config.sysinfo['BuildTuple'], mod.downcase, suffix)
+      else
+        # Get us to the installation root and then into data/meterpreter, where
+        # the file is expected to be
+        modname = "ext_server_#{mod.downcase}"
+        path = MetasploitPayloads.meterpreter_path(modname, suffix)
 
-      if opts['ExtensionPath']
-        path = ::File.expand_path(opts['ExtensionPath'])
+        if opts['ExtensionPath']
+          path = ::File.expand_path(opts['ExtensionPath'])
+        end
       end
 
-      if path.nil?
+      if path.nil? and image.nil?
         raise RuntimeError, "No module of the name #{modnameprovided} found", caller
       end
 
       # Load the extension DLL
       commands = load_library(
           'LibraryFilePath' => path,
+          'LibraryFileImage' => image,
           'UploadLibrary'   => true,
           'Extension'       => true,
           'SaveToDisk'      => opts['LoadFromDisk'])

lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -122,6 +122,7 @@ def sysinfo(refresh: false)
         'Computer'        => response.get_tlv_value(TLV_TYPE_COMPUTER_NAME),
         'OS'              => response.get_tlv_value(TLV_TYPE_OS_NAME),
         'Architecture'    => response.get_tlv_value(TLV_TYPE_ARCHITECTURE),
+        'BuildTuple'      => response.get_tlv_value(TLV_TYPE_BUILD_TUPLE),
         'System Language' => response.get_tlv_value(TLV_TYPE_LANG_SYSTEM),
         'Domain'          => response.get_tlv_value(TLV_TYPE_DOMAIN),
         'Logged On Users' => response.get_tlv_value(TLV_TYPE_LOGGED_ON_USER_COUNT)

lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -130,6 +130,7 @@ module Stdapi
 TLV_TYPE_DOMAIN                 = TLV_META_TYPE_STRING  | 1046
 TLV_TYPE_LOGGED_ON_USER_COUNT   = TLV_META_TYPE_UINT    | 1047
 TLV_TYPE_LOCAL_DATETIME         = TLV_META_TYPE_STRING  | 1048
+TLV_TYPE_BUILD_TUPLE            = TLV_META_TYPE_STRING  | 1049
 
 # Environment
 TLV_TYPE_ENV_VARIABLE       = TLV_META_TYPE_STRING  | 1100

lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -1147,22 +1147,27 @@ def cmd_load(*args)
       case opt
       when '-l'
         exts = SortedSet.new
-        msf_path = MetasploitPayloads.msf_meterpreter_dir
-        gem_path = MetasploitPayloads.local_meterpreter_dir
-        [msf_path, gem_path].each do |path|
-          ::Dir.entries(path).each { |f|
-            if (::File.file?(::File.join(path, f)))
-              client.binary_suffix.each { |s|
-                if (f =~ /ext_server_(.*)\.#{s}/ )
-                  if (client.binary_suffix.size > 1)
-                    exts.add($1 + ".#{s}")
-                  else
-                    exts.add($1)
+        if !client.sys.config.sysinfo['BuildTuple'].blank?
+          # Use API to get list of extensions from the gem
+          exts.merge(MetasploitPayloads::Mettle.available_extensions(client.sys.config.sysinfo['BuildTuple']))
+        else
+          msf_path = MetasploitPayloads.msf_meterpreter_dir
+          gem_path = MetasploitPayloads.local_meterpreter_dir
+          [msf_path, gem_path].each do |path|
+            ::Dir.entries(path).each { |f|
+              if (::File.file?(::File.join(path, f)))
+                client.binary_suffix.each { |s|
+                  if (f =~ /ext_server_(.*)\.#{s}/ )
+                    if (client.binary_suffix.size > 1)
+                      exts.add($1 + ".#{s}")
+                    else
+                      exts.add($1)
+                    end
                   end
-                end
-              }
-            end
-          }
+                }
+              end
+            }
+          end
         end
         print(exts.to_a.join("\n") + "\n")
 
@@ -1212,22 +1217,31 @@ def cmd_load(*args)
 
   def cmd_load_tabs(str, words)
     tabs = SortedSet.new
-    msf_path = MetasploitPayloads.msf_meterpreter_dir
-    gem_path = MetasploitPayloads.local_meterpreter_dir
-    [msf_path, gem_path].each do |path|
-    ::Dir.entries(path).each { |f|
-      if (::File.file?(::File.join(path, f)))
-        client.binary_suffix.each { |s|
-          if (f =~ /ext_server_(.*)\.#{s}/ )
-            if (client.binary_suffix.size > 1 && !extensions.include?($1 + ".#{s}"))
-              tabs.add($1 + ".#{s}")
-            elsif (!extensions.include?($1))
-              tabs.add($1)
+    if !client.sys.config.sysinfo['BuildTuple'].blank?
+      # Use API to get list of extensions from the gem
+      MetasploitPayloads::Mettle.available_extensions(client.sys.config.sysinfo['BuildTuple']).each { |f|
+        if !extensions.include?(f.split('.').first)
+          tabs.add(f)
+        end
+      }
+    else
+      msf_path = MetasploitPayloads.msf_meterpreter_dir
+      gem_path = MetasploitPayloads.local_meterpreter_dir
+      [msf_path, gem_path].each do |path|
+      ::Dir.entries(path).each { |f|
+        if (::File.file?(::File.join(path, f)))
+          client.binary_suffix.each { |s|
+            if (f =~ /ext_server_(.*)\.#{s}/ )
+              if (client.binary_suffix.size > 1 && !extensions.include?($1 + ".#{s}"))
+                tabs.add($1 + ".#{s}")
+              elsif (!extensions.include?($1))
+                tabs.add($1)
+              end
             end
-          end
-        }
+          }
+        end
+      }
       end
-    }
     end
     return tabs.to_a
   end